Category Archives: b2b

Tech support scams are still going strong

When we think of online scams, for most of us, several images come to mind: Nigerian Princes who need us to make a transfer so that we can become millionaires, websites offering gifts for being their millionth visitor, and so on.

However, things have become so much more sophisticated. Not just because the methods used to con people are more complex in terms of how they can be detected, but also because thieves have learnt a vital lesson: their largest source of wealth isn’t isolated users, but the companies in which these users work. This is why the workplace has become their ideal target.

Types of social engineering attacks

These days, the trick doesn’t necessarily lie in getting a virus onto someone else’s computer. Instead, the aim is to get the users themselves to do the dirty work. This is what’s known as social engineering, a method by which a criminal will use us to carry out an action which will severely compromise our company’s IT security.

Broadly speaking, there are several types:

1.- Tech support. This has been one of the more frequent scams in recent years. Whether it’s via an email, a suspicious website, or even a phone call, we’ll receive a warning that something in our software or operating system has gone wrong, and that we need to get in touch with tech support ASAP. Time is the key element in this scam: if the criminal pulls it off well, they’ll manage to convince you that the longer it takes you to apply the solution, the worse it’ll be for your company. Once you contact them, there will be a vast array of possible cons: installing malicious software, providing credit card details, sharing confidential information about the company, to name but a few. If the employee complies, the scam will have begun.

This is a big deal. According to a study by Microsoft, tech support scams are the most frequent and most dangerous type of scam. In fact, in 2017, Microsoft received complaints from 153,000 users reporting this type of scam, 24% more than the previous year. What’s more, these complaints came from 183 different countries, which paints a dangerous picture of a scam which is happening at a global level.

2.- Software update. This is similar to the tech support scam, but in this case it almost always comes from a website. We’ll come across a banner telling us about a problem with our browser or operating system: a virus has been detected, you need to download the latest version of Flash, and so on. If we click on these banners, we’ll end up installing malicious software on our computer.

3.- Identity theft. This one is especially common via email: we get an email which is supposedly from someone in the office (a boss, a workmate…) or someone high up in the company who we really shouldn’t ignore. If we fall into their trap, we’ll be tricked into installing software or giving out personal, financial or corporate information.

What to do to avoid this

The worst thing about these attacks is that they don’t affect just the user: if these attacks are carried out in the workplace, the cybersecurity of the whole company will be in serious trouble. This is why it’s a good idea to take measures to avoid possible vulnerabilities.

1.- Employee awareness. Many employees tend to think that any possible scams will target the very core of the company. However, it’s precisely the lowest links in a company which are the weakest. Every company must make sure their employees are aware that they too are vulnerable.

2.- Some keys. If an employee gets an email that seems to be from the company’s corporate email address, are they sure that it really is? If the company’s name contains the letter ‘l’, have they checked that it hasn’t been swapped for a capital ‘I’ to throw them off? If the warning is coming from a website, have they wondered why something like this would pop up in their browser? If they get a phone call, why would they get this call on their personal mobile? These kinds of tips won’t keep us completely secure, but they can be useful.

3.- It’s better to be suspicious. If in doubt, it’s better to be suspicious of everything, rather than putting a company’s cybersecurity at risk. If an employee has any kind of doubts, the best thing to do is to reach out to someone in charge to check the information before doing anything.

4.- Threat detection technology. With the human side of the problem solved, the technological problem also needs to be solved. To do so, companies need EDR (Endpoint Detection and Response) technologies, which will identify and predict possible threats, acting on them in the case of any danger. It’s what Panda Adaptive Defense 360 does, which, when faced with any threat, blocks every kind of danger or malicious software before it can be installed as a consequence of this type of scam.
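The check in tip 2 (a capital ‘I’ standing in for ‘l’ in the company name) can be automated at the mail gateway. The following is an added example, not code from the original article or from any Panda product; the corporate domain `globalmail.example`, the confusables table and the sample headers are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumed corporate domain for the example (placeholder, not from the article).
CORPORATE_DOMAIN = "globalmail.example"

# Constructed, deliberately small confusables table; a production filter
# would use a fuller list such as the Unicode confusables data.
LOWER_CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic look-alikes of a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic look-alikes of p, c, i
}
SEQUENCE_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def _decode_label(label):
    """Turn a punycode label (xn--...) back into Unicode so it can be compared."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def skeleton(domain):
    """Reduce a domain to the form a hurried reader would perceive."""
    text = ".".join(_decode_label(part) for part in domain.split("."))
    text = unicodedata.normalize("NFKC", text)
    # Capital I must be folded before lowercasing, otherwise it becomes 'i'.
    text = text.replace("I", "l").lower()
    text = "".join(LOWER_CONFUSABLES.get(ch, ch) for ch in text)
    for sequence, replacement in SEQUENCE_CONFUSABLES:
        text = text.replace(sequence, replacement)
    return text


def classify_domain(domain, corporate=CORPORATE_DOMAIN):
    """Return 'corporate', 'lookalike', 'external' or 'unparseable'."""
    domain = domain.strip().rstrip(".")
    if not domain:
        return "unparseable"
    if domain.lower() == corporate.lower():
        return "corporate"
    if skeleton(domain) == skeleton(corporate.lower()):
        return "lookalike"
    return "external"


def classify_sender(from_header, corporate=CORPORATE_DOMAIN):
    """Classify the domain part of a From: header value."""
    _display_name, address = parseaddr(from_header)
    return classify_domain(address.rpartition("@")[2], corporate)


# Constructed sample headers (not real traffic).
SAMPLE_HEADERS = [
    "Maria Lopez <maria.lopez@globalmail.example>",
    '"IT Support" <helpdesk@gIobalmail.example>',   # capital I instead of l
    "Payroll <payroll@globalrnail.example>",        # r + n instead of m
    "Vendor <sales@partner.example>",
]


def triage(headers):
    """Pair each header with its verdict so look-alikes can be quarantined."""
    return [(header, classify_sender(header)) for header in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:10} {header}")
```

Messages classified as `lookalike` are the ones worth quarantining or tagging with a visible banner, since they are the ones an employee is least likely to spot by eye.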


The post Tech support scams are still going strong appeared first on Panda Security Mediacenter.

How to make your company cyber-resilient

The first Panda Security Summit (#PASS2018), which brought the CIOs and CISOs of European companies to Madrid on May 18, served to underscore the concept of cyber-resilience as a key trend in the current cybersecurity environment. But what do we mean when we talk about how important it is for a company to be cyber resilient?



Being resilient is a must

A cyber-resilient company is one that can prevent, detect, contain, and recover from a cyberattack, minimizing exposure time and the impact of countless serious threats against data, applications and IT infrastructure. This is how the latest Panda Security report, presented at #PASS2018, defines it: Cyber-resilience: the key to business security.

Until recently, financial companies and governments were the main targets of cyberattacks. Nowadays, companies of every size and sector depend to a greater or lesser extent on the Internet to carry out their business and, as a consequence, the threat has become universal. As these dangers increase, the current approaches to maintaining cyber-resilience are no longer enough. Cybersecurity management needs an in-depth review with new security models.

To do this, companies must adopt a new, comprehensive, strategic, and persistent stance, with a new approach to their security program that can provide protection without imposing undue restrictions on their business.  This new stance must be based on strengthening preventative defenses, accepting that these defenses can be overcome by the attackers, or that the attackers may already be present within the organization. In fact, malware concealment and new technologies to penetrate defenses are allowing threats to stay on corporate networks for long periods without being detected.

How to adopt a cyber-resilient stance in your company

Cybersecurity must be treated as a corporate risk management problem, and not as a purely IT based problem. To manage this, companies need to carry out tasks like prioritizing the most valuable assets in the organization, finding out the most relevant threats and adversaries, adopting an ongoing crisis stance, or continually implementing initiatives to minimize risks.

The organization’s processes, technologies, tools, and security services must be reviewed and adjusted as threats evolve, as part of a continuous improvement process based on wariness. Being resilient means that this adaptation needs to be carried out as fast as possible, or even in real time.  It’s also necessary to create a full register of all assets, from data to applications, and monitor all actions that are carried out with them.

Cyber-resilient companies also have to assume that, sooner or later, they will be compromised by a cyberattack. To correctly manage their cybersecurity, organizations need to understand and adopt the ‘cycle of resilience’, whose key phases are:

  • In the pre-incident phase, they will have to do so through the ability to better prevent and resist threats, making use of advanced cybersecurity technologies that can detect known and unknown, or zero-day malware.
  • During the incident, the resilient attitude is implemented by quickly reacting to sudden threats with detection, containment, and response. For this, it’s necessary to make the most of the new paradigms that are arising as a result of the monitoring and visibility capabilities that Endpoint Detection and Response (EDR) solutions provide.
  • The post-incident phase is developed by absorbing impacts while strategic security objectives are still met and the operative environment is reconstructed, in such a way that future sources of threats are eliminated.

When it comes to minimizing the impact on business, the time that passes between a breach and its discovery is the decisive factor in the overall cost of the incident. In this sense, monitoring, visibility of what happens on endpoints, and technologies that allow the detection and investigation process to be automated, such as Panda Adaptive Defense, drastically reduce this time.

Longer response times for more severe incidents

The report also reflects the fact that the increase in the volume and severity of cybersecurity incidents detected by a majority of companies –64% and 65% respectively–, has meant an increase in detection and response times in 57% of cases.

What’s more, it identifies as highly cyber-resilient companies that have robust cyberattack prevention (72%), detection (68%), containment (61%) and response (67%) systems.  Another distinctive feature of these companies is that they have in place a Computer Security Incident Response Plan (CSIRP), with professionals specialized in its application (91%), and are led by managers who understand that high cyber-resilience is directly related to economic growth (63%) and the company’s reputation (69%).

The growing number of threats, and the more sophisticated nature of attacks pose a challenge for companies’ cybersecurity, compelling them to review their cybersecurity program to make their organization cyber-resilient.  At Panda Security, we have at our disposal the latest technology as well as the most highly skilled team of experts to help your company to achieve this goal, with a new security model that has all the answers.



The post How to make your company cyber-resilient appeared first on Panda Security Mediacenter.

How to get your company ready for a security audit

These days, everything and everyone is connected, which means that security has become a real headache for most companies. And more so since last Friday, when it became mandatory to comply with the new General Data Protection Regulation (GDPR) – especially since infringing it can spell real trouble for companies that haven’t taken it into account.

There’s no doubt that the proliferation of new threats, together with the complexity of the latest attacks, is driving companies to push security towards the top of their list of priorities. This in turn leads to greater investment in cybersecurity by companies. According to data supplied by Gartner, we’re talking about an 8% increase in cybersecurity spending for this year, or to put it another way, a total of $96.3 billion.

Even though companies are strengthening the implementation of protection strategies for their systems, cybercriminals are also stepping up their efforts to exploit new weaknesses. All of this means that maximizing company security is now more than ever an absolute must for any organization.

Evaluate your company’s security

Given this current context, it becomes abundantly clear that companies must make sure the defense strategies they have in place for threats are performing to their full potential. To this end, carrying out a security audit can be a good way to find out the state of your company’s protection systems. This way, the analysis you carry out will provide an insight into the main risks your company is exposed to, its strengths, as well as where it can improve. Then, from here, the security teams can use the results as a starting point to design and implement a cybersecurity strategy which suits your company’s needs. But how can we get ready for this security audit?

Guidelines for drawing up a security plan

One of the very first steps in any security audit is to create an inventory of all devices. It’s absolutely essential to classify each and every device that is connected to the network (desktop computers, laptops, smartphones, multipurpose devices, and security systems integrated into the network) to have an accurate idea of what it is that needs protecting. It’s also important to keep this inventory up to date so that, when devices are added or removed, there are no surprises in the activity log.

As well as classifying every kind of device that needs to be protected, it’s also vital to carry out a periodic evaluation of the software used by the company. This means that companies must classify the software and firmware applications that are being run on each device on their network, and determine what software they need to run so that they can perform their tasks within the company.

Apart from this, it’s crucial to implement secure settings. That means any operating system, browser, and even printer, must be configured with security in mind. At the same time, in order to stop security breaches and make applications more secure, it is of utmost importance to apply patches or updates that will keep the system secure.

Finally, controlling shadow IT (IT systems and solutions built and used inside companies that have never been explicitly approved by the organization) is of vital importance to ensure an environment which is 100% secure.

What happens if there is a security breach in a company?

The effects of a cyberattack on an organization can be devastating, and even if we have a prevention protocol in place alongside a great security team, breaches happen. Therefore, it’s crucial to have a Security Incident Response Plan (SIRP) to face up to these threats. Planning an incident response strategy includes setting up a way to evaluate the situation, identify the kind and severity of the attack (the nature of the attack, where it came from, the possible intent, and the systems and files at risk) and a way to notify, document, and review these incidents and the possible damages suffered by the company.

Although carrying out a security audit is a task that requires a great deal of time and commitment, it is something that is simply unavoidable. It is the only way we can effectively draw up a plan to strengthen the company’s protection against cyberattacks and security breaches. The key is to have a detailed insight of everything that is happening on the company’s devices and networks in order to drastically reduce the attack surface.

The post How to get your company ready for a security audit appeared first on Panda Security Mediacenter.

What GDPR Means for B2B Ecommerce Businesses and How Much It Will Cost

Starting from May 25, 2018, all businesses that collect and store personal data of EU citizens have to comply with the General Data Protection Regulation (GDPR). It is a set of regulations the EU passed in 2016 to protect the identity rights of its citizens.

What does GDPR mean for B2B ecommerce businesses? It would be a mistake to believe that if a company caters to businesses, not to individuals, GDPR won’t affect it. Every contact person from a customer company is, in fact, an individual protected by GDPR, and B2B marketers should take it into account when planning mass-mailings and other campaigns involving customer data.

The scariest thing about GDPR is that it applies to all companies regardless of their location. If a company has data of only one EU citizen residing within the EU, it may still be sued. And the fines may be astronomical, up to €20 million ($24 million) or 4% of your annual revenue.


GDPR Cost for the Fortune 500 Companies

Ernst & Young estimated that the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR. For example, Facebook had appointed a team of 60 specialists to work on GDPR compliance, across 18 months, and had to move 1.5 billion users from Ireland to the USA.

Nevertheless, on May 26, Facebook, Instagram, WhatsApp, and Google were hit with $8.8 billion in GDPR lawsuits, from four European countries simultaneously.

Los Angeles Times and Chicago Tribune could not ready themselves for the big date and started temporarily blocking EU citizens instead. This induced the fear that the internet would be split, with the EU left isolated from the rest of the world. However, the EU has about 500 million potential users, and it will be hard to ignore such a lucrative market in the long run.

Taking Care of User Data

So what does a B2B company have to do to become GDPR compliant, and how much will it cost?


GDPR rules cover any data that can be considered personal: addresses, credit card numbers, travel records, religion, web search history, ID codes, biometric data, and more.

Corporations with more than 250 employees will have to appoint a DPO – Data Protection Officer. That person will be responsible for any data breaches that may appear in the future as well as for GDPR audits. The latter will become part of life for larger corporations; some will be able to organize audits in house, while others will have to pay third parties for such audits.

The first step in GDPR compliance will be to take stock of all user data in the company: where it is located, who has access to it, who takes care of it, and so on. The highest fine under GDPR is when you knew there was a data breach but did not react in time. For larger organizations, there is a 72-hour period to inform the regulators; anything longer than that will be punished.

Security specialists from ecommerce development company Iflexion recommend that businesses deploy software that raises an alert immediately after a data breach takes place. The software should be able to document what happened so that it is possible to assess the level of damage.

New Rules about Consent

B2B ecommerce businesses should identify all personal data that is stored within the company and evaluate consent given for every piece of this data for each particular purpose.

For example, if a customer’s representative gave their email address to download a white paper from your website, under GDPR that does not mean that you can send them emails about your products. If you want to do so, you will have to ask for consent explicitly.

The Right to Object

If a user wants a company to stop using their data, the company has to comply. This is called the right to object, and the customer should be informed about it at the first point of contact.

This is especially relevant to direct marketing. If a user tells you they do not want to receive email from you anymore, don’t send them another email asking them to reconsider – this would be a violation of GDPR.

Changes in the Front End

Cookies are also treated as personal data, so a company has to ask for the visitor’s permission to use them on the site. An inquiry for such a permission should include a link to the company’s privacy policy so that the user can know how their data will be used.

Privacy policies have to be rewritten to explain new rules and capabilities. From what we have seen so far, privacy policy documents only became more difficult to read as the companies rushed their content in order to be compliant before May 25.

The opt-in box that records consent to join an emailing list may no longer be checked in advance. The checkbox has to be empty so that the user clicks on it of their own free will. You will also have to enhance the database with several new columns: the type of consent asked for, the time when the user gave the consent, and so on. It is crucial that you be able to document user consent in case of audits and/or lawsuits that may come later.
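One way to hold those columns is an append-only consent log that the mailing system queries before every send. This is an added example, not code from the original post; the table layout, the purpose names (`whitepaper_delivery`, `product_marketing`) and the sample address are assumptions chosen to mirror the white paper, opt-in and right-to-object cases described above.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema: one row per consent event, never updated or deleted, so the
# history shown to an auditor is exactly what happened.
SCHEMA = """
CREATE TABLE consent_event (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    email   TEXT NOT NULL,
    purpose TEXT NOT NULL,   -- the type of consent asked for
    action  TEXT NOT NULL CHECK (action IN ('granted', 'declined', 'withdrawn')),
    source  TEXT NOT NULL,   -- form or link where the choice was made
    at      TEXT NOT NULL    -- UTC time of the choice
);
"""


def open_ledger(path=":memory:"):
    """Create the consent log (in memory by default, for the example)."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record(db, email, purpose, action, source, at=None):
    """Append one consent event; the CHECK constraint rejects unknown actions."""
    at = at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    db.execute(
        "INSERT INTO consent_event (email, purpose, action, source, at) "
        "VALUES (?, ?, ?, ?, ?)",
        (email.lower(), purpose, action, source, at),
    )
    db.commit()


def record_form(db, email, purpose, box_checked, source, at=None):
    """Store the state of an opt-in box; an untouched box is 'declined'."""
    record(db, email, purpose, "granted" if box_checked else "declined", source, at)


def may_contact(db, email, purpose):
    """True only if the latest event for this exact purpose is a grant."""
    row = db.execute(
        "SELECT action FROM consent_event WHERE email = ? AND purpose = ? "
        "ORDER BY id DESC LIMIT 1",
        (email.lower(), purpose),
    ).fetchone()
    return row is not None and row[0] == "granted"


def audit_trail(db, email):
    """Everything recorded for one person, oldest first."""
    return db.execute(
        "SELECT purpose, action, source, at FROM consent_event "
        "WHERE email = ? ORDER BY id",
        (email.lower(),),
    ).fetchall()


if __name__ == "__main__":
    db = open_ledger()
    who = "ana@customer.example"  # constructed sample contact
    # Email given only to receive a white paper: no marketing consent follows.
    record_form(db, who, "whitepaper_delivery", True, "whitepaper-form")
    print(may_contact(db, who, "product_marketing"))
    # Explicit opt-in, then the right to object exercised via an unsubscribe link.
    record_form(db, who, "product_marketing", True, "newsletter-form")
    record(db, who, "product_marketing", "withdrawn", "unsubscribe-link")
    print(may_contact(db, who, "product_marketing"))
    for event in audit_trail(db, who):
        print(event)
```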

GDPR Is a Way of Life Now

The days of the wild, wild internet are ending and GDPR is here to stay. It is still almost free to send thousands of emails, but the cost of sending one to the wrong person may now be unbearably high. Document everything, audit your company as if it were audited by a regulator and keep on selling in spite of all.

The post What GDPR Means for B2B Ecommerce Businesses and How Much It Will Cost appeared first on TechWorm.

Cyber resilience was the star of the Panda Security Summit 2018

Last Friday, we held our first advanced cybersecurity conference, Panda Security Summit 2018, where cyber-resilience was the focal point. Among the audience of over 400 attendees were CISOs and CIOs of large Spanish and European companies. Silva Barrera hosted the event, which served as a framework to look at the latest cybersecurity trends – attacks, and how to protect against them all along the security chain, as well as the overall state of the sector – from the point of view of analysts, public institutions, and private companies.

Cyber-resilience, key in advanced cybersecurity

All of the conferences and workshops enabled attendees to get a clear vision of the cornerstones needed to reach the highest level of security within organizations. The importance of being resilient as far as security is concerned was widely recognised as being a key feature. It is also the leitmotif of Panda Security’s latest report, which was presented at #PASS2018. All of the speakers shared their ideas and experiences of how to prevent attacks, how to get back to the original state after an attack, and how to mitigate the effects of an attack using a good response strategy. The common theme running through all of the strategies analysed was prevention, detection, containment, and response.

The conference was opened by José Sancho, president of Panda Security, who underlined that this wasn’t just another cybersecurity conference. He emphasized that: “We believe we can give a clear, objective view of this complex, hard to understand landscape, with its multitude of technologies, its varied interests, and its messages which aren’t always objective.”

The first speaker of #PASS2018 was Ian McShane, Research Director of Gartner. In his speech, he explained that the challenge for 2019 is to reinforce prevention, especially in endpoint protection strategy. “The endpoint needs something more than an antivirus; endpoint detection and response (EDR) technologies are the key, as they offer a traceability which is indispensable for analysis and prevention. But these technologies aren’t going to replace humans; we still need analysts,” he explained.

Javier Candau, head of the National Cryptologic Centre (CCN-CERT), focused on the challenge of cybersecurity in Spain. He indicated that one of the main challenges facing the country in this area is the need to strengthen the National Security Framework (Esquema Nacional de Seguridad – ENS) certifications, which are mandatory for all mid to high level information systems. “Our incident management tool is registering more and more cases: businesses and institutions are becoming less and less reluctant to report cases,” added Candau.

Nikolaos Tsouroulas, Head of Cybersecurity Product Management at ElevenPaths in Telefónica explained that “technology is necessary, but people are even more important. Security professionals are the most valuable investment in this area.” Tsouroulas also stated that today’s threats mutate, evolve, and multiply extremely quickly. This means that managed detection and response (MDR) must opt for factors such as prioritizing endpoints and networks, data exchange, and real-time performance.

The conference continued with the participation of Nicola Esposito, Director of Deloitte’s CyberSOC EMEA Center, who explained that protection against advanced cyberthreats is a key factor for the company. “Nevertheless,” he went on to say, “It’s vital for companies to have a strategy so that they can be resilient in case something happens.” Esposito also highlighted factors such as the application of threat intelligence platforms, the creation of threat detection controls, and perimeter monitoring with automated alerts, but always with a fundamental role played by humans.

Finally, the director of the laboratory PandaLabs, Pedro Uría, put forth the keys for business security, protection and resilience, now that malware is no longer the problem. Instead, hackers are the future challenge of cybersecurity, as they use more complex methods. “New attacks, like those that don’t use malware, are the target of threat hunting services, such as those offered by the Panda Adaptive Defense platform,” explained Uría.

Panda Security Report: cyber-resilience and companies

The report ‘Cyber-resilience: the key to business security’ conveys the fact that the increase in the volume and severity of cyber-incidents detected by the majority of companies (64% and 65% respectively) has meant an increase in detection and response times in 57% of cases.

In light of this complex situation, Panda explains that cybersecurity must be understood as a corporate risk management problem. This means that companies must continually review and adjust their security organization, processes, technologies, tools, and services, in order to adapt to the evolution of threats in a process based on distrust.

The report from the advanced cybersecurity company also identifies companies that can count on robust cyberattack prevention (72%), detection (68%), containment (61%), and response (67%) systems as highly cyber-resilient. Likewise, companies that have set up a Computer Security Incident Response Plan (CSIRP) have experts who are specialised in their application (91%), and are led by directors who understand that a high level of cyber-resilience is directly related to economic growth (63%) and the company’s reputation (69%).

Do you want your company to be cyber-resilient? At Panda Security we have at our disposal the latest technology as well as the most highly skilled team of experts to help your company to prevent cyberattacks and to adapt after any kind of security incident.

 

The post Cyber resilience was the star of the Panda Security Summit 2018 appeared first on Panda Security Mediacenter.

How will I protect my company in 2020?

Fast-forward to the year 2020: what cyberthreats is your company up against? In order to get a head start on the future of cybercrime, companies, government organizations, and citizens need to gear up for the challenges of a world which is ever more connected thanks to new advances in technology. The best way to avoid harm is to get ready for when it comes. The Information Security Forum, a non-profit association which analyses and researches the sector, has presented ‘Threat Horizon 2020’, a report which breaks the threats of tomorrow down into three main themes.

Large scale conflicts are looming

As the ISF points out, we are facing an uncertain future: nations, along with terrorist groups, organized criminals, hacktivists, and hackers, will be on the list of possible assailants putting security at risk. Protecting critical infrastructure will be key in 2020: with new possibilities of attacking energy, communications, and logistics systems, all kinds of organizations could lose the basic tools they need in their day-to-day operation.

With a combination of traditional military forces and new technologies which can be used in attacks, the cybercriminals of the near future will be able to create high impact situations which will put companies and nations at risk. In the wars of the future, as well as armies and missiles, digital attackers will also play a part. National cybersecurity departments are already preparing for possible unauthorized access to their infrastructure and their election systems. And this is a matter of when, not if it happens. In light of the possibility of these extreme consequences, the ISF recommends having in place an up-to-date incident response plan, as well as training and educating employees so that, if worst comes to worst, they know how to react at the outbreak of cyberwarfare.

The danger of the IoT: access points increase in number

As technology advances and becomes more democratized, more and more opportunities are created for organizations. But these progress scenarios are a double-edged sword for our security and our privacy. The increase in the number of IoT devices in business environments means an increase in the number of attack vectors. This in turn makes cybercriminals’ jobs a lot easier, as was the case in the recent DDoS attack on the financial sector, when televisions and webcams were hacked. Likewise, fridges, dishwashers, and smart coffee makers could be attacked in order to create power surges which could put electrical networks of whole regions at risk. As we’ve seen with attacks similar to Mirai, any IoT device is susceptible to remote hacking.

To cope with these assaults, the ISF recommends making sure that IoT devices connected to corporate networks can’t be used to attack the company. It’s worth remembering that neglecting such apparently harmless devices as printers can be dangerous.

More regulatory pressure, greater transparency

The last section of the report discusses the relationship between the new regulations and the growing burden that adapting to this new climate means for employees. The need for transparency will multiply information storage points and, by giving access to administrators who aren’t part of the organization, the likelihood of a security breach will also increase. At the same time, the strict privacy regulations will increase the financial repercussions of any attacks, via the imposition of significant fines.

With just a few hours left on the countdown to GDPR, the regulation that aims to protect the privacy of EU citizens’ personal data and control how companies can use this data, this point of view makes even more sense. Given these difficulties, the ISF recommends balancing the management of regulatory requirements with the business risks. It’s also vital to have tools which will simplify compliance with the different regulations for the protection of employees’ and clients’ data.

Companies such as Instagram already got a head-start on the May 25 deadline, with their new ‘Data Download’ function, which allows users to download a file containing all the photos, comments, and personal data from their profile. In this way, if a user wants to delete their account right away, they will be able to take all their information with them.

The world will be completely different in 2020, and there’s no one way to combat national attacks, reduce the risks associated with technological advances, or to comply with new legislation. Nevertheless, in the cybersecurity world, tools such as Panda Adaptive Defense 360 can ease the transition to new, ever smarter environments, with tools of the future for threats of the future. Don’t wait until 2020!

The post How will I protect my company in 2020? appeared first on Panda Security Mediacenter.

GDPR Is Here: What Now?

Two years have flown by. The new GDPR (General Data Protection Regulation) came into effect on the 25th of May 2016, and it will be mandatory to comply with it from the same date in 2018. If your company still hasn’t adapted to the changes, it had better start to do so ASAP.

This isn’t just any old procedure, and nor is it simply an additional provision. It’s a vital issue as far as the security, privacy, and processing of information is concerned. But there is some truly worrying data: according to Crowd Research Partners, 30% of companies aren’t ready to adapt to the new regulation.

GDPR is going to affect the immediate present for companies at a European level, and those that don’t insert the new regulation into their legal framework will face two possible dangers: the legal and financial consequences, and the associated cybersecurity risks.

The consequences of breaching GDPR

1.- For your company’s accounts

Breaching GDPR carries four levels of sanction: a warning, a reprimand, the suspension of data processing, and a fine. The fine itself has two levels: at Level 1, a payment of €10 million or 2% of annual global turnover (whichever figure is higher); at Level 2, a payment of €20 million or 4% of annual global turnover (again, the higher figure).

If we add to all this (which is already a lot) any claims made by users affected by your infraction or possible complaints from any corporate or economic operator, believe us: flouting the regulation will end up affecting you more than you could ever imagine. And, make no mistake: it won’t be worth it.

2.- For the credibility of your business

Not complying with GDPR can also put the viability of your business and the future of your company at serious risk. Do you really want to be the only one who doesn’t comply with a regulation which is mandatory in the whole European Union? If you do, you’d better get ready for your company to be known for it.

This is no small thing: GDPR obliges you, among other things, to give official notification of possible leaks of users’ private data. If you’d rather breach the regulation, your company’s image will be associated with this infringement, both in public opinion and within your industry. And the next time you want to secure a commercial agreement of any kind, this will be one of the key reasons you are turned down.

The real battle: cybersecurity

But it doesn’t stop there. If 2017 and 2018 are, so far, the quintessential years of cybersecurity attacks, GDPR is yet another ingredient in the juicy recipe already being prepared by cybercriminals all over the world in order to commit this kind of crime.

If you think that it’s no big deal, why don’t you mull over the two possible situations that can occur if someone should want to infringe on your cybersecurity using GDPR as a starting block:

1.- Economic extortion

Picture this: even though you have to comply with the new EU regulation, it turns out that you didn’t. Someone finds a security breach in your company, makes use of it, gets access to some data and… Bingo! They discover your non-compliance. The cybercriminal knows full well that you could face fines of up to €20 million, so, what if they ask for a financial ‘reward’ in exchange for keeping their mouth shut?

The fact is that any compensation demanded will be much lower than the possible fine, but, apart from the fact that you’ll be breaking the new regulation, you’ll also be risking the possibility that the extortion won’t stop there.

2.- Blackmail

With, among other cases, the elections in the United States, it was made quite clear: cyberattacks don’t necessarily have to have a financial element, rather they can also have political, ideological, social, or corporate ends. If someone discovers vulnerabilities in your cybersecurity, they could try to force you to take actions that you don’t want to take.

It goes without saying that, in order to avoid either of the two situations outlined above, you must take the utmost care of your company’s cybersecurity. This is of course something that must be ever present in the day to day of your company, but even more so in this context.



We hope we’ve managed to convince you. If your company still hasn’t got to work on GDPR, or has done so but still has some work to do on it, take a look at our guide on how to adapt to the new regulation as soon as possible. And if you want to equip yourself in terms of technology and cybersecurity, Panda Adaptive Defense, with its Data Control Module, can help you not only to prevent attacks but also to defend yourself if an attack has already happened.


Javier Candau: “Cooperation between the public and private sectors is essential to combat cyberthreats”


On May 18, Panda Security will be holding the Panda Security Summit (#PASS2018). The aim of this event is to offer a clear and objective perspective of the current security environment, focusing on the main dimensions on which the sector is now based. Among the speakers taking part is the head of Spain’s National Cryptologic Center (CCN-CERT), Javier Candau, who will be offering his view of the cybersecurity challenge in Spain.

All security dimensions are important for a company, according to Candau, but the confidentiality of certain issues and processes is particularly relevant. According to him, management has to understand that a business is sustained by its systems and the information it generates, so this is a strategic decision, as are vigilance and auditing.

As the head of the CCN-CERT, Javier Candau knows what the keys are for a government in the fight against cyberthreats. These include the implementation of improvements in areas such as detection capabilities, considering cybersecurity as a horizontal service; collaboration between the public and private sectors; the response, which has to be rapid and round-the-clock across all points of the corporate network; and deterrence.

So far, sectors such as the aeronautical industry, the general public, and the defense or energy sectors have been the main targets of complex attacks. In order to face these types of incidents, the CCN-CERT is looking to advance awareness among government authorities and business management, and improve the capacity to detect complex attacks with anomaly detection tools such as CARMEN, which must integrate with tools for correlating the logs of organizations and, essentially, with endpoint tools.

Candau also highlights the work being done to improve the cybersecurity structures of organizations, aiming for some services to be provided horizontally and for technical staff to be adequately qualified through training programs and the provision of technical information on technologies and configurations.

Cooperation with the private sector and challenges in 2018

Large companies are working with the Government to be able to deal with cyberattacks, but for this, it is first necessary to ensure they have confidence, explains Candau, and later, they need to complement and reinforce the security services that the private sector provides them. In this way, the head of the CCN-CERT hopes that companies will at some point share information about the attacks they suffer and their cybersecurity concerns.

The essential cybersecurity challenge for the government this year is to provide much more proactive horizontal services, with the setting up of the Security Operations Center of the Spanish Central Administration. In addition, Candau explains that the Center is working on improving exchange platforms, detection capabilities, auditing capabilities, and training platforms and content.

CCN-CERT’s approach to combating cybercrime against the state culminates with the identification of the origin of the attacker. To this end, and in line with current regulations, the government organization operates in terms of risk/impact and speed of response.

Javier Candau admits that cybercrime has very different complexities. These range from botnets, which are generally easy to detect and disinfect, through complex ransomware that is difficult to analyze cryptologically, to organized crime attacks that seek direct financial benefit or the theft of information.

The head of the CCN-CERT also underlines that the targets set are sufficient to protect the country’s critical infrastructure against cyberattacks, but these systems do not undertake the challenge of protecting operational networks. Candau recognizes that it is no longer acceptable for these not to be interconnected, as businesses need this information, so he advocates coherent security policies and thorough vigilance of interconnections as well as traffic and anomalies in industrial protocols. Security must therefore be applied in all dimensions: physical, cyber and human.

For more information about national cybersecurity, the role played by the CCN-CERT in the major attacks of 2017 and Javier Candau’s view of the challenges for the coming years, come to the Panda Security Summit, where Europe comes together for cybersecurity.




Xavier Mertens: “Cryptojacking is one of the most brilliant attacks I’ve seen”

The aim of a hacker used to be to steal or destroy information, yet today what they try to do above all is profit financially in exchange for information. We can see how attacks are becoming more professional and businesses are being built around them. Some years ago, it wasn’t so easy to buy ransomware or rent a bot to launch attacks. Xavier Mertens, an independent cybersecurity consultant and renowned IT security blogger, insists on the importance of traditional security to combat these highly effective new threats. Mertens’ voluntary participation in the SANS Internet Storm Center, the global cooperative system for warning against cyberthreats, gives him a great insight into the very latest attacks.  

PS: How can IT security professionals adapt to these new needs?  

XM: The usual protection measures are still important. If employees can stick to following typical security measures: implementing appropriate network segmentation, using secure passwords, configuring devices correctly and not exposing sensitive information or tools on the Web, I believe they could be protected against any modern threat.

Most security problems occur because people need to carry out everyday tasks, and are unaware of the basic measures required to protect them. Recently I tried to scan a document and, after checking the login credentials and firewall and ensuring that the printer worked correctly, I realized that it wouldn’t work because the Server Message Block version 1 (SMBv1) protocol was configured, something that has already been widely disapproved of. As such, it is something you need to decide whether or not to enable. Users normally enable the default settings as they don’t know how to change them or they simply don’t have time to do so and just want to get on with their day-to-day routine. But it is not so complicated, as industry experts, to resolve these basic problems and protect the security of tools that are as common in companies as printers.


PS: What is the Internet Storm Center? What is your role as an ISC Handler?

XM: The Internet Storm Center is an organization whose aim is to monitor the Internet and ensure it operates properly. Using automated tools, we collect information for professionals in the sector, generate useful content in the form of a cybersecurity journal and try to increase awareness of the problem. For example, with the ‘dshield’ project, people can send their firewall records to build up our database and create a detection system based on repetition. We were able to detect the Mirai botnet because we have tools that showed activity peaks on specific ports. We are the ‘Internet’s firemen’.

PS: How can we avoid recent attacks such as those that are aimed at mining crypto-currencies?

XM: The protection remains the same as for other types of malware, because crypto-currency mining is carried out with malicious code that runs on your computer. The standard advice still stands: have a cybersecurity solution that protects you completely and don’t click or download unknown files. Nevertheless, I think that crypto-jacking is one of the most brilliant attacks I’ve seen. Criminals are moving from ransomware to mining because it is much less intrusive and you don’t need so many resources to evade detection. With ransomware, you don’t know if victims will pay the ransom because they may have backed up their files. With crypto-currency mining however, you are sure to recover your investment, and it is much less invasive. You can run mining on any type of device, unlike ransomware which is restricted to Windows, Mac or Linux, and the victim’s system will still operate despite the attack.

A colleague at the ISC analyzed the power of his computer while mining crypto-currencies. The fans and the CPU of the computer were always busy and running at full strength. So imagine the consequences that mining could have in a company with numerous computers: energy consumption increases, it has a significant impact on data center traffic and can even increase the office temperature.

PS: You have GIAC certification in reverse engineering malware. Should companies be investing in this type of analysis?

XM: I don’t think you should invest in reverse engineering unless you have a big budget and a lot of time. The aim of companies is not to understand the behavior of malware, but to resume normal activity as soon as possible. When analyzing malicious files, we want to know why they behave as they do in order to generate a list of ‘Indicators of Compromise’ to share with other researchers in the sector and provide this intelligence to customers.

PS: How do you draw up an effective incident response plan?

XM: Incident response plans are not easy to address, particularly if they are for companies that don’t have the resources or the right personnel. In my opinion, you can always start with the small things. The first step is to be prepared, increase awareness and involve all employees, and this is something that can be done by any company.

PS: As the deadline draws closer, how can companies prepare themselves for GDPR compliance?

XM: The GDPR is designed to protect the privacy of users. So bearing this in mind, if you have implemented a comprehensive security strategy, if you know where the data is and how it is protected, and if you only have collected the information that is strictly necessary for your business, the GDPR should not represent a problem for you. This regulation takes us back to basics, to some simple guidelines: encrypt your information, don’t store passwords in public files, make sure databases are not exposed on the Internet, etc. Possibly the biggest challenge will be for small companies that don’t have an inventory of all the information they possess, not just internal data, but also what they share with suppliers and users. Companies are now in the process of reviewing all the information they possess and we hope that they are taking the necessary measures to adapt to the GDPR.
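The "activity peaks on specific ports" idea from the Internet Storm Center answer above can be sketched as follows. This is an added illustration, not DShield's code and not part of the interview; the log format, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed records 'date src_ip dst_port' (documentation IP ranges)."""
    lines = ["garbage line without a port"]  # malformed on purpose
    for day in range(1, 8):
        date = f"2024-03-{day:02d}"
        # Steady background noise: 5 sources probing port 22 every day.
        lines += [f"{date} 198.51.100.{i} 22" for i in range(1, 6)]
        burst = day == 7
        # Port 23: 4 sources a day, then 60 on the last day.
        lines += [f"{date} 203.0.113.{i} 23"
                  for i in range(1, 61 if burst else 5)]
        if burst:
            # A port never seen before, hit by 30 sources on the last day.
            lines += [f"{date} 192.0.2.{i} 2323" for i in range(1, 31)]
    return lines


def parse_line(line):
    """Return (date, src_ip, port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    port = int(parts[2])
    if not 0 < port <= 65535:
        return None
    return parts[0], parts[1], port


def sources_per_port_day(lines):
    """Map port -> date -> set of distinct source IPs; also return all dates."""
    seen = defaultdict(lambda: defaultdict(set))
    dates = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        date, src, port = rec
        dates.add(date)
        seen[port][date].add(src)
    return seen, sorted(dates)  # ISO dates sort chronologically


def find_peaks(lines, factor=5, min_sources=20, min_history=3):
    """Flag (date, port, count, baseline) where the number of distinct
    sources exceeds `factor` times the port's median over earlier days."""
    seen, dates = sources_per_port_day(lines)
    peaks = []
    for port in sorted(seen):
        counts = [len(seen[port].get(d, ())) for d in dates]
        for i in range(min_history, len(dates)):
            baseline = median(counts[:i])
            # max(baseline, 1) lets a previously silent port still be flagged.
            if counts[i] >= min_sources and counts[i] > factor * max(baseline, 1):
                peaks.append((dates[i], port, counts[i], baseline))
    return peaks


if __name__ == "__main__":
    for date, port, count, baseline in find_peaks(build_sample_log()):
        print(f"{date} port {port}: {count} sources (baseline {baseline})")
```

Counting distinct sources rather than raw packets keeps one noisy scanner from looking like a peak, and the `min_sources` floor stops low-volume ports from triggering on small fluctuations.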


Nicola Esposito: “The key to resilience is having a mature strategy and a good partner”

Our first cybersecurity summit, the Panda Security Summit (#PASS2018), is approaching fast, and will feature talks from key figures in the sector, such as Nicola Esposito, Director of Deloitte’s CyberSOC EMEA Center. In his lecture, “Keys for a more attentive, safer and resilient organization in the face of advanced cyberthreats”, Esposito will explain how Deloitte, from its Cyber Risk area, helps organizations to strengthen their risk and security management program. In advance of the summit, we asked this expert about resilience in the corporate cybersecurity environment.

What are the most significant advanced threats facing companies today?

Advanced threats combine numerous tools, techniques and targeting methods. Malware is currently one of the major threats due to its capacity to spread rapidly across an organization and even around the world.

Which aspect of resilience would you say is most important for the security of companies?  

You can’t single out one aspect. All of them (prevention, detection, containment, response and continuous improvement) have to be taken into account to adopt a serious approach to IT security. In line with this approach, and in order to offer its customers an end-to-end solution, Deloitte has developed its Common Storefront based on the four areas of Strategy, Security, Vigilance and Resilience.

How can the creation of an integrated and connected ecosystem contribute to improving corporate security infrastructure?

The creation of this ecosystem can help make companies more secure and become part of a chain of security. This is one of the reasons why Deloitte promotes the Threat Intelligence network, so as to share indicators of compromise (IoCs) and increase the detection capacity of customers. Such networks allow these IoCs to be shared practically in real time, and consequently reduce the time of exposure to the corresponding malware.

What risks do non-resilient companies face?

Non-resilient companies are probably not taking cybersecurity risks seriously. This is the biggest challenge. Once a company’s management recognizes the threat, it needs a trusted partner to set up a robust security program. So the second challenge is to find a partner able to guide you along a potentially complicated path.

What are the keys to creating resilient companies?

The key to resilience is having a mature strategy and a good partner. With a mature strategy you can address risks in the proper way, starting with business risks and not focusing on them directly from the technological perspective. This strategy should include the values mentioned earlier: Security, Vigilance and Resilience. It is also important to have partners with a global vision, who understand the scope of current threats, and have end-to-end capabilities to understand business risks, advise customers accordingly, and implement and operate the technologies to make their business resilient.

What is the risk of ignoring resilience?

The greatest risk is the likelihood of being hit by a cyberattack and the inability to recover from it. It is not just that critical systems are compromised, there is also the potential damage to brand reputation, which in some cases may take years to restore. There are also risks associated with regulatory compliance, which are related to the security controls implemented in every company.

To what aspect of cyber-resilience should we pay most attention?

The aspect of resilience that is often ignored, or not adequately considered, is detection. Mainly because detection means having visibility, and to have this, you have to understand where and how to pay due attention to all the other sections that comprise cyber-resilience.

At Panda we know that detection and the response to attacks is essential to business cybersecurity. That’s why tools such as Panda Adaptive Defense guarantee the protection of aspects that could sometimes be overlooked. To bolster cyber-resilience, Nicola Esposito will be taking part in the Panda Security Summit on May 18 in Madrid. Don’t miss it!


Silvia Barrera: “Cybersecurity never costs more than the damage that can be inflicted”

The Panda Security Summit (#PASS2018), our advanced cybersecurity summit, is now less than two weeks away. This event will bring together CISOs and CIOs from all over Europe to discuss the latest trends in protection and threats, as well as the global cybersecurity panorama. So as the day draws closer, we bring you the second part of our interview with Silvia Barrera, writer, expert in cybersecurity, and master of ceremonies at the PASS.

 

In this second part of the interview, Silvia describes what security challenges she expects institutions and companies will face over the next few years, as well as what can be done to make businesses and organizations resilient in terms of cybersecurity.

[If you missed the first part of our interview with Silvia, you can read it here].

What do you feel is the greatest problem today regarding the security of companies and institutions? 

First the human factor and then the technical side. In technical aspects, the problem can be avoided by properly evaluating risks and using internal and external checks and controls. You can’t just think about the employee; organizations and companies need to integrate and align cybersecurity as a strategic objective of the business and as such assume the costs of IT security. There will be difficult times ahead in terms of security risks and data protection, and there will be stiff penalties and consequences, particularly in terms of corporate reputation, as illustrated by the recent cases of Facebook and Tesla.

What challenges do you think businesses and organizations will face with respect to IT security in the next two years? 

The change in consumer mentality. We have to try to be as preventive as possible, acting at every point of the process to mitigate the cost of cybercrime for users, but we cannot truthfully tell users or customers that they will never be the victim of an attack. They will be, and consequently they must be prepared.

The more concerned you are about your cybersecurity, the more secure you will be, and this goes for your business, reputation, etc. Cybersecurity never costs more than the damage that can be inflicted. The Internet offers an infinite array of tools and features that can make life easier, but it can also ruin it.

What does it mean for you that a company or institution is resilient from the point of view of cybersecurity? 

Resilience is the best factor for gauging the strength of a company or institution. It tests how you manage communications, data, security and IT infrastructure. The capacity to recover from a possible attack is also a factor to evaluate your readiness and how you can improve it. Ultimately, it shows who can successfully adapt to technological changes and demands. And with regard to external customers, how you take care of this within your organization will also reflect how you take care of your customers’ information. Your reputation and their trust is at stake.

In your view, what aspect of resilience is the most important to keep companies and institutions secure?

All of them. From prevention, avoiding the vast majority of attacks and incidents, to detection and response. Although there is no 100 percent security, as we know, almost 99 percent of attacks can be avoided. How? By taking into account all factors of resilience. It is important to be aware that cybersecurity is like taking care of your own security and personal health. You might not get a tangible return from it, but it guarantees a long life, full of satisfaction and success. That is resilience.
