Daily Archives: May 2, 2019

Weekly Update 137

It's the last one from home for a few weeks, both for Scott and myself. Whilst I head off to the US for a couple of weeks, he's back home to the UK before other Europe travel, then we'll both end up back on the Gold Coast in a few weeks' time before the AusCERT conference.

This week, we're talking about how kids are so good at circumventing things like parental controls and how maybe - just maybe - talking to your kids and using some social techniques is a better (or at least complementary) approach to hard controls. Partly as a result of that tweet, we're also discussing the rampant negativity we seem to constantly face from a small minority on Twitter. It's minor in numbers, but increasingly carries a mental weight (see the link below for context). Plus there's Trustico. Ah, Trustico, just have a listen and see what you think...

  1. My 9-year-old found a clever way to circumvent iOS' parental controls (imagine what it's like for the average person trying to understand this stuff...)
  2. We're both confounded by the unnecessary ongoing negativity folks on Twitter seem intent on espousing (I'm linking to this one because it's a perfect example of injecting negativity into an otherwise happy, joyful tweet)
  3. Trustico has some really shady marketing going on with their certs (that's a link to Scott's post smashing the screwy - make sure you search for "nerdville"!)
  4. Twilio are sponsoring my blog this week, check out what you can do with Authy to add 2FA to your site (this is dead easy - do it!)

Adam Levin Discusses Mobile Banking and Security with TicToc

Adam Levin was featured on a short video on TicToc by Bloomberg, where he discussed the trade-offs between security and convenience for mobile banking and payment apps.

“As business tries in its technological innovation to make things more convenient, you end up with the conundrum between convenience and security.” Levin said.

See the video below, or on Bloomberg.com:

The post Adam Levin Discusses Mobile Banking and Security with TicToc appeared first on Adam Levin.

TrustArc Announces Platform Dashboard to Simplify Privacy Management for CCPA, GDPR and Other Global Regulations

TrustArc is excited to announce a major expansion of our award-winning privacy platform to simplify compliance management for the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and other privacy regulations. The enhancements include a comprehensive set of dynamic components, including regulatory updates, risk scores, program status and other privacy program KPIs, accessible through a unified privacy program management dashboard. Our new dashboard streamlines compliance and risk management for privacy, IT and business teams. The privacy regulatory landscape is changing dramatically and businesses are looking for ways to stay on top of the new requirements. The major …

The post TrustArc Announces Platform Dashboard to Simplify Privacy Management for CCPA, GDPR and Other Global Regulations appeared first on TrustArc Blog.

The State of Machine Learning in 2019

Here we are, almost four whole months into 2019, and machine learning and artificial intelligence are still hot topics in the security world. Or at least that was the impression I had. Our 2019 CISO Benchmark Report, however, found that between 2018 and 2019, CISO interest in machine learning dropped from 77% to 67%. Similarly, interest in artificial intelligence also dropped from 74% to 66%.

Now there are a number of reasons why these values could have dropped over a year. Maybe there’s a greater lack of certainty or confidence when it comes to implementing ML. Or perhaps widespread adoption and integration into more organizations has made it less of a standout issue for CISOs. Or maybe the market for ML has finally matured to the point where we can start talking about the outcomes from ML and AI and not the tools themselves.

No matter where you stand on ML and AI, there’s still plenty to talk about when it comes to how we as an industry are currently making use of them. With that in mind, I’d like to share some thoughts on ways we need to view machine learning and artificial intelligence as well as how we need to shift the conversation around them.

More effective = less obvious

I’m still amazed that machine learning is still a hot topic. That’s not to say it does not deserve to be an area of interest. I am saying, however, that what we should be talking about are the outcomes and capabilities it delivers. Some of you may remember when XML was such a big deal, and everyone could not stop talking about it. Fast forward to today and no one advertises that they use XML, since that would just be obvious and users care more about the functionality it enables. Machine learning will follow the same path. In time, it will become an essential aspect of the way we approach security and simply another background process. Once that happens, we can focus on talking about the analytical outcomes it enables.

An ensemble cast featuring machine learning

Anyone who has built an effective security analytics pipeline knows that job one is to ensure that it is resilient to active evasion. Threat actors know as much as or more than you do about the detection methods within the environments they wish to penetrate and persist in. The job of security analytics is to find the most stealthy and evasive threat actor activity in the network, and to do this, you cannot just rely on a single technique. For that detection to happen, you need a diverse set of techniques, all of which complement one another. While a threat actor will be able to evade one or two of them simultaneously, they don’t stand a chance against hundreds of them! Detection in diversity!

To explain this, I would like to use the analogy of a modern bank vault. Vaults employ a diverse set of detection techniques, such as motion, thermal and laser arrays, so that whichever physical dimension an intruder disturbs, an alarm will be tripped and the appropriate response will ensue. We do the same in the digital world, where machine learning helps us model the timing or volumetric aspects of behavior that are statistically normal so that we can signal on outliers. This can be done all the way down at the protocol level, where models are deterministic, or all the way up to application or user behavior, which can sometimes be less deterministic. We have had years to refine these analytical techniques and have published well over 50 papers on the topic in the past 12 years.

The precision and scale of ML

So why then can’t we just keep using lists of bad things and lists of good things? Why do we need machine learning in security analytics and what unique value does it bring us? The first thing I want to say here is that we are not religious about machine learning or AI. To us, it is just another tool in the larger analytics pipeline. In fact, the most helpful analytics comes from using a bit of everything.

If you hand me a list and say, “If you ever see these patterns, let me know about it immediately!” I’m good with that. I can do that all day long and at very high speeds. But what if we are looking for something that cannot be known prior to the list-making act? What if what we are looking for cannot be seen but only inferred? The shadows of the objects but never the objects, if you will. What if we are not really sure what something is or the role it plays in the larger system (i.e., categorization and classification)? All these questions are where machine learning has contributed a great deal to security analytics. Let’s point to a few examples.

The essence of Encrypted Traffic Analytics

Encryption has made what was observable in the network impossible to observe. You can argue with me on this, but mathematics is not on your side, so let’s just accept the fact that deep packet inspection is a thing of the past. We need a new strategy, and that strategy is the power of inference. Encrypted Traffic Analytics is an invention at Cisco whereby we leverage the fact that all encrypted sessions begin unencrypted and that the routers and switches can send us an “Observable Derivative.” This metadata coming from the network is a mathematical shadow of the payloads we cannot inspect directly because they are encrypted. Machine learning helps us train on these observable derivatives so that if their shape and size over time match some malicious behavior, we can bring this to your attention, all without having to deal with decryption.
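The “sessions begin unencrypted” point above is concrete enough to show in code. The following is an added example written for this page, not Cisco’s Encrypted Traffic Analytics implementation: it builds a constructed TLS 1.2 ClientHello, parses the cleartext fields a network sensor can see (protocol version, offered cipher suites, SNI), and combines them with a constructed sequence of packet sizes into the kind of feature record a model could be trained on. No decryption is involved at any step; everything extracted is visible on the wire before the session key exists.

```python
"""Added example: pull the unencrypted metadata out of a TLS ClientHello.

Illustrative code written for this page. The sample record is constructed by
build_client_hello(); the packet-length sequence is also constructed.
"""
import struct


def build_client_hello(server_name: str, cipher_suites: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(32)                                  # random (zeros in this constructed sample)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return version, cipher suites and SNI from a ClientHello; ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n: int) -> bytes:
        # Bounds-checked cursor so a malformed length field raises instead of mis-parsing.
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                         # random
    take(take(1)[0])                                 # session_id
    suites_raw = take(struct.unpack("!H", take(2))[0])
    if len(suites_raw) % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", suites_raw[i:i + 2])[0] for i in range(0, len(suites_raw), 2)]
    take(take(1)[0])                                 # compression_methods
    sni = None
    if pos < len(body):                              # extensions are optional
        ext_data = take(struct.unpack("!H", take(2))[0])
        off = 0
        while off + 4 <= len(ext_data):
            etype, elen = struct.unpack("!HH", ext_data[off:off + 4])
            data = ext_data[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == 0 and len(data) >= 5:        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def is_well_formed_client_hello(record: bytes) -> bool:
    """Convenience wrapper: True if the record parses, False if it is malformed or truncated."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def observable_derivative(record: bytes, packet_lengths: list) -> dict:
    """Handshake metadata plus the packet-size sequence a sensor can export without decrypting."""
    features = parse_client_hello(record)
    features["first_packet_lengths"] = list(packet_lengths[:10])
    features["total_bytes"] = sum(packet_lengths)
    return features


# Constructed sample: a ClientHello for example.test offering two suites, and constructed
# sizes for the remaining packets of the flow.
SAMPLE_RECORD = build_client_hello("example.test", [0x1301, 0xC02F])
SAMPLE_LENGTHS = [len(SAMPLE_RECORD), 1460, 1460, 320, 93, 93, 517]

if __name__ == "__main__":
    print(observable_derivative(SAMPLE_RECORD, SAMPLE_LENGTHS))
```

The parser deliberately rejects anything whose length fields do not add up rather than guessing; on a sensor, a ClientHello that claims one length and carries another is itself worth a look.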

Why is this printer browsing Netflix?

Sometimes we are lucky enough to know the identity and role of a user, application, or device as it interacts with systems across the network. The reality is, most days we are far from 100% on this, so machine learning can help us cluster network activity to make an assertion like, “based on the behavior and interactions of this thing, we can call it a printer!” When you are dealing with thousands upon thousands of computers interacting with one another across your digital business, even if you had a list at some point in time, it is likely not up to date. The value of this labeling is not just that you have objects with the most accurate labels, but that you can infer suspicious behavior based on an object’s trusted role. For example, if a network device is labeled a printer, it is expected to act like a printer, so its future behavior can be predicted. If one day it starts to browse Netflix or checks out some code from a repository, our software Stealthwatch generates an alert for your attention. With machine learning, you can infer from behavior what something is, or, if you already know what something is, you can predict its “normal” behavior and flag any behavior that is “not normal.”

Pattern matching versus behavioral analytics

Lists are great! Hand me a high-fidelity list and I will hand you back high-fidelity alerts generated from that list. Hand me a noisy or low-fidelity list and I will hand you back noise. The definition of machine learning by Arthur Samuel in 1959 is “Field of study that gives computers the ability to learn without being explicitly programmed.” In security analytics, we can use it for just this and have analytical processes that implicitly program a list for you given the activity they observe (the telemetry they are presented with). Machine learning helps us implicitly put together a list that could not have been known a priori. In security, we complement what we know with what we can infer through negation. A simple example would be “if these are my sanctioned DNS servers and activities, then what is this other thing here?!” Logically, instead of saying something is A (or a member of set A), we are saying not-A, but that is only practical if we have already closed off the world to {A, B}: not-A is B if the set is closed. If, however, we did not close off the world to a fixed set of members, not-A could be anything in the universe, which is not helpful.
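The two ideas in the last two sections, a role label that predicts “normal” behavior (the printer that should never browse Netflix) and a closed world in which “not my sanctioned DNS server” is a meaningful detection, can both be expressed as detection logic over flow telemetry. The code below is an added example written for this page; it is not Stealthwatch and the flow records, device roles and sanctioned resolver are all constructed sample data. It first learns a per-role list of observed (protocol, port) pairs and a volume profile from a baseline window, which is the “implicitly programmed list”, then flags observed flows that leave the closed DNS set, use a port the role never used, or exceed the role’s volume by more than three standard deviations.

```python
"""Added example: closed-world negation and role baselines over flow telemetry.

Illustrative code written for this page, not Stealthwatch. All IPs, roles
and flows are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes_out: int


SANCTIONED_DNS = {"10.0.0.53"}           # constructed: the closed set A of approved resolvers
DEVICE_ROLES = {                         # constructed labels; in practice these may come from clustering
    "10.0.1.20": "printer",
    "10.0.1.21": "printer",
    "10.0.2.5": "workstation",
}

# Constructed training window: what each role normally does.
BASELINE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 631, "tcp", 1200),        # printer serving an IPP job
    Flow("10.0.1.21", "10.0.2.5", 631, "tcp", 900),
    Flow("10.0.1.20", "10.0.0.53", 53, "udp", 80),          # printer using the sanctioned resolver
    Flow("10.0.1.21", "10.0.0.53", 53, "udp", 75),
    Flow("10.0.2.5", "10.0.0.53", 53, "udp", 90),
    Flow("10.0.2.5", "203.0.113.10", 443, "tcp", 50000),    # workstation browsing
]

# Constructed observation window containing three deviations across two flows.
OBSERVED_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 631, "tcp", 1100),            # normal printer traffic
    Flow("10.0.1.20", "198.51.100.7", 53, "udp", 70),           # DNS to a server outside set A
    Flow("10.0.1.21", "203.0.113.40", 443, "tcp", 48_000_000),  # a printer "browsing", huge volume
    Flow("10.0.2.5", "203.0.113.10", 443, "tcp", 60000),        # normal for a workstation
]


def role_of(ip: str) -> str:
    return DEVICE_ROLES.get(ip, "unknown")


def learn_baseline(flows):
    """Implicitly program the list: per-role (proto, port) pairs and a volume profile from telemetry."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        ports[role_of(f.src)].add((f.proto, f.dst_port))
        volumes[role_of(f.src)].append(f.bytes_out)
    volume_profile = {role: (mean(v), pstdev(v)) for role, v in volumes.items()}
    return {"ports": dict(ports), "volume": volume_profile}


def detect(flows, baseline):
    """Return (src, reason, detail) tuples for flows outside the closed world or the role baseline."""
    alerts = []
    for f in flows:
        role = role_of(f.src)
        # Closed-world negation: once A is fixed, "not-A" on port 53 is a concrete, actionable finding.
        if f.dst_port == 53 and f.dst not in SANCTIONED_DNS:
            alerts.append((f.src, "unsanctioned DNS server", f.dst))
        # Role deviation: a (proto, port) this role never used during the baseline window.
        if (f.proto, f.dst_port) not in baseline["ports"].get(role, set()):
            alerts.append((f.src, f"{role} deviates from role baseline", f"{f.proto}/{f.dst_port}"))
        # Volumetric outlier: more than three standard deviations above the role's mean.
        mu, sigma = baseline["volume"].get(role, (0.0, 0.0))
        if sigma > 0 and f.bytes_out > mu + 3 * sigma:
            alerts.append((f.src, "volumetric outlier", f"{f.bytes_out} bytes"))
    return alerts


def run_detection():
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Two things the sample makes visible: a device with no role label falls into “unknown”, for which there is no baseline, so every one of its flows is flagged (the open-world case the text warns about), and the volume rule only fires when the baseline has enough variance to give a non-zero standard deviation, which is why a training window needs more than a handful of flows per role before the statistical rule is trustworthy.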

Useful info for your day-to-day tasks

I had gone my entire career measuring humans as if they were machines, and now I am measuring humans as humans. We cannot forget that no matter how fancy we get with the data science, if a human in the end will need to understand and possibly act on this information, they ultimately need to understand it. I had gone my entire career thinking that the data science could explain the results, and while this is academically accurate, it is not helpful to the person who needs to understand the analytical outcome. The sense-making of the data is squarely in the domain of human understanding, and this is why the only question we want to ask is “Was this alert helpful?” Yes or no. And that’s exactly what we do with Stealthwatch. At the end of the day, we want to make sure that the person behind the console understands why an alert was triggered and whether that helped them. If the “yeses” we’ve received scoring in the mid 90%’s quarter after quarter are any indication, then we’ve been able to help a lot of users make sense of the alerts they’re receiving and use their time more efficiently.

We owe a big round of applause to artificial intelligence for birthing the child we know and love, named machine learning, and all that it has contributed to security analytics over the past year. We remain pragmatic in its application, as we know that, just because it is the new kid on the block, we cannot turn our backs on simple or complex lists of rules, simple statistical analysis, and any other method that has got us to where we are today.

Lucky for us, machine learning has already shown signs of playing well with its peers as we continue to find ways to improve existing security processes by pairing them with ML. It can’t solve every single problem on its own, but when it works together with the people and processes that have come before it, we get that much closer to a more secure future. And if machine learning is the child of AI, who then are its brothers and sisters that we have yet to explore in security analytics? We have some big ideas and some already in prototype state, but remember, in the end, we will ask you whether it is helpful or not helpful, not all the data science mumbo jumbo!

As always, we welcome your comments below. Readers who enjoyed this blog would also benefit from viewing our library of recent Cybersecurity Reports or checking out our new Threat of the Month blog series.

The post The State of Machine Learning in 2019 appeared first on Cisco Blog.

Fallout from Gavin Williamson sacking | Letters

Readers respond to the sacking of the defence secretary Gavin Williamson over accusations of leaking

While I am delighted that Gavin Williamson (May tells defence secretary: ‘You leaked, you are fired’, 2 May) has been removed from the government – remember he said that all British jihadists should be hunted down and killed in the Middle East rather than returned for trial here – I am sorry that as a result Rory Stewart no longer has responsibility for prisons. His is a deserved promotion, but as prisons minister he was the first member of the government to make any attempt to get to grips with the problems of our criminal justice system and offered to resign if things did not improve. How sad that there are not more of that ilk in public life these days.
Maureen Panton
Malvern, Worcestershire

• Is the Gavin Williamson who has just been sacked as defence secretary for allegedly leaking plans discussed in the National Security Council to allow Huawei to be involved in building the UK’s 5G network the same Gavin Williamson who told us last year that it’s Jeremy Corbyn that “cannot be trusted”?
Sasha Simic


Get security beyond Microsoft products with Microsoft 365

Over time, organizations and individuals acquire stuff. Things we love and things we need. Things we don’t need but can’t seem to get rid of. I was confronted with this challenge when we bought a 1908 craftsman home. How could I make my beloved modern furniture and mandatory kid-friendly gear work? Planning a space that pulled together the contemporary pieces with the old-world details of our home took some work, but it was worth it (and actually kind of fun). Best of all, our home has character and it feels like us.

IT organizations have also accumulated stuff over the years. Legacy systems can’t be easily replaced (like my kid-friendly furniture). Investments have been made in cloud services and security solutions to solve specific problems. It’s not always practical or even smart to replace existing products around which IT has developed processes that work. This can be a struggle for security architects striving for a single pane of glass across their security ecosystem. While they might never reach that holy grail, Microsoft 365 can get them a lot closer.

Microsoft security capabilities can extend across the entire digital landscape, including non-Microsoft products and services. Our latest e-book, Security beyond Microsoft products, illustrates how IT can secure a diverse digital estate and integrate with other security solutions to eliminate “security silos.”

Secure a diverse digital estate

The Security beyond Microsoft products e-book provides concrete examples of how Microsoft 365 security can be used to protect non-Microsoft applications and services. For example, you can use Azure Active Directory (Azure AD) to extend your sign-in policies to thousands of third-party cloud apps. Microsoft Intune secures and manages Android and Apple devices. You can even track threats across a hybrid cloud ecosystem.

Integrate with other security solutions

Microsoft 365 is a complete, intelligent solution, but it also integrates well with other security products. If you have individual security products that are still under contract or that you’ve fine-tuned for your team and processes, there is no need to lose those investments. The Security beyond Microsoft products e-book describes how Microsoft 365 works with other vendor products, such as a third-party Multi-Factor Authentication (MFA) product or a data loss prevention (DLP) solution.

Learn more

I was able to bring eclectic pieces together in a seamless, comfortable way that balanced the old and new, and you can do the same across your security organization. Learn more by downloading the first five e-books in our series:

Check back to read the final e-book in this series, “Secure your most sensitive data,” which details how Microsoft 365 can protect your data even as it travels.

The post Get security beyond Microsoft products with Microsoft 365 appeared first on Microsoft Security.

Qakbot levels up with new obfuscation techniques

Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials and eventually draining their bank accounts. Qakbot has long utilized scheduled tasks to maintain persistence. In this blog post, we will detail an update to these scheduled tasks that allows Qakbot to maintain persistence and potentially evade detection.

The post Qakbot levels up with new obfuscation techniques appeared first on Cisco Blog.

Confused about Cybersecurity Platforms? We Can Help.

“Cybersecurity platform” continues to be an industry buzzword. Vendors talk about it at industry events, and so do many analysts. But can every vendor claim to offer a platform and also be credible? More importantly, how does that help your business? The security industry has evolved by responding to emerging threats with new, shiny tools, resulting in many disparate tools. Most organizations (over 60%, according to ESG research) are looking to consolidate security vendors. This trend toward fewer tools is also showing better results. A recent Cisco CISO Benchmark Study cited that organizations with fewer vendors saw less than 5,000 alerts per day versus 10,000 alerts (over 66% of organizations). Teams were able to focus on more important work like remediation, and those with fewer than 10 vendors had higher average response rates. Fewer vendors can also mean fewer management consoles, reducing complexity. Fewer siloed vendors may be a step toward a cybersecurity platform, and it seems to be a driver for a platform approach or integrated architecture, as suggested by a customer in the Cisco report.

“If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.” —Cisco CISO Report 2019

What is a Cybersecurity Platform?

ESG Research dug deeper into this platform appeal by surveying organizations to learn their desire for a cybersecurity platform and what the top attributes for this platform are. The attributes help provide a definition of a cybersecurity platform and fall into three driver buckets: Must Be Comprehensive, Make It Simple, and Embrace the Cloud.

How Does McAfee Stack Up?

This is a good list to use for evaluation if you are looking to take a cybersecurity platform approach. McAfee reviewed the ESG criteria to test our platform approach and found that we are 100% on target. See the results in the ESG paper McAfee’s Enterprise-class Cyber Security Technology Platform.

Core to the McAfee platform is industry-acclaimed McAfee ePolicy Orchestrator. There’s also the mature and proven messaging fabric, Data Exchange Layer (DXL), which connects and optimizes across security functions and provides real-time threat intelligence to the entire security ecosystem. Our customers agree—watch our video about Prime Therapeutics. They are detecting threats and correlating data with McAfee ePO, DXL, McAfee Threat Intelligence Exchange, and McAfee Active Response.

Who Are the Platform Players?

Looking at the attributes, not all vendors can meet the criteria. Most security vendors offer just one distinct security tool. Offering a platform requires a vendor to have an integrated portfolio and/or a willingness to integrate easily with other security functions. If they do match the criteria, you can dig deeper to find a few “gotcha” items.

Most organizations believe that taking a platform approach for their cybersecurity will yield higher efficacy and stronger operational efficiencies. These metrics can translate into better business outcomes like saving $1 million when an organization can respond efficiently to contain a cyberattack within 30 days of a data breach (IBM Cost of Data Breach Study 2018).

McAfee has held the position for years that security working together is better. Comment below with your cybersecurity platform perspective.

The post Confused about Cybersecurity Platforms? We Can Help. appeared first on McAfee Blogs.

Incident response: Putting all the R’s in IR

It is well established that the ‘R’ in IR stands for “Response.” But given the challenges facing incident response teams today, IR could just as well stand for “It’s Rough.” The landscape is challenging, tools are multiplying, and the talent shortage seems insurmountable.

First of all, according to Cisco’s recent CISO Benchmark Study, 79 percent of security leaders are finding it challenging to orchestrate threat response in a multi-vendor environment. There has also been a drop from Cisco’s 2018 survey in the number of legitimate security alerts organizations are remediating – down from roughly 50 percent last year to just under 43 percent this year. All this means that incident response is not getting any easier: only 35 percent of security professionals find it easy to determine the scope of a compromise, contain it, and remediate it.

Attackers continue to innovate and come up with new attack types at a record pace. They’re so brazen that they even use Facebook and other social networks to share tools and sell stolen, personal information. Meanwhile, security teams struggle to keep up with this innovation, acquiring new technology to deal with every emerging threat.

IT infrastructure is too complicated, and resources are too scarce, to manage all of these tools and derive the intended benefits from them. Especially since, oftentimes, security products don’t talk to one another – requiring the manual analysis and comparison of seemingly infinite alerts and logs to try to make sense of what’s going on.

But there is some good news in all of this. According to a Cybersecurity Almanac published by Cisco and Cybersecurity Ventures, Fortune 500 and Global 2000 CISOs are expected to reduce the number of point security products they are using by 15-18 percent this year. Additionally, our CISO Benchmark Study tells us that more security teams are using time to remediate as a success metric for their operations (48 percent compared to just 30 percent last year). Remediation is difficult, demonstrating that security teams are setting the bar very high for themselves.

This hopefully shows that organizations are allowing CISOs to think more strategically about security – and that the C-suite in general is perhaps realizing that it’s about more than just buying a bunch of products and hoping they work.

Three more R’s: readiness, recon, and remediation

In actuality, there’s more to the ‘R’ in IR than just ‘response.’ To effectively respond to attacks, organizations not only have to react when they occur, but also:

  1. Be prepared for them in the first place. (Readiness.)
  2. Have an efficient way of obtaining visibility into any threats that make their way in. (Recon.)
  3. Mitigate attacks as quickly as possible. (Remediation.)

How do you master all these R’s? First of all, if your environment is made up of dozens of security technologies each performing siloed tasks and not sharing intelligence, you can’t really succeed. You will never have enough time, resources, and patience to piece all of this disparate information together and identify attacks before they rip through your environment.

At Cisco, we are constantly trying to figure out how to make security better to more effectively protect today’s businesses. Above all else – beyond all the latest features and capabilities – we focus on integrated security above everything. We don’t want our products to protect against just one type of attack, or secure just one area of the network. We want to cover you from edge to endpoint – and we want our products to work together to lessen the burden on you and your team.

Here are some of the newer ways we are helping to fortify organizations’ incident response plans, and putting all the R’s in IR.

Cisco Stealthwatch – A whole lot of readiness

Talk about being prepared. Cisco Stealthwatch has recently become the first and only security analytics platform to provide comprehensive visibility and threat detection across today’s modern infrastructure – including private, hybrid, and public multi-cloud environments. It automatically aggregates and analyzes security information across the entire enterprise to deliver a clear, understandable look at what’s going on 24/7. Stealthwatch prioritizes the most critical issues for the security team, and enables team members to easily drill down into any alerts that require further investigation.

Essentially, Stealthwatch serves as the eyes and ears of the network, using a combination of behavioral modeling and machine learning to pinpoint anomalies that could signify risk. It even detects threats in encrypted traffic without the burden of IT teams having to do decryption. In addition to monitoring on-premises infrastructure and private clouds, Stealthwatch can monitor all public cloud environments including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Cisco Threat Response – Advanced recon and remediation

In the one year since we introduced our threat response platform, included for free with several of our security products, Cisco Threat Response (CTR) has become a foundation for fast, efficient incident investigation and response across the entire Cisco security architecture. It brings together threat intelligence from Cisco and third-party technologies, as well as Cisco Talos, via a single, intuitive console.

CTR reduces the need for security teams to shift between different interfaces and manually piece together data. If a threat is uncovered, it can be quickly remediated directly through CTR. The result is dramatically accelerated threat detection, investigation, and response.

This year, we unveiled a new browser plug-in for CTR to further simplify investigations. With the plug-in, if you are on a web site (such as the Talos blog) that includes information and observables on specific attacks, you can easily pull those observables into CTR to determine if the attack is present in your environment. It works with any web page that includes data on Indicators of Compromise (IOCs), allowing security analysts to quickly kick off the threat investigation process.

AMP for Endpoints – Speaking of recon and remediation…

Some of you may already be familiar with our Advanced Malware Protection (AMP) technology. But did you know that it can be used to proactively hunt for the riskiest one percent of threats in your environment to improve both security posture and operations? AMP for Endpoints provides a holistic view of all end devices on your network, including IoT devices. It continuously monitors and records all files to quickly detect stealthy malware.

AMP provides valuable insight into how malware got in, where it’s been, what it’s doing, and how to stop it. This greatly simplifies investigations and shortens incident triage and mitigation time. Once a threat is uncovered, you can quickly block it within AMP using just a few clicks.

Through integrations with other prominent Cisco security technologies, this investigation and remediation can also be extended to other parts of the network beyond just endpoints. AMP can see a threat in one area of your environment and then automatically block it everywhere else it appears.

Integrated solutions for accelerated response

These are just a few of the ways Cisco is helping to speed and improve incident response. These new features are complemented by our comprehensive, integrated security portfolio, as well as a full array of professional services. In fact, we’ve also recently enhanced our incident response services to increase customer resiliency in the face of evolving attacks.

Putting all the R’s in IR? That’s Imminently Reachable.

Find out how we can help. See our infographic to get started.

The post Incident response: Putting all the R’s in IR appeared first on Cisco Blog.

Unprotected Database Exposed 13.7M Users’ Employment Information

An unprotected database made it possible for anyone on the web to view the personal and employment information of 13.7 million users. Security researcher and GDI Foundation member Sanyam Jain discovered the database and determined that it belonged to Ladders, a New York-based job recruitment site which specializes in high-end jobs. Jain then shared his […]

The post Unprotected Database Exposed 13.7M Users’ Employment Information appeared first on The State of Security.

Episode 484 – Microsoft Finally Agrees This Password Practice Is Worthless

Microsoft announced that it is behind ditching a password practice the rest of the security world has been against for 10 years. This episode talks about what that practice is and why it can make your company less secure if you use it. Be aware, be safe.

The post Episode 484 – Microsoft Finally Agrees This Password Practice Is Worthless appeared first on Security In Five.

Protect Your Digital Life: Why Strong Passwords Matter

Over the years, our lives have become more and more digital. Think about it: 20 years ago, no one was using banking apps, and social media had only just begun coming to fruition. Now, many of us rely on mobile banking to pay our bills, and we check our favorite social media platforms multiple times a day. Our lives exist almost entirely online, with our sensitive personal data shielded by password protection — from our financials to our official documentation, personal photos and more. With so much of our personal data relying on the strength of our online passwords, it’s vital that users stay up to date on the latest password security practices. As we take the time to recognize World Password Day, it’s important to think about why passwords matter and how you’re safeguarding your personal information online.

Think about all of the online data you have that is password protected: your email, your social media accounts, your online banking profile, your movie and TV streaming service, the list goes on and on. If you aren’t following best practices for password security and just one of your passwords is exposed or breached, this could potentially lead to cybersecurity turmoil. For example, an Android app that helped users find and connect to free Wi-Fi hotspots recently left its database of more than 2 million network passwords exposed. While the app claimed to only share public hotspots, many were found to be home wireless networks thanks to the precise GPS location data that was also stored in the database. Now imagine that one of the victims of this password exposure utilized the same credentials for their online banking profile. If their password ended up in the wrong hands, a cybercriminal could potentially access the user’s financial data, leading to fraudulent charges or even identity theft. As you can see, creating a strong and unique password could mean the difference between keeping your online data safe and being at risk of a cyberattack.

Many people just go through the motions when creating passwords instead of taking the time to consider what exactly their credentials are protecting. World Password Day is the perfect opportunity to be diligent about revamping passwords. Check out the following tips to take your password security to the next level:

  • See if your passwords have been exposed. Go to a site such as Have I Been Pwned to see if your password(s) have been compromised in a breach. Change them if you find that your credentials may have been jeopardized.
  • Layer up your passwords. Passwords should always contain a variety of capital and lowercase letters, numbers, and symbols. Today, many systems enforce password requirements during the account set-up process to ensure password strength.
  • Choose unique passwords across all of your accounts. Many consumers utilize the same password, or variations of it, across all of their accounts. This means if a hacker discovers just one password, all personal data is suddenly at risk. Therefore, it is crucial to diversify your passcodes to ensure hackers cannot obtain access to all of your accounts at once, should one password be compromised.
  • Use a password manager. Since it can be difficult to remember multiple complex passwords, use a password manager to keep track. With password managers, you’ll only need to remember one master password, in order to access the rest. Many password managers can also generate strong passwords to utilize when creating new logins.
  • Enable two- or multi-factor authentication. Two- or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers.
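The four password tips above (breach lookup, strength, uniqueness, generated passwords) as one runnable Python example. This is illustration added here, not McAfee's code. The breach check mirrors the k-anonymity range protocol of Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally), but it runs against a constructed sample response rather than the live API; the suffixes and counts in that sample are made up, except that the first suffix is the real remainder of SHA-1("password"). The vault contents are likewise constructed.

```python
"""Added example: local checks mirroring the World Password Day tips."""
from __future__ import annotations

import hashlib
import secrets
import string

# --- Tip 1: has this password appeared in a breach? -----------------------
# CONSTRUCTED sample of a Pwned Passwords range response for prefix "5BAA6"
# (the prefix of SHA-1("password")). Lines are "SUFFIX:COUNT". Only the
# first suffix is real; the other suffixes and every count are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00D4F6E8FA162B6C9A55C3ED8B2F1A7E5C1:2\r\n"
        "9F2C7B0A1E3D5C4B6A8F7E9D0C1B2A3F4E5:15\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> count mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=None) -> int:
    """How many times the password appears in the (sample) breach corpus.

    fetch_range(prefix) returns a response body; it defaults to the
    constructed sample above. Against the live service it would be a GET of
    https://api.pwnedpasswords.com/range/<prefix> (hypothetical here, not
    performed). The full password or hash never leaves the machine.
    """
    if fetch_range is None:
        fetch_range = lambda prefix: SAMPLE_RANGE_RESPONSES.get(prefix, "")
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Tip 2: does the password mix character classes (and is it long)? ------
def password_weaknesses(password: str, min_length: int = 12) -> list[str]:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    checks = {
        "no lowercase letter": any(c.islower() for c in password),
        "no uppercase letter": any(c.isupper() for c in password),
        "no digit": any(c.isdigit() for c in password),
        "no symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(name for name, ok in checks.items() if not ok)
    return problems


# --- Tip 3: is the same password reused across accounts? -------------------
SAMPLE_VAULT = {  # constructed account -> password mapping
    "email": "password",
    "bank": "password",
    "streaming": "Tr0ub4dor&3",
    "social": "correct-horse-battery-staple-42!",
}


def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Groups of accounts that share one password (passwords not returned)."""
    by_password: dict[str, list[str]] = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accts) for accts in by_password.values() if len(accts) > 1]


# --- Tip 4: generate a strong password the way a manager would -------------
def generate_password(length: int = 20) -> str:
    """CSPRNG-backed password that satisfies password_weaknesses()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_weaknesses(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for account, pw in SAMPLE_VAULT.items():
        print(account, "breached" if breach_count(pw) else "not in sample",
              password_weaknesses(pw))
    print("reused across:", reused_passwords(SAMPLE_VAULT))
    print("suggested:", generate_password())
```

The strength check enforces a 12-character minimum on top of the character classes the tip lists, because length contributes more to resistance against guessing than mixing classes does; `generate_password` uses the `secrets` module rather than `random`, which is not suitable for credentials.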

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Protect Your Digital Life: Why Strong Passwords Matter appeared first on McAfee Blogs.

World Password Day: Using a Passphrase to Strengthen Your Security

Human nature has shown that people re-use passwords, at least for non-work accounts that aren’t requiring quarterly changes. How can it affect your current security that you’ve reused an old password from 2012? Surprisingly, quite a lot. Hashed passwords and the plain text equivalent from a breached site can be paired with your then-username. Hackers […]

The post World Password Day: Using a Passphrase to Strengthen Your Security appeared first on The State of Security.

Smashing Security #126: Zombie chickens and fast-food victims

What’s the worst that can happen if you join a Hollywood hard man’s Facebook page? What drove a man to hijack a website’s name at gunpoint? And can you solve the mystery of the Canadian Hamburglar?

Find out in the award-winning “Smashing Security” podcast with Graham Cluley, Carole Theriault, and special guest Mark Stockley from Naked Security.

The Infamous Password

Passwords may not be the favourite piece of your workday, however, I have a theory – if I could share with you the value of a password and the reality of how simple they can be to create; then passwords may not be the monster you avoid. When you get the “your password expires in […]

The post The Infamous Password appeared first on The State of Security.

UK businesses are reporting fewer data breaches, but is this as positive as it sounds?

A third of businesses and a fifth of charities were hit by a cyber attack or data breach in the past year, the UK government’s Cyber Security Breaches Survey 2019 has found.

This is a marked improvement on the previous two years, in which 43% (2018) and 46% (2017) of businesses were breached, but it doesn’t tell the full story of the UK’s threat landscape. Although the number of organisations being targeted seems to be decreasing, those that are vulnerable to attacks are experiencing them more often, with two in five organisations saying that they come under threat at least once a month.

The threat is much higher among medium-sized businesses (60% being breached in the past year), large businesses (61%) and high-income charities (52%).

So why is this bad?

The fact that fewer organisations are being targeted by attacks is a major plus. The report says this may be because businesses and charities are going to greater lengths to become cyber secure. For example, it found that:

  • More businesses (57% vs 51% in 2018) and charities (43% vs 27%) update senior management on their cyber security actions at least once a quarter;
  • Cyber security policies are becoming more common in businesses (33% vs 27%) and charities (36% vs 21%);
  • Businesses (56% vs 51%) and charities (41% vs 29%) are more likely to have implemented controls in all five technical areas of the government’s Cyber Essentials scheme;
  • Staff awareness training is becoming more common in businesses (27% vs 20%) and charities (29% vs 15%);
  • Charities are getting better (60% vs 46%) at implementing measures such as health checks, audits and risk assessments; and
  • More medium-sized (31% vs 19%) and large businesses (35% vs 24%) have invested in cyber insurance.

These improvements have coincided with the introduction of the GDPR (General Data Protection Regulation), indicating that its compliance requirements are working.

However, the report suggests that it’s not as clear-cut as that, and that the seemingly positive conclusions might be hiding serious failures.

The effects of the GDPR

The report found that 30% of businesses and 36% of charities surveyed have made changes to their cyber security practices as a result of the GDPR. This is an incredibly low figure, given that the Regulation is mandatory and has been in effect for a year.

Even among those that have addressed the GDPR, very few have done so comprehensively. For example:

  • 60% of businesses and charities have created new policies;
  • 15% of businesses and 17% of charities have had extra staff training and communications;
  • 11% of businesses and 4% of charities changed firewall or system configurations; and
  • 6% of businesses and 10% of charities have created new business continuity or disaster recovery plans.

This suggests that, although the GDPR has benefited the small proportion that have implemented its requirements (at least partially), the majority of organisations have done little if anything to improve their cyber security practices.

This is probably a major reason that cyber attacks are becoming focused on a select group of organisations. Those that have implemented the GDPR’s requirements have protected themselves from most attacks, forcing cyber criminals to seek out more vulnerable targets.

The trend might also be explained by a change in the way organisations interpreted the survey’s questions. The government suggests that some organisations fear the repercussions of GDPR violations and might not admit to suffering cyber security breaches.

If this is true, those organisations are only making life harder for themselves. The GDPR was designed to improve transparency and make organisations take responsibility for cyber security.

Organisations that own up to data breaches (provided they weren’t caused by major security failures) have little to fear. Regulators and the public are becoming a lot more forgiving, and incidents occur with such regularity that they are practically inevitable.

However, that leniency is based on the assumption that organisations will be honest when it comes to their security measures. You can try to hide your security failures, but regulators will almost certainly discover them and levy severe fines.

Demonstrate your GDPR compliance with our documentation toolkit

One of the most important steps you can take to become transparent and accountable for your data protection practices is to document them.

The Regulation specifies that organisations must be able to demonstrate that they have adopted the necessary technical and organisational security measures, which means keeping a list of everything you’ve done, justifying why it’s been done and how often you’ve reviewed your measures.

This is a big task, but you can simplify it with our GDPR Documentation Toolkit. It contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents written by our expert practitioners, which you can use to prove that you have met the GDPR’s requirements.

The post UK businesses are reporting fewer data breaches, but is this as positive as it sounds? appeared first on IT Governance Blog.