Author Archives: Bianca Soare

What Are The Cybersecurity Issues With Remote Work

Remote work has become a highly popular and common practice around the world. According to the latest International Workplace Group report, 50% of employees globally are now working outside of their main office headquarters for at least 2.5 days per week. 80% of the same survey respondents indicated that out of two similar employment offers, they would decline the one that doesn’t offer the remote work possibility. What’s more, 75% of people consider flexible working to be the new normal. So it’s clear that remote work is here to stay.

However, while this practice increases flexibility, improves productivity and enhances work-life balance, there’s a downside to it. The problem here is that there are real cybersecurity issues with remote work that put your company’s sensitive data at risk.

Cybersecurity and Remote Work Statistics

In a recent study, OpenVPN reported that 90% of IT professionals believe remote workers are not secure. At the same time, over 70% think remote staff poses greater risk than onsite employees. So, the good news is that experts are actually acknowledging the security risks of remote work and this is the first step towards addressing the issue.


The Cybersecurity Issues with Remote Work

You may have a fully remote workforce, people who work from home from time to time, or employees who frequently go on business trips. And without a doubt, it’s more difficult to take care of their security than it is to manage your on-site endpoints.

Here are three bad habits your remote workers may have that endanger your organization:

1. Accessing sensitive data through unsafe Wi-Fi networks

Your employees could be connecting to their home wireless network or accessing their corporate accounts using unsecured public Wi-Fi. This way, malicious actors nearby can easily spy on their connection and harvest confidential information. For instance, data sent unencrypted, in plain text, might be intercepted and stolen by cybercriminals. For this reason, your employees should not be allowed to access any unknown Wi-Fi networks unless they are using a VPN connection.

2. Using personal devices for work

46% of employees admitted to transferring files between work and personal computers when working from home, which is a worrying practice.

At the same time, a trend of allowing employees to use their personal devices at work, commonly referred to as “Bring Your Own Device” or BYOD policy, has appeared.

You need to be fully aware of the issues that arise when your employees use their personal devices for work-related matters. For instance, they may suddenly leave the company and hold on to the confidential information that was stored on their device during their employment, and you will not get the chance to erase it.

What’s more, they may not be keeping their software up-to-date, which opens up security holes in your environment. We keep stressing the importance of applying software patches in a timely manner and for a good reason.

Consequently, we would advise against letting your employees use their personal devices at work since it would be difficult for you to control what happens on their endpoints.

3. Ignoring basic physical security practices in public places

Even if cybersecurity is our focus, we can’t completely leave physical security behind when it comes to your company’s sensitive information. For example, employees may talk loudly on the phone while working in public places, expose their laptop’s screen for the entire crowd inside a café to see, or even leave their devices unattended.

Teach your employees even the most basic security measures, even if they may seem like common sense at first glance. A friendly reminder for them not to expose the data of your business will always be of great benefit.

Creating a work-from-home security policy

So, how do you protect your company’s private data when you can’t fully control the devices used to access your network? Where should you start to make sure your remote workforce is secure?

The first step is to create a security policy specifically designed for remote workers. 93% of the IT professionals interviewed in the OpenVPN study already have a formalized remote work policy in place, and this is quite impressive and reassuring.

Below are the essential security clauses that should be included in your remote work policy:

  • Clearly define which positions are eligible for remote work.

Be transparent towards your employees. Everyone should be aware of which job functions are allowed to work remotely and which are not due to security reasons. Unfortunately, not every position is a good fit for remote work. If you don’t have a clear guide in place, chances are your work-from-home approvals will be judged as unfair.

  • List the tools and platforms they should be using.

Both your remote and on-site employees should be on the same page at all times and use the same approved tools, such as cloud storage platforms, communication/video conferencing tools, project management tools, etc.

  • Provide employees with steps to follow at the first signs of account compromise.

If they believe the company’s information has been compromised, they should have a clear guide to follow, such as where they should report the incident, be instructed to immediately change their passwords, etc. These steps should be included in their mandatory cybersecurity training, alongside other items such as how to create strong passwords.

What Solutions Your Remote Workforce Should Use For An Increased Security

Here are the fundamental tools that both your regular and remote employees should have installed on their devices:

1. Multi-factor authentication

This type of authentication will act as an additional layer of security on top of your remote employees’ accounts. The more security layers in place, the lower the risk of a cyber-criminal gaining access to your sensitive systems.

2. Password Manager

Besides multi-factor authentication, in regards to passwords, your employees should also be using a password manager. This way, they will not need to remember all of the different passwords that they need to set up for their work-related accounts.

3. VPN

VPN connections are crucial when your employees connect to unsecured networks, such as Wi-Fi hotspots, even when they work from home. It’s recommended that your employees use your company’s VPN. This tool routes their traffic over the internet through your organization’s private network, ensuring even more security. Basically, anyone who tries to intercept the encrypted data will not be able to read it. This way, your employees will also be able to connect to your company’s intranet, the private network designed to be used only by your company’s staff (in case you have one).

4. Firewall

A firewall will prevent unauthorized access to and from the network, further strengthening the security of your employees’ devices. What firewalls do is they monitor network traffic, at the same time finding and blocking unwanted traffic. So, firewalls are important tools that will protect your remote endpoints against various cyber threats.

5. A strong EDR solution

Last but not least, your system administrators should be able to see the exact details of your endpoints at all times. This is why it’s recommended you deploy a complete endpoint detection and response (EDR) solution, that will allow you to remotely prevent next-gen malware, data leakage, respond quickly to threats, and automatically manage software deployment and patching.

Conclusion

It’s crucial for you to remain innovative and competitive in the current business landscape and allowing your employees to work remotely is definitely a necessary step. Yet, remote work comes with security risks that you should address before you allow anyone to work from outside the office – no matter if we’re talking about permanent remote workers or the ones who do it just a few hours per month. However, only when you will correctly respond to this challenge, will you be capable of fully seizing this opportunity that increases talent retention, productivity, and improves your staff’s work-life balance.

The post What Are The Cybersecurity Issues With Remote Work appeared first on Heimdal Security Blog.

Password Mistakes You and Your Employees Are (Probably) Making

Your employees might already be aware of a few password security practices. But are they actually following the latest recommendations? In fact, are you aware of what makes up a strong password policy? Both you and your employees could be (unknowingly) making common password mistakes and applying antiquated password security guidelines. So, keep on reading to make sure you’re in alignment with the most recent password requirements.

In this article, I’m going to share with you pieces of advice on how you can prevent the most frequent password mistakes and how you can create a strong password policy for your organization.

Some of the points covered in this article may seem controversial at first glance and completely out of sync with the password security rules that we’ve all grown accustomed to by now. Nonetheless, they are supported by the latest password guidelines released by The National Institute of Standards and Technology (NIST) – NIST 800-63-3: Digital Identity Guidelines. For those unfamiliar with this institution, to give you a quick background, they are a non-regulatory federal agency within the US Department of Commerce, whose guidelines oftentimes have built the foundation of the security industry’s standards.

The NIST paper isn’t new. In fact, it was released more than two years ago. Yet, many organizations still seem to be ignoring it and this is why we’ve decided to bring it into the spotlight and present their instructions on password security.

What are the Best Practices for Creating a Strong Password Policy?

Older NIST password security guidelines required enforcing policies such as using highly complex passwords, changing them regularly, and forbidding password reuse. However, their newest guide is based upon a quite radically different approach.

Does this mean that your employees should be setting their passwords to “Password1234” and never change them?

Of course not. This new approach is focused on making password management easier and more user-friendly. It has been created based on studies showing that very strict password policies only lead to poorer password habits.

Below you will find password security recommendations that will make it slightly easier for your employees to comply and for you to keep your business secure. So, here is what you should do to promote healthy password security management among your employees based on NIST’s recommendations:

#1. Stop asking your users to change their passwords on a predefined schedule

First of all, your users will be thankful that they won’t have to create new passwords and remember the new ones every 90 days (or even more frequently). Most of them do not even change their passwords entirely anyway and only add an extra character at the end every time they are required to modify them. So how does this practice reinforce password security?

Periodic password resets were introduced in order to reduce the period of time a system is exposed due to an account potentially being compromised. But why change passwords if there is no suspicion of a breach? Useless password resets burden users and create additional tasks for sysadmins if, for instance, your employees forget them and require password resets.

So, how often should your users change their passwords?

According to NIST, passwords should NOT be changed unless there is evidence of a data breach or any reason which shows a specific account has been compromised. In other words, only when there is a possible danger related to an account should password resets be mandatory, rather than making your users change their passwords on a predetermined schedule.

However, it’s really important for you to provide your specialists with the proper cybersecurity tools to monitor users’ activity and identify compromised accounts in real-time.

Microsoft has removed the password expiration policies from their Windows 10 security baseline. Here is what they wrote on their blog:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

[…]

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines. 

Aaron Margosis, Microsoft Security Guidance blog

#2. Encourage your users to select long and easy to recall passphrases

It’s time to move beyond complicated passwords based upon highly complex construction rules. It will be much easier for people to remember phrases that actually make sense to them instead of memorizing strings of completely random characters. However, the passphrase should not be something too obvious and tightly related to something which defines them as individuals (and might also be at hand for malicious hackers on social media).

Traditional Passwords

Highly complex string of random characters

Example: *Ajh{df0s_SF(8aLsV9(fkj@<;sK+

NIST Passwords

Long and memorable passphrases

Example: “It’s so easy to create strong passwords with NIST’s guidelines!”
Example: “I’m really looking forward to this year’s holiday season.”

Of course, longer passwords composed of various types of characters are more difficult to decipher from a cryptographic standpoint. Nonetheless, traditional password construction rules make them harder to remember and seem only to push users towards choosing insecure passwords. According to NIST, IT systems should allow passwords with a minimum of 8 and a maximum of 64 characters, and accept all kinds of characters, including punctuation and spaces. The minimum required password length proposed by NIST is still 8 characters.

Many password-related attacks are not affected by password length and complexity at all. Unfortunately, complicated passwords completely fail when it comes to social engineering attacks, credential stuffing, keyloggers, or phishing/spear phishing, but this is a whole different subject that I’m not going to dive into in this article.

#3. Implement multi-factor authentication

NIST’s guidelines also advise on the implementation of multi-factor authentication, which can considerably increase security without further burdening users with complex requirements. Multi-factor authentication encompasses a wide range of authentication technologies, such as biometrics, smartphone apps/codes received via text messages, or token devices which will provide an additional layer of security.

#4. Cross-check passwords with password dictionaries

A password validation dictionary that contains commonly used and insecure passwords is also necessary. This way, unsafe passwords will be automatically rejected by your system.

Let’s say a user creates a password of the minimum required length that also happens to be highly insecure. And let’s suppose that the password will not be prohibited by the restricted passwords list, yet the chosen password can be easily hacked.

Since NIST does not provide a list of “bad” passwords, organizations should create their own notorious passwords databases and constantly update them. According to the paper featured in the ISACA Journal, the open-source repository “SecLists” on GitHub or the password validation tool “NIST Bad Passwords” can be good starting points for you to create your own internal password dictionary.

Also, the same publication advises against forgetting about context-specific passwords. For instance, you should take into account the usage of a user’s own name, the company’s name or anything closely related to the organization they are part of.

In essence, a generic password dictionary will not be able to block anything related to an individual user, which brings us to the next point.

#5. Constantly revisit and update your password policy

Unfortunately, a one-size-fits-all approach when it comes to password policies is not advisable. Every organization must create a policy that covers custom password restrictions and revise them constantly. What’s more, if a data breach ever takes place, all compromised passwords must be included in the forbidden passwords list.
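The checks described in points #2, #4 and #5 can be combined in one validator. The following is an added example, not code from NIST or from this blog: the class name, the reason codes, the trailing-character and context-word heuristics, and the sample lists are all assumptions made for illustration.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # length bounds quoted in the article


def normalize(text):
    """Case-fold and NFKC-normalize so 'Password' and 'PASSWORD' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def strip_suffix(norm):
    """Drop trailing digits and symbols: 'password1234!' -> 'password'."""
    end = len(norm)
    while end and not norm[end - 1].isalpha():
        end -= 1
    return norm[:end]


class PasswordPolicy:
    """Hypothetical validator; reason codes and heuristics are assumptions."""

    def __init__(self, dictionary, context_terms=()):
        # dictionary: commonly used passwords; context_terms: company-related words
        self.blocked = {normalize(p) for p in dictionary}
        self.context = {normalize(t) for t in context_terms if len(t) >= 3}

    def add_breached(self, passwords):
        """Point #5: passwords exposed in a breach join the forbidden list."""
        self.blocked.update(normalize(p) for p in passwords)

    def check(self, password, user_terms=()):
        """Return a list of rejection reasons; an empty list means accepted."""
        reasons = []
        # Length only: no composition rules, every character type is allowed.
        if len(password) < MIN_LEN:
            reasons.append("too_short")
        if len(password) > MAX_LEN:
            reasons.append("too_long")

        norm = normalize(password)
        if norm in self.blocked:
            reasons.append("in_dictionary")
        elif strip_suffix(norm) in self.blocked:
            # A listed password with extra characters appended at the end.
            reasons.append("dictionary_variant")

        # Context-specific words: remove them and see how much password is left.
        terms = self.context | {normalize(t) for t in user_terms if len(t) >= 3}
        remainder = norm
        for term in sorted(terms, key=len, reverse=True):
            remainder = remainder.replace(term, "")
        if remainder != norm and len(remainder) < MIN_LEN:
            reasons.append("context_specific")
        return reasons


def demo():
    # Constructed sample data, not a real password list.
    policy = PasswordPolicy(
        dictionary=["password", "123456789", "qwertyuiop", "letmein"],
        context_terms=["examplecorp"],
    )
    policy.add_breached(["correct horse battery"])
    candidates = [
        ("Password1234", ()),
        ("letmein", ()),
        ("ExampleCorp2019!", ()),
        ("jordan-jordan", ("Jordan",)),
        ("correct horse battery", ()),
        ("I'm really looking forward to this year's holiday season.", ()),
    ]
    return {pw: policy.check(pw, user) for pw, user in candidates}


if __name__ == "__main__":
    for pw, reasons in demo().items():
        print(f"{pw!r}: {reasons or 'accepted'}")
```

In production the dictionary would be loaded from the organization's own maintained list, and `user_terms` would come from the account record (name, login, e-mail local part).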

#6. Train your users

Last but not least, make sure that in your cybersecurity training sessions you teach your employees how to form passwords based on the most recent NIST guidelines. After they’ve been properly trained, they should be able to correctly identify which passwords are secure and which ones are not.

Key Takeaways

  • Recommended Password Length — 8-64 characters.
  • Character types — All available characters are allowed and encouraged.
  • Multi-factor Authentication — Highly encouraged.
  • Password Construction — Long passphrases instead of complex passwords are recommended. There must be no match between them and the password dictionary.
  • Password Reset Frequency — Only if the password is forgotten or at first signs of compromise.

Examples of Password Mistakes Made by Your Employees

I’ve already gone through password construction rules, but there are more best practices in regard to password security that your employees should follow. They may seem obvious to most people. However, be certain you still include them in your cybersecurity training sessions as a reminder.

#1. Reusing the same password

Your users may be using the same passwords for different business-related accounts – for instance, for their email login account and an online third-party service where they registered with their corporate email address. If that specific website gets hacked, chances are that cyber-attackers will use their passwords to try to log into their accounts. This tactic is called credential stuffing and is a practice highly employed by cybercriminals.

What’s more, another mistake can be reusing a password they’ve set up for a personal account on their business account, since the same type of attack could easily happen.

#2. Sharing passwords

Needless to say, your employees’ passwords must always remain confidential. They should never share them with other employees or members outside of your organization.

#3. Not using a password manager

We can all agree on the fact that remembering a different password for each account is a hassle, especially for third-party websites. However, when using password managers, your employees will only need to remember the one used to access their password manager, where all their passwords are stored.

#4. Skipping multi-factor authentication

Multi-factor authentication can dramatically reduce fraudulent login attempts, so make sure that you’ve set up this option on your organization’s accounts and that your people do not have the possibility to skip it!

#5. Changing a single character of the password after suspecting the account has been compromised

If cybercriminals have managed to guess their password and the new one is just slightly different, chances are the password is going to be hacked once again. So, make sure your users understand and apply the password security guidelines presented in-depth above.

#6. Storing passwords in plain text on their devices

Your employees may be keeping their passwords in plain text and that is, of course, a terrible practice, since the passwords could be easily accessed by malicious actors. Thus, they should stay away from storing them on their phones, spreadsheets, text files, or emailing the passwords to their personal email addresses for whatever reasons.

#7. Writing them down in easily accessible places

No one should write down their passwords on post-it notes kept on their desks, hidden under the keyboard, written on their day planner, etc. The danger of insider threat might linger inside your organization.

#8. Logging into their business accounts on unsecured networks or devices

If your employees want to connect remotely and use an open public Wi-Fi network or enter their login credentials on a personal device that is not properly secured, their connection could be left open to snooping. In this case, they should always use a VPN.

Conclusion

The guidelines proposed by NIST truly have the capacity to help IT professionals strengthen their defenses without unnecessarily burdening their users. Nonetheless, organizations that have adopted them, or are considering implementing them, should completely understand the logic and approach behind them. And most importantly, security professionals must first comprehend the cybersecurity risk profile of their company to create strong password policies.

What do you think about NIST’s password security guidelines? Have you already implemented them inside your organization?


How Deepfakes Can Ruin Your Business

Worldwide concern is increasing over the adverse effects that deepfakes could have on society, and for good reason. Recently, the employee of an energy company based in the UK was tricked into thinking he was talking on the phone with his boss, the CEO of the German parent company, who asked him to transfer $243,000 to a Hungarian supplier. Of course, the employee was not speaking with the actual CEO, but with a scammer who was impersonating the real CEO through voice-altering AI.

This kind of social engineering attack is not new. In fact, merely two months ago, cybersecurity researchers identified three successful deepfake audio attacks on companies. Their “CEO” called a financial officer to ask for an urgent money transfer. The voices of the real CEO had been taken from earnings calls, YouTube videos, TED talks, and other recordings, and inserted into an AI program which enabled fraudsters to imitate the voices.

These types of incidents are the audio version of what are known as deepfake videos, which have been causing global panic for the past couple of years. As we become accustomed to the existence of deepfakes, this may affect our trust in any videos we see or audio footage we hear, including the real ones. Videos, which once used to be the ultimate form of truth that transcended edited pictures that can be easily altered, can now deceive us as well.

And this brings us to the question:

How safe is your business in the face of the deepfake threat?

What are Deepfakes?

Deepfakes are fake video and audio footage of individuals, that are meant to make them look like they have said and done things which, in fact, they haven’t. “Deep” relates to the “deep learning” technology used to produce the media and “fake” to its artificial nature. Most of the time, the faces of people are superimposed on the bodies of others, or their actual figure is altered in such a way that it appears to be saying and doing something that they never did.

The term was born in 2017 when a Reddit user posted a fake adult video showing the faces of some Hollywood celebrities. Later, the user also published the machine learning code used to create the video.

Can we detect and stop Deepfakes?

Right now, researchers and companies are investigating how they can utilize AI to distinguish and wipe out deepfakes. New advancements have started to rise that are meant to help us identify which pictures and recordings are real and which are fake.

For example, Facebook, Microsoft, the Partnership on AI coalition, and academics from several universities are launching a contest to help improve the detection of deepfakes. They aim to encourage people to produce a technology that can be used by anyone to detect when deepfake material has been created. The Deepfake Detection Challenge will feature a data set and leaderboard, alongside grants and awards, to motivate participants to design new methods of identifying and stopping fake footage meant to deceive others.

Yet, this won’t prevent the fake media from being created, shared, seen and heard by millions of people before it is removed. And without doubt, it can be extremely difficult to face the consequences and repair the damage once malicious materials get distributed.

How can you spot Deepfake videos?

Until some highly reliable technical solutions are designed, we should learn to identify the tell-tale signs of deepfakes. So, here are the flaws you should be looking for:

  • Blinking – According to research, eye blinking does not seem to be rendered that well in deepfake videos.
  • Head position – Watch out for blurry face borders that subtly blend into the background.
  • Artificially-looking skin – If the face looks extra smooth like it’s been edited, this may be another warning sign. Also, watch out for the skin tone that can be slightly different than the rest of the body.
  • Slow speech and different intonation – Sometimes, you will notice the one who is being impersonated talks rather slowly or there isn’t quite a match between the real person’s voice and the fake one.
  • An overall strange look and feel – In the end, you should trust your instinct. Sometimes, you can simply tell something’s not right.

At the moment, one can easily spot deepfakes. But in the future, as this technology progresses, it will gradually become more difficult.

Deepfakes could destroy everything

Here is what deepfakes could have a highly negative impact on:

#1. Politics

Deepfakes could influence elections since they can put words into politicians’ mouths and make them look like they’ve done or said certain things which, in fact, they haven’t. Deepfake producers could target popular social media channels, where the content shared can instantly become viral.

#2. Justice

Fake evidence for criminal trials could be used against people in court and this way, they could become accused of crimes they did not commit. Thus, the wrong people could go to jail. And on the other hand, people who are guilty could be set free based on false proof.

#3. Stock market

Deepfakes could be used to manipulate stock prices when altered footage of influential people making certain statements gets distributed. Imagine what would happen if a fake video showed the CEOs of companies such as Apple, Amazon, or Google declaring they’ve done something illegal. For instance, back in 2008, Apple’s stock dropped 10 points after a false rumor emerged that Steve Jobs had suffered a major heart attack.

#4. Online bullying

Deepfake technology could also be used to amplify cyberbullying, especially since it’s now becoming widely available. People can easily turn into victims when manipulated media of them is posted online. Or they can get blackmailed by cybercriminals who threaten to leak the footage if, for instance, they don’t pay a certain amount of money.

#5. Companies

Someone could be making false statements about your business to destabilize and degrade it. Malicious actors could make it look like you or someone within your organization is admitting to having been involved in consumer fraud, bribery, sexual abuse, or any other wrongdoing you can think of. Obviously, these kinds of false statements can destroy your company’s reputation and make it difficult for you to prove otherwise.

What can be done?

Due to the current gaps in the law, producers of deepfakes are not incriminated. However, the Deepfakes Accountability Act (known as “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act” – yes, you’ve correctly identified an acronym right there) aims to take measures to criminalize this type of fake media.

In short, anyone who creates deepfakes would be required to reveal that the footage is altered. And if they fail to do so, it will be considered a crime. The existence of these kinds of regulations is mandatory to protect deepfake victims and also the general public from distorted information.

How can you protect your business from Deepfakes?

Your competitors could resort to deepfake blackmail in order to try to eliminate you from the industry.

No matter how good technological deepfake detection solutions become, they won’t prevent manipulated media from being shared and reaching large numbers of people. So, the best way is to teach your employees how to identify fake footage and question everything that seems suspicious inside the organization.

#1. Train your employees

The topic of deepfakes can be looked at during your cybersecurity training. For instance, if they receive an unexpected call from the CEO who is asking them to transfer $1 million to a bank account, they could, first of all, question if the person on the other line is who they say they are. Maybe, a good countermeasure would be to have a few security questions in place that need to be asked to verify a caller’s identity.

#2. Monitor your brand’s online presence

Your brand’s presence is probably already being monitored online. So, make sure your designated people keep an eye on fake content involving your organization and if anything suspicious is brought to light, they do their best to take it down as soon as possible and mitigate the damage.

This brings us to the next point.

#3. Be transparent

If you become a victim of deepfakes, ensure that your audience is aware of the targeted attack. Trying to ignore what happened or assume that people didn’t believe what they’ve seen or heard won’t make the issue disappear. Therefore, your PR efforts should be centered around communicating that someone from your company has been impersonated and highlighting the artificial nature of the distributed footage.

Never let misinformation erode your public’s confidence!

Wrapping it all up

The dangers of deepfakes are real and should not be underestimated. A single ill-intended rumor could destroy your business. So, you, both as an individual and an organization, should be prepared to stand against these threats.


SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People

The web surfing history of millions of people was intercepted yesterday in a huge data leak. Large Swedish companies, such as Volvo, SAS, Ericsson, Husqvarna, and SKF have been affected, as originally reported by the Swedish newspaper Dagens Nyheter. About 40,000 people involved in the cyber incident allegedly are Swedes.

Spyware in Browser Extensions Enabled the Attack

The data spill was caused by spy code installed in Chrome and Firefox add-ons, which allowed the browsing history of millions of users to be harvested and sold.

A part of the leaked data comes from some of the largest organizations in Sweden. The database contained information such as discussions between employees, downloaded files, and internal confidential information. More precisely, it was possible to see exactly what people did online and although the information was considered to be anonymous, their identity could be confirmed.

The Failure of a SpaceX Rocket Engine Was Also Leaked

According to security engineer Sam Jadali, other major international companies have been involved as well. For instance, information from the space company SpaceX regarding the failure of a rocket engine was revealed. The vehicle was used to transport astronauts to and from the International Space Station (ISS).

The Company Behind the Data Leak

The information was collected and sold by Nacho Analytics, which is ending its activity now that the leak has been brought to light.

This is the pop-up message that is currently being displayed on their website:

“Nacho Analytics is closing all remaining accounts, and sending refunds to our existing customers for their recent payments. It will take a few days to work through this process. We appreciate your patience. If you are an active customer, please check your email for more detailed information.

Our limited site is active to offer customer support during this transition.”


Browsing habits are a method of studying customer patterns and monitoring competitors. This leak is similar to the one we’ve seen in the Cambridge Analytica scandal, in which Facebook data could be abused for use in political campaigns, writes SVT.

Why Did the Data Leak Happen?

The reason is that many companies use browser-based tools. And if an employee accesses a browser extension compromised by spyware, the activity within the tool can also be intercepted by cybercriminals.

Our CEO, Morten Kjaersgaard, has spoken with IT-Kanalen about how serious the problem is.

In his view, the issue seems to be greater than we realize. Specifically, any extension could be used by cybercriminals to access sensitive data. The reason is that these add-ons are not part of a company’s internal system, but developed by third parties. When users install a plugin in a browser, a port opens to the underlying engine – in this case, Chrome or Firefox – where it gets access to data beyond what it should have access to.

On a more positive note, the issue was discovered early, which gives us the chance to better understand it and find solutions. We should somehow be glad that the attack did not hit IE, which is more commonly used, because in that case the damage would probably have been significantly higher, says Morten Kjaersgaard.

How can we reduce the risks?

The simple answer would be to disable all plugins. But since this is rarely a viable solution, here are the recommendations for companies and consumers.

Advice for Companies

Companies should follow several steps. First of all, their IT department should design some form of policy-based system for deciding which add-ons should be installed and also know how they should be handled and monitored. There are existing solutions that are partially already integrated into Chrome.

Secondly, traffic should be monitored in real-time. This way, companies can detect early on whether systems connect and send data to suspicious locations. If this practice is combined with DNS protection and IP filtering, then you will have a great security foundation for your company.
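One way to start on the add-on policy from the first step, shown as an added example (not code from Heimdal or from the original post): inventory each installed extension's manifest, flag permissions that expose browsing activity, and emit a default-deny Chrome managed policy. The extension IDs, names and approved list are constructed placeholders; `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are Chrome's enterprise policy names.

```python
import json

# Permissions that let an extension observe browsing activity (WebExtension names).
RISKY_API_PERMISSIONS = {"history", "tabs", "webRequest", "webNavigation", "cookies"}
# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_grants(manifest):
    """Return the sorted permissions in a manifest that expose browsing data."""
    requested = set()
    # Manifest V2 mixes API and host permissions; V3 moves hosts to host_permissions.
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts injected into every page can read page content as well.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return sorted(requested & (RISKY_API_PERMISSIONS | BROAD_HOST_PATTERNS))


def audit(installed, approved_ids):
    """Classify each installed extension as 'allow', 'review' or 'remove'."""
    report = {}
    for ext_id, manifest in installed.items():
        grants = risky_grants(manifest)
        if ext_id not in approved_ids:
            verdict = "remove"   # never vetted by IT: the policy below blocks it
        elif grants:
            verdict = "review"   # vetted, but able to see browsing activity
        else:
            verdict = "allow"
        report[ext_id] = {"name": manifest.get("name", "?"),
                          "verdict": verdict, "risky": grants}
    return report


def chrome_policy(approved_ids):
    """Build a default-deny managed policy: block everything, allow vetted IDs."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(approved_ids),
    }


# Constructed sample inventory: IDs and names are placeholders, not real extensions.
SAMPLE_INSTALLED = {
    "a" * 32: {"name": "Corp SSO Helper", "manifest_version": 3,
               "permissions": ["storage"],
               "host_permissions": ["https://sso.example.com/*"]},
    "b" * 32: {"name": "Page Zoom Tool", "manifest_version": 2,
               "permissions": ["tabs", "history", "<all_urls>"]},
    "c" * 32: {"name": "Approved Ad Filter", "manifest_version": 2,
               "permissions": ["webRequest", "storage"],
               "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]},
}
SAMPLE_APPROVED = {"a" * 32, "c" * 32}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSTALLED, SAMPLE_APPROVED), indent=2))
    print(json.dumps(chrome_policy(SAMPLE_APPROVED), indent=2))
```

Extensions marked `review` are the ones worth pairing with the traffic monitoring from the second step, since they are approved yet still able to read what users do online.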

Advice for Consumers

The most obvious recommendation would be not to install any extensions. But if you need to, make sure you have installed only the few add-ons that you really depend on. What’s more, browser extensions should come from trusted, reputable sources and not from any unknown sites or companies.

By using DNS and IP filtering in combination with traffic monitoring and firewalls, both consumers and companies will play their part in the fight against cybercriminals. And this is something that we must all start with as soon as possible, Morten Kjaersgaard concludes.

Swedish speakers can read the full interview with Morten Kjaersgaard, Heimdal Security’s CEO, here.


The post SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People appeared first on Heimdal Security Blog.

Participate in Our Survey and Get the Chance to Win A $50 Amazon Voucher!

If you’re a Heimdal Blog reader and/or our customer, you already know we advocate for continuous cybersecurity education.

This is why we decided to launch a survey to better understand what your level of cybersecurity awareness is and what security measures you apply to stay safe on the Internet. Based on your responses, we will create a report to analyze and present the current state of consumers’ cybersecurity hygiene and awareness.

Stay tuned for the final results!

What’s in it for you?

We’ve also prepared some special prizes for you, meaning you can get the chance to win one of the 5 Amazon vouchers worth $50!

Here you can access the survey.

Read the Rules, Terms and Conditions, and Privacy Policy:

Survey/Sweepstakes Rules

ELIGIBILITY:

Survey/Sweepstakes is open to anyone of legal age in their residing country as of the date of entry, including but not limited to Thor Home users. Employees of Heimdal Security (the Sponsor) and their affiliates, subsidiaries, advertising and promotion agencies, suppliers and their immediate family members and/or those living in the same household of each are not eligible to participate in the Sweepstakes. No purchases are necessary. A purchase will not increase chances of winning. All federal, state and local laws and regulations apply. Void where prohibited or restricted by law. Only the respondents who provide their email address at the final question of the survey (Question 39) will be eligible for winning the prize.

AGREEMENT TO RULES:

By participating, you agree to be fully unconditionally bound by these Rules, and you represent and warrant that you meet the eligibility requirements set forth herein. In addition, you agree to accept the decisions of Heimdal Security, as final and binding as it relates to the content. The Sweepstakes is subject to all applicable federal, state, and local laws.

SURVEY/SWEEPSTAKES PERIOD:

The Survey/Sweepstakes entry period begins at 1:30 pm CET on September 3, 2019, and ends at 1:30 pm CET on October 3, 2019. Winners will be selected from entries properly submitted and timely received during the Survey/Sweepstakes Period.

HOW TO ENTER:

During the Survey/Sweepstakes Period, submit your responses here. The entries must fulfill all sweepstakes requirements, as specified, to be eligible to win a prize. Winners will be granted the prize upon submitting their full name and valid email address at the final question of the survey (Question 39). Respondents who have not provided a valid email address will not be eligible for winning. You may enter only once and you must fill in the information requested. You may not enter more times than indicated by using multiple email addresses, identities or devices in an attempt to circumvent the rules. If you use fraudulent methods or otherwise attempt to circumvent the rules your submission may be removed from eligibility at the sole discretion of Heimdal Security.

PRIZES AND ODDS OF WINNING:

There will be 5 winners drawn at random. Each of the 5 winners will receive a $50 Amazon gift card. No cash or other prize substitution permitted. The prize is non-transferable. Any and all prize-related expenses, including without limitation any and all federal, state, and/or local taxes shall be the sole responsibility of the winner. No substitution of prize or transfer/assignment of prize to others or request for the cash equivalent by winners is permitted. Acceptance of prize constitutes permission for Heimdal Security to use winner’s name, likeness, and entry for purposes of advertising and trade without further compensation unless prohibited by law. The odds of winning depend on the number of eligible entries received.

HOW WINNERS ARE SELECTED AND NOTIFIED:

Five (5) winners will be selected by random drawing to be held on October 4, 2019. Winners will be chosen from survey responses received in the Survey/Sweepstake Period. The potential winners will be notified via email to the email address submitted at the final question of the Survey (Question 39) within one (1) week after the drawing. The drawing will be conducted by Heimdal Security. In the event that a potential winner is disqualified for any reason, Heimdal Security may award the applicable prize to an alternate winner selected randomly. Heimdal Security shall have no liability for a winner’s failure to receive notices due to winners’ spam, junk e-mail or other security settings or for winners’ provision of incorrect or otherwise non-functioning contact information. If the selected winner cannot be contacted, is ineligible, fails to claim the prize within 15 days from the time award notification was sent, or fails to timely return a completed and executed declaration and releases as required, prize may be forfeited, and an alternate winner selected.

TERMS AND CONDITIONS:

Heimdal Security reserves the right to modify, terminate, suspend, or cancel the Survey/Sweepstakes at its sole discretion. Heimdal Security also reserves the right to disqualify your entry if found ineligible to participate. If a dispute arises regarding your identity, Heimdal Security reserves the right not to award the prize and draw another winner.

Heimdal Security has the right, in its sole discretion, to maintain the integrity of the Survey/Sweepstakes, to void votes for any reason, including, but not limited to multiple entries from the same user from different IP addresses, multiple entries from the same computer in excess of that allowed by sweepstakes rules, or the use of bots, macros or scripts or other technical means for entering.

Any attempt by an entrant to deliberately damage any web site or undermine the legitimate operation of the sweepstakes may be a violation of criminal and civil laws and should such an attempt be made, Heimdal Security reserves the right to seek damages from any such person to the fullest extent permitted by law.

PRIVACY POLICY:

Your identity will not be disclosed to any third parties and will only be accessed by Heimdal Security. The names and email addresses collected in the Survey/Sweepstakes period will be deleted within one (1) week after the winners are announced unless you explicitly signed up to receive future Newsletter communications. You can opt out of receiving this communication at any time by clicking the unsubscribe link in the newsletter and choose to be deleted from Heimdal Security’s database.

Your responses will be used to create a report around the current state of consumers’ cybersecurity awareness and practices. Responses will be kept anonymous.

SPONSOR:

HEIMDAL SECURITY • VAT NO. 35802495 • VESTER FARIMAGSGADE 1 • 3 SAL • 1606 KØBENHAVN V

The post Participate in Our Survey and Get the Chance to Win A $50 Amazon Voucher! appeared first on Heimdal Security Blog.

5G Dangers: What are the Cybersecurity Implications?

5G is no longer a technology of the future, but a current reality. Entire markets have already started to switch to 5G, which marks the beginning of a new era. This is the only technology created so far with a huge potential to elevate the use of the Internet of Things (IoT), foster an environment of interconnectivity, and sustain economic growth. 5G will bring along a plethora of benefits, such as increased data speed, lower latency on network response time, and higher reliability. However, at the same time, new cybersecurity threats are likely to arise. This is why your business must be ready to face the 5G dangers.

Your company’s and customers’ sensitive data could be compromised due to cyber-attacks in a 5G world. What’s more, your connected IoT devices could be affected too, each and every one of them being likely to pose security risks for your entire network. And once IoT devices are overridden by cybercriminals, they can wreak havoc in your organization and even cause physical damage.

What is 5G?

First of all, let’s try to understand more about the 5G technology and why it can be so dangerous for your business from a cybersecurity standpoint.

The “G” stands for “Generation”. In the simplest terms, the higher the number next to the letter “G”, the higher the speed and the lower the latency. Here is a quick comparison between the 5 Generations:

[Image: 1G, 2G, 3G, 4G, 5G comparison]

Source: Adapted from “A Review of Wireless Mobile Technology”, published in the International Journal of Science and Research (IJSR).

At some point, 5G will most probably replace the existing 4G networks. According to Ericsson’s Mobility Report released in June 2019, 5G subscriptions will reach 1.9 billion by the end of 2024, making up over 20% of all mobile subscriptions at that time. So while we’re still quite early in the game, it is not too soon to start thinking about the 5G implications for your business, both positive and negative.

How will your business benefit from 5G?

Let’s start off with evaluating the potential benefits. As we transition to the 5G technology, your business can expect better use of resources and improvement of your daily operations and communication. More specifically, here are the main areas in which your business will benefit once you start using 5G:

#1. Increased network speed

As I’ve pointed out above, the first benefit that comes to mind is the high speed supported by the network, which will increase your employees’ productivity, as they will be able to complete tasks much faster.

#2. Better communication

The virtual communication and collaboration will certainly be improved as well. Also, cutting-edge communication methods that involve VR and AR will be successfully sustained by the powerful 5G network.

#3. The IoT network will be taken to the next level

5G will seamlessly connect all the devices that make up your IoT network. This aspect will enable tremendous opportunities for IoT uses, ranging from drones and self-driving cars to VR and AR equipment and other emerging technologies.

#4. More innovation

The 5G technology will most likely become a catalyst for innovation. In major industry verticals such as healthcare, automotive, and manufacturing we will witness technology advancements that have never been seen before.

#5. Reduced costs and energy consumption

The 5G technology will supposedly reduce the core network consumption by 90% and aims to extend device battery life ten times.

Organizations are impatient to use 5G

According to a survey recently released by Gartner, two-thirds of organizations are planning to deploy 5G by 2020. Yet apparently, businesses want to embark on the 5G journey faster than communication vendors can provide it. Furthermore, they are planning to use 5G networks mainly for IoT communications, with operational efficiency as the key driver.

Gartner has also stated that, by 2022, half of the communication vendors which have completed commercial 5G deployments will not be able to monetize their back-end technology infrastructure investments. This will not be possible due to the fact that systems will not completely meet the 5G use case requirements.

“Most CSPs will only achieve a complete end-to-end 5G infrastructure on their public networks during the 2025-to-2030 time frame — as they focus on 5G radio first, then core slicing and edge computing,” said Sylvain Fabre, senior research director at Gartner.

Initially, communication service providers will focus on consumer broadband services, which may delay investments in edge computing and core slicing. And the latter are much more valuable and relevant to the 5G technology.

Security flaws in 5G enable various types of attacks

As pointed out by security researchers during Black Hat 2019, a security flaw in 5G allows Man-in-the-Middle (MiTM) attacks. It seems that security protocols and algorithms for 5G are now being ported from the 4G standard, and experts have discovered that this can allow device fingerprinting for targeted attacks and MiTM assaults.

How can this happen exactly? The 5G network is made up of base stations, or cells, that each cover a certain area. They connect to the cloud, and the latter connects to the base network. For the connection to be possible, 5G devices send information to the base station, which then passes it along the chain to the core network for authentication. The information delivered includes details such as “whether or not voice calling is enabled, SMS ability, vehicle to vehicle communication (V2V) support, what frequency bands are being used, the device category, […] radio requirements”.

During the same Black Hat conference, researchers revealed that in 5G, as with 4G, the device capability information is sent to the base station before any security measures are applied to the connection. Basically, the traffic is encrypted from the endpoint to the base station, but since the device capabilities are sent before the encryption is applied, they can still be read in plain text. And this enables multiple types of attack, like mobile network mapping (MNmap), bidding down, and battery drain on narrowband Internet of Things (NB IoT) devices.

The research team that unveiled this threat was capable of creating a map of devices connected to a certain network and listing very specific details like device manufacturer, operating system, version, and model, allowing them to precisely categorize a device as Android or iOS, IoT or a phone, car modem, router, etc. And this flaw opens the gate to targeted attacks against specific devices.

Attackers can intercept calls and track phone locations

Researchers have also discovered three security flaws in both 4G and 5G, which can be exploited to intercept phone calls and track the locations of cell phone users. And the scary part is that academics are saying that anyone with a little knowledge of cellular paging protocols will be able to conduct this kind of attack.

[Image: the Torpedo attack, or “TRacking via Paging mEssage DistributiOn”]

Image source: TechCrunch

The 5G Dangers for Your Company

Now, imagine what a negative impact 5G could have on your business. First of all, it will certainly enable more entry points for cyberattacks. And while the level of connectivity and speed between your interconnected IoT devices will increase, multiple opportunities for malicious actors to break into your systems will unfold. Thus, you might witness attacks at a scale never seen before.

What’s more, the 5G technology could also lead to botnet attacks, which will spread at a much higher speed than current networks allow. Attackers could also use botnets to initiate Distributed Denial-of-Service (DDoS) attacks.

How can you avoid 5G threats?

With the rapid development of IoT and 5G, it’s crucial for you to evaluate your overall security strategy before your organization starts adopting the 5G technology. As with any emerging technology, 5G will generate new use cases that will need appropriate cybersecurity measures. Thus, it’s mandatory for you to deploy 5G networks with security measures in mind.

Conclusion

Extreme outcomes of security breaches are likely to happen due to 5G security flaws. And they can prove to be both expensive and disastrous. This brings us to the most critical aspect that security experts should begin with, namely the fact that 5G networks must have, first of all, built-in security measures in place. But the first important step will remain to identify the security regulations that the 5G technology truly needs, coupled with strict cybersecurity rules and regulations imposed on 5G network providers.

The post 5G Dangers: What are the Cybersecurity Implications? appeared first on Heimdal Security Blog.