Daily Archives: May 6, 2019

What Is DevOps Maturity, and How Does It Relate to DevOps Security?

By now, many organizations have turned to DevOps as part of their ongoing digital transformations. This process has not been the same for any two companies. Indeed, organizations have embraced DevOps at their own pace, and they’ve invested varying levels of time and budget into their nascent deployments. Such variety has helped shape organizations’ DevOps […]… Read More

The post What Is DevOps Maturity, and How Does It Relate to DevOps Security? appeared first on The State of Security.

Women and Nonbinary People in Information Security: Tricia Howard

Last time, I got to speak with social engineering expert Jenny Radcliffe. This time, I got to speak with cybersecurity-minded client manager Tricia Howard. I got to learn even more about social engineering from her plus quite a bit about the importance of user education.   Kim Crawley: Please tell me a bit about yourself […]… Read More

The post Women and Nonbinary People in Information Security: Tricia Howard appeared first on The State of Security.

Top Tips On Cyber Security for SMEs

Guest article by Damon Culbert of Cyber Security Jobs

Cyber criminals are a part of modern life. From Uber account hacks to major business data breaches, our online identities are rarely safe. And while big-name companies under threat often make the news, it’s small and medium-sized enterprises that are actually the biggest targets.

Large businesses and government departments may seem like more obvious hacking targets with bigger payoffs, but these organisations can afford much more robust, well-maintained and effective IT security measures, with cyber security professionals working round the clock. Because of this, cyber criminals are much more likely to go for easy targets like family businesses.

With the introduction of GDPR across Europe, all businesses are now much more responsible for the personal data they keep, meaning companies of all sizes can’t afford not to have at least the basic security measures in place. The UK National Cyber Security Centre (NCSC) has created a list of five principles as part of its Cyber Essentials Scheme. These are:

1. Secure your internet connection
2. Protect from viruses and other malware
3. Control access to your data and services
4. Secure your devices and software
5. Keep your devices and software up to date

All small businesses should know these principles and be putting them into practice, no matter how many staff they employ. In addition, here are a few other tips to keep hackers at bay which can be easily built into your business practices and keep the ICO (Information Commissioner’s Office) from the door.

Invest in Software and Hardware
While just functioning from day to day might be your only priority as a small business owner, investing in your technology will undoubtedly help in the long run. Keeping your software, such as antivirus software and operating systems, up to date will ensure that any vulnerabilities identified by the vendors are patched and there are no gaping holes in your cyber defences.

It might also be a good idea to invest in a good-quality back-up server and cyber insurance, so that if any personal data is ever compromised, your operations can simply switch to the back-up server without affecting your business. Cyber insurance will also help keep you covered in case any clients’ personal data is lost and costs are incurred.

Staff Awareness
Without the awareness of your staff, no amount of cyber security measures will keep your business safe. 90% of breaches happen because of user interaction, most commonly through phishing scams. Sophisticated phishers can impersonate senior members of staff in your organisation and trick other employees into handing over login details, authorising bogus payments or redirecting bank transfers.

Ensuring that staff are taught how to identify phishing scams, and even having experienced trainers come in to guide them through cyber security best practice, may seem like a cost you can spare, but it will go far in keeping the walls around your business impenetrable.

Compliance
The GDPR states that businesses who suffer a breach must alert the ICO and any customers who may have been affected within 72 hours of discovery. This is vital: although fines could still be handed out for failure to prevent a breach, these fines will be much higher if the ICO discovers that you kept the information to yourself for longer than the 72-hour period.

The average time it takes for an organisation to discover a breach is 229 days, so the time it takes for a breach to come to your attention is not going to work in your favour. However, regular reporting is likely to result in earlier identification, which will not only help you save time and money, but will also be a great trust signal to your clients that you take protecting their data seriously.

Pre-emptive planning
Security breaches are a ‘when’ not ‘if’ problem, so planning ahead is a necessity of modern business. 74% of SMEs don’t have any money set aside to deal with an attack, and 40% wouldn’t even know who to contact in the event of a breach. Having comprehensive disaster management plans in place will help keep you and your clients safe, keep your reputation in top shape and make sure you don’t have to pay out major money in the worst-case scenario.

Plan of Action
The best thing for SMEs to do is to start small and keep building their defences as time goes on, helping keep costs down and customers happy. Here’s a plan of action to get started:

1. Start with the basics: follow the Cyber Essentials Scheme and bake these principles into your daily operations.
2. Get an understanding of the risks to your business: check out the NCSC’s ’10 Steps to Cyber Security’ for more detail than the Cyber Essentials.
3. Know your business: if you still feel your data isn’t safe, research more comprehensive frameworks like the IASME standard developed for small businesses.
4. Once you have a complete security framework in place, build on the NCSC’s advice with more sophisticated frameworks, such as the NIST framework for cybersecurity.

Putin Signs Nationwide Internet Censorship Into Law

Russian President Vladimir Putin has signed a bill to create a separate Russian national internet.

The legislation is primarily focused on establishing an autonomous national system, separate from the internet used globally, which would have its own DNS system and would require all traffic in the country to pass through government monitoring. Putin has justified the move as mitigating the threat of interference by foreign governments in Russian politics.

The bill comes on the heels of several other measures passed by Putin’s government, largely aimed at curtailing internet freedom, including one passed in March that granted it the power to punish Russian citizens for insulting public officials, and another targeting “unreliable socially significant information.”

Civil libertarians and security experts alike say Putin’s project mirrors China’s massive censorship of the Internet, which is called the “Golden Shield Project” and the “Great Firewall.”

“It’s about being able to cut off certain types of traffic in certain areas during times of civil unrest,” said Russian author Andrei Soldatov.

The intended separation from the wider internet has also proven unpopular with Russians. A recent poll conducted showed only 23% approve of the legislation, and thousands of protestors demonstrated in Moscow in opposition to it earlier this year.

Read more about the story here.


The post Putin Signs Nationwide Internet Censorship Into Law appeared first on Adam Levin.

Vulnerability Spotlight: Multiple bugs in several Jenkins plugins

Jenkins is an open-source automation server written in Java. There are several plugins that exist to integrate Jenkins with other pieces of software, such as GitLab. Today, Cisco Talos is disclosing vulnerabilities in three of these plugins: Swarm, Ansible and GitLab. All three of these are information disclosure vulnerabilities that could allow an attacker to trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Jenkins and the associated companies to ensure that these issues are resolved and that updates are available for affected customers.

Read more over at the Talos blog here.

The post Vulnerability Spotlight: Multiple bugs in several Jenkins plugins appeared first on Cisco Blog.

Identity enhancements to support the more than 1 million active third-party applications on our platform

This week at //build 2019, we’re announcing several enhancements to our identity platform for developers. These enhancements are designed to support the more than one million active third-party applications using our identity platform each month and include:

  • Our work to unify the Microsoft identity platform across personal accounts and Azure Active Directory (Azure AD) accounts.
  • Our new unified app registrations portal.
  • The Microsoft Authentication Libraries.
  • Ability to use your GitHub identity to sign in to Microsoft products.

Head over to the Identity blog for a closer look at these enhancements for developers. If you’re at //build this week, stop by the Microsoft identity platform and Azure AD booths.

The post Identity enhancements to support the more than 1 million active third-party applications on our platform appeared first on Microsoft Security.

Developing connected security solutions

Many organizations deploy dozens of security products and services from Microsoft and others to combat increasing cyberthreats. As a result, the ability to quickly extract value from these solutions has become more challenging. This creates opportunity for developers to build solutions that augment and integrate security across products, services, tools, and workflows. With Gartner forecasting worldwide information security spending to exceed $124 billion by the end of 2019, the potential for developers in cybersecurity is significant and growing.

Developers at independent software vendors (ISVs), managed security providers (MSP/MSSPs), IT services and systems integrators (SIs), and enterprises can:

  • Solve integration and deployment challenges.
  • Extend capabilities to meet customer- or industry-specific needs.
  • Address security skills and staffing shortages through automation.

Using traditional paradigms, developers can build integrated apps with Microsoft APIs and SDKs. In addition, new options have emerged for security experts to develop security experiences, workflows, and analytics without writing any code. By supporting a diverse set of capabilities for security developers of all types, Microsoft enables them to:

  • Unlock value for Microsoft customers—Create solutions for the more than 19 million Microsoft Cloud customers, which includes 95 percent of Fortune 500 businesses, governments and startups.
  • Accelerate application development—Unified Microsoft Graph APIs simplify development across services and data connectors (like Azure Logic Apps, Microsoft Flow, etc.) provide code-free options. Samples and guidance make it easy to get started, and communities enable collaboration and learning.
  • Leverage the speed and scale of the Microsoft Cloud—Microsoft’s cloud platform and services enable developers to collect and analyze large amounts of varied security data and build apps at global scale.

How to develop connected security solutions

Microsoft offers a combination of APIs and services that can be used by developers. Both are supported by communities, where developers can collaborate with their peers.

APIs / SDKs

By sharing security insights and taking actions in real-time, integrated apps can streamline security management, improve threat protection, and speed response. Developers can leverage Microsoft APIs and SDKs to realize end-to-end scenarios for their apps using:

  • Microsoft Graph Security API to streamline integration across multiple security solutions to enable cross-product scenarios. Microsoft Graph Security API provides a single programmatic interface with a common schema and authentication model to simplify integration for these scenarios.

and / or

  • Direct APIs and SDKs to connect to individual services to enable product-specific scenarios.
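The cross-product scenario described above, as an added example that is not Microsoft's own code: a small Python triage routine that works on alerts in the Graph Security API v1.0 alert schema (the fields id, title, severity, status, createdDateTime and vendorInformation.provider are the documented ones it relies on). The sample alerts are constructed, not real data; the bearer token is a placeholder; and no network request is made, the block only builds the request pieces and processes a response body you would already have.

```python
"""Triage alerts from several providers via the Microsoft Graph Security API.

Added example, not Microsoft's code. Assumes the v1.0 alert resource fields
id, title, severity, status, createdDateTime and vendorInformation; the
alerts below are CONSTRUCTED samples and the token is a placeholder.
"""
from urllib.parse import quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
# severity values are the schema's enum; rank drives triage order
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}

# Constructed sample: the "value" array of a GET .../security/alerts response
# once two different providers have been mapped into the common schema.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious PowerShell command line", "severity": "high",
     "status": "newAlert", "createdDateTime": "2019-05-06T08:15:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"}},
    {"id": "a2", "title": "Impossible travel sign-in", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2019-05-06T09:40:00Z",
     "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"}},
    {"id": "a3", "title": "Malware blocked on endpoint", "severity": "low",
     "status": "resolved", "createdDateTime": "2019-05-05T22:10:00Z",
     "vendorInformation": {"provider": "Palo Alto Networks", "vendor": "Palo Alto Networks"}},
    {"id": "a4", "title": "Anonymous IP address sign-in", "severity": "high",
     "status": "inProgress", "createdDateTime": "2019-05-06T07:00:00Z",
     "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"}},
]


def alerts_url(severity=None, top=50):
    """Build the GET URL using the OData query options the API accepts
    ($filter, $top, $orderby). Spaces are percent-encoded; $, = and ' kept."""
    params = [f"$top={top}", "$orderby=createdDateTime desc"]
    if severity:
        params.insert(0, f"$filter=severity eq '{severity}'")
    return GRAPH_ALERTS + "?" + "&".join(quote(p, safe="=$'") for p in params)


def request_headers(token):
    """One OAuth 2.0 bearer token covers every provider's alerts: that is the
    single authentication model the passage refers to. Token is a placeholder."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def open_alerts(alerts):
    """Unresolved alerts first by severity (high to low), then oldest first so
    nothing high-severity sits unattended."""
    unresolved = [a for a in alerts if a.get("status") != "resolved"]
    return sorted(
        unresolved,
        key=lambda a: (-SEVERITY_RANK.get(a.get("severity", "unknown"), 0),
                       a["createdDateTime"]),
    )


def count_by_provider(alerts):
    """How many alerts each upstream product raised, using the common schema's
    vendorInformation.provider rather than per-product field names."""
    counts = {}
    for a in alerts:
        provider = a.get("vendorInformation", {}).get("provider", "unknown")
        counts[provider] = counts.get(provider, 0) + 1
    return counts


def status_update(alert, status, assigned_to):
    """Body for PATCH .../security/alerts/{id}. status and assignedTo are the
    writable triage fields; vendorInformation is echoed back because the API
    requires it in an update so it can route the change to the right provider."""
    return {
        "status": status,
        "assignedTo": assigned_to,
        "vendorInformation": alert["vendorInformation"],
    }


if __name__ == "__main__":
    print(alerts_url("high"))
    print(request_headers("PLACEHOLDER_TOKEN"))
    for a in open_alerts(SAMPLE_ALERTS):
        print(a["severity"], a["createdDateTime"], a["id"], a["title"])
    print(count_by_provider(SAMPLE_ALERTS))
    print(status_update(SAMPLE_ALERTS[0], "inProgress", "soc-analyst@example.com"))
```

With a real token, `alerts_url()` and `request_headers()` are what you pass to your HTTP client; the triage functions then run unchanged over the `value` array of the JSON response, whichever products fed it.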

Services

Microsoft provides a rich set of services to power integrated security event management, analytics, investigation, and automation. Developers can build experiences, workflows, and analytics on top of the following services to deliver additional value to customers:

  • Azure Sentinel is a cloud native Security Information and Event Management (SIEM) service. With Azure Sentinel you can connect various data sources for security monitoring and analysis, author detection queries to mitigate threats, and build workflows to enable security automations, dashboards for reporting, and machine learning models for threat detection.
  • Azure Logic Apps and Microsoft Flow—For workflow automations and orchestrations.
  • Azure Notebooks and Power BI—For analytics and reporting.

Communities

Open-source communities on GitHub enable developers to easily share code samples, detection rules, machine learning models, playbooks, tools, and more. These communities enable collaboration with other security experts to learn and share. A security developer GitHub community serves as a starting point to share code, libraries, notebooks, workbooks, and queries for connected experiences, as well as a resource to find related communities.

Get started today

Here are a few resources to help you get started:

  • A new Developer’s Guide to Building Connected Security Solutions offers a primer for those who want to build apps, workflows, and analytics that integrate with Microsoft security solutions. In addition to introducing the Microsoft APIs, services, and communities available to developers, the guide offers detailed guidance on when and how to use each one and what technology and integration option best aligns with your desired scenario and application type. Download the guide.
  • Visit the GitHub community to learn from and share with other security developers.
  • Attend the Microsoft Build session, “Building apps that integrate, automate, and manage security operations,” Wednesday, May 8, at 5 PM.

The post Developing connected security solutions appeared first on Microsoft Security.

GDPR and Data Breach Risks: An Interview with Bogdan Manolea of ApTI

May 2018 brought on the mandatory implementation of GDPR regulations for Europe, but, de facto, for the entire world since European users can freely roam across the internet of pretty much all countries.

To the consternation of virtually everyone else around the world, lots of companies and websites located outside the EU had to review and restructure not just the text of their privacy policies, but their actual data collection practices.

GDPR One Year Later: An Interview with Bogdan Manolea

Now, a year later, on the law’s first anniversary since its implementation, I decided to have a talk with someone who understands much more about it than me, namely Bogdan Manolea from the Romanian Association for Technology and Internet (APTI) and from Trusted.ro (the third-party seal of approval for e-commerce websites, vouching for their safety and honesty following independent tests).


Bogdan Manolea delivering a conference talk. Photo credit: CristalStudio.ro

He doesn’t like the word expert, but I don’t really know how to introduce him without using the word. Let’s just say he’s the first person who comes to my mind whenever I have issues and doubts regarding digital rights in general (not just the very recent GDPR).

Here’s what we talked about and what his answers were. [The interview was a bit edited for length and clarity.]

1. As a GDPR expert, what’s your take on how this law was implemented in Europe and beyond, now, almost one year later since its principles became enforced?

First, I hate the words “GDPR expert”. I don’t understand how you can be an expert in a law that was adopted three years ago and started to be implemented one year ago. This is just marketing bullshit, IMHO.

Moreover, the truth is that data protection has existed for a long time in Europe as a specific domain, and the Council of Europe Convention 108 on automatic processing of personal data has existed since 1981. Even the first EU directive dates from 1995.

So, the fact that some media picked up the subject only recently or that companies have become much more aware since the huge fines from GDPR were advertised, that is just their problem.

But the concern for privacy and personal data protection, including specific legislation on the matter, has existed in Europe for decades. Even the principles are almost the same as in 1981.

The need for a law more in line with the digital processing of personal data has been discussed for years, and the digital rights groups from Europe (including myself from APTI in Romania) have been active in pinpointing the limits of the previous directive from 1995 and asking for better legislation that is uniform across the entire EU. This is why GDPR was adopted in 2016 and started being applied in 2018.

So the principles should have been enforced for some time, actually. The fact that we are still discussing how companies are implementing the data protection principles after decades of laws in this domain shows us that the legislation was basically inefficient, to a large extent.

2. Do you think companies have mostly adapted to this new framework, by and large? Have you noticed a great array of differences in how various categories of businesses implement GDPR? For example, companies from a certain niche versus others in a different niche, or based on company size, or on their location?

It would be almost impossible for one person to have a pan-European overview of how GDPR was implemented so far. The situation depends on so many factors – size, niche, location, country, compliance with previous legislation, the quantity of data collected, etc.

From my empirical evidence, there is a very wide range of compliance – from a high level of compliance in multinationals that are more used to compliance mechanisms and new regulations, especially if they come from countries with traditionally strong data protection regimes (e.g. Germany), to no compliance at all in SMEs [n. a – Small to Medium Enterprises] that do not use digital tools and are in one of the countries where the DPA (Data Protection Authority) is very weak in its enforcement.

3. So what would be in your opinion the good and bad in GDPR implementation so far?

The good thing with GDPR is that it forced companies to think more (in depth) about the personal data they are collecting in order to answer the basic questions posed by GDPR (What data? How do we collect it? For what purposes? For how long? Etc.)

There are several bad things that are worrying me:

  • The risk of missing the purpose and scope of GDPR. Instead of protecting the personal data of European citizens, we might create a layer of bureaucracy which does little for achieving this aim;
  • The absolute need for simplification and guidance for SMEs in understanding the exact steps to be done for compliance on data protection;
  • The crucial role of the DPAs in implementing the GDPR. With a dormant DPA, GDPR seems like just a nice story, with no real effects.

4. What’s the number one mistake companies can make when it comes to preventing data breaches?

There are a lot of actions that can be done and it depends on the size of the company and the importance of the data that is being processed.

But one thing that strikes me personally, in almost all companies, as a measure that is easy to do and could save a lot of hassle later, is disk encryption by default (before booting the OS) of all mobile devices (laptops, mobile phones, and tablets).

I mean, these types of devices are being lost or stolen regularly all over the world. This is just human nature and it is very possible to happen to your company sooner or later. It’s almost impossible not to have any personal data on them. But still, very few companies have a mandatory policy of having all their mobile devices encrypted by default.


Bogdan Manolea delivering a conference talk. Photo credit: CristalStudio.ro

5. How about the number one mistake they may make once a data breach has already occurred?

Probably to panic. 🙂

This is why it is helpful to have a data breach procedure and to test it from time to time. Especially in big companies, this should be a must.

6. I don’t mean to sound fatalistic, but do you think there’s a certain unavoidable component to data breaches in this new law framework? Can a company avoid penalties with a certainty of 100% through preparation? I, for one, certainly hope so & think so, but I think there are a lot of defeatist voices among company reps having a hard time adapting to the new rules.

Of course, it is unavoidable. The question about data breaches is when it will happen, not if it will happen. If it never happens, then you’re very, very lucky or you just don’t know about it.

But this is why if you report a data breach, it doesn’t automatically mean that you will be fined. Look at the numbers compiled by our colleagues from civil society (based on FoI requests to DPAs) from all over the EU and you will see this is true. But it also shows that probably the level of reporting is very different from one country to another.

You can see the table of facts and figures here.

So, in Romania, for example, by March 2019 414 data breaches had been reported and, as far as we know, there hasn’t been any fine yet.

7. Do you know if the position of Data Protection Officer was actually created within companies, on a significant scale? As in, did companies really hire a person to fulfill this role alone, without other ‘merry weather’ responsibilities?

First, let me emphasize again that not all companies need a DPO. Article 37 of the GDPR makes it clear that private companies must employ a DPO in only two situations:

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.

Also, the DPO can be external, you don’t have to have an internal staff role for this.

Moreover, GDPR doesn’t say that they must do only that – however, it is worth emphasizing that a DPO may have other tasks that are in a conflict of interest with this position – for details see Art 29 with regard to DPOs – Chapter 3.5.

8. What do you think of the new laws the US authorities are striving to adopt soon regarding data protection? I know there are some debates within the US to adopt new laws, but EU representatives are a bit critical of American efforts so far.

I haven’t followed the topic too closely, but what I can point out is that the EU is actually the most advanced globally in the field of data protection legislation, so it is starting to “export” this legislation to several other areas, not just to the US.

Also, I think that California, with this act, may be more advanced than other US states in these activities.

9. What’s your number one piece of advice to companies trying to navigate the post-GDPR framework of digital consumer rights?

From a privacy advocate perspective, I think there are two basic things all companies should do:

  • Do an analysis of what data you collect and whether you can live without it (thinking about your users and their rights, not with the idea “it might be helpful in the future, who knows?”). This is part of the “data minimization” direction within GDPR, and if you do it properly you can actually collect less data (renouncing those bits that might have been collected for an unclear purpose anyway.)
  • Keep your users informed about what you do with their data. Article 29WP has a pretty simple table as an Annex to their Opinion on transparency, which is a great guide.

For Romanian readers, I’ve written a very user-friendly guide here, on the topic of protecting yourself from conflicts with your consumers over data privacy.

10. Finally, do you have a remarkable data breach story to share, one which we could all learn a bit from? What’s the most interesting/crazy/serious/impressive case of data breach fulfilled (or averted) that you heard of?

What is remarkable for me is the long history of Facebook data breaches from the past couple of years (see the latest), some with ridiculous mistakes (Plaintext passwords? Really?) and how they got away with it. So far, at least…

Thank you, Bogdan, for your time and answers.

The post GDPR and Data Breach Risks: An Interview with Bogdan Manolea of ApTI appeared first on Heimdal Security Blog.

Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder

Calico Jack, Captain Blood, and Blackbeard. So many recognizable stories, books, and movies have been made about the period of stealing and looting exemplified by the golden age of piracy. Time will tell whether we see such romanticized stories of dashing rogues based on the new golden age of criminality that we now live in. In fact, if you look at the FBI’s statistics, the internet has enabled cybercriminals to increase their ill-gotten gains by 700% in 10 years (2007-2017). To put that in perspective, when pirates looted and plundered their way across the seven seas, the top 20 pirates ever stole about $615.5 million when adjusted to 2017 dollars. Flash forward several hundred years and compare that to the takings from cybercrime in the US alone, where the FBI has just released new estimates of losses exceeding $2.7 billion in 2018!

In this series of blogs, I’ll be exploring cybercrime and fraud, outlining some of the strategies that you can adopt to help mitigate risk, and how you can use Cisco products and technologies to help implement those strategies.

So, let’s delve into this golden age of criminality in a little more detail. First, it’s important to realize that the scale of this illicit profit has brought with it a tremendous amount of professionalism. This is illustrated by the fact that while losses have increased 700%, the number of incidents has only increased by 50%, resulting in a much higher loss per incident. Of course, the FBI only has a US-centric view, so how representative is it globally? If we consider research from the Center for Strategic and International Studies (CSIS), the estimated global cost of cybercrime is 0.59% to 0.8% of GDP ($445 billion to $608 billion). Furthermore, if we then compare that to the value that the UN Office on Drugs and Crime (UNODC) assigns to the global cost of the illicit drugs trade, 0.5% to 0.6% of GDP, you realize that the cybercrime market is at least as big as, if not bigger than, the global trade in illicit drugs! With such profits obtained at risks that are a fraction of those in other criminal enterprises, it’s easy to see why cybercrime remains an attractive and growing area for professional criminals.

So how much could it continue to grow? Are we already at peak cybercrime? In October 2017, BITKOM (German Association for Information Technology, Telecommunications and New Media) published a survey that showed 49% of German internet users had been a victim of cybercrime. Compare this to an analysis from the US Department of Justice on the Lifetime Likelihood of Victimization, which estimated that 99% of people would be a victim of robbery at least once and that 87% of people would be a victim 3 or more times, and you can see that, depressingly, there appears to remain a significant growth prospect for cybercrime.

So what’s driving this explosive growth in cybercrime? Interestingly enough, it’s actually a new form of a very old crime: fraud. And by old, I mean really old! They say the earliest recorded form of fraud is the story of Hegestratos in 300 BC! Hegestratos took out a large loan for cargo secured against the value of his ship. When the ship arrived and the cargo was sold, the lender would be repaid with interest. If the loan was not repaid, the lender had security in the form of the ship. However, if the ship sank, the lender lost both the loan and the security. Needless to say, Hegestratos figured it was easier to sink the ship, save the cargo and sell it, and pocket the loan for good measure! What’s remarkable is how, since those days, fraud has evolved as time, technology and, most importantly, the law have advanced. After all, why even bother going to all the trouble of having a ship if you can just pretend to have one? This was made an offense in the UK as early as 1541 (obtaining property by false or counterfeit token). Once again, fraud evolved, so that by 1757 the law needed to be updated to the broader concept of false representation. In the US, with its larger geography, the symbiotic evolution of fraud, technology, and the law is even clearer: counterfeiting laws of 1797 evolved into false claims in 1863, mirroring the evolution of the law in the UK, before mail fraud had to be added in 1872 and then wire fraud in 1952. At each stage you can see how criminals are the first to adapt and exploit the opportunities new technology provides for fraud before the defenders can catch up.

Today, little has changed, as we continue to see the same scenarios playing out. According to the German Federal Police division responsible for crime, the Bundeskriminalamt (BKA), 99.4% of all recorded cybercrime losses come from fraud. The emphasis here is on recorded losses, as the BKA makes some great points about the difficulties in truly quantifying cybercrime losses, especially intangible losses such as reputational or brand impact. Cross-referencing these numbers with the annual Internet Crime Report from the FBI Internet Crime Complaint Center (IC3), some quick addition reveals that all forms of fraud accounted for approximately 85% of the overall number, validating the BKA’s approach. In fact, the IC3 specifically calls out the losses associated with two specific forms of fraud known as Business Email Compromise (BEC) and Email Account Compromise (EAC). These are two variations on a fraud in which the criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds.

The classic example of this is when the person responsible for finance or payment of suppliers receives an email purportedly from the Chief Executive Officer (CEO) demanding the urgent payment of a supplier via wire transfer. Of course, the email isn’t from the CEO, and the account details are nothing more than an account held by another unsuspecting person who will transfer the money on again. By the time the fraud has been identified, the money has moved several times through various accounts, and potentially countries, and will rarely be recovered. Emphasizing the earlier point regarding the professional nature of this type of crime, the FBI said the perpetrators are “transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers” who “may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.” The gains for the criminals are staggering: in its 2016, 2017 and 2018 reports, the FBI IC3 identified it as a hot topic and estimated the losses in 2018 were nearly $1.4 billion.

How does this compare with losses from other forms of cybercrime? Well, in 2018, the FBI statistic for losses due to another popular form of cybercrime, the classic corporate data breach, was $117.7 million, or 8% of the loss due to BEC/EAC. Looking at the state of California within the FBI statistics, we see that BEC/EAC is the single biggest cause of losses, accounting for 33% of the overall losses due to any form of cybercrime. So, has this risk peaked? Well, examining a survey from the credit agency Experian, you can see that 72% of businesses had a growing concern about fraud in 2017 and 63% of them had experienced the same or higher losses due to fraud, pointing to a real and growing risk. It’s worth bearing in mind that despite the FBI’s estimated total losses from BEC/EAC now exceeding $5 billion, the losses increased 78% between 2016 and 2017 and again by 92% between 2017 and 2018. Bad as it is, things may continue to get a lot worse.

So, what is to be done? In the next blog post, I’ll be talking about some of the strategies, products, and technologies that can help address and mitigate the issues I discussed in this blog. Of course, I welcome your thoughts, comments and feedback, so please do take the time to let me know what you think!

The post Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder appeared first on Cisco Blog.

Episode 486 – The Different Types Of Malware

The word malware is used very broadly for any type of malicious software. This episode breaks down malware and talks about the different types you can come across. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to subscribe to the Security In […]

The post Episode 486 – The Different Types Of Malware appeared first on Security In Five.

Fraudsters Targeting Consumers with One-Ring Phone Scams

Fraudsters are targeting consumers with one-ring phone scams that exploit people’s curiosity so as to trick them into paying exorbitant fees. According to the U.S. Federal Communications Commission (FCC), this scam oftentimes begins when a fraudster contacts an unsuspecting consumer using a one-ring phone call. Many of these calls appear to originate from phone numbers […]… Read More

The post Fraudsters Targeting Consumers with One-Ring Phone Scams appeared first on The State of Security.