Category Archives: data protection

The Risks of Public Wi-Fi and How to Close the Security Gap

public wi-fi risksAs I write this blog post, I’m digitally exposed, and I know it. For the past week, I’ve had to log on to a hospital’s public Wi-Fi each day to work while a loved one recuperates.

What seems like a routine, casual connection to the hospital’s Wi-Fi isn’t. Using public Wi-Fi is a daily choice loaded with risk. Sure, I’m conducting business and knocking out my to-do list like a rock star but at what cost to my security?

The Risks

By using public Wi-Fi, I’ve opened my online activity and personal data (via my laptop) up to a variety of threats including eavesdropping, malware distribution, and bitcoin mining. There’s even a chance I could have logged on to a malicious hotspot that looked like the hospital network.

Like many public Wi-Fi spots, the hospital’s network could lack encryption, which is a security measure that scrambles the information sent from my computer to the hospital’s router so other people can’t read it. Minus encryption, whatever I send over the hospital’s network could potentially be intercepted and used maliciously by cybercriminals.

Because logging on to public Wi-Fi is often a necessity — like my situation this week — security isn’t always the first thing on our minds. But over the past year, a new normal is emerging. A lot of us are thinking twice. With data breaches, privacy concerns, the increase in the market for stolen credentials, and increasingly sophisticated online scams making the headlines every day, the risks of using public Wi-Fi are front and center.

Rising Star: VPNpublic wi-fi risks

The solution to risky public Wi-Fi? A Virtual Private Network (VPN). A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your online activity by encrypting your data when you connect to the internet from a remote or public location. A VPN also conceals your location, IP address, and online activity.

Using a VPN helps protect you from potential hackers using public Wi-Fi, which is one of their favorite easy-to-access security loopholes.

Who Needs a VPN?

If you (or your family members) travel and love to shop online, access your bank account, watch movies, and do everyday business via your phone or laptop, a VPN would allow you to connect safely and encrypt your data no matter where you are.

A VPN can mask, or scramble, your physical location, banking account credentials, and credit card information.

Also, if you have a family data plan you’ve likely encouraged your kids to save data by connecting to public Wi-Fi whenever possible. Using a VPN, this habit would be secured from criminal sniffers and snoopers.

A VPN allows you to connect to a proxy server that will access online sites on your behalf and enables a secure connection most anywhere you go. A VPN also allows hides your IP address and allows you to browse anonymously from any location.

How VPNs work

To use a VPN you subscribe to VPN service, download the app onto your desktop or phone, set up your account, and then log onto a VPN server to conduct your online activity privately.

If you are still logging on to public Wi-Fi, here are a few tips to keep you safe until VPNs become as popular as Wi-Fi.

Stay Safe on Public Wi-Fi 

Verify your connection. Fake networks that mine your data abound. If you are logging on to Wi-Fi in a coffee shop, hotel, airport, or library, verify the exact name of the network with an employee. Also, only use Wi-Fi that requires a password to log on.public wi-fi risks

Don’t get distracted. For adults, as well as kids, it’s easy to get distracted and absorbed with our screens — this is risky when on public Wi-Fi, according to Diana Graber, author of Raising Humans in a Digital World. “Knowing how to guard their personal information online is one of the most important skills parents need to equip their young kids with today,” says Graber. “Lots of young people visit public spaces, like a local coffee shop or library, and use public Wi-Fi to do homework, for example. It’s not uncommon for them to get distracted by something else online or even tempted to buy something, without realizing their personal information (or yours!) might be at risk.”

Disable auto Wi-Fi connect. If your phone automatically joins surrounding networks, you can disable this function in your settings. Avoid linking to unknown or unrecognized networks.

Turn off Wi-Fi when done. Your computer or phone can still transmit data even when you are not using it. Be sure to disable your Wi-Fi from the network when you are finished using it.

Avoid financial transactions. If you must use public Wi-Fi, don’t conduct a sensitive transaction such as banking, shopping, or any kind of activity that requires your social security or credit card numbers or password use. Wait until you get to a secured home network to conduct personal business.

Look for the HTTPS. Fake or unsecured websites will not have the HTTPS in their address. Also, look for the little lock icon in the address bar to confirm a secure connection.

Secure your devices. Use a personal VPN as an extra layer of security against hackers and malware.

The post The Risks of Public Wi-Fi and How to Close the Security Gap appeared first on McAfee Blogs.

Are You Really Covered by Your Cyber Insurance?

The whole point of IT security is to minimize risk, and risk is, ultimately, a financial reality. A well-run organization practices risk mitigation by not only using the best tools, services and methods for maximizing data security, but also increasingly by augmenting great security with the right cyber insurance.

As we know, the cyberthreat landscape is in a constant state of change. It’s a contest between evolving threats on the one side, and the security knowledge, options, resources, products and services on the other. The insurance landscape is also in a constant state of change. Yet too many organizations treat this kind of insurance as either unnecessary, or as a necessary, but generic, turn-key, set-it-and-forget-it checkbox item. In fact, it’s an important, complicated and necessary financial service that needs to be frequently reviewed, reconsidered and updated.

With new and evolving threats to your organization’s financial well-being, it’s time to rethink what you know about cyber insurance.

Why Most Companies Aren’t Covered

Cyber insurance is a relatively new phenomenon for most companies. Only 38 percent of organizations are covered by data insurance, according to Spiceworks, a social exchange for IT services. Of those covered, around 45 percent have had coverage for less than two years and only 24 percent have been covered for more than five years. Furthermore, only 11 percent of those without insurance plan to buy a policy within the next two years.

That means knowledge about and experience with insurance is understandably incomplete at most organizations. As a result, corporate leadership is often unsure about its value or about the specifics of coverage.

Unfamiliarity with the finer points of insurance is also evident in the Spiceworks survey. Of the organizations not covered, the top reasons for not yet purchasing cyber insurance are that it just isn’t a priority at the organization (41 percent), a lack of budget (40 percent), a lack of knowledge about insurance (36 percent), and it’s simply not required by regulations at the organization (34 percent).

This lack of understanding is very troublesome given the average total cost of a data breach ranges from $2.2 million to $6.9 million, according to the “2018 Cost of a Data Breach Study” from the Ponemon Insitute and IBM Security. For bigger breaches at larger companies, the cost can soar into the hundreds of millions of dollars.

A wide gap exists between the actual need for insurance and the perceived need. It’s time to change that.

Insurance Against Hacks? You Don’t Know the Half of It

Most people in the industry would say that the point of cyber insurance is to protect against the financial hit from an attack, right? This may be true, but not always.

Verizon’s “2018 Data Breach Investigations Report” investigated more than 53,000 incidents and more than 2,000 confirmed breaches. They found that around 73 percent of data breaches took place because of external attackers, while 28 percent involved employees and other insiders.

Unfortunately, insurance coverage sometimes focuses on external hacks to the exclusion of “inside jobs,” accidents, service provider errors and other non-hacking causes.

Going back to the Spiceworks report, policies can vary greatly: Liability is covered by 78 percent of cyber insurance policies, electronic data by 75 percent and legal or investigative fees by 69 percent. But only around 52 percent of those policies cover loss of income or cyber extortion losses, and only 35 percent cover damage to reputation.

In addition, according to U.K. insurance governance company Mactavish, many insurance policies contain eight major flaws:

  1. They cover attacks or hacks, but may not cover accidents and errors;
  2. They cover only costs required by law, but may not cover the total incident costs;
  3. Coverage is limited to the time of the network interruption, but may not cover business disruption;
  4. They may limit or exclude systems delivered by outsourced service providers;
  5. They may exclude software or systems in development or beta;
  6. They may not cover incidents caused by contractors;
  7. Notification requirements may be too complicated; and
  8. They may only cover insurer-appointed advisers and specialists.

When considering your options for cyber insurance, keep an eye out for these common exceptions to ensure you’re picking the plan that best fits your business needs.

How Compliance Complicates Coverage

In addition to focusing on data breaches, organizations must pay attention to a complex and evolving regulatory environment. Enterprises now face a new world of regulatory compliance around privacy, from the General Data Protection Regulation (GDPR) to the California Consumer Protection Act (CCPA), which will go into effect on Jan. 1, 2020.

It’s tempting to respond to this by saying, “We’ll just comply, of course, and all will be well.” But it’s not that simple. Fines for noncompliance could be enormous, and companies can be fined for not only violations or potential violations of user privacy, but also for how personal data is collected, stored, processed and even how the collection is communicated to the public.

All this is new, and it’s likely that in the coming years, many organizations will be slapped with hefty fines for misunderstanding the laws’ fine print, how they express and organize their privacy policies, how user data is processed, and other peripheral or secondary matters.

Bringing it back to cyber insurance, many policies will not cover fines or other costs if the violation is around the processing of data or communication of policy. Some U.S. states even ban insurance coverage for regulatory fines of any kind, and insurance companies strike that coverage in those states. Compliance is becoming an increasingly relevant aspect of insurance, but many insurance policies just don’t fully cover it.

It’s Often a Matter of Interpretation

One problem with an unsophisticated approach to insurance is that organizations can accept policies that don’t cover them. Another problem is having a different interpretation of those policies than the provider, which can be a costly misunderstanding.

One interesting example is what I call the “act of war” clause: Many policies will cover a breach, unless that breach is the result of an “act of war” by a nation state.

That sounds reasonable. The trouble is, some of the most sophisticated and damaging exploits are developed by these threat actors. Some are created by one government, modified by another, then deployed by who-knows. This could provide a loophole for insurance providers that don’t want to pay up. They can argue that a hack enabled by malware developed by a foreign government means the attack was an “act of war,” and therefore not covered under the policy.

How to Find Cyber Insurance Coverage That Fits

The important takeaway here is to not make assumptions about coverage. Read the fine print. Pay special attention to liabilities around compliance, including fines.

Ideally, the right insurance offers cyber risk mitigation that offsets some or all of the costs when recovering from a breach or other security event. The right policy will compensate for not only lost business during business or network interruption, but also lawsuits and even extortion costs.

It’s also important to understand that insurance won’t cover you if you’re not protecting yourself with great security software, systems and policies. If your company is negligent with security, the insurance companies won’t pay.

First, make sure you’ve got strong cybersecurity systems, tools and procedures in place. Then, shop around for the cyber insurance plan that works best for you — and read the fine print. Negotiate for a policy that truly and fully covers all possible financial loss for everything having to do with data — from attacks to accidents to compliance. Lastly, review your coverage regularly as cyber risks evolve.

The post Are You Really Covered by Your Cyber Insurance? appeared first on Security Intelligence.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams, using clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email, asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Catastrophe, Not Compromise: VFEmail Attack Destroys Decades of Data

The email provider VFEmail suffered a “catastrophic” hack that destroyed the company’s primary and backup data servers in the U.S.

As reported by Krebs on Security, the attack began on the morning of Feb. 11, when the company’s official Twitter account warned that all external-facing systems across multiple data centers were down. Hours later, VFEmail tweeted that it “caught the perp in the middle of formatting the backup server.” Just after 1 p.m., the company reported that all disks on every server had been formatted with every VM, file server and backup server lost.

Only a small, Netherlands-based backup server was left untouched. VFEmail founder Rick Romero (@Havokmon) tweeted on Feb. 12 that the company is “effectively gone” and will likely not return.

VFEmail’s Exceptional Circumstances

Most email attacks aren’t looking to destroy data. As reported by Healthcare IT News, healthcare email fraud attacks are up by nearly 500 percent over the last two years, while IT Pro Portal noted that threat actors are now leveraging compromised accounts to gain email access and steal confidential data. Even ransomware attacks — which include the threat of data destruction — are typically used as leverage to generate corporate payouts.

The VFEmail hack, meanwhile, had no clear aim: No ransom message was reported, and there’s no evidence that data was exfiltrated before being destroyed. Romero managed to track the attacker to an IP address hosted in Bulgaria — likely just a virtual machine (VM) that was used as a launch pad for the attack.

He also noted that to compromise VFEmail’s mail hosts, VM hosts and SQL server clusters, the attacker would have needed multiple passwords, as reported by Ars Technica. While some of the mail service is back up and running, there’s only a slim chance that U.S. email data will be recovered.

Back Up Your Mission-Critical Email Data

Email clients come with inherent risks and no guarantees. While layered email security can help reduce the risk of malware infections and ransomware attacks, it can’t prevent host-side attacks like the one VFEmail experienced.

Security teams should follow best practices for defending against threats that destroy data, such as ransomware attacks. According to experts, data backups are key to reducing the risk of complete data loss — while this typically applies to local files, enterprises using hosted email providers to send and receive mission-critical data should consider creating an on- or off-site email backup to combat the threat of catastrophic data destruction.

The post Catastrophe, Not Compromise: VFEmail Attack Destroys Decades of Data appeared first on Security Intelligence.

Why You Need a Security-First Culture to Deliver on Your Customer-First Goals

I’ve been working in the security industry for mumble mumble years, and one recurring problem I’ve noticed is that security is often considered an add-on to business initiatives. This is neither new, nor surprising. And while the “customer-first” approach is not really a new talking point for most companies, “customer-obsessed” became a major business initiative for many in 2018. This is due to a number of factors — increased brand visibility via social media, changing buyer behaviors and evolving data privacy legislation, to name a few — and doesn’t show any signs of changing in 2019.

What Does It Mean to Be Customer-First?

Contrary to what many businesses seem to believe, customer obsession doesn’t mean sending six emails in two weeks to make sure your customer is happy with his or her purchase and requesting a good review or rating. Being customer-first simply means listening to your customers’ needs. It requires you to quickly adjust and react to meet those needs — or, ideally, anticipate them and proactively offer solutions to your customers’ issues.

Most of all, customer obsession requires trust. To build trust among your end users, security must be the foundation of every customer-first initiative. In fact, I’d argue that organizations must be security-obsessed to effectively deliver on their customer-first plans.

Prioritize Security to Build Customer Trust

The benefits of a customer-first business approach are clear: increased loyalty to your brand, revenue gains, etc. It is also apparent why security is so important: No organization wants to suffer the consequences of a data breach. However, by looking deeper into what a security-first to customer-first culture looks like, you’ll quickly uncover the complexity of this issue.

First, there is a distinct difference between checking the boxes of your security requirements (i.e., compliance) and truly making your customers’ welfare a top priority. Of course, adherence to security and privacy regulations is essential. Without these standardized compliance policies, companies could measure success in a variety of ways, which would look different to everyone. And if we’re being honest, meeting compliance regulations is often more about avoiding penalties than improving your business.

Second, your brand is more than just your product or service; it encompasses the way your company looks, feels, talks and spends money and is representative of its culture and beliefs. In other words, your brand is about the way people feel when they interact with your company. According to Forrester Research, today’s buyers are increasingly looking at these other characteristics when they make decisions about the products or services they use.

This is where security becomes essential. If you want to instill trust among your end users, you need to go beyond standard compliance measures. Security must become a foundation of your company culture and your customer-first initiatives. It must be threaded into every business initiative, corporate policy, department and individual. This means technology purchases should be made with your end users’ security in mind, as well as your employee data and corporate assets.

It also means evaluating your business partners and the policies they have in place to ensure they fall within your standards. For example, are you considering moving critical business technology to the cloud as part of your digital transformation initiatives? If so, what do you know about your cloud provider’s security precautions? Are you working with advertisers or marketing organizations that interact with your end users? If so, do you know how they handle your customers’ and prospects’ personal data?

How to Develop a Strong Security Culture

Operating a business that is customer-first is ambitious. It’s also really, really hard. By making security a cultural tenet throughout your organization, you communicate to your customers that your brand is trustworthy, your business has integrity and that they matter to you. So how do you do it?

Collaborate

Design collaboration into your security strategy with open solutions. The threat-solution cycle is a familiar one: A new security event occurs, the news covers it, a new company emerges to solve the problem, your company deploys the solution and then a new security event occurs. The entire industry is stuck in a vicious cycle that we, as vendors, have created. To break this cycle we need to take a page from our adversaries. Share intelligence with our peers and our competitors. Learn from other industries. Use open technology that integrates multiple sources of data. Only then are we equipped to uncover risks to our customers that hide among the chaos.

Build Security Muscle Memory

Many organizations are spending a lot of money on security awareness training, which is great. However, the best training is useless if employees are bypassing security measures for convenience. Make security processes required, enforceable and, above all, easily incorporated into the daily life of your users.

Shift Your Perspective

Security strategy is often an afterthought to business initiatives that cut costs, increase revenue and improve efficiency. Security is, after all, a cost. But a good security culture can set your company apart. It can be the champion or the killer for your brand, particularly in an era where customers’ buying motivations have shifted.

Right now, brand loyalty is an asset. A recent Harris Poll survey found that 75 percent of respondents will not buy from a company, no matter how great the products are, if they don’t trust it to protect their data. Stability, integrity and corporate responsibility are key factors in purchasing decisions. Making security a strategic pillar of your company’s brand is a tremendous responsibility, but one that will go a long way toward establishing trust among your users.

The Best Way to Grow Your Business

A customer-first approach is, arguably, the business initiative that can impact your bottom line the most. Understanding and proactively addressing your customers’ security and privacy concerns shows that you’re not just trying to sell a product or service, but that you are responsible with their data and operate with integrity. In an era where brand integrity matters, security-first is the best way to grow your business.

The post Why You Need a Security-First Culture to Deliver on Your Customer-First Goals appeared first on Security Intelligence.

Organizations Continue to Fail at IoT Security, and the Consequences Are Growing

The internet of things (IoT) is taking over the world — or, at least, it seems that way. According to Gartner, we can expect more than 20 billion connected IoT devices by 2020, up from just shy of 9 billion devices in 2017.

Yet as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, they are failing to ensure that the networks and data generated by IoT devices remain protected.

You Can’t Protect What You Can’t See

One reason why the IoT became one of the biggest attack vectors of 2018 was its invisibility on enterprise networks. According to a report from Gemalto, 48 percent of businesses admitted they are unable to detect the devices on their network. However, consumers expect businesses to have a handle on IoT security. It’s become a sort of paradox for businesses: They have to protect what they cannot see on their networks.

At the same time, IoT vendors are failing on their end by not developing devices and software with security built in — nor do they have to because there aren’t security standards for the IoT.

“Consider the operating systems for such appliances,” wrote Nick Ismail for Information Age. “How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?”

That’s why cybercriminals are specifically targeting IoT devices. Their security is weak on the device/software side as well as on the network side because organizations struggle to account for all of their connected devices.

In 2018, favorite targets for threat actors included routers and firewalls. The United States Computer Emergency Readiness Team (US-CERT) put out a warning last spring that attackers were going after network devices, saying that if they can own the router, they’ll also take charge of the traffic. The alert added that a “malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.” Legacy systems or systems that are never updated are low-hanging fruit for the picking.

Attacks Against Connected IoT Devices

Cybercriminals know that IoT connections and devices are easy targets, which is why experts warn that we will see an uptick in the number of specifically targeted attacks in the coming years. For example, a rise in malware that targets the medical industry, and not just medical devices themselves, but all of the IoT devices found in hospitals, such as heating, ventilation and air conditioning (HVAC) systems or wireless printers.

Threat actors are also utilizing ransomware for their IoT-based attacks. Ransomware attacks against the IoT aren’t the same as the attacks against your internal network. With an attack on a computer or server, ransomware is able to lock down your data directly. With the IoT, the data itself is in the cloud and the device can easily be rebooted, which means you won’t need to pay the ransom — that’s a lose-lose for the attacker.

Instead, ransomware attacks against the IoT are timed to hit at a critical moment, acting like a distributed denial-of-service (DDoS) attack. The ransomware will take down the device when it can’t be reset, or it takes over the system itself. For example, a ransomware attack could take over a building’s HVAC system late at night on a holiday weekend, turning the air conditioning on high until the ransom is paid.

We’ve also seen how malware can turn IoT devices into botnets and affect the functionality of other networks and devices. These botnets are expected to evolve unless IoT security improves.

IoT Security Solutions for Vendors and Organizations

IoT security is expected to gain a higher profile in 2019. Security experts predict more attacks against IoT infrastructure, more malware targeted directly at these devices and just more endpoints to defend. This means that 2019 should be the year that everyone, from vendors to organizational security teams, invest in their security approach and solutions.

On the software side, security is primarily in vendors’ hands. With greater emphasis and awareness of DevSecOps, we should expect to see a bigger push to bake security directly into devices. New privacy laws across the U.S. will also force manufacturers to give users greater control; for example, California passed a law to ban default passwords on new devices by 2020 and ensure each device has security measures built in.

On the organizational side, security teams can introduce advanced tools such as nano agents and fog computing, which allow for microsegmentation of individual devices. Fog computing is a layer between the device and the cloud, allowing for real-time monitoring of the devices, especially highly critical ones where a cyber incident could be the difference between life and death. While perhaps further off in the future, nano agents can be embedded directly into individual devices to monitor cyber risk.

The internet of things is taking over the world — and so will cybercriminals if we don’t address the security problems surrounding these devices.

The post Organizations Continue to Fail at IoT Security, and the Consequences Are Growing appeared first on Security Intelligence.

GDPR: Not Heavy Handed Yet, But Driving Data Breaches Into The Open

With the European Union’s landmark General Data Protection Regulation (GDPR) now in place a bit more than eight months, it seems that at least one of its messages has had

The post GDPR: Not Heavy Handed Yet, But Driving Data Breaches Into The Open appeared first on The Cyber Security Place.

Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event

In June 2017, the cybersecurity world changed. As soon as NotPetya began infecting systems in Ukraine and spreading across Europe and beyond, it became clear that the intent of this worm wasn’t espionage, distributing malware or holding data for ransom. Rather, it was designed to destroy data, shut down systems and create havoc.

One of the most severely impacted organizations was global shipping giant Maersk, which transports 20 percent of the world’s trade goods. When Maersk’s systems went down, it sent shockwaves around the world and caused security observers to shudder. NotPetya was apparently a cyberweapon launched against Ukraine, but a far greater number of countries and organizations became collateral damage.

It was a wake-up call for Maersk, according to Andy Powell, who joined the company as its new chief information security officer (CISO) in June 2018, a year after the NotPetya attack.

“What Maersk was very strong at was our ability to recover,” Powell said in a fireside chat with IBM Security General Manager Mary O’Brien on Tuesday, the opening night of the 2019 IBM Think conference. “Balancing business resilience with preventative measures means that any company can address some of these high-end attacks, but you’ve got to accept that some of them are going to get through. And therefore, you need to be able to recover your business.”

While cybersecurity inevitably changed in the wake of NotPetya, it’s continuing a rapid transformation as businesses digitize and create ever more data. O’Brien and Powell discussed these profound shifts during their chat, along with Kevin Baker, CISO of Westfield Insurance, who underscored the impacts of digital transformation on data security, risk and compliance.

Watch the video from Think 2019

Lessons in Resiliency and Agile Security

In the age of cloud and connected everything, the volume of data being produced has exploded, along with opportunities for greater insights, innovation and new business models. This digital transformation has broad implications for security.

“Our clients want to know where their containers are, they want to know what part of the process is involved, they want to know information around what they’re moving,” Powell said. “We can provide that as part of the transformation.”

To secure digital innovation for clients, alongside its legacy systems, Maersk’s security team has taken an agile approach. Security is frequently seen as a roadblock to innovation, Powell said. Bringing together project teams and the security organization helps speed innovations to market by building security into the process from the beginning.

“The reality is the security people need to be working with them in those teams to actually integrate security from day one, and that’s starting to really pay off, because we’re no longer seen as the outsiders,” Powell said. “We’re seen as somebody who is prepared to adopt the culture and work with them. That teamed approach is very important.”

Focus on Data Security, Risk and Compliance

Ohio-based Westfield Insurance, with $4.9 billion in assets, has been in business since 1848. That means “a lot of data,” Baker said during the Think fireside chat.

“Because of digitization, it’s a veritable explosion of data. Our job is to know what data we have, where it is, how many copies of it we have, where it’s moving, who can access it and what the criticality of that data is so we can focus on data that has a regulatory import,” Baker said.

Baker’s team focuses on governance and risk, monitoring existing regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. And they look to the horizon for emerging compliance risks, such as California’s data privacy law, which will take effect in January 2020.

The California Consumer Privacy Act (CCPA) follows in the footsteps of the European Union (EU)’s General Data Protection Regulation (GDPR) with strict data privacy mandates, including a “right to be forgotten,” whereby companies will be required to destroy certain types of customer data.

“‘Forget me’ is a new capability that we have to solve for,” Baker said. “So we’re looking for ways that we can tag the data, move the security control down at the data element, and use the same tagging and process in multiple ways. It’s more than data classification, but it starts there.”

How Can Digital Transformation Help Reduce Complexity?

Digital transformation in business — through the adoption of technologies such as the cloud, artificial intelligence, and mobile and smart devices — has had major implications for the security industry as well. Although security products have made strides in protecting businesses beyond the traditional firewall, complexity is a hidden cost of innovation.

“We believe the No. 1 challenge is the complexity that we — the vendors and our clients — have jointly created,” O’Brien said during her chat at the IBM Think conference, her first as IBM Security general manager. “We got here because we let the latest threat of the day or requirement drive our technology and our strategy. So every time there was a new attack, a new merger, a new regulation, we created a new tool.”

The second problem of security innovation, O’Brien added, is that these products are created, purchased and deployed in silos. They are not integrated and don’t naturally talk to each other. According to O’Brien, it’s time to eliminate this complexity to enable business innovation and transformation.

This past October, IBM Security launched IBM Security Connect, a simple, open and connected cloud platform that can automatically access security data no matter where it resides. This enables security teams to take advantage of existing investments, from IBM or other vendors, without compromising effectiveness.

“You have insights today, but not total insights,” O’Brien said. “But because Connect can tap into your existing data wherever it is, you will see the full picture of your security situation without having to migrate your data or manually integrate it.”

For his part, Baker said limiting the number of tools but integrating them across multiple vendor systems is key to making strides toward his team’s data security goals.

“We elected to use not more security tools, but fewer security tools. We chose tools that were on their own pretty powerful, things like IBM’s QRadar and Guardium. Then we integrated that with other vendors,” Baker explained. “We use these tools to create our own link and do our own analysis. Not just the net-new data, but even the legacy data, and then to analyze that data as a single unit, to track the most critical data. We know that we can’t track it all. We need to zero in on what’s important.”

The post Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event appeared first on Security Intelligence.

What Have We Learned About Data Protection After Another Year of Breaches?

There was no shortage of talking points on data protection in 2018, from concerns over data risk and compliance requirements to the challenges of operational complexities. When we surveyed some of the most prominent trends and themes from the last year, three topics stood out among the many facets of these core cybersecurity challenges: regulatory compliance, data breach protection and risk management.

As we settle into 2019, let’s take a closer look at what we learned in the past year and explore how organizations around the world can improve their data security posture in the long term.

Navigating Your GDPR Compliance Journey

When the General Data Protection Regulation (GDPR) took effect last May, companies were seeking guidance and best practices to address their compliance challenges. Although this sense of urgency is beginning to diminish, the demand for data privacy controls will only increase as organizations across industries and geographies adjust to the post-GDPR world.

In January 2020, the California Consumer Privacy Act (CCPA) will go into effect, and Brazil’s data protection law, Lei Geral de Proteção de Dados Pessoais (LGPDP), will kick in the following month. Many of the processes and requirements — not to mention the benefits — associated with GDPR compliance will be highly relevant to organizations’ preparations for these new regulations. In the year ahead, security teams should continue to focus on:

  • GDPR readiness: Complying with GDPR can require changes across nearly every aspect of your business, from customer communications to social media interactions and data protection processes for handling and storing personal and financial information. Analyze your GDPR readiness and kick-start compliance with this five-phase GDPR action plan.
  • How to report a breach: The GDPR requires companies to report a breach within 72 hours of their becoming aware of it, where feasible — an unprecedented timeline. Be sure to understand the requirements for reporting a breach, from the root cause to the assessment of the scope and the mitigation action plan.
  • GDPR and business success: Beyond the challenges and demands of compliance, the GDPR can be good for your business. When managed appropriately, compliance can help drive the organization to a more robust and future-proof security posture.

Data Protection Is a Hot Topic as Breaches Soar

Given that 27 percent of organizations will experience a recurring material breach in the next two years — coupled with the rapid proliferation of attack vectors such as the internet of things (IoT) — it’s no surprise that data security was top of mind for security professionals in 2018. Below are some of the salient themes:

  • Avoiding breaches: Data breaches are on the rise, due in part to an increase in the number of attack vectors created by complex IT environments. Yet many of these breaches are preventable. While every organization’s challenges are different, some of the most common data security mistakes can put enterprise and customer data at serious risk.
  • Responsibility: Who is responsible for data risk management? Blamestorming — the unpleasant, often futile process of pointing fingers — often follows a breach. By determining who is ultimately accountable before a breach, the C-suite can help prevent a breach in the first place and avoid the blamestorming.
  • Maintaining control over data: With the increasing number of ransomware variants, it’s critical to augment ongoing user education with technical controls and processes for optimal protection. Yet these measures can only do so much; technologies and processes that deliver preventive protection and instant remediation can help you maintain control of your data in the face of an attack.

Gain the Upper Hand Through Risk Management

Hand in hand with concerns about breaches, organizations are proactively seeking ways to understand, reduce and mitigate the risks that lead to these breaches. The third most popular topic covered a variety of risk mitigation and management themes that can help organizations on their journey toward smarter data protection, including:

  • Formalizing processes: Proactively finding and protecting the crown jewels is the only pre-emptive advantage organizations have in the battle of the breach. Creating and deploying formal risk management processes can help organizations evaluate information assets and the vulnerabilities that threaten to compromise them.
  • Structured versus unstructured data: Both structured and unstructured data are core business assets. That’s why it’s important to understand the differences between them and key considerations for assessing the risk levels for both structured and unstructured data when building a data protection strategy.

As you grapple with today’s data privacy, protection and risk management challenges — and prepare for tomorrow’s — these lessons, best practices and expert opinions from 2018 can help guide your security strategy and improve your data protection posture in 2019 and beyond.

Learn more about data protection

The post What Have We Learned About Data Protection After Another Year of Breaches? appeared first on Security Intelligence.

Intel SGX Can Be Abused to Hide Advanced Malware: Researchers

A team of researchers has demonstrated that Intel’s SGX technology can be abused to hide an advanced and stealthy piece of malware that could allow attackers to steal data and conduct activities on the victim’s behalf. Intel says its technology works as intended and it’s not designed to block these types of attacks.

read more

TrustArc Named Winner In The 15th Annual Info Security PG’s 2019 Global Excellence Awards®.

TrustArc, the leading data privacy management company, today announced that Info Security Products Guide, the industry’s leading information security research and advisory guide, has named the TrustArc Privacy Platform a winner in the 15th Annual 2019 Info Security PG’s Global Excellence Awards® in the Best Compliance category. These prestigious global awards recognisze cybersecurity and information technology vendors with advanced, ground-breaking products, solutions, and services that are helping set the bar higher for others in all areas of security and technologies.

TrustArc has been a leader in privacy compliance and data protection for over two decades, offering an unmatched combination of innovative technology, expert consulting and TRUSTe certification solutions, that together address all phases of privacy program management. The TrustArc Platform provides end-to-end privacy management through a series of modules that address critical privacy functions such as data inventory and mapping, privacy risk assessments, consent management, and individual rights and data subject access requests (DSAR). The TrustArc Platform supports key privacy management compliance initiatives, including GDPR, COPPA, EU-US Privacy Shield, Swiss-US Privacy Shield, APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP).

“We are proud to be recognised as an industry leader and privacy compliance technology winner by Info Security Products Guide,” said Chris Babel, CEO of TrustArc. “Behind this success is our relentless drive and focus on providing our customers with unmatched privacy solutions. We believe this recognition from Info Security Products Guide further validates our commitment to our customers and their privacy needs.”

About Info Security PG’s Global Excellence Awards
Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping end-users informed of the choices they can make when it comes to protecting their digital resources and assets. It is written expressly for those who are adamant on staying informed of security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security and industry predictions & directions that facilitate in making the most pertinent security decisions. Visit www.infosecurityproductsguide.com for the complete list of winners.

About TrustArc
TrustArc, the leader in privacy compliance and data protection for over two decades, offers an unmatched combination of innovative technology, expert consulting and TRUSTe certification solutions, that together address all phases of privacy program management. The TrustArc Platform, fortified over eight years of operating experience, across a wide range of industries and client use cases, along with our extensive services, leverage deep privacy expertise and proven methodologies, which have been continuously enhanced through thousands of customer engagements. Headquartered in San Francisco, and backed by a global team across the Americas, Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk and build trust. For more information, visit the TrustArc website, blog and LinkedIn.

The post TrustArc Named Winner In The 15th Annual Info Security PG’s 2019 Global Excellence Awards®. appeared first on IT Security Guru.

Developing a Security Plan Around Consumer Data Privacy Concerns

When developing a security plan, most organizations turn their focus internally to protect business interests. That used to work because most people didn’t give cybersecurity a second thought — that is, until their personally identifiable information (PII) was affected. But that isn’t the case anymore.

With the increase in very large, high-profile data breaches and regulations such as the General Data Protection Regulation (GDPR), consumers now care about security and data privacy, and they want to make sure the companies they do business with are taking action to protect customers’ PII. According to a study from The Harris Poll and Dtex, Americans are demanding organizations do a better job at cybersecurity and protecting personal data. The challenge for organizations is to enact security policies and systems that meet enterprise objectives while also addressing consumer privacy concerns.

Digital Monitoring Is the Primary Concern

The security and data privacy issue that concerns Americans most is digital monitoring. The majority of consumers don’t mind that their PII is being digitally monitored — they understand this helps organizations streamline business operations — but they want transparency. In other words, they want to know what information is being used and why.

It isn’t just consumers that demand this transparency. More than three-quarters (77 percent) of those surveyed in the Harris Poll/Dtex report said they want their employers to be transparent about how employee information is monitored. Transparency is such an important issue that the vast majority of Americans (71 percent) would turn down an employment opportunity if the prospective employer was not upfront about digital monitoring.

Consumers and employees understand that monitoring of digital identities is often done in the name of improved cybersecurity — that this will protect them in the long run — and the security angle plays a role in their perception. But it stops with the workplace; consumers don’t want a Big Brother monitoring their personal devices, even when they are used in a business setting. They also worry about the amount of digital monitoring that occurs in social media, banking, government and even retail. Again, they don’t like being watched, but recognize that this will help organizations provide better security.

Still, most people don’t believe they can do anything about it. According to an ExpressVPN study, 89 percent of Americans think they should have some control over how companies, especially the big tech companies, share the PII they gather, but barely half (52 percent) believe that will happen in 2019. Even with the spotlight shining brightly on security and privacy, Americans simply don’t trust organizations to keep their personal data safe. Cybersecurity of personal data is taken out of their hands once they share the information. According to Harold Li, vice president of ExpressVPN, it shouldn’t be that way.

“Privacy is a fundamental right, and internet users should be in control of their personal data and how it should be used,” he asserted.

Develop a Security Plan That Works for Everyone

We know what consumers want when it comes to the protection of their digital identity. Now it is up to every organization to find a way to develop a security plan and put together a cybersecurity system that addresses consumer concerns while providing optimal business operations.

This begins with understanding why and how consumers’ PII is used for business, which requires internal security leadership to meet with other business units to understand how each uses and stores consumer and employee data. Marketing will use this information differently than human resources and accounting, for example, and providing the right security and data privacy solution can’t be a one-size-fits-all approach if data protection and transparency is the goal.

The growing number of privacy laws will also impact any security policy, and leadership has to go beyond the regulations already in effect. Security and privacy systems have to address more than just the GDPR and the California Consumer Privacy Act (CCPA), or newer laws in Colorado and Illinois. Instead, leadership must anticipate what is coming, possibly from a federal level, and recognize that how they handle privacy concerns today isn’t going to meet next year’s demands.

Security policy that deals with data privacy also needs to address the concerns of consumers. As Americans become more savvy about cybersecurity, they will expect organizations to put greater emphasis on protecting PII and to offer more transparency around digital identity monitoring. If your organization isn’t willing to meet consumer expectations, they will take their business to a company that will.

Finally, no organization can improve its security and privacy policies without improving internal behavior. More emphasis needs to be placed on data privacy training and transparency. Just as employees should receive education on how to identify a phishing email or avoid downloading malware, they should also be well-versed on what constitutes a violation of data privacy.

Consumers are more aware than ever about cybersecurity and its risks. They understand that they willingly turn over a lot of personal information, and now they want organizations to step up efforts to protect that data’s privacy. The onus to meet the challenge of consumers’ security and privacy expectations is on the enterprise. Developing a security plan around consumer concerns is a good first step.

The post Developing a Security Plan Around Consumer Data Privacy Concerns appeared first on Security Intelligence.

How to Keep Your Kids Safe on the Internet (10 Actionable Tips)

These 10 actionable tips will improve Internet safety for your kids and we recommend you follow them right now.

Safer Internet Day 2019 is an international event happening on the 5th of February and is aimed at raising awareness on online safety by promoting safer and positive use of technology for children.

This year’s main theme was “Together for a better Internet” calling everyone to take action and join the movement for creating a better Internet for kids and young people.

For the past years, technology has evolved beyond our control and has improved many aspects of our lives and kids knowledge base, but what about its risks?

According to one report from US-based PCMag, 76% of parents are worried about their kids’ online safety and have major concerns over the danger they are exposed to.

Kids nowadays grow with technology and parents’ core challenges are to find the best ways to limit and control their access on the Internet.

With so many information flooding on the Internet today, there’s an increasing danger for children to become an easy target for malicious actors trying to take advantage of their lack of knowledge.

From falling for online scams, sharing too much personal data to cyberbullying or meeting online sexual predator, these are some of the biggest risks that children face online.

Online protection for children is difficult to be detailed in just one article, as we can approach different aspects of it, but our main focus is to highlight the most actionable tips parents can apply to protect kids when navigating online.

Apply these 10 actionable tips to improve Internet safety for your children

1. Educate your kids about cybersecurity and online threats

You want your kids to spend time on the Internet and take advantage of the learning opportunities, but you also want them to be safe. To do that, you need to explain in simple and kid language about online threats and how to identify them.

When it comes to cybersecurity, education plays a vital role during the learning process,  and parents need to talk to their children about safe browsing on the Internet, malicious sites they can access, explain about different forms of cyberbullying, and other necessary topics that help them have a bigger picture of what’s going on.

The more you speak openly about online threats with your kids about their activity on the Internet, the easier is for them to understand what they see or hear online.

The following questions could prove useful for you and your kids and family. You’ll also find helpful information on key topics that will help you enhance your online safety:

These are just a few key topics you and your family should address and focus on to improve online safety.

2. Set usage limits and time spend on the Internet for your kids

The Internet might be a fascinating world for kids, but most parents become really concerned about the time spent there. If you notice your kid is developing an addiction to staying up all night to be on the Internet, it could be a sign to set usage limits and time spend on the Internet. Make sure you clearly tell them about the time they can spend on their computer or laptop.

Parents should also clarify what their kids can and can’t do when they navigate online.

3. Be patient and listen to your kids. Let them teach you

Staying online can be a daunting task and we cannot always predict where a discussion or comment will go or what type of people we find on social media networks.

You may check your kids’ computers, their smartphones or any other Internet-connected devices on a daily basis, but it really helps listen to them.

But how much do we actually know about our children?

In just a few words…not very much, because there will always be methods to evade our attention.

So, we strongly advise you to be patient and listen to your kids. Let them teach you about the social media platforms they use or the latest video that went viral on Youtube.

This is by far the easiest way to get information about their online habits, instead of losing time on spying their computers and trying to understand their browsing history.

So, just listen to them. Pretend that you don’t know too much about this Internet thing and let them start talking. There’s nothing more exciting for children than pretending to be teachers. Not to mention the trust they gain in themselves and finally, in you, as a parent.

4. Use parental control software to monitor your child’s online activities

Given the increasing number of devices kids use to connect on the Internet, it’s difficult for parents to supervise every time they’re online. Parental control apps can help. They are a great way to track your children online behavior and control what they are doing on their smartphones or other devices.

These software solutions act as an online guardian and help parents better monitor kids’ Internet usage, keep track of visited sites, control the Internet connection time, or block malicious websites and report any unusual online activity.

If you want to monitor your kids’ activity and are looking for free parental control software tools, this list comes in handy.

5. Install an antivirus solution on your kids’ devices

We all know that kids are naturally curious and attracted to new things, and they can easily access malicious links from untrusted websites or download video games from unknown web locations.

Thus, you need to consider installing a good antivirus solution from a reliable company that packs a real-time scanning engine, firewall and automatic update.

To help you decide what is the best solution for you and your family, whether you need free or paid antivirus, this in-depth security guide might help.

6. Keep your child’s software up-to-date

Here’s another Internet safety tip every parent should follow. Make sure you check if the Windows operating system used on your child device has all the latest and available security patches installed, such as browsers, plugins, desktop apps, etc. These updates include both security and feature patches and are meant to fix or improve the software you use.

If you aren’t aware of the importance of software patching, please read what security experts have to say about this topic.

Throughout our security alerts, we’ve learned that cybercriminals usually gain access to networks and systems by exploiting security flaws found in popular software tools like Adobe Flash, Java or browsers like Internet Explorer, Mozilla Firefox and Google Chrome.

That’s why you need to verify the device your children are using and make sure all necessary security patches are installed.

For monitoring your kid’s computer apps and securely deploying updates as soon as they’re available, you can use our Thor Free security solution which does an excellent job.

7. Don’t let kids navigate online without installing an anti-malware solution

If you hear your child complaining about slow-down issues, pop-ups all over the screen, new toolbars, a different default engine or random error messages, these could be warning signs of a malware infection.

An antivirus solution is no longer enough to protect you and your family against next-gen malware. To keep your kids safe on the Internet, we recommend using an anti-malware solution as an extra layer of protection to secure your digital assets.

8. Secure your Home Wireless network from prying eyes

The home Wi-Fi network is usually accessed only by members of the same house, but that doesn’t mean that malicious actors can’t get unauthorized access.

To better secure your home wireless network from prying eyes, the first thing to do is set up a strong and unique password so neighbors or other people can’t take control over your personal data.

But we have to take security seriously and do more than just adding a strong password. Online criminals might exploit your poor Wi-fi security measures and “listen” to your traffic in order to retrieve sensitive information or take advantage of your network to launch attacks such as Man-in-the-Middle attacks, network sniffing or data theft.

We recommend checking out this 12 simple, and essential steps guide we’ve included enhancing the security of your home wireless network.

9. Do NOT connect to unsecured WiFi networks outside your home

Your children may be safe at home, but with so many Wi-Fi public networks they connect to, how can we be sure they will remain safe?

We often go to public places and enjoy a coffee or tea, without even thinking about the online dangers or hackers that could wait for our connection to start.

Even if we can’t be anywhere, there are still a few things we can do to greatly improve their online security.

First, make sure the smartphone, laptop or tablet they use has some sort of protection, like anti-spyware or antivirus protection to keep the software protected against exploits and security breaches.

Secondly, information is the secret for your kids’ online safety, no matter where they are, so read these actionable measures on how you can improve the public Wi-Fi network.

10. Online habits have real-life consequences

As challenging as might be for children to understand the risks of being online, cybersecurity awareness is vital these days. We should teach them to avoid talking to strangers online, how to distinguish between fake and real news, and explain about the most frequent security risks out there.

Various choices and decisions should be made to increase our family’s security strategy, but we need to establish what is it that we are afraid of. The limits we set may increase our online security strategy, but at the same time, we could risk blocking the naturaldevelopment of our children being surrounded by tech gadgets.

Children need to acknowledge that online actions lead to real-life consequences and have cyber hygiene on how to use the Internet safely.

We put together these 4 resources to learn how to increase your kids’ online privacy and  secure your most valuable data:

Online Privacy in Under 1 Hour: Improve your Security Fast

Here are the Top Online Scams You Need to Avoid Today [Updated 2018]

The ABCs of Detecting and Preventing Phishing

Best free security and privacy tools in 2019

Final thoughts 

We need to teach children about cyber threats that put in danger their online safety. But we also need to “preach” online protection from malware threats and phishing attempts that usually target unaware or uneducated minds.

How do you keep your kids safe from online threats today? What methods are you using? Feel free to share your thoughts in a comment below.

The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe

EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.

Try Thor Foresight

*This article was initially published by Andra Zaharia in March 2015 and updated by Ioana Rijnetu in February 2019.

The post How to Keep Your Kids Safe on the Internet (10 Actionable Tips) appeared first on Heimdal Security Blog.

Is 2019 the year national privacy law is established in the US?

Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated. A company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. A person may be entitled to free credit monitoring for a specified period of time or may have the right to be notified of the breach sooner than somebody living in another state. … More

The post Is 2019 the year national privacy law is established in the US? appeared first on Help Net Security.

Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You?

A classic meet-cute – the moment where two people, destined to be together, meet for the first time. This rom-com cornerstone is turned on its head by Netflix’s latest bingeable series “You.” For those who have watched, we have learned two things. One, never trust someone who is overly protective of their basement. And two, in the era of social media and dating apps, it’s incredibly easy to take advantage of the amount of personal data consumers readily, and somewhat naively, share online and with the cloud every day.

We first meet Joe Goldberg and Guinevere Beck – the show’s lead characters – in a bookstore, she’s looking for a book, he’s a book clerk. They flirt, she buys a book, he learns her name. For all intents and purposes, this is where their story should end – but it doesn’t. With a simple search of her name, Joe discovers the world of Guinevere Beck’s social media channels, all conveniently set to public. And before we know it, Joe has made himself a figurative rear-window into Beck’s life, which brings to light the dangers of social media and highlights how a lack of digital privacy could put users in situations of unnecessary risk. With this information on Beck, Joe soon becomes both a physical and digital stalker, even managing to steal her phone while trailing her one day, which as luck would have it, is not password protected. From there, Joe follows her every text, plan and move thanks to the cloud.

Now, while Joe and Beck’s situation is unique (and a tad dramatized), the amount of data exposed via their interactions could potentially occur through another romantic avenue – online dating. Many millennial couples meet on dating sites where users are invited to share personal anecdotes, answer questions, and post photos of themselves. The nature of these apps is to get to know a stranger better, but the amount of personal information we choose to share can create security risks. We have to be careful as the line between creepy and cute quickly blurs when users can access someone’s every status update, tweet, and geotagged photo.

While “You” is an extreme case of social media gone wrong, dating app, social media, and cloud usage are all very predominant in 2019. Therefore, if you’re a digital user, be sure to consider these precautions:

  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public, so turn your profiles to private in order to have control over who can follow you. Take it a step further and go into your app settings to control which apps you want to share your location with and which ones you don’t.
  • Use a screen name for social media accounts. If you don’t want a simple search of your name on Google to lead to all your social media accounts, consider using a different variation of your real name.
  • Watch what you post. Before tagging your friends or location on Instagram and posting your location on Facebook, think about what this private information reveals about you publicly and how it could be used by a third-party.
  • Use strong passwords. In the chance your data does become exposed, or your device is stolen, a strong, unique password can help prevent your accounts from being hacked.
  • Leverage two-factor authentication. Remember to always implement two-factor authentication to add an extra layer of security to your device. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.
  • Use the cloud with caution. If you plan to store your data in the cloud, be sure to set up an additional layer of access security (one way of doing this is through two-factor authentication) so that no one can access the wealth of information your cloud holds. If your smartphone is lost or stolen, you can access your password protected cloud account to lock third-parties out of your device, and more importantly your personal data.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You? appeared first on McAfee Blogs.

How Online Gamers Can Play It Safe

Online gaming has grown exponentially in recent years, and scammers have taken note. With the industry raking in over $100 billion dollars in 2017 alone[1], the opportunity to funnel some money off through fraud or theft has proven irresistible to the bad guys, leaving gamers at greater risk.

From malware and phishing scams, to phony game hacks, identity theft, and more, gamers of all stripes now face a minefield of obstacles online and in real life. So, if you’re going to play games, it’s best to play it safe.

Here’s what to look out for:

Dodgy Downloads

Gamers who play on their computer or mobile device need to watch out for dangerous links or malicious apps disguised as popular or “free” games. Hackers often use innocent-looking downloads to deliver viruses and spyware, or even sign you up for paid services, without your consent. In one prominent case, more than 2.6 million Android users downloaded fake Minecraft apps that allowed hackers to take control of their devices.

Researchers have even discovered a ransomware threat that targets gamers. TeslaCrypt was designed to encrypt game-play data until a ransom is paid. Originally distributed through a malicious website, it has since been circulating via spam.

And while it’s true that game consoles like PlayStation and Xbox aren’t as vulnerable to viruses, since they are closed systems, that doesn’t mean that their users don’t face other risks.

Social Scams

Players on any platform could wind up with malware, sent directly from other players via chat messages. Some scammers use social engineering tricks, like inviting other players to download “helpful” tools that turn out to be malware instead. When you consider that 62% of kids play games where they speak to others, the odds of a risky interaction with a stranger seems quite real.

Players of the Origin and Steam services, for instance, were targeted by hackers posing as other players, inviting them to play on their teams. Over chat message, they suggested the players download an “audio tool” that turned out to be a keystroke logger, aimed at stealing their access credentials for the game.

Other social scams include malicious YouTube videos or websites, offering game bonuses and currency, for free.

Another widespread social threat is account takeover, or ATO for short. This is when a scammer hacks a real account in order to post spammy links, and scam messages that appear to come from a trusted contact. Some accounts, for games like League of Legends, have even been stolen and sold online for money because they boasted a high level, or rare skins.

Phishing

Finally, be on the lookout for phishing websites, offering free games or bonuses, or phishy emails prompting you to login to your account, with a link leading to a copycat gaming site. Often, these are designed to steal your login credentials or distribute fake games that contain malware.

Players of the wildly popular Fortnite, for example, have been particularly targeted. The latest phishing scam is aimed at stealing the third-party sign-in tokens that allow cybercriminals to access a user’s account, and the payment details associated with it.

So now that you know about a little more about gaming threats, here’s how to win at playing it safe:

  1. Do Your Research—Before downloading any games from the Internet or app stores, make sure to read other users’ reviews first to see that they are safe. This also goes for sites that sell game hacks, credits, patches, or virtual assets typically used to gain rank within a game. Avoid illegal file-sharing sites and “free” downloads, since these are often peppered with malware. It’s always best to go for a safer, paid option from a reputable source.
  2. Play Undercover— Be very careful about sharing personal information, in both your profile information, and your chat messages. Private information, such as your full name, address, pet’s name, school, or work details, could be used to guess your account password clues, or even impersonate you. Consider playing under an alias.
  3. Be Suspicious—Since scammers use the social aspect of games to fool people, you need to keep your guard up when you receive messages from strangers, or even read reviews.
    Some YouTube and social media reviews are placed there to trick users into thinking that the game or asset is legitimate. Dig deep, and avoid looking for free hacks. Ask gamers you know in real life for recommendations that worked for them.
  4. Protect Yourself—Avoid using older versions of games, and make sure that games you do play are updated with patches and fixes. And if you think a gaming account may already have been compromised, change your passwords immediately to something unique and complex.Safeguard your computers and devices from known and emerging threats by investing in comprehensive security software, and keep yourself up-to-date on the latest scams.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

[1]According to The 2017 Year In Review Report by SuperData

The post How Online Gamers Can Play It Safe appeared first on McAfee Blogs.

Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is?

The remote work trend is here to stay — and it’s a growing phenomenon.

Nearly two-thirds (63 percent) of companies have employees who work remotely, yet more than half of those companies (57 percent) do not have a remote work policy, according to a 2018 report from the freelancing website Upwork. What’s more, many of the companies that do have a remote work policy said it hasn’t been updated in the past five years or has become more lenient over that time.

Remote work security is a lot like mobile security, and the work-at-home trend is a lot like the bring-your-own-device (BYOD) trend. You likely have a policy that covers mobile security. You need one that covers remote work.

What Could Go Wrong?

The elevated exposure associated with remote work is undeniable. In fact, it’s not even a controversial point. According to Shred-it, 86 percent of C-level executives believe that the risk of a data breach is higher when employees work remotely. Additionally, CybSafe reported that one-third of U.K. businesses have suffered a data breach because of remote work in the past 12 months.

All of those numbers make sense. Simply working outside the office comes with inherent risks. Remote workers are more likely to connect via insecure WiFi, either at home or while working in public spaces such as coffee shops. A study by OneLogin even found that more than half of remote workers spend up to one day per week connected to unsecured networks.

Sensitive conversations — or talk that could help threat actors do their work — involving remote workers are more likely to take place in writing (via chat or email) than in person, which creates a record that could be accessed by cybercriminals. Work-from-home employees are also more likely to mix professional and personal equipment, software, data and online activity. That means threat actors could more easily breach personal consumer hardware and software as an entry point into company networks. In other words, hacking a remote worker may offer a higher payoff than hacking an in-office employee.

Furthermore, remote, freelance and contract workers are more likely to use their own equipment and perform their own IT tasks than in-office staff. And most remote workers are neither experts in choosing secure hardware nor skilled in the complexities of IT security. They’re also more vulnerable to hardware theft, shoulder surfing and other risks.

Don’t Forget About Compliance

Beyond the obvious security risks, remote work policies dramatically enhance regulatory compliance. The General Data Protection Regulation (GDPR) led the way, California followed, and soon, many U.S. states will have strong regulations around security and privacy. Yet many of the remote work policies currently in place were created before the GDPR even started making headlines.

A good remote work policy covers a broad range of categories, from employment rules to expense reporting to legal obligations. But the data security provisions are probably the most important. And because the security and regulatory landscapes — as well as attitudes and demands around remote work — keep changing, your company’s remote work policy should keep changing too.

Components of a Good Remote Work Policy

Clearly, it’s important to create a good remote work policy if you don’t have one — or update the one you’ve got to reflect current realities and best practices. But what exactly makes a good policy?

First, create a detailed plan for communication and training related to remote workers, and specify this plan in the policy. Clarify that the remote work policy applies to all workers, even if they do work at home one hour a month. Keep in mind the differences (legal and otherwise) between permanent, full-time employees on the one hand and contract, freelance, temporary or contingent workers on the other. Your policy is one tool for the company to help employees boost security in their homes, which is always a good idea.

Next, align the policy with remote work infrastructure and software. Be clear about rules for company-owned equipment. List all user tools (e.g., cloud document platforms, workgroup communication, video conferencing, project management, etc.) so that remote and in-office employees are all on the same page — literally — and using the same approved and security-monitored tools.

You’ll then want to draft a notification process in the event of a security event and include the steps that each employee must take in the event of a breach. Include clear actions to keep operating systems, applications, certificates, and security and networking software up to date. Include all applicable in-office rules, such as the password policy and other security-related rules. It’s also important to make remote work policies compatible with employee contracts — i.e., make sure overlapping or contradicting areas are addressed.

Lastly, make sure you plan to monitor policy adoption and adherence. Learn from security successes and failures and keep the policy flexible. Importantly, update the remote work policy frequently by setting a schedule for reviewing it on a regular basis.

Address Your Remote Security Gap

The bottom line is that the reality of remote work extends the enterprise attack surface to include employees’ homes. It’s vital to address this gaping hole with a clear, up-to-date remote work policy that is consistently monitored and enforced.

The post Employees Are Working From Home — Do You Know Where Your Remote Work Policy Is? appeared first on Security Intelligence.

Moving to the Hybrid Cloud? Make Sure It’s Secure by Design

Many organizations have such a positive first experience with cloud computing that they quickly want to move to a hybrid cloud environment with data and workloads shared between private and public clouds. The flexibility and control that a hybrid cloud provides is why it is expected to be the dominant cloud computing model for the foreseeable future.

However, companies often don’t think about security issues until after they are well along in the process of building a hybrid cloud. This can lead to nasty surprises when they realize this environment introduces some unique security considerations that don’t exist in traditional infrastructure. That’s why a hybrid cloud needs to be secure by design.

Cloud Security Is a Shared Responsibility

Public cloud providers offer enterprise-class security, but that doesn’t absolve customers from responsibility for protecting data, enforcing access controls and educating users. Private cloud security is complicated because private clouds can take many forms. They may be hosted entirely on-site, entirely in the public cloud or some combination. Private cloud infrastructure can also be dedicated to a single tenant or shared across multiple zones with isolation providing dedicated resources. Each environment has different security demands.

The scale and dynamism of cloud computing complicates visibility and control. Many customers incorrectly believe that cloud providers take care of security. In fact, security is a shared responsibility. In my experience, most cloud security failures occur because customers don’t live up to their part of the bargain.

No single cloud security mechanism does the entire job. There is also little consensus about what the ideal cloud security environment should look like. As a result, most product offerings in this market are still evolving. Secure by design starts with assessing risk and building a framework for technology.

A New Way of Computing

Moving to the cloud doesn’t mean relinquishing total control, but it does require embracing a new security mindset based on identity, data and workloads rather than underlying platforms. Security professionals who can reorient themselves around business enablement rather than device protection are particularly well-suited to securing public clouds.

Cloud computing is highly distributed and dynamic, with workloads constantly spinning up and down. Visibility is essential for security. According to Gartner, cloud security should address three core topics that have not traditionally been an IT discipline: multitenancy risk, virtualization security and software-as-a-service (SaaS) control.

Multitenancy risk is inherent to cloud architectures because multiple virtual machines (VMs) share the same physical space. Major public cloud providers go to great lengths to mitigate the possibility that one tenant could access data in another VM, but on-premises infrastructure is susceptible if the servers are not configured properly. Changes made to one hybrid cloud environment may also inadvertently affect another.

Virtualization security refers to the unique risks of virtualized environments. While hypervisors and VMs are in many ways more secure than bare-metal environments because the operating system is isolated from the hardware, the use of shared resources like storage and networking also introduces potential vulnerabilities that don’t exist on dedicated servers.

SaaS environments require greater attention to authentication and access control because the user doesn’t own the network. Governance standards need to be put in place to ensure that users take appropriate precautions with data and that all necessary regulatory and compliance guidelines are met.

Without these new competencies, organizations will struggle to gain visibility into their hybrid cloud environments, making it almost impossible to determine which computing and storage tasks are taking place where, using which data and under whose direction. In that situation, provisioning and enforcement of policy can quickly become impractical. But if organizations practice secure-by-design principles using new cloud-native tools, they can get a single-pane-of-glass view into activity that enables policy enforcement.

Three Keys to Secure Hybrid Cloud Deployments

Three areas merit special attention: encryption, endpoint security and access control.

Encryption is the best form of data protection. Data moving to and from the public cloud should be encrypted at all stages, and sensitive data should never be left unencrypted. All cloud providers support encryption, but not necessarily by default. Customers need to choose the type of encryption that is most appropriate and secure encryption keys.

When public cloud services are accessed over the public internet, special attention needs to be paid to endpoint security to prevent the risk of creating access points for attackers or becoming targets of malware. For example, an attacker who compromises a PC and logs on as an administrator for the company’s public cloud effectively has the keys to the kingdom. Hardware firewalls aren’t protection enough.

Secure web gateways (SWGs) utilize URL filtering, advanced threat defense (ATD) and malware detection to protect organizations and enforce internet policy compliance. SWGs are delivered as both physical and virtual on-premises appliances, cloud-based services or hybrid cloud/on-premises solutions. They provide an additional layer of protection against destructive attacks such as ransomware and enable safer and more efficient adoption of cloud-based services.

Finally, cloud-specific access control is a necessity if employees, contractors and vendors are to use both public and private clouds. Single sign-on (SSO) and federated access controls can minimize inconvenience while maintaining control and security monitoring.

Identity and access management-as-a-service (IDaaS) works in both multitenant and dedicated environments. It provides identity governance and administration, access management, and analytics functions that span the organization’s entire cloud environment. IDaaS can also be integrated with existing access management software to manage access to legacy applications.

The Cloud Security Alliance has an extensive library of resources that cover practices for hybrid cloud security. Organizations should familiarize themselves with these guidelines before beginning the migration process. Building security into hybrid infrastructure from the beginning minimizes the pain and delay of backfilling later.

The post Moving to the Hybrid Cloud? Make Sure It’s Secure by Design appeared first on Security Intelligence.

Converged IT and OT to Advance Security Maturity

The convergence of IT, operational technology (OT) and industrial internet of things (IIoT) has raised concerns about cybersecurity, safety and data privacy for many organizations, according to a new Ponemon Institute study. Released

The post Converged IT and OT to Advance Security Maturity appeared first on The Cyber Security Place.

Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns

Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”

With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.

Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.

Cybersecurity Risks Once Again in the Top 5

The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.

When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.

This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.

Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?

A Conversation Starter for CISOs and Top Leadership

Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:

  • Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?
  • Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?
  • Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?
  • Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents, but also the risks to traditional cryptographic methods of protecting company secrets?

Interconnectedness Versus Resilience

If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”

The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”

Find a Rallying Point

Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.

The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.

Four differences between the GDPR and the CCPA

By passing the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the Golden State is taking a major step in the protection of consumer data. The new law gives consumers insight into and control of their personal information collected online. This follows a growing number of privacy concerns around corporate access to and sales of personal information with leading tech companies like Facebook and Google. The bill was signed by … More

The post Four differences between the GDPR and the CCPA appeared first on Help Net Security.

Data Breach Fatigue Makes Every Day Feel Like Groundhog Day

The constant string of data breaches isn’t what I’d call funny, but it does make me think about one of my favorite cinematic comedies. The film “Groundhog Day” stars Bill Murray as a grumpy weatherman who travels to the little town of Punxsutawney, Pennsylvania, where a famous rodent supposedly predicts when spring will arrive.

According to some unexplained movie logic, Murray’s character ends up caught in a time warp so that he wakes up the day after Groundhog Day and it’s — you guessed it — Groundhog Day once again. No matter what he does, he wakes up day after day and the same events happen again and again. As you can imagine, the poor weatherman starts to lose his mind and, for a time, gives up trying to change his fate.

In the world of cybersecurity, things don’t appear to be much different. If it feels like there’s a new data breach reported every day, that’s because it’s more or less true. According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day.

All told, there were at least 11.6 billion records lost in those breaches. The consequences for the economy and individual businesses and consumers are mounting, and the cost of these breaches is staggering if you consider the average cost per lost record, which was $148 in the U.S. last year.

These data points raise other questions about the human impact of data breach Groundhog Day, if you will. How does the daily barrage of data breaches affect our behavior? Are we responding with urgency to this growing problem as consumers, businesses and security professionals? Or have we given a collective shrug, accepting that this is the new normal?

What Does Data Breach Fatigue Look Like?

One apparent consequence of constant breaches is data breach fatigue — the idea that consumers have become inured to the effects of data breaches and are less motivated to do anything to protect themselves. The data breach fatigue effect is a little hard to calculate, but there is some evidence it exists, and the fallout is harmful to both consumers and the breached organizations.

In one study, researchers measured consumer sentiment on social media in the aftermath of a breach at the U.S. Office of Personnel Management that affected 21.5 million people. According to the study, overall sentiment about the breach was tinged with anxiety and anger, but victims of the breach showed higher levels of sadness. Moreover, social media chatter about the breach dropped off significantly over time. Two months after the breach, engagement was almost nonexistent, which the researchers said showed acceptance, apathy and the onset of breach fatigue.

While there isn’t a lot of data on how people respond to having their personal information breached, there is some evidence in consumer surveys that data breach fatigue is setting in. For example, a significant proportion of users don’t take proactive steps to improve their security after a breach, such as changing their passwords or checking their credit score. Although almost 50 percent of respondents to a 2016 Experian survey said they were taking more precautions to protect their personal information, just 33 percent check their credit scores regularly and only 36 percent review the privacy policies of the companies they do business with.

In another study conducted by RAND Corporation, only half (51 percent) of survey respondents said they changed their password or PIN after a breach, and a scant 4 percent said they started using a password manager. While 24 percent said they became “more diligent” in response to a breach, 22 percent took no action whatsoever.

Finally, a survey conducted by Ponemon Institute in 2014 on behalf of Experian found that many consumers were taking a passive approach to data breach notifications. Of the 32 percent of consumers who had received at least one data breach notification in the prior two years, their concern about breaches didn’t necessarily produce an urgent response. Although 45 percent of breach victims said they were “very concerned” or “extremely concerned” about the potential for identity theft, 32 percent said they ignored the breach notification or took no action, and 55 percent said they did nothing to protect themselves from identity theft.

If data breach fatigue contributes to consumers failing to take the necessary precautions to protect themselves, it could leave those consumers at greater risk of identity theft, damaged credit, financial loss and privacy violations. But before we start blaming the victims for being irresponsible, it’s clear from the Ponemon/Experian study that many breach victims feel powerless or even trapped because the products and services they depend on from breached companies can’t easily be replaced, and nothing they can do as individuals will change the likelihood that their data will be breached.

The Dangers of Data Breach Fatigue

There’s another risk from data breach fatigue that is maybe underappreciated: that organizations will assume their security and privacy practices won’t matter to consumers. We know from surveys that consumers are very concerned about cybersecurity, but constant breaches have caused a steady erosion of trust between businesses and customers.

In another consumer survey from 2018, conducted by The Harris Poll on behalf of IBM Security, only 20 percent of respondents said they “completely trust” organizations they interact with to maintain the privacy of their data, and 73 percent said it is extremely important that companies take swift action to stop a data breach.

People do care about the security and privacy of their information, and some will take their business elsewhere. In the 2014 Ponemon survey for Experian, 29 percent of respondents said they stopped doing business with a company after a breach.

There are some things organizations can do to start rebuilding trust. Consumers expect a certain baseline of activity in a company’s response that includes identity theft protection and credit monitoring, access to customer service to handle questions and, perhaps most importantly, a sincere apology.

According to Michael Bruemmer, a vice president of consumer protection at the Experian Data Breach Resolution Group, the following steps are crucial to effective communications after a breach:

  • Provide timely notification explaining what happened and why.
  • Explain the risks or impact to the customer as a result of the breach.
  • Explain all the facts and don’t sugarcoat the message.
  • Make the communications more personal with less technical and legal jargon.
  • Describe easy-to-follow steps for customers to protect themselves from identity theft and fraud.
  • Consider using other communication channels to reach customers, including social media and a secure website to answer frequently asked questions and a way for customers to enroll in identity theft protection services.

Practice Your Incident Response Plan

Communicating with customers after a breach is just one element of an effective incident response (IR) plan. But most organizations don’t have any plan for responding to a breach.

Caleb Barlow, vice president of threat intelligence at IBM Security, said having an incident response playbook is “just the beginning.” Organizations need to practice for a full-business response and hone the crisis leadership and communication skills of executives, board members and heads of key departments, such as PR and HR.

“In the heat of the moment, there’s no time to fumble through the playbook and figure out what to do next,” Barlow wrote in a blog post. “That’s when your training and muscle memory kicks in and you execute your plan. If you don’t practice it, you are exposed to an avoidable disadvantage.”

To stop the cycle of data breaches and data breach fatigue, organizations and consumers alike need to shake off our fatalism and reluctance to change. Cyberattacks and breaches may be inevitable, but we have control over the way we respond, and we can’t afford to accept the status quo.

We can’t keep doing the same things and expect different results. If data breach fatigue keeps organizations stuck in a pattern of passive and uncoordinated breach responses — and if consumers remain reluctant to take security into their own hands — then every day is going to feel like just another Groundhog Day.

Learn how to build your breach response plan

The post Data Breach Fatigue Makes Every Day Feel Like Groundhog Day appeared first on Security Intelligence.

Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure

Many of us rely on customer support websites for navigating new technology. Whether it’s installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) data by disguising themselves as the official McAfee customer support website.

So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks on the download button, they are redirected to a screen prompting them to enter their name, email address, contact number, and product activation key to proceed with the download. However, when the user clicks on the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.

 

At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

  • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements on your social media feed, these ads could possibly house sketchy websites developed by cybercriminals. Use caution when interacting with social media ads.
  • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
  • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure appeared first on McAfee Blogs.

McAfee Blogs: Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure

Many of us rely on customer support websites for navigating new technology. Whether it’s installing a new piece of software or troubleshooting a computer program, we look to customer support to save the day. Unfortunately, cybercriminals are leveraging our reliance on customer support pages to access our personal information for financial gain. It appears that a malicious website is attempting to trick users into handing over their McAfee activation keys and personally identifiable information (PII) data by disguising themselves as the official McAfee customer support website.

So how exactly does this cyberthreat work? First, malicious actors advertise the fake website on Twitter. If a user clicks on the ad, they are presented with a “Download McAfee” button. When the user clicks on the download button, they are redirected to a screen prompting them to enter their name, email address, contact number, and product activation key to proceed with the download. However, when the user clicks on the “Start Download” button, they are redirected to a screen stating that their download failed due to an unexpected error.

 

At this point, the site owner has received the user’s personal data, which they could exploit in a variety of ways. And while this scheme may seem tricky to spot, there are a number of ways users can defend themselves from similar scams:

  • Be vigilant when clicking on social media links. Although it may be tempting to click on advertisements on your social media feed, these ads could possibly house sketchy websites developed by cybercriminals. Use caution when interacting with social media ads.
  • Go straight to the source. If you come across an advertisement claiming to be from a company and the link asks for personal data, it’s best to go directly to the company’s website instead. Use the official McAfee customer support page if you require technical support or assistance with your McAfee product.
  • Use security software. A security solution like McAfee WebAdvisor can help you spot suspicious websites and protect you from accidentally clicking on malicious links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure appeared first on McAfee Blogs.



McAfee Blogs

AI May Soon Defeat Biometric Security, Even Facial Recognition Software

It’s time to face a stark reality: Threat actors will soon gain access to artificial intelligence (AI) tools that will enable them to defeat multiple forms of authentication — from passwords to biometric security systems and even facial recognition software — identify targets on networks and evade detection. And they’ll be able to do all of this on a massive scale.

Sounds far-fetched, right? After all, AI is difficult to use, expensive and can only be produced by deep-pocketed research and development labs. Unfortunately, this just isn’t true anymore; we’re now entering an era in which AI is a commodity. Threat actors will soon be able to simply go shopping on the dark web for the AI tools they need to automate new kinds of attacks at unprecedented scales. As I’ll detail below, researchers are already demonstrating how some of this will work.

When Fake Data Looks Real

Understanding the coming wave of AI-powered cyberattacks requires a shift in thinking and AI-based unified endpoint management (UEM) solutions that can help you think outside the box. Many in the cybersecurity industry assume that AI will be used to simulate human users, and that’s true in some cases. But a better way to understand the AI threat is to realize that security systems are based on data. Passwords are data. Biometrics are data. Photos and videos are data — and new AI is coming online that can generate fake data that passes as the real thing.

One of the most challenging AI technologies for security teams is a very new class of algorithms called generative adversarial networks (GANs). In a nutshell, GANs can imitate or simulate any distribution of data, including biometric data.

To oversimplify how GANs work, they involve pitting one neural network against a second neural network in a kind of game. One neural net, the generator, tries to simulate a specific kind of data and the other, the discriminator, judges the first one’s attempts against real data — then informs the generator about the quality of its simulated data. As this progresses, both neural networks learn. The generator gets better at simulating data, and the discriminator gets better at judging the quality of that data. The product of this “contest” is a large amount of fake data produced by the generator that can pass as the real thing.

GANs are best known as the foundational technology behind those deep fake videos that convincingly show people doing or saying things they never did or said. Applied to hacking consumer security systems, GANs have been demonstrated — at least, in theory — to be keys that can unlock a range of biometric security controls.

Machines That Can Prove They’re Human

CAPTCHAs are a form of lightweight website security you’re likely familiar with. By making visitors “prove” they’re human, CAPTCHAs act as a filter to block automated systems from gaining access. One typical kind of CAPTCHA asks users to identify numbers, letters and characters that have been jumbled, distorted and obfuscated. The idea is that humans can pick out the right symbols, but machines can’t.

However, researchers at Northwest University and Peking University in China and Lancaster University in the U.K. claimed to have developed an algorithm based on a GAN that can break most text-based CAPTCHAs within 0.05 seconds. In other words, they’ve trained a machine that can prove it’s human. The researchers concluded that because their technique uses a small number of data points for training the algorithm — around 500 test CAPTCHAs selected from 11 major CAPTCHA services — and both the machine learning part and the cracking part happen very quickly using a single standard desktop PC, CAPTCHAs should no longer be relied upon for front-line website defense.

Faking Fingerprints

One of the oldest tricks in the book is the brute-force password attack. The most commonly used passwords have been well-known for some time, and many people use passwords that can be found in the dictionary. So if an attacker throws a list of common passwords, or the dictionary, at a large number of accounts, they’re going to gain access to some percentage of those targets.

As you might expect, GANs can produce high-quality password guesses. Thanks to this technology, it’s now also possible to launch a brute-force fingerprint attack. Fingerprint identification — like the kind used by major banks to grant access to customer accounts — is no longer safe, at least in theory.

Researchers at New York University and Michigan State University recently conducted a study in which GANs were used to produce fake-but-functional fingerprints that also look convincing to any human. They said their method worked because of a flaw in the way many fingerprint ID systems work. Instead of matching the full fingerprint, most consumer fingerprint systems only try to match a part of the fingerprint.

The GAN approach enables the creation of thousands of fake fingerprints that have the highest likelihood of being matches for the partial fingerprints the authentication software is looking for. Once a large set of high-quality fake fingerprints is produced, it’s basically a brute-force attack using fingerprint patterns instead of passwords. The good news is that many consumer fingerprint sensors use heat or pressure to detect whether an actual human finger is providing the biometric data.

Is Face ID Next?

One of the most outlandish schemes for fooling biometric security involves tricking facial recognition software with fake faces. This was a trivial task with 2D technologies, in part because the capturing of 2D facial data could be done with an ordinary camera, and at some distance without the knowledge of the target. But with the emergence of high-definition 3D technologies found in many smartphones, the task becomes much harder.

A journalist working at Forbes tested four popular Android phones, plus an iPhone, using 3D-printed heads made by a company called Backface in Birmingham, U.K. The studio used 50 cameras and sophisticated software to scan the “victim.” Once a complete 3D image was created, the life-size head was 3D-printed, colored and, finally, placed in front of the various phones.

The results: All four Android phones unlocked with the phony faces, but the iPhone didn’t.

This method is, of course, difficult to pull off in real life because it requires the target to be scanned using a special array of cameras. Or does it? Constructing a 3D head out of a series of 2D photos of a person — extracted from, say, Facebook or some other social network — is exactly the kind of fake data that GANs are great at producing. It won’t surprise me to hear in the next year or two that this same kind of unlocking is accomplished using GAN-processed 2D photos to produce 3D-printed faces that pass as real.

Stay Ahead of the Unknown

Researchers can only demonstrate the AI-based attacks they can imagine — there are probably hundreds or thousands of ways to use AI for cyberattacks that we haven’t yet considered. For example, McAfee Labs predicted that cybercriminals will increasingly use AI-based evasion techniques during cyberattacks.

What we do know is that as we enter into a new age of artificial intelligence being everywhere, we’re also going to see it deployed creatively for the purpose of cybercrime. It’s a futuristic arms race — and your only choice is to stay ahead with leading-edge security based on AI.

The post AI May Soon Defeat Biometric Security, Even Facial Recognition Software appeared first on Security Intelligence.

Mimecast Expands Data Migration Services With Acquisition Of Simply Migrate.

Mimecast Limited (NASDAQ: MIME), a leading email and data security company, today announced it has acquired Simply Migrate Ltd., an innovative provider of archive data migration technology. With this acquisition, Mimecast expands its migration services with a rich portfolio of connectors, combined with a deeper experience in helping organizations get out of the business of managing expensive, unreliable legacy archives so they can move to a next-generation data protection strategy in the Mimecast cloud. This helps enable them to reduce costs, safeguard their intellectual property, preserve institutional memory, accelerate e-discovery and achieve compliance.

The cost and complexity of legacy data migration is one of the leading obstacles preventing enterprises from moving to modern cloud-based archiving solutions such as Mimecast. The acquisition of Simply Migrate will offer customers and prospects a faster, less expensive and more reliable path to the Mimecast cloud.

“Legacy archiving systems are outdated and unable to handle growth and ever-changing demands of a modern enterprise. Many organizations struggle with the ballooning email storage volumes alongside other unstructured data types, coupled with the cost and management burdens of storing it on-premises,” said Peter Bauer, chief executive officer at Mimecast. “With the acquisition of Simply Migrate, customers can reap the benefits of the Mimecast Cloud Archive, which was recently named a Leader in the Gartner Magic Quadrant for Enterprise Information Archiving for the fourth year in a row. The technology Simply Migrate offers is engineered to provide end-to-end migration into the Mimecast Cloud Archive, helping to cut costs and operational complexity while achieving a superior result with more flexible access to data, case management, supervision and more.”

For more information, please visit our Mimecast Cloud Archive page.

About Mimecast

Mimecast is a cybersecurity provider that helps thousands of organizations worldwide make email safer, restore trust and bolster cyber resilience. Mimecast’s expanded cloud suite enables organizations to implement a comprehensive cyber resilience strategy. From email and web security, archive and data protection, to awareness training, uptime assurance and more, Mimecast helps organizations stand strong in the face of cyberattacks, human error and technical failure. www.mimecast.com

The post Mimecast Expands Data Migration Services With Acquisition Of Simply Migrate. appeared first on IT Security Guru.

How to Build a System Hardening Program From the Ground Up

Commercial and open-source system configurations such as Windows, Linux and Oracle do not always have all the necessary security measures in place to be deployed immediately into production. These configurations often have features and functionalities enabled by default, which can make them less secure, especially given the sophistication and resourcefulness of today’s cybercriminals.

A system hardening program can help address this issue by disabling or removing unnecessary features and functionalities. This enables security teams to proactively minimize vulnerabilities, enhance system maintenance, support compliance and, ultimately, reduce the system’s overall attack surface.

Unfortunately, many companies lack a formal system hardening program because they have neither an accurate IT asset inventory nor the resources to holistically maintain or even begin a program. An ideal system hardening program can successfully track, inventory and manage the various platforms and assets deployed within an IT environment throughout their life cycles. Without this information, it is nearly impossible to fully secure configurations and verify that they are hardened.

Planning and Implementing Your System Hardening Program

System hardening is more than just creating configuration standards; it also involves identifying and tracking assets in an environment, establishing a robust configuration management methodology, and configuring and maintaining system parameters to expected values. To manage and promote system hardening throughout your organization, start by initiating an enterprisewide program plan. Most companies are engaged in various stages of a plan, but suffer from inconsistent approaches and execution.

A plan builds on the premise that hardening standards will address the most common platforms, such as Windows, Linux and Oracle, and IT asset classes, such as servers, databases, network devices and workstations. These standards will generally address approximately 80 percent of the platforms and IT asset classes deployed in an environment; the remaining 20 percent may be unique and require additional research or effort to validate the most appropriate hardening standard and implementation approach. By adopting the 80/20 rule, hardening will become more consistent, provide better coverage and increase the likelihood of continued success.

Let’s take a closer look at the components of a system hardening program plan and outline the steps you can take to get started on your hardening journey, gain companywide support of your strategy and see the plan through to completion.

1. Confirm Platforms and IT Asset Classes

First thing’s first: Determine the types of platforms and IT asset classes deployed within your environment. For example, list and document the types of server versions, such as Windows 2016, Windows 2012 R2, Red Hat Enterprise Linux or Ubuntu, and the types of desktop versions, such as Windows 7 and Apple iOS. Then, list the types of database versions, such as MySQL, Oracle 12c and MongoDB. The IT asset inventory should be able to report on the data needed to create the platform and IT asset class list. However, some companies struggle to maintain an IT asset inventory that accurately accounts for, locates and tracks the IT assets in their environment.

If there isn’t an up-to-date IT asset inventory to report from, review network vulnerability scan reports to create a list of platforms and asset classes. The scan reports will help verify and validate existing platforms and IT asset classes in your environment, as well as devices that may be unique to your company or industry. Interviewing IT tower leads can also support this information-gathering exercise, as can general institutional knowledge about what is deployed.

2. Determine the Scope of Your Project

Once you’ve documented the platforms and IT asset classes, you can determine the full scope of the system hardening program. From a security perspective, all identified platforms and IT asset classes should be in scope, but if any platform or IT asset class is excluded, document a formalized rationale or justification for the exception.

Any platform or IT asset class not included in the hardening scope will likely increase the level of risk within the environment unless compensating controls or countermeasures are implemented.

3. Establish Configuration Standards

Next, develop new hardening builds or confirm existing builds for all in-scope platforms and IT asset classes. Create this documentation initially from industry-recognized, authoritative sources. The Center for Internet Security (CIS), for example, publishes hardening guides for configuring more than 140 systems, and the Security Technical Implementation Guides (STIGs) — the configuration standards for U.S. Department of Defense systems — can be universally applied. Both of these sources are free to the public. It is generally best to apply one set of hardening standards from an industry-recognized authority across all applicable platforms and IT asset classes whenever possible.

This is the step in the plan where you’ll reference the in-scope listing of all platforms and IT asset classes. For each line item on the list, there should be a corresponding hardening standard document. Start with the industry-recognized source hardening standards and customize them as necessary with the requisite stakeholders.

As an example, let’s say the Microsoft Windows Server 2008 platform needs a hardening standard and you’ve decided to leverage the CIS guides. First, download the Microsoft Windows Server 2008 guide from the CIS website. After orienting the Windows Server team to the overall program plan objectives, send the hardening guide for review in advance of scheduled meetings. Then, walk through the hardening guide with the Windows Server team to determine whether the configuration settings are appropriate.

During these discussions, the team should be able to verify which configuration settings are currently in place, what is not in place, and what may violate company policy for pre- and postproduction server images. If there are hardening guide configuration settings that are not already in place, conduct formal testing to ensure that these changes will not degrade performance, lead to outages or cause other problems within the production environment.

Let’s take the configuration setting “Cryptographic Services to Automatic,” a Microsoft Windows Server 2008 hardening standard from the CIS guide, for example. If this configuration setting is not already in place, can it be implemented? If it cannot be implemented, document the reason why it causes problems as determined through testing, whether it violates company policy or anything else that’s applicable. Note this particular configuration setting as an exception in the overall hardening standard documentation for future reference.

4. Implement Your System Hardening Standards

After you’ve established the hardening build and maintenance documentation and conducted any necessary configuration testing, implement the hardening standards accordingly. The preproduction “golden,” or base, images should be hardened initially to proactively disable or remove unnecessary features prior to deploying in production. Starting with the preproduction images should be less time- and labor-intensive because only one image per platform typically needs to be hardened, removing the need for a change management process or scheduled downtime.

Once a particular platform image is hardened, that image can be used to re-image the postproduction platforms already deployed in the environment. The hardened configuration changes can be deployed with configuration management tools, depending on the platform. For example, the Windows team can implement a vast array of configuration settings throughout the environment it manages with Group Policy. If you cannot make automated hardening changes globally for some or all platforms, you’ll need to physically visit these systems individually and manually apply the configuration changes.

5. Monitor and Maintain Your Program

An effective system hardening program requires the support of all IT and security teams throughout the company. The success of such a program has as much to do with people and processes as it does with technology. Since system hardening is inherently interdisciplinary and interdepartmental, a variety of skill sets are needed to carry it out. Hardening is a team effort that requires extensive coordination.

It’s important to appoint a hardening lead to ensure accountability and responsibility for the management and oversight of the program. This individual should possess the drive to achieve results, a knack for problem-solving, and the ability to direct others in collaboration and teamwork. The system hardening lead is ultimately responsible for the success of the program and should provide the focus, support and momentum necessary to achieve its objectives.

Still, accountability for hardening-related activities should be formally assigned to the teams best suited to ensure their completion and maintenance. The information security team should help facilitate improvements when gaps are identified and serve in a governance role by monitoring the hardening practices of all teams, challenging poor processes and approaches, and verifying compliance against hardening standards. If configuration management tools are not available, verify compliance using vulnerability scans.

All this complexity demands a great deal of synchronization. The roles and responsibilities must be clearly delineated so teams can focus their efforts on activities that truly advance the hardening program plan.

System Hardening Has Never Been So Crucial

Implementing and managing an effective system hardening program requires leadership, security knowledge and execution. Obtaining executive commitment, management support and sufficient investment for the program is also crucial. If you carefully choose a combination of easy-to-implement platforms and IT asset classes and more challenging, longer-term hardening efforts, you’ll see incremental improvements in program execution and support.

Companies everywhere and across industries face an ever-accelerating rate of change in both the threat and technology landscapes, making system hardening more crucial than ever. A hardening program isn’t built in a day, but an effective, thoughtfully constructed plan can significantly lower your company’s risk posture.

The post How to Build a System Hardening Program From the Ground Up appeared first on Security Intelligence.

Cybersecurity Experts Share Insight For Data Privacy Day 2019

You’ll have to forgive my ignorance—but what is an appropriate gift for Data Privacy Day? Perhaps an encrypted portable drive? That might not be a bad idea, but what I have

The post Cybersecurity Experts Share Insight For Data Privacy Day 2019 appeared first on The Cyber Security Place.

Heimdal Security Supports the ROC Leeuwenborgh Capture the Flag (CTF) Challenge

We, at Heimdal Security, are focused on educating both our readers and customers through actionable and useful blog articles, security alerts, protection guides, online courses, and other helpful resources designed to enhance cybersecurity awareness.

Through every project, education remains a core focus. Our goal is to make online security and privacy simple and accessible to anyone, and we think this starts with understanding the basics.

We also believe in the power of the cybersecurity community and being actively involved in it.

Every time we have the chance to support young and passionate students with their educational endeavors, encourage them to develop security skills and dive deeper into the world of cybersecurity, we do it without hesitation.

With that in mind, we are happy to announce that we are supporting the students from ROC Leeuwenborgh in the Netherlands by providing security software during their upcoming CTF competition.

A Capture the Flag (CTF) competition is usually hosted at cybersecurity conferences and aims to challenge participants to use their security skills and solve problems by capturing “flags” from the compromised computer networks.

This type of event requires players to register with the red or a blue team and includes a series of challenges that vary in terms of difficulties.

Students from the ROC Leeuwenborgh are competing for the blue team by trying to build their own CTF network with several “flags” and defend them against attacks of the red team.

They will present the network at the Security Congress called “The Journey of the Digital Experience over cybersecurity” in Brightlands, Netherlands, which takes place on the 1st of February. During this event, there will be security talks held by students, consisting of different workshops, presentations, and demonstrations.

How the Capture the Flag network works

The Dutch students have built their own network using components and resources from their education center, which includes a Ubiquiti Access Point, a router, switches, the RedSocks Malicious Threat Detector (MTD), Network-attached storage (NAS) and 7 servers.

The Capture the Flag environment will be divided into three different levels: beginner, advanced and expert, and will focus on cracking the passwords of the Access Points (which will be encrypted) to get access to the network.

There will be two dedicated servers for the beginner level in which attendees (participants) will have to use the “EternalBlue” exploit used as part of the massive WannaCry ransomware in 2017.

During the CTF competition, participants will solve puzzles of different levels of difficulty (cryptographic, steghide, and others) to get a password that will help them unlock password-protected Word documents placed on the desktop. These docs will give them access to “flags” that will break two more servers in the beginner network. Participants will face more challenges trying to solve more puzzles before they access the advanced network.

Same methods apply for the “expert” level, but at this point, students will use the Heimdal Security’s security solution, Thor Premium Home, to monitor networks and make the challenge more competitive.

During this event, participants will have to prove knowledge of offensive and defensive skills for hacking and protecting networks, cryptography, exploitation, etc, and they will work in the team to face challenges and capture all the flags in the specified timeframe.

The best team will win a substantial amount of money and other attractive prizes.

The Dutch Police also joins the CTF competition

It’s worth mentioning that an important partner of this event is the Dutch Police which will have a separate Capture the Flag network. Given the rise of advanced online threats, phishing, or DDoS attacks, the role of the Police and the IT specialists is indispensable for raising awareness about the importance of cybersecurity.

This CTF competition offers participants the opportunity to “become” IT specialists within the Dutch Police and use their hacking skills to collect as many flags as possible ahead of other competitors. It is mainly focused on cryptography and forensics, and participants are encouraged to bring their own device to join the competition. They will compete in the same environment and the winners will be rewarded with attractive prizes.

This is a great way for students, or professional and amateur hackers from the Dutch region and other places to learn hacking techniques, improve their problem-solving skills, and, most important, gain hands-on practice.

Bottom line, every Capture the Flag competition is a huge opportunity for students and people passionate about cybersecurity to think out of the box and test their team player skills.

If you have all these, take the leap and join the competition on the 1st of February!

More details about the event can be found here and information about the registration is here.

If you are interested in cybersecurity, or you want to embark on a career in infosec, you can always check out our free educational resources and learn how to better protect yourself against cybercriminals attacks.

Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight Home anti malware and ransomware protection heimdal security
Thor Foresight provides: Automatic and silent software updates Smart protection against malware Compatibility with any traditional antivirus.

SECURE YOUR ONLINE BROWSING!

Get Thor Foresight

The post Heimdal Security Supports the ROC Leeuwenborgh Capture the Flag (CTF) Challenge appeared first on Heimdal Security Blog.

Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy

It’s 2019 and technology is becoming more sophisticated and prevalent than ever. With more technology comes greater connectivity. In fact, by 2020, there will be more than 20 billion internet-connected devices around the world. This equates to more than four devices per person. As we adopt new technology into our everyday lives, it’s important to consider how this emerging technology could lead to greater privacy risks if we don’t take steps to protect our data. That’s why the National Cyber Security Alliance (NCSA) started Data Privacy Day to help create awareness surrounding the importance of recognizing our digital footprints and safeguarding our data. To further investigate the impact of these footprints, let’s take a look at how we perceive the way data is shared and whose responsibility it is to keep our information safe.

The Impact of Social Media

Most of us interact with multiple social media platforms every day. And while social media is a great way to update your friends and family on your daily life, we often forget that these platforms also allow people we don’t really know to glimpse into our personal lives. For example, 82% of online stalkers use social media to find out information about potential victims, such as where they live or where they go to school. In other words, social media could expose your personal information to users beyond your intended audience.

Certain social media trends also bring up issues of privacy in the world of evolving technology. Take Facebook’s 10-year challenge, a recent viral trend encouraging users to post a side-by-side image of their profile pictures from 2009 and 2019. As WIRED reporter Katie O’Neill points out, the images offered in this trending challenge could potentially be used to train facial recognition software for age progression and age recognition. While the potential of this technology is mostly mundane, there is still a risk that this information could be used inequitably.

How to Approach Requests for Personal Data

Whether we’re using social media or other online resources, we all need to be aware of what personal data we’re offering out and consider the consequences of providing the information. While there are some instances where we can’t avoid sharing our personal data, such as for a government document or legal form, there are other areas where we can stand to be a little more conservative with the data that we divulge. For example, many of us have more than just our close family and friends on our social networks. So, if you’re sharing your location on your latest post, every single person who follows you has access to this information. The same goes for those online personality quizzes. While they may be entertaining, they put an unnecessary amount of your personal information out in the open. This is why it’s crucial to be thoughtful of how your data is collected and stored.

So, what steps can you take to better protect your online privacy? Check out the following tips to help safeguard your data:

  • Think before you post. Before tagging your friends on Instagram, sharing your location on Facebook, or enabling facial recognition, consider what this information reveals and how it could be used by a third-party.
  • Set privacy and security settings. If you don’t want the entire World Wide Web to be able to access your social media, turn your profiles to private. You can also go to your device settings and choose which apps or browsers you want to share your location with and which ones you don’t.
  • Enable two-factor authentication. In the chance your data does become exposed, a strong, unique password can help prevent your accounts from being hacked. Furthermore, you can implement two-factor authentication to stay secure. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy appeared first on McAfee Blogs.

WordPress’ WSOD protection feature appears half-baked, Garners security doubts

Experts suggest that WordPress’ new feature ‘White Screen Of Death (WSOD) Protection’ can be altered to block security plugins from functioning. The feature is expected to release with WordPress 5.1

The post WordPress’ WSOD protection feature appears half-baked, Garners security doubts appeared first on The Cyber Security Place.

11 Expert Takes On Data Privacy Day 2019 You Need To Read

The Council of Europe agreed that January 28 should be declared European Data Protection Day back in 2007; two years later the U.S. joined in with the Data Privacy Day

The post 11 Expert Takes On Data Privacy Day 2019 You Need To Read appeared first on The Cyber Security Place.

Data Protection Day – New Year, Same Passwords?

By Sandor Palfy, Chief Technology Officer of Identity and Access Management at LogMeIn

The number of data breaches we saw in 2018 – let alone those we saw in the last couple of weeks – certainly brings a somber mood to this year’s Data Protection Day. Big names, including the likes of British Airways, Cathay Pacific and Facebook made headlines last year for all the wrong reasons, and the fact that it took less than 24 hours for the first data breach of 2019 to make the news only makes things worse.

But there is a silver lining yet. The heightened buzz around data privacy has increased awareness in the critical role businesses play in employing best practices around data protection, and the fact that humans are the weakest link in security strategy.

Passwords have always played an integral role in data security, and most companies rely on them as their go-to method for authentication. But with the average person having over 200 passwords to memorise, many find it too complicated to remember unique credentials for each platform. One employee motivated by convenience and productivity using the same weak password across business and personal platforms is all it takes for a data hack to occur.

Business leaders should take today as an opportunity to educate employees on the importance of healthy password practices. Using a password manager to generate and remember a random string of characters and numbers is a vital step in strengthening account security. As those on the front line, staff should also be given guidance on responding quickly to data hacks. If a business can build a strong defence mechanism combined with trained staff, it will stand a better chance of remaining secure and cyber-ready.

By leveraging tools such as password managers alongside solid cybersecurity processes, we can ensure that data breaches as a result of weak passwords are a thing of the past.

The post Data Protection Day – New Year, Same Passwords? appeared first on IT Security Guru.

Industry reactions to Data Privacy Day 2019

The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Privacy Day is observed annually on Jan. 28. Cindy Provin, CEO, nCipher Security These high profile policy developments are sending a signal that the days of using personal data for commercial advantage … More

The post Industry reactions to Data Privacy Day 2019 appeared first on Help Net Security.

GDPR-ready organizations see lowest incidence of data breaches

Organizations worldwide that invested in maturing their data privacy practices are now realizing tangible business benefits from these investments, according to Cisco’s 2019 Data Privacy Benchmark Study. The study validates the link between good privacy practice and business benefits as respondents report shorter sales delays as well as fewer and less costly data breaches. Business benefits of privacy investments The GDPR, which focused on increasing protection for EU residents’ privacy and personal data, became enforceable … More

The post GDPR-ready organizations see lowest incidence of data breaches appeared first on Help Net Security.

AWS Provides Secure Access to Internal Assets With Amazon WorkLink

Amazon Web Services (AWS) on Wednesday announced the launch of Amazon WorkLink, a service that enables organizations to provide employees easy and secure access to internal websites and applications from their mobile devices without the need for a VPN or custom browser.

read more

As BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts beg the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

The Ten Rules of BYOD

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice, but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether the employee needs to use personal devices for work at all. If there are jobs within the organization that don’t require regular access to networks, or if employees are working remotely, these users should not be allowed to participate in a BYOD program because their devices are neither authorized nor consistently monitored.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install the corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences to pay.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”

Read the white paper

The post As BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up? appeared first on Security Intelligence.

How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry

At the IBM Security Summit in 2018, X-Force Red Global Head Charles Henderson told a memorable story. A colleague frantically reached out one Friday afternoon asking him to test five medical internet of things (IoT) devices. One of the devices was to be implanted in the colleague’s body, and he wanted to make sure he chose the most secure model. Charles immediately called his hacker friends, who happily agreed to help him with the research. Within a couple days, Charles recommended a specific model to his colleague, confident the model was the least hackable.

Unlike Charles’ colleague, most patients do not have someone on hand to test their medical IoT devices prior to implantation, which is why it’s critical for device manufacturers to build security into the devices from the earliest stages of development. Patients should be able to trust that the devices in their bodies have no critical vulnerabilities that criminals could potentially exploit.

A Q and A With ‘Q’: Reviewing the FDA’s Guidance on Medical IoT Devices

On Jan. 29–30, 2019, the Food and Drug Administration (FDA) will host a public workshop to discuss medical IoT security. The discussion will focus on the recently drafted guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which aims to help strengthen cybersecurity across medical IoT devices.

Catherine Norcom, X-Force Red’s resident hardware hacker, specializes in building and testing IoT devices in the medical field. Catherine, also known as “Q,” recently joined the team after serving 10 years in the U.S. Air Force.

I chatted with Catherine about the FDA’s guidance, the top risks related to medical IoT devices and how to minimize those risks.

Question: Thank you for taking the time to chat today, Catherine. Which parts of the FDA’s guidance do you think may be most effective?

Catherine: I like the objective of the guidance. Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach. Specifically, I like the clause about logging people out after a period of inactivity. I also like the clause that discusses the need for rapid deployment of patches and updates.

However, that clause actually contradicts another clause in the guidance that recommends users approve any product updates before they are installed. That being said, in November 2018, the FDA provided more details on this topic, saying critical patches can and should be applied without user approval. I also think that’s an important update. After all, patient safety should not vary from user to user, simply based on whether they have the resources to process and deploy critical patches in a timely fashion. The FDA should include those details in the guidance.

I also like that the guidance promotes encrypting any information stored on devices and requires authentication of some kind before the user accesses medical information coming from the device. That way, if a user left a device on a bus, for example, someone else could not access the user’s private medical information.

 

Where do you think the guidance could be improved?

There are some parts that seemed like they could vary in meaning. For example, the guidance recommends assessing risk and mitigation throughout a product’s life cycle. However, manufacturers and end users can have different interpretations of what constitutes the life cycle of a product. Obviously, manufacturers will release newer versions of products, whether it’s because of their own innovations or due to external factors such as a pending update to a third-party operating system or plug-in that makes the existing product design a challenge to maintain.

When a manufacturer releases a new version of a product, they cannot continue to support all older versions of that product in the same manner they did before. But even after the manufacturer needs to end its support, the product may still work fine for some period. And even if it doesn’t work as well as it once did without manufacturer support, the user may choose to continue using and servicing it themselves. Although this is a difficult subject to address, it could be valuable if the guidance is able to spell out in more detail what the expectations are for manufacturers and users at different stages of a normal product life cycle. There are other FDA documents that include more details about this matter, but it should be spelled out in this guidance as well.

The guidance also uses buzzwords like “holistic.” Many manufacturers — and, frankly, people in general — do not know what that term means or else they could interpret it differently. Also, a part of the guidance recommends manufacturers identify vulnerabilities up front. This is both exceedingly nuanced and complex. For example, even if a manufacturer identified a vulnerability in the Wi-Fi connection, they may not know the USB port is also vulnerable. In this case, you need penetration testers to assess risk throughout the process – whether that’s hiring outside specialists or someone in-house. Penetration testers, who are hackers, understand the many different ways criminals may exploit individual vulnerabilities or chain them together to compromise a device. As such, testers can identify how criminals may exploit vulnerabilities – whether it’s one or many chained together – exposing a device and connected ecosystem.

Since X-Force Red specializes in cybersecurity, let’s pivot the conversation and discuss security risks that come with medical IoT devices.

Medical IoT devices are a top target of cybercriminals, so even if a manufacturer thinks it has developed a device with reasonable security, criminals may still find vulnerabilities. I recently read a Ponemon Institute study that said 67 percent of medical device makers believe an attack on one or more medical devices they have built is likely.

One of the most obvious points of vulnerability is if the user loses the device or the device is stolen. If criminals get physical access to the hardware, they may be able to access all of the medical data in that device. They could also potentially reverse engineer the device and in this way gain access to even more information that is stored on underlying servers. That information could aid in planning a larger attack against the device manufacturer or help criminals use patient identity in insurance fraud or other schemes.

Yes, physically stealing a device would provide the easiest pathway to compromising it. What about the risks related to the Wi-Fi connection used by most IoT devices?

Obviously, anything connected to Wi-Fi can potentially be compromised. A brute force attack is one of the more popular attack methods. The service set identifier (SSID) is the Wi-Fi network name you see when you try to connect. If a device broadcasts its SSID, for example, a criminal would see the device on the Wi-Fi network and may try every password under the sun until one grants him access. These attacks are typically automated by computers and it can take mere seconds to brute force a weak password.

Also, if the Wi-Fi connection from the device is not secured and the data stored on the device is not encrypted, a criminal could intercept the packets and access medical data as it moves from the device to the router. Essentially, a criminal could grab the device’s stored medical data as it moves through the air.

What about USB ports? Many medical IoT devices contain USB ports similar to those we use to charge our cellphones.

Yes, USB ports on medical IoT devices can be used to transfer data. If someone plugs into the device’s USB port and the stored data is unencrypted, the person could potentially access the data. It’s similar to your cellphone: If you plug a USB cable into your phone and connect it to a laptop, you can see the data on your phone and move it to your laptop.

As a rule, people should avoid connecting to any USB port they do not control. That means avoiding those in airports, airplanes, public places, etc. Behind every USB port, there can be a device reading data without explicit permission.

 

So, what can IoT medical device manufacturers do to strengthen the security of their products as they’re being developed?

First, developers should make sure the device’s SSID is hidden so it doesn’t show up on Wi-Fi networks. Also, IoT manufacturers will oftentimes give all their devices the same SSID. For example, devices that are meant for the kitchen will have the SSID “kitchen.” If devices have the same SSID, then a criminal can connect to them even if they are hidden. It’s crucial that devices have unique SSIDs and preferably let their owners name them to create random names that attackers won’t be able to readily look up.

Good security practices for an application programming interface (API)-enabled device include making sure a criminal doesn’t have access to the API key — which is like a password — so that he or she can’t read the private medical data that the medical device is logging.

An easy and obvious recommendation is to use encryption. Any data on the device and the connection to the wireless hotspot or cell phone should be encrypted. Encryption will disable criminals’ ability to read private data whether they steal packets or plug into a USB port. Manufacturers can also make proprietary software that only talks to the specific IoT device and enables it to securely decrypt the data on it.

It’s also critical to have a secure connection between the device and Wi-Fi access point you are using. The device should not connect to anything that doesn’t require authentication.

Finally, manufacturers must test their hardware and software as the device is being developed. Manual penetration testing can uncover unknown vulnerabilities that automated tools may not find. For example, testers can determine whether the software was programmed in a way that makes files difficult to read. As they are writing and developing the device and its software, manufacturers should consult a security expert at every step, from selecting products to testing during development, and test after the device is built.

Any last words or recommendations for the FDA as it works to finalize the guidance?

Unfortunately, hacking an IoT device, medical and nonmedical, is oftentimes not that difficult. At the DEF CON hacker conference, people with little experience were hacking IoT coffee pots and voting booths in minutes. When you allow an IoT device on your network, if the device has a vulnerability, a criminal can easily compromise your entire network. That’s why it’s critical for all IoT manufacturers to prioritize security when developing their products.

This guidance is a step in the right direction to achieving that goal. It gives some really strong recommendations and places a focus on the subject of IoT security. The FDA is inviting comments from medical device and component manufacturers, independent researchers and security firms, which will be extremely beneficial in shaping the final draft. It’s always encouraging to see the security world’s perspective being brought into the development of this kind of guidance.

Listen to the X-Force Red in Action Podcast Series

The post How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry appeared first on Security Intelligence.

National Data Privacy Day Is Wishful Thinking

You have to have a supreme sense of irony, or be in major denial, to call Monday, Jan. 28, Data Privacy Day. Given the current state of big data collection

The post National Data Privacy Day Is Wishful Thinking appeared first on The Cyber Security Place.

McAfee Blogs: How Safe is Your Child’s School WiFi?

School WiFi. For many of our digital natives, school WiFi may even be a more important part of their daily life than the canteen!! And that is saying something…

You’d be hard pressed to find a child who rocked up to school without a device in their backpack in our digital age. The vast majority of schools have embraced the many positive learning benefits that internet-connected devices offer our kids. The traditional blackboard and textbook lessons that were confined to the four walls of the classroom are gone. Instead our kids can research, discover, collaborate, create and most importantly, learn like never before.

But in order for this new learning to occur, our kids need to be internet connected. And this is where school WiFi comes into play.

Do Parents Need to Be Concerned About School WiFi?

As parents, we have a responsibility to ensure our kids are safe and not at risk – and that includes when they are using the WiFi at school. Ideally, your child’s school should have a secure WiFi network but unfortunately, that doesn’t mean that they do. School budgets are tight and top-notch secure WiFi networks are expensive, so in some cases, security maybe jeopardised.

The other factor we shouldn’t ignore is that our batch of digital natives are very tech literate. The possibility that one of them may choose to cause some mayhem to their school WiFi network should also not be ignored!!

At the end of the day, the security of a WiFi network is all about whether it has tight access controls. If it allows only approved devices and people to connect via a secure login then it is more secure than public WiFi. However, if it is open to anyone or easy for anyone to connect to it, then you need to treat it like public WiFi.

What Are the Risks?

An unsecured school WiFi network is as risky as public WiFi which, according to the Harvard Business Review, is as risky as rolling a dice,

Students and staff who use an unsecured WiFi network are at risk of receiving phishing emails, being the victim of a ransomware attack or even having their data or personal details stolen. There is also a risk that the entire school’s operations could be disrupted and possibly even closed down through a DDOS – a Denial of Service Attack.

What Can Parents Do to Ensure Their Kids Are Safe Using School WiFi?

There are several steps parents can take to minimise the risks when their offspring use school WiFi.

  1. Talk To Your School

The first thing to do is speak to your child’s school to understand exactly how secure their network is. I’d recommend asking who has access to the network, what security practices they have in place and how they manage your child’s private data.

  1. Install Security Software

Operating a device without security software is no different to leaving your front door unlocked. Installing security software on all devices, including smartphones, will provide protection against viruses, online threats, risky websites and dangerous downloads. Check out McAfee’s Total Protection security software for total peace of mind!

  1. Keep Device Software Up To Date

Software updates are commonly designed to address security issues. So ensuring ALL your devices are up to date is a relatively easy way of minimising the risk of being hacked.

  1. Schedule Regular Data Back Up

If you are the victim of a ransomware attack and your data is backed up then you won’t even have to consider paying the hefty fee to retrieve your (or your child’s) data. Backing up data regularly should be not negotiable however life can often get in the way. Why not schedule automatic backups? I personally love online backup options such as Dropbox and Google Drive however you may choose to invest in a hard drive.

  1. Public Wi-Fi Rules?

If after talking to your school, you aren’t convinced that your child’s school WiFi network is secure, then I recommend that your kids should treat it as if it was public WiFi. This means that they should NEVER conduct any financial transactions using it and never share any personal details. But the absolute best way of ensuring your child is safe using an unsecured WiFi network, is to use a Virtual Private Network (VPN). A VPN like McAfee’s Safe Connect creates an encrypted tunnel so anything that is shared over WiFi is completely safe.

As a mum of 4, I am very keen to ensure my kids are engaged with their learning. And in our digital times, this means devices and WiFi. So, let’s support our kids and their teachers in their quest for interactive, digital learning but please don’t forget to check in and ensure your kids are as safe as possible while using WiFi at school.

Take Care

Alex xx

The post How Safe is Your Child’s School WiFi? appeared first on McAfee Blogs.



McAfee Blogs

How Safe is Your Child’s School WiFi?

School WiFi. For many of our digital natives, school WiFi may even be a more important part of their daily life than the canteen!! And that is saying something…

You’d be hard pressed to find a child who rocked up to school without a device in their backpack in our digital age. The vast majority of schools have embraced the many positive learning benefits that internet-connected devices offer our kids. The traditional blackboard and textbook lessons that were confined to the four walls of the classroom are gone. Instead our kids can research, discover, collaborate, create and most importantly, learn like never before.

But in order for this new learning to occur, our kids need to be internet connected. And this is where school WiFi comes into play.

Do Parents Need to Be Concerned About School WiFi?

As parents, we have a responsibility to ensure our kids are safe and not at risk – and that includes when they are using the WiFi at school. Ideally, your child’s school should have a secure WiFi network but unfortunately, that doesn’t mean that they do. School budgets are tight and top-notch secure WiFi networks are expensive, so in some cases, security maybe jeopardised.

The other factor we shouldn’t ignore is that our batch of digital natives are very tech literate. The possibility that one of them may choose to cause some mayhem to their school WiFi network should also not be ignored!!

At the end of the day, the security of a WiFi network is all about whether it has tight access controls. If it allows only approved devices and people to connect via a secure login then it is more secure than public WiFi. However, if it is open to anyone or easy for anyone to connect to it, then you need to treat it like public WiFi.

What Are the Risks?

An unsecured school WiFi network is as risky as public WiFi which, according to the Harvard Business Review, is as risky as rolling a dice,

Students and staff who use an unsecured WiFi network are at risk of receiving phishing emails, being the victim of a ransomware attack or even having their data or personal details stolen. There is also a risk that the entire school’s operations could be disrupted and possibly even closed down through a DDOS – a Denial of Service Attack.

What Can Parents Do to Ensure Their Kids Are Safe Using School WiFi?

There are several steps parents can take to minimise the risks when their offspring use school WiFi.

  1. Talk To Your School

The first thing to do is speak to your child’s school to understand exactly how secure their network is. I’d recommend asking who has access to the network, what security practices they have in place and how they manage your child’s private data.

  1. Install Security Software

Operating a device without security software is no different to leaving your front door unlocked. Installing security software on all devices, including smartphones, will provide protection against viruses, online threats, risky websites and dangerous downloads. Check out McAfee’s Total Protection security software for total peace of mind!

  1. Keep Device Software Up To Date

Software updates are commonly designed to address security issues. So ensuring ALL your devices are up to date is a relatively easy way of minimising the risk of being hacked.

  1. Schedule Regular Data Back Up

If you are the victim of a ransomware attack and your data is backed up then you won’t even have to consider paying the hefty fee to retrieve your (or your child’s) data. Backing up data regularly should be not negotiable however life can often get in the way. Why not schedule automatic backups? I personally love online backup options such as Dropbox and Google Drive however you may choose to invest in a hard drive.

  1. Public Wi-Fi Rules?

If after talking to your school, you aren’t convinced that your child’s school WiFi network is secure, then I recommend that your kids should treat it as if it was public WiFi. This means that they should NEVER conduct any financial transactions using it and never share any personal details. But the absolute best way of ensuring your child is safe using an unsecured WiFi network, is to use a Virtual Private Network (VPN). A VPN like McAfee’s Safe Connect creates an encrypted tunnel so anything that is shared over WiFi is completely safe.

As a mum of 4, I am very keen to ensure my kids are engaged with their learning. And in our digital times, this means devices and WiFi. So, let’s support our kids and their teachers in their quest for interactive, digital learning but please don’t forget to check in and ensure your kids are as safe as possible while using WiFi at school.

Take Care

Alex xx

The post How Safe is Your Child’s School WiFi? appeared first on McAfee Blogs.

Two Elasticsearch Databases Found Unprotected

After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit. Click

The post Two Elasticsearch Databases Found Unprotected appeared first on The Cyber Security Place.

Debunking conventional wisdom to get out of the security and privacy rut

Given the unprecedented rate of technological change, the dizzying news cycle, and an always-on social media mentality, it may be surprising to learn that when it comes to security and

The post Debunking conventional wisdom to get out of the security and privacy rut appeared first on The Cyber Security Place.

First Large GDPR Fine issued and its to Google for €50 million

Every member state, organisation and almost every individual have been watching supervisory authorities closely to see if and who will

First Large GDPR Fine issued and its to Google for €50 million on Latest Hacking News.

5G Is Coming: Security Risks You Need to Know About

The future of connectivity is here ­– 5G. This new network is set to roll out across the nation this coming year and bring greater speed to our handheld devices, which means more data and lower latency. But perhaps one of the most anticipated and popular benefits is it will allow even more IoT devices to come online and encourage more connection between said devices. This would enable users to remotely connect to or monitor their IoT devices like kitchen or security gadgets. The promise of more connectivity, smoother IoT user experience, and even more devices online, means there are likely more opportunities and avenues for cyberattacks. 5G will no doubt shape the foreseeable future, let’s see how.

Today, interconnected devices operate on low-powered, low-data-rate networks, such as Cat-M and NB-IoT. With the introduction of 5G networks across the world, the capabilities of VR and AR, AI and ML, and automation and robotics will enhance immensely. Take self-driving cars, for example. These machines require close proximity to their computing to reduce the latency of decision making. The capabilities of 5G don’t end there either. From manufacturing, transportation and logistics, to public safety and the establishment of smart cities, industries are at the ready to take their business to the next level with 5G. With this newfound growing anticipation for the future of 5G, the question has to be asked, what are the security implications for smaller IoT devices?

From an innovation standpoint, 5G is a beacon of light, but from a cybersecurity standpoint, 5G is a “hotbed for a new era of intensified cyberwar.” Denial-of-service attacks, or DDoS, are particular causes of concern for cybersecurity researchers. Devices like refrigerators, thermometers, even light bulbs, will be able to come online because of 5G. Users will be able to remotely check on these appliances through a simple app, but these devices can also be usurped by malicious characters. This increased connectivity and power could see big name sites down for days, or even affect city utility capabilities. Government agencies and private entities are not immune either, but they do have plans in place in the event a DDoS attack occurs.

While consumers can only wait and see what happens with the rollout, industries across the board will want to harness the benefits of 5G. However, consumers and organizations alike need to be cautious in terms of how 5G could be used to help, or hinder, us in the future. Rest assured, even if malicious actors utilize this technology, McAfee’s security strategy will continue to keep pace with the ever-changing threat landscape.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post 5G Is Coming: Security Risks You Need to Know About appeared first on McAfee Blogs.

Embrace the Intelligence Cycle to Secure Your Business

Regardless of where we work or what industry we’re in, we all have the same goal: to protect our most valuable assets. The only difference is in what we are trying to protect. Whether it’s data, money or even people, the harsh reality is that it’s difficult to keep them safe because, to put it simply, bad people do bad things.

Sometimes these malicious actors are clever, setting up slow-burning attacks to steal enterprise data over several months or even years. Sometimes they’re opportunistic, showing up in the right place at the wrong time (for us). If a door is open, these attackers will just waltz on in. If a purse is left unattended on a table, they’ll quickly swipe it. Why? Because they can.

The Intelligence Cycle

So how do we fight back? There is no easy answer, but the best course of action in any situation is to follow the intelligence cycle. Honed by intelligence experts across industries over many years, this method can be invaluable to those investigating anything from malware to murders. The process is always the same.

Stage 1: Planning and Direction

The first step is to define the specific job you are working on, find out exactly what the problem is and clarify what you are trying to do. Then, work out what information you already have to deduce what you don’t have.

Let’s say, for example, you’ve discovered a spate of phishing attacks — that’s your problem. This will help scope subsequent questions, such as:

  • What are the attackers trying to get?
  • Who is behind the attacks?
  • Where are attacks occurring?
  • How many attempts were successful?

Once you have an idea of what you don’t know, you can start asking the questions that will help reveal that information. Use the planning and direction phase to define your requirements. This codifies what you are trying to do and helps clarify how you plan on doing it.

Stage 2: Collection

During this stage, collect the information that will help answer your questions. If you cannot find the answers, gather data that will help lead to those answers.

Where this comes from will depend on you and your organization. If you are protecting data from advanced threats, for instance, you might gather information internally from your security information and event management (SIEM) tool. If you’re investigating more traditional organized crime, by contrast, you might knock on doors and whisper to informants in dark alleys to collect your information.

You can try to control the activity of collection by creating plans to track the process of information gathering. These collection plans act as guides to help information gatherers focus on answering the appropriate questions in a timely manner. Thorough planning is crucial in both keeping track of what has been gathered and highlighting what has not.

Stage 3: Processing and Exploitation

Collected information comes in many forms: handwritten witness statements, system logs, video footage, data from social networks, the dark web, and so on. Your task is to make all the collected information usable. To do this, put it into a consistent format. Extract pertinent information (e.g., IP addresses, telephone numbers, asset references, registration plate details, etc.), place some structure around those items of interest and make it consistent. It often helps to load it into a schematized database.

If you do this, your collected information will be in a standard shape and ready for you to actually start examining it. The value is created by putting this structure around the information. It gives you the ability to make discoveries, extract the important bits and understand your findings in the context of all the other information. If you can, show how attacks are connected, link them to bad actors and collate them against your systems. It helps to work with the bits that are actually relevant to the specific thing you’re working on. And don’t forget to reference this new data you collected against all the old stuff you already knew; context is king in this scenario.

This stage helps you make the best decisions you can against all the available information. Standardization is great; it is hard to work with information when it’s in hundreds of different formats, but it’s really easy when it’s in one.

Of course, the real world isn’t always easy. Sometimes it is simply impossible to normalize all of your collected information into a single workable pot. Maybe you collected too much, or the data arrived in too many varied formats. In these cases, your only hope is to invest in advanced analytical tools and analysts that will allow you to fuse this cacophony of information into some sensible whole.

Stage 4: Analysis Production

The analysis production stage begins when you have processed your information into a workable state and are ready to conduct some practical analysis — in other words, you are ready to start producing intelligence.

Think about the original task you planned to work on. Look at all the lovely — hopefully standardized — information you’ve collected, along with all the information you already had. Query it. Ask questions of it. Hypothesize. Can you find the answer to your original question? What intelligence can you draw from all this information? What stories can it tell? If you can’t find any answers — if you can’t hypothesize any actions or see any narratives — can you see what is missing? Can you see what other information you would need to collect that would help answer those questions? This is the stage where you may be able to draw new conclusions out of your raw information. This is how you produce actionable intelligence.

Actionable intelligence is an important concept. There’s no point in doing all this work if you can’t find something to do at the end of it. The whole aim is to find an action that can be performed in a timely manner that will help you move the needle on your particular task.

Finding intelligence that can be acted upon is key. Did you identify that phishing attack’s modus operandi (MO)? Did you work out how that insider trading occurred? It’s not always easy, but it is what your stakeholders need. This stage is where you work out what you must do to protect whatever it is you are safeguarding.

Stage 5: Dissemination

The last stage of the intelligence cycle is to go back to the stakeholders and tell them what you found. Give them your recommendations, write a report, give a presentation, draw a picture — however you choose to do it, convey your findings to the decision-makers who set the task to begin with. Back up your assertions with your analysis, and let the stakeholders know what they need to do in the context of the intelligence you have created.

Timeliness is very important. Everything ages, including intelligence. There’s no point in providing assessments for things that have already happened. You will get no rewards for disseminating a report on what might happen at the London Marathon a week after the last contestant finished. Unlike fine wine, intelligence does not improve with age.

To illustrate how many professionals analyze and subsequently disseminate intelligence, below is an example of an IBM i2 dissemination chart:

The Intelligence Cycle

The analysis has already happened and, in this case, the chart is telling your boss to go talk to that Gene Hendricks chap — he looks like one real bad egg.

Then what? If you found an answer to your original question, great. If not, then start again. Keep going around the intelligence cycle until you do. Plan, collect, process, analyze, disseminate and repeat.

Gain an Edge Over Advanced Threats

We are all trying to protect our valued assets, and using investigation methodologies such as the intelligence cycle could help stop at least some malicious actors from infiltrating your networks. The intelligence cycle can underpin the structure of your work both with repetitive processes, such as defending against malware and other advanced threats, and targeted investigations, such as searching for the burglars who stole the crown jewels. Embrace it.

Whatever it is you are doing — and whatever it is you are trying to protect — remember that adopting this technique could give your organization the edge it needs to fight back against threat actors who jealously covet the things you defend.

To learn more, read the interactive white paper, “Detect, Disrupt and Defeat Advanced Physical and Cyber Threats.”

Read the white paper

The post Embrace the Intelligence Cycle to Secure Your Business appeared first on Security Intelligence.

More regulation, more solutions needed: IoT device breaches continue to put user data at risk

Almost half of companies still can’t detect IoT device breaches, according to a Gemalto study. But, use of blockchain technology might provide a solution.’With IoT devices continuing to immerse themselves

The post More regulation, more solutions needed: IoT device breaches continue to put user data at risk appeared first on The Cyber Security Place.

Using Offender Profiling Techniques in Security Operations

Let’s start this article off with a question. What does Agent Smith from the Matrix, the Joker from Batman and Darth Vader from Star Wars all have in common? It’s

The post Using Offender Profiling Techniques in Security Operations appeared first on The Cyber Security Place.

Industry reactions to Google’s €50 million GDPR violation fine

On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against Google, in accordance with the GDPR. This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Here are some reactions … More

The post Industry reactions to Google’s €50 million GDPR violation fine appeared first on Help Net Security.

McAfee Blogs: Artificial Intelligence & Your Family: The Wows & the Risks

artificial intelligenceAm I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

An there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying on in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Security Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post Artificial Intelligence & Your Family: The Wows & the Risks appeared first on McAfee Blogs.



McAfee Blogs

AI & Your Family: The Wows and Potential Risks

artificial intelligenceAm I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

An there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying on in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Security Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data was comprised of a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords, in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size to Yahoo, and the largest public breach ever (given the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy

Picture this: An object storage misconfiguration has left thousands of customer records fully exposed. Your company is about to face costly compliance consequences and a loss of customer trust. How should you respond? More importantly, how could a secure hybrid cloud strategy have helped prevent such an incident from happening in the first place?

As IT teams face significant pressure to develop a successful cloud migration strategy, organizations are treating security as an afterthought in their rush to quickly move to the cloud. Today, 81 percent of organizations have a multicloud strategy, according to RightScale. Migration without cloud security services for visibility and governance can significantly increase the complexity, costs and risks of adoption.

In This Article

When Unsecure Cloud Migration Becomes Disastrous

Too often, security is forgotten in the excitement to capture the hybrid cloud’s remarkable potential. Perceptions that secure processes can slow digital transformation may lead to security being treated as an afterthought. While effectively managed cloud adoption can improve data security and disaster recovery, many organizations are wary of public cloud providers’ shared responsibility models with third-party security providers, which can increase the complexity for users and complicate processes for access and governing compliance compared to on-premises deployments. A Cybersecurity Insiders survey found that 43 percent of cloud adopters lack of visibility into infrastructure security, 38 percent report compliance troubles and 35 percent struggle to consistently enforce security policies.

Learn more about how to secure your hybrid cloud

Misconfigured cloud servers and other improperly configured systems were solely responsible for the exposure of 2 billion data records tracked by IBM X-Force researchers last year. In addition, inadvertent insider error has contributed to an over 400-percent year-over-year growth in cloud security risks, due in large part to misunderstandings about shared responsibility models to protect data in the cloud. Ultimately, if a data breach or disruption occurs, the organization is liable for the loss of customer trust, regulatory fines and other expensive consequences.

By rushing cloud adoption, business are more likely to generate risks than gain a competitive advantage. In fact, 74 percent of organizations reported that they likely experienced a data breach in the past year due to a lack of secure cloud migration processes. Secure cloud design, a full understanding of responsibility models and solutions for proactive risk management are critical to realizing cloud benefits.

How to Adopt Hybrid Cloud With Confidence

The organization’s ability to develop a successful cloud migration strategy depends, in part, on the IT team’s ability to effectively manage competing priorities of speed, cost efficiency and security. Across industries, hybrid cloud adoption is a necessary tool to balance expanding workloads and data assets. As cloud threats increase, managing hybrid cloud infrastructures requires the enterprise to develop new processes and adopt new solutions for visibility and control.

Strive for True Hybrid Cloud Visibility

Hybrid cloud environments can host a wide array of resources and application programming interfaces (APIs), which can make it challenging to orchestrate effective security controls.

The need for visibility necessitates management solutions designed to capture a diverse view of storage, networking and provisioning activities across public and private cloud environments. Cloud security services should offer visibility and analytics to proactively manage compliance, identify threats and accelerate remediation activities.

Proactively Manage the Cloud Life Cycle

Effective data governance in a hybrid cloud infrastructure requires comprehensive security policies that are proactively and consistently implemented across apps, services, databases, users and endpoints. Cloud security tools should support the organization’s transition to a DevSecOps model where security works alongside DevOps so that proper security controls are built into the design process from the beginning. In turn, this simplifies the process of access management, authentication and authorization in native and migrated cloud apps. To manage threats and compliance risks, organizations need solutions that automate policy enforcement and strengthen compliance posture in a hybrid cloud environment post-deployment.

Why the Enterprise Is Responsible for Protecting Customer Trust in the Hybrid Cloud

The revolution toward a digital economy is underway, and organizations recognize the potential of the hybrid cloud to introduce agility and scale. As IT teams face pressure to deploy a hybrid cloud infrastructure that supports digital transformation activities, many are rushing to the cloud without a comprehensive approach to protecting critical data by design and default.

To fully realize the potential benefits of the secure hybrid cloud, organizations must recognize and understand that the responsibility for protecting customer data and a secure move to the cloud continues to rest with their organization and IT teams. Implementing secure processes during migration and adoption can reduce the costs and risks that result from treating security as an afterthought. Cloud security services for visibility and orchestration are a necessity to proactively manage policy, compliance and access across cloud apps and services.

Learn more about how to secure your hybrid cloud

The post Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy appeared first on Security Intelligence.

Encryption is key to protecting information as it travels outside the network

A new Vera report reveals stark numbers behind the mounting toll of data breaches triggered by cybercrime and accidents. One of the most recognized and mandated security controls, installed encryption tools protect

The post Encryption is key to protecting information as it travels outside the network appeared first on The Cyber Security Place.

The Success of Your Business Depends on Digital Trust. Here Is How to Measure It

Most people can name a recent example of online data being compromised, and consumers have become more concerned about how organizations protect their data. Whether the data in question is a physical location, credit card numbers or buying preferences, modern, tech-savvy consumers are thinking long and hard about digital trust risks and the privacy of their data.

“It’s not now just about price, feature, and benefits, it’s not even about history and legacy, it is about trust,” said researcher Mark McCrindle on behalf of Blackmores, an Australian vitamin company, according to CMO. “Every brand must build and maintain trust, particularly because the customer is more skeptical and empowered.”

In This Article

The Consumer Confidence Crisis

Consumer confidence in brands has dropped to a historic low. According to the “2018 Edelman Trust Barometer,” 7 in 10 industries are solidly in “distrust territory.” Customers are increasingly aware that their decision to share personal data with brands could have significant implications, and new legislation backs the customer’s right to opt out of untrustworthy brand engagements.

As organizations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of propping up a secure website or app, or avoiding a costly, embarrassing data breach. It’s about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and protects customers’ right to privacy while using the data they share to create customized, valuable experiences.

Learn how to deliver digital trust

Why Failure to Build Trust Is Risky

There are clear risks facing organizations that fail to deliver trust-inspiring digital experiences. The staggering reputational costs to brands that suffer a data breach underline how easily trust is broken and how difficult it can be to restore. However, even without security incidents, there could be significant consequences for brands that don’t transform the customer experience.

Customers who experience friction as part of the digital experience may choose to go elsewhere, impacting profitability. Brands that lack transparent data privacy practices could struggle to build strong customer relationships if the consumer feels that the interaction is “sketchy” or too invasive. There’s also risk for the organization: If it can’t tell the difference between legitimate customer transactions and costly fraud, it may throw up frustrating security barriers or risk loss due to account compromise or other fraudulent activities.

How to Measure Digital Trust With Business Outcomes

“Digital trust is not a method, product or service,” wrote IBM security orchestration, automation and response leader Matthew Konwiser. “It’s a philosophy that acknowledges why … businesses stay in business; their clients trust them.”

Digital trust can be measured in business outcomes. While these aspects are more complex than security metrics or compliance, they are critical. Digital trust results from a shift in how the organization approaches the customer journey, which can be measured in the following business outcomes.

Outcome No. 1: Build User Trust

Organizations should transform digital customer experiences to create a secure and seamless customer journey across digital products. This reinforces customer trust while providing internal visibility into customer behavior. Increased trust should result in greater customer loyalty and greater share of wallet.

Outcome No. 2: Drive Growth

Organizations that focus on digital trust continuously work to improve user experience and strengthen internal security safeguards. By utilizing security solutions that assess risk and only add verification when needed, there are fewer false positives and security teams can focus where needed. Automation and authentication based on risk scoring can streamline customer access and reduce workload for already over-tasked IT/security staff.

Outcome No. 3: Create Efficiency

Brands should continuously work to offer an improved user experience and strengthen internal security safeguards. Leaders at trust-driven organizations prioritize operational efficiency gains and risk reduction.

Why You Should Shift to a Trust-Focused Model

While digital trust isn’t the exclusive goal or responsibility of the security department, the CISO is a diplomat in the transformation process. At a trust-focused organization, security risk is recognized as business risk. Business leaders should actively support the need for persistent visibility into digital customer behavior, even as the cybersecurity team works to strengthen safeguards against threat actors and data privacy risks.

Trust should feel seamless for trusted customers with barriers only appearing to threat actors. Cognitive solutions and analytics can provide visibility into a customer’s movements across digital platforms and identify risks by comparing real-time data to a baseline of known threats. When an abnormal pattern of customer logins, transactions or behavior is identified, the system should automate an immediate response to further authenticate users or isolate risks.

The process of delivering digital trust is about more than security and technology, however. It’s a shift in leadership that places the customer experience at the center of digital transformation. Trust-focused organizations adopt design thinking processes to create digital products based on the customer journey and architect secure DevOps. Baked-in security offers greater assurance against risks and creates a more seamless digital experience across channels.

Empathy Is at the Core of Trust Delivery

Digital trust is a moving target, like any other strategic business goal. Your organization can’t rely on stagnant strategies to grow profitability or address risks. To build lasting customer relationships, organizations must understand that trust is a dynamic pursuit that requires agility.

Empathy toward the customer is at the core of trust delivery. As customer attitudes about privacy and behaviors shift, enterprise practices and technology must keep up with evolving data privacy threats, compliance requirements and client behaviors. The importance of trust is unlikely to diminish, but delivering trust-inspiring customer experiences requires a culture of design thinking, continuous improvement and security by default.

Read the e-book: Deliver Digital Trust

The post The Success of Your Business Depends on Digital Trust. Here Is How to Measure It appeared first on Security Intelligence.

Children’s Charity or CryptoMix? Details on This Ransomware Scam

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making a donation instead of a ransom payment. While CryptoMix has used this guise in the past, they’ve recently upped the ante by using legitimate information from crowdfunding pages for sick children to further disguise this scheme.

So, how does CryptoMix trick users into making ransom payments? First, the victim receives a ransom note containing multiple email addresses to contact for payment instructions. When the victim contacts one of the email addresses, the “Worldwide Children Charity Community” responds with a message containing the profile of a sick child and a link to the One Time Secret site. This website service allows users to share a post that can only be read once before it’s deleted. CryptoMix’s developers use One Time Secret to distribute payment instructions to the victim and explain how their contribution will be used to provide medical help to sick children. The message claims that the victim’s data will be restored, and their system will be protected from future attacks as soon as the ransom is paid. In order to encourage the victim to act quickly, the note also warns that the ransom price could double in the next 24 hours.

After the victim makes the payment, the ransomware developers send the victim a link to the decryptor. However, they continue to pretend they are an actual charity, thanking the victim for their contribution and ensuring that a sick child will soon receive medical help.

CryptoMix’s scam tactics show how ransomware developers are evolving their techniques to ensure they make a profit. As ransomware threats become stealthier and more sophisticated, it’s important for users to educate themselves on the best techniques to combat these threats. Check out the following tips to help keep your data safe from ransomware:

  • Back up your data. In order to avoid losing access to your important files, make copies of them on an external hard drive or in the cloud. In the event of a ransomware attack, you will be able to wipe your computer or device and reinstall your files from the backup. Backups can’t always prevent ransomware, but they can help mitigate the risks.
  • Never pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments.
  • Use security software. Adding an extra layer of security with a solution such as McAfee Total Protection, which includes Ransom Guard, can help protect your devices from these types of cyberthreats.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Children’s Charity or CryptoMix? Details on This Ransomware Scam appeared first on McAfee Blogs.

The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach

The threat group known as The Dark Overlord has claimed responsibility for a law firm data breach involving files allegedly related to the 9/11 terrorist attacks.

The Dark Overlord first announced on New Year’s Eve that it had stolen files belonging to Llyod’s of London, Silverstein Properties and Hiscox Syndicates Ltd., according to Motherboard. Although the group’s announcement on the Pastebin messaging service has been deleted, Motherboard confirmed the hack with Hiscox.

The stolen information reportedly includes email and voicemail messages as well as legal files such as non-disclosure strategies and expert witness testimonies.

9/11 Data Held for Ransom

In a Dec. 31 tweet, The Dark Overlord claimed it had managed to steal more than 18,000 secret documents that would provide answers about 9/11 conspiracy theories. Twitter has since suspended the group’s account.

SC Magazine reported that the law firm paid an initial ransom, but then violated terms of agreement by reporting the incident to law enforcement. The threat group is now demanding a second ransom be paid in bitcoin and said it will also sell information obtained in the breach to interested third parties on the dark web.

According to a post on Engadget, The Dark Overlord also attempted to prove it had committed the data breach by publishing nonsensitive material from other law firms as well as organizations such as the U.S. Transportation Security Administration (TSA) and Federal Aviation Authority (FAA).

How to Limit the Threat of Groups Like The Dark Overlord

This latest attack from The Dark Overlord is further proof that data breaches can not only create a PR nightmare, but also put organizations’ survival and, in some cases, national security at risk.

Unfortunately, the exact details around how The Dark Overload accessed the law firm’s network are unknown. Security experts recommend conducting a short but comprehensive 15-minute self-assessment to gauge the organization’s IT security strengths and weaknesses. The results can be benchmarked against similar firms, and security leaders can gain access to the expertise they need to keep groups like The Dark Overlord away from their data.

The post The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach appeared first on Security Intelligence.

Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces

Imagine: You just received an alert that threat actors infiltrated your network, leaked mission-critical data and posted it in publicly accessible forums on the dark web. What do you do?

As a security leader, you knew that a breach was inevitable. Your data, applications and endpoints were expanding at an alarming rate — far faster than your organization’s ability to track and control its critical assets. Still, you never imagined you’d find out about the leak via a third-party notification, or just how frightening it would be to learn that your cyber resiliency strategy was insufficient to protect customer data.

If this scenario is familiar, don’t worry — you’re not alone. Traditional approaches to asset identification and protection have failed businesses around the world and across verticals as security leaders struggle to address challenges such as lack of visibility into enterprise data, outdated risk frameworks and the mind-bending acceleration of the threat landscape. To keep pace with opportunistic bad actors looking to take advantage of these security gaps, chief information security officers (CISOs) must implement more sophisticated controls before it’s too late.

Learn more about protecting critical assets

Attack Surfaces Are Expanding Faster Than IT Awareness

With critical assets channeled between multiple clouds, on-premises systems, and multiplatform applications on both company-owned and personal endpoints, it’s no wonder security leaders are stuggling to see the full security picture. And this lack of visibility into enterprise data is more expensive than ever: The cost of a successful endpoint attack now exceeds $5 million, according to The Ponemon Institute, and the compromise rate of enterprise systems has more than doubled in the past five years, according to McKinsey & Company.

CISOs are increasingly called upon to report on security risks in business terms to the board. However, security leaders struggle to speak to invisible data risks, since not all business applications in use are known to IT security. In fact, 57 percent of CISOs said a lack of visibility into the location and protection of sensitive data is “what keeps them up most at night,” as reported by Forbes.

New Frameworks for Asset Protection

Traditional asset protection frameworks have involved time-consuming work to catalog assets, evaluate controls, assign risks and create remediation plans.

“In an increasingly digitized world, protecting everything equally is not an option,” wrote Piotr Kamiski, Chris Rezek, Wolf Richter and Marc Sorel of McKinsey & Company. “The digital business model is, however, entirely dependent on trust.”

Today’s security leaders need new frameworks to find, use and manage critical assets in an evolving enterprise security landscape. Failure to adapt to the new realities of data risk has weighty consequences. The Ponemon Institute’s “2018 Cost of a Data Breach” study, sponsored by IBM, reported an average cost of $3.86 million, a 6.4 percent increase from the previous year. The cost of noncompliance with data security and privacy standards, meanwhile, has risen 45 percent since 2011 to a staggering $14 million, according to SC Magazine. Security leaders must also consider the weightiest consequence of failure to protect sensitive data and assets: loss of consumer trust.

As the risks associated with critical assets continue to shift, a proactive response is necessary to keep up with the evolving threat landscape. The new standard for critical asset protection is a three-part framework to achieve intelligent visibility, proactive mitigation and continuous control.

Intelligent visibility means unified oversight across data, cloud networks and endpoints, with insight into the most critical risks and assets. Proactive mitigation is defined by the ability to create, apply and enforce security across endpoints, apps and data at scale. Continuous control is the ability to create security policies at scale, optimize asset protections, and comply with regulatory requirements and policies.

Smarter Security for Critical Assets: 5 Use Cases

An Aberdeen Group study sponsored by IBM revealed that best-in-class firms are 74 percent more likely than others to view asset statuses via real-time dashboards. These industry leaders are also 40 percent more likely to connect disparate systems for end-to-end control of sensitive data. Use cases for artificial intelligence (AI), cognitive computing, extensibility, automation and human intelligence demonstrate the value of a comprehensive security immune system.

1. Artificial Intelligence

The average security operations center (SOC) logs 200,000 events each day, according to IBM research. Separating false positives from significant risks is a real challenge for overworked and understaffed SOC teams.

Applied AI excels at analyzing structured and unstructured data assets to prioritize risks, classify critical assets and detect anomalies. Integrating AI solutions for testing and compliance enables DevOps to achieve privacy by default and design.

2. Cognitive Computing

Critical asset protection requires the organization to fight false positives and respond immediately to significant threats. Cognitive computing, an advanced application of AI, machine learning and deep learning networks, augments human intelligence and grows smarter with use. Organizations can automatically investigate and respond to indicators of compromise (IoCs) to reduce the workload on SOC analysts.

3. Extensibility

Even with dozens of security solutions, enterprises are struggling to achieve the integration needed for true asset transparency. Over 58 percent of IT executives recently cited a lack of infrastructure-agnostic visibility as their primary challenge, according to Security Boulevard.

By investing in a collaborative threat sharing platform, organizations can scale the capabilities of security solutions in nearly real time and exchange knowledge with a vibrant collective of partners and peers.

4. Automation

One of the most significant risks facing the enterprise is innocent and malicious insider threats. Insider-caused incidents are nearly twice as costly as the average global data breach, according to a Ponemon Institute study. There’s a need for solutions to introduce total transparency and automated action against the most critical risks. An adaptive security ecosystem of solutions can intelligently uncover insights into external and internal threats, orchestrate responses and share actionable threat intelligence.

5. People

SOC analysts must be knowledgeable to defend against evolving threats. CISOs can improve internal skill sets and outsource critical capacities by partnering with managed security services providers (MSSPs). These experts can provide training and expertise to SOC analysts while delivering endpoint and data protection services for a resilient enterprise. Offensive security partnerships can offer expert penetration testing, vulnerability analytics and threat intelligence.

Protecting Customer Trust

Unlocking the ability to find and secure critical assets with leading security solutions can enable the enterprise to achieve regulatory compliance, reduce operational costs and improve security talent retention. Most importantly, critical asset protection is a tool for securing customer trust. Trust is a currency, and solutions for data protection can provide a remarkable advantage for customer confidence.

Read the e-book: Protect Critical Assets

The post Protect Your Critical Assets in a Landscape of Expanding Attack Surfaces appeared first on Security Intelligence.

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2)

In part 1 of this retrospective, we took stock of what happened in the first 6 months of 2018 and what we had to learn in terms of cybersecurity and privacy. Now, we review the second part of the year and inventory the most relevant insights and actionable advice.

Got anything else to add? Drop us a line.

July in cybersecurity review

The bad news:

This summer was more hot than usual for health care companies, with two of them losing incredible amounts of data and funds to malware attacks.

The same SamSam ransomware that hit the city of Atlanta and caused damages upwards of $10 million encrypted the machines of LabCorp, a major lab services provider.

In Canada, CarePartners found the medical histories and contact information of 80,000 of its patients stolen in a massive data breach and held for ransom. Some of those patients even had active credit card numbers and expiry dates on file.

“The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed,” highlighted a CBS News report.

The good news:

In July, Google took us all by surprise by announcing the end of phishing. Well, at least among Google’s ranks. The company reported it completely eliminated phishing among its employees by switching to physical keys for 2-factor authentication.

google titan security key

For those who missed this news, a physical key is simply a USB device that works the same as the codes online services text you or provide for you as an extra security layer after the password. With a physical key, to log in you input your password, then connect the device and it will authenticate you instead of that code.

Takeaways:


Why are physical keys better? Well, baring the hassle of having to buy a device, they work with most services and completely eliminate hackers’ ability to hijack your SMS messages to intercept the code.
Click To Tweet


That’s an easy thing to do for them and that’s why we always recommend using a dedicated app for 2FA, not SMS-based codes. Furthermore, with physical keys, you eliminate the hassle of having to open an app every time and putting in the unique code.

August in cybersecurity review

The bad news:

August kicked off with another big profile ransomware attack. A WannaCry strain hit TSMC (Taiwan Semiconductor Manufacturing Co.), one of Apple’s biggest suppliers of components for iPhones, Apple Watches and iPads.

TSMC traced the incident to a supplier who connected an infected device to a computer, without scanning it beforehand, which caused the ransomware to spread until it took down three plants.

Oh yes, and the Alaskan borough of Matanuska-Susitna was, as this outlet put it, “cast back to the dark ages” after BitPaymer ransomware took out almost 500 workstations and 120 out of 150 servers.

If ransomware wasn’t enough, the organization was also under fire from an external attacker, which gained access to the network and deployed the Emotet banking trojan. Everything from email to phones, doors and payment systems went down, which forced employees to actually pull out typewriters and pens to write receipts by hand.

“In 35 years in the business, this is the worst I’ve seen. It’s meant to disrupt our way of life,” said Eric Wyatt, the orgs’ IT director.

The good news:

While things were pretty dire during summer’s last month, there was one great thing that happened.

Apple removed Onavo Protect, a Facebook-owned VPN, from its app store. What for? Data collection, obviously. Apple wasted no time to tell Facebook that its Onavo Protect violated the App Store Guidelines, which specifically try to stop app developers from farming user data then selling it to third parties.

Why a VPN though?

Because Onavo Protect did more than just reroute users’ traffic to a Facebook-owned website, it also “improved” its service by “analyzing your use of websites, apps, and data.” It was a ham-fisted attempt by Facebook to collect even more information from those who, in theory, care about privacy. Fortunately, Apple continued their strategy of protecting user privacy and data security in their ecosystem.

As for Google, the company allowed the Onavo Protect to be available for download.

Takeaways:

If you truly care about privacy, not just accessing region-locked services or content, do your research on the VPN provider you pick. Otherwise, you’re paying for nothing, as some VPN services actually collect your data and sell it to third parties.

We put together a few tips on this here.

September in cybersecurity review

The bad news:

Summer ended with a big headache for 380,000 British Airways customers, after the company announced that, between August 21 and September 5, booking transactions were compromised in an attack.

Basic information like names and addresses were stolen but the travelers’ problems didn’t end there, because hackers also took off with payment card details. How did this happen?

The hackers performed a cross-site scripting attack which involves them targeting an unsecured web page component and injecting malicious Javascript code to hijack personal information.

Anyone who visited the baggage claim information page had their information stolen once they eventually used the payment form.

The good news:

After what seemed like endless months of waiting for perpetrators to be caught, the US Department of Justice announced that it had finally charged one of the hackers involved in the WannaCry attack.

hs-Do-you-know-what-antivirus-vendors-do-with-your-data_A90808

The fact that the hacker in question is North Korean and belongs to an organization also blamed for the massive Sony Breach and an $81 million robbery should surprise no one.  The positive takeaway here is that authorities managed to create a damning paper trail between the individual and the North Korean government, eliminating any doubt that WannaCry was a state-sponsored attack.

“The insight into how an adversary like this works can help defenders plan on what they might be up to,” explained Ben Read, senior manager of cyberespionage analysis at FireEye in a Wired article covering the event.

Takeaways:

The old “cybersecurity is a high-stake cat and mouse game” line comes to mind. This two news from September really do put into perspective hackers’ creativity (here is how they change tactics during attacks) and the challenges of apprehending them.

October in cybersecurity review

The bad news:

October showed that old tactics still work for new attacks.

Cyrptomining malware might be a 2018 “novelty”, but fake updates and installers are old as dirt. Combine them and you get fake Adobe installers that really do install a new version of Flash but also sneak a crypto jacking script that will enslave your PC to mine for the cryptocurrency.

We explained in this piece what cryptojacking really means, how you can secure your devices against it and what you need to be aware of. If you know the basics, it’s easier to avoid even more advanced attacks.

The good news:

The best news in October comes from Google, which released an important privacy app for all Android phones made in the last 7 years.

Called Intra, the free app encrypts Domain Name System (DNS) connections on mobile and covers an important gap in privacy measures.

In the past, visiting HTTPS-only websites is essential but still not totally private, as DNS is usually unencrypted and can be hijacked in order to steal your information. For journalists and other people operating in dangerous, surveillance-heavy areas, this tool is extremely valuable, as it protects from “DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.”

Takeaways:

If you have an older smartphone running Android, Intra is a free download.

If you have a newer Android device running Android 9 Pie, you can control these settings by going to this path: Settings > Network & Internet > Advanced > Private DNS.

To avoid cryptojacking, the most basic of measures would be to either make sure you’re downloading patches and software from the official site or simply use a trusted software installer that makes sure updates are legitimate and deployed immediately.

November in cybersecurity review

The bad news:

Japan’s cybersecurity minister said point blank that he had never used a computer. He also revealed that, since the age of 25, he has “instructed” his employees and secretaries to use computers on his behalf.

Seriously-Computer-Guy-Reaction-Gif

Seeing how November 30 was Computer Security Day and security experts around the world took to social media to share helpful cybersecurity tips, we hope at least Mr. Sakurada’s employees and secretaries took note.

In any case, the incident did not do wonders for public confidence in how the Government approaches data security.

The good news:

The last few days of November saw a major, yet funny hacking incident. One user was inspired by how many unsecured printers he found using a popular security tool and decided to start a funny awareness campaign. He sent out this message to be printed on those unsecured devices and, at the same time, promote his favorite streamer with hilarious results.

 

 

Takeaways:

Cases like Japan’s questionable leadership make it even more necessary to learn cybersecurity basics yourself and protect your valuable information. Don’t have time to go hunting for that knowledge?

This quick course delivers one easily doable (and memorable!) security tip in your inbox every day, for a whole year.

We’re classifying the Pewdiepie event as good news because the hacker in question only wanted to spread awareness over insecure IoT devices.

Even better, they did it by tying into the humongous popularity of an Internet influencer, reaching a lot of people who otherwise wouldn’t have been exposed to good security practices.
With so many troublesome reports and devices hijacked for nefarious purposes, old-fashioned pranks like these seem like a breath of fresh air.

Curious to find out what can happen with insecure devices? We explained more here.

December 2018 in cybersecurity review

The bad news:

As 2018 was hurtling to the finish line, there was a massive Google+ data breach (resist the urge to roll your eyes), a massive Quora hack (another major service compromised) and bitcoin scams evolving into bomb threats (we told you hackers are creative!).

SplashData released again a list of the most common passwords in the world and how they changed compared to last year, showing just how lax users are when it comes to protecting their own devices and accounts.

  1. 123456 Unchanged
  2. password Unchanged
  3. 123456789 Up 3
  4. 12345678 Down 1
  5. 12345 Unchanged
  6. 111111 New
  7. 1234567 Up 1
  8. sunshine New
  9. qwerty Down 5
  10. iloveyou Unchanged

At least two-factor authentication is more widespread nowadays, with services forcing users to rely more than a single password on, so the list above might not spell doom like in the past years. You could also smile at so many I love yous that unlock devices if you’re feeling optimistic.

However, good password practices are mandatory, so try to be a bit more creative with them or use a password manager.

The good news:

Though the weather report for security was frightful in 2018, privacy-oriented Mozilla (mother company of Firefox, one of the browsers we highly recommend) managed to send out a very valuable message to its user base and beyond.

Just in time for the holiday bonanza, when Christmas scams and other dangers multiply exponentially, Mozilla released a holiday shopping guide named “Privacy Not Included.

Not only is it useful on its own, showing the trendiest gadgets if you’re looking for a gift, but it also brings security and privacy front and center, pinpointing the IoT and smart devices insecure by design.

Takeaways:

No doubt about it, 2018 has not been an easy year, not for regular users and not for businesses.

Just how many data breaches happened?

This handy visualization tool will probably burn itself on your eyelids. Hopefully, it will also kick you into gear and consider spending a bit of time to review the information you share with services.

biggest data breaches 2018-min

This AI-powered tool can go into the legalese of privacy policies and give you a much better overview of what happens to your data.

You should also consider getting the right online security so your digital life won’t besieged by malware, cryptojacking, phishing, and other major threats.

We put together these guides for you, so take the opportunity to step into a more secure, more private 2019:

1. Here Are The Essential Security Tips To Stay Safe On Social Media

2. The Best Encrypted Messaging Apps You Should Use Today 

3. Today You’re Being Hacked – How To Choose Secure Settings

Do you have any other recommendations and tools for data privacy and security? Feel free to share below.

 

The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2) appeared first on Heimdal Security Blog.

How to Protect Three Common IoT Devices in 2019

It’s no secret – IoT devices are creeping into every facet of our daily lives. In fact, Gartner estimates there will be 20.4 Billion IoT devices by the year 2020. More devices mean greater connectivity and ease of use for their owners, but connectivity also means more opportunities for hacks. With CES 2019 kicking off this week, we turn our focus toward the year ahead, and take a look at some of the IoT devices that are particularly high-profile targets for cybercriminals: gaming systems, voice tech, routers, and smart cars.

Routers

Routers are very susceptible to attacks as they often come with factory-set passwords that many owners are unaware of or don’t know how to change, making these devices easy targets for hackers. That’s bad news, since a router is the central hub in a connected home. If a router is compromised and all of the devices share the same Wi-Fi network, then they could potentially all be exposed to an attack. How? When an IoT device talks to its connected router, the device could expose many of its internal mechanisms to the internet. If the device does not require re-authentication, hackers can easily scan for devices that have poorly implemented protocols. Then with that information, cybercriminals can exploit manufacturer missteps to execute their attacks. To help protect your router (and thus all your other devices), a best practice is to consider one with a layer of protection built-in, and be sure to use a long and complex password for your Wi-Fi network.

Gaming Systems

Over ten years ago, researchers found that many video gaming consoles were being distributed with major security issues involved with the Universal Plug and Play protocol (UPnP), a feature that allows IoT devices on a network to see each other and interact with one another. However, not much has been done to solve the problem. Through exploiting the UPnP weaknesses in gaming systems to reroute traffic over and over again, cybercriminals have been able to create “multi-purpose proxy botnets,” which they can use for a variety of purposes.  This is just the jumping-off point for malicious behavior by bad actors. With this sort of access into a gaming system, they can execute DDoS attacks, malware distribution, spamming, phishing, account takeovers, click fraud, and credit card theft. Our recent gaming survey found that 64% of respondents either have or know someone who has been directly affected by a cyberattack, which is an astonishing uptick in attacks on gamers. Considering this shift, follow our tips in the section above for routers and Wi-Fi, never use the same password twice, and be weary of what you click on.

Voice Tech

In 2018, 47.3 million adults had access to smart speakers or voice assistants, making them one of the most popular connected devices for the home. Voice-first devices can be vulnerable largely due to what we enable them to be connected with for convenience; delivery, shopping, and transportation services that leverage our credit cards. While it’s important to note that voice-first devices are most often compromised within the home by people who have regular access to your devices (such as kids) when voice recognition is not properly configured, any digital device can be vulnerable to outside attacks too if proper security is not set up. For example, these always-on, always-listening devices could be infiltrated by cybercriminals through a technique called “voice squatting.” By creating “malicious skills,” hackers have been able to trick voice assistants into continuing to listen after a user finishes speaking. In this scenario an unsuspecting person might think they’re connecting to their bank through their voice device, when unbeknownst to them, they’re giving away their personal information.  Because voice-controlled devices are frequently distributed without proper security protocol in place, they are the perfect vehicle in terms of executing a cyberattack on an unsuspecting consumer. To protect your voice assistants, make sure your Wi-Fi password is strong, and be on the lookout for suspicious activity on linked accounts.

While you can’t predict the future of IoT attacks, here are some additional tips and best practices on how to stay ahead of hackers trying to ruin your year:

  • Keep your security software up-to-date. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Pay attention to the news. With more and more information coming out around vulnerabilities and flaws, companies are more frequently sending out updates for smart cars and other IoT devices. While these should come to you automatically, be sure to pay attention to what is going on in the space of IoT security.
  • Change your device’s factory security settings. This is the single most important step to take to protect all devices. When it comes to products, many manufacturers aren’t thinking “security first.” A device may be vulnerable as soon as opening the box. By changing the factory settings you’re instantly upgrading your device’s security.
  • Use best practices for linked accounts.  For gaming systems and voice-first devices in particular, if you connect a service that leverages a credit card, protect that linked service account with strong passwords and two-factor authentication (2FA) where possible. In addition, pay attention to notification emails, especially those regarding new orders for goods or services. If you notice suspicious activity, act accordingly.
  • Setup a separate IoT network. Consider setting up a second network for your IoT devices that don’t share access to your other devices and data. Check your router manufacturer’s website to learn how. You might also consider adding in another network for guests and unsecured devices from others. Lastly, consider getting a router with built-in security features to make it easier to protect all the devices in your home from one place.
  • Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a Firewall is included to ensure that your devices are protected.
  • Up your gaming security. Just announced at CES 2019, we’re bringing a sense of security to the virtual world of video games. Get in on the action with McAfee Gamer Security, Beta, it’s free!

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post How to Protect Three Common IoT Devices in 2019 appeared first on McAfee Blogs.

Kicking off CES 2019 with New Security Solutions and Collaborations

Today, we at McAfee are announcing some exciting new security solutions and integrations at CES in Las Vegas. For those of you who are unfamiliar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies. McAfee now delivers protection to more than 500 million customers worldwide, and we understand the importance of creating new solutions for those who want to live their connected lives with confidence. To help empower our customers to do this, we’ve added to our security lineup and are working with other tech innovators who understand the importance of protecting users’ online safety.

One addition to our lineup of security solutions is McAfee Gamer Security. In a recent gaming survey, we discovered that 75% of gamers are worried about the security of gaming as online threats continue to rise. To help combat these threats, we developed McAfee Gamer Security, which protects gamers while optimizing their gaming experience. Some of the product’s key features include Game Mode, a gamer-centric interface, and minimal security resource consumption. These features help optimize gamers’ computing resources, provide system status updates, and equip users with lightweight security protection.

In addition to our latest product advancements, we’ve also teamed up with other companies looking to better the cybersecurity landscape for consumers. The first is Google. In order to further simplify the process of securing today’s connected home, McAfee will provide McAfee Secure Home Platform voice commands for the Google Assistant. McAfee Secure Home Platform provides an extra layer of security to help automatically protect all of the connected devices on the user’s home network. Soon, Google Assistant users can easily manage their connected home security by just using their voice.

While it’s important to secure the connected home, it is also important to protect your mobile and IoT devices as well. According to McAfee Labs 2019 predictions, cybercriminals will leverage trusted devices like smartphones and tablets to try and access users’ IoT devices in the upcoming year. To help customers stay safeguarded from this threat, we’ve teamed up with Verizon to protect their home networks through Verizon Home Network Protection. This McAfee-powered solution helps Verizon Fios customers stay secured against malicious websites, provide parental controls, and protect all devices connected to their home network.

Furthermore, we at McAfee and Dell have teamed up to protect consumers and small businesses as they enjoy the benefits of today’s technology. To do this, we’ve expanded our collaboration to provide pre-installed McAfee software on PCs and laptops globally to both consumer and small business customers. Customers who purchase a new laptop or PC will also have the option to extend McAfee protection beyond their Dell device to their smartphones and tablets. This allows users to have a more robust security shield around all of their connected devices, creating a safer overall online experience. Dell consumer and small business customers who purchase Dell Inspiron, XPS, Vostro, and G-Series laptops will receive a 30-day or 1-year subscription. Customers who purchase Alienware, OptiPlex, Latitude, and Precision will have the option of adding a 30-day free subscription or purchasing a 1-year subscription.

Another one of our latest innovations is the addition of Cryptojacking Blocker to McAfee WebAdvisor. As we observed in our latest McAfee Labs report, coin mining malware is on the rise, growing more than  4000% in the last year. Cryptojacking Blocker helps protect users from having their devices hijacked without their knowledge or permission. The tool helps prevents websites from mining for cryptocurrency and is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

So far, CES 2019 has proven that innovation will continue to evolve, just as the cybersecurity landscape will continue to mature. By working together to improve the technology that protects connected devices, we can help users optimize their digital life without compromising their online safety.

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Kicking off CES 2019 with New Security Solutions and Collaborations appeared first on McAfee Blogs.

What CES Can Show Us About Evolving Consumer Security Needs: A Timeline

Appropriately dubbed the ‘Global Stage for Innovation,’ it’s no wonder CES showcases the most cutting-edge consumer technologies coming out in the year ahead. No topic is off the table; Attendees will learn more about connected homes, smart cities and self-driving cars, try out shiny new digital health wearables, headsets, and other connected tech, explore AI-driven technologies, and so much more.

Although events like CES showcase breakthrough technologies, interestingly, they also highlight how rapidly new technology is replaced with the next new thing. The rate at which we are treading on new ground is shifting exponentially, and what we see at CES this January might be obsolete in just a few years.

This rapidly changing technological landscape poses a significant predicament to consumers, a ‘digital dilemma’ if you will: as new technologies accelerate and IoT devices that house them progress, new challenges arise with them. This is particularly the case when it comes to security and privacy. And, just as security and products change and adapt, so do our needs and wants as consumers. Those of a teen differ from those of a parent, from those of a baby boomer, and so on. Let’s see how those needs change over time.

A Digital Life Timeline

2015: The Teen Technologist

Born in the late ‘90s, this teen is an everyday gamer, who loves to play games online with friends. They also love their smartphone, mostly for the access to social media. A teen wouldn’t necessarily be concerned with security, so having a comprehensive system built in is crucial.

2021: The Young Professional

Entering the workforce for the first time, the young professional is finally able to buy the gadgets that were once luxuries. They might have two phones; one for work and a personal device. Additionally, they are bringing more connected devices into their home, so the need for a secure home network has become obvious. They are also always on the go and having to connect to public Wi-Fi, so a Virtual Private Network (VPN) should be considered.

2032: The Concerned Parent

Fast forward almost ten years, the young professional has become a worrying parent. Their kids are spending too much time on screens. Having a way to monitor what they are doing on the internet and limit their time online is crucial, and an application that could  provide parental controls would be welcomed. Also, as they bring larger, more connected devices into the home, like smart refrigerators and thermostats, they are excited about a platform that will bake in security through a home network.

2038: The Brand Loyalists

The concerned parent has found devices they like and those they do not like. But more importantly, they have found brands they love, and they may continue to purchase from to bring the latest technology into their family’s lives. A comprehensive security system that covers all types of devices is exactly what they would need to keep a layer of protection

2045: The Unacquainted User

At this point in a digital journey, our user has stopped keeping up with trends because things have changed so much. Almost to the point where they are unwilling to learn new tech, or are untrusting of it all together. But the need to maintain their security and privacy is still top of mind –especially as cybercriminals often prey on this demographic due to being an easy target. A person like this might worry about ransomware, viruses, and identity theft along with protecting their home network.

As you can see, a person’s security and safety needs, desires, and even their devices evolve depending on the moment in which they are within their life. With so much in flux, the last thing anyone wants to think about is security – but with constantly changing technology at an all-time high, it’s safe to bet that threats will evolve to keep pace, and so should the ways in which we protect devices. For these reasons, it’s important to leverage a security partner that will keep this in mind, and will grow with not only our evolving needs, but evolving technology, too.

To learn more about consumer security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post What CES Can Show Us About Evolving Consumer Security Needs: A Timeline appeared first on McAfee Blogs.

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 1)

After a year filled with incidents, 2018 brought a host of reveals about the extent of this threat. Then, it quickly became the year of privacy concerns, after an onslaught of major data breaches and the never-ending Cambridge Analytica scandal.

We put together this timeline for a quick overview of what came before, so everyone is better equipped for 2019.

Because we don’t believe in alarmism and scaremongering just for the sake of getting a reaction, we gathered both the good and the bad news of cybersecurity.

We also included a few helpful tips to keep your digital life safe, so scroll on!

January in cybersecurity review

The bad news:

January probably marked the fever pitch of buying cryptocurrencies, as Bitcoin soared to the $20,000 mark. Unfortunately, this also started a forest fire of cyber attacks, with cryptocurrency exchanges getting hacked, users getting scammed, phishing multiplying and so on. Wherever there’s money being traded online, that’s where you’ll find malicious actors trying to turn a profit.

The crypto area proved to be particularly profitable to them and most outlets rushed to it.

hs-How-to-safely-invest-in-digital-currency_BC9917

However, the two big bads of January were Meltdown and Spectre, attacks everyone has heard about by now, as it sent security experts around the world in a full panic.

These two major vulnerabilities were discovered not in online platforms, as usual, but in Intel chips, critical components providing the processing power of most computers in the world. The aptly-named “Meltdown” could let hijackers get into higher-privileged parts in a computer’s memory. The haunting Spectre let them access data from other apps running on the machine. The worst part?

Both of these fundamental vulnerabilities were also present in processors made by companies like AMD and ARM, so they were basically in every computer.

In the following months, chipset makers released various patches and temporary fixes, which slowed down some computers by even 20%.

While news like this usually gets stuck in enthusiast circles, the whole world felt the impact of Spectre and Meltdown, as patches were issued at a breakneck pace and everyone could feel their machines slowing down.

The good news:

On the upside, Google X made the biggest announcement: the Alphabet group, Google’s mother company, debuted Chronicle, its own cybersecurity product that includes the famous VirusTotal service.

It was good news for consumers, as, with Google’s resources and data, perhaps companies would do a better job of keeping user data safe.

However, since then, we’ve not heard much on Chronicle’s cybersecurity efforts. Perhaps in 2019?

Takeaways:

You can’t do anything about flawed systems but that doesn’t mean you shouldn’t take care of yourself. If you’re thinking about investing, especially in cryptocurrencies, following these protection steps is essential.

February in cybersecurity review

The bad news:

2017 was the year of ransomware, with devastating attacks shaking healthcare, transportation, state agencies and businesses both big and small.

February kicked off with a major reveal from the US Government: the Trump administration attributed the devastating NotPetya ransomware attacks of 2017 to Russia. This announcement showed just how far cyberwarfare can go and how many innocent businesses and individuals can get in the crossfire.

hs-New-ransomware-outbreak-combines-attack-vectors-delivers_A40000

For those who weren’t quite as aware of cybersecurity or data protection back then, NotPetya was the most devastating cyber attack in history, crippling essential infrastructure, and services. The White House described said that it “quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”

Even though the White House said that “this was also a reckless and indiscriminate cyberattack that will be met with international consequences,” NotPetya and similar strains continued to show up in 2018, highlighting how unprepared businesses are for this threat.

We wrote more on the topic here and explained why traditional solutions like Antivirus are, due to their nature, simply unable to detect ransomware in time.

The good news:

The good guys took down “Infraud,” a criminal online, arresting and indicting dozens of criminals that dealt in stolen user data, malware, skimmed devices for ATMs and so on.

The criminal marketplace was one of the major Dark Web operations in history, putting to shame even the famous Silk Road. Authorities estimated that, through it, regular Internet users lost a total of up to half a billion USD.

The hackers were arrested en masse through a Homeland Security action coordinated with law enforcement in Australia, Britain, Italy, France, Kosovo, and Serbia. In the world of cybercrime, this win is not a tiny drop in a bucket but a great example of how collaboration and resource sharing can positively make an impact for everyone.

Takeaway:

For ransomware protection, you need more than a simple antivirus. This goes for regular users and doubly so for businesses so that a large-scale attack doesn’t catch so many computers lacking the essential security layers.

March in cybersecurity review

The bad news:

March definitely started off on the wrong foot, with a host of revelations giving headaches to mostly anyone connected to the internet.

First, GitHub revealed that it had survived the biggest DDoS attack ever recorded. The attack saw 1.3 terabits of traffic per second levered against GitHub servers. This time, it wasn’t a huge botnet of devices left unsecured by regular users and hijacked by attackers to do their bidding, but another type of DDoS attack that relied on querying databases responsible for website loading speed. If you want to know more about DDoS and how various attacks work, check out this in-depth explanation.

Then, just a day after the GitHub announcement, Equifax made a chilling announcement once again. Another 2.4 million people were affected by the 2017 Equifax data breach, which meant 2.4 million more people having to go through the headaches involved with credit freezing. There was also a massive UnderArmor data breach with 150 million accounts compromised but, fortunately, that only included information like usernames and emails, not passwords or other highly sensitive data.

Isn’t it concerning that you can say “fortunately only emails were stolen” nowadays, especially when discussing the data of hundreds of millions of people?

The pace of data breaches and reveals has been relentless this year, making users extremely untrusting towards major services (and for good reason!).

Oh, and not to mention that the city of Atlanta, from water management departments to police, was hit by the SamSam ransomware. This was an attack that initially cost $2.6 million to recover from, then the costs went up to $9.5 million once the extent of the damage was properly assessed, even though the ransom was only $52.000.

Just goes to show why ransomware should not be underestimated, especially for organizations that do not have the budget or the awareness required for cyber resilience. *cough, cough, healthcare*

most-common-threats-in-cyber-security

The good news:

On the upside, another major bust happened in March, when the Department of Justice indicted nine hackers for attacking over 300 universities worldwide, 144 of which were based in the UK.

The DOJ revealed that the malicious actors took off with an estimated $3 billion in intellectual property (ebooks, research, various other library resources), stealing 31 terabytes of data and selling it on Megapaper.ir and Gigapaper.ir.

How did the attacks happen? Good old spearphishing. The hackers sent off emails to university professors and other employees, tricking them into handing over their login credentials. And yes, just like with NotPetya and other major operations, these were state-sanctioned hackers.

“For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps,” said Deputy Attorney General Rosenstein.

Fortunately, as collaboration increases, cybercriminals have a tougher time taking advantage of borders to target other countries, as shown by the outcome of this massive investigation.

Another great news was that the Ghostery ad-blocker went open source, finding a better business model and focusing more on their users’ privacy.

We’re major fans of this service and the announcement couldn’t have made us happier, as Ghostery is now vetted by thousands of developers and provides a really granular control over the ads you’re seeing.

Takeaway:

Beyond using proper security shields against ransomware, to be safe you need to know what you’re up against. The best online protection is knowing how phishing and spearphishing attacks work, so learn how to spot malicious links!

April in cybersecurity review

The bad news:

April kicked off with some bad revelations for Android users. A team of security experts from Security Research Labs took to the Hack in the Box security conference to reveal their project: two years spent reverse engineering Android phones’ operating systems to demonstrate that the makers of those phones hid security patches from users.

“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” said one of the researchers, who gave an example as well. The Samsung 2016 J3 smartphone showed its owners that it had every available update installed in 2017 but skipped 12 security-critical patches. In an Android landscape filled with malicious apps and too many phishing attacks to count, this reveal certainly didn’t help to assuage fears. The researchers fortunately launched an app to check if your phone lacks critical updates, so we encourage you to use it.

Then, after the Android revelation, another bombshell dropped.

Alexa can turn into a spy device.

Security researchers from Checkmarx demonstrated an attack in which they did not have to hack Alexa to make her listen to everything the owners had to say. Essentially, they just manipulated the Alexa skills and showed just why it’s so risky to have an always-on, connected device fitted with a microphone.

Fortunately, this attack is no longer possible.

The good news:

And, in even better news for website owners worldwide (and netizens in general), in April Europol managed to finally shut down the biggest DDoS for hire website in the world.

More than 136,000 users wanting to damage had registered for webstresser.org, a malicious service that could launch junk traffic attacks to any website for as little as $19 per month. The authorities from Germany and the US stepped in and arrested the owners, taking down the site’s infrastructure as well.

Takeaways:

Be very careful with what devices you allow in your home, especially smart devices. See what can happen with unsecured devices and what you can do to prevent that.

Always keep your devices updated, from your computer to your phone or any other IoT device. Only buy devices that get updated religiously, outdated software is commonly targeted by criminals.

May in cybersecurity review

The bad news:

While Facebook was the social media platform that took the most heat this year, Twitter also had a major security incident.

In May, the chief technology officer of Twitter announced that a bug in the platform exposed user passwords internally, in plain text. While Twitter said it was unlikely criminals got their hands on those passwords, security experts urged users to change their passwords.

The good news:

On May 25, the General Data Protection Regulation (GDPR) went into effect. This was the biggest piece of legislation every passed design to protect your data and let you know exactly what happens to your information whenever you go online or download an app.

With fines of up to 20 million or up to 4% of the annual worldwide turnover (whichever sum was bigger) for those companies caught mishandling user data, GDPR promised to usher in a new age for the processing of personal data.

However, at the surface level, all that happened is that Internet users from Europe got bombarded with a thousand emails all saying “Please let us use your data from now on.”

Which obviously lead to a lot of misplaced complaining, as users were swamped by too many unwanted communications and missed the opportunity to actually see where their data went.

Like one wise netizen said, complaining about GDPR emails is like putting your fingers in your ears and going “La La La” while a police officer reads you your Miranda rights. Unfortunately, a lot of users did just that, choosing to either remain unaware or simply feeling overwhelmed by too many data breaches and Facebook revelations

Takeaways:

  1. Strong passwords are not enough. Use two-factor authentication, it’s essential to keep your accounts from being compromised.
  2. Read terms of service for the services you use and use efficient privacy tools to minimize the risk of trackers and beacons gathering your data.

June in cybersecurity review

The bad news:

And the data breaches continued all through June, with headlines showing millions of users’ being compromised.

First, the public was made aware by the existence of Exactis, a marketing and data aggregation company. How? A data breach, of course. The company exposed a database with 340 million records with phone numbers, home addresses and personal characteristics of Americans.

A security researcher spotted the unsecured database using Shodan, a common search engine and was shocked to see just how many accounts were contained in it.

Then, right when public sentiment couldn’t be more unfavorable towards Facebook, a bug in the platform made up to 14 million users’ posts public. No matter what your privacy settings and restricted lists were, every post was made available for the world to see.

But, troublesome as that incident was, it paled in comparison to the MyHeritage breach.

Fortunately, the breach for this online genealogy website only exposed email addresses and hashed passwords for 92 million users. Why fortunately? Because MyHeritage also operates MyHeritage DNA, the DNA-testing kit you can order and use at home to find out your ancestry. In the case of a compromised email or online account, you can always make another. What can you do if your DNA and medical info get out there?

If it’s just curiosity urging you to get a consumer DNA testing kit, you know what they say about that and what happens to the cat ;).

The good news:

On the bright side, June brought quite a lot of good news for your security.

hs-Do-you-know-what-antivirus-vendors-do-with-your-data_A90808

Through Operation Wire Wire, US official took down a rink of more than 70 email scammers – 42 US citizens, 29 Nigerians and 3 individuals from Poland, Mauritius, and Canada. The operation seized $2.4 million in funds and recovered more than $14 million in money scammed from unfortunate victims.

The same month, California unanimously passed the California Consumer Privacy Act of 2018, a bill built with GDPR principles in mind, designed to bring the same benefits to US residents of California.

Then, the best news of June: the Wi-Fi Alliance announced the WPA3 security protocol for Wi-Fi, which virtually eliminates the risk of dictionary attacks trying to guess your password.

Seeing how WPA2 was launched in 2018, the WPA3 update was long in the making and will go a long way into making sure Wi-Fi networks are more secure. However, the rollout will take some time, with experts estimating the end of 2019 for large-scale implementation of the protocol.

Takeaways:


This is one of the biggest security lessons of 2018: Don’t put the data you can never change about yourself into the hands of random companies.
Click To Tweet


Until WPA3 gets widely deployed, spend a few minutes to secure your Wi-Fi network and learn more about what the risks are.

And we’ll end this 2018 in cybersecurity retrospective on that happy note. Stay tuned for part two of this series, which will review what happened in the last 6 months and the lessons everyone should learn from those events.

Got anything to add? Drop us a line below.

 

The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 1) appeared first on Heimdal Security Blog.

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

12 Days of Hack-mas

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. The ways in which they exact their attacks are becoming more sophisticated and harder to detect. 2019 shows no sign of slowing down when it comes to the sophistication and multitude of cyberattacks targeted toward consumers.

Between the apps and websites we use every day, in addition to the numerous connected devices we continue to add our homes, there are a more ways than ever in which our cybersecurity can be compromised. Let’s take a look at 12 common, connected devices that are vulnerable to attacks –most of which our friends at the “Hackable?” podcast have demonstrated– and what we can do to protect what matters. This way, as we move into the new year, security is top of mind.

Connected Baby Monitors

When you have a child, security and safety fuels the majority of your thoughts. That’s why it’s terrifying to think that a baby monitor, meant to give you peace of mind, could get hacked. Our own “Hackable?” team illustrated exactly how easy it is. They performed a “man-in-the-middle” attack to intercept data from an IoT baby monitor. But the team didn’t stop there; next they overloaded the device with commands and completely crashed the system without warning a parent, potentially putting a baby in danger. If you’re a parent looking to bring baby tech into your home, always be on the lookout for updates, avoid knockoffs or brands you’re not familiar with, and change your passwords regularly.

Smart TVs

With a click of a button or by the sound of our voice, our favorite shows will play, pause, rewind ten seconds, and more – all thanks to smart TVs and streaming devices. But is there a sinister side? Turns out, there is. Some smart TVs can be controlled by cybercriminals by exploiting easy-to-find security flaws. By infecting a computer or mobile device with malware, a cybercriminal could gain control of your smart TV if your devices are using the same Wi-Fi. To prevent an attack, consider purchasing devices from mainstream brands that keep security in mind, and update associated software and apps regularly.

Home Wi-Fi Routers

Wi-Fi is the lifeblood of the 21st century; it’s become a necessity rather than a luxury. But your router is also a cybercriminal’s window into your home. Especially if you have numerous IoT devices hooked up to the same Wi-Fi, a hacker that successfully cracks into your network can get ahold of passwords and personal information, all of which can be used to gain access to your accounts, and launch spear phishing attacks against you to steal your identity or worse. Cybercriminals do this by exploiting weaknesses in your home network. To stay secure, consider a comprehensive security solution like McAfee® Secure Home Platform.

Health Devices and Apps

Digital health is set to dominate the consumer market in the next few years. Ranging from apps to hardware, the ways in which our health is being digitized varies, and so do the types of attacks that can be orchestrated. For example, on physical devices like pacemakers, malware can be implanted directly on to the device, enabling a hacker to control it remotely and inflict real harm to patients. When it comes to apps like pedometers, a hacker could source information like your physical location or regular routines.  Each of these far from benign scenarios highlight the importance of cybersecurity as the health market becomes increasingly reliant on technology and connectivity.

Smart Speakers

It seems like everyone nowadays has at least one smart speaker in their home. However, these speakers are always listening in, and if hacked, could be exploited by cybercriminals through spear phishing attacks. This can be done by spoofing actual websites which trick users into thinking that they are receiving a message from an official source. But once the user clicks on the email, they’ve just given a cybercriminal access to their home network, and by extension, all devices connected to that network too, smart speakers and all. To stay secure, start with protection on your router that extends to your network, change default passwords, and check for built-in security features.

Voice Assistants

Like smart speakers, voice assistants are always listening and, if hacked, could gain a wealth of information about you. But voice assistants are also often used as a central command hub, connecting other devices to them (including other smart speakers, smart lights or smart locks). Some people opt to connect accounts like food delivery, driver services, and shopping lists that use credit cards. If hacked, someone could gain access to your financial information or even access to your home. To keep cybercriminals out, consider a comprehensive security system, know which apps you can trust, and always keep your software up to date.

Connected Cars

Today, cars are essentially computers on wheels. Between backup cameras, video screens, GPS systems, and Wi-Fi networks, they have more electronics stacked in them than ever. The technology makes the experience smoother, but if it has a digital heartbeat, it’s hackable. In fact, an attacker can take control of your car a couple of ways; either by physically implanting a tiny device that grants access to your car through a phone, or by leveraging a black box tool and  your car’s diagnostic port completely remotely. Hacks can range anywhere from cranking the radio up to cutting the transmission or disabling the breaks. To stay secure, limit connectivity between your mobile devices and a car when possible, as phones are exposed to risks every day, and any time you connect it to your car, you put it at risk, too.

Smart Thermostats

A smart thermostat can regulate your home’s temperature and save you money by learning your preferences. But what if your friendly temperature regulator turned against you? If you don’t change your default, factory-set password and login information, a hacker could take control of your device and make it join a botnet

Connected Doorbells

When we think high-tech, the first thing that comes to mind is most likely not a doorbell. But connected doorbells are becoming more popular, especially as IoT devices are more widely adopted in our homes. So how can these devices be hacked, exactly? By sending an official-looking email that requests that a device owner download the doorbell’s app, the user unwittingly gave full access to the unwelcome guest. From there, the hackers could access call logs, the number of devices available, and even video files from past calls. Take heed from this hack; when setting up a new device, watch out for phishing emails and always make sure that an app is legitimate before you download it.

Smart Pet Cameras

We all love our furry friends and when we have to leave them behind as we head out the door. And it’s comforting to know that we can keep an eye on them, even give them the occasional treat through pet cameras. But this pet-nology can be hacked into by cybercriminals to see what’s get an inside look at your home, as proven by the “Hackable?” crew. Through a device’s app, a white-hat hacker was able to access the product’s database and was able to download photos and videos of other device owners. Talk about creepy. To keep prying eyes out of your private photos, get a comprehensive security solution for your home network and devices, avoid checking on your pet from unsecured Wi-Fi, and do your research on smart products you purchase for your pets.

Cell Phones

Mobile phones are one of the most vulnerable devices simply because they go everywhere you go. They essentially operate as a personal remote control to your digital life. In any given day, we access financial accounts, confirm doctor’s appointments and communicate with family and friends. That’s why is shocking to know how surprisingly easy it is for cybercriminals to access the treasure trove of personal data on your cell phone. Phones can be compromised a variety of ways; but here are a few: accessing your personal information by way of public Wi-Fi (say, while you’re at an airport), implanting a bug, leveraging a flaw in the operating system, or by infecting your device with malware by way of a bad link while surfing the web or browsing email.  Luckily, you can help secure your device by using comprehensive security such as McAfee Total Protection, or by leveraging a VPN (virtual private network) if you find yourself needing to use public Wi-Fi.

Virtual Reality Headsets

Once something out of a science fiction, virtual reality (VR) is now a high-tech reality for many. Surprisingly, despite being built on state of the art technology, VR is quite hackable. As an example, though common and easy-to-execute tactics like phishing to prompt someone to download malware, white-hat hackers were able to infect a linked computer and execute a command and control interface that manipulated the VR experience and disorientated the user. While this attack isn’t common yet, it could certainly start to gain traction as more VR headsets make their way into homes. To stay secure, be picky and only download software from reputable sources.

This is only the tip of the iceberg when it comes to hackable, everyday items. And while there’s absolutely no doubt that IoT devices certainly make life easier, what it all comes down to is control versus convenience. As we look toward 2019, we should ask ourselves, “what do we value more?”

Stay up-to-date on the latest trends by subscribing to our podcast, “Hackable?” and follow us on Twitter or Facebook.

The post 12 Days of Hack-mas appeared first on McAfee Blogs.

Here Are The Most Common Cyber Security Threats That Occur in The Healthcare Sector

Cyber attacks are growing at alarming rates with no signs of slowing down. Actually, a new attack can unfold right now, as we write this article.

What’s worrying is that these types of threats target almost everything and everyone from large and small organizations, to home users,  various industries and sectors.

The worst part is the impact and the damages caused. Recovering after a major cyber attack – whether it’s an organization, institution, or home user – it requires a mix of resources: time, money, qualified people, to get back on track.

The healthcare sector is no exception.

Last year, when the devastating WannaCry ransomware happened, healthcare was among the most affected sectors. The National Health Service (NHS) in England and Scotland was a prime target for cybercriminals with more than 40 NHS medical organizations and practices having their services disrupted.

Recently, the same institution unveiled details about a data breach in which confidential and sensitive data of 150,000 NHS patients have been disclosed. The incident was a result of a coding error by healthcare software supplier TPP.

According to a study from IBM Security, “healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average”.

The  2018 Thales Data Threat Report (Healthcare edition) stated that 77% of healthcare organizations have been breached, with some of the most valuable personal data about their patients and customers being exposed.

These numbers show only a part of the reality, but there’s more to discover. If these statistics and findings didn’t raise your blood pressure, let’s see find out:

Why cybercriminals target the healthcare system

Money isn’t the prime motivator for malicious actors to target patients’ records, and manipulate data in ways that will determine doctors and other medical professionals to provide wrong diagnostics for different diseases.

All the protected healthcare information is valuable and attractive for cybercriminals knowing that these sensitive data is a matter of “life and death” and they can create chaos in institutions.

In many cases, the IT infrastructure used in hospitals and other medical institutions is vulnerable, because most of the medical devices used by doctors and nurses don’t have the latest updates. Cybercriminals take advantage of software vulnerabilities, exploit them and hack hospitals, wreaking havoc.

The human nature is also vulnerable (and untrained) to spot such attacks, which lead to people getting easily lured into clicked on a malicious link or attachment send via email. Key findings from the 2018 Annual Healthcare Cybersecurity Report by Proofpoint pointed out that malicious actors “trick healthcare workers into opening an unsafe attachment, impersonate members of the executive team, instructing staff to wire money or send sensitive information.”

As we all know, in many countries, the healthcare system is viewed as critical and vital for the entire population along with electricity or transportation which makes it even more attractive to cybercriminals.

The growing number of healthcare IoT devices used by medical personnel to diagnose, monitor, and treat complicated disease cases represent another attractive target for malicious actors to exploit. After these devices are installed in a hospital, doctors and nurses don’t focus on the security and privacy aspects, but on its main purpose: to provide a better experience for patients and improve the medical workflow.

While cybersecurity, in general, isn’t a top priority for medical institutions, if all the products used are built to be “secure by default”, there will be less cyber threats to expose and compromise personal information.

Here are the main cybersecurity threats in healthcare

Any type of cyber threats can occur on a small or large scale for the healthcare sector, but what are the most frequent ones? And how can we prevent them from exposing our most valuable data?

Ransomware and advanced malware attacks 

These popular cyber threats remain lucrative for malicious actors which will continue to use it during their campaigns. Malware is a serious issue for all industries, but “ransomware exploded between Q2 and Q4 of 2017, dwarfing all other types of cyber attacks against healthcare companies combined”, said the report from Proofpoint. Also, the WannaCry ransomware is one of the best examples.

According to Verizon’s 2018 Breach Investigations report, 92 percent of malware is still delivered by email. Of all the malware attacks out there, phishing emails will continue to be a persistent threat and “plague the healthcare sector”, say security experts.

There are a few reasons why this will not be going away. One is the evolving nature of the types of emails the hackers are sending, and another is not keeping the [warnings] to employees fresh,

added Susan Lucci, Senior privacy and security consultant.

Cybercriminals will not stop turning their attention to healthcare, but they will evolve their tactics with more sophisticated and targeted attacks to steal and compromise sensitive information.

How to protect yourself:

  • Train your employees about security awareness and teach them how to easily spot phishing emails, so they are not tempted to click on suspicious links or attachments received on the email.
  • Periodically check if your main email address shows up in Have I Been Pwned or Firefox Monitor to find out if your account is part of a data breach.
  • Don’t forget to secure every login on your online accounts with the two-factor authentication system.
  • We put together this actionable guide in which you will find the safety checklist to follow and prevent ransomware attacks.
  • Carefully consider how much personal information you share on social media, and consider revise your privacy settings for each social account.

Insider threats

According to the 2018 Protected Information Data Breach Report by Verizon, healthcare is the only industry in which internal actors represent the biggest risk to an organization. Moreover, key findings show that 58% of all healthcare data breaches and security threats are caused by insiders, people who have access to healthcare resources and important data.

When these individuals perform current medical tasks in a way that negatively affect an organization or institution, a lot of damage is caused: bad image for the organization, loss of patients’ trust, possible lawsuits and others.

How to mitigate them:

  • Educate and train your employees and other persons with access to critical medical resources about the top risks associated with certain behaviors, data protection of patients, or privacy. Focus on improving employees’ cyber resilience and learn them to adopt the mindset of working with security in mind.
  • Teach employees and medical personnel to use browser add-ons and extensions and always keep them enabled on browsers.
  • Rely on technology and implement solutions that allow decision-makers to detect healthcare data breaches quickly or even prevent them.
  • When data breaches are detected, the authorized persons need to respond effectively by initiating an investigation to reduce or limit the impact.

Cryptojacking attacks

These cyber threats have been one of the most popular attacks in 2018, almost surpassing ransomware, and they’re constantly evolving. The healthcare sector is also targeted by crypto jacking attacks, as malicious actors can target a vulnerable website and inject a script. Then, unprotected visitors on that website had their computers enslaved in order to mine cryptocurrency.

Mining software can be also installed on IoT medical devices and networks, and the rule is simple: the longer your computer runs, the more cybercriminals can use it to secretly mine cryptocurrencies.

How to stay safe:

  • Use a reputable antivirus product, coupled with an anti-malware solution that periodically scans your online traffic and blocks infected websites you could access.
  • Scan your system and see if you observe unusual activities at your computer, especially an increase at the CPU usage.
  • On any browser, use an Adblocker that has can stop cryptocurrency-mining scripts. One example is uBlock but you can also use an Adblock extension for your browser.
  • Remember to always keep your systems, networks, and software patched, especially your browser which is the direct target for some malicious actors.

IoT healthcare attacks

IoT continues to evolve and still be a hot topic. The adoption of the Internet-connected medical devices has proven to have great benefits for hospitals focused on improving infrastructure and keeping employees and patients’ data secure.

However, keep in mind that there’s no such thing as 100% secure software, so the medical personnel needs to practice precaution.

New research demonstrated that “hackers can <trick> or induce medical devices into sharing detailed information about the device’s inner workings.” Moreover, malicious actors can target specific devices to get error messages, gather information to customize a potential attack to be tailored to the target device.

Most of the IoT devices and software used in hospitals aren’t checked for updates and existing vulnerabilities are immediately exploited by cybercriminals. And from here we can unfold a scenario in which an upcoming cyber attack happens.

This is why more attention to the safety aspect is required, in order to protect patients’ personal information stored on these devices.

How to protect IoT medical devices:

  • Make sure you check for updates and apply them immediately, to prevent exposing your IoT medical devices to cyber attacks;
  • Remember to always use a secure Internet network and protect this network with a unique and strong password.
  • Medical institutions need to demand from manufacturers that software products are “secure by default” or/and improve devices security.
  • To reduce the impact of these attacks, manufacturers SHOULD take security seriously and work on providing transparency about devices security.
  • Decision-makers need to be aware of the importance of protecting these devices after deployment and put all efforts into keeping patients’ personal data secure.

Healthcare supply chain attacks

The supply-chain attack involves exploiting vulnerabilities in a supply network used by specific organizations. It could be a medical institution, such as a private or public hospital which is targeted by this type of attack.

These attacks happen when cybercriminals intercept a delivery from a supplier and inject malicious code directly into the medical devices delivered, without anyone being aware of the risks. Basically, hackers look for backdoors in the systems of a trusted partner/business that provide software for medical devices.

The worst part is that these products (considered legitimate) from medical devices makers “arrive at the destination” after being injected with malware and can compromise patients personal information.

How to mitigate supply chain attacks

  • To avoid such attacks and ensure the protection of medical records, medical institutions should require all third-parties to have certification (HIPAA) and meet the standards they need to meed and be compliant.
  • Have clear terms and conditions of established business agreements with suppliers and make sure they are fully met.
  • Limit employees access to specific data which is absolutely needed to perform their daily tasks.
  • As the old saying goes, prevention is the best medicine, so it’s for the best to have a crisis management plan in place and use it accordingly.
  • In case of a supply chain attack, ensure employees are trained to follow the company’s policy and procedure and lower the impact of data breaches.

These main cybersecurity threats will challenge healthcare organizations/institutions to find the best defense and protect patients and employees the most valuable data.

It’s worth reminding that the costs of these cyber threats in healthcare are too expensive to be ignored, so organizations need to allocate wisely budget for cybersecurity, educate employees with security in mind, and know the importance of securing health data.

During an interview for DefCamp 2018, Jelena Milosevic, Pediatric nurse and Independent researcher, emphasizes the importance of building a safe and secure environment in healthcare:

“Healthcare without (basic) security is like surgery without sterile instruments / The operation was (technically) a success, but the patient died from sepsis.”

Have you applied any of these security measures? Do you have others we should add? What about the security threats targeting healthcare? What else should we include in the list? Let us know, we’d love to know your thoughts!

The post Here Are The Most Common Cyber Security Threats That Occur in The Healthcare Sector appeared first on Heimdal Security Blog.

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?

first smartphone

There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points

first smartphone

  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding first smartphoneone’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others, opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones, in general, have become a public health concern. Put family rules in place that set time limits and phone free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.

 

 

The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Affected by a Data Breach? 6 Security Steps You Should Take

It’s common for people to share their personal information with companies for multiple reasons. Whether you’re checking into a hotel room, using a credit card to make a purchase at your favorite store, or collecting rewards points at your local coffee shop, companies have more access to your data than you may think. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

A high-profile hotel and another popular consumer brand’s perks program recently experienced data breaches that exposed users’ personal information. If you think you were affected by one of these breaches, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a data breach, or just want to take extra precautions:

  • Change your password. Most people will rotate between the same three passwords for all of their personal accounts. While this makes it easier to remember your credentials, it also makes it easier for hackers to access more than one of your accounts. Try using a unique password for every one of your accounts or employ a password manager.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Update your privacy settings. Be careful with how much of your personal information you share online. Make sure your social media accounts and mobile apps are on private and use multi-factor authentication to prevent your accounts from being hacked.
  • Be vigilant about checking your accounts. If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Affected by a Data Breach? 6 Security Steps You Should Take appeared first on McAfee Blogs.

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been exponentially growing in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion are fitness trackers, namely wristband tech and smartwatch apps which monitors our daily activity and health. But as we integrate wearables devices seamlessly into our everyday lives, what are the privacy and security risks they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch to customers in return for their fitness routines and health data, the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers are sharing in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, regarding such a practice as an invasion of their privacy. 

As of May 2018, all EU citizen's privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required by all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information, they must also clearly explain what types of personal information they intend to collect, how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines by European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats

Wearable personal data is also of value to hackers and criminals, for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats.  ULa global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.

NIST’s Creation of a Privacy Framework

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware

scareware and ransomwareIt’s the middle of a workday. While researching a project, a random ad pops up on your computer screen alerting you of a virus. The scary-looking, flashing warning tells you to download an “anti-virus software” immediately. Impulsively, you do just that and download either the free or the $9.99 to get the critical download.

But here’s the catch: There’s no virus, no download needed, you’ve lost your money, and worse, you’ve shared your credit card number with a crook. Worse still, your computer screen is now frozen or sluggish as your new download (disguised malware) collects the data housed on your laptop and funnels it to a third party to be used or sold on the dark web.

Dreadful Downloads

This scenario is called scareware — a form of malware that scares users into fictitious downloads designed to gain access to your data. Scareware bombards you with flashing warnings to purchase a bogus commercial firewall, computer cleaning software, or anti-virus software. Cybercriminals are smart and package the suggested download in a way that mimics legitimate security software to dupe consumers. Don’t feel bad, a lot of intelligent people fall for scareware every day.

Sadly, a more sinister cousin to scareware is ransomware, which can unleash serious digital mayhem into your personal life or business. Ransomware scenarios vary and happen to more people than you may think.

Malicious Mayhem

What is Ransomware? Ransomware is a form of malicious software (also called malware) that is a lot more complicated than typical malware. A ransomware infection often starts with a computer user clicking on what looks like a standard email attachment only that attachment unlocks malware that will encrypt or lock computer files.

scareware and ransomware

A ransomware attack can cause incredible emotional and financial distress for individuals, businesses, or large companies or organizations. Criminals hold data ransom and demand a fee to release your files back to you. Many people think they have no choice but to pay the demanded fee. Ransomware can be large-scale such as the City of Atlanta, which is considered the largest, most expensive cyber disruption in city government to date or the WannaCry attack last year that affected some 200,000+ computers worldwide. Ransomware attacks can be aimed at any number of data-heavy targets such as labs, municipalities, banks, law firms, and hospitals.

Criminals can also get very personal with ransomware threats. Some reports of ransomware include teens and older adults receiving emails that falsely accuse them or browsing illegal websites. The notice demands payment or else the user will be exposed to everyone in his or her contact list. Many of these threats go unreported because victims are too embarrassed to do anything.

Digital Terrorists

According to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at a yearly rate of 350% and, according to Microsoft,  accounted for roughly $325 million in damages in 2015. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

Cybercriminals are fulltime digital terrorists and know that a majority of people know little or nothing about their schemes. And, unfortunately, as long as our devices are connected to a network, our data is vulnerable. But rather than living anxiously about the possibility of a scareware or ransomware attack, your family can take steps to reduce the threat.

Tips to keep your family’s data secure:

Talk about it. Education is first, and action follows. So, share information on the realities of scareware and ransomware with your family. Just discussing the threats that exist, sharing resources, and keeping the issue of cybercrime in the conversation helps everyone be more aware and ready to make wise decisions online.

Back up everything! A cybercriminal’s primary goal is to get his or her hands on your data, and either use it or sell it on the dark web (scareware) or access it and lock it down for a price (ransomware). So, back up your data every chance you get on an external hard drive or in the cloud. If a ransomware attack hits your family, you may panic about your family photos, original art, writing, or music, and other valuable content. While backing up data helps you retrieve and restore files lost in potential malware attack, it won’t keep someone from stealing what’s on your laptop.scareware and ransomware

Be careful with each click. By being aware and mindful of the links and attachments you’re clicking on can reduce your chances of malware attacks in general. However, crooks are getting sophisticated and linking ransomware to emails from seemingly friendly sources. So, if you get an unexpected email with an attachment or random link from a friend or colleague, pause before opening the email attachment. Only click on emails from a trusted source. 

Update devices.  Making sure your operating system is current is at the top of the list when it comes to guarding against malware attacks. Why? Because nearly every software update contains security improvements that help secure your computer from new threats. Better yet, go into your computer settings and schedule automatic updates. If you are a window user, immediately apply any Windows security patches that Microsoft sends you. 

Add a layer of security. It’s easy to ignore the idea of a malware attack — until one happens to you. Avoid this crisis by adding an extra layer of protection with a consumer product specifically designed to protect your home computer against malware and viruses. Once you’ve installed the software, be sure to keep it updated since new variants of malware arise all the time.

If infected: Worst case scenario, if you find yourself with a ransomware notice, immediately disconnect everything from the Internet. Hackers need an active connection to mobilize the ransomware and monitor your system. Once you disconnect from the Internet, follow these next critical steps. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

The post Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware appeared first on McAfee Blogs.

Have You Talked to Your Kids About a Career in Cybersecurity?

career in cybersecurityHere’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

Job Security

According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has put the global cybersecurity talent an estimated deficit of two million professionals.career in cybersecurity

It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward some the medical field. If they a child shows an affinity in English and communication skills, maybe a law, teaching, or media career is in their future.

But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

Cybersecurity skills/traits:

Problem-solving
Critical thinking
Flexible/creative problem solving
Collaborative, team player
Continual learner
Gaming fan
A sense of duty, justice
Persistent, determined
Works well under pressure
Curious and perceptive
Technology/tech trend fan
Verbal and written communications

Education

Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

Conversation Starters

First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices. career in cybersecurity

Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

Third, read and share takeaways from the Winning The Game a McAfee report that investigates the key challenges facing the IT Security industry and the possible teen gaming link to a successful cybersecurity career.

Additional resources*

CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

career in cybersecurityNational CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

*Resource list courtesy of Stay Safe Online.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

Working Together to Ensure Better Cybersecurity

For many, it’s hard to picture a work environment that doesn’t revolve around the use of technology. Digital, cloud-based services coupled with access through mobile and IoT devices have completely reshaped organizations by streamlining business processes and enabling people to work anywhere, anytime. Thanks to these advances, there have also been a variety of recent shifts in how employers and employees interact with each other, ranging from liberal remote work policies companies asking employees to bring their own devices to work.

Often these changes feel remarkable, efficient and convenient, as they make our work lives much more efficient – but these advancements also create concerns around cybersecurity. Many devices contain both personal and professional data , and when we take our work home or on the go with us, we’re not constantly protected by a company firewall, safe Wi-Fi, or other standard cybersecurity measures. Regardless of what industry you are in, online safety is no longer just IT’s problem. Cybersecurity is now a shared responsibility between an organization and its employees.

Naturally, these changes require education and communication around cybersecurity best practices in order to develop positive habits that will keep both employers and employees safe. Getting a habit to stick also requires an organization to develop culture of security in tandem, in which every individual and department is accountable for cybersecurity and bands together with the shared objective of staying secure.

October is National Cybersecurity Awareness Month, which is a great time to look at how everyone can be a part of the cybersecurity solution within their organization. If cybersecurity has not historically not been a priority within an organization, starting a conversation about it can be difficult, whether you’re an employee or an employer. Consider using these tips to start thinking about personal cybersecurity and how that translates into an overall cybersecurity plan within your organization.

Employers can take the following steps:

  • Identify which company assets are of greatest value, then ensure security measures are in place. Employee, customer, and payment data are all assets that cybercriminals could leverage via phishing, malware, password breaches, and denial-of-service (DoS) attacks. Begin to develop a formal cybersecurity plan based on your specific needs.
  • Set up an alert system. Put a system into place that will alert employees and your organization of an incident. This also includes an avenue for employees to report problems they might notice before they become widespread. The sooner people know about a vulnerability, the faster they can respond and take action.
  • Develop a response plan. Practice an incident response plan to contain an attack or breach. Keep in mind the goal of maintaining business operations in the short term while assessing the long-term effects of the cyber incident.

Employees can follow these guidelines:

  • Regularly update your device’s software. This is the easiest way to ensure your devices are equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Take security precautions, even if your company isn’t there yet. Professional and personal information is often intertwined on our devices – especially our mobile phones. Keep all your data secure with comprehensive mobile security, such as McAfee® Mobile Security. Then work within your organization to develop a cybersecurity plan that works for all.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post Working Together to Ensure Better Cybersecurity appeared first on McAfee Blogs.

As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack

Turns out, it’s a lot harder for a website to get blacklisted than one might think. A new study found that while the number of bot malware infected websites remained steady in Q2 of 2018, search engines like Google and Bing are only blacklisting 17 percent of infected websites they identify. The study analyzed more than six million websites with malware scanners to arrive at this figure, noting that there was also a six percent decrease in websites being blacklisted over the previous year.

Many internet users rely on these search engines to flag malicious websites and protect them as they surf the web, but this decline in blacklisting sites is leaving many users just one click away from a potential attack. This disregard of a spam attack kit on search engine results for these infected sites can lead to serious disruption, including a sharp decline in customer trust. Internet users need to be more vigilant than ever now that search engines are dropping the ball on blacklisting infected sites, especially considering that total malware went up to an all-time high in Q2, representing the second highest attack vector from 2017-2018, according to the recent McAfee Labs Threats Report.

Another unsettling finding from the report was that incidents of cryptojacking have doubled in Q2 as well, with cybercriminals continuing to carry out both new and traditional malware attacks. Cryptojacking, the method of hijacking a browser to mine cryptocurrency, saw quite a sizable resurgence in late 2017 and has continued to be a looming threat ever since. McAfee’s Blockchain Threat Report discovered that almost 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent—and that’s just from non-obfuscated sites.

And then, of course, there are just certain search terms that are more dangerous and leave you more vulnerable to malware than others. For all of you pop culture aficionados, be careful which celebrities you digitally dig up gossip around. For the twelfth year in a row, McAfee researched famous individuals to assess their online risk and which search results could expose people to malicious sites, with this year’s Most Dangerous Celebrity to search for being “Orange is the New Black’s” Ruby Rose.

So, how can internet users protect themselves when searching for the knowledge they crave online, especially considering many of the most popular search engines simply aren’t blacklisting as many bot malware infected sites as they should be? Keep these tips in mind:

  • Turn on safe search settings. Most browsers and search engines have a safe search setting that filters out any inappropriate or malicious content from showing up in search results. Other popular websites like iTunes and YouTube have a safety mode to further protect users from potential harm.
  • Update your browsers consistently. A crucial security rule of thumb is always updating your browsers whenever an update is available, as security patches are usually included with each new version. If you tend to forget to update your browser, an easy hack is to just turn on the automatic update feature.
  • Be vigilant of suspicious-looking sites. It can be challenging to successfully identify malicious sites when you’re using search engines but trusting your gut when something doesn’t look right to you is a great way of playing it safe.
  • Check a website’s safety rating. There are online search tools available that will analyze a given URL in order to ascertain whether it’s a genuinely safe site to browse or a potentially malicious one infected with bot malware and other threats.
  • Browse with security protection. Utilizing solutions like McAfee WebAdvisor, which keeps you safe from threats while you search and browse the web, or McAfee Total Protection, a comprehensive security solution that protects devices against malware and other threats, will safeguard you without impacting your browsing performance or experience.

To keep abreast of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack appeared first on McAfee Blogs.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

Identity ProtectionIt wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjusted her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage, severe distress, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSNIdentity Protection

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSN’s? Data breaches can occur at schools, pediatrician offices, banks, and home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family only, then, it’s too late. Discuss identity theft with your kids and the fallout. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2.  Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online and with the goal of gathering personal that information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.Identity Protection
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mothers’ maiden name and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  5. Know the warning signs. If a someone is using your child’s data, you may notice: 1) Pre-approved credit card offers addressed to them arriving via mail 2) Collection agencies calling and asking to speak to your child 3) Court notices regarding delinquent bills. If any of these things happen your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind go to  IdentityTheft.gov to report the crime and begin the restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

Aussie Ruby Rose is McAfee’s Most Dangerous Celebrity

Keeping up to date with celebrity gossip is a sport for many of us. Staying on top of what your favourite celebrity wore to the latest Hollywood shindig and, of course who they were with can be very time consuming and often require extensive searching! But did you know that searching for your favourite celebrity can actually put your personal security at risk?

Every year McAfee, the device-to-cloud cybersecurity company, undertakes global research, entitled Most Dangerous Celebrities, to identify which celebrities generate the riskiest search results which could potentially expose fans to malicious websites and risky downloads. And in 2018, the top spot was filled for the first time ever by an Australian celebrity: actress and television presenter Ruby Rose.

The very talented Ruby Rose kicked off her career as a hugely popular VJ (video jockey) on MTV. Before long, she went on to enjoy great success as a model, television presenter and then actress with her role as Stella Carlin in the cult series Orange Is The New Black. Ruby’s casting as Batwoman in the upcoming television series would have no doubt assisted in propelling her to first position.

Who Are the Most Dangerous Celebrities to Search For in 2018?

In the global list of Most Dangerous Celebrities, American reality TV star, Kristin Cavallari finished behind Rose at No. 2, followed by French actress Marion Cotillard (No. 3), the original Wonder Woman Lynda Carter (No. 4), Aussie actress Rose Byrne (No. 5), star of Will and Grace Debra Messing (No. 6), reality TV star Kourtney Kardashian (No. 7), actress Amber Heard (No. 8), American morning TV show host Kelly Ripa (No. 9), and finally Orange Is The New Black actor, Brad William Henke round out the top 10.

American actress Lucy Liu topped Australia’s list of the Most Dangerous Celebrities to search for. The top 10 list was littered with Aussie celebrities as well, including Naomi Watts (No. 2), Cate Blanchett (No 4.), Elle Macpherson (No.9) and Margot Robbie (No.10).

Interestingly, Aussie morning TV show host Sonya Kruger came in at number 17 on the list, a notable mention after appearing alongside other Australian TV stars, such as Carrie Bickmore and Georgie Gardiner in the recent fake Facebook ads scamming unsuspecting victims into purchasing face cream subscriptions. The recent Facebook scam demonstrates how cybercriminals capitalise on our love of celebrity when trying to trap unsuspecting consumers into scams.

Cybercriminals Capitalise on our ‘Celebrity Culture’

Online scammers and cybercriminals are always looking at new ways to get their hands on our private information with the aim of making big bucks. Tapping into our love of celebrity, cybercriminals will create professional looking websites that contain downloads which contain spyware or malware. These malicious celebrity sites may also require users to set up an account. Unsuspecting visitors will then provide their email addresses and passwords to the site not realising that their details have been compromised.

Our fast-paced modern lives mean that we often cut corners in the name of speed and convenience. Some of us are just so keen to view the promised content about our favourite celebrity that we drop our guard and don’t take the time to ensure the site is legitimate.

But not taking the time to ensure a link is safe means fans are not only putting their devices at risk of infection from viruses, but themselves at risk of identity theft.

How to Avoid Being Targeted by a Cyber Criminal

One of the best ways of staying safe online and avoiding falling victim to a scam is to adopt safe searches practices. Here are my top tips to ensure you stay out of trouble!

1. Think Before You Click

Users looking for a sneak-peek of Ruby Rose’s upcoming Batwoman series should be cautious and only download directly from a reliable source. The safest thing to do is to wait for the official release instead of visiting a third-party website that could contain malware.

2. Apply Updates as Soon as they are Available

Device and app updates will often include security fixes. Applying updates is an important step to help ensure devices stay protected.

3. Browse with Security Protection

Searching and browsing without security software is a little like navigating a foreign city with any guidelines. McAfee Total Protection is a comprehensive security solution that can help keep devices protected against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor which can help identify malicious websites – very helpful!

4. Use Parental Control Software

Kids are fans of celebrities too, so ensure that limits are set on the child’s device and use software that can help minimise exposure to potentially malicious or inappropriate websites.

Whether you celebrity watch because you are enamoured, envious or inspired, please don’t let your hobby put you at risk of identity theft. Ensure you (and your kids) search safely so you can stay out of the way of cybercrims and their scams!

Alex x

 

The post Aussie Ruby Rose is McAfee’s Most Dangerous Celebrity appeared first on McAfee Blogs.

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airlines' website and mobile app customers had their debit and credit card details lifted via a maliciously injected script.  The breach even caused BA owners, IAG, to drop in value 4%. And to compound matters, there were several claims made that the BA website wasn't PCI DSS compliant, implying if they were PCI DSS compliant, their customer's personal and payment card information would still be safe.  For further details about this breach see my blog posts; British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack, however, the FBI are investigating. 

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference App revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove, Gavin Williamson among those whose their personal information and phones numbers made available.

There was a number of large data breach fines handed out in September, Tesco Bank was hit by a whopping £16.4 by the Financial Conduct Authority (FCA), the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left their bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and in its financial crime operations team, to carry out the attack over a 48-hour period. 

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K, for not having good enough security to prevent the theft of 547,000 customer records by an employee.  Uber has paid £133m to settle legal claims to customers and drivers, as a result of trying to cover up a huge breach which occurred in 2016 from their regulators. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts, also included information about 600,000 driving license numbers. 

Looks like the MoD and GCHQ are looking to beef up Britan's Cyber Offense capabilities, announcing a plan to recruit a 2,000 strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of book and movie "Catch me if you Can".

Bristol Airport was impacted by a ransomware attack, which took down their arrival and departure screens for a couple of days, and a Scottish Brewery was also hit by ransomware attack through infected CV it had received through an online job advertisement

Europol warned of 15 ways you could become a Cyber Crime Victim, and there was an excellent article in the New York Times on the Bangladesh’s Central Bank Cyber Theft

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

#CyberAware: Will You Help Make the Internet a Safe Place for Families?

National Cyber Security Awareness MonthDon’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like believing that the police will know to stay close should we wander into a sketchy part of town. Or that our doors and windows will promptly self-lock should we forget to do so. Such a world would be ideal — and oh, so, peaceful — but it just isn’t reality. When it comes to making sure our families are safe we’ve got to be the ones to be aware, responsible, and take the needed action.

Our Shared Responsibility

This holds true in making the internet a safe place. As much as we’d like to pretend there’s a protective barrier between us and the bad guys online, there’s no single government entity that is solely responsible for securing the internet. Every individual must play his or her role in protecting their portion of cyberspace, including the devices and networks they use. And, that’s what October — National Cyber Security Awareness Month (NCSAM) — is all about.

At McAfee, we focus on these matters every day but this month especially, we are linking arms will safety organizations, bloggers, businesses, and YOU — parents, consumers, educators, and digital citizens — to zero in on ways we can all do our part to make the internet safe and secure for everyone. (Hey, sometimes the home team needs a huddle, right!?)

8 specific things you can do!

National Cyber Security Awareness Month

  1. Become a NCSAM Champion. The National Cyber Security Alliance (NCSAM) is encouraging everyone — individuals, schools, businesses, government organizations, universities — to sign up, take action, and make a difference in online safety and security. It’s free and simple to register. Once you sign up you will get an email with a toolbox packed with fun, shareable memes to post for #CyberAware October.
  2. Tap your social powers. Throughout October, share, share, share great content you discover. Use the hashtag #CyberAware, so the safety conversation reaches and inspires more people. Also, join the Twitter chat using the hashtag #ChatSTC each Thursday in October at 3 p.m., ET/Noon, PT. Learn, connect with other parents and safety pros, and chime in.National Cyber Security Awareness Month
  3. Hold a family tech talk. Be even more intentional this month. Learn and discuss suggestions from STOP. THINK. CONNECT.™ on how each family member can protect their devices and information.
  4. Print it and post it: Print out a STOP. THINK. CONNECT.™ tip sheet and display it in areas where family members spend time online.
  5. Understand and execute the basics. Information is awesome. But how much of that information do we truly put into action? Take 10 minutes to read 10 Tips to Stay Safe Online and another 10 minutes to make sure you take the time to install a firewall, strengthen your passwords, and make sure your home network as secure as it can be.National Cyber Security Awareness Month
  6. If you care — share! Send an email to friends and family informing them that October is National Cybersecurity Awareness Month and encourage them to visit staysafeonline.org for tips and resources.
  7. Turn on multi-factor authentication. Protect your financial, email and social media accounts with two-step authentication for passwords.
  8. Update, update, update! This overlooked but powerful way to shore up your devices is crucial. Update your software and turn on automatic updates to protect your home network and personal devices.

Isn’t it awesome to think that you aren’t alone in striving to keep your family’s digital life — and future — safe? A lot of people are working together during National Cyber Security Awareness Month to educate and be more proactive in blocking criminals online. Working together, no doubt, we’ll get there quicker and be able to create and enjoy a safer internet.

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blogs.

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also applies to internally developed applications, case-in-point was a publically announced flaw with Thomas Cook's booking system discovered by a Norwegian security researcher. The research used to app flaw to access the names and flights details of Thomas Cook passengers and release details on his blog. Thomas Cook said the issue has since been fixed.

Third-Third party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company, on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that is was in the region of 20,000. Interestingly Monzo also declared ending their relationship with Typeform unless it wins their trust back. Travelodge one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties design to bring tech giants to book, let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluded the government had "only limited assurance" Huawei kit posed no threat toUK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money, not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns that BT and other UK companies reliance on the Chinese manufacturer's devices, by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russia bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromise a router which gave them access to the bank's internal network, from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


NEWS

Cyber Security Roundup for May 2018

I'm sure the release of the GDPR on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation which touches EU citizen personal data. 

The GDPR's potential hefty financial penalties for breaching its requirements is firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all have received in recent weeks, on changes to company privacy statements and requesting consent, many of which I noted as not being GDPR compliant as obtaining "explicit consent" from the data subject. So there is a long way to go for many organisations before they become truly GDPR compliant state based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the GDPR privacy emails deluge, using the subject matter in their phishing attacks to cheat access to accounts and con victims.
On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by myself, aimed at helping Application Developers to develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming in force, was the release of new NHS Data Security and Protection Toolkit, aimed at the NHS and their service providers, and the European NIS Directive (for telecom providers) went under the radar, but they are significant to those working in those industries.

Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches, otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced with month, after a DNS flaw in over 800,000 Draytek Routers has allowed hackers to take them over, malware called VPNFilter has infected 500,000 routers, and serious vulnerabilities has been reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. As quite frankly any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert twitter account crossed the 10,000 follower threshold Twitter advised 300 million users to reset their passwords after internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database in their "plain text" value instead of using a hashed value for the password, as per best practice. I always strongly recommend Twitter users to take advantage and use the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.

Analysis of DDoS Attacks at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe. The LastPass Psychology of Passwords Report which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk. The 2017 Cylance Report stated the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help 
Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizen's personal data or allow EU citizens sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3  provides practical application development techniques that can alleviate an application's privacy risk.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

GDPR Material and Territorial Scopes

The new EU General Data Regulation will enter into force 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession
Cross Border Personal information
Requirements.
Personal information must be processed and stored  in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.