Category Archives: compliance

Only one quarter of retail banks have adopted an integrated approach to financial crime systems

Most banks plan to integrate their fraud and financial crime compliance systems and activities in response to new criminal threats and punishing fines, with the U.K. leading the pack, according to a survey by Ovum, on behalf of FICO. Responses show that U.S. systems are less integrated than Canada’s – only 25 percent of U.S. banks have a common reporting line for both fraud and compliance, versus 60 percent for Canada. The survey also found … More

The post Only one quarter of retail banks have adopted an integrated approach to financial crime systems appeared first on Help Net Security.

What Is the ISA/IEC 62443 Framework?

Cybersecurity threats to manufacturing and process plants are coming from a wide range of attack vectors including supply chain, logistics, enterprise computing, remote connections, operator stations, programmable logic controllers, distributed control systems (DCSs), smart sensors and new smart devices. Many emerging Internet of Things (IoT) and communications technologies offer greater connectivity, but they make the […]… Read More

The post What Is the ISA/IEC 62443 Framework? appeared first on The State of Security.

Major Web Hosting Hazards You Should Take Seriously

“I’ve read that my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”

This is a pretty common answer that a lot of bloggers and small business owners gave me when I ask them if they know about how secure their web hosting is. Also, they often add that their budgets are pretty tight so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean ‘ridiculously cheap.”

Come on, people.

Do you really think that a cheap web hosting has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?

While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.

If you don’t believe me, you can Google something like “Hacked website stories” and you’ll see that many web hosting companies, from some of the cheapest to even some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.

Shocking Stats

Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).

From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.

The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.

While this information is certainly alarming, website owners are typically to blame for the fact that their website was stolen from them (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.

For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they could get help with by using numerous online tools like, Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.

Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.

While a password is something that could be changed in a matter of seconds to protect your site against brute force attacks, it may not protect you from most cyber threats. This is the responsibility of a hosting provider, and unfortunately, a lot of people disregard this requirement for web security.

That’s why we’re going to talk about hosting security issues that you should protect your site from.

How Web Hosting Affects the Security of Your Website

Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up for your website, and the implications go way beyond security.

For example, if you’re a blogger or a business owner, you’ll get:

  • A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure”
  • A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 lower bounce rates, and 25 percent higher viewability compared to websites that load between 5 and 19 seconds. That’s why Google has released the mobile-first indexing update and designed own PageSpeed Insights tool to help users optimize the performance of their websites
  • High reliability and uptime. Most web hosting companies claim that the websites they service are online for 99.9 percent of the time, but the real time can vary and depends on the quality of the provider.
  • Better security. This one means that different web hosting providers have different security packages, therefore the websites they power have different protection from hackers. Moreover, a good host can help you to recover quickly in case if you’ve suffered an attack.

Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:

  • Slow loading times. If your website loads for more than five seconds, then chances are that its performance is affected by the hosting provider that has put a lot of sites into one server
  • Frequent security issues. If your website doesn’t have backups and suffers from various cyber attacks often, then you should definitely talk to your provider (make sure that your passwords aren’t the problem)
  • Regular unexpected downtime. A poor choice of a web hosting provider often leads to this problem, which, in turn, is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and other websites hosted on that server) are experiencing.

So, to sum up, the quality of hosting is essential for the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter again). But with so many websites getting hacked on a daily basis, what do you need to know to protect your own one? Read the next section to know.

Beware of these Major Web Hosting Hazards

  1. Shared Hosting Issues

Sharing hosting is a tricky business, and you don’t know how many websites are on the server where your own one lives. It’s quite possible that the number is quite high, up to a thousand, and this could be one of the reasons why your website might be underperforming.

For example, this discussion threat had some interesting information on this. A person asked how many websites are typically served on one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.

Can you believe it? 800 websites on one server! Talk about performance issues, right?

While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them are high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.

Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.

  1. Attacks that Exploit an outdated version of PHP

It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, since the beginning of 2019, the support for PHP 5.6x will be ended, meaning that all support for any version of PHP 5.x is gone. In other words, the sites that fail to update won’t get any security patches, bug fixes, and updates.

However, recent reports suggest that this news didn’t trigger any massive moves to the newer versions of PHP. For example, according to Threat Post, about 62 percent of all server-side programming websites are still using PHP version 5. Here are the full data.

Source: Threat Post

“These sites probably include old libraries that haven’t had the joy of an update…” the abovementioned Threat Post post cited a web security expert, as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites stopped getting security updates!

“Faced with the urgent requirement to update the PHP version, a lot of websites owners will make a corresponding request for their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”

On top of that, some providers may not be willing to notify their users about the requirement to update their PHP versions, so a lot of websites may still be using outdated ones in the next few years.

Well, hopefully you’re not going to be one of them.

  1. More Sophisticated DDoS Attack Techniques

DDoS attacks are nothing new. However, they are still a common type of a cyberweapon used against websites that should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one thinks.

For example, the research suggests that the total number of DDoS attacks has decreased by 13 percent in 2018, which may seem like a positive signal by many.

The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky

Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to break into websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.

For example, it was found that the average length of attacks has increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While it means that the protection against this kind of attacks is getting better, it also suggests that the malefactors are becoming more selective and skilled.

 

For example, 2018 has seen the biggest DDoS attacks in history; one of these situations involved a U.S.-based website that reported a 1.7 TB/s assault (this means that the attackers overwhelmed the site with a massive wave of traffic hitting 1.7 terabytes per second!), according to The Register.

Source: The Register

Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the next years (clearly, not a lot of websites can survive an attack like this one), as hackers deploy more sophisticated techniques.

Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.

Stay Protected

Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats that you can face in the nearest future could help you to avoid losing your website and joining those 100,000+ unfortunate sites owners who get their sites hacked every day.

Hopefully, this article was a nice introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to the existing and emerging risks right now and make appropriate decisions. Eventually, this’ll pay you nicely by maximizing uptime and reliability of your website.

 

Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.

The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.

The real impact: how cybercrime affects more of your business than you think

Some businesses – usually those that have never experienced any kind of major IT incident – think of cybercrime as an inconvenience. They may believe that if their company is hacked it will cause some disruption and perhaps an embarrassing news story, but that ultimately the breach will have only a minor effect.

However, the truth is that cybercrime can have a huge range of unexpected consequences. Here we take a lot of the real impact of a breach – cybercrime might affect you a lot more than you think.

It loses customer confidence

When you suffer a cyberattack it becomes common knowledge very quickly. Whether your site is taken offline or Google places a ‘hacked site’ warning against you, customers will learn fast that you have been compromised. And when a potential customer hears that you have been breached, they will immediately associate you with the attack, deeming your site to be unsafe to use.

Under the General Data Protection Regulation (GDPR) it is also a legal requirement for you to inform any customers whose data has been affected by the breach within 72 hours of becoming aware of the breach. This goes further to lose your confidence with those customers who have already used your services or bought from your site.

It costs you sales

No business wants to lose the confidence of its customers, mostly importantly because it will naturally have an effect on your sales. If – in the eyes of your customers – your site can’t be trusted, they will stop using it and move on to a competitor. This means that before you take anything else into account, you will be losing business simply due to the fact that you have been a victim of cybercrime.

Of course, if the cybercrime takes your website offline, you will also lose any potential transaction over that period – but the more crucial factor is the long-term effect of customers believing that you are not longer safe to buy from.

It costs a lot of money

Cyber attacks can be extremely costly for a variety of reasons. We have already talked about the kind of disruption to trading that will occur when any kind of cybercrime takes place, but it is actually a lot more complicated than that. Firstly, many forms of cybercrime will directly steal money from a business. This could come in the form of a phishing attack on a member of staff, or even a business email compromise attack.

However, there are also other costs to consider such as the financial ramifications of dealing with the hack and securing your business. And of course, any trust that is lost in your partners or suppliers can lead to you losing them.

It weakens your SEO efforts

You might not realise it, but cybercrime can have a serious impact on your search engine optimisation (SEO). There are many reasons for this – firstly, if Google believes your site is hacked, it can place a ‘hacked site’ warning in the listings. Additionally, many hacks will actually alter or steal content from your site, and website content is one of the most important ranking factors in the eyes of all search engines.

Another important factor is downtime. If Google sees that your website is down for a significant period of time, this is a negative ranking factor, and can see your site sliding. Any cybercrime will cause downtime, as you will need to take your site offline in order to fix the issues and return it to normal.

It causes problems with compliance

We have already mentioned the GDPR in this article, and how it can force you to disclose cyber breaches to any affected individuals. However, it is important to remember that compliance with the GDPR and regulations can become an issue if you suffer a cyberattack.

Under the GDPR, businesses are required to take appropriate steps to protect themselves against attacks, in order to secure the private information that they hold on customers. Failing to do can put you at risk of heavy fines from the ICO.

It loses your intellectual property

Another extremely common occurrence during a cyberattack is that intellectual property will be stolen. Given the incredible value of IP to some businesses, such as in technology or pharmaceutical firms, it can be easy to see how stolen IP could make a business unsustainable.

If your organisation relies upon the secrecy of its IP, then you need to make sure you are taking appropriate steps to defend that IP against cybercrime.

The post The real impact: how cybercrime affects more of your business than you think appeared first on CyberDB.

IoT Security in 2019: Things You Need to Know

In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.

IoT visibility & security in 2019:

1. IoT endpoint security vs network security

Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.

Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.

2. “Cryptography is typically bypassed, not penetratedShamir’s law

In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should  now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.

3. 3rd party IoT vulnerabilities

One of the main issues in IoT security is the heavily reliance of IoT devices on third-party components for communication capabilities, cryptographic capabilities, the operating system itself etc. In fact, this reliance is so strong that it has reached a point where it’s unlikely to find an IoT device without third-party components within it. The fact that third-party libraries are commonly used across devices, combined with the difficulty to secure them, makes them a sweet spot for hackers to look for IoT vulnerabilities and exploit many IoT devices through such 3rd party component.

Vulnerability in third-party components is very dangerous. In many IoT devices, there is no separation and segmentation between processes and/or tasks, which means that even one vulnerability in a third-party library is compromising the entire device. This could lead to lethal results: attackers can leverage the third-party vulnerability to take control over the device and cause damage, steal information of perform a ransomware attack on the manufacturer.

it’s not only that third-party components are dangerous, but they are also extremely difficult to secure. Many third-party components are delivered in binary form, with no source code available. Even when the source code is available, it’s often hard to dive into it and asses the security level or vulnerabilities inside it. Either way, most developers use the open-source components as black-boxes. On top of that, static analysis tools and compiler security flags lack the ability to analyze and secure third-party components and most IoT security solutions cannot offer real-time protection into binary code.

VxWorks vulnerabilities

A recent example of such third party vulnerability that affects millions of devices can be found in the security bugs found in the VxWorks embedded operating system. These vulnerabilities exposed every manufacturer that used VxWorks operating system, even if security measures like penetration testing, static analysis, PKI and firmware analysis were taken.

To summarize, in order to provide strong and holistic IoT protection, you must handle and secure all parts of the device, including the third-party components. Sternum IoT security solutions focus on holistically securing IoT devices from within and therefore offers a unique capability of embedding security protection & visibility into the device from end-to-end. Sternum’s solution is also operating during real-time execution of the device and prevents all attack attempts at the exact point of exploitation, while immediately alerting about the attack and its origins, including from within third-party libraries.

4. Regulation is kicking in

In the past two years, we’re seeing a across industries effort to create regulations and standards for IoT security. We are expecting to see more of these efforts shaping into real regulations that will obligate manufacturers to comply with them.

A good and important example is the FDA premarket cybersecurity guidance that was published last year and is expected to become a formal guidance in 2020. The guidance includes different aspects of cybersecurity in medical devices (which is in many cases are essentially IoT devices) such as data integrity, Over-the-air updates, real-time protection, execution integrity, third-party liabilities and real-time monitoring of the devices.

Another example is the California Internet of Things cybersecurity law that states: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.

We expect to see more states and countries forming regulations around IoT security since these devices lack of security may have a dramatic effect on industry, cities, and people’s lives. Top two regulations that are about to be released are the new EU Cybersecurity Act (based on ENISA and ETSI standards) and the NIST IoT and Cybersecurity framework.

The post IoT Security in 2019: Things You Need to Know appeared first on CyberDB.

7 Cybersecurity Practices to Protect Organizations from Future Threats

Image Source: Freepik

Cybersecurity is the process of protecting and defending an enterprise’s use of cyberspace by detecting, preventing and responding to any of the malicious attacks like disabling, disrupting, injecting malware, or anything thing else aimed to harm the organization.

At its center, cybersecurity defends your organization from vicious and threat attacks aimed to disrupt and steal information from your organization. Cybersecurity risks are similar to financial and reputational risks as it could directly affect the organization’s growth, driving the costs up and adversely affecting the revenue.

If you’re a part of an organization, and especially, if your workplace stocks sensitive information of individuals or clients involved, then this is an ideal time to educate yourself regarding cybersecurity and ways to safeguard your organization against cyber attacks and threats with the help of professionals who hold cybersecurity certifications.

  1. Enable Firewall

In football, there’s a famous phrase- “Attack is the first line of defense.” and in the scenario of cybersecurity, the firewall serves the very same purpose. The firewall protects unauthorized access to your system, mail services, and websites. In addition to the external firewall, considering installing internal firewalls for the work network as well as on for your home network, in cases if employees decide to work remotely.

  1. Conduct Cybersecurity Awareness Training

According to a recent survey, 77% of those who took part admitted that they use free public WiFi networks to access work-related documents or have connected their corporate devices to such networks which are most often unsecured. Only 17% of them said that they use a VPN when outside the office.

 

33% of insider threat attacks have caused due to mistakes or irrationality from the employees; these mistakes are preventable. As per the SANS, cybersecurity experts have reported that their knowledge programs have made a tangible impact on the organization’s security.

  1. Back-Up Company Data

It is one of the prioritized security practices among cybersecurity professionals. Backing up your data could be a lifesaver. In the advent of Trojan horses and Ransomware, small mistakes could lead to complete data wipeout.

 

Handling the back-up data is also equally important. Make sure back-ups are thoroughly protected, encrypted, and updated frequently.

  1. Multi-Factor Authentication

MFA (Multi-factor authentication) is considered to be one of the prominent cybersecurity practices among professionals. MFA adds an extra layer of protection to any data that is protected by this means.

 

Even in an unfortunate situation if any malicious attack gets to your sensitive data, it would further require to pass additional authentication layers of security to get to the actual data and cause any harm. Also, these practices are notification enabled, and any susceptible attempt is reported to the user by multiple communication channels.

  1. Bring Your Own Device (BYOD) Policies 

BYOD policies have been around since 2004, and ever since it has managed only to boom among the corporate culture. It is predicted that by 2022, the BYOD market will hit $367B. Also, research data has it that the companies who opt for BYOD, save $350/year for every employee.

Sure, letting the employees use their own devices for work increases their productivity, but it does make the organization’s data susceptible to cyber attacks. With the increasing use of the mobile device, smartwatches, and wearables, and IoT products companies that are serious about BYOD or using cloud storage, in general, should consider the security vulnerability and implement stringent policies to protect their valuable information. MDM (Mobile Device Management) software enables the cybersecurity or the IT team to implement security settings and configurations that let them secure all devices connected to company networks

  1. Manage Passwords

Changing passwords is a pain, and employees often distance themselves from such action unless the HR or the IT team forcefully sit next to them and make them change their passwords.

Password management is a critical part of corporate security, and in today’s BYOD world, it is essential to be extra cautious about data protection. Privileged access accounts are diamond mine for the attackers, and when it comes to the security of these accounts, unauthorized access could doom the growth of the organization.

  1. Document Cybersecurity Policies

Business often operates on verbal bases when it comes to security while ideally, they should be considering documenting every policy and training operations related to cyberspace. Multiple online portals like the Small Business Administration (SBA) & FCC’s Cyberplanner 2.0 Cybersecurity portal provides checklists, online instruction, and information distinct to protect online businesses.

Conclusion

Always remember the fact that one unsafe click could result in complete data wipeout or leak, and education yourselves about the cybersecurity practices that could help your organization prevent itself from threats. Not just to an organization’s security, it is also helpful to any individual who uses the internet. Keeping yourselves afloat regarding such practices is a part of the job as all kinds of engagement is slowly and swiftly happening on the cloud.

 

———————

 

Author Bio:

Gaurav Belani is a senior SEO and content marketing analyst at The 20 Media, a content marketing agency that specializes in data-driven SEO. He has more than seven years of experience in digital marketing and loves to read and write about AI, ML, cybersecurity and other emerging technologies. In his spare time, he enjoys watching movies and listening to music. Connect with him on Twitter @belanigaurav.

 

The post 7 Cybersecurity Practices to Protect Organizations from Future Threats appeared first on CyberDB.

What is the difference between penetration testing and bug bounty programmes?

To stay secure many businesses regularly test their systems to identify vulnerabilities. Penetration testing is one of the most common types of cyber security assessment but in recent years a growing number of businesses have also turned to ‘bug bounty’ programmes to supplement their testing programmes.

Penetration testing (often referred to as pen testing) is a well-known and established form of assessment, typically carried out by a company that specialises in ethical hacking. (Covered here in great detail by Redscan’s extensive glossary). Bug bounty programmes, however, are a more recent offering, viewed by many as a complement to penetration testing, helping to widen the scope of security testing on platforms that are already well-secured against attacks.

Many large organisations run their own on bug bounty programmes, including Google, Facebook and Microsoft (which paid out millions in bounties in 2018). Even the EU has begun funding programmes.

In fact, according to Gartner, by 2022, automated and CSSTP (crowdsourced security testing platform) products and services will be employed by more than 50 per cent of enterprises, rising from fewer than 5 per cent today. In this article we take a look at the key differences between security testing offered by pen testing providers and bug bounty programmes.

  1. The expertise

Pen tests are carried out by experienced ethical hackers employed by specialist cyber security companies. Professional ethical hackers are required to have undertaken qualifications in cyber security, ensuring that they have an in-depth knowledge of the legal, technical, and ethical aspects of testing. Before any work is undertaken by a penetration tester, it is common practice to know the person’s identity and sign a contract to agree the scope of the work.

Bug bounty programmes also attract professional ethical hackers, however, as anyone can sign up to a programme, testing will typically be carried out by a mixture of professionals and amateurs, with hugely varied experience, knowledge, and ethics. Bug bounties tend to attract students and those looking to practice their ethical hacking skills. For this reason there can be lots of fake, duplicate and/or false vulnerabilities reported.

  1. The scope

Pen tests are conducted to meet the exacting needs of a specific client. Indeed, there are many types of assessment, ranging from internal and external network testing, to web application testing, wireless testing, and more. Testing can also be arranged to suit the operational requirements of a business, for example, by being conducted outside of regular working hours.

Bug bounty programmes are focussed only on testing websites and web applications that are publicly accessible. For this reason, bounty programs aren’t able to detect vulnerabilities inside a network or before websites and applications go live. The scope of the testing is also typically far less well defined, and sometimes organisations will not receive the type of feedback they are seeking.

  1. The duration

Penetration testing for web applications is usually carried out over a relatively short time – perhaps two to three days.

Big bounty programmes, on the other hand, are not conducted in line with specific deadlines and for this reason are best used for continuous testing. This makes them ideal for large technology businesses that are constantly releasing new products and updates. But it also means they are less useful for companies that have less frequent release cycles.

  1. The cost

The cost of a penetration test is typically based on the number of days required for hackers to achieve the agreed objective of the test.

Most bug bounty platforms, on the otherhand, allow organisations to set the price they are prepared to pay. While this may seem appealing, setting bounties too low might well deter testers. On the flipside, if a huge number of vulnerabilities are discovered, costs can quickly mount up.

Some bug bounty programs offer rewards for £100,000s but such single pay outs remain the exception.

  1. The feedback

Any good penetration test will not only identify exposures, but will also provide the feedback and support needed to address them. Bug bounty programmes are focussed solely on discovering vulnerabilities and for this reason the level of feedback will generally be low.

If an organisation manages its own bug bounty program, it may struggle to deal with an influx of reports from testers.

 

The post What is the difference between penetration testing and bug bounty programmes? appeared first on CyberDB.

Why Your Data Security Strategy Should Include Data Masking

 

Data Masking/Tokenization/Anonymization replaces sensitive information with fictitious data while retaining the original data format. The data masking process lets you continue to work with your data as if it were not encrypted. Databases, business applications and collaboration software continue to work as if the data was real, but unauthorized personnel only have access to the fake data and can’t extract meaningful sensitive information.

ITAR compliance: ignorance is no excuse

The ITAR (International Traffic in Arms Regulations) legislation details what measures businesses and individuals must take to comply with ITAR requirements and specifies severe penalties, both civil and criminal, for non-compliance. The reach of the regulations is broad and suppliers of all kinds may be subject to requirements to keep sensitive information secure and restricted.

Does Data Residency Reduce Cloud Risks?

Countries are establishing data residency regulation to protect private and classified data generated from their citizen by mandating storing this information within that country (the country of origin). The theory is that the laws of the country in which the data is stored apply to that data. Large cloud providers such as Amazon, Microsoft, Salesforce are opening cloud data centers outside their home countries (Cloud Data Center Expansion Race) to satisfy these laws. The question is “Does Data Residency Reduce Cloud risks?