Category Archives: data protection

How to Overcome Cognitive Biases That Threaten Data Security

Did you know the software that powers our brains contains security flaws that need to be patched? I’m talking about cognitive biases, which are the wetware vulnerabilities that collectively constitute the single greatest threat to enterprise data security.

The Interaction Design Foundation defines cognitive bias as “an umbrella term that refers to the systematic ways in which the context and framing of information influence individuals’ judgment and decision-making.”

In other words? A cognitive bias is simply a logical error in thinking that’s as human as the enjoyment of cupcakes and rainbows. Yes, people are irrational, but irrationality is a generality. Cognitive biases, on the other hand, are specific and defined.

Cognitive Biases Put Data Security at Risk

Don’t confuse cognitive biases (which describe thought processes) with logical fallacies (which describe flaws in arguments during communication). The former is about thoughts, and the latter is about words. This is significant because cognitive bias is one of the biggest reasons why enterprise data can be made insecure. In fact, these logical errors are a significant reason why 27 percent of employees fail social engineering tests.

Social engineering is nothing more than a systematic exploitation of human cognitive biases. Successful phishing attackers, for example, know how to use cognitive biases to convince recipients to voluntarily open links that they wouldn’t click if their actions were based on perfect logic.

Here’s another example of how cognitive biases can compromise security: Let’s say a member of an organization’s computer security incident response team (CSIRT) is confronted with a new breach. Considering a list of possible causes, someone with an anchoring bias might fixate on the first possibility considered instead of the most likely one. Another person with the availability heuristic cognitive bias might consider only potential sources that happen to come to mind — rather than taking a systematic approach that considers all possibilities. Another person suffering from the Dunning-Kruger effect, a cognitive bias that causes a subject to overestimate his or her abilities, might choose to investigate and solve the issue alone rather than bringing in colleagues, consultants or specialists.

In each of these cases, the responder fails to approach the problem systematically and with reason. Instead, he or she allows cognitive biases to muddle the process — creating unnecessary cost, consuming too much time and introducing potential risk.

Given the rapidly increasing volume and frequency of cyberthreats, it’s more important than ever to address cognitive bias head-on. Investing in the right incident response platform (IRP) can go a long way toward eliminating cognitive bias-driven decision-making.

Logical Flaws Lead to Security Lapses

I’ve learned to watch out for attentional bias as a writer, which is where perception can be affected by one’s reoccurring thoughts. This bias, for example, can potentially become a security risk when it comes to writing and interpreting technical documentation related to software or hardware features.

Creators of documentation must first become extremely familiar with the issues, technologies, processes and methods they’re documenting. Because these factors are top of mind, descriptions might gloss over or omit contextual cues for readers who have a different set of ideas in mind or are less familiar with the issues at hand. In other words: What seems obvious to the writer might be a source of confusion for the reader — with neither party able to relate to the other’s point of view.

The 2018 RSA Survey of 155 IT professionals at the RSA Conference in May found that 26 percent of companies ignore security bugs because they believe they don’t have time to fix them. The problem, however, is dealing with the consequences of unfixed bugs tends to take longer than it would’ve taken to implement the initial fix in the first place.

This could be the result of a cognitive bias called hyperbolic discounting, where choices that benefit the present self are given priority over those that benefit the future self. In this context, the benefits of ignoring a bug now are given more weight than the cost of dealing with the problem later.

The survey also revealed that IT professionals deliberately ignore security holes for other reasons, including a lack of knowledge about how to proceed. This choice could be driven by the ambiguity effect cognitive bias, where a lack of information informs a decision. Because the path to troubleshooting a problem is unclear, that path is rejected.

Finally, less than half of the organizations surveyed said they patch vulnerabilities as soon as they’re known. Eight percent of respondents even reported that they apply patches just once or twice per year. This is good, old-fashioned procrastination — which, of course, is also a cognitive bias.

Understanding Biases to Reduce Human Error

Awareness about specific cognitive biases must be a core part of every security training exercise. The first step toward overcoming cognitive biases is for everyone to understand that they exist, they’re pervasive and they have a negative impact on data security. Cognitive biases are also the reason for best practices, which embody institutional learning and lessons that reduce reliance on individual thought processes.

Most importantly, security professionals must overcome the biases that enable biases. At many organizations, security specialists fail to understand the perspective of less technical users. This lack of understanding is a cognitive bias called the curse of knowledge, and it can result in false assumptions and poor communication.

But the mother of all cognitive biases is that only other people have cognitive biases. This belief is called the bias blind spot. The truth is that cognitive biases are just part of being human. I have them, you have them — and nobody is immune.

It’s important for security leaders to base their decision-making on this inescapable fact and frequently patch the wetware bug that constitutes the biggest threat to your organization’s security.

The post How to Overcome Cognitive Biases That Threaten Data Security appeared first on Security Intelligence.

UK Email Threat Firm Tessian Secures $13 Million Series A Funding

London, UK-based start-up Tessian has raised $13 million in a Series A funding round led by Balderton Capital. Existing investors Accel, Amadeus Capital Partners, Crane, LocalGlobe, Winton Ventures and Walking Ventures also participated. It brings Tessian's total funding, including initial Angel investments and seed funding, to $16.8 million.

read more

Is Your Healthcare Organization Prepared to Withstand a Data Security Breach?

The healthcare industry has long been a top target for cybercriminals. According to a 2016 study from the Ponemon Institute, 89 percent of healthcare organizations have experienced a data security breach resulting in the loss or theft of patient information.

More importantly, the cost of a data breach for healthcare is more expensive than any other vertical — and the volume of breaches is expected to increase. For example, the rate of ransomware attacks against healthcare organizations is projected to quadruple between 2017 and 2020.

So, what’s causing this massive uptick in attacks?

More Data, More Problems for Healthcare Organizations

Data proliferation is one major culprit. According to the International Data Corporation (IDC), 60 percent of healthcare applications will collect real-time location data and clinical Internet of Things (IoT) device information by 2019. What’s more, more than 40 percent of healthcare organizations around the world will use IoT-enabled biosensors in the next two years.

Another factor is low cybersecurity spend. Healthcare organizations allocate less than 6 percent of their IT budget for security, according to 2017 research from Symantec and HIMSS Analytics, which is well below the industry average.

The sheer value of healthcare data is also driving the surge in attacks against the sector. According to the FBI, electronic health records are far more valuable to cybercriminals than financial information, Reuters reported.

A Data Security Breach Has Major Consequences

Given all these factors, the impact of this skyrocketing attack volume is far-reaching across healthcare organizations and the industry overall. For example, 49 percent of healthcare executives said cybersecurity challenges create potential roadblocks when it comes to mergers and acquisitions (M&A).

The most obvious consequence of a data security breach is the cost burden. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the average compromised healthcare record costs organizations $380 — that’s three times the global average across industries. In the U.S., organizations can face steep fines for violating the Health Insurance Portability and Accountability Act (HIPAA). While the $19 million in such fines reported by the Office of Civil Rights was down slightly in 2017 from the previous year, this is still more than three times what healthcare companies paid out in 2015, according to the Telebehavioral Health Institute.

In addition to the financial cost, a healthcare data breach can negatively impact an organization’s reputation. This is particularly worrisome since more than half of patients said they would change their healthcare provider following a breach, according to a 2015 survey from TransUnion Healthcare.

Strengthening the Security Immune System

Given the healthcare industry’s vulnerability and the dire consequences of a data breach, it’s no surprise that cybersecurity spending is forecast to exceed $65 billion over the next five years, according to a 2017 report from Cybersecurity Ventures.

Data proliferation has resulted in a staggering number of false positives and logs. This requires the use of artificial intelligence (AI) to respond to attacks in real time. The security immune system strategy offers a fully integrated approach to safeguarding your business and its IT environment.

The system is centered around an AI-powered core of security orchestration and analytics tools that continuously process the many risk variables across the entire ecosystem of connected capabilities. This powerful integration helps increase visibility into hidden risks that human analysts might otherwise miss.

Is your organization prepared to withstand a data breach? Join IBM for a complimentary HIMSS webinar on June 19, 2018 at 8 p.m. EST.

Register now for the June webinar, “Healthcare Cognitive Security”

The post Is Your Healthcare Organization Prepared to Withstand a Data Security Breach? appeared first on Security Intelligence.

Apple to terminate developers who collect, sell user data without consent

Apple has updated the Legal section of its App Store rulebook to include new guidelines for members of the iOS Developer Program. iOS developers who collect or sell personal data to a third party without clear, express consent from their users will be banished from the Apple developer community, and the App Store implicitly.

Apple’s new legal terms come on the heels of the EU’s General Data Protection Regulation that kicked into gear last month, affecting any global business that collects or processes personally identifiable information (PII) of EU citizens.

The GDPR’s Data Minimization and Anonymization principles, as well as the so-called Right to Be Forgotten, oblige companies to limit the collection of personally identifiable information (PII) to the absolute minimum needed for the service or app to work properly.

In that respect, Apple is now demanding that developers adhere to a new set of data collection guidelines. Some highlights:

  • All apps must include a link to their privacy policy in an easily accessible manner
  • Explicitly identify what data, if any, the app/service collects, how it collects it, and all the uses of that data
  • Confirm that any third party with whom an app shares user data provides equal protection of user data as stated in the app’s privacy policy
  • Describe how a user can revoke consent and/or request deletion of the user’s data
  • Apps that collect user or usage data must secure user consent for the collection
  • Ensure the purpose strings clearly and completely describe the use of the data
  • Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access (i.e. don’t ask for microphone access if the app only wants to post to social media)
  • Don’t ask the user to sign up / sign in if the app doesn’t include significant account-based functionality
  • The app must include a way to revoke social network credentials and disable data access between the app and social network from within the app
  • Unless otherwise permitted by law, developers may not use, transmit, or share someone’s personal data without first obtaining their permission
  • Apps should not attempt to surreptitiously build a user profile based on collected data
  • Developers must not use information from Contacts, Photos, or other APIs that access user data to build a contact database for their own use or for sale/distribution to third parties

These are just some of the key new requirements for iOS developers doing business in the App Store. The guidelines also clarify that developers who use their apps to surreptitiously discover passwords or other private data will be removed from the Developer Program. The same goes for app sellers who share user data with third parties without obtaining clear, express consent from end users.

Enterprise Cloud Security: Is Blockchain Technology the Missing Link?

Blockchain made headlines recently as the transaction infrastructure for bitcoin and other cryptocurrencies, but this shared ledger solution is now being reimagined as a way to bridge the enterprise security gap. In fact, 60 percent of companies have already implemented (or plan to implement) blockchain technology — with 28 percent actively testing solutions and 20 percent in the discovery and evaluation phase.

But many challenges remain, including scalability and privacy. There’s still more work to do before blockchain can effectively bridge the gap from potential benefit to security baseline.

A Perceptual Shift in Blockchain Technology

The use of blockchain technology as a cryptocurrency record-keeper makes sense. Adding “blocks” of data to a public ledger in sequence helps ensure that transactions are both visible and difficult to alter (since any modification of the original ledger results in widespread mismatches). It’s an ideal combination of user privacy and security oversight: While the identity of digital wallet holders is obfuscated, transaction records are a matter of public record.

As cryptocurrency markets have cooled and (somewhat) stabilized, however, interest in blockchain as a security technology has swelled.

“While still nascent, there is promising innovation in blockchain towards helping enterprises tackle immutable cyber-risk challenges, such as digital identities and maintaining data integrity,” Ed Powers, cyber risk lead at Deloitte U.S., noted in a 2017 report.

Blockchain was also a high-profile topic at the 2018 RSA Conference in April: While some attendees argued for blockchain technology as the solution to General Data Protection Regulation (GDPR) compliance, others worried about issues like viability at scale, data integrity and provenance.

No matter the outlook, it’s clear that blockchain is undergoing a shift as enterprises look for ways to shore up cybersecurity in a market dominated by distributed cloud networks, limited visibility and huge potential consequences.

A Dearth of Blockchain Expertise

So, what’s the potential for blockchain? Demand for blockchain talent recently skyrocketed as companies look for engineers with the skills to develop new applications and services that leverage this technology, according to TechCrunch. There’s already more than $3.7 billion in initial coin offering (ICO) funding waiting for talented developers — and 14 openings for every experienced candidate.

Of course, experience is part of the problem: Blockchain simply hasn’t been around long enough for IT professionals to amass significant working knowledge. Despite supply constraints, however, demand isn’t slowing down. In fact, TechCrunch also reported on a 700 percent increase in companies looking for blockchain engineering talent since January 2017.

Some companies are leveraging blockchain itself to create new cybersecurity marketplaces where motivated white- and black-hat hackers can design antimalware tools for profit. Think of it as a way to bridge the growing cybersecurity skills gap: These hubs enable security professionals to develop antimalware tools or connect with businesses in need of security expertise. Instead of the traditional hiring and vetting process, everything is conducted via blockchain-based secure contracts. Upon completion of successful projects, security experts are paid in cryptocurrency.

More traditional use cases for blockchain leverage its inherent audit capabilities. Since all transactions added to public and private blockchains are signed and time-stamped, enterprises can quickly track down specific events or users of interest. Also, new transactions fundamentally alter the state of the blockchain ledger: Previous iterations are stored, providing companies with a complete history log that both limits the chance of data tampering and ensures all IT actions are auditable as required by emerging compliance regulations.

Build a Better Blockchain, One Link at a Time

Despite enterprise advancement in the area of blockchain, however, there’s still room for improvement. For example, there are limited enterprise use cases for this technology, since very few apps use (or benefit from) the addition of blockchain. While this will change as the market evolves, current use cases are few and far between.

In addition, while traceability is an inherent property of blockchain, data quality is not. The Deloitte report noted that “blockchain technology does not guarantee or improve data quality.” Enterprises remain responsible for ensuring the accuracy and reliability of their data before it becomes part of a shared chain ledger.

Finally, The Wall Street Journal reported that while blockchain excels at data security and trust, it may struggle with privacy. Consider the GDPR: Key components of this legislation are the right to be forgotten and the power of citizens of the European Union (EU) to request access to stored personal data from organizations at any time. The nature of blockchain, however, prohibits this kind of data grab and removal, meaning multiple blockchains might be required to comply with GDPR legislation.

The problem is that the unbroken nature of blockchain is its biggest strength — fragmenting chains reduces total security efficacy.

Enterprises are understandably interested in blockchain’s inherent benefits, such as shared ledgers and natural auditability. Alone, however, blockchain is not the missing link to cloud security. This technology must be paired with apps and services that ensure accurate data entry and reliable sourcing and can address emerging privacy issues. When it comes to enterprise security applications, blockchain holds significant promise but remains developmentally adolescent.

The post Enterprise Cloud Security: Is Blockchain Technology the Missing Link? appeared first on Security Intelligence.

Next-Gen Cybersecurity for Trucking

The transportation industry is midway through the CALSTART 2018 Cyber Truck Challenge, and Heavy Duty Trucking (HDT) has announced that the University of Tulsa (TU) is working to develop a truck cybersecurity device. Cyber

The post Next-Gen Cybersecurity for Trucking appeared first on The Cyber Security Place.

In data we trust – balancing data innovation with data protection

Data is now a part of our daily lives and businesses must show consumers that they can safeguard their data effectively. When a friend asked a 19-year old Mark Zuckerberg

The post In data we trust – balancing data innovation with data protection appeared first on The Cyber Security Place.

5.9 Million Card Details Accessed in Dixons Carphone Hack

Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating "unauthorised access to certain data held by the company." It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," and "1.2m records containing non-financi

read more

A Proposed Solution to the Password Reuse Problem

Password reuse across multiple sites creates major security risks. If an attacker can steal credentials and gain access to one account, he or she can also log into every other account that uses the same password. The threat doesn’t just apply to individuals, however. Employees using the same passwords at home and work put the entire enterprise at risk.

Facebook CEO Alex Stamos believes password reuse is the top cause of harm on the internet, according to CNET. When it comes to defending crown jewels against nefarious actors, passwords are a weak link.

The average individual has 150 online accounts protected by passwords, Dashlane reported in 2017. Combine that number with the fact that anywhere from 75 to 93 percent of users reuse passwords across multiple sites, according to a range of surveys conducted over the years, and the gravity of the issue becomes difficult to deny.

A New Approach to the Password Reuse Problem

In an effort to stamp out the bad habit of password reuse, two members of the computer science department at the University of North Carolina (UNC) at Chapel Hill proposed a new framework that would enable major web services to coordinate to ensure users don’t use the same passwords.

The authors considered the reality that a framework for password reuse is fraught with risks to users’ security and privacy. However, they asserted that technology can lend a solution to the problem and encouraged thought leaders to consider the benefits of a framework that “enables a server at which a user is setting a password, here called a requester, to ask of other websites, here called responders, whether the user has set a similar password at any of them.”

Neither website would have access to information that reveals the password itself, according to the proposal. The websites would only receive information alerting them to the similarities in the user’s passwords.

Consider single sign-on (SSO) technology, which allows a user to log into one application through his or her LinkedIn or Facebook account. Conceptually, the two websites are sharing information about the user — except, in this case, it’s in lieu of a password. The authors noted that SSO solutions mitigate the problem of password reuse by eliminating the need to create new login credentials.

A Flimsy Framework?

Best practices for cyber hygiene already call for users to create unique passwords for each site, so let’s imagine a scenario in which the proposed framework is implemented. Would behaviors really change?

Rishi Bhargava, co-founder of security operations provider Demisto, said that if sites were to start coordinating under this plan, they could do little more than perhaps alert users to instances of password reuse. If this happens across multiple sites, a user might grow so annoyed that he or she would start using a password manager or modify each password by one character. In other words, the framework would achieve very little.

Still, the likelihood of financial and retail sites going along with the proposal is slim, but the framework is just one of a number of efforts to better secure sites. Organizations and individuals should continue to use two-factor authentication (2FA), but it’s also critical to augment user training.

2FA and Biometrics Provide a More Practical Solution

From a security perspective, the issue is about whether passwords are keeping users safe online. Cybercriminals can use stolen credentials to gain access to multiple sites, so the proposal is a step in the right direction to some degree.

However, the framework has several issues, especially in the European Union (EU), where, according to the General Data Protection Regulations (GDPR), a password hash is considered personally identifiable information (PII). Passing the hash between services could allow a man-in-the-middle (MitM) attack, but it’s also important to note that EU citizens would need to consent to this transfer.

Still, proposing that two companies with PII belonging to millions of people should share information about their passwords seems a bit like the novel “1984.” What would George Orwell say? Surely other options exist.

Depending on the software provider for tools such as business email, people can use 2FA on dozens of third-party applications. A better solution might be to call for internet services to adopt better password and privileged access integration.

The recent IBM Future of Identity Study found that consumers are increasingly embracing biometrics as a viable solution to the password problem. Users are suffering from password fatigue, which is one reason why the proposed framework doesn’t do enough to solve the password problem. Still, the study revealed that password managers and biometrics do hold promise for the future.

Listen to the podcast: Millennials, Baby Boomers and the Future of Identity

The post A Proposed Solution to the Password Reuse Problem appeared first on Security Intelligence.

GDPR: Time to Move Forward — and Keep It Going

For nearly a year now, we’ve been telling you this was coming. We did our best to prepare you for the inevitable. And now that May 25, 2018 has come and gone, I really do hope that we’ve been able to help you get ready.

Ready for what? Unless you’ve been living under a rock all this time, you know I’m talking about the General Data Protection Regulation — or, as we affectionately refer to it, GDPR. As of May 25, GDPR enforcement has become a reality. That means all your GDPR-related plans and processes should (ideally) be in place and every member of your team should know what they’re supposed to do and when they’re supposed to do it.

But you still need to understand that being ready is not the same thing as being done. That’s why I’d like to share some important lessons we’ve learned about GDPR readiness.

There’s No Magic Checklist

I’ve had more than one person ask me for a “complete” checklist they could use to help ensure they’d managed to get everything done. Unfortunately, there’s no such thing. Yes, you certainly could hire IBM — or some other company — to examine and evaluate all the GDPR-related work you’ve done and report back on your status. But there would still be work for you to do.

The truth is, GDPR comprises 99 articles that spell out its requirements. You need to read and familiarize yourself with all of them. Yes, I said all of them. There’s no silver bullet, no shortcut, no cheat sheet. It’s your job to identify the controls that you need to implement based on your organization’s specific situation.

Once Is Not Enough

You need to embed your processes into the very fabric of your work and, above all, you need to make sure those processes are repeatable. That may mean doing internal readiness reviews for every product or service you offer, so you can see how you’re going to keep everything going day in and day out.

It’s not possible to do that with quarterly reviews. GDPR requires considering its obligations in everything you do, making “privacy by design and by default” and “security by design and by default” mantras that you follow from now on. Think about how you’ll review new projects or develop product enhancements, and then take the necessary steps to see that GDPR is baked in. For example, IBM Security Guardium Analyzer is a software-as-a-service (SaaS) solution that can help you locate GDPR-relevant data on an ongoing basis. With it, you set up a repeatable process to identify and prioritize those databases that may be most likely to fail a GDPR audit — so you can take action to help minimize your risk.

GDPR Is a Team Sport

This may be one of the most important lessons I’ve learned as I’ve been helping organizations get themselves on track with their GDPR readiness plans over the past year. You absolutely need to include all the major stakeholders in your planning and decision-making. I’ve seen more than a few situations where implementers aren’t working with program managers, for example, or where the privacy office sets out policies that can’t readily be put into practice.

When it comes to GDPR, you shouldn’t expect to be the hero running down the field in the fourth quarter toward that winning touchdown. Because without your team, you’re going to get tackled.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

One More Thing: Remembering Adam Nelson (1965–2018)

Remembering Adam Nelson (1965-2018)

On behalf of the entire IBM GDPR team, I want to dedicate the final blog in this series to our dear friend and colleague, Adam C. Nelson, who passed away last month.

As a freshly minted attorney, Adam joined the IBM Security and Privacy Consulting Practice in 2000, where he was among the first to focus on privacy issues and ultimately contributed to three IBM patents that involved data privacy. His patents of 2006 and 2011 were woven into the IBM Total Privacy Management Framework, which our consultants still use to measure the privacy management maturity of an organization. And his Data Privacy Engine patent of 2014 applied artificial intelligence toward managing multiple privacy regulations worldwide.

In addition to writing a number of the blog posts in this series, Adam co-authored numerous papers, including “A technology perspective on worldwide privacy regulations.” A peer-reviewed paper published in the IBM Journal of Research and Development in 2009, it included a worldwide survey of privacy regulations and linked standard technologies as a method of compliance. And it explained the legal aspects of regulations in a way that nonlawyer technologists could understand.

Although he left IBM and came back twice, Adam returned each time with newly developed skill sets. Most recently, he took charge of the IBM International Privacy Consulting Practice. In that role, he evangelized privacy, collaborating with me on developing numerous GDPR-focused assets, including the IBM GDPR Framework and GDPR Readiness Assessment.

Adam was a great colleague and a wonderful individual, always willing to jump in and volunteer to help, even as he was fighting his brave three-year battle with cancer. I will never forget Adam’s great eye for detail — and our humorous debates over the definitions of words we were using as we wrote this blog series together. His impact on the way we approach privacy in this industry was tremendous — especially where GDPR is concerned. And while Adam will truly be missed, his fine work at IBM will live on.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post GDPR: Time to Move Forward — and Keep It Going appeared first on Security Intelligence.

Ransomware Recovery: Maintain Control of Your Data in the Face of an Attack

Imagine the panic and concern that hits as you look at a screen that says: “All files on your computer have been locked. Please pay the ransom within 24 hours to get the key … or else.”

From the days of ransomware being distributed on floppy disks to modern-day attacks like WannaCry and Petya spreading around the world in minutes, this may be your image of ransomware recovery. Ransomware either locks your computer or your data before demanding a fee in exchange for the supposed safe return of your critical assets.

Unfortunately, the actual costs associated with ransomware go well beyond simply paying a ransom. The disruption this form of attack causes can bring operations to a halt — affecting the organization’s bottom line, reputation and brand.

Join the Guardium Tech Talk: Encrypting Your Object Store Data Without Giving Your Keys to the CSP

Ransomware: To Err Is Human

Aside from blocking organizations from accessing their own data, cybercriminals also use ransomware to hide the delivery of other malware, steal data or simply cause business disruption. The growing sophistication and proliferation of ransomware over the past few years has led many companies to anticipate an eventual attack.

Recognizing the inevitability of a ransomware incident is a good first step toward mitigating this threat. But the reality is that organizations must immediately assess how their business has been disrupted — whether confidential or proprietary data is at risk and whether their recovery plan is sufficient — in the event of an attack.

Historically, ransomware payloads have been delivered via email attachments, malicious or hijacked websites and adware — just to name a few. But methods of ransomware deployment and execution usually have one thing in common: human intervention. Security training has helped educate users to be wary of suspicious emails from untrusted sources or unusual content, and this is a great start.

However, as more and more ransomware variants spread via broader means, it’s critical to augment ongoing user education with technical controls and processes for optimal protection. For example, it is crucial to update security patches for all operating systems and software, especially antivirus and antimalware tools, for the latest known attack vectors. It is also important to minimize and monitor system and data access permissions based on least privileged access and job functions.

Still, preventative measures can only do so much because, well, humans are human.

Known malware or vulnerabilities aren’t actually known until they are discovered, and protection is not provided until the antivirus and antimalware tools have been updated to detect these vulnerabilities. This recursive cycle of applying protection only after finding the problem requires us to think about additional methods that provide preventative protection and instant remediation in the event of an attack or infection.

As an example, let’s assume that someone (or something) has infiltrated your system or network. In an unprotected environment, data exfiltration is rudimentary once the system or network has been compromised. If the data is encrypted and unable to be decrypted without the proper authentication and authorization, however, data exfiltration is blocked even though the encrypted bits may be accessible to the attacker. This basic layer of protection gives you the peace of mind that even if malware or ransomware gets to your data, it is safe from unauthorized use or disclosure.

Make Backups, Encryption and Cloud Storage Your Priority

Even if your data is protected against theft or unauthorized disclosure, the files may still be locked by the ransomware. How can you regain access? According to an alert from the Department of Homeland Security (DHS) on ransomware and recent variants, it is critical to have a secure data backup and recovery process.

The DHS advised organizations to:

  • Implement a backup and recovery plan for all critical data;
  • Regularly test backups to limit the impact of a data breach and accelerate the recovery process; and
  • Isolate critical backups from the network for maximum protection if network-connected backups are affected by ransomware.

While having a backup and recovery strategy is considered a best practice, the enormous amount of data organizations use every day can be challenging to back up, especially on a frequent basis. However, options for backing up large quantities of data exist today in the form of cloud storage.

The cloud has emerged as a low-cost alternative for backup and archiving, especially object storage where application programming interface (API) connectivity and geographic location choices make isolating backup data from the network relatively easy and inexpensive. But cloud storage comes with its own unique challenges, particularly privacy.

With the right approach, object store dependency and privacy concerns can be alleviated. Organizations must have technical and operational processes in place that allow data to be archived in object stores but stored in a way that explicitly blocks cloud service providers (CSPs) from accessing that data. In other words, the right approach is to copy, move, back up and archive data while encrypted and to make this practice a key part of the organization’s data protection strategy.

Join the Guardium Tech Talk: Encrypting Your Object Store Data Without Giving Your Keys to the CSP

How to Simplify Ransomware Recovery

Ransomware is designed to enable cybercriminals to take command and control of your systems and business operations for quick financial gain or other malicious intent. Once a successful attack begins, you no longer have control or access to one of your organization’s most valuable assets: its data.

Conversely, the focus of ransomware recovery is all about maintaining control as efficiently and securely as possible. This necessitates making data protection with secure backup and recovery an essential part of your security processes. To align with new regulations, such as the General Data Protection Regulation (GDPR), security controls must be implemented by design and by default so that your data is protected from the time it is collected until the end of its life cycle.

Organizations need to control the who, what, when and how of systems and data that are accessed based on job function or role. This is good security hygiene at its most basic level. By using a strong, data-centric solution that combines encryption, access controls, key management and monitoring — and linking it to a secure backup strategy — organizations can narrow the attack surface for ransomware and better position organizational operations to continue in the face of an attack.

That sounds complex, but it’s not.

With emerging cloud data encryption tools that feature file and object store encryption capabilities, organizations can significantly reduce the risk and cost of ransomware with a single integrated solution that covers role-based access controls, advanced encryption, key management, access monitoring, object storage security with geographic dispersal and native backup and restores capabilities. In addition, these tools manage data protection consistently, whether you are protecting attached storage at the file or volume level or object storage via API — and regardless of whether it is on-premises, in the cloud or a hybrid environment.

Expanding on the concepts of regular backups with encryption and secure cloud storage takes the best practices of good security hygiene and adds layers of data protection, consistency, automation and control to help organizations become better prepared to weather the storm of evolving cyberthreats.

To learn how IBM Multi-Cloud Data Encryption supports ransomware recovery, join us for our upcoming webinar on June 28, 2018, “Guardium Tech Talk: Encrypting Your Object Store Data Without Giving Your Keys to the CSP.”

The post Ransomware Recovery: Maintain Control of Your Data in the Face of an Attack appeared first on Security Intelligence.

With the GDPR, companies face new era of compliance and transparency

A new Avecto survey explored IT and security’s role in helping companies achieve compliance with the new guidelines for the collection and processing of personal information of individuals within the EU. 500 IT and cybersecurity professionals in the UK, North America, and Germany were included in the study to understand familiarity with the regulation, the data protection measures in place, and the protections they added to secure personal data. Even with the GDPR going into … More

The post With the GDPR, companies face new era of compliance and transparency appeared first on Help Net Security.

Train Your Employees to Think for Themselves in Data Security

Employers have learned (the hard way) that one of the biggest security threats in the organization is their own staff. A report published by Ipswitch looks at data breach causes to find

The post Train Your Employees to Think for Themselves in Data Security appeared first on The Cyber Security Place.

How third-party risk affects your GDPR compliance

In this podcast, Darron Gibbard, Chief Technical Security Officer EMEA at Qualys, discusses third-party risk and how it affects the GDPR compliance of your organization. Here’s a transcript of the podcast for your convenience. Hello. My name is Darron Gibbard, and I am the Chief Technical Security Officer at Qualys. In this Help Net Security session today, I am going to be covering third-party risk – how does this affect your GDPR compliance? One are … More

The post How third-party risk affects your GDPR compliance appeared first on Help Net Security.

GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been)

Data is breached every single day but most of these breaches don’t make headlines. When the European Union’s General Data Protection Regulation (GDPR) came into effect May 25, 2018, many companies who

The post GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been) appeared first on The Cyber Security Place.

#CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online

Summer has officially rolled out its welcome mat. But as most parents might be thinking about slowing down, for most kids, summer is when digital device use goes into overdrive. That’s why June — which also happens to be Internet Safety Month — is a perfect time strengthen your family’s digital readiness.

Good news: This digital safety skills booster is quick and actionable. And who knows — if a few of these tips boost your family’s safety, you may have just saved summer for everyone!

4 Ways to Boost Family Safety Online 

Practice safe social. Challenge your family to reign in its social footprint by taking these specific actions: 1) Adjust privacy settings on all social networks. 2) Trim friend and follower lists. 3) Delete any personal data on social profiles such as birthdate, address, or school affiliation. 4) Edit, limit app permissions. As we’ve just seen in the headlines, the misuse of personal data is a very big deal. 5) Share with care. Routinely scrolling, liking, and commenting on social sites such as Snapchat and Instagram can give kids a false sense of security (and power). Remind tweens and teens to share responsibly. Oversharing can damage a reputation and words or images shared callously can damage other people.

Practice safe gaming. Summertime is a gamer’s heaven. Endless battles and showdowns await the dedicated. However, some digital pitfalls can quickly douse the fun. According to the National Cyber Security Alliance’s gaming tip sheet, safe gaming includes: updating gaming software, protecting devices from malware, protecting your child’s personal data, using voice chat safely, and paying close attention to content ratings.

Practice strong security. There are some steps only a parent can take to safeguard the family online. 1) Parental controls. Filtering software blocks inappropriate websites and apps as well as establishes boundaries for family tech use. 2) Comprehensive security software helps protect your PCs, tablets, and devices from viruses, malware, and identity theft. 3) Keeping your guard up. According to McAfee’s Gary Davis staying safe online also includes digital habits such as using strong passwords, boosting your network security and firewall, and being aware of the latest scams that target consumers.

Practice wise parenting. 1) Know where kids go. Know which apps your kids love and why, how they interact with others online, and how much time they spend online. 2) Unplug. Establish tech-free family activities this summer. Powering off and plugging into quality time is the most powerful way to keep your family safe online. Strong relationship empowers responsibility. 3) Be confident. As parenting expert, Dr. Meg Meeker says, parents should be parenting from a place of confidence, rather than from a place of fear. “The temptation for parents is to think that they have no control over what their child does online. This isn’t true,” says Meeker. “Parents, you are in control of your child’s technology use; it is not in control of you.”

toni page birdsong

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post #CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online appeared first on McAfee Blogs.

Shape up US businesses: GDPR will be coming stateside

Despite the significant financial penalties, US consumers have tended to look away or forgive brands in the aftermath of a breach, but recent research shows that this is no longer the case. High profile security breaches, such as the one hitting Hyatt Hotels last October, combined with the focus on privacy and personal data resulting from the Facebook case has created a more informed consumer. The majority is now demanding that brands better protect their … More

The post Shape up US businesses: GDPR will be coming stateside appeared first on Help Net Security.

Musings From a Coffee Bar: Threat Modeling Tips for Open Campus Security

Imagine you’re attending a training conference at a company whose campus is so vast and sprawling that a map is required to get from one end to the other — whether by car or foot. The physical security on this campus is sparse, and Wi-Fi access is in every building. There are a handful of badge readers on the doors, but also underground tunnels, offices without door locks and a lack of security checkpoints.

You also spy agile design spaces with intellectual property scribbled on the walls, as well as hundreds of people during lunch hour. It seems as though just about anyone could walk onto this open campus, grab a coffee — and get in a little afternoon social engineering or, at the very least, eavesdropping.

While this open campus scene is not uncommon, it’s also where threat modeling (i.e., risk identification and prioritization) comes in to play.

Creative Threat Modeling Tips

With such a massive campus, how would a team of cybersecurity professionals secure it? Chief information security officers (CISOs) shouldn’t be afraid of an open campus. Threat modeling allows internal security teams to tailor security to areas that present the greatest security risk. Sometimes, all you need is a little creative thinking to improve your cybersecurity efforts.

  • Revamp Wi-Fi: Segment Wi-Fi based on the individual buildings or by quadrant of the campus, and deploy identity and access management (IAM) in each building and for all mobile infrastructure. Provide guest Wi-Fi that runs on a set of private cloud-based servers — rather than on-premise or within the same data center server cluster on-premise.
  • Smarten up entry and exit points: Implement a facial recognition and voice recognition software in all entry and exit points. This strategy does not mean the ultimate goal is to stop every employee as they go about their workday — or the delivery man who is always dropping off packages. A better solution would be to stop visitors or individuals who are rarely seen on campus.
  • Rethink threat modeling: Perform threat modeling with a twist. Ask a team of security professionals from a security services company to walk around the campus for a week with a Raspberry Pi, a high-gain antenna or Metasploit running on a smartphone — or any of their other favorite hacker toys to see what the team finds. Use the results to build threat models for individual buildings and areas. This strategy allows internal security teams to tailor security to the areas of the campus that present the most significant security risk.
  • Employ drones: Large, sprawling campuses that take up several acres or square miles could employ drones to patrol the perimeter. Of course, the drones and associated software will have to be properly secured before use to prevent them from being hacked. A solid alternative for any company not comfortable with this scenario is to use helicopter patrols or small low-altitude remote-controlled kit airplanes.

Incorporate AI to Perform Fluid Threat Modeling

Cybersecurity threats are changing continuously. So, security responses and practices should be fluid, dynamic and adaptive — not static and rigid as they have been for last two decades.

If companies have the money to spend (and want to be exceptionally forward-thinking), their research and development team could teach artificial intelligence (AI) the concept of fluid threat modeling. Any AI would have to be trained on a wide variety of scenarios by professionals who have experience with threat modeling scenarios, such as active shooters, hostage situations, hijacking, bomb threats and the like.

Facial recognition, for example, could be incorporated into daily physical security through the use of artificially intelligent robots that greet visitors, walk the halls and engage in short conversations with employees, patrol the parking decks, escort individuals walking alone at night and so forth.

This is not to suggest that robots should replace humans outright, only that they could augment security teams that are short-staffed, overwhelmed and cannot be everywhere at once. With the growing shortage of cybersecurity professionals, there may come a day when AI is the only viable alternative to no security at all.

All of this is highly theoretical and many years away, but it could help to grab a cup of coffee and start thinking about it now — especially as security professionals, scientists and mathematicians are making history and setting technology precedence in the field of AI and autonomous systems and neural networks.

The post Musings From a Coffee Bar: Threat Modeling Tips for Open Campus Security appeared first on Security Intelligence.

SecurityWeek RSS Feed: ALTR Emerges From Stealth With Blockchain-Based Data Security Solution

Austin, Texas-based ALTR emerged from stealth mode on Wednesday with a blockchain-based data security platform and $15 million in funding.

ALTR announced the immediate availability of its product, which has been in development for nearly four years while the company operated in stealth mode.

read more



SecurityWeek RSS Feed

Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach

When we find out our favorite artist is coming to town, we immediately head to the web to snatch up a ticket to their show. This where ticket distribution services, such as Ticketmaster and TicketFly, become handy, as they allow us to easily input our information to claim a spot for the show. But as of this week, users of the latter company are unfortunately now dealing with that very information being compromised by a massive data breach. In fact, Troy Hunt, founder of “Have I Been Pwned,” discovered that a hacker posted several Ticketfly database files to a public server online.

This attack first began with an unnamed hacker informing Ticketfly of a security vulnerability and demanding a ransom of one bitcoin to reveal the flaw and help fix it. This threat was met with no response. Following which, the hacker then defaced the site, prompting the company to take it offline, and stole piles of Ticketfly customer data in the process.

In addition to a whopping 26 million email addresses, this stolen data includes users’ names, phone numbers, home and billing addresses. As of now, no financial information has been published publicly by the hacker, but he or she has threatened to post more data if they are not paid their ransom.

So, with this personal information out in the open and potentially more still to come, what can these Ticketfly customers do to ensure they protected their data? Start by following these tips:

  • Keep an eye out for sketchy emails. One way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. Though this hacker has not published financial data, that doesn’t mean he or she may not still have it on hand. Therefore, if you’re a Ticketfly user, it’s best to proactively place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Invest in an identity theft solution. With this breach, Ticketfly users may be faced with the possibility of identity theft. That’s precisely why they should leverage an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Cybercriminals Steal the Show! 26 Million Ticketfly Customers’ Data Compromised in Massive Breach appeared first on McAfee Blogs.

Virtualization-based security (VBS) memory enclaves: Data protection through isolation

The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks.

Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.

Figure 1. VBS secure memory enclaves

An enclave is an isolated region of memory within the address space of a user-mode process. This region of memory is controlled entirely by the Windows hypervisor. The hypervisor creates a logical separation between the normal world and secure world, designated by Virtual Trust Levels, VTL0 and VT1, respectively. VBS secure memory enclaves create a means for secure, attestable computation in an otherwise untrusted environment.

VBS enclaves in Microsoft SQL Server

A key technology that will leverage VBS secure memory enclaves is Microsoft SQL Server. The upcoming SQL Server secure enclave feature ensures that sensitive data stored in an SQL Server database is only decrypted and processed inside an enclave. SQL Servers use of secure enclaves allows the processing of sensitive data without exposing the data to database administrators or malware. This reduces the risk of unauthorized access and achieves separation between those who own the data (and can view it) and those who manage the data (but should have no access). To learn more about the use of secure enclaves in SQL Server, see the blog post Enabling confidential computing with Always Encrypted using enclaves.

Data protection

One of the major benefits of secure memory enclaves is data protection. Data resident in an enclave is only accessible by code running inside that enclave. This means that there is a security boundary between VTL0 and VTL1. If a process tries to read memory that is within the secure memory enclave, an invalid access exception is thrown. This happens even when a kernel-mode debugger is attached to the normal process the debugger will fail when trying to step into the enclave.

Code integrity

Code integrity is another major benefit provided by enclaves. Code loaded into an enclave is securely signed with a key; therefore, guarantees can be made about the integrity of code running within a secure memory enclave. The code running inside an enclave is incredibly restricted, but a secure memory enclave can still perform meaningful work. This includes performing computations on data that is encrypted outside the enclave but can be decrypted and evaluated in plaintext inside the enclave, without exposing the plaintext to anything other than the enclave itself. A great example of why this is useful in a multi-tenant cloud computing scenario is described in the Azure confidential computing blog post. This move allowed us to continually make significant innovations in platform security.

Attestation

Attestation is also a critical aspect of secure memory enclaves. Sensitive information, such as plaintext data or encryption keys, must only be sent to the intended enclave that must be trusted. VBS enclaves can be put into debug mode for testing but lose memory isolation. This is great for testing, but in production this impacts the security guarantees of the enclave. To ensure that a production secure enclave is never in debug mode, an attestation report is generated to state what mode the enclave is in (among various other configuration and identity parameters). This report is then verified by a trust relationship between the consumer and producer of the report.

To establish this trust, VBS enclaves can expose an enclave attestation report that is fully signed by the VBS-unique key. This can prove the relationship between the enclave and host, as well as the exact configuration of the enclave. This attestation report can be used to establish a secure channel of communication between two enclaves. In Windows this is possible simply by exchanging the report. For remote scenarios, an attestation service can use this report to establish a trust relationship between a remote enclave and a client application.

One feature that relies on secure memory enclave attestation is Windows Defender System Guard runtime attestation, which allows users to measure and attest to all interactions from the enclave to other capabilities, including areas of runtime and boot integrity.

Figure 2. Windows Defender System Guard runtime attestation

Elevating data security

There are many secure memory enclave technologies in the industry today. Each have pros and cons in capabilities. The benefit of using a VBS secure memory enclave is that there are no special hardware requirements, only that the processor supports hypervisor virtualization extensions:

Additionally, VBS enclaves do not have the same memory constraints as a hardware-based enclave, which are usually quite limited.

VBS secure memory enclaves provide hardware-rooted virtualization-based data protection and code integrity. They are leveraged for new data security capabilities, as demonstrated by Azure confidential computing and the Always Encrypted feature of Microsoft SQL Server. These are examples of the rapid innovation happening all throughout Microsoft to elevate security. This isnt the last youll hear of secure memory enclaves. As Microsoft security technologies continue to advance, we can expect secure memory enclaves to stand out in many more protection scenarios.

 

 

Maxwell Renke, Program manager, Windows

Chris Riggs, Principal Program Manager, Microsoft Offensive Security Research

 

Analyzing Your GDPR Readiness: The Core Data Protection Capabilities You Need

May 25 marked the deadline for enterprises worldwide to comply with the provisions of the General Data Protection Regulation (GDPR). The sweeping regulation from the European Union (EU) is intended to revolutionize the relationships of data holders or processors and the people associated with that data (also known as data subjects). The GDPR protects the personal data of data subjects from the EU, including citizens, visitors and noncitizen residents, regardless of where their data is being held or processed — and penalties for noncompliance can be substantial.

GDPR conformance is a challenge for many enterprises, even ones with no current EU-resident customers or employees. Companies around the world will be affected if they hire employees with EU citizenship (including dual citizenship) — or if they ever develop customer or business-partner relationships involving EU citizens or residents.

But what is one of the hardest parts of getting ready (and maintaining readiness) for the GDPR? Knowing where to start. The obligations the regulation imposes could spark changes in nearly every part of your enterprise — from customer outreach via social media and data protection to archiving transaction records.

GDPR: Why Data Protection Is Difficult

Data, including personal data, is hard to control because it’s dynamic, distributed and in demand. As data grows, changes and multiplies, keeping track of it becomes more difficult. Your business can’t stop to reexamine and classify data every time a customer record is updated. (Learn more about how to accelerate your GDPR efforts.)

In the age of big data analytics, cloud computing and mobile access, organizations can struggle to keep track of all their data sources. Data is increasingly accessible — and in increasingly complex combinations. Due to this, figuring out every place you hold the personal information of even a single EU data subject is an enormous challenge — and with hundreds or thousands of customers, a vastly bigger one.

Preparing a Five-Phase Action Plan

Finding where your enterprise holds personal data, however, is just one aspect of reaching compliance. Discovering security risks to data stores, designing business processes that minimize data exposure, operating with privacy as a central concern and employing data protection tactics, such as encryption or pseudonymization, all help.

But compliance needs to go even further.

Under the GDPR, you may need to be ready to comply with the regulation by meeting data subjects’ requests to transfer or erase information that identifies them, or by providing documentation of compliance to auditors.

You need to map out a plan to follow a five-phase approach to compliance — no matter where you are in your journey:

  1. Assess data holdings and vulnerabilities to know what data resources are affected.
  2. Design intelligent systems to help ensure compliance.
  3. Transform your business practices and operations.
  4. Operate with privacy at the forefront.
  5. Conform to legal requirements of the regulation.

For a regulation as complex as the GDPR, going at it alone can mean wasted time and uncertainty. Software tools, such as IBM Security Guardium Analyzer, can help you face these challenges with higher efficiency and accuracy, at a low cost and with minimal operational overhead — whether your data is on-premises or stored in the cloud.

Wherever you are on the road to GDPR readiness, there are steps you can take to help your enterprise find GDPR personal data, uncover risk and take action.

Read the datasheet to learn more about how Guardium Analyzer’s specific capabilities

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Analyzing Your GDPR Readiness: The Core Data Protection Capabilities You Need appeared first on Security Intelligence.

The importance of understanding your cloud application attack surface

Many of today’s available security tools have evolved over years with a focus on a specific problem, one that is static and often very slow.You’ve decided to move to the

The post The importance of understanding your cloud application attack surface appeared first on The Cyber Security Place.

McAfee Blogs: High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: A hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes technology, which means any piece of technology you own — be it a smartphone, a thermostat, or even a baby toy or monitor — is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parent’s stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind when it comes to worries. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone else could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motives for stalking your family’s activities or talking to kids in the middle of the night can prove to be a far more nefarious activity.

Tips to safeguard baby tech:

Think before you purchase. According to the tech pros, think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product potentially decrease or increase my stress? If a product connects to the wi-fi or the cloud, weight its convenience against any risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to entire wifi networks just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s password — yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to get your device used to save a little money, second-hand technology might have malware installed on it so beware.

Update software, use strong passwords. If there’s a software update alert connected to your baby tech, take the time to update immediately and be sure to choosing a password with a minimum of 16 characters and not using the same password for more than one device.

Turn off. When your devices are not on, there’s no vulnerability so, even with all the safeguards, remember to turn off devices not in use for that last layer of protection.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.



McAfee Blogs

High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: A hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes technology, which means any piece of technology you own — be it a smartphone, a thermostat, or even a baby toy or monitor — is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parent’s stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind when it comes to worries. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone else could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motives for stalking your family’s activities or talking to kids in the middle of the night can prove to be a far more nefarious activity.

Tips to safeguard baby tech:

Think before you purchase. According to the tech pros, think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product potentially decrease or increase my stress? If a product connects to the wi-fi or the cloud, weight its convenience against any risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to entire wifi networks just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s password — yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to get your device used to save a little money, second-hand technology might have malware installed on it so beware.

Update software, use strong passwords. If there’s a software update alert connected to your baby tech, take the time to update immediately and be sure to choosing a password with a minimum of 16 characters and not using the same password for more than one device.

Turn off. When your devices are not on, there’s no vulnerability so, even with all the safeguards, remember to turn off devices not in use for that last layer of protection.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.

The emergence and impact of the Data Protection Officer

According to Forrester, 80 percent of companies likely didn’t comply with the General Data Protection Regulation (GDPR) deadline, and of those, 50 percent intentionally ignored the regulation by weighing the costs and risks. Many companies either didn’t have time, are ignoring, or are unaware of the true impact of GDPR and how it not only affects systems and processes, but also staffing needs. That said, one of the lesser known mandates of the regulation is … More

The post The emergence and impact of the Data Protection Officer appeared first on Help Net Security.

May’s Cybersecurity Recap: Welcome to the GDPR Compliance Show

This month’s cybersecurity recap has a clear focus: the European Union’s General Data Protection Regulation (GDPR). Now in effect, GDPR has been a source of continuing difficulty and discussion for businesses around the world. But ready or not, the regulation has arrived and companies are now obligated to meet new data handling, disclosure and compliance standards. Here’s a look at some of the top GDPR stories published this May.

Shoring Up GDPR

While enterprises may not be fully prepared for GDPR, there’s no time like the present to gear up for potential compliance challenges. Cindy Compert, Distinguished Engineer and IBM Security’s chief technology officer (CTO) of data and security and privacy, suggests that companies can shore up their GDPR compliance outlook by considering the following:

  • Consult legal experts to determine their obligations
  • Create a cross-functional GDPR team
  • Review all privacy and customer consent policies
  • Ensure all compliance efforts can be tracked, audited and verified

WHOIS Worries

Pre-GDPR, the ICANN WHOIS database provided readily accessible information about registered domains, including owner contact information, availability and registered company. Under current interpretations of GDPR, however, access to this database will be significantly restricted for both security professionals and automated processes associated with security, making it harder for security researchers to track threat origins and discover causal links.

Privacy Problems

Even with GDPR now in force, many companies struggle to secure critical data. In fact, nearly one-quarter of all internal work folders are accessible by all employees within an organization — and almost half of companies surveyed had 1,000 or more sensitive files open to everyone on staff.

What’s more, many “ghost” users, employees who leave the company or move to a new department with different responsibilities, can still access critical files. Under GDPR compliance rules, this is a problem. Enterprises need to know who has access and demonstrate that this access meets new privacy expectations.

Addressing Insider Threats

In addition to “ghost” users, more traditional insider threats remain a critical concern for organizations. Under GDPR, however, the stakes are much higher. If staff maliciously or accidentally expose consumer information, the disclosure requirements alone could cripple corporate finances, to say nothing of assessed penalties and fines.

As a result, it’s critical to evaluate two key areas:

  • Consumer identity and access management (CIAM) solutions: CIAM tools are used to collect basic consumer information. Under GDPR, express consent is required to collect this data, along with clear descriptions of how this data will be used. In addition, consumers must have the ability to “opt out” at any time.
  • Insider threat controls: Because personal data can be found across applications, unstructured sources such as files and structured sources such as databases, insider threat controls are essential to limit the chance of a breach and ensure anyone accessing this information meets GDPR expectations. Companies must have tools in place to ensure the right people have access to personal data and remove any access that doesn’t meet GDPR compliance requirements.

Positive Outlook

Despite insider threat worries, privacy concerns and issues with WHOIS, IBM Security and the IBM Institute for Business Value’s new report, The End of the Beginning: Unleashing the Transformational Power of GDPR, found that the majority of business leaders see the new regulation as an opportunity for innovation. Eighty-three percent of business leaders agree that security and privacy are now key business differentiators and companies on the leading edge of GDPR believe it will create new opportunities for data-led business models and data monetization.

This dovetails with the findings of the IBM Cybersecurity and Privacy Research survey, conducted by The Harris Poll on behalf of IBM, which reported that 75 percent of consumers would not buy products from companies they don’t trust to properly secure their data.

Put simply? While complex and time-consuming, the shift to GDPR may drive long-term business benefits as public privacy perception shifts.

Read the full study: The End of the Beginning — Unleashing the Transformational Power of GDPR

Getting Your House in Order

Indeed, many companies see GDPR as a benefit rather than a burden. Why? Because you can’t protect what you don’t know. Companies can’t defend critical data if they don’t know where it’s located or assure regulators that systems are secure when they aren’t sure if applications are patched or hardware has been updated — and the GDPR provides ample incentive to clean house.

The result is a need for improved cybersecurity strategy. This starts with auditing corporate networks to determine what’s working, what isn’t and what needs to change.

For enterprises, GDPR offers a chance to take stock of current data-handling practices and implement changes that enhance both overall compliance and long-term ROI. While some regulations, such as the approach to WHOIS data, are still a work in progress, the GDPR compliance show puts subpar practices on notice and has the cybersecurity world watching to see what happens next.

Still on your GDPR journey? Get more actionable insights from the IBM Professionals

The post May’s Cybersecurity Recap: Welcome to the GDPR Compliance Show appeared first on Security Intelligence.

Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information

Cybercrime is often seen as a battle of good versus evil – a hacker tries to infiltrate a system while cyber defenders work hard to fend them off. Sometimes, data breaches are the work of these cybercriminals, and other times they’re caused by an actual employee of the affected company – something we like to call an insider threat. Just this past week, popular soft drink producer Coca-Cola announced that they were facing exactly that: an insider threat in the form of a former employee found carrying a personal hard drive of worker data.

So far, we know that this employee uploaded the data of their fellow coworkers onto an external hard drive, which they took with them when departing the company. According to a company representative, “the type of stolen and exposed data varies per employee.” And though there are no more known specifics around the data, we do know that this theft impacts 8,000 individual Coca-Cola employees.

As of now, Coca-Cola says it’s been working with law enforcement to dig into the details of this insider threat, but in the interim, these employees need to start taking proactive steps to protect their personal information. In order to do just that, follow these basic security tips:

  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Freeze your credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.`
  • Consider an identity theft protection solution. With their personal information floating around, these employees could be faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.


{
"metadata": {
"id": "85576554-caea-4ff0-b59a-9fa580469932",
"version": "1.0",
"ep": "ta",
"lang": "en-us",
"original-url": "https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/insider-threat-at-coca-cola-compromises-information/",
"author": "Gary Davis",
"author-page": "https://securingtomorrow.mcafee.com/author/gary-davis/",
"category": "Consumer Threat Notices",
"draft": "false",
"authordetail": "Gary Davis is Chief Consumer Security Evangelist. Through a consumer lens, he partners with internal teams to drive strategic alignment of products with the needs of the security space. Gary also provides security education to businesses and consumers by distilling complex security topics into actionable advice. Follow Gary Davis on Twitter at @garyjdavis",
"tinyimage": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/05/img_1602006167739330.jpg",
"feedimageurl": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/05/img_1602006167739330.jpg",
"pubDate": "Thur, 31 May 2018 12:35:48 +0000"
}
}

The post Insider Threat at Coca-Cola Compromises 8,000 Employees’ Information appeared first on McAfee Blogs.

Application Development GDPR Compliance Guidance

Last week IBM developerWorks released a three-part guidance series I have written to help 
Application Developers develop GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

The GDPR
The General Data Protection Regulation (GDPR) was created by the European Commission and Council to strengthen and unify Europe's data protection law, replacing the 1995 European Data Protection Directive. Although the GDPR is a European Union (EU) regulation, it applies to any organizations outside of Europe that handle the personal data of EU citizens. This includes the development of applications that are intended to process the personal information of EU citizens. Therefore, organizations that provide web applications, mobile apps, or traditional desktop applications that can indirectly process EU citizen's personal data or allow EU citizens sign in are subject to the GDPR's privacy obligations. Organizations face the prospect of powerful sanctions should applications fail to comply with the GDPR.

Part 1: A Developer's Guide to the GDPR
Part 1 summarizes the GDPR and explains how the privacy regulation impacts and applies to developing and supporting applications that are intended to be used by European Union citizens.

Part 2: Application Privacy by Design
Part 2 provides guidance for developing applications that are compliant with the European Union’s General Data Protection Regulation. 

Part 3: Minimizing Application Privacy Risk

Part 3  provides practical application development techniques that can alleviate an application's privacy risk.

Leveraging Imperva Solutions for GDPR Compliance Part II: Pseudonymization

Down to the wire- the GDPR compliance deadline is here.

It’s May 25 and the EU’s General Data Protection Regulation (GDPR) is live. As you know by now, the risk and potential costs associated with a failure to comply with the EU’s General Data Protection Regulation (GDPR) are substantial.

GDPR non-compliance penalties can be severe, and apply to any organization of any size that collects or processes personal data originating in the EU. Starting May 25, 2018, these rules will be officially enforced, which is likely causing some angst for those organizations that have been procrastinating on their readiness efforts.

However, as outlined in our first blog, Imperva data protection solutions can help organizations address key GDPR data security requirements- including sensitive data discovery and classification and monitoring. Specifically, we noted how Imperva SecureSphere and the new out-of-the-box profile for GDPR, the Data Classification Profile for GDPR.

The new functionality allows you to easily scan your databases and classify sensitive information pertinent to the GDPR Regulations- and output this information through comprehensive reporting capabilities. So, we’ve helped you understand how to easily discover and classify your information – which is a key requirement under GDPR Article 35: Data Protection and Impact Assessment. But now what?

The need for “minimizing data” and the role of pseudonymization

Once you’ve taken the necessary steps to understand your sensitive data landscape and have a full inventory of what is onsite you can now start looking at methods and technologies to help reduce the compliance impact and risk associated with the data.

In fact, the GDPR requires that organizations practice data minimization and purpose limitation. Article 32 references Security of Processing, which essentially refers to the need to implement appropriate technical and organizational security controls to protect personal data against accidental or unlawful loss, destruction, alteration, access or disclosure. So, this means that organizations can collect and use data limited to only what is necessary for a specific and defined purpose.

In practice, one key area where data minimization comes into play relates to DevOps environments. While many organizations copy production database content for use in development, testing, QA and analytics environments, it can easily run counter to this data minimization principle. In addition, the copying of data for these purposes significantly amplifies the attack surface within an organization particularly because these replicated data sources tend to be less protected than the source production environments.

While the GDPR doesn’t call out any specific technology (as technology evolves over time) to support data minimization, it does encourage “pseudonymization” of personal data.

Pseudonymization is a security technique for replacing sensitive data with realistic fictional data and generally means removing direct identifiers (names, addresses, email, etc.) associated with the data in question. In particular, pseudonymizing your data, helps facilitate processing of the data in ways beyond (but still compatible with) original collection purposes.   Pseudonymization is compatible with other key aspects of the GPDR including: data protection (privacy) by design, security requirements, and as a safeguard when processing data for scientific, historical and statistical purposes (analytics).

How Imperva supports “pseudonymization”

Imperva can help your organization provision secure pseudonymized sensitive data, thereby supporting data minimization and risk through its Imperva Camouflage data masking solution. Imperva Camouflage is an industry-recognized and highly versatile software solution that helps effectively discover, classify, and ultimately obfuscate your organization’s sensitive data through the process of data masking. This high-value process replaces real data with realistic fictional data that is functionally and statistically accurate and achieves pseudonymization and other variations of data replacement and minimization.

So, what exactly is data masking and how does it support the pseudonymization requirement? Let’s use Figure 1 below as our guide. In the original production data set, a record shows that a man named John Smith who is 65 years old has a Social Security number (SSN) of 123-21-9812. After the data masking solution is configured and deployed according to the needs of the end-users, and the requirements of GDPR- John Smith might become Tom Young who is 58 years old and has an SSN of 531-51-5279.

Figure 1: Data masking replaces original data with fictitious, realistic data and supports efficient pseudonymization

 Figure 1: Data masking replaces original data with fictitious, realistic data and supports efficient   pseudonymization

The key point here is that the solution accurately and automatically ensures that the masked data maintains the referential integrity and operational accuracy so that personal data can be securely processed for scientific, historical and statistical purposes- across ALL databases and applications. This means that for the end-user and various applications and test functions involved, the data will have all the realism of the original production copy, and all systems will be fully-functional and any necessary complex relationships will be maintained. So, not only do you have a tool purpose-built to support privacy compliance requirements such as GDPR, but one that can ensure continued improvement and security within the DevOps functions.

Implementing Pseudonymized Data for GDPR using Imperva Camouflage

So, Imperva Camouflage can provide significant value in addressing GDPR compliance support, and overall data security and DevOps support through by utilizing fine-grained classification of data and pseudonymization rules applied via the masking engine. But how do you go about making that happen?

Within the solution, a GDPR discovery and classification policy is available out of the box that allows you to quickly identify sensitive data that falls within the scope of the GDPR regulations. No customization or configuration involved. Furthermore, the detailed sensitive data inventory is easily transported from the data discovery engine (CX-Discover™) to the data masking engine (CX-Mask™) within the solution to apply the chosen and automated pseudonymization rules to your data.  The overall process is quite simple and involves the following core steps:

  1. Define your data sources– the first step involves logging into Imperva Camouflage inputting some basic connection information and appropriate credentials required to access those databases. These will be the Datasources that you wish to discover and classify.
  2. Select and run the desired search rules– Once the data source has been connected and confirmed, simply select and run the GDPR discovery policy from the Search Rule Library.
  3. Review and refine search results- reviewing the Search Results helps determine the data to be masked and allows for easy export of the information in a variety of formats for review.
  4. Export and run masking rules to pseudonymize the data- Following the completion of the classification review process, and the desired data has been approved for masking, the inventory is exported to the CX-Mask™ masking engine through an MS Excel-based Functional Masking Document, where the desired masking strategies are easily configured and applied- prior to running the project which will automatically complete the pseudonymization effort.

Let’s take a look at each of these steps in a little more detail.

  1. Defining a Datasource

When you first log in to CX-Discover, you’ll be presented with a basic (empty) dashboard view.  To create a data source including appropriate connection information:

  1. Click New Datasource in the left-hand navigation pane. The New Datasource page is displayed.
  2. Provide a name (label) for the new Datasource in the Datasource
  3. Select the Type appropriate to this Datasource (Oracle for example). CX-Discover uses the database type and related information provided on this page to connect to and communicate with the specified database via JDBC.
  4. Enter the Host on which this database resides.
  5. Provide the Port number for this database. Common JDBC port numbers include 1521 for Oracle and 1433 for Microsoft SQL Server.
  6. Provide the Username and Password for the account CX-Discover will use when searching the database. This database-level user must have the appropriate permissions on the underlying database because these permissions will determine which objects and data the search engine has access to.

  1. Selecting and Running GDPR Search Rules

Prior to searching a Datasource for sensitive data, you must specify the search rules to use. A standard library of common search rules is provided and includes the comprehensive policy specifically designed for discovering and classifying data according to the GDPR requirements. To select and run GDPR search rules:

  1. Select the GDPR search policy to run. You can view the underlying search categories by expanding the hierarchy. This search policy can also be easily tailored to fit your needs by navigating to System > Search Rules and selecting the GDPR
  2. Select the Schemas to Search to identify the scope of the search. This list is automatically populated for you or by clicking get schemas. If this list is empty, click get schemas and then refresh the page once the get schemas job completes.
  3. Click Next. (The defaults for the remaining options are appropriate for most searches. Refer to Search Rule Configuration in the online user guide for details.) The Overview Page for this Datasource is displayed.
  4. Click Search. A message indicating that the search job has been submitted is displayed. You can view the progress of the search in the Jobs Page. Once the search completes, the next step is to Review/Refine the Search Results.

3. Reviewing/Refining Search Results

A number of different options exist for viewing and refining Search Results including the capability to view results by Category, Table, Column, and Data Type.  To view the results of your GDPR search:

  1. Click Search Results in the left navigation pane to display the list of tables and columns that were identified by the search process as containing sensitive data.
  2. Click the Approve check-box to mark all of the new Search Results as approved/accepted as being accurate. This page is also used for modifying the automatically assigned Categories, Subcategories, and Masking Strategies as appropriate.
  3. Click Save to associate your edits with the underlying Data Model.
  4. Note- you also have the option to view/export various reports automatically generated reports and charts to aid in reviewing and refining of the Search Results by clicking the Reports link in the Datasource Overview page of the selected Datasource.

4. Exporting/Running Masking Rules

Now that the classification review is complete, and the inventory is ready for masking, you can easily transfer the approved Search Results (including preliminary masking strategies) in spreadsheet (MS Excel) format. This spreadsheet will serve as a starting point for pseudonymizing your data using the CX-Mask engine. This spreadsheet export is also known as a Functional Masking document (FMD).

To export and run masking rules:

  1. Click Overview in the left-hand navigation pane to display summary Connection and Search
  2. Click FMD to generate the spreadsheet. Depending on your browser settings, you may be prompted to download/save -or- it may open directly in Excel.

  1. Review the FMD in MS Excel and make any necessary adjustments to the masking configuration. The process for configuring and running the FMD is covered in more detail in the FMD User Guide.
  2. Launch the CX-Mask Power User GUI to convert the FMD into an executable masking configuration file.

  1. Navigate to Tools > Project Generator
  2. Specify the name/location of the FMD generated in the previous steps.
  3. Specify the name/location of the masking configuration (project) file to generate.
  4. Launch the masking engine via the GUI or automate it via command line execution.
  5. After launching the CX-Mask Power User GUI, open the masking configuration (project) file generated in the previous steps.

  1. Click Run in the left navigation pane. A list of masking rules (targets) is displayed in the run panel.
  2. Click Start to initiate the masking engine and apply the configured masking rules to the selected database. Status messages are displayed in the Log window and will show when the masking process has been successfully completed.

So, now that we have Pseudonymized data- what do we do with it?

Once databases that were provisioned for masking have been discovered, classified; and the various masking techniques have been applied, you’re now in a position to report on progress towards GDPR compliance, and in particular the data minimization requirements with Article 32.

From an operational standpoint, the next step in the process simply involves provisioning the now pseudonymized data copies to the DevOps target environments. Once configured, this replication process is typically automated using the existing tools already in use within the customer’s environment. It is quite likely that a single masking process can support both the analytics and application test use cases saving time and cost.

Further, while GDPR compliance is a key requirement and focus, it’s also worth noting that the use of pseudonymized data helps optimize the DevOps function by removing the risk associated with using “real” data, thereby allowing organizations to reduce overhead and processes involved with the approval of copy generation, and also enabling more users (including third parties) and access to the data to complete test and development functions more efficiently and effectively. With the sensitive data removed, the risk is eliminated, and data-driven processes are accelerated.

Further, with the help of Imperva Data Security Solutions, support for the other data security-specific Articles can also be achieved. We’ll get into those use cases and solutions in the next blog in this series.

Contact us to learn more about Imperva Camouflage, Imperva’s GDPR compliance capabilities and to explore our data security solutions in detail.

Are Ransomware Attacks Rising or Falling?

There are conflicting reports over whether or not ransomware attacks are growing. Many organizations state (quite convincingly) that it’s the most popular malware form and that ransom-related attacks have been increasing at a rapid rate over the past year.

However, other reports offer a more nuanced point of view.

What Was the Most Prevalent Malware in 2017?

According to Verizon’s most recent data, 2018 Data Breach Investigations Report, ransom attacks were the most prevalent variety of malware in 2017. The report looked at more than 50,000 incidents from all over the world. Ransomware was found in more than 700 of the incidents — and has steadily increased since Verizon started counting them explicitly in 2014.

However, the numbers may not tell the entire story. Verizon’s report shows the rapid increase in ransomware as the primary attack vector of all malware. In 2016, ransoms were used for about one-third of all malware attacks. The actual statistics show that ransom-related attacks are moving from targeting individual users to enterprise servers. This shift is the first clue about what’s happening.

The Rate of Ransomware Attacks Increases

Another dependable data source of actual incidents, Malwarebytes tracked a 90 percent increase in the number of detected ransomware attacks in 2017. Malwarebytes analyzed close to a billion malware incidents around the world — supplementing this with their own honeypot malware collection. They found that the monthly rate of ransom-related attacks increased up to 10 times the rate observed in 2016. One of the reasons for the big jump was the popularity of specific ransomware campaigns, such as WannaCry, Locky and Cerber.

This popularity could be due to “a better overall product to sell” or a “special relationship with the holders and herders of malicious spam botnets and exploit kits (the primary methods of distributing malware),” according to Malwarebytes.

Are Ransom-Related Attacks Losing Favor?

Ransom-related attacks moved from number 10 to number five on Malwarebytes’ list of most popular business-based detections. That’s a significant increase in popularity, but Malwarebytes also notes that “development of new ransomware families grew stale.” Over the last part of 2017, there has been a shift away from ransom-related attacks.

“With ransomware slowly going out of favor, criminals pivoted to banking Trojans, spyware and hijackers in 2017 to attack companies instead,” reported Malwarebytes.

One potential reason for a move away from ransom-related attacks? More businesses are reporting their ransom attacks and forgoing any payouts, according to Datto’s latest data, State of the Channel Ransomware Report Europe. This ups the odds for attackers — and reduces their return on their investments in malware.

Unlike Verizon’s report, Datto’s data isn’t based on actual incident reports but rather an overall assessment by security professionals. It may be hard to draw any solid conclusions on overall payout trends, given that many victims don’t want to let anyone know when they made them.

One way to do this is to monitor the collection accounts of the criminals to see what the actual payouts were, which is what Quartz did. They examined the total payout from the WannaCry attack and found it was about $140,000 in bitcoin. This number may seem low given the number of endpoints that were hit with this malware. Attackers may be finding out that their crime doesn’t pay — or at least doesn’t pay as well as they think it could have.

A Move to More Targeted Methods

F-Secure’s 2018 report, The Changing State of Ransomware, analyzed the number of new ransom-related attack families detected over the past year. The report found a decrease in new families created in the last quarter of 2017. They offer another reason for why criminals are moving away from collecting ransoms: the rapid rise in the dollar-equivalent price of cryptocurrencies like bitcoin, which used to be the medium of exchange for ransom collections. But as these currencies increased in value, it becomes more profitable for criminals to create or mine new cryptocurrency directly, rather than wait for payouts.

F-Secure also found that ransom-related attacks are moving to more targeted methods, allowing criminals to focus “on the quality rather than quantity of targets in the hopes of getting a better payday.” That could be the most important conclusion of all from these various reports.

Ransom attacks are still a major threat and are not disappearing anytime soon. While the big payout days are waning, it can still be a threat for businesses. Be sure to vet your backup policies and procedures and use protective measures to detect and repel these sorts of attacks.

Download the Ransomware Response Guide from IBM INCIDENT RESPONSE SERVICES[/button

The post Are Ransomware Attacks Rising or Falling? appeared first on Security Intelligence.

GDPR Breach Notification: What Are the Requirements for Response?

Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points resulting from the debate, as well as the overarching theme that focused on how businesses are preparing for the new data breach notification timing of 72 hours.

For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.

How Long Does It Take to Detect a Data Breach?

Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.

Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.

The U.K.’s Information Commissioner’s Office (ICO) states that they will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. They will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how a company is working to address the problem.

Understanding Your Personal Data

Many of us are receiving emails from companies who are checking to see if we require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.

It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.

Securing Your Data

The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?

The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether it be the ISO 27001, Cyber Essentials Scheme or Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against the standard and then implementing solutions for those gaps, was felt by the panel to be an important part of GDPR preparedness.

Breach Notification

Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.

This will help the organization determine whether or not they need to notify an incident and if they do, to which bodies and at what scale. It’s important to understand that not every little incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.

Multi-Teaming and Muscle Memory

Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.

If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

 

The post GDPR Breach Notification: What Are the Requirements for Response? appeared first on Security Intelligence.

Will GDPR be the death of WHOIS?

Two cybersecurity and privacy attorneys recently argued that the General Data Protection Regulation (GDPR) will interfere with the availability of the WHOIS database and will seriously hinder the efforts of law enforcement and security researchers to track down malware peddlers, phishers, hackers and other online criminals. Will it? And who’s to blame for this situation? About the WHOIS database The WHOIS service/database is operated by the Internet Corporation for Assigned Names and Numbers (ICAAN), and … More

The post Will GDPR be the death of WHOIS? appeared first on Help Net Security.

The “Don’t Ask, Don’t Tell” Problem with Data Privacy in Tech

“Freedom consists not in doing what we like, but in having the right to do what we ought.” – Pope John Paul II. Sometimes we need to look at the past

The post The “Don’t Ask, Don’t Tell” Problem with Data Privacy in Tech appeared first on The Cyber Security Place.

The Hack React: Testing a SOC Director’s Cybersecurity Incident Response

The following story illustrates what can occur before, during and after a cybersecurity hack. Malcolm Gerhard isn’t real, but the issues he faces are not products of fiction. Hardly a week goes by without a headline-grabbing cyberattack or data breach, and the healthcare industry is known to be at heightened risk. Actual case studies inspired Malcolm’s experience in this scenario. Read on to discover what happens when a SOC director discovers and responds to a healthcare hack. Would you have reacted differently?

Malcolm Gerhard packed up his pickleball racket. Some competitive cardio was often a welcome distraction from his security work at the regional group of medical practices. As Lincoln Healthcare’s security operations center (SOC) director, he was the official cybersecurity incident response officer on call.

“You seem stressed, Mal,” said Thu Ngo, his pickleball competitor and IT ops colleague. “Is it work-related?”

“Yeah,” Malcolm admitted. “There are just so many things out of our control.” The last thing he wanted was patient records to end up in the wrong hands.

Managing a SOC meant constant concerns about talent resources, training and solutions. Of course, like many of the “good guys,” Malcolm felt a strong sense of responsibility to protect Lincoln Healthcare’s patients and employees from data exposure.

A Visit to the SOC Watering Hole

Dr. Shane Stewart found himself with a few extra minutes in his office at Lincoln Healthcare. He decided to spend some time browsing a physicians’ message board from his work laptop. Thanks to his web browser’s autofill suggestions for his email address and password, the cardiologist was able to log in quickly.

Stewart was not a technologist — but he did consider himself pretty tech-savvy compared to other doctors. A decade prior, he’d worked hard to modify his clinical workflow to integrate Lincoln Healthcare’s new electronic health records (EHR) software. Meanwhile, many of his colleagues dug their heels in and protested the impacts of technology on patient care.

He scanned over message board threads until he found what he was looking for: a discussion about how his fellow cardiologists were integrating the latest board recommendations. Stewart posted a reply and headed home for the day.

In the mere moments it had taken him to post, malicious code on the forum took advantage of a vulnerability in his browser and launched a zero-day exploit.

What didn’t he know? His visit to the forum pulled Lincoln Healthcare’s network into a watering hole attack, which is when a hacker aims to impact a specific group of users by targeting sites those users regularly visit. In the mere moments it had taken him to post, malicious code on the forum took advantage of a vulnerability in his browser and launched a zero-day exploit.

Stolen Credentials Spin Out of Control

Before Dr. Stewart could even finish packing up for the day, the zero-day attack dropped a stealthy remote access Trojan (RAT) on his laptop. Like many other human endpoints, Dr. Stewart was guilty of a few security crimes, including storing his passwords in his web browser for easy access to his web apps and services.

It wasn’t long before the RAT programmatically scraped all the credentials necessary to gain control of his accounts, including his access to Lincoln Healthcare’s cloud-based EHR system.

There’s a RAT in the Practice Network

After entering the network via the watering hole attack, the RAT spent the next few weeks wreaking well-obscured havoc. With Dr. Stewart’s scraped credentials (and some escalated user privileges) the attackers behind the RAT had complete access to the practice’s EHR servers.

As quickly as the PHI was being compiled, it was being leaked.

It used an internal server to aggregate the protected health information (PHI) of tens of thousands of Lincoln Healthcare patients. As quickly as the PHI was being compiled, it was being leaked. This was thanks to the RAT’s connection between the internal server and an external file transfer protocol (FTP) site.

Private Data Leaves the Practice

The RAT’s activity wasn’t wholly undetectable: Its activity was reflected in server logs, but the overburdened SOC personnel didn’t detect it. Like many hospitals and medical facilities, Lincoln Healthcare strived to maintain compliance with Health Insurance Portability and Accountability Act (HIPAA) audits — and the team had not had a chance to tune the alert threshold of its security information and event management (SIEM) system to notify it of the anomalous activity.

Malcolm Gerhard and rest of the SOC team would have detected more than unusual data transfer activity if they’d had their SIEM properly tuned. There was a data trail left by the internal server’s connection to a server hosted at the dynamic domain 1337.my-ftp.biz, which revealed PHI was being exported.

To be clear, the SOC team wasn’t slacking during this time. Operations was slammed with researching solutions, false positives and industry intelligence. The sheer volume of noise Malcolm’s team sorted through on a daily basis was nothing short of dizzying.

An Unfortunate Hack Discovery

Malcolm’s worst nightmare came true three weeks later: He received a direct message on Twitter from a well-known security blogger and researcher who had a reputation for detecting leaks. But he wasn’t asking for an interview — he wanted Malcolm’s email address.

Malcolm’s heart pounded as he read through the email: “Sorry to be the bearer of bad news … ” The blogger went on to explain how he’d discovered the PHI of some of Lincoln Healthcare’s patients on a Dark Web forum dedicated to stolen information exchange. He included enough screenshots to confirm this was not a false alarm.

Lincoln’s Last-Minute Cybersecurity Incident Response

Malcolm’s hands shook as he sent a chat message to Lincoln Healthcare’s chief information security officer (CISO). Less than 30 minutes later the two sat across a table from Lincoln Healthcare’s CEO, legal counsel and chief public officer, discussing what to do next.

“How much is this going to cost us?” the CEO asked.

She looked exhausted, and Malcolm winced as he scanned the latest Ponemon report on data breaches. The report revealed the average cost of a data breach in 2017 was $3.62 million.

The conversation over the next few hours focused on their next steps. Malcolm and the rest of the team contacted law enforcement and began working to hire third-party experts to assist since they weren’t sure how to proceed.

Malcolm spent the following weeks in a stressed-out blur of meetings as he worked with the CISO to hire an incident response team to assist Lincoln Healthcare’s crisis team with the investigation, response and cleanup.

The Better Way to React to Hacks

Often, by the time a data breach is discovered, the malicious party has already done a significant amount of damage. However, there are a few crucial steps Malcolm could take to either prevent or more effectively control a costly breach and avoid the embarrassment of having a third party inform him of a looming security crisis.

To start, the incident response team can block and quarantine attempted zero-day exploits by investing in a robust endpoint security solution. It can also identify real-time threat exchange data using a security information and event management (SIEM) tool and generate timely alerts with a managed detection and response solution.

In addition, Malcolm might consider implementing an incident response platform to trigger real-time notifications during a data breach. An identity governance solution, meanwhile, can notify the team of escalated user privileges and lock down compromised accounts. Finally, participating in threat sharing can help Malcolm and his team stay up to date on risky IP addresses and servers.

The best hack react is the one put into place before an emergency cybersecurity incident response becomes necessary.

There’s no escaping the fact that cybercriminals are targeting valuable information, including everything from client PHI to financial records. When coupled with the dramatic growth of zero-day exploits, there are very real challenges confronting today’s SOC directors.

The best hack react is the one put into place before an emergency cybersecurity incident response becomes necessary. With an ecosystem of solutions, your security operations team will gain the power to detect, respond to and mitigate threats at every step of the process.

 

Read more: Too Many Organizations Don’t Have a Plan to Respond to Incidents

The post The Hack React: Testing a SOC Director’s Cybersecurity Incident Response appeared first on Security Intelligence.

The Inadvertent Insider Threat: A CISO Confronts a Breach From Within

The following story illustrates what happens when a chief information security officer (CISO) encounters an inadvertent insider threat. While Marie Addison isn’t real, the challenges she faces are hardly works of fiction. Even the most secure companies have employees who forget to follow best practices. Human error, credential misuse and disgruntled employees may not cause the statistical majority of security incidents, but they do pose a genuine risk for any CISO. Read on to discover the choices Marie makes as her story unfolds. Did she follow the best path?

“The speaker for today’s Women in Technology lunch and learn is Marie Addison, a CISO, cybersecurity leader and big data expert,” announced event host Sara Cheema.

“Marie’s company is an industry leader in data-driven buyer persona profiles,” Sara continued. “Her role includes protecting a variety of fast-streaming data sources, including user behavior, social media sentiment and market research.”

Marie walked to the podium, adjusted the microphone and arranged her notes carefully before starting her speech.

“Thank you, Sara. What I’ve prepared today isn’t going to be your standard talk, but I hope it’s a refreshingly honest look at the challenges I face,” Marie said. “I’ve drawn up some notes about the realities of my role as a CISO.”

After a brief pause she continued, “Sometimes, I’m too busy playing whack-a-mole with high-risk security threats to plan and implement the right preventive measures. But, thankfully, we’ve never had a data breach — and I’m here to tell you how.”

An Inadvertent Insider Threat

Back at the agency, the junior database analyst (DBA), Ross Silver, felt like banging his head against his desk. The internal server the company used to aggregate data was reaching capacity. Based on how slow his queries were running, there wasn’t much time left before capacity was maxed out.

Ross knew uptime was crucial for the agency to do its most important work: using an analytical engine to marry data with insights into social media sentiment, message board text scrapings and third-party market research.

However, the capacity (or lack thereof) wasn’t the source of Ross’s frustration. His irritation stemmed from the fact that he was the only data operations staffer on site that afternoon. The chief information officer (CIO), Rai Kagome, was unreachable for the next two weeks, as she was on a cruise with her family. The senior DBA was attending an event where the CISO, Marie, was the featured speaker. Last, the IT director was taking a few days of medical leave.

Not only was Ross the lone data staffer on site, but his database credentials were also relatively limited.

A Goldmine of Exposed Admin Credentials

Ross walked into the IT director’s empty office and opened the top desk drawer. It didn’t take him long to find what he needed: a sticky note labeled “admin,” which listed a username and password. Ross snapped a quick photo of the note with his mobile device.

Ross used the admin credentials to access the server when he returned to his desk. Clicking on users, he scrolled down until he saw his username listed. With a few more purposeful clicks, he escalated his account privileges — and when he logged back in as Ross Silver, he was both a junior DBA and super admin user of the central database.

A Temporary Cloud Storage Solution

As he worked to connect to an external third-party cloud service, Ross wondered why the organization was using an on-premises database to store such a critical workload — especially when there was so much capacity in the cloud. While it wasn’t cheap to store such a massive amount of data, the service offered a free 30-day trial.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt. This storage solution wasn’t permanent, he thought. The IT director would be back in the office before Ross’ company credit card got hit for the next month’s subscription fee.

Ross logged back into the admin account to restore his usual junior DBA permissions and felt satisfied that he’d created a temporary bandage for their big data volume problem. Besides, he had heard on a podcast that all of those rumors about public cloud security issues were greatly exaggerated.

Default Access Disaster

Despite Ross’s ability to resourcefully navigate access management for the agency’s on-premises server, he’d left a few crucial boxes unchecked in the cloud. He failed to notice that when he blindly accepted the default access settings for the cloud storage service, it left the repository fully open to anyone searching for open data sets.

Since Ross had labeled the data with his agency’s name, the date and the details “full buyer data backup,” it was practically a pot of gold for cybercriminals.

One Security Researcher’s Discovery

Security researcher Lexi Milic couldn’t believe what she’d found while browsing unprotected data sets on a popular cloud storage service. Right in front of her was bytes upon bytes of personally identifiable information (PII), labeled with an organization’s name and backup.

Lexi was one of the good guys. Sure, she’d built her brand on exposing real companies’ cloud security snafus — but it wasn’t like she sold unprotected data when she uncovered it. Lexi always notified companies about her discoveries, which sometimes netted her a bug finder’s fee. However, her blog and massive social media following were the real pillars of her cloud security influencer brand.

This digital marketing agency was foolish to use its entire name, but that made it easy for Lexi to locate the company’s website. She used the online contact form to write a short, informative email about the exposed data in the cloud, including a direct link to the cloud repository and screenshots.

Glancing at the time on her laptop, Lexi was relieved to see it was only 6 p.m. This meant she might be able to get the blog post published before 7:30 p.m. to get some exposure that evening.

She had already drafted the majority of an article about the perils of the popular cloud security service’s default settings. With a real-world example of a company exposing its own PII, she was in solid shape. In fact, she’d probably spend the following morning on the phone doing interviews with reporters from the big security blogs. She was excited about getting more exposure.

A CISO’s Cybersecurity Nightmare

Marie’s work device buzzed as she sat in gridlocked traffic during her morning commute. Still exhilarated from her speech at the conference the day before, she glanced down and saw a text message from Rai, the CIO: “We’ve had a breach. It’s bad. All over the news. Head to the conference room as soon as you’re here.”

Marie’s hands shook as she typed out a quick response: “Got it. Stuck in traffic, be there in 15 minutes.” She wished the other cars would disappear as she sent a follow-up message: “Will let you know when I’m parking.”

The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai met Marie in the parking lot and briefed her during their walk to the conference room. The previous evening, a popular security blogger had published an article about the company, complete with links and screenshots. The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai had received search alerts for the agency’s name based on data exposure throughout the night, but her phone didn’t wake her up. And the email from Lexi was only discovered when Rai woke up at 7 a.m. By then, the issue was all over the news — and the company’s CEO was blowing up her phone.

Not All PR Is Positive Exposure

The next few weeks at the agency were the worst of Marie’s professional life. She sat in countless incident meetings, chewing her lip while the client-facing C-suite fretted about client churn. The agency hired public relations experts to collaborate with legal counsel as the organization scrambled to address the incident publicly.

Marie and Rai were tasked with fast forensics. There was no shortage of pressure from the CEO to provide a better explanation than, “We’re working to investigate the cause of this incident and improve our controls.”

More than two-thirds of the records compromised in 2017 were caused by an inadvertent insider.

Unfortunately, the forensics were far from simple — especially since the exposed data carried an alleged date on which the vast majority of the IT team was out of office. Marie’s team wasn’t able to pinpoint the cause until the IT director performed a manual log review.

Before long, the junior DBA, Ross Silver, found himself sitting down with human resources for an interview.

Better Ways to Protect PII

Real organizations face data exposure from the well-meaning actions of inadvertent insiders every day. In fact, more than two-thirds of the records compromised in 2017 were caused by an inadvertent insider. Even though this is not the most common type of incident organizations face, it’s still among the most complex threats that security leaders like Marie must face.

As a CISO, Marie was well aware that humans are risky endpoints. She’d worked hard to protect the agency’s digital perimeter as it became more porous. She’d collaborated with the CIO to ensure the right people had the right access. Unfortunately, the IT director had ignored the agency’s policy and written down his credentials anyway.

A Happier Cybersecurity Epilogue

Fortunately for security leaders in the real world, the story doesn’t have to end this way. To avoid a public relations fiasco and frustrating forensic investigation, Marie could have done a number of things differently. First, her agency could have leveraged identity and access management (IAM) services to manage identity governance and technology deployment. Then, there wouldn’t have been a credentials-based nightmare.

In addition, Marie could have used a mainframe security solution to effectively delegate and automate the CISO’s constantly expanding role. She could have also monitored employee behaviors with user behavior analytics (UBA) and insider threat protection tools. Deploying a data protection solution would have helped her keep tabs on high-risk behavior in real time. Plus, a resiliency and compliance platform would have allowed her to restrict attempts to change configurations with a resiliency and compliance platform.

It also goes without saying that proper training for security personnel on incident response and remediation could have helped her team handle the issue. In the case of a future breach, Marie might consider hiring incident response experts to work alongside the company’s own public relations team.

Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets.

Despite the fact that CISOs like Marie Addison are investing heavily in cybersecurity awareness training, users like Ross are still clicking the links in phishing emails and uploading PII to external cloud storage services. Considering the sheer volume of external and internal threats CISOs face daily, Marie’s whack-a-mole reference is not an exaggeration.

Yet the actions of well-meaning insiders who forget to update security settings don’t need to escalate into highly visible security disasters. Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets. With an ecosystem of solutions, CISOs can stop feeling like they’re constantly chasing down threats and instead take a more proactive, secure stance.

 

Read more: From Suspicious Activity to Suspended Account in Less Than a Minute — Stopping Insider Threats With Automation

The post The Inadvertent Insider Threat: A CISO Confronts a Breach From Within appeared first on Security Intelligence.

The Digital Disaster: A CIO Embraces Cyber Resilience

The following story illustrates the challenges a chief information officer (CIO) might encounter when building a cyber resilience and response plan. While Martin Kinsley is fictitious, the nightmare scenario he experiences — rapidly spreading malware and data loss — is all too real for many organizations. Companies often believe their business-critical data is safely backed up — only to be met with permanent data loss. Read on to see what challenges Martin faces in his cyber resilience efforts and discover what choices he makes in response. What would you have done differently?

“So many people rely on us to get where they need to go,” said regional airline CIO Martin Kinsley to his team of IT leaders. The meeting was focused on cyberattack prevention, but he never missed an opportunity to discuss customer service. As he wrapped up the Friday afternoon session, he took care to emphasize the airline’s people-first values.

“Any mistake can affect people on a deeply personal level,” Martin said. “Missing flights means missing business meetings, birthdays, weddings — those are moments our passengers can never get back.” He felt proud as he wrapped up the meeting and returned to his office, as he’d worked tirelessly to convince the rest of the leadership team that security and cyber resilience needed to be a priority. While he knew the business continuity plan was a work in progress, the airline’s customer satisfaction scores had never been higher.

The IT team didn’t always receive the credit it deserved from headquarters leadership, but Martin was aware that the success of the team’s client-facing systems and infrastructure helped the airline maintain its multicity contract with a major air carrier.

No Rest for Weary Security Leaders

As Martin worked through his outstanding emails at the end of the week, he thought about how he had earned the short getaway that awaited him. With just a few tasks standing between him and a three-day vacation, he was ready for the break.

Just as Martin prepared to close his inbox, a new message came in from the airline’s security information and event management (SIEM) solution. He read the subject line — “High Alert: Network Security Incident” — and quickly realized the message was serious.

Most of Martin’s team was still in the office, so he asked them to assemble in the conference room immediately. He tasked them with investigating the notification and tracking down the cause of the security incident. Help desk calls began to roll in at the same time, and soon the team had the answer: Malware had infected hundreds of airport terminals.

Martin expelled a heavy sigh.

The help desk advised customer service agents to power down the terminals, but it was too late. Every endpoint was already infected and encrypted.

Cyber Resilience in the Face of Chaos

The malware had spread rapidly across his airline’s remote agent and passenger terminals over the past few hours. The infected terminals were now essentially bricks. Help desk employees were fielding calls from frantic airport employees complaining about angry passengers. To make matters worse, remediation attempts had failed since the malware’s encryption was airtight.

Not only was the malware spreading like wildfire, but the damage it inflicted was also focused on the largest airport in their region — a major international hub. Thousands of passengers at that airport were effectively grounded on the busiest weekday for airlines (and they were definitely unhappy about it).

All six of their airline terminals shared a network, which was segregated from headquarters’ networks. Forensics would come later, but Martin was fairly certain whatever strain of malware they were dealing with had the escalated account privileges necessary to spread damage to every one of the airline’s terminals.

Martin reached in his pocket to text Marina Petrov, the airline’s CEO, who was already fielding calls from his office with airport supervisory staff about emergency policies for granting vouchers and hotel rooms to angry travelers on the ground. He quickly typed to Marina that he was afraid the incident was getting even worse.

The team’s frantic efforts to contain the malware had failed, and they were now in full-on remediation mode.

By late Saturday morning, Martin’s prediction had come true. The malware had reached every endpoint on the airline’s terminal network — executing malicious code at all of their regional airports. The team’s frantic efforts to contain the malware had failed, and they were now in full-on remediation mode.

Marina stood in the door of the conference room where the IT team had created an impromptu security operations center (SOC). Martin informed her that — since all of the terminals had been infected and encrypted — his team had no choice but to start from ground zero, which meant establishing backups.

Failed Backups Lead to Business Continuity Disaster

“You’re saying the last usable backup we have is six months old?” Martin asked frantically. When system admin Fei Zhou nodded, Martin felt faint. His long-awaited weekend getaway had been replaced by the worst weekend he could have imagined. In fact, it was now early Saturday afternoon, and it had been nearly 30 hours since he’d seen his bed or taken a shower.

“The network-attached storage has been running idle since before I was hired — and no data’s been backed up,” said Fei.

After looking up and down through the directory and backup logs, Fei discovered the backup had stopped working the same week her predecessor left the company. She also saw the admin credentials had changed for the centralized network management tool.

Martin bit back the urge to ask why Fei hadn’t bothered to test backups (or do any other kind of digging) during her nearly five months at the organization. It was a definite failure on her part, but the current situation wasn’t any one person’s fault. It was a series of failures caused by everyone on the IT team.

Martin winced when he realized his worst-case fear of permanent data loss was achieved. He discovered the latest release of the reservation software was issued three months ago. So, his team could restore the backups — but they’d need to perform manual updates. The manual update process was long and grueling, but Martin and his team maintained their composure as they worked together. All the while, Martin scolded himself for not checking the backups himself.

Lasting Financial and Reputational Repercussions

“Too little, too late,” Marina said. Her words echoed in Martin’s ears after a Tuesday morning meeting with the leadership team. Martin’s team had demonstrated heroic behavior over the weekend, working tirelessly to restore backups to each of the terminals and manually update the reservation software. It was a painstaking process, but their hours of work paled next to the IT failures that had caused the issue in the first place.

The airline’s operations were just beginning to return to normal four days after the malware hit. News reports were scathing — and the chief financial officer (CFO)’s tentative projections of just how much the incident would cost were beyond grim. Union negotiations around pilot overtime revealed staffing costs into the millions. This number didn’t even begin to cover the costs of accommodating travelers over the weekend or the reputational damage the airline had suffered.

The average cost of a data breach is well over $3.62 million.

Martin knew the media would eventually forget the information technology incident, but he couldn’t say the same for the airline’s customers. Would they ever trust the company to get them where they needed to be again? Marina and the CFO had also alluded to rumors of heavy federal fines and a loss of contracts.

While the average cost of a data breach is well over $3.62 million, Martin knew this disaster was going to be far above average, even without the leak of data. He was certain the next chapter would include better information security safeguards and regular backup testing — but Martin had few other certainties about the airline’s future.

Embracing Proactive Cyber Resilience

Rapidly spreading malware that causes permanent data loss is all too common in the real world. In the past year, countless high-profile organizations have experienced long-lasting repercussions as a result of ransomware and malware spreading through their networks.

As Martin realized too late, his experience was the product of countless technical and human failures across the IT department. Although tasks were left undone for months on end, it wasn’t because his IT team wasn’t putting in hours or effort. Martin wanted to lead his organization toward a state of cyber resilience, but he lacked the expertise and resources to create an end-to-end strategy.

To avoid an expensive disaster, security leaders like Martin should consider onboarding resilience consulting services to design a business continuity plan and establish a central incident management hub instead of relying solely on a series of SIEM and network monitoring applications.

A resilience orchestration tool can help security teams automatically contain and respond to an incident across complex network structures.

A resilience orchestration tool can help security teams automatically contain and respond to an incident across complex network structures. And with the help of incident response experts, CIOs like Martin can also contain malware in the event of a breach and ensure that the security operations team does all the right things.

In addition, security leaders can invest in automated, cloud-based backup services to protect sensitive data and implement disaster recovery-as-a-service (DRaaS) tools to prevent a lasting IT outage.

A worst-case scenario can become a reality at any time — but it doesn’t need to result in regulatory repercussions or long-term damage to an organization’s reputation. With the systems and processes for proactive security response, CIOs can achieve confidence in their cyber resilience plans and remediation ecosystem.

Read more: Practice — The Best Defense for Responding to Cyber Incidents

The post The Digital Disaster: A CIO Embraces Cyber Resilience appeared first on Security Intelligence.

The Compliance Crisis: A Compliance Officer Faces an Outdated Risk Management Framework

The following story illustrates what can happen when a compliance officer is confronted with an outdated or incomplete risk management framework. While Frank Roth is fictitious, many real-world organizations face pressing security and compliance issues due to their failure to regularly update policies and procedures. Read on to learn about Frank’s challenges and the choices he makes to overcome them. How would you have responded in his place?

It was Frank Roth’s first day on the job as a risk and compliance officer at a utility company. While Frank had decades of experience creating risk management frameworks for highly regulated industries, joining the utility company was a bold career move and an important promotion for him. After a busy morning of filling out paperwork and touring the headquarters, it was time to assess the organization’s risk status.

Frank expected the utility company already had some solid policies in place so he could jump right in preparing for the upcoming audit he’d learned about during his final interview. He grabbed a binder labeled “Compliance” from the bookcase in his office.

Frank flipped to the last page and couldn’t believe the listed date: 2016. That can’t be right, he thought. He imagined there must be some missing data because the last documentation added to the compliance notebook was two years old.

His heart pounding at this alarming discovery, Frank emailed chief information officer (CIO) Shondra Washington to schedule a meeting.

Missing Data Reaches Epidemic Proportions

“Well, you know I started just two weeks before you did,” Shondra informed Frank.

Frank didn’t know that — but he did now. Since it was now his third day on the job, it must only be Shondra’s 17th. Frank realized there was indeed no chance Shondra had compliance documents that hadn’t been added to his notebook.

“I’m sorry to hear your compliance notebook’s so far out of date. Frankly speaking, my experience hasn’t been all that different,” Shondra said as she tapped a pen against her desk. “As a matter of fact, I discovered the IT team’s master inventory list hadn’t been updated in nine months.”

While Shondra went on to discuss the epidemic levels of shadow IT she was trying to harness, Frank began to panic. The company’s next audit date was approaching quickly. At a loss, he struggled to summon his usual dry humor.
“Well, meeting over a thousand specific compliance requirements and identifying risks will require knowing what’s on the network,” he said.

Information Labeling and Handling Ceased to Exist

Frank and Shondra’s meeting was scheduled for an hour but ended up lasting the majority of the afternoon. Frank learned when it came to information labeling and handling, things were even worse. How was this possible?

Shondra told him the most recent information labeling and handling policy, which defined information labeling updates as the CIO’s purview, was 18 months old. Frank knew the utility company had brought new assets onto the network in an aggressive expansion into renewable energy sources — and it had undoubtedly acquired new customers.

He couldn’t even begin to wrap his head around the amount of data assets that were unlabeled and unaddressed in the access policy.

He knew the organization was swimming in data. He couldn’t even begin to wrap his head around the amount of data assets that were unlabeled and unaddressed in the access policy.

Identity and Access Management Mystery

Shondra assured Frank she was working hard to create an updated inventory and get her hands around information labeling. However, she was hesitant to provide a solid timeline on either project. Frank glanced down at his notes and noticed an item labeled “privacy impact assessments (PIAs),” which he knew was an analysis of how information is handled. He asked Shondra about the state of identity governance.

Shondra had an uneasy expression, so Frank continued: “User access controls should be able to determine what users were added and when — who left the company and whether their user IDs were revoked. I also need to demonstrate which IT administrators have access to critical systems.”

“Well, I wouldn’t really describe the current state as identity governance,” Shondra said. “More like ad-hoc user access chaos. I kicked off an identity governance audit my second day on-site, but it’s not going to be done for a few weeks.”

Frank knew he and Shondra had both taken new roles hoping for the best — and had ultimately stepped into an ordeal of mismanaged regulatory requirements and processes. Unfortunately, he wasn’t sure how to manage risks when IT leadership was struggling to maintain the status quo.

Digital Transformation Disaster

Shondra worked tirelessly over the next week to bring the IT department up to par. Frank faced an internal compliance and risk management framework that was years out of date, but he did his best to fill in the gaps where he could. The overwhelmed new hires discussed recent app releases over lunch.

Shondra mentioned that the last CIO had focused on cost savings and customer satisfaction. As a result, the customer portal and energy efficiency apps were pushed through DevOps without dedicated time for security testing.

Frank felt his blood pressure spiking as Shondra detailed how the CIO’s “digital transformation” plan included a third-party development agency and unreasonable development timelines. Worst of all: It relied heavily on business users for feature-based acceptance testing.

“So, you’re telling me both customer apps and employee apps could be full of vulnerabilities?” Frank asked.

Shondra nodded slowly. “You know, it’s way more expensive to fix these bugs post-release than just do secure DevOps in the first place,” she said. “I wish we knew the extent of the vulnerabilities, but I have to direct more resources towards actual testing. From what I hear, the requirements kept changing and projects ran over budget, so the last CIO pushed the development agency to do even less testing than usual.”

Frank had no idea how they’d pass upcoming audits — let alone stay ahead of complex regulatory mandates.

Frank had hoped he’d find well-documented, updated risk management procedures on his first day. Instead, he was completely uncertain whether the company’s business dealings were even ethically sound. Furthermore, he had no idea how they’d pass upcoming audits — let alone stay ahead of complex regulatory mandates.

Risk Management Framework From the Ground Up

Both newly hired and seasoned compliance and risk management professionals often struggle to develop a proactive stance on business risk management. According to one study, up to 89 percent of organizations didn’t fully understand General Data Protection Regulation (GDPR) requirements six months ahead of the deadline for compliance.

Fortunately, Frank isn’t destined to face a failed compliance audit or to call his former employer to beg for his old job back. Today’s compliance climate is complex and costly, but the right solutions can help leaders reduce risk and stay ahead of regulations — even if they’re dealing with serious compliance fatigue.

Frank could implement an effective risk management framework to help combat the issues he’s facing. His first step might be to identify all network endpoints, as well as both authorized and shadow software, in seconds using an automated endpoint detection solution. He could then apply policy-based compliance to both endpoints and cloud services with a security intelligence platform — making his job a whole lot easier.

By leveraging comprehensive identity and access tools, Frank could bridge the gap between messy patchwork approaches and unified, compliant management for user governance. A two year-outdated compliance notebook is definitely stressful, but an ecosystem of data security and protection solutions would automate the overwhelming task of identifying data records that are subject to industry-based regulations.

By leveraging comprehensive identity and access tools, Frank could bridge the gap between messy patchwork approaches and unified, compliant management for user governance.

Rather than give in to his despair, Frank should start by developing a plan based on outdated standard operating procedures using an incident response solution. He could make security tools do double duty, using packs of pre-built and customizable reports for compliance reporting. Finally, he could use a security app exchange to implement built-in compliance reporting and collaborate with incident response experts to develop a truly resilient plan to mitigate risks.

Risk management and compliance is far from simple — especially for individuals like Frank who are struggling to reconcile complex regulatory requirements with outdated operating procedures and scrambling to manually assess organizational risk.
By leveraging automated solutions to create a comprehensive ecosystem of support for risk management, compliance and business resiliency, security leaders can get a better handle on the organization’s security and compliance posture and prepare for the future. Compliance requirements and networks are changing quickly but developing total oversight and change management can instill confidence in overwhelmed security professionals.

 

Read more: As Cyber Risk Escalates, the C-Suite Must Take Action

The post The Compliance Crisis: A Compliance Officer Faces an Outdated Risk Management Framework appeared first on Security Intelligence.

The Cloud Commotion: An IT Director’s Road to Cloud Transformation

The following story illustrates the struggles IT and security leaders encounter when undergoing cloud transformation. While Shira Sutton is fictitious, many real-life firms face similar pressure to fast-track cloud adoption. Selecting the right approach to cloud migration is not easy, but what can be even more difficult are the unanticipated hurdles that arise around compliance, resilience, data governance and identity management. Follow Shira’s decision-making process throughout her company’s cloud transformation journey, and consider what you may have done differently.

Shira Sutton had been handed the daunting task of cloud transformation.

“Do you think you can handle it?” Wendy Nguyen, the retail organization’s chief information officer (CIO), had asked several weeks prior.

As her organization’s IT director, Shira was no stranger to the cloud — or its cost reduction and operational efficiency potential. However, she was not looking forward to the enormous task ahead.

“Of course,” Shira said confidently. “I’m ready for whatever comes next.” While she wasn’t surprised to receive the directive from Wendy, she knew the move to the cloud would be riddled with challenges.

After a considerable amount of work, Shira was finally presenting a cloud transformation framework to the organization’s leadership team. She was looking forward to the flexibility and scalability benefits of the cloud, but she also had many concerns about how the shift would affect security.

Designing the ‘Right’ Type of Cloud

Shira and Wendy had a brief discussion about the “right” cloud approaches for the organization during their last meeting. Shira knew Wendy’s proposal of using a public cloud wasn’t necessarily the best option for their organization. She was worried about how a public cloud would impact her company’s legacy applications, critical workloads and sensitive data.

A multi-tenant environment could lead to diminished performance — and they certainly couldn’t afford to be the next highly publicized retail data breach. Shira also knew her organization was at risk of falling behind the curve when it came to cloud adoption, considering 83 percent of workloads will be cloud-based by 2020. She wondered if there were a way to hit fast forward on migration and achieve the digital transformation benefits of cloud now.

Shira presented the pros and cons of a multi-tenant public cloud strategy and private cloud to the leadership team, making a case for her preferred solution: a hybrid cloud that would allow the company to maintain control over its cloud workloads in a managed environment.

As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.

In fact, infrastructure-as-a-service (IaaS), just one aspect of the cloud, is currently experiencing 38.1 percent year-over-year growth. As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.

Taking a Vertical Approach to Cloud Migration

The leadership team asked Shira about many issues, including the commonness of hybrid clouds in enterprise settings and how they were trending compared to public clouds. She knew they shared her concerns about security risks, but she also realized their top priority (as business-minded executives) was cutting costs while preserving uptime and minimizing latency.

Shira explained cloud adoption had dropped slightly in the past year but was still at 51 percent in 2018. While the team agreed, Shira wanted to be sure the hybrid cloud was secure enough.

Scaling Governance to the Cloud

After the leadership team gave her recommendation the green light, Shira assembled a task force for vendor selection and spent weeks researching options. With the help of Wendy and other colleagues, she made her final selection and was deep in discussion with a representative from the newly hired vendor.

Armed with a list of questions, Shira sought to understand how her organization’s governance methods would scale to the cloud. Most importantly: Would her cloud workloads be compliant with industry regulations and regulatory requirements?

Assessing Cloud Vendor Security

Shira felt assuaged by the vendor’s explanation of its approach to security and controls. The conversation addressed her concerns about data compliance and encryption. It also helped her understand the company’s well-defined approach to scaling private cloud to hybrid cloud deployments.

While Shira wasn’t fully sold on the vendor’s promise of seamless policy management during the cloud migration, she felt confident in its commitment to availability and data protection. At the end of the conversation, the provider sent up-to-date copies of its certifications.

After she received those documents, Shira followed up with the compliance team about regulatory requirements. She wasn’t entirely sure how she’d achieve always-on compliance in the cloud.

Resilience and Incident Response Planning

Over the next few weeks, Shira turned her attention to resilience planning. With her organization’s workload primed for residency in a more diverse environment, Shira was aware the organization’s strategy for availability and risk response was about to evolve significantly. The purpose of this evolution was to accommodate her customers’ and employees’ need for always-on availability and on-demand access.

Shira carefully outlined the importance of a comprehensive resilience and response plan to the leadership team. While the executives were aware of the crushing cost of a data breach, they agreed with Shira’s assertion that even a 15-minute period of downtime was intolerable.

Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.

The retailer’s current response and resilience approach weren’t anywhere near industry standards. Its existing data backups and failover solutions certainly weren’t foolproof. However, Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.

Choosing Rapid Recovery

Business resilience and incident response planning was no joke. Shira used the cloud transformation as a long-overdue opportunity to create a stable plan for potential breaches, failover and disaster recovery. However, that was easier said than done.

Shira chose to focus on rapid recovery. She felt confident that vendor-recommended solutions for high-speed recovery could mitigate risks during downtime, failover or other incidents. Risk tolerance is complex, but Shira knew her team needed to be able to respond to the unexpected and recover quickly.

While Shira was careful to emphasize the realities of security and resilience risks, both she and Wendy agreed response-based resilience planning was the right approach. They decided to invest in regularly verified cloud backups to cover all the bases. Ideally, Shira hoped the organization wouldn’t have to face an unplanned outage or service interruption.

Migrating Identity and Access Management

As she finalized her retail organization’s move to the hybrid cloud, Shira faced the need to scale another mountain: issues of identity and access management (IAM) in the cloud. She also wasn’t the only one worried about this side of cloud risks. Wendy had recently dug into some research on security risks that revealed that compromised or stolen credentials were behind a massive proportion of data breaches.

Like many other organizations in retail, Shira understood her organization’s IAM challenges were immense. There were always remote access challenges, such as the organization’s distributed workforce and high employee turnover in the industry.

The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.

Existing governance at Shira’s organization was far from automated — and best described as a patchwork of policy-based administration across many different legacy apps and services. Internal IAM challenges also weren’t as tough as external ones. The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.

The impending move to the hybrid cloud was the perfect opportunity to reevaluate the company’s existing systems and policies for identity and access governance. But Shira wasn’t even sure where to start when it came to creating a more straightforward mode of managing users and their access to data.

Performing Manual IAM Review

Shira worked to tackle a post-migration plan for reviewing identity and access for each component of the organization post-cloud adoption, including the retailer’s customer-facing apps, internal apps and systems infrastructure.

She also tackled the long-overdue task of updating her organization’s current IAM processes, policies and controls. Shira worked closely with the cloud vendor during this process to understand how current policy-based administration efforts would scale to the cloud. Based on the provider’s recommendations, she began to document testing policies for IAM migration post-deployment.

Preparation Is Key to Cloud Success

Shira knew moving to the cloud would be simpler if the organization had a solid groundwork for managing data, risks people and policies. However, she didn’t have time to redesign its governance strategy from the ground up before migration day.

By the time the go-live date finally rolls around, would Shira feel confident her organization is entering a new era of cloud computing? Or would she instead continue to worry about security, continuity and access risks?

This type of cloud experience isn’t rare: Many organizations struggle to keep their cloud transformation goals on track when they encounter unanticipated obstacles around regulatory compliance, resilience, data governance and identity management.

Shira constantly worried about her options throughout the cloud transformation experience. What if she’d made the wrong recommendations around cloud adoption? Would her organization absorb new security risks, compromise resilience or discover massive issues during deployment testing because legacy systems weren’t functioning correctly or securely in the cloud?

A Smarter Approach to Cloud Transformation

Shira didn’t need to worry about missed opportunities on the road to cloud transformation or risk realization. To overcome the barriers to cloud success, she could have enlisted expert assistance to create a multiyear plan for cloud migration. She also could have invested in managed hybrid could services to unlock an easy-to-manage, centralized infrastructure instead of increased complexity.

In addition, Shira’s team could’ve taken a proactive stance on incident response and intelligence services for resilience planning. Finally, IAM and cloud identity services could have helped Shira create a seamless bridge between on-premises and cloud infrastructure.

With expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.

Cloud adoption may be necessary to help organizations achieve an agile advantage — but it certainly isn’t simple. As Shira discovered, the journey to the cloud is filled with challenges and potential detours. Fortunately, with expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.

 

Read more: It’s Time to Bring Cloud Environments Out of the Shadows

The post The Cloud Commotion: An IT Director’s Road to Cloud Transformation appeared first on Security Intelligence.

What Are the Legalities and Implications of ‘Hacking Back’?

Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of “hacking back” opens up a wide range of cyber defense tools to IT and security managers. These tools could empower them to repel invaders with honeypots and other, more-active measures.

Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

Hacking Back: Shall We Play?

The practice of hacking back isn’t new: The 1983 movie “War Games” was inspired the Computer Fraud and Abuse Act of 1986, which prohibits anyone from knowingly accessing a computer without proper authorization. Google made questionably legal use of discovery technologies back in 2009 to find the command and control servers in Taiwan that were running the Operation Aurora attacks, as documented in this report from George Washington University.

Moreover, a security researcher was fired from his job after doing some hacking back to investigate a 2003 Lockheed Martin breach in Orlando, Florida, The New Yorker recently reported. The researcher took Lockheed Martin to court and sued for damages — and won the suit.

The Problem With Attribution

“Attribution is a very elusive target to achieve, so your error ratio can be quite high,” said Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he stressed, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes. And while attribution technologies are getting better at identifying sources of attacks, they are still far from perfect.

Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins — or deliberately misleading researchers by including someone else’s code to throw them off the trail. Many hackers also employ obfuscation technologies so their malware can persist longer in corporate networks to do more damage.

A Question of Intent

Is the defendant guilty of murder or manslaughter? It’s not always easy to determine whether a cyberattack had malicious aim behind it. For attackers, their intent could range from deliberate criminal action to a mistake in network configuration. So, it is important to determine this before any hacking back is permitted.

There is a similar assessment of intent for defenders too: Are they trying to get their data back? Are they trying to monitor what the attacker is doing? Are they trying to cause harm to their attacker — or destroy the illegal use of proprietary technology?

Governor Nathan Deal just vetoed Georgia Senate Bill 315, the Electronic Frontier Foundation reported. The bill would have created a new crime of unauthorized access to a network but didn’t include any definition of criminal intent. If enacted without any changes, it could have meant that security researchers would be liable for prosecution just for entering a client’s network.

Canada is considering allowing hacking back in its Communications Security Establishment under Bill C-59. That bill is still working its way through Parliament, according to Global News.

Prosecuting Cybercriminals

Even without these new laws, there are legal steps that a government entity can take to prosecute hackers. But here’s the rub: Most of these agencies lack the skills or staffing to pursue cyber counter-measures. In many government agencies, there are numerous job vacancies for security analysts — so they are often not centers of excellence when it comes to hacking back efforts.

One way is for government to cooperate with private industry, which is what happened when it came time to try to stem the tide of Somali pirates. The government eventually accepted the use of private security services by the commercial shippers — and worked with insurers to help to provide a solution to stop the numerous raids of ocean cargo in that part of the world. This public-private cooperation has the side benefit of being able to help improve attribution, according to a 2017 report from the Carnegie Endowment.

We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, hacking back could become a regular weapon for IT and security managers.

The post What Are the Legalities and Implications of ‘Hacking Back’? appeared first on Security Intelligence.

The 55 Things You Need To Know About GDPR

By Niall Bennet, Corresponding Author  at Betipy, Everyone has been receiving a lot more emails than usual lately, as companies seek to find out whether their mailing list members wish

The post The 55 Things You Need To Know About GDPR appeared first on The Cyber Security Place.

Privacy International Launches GDPR Probe into Data Companies

Privacy International has launched a new investigation into a swathe of shadowy data companies to see if they comply with the new EU General Data Protection Regulation (GDPR), which came

The post Privacy International Launches GDPR Probe into Data Companies appeared first on The Cyber Security Place.

Email Leakage – An Overlooked Backdoor to GDPR Failure

On May 25, 2018, two years after it was adopted by the European Union, the General Data Protection Regulation (GDPR) came into force. For two years companies have been bombarded with offers for GDPR solutions from security firms; and publications have been bombarded with surveys claiming that only n% of firms are ready or even understand GDPR.

read more

SecurityWeek RSS Feed: Email Leakage – An Overlooked Backdoor to GDPR Failure

On May 25, 2018, two years after it was adopted by the European Union, the General Data Protection Regulation (GDPR) came into force. For two years companies have been bombarded with offers for GDPR solutions from security firms; and publications have been bombarded with surveys claiming that only n% of firms are ready or even understand GDPR.

read more



SecurityWeek RSS Feed

GDPR: Today is the day

Today is the day many organizations around the world have been preparing for. As GDPR becomes enforceable, we sat down with Jerry Caponera, VP Cyber Risk Strategy, Nehemiah Security, to talk about this important regulation and its wide-ranging impact. What are the most common misconceptions about the GDPR? I think one of the biggest misconceptions about GDPR is that companies have to be “done” by May 25th or the fines will start rolling on May … More

The post GDPR: Today is the day appeared first on Help Net Security.

The Ultimate List of 50 Free Security Tools, Tested For You

The idea that we should create a gargantuan list of cyber security tools started running through our minds a while ago because, in our journey into the cyber security and data protection world, we ran into lots of useful tools.

When we decided to work on this list, we had no idea how and where to begin.

What tools should we include? What should we not? How do we tell if one is worthy and the other one is not?

Do we mention ultra-known products?

Should we stick to what’s free or should we also add paid products?

Eventually, we came up with what we’re about to read. But first here’s a quick guideline that you should read before we jump right to the subject:

  1. We don’t claim this is the ultimate list. It’s not complete and it’s definitely not final. It probably never will be. We are aware that we missed lots of essential, important tools – by mistake or just because we can’t know them all. So please feel free to jump in with more useful tools that you feel they should be mentioned.
  2. We stayed away from recommending antivirus, VPN or firewall products. There are independent industry experts who only do that. Instead, we prefer to list those experts or websites that will help you compare such services, in order to choose what’s best for you
  3.  We tried to test them all before recommending them. And we only included tools that have free versions.

Here’s our list :

50+ free security tools you can use for your online protection

Table of contents:

ACCOUNT & AUTHENTICATION MANAGEMENT
Check if your password is strong
Password managers
Activate two-factor authentication
Was your account hacked?
SOCIAL MEDIA SECURITY
Geo-tag removal on social accounts
Revoke access to third-party apps
Do a security check-up
Other communicating tools
SAFE BROWSING
Keeping vulnerable software under control
Extra Encryption, Privacy, and Anonymity
Redirect checkers
Remote screenshots
Scan for threats
BACKUP, BACKUP, BACKUP
REPORTING
MISCELLANEOUS
Conclusion

ACCOUNT & AUTHENTICATION MANAGEMENT

Password

How strong is your password?

A unique and strong password is key to our online safety. We keep recommending this in our articles (and we’ll keep doing it) so people can realize the importance of setting passwords that hackers can’t reach.

First of all, here’s why it should be unique:

We never use the same key for our house and car, right? Then why would we use the same password for our accounts?

Our online accounts are interconnected. If one of those passwords is breached, the cyber criminal will have access to the rest of your accounts.

And no matter how careful you are not to give out your password, sometimes you might not be responsible for the breach. Companies have plenty of vulnerabilities. Their employees can have poor security habits. Their ex-employees might want to get vengeance this way. Your online connection might not be secure and your traffic unencrypted. There are tons of flaws out there that could expose your credentials.

How your online accounts are interconnected

Second of all, here’s why it should be strong (and what does “strong” mean):

Most people have weak passwords. They use family or pets names, favorite songs, birth dates and so on. This type of information nowadays is readily available online – usually posted directly by us, on social networks or blogs or forum comments.

If a cyber criminal really wants to hack your account and you use such a password, all they’ll have to do is spend some time finding out more information about you.

They also have the technical skills to test out millions of passwords combinations in a short period of time. So there’s that.

SplashData released its annual list of top worst passwords of 2017, where we see that people continue using the classic”123456″.


Source: Teamsid.com

We strongly RECOMMEND using strong and unique passwords, and this step-by-step guide will show you how to manage passwords like an expert.

And here are some tools that you can play with to find out how secure a password is considered (don’t test using your real passwords!).

Another great tool can estimate how long it would take for your password to be cracked by a hacker: Estimating Password-Cracking Times

how secure is my password

Password managers

Constantly coming up with strong, unique passwords is hard. We get it.

It’s hard to remember to change them, and it’s even harder to remember them. Especially since it’s not recommended to write them down – not in a document on your desktop, not in an email draft, not in your phone or written on a paper that stays under your mouse pad. No, no, no, no.

And since not all of us have an elephant memory, some smart guys created tools that make it easier for us to manage passwords.

Passwords managers are easy to use. You install them as browsers plug-ins and they help us save passwords and keep them encrypted. When we log in to a new account, the password manager will ask us if we want to save the password.

All we have to do is remember the password that we use for the password manager tool account.

Here are some of the most popular apps for password management:

  • LastPass – it’s one of the oldest and most known password managers.
  • Sticky Password
  • 1Password – not exactly free, but offers a free trial that lasts 30 days

password

Activate two-factor authentication

Ok, so this is plan B. If passwords fail and a cybercriminal somehow manages to find out your beautiful, strong, unique and completely random password, the second-factor authenticator will work as an extra shield.

Two-factor authentication adds an extra layer of protection. This way, the password will not be enough to access your account, you’ll also have to prove your identity using the second method. This usually consists of a unique, time-sensitive code, that you receive using your mobile phone.

In order not to do this every time you log into your account, you can choose to remember the devices you use and only require the second way of authentication when you want to log in from a new device (laptop, PC, tablet, browser, whatever that may be).

I always wonder why the companies don’t enable this option by default. It would help avoid a lot of accounts that end up compromised because of poor passwords habits.

If you want to check what services offer users the possibility to activate two-factor authentication, use this tool:

Two Factor Auth

Was your account hacked?

There are several projects out there that store a huge database of leaked, stolen or compromised passwords. Other projects gather all the past data breaches. You can use them to confront with your passwords or accounts and check their databases. If someone ever used a password that’s the same with yours and was leaked in a past breach, you’ll have to change it.

You can also check if you have any accounts that were compromised in any of those data breaches.

Use these services:

Here are more projects that you can use to inform yourself about data breaches:

World's biggest data breaches (Feb 2016)
Source

SOCIAL MEDIA SECURITY

Geo-tag removal on social accounts

It’s highly recommended that you avoid checking in from your social accounts – especially from your home.

Something so common and apparently innocent as a social media check-in can turn into a nightmare. You can never control who can access your social network posts. You never know who else benefits from the information you shared.

There have been many cases of people who checked in while on vacation, bragged about the wonderful places they visited, only to come back home and find out that they were robbed. Burglars were tipped off thanks to the posts on social media.

However, if it’s already too late and you already have plenty of check-ins made online, you can remove your previous ones.

For Facebook, you’ll have to do that manually for each post you published and then turn off location for future posts. However, for Instagram, there’s an easier batch solution that you can use.

Instagram is constantly updating its network and has changed the geo-map feature for mobile that let you control geotag location. Now you have the option to save photos you see and like on Instagram, save and add them to your photos collections.

Revoke access to third-party apps

You probably logged in with your social accounts to any third-party apps – games, other social networks, streaming services and so on.

For privacy matters, it’s recommended that you only allow access to trustworthy apps. Those apps have access to your profiles and personal information.

From time to time, make sure you check every single app that you allowed to access your account and remove the ones that you don’t use anymore.

Here’s how you can remove access to external apps from every major social network:

Third party apps on Facebook

Do a security check-up

Google and Facebook are among the networks that offer the possibility to do a security check-up. They will take you through the steps you need to check or activate in order to enhance your account’s protection.

Facebook security checkup

Other communication tools

Here are other communicating tools that are focused on anonymity and encryption:

  • Signal – free mobile app that you can use for encrypted communications (phone calls and messages). They also have a partnership with WhatsApp and helped them integrate end-to-end encryption.
  • Off The Record – encrypted app used for instant messaging.
  • Safe Pad – an online notepad that is encrypted end-to-end.

Smartphone

SAFE BROWSING

Keeping malicious software under control

There are some major software apps that are buggy and expose you to global cyber attacks. “Software” and “buggy” might just be pleonasms for the moment, as all software have bugs and vulnerabilities.

What you should bear in mind is that you can reduce your odds of being infected just by keeping those buggy apps up to date. Or disabled until you really need them and activate them punctually. Or uninstalled, if they aren’t vital to your work.

By “apps” we mean browsers, plug-ins, add-ons. Chrome, Firefox, Flash Player, Java, and Adobe Reader, just to name a few of them, but you should take a look over the infographic published here to find out more about the top most vulnerable apps.

8 software apps make 99 percent of computer vulnerable heimdal security

Here’s how you can reduce your odds of getting infected:

1. Keep those vital apps up to date. You can use an automated patching tool that will take care of that for you, silently (Heimdal FREE does that).

2. Use a tool that will scan your traffic and restrict your access to infected web pages (our product also does that, and also makes sure that none of your data goes out to the bad guys).

3. No clicking on suspicious links or attachments, short links that you don’t know where they’ll lead you, nothing that you never requested or sounds fishy (even if it’s coming from your online buddies). Staying away from dangerous web locations also is vital (that means no websites that host illegal content, such as torrents).

4. Keep activated a good, trustworthy antivirus. Here’s how to choose it.

5. Use an app that will block those plug-ins and apps.

You can see in the infographic below how a global ransomware infects your operating system:

simple ransomware infection chain

Some tools that will come in handy:

    • AdBlock – you’ll get rid of annoying ads, but you’ll also reduce your chances of ending up with spreading ransomware from malvertising.
    • NoScript – an add-on for Firefox that allows plugins to be executed only by trusted web sites of your choice.
    • Script Safe – same as NoScript, but for Chrome.
    • Flashblock – Firefox add-on that blocks Flash
    • Flash control – Chrome add-on that lets you take more control over Flash
    • Dragon Internet Browser – a free tool based on Chromium technology that will provide a higher level of protection
    • Google Chrome Cleanup Tool – this app will scan and remove software that can cause problems  with Chrome browser

Extra Encryption, Privacy, and Anonymity

If you want extra anonymity, here is a list of tools that are focused on encryption and privacy:

  • Tor Project – we’re sure you already know about this one. You can use Tor to browse the web while staying anonymous.
  • Comparison VPN – the name is pretty much self-explanatory, right? “VPN” comes from “Virtual Private Network” and it’s used to encrypt your outgoing and ongoing traffic. This tool will help you compare between different VPN services.
  • Duck Duck Go – it’s a free search engine but, unlike others, it doesn’t track you, doesn’t collect or share any of your personal information.
  • Disconnect – the basic version will block trackers from websites.
  • uBlock – a lightweight free and open source browser extension that will help you filter our annoying or unwanted content, such as tracking cookies and ads (available for Mozilla, Chrome, Safari and even Microsoft Edge).
  • Https everywhere – it’s an extension for your browser that encrypts your communications with major websites; resulted in a collaboration between The Tor Project and the Electronic Frontier Foundation.
  • Ghostery – a free browser extension that lets you control trackers from the websites that you visit.

Puzzle chaos

Redirect checkers

If you want to avoid any phishing or malware attacks, it’s best that you don’t click on any links that you don’t know where they’ll lead you. They might be links shortened using services such as Bit.ly or Unshorten or links that look similar to perfectly legitimate ones but use a variation in spelling or domain.

Use one of these services to check where a link will redirect you:

Other dedicated and useful tools that you can use to detect links to malware websites:

Phishing

Remote screenshots

As an alternative to remotely check where a short link will take you, you can also use a service that remotely takes screenshots of a given website.

This kind of services are usually used by developers, to see how a website will look on different resolutions and browsers used by users, but they can also come in handy when it comes to Internet security.

This way, you’ll see how a website looks like and where you’ll end up if you click on that link, without actually visiting it.

You can use one of these services:

Scan for advanced threats

There are services that will help you check if a website has been reported for phishing, malicious code, unwanted software or has a poor reputation. This way, you’ll know to avoid it.

You can check using one of these:

You can also find useful this list of free online anti-malware scanners.

Safety first
Photo credit

BACKUP, BACKUP, BACKUP

How valuable are the work documents that you keep on your desktop, your email or in the cloud?

What about your collection of photos or private conversations? Would you miss them if they were ever deleted or lost?

What if they were stolen? Or, even worse, encrypted in a ransomware attack?

Stop telling yourself “it can’t happen to me”. The odds for ending up with malware attacks are against you.

And most of these attacks are automated, nobody hand picks you as a victim. It’s enough for you to have files and outdated browsers, plugins or apps. You don’t even have to click or download anything to end up infected – nowadays you can be compromised even on perfectly legit websites.

For example, BBC, The New York Times and AOL were recently hit with a malvertising campaign that delivered notable ransomware to users.

Bad news is that even if you pay the ransom, there’s no guarantee that you’ll receive the encryption key to gain back access to your files. Or the encryption might have gone wrong and corrupted the files. It’s one of the reasons why the FBI advises against paying the ransom.

Let’s not forget about the recent cyber attacks (WannaCry, Petya ransomware) impacting big organizations and institutions (Telefonica, Renault, FedEx, the National Health Service (NHS) in England and Scotland, Maersk, Government of Ukraine, and many more) that saw their computers compromised and lost access to valuable information.

No matter how many Internet security layers you have in place, always have a backup. Set in place at least two automatic backups. If everything else fails, at least you’ll be covered.

It’s not complicated to set them up, you don’t need advanced tech skills. Our colleague Andra explained in a separate blog article how you can easily backup your data.

And here are two more tools that will help you out:

  • Best Backup – helps you choose the backup solutions suited to your needs
  • Spider Oak – backup solution focused on encryption and Internet security

Cloud backup

REPORTING

Although ignored by most people, this step is also important to cyber security. Take your time and file a report if you run into anything that looks fishy.

If you have a hunch that something is wrong and you might have fallen into a trap, immediately contact your bank or credit card institution and close the accounts you believe they may have been compromised.

If this is not the case and you simply ran into spam, scams or phishing attempts, it’s best that you report them to government organizations or even cyber security companies.

Here are some of the places where you can do that:

MISCELLANEOUS

A few tools that didn’t fit into any other major category, but we also wanted to mention them.

  • Eraser – Windows tool that allows you to completely remove data from your hard drive, by overwriting it several times.
  • Cvedetails.com – check how many vulnerabilities your favorite apps have and how severe they are..
  • Header Analysis – analyse email header. And here’s how you can read the header details.
  • Free Shredder Software Programs – A very useful list of 36 free software tools that will help you delete files on your computer.
  • Site Safety – A tool that helps you identify whether a site is safe or not
  • Deseat.me – It help you clean up your online presence
  • IP Feeds – This tool analyzes all security IP Feeds that are related to online attacks
  • WhatisMyBrowser – An online service providing data about your browser’s capabilities.
  • Scrim – This tool helps you convert your email address into a short and safe link

We also recommend checking these quizzes to help you test and update your Internet security knowledge:

For the ones with advanced technical skills, here are some tools that show vulnerabilities in software:


Found this super useful list of free #cybersecurity tools, check it out:
Click To Tweet


Conclusion

In the cyber security game, the good guys and the bad ones constantly try to outrun each other. That’s why you should always remember that no tool is bulletproof. Don’t rely exclusively on a software or an app to keep you safe, as they all have flaws and vulnerabilities.

Instead, try to think and act like a journalist. Question everything that you receive or run into in the digital world, even if it only looks slightly suspicious. Triple check it before you act on it, be sure that you don’t throw yourself into anything fishy.

Continue to improve your cyber education. In time, you’ll train your intuition and it will become increasingly easier to spot potential compromises.

It’s essential that you never give up on healthy Internet security habits. Add as many security layers as possible – onion style – in order to decrease the impact of a potential attack.

Hope for the best and prepare for the worst, right?

This article was initially published by Cristina Chipurici in May 2016 and it was republished in July 2017.

The easy way to protect yourself against malware
Here's 1 month of Heimdal PRO, on the house!
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe

EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.

Try Heimdal PRO

The post The Ultimate List of 50 Free Security Tools, Tested For You appeared first on Heimdal Security Blog.

Lessons From the Cold War: Data Security Through Obscurity

During a long-term project in 2016, my team was tasked with reviewing the security features of a popular Soviet-era GPS satellite constellation. The client used it to obtain more exact positioning for workers who were attempting to locate underground utilities. After much digging and poring over the obscure technical diagrams, we discovered that this particular class of satellites did not encrypt GPS communications to a civilian end-user device — and it never would.

The constellation was not designed to support cryptography or data security of any kind. However, the communications channels were steady and reliable. The constellation was accessible to nearly every hand-held GPS device on the market. The coordinates were seldom (if ever) off — not even by a meter.

This widely used GPS platform had no encryption at all. But how did the communications stay so reliable for over three decades — with no service disruptions, successful hacks that made headlines or global “blackouts”?

Data Security: Lessons From the Cold War

The answer appears to be relatively simple (and is the hallmark of a beautiful mind): All GPS communications are split up into chunks of data and hidden in thousands of bytes worth of garbage. The receiving device is programmed to use the proper phase shift to pick the real data out of the garbage pile and decode the satellite signals.

The design is akin to hiding a needle in a haystack — and it’s brilliant.

This type of out-of-the-box thinking is typical of countries that had little money to spend on scientific advancement during the Cold War but still had a need to maintain a very high level of security. It’s also something the data security field needs to expand.

Why? Many people are paranoid about data in today’s world: personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, social media data, voter data, political donor data, data about the dog, data about the cat — the list goes on. Now with the General Data Protection Regulation (GDPR), it’s all about the “right to be forgotten” — the right to be scrubbed from the historical pages of social media. (Let’s all ignore the fact that social media is used voluntarily.) Every time another set of regulations is rolled out, security professionals have yet another hoop to jump through.

Meanwhile, criminal cartels and crime syndicates just laugh (and laugh) because they don’t think like everyone else — and they don’t play by the rules.

Creative Security Data Strategies

What if today’s data security practices could be changed by a bit of Cold War-era creative thinking? What if data securrity could be personalized and tailored to each individual?

Consider the following security data strategies:

  • Dodgy data scrapers: If governments are going to regulate access to PII, PHI, PCI and the like, then they should also regulate the companies that scrape this data and publish it to search engines. It is an entirely worthless practice to demand companies and hospitals protect the personal information of employees when anyone can type a name into Google and get at least 15 entries from information brokerages that are more than happy to cough up the goods on anyone for $14.95.
  • Secure smartphones: Smartphones should be capable of supporting Vernam ciphers, which is the principle behind a one-time pad, for simple text messaging. Now, there isn’t anything wrong with the SMS equivalent of pretty good privacy (PGP), but one-time pads are the most secure of all. One-time pads could also work on offline personal storage.
  • Homegrown solutions: Homegrown cryptography is generally not a good thing to have in a corporate environment. But considering the increasing number of hacks that target encryption mechanisms, this may become a plausible solution for specific enterprises.
  • Dumpster-worthy data: Cloud providers could scramble all of the customer data that is stored in their cloud by merely dumping several terabytes of garbage into it. Then, if an attacker wants to get at the data, they are going to work for it. Where do you get all that dumpster-worthy data? Simple: Scrape social media posts and sentiments for one week — there will be enough useless information to deter anyone.
  • Extreme data access: Self-brokered data auctions are extreme, but they might be lesser than other evils. The next time a major corporation is hit with ransomware and held hostage, they could just publish all their customer data to the world. There is nothing to hold hostage if everyone has equal access to the data.
  • Empowered drivers: Give consumers who purchase connected cars (i.e., cars that connect to a personal device via Bluetooth or Wi-Fi) the ability to both secure and scramble the data channel between the car and device.
  • Trash brokers: Hire a garbage data broker. If an individual needs to hide personal information (perhaps they have a high-profile job that requires exceptional cybersecurity), have your garbage data broker flood the online market with so much false information that attackers would have to construct algorithms to pick through it all.

Academic institutions, although beneficial for researching new technologies and methods, seldom send researchers outside the polished halls to have discussions with businesses and consumers. It’s only a matter of time before every mathematical method for encrypting and decrypting data is discovered — and methods for constructing and passing synchronous or asynchronous keys is known.

Quantum cryptography, lattice-based cryptography or homomorphic encryption might be the answer. Then again, maybe not. The answer to the future of data security may lie in scientific fields that are not yet known.

The post Lessons From the Cold War: Data Security Through Obscurity appeared first on Security Intelligence.

It’s time to embrace GDPR

The noise around the General Data Protection Regulation (GDPR) has been unavoidable, and for good reason. GDPR is coming into effect in a few short days (May 25 to be exact). The large fines associated with not complying with the regulation have encouraged organizations to prey on the large number of businesses that are unprepared. Everyone claims to have the one cure-all solution that will solve the compliance challenge. The truth is, there’s no universal … More

The post It’s time to embrace GDPR appeared first on Help Net Security.

Why Encryption Is Now a ‘Need to Have,’ Not Just a ‘Nice to Have’

By Linus Chang, CEO and Founder at Scram Software, Cloud-based services are so commonplace today that it’s tempting to simply trust them with your data. After all, everyone else is

The post Why Encryption Is Now a ‘Need to Have,’ Not Just a ‘Nice to Have’ appeared first on The Cyber Security Place.

Insider Threat Controls: What Are the GDPR Implications?

Now that we’ve very nearly reached the deadline for General Data Protection Regulation (GDPR), insider threat management is more crucial than ever. What is an insider threat? It’s when an insider’s credentials and access are used — either directly by malicious actors or indirectly by criminals with stolen or acquired credentials — to obtain sensitive data from an organization.

These threats are especially dangerous when an insider gets hold of access that manages personal data about customers or other employees. This is where GDPR comes into play.

Read the white paper: Prevent Unauthorized Access to Personal Data

CIAM: Doing Something New

At this point, you are likely well-versed on the implications of GDPR for your business. One element is allowing customers in the European Union (EU) to express consent about the management of their personal data, which ties into consumer identity and access management (CIAM), a specific segment within the identity space.

CIAM systems typically collect attributes like name, email address, social network accounts, age, gender and location. But without the user’s explicit consent, the collection of this type of data will likely violate GDPR.

So, what’s needed to align with the new regulation? There must be clear methods for customers to see what personal data is being collected and what the processing activities are on that data. Based on this information, customers should then be able to change or revoke their level of consent.

There has also been a lot of varying industry interest in the CIAM component of GDPR. Many industries are paying close attention — as they know auditors will check what they are doing to achieve GDPR requirements.

Insider Threat Controls

In managing insider threats and becoming GDPR compliant, there are two discovery questions you must begin with: Where is personal data in your company stored? Who has access to that personal data? The answers to these questions will lead to awareness and the ability to take action. They will also confirm whether company insiders have access to the appropriate data.

Personal data can appear in many places:

  • Applications and content, such as records and attributes
  • Unstructured data, such as files and folders
  • Structured data, such as database tables and columns

During the discovery phase, you must be able to look at these three types of data repositories to find personal data. This data could be everything from email addresses to credit card numbers and more. Of course, this will likely require some digging. There could be 2,000-plus files in a folder, but only five might be relevant to GDPR. How do you identify the five out of the 2,000?

GDPR Compliance: Finding the Needles in the Haystack

Identifying personal data is the most critical element of the process — and it’s not an easy job to do. Once you’ve found the personal data, how do you make the information consumable, presentable and understandable for applying controls?

Controls will bring business users to attention, rousing them to make a judgment call. This is where governance comes into play: The three repositories need to converge as one unified, protected user interface. This interface should allow even the least tech-savvy user to understand what they’re looking at and feel confident in determining whether or not the access is appropriate. Dedicated solutions, such as IBM Guardium, could help accomplish this goal.

To remain GDPR compliant, you will need to make sure the right people have access to personal data — and remove those who do not. You can address this requirement through leveraging governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

Deliver awareness and actionable controls to minimize your insider threat exposure. And remember: There is no such thing as a solution that delivers compliance.

Read the white paper: Prevent Unauthorized Access to Personal Data

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

To remain GDPR compliant, you will need to make sure the right people have access to personal data and remove those who do not. You can address this requirement through leveraging
governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

The post Insider Threat Controls: What Are the GDPR Implications? appeared first on Security Intelligence.

America’s Dirty Little Secrets: Opening the Door to Protected Data

It’s 2018. Digital assistants have started taking over our homes, with adoption growing tenfold. These smart speakers know everything about us, from our shopping habits to our music tastes — they likely know more about our daily lives than we do. This ever-growing, ever-changing relationship between humans and devices highlights the importance of protecting data – verbal or otherwise – in the home. With connected devices using our personal data to be the most comprehensive in-home assistants possible, we need to prioritize Internet of Things (IoT) security, awareness and the implications of using such devices.

It’s estimated that by 2022, over half of U.S. households will have at least one smart speaker in their home — that’s over 70 million households, topping 175 million installed devices. These devices are aimed at making our lives easier and more convenient than ever before, but to do so they require that we willingly share access to our personal and private information. Whether it’s banking and home address stored directly on the device, or learnings it’s picked up from our conversations, the amount of private data that these devices carry opens up a new array of threats. New research from McAfee reveals that 60% of Americans have considered their digital assistants could be recording or listening to them. If so, what are the security implications of using a digital assistant?

From answering a quick question to ordering items online, controlling the lights, or changing thermostat temperature, digital assistants have become a pseudo-family member in many households, connecting to more IoT things than ever before. But if one of these devices is breached, it can open up an entire home Wi-Fi network and our valuable information could get into the wrong hands. Beyond this, many Americans have developed a very personal relationship with their devices, with 50% admitting to being embarrassed if friends or family knew what questions they asked their digital assistants. Now imagine if any of that information fell into the hands of cybercriminals — it could open the door to your personal data and threaten your family’s security.

In addition to the sensitive data that our smart speakers have stored, and the conversations they may or may not be recording, there are other security risks associated with this technology in the home. In 2016, it was determined that music or TV dialogue could take control of our digital assistants with commands undetectable to human ears. Known as the “Dolphin Attack,” this occurrence essentially hides commands in high-frequency sounds that our assistant-enabled gadgets can detect, but we are unable to hear. Instances of TV commercials activating digital assistants have already been reported, so we can see how this technique could be quite easy for cybercriminals to imitate if they wanted to access our smart homes’ network.

The growing trend of connecting these always-listening assistants to our home appliances and smart home gadgets is only exacerbating these concerns. Aside from digital assistants, other IoT devices such as game consoles, home security systems, thermostats, and smartphones may be at risk and must be secured to avoid becoming targets for cybercriminals. We must proceed with caution and be aware of who, or what could be listening in order to protect ourselves accordingly. Whenever bringing any kind of new, connected device into the home, prioritize safety and privacy.

Here are some top tips to securely manage the connected devices in your home:

  • Vary your passwords. Create passwords that are difficult to crack to ensure accounts are secure and update your passwords on a regular basis. Use multi-factor authentication whenever possible. Simplify password management by using a password manager.
  • Consider setting up a PIN code. Particularly for voice command purchases. Keep cybercriminals away from your data by setting up an extra layer of security.
  • Invest in a router that delivers security for all your connected devices. It’s important to secure your entire connected home network. And the launch of McAfee Secure Home Platform skill for Alexa is set to make this easier and more convenient than ever before.

Technology is changing our everyday lives but being aware of the security concerns is the key to becoming an empowered consumer.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

The post America’s Dirty Little Secrets: Opening the Door to Protected Data appeared first on McAfee Blogs.

Verifying data processing for privacy and GDPR

GDPR has been a topic of conversation in the security risk and management world since the regulatory action was proposed in 2012. Recent events have led to a greater interest in GDPR as a means to protect personal identity data, especially as the regulation will be put into effect on May 25. With the regulation date quickly approaching, GDPR is having its moment in the public discourse. However, those who work to protect Identity data … More

The post Verifying data processing for privacy and GDPR appeared first on Help Net Security.

Data Security and GDPR: You Can’t Protect What You Don’t Know

Last month, I spoke to an audience of sales and marketing professionals at the General Data Protection Regulation (GDPR) Summit in London. I thoroughly enjoyed the experience. My presentation and live demo focused on data security and how basic defense measures can help with several of the key GDPR obligations.

When GDPR was first discussed, many feared that it would force businesses to be more insular and defensive about their data. Thankfully, the reality has been very different. Instead of seeing GDPR as a threat, many businesses see it as a welcome opportunity to get their house in order and, for once, tackle the thorny question of data protection head-on.

Understanding Your Data Security Posture

At the event I explained that the data security journey should start with understanding your data because you can’t protect what you don’t know. A necessary first step to tackling the GDPR requirements is to identify the personal data and where it is stored. As you get started, it’s also important to assess the other vulnerabilities within your environment and across your data sources to determine where your additional weaknesses are and how to address them. Some examples include missing patches, wrong user privileges and default configurations, such as usernames and passwords.

Once you understand the gaps and exposures, you can take immediate steps to address those gaps and harden the personal data sources. This might involve data minimization, encryption and pseudonymization. For instance, Dutch multinational bank and financial services company Rabobank is working with IBM to use cryptographic pseudonyms on its clients’ personal data to innovate around new financial regulations in the European Union (EU).

The next step is to start monitoring data sources that contain personal data and take action if any suspicious behavior occurs. Monitoring also provides security of processing reports for authorized and unauthorized activities to personal data and enables security teams to detect and investigate data breaches.

Mapping Your GDPR Journey

GDPR compliance is a long journey that involves a combination of adapting processes and procedures and implementing strong technical controls. If you haven’t already done so, this is the time to begin identifying and mapping how all your GDPR-related data is collected and used, where it’s stored, and who can access it. The better you understand where you are in your GDPR journey, the easier it will be for you to identify what you need to do next to reach your destination. That’s where IBM can help you move forward.

For security and privacy leaders who need to address the rules established by the EU GDPR, IBM Security is a trusted solutions provider. With a holistic GDPR-focused framework, offering software, services and GDPR-specific tools, IBM can help organizations prepare to protect personal data and operate in conformance with GDPR requirements — regardless of where they may be in their readiness journey.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Data Security and GDPR: You Can’t Protect What You Don’t Know appeared first on Security Intelligence.

How can blockchain help companies meet GDPR provisions?

Enforcement of the EU’s General Data Protection Regulation (GDPR) is approaching fast, officially affecting foreign and domestic companies starting on May 25. The legislation is meant to give EU citizens

The post How can blockchain help companies meet GDPR provisions? appeared first on The Cyber Security Place.

Critical Data: How Exposed Is Your Personal Information?

Until recently, many of us likely never gave a second thought to the security of our personal data online. Then, when news broke on a largescale social media data breach, millions of users were suddenly outraged and demanded that their information be better protected.

While these scandals have been covered extensively in the media, they actually highlighted a problem that isn’t exactly unique. Almost every organization that holds customers’ critical data is guilty of not doing enough to protect this information.

Most customers don’t know who has access to their sensitive material. The bigger issue, however, is that those in charge of protecting this data may not know who has access either.

Welcome to the Critical Data Show

We like to believe that when we turn our personally identifiable information (PII) over to a company, it is only accessed by those who absolutely must see it. But that’s simply not true: On average, nearly one-quarter of all internal work folders are available to everyone within an organization, according to a 2018 report from Varonis Systems. Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.

Organizations are overwhelmed with unsecured and overexposed data — a problem of its own. Compounding the matter, most don’t realize how much sensitive information is at risk of compromise simply because the wrong person has access to more files than is absolutely necessary. When your critical data is open to everyone in the organization, any data security strategy you have in place to protect it is practically null.

“It only takes one leaked sensitive file to cause a headline-making data breach,” wrote Brian Vecci, technical evangelist at Varonis, in a company statement.

What Do Cybercriminals Want? Critical Data

When they gain access to PII and other sensitive files — such as proprietary research or corporate financial records — cybercriminals can perform a number of sinister acts. They could sell the information on the darknet or use it themselves to directly steal from your bank account. They could also use your research to develop knock-offs of your products or conduct identity theft. Just like burglars who ransack homes or offices, cybercriminals want to find the easiest way inside.

“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files,” wrote John Carlin, former assistant attorney general for national security, in the Varonis statement.

When too many people have access to sensitive files, it opens up more opportunities for a mistake to be made that leads to a breach. It also means that people can see information they shouldn’t be reading and can share that data (perhaps unknowingly) beyond its intended scope.

The 2017 Verizon Data Breach Investigation Report found that 58 percent of its security incidents are the result of insiders, with 33 percent of the incidents resulting from errors — and almost 30 percent from misuse of data. Much of this happens because the wrong people can access sensitive information. Having access to critical medical files across a wide spectrum of employees is necessary. However, when that access isn’t kept in check, it is easy to abuse or open the network to more nefarious actions.

Frightening Concerns: ‘Ghost’ Users and Stale Data

Organizations often continue to hold on to stale data or information that is no longer necessary for business operations. This information is likely no longer monitored. Not only is the company paying to store unneeded data, but it is also opening up this information to insider threats. A nosy or malicious insider could access old records or gather details about former clients or employees without anyone noticing.

Ghost users are also a problem: The Varonis report found that 46 percent of organizations had more than 1,000 users with passwords that never expire. Also, 34 percent of user accounts are enabled on average — but “ghost” users still have access to files and folders. In other words: An employee who has transferred to a new department or left the company still has network access. Again, the doors are left open for someone without permission to read critical data.

With the General Data Protection Regulation (GDPR) going into effect on May 25, organizations that do business with data subjects of the European Union (EU) will have no choice but to address the matter of who has access to critical data. And even if your company isn’t doing business with the EU, your customers want to know their privacy is being protected.

Do you know who can see the sensitive files on your network? If you can’t answer that, chances are PII and other critical materials are being seen by not only insiders but cybercriminals who are grateful for the easy access.

Read the complete Forrester report: The future of data security and privacy

The post Critical Data: How Exposed Is Your Personal Information? appeared first on Security Intelligence.

Spotlight Your Data Within Shadow IT

What you don’t know can hurt you. This slight twist on a commonly used cliché illustrates the difficulties that many organizations experience when trying to secure sensitive data in the cloud.

While there are various hurdles to protecting cloud data, shadow IT is a growing obstacle that often goes undetected because corporate employees are using cloud services that aren’t authorized by IT. Employee usage of popular cloud services, such as file sharing apps and collaboration tools, help to increase workforce productivity. However, the other side of the coin reveals potential compromises in your cloud security, such as data loss, unauthorized access to data, increased exposure to malware infections and violation of compliance regulations when these apps are not recognized by IT.

A 2016 Gartner study estimated that by 2020, one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources. While this statistic helps us comprehend the size and depth of this matter, the story is not complete without understanding employee usage of these cloud services. A 2013 survey by McAfee revealed that over 80 percent of corporate workers store company data in unsanctioned apps.

Today’s organizations must give employees’ easy access to resources to help them remain productive without compromising the security of critical data. As long as this burden exists, shadow IT will run rampant throughout the enterprise.

Shadow IT: You Can’t Protect What You Can’t See

As cloud adoption becomes more prevalent, many companies are forced to address how they will monitor and secure sensitive data moved to the cloud. The growing presence of shadow IT invites both security and compliance risks as organizations store or share their data within unknown cloud services.

Even sanctioned cloud services can expose sensitive data without the proper controls in place. This “shadow data” occurs when users upload, share or store information in the cloud. From employees uploading sensitive data into shadow IT apps without data loss prevention (DLP) controls to users sharing critical or regulated data with unauthorized individuals, companies cannot protect data that don’t have the visibility to manage.

Related to this Article

Managed CASBs Bridge the Shadow IT Visibility Gap

Managed cloud access security brokers (CASBs) help to remediate shadow IT through a combined solution that delivers both the expertise of a managed security services provider (MSSP) and the data protection capabilities of a CASB. A managed CASB acts as a gatekeeper that monitors and safeguards all data traveling between your cloud services and on-premises infrastructure.

The primary benefits of this solution include visibility into cloud applications, use of data security policies to protect sensitive assets, threat protection of malicious user activity and management of compliance regulations.

To secure cloud data and provide visibility into shadow IT, managed CASBs:

  • Identify all cloud services used within the organization.
  • Generate a complete risk assessment of each cloud service to determine which apps should be sanctioned.
  • Employ security policies to monitor usage and protect data within cloud services.

Security is not just a one-time event. As the value and volume of cloud-based critical data increases, so does the need for managed CASB solutions.

Managed Cloud Data Protection (MCDP) from IBM, a managed CASB solution, provides the industry-leading tools, technology, operational experience and expertise security teams need to discover and control shadow IT use. In partnering with CASB leaders McAfee and Symantec, MCDP enforces data security, compliance and governance policies across all cloud apps, users and devices to help organizations manage and adapt their security needs as the technology environment changes.

Watch the on-demand webinar: Protecting Critical Data and Policy Management in the Cloud

The post Spotlight Your Data Within Shadow IT appeared first on Security Intelligence.

4 Social Engineering Tricks That Fool Unsuspecting Employees

Do you have iron-clad defense systems in place to secure your organization? If your employees aren’t trained to recognize some of the most common social engineering tricks, your system still has a wide-open gap.

These tactics help criminals fool unsuspecting employees by getting them to hand over the goods. Social engineers seek access to information, systems or secure buildings — and these criminals get what they want by taking advantage of human psychology.

How to Spot Common Social Engineering Tricks

What are some of the most common tricks used by social engineers? Explore four that frequently trip up well-meaning employees — and learn how to educate users so they can be prepared to ward off these nefarious methods.

1. Going Phishing

Phishing has been around since near the beginning of email — and it is sadly not going anywhere. Approximately 250 million phishing redirection attempts were detected by security firm Kaspersky in 2017. Phishing techniques have evolved and become more sophisticated over the years. Spear phishing, for example, refers to a phishing email that is created with specific information intended to fool a specific target.

According to the Infosec Institute, attackers use email, SMS, social media and instant messaging to trick victims into providing sensitive information or visiting a malicious URL in an attempt to compromise their systems.

Do any of these email subject lines sound familiar?

  • Your account has been locked! Click here to gain access and unlock it.
  • You owe the Internal Revenue Service $2,300 in taxes. See the notice in this attachment — pay now or face jail time!
  • Someone sent you $1,000. Click here to claim your money!

What can you do to combat this trick? Educate employees to notice the hallmarks of phishing emails (e.g., misspellings) and make sure they understand that certain official transactions just don’t take place via email. A bank, for example, will never email to advise of an account lock. If the employee is concerned, he or she should contact their bank directly and never click on a link or an attachment in a suspicious email.

2. The Other Kind of Tailgating

Gaining access to a secure office or building is often just as lucrative for a criminal as getting into a computer. Many social engineers take advantage of smoking areas or busy doorways to trick employees into letting them into unauthorized places.

The ruse goes like this: The criminal smokes a cigarette in an area where smokers who work in the building take their breaks. When the employees finish, the attacker slips in with them when they use their access badges to open the door. No one suspects the casual fellow smoker! Tripwire outlined another technique that involves a social engineer posing as a delivery person.

What can you do to combat this trick? Let employees know that even if someone looks OK, it is important to follow the rules for building access. If someone asks to be let in because he or she has a delivery — or because he or she claims to have forgotten their access badge — the employee must verify their identity first.

3. Crank Call: Phone Impersonation

One common scenario involves a social engineer who calls and claims to be IT support.

“Hello, this is the help desk,” he or she will say. “We’re noticing some strange activity to your machine. We need access.”

The helpful employee will begin to work with the technically savvy criminal to allow him or her remote access. Then, it’s all over! Once he or she gets into the machine, the social engineer has access to all the files and systems.

According to CSO, a social engineer might also call and pretend to be a fellow employee or a trusted outside authority, such as a law enforcement officer or an auditor. A social engineer might learn the corporate lingo to make the person on the other end think he or she is an insider. Another successful technique involves recording the “hold” music a company uses.

What can you do to combat this trick? Employees should be aware that phone scams are a common tactic of criminals. As with tailgating, they must be trained to verify. That doesn’t mean calling the person back at a number he or she provides — because criminals are prepared for this. It means getting off the call, calling the corporate number listed for the actual help desk and asking them to confirm someone is trying to reach them about their machine.

Related to this Article

4. Oversharing: Social Media Pretexting

Criminals often create fake social media profiles to collect information from people they connect with for later use. By learning more about their targets (e.g., where they work, where they live, whom they know), criminals can send convincing messages asking for money — or encouraging their victims to click on malicious links or download malware-laden documents. On LinkedIn, for example, a criminal might send fake job inquiry with bad links in the message.

What can you do to combat this trick? Employees must understand that the more they post about themselves on social media, the more information they are giving to potential hackers. This information can be used to exploit them or their employer. While sharing is the wonderful experience inherent to social media use, it also comes with risks. A user should always have their guard up during interactions with new connections, and all communications should be verified. Privacy controls should be checked regularly and secured as tightly as possible.

Social engineers will always have a new trick up their sleeves but learning about some of the most common tactics could help you — and your employees — stay one step ahead of modern criminals.

Listen to the podcast: Social Engineering 101 — How to Hack a Human

The post 4 Social Engineering Tricks That Fool Unsuspecting Employees appeared first on Security Intelligence.

Are you ready for the GDPR deadline?

The General Data Protection Regulation (GDPR) compliance deadline looms four days away, but only 29 percent of companies will be ready, according to a new global survey by ISACA. Not only are most unprepared for the deadline, but only around half of the companies surveyed (52 percent) expect to be compliant by end-of-year 2018, and 31 percent do not know when they will be fully compliant. Top GDPR challenges According to the research, the top … More

The post Are you ready for the GDPR deadline? appeared first on Help Net Security.

Kaspersky Lab official blog: GDPR is coming

In less than a week, the European Union’s General Data Protection Regulation (GDPR) will come into effect. Therefore, businesses operating in Europe — or just processing or collecting European citizens’ personal data — need to comply with this directive starting May 25.

There is no universal advice on what you should do to comply — it depends on your business and your processes. However, it is clear that from now on, data protection will have to be a major priority as cybersecurity’s significance grows. We have prepared a small infographic as a reminder of what GDPR is and what businesses can do to boost personal data security.

Our next-generation technologies and solutions can help your organization achieve its cybersecurity goals as part of its overall GDPR-compliance strategy.



Kaspersky Lab official blog

Ready to Try Threat Modeling? Avoid These 4 Common Missteps

More organizations are using a threat-modeling approach to identify risks and vulnerabilities and build security into network or application design early on to better mitigate potential threats.

“Threat modeling gives you the way of seeing the forest, and a frame for communicating about the work that you (and your team) are doing and why you’re doing it,” said Adam Shostack, president of Shostack and Associates, in an article for MIS Training Institute. “More concretely, [it] involves developing a shared understanding of a product or service architecture and the problems that could happen.”

Threat Modeling Missteps

The benefits seem clear, but it’s still a relatively new strategy. So, you can expect a few stumbles along the learning curve. Here are four common threat-modeling missteps — and how to avoid them.

1. Thinking One Size Fits All

“There are so many different ways to threat-model,” said Shostack. “I routinely encounter people who read the same advice and find it doesn’t quite work for them.” Approaching threat modeling as a single, massive complex process is overwhelming and sets you off on the wrong foot, he stressed.

“I think the biggest thing I see is people who treat it as a monolith,” said Shostack. “We need to communicate the steps as if they are building blocks. If one doesn’t work for you, don’t throw out threat modeling. There is no one-size-fits-all approach.”

One well-known approach is STRIDE:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of privilege

Of course, this may be more appropriate for some teams than others. Regardless of approach, Shostack advises teams to look at the process as a set of building blocks that go together and break the process up into easily digestible chunks.

2. Starting With the Wrong Focus

When getting started, should you focus on assets? No. What about shifting your focus to thinking like an attacker? No again. Why?

“It’s a common recommendation, but the trouble is it’s hard to know what an attacker is going to do. It’s hard to know what their motivations are,” said Shostack. “For example, when SEC [Syrian Electronic Army] took over the Skype Twitter handle (in 2014), no one expected they were going to break into the law enforcement portal at the same time. Focusing in on the attacker might have distracted people from what they would do — rather than theorizing about their motivations.”

Shostack advocates for starting the process with software at most organizations.

“People building software or systems at a financial institution, a supply chain or a healthcare company should start from the software they’re building because it’s what they know best,” he noted in a post for The New School of Information Security blog. “Another way to say this is that they are surrounded by layers of business analysts, architects, project managers and other folks who translate between the business requirements (including assets) and software and system requirements.”

3. Neglecting the Business Side

Threat modeling is pointless if solely focuses on the network and applications, believes Itay Kozuch, director of threat research at IntSights.

“Many teams conduct common assessments from their network,” said Kozuch. “But it must come from the business side too. When an organization is trying to evaluate risk and do threat modeling, they need to understand the complete assets of the organization. That means not just IT — but on the business side as well.”

This means going beyond just the technology in the threat-modeling process. Failing to involve all of the business’s key stakeholders, Kozuch stressed, leads teams to incorrectly calculate the probability of the threats that need to be considered. He believes there are a lot of angles and perspectives for every threat.

“Management must be part of it,” said Kozuch. “It is a business issue. Risk is there because of business.”

4. Miscalculating the Shelf Life of Results

“Threats are always changing,” said Kozuch. “Often — even soon after you’ve completed the process — the results are no longer valid. You can’t base the next few years off of what you’ve uncovered because it doesn’t represent future threats.”

Archie Agarwal, founder and CEO of ThreatModeler Software agrees. A threat model, he said in a post for CSO, cannot be static. He cautioned that you can’t take a critical application, do a threat model on it once and assume you are done.

“Your threat model should be a living document,” Agarwal said. “You cannot just build a threat model and forget about it. Your applications are alive.”

Wherever you are in your exploration or implementation of threat modeling, there are many resources out there to help you get started. Check out this series on threat modeling basics for an overview of approaches and essential elements for a successful program.

The post Ready to Try Threat Modeling? Avoid These 4 Common Missteps appeared first on Security Intelligence.

Five Final Checks To Ensure GDPR Compliance

It is just one week until the EU update to General Data Protection Regulation (GDPR) compliance deadline of 25 May. The build-up to this date has already seen vendors offering

The post Five Final Checks To Ensure GDPR Compliance appeared first on The Cyber Security Place.

Most firms struggle to comply with GDPR deadline

With GDPR coming into effect in just over a week from today, 85 percent of firms in Europe and the United States will not be ready on time. Additionally, one in four will not be fully compliant by the end of this year. Capgemini’s Digital Transformation Institute surveyed 1,000 executives and 6,000 consumers across eight markets to explore attitudes to, readiness for, and the opportunities of GDPR. A race against the GDPR clock With the … More

The post Most firms struggle to comply with GDPR deadline appeared first on Help Net Security.

Achieving More Effective Security With Collaborative Defense in Depth

The cybersecurity industry today remains fragmented, with some organizations having as many as 85 security tools from 45 different vendors. Many of these technologies have been acquired over multiple years to address specific challenges across the complex threat landscape. Each new product needs to be properly installed, configured and managed over its life cycle — and many of these technologies sit in silos, which limits their ability to deliver more effective security.

At the same time, highly collaborative cybercriminals are launching sophisticated attacks that are hard to see and stop, and traditional security practices are unsustainable. That’s why security teams must adopt a new strategy that is rooted in collaboration — an approach that connects the dots across products, people and processes for faster, more effective threat detection and response.

Collaborative Defense: External and Internal Pressures

Every day, we hear about new breaches that impact organizations’ reputations, bottom lines and supply chains. What’s more, these breaches affect customer sentiment, particularly incidents that expose personally identifiable information (PII).

With the number of Internet of Things (IoT) devices forecast to reach 20.4 billion by 2020, according to Gartner, keeping these devices secure will become an even greater challenge. Cybercriminals will undoubtedly continue to collaborate on the darknet to obtain and exchange this high-value PII and use social engineering to steal records to the tune of trillions of dollars.

Compliance mandates will also be a top priority and challenge for organizations. The General Data Protection Regulation (GDPR), for example, will go into effect on May 25. This mandate doesn’t just impact European countries — any organization that process, stores or uses data related to European Union (EU) citizens must be compliant.

Organizations are also struggling to cope with the growing skills gap in cybersecurity, both in terms of the sheer quantity — there will be 1.8 million unfilled positions over the next few years — and the associated expertise. This lack of resources is compounded by the growing number of disparate security tools and alerts. Still, many organizations attempt to integrate these products themselves by purchasing even more solutions.

Listen to the podcast: Collaboration — The Secret to More Effective Security

Advanced Threat Detection and Response

There is somewhat of a misconception around product coverage in many of today’s organizations. Are you really protected by simply checking the box and having an array of products across endpoints, networks, users and cloud? It’s absolutely critical to have that coverage, but it needs to be in conjunction with products integrating together to deliver best-of-suite solutions that translate into more effective security.

Here are some key questions to consider:

  • Are your security products working together across teams — or do your IT and security teams work in silos?

  • Are those same products working together across all your locations and heterogeneous platforms?

  • Do your security tools integrate in a manner that provides the security operations center (SOC) with real-time visibility and control across the diverse threat landscape?

  • Is your organization moving away from compliance-based security and moving toward a more threat-aware, risk-based security approach?

Security must become more agile to account for the diverse threat landscape while enabling organizations to thrive. This includes a deeper integration of technologies to deliver repeatable use cases centered on better threat detection and response.

As a foundation for integrated security, organizations should leverage a security intelligence platform that can apply real-time analytics and correlate the massive amount of threat information across users, endpoints, networks and cloud. This comprehensive platform must be able to sense, track and prioritize the most significant alerts that pose the greatest risk to enterprise data.

Additionally, security leaders should infuse artificial intelligence (AI) into their strategy to aid analysts in threat investigation, enabling them to rapidly and confidently understand scope and veracity of threats, including links to broader malware campaigns. This is critical against the backdrop of the cybersecurity skills shortage and the troves of untapped threat intelligence data that AI platforms can ingest, analyze and understand at unprecedented speed and scale.

The above factors can significantly aid security analysts, but what does your incident response plan look like? An orchestration layer that is architected in with a security information and event management (SIEM) solution can help bridge the gaps across people, processes and technology to enable organizations to rapidly respond to threats with confidence.

Collaborative Defense in Depth

A dynamic security analytics platform that embeds AI and integrates orchestration across the diversity of threats (as well as people and processes) can help set the foundation for a strong security strategy. Collaboration is the glue that integrates disparate point products in a manner that extends their security capabilities beyond what each technology could provide on its own.

At the product level, more open collaboration is critical to the evolution of security technology. Over the past few years, IBM has invested in technologies and partnerships to achieve this goal. One powerful collaborative defense technology is the IBM Security App Exchange, an ecosystem for the entire security community, including IBM and its partners and vendors, to develop and share applications that integrate with IBM Security solutions. To date, the App Exchange has 140 partner and IBM apps and over 100,000 downloads. These apps are extensively tested and validated before they are published on the App Exchange.

An example of the value of the IBM Security App Exchange is the recent launch of the Cisco ISE App for QRadar, which gives security analysts insights into risky users and devices, resulting in faster threat detection and containment and policy enforcement. This app enables analysts to rapidly drill down from QRadar into ISE pxGrid for deeper, faster analysis of policy violations and then remediate affected users and devices — all in a single integrated dashboard.

To learn more about the ISE + QRadar app and how collaborative defense in depth can strengthen your security, register for the IBM Security + Cisco webinar on June 15.

Register for the June 15 webinar: Cisco Security Integrations with IBM QRadar SIEM & IBM Resilient

The post Achieving More Effective Security With Collaborative Defense in Depth appeared first on Security Intelligence.

Most businesses believe stronger data protection policies will lead to fewer breaches

In light of new data privacy legislations, a new Webroot report looks at how businesses in the U.S., U.K., and Australia are adjusting to new data security measures in order to meet compliance requirements. Specifically, the report measures organisations’ readiness to comply with the General Data Protection Regulation (GDPR), and Australia’s Notifiable Data Breaches (NDB). The results reveal that 95 percent of IT decision makers (ITDMs) surveyed agree that there will be fewer data breaches … More

The post Most businesses believe stronger data protection policies will lead to fewer breaches appeared first on Help Net Security.

GDPR will help businesses boost security

The upcoming regulation presents an opportunity for businesses to improve data privacy and security.Over half (60%) of organisations are embracing the General Data Protection Regulation (GDPR) as an opportunity to improve

The post GDPR will help businesses boost security appeared first on The Cyber Security Place.

Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with user’s private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All device passwords need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.

McAfee Blogs: Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with user’s private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All device passwords need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.



McAfee Blogs

72 Hours: Understanding the GDPR Data Breach Reporting Timeline

We’re down to the wire with respect to the General Data Protection Regulation (GDPR) compliance deadline of May 25, 2018.

Organizations that fail to comply could face fines of up to €20M (roughly $22M) or 4 percent of their annual global turnover from the prior year and we’ll soon see just how EU regulators will enforce the GDPR regulations.

One of the more notable provisions of the GDPR is Article 33 or the mandatory 72-hour breach reporting requirement. Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and, where, feasible, not later than 72 hours after having become aware of it.” We recently launched a new infographic that summarizes the various requirements and response mechanisms related to this rule, and we’ll aim to now help you break down the requirements under the rule, and how to effectively prepare.

72 Hour Countdown

Simply put: Under GDPR requirements, organizations have just 72 hours to gather all related information and report data breaches to the relevant regulator. This is a significant undertaking for any organization and involves the development and provisioning of a comprehensive containment plan. Here’s a simple example:

 

The steps are pretty clear: Carry out an investigation, quickly inform regulators and individuals of a breach, and be specific with respect to what data was impacted and how the issue will be addressed moving forward… all within 72 hours. It’s worth noting that if — for whatever reason — a notification is not made within the 72-hour window, the GDPR requests that the controller provide reasonable justification for the delay; potentially adding additional disruption to regular business operations and exasperating administrative hassle.

GDPR Article 33 also specifies what type of information the notification must include. At a minimum, the data protection authority will expect to see:

Clearly, the information expectations are high, and the timeline is quite short- thereby posing a significant challenge to the organization as it scrambles to meet the requirements while trying to simultaneously address the issues associated with the breach and maintain ongoing operations.

Further, for security teams, in particular, the challenge of identifying data breaches becomes even more pressing, given that many data breaches are not discovered for weeks, months and sometimes years. Even then, once breaches are discovered, understanding the impact and reporting in accordance with the Article parameters – i.e., who’s been affected, what data was breached, how it happened, and how to remediate the situation – within 72 hours may be a daunting task.

So, what can organizations do to navigate the GDPR’s data breach notification requirements and minimize their impact? Put differently, how can they reduce the risk and fallout associated with a data breach and the subsequent 72-hour reporting notification requirements:

Identify Suspicious Data Access

To ultimately detect and report on a data breach you need to be able to answer the question of whether or not your data has actually been accessed, and if the access is truly suspicious in nature. Therefore, it is important to have a handle on the appropriate approvals, intent, and actions of every user within your organization to ensure internal and approved/intentional users, and unintentional insider threat risks are accounted for. You need to fully understand what users are doing with enterprise data, so you don’t miss the vital context associated with a breach incident.

Detecting suspicious data access can be challenging, as organizations have to give employees access to data to perform their job. The key lies in implementing appropriate policy, process, training, and technologies to help determine what authorized, day-to-day data access looks like, and detect anything that might be abusive.

Prioritize and Categorize True Incidents

Today’s security teams are typically inundated with information and alerts related to activity and incidents associated with data access and use within an organization. With privacy requirements and industry regulations such as GDPR tightening the reigns and requiring transparency and detailed reporting on data breaches; the ability to effectively (and efficiently) sift through volumes of daily alerts to determine which qualify as a ‘true’ incident becomes critical. Furthermore, in many cases, security professionals do not have the context needed to identify and prioritize critical incidents as they’re not database experts and don’t have deep knowledge of what is and isn’t okay.

This is where database monitoring technology, machine learning, data access processes and analytics come into play. Understanding access requirements and processes and leveraging purpose-built technologies to enable the implementation and monitoring thereof help to easily distill billions of data access events into a small number of ‘real’, actionable, high-value events. They improve the fidelity of alerts and allow you to focus on incidents that matter, reducing the time it takes to investigate potential breaches and increasing the effectiveness of security teams. Trying to accomplish this without the aid of technology comes with an increased cost, resource time, and risk.

Monitor & Log Access and Activity

Monitoring is a key piece of the puzzle in terms of adhering to the 72-hour rule; that is, the monitoring and detecting of incidents, and the effective and efficient reporting of those that are material and true under the requirements of GDPR. In order to determine whether data access and activity is good or bad, companies need to continuously monitor data access and capture/record/log those events — which will also serve organizations well with respect to their reporting and proof of best efforts in the event of a data breach and GDPR compliance violations.

The question is: how can you determine if something is good or bad if you don’t even know about it? The key is database monitoring as it provides a critical foundation that gives you the necessary visibility and confidence that your data is secure, and your compliance is in check. It’s not a simple exercise, however, as you need to monitor all users, including applications that access data and privileged users, and all databases… ALL THE TIME.

Sure, this can be a daunting task, but one that can be augmented greatly with effective data security tools like database monitoring and activity reporting technologies. The ability to accurately monitor, detect, and prioritize access and activity is the key to accelerate breach detection without causing business disruption. In the meantime, the solution can automatically collect all the breach details and allow you to provide a detailed report internally and to the regulator under the provisions of the 72-hour requirement.

Provide the Forensic Report

Additionally, GDPR requires that data controllers document not only the facts relating to the breach but also its effects and all related impact information and remedial action taken; and then report all of this activity in writing. As previously outlined, Article 33 requires the reporting of specific information related to the breach, including (among other things):

  1. The nature of the breach
  2. The likely impact and consequences of the breach
  3. The measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects

The information needed to support this requirement comes in the form of a forensic report, conducted either internally, or by third-party expert support. The forensic report is what the investigators provide and helps organizations understand how the attack happened, what vulnerabilities were exploited, what data was compromised, etc. By continuously and effectively monitoring and logging all data access, organizations can better understand the specifics of what was compromised, by whom, and how in a much quicker fashion; thereby shortening investigation time and compliance with the 72-hour requirement.

Technologies to Support Compliance

Supporting GDPR compliance overall, and the requirements under Article 33 requires a variety of process and procedure enhancements, along with a robust and multi-layered data security strategy- one that leverages robust, proven, and GDPR-supportive technologies.

Imperva offers a host of data security solutions that can help with these challenges and support your efforts in better monitoring your data and suspicious activities, helping shorten both identification and investigation times. This is now made even easier with our out of the box GDPR monitoring compliance capabilities and a robust reporting set that provides details on who accessed what data and when. Effectively implementing these tools will get you on the right track as you prepare for the 72-hour GDPR breach notification requirements.

Contact us to learn more about Imperva’s GDPR compliance capabilities and explore our data security solutions in detail.

More on the GDPR:

Achieving GDPR Compliance: The Spark That Will Light a Fire of Change

It is said that innovation and creativity best flourish under pressure and constraint. Think about what the engineers and flight controllers had to do during the Apollo 13 moon mission after an explosion on the vessel. They were constrained by time, fuel, air and many other factors. They had to do things that had never been done before to save the lives of the astronauts.

Another example is the movie “Jaws.” The mechanical sharks used for the movie were extremely problematic, so director Stephen Spielberg changed the way he made the movie, using the shark only sparingly to create a more dramatic impact. Arguably, this actually created a better movie.

As a final example, American musician Jack White has said that it is essential for him to use things like self-imposed tight deadlines to force his creative hand. He said that having all the money, time or colors in the palette ultimately kills creativity.

The process of complying with General Data Protection Regulation (GDPR) could present organizations with this same type of unexpected opportunity. IBM Security and the IBM Institute for Business Value wanted to understand if there was a group of organizations that was using their GDPR preparations as an opportunity to transform how they were approaching security and privacy; data and analytics; and customer relationships. Were organizations turning this compliance challenge into an impetus for broader transformation?

To answer this question, we surveyed 1,500 GDPR leaders — such as chief privacy officers (CPOs), chief data officers (CDOs), general counsels, chief information security officers (CISOs) and data protection officers — representing 15 industries in 34 countries between February and April 2018. We wanted to capture their practices and opinions as close to the May 25 GDPR compliance deadline as possible.

The results of that research are captured in the new report, The End of the Beginning: Unleashing the Transformational Power of GDPR.

Common GDPR Compliance Challenges

During the last couple years as organizations have been preparing for GDPR, they have been tested by both the effort involved and the cost of compliance. Organizations have been busy changing processes and developing new ones; creating new roles and building new relationships; training employees; and deploying new tools and technologies. Hopefully, all this can be leveraged for more than just compliance.

IBM’s CPO, Cristina Cabella, agrees. She has said, “In the market, I see GDPR as a great opportunity to make this culture shift and make privacy more understandable and more leveraged as an opportunity to improve the way we protect data, rather than be perceived as a very niche area that is only for technical experts … So, I think it is a great opportunity in that sense.”

The first thing we found was that many organizations still have a lot of work to do before they can achieve full GDPR compliance, even at this late a date. Only 36 percent of surveyed executives say they will be fully compliant with GDPR by the enforcement date and nearly 20 percent told us that they had not started their preparations yet, but planned to before the May deadline. Organizations could be waiting because of a lack of commitment from organizational leadership — or they are willing to risk taking a wait-and-see approach to see how enforcement works.

Using GDPR Compliance as an Opportunity for Innovation

And yet there was some good news in our respondents’ views of GDPR. The majority held a positive view on the potential of the regulation and what it could do for their organizations. Thirty-nine percent saw GDPR as a chance a transform their security, privacy and data management efforts, and 20 percent said it could be a catalyst for new data-led business models. This is evidence that organizations may see GDPR as a means to improve their organizations in the longer term by enabling a stronger overall digital strategy, better security, closer customer relationships, improved efficiency through streamlined data management and increased competitive differentiation.

In our research, we identified a group of leaders who met a specific set of criteria and see GDPR as a spark for change. Among other insights, we found that:

  • Eighty-three percent of GDPR leaders see security and privacy as key business differentiators.
  • Nearly three times more GDPR leaders than other surveyed executives believe that GDPR will create new opportunities for data-led business models and data monetization.
  • Ninety-one percent of GDPR leaders agree that GDPR will enable more trusted relationships and new business opportunities.

We have crossed a threshold and entered a new era for data, security, privacy and digital customer interactions. While many organization may not have completed all GDPR compliance activities yet, it is vital for organizations large and small to ask themselves how GDPR can help position them for long-term success by unlocking new opportunities and unleashing their creativity.

To learn more about how organizations are using GDPR to drive transformation, please register for the May 22 live webinar, The Transformative Power of GDPR for People and Business, and download the complete IBV study.

Read the study: The End of the Beginning — Unleashing the Transformational Power of GDPR

The post Achieving GDPR Compliance: The Spark That Will Light a Fire of Change appeared first on Security Intelligence.

GDPR compliance: Identifying an organization’s unique profile

After a two-year transition period, the General Data Protection Regulation (GDPR) becomes enforceable beginning 25 May 2018. Presumably, many large companies have been working on a compliance program for months now. As the deadline approaches, many organizations are finding that ensuring compliance is a more complex endeavor than they had initially expected. GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC), and the new regulation imposes a substantial increase in requirements, reflecting major technological changes … More

The post GDPR compliance: Identifying an organization’s unique profile appeared first on Help Net Security.

Playing It Smart for Data Controllers and Processors

Lots of people have been asking me lately about managing vendor relationships with General Data Protection Regulation (GDPR) in the mix. I tell them to think about watching a group of kids playing a board game where the kids have come up with their own rules. Those kids are having a great time until an adult steps in and tells them they need to play by the rules that came in the box.

At first, there’s going to be lots of frustration. Some kids may throw tantrums and leave the game, but others will decide to figure out how the rules change things. In the end, there’s a good chance they agree that the new rules actually make the game more fun. Even the kids who walked away are likely to end up rejoining. And then they all live happily ever after.

Of course, in real life, nothing is ever that simple.

So, when it comes to GDPR, how do we change the game midplay and deal with new obligations regarding controller and processor governance?

Defining the Roles of Data Controllers and Processors

Let’s start by defining what GDPR means when it refers to data controllers and processors:

  • A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

For example, a department store (controller) collects the data of its customers when they make purchases, while another organization (processor) stores, digitizes and catalogs all the information produced by the department store. The processors can be data centers or document management companies, but both the controller and the processor are responsible for handling the personal data of the store’s customers.

In the pre-GDPR world, European Union (EU) data protection responsibilities were outlined in the Data Protection Directive (officially Directive 95/46/EC), and controllers were responsible for compliance. Now, however, both data controllers and data processors have a shared level of responsibility and duty. They need to be in sync about what personal data is transferred and how it’s transferred, processed (respective of all active data subject rights and choices) and reported (providing accountability, access control and incident breach reporting). That means managing your entire data supply chain, regardless of where in the world the data processors and other parties are located. And there’s one more thing: Now you’ll likely need to have a contract in place unless the controller and processor are part of the same organization.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Developing a GDPR Governance Plan

Given all these changes, here are some things to keep in mind when you’re deciding how to develop your controller and processor governance plan.

Cover the Basics

Start with some basic rules. In general, you should consider three stages for your vendor compliance program: contractual readiness, ongoing governance, and compliance and audit. Contractual readiness entails enhancing your contractual relationship with your vendor in accordance with the tougher provisions of the GDPR statutes. Ongoing governance means enhancing your vendor prequalification and onboarding programs. And when it comes to compliance and auditing, consider which tools and processes you’ll need to implement to ensure your vendors are meeting their obligations and providing audit trails where necessary.

Classify Vendors by Risk Level

Take a time-out to create buckets so you can classify your vendors according to categories and their potential level of risk. You might want to consider what kind of data they collect, manage or process, the type and volume of processing involved and where that data is going to end up. It’s possible that you’ll need to take these steps more than once for a single vendor. For example, you could have multiple types of relationships with the same vendor, who might be providing both support and development — or even hosting.

Contact Your Vendors

Decide how you plan to contact vendors and which contracts you’re likely to put in place. If you’re a processor, you may want to reach out to your data controllers to get the ball rolling if they haven’t already done so.

Define Your TOMs

Bring your buddy TOM into the game. As you may recall from our earlier blog posts, TOM stands for technical and organizational measures. These are the uniform practices and standards you should require your vendors to adopt. If you’re a controller, be sure to have your TOMs well-defined and identify the specific controls you need. And if you’re a processor, take the time to assess your current contracts and any existing controls that could help meet these new obligations. It’s all good preparation for vendor discussions.

Communicate

If you’re a controller, you should create a formal communication plan for contacting vendors. For example, you could launch a mass mailing that sets out the new contract, terms and TOMs. Then confirm that the documents were received by the right individual and track your progress until you’ve succeeded in reaching everyone on your list.

Processors should review the new controls with everyone on their team, including the appropriate IT and security people. You should also perform a gap analysis and create an implementation plan that includes monitoring and reporting. Anticipate — and prepare for — controller audits and complaints from controllers or the Data Protection Authority (the GDPR-designated regulator).

Educate

As a controller, be aware that your smaller vendors may not even know about GDPR — so don’t assume otherwise. Consider providing some of the same training that you gave your employees. You’ll also want to educate your vendor management team, along with your marketing, human resources and product development groups. They often have greater insight into the nature of the supplier relationships, the types of data being handled and the relative maturity of the vendor. And that can help determine how you work with your vendors and handle any issues that may arise.

Document Your Moves

Create a central supplier lookup repository to help you gain visibility into your vendors. It should provide details about who has been notified, signed a contract, completed education and who has been audited. It should also include information about any exceptions that need to be addressed. And if you’re a controller, your repository should also provide a link into your data mapping repository, since Article 30 of GDPR requires that you identify both those processors who work with personal data and any additional vendors that may be involved.

Stay in the Game

If you’re a controller, you should specify the types of audits you’re planning to conduct, how frequently you plan to conduct them and how you’re going to track your progress. And you need to figure out how you’ll deal with vendors who aren’t meeting their obligations. Meanwhile, if you’re a processor, you need to determine who’s going to handle your audits.

In conclusion, vendor management requires an ongoing vendor governance and compliance program.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Playing It Smart for Data Controllers and Processors appeared first on Security Intelligence.

Chili’s Restaurants Hit by Payment Card Breach

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

read more

Syn/Ack Unique Proactive Protection Technique

McAfee’s Advanced Threat Research team has performed analysis on samples of Syn/Ack ransomware implementing Process Doppelgänging.  For those who are concerned about the potential impact of this ransomware but are currently unable to implement McAfee product protections, we have found a simple but interesting alternative method.  Prior to encryption and ransom, the malware first checks if one of several hardcoded keyboards or languages is installed on the target machine.  If found, the malicious code will terminate, effectively resulting in an extremely simple “patch” of sorts. We have tested the following steps to be effective on several versions of Windows 7 and theoretically on Windows 10 – preventing the malware from encryption and ransom.  These steps can be taken proactively.  Due to limited scope of testing at this time, this technique may not work on all systems, release versions, and configurations.

Windows 7 – Adding Keyboard Layout:

Control Panel > Clock, Language, and Region > Region and Language > Keyboards and Languages

Click the “Change Keyboards” tab

In the Installed Services section click “add”

Select Keyboard – For example: Russian (Russia) > Keyboard > Russian

Click “Ok”

Click “Apply”

Click “Ok”

Here is the list of keyboards layouts you can add – any will suffice:

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cryillic, Uzbekistan)
  • Uzbek (Latin,Uzbekistan)
  • Russian
  • Tajik

Windows 10 – Adding Language Support:

Control Panel > Language > Add a language

  • Armenian
  • Azeri, (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cryillic, Uzbekistan)
  • Uzbek (Latin,Uzbekistan)
  • Russian
  • Tajik

That’s all it takes!  Please note – this should not be considered a fully effective or long-term strategy.  It is highly likely the malware will change based on this finding; thus, we recommend the McAfee product protections referenced above for best effect.

The post Syn/Ack Unique Proactive Protection Technique appeared first on McAfee Blogs.

Connect the Dots: IoT Security Risks in an Increasingly Connected World

Nowadays, there is a lot of noise about the Internet of Things (IoT), as the technology has finally emerged into mainstream public view. IoT technology includes everything from wearable devices equipped with sensors that collect biometric data and smart home systems that enable users to control their lights and thermostats to connected toothbrushes designed to help improve brushing habits. These devices typically come with built-in electronics, software, sensors and actuators. They are also assigned unique IP addresses, which enable them to communicate and exchange data with other machines.

IoT devices make our lives easier. Smart home technology, for example, can help users improve energy efficiency by enabling them to turn on (and off) lights and appliances with the tap of a touchscreen. Some connected devices, such as smart medical equipment and alarm systems, can even help save lives.

However, there are also serious security risks associated with this technology. As the IoT ecosystem expands, so does the attack surface for cybercriminals to exploit. In other words, the more we rely on connected technology in our day-to-day lives, the more vulnerable we are to the cyberthreats that are increasingly tailored to exploit vulnerabilities and design flaws in IoT devices.

This presents a daunting challenge for cybersecurity professionals. They must not only protect their own devices, but they must also defend against threats targeting external machines that might connect to their networks.

Avoiding IoT Security Pitfalls

Potential consequences of an IoT data breach include loss of sensitive personal or enterprise information, which can lead to significant financial and reputational damage, massive distributed denial-of-service (DDoS) attacks designed to take down major websites and more. These incidents often stem from misconfigurations, default or easy-to-guess passwords and inherent vulnerabilities in the devices themselves.

Although many experts are calling for regulatory bodies to implement industrywide standards to hold IoT device manufacturers and developers accountable for these pervasive flaws, progress has been slow on that front. In the meantime, IT professionals and device owners must take security into their own hands by following basic IoT best practices.

The most important rule of thumb for IoT devices manufacturers is to test security during each phase of the development process. It is much easier (and less costly) to nip security issues in the bud during the prerelease stages than to waste resources fixing bugs after devices have infiltrated the market. Once developed, devices should undergo rigorous application security testing, security architecture review and network vulnerability assessment.

When devices ship to end users, they should not come with default passwords. Instead, they should require users to establish strong, unique credentials during the installation process. Since IoT devices collect so much personal data, including biometric information, credit card details and locational data, it’s important to embed encryption capabilities according to the least privilege principle.

Protecting Data Privacy

For organizations deploying IoT technology, it’s crucial to establish an incident response team to remediate vulnerabilities and disclose data breaches to the public. All devices should be capable of receiving remote updates to minimize the potential for threat actors to exploit outlying weaknesses to steal data. In addition, security leaders must invest in reliable data protection and storage solutions to protect users’ privacy and sensitive enterprise assets.

This is especially critical given the increasing need to align with data privacy laws, many of which impose steep fines for noncompliance. Because some regulations afford users the right to demand the erasure of their personal information, this capability must be built into all IoT devices that collect user data. Organizations must also establish policies to define how data is collected, consumed and retained in the IT environment.

To ensure the ongoing integrity of IoT deployments, security teams should conduct regular gap analyses to monitor the data generated by connected devices. This analysis should include both flow- and packet-based anomaly detection.

Awareness Is the Key to IoT Security

As with any technology, an organization’s IoT deployment is only as secure as the human beings who operate it. Awareness training and ongoing education throughout all levels of the enterprise, therefore, are critical. This applies to both device manufacturers and the companies that invest in their technology.

The IoT has the potential to boost efficiency and productivity in both domestic and enterprise settings. However, the exposure of IoT data — or the illegal takeover of devices themselves — can cause immeasurable damage to a business’ bottom line and reputation. The keys to unlocking the benefits and avoiding the pitfalls of this technology include embedding security into apps and devices throughout the development life cycle, investing in robust data protection solutions and prioritizing security education throughout the organization.

Listen to the podcast series: Five Indisputable Facts about IoT Security

The post Connect the Dots: IoT Security Risks in an Increasingly Connected World appeared first on Security Intelligence.

Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum.  Whether it reading the kids a bedtime story or a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information could be at risk. Which means your  bank accounts details or your identity could be put at risk. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to crack PINs and passwords by hacking into the motion sensors to track hand movements. Additional research shows that the encryption offered by wearable fitness tracker manufacturers is quite easily intercepted. This means all your personal data stored on the device can easily be hacked. And while info like your calorie intake and step count many not seem valuable to a hacker, information like where you worked out and how long you were away from home can paint a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy many be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router-level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx

 

The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall

Data breaches are down year-over-year. As noted by Infosecurity Magazine, almost 1.4 billion records were exposed in 686 breaches reported between Jan. 1 and March 31 this year.

As eye-popping as those numbers are, they represent a big improvement from 2017, when 1,442 incidents exposed a total of 3.4 billion records. In addition, tax phishing attempts for W-2 data fell from 214 attacks last year to just 31 in 2018.

Despite the downward trends in data breach statistics, however, new research revealed that disclosure remains a trouble spot for organizations, especially in light of upcoming regulations. Despite year-to-year improvement, according to Computer Weekly, the average time between incident and disclosure is still more than five weeks.

Digging Into Data Breach Statistics

As Help Net Security reported, 2018 is off to a relatively secure start, at least in terms of data breach statistics. The recent spike in cryptocurrency value may provide an explanation: Crypto-mining malware, which leverages unused central processing unit (CPU) cycles to dig for digital currency, saw a significant boost at the beginning of this year, which could account for the shift away from traditional breach methods that may attract more attention from IT security professionals.

In general, however, the nature of data breaches has not changed significantly over the past 12 months. According to Risk Based Security’s “Q1 2018 Data Breach QuickView Report,” fraud remains the top breach type compromising the most records (1.27 billion) while unauthorized access held its spot as the most common breach cause. Skimming, inadvertent disclosure, phishing and malware rounded out the top five, just as they did in 2017.

Data Breach Disclosure Times Remain High

According to the Risk Based Security report, the average time between data breach detection and disclosure is decreasing. In 2015, it took companies 82.6 days on average to disclose a breach. By 2017, this figure was cut nearly in half to 42.7 days, and it dropped even further to 37.9 days in the first quarter of 2018, showing a trend of continuous improvement over the last four years.

The challenge is that, as noted by the Computer Weekly piece, upcoming data privacy regulations include disclosure timelines. The General Data Protection Regulation (GDPR), for example, imposes a 72-hour notification rule for data breaches. Despite the encouraging year-to-year progress in the effort to reduce breach disclosure times, organizations still have a long way to go to meet this requirement.

The Risk Based Security report noted that Q1 2018 has been “the quietest first quarter for breach activity since 2012.” While some trends, such as the move to crypto-mining malware and away from W-2 phishing, help account for these numbers, the researchers identified no underlying pattern, suggesting that these data breach statistics are likely to evolve throughout the rest of the year.

The post Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall appeared first on Security Intelligence.

What Matters Most During a Data Breach? How You React

The Ponemon Institute’s 2017 study on the cost of a data breach showed companies have a one in four chance of experiencing such a breach within a two-year period. In my experience working in the cybersecurity industry, I’ve seen the damage a breach can inflict firsthand. And unfortunately, this unsettling trend will continue for the foreseeable future.

Far too often, companies are more concerned about the incident itself: How did it come to fruition? How long will it last? Where did it start? The questions are seemingly endless. While these are valid concerns, the breach is only the beginning of the trouble.

It’s what happens after a data breach that causes most companies to falter. The extent of the damage largely depends on the organization’s preparedness level. According to the Ponemon study, one of the most effective ways to reduce the cost of a data breach is to implement a cybersecurity incident response plan (CSIRP).

GDPR Regulations Impact the Cost of a Data Breach

The General Data Protection Regulation (GDPR), which goes into effect on May 25, requires companies to notify users of a data breach within 72 hours. With significant financial penalties at stake, it is even more critical to develop and test your CSIRP before a breach occurs. When you’re dealing with your company’s brand and reputation, the worst time to find out your CSIRP is flawed is in the middle of an emergency.

A CSIRP is a road map to guide your response to a cyberattack:

  • It defines the roles and responsibilities of all respondents.
  • It determines who is authorized to make major decisions.
  • It outlines communication flows and notification procedures pertaining to GDPR.

A comprehensive CSIRP — that is regularly tested and updated — can help incident response teams save valuable time and resources in the event of a breach.

Learn more about intelligent threat prevention and incident response

Building a CSIRP to Contain the Damage of a Breach

The IBM X-Force Incident Response and Intelligence Services (IRIS) team has worked with hundreds of clients to prepare for and respond to security incidents. IRIS consultants have found that nearly 50 percent of the CSIRPs they’ve evaluated show no evidence of a formal document life cycle or a history of continual revisions.

IRIS experts are noted for investigating some of the world’s top security incidents. In helping clients respond to declared incidents, these experts have observed what works well in a CSIRP — and what doesn’t. IRIS can help clients evaluate and improve an existing CSIRP or build a custom plan from the ground up. It can also help security leaders develop custom tabletop exercises to test their strategy.

In the event of an incident, it’s critical to answer three key questions: What has happened? What data have the attackers accessed? How can the damage be quickly contained and remediated? A robust incident response plan is absolutely crucial for getting these answers — especially given the strict data privacy regulations coming into effect this year.

Take Action: Get Your GDPR Plan in Place

Learn more about intelligent threat prevention and incident response

The post What Matters Most During a Data Breach? How You React appeared first on Security Intelligence.

Despite Major Data Breaches, Users’ Bad Password Security Habits Haven’t Improved

Even though password security is a top priority for organizations, only 55 percent of users would change their credentials after a breach. That’s the sobering state of affairs detailed in “The Psychology of Passwords: Neglect Is Helping Hackers Win,” a new report from password management firm LastPass.

And bad habits don’t stop there. The report also found that 59 percent of respondents use the same password across multiple accounts. Despite the rising costs of data breach recovery and ongoing, large-scale compromises, LastPass found that “password behaviors remain largely unchanged from two years ago.”

A Persistent Problem

Companies around the world and across all sectors are struggling to protect user passwords. As noted by Wired, Twitter recently disclosed that it had inadvertently stored unencrypted passwords in an internal system. While Twitter typically hashes user passwords using bcrypt, a bug in its hashing protocol led to the unprotected storage of credentials that were kept even after hashing was complete.

Although the company said it doesn’t believe the information was accessed or used by cybercriminals, it advised all users to change their passwords for good measure. As noted by the LastPass report, however, just over half of users are likely to comply.

Also problematic is the common practice of employees sharing passwords for internal resources using tools such as Trello. According to Krebs on Security, simple web searches revealed “unprotected personal Trello boards that listed employer passwords and other sensitive data.”

This lines up with LastPass data, which found that, while 5 million records are compromised every day, it still takes organizations an average of 66 days to contain a breach. Posting passwords on public collaboration forums makes containment that much more difficult.

The Password Security Paradox

As noted by TechRepublic, the new report “confirms the paradoxical views many people have about passwords and highlights alarming trends in personal online security.” For example, 90 percent of users said they believe their online accounts are at risk regardless of the strength of their passwords and 91 percent recognize that password reuse heightens this risk. Meanwhile, 39 percent reported that they would never change their password if they were not required to do so.

Users also underestimated their total number of online accounts. While 79 percent of those asked said they had between one and 20 online accounts, LastPass found that, on average, employees were responsible for 191 passwords. Still, 59 percent of respondents said they mostly or always use the same password for different accounts, 51 percent don’t believe that cybercriminals can figure out their password, and 21 percent said they don’t see a problem with repeating the same password across accounts.

There’s a gap between user belief and behavior. Ninety-two percent of respondents said password security was a “serious matter,” yet 61 percent said they refuse to change passwords for fear of forgetting their login information.

Sandor Palfy, chief technology officer (CTO) of identity and access management at LastPass parent company LogMeIn, put it simply: “The cyberthreats facing consumers and businesses are becoming more targeted and successful, yet there remains a clear disconnect in users’ password beliefs and their willingness to take action.”

The post Despite Major Data Breaches, Users’ Bad Password Security Habits Haven’t Improved appeared first on Security Intelligence.

Trivia Time: Test Your Family’s Password Safety Knowledge

Strong PasswordPasswords have become critical tools for every citizen of the digital world. Passwords stand between your family’s gold mine of personal data and the entirety of the internet. While most of us have a love-hate relationship with passwords, it’s beneficial to remember they do serve a powerful purpose when created and treated with intention.

But asking your kids to up their password game is like asking them to recite the state capitals — booooring! So, during this first week of May as we celebrate World Password Day, add a dash of fun to the mix. Encourage your family to test their knowledge with some Cybersavvy Trivia.

Want to find out what kind of password would take two centuries to crack? Or, discover the #1 trick thieves use to crack your password? Then take the quiz and see which family member genuinely knows how to create an awesome password.

We’ve come a long way in our understanding of what makes a strong password and the many ways nefarious strangers crack our most brilliant ones. We know that unique passwords are the hardest to crack, but we also know that human nature means we lean toward creating passwords that are also easy to remember. So striking a balance between strong and memorable may be the most prudent challenge to issue to your family this year.

Several foundational principles remain when it comes to creating strong passwords. Share them with your family and friends and take some of the worries out of password strength once and for all.

5 Password Power Principles

  1. Unique = power. A strong password includes numbers, lowercase and uppercase letters, and symbols. The more complicated your password is, the more difficult it will be to crack. Another option is a password that is a Strong Passwordpassphrase only you could know. For instance, look across the room and what do you see? I can see my dog. Only I know her personality; her likes and dislikes. So, a possible password for me might be #BaconDoodle$. You can even throw in a misspelling of your password to increase its strength such as Passwurd4Life. Just be sure to remember your intentional typos if you choose this option.
  2. Diverse = power. Mixing up your passwords for different websites, apps, and accounts can be a hassle to remember but it’s necessary for online security. Try to use different passwords for online accounts so that if one account is compromised, several accounts aren’t put in jeopardy.
  3. Password manager = power. Working in conjunction with our #2 tip, forget about remembering every password for every account. Let a password manager do the hard work for you. A password manager is a tech tool for generating and storing passwords, so you don’t have to. It will also auto-log you onto frequently visited sites.
  4. Private = power. The strongest password is the one that’s kept private. Kids especially like to share passwords as a sign of loyalty between friends. They also share passwords to allow friends to take over their Snapchat streaks if they can’t log on each day. This is an unwise practice that can easily backfire. The most Strong Passwordpowerful password is the one that is kept private.
  5. 2-step verification = power. Use multi-factor (two-step) authentication whenever possible. Multiple login steps can make a huge difference in securing important online accounts. Sometimes the steps can be a password plus a text confirmation or a PIN plus a fingerprint. These steps help keep the bad guys out even if they happen to gain access to your password.

It’s a lot to manage, this digital life but once you’ve got the safety basics down, you can enjoy all the benefits of online life without the worry of your information getting into the wrong hands. So have a fun and stay informed knowing you’ve equipped your family to live their safest online life!

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Trivia Time: Test Your Family’s Password Safety Knowledge appeared first on McAfee Blogs.

Does Your Family Need a VPN? Here are 3 Reasons it May Be Time

At one time Virtual Private Networks (VPNs) used to be tools exclusive to corporations and techie friends who appeared overly zealous about masking their online activity. However, with data breaches and privacy concerns at an all-time high, VPNs are becoming powerful security tools for anyone who uses digital devices.

What’s a VPN?

A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your activity by encrypting (or scrambling) your data when you connect to the internet from a remote or public location. A VPN allows you to hide your location, IP address, and online activity.

For instance, if you need to send a last-minute tax addendum to your accountant or a legal contract to your office but must use the airport’s public Wi-Fi, a VPN would protect — or create a secure tunnel in which that data can travel —while you are connected to the open network. Or, if your child wants to watch a YouTube or streaming video while on vacation and only has access to the hotel’s Wi-Fi, a VPN would encrypt your child’s data and allow a more secure internet connection. Without a VPN, any online activity — including gaming, social networking, and email — is fair game for hackers since public Wi-Fi lacks encryption.

Why VPNs matter

  • Your family is constantly on the go. If you find yourself conducting a lot of business on your laptop or mobile device, a VPN could be an option for you. Likewise, if you have a high school or college-aged child who likes to take his or her laptop to the library or coffee shop to work, a VPN would protect data sent or received from that location. Enjoy shopping online whenever you feel the urge? A VPN also has the ability to mask your physical location, banking account credentials, and credit card information. If your family shares a data plan like most, connecting to public Wi-Fi has become a data/money-saving habit. However, it’s a habit that puts you at risk of nefarious people eavesdropping, stealing personal information, and even infecting your device. Putting a VPN in place, via a subscription service, could help curb this risk. In addition, a VPN can encrypt conversations via texting apps and help keep private chats and content private.
  • You enjoy connected vacations/travel. It’s a great idea to unplug on vacation but let’s be honest, it’s also fun to watch movies, check in with friends via social media or email, and send Grandma a few pictures. Service to some of your favorite online streaming sites can be interrupted when traveling abroad. A VPN allows you to connect to a proxy server that will access online sites on your behalf and allow a secure and easier connection most anywhere you go.
  • Your family’s data is a big deal. Protecting personal information is a hot topic these days and for good reason. Most everything we do online is being tracked by Internet Service Providers (ISPs). ISPs track us by our individual Internet Protocol (IP) addresses generated by each device that connects to a network. Much like an identification number, each digital device has an IP address which allows it to communicate within the network. A VPN routes your online activity through different IP addresses allowing you remain anonymous. A favorite entry point hackers use to eavesdrop on your online activity is public Wi-Fi and unsecured networks. In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware. Using a VPN cuts cyber crooks off from their favorite watering hole — public Wi-Fi!

As you can see VPNs can give you an extra layer of protection as you surf, share, access, and receive content online. If you look for a VPN product to install on your devices, make sure it’s a product that is trustworthy and easy to use, such as McAfee’s Safe Connect. A robust VPN product will provide bank-grade encryption to ensure your digital data is safe from prying eyes.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Does Your Family Need a VPN? Here are 3 Reasons it May Be Time appeared first on McAfee Blogs.

How To Start Taking Control Of Your Data – Essential Privacy Tools

Late in 2017, the Cambridge AnalyticaFacebook scandal finally woke people up and raised serious privacy concerns. More and more social media users found out exactly what and how their information was used for. The result was not pretty.

Millions of people had their data harvested, analyzed and turned into a tool powerful enough to elect President Trump and push Brexit into reality.

If you want to take control of your data, in this article we outline the risks of data sharing, the current landscape, and we list the best, easiest to use tools for your privacy. Continue reading

Cloud Clustering Vulnerable to Attacks

The authors thank John Fokker and Marcelo CaroVargas for their contributions and insights.

In our upcoming talk at the Cloud Security Alliance Summit at the RSA Conference, we will focus our attention on the insecurity of cloud deployments. We are interested in whether attackers can use compromised cloud infrastructure as viable backup resources as well as for cryptocurrency mining and other illegitimate uses. The use of containers has increased rapidly, especially when it comes to managing the deployment of applications. Our latest market survey found that 83% of organizations worldwide are actively testing or using containers in production. Applications need authentication for load balancing, managing the network between containers, auto-scaling, etc. One solution (called a cluster manager) for the automated installation and orchestration of containers is Kubernetes.

Some key components in the Kubernetes architecture appear below:

High-level Kubernetes architecture.

  • Kubernetes master server: The managing machine oversees one or more nodes
  • Node: A client that runs tasks as delegated by the user and Kubernetes master server
  • Pod: An application (or part of an application) that runs on a node. The smallest unit that can be scheduled to be deployed. Not intended to live long.

For our article, we need to highlight the etcd storage on the master server. This database stores the configuration data of the cluster and represents the overall state of the cluster at a given time. Kubernetes saves these secrets in Base64 strings; before Version 2.1 there was no authentication in etcd.

With that knowledge, security researcher Giovanni Collazo from Puerto Rico started to query the Shodan database for etcd databases connected to the Internet. He discovered many and by executing a query, some of these databases started to reveal a lot of credentials. Beyond leaking credentials from databases and other accounts, what other scenarios are possible?

Leaking Credentials

There are several ways that we can acquire credentials for cloud services without hacking into panels or services. By “creatively” searching public sites and repositories, we can find plenty of them. For example, when we searched on GitHub, we found more than 380,000 results for certain credentials. Let’s assume that half of them are useful: We would have 190,000 potentially valid credentials. As Collazo did for etcd, one can also use the Shodan search engine to query for other databases. By creating the right query for Django databases, for example, we were able to identify more cloud credentials. Amazon’s security team proactively scans GitHub for AWS credentials and informs their customers if they find credentials.

Regarding Kubernetes: Leaked credentials, complete configurations of the DNS, load balancers, and service accounts offer several possible scenarios. These include exfiltrating data, rerouting traffic, or even creating malicious containers in different nodes (if the service accounts have enough privileges to execute changes in the master server).

Creating malicious containers.

One of the biggest risks concerning leaked credentials is the abuse of your cloud resources for cryptomining. The adversaries can order multiple servers under your account to start cryptomining, enriching their bank accounts while you pay for the computing power “you” ordered.

Open Buckets

We have heard a lot about incidents in which companies have not secured their Amazon S3 buckets. A number of tools can scan for “open” buckets and download the content. Attackers would be most interested in write-enabled rights on a bucket. For our Cloud Security Alliance keynote address at RSA, we created a list of Fortune 1000 companies and looked for readable buckets. We discovered quite a few. That is no surprise, but if you combine the read-only buckets information with the ease of harvesting credentials, the story changes. With open and writable buckets, the adversaries have plenty of opportunities: storing and injecting malware, exfiltrating and manipulating data, etc.

McAfee cloud researchers offer an audit tool that, among other things, verifies the rights of buckets. As we write this post, more than 1,200 writable buckets belonging to a multitude of companies, are accessible to the public. One of the largest ad networks in the world had a publicly writable bucket. If adversaries could access that network, they could easily inject malicious code into advertisements. (As part of our responsible disclosure process, we reported the issue, which was fixed within hours.) You can read an extensive post on McAfee cloud research and how the analysts exposed possible man-in-the-middle attacks leveraging writable buckets.

Clustering the Techniques

To combat ransomware, many organizations use the cloud to back up and protect their data. In our talk we will approach the cloud as an attack vector for spreading ransomware. With the leaked credentials we discovered from various sources, the open and writable buckets created a groundwork for storing and spreading our ransomware. With attackers having a multitude of credentials and storage places such as buckets, databases, and containers, defenders would have difficulty keeping up. We all need to pay attention to where we store our credentials and how well we monitor and secure our cloud environments.

The post Cloud Clustering Vulnerable to Attacks appeared first on McAfee Blogs.

Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy

A huge part of modern-day customer service is the chat functionality, which allows customers to converse easily with representatives of the organization in order to find a solution to their problem. This chat functionality is often a service offered by a third-party provider. And just last week, one of these service providers, [24]7.ai, reported that an unspecified cyberattack affected online payment data collected by a “small number of our client companies.” A few of these companies include Delta Airlines, Sears, Kmart, and Best Buy.

The breach was the result of an unspecified malware attack on the service’s chat tool, which occurred between Sept. 26 and Oct. 12, 2017. The malware permitted cybercriminals to obtain unauthorized access to customer data, including payment card numbers, CVV numbers, and expiration dates, in addition to customers’ names and addresses.

Delta Airlines, Sears, Kmart, and Best Buy all have not yet determined how many customers have been impacted so far. But it is believed to be totaling up to hundreds of thousands. So, for those who have been affected – what are the next steps? Start by following these security tips here:

  • Place a Fraud Alert. If you know your data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report, so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account. Then, make sure you correct your credit report by filing a dispute with each of the three credit bureaus.
  • Freeze Your Credit. This allows you to seal your credit reports so no one else can take out new accounts or loans in your name. You can do this without impacting your existing lines of credit, such as credit cards. If you want to apply for services or open new accounts, you can temporarily “unfreeze” your credit using a personal identification code only you have.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Service Provider [24]7.ai Breached, Leaking Customer Data from Delta Airlines, Sears, Kmart, and Best Buy appeared first on McAfee Blogs.

10+ Critical Corporate Cyber Security Risks – A Data Driven List [Update 2018]

Companies are under extreme pressure, and they’re constantly struggling to keep our information safe.
Wondering why so many big companies manage to let hackers steal your information? As a corporate employee or executive, do you know what cyber security is and what you should expect coming your way?

Here are the answers – use the links to quickly navigate this collection of corporate cyber security risks:

1. Failure to cover cyber security basics
2. Not understanding what generates corporate cyber security risks
3. Lack of a cyber security policy
4. Confusing compliance with cyber security
5. The human factor is the weakest link
6. Bring your own device policy (BYOD)
7. Funding, talent and resources constraints
8. No information security training
9. Lack of a recovery plan
10. Constantly evolving risks
11. Aging infrastructure
12. Corporate inflexibility
13. Lack of accountability
14. Difficulty in integrating data sources
15. Holding on to a reactive mindset
16. Disconnect between spending and implementation

Before diving in, let’s see a few of the pressures put on companies and corporations, so we can understand where things start to crack.

They have to:

    • grow and perform at a pace that pleases investors or shareholders.
    • innovate and keep making new products and building new services to satisfy the customers’ needs.
    • keep their employees happy and nurture them to become better specialists, else those employees will jump ship
    • invest in the communities they activate in and be careful about their impact both more fronts – both their immediate surroundings and the area they specialize in.
    • keep the business going uninterrupted by cyber attacks and other security incidents.

The list could go on, but these are just some of the key challenges that I wanted to outline.

What the news does every day is to point out that companies everywhere are vulnerable. This is true irrespective of their sector, size and resources.

There are two forces at work here, which are pulling in different directions:
the attackers, who are getting better at faster at making their threats stick
And the companies, which still struggle with the overload in urgent security tasks.

We’ve all seen this happen, but the PwC Global Economic Crime Report confirms it:
31%

Cybercrime climbs to 2nd most reported economic crime affecting 31% of organisations.

Cybercrime climbs to 2nd most reported economic crime affecting 31% of organisations.

Internet-delivered attacks are now the main concern, even as companies still struggle with internal fraud.

It would seem that only the those with serious tech skills truly grasp the severity of the issue, but these people can’t fix the problems by themselves.

That’s why everyone who works for a company or helps run it should read this article.

Top security threats can impact your company’s growth

Vulnerabilities in your company’s infrastructure can compromise both your current financial situation and endanger its future.

Companies everywhere are looking into potential solutions to their cyber security issues, as The Global State of Information Security® Survey 2017 reveals.

Integration seems to be the objective that CSOs and CIOs are striving towards. Getting all the ducks in a row could paint a clearer picture in terms of security risks and vulnerabilities – and that is, indeed, a must-have.

Antivirus-replacement-statistics-2018

Source

So amid this turbulent context, companies desperately need to incorporate cyber security measures as a key asset. It’s not just about the tech, it’s about business continuity.

If you are concerned with your company’s safety and prospects, then you’re in the right place. There are solutions to keeping your assets secure. The first step is to acknowledge the existing cyber security risks that expose your organization to malicious hackers.

Otherwise, you could join a list of companies like Uber, Equifax and others, who now face serious backlash from their users.

16 corporate cyber security risks to prepare for

Information security is a topic that you’ll want to place at the top of your business plan for 2018 or any of the years to come. Having a strong plan to protect your organization from cyber attacks is fundamental. So is a recovery plan to help you deal with the aftermath of a potential security breach.

These plans can also become leverage for your company. Investors think highly of those managers who are prepared to deal with every imaginable scenario that the company might experience.

Below you’ll find some pointers to help you create an action plan to strengthen your company’s defences against aggressive cyber criminals and their practices.

1. Failure to cover cyber security basics

The common vulnerabilities and exploits used by attackers in the past year reveal that fundamental cyber security measures are lacking.

Cyber criminals use less than a dozen vulnerabilities to hack into organizations and their systems, because they don’t need more.

  • The top 10 external vulnerabilities accounted for nearly 52 percent of all identified external vulnerabilities Thousands of vulnerabilities account for the other 48 percent.
  • The top 10 internal vulnerabilities accounted for over 78 percent of all internal vulnerabilities during 2015. All 10 internal vulnerabilities are directly related to outdated patch levels on the target systems.

Source: 2016 NTT Group Global Threat Intelligence Report

For example, something as simple as timely patching could have blocked 78% of internal vulnerabilities in the surveyed organizations. And the same goes for external security holes.

Moreover, relying on antivirus as a single security layer and failing to encrypt data is an open invitation for attackers. It just screams: “open for hacking!”

World Wide Web exploits are multiplying aggressively, so protecting your company also entails keeping an eye out for new dangers. It’s not an easy job, I know.


Check out this collection of useful statistics on corporate #cybersecurity risks:
Click To Tweet


2. Not understanding what generates corporate cyber security risks

Companies often fail to understand “their vulnerability to attack, the value of their critical assets, and the profile or sophistication of potential attackers”. This issue came up at the 2015 World Economic Forum and it will probably still be relevant for a few more years (and, hopefully, not longer).

Security risks are not always obvious. The categories below can provide some guidance for a deliberate effort to map and assess these risks and plan to mitigate them in the long term.

most-frequent-external-threat-vectors

Source: Ponemon Institute – Security Beyond the Traditional Perimeter

Technology isn’t the only source for security risks. Psychological and sociological aspects are also involved. This is why company culture plays a major role in how it handles and perceives cyber security and its role.

3. Lack of a cyber security policy

Security standards are a must for any company that does business nowadays and wants to thrive at it. Cyber criminals aren’t only targeting companies in the finance or tech sectors. They’re threatening every single company out there.

The increasing frequency of high-profile security breaches has made C-level management more aware of the matter. This is an important step, but one of many.

External attacks are frequent and the financial costs of external attacks are significant. The 505 enterprises and financial institutions surveyed experienced an average of more than one cyber attack each month and spent an average of almost $3.5 million annually to deal with attacks.

Source: Ponemon Institute – Security Beyond the Traditional Perimeter

Not prioritizing the cyber security policy as an issue and not getting employees to engage with it is not something that companies nowadays can afford.

This piece of advice shared in an article on Fortune.com is worth pondering on:

Just as companies seek outside expertise for legal and financial matters, they should now be looking for experts in cyber security and data privacy.

As part of their cyber security policy, companies should:

  • identify risks related to cyber security
  • establish cyber security governance
  • develop policies, procedures and oversight processes
  • protect company networks and information
  • identify and address risks associated with remote access to client information and funds transfer requests
  • define and handle risks associated with vendors and other third parties
  • be able to detect unauthorized activity.

4. Confusing compliance with cyber security

Another risk businesses have to deal with is the confusion between compliance and a cyber security policy.

Ensuring compliance with company rules is not the equivalent of protecting the company against cyber attacks. Unless the rules integrate a clear focus on security, of course.

Enterprise risk management requires that every manager in the company has access to the parts of the security system that are relevant to them. Security is a company-wide responsibility, as our CEO always says. As a result, managers (and everyone else) should oversee how data flows through the system and know how to protect confidential information from leaking to cyber criminal infrastructure.

Most companies are still not adequately prepared: 48.7% of incident response teams say that they lack resources to face cyber attacks.

Source: 2017 Sans Incident Response Survey

Clearly, there is plenty of work to be done here.

5. The human factor is the weakest link

There are also other factors that can become corporate cyber security risks. They’re the less technological kind.

The human factor plays an important role in how strong (or weak) your company’s information security defenses are.

It turns out that people in higher positions, such as executive and management roles, are less prone to becoming malicious insiders. It’s the lower-level employees who can weaken your security considerably. Be mindful of how you set and monitor their access levels.

As you can see for this recent statistic, privilege abuse is the leading cause for data leakage determined by malicious insiders.

insider-data-misue

Source: Verizon 2016 Data Breach Investigations Report

That is one more reason to add a cyber security policy to your company’s approach, beyond a compliance checklist that you may already have in place. Protecting sensitive information is essential, and you need to look inside, as well as outside to map and mitigate potential threats.

6. Bring your own device policy (BYOD)

In the quest to providing your employees with better working conditions and a more flexible environment, you may have adopted the “Bring Your Own Device” policy.

But have you considered the corporate cyber security risks you brought on by doing so?

The BYOD & Mobile Security 2016 study provides some compelling figures:

One in five organizations suffered a mobile security breach, primarily driven by malware and malicious WiFi.

Security threats to BYOD impose heavy burdens on organizations’ IT resources (35 percent) and help desk workloads (27 percent).

Despite increasing mobile security threats, data breaches and new regulations, only 30 percent of organizations are increasing security budgets for BYOD in the next 12 months. Meanwhile, 37 percent have no plans to change their security budgets.

The bright side is that awareness on the matter of BYOD policies is increasing. Key decision makers know what they should be focused on preventing:

main-security-concerns-related-to-byod

And we also have a guide for employees who want to still enjoy their BYOD benefits, while keeping their jobs.

As long as we keep the security aspect in mind, there’s plenty that both companies and employees can do to safeguard data and prevent malicious intrusion.

When it comes to mobile devices, password protection is still the go-to solution. I was glad to see that encryption is in the top 3 security measures, but I hope it will grow in popularity in the coming years.

risk-control-measures-for-mobile-devices

Source: BYOD & Mobile Security 2016

Overall, things seem to be going in the right direction with BYOD security. But, as with everything else, there is much more companies can do about it.

7. Funding, talent and resources constraints

We know that there are plenty of issues to consider when it comes to growing your business, keeping your advantages and planning for growth. So budgets are tight and resources scarce. That’s precisely one of the factors that incur corporate cyber security risks.

Think of this security layer as your company’s immune system. It needs funding and talent to prevent severe losses as a consequence of cyber attacks.

A good approach would be to set reasonable expectations towards this objective and allocate the resources you can afford.

I won’t lie: it won’t be easy, given the shortage of cyber security specialists, a phenomenon that’s affecting the entire industry.

cybersecurity job postings

Source: 2017 Global Information Security Workforce Study

8. No information security training

Employee training and awareness are critical to your company’s safety.

In fact, 50% of companies believe security training for both new and current employees is a priority, according to Dell’s Protecting the organization against the unknown – A new generation of threats.

The specialists’ recommendation is to take a quick look at the most common file types that cyber attackers use to penetrate your system. This will tell you what types of actionable advice you could include in your employees’ trainings on cyber security.

gsiss-financial-services-threats

Source: The Global State of Information Security® Survey 2017

The human filter can be a strength as well as a serious weakness. Educate your employees, and they might thank you for it. This training can be valuable for their private lives as well.


This mapping of sources for #cybersecurity risks in companies is very useful:
Click To Tweet


9. Lack of a recovery plan

Being prepared for a security attack means to have a thorough plan. This plan should include what can happen to prevent the cyber attack, but also how to minimize the damage if is takes place.

Unfortunately, the statistics reveal that companies are not ready to deal with such critical situations:

Observing the trend of incidents supported since 2013, there has been little improvement in preparedness In 2015 there was a slight increase in organizations that were unprepared and had no formal plan to respond to incidents

Over the last three years, an average of 77 percent of organizations fall into this category, leaving only 23 percent having some capability to effectively respond.

Source: 2016 NTT Group Global Threat Intelligence Report

organizations-who-are-preparing-response-capabilities

If 77% of organizations lack a recovery plan, then maybe their resources would be better spent on preventive measures. This way, companies can detect the attack in its early stages, and the threats can be isolated and managed more effectively.

But that doesn’t eliminate the need for a recovery plan. There’s no doubt that such a plan is critical for your response time and for resuming business activities. In fact, we can recommend 10 steps to critical steps to take after a data security breach that can have a real positive impact on building the plan and recovery process.

10. Constantly evolving risks

There is one risk that you can’t do much about: the polymorphism and stealthiness specific to current malware.

Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware. Its key asset is that it can change constantly, making it difficult for anti-malware programs to detect it. That is why you should take into account that your company might need an extra layer of protection, on top of the antivirus solution.

Your first line of defense should be a product that can act proactively to identify malware. It should be able to block access to malicious servers and stop data leakage. Part of this preventive layer’s role is to also keep your system protected by patching vulnerabilities fast.

As cyber risks increase and cyber attacks become more aggressive, more extreme measures may become the norm. Such tactics include shutting down network segments or disconnecting specific computers from the Internet.

As this article by Deloitte points out:

This may require a vastly different mindset than today’s perimeter defense approach to security and privacy, where the answer is sometimes to build even higher castle walls and deeper moats.

One more thing to consider here is that cyber criminals have strong, fully automated systems that they use. Automation is crucial in your organization as well, given the sheer volume of threats that CIOs and CSOs have to deal with.

You’ll need a solution that scans incoming and outgoing Internet traffic to identify threats. It should also keep them from infiltrating the system.

You know what? A traffic filtering product may be just what you need.

As one CEO pointed out in CFO Signals – What North America’s top finance executives are thinking – and doing:

Criminals are all automated to the teeth and the only way for companies to counter that is to be automated to the teeth as well to find those vulnerabilities…the bad guys only have to find one hole. We have to find them all.

11. Aging infrastructure

As you know, cyber security is not all about software. Hardware can be a major issue as well.

This is especially true since the lifecycle of devices is becoming increasingly shorter nowadays.

If the hardware you use doesn’t allow you to install the newest patches for the software on it, then this breeds trouble. If you use certain types of software that require older versions of plugins, such as Java, than that can also cause security issues.

When purchasing new hardware, consider how many updates it will be able to support. Carefully monitor all devices as they age and deteriorate.

It’s not about having the latest gadgets, it’s about ensuring that you can run the latest versions of the software you need.

12. Corporate inflexibility

We all know that the bigger a company is, the slower it moves.

While this is not time nor the place to debate the causes behind this, its impact on your data security is a key discussion topic.

The issue with a company’s lack of flexibility is that, if a breach happens, it will take a lot longer than recommended to contain and mitigate it.

While lower-level managers scramble to get approvals from their seniors and external experts on board, attackers will be hard at work. They’ll take advantage of this time to exfiltrate gigabytes of confidential data from your network.

Time is critical when dealing with a data breach or any kind of cyber attack. Don’t waste it!

That’s why having a plan in place to deal with such situations is fundamental. This is especially relevant since most organizations strongly agree that detecting external cyber threats is extremely difficult.

how-difficult-it-is-to-detect-and-contain-external-threats

Source: Ponemon Institute – Security Beyond the Traditional Perimeter

Don’t let bureaucracy slow you down when fighting for your company’s data.

13. Lack of accountability

On a similar note, another contributing factor to your company’s exposure to cyber threats is the lack of accountability. This is a cultural issue that often permeates corporations. But it can happen to smaller companies too.

Building a culture where employees are not afraid to take on responsibilities is crucial for successfully dealing with cyber attacks.

Being able to trust your employees and colleagues is key in moments when the pressure is high and the stakes are even higher. You need to have designated people in your company who can make the right decisions when the time comes.

I have to insist that these critical employees be well trained and capable of acting in the company’s best interest in the event of a cyber breach.

As with all important things, this isn’t something that can be arranged on the spot. Preparations are in order and the sooner you start them, the sooner you’ll see the improvements. Empowering people has that positive effect.

14. Difficulty in integrating data sources

The amount of data flowing through an organization could overwhelm anyone, no matter how experienced that person is.

There are just too many information sources to handle: details about employees, partners, contractors, service providers, customers, etc.

But integrating these data sources is crucial if you want to have a clear overview of the internal and external risks for your organization.

For example, CIOs and CISOs work with multiple products, each with its own dashboard, and they have to correlate a lot of data to get a clear image of the vulnerabilities in their organizations.

A focus on data sharing policies and identity management comes to mind. As it turns out, these are some of the primary security services that companies turn to:

use-of-managed-security-services

Source: The Global State of Information Security® Survey 2017

Try to single out the most important things you want to look at. Choose security platforms that will also help you mitigate risks and block attacks, not only help you identify these risks and attacks. A CIO’s or CSO’s toolbox is never complete without such a platform.

15. Holding on to a reactive mindset

Unfortunately, this is a mistake that most organizations still make.

While trying to pull together as many resources possible and constantly prioritizing what to do next, decision makers often focus only on the reactive side of information security. This perspective is still commonplace, but the current state of affairs clearly shows that it’s not a viable strategy anymore.

Investing in proactive cyber security may benefit you in aspects you’re already familiar with, but in new ways as well. Here are some of the benefits:

  • Proactive information security can help you mitigate risks before they turn into security breaches;
  • It enables you to comply with legal requirements (such as the EU GPRD);
  • It helps strengthen the customers’ trust in the organization;
  • It proves to investors, shareholders and other stakeholders that the organization’s management has a clear vision and is prepared to deal with cyber risks and attacks;
  • It helps build trust within the organization, among employees, who can rest assured that the company can resume to business as usual after a cyber attack happens.

When you decide to plan ahead for your business’s cyber security, you set your own priorities.

If, instead, you stick to the reactive way of doing things, the attackers will set your agenda. I’m sure you already know how powerless it can make you feel when someone else calls the shots on critical matters.

What’s more, being proactive about information security is cheaper. So you can stick to your budget and keep your company’s data safe at the same time. Even EUROPOL highlighted this in their latest Internet Organised Crime Threat Assessment (2016 edition):

When it comes to addressing volume crimes, investing resources in prevention activities may be more effective than investigation of individual incidents.

The good news is that there’s an industry-wide movements away from reactive solutions and toward preventive measures. And the statistics related to cyber security spending show it:

current-cyber-security-spending-areas

Source: SANS INSTITUTE – IT Security Spending Trends

16. Disconnect between spending and implementation

Another big risk for organizations comes from a disparity between cyber security spending and how the tools and services are actually used.

It’s not uncommon for companies to purchase security solutions and not install or use them for months. Many things get in the way, as CSOs and CIOs are often burdened with too many tasks.

areas-of-technology-spending

Source: SANS INSTITUTE – IT Security Spending Trends

Implementing all these solutions takes time and resources (especially the human kind), which IT/cyber security departments often lack. What’s more, some of these solutions are complex and have a learning curve, and time is something that cyber security specialists often don’t have.

As a result, spending money on information security products and services does not guarantee they’ll be used to their full potential.

On the other hand, most organizations still don’t have enough resources to ensure a decent level of protection.

A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. Only 42 percent of respondents believe their company has the tools to mitigate external threats.

The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats and only 39 percent of respondents believe their companies have tools to monitor external threats.

Source: Ponemon Institute – Security Beyond the Traditional Perimeter

We should all keep in mind that the reality on the ground is more complex than what we assume. And that’s why we still have a long way to go in terms of keeping data safe from external and internal threats alike.

Conclusion

It takes time and involvement to strengthen your company’s defenses against cyber security risks. However, this process can help your organization maintain shareholder value and even achieve new performance peaks.

It may take some time to create a cyber security policy, train your employees and implement it in all the branches of your company. But the results are worth it! Being thoroughly prepared for the worst case scenario can be a competitive advantage.

You’ve already taken the first step by reading this article. Now act on what you’ve learned.

This article was initially written by Andra Zaharia in March 2015 and was updated with current data by Ana Dascalescu in April 2018.

The post 10+ Critical Corporate Cyber Security Risks – A Data Driven List [Update 2018] appeared first on Heimdal Security Blog.

Teen Gaming, Cybersecurity Specialist Training

Many of us parents have a love/hate relationship with teen gaming. While it seems to cast a spell over many kids and lure them into a trance, gaming does provide some quite welcome ‘time-out’ for all family members! But I can honestly say that in my household, disputes over allocated ‘Xbox’ time would be by far the most common variety. And they can drive me insane!!

Now new research from McAfee may just get me rethinking my often negative attitude to gaming. The Winning The Game report investigates the key challenges facing the IT Security industry in the ongoing fight against cyber threats. Just under 1000 cybersecurity managers across the US, UK, Germany, Singapore, Australia and Japan took part in the research which found that gamers may play a very big role in keeping cybercriminals at bay!

Click to view Winning the Game report

The Cybersecurity Skills Shortage

Worldwide the cybersecurity industry currently has a zero-percent unemployment rate. Many experts predict that this will remain the case until at least 2021. While this is great if you are job hunting, it isn’t great news for Government departments, corporations and businesses. The increasing number of cyberattacks means these organisations are struggling to find cybersecurity professionals to help deal with these threats. Which is ultimately putting a lot of us at risk.

In addition to the skills shortage, many IT professionals believe cybersecurity defences are under unprecedented levels of attack. With malware, ransomware, sophisticated advanced threats and modes of attack, many professionals see the cyberthreat landscape as more complex than ever. Nearly half of the cybersecurity professionals who participated  in the survey expressed concern that they will find it difficult or impossible to keep up with the increase and/or complexity of threats over the next year.

So, amid these constantly evolving cyberthreats the pressure is on to find a solution to the skills crisis.

Gamers Could Be the Answer

Well apparently the long list of skills gamers acquire while learning their craft are precisely those required by cybersecurity professionals. Whether it’s cracking systems, avoiding counter attacks or deciphering codes, these talents are very easily transferrable to a security professional role.

Many of us parents might struggle to believe that the hours our teens have spent playing games could in fact have set them up for a career in cybersecurity. But the skills learnt during these ‘training’ hours – including understanding how to approach adversaries, perseverance and logic – are exactly what sets gamers apart ‘from the pack’. The statistics from the report confirm that.

  • Almost all respondents to the survey (92%) believe that gamers possess skills that make them well-suited to a career in cybersecurity. Further, they provide a fresh outlook compared to traditional cybersecurity hires.
  • 72% of respondents agreed that hiring experienced video gamers into their IT departments is a good way of plugging the cybersecurity skills gap.
  • 75% of respondents said they would consider hiring gamers even if they had no prior cybersecurity experience or training.

It’s clearly time to change our perspective, parents!

Everything in Moderation, Kids!

Whether you decide to share this information with your offspring or not, this research is clearly compelling. However, don’t think for a minute that I am suggesting a 24/7 game fest. No, no, no! Time limits, input into/supervision of game purchases and respectful online gaming behaviour still apply!

And please keep an eye out for any signs of addiction. We all know how children’s mood and behaviour can change after lengthy periods in front of a screen. But if you think your child’s interest has gone beyond enthusiasm and that there may be an issue, work through this checklist for gaming addiction. If required, please seek professional help.

Where to From Here?

In my house, nothing will change. There will still be no gaming Monday to Friday, and pre-agreed time limits will still apply. And I’m just wondering how long I can keep this information away from my four boys? Because as soon as they find out, I will be accused of ruining their prospective cybersecurity careers with my strict regime! How dare I!

Take care,

Alex x

 

The post Teen Gaming, Cybersecurity Specialist Training appeared first on McAfee Blogs.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches

This blog has been updated as of 4/4.

Practically everything has become digitized in 2018. We’ve developed thousands of health apps and gadgets to help monitor our fitness, implemented online ordering services for restaurants, the list goes on. And just this past week – two of these very innovations have been breached for customer data, as well as two traditional brick-and-mortar sites. MyFitnessPal, Panera Bread, and Saks Fifth Avenue and Lord & Taylor have all been faced with data breaches, which have compromised millions of customers.

Let’s start with MyFitnessPal. Just last week, it was revealed that 150 million accounts for the health app and site were breached. As of now, few details have emerged about how the attack happened or what the intention was behind it. While the breach did not compromise financial data, large troves of other personal information were affected. The impacted information included usernames, email addresses, and hashed passwords.

MyFitnessPal, which is a subsidiary of Under Armour, has notified affected customers of the breach (see below), and Under Armour has released an official statement making the public aware of the attack as well.

Then there’s Panera Bread. The popular food chain actually leaked customer data on their website in plain text. This data includes names, email addresses, home addresses, birth dates and final four credit card digits. It’s not clear whether anyone malicious actually accessed any of this data yet, which was supplied by customers who had made online accounts for food delivery and other services. What’s more – a security researcher first flagged this error to Panera Bread eight months ago, which did not acknowledge it until just now. And though the initial number of impacted users was said to be fewer than 10,000 customers, security reporter Brian Krebs estimates that as many as 37 million Panera members may have been caught up in the breach.

Finally there’s Saks Fifth Avenue and Lord & Taylor. A group of cybercriminals has obtained more than five million credit and debit card numbers from customers of the two high-end clothing stores. It appears this data was stolen using software that was implanted into the cash register systems at brick-and-mortar stores and siphoned card numbers.

So, for the millions of affected MyFitnessPal, Panera Bread, and Saks and Lord & Taylor customers, the question is – what next? There are a few security steps these users should take immediately. Start by following these pointers below:

  • Change your password immediately. If you are a MyFitnessPal or Panera Bread customer, you should first and foremost change the password to your account. Then, you should also change your password for any other account on which you used the same or similar information used for your MyFitnessPal or Panera Bread account.
  • Stay vigilant. Another way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With these breaches, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

 

The post MyFitnessPal, Panera Bread, Saks Fifth Avenue: What to Know About the Recent Data Breaches appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day

At one point in my career, I was responsible for launching massive websites.  We’d talk about when and how we flip the switch to launch the new website.  At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it.  But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks?  It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won’t ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate.  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait.  Something often  seems to happen in the doubter’s personal life that makes them get it – and big time.  Real examples:  Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day appeared first on McAfee Blogs.

10 Alarming Cyber Security Facts that Threaten Your Data [Updated]

The cyber security industry is growing as you’re reading this. More specialists join the ranks, more malware is being launched every day than ever before. In 2015, 230,000 new malware sample were recorded daily. Naturally, more resources are being deployed to counter cyber attacks. That’s why I thought it would be helpful to sum up 10 cyber security facts that define the current information security landscape.

Don’t think that hackers are only targeting corporations, banks or wealthy celebrities. They go for individual users like you and me also.

Cost-of-Cyber-Crime-statistics 2017 ponemon accenture

Source: 2017 Cost of Cyber Crime Study: Global by Accenture and Ponemon

As long as you’re connected to the Internet, you can become a victim of cyber attacks.

So that’s why we wanted to walk you through some of the most shocking cyber security facts that you maybe wish you’d known until the present moment.

These will give you a much more accurate idea of how dangerous it really is to go online without proper protection.

 

1.The most wanted cyber criminals in the world

In 2016, there were 19 individuals on FBI’s Most Wanted List for cyber criminals you. Each of them was responsible responsible for consumer losses ranging from $350,000 to more than $100 million. In 2018, that same list has 41 cybercriminals from around the world.

most wanted cyber criminals in the world heimdal security

For example, on the list of FBI’s most wanted cyber criminals are the JABBERZEUS subjects, a group of individuals involved in a wide-ranging racketeering enterprise and scheme that installed, without authorization, malicious software known as Zeus on victims’ computers.

This type of financial malware was used to capture bank account numbers, passwords, personal identification numbers, and other confidential information necessary to log into online banking accounts.


Who are the most wanted cybercriminals in the world? Find out + 9 other cyber security facts.
Click To Tweet


Starting in September of 2011, the FBI began investigating a modified version of the Zeus Trojan, known as GameOver Zeus (GOZ), which we covered in depth. Thousands of corporations were infected with GameOver Zeus and as many as 1.2 million computers were infected prior to the take down of Zeus. It is believed GameOver Zeus is responsible for financial losses of more than $100 million.

How it affects you and what can you do to get protected:

  • Zero Day attacks can be powerful and very dangerous.
  • If you keep up to date with major news in the cyber security industry, it might help you identify attacks and know what to do about them.
  • Keep your software updated and take all necessary precautions to keep your financial and confidential information safe.

 

2. The most expensive computer virus of all times

 

Ever wondered how much damage a computer virus can do? Let us give you a compelling example through this next cyber security fact. MyDoom is considered to be the most expensive virus in the world and in cyber security history, having caused an estimated financial damage of $38.5 billion!

MyDoom was first spotted in January 2004 and it became the fastest-spreading email worm ever, exceeding all previous records. The virus’s origins are believed to be in Russia, but its author was never discovered.


The most expensive computer virus of all times cause damage worth $38.5 billion!
Click To Tweet


Mydoom was mainly transmitted by email, disguised as spam email. A user might inadvertently open the attachment in the email and the worm would re-send itself to every address it could find. The original version contained a payload that did two things: it opened a backdoor into the user’s computer, allowing remote control of it, while also conducting a DDoS attack (Direct Denial Of Service) against SCO group’s website.

most expensive computer virus heimdal security


How it affects you and what can you do to get protected:

  • Viruses such as MyDoom can be extremely dangerous, because if a cyber criminal gains control over your computer, there’s no telling if and how you may regain control over your device.
  • Severe malware usually morphs and has a very low detection score, so antivirus solutions can’t detect it.
  • You need a proactive solution that can work as a supplement for your AV, scanning your Internet traffic and warning you when potential threats appear, while also blocking access to hacker controlled servers and keeping your data from leaking. We explained this in-depth here and, to put it in perspective, here is the volume of malware on a yearly basis.

malware-yearly statistic 2018

Source

3. Social media – a hackers’ favorite target

Currently, according to in depth statistics, there are more than 3 billion active social network users worldwide.


Find out which kind of attacks hackers use most often in social media + 9 other infosec facts!
Click To Tweet


This is precisely why cyber attackers love social media as well!

Users that spend a lot of time on social networks are very likely to click links posted by trusted friends, which hackers use to their advantage. After the entire Facebook and Cambridge Analytica data breach, the threat of using social media to sway elections and the pervasiveness of political of bots should make you pause.

Here are some of the most popular types of cyber attacks directed at social media platforms:

  • Like-jacking: occurs when criminals post fake Facebook “like” buttons to webpages. Users who click the button don’t “like” the page, but instead download malware.
  • Link-jacking: this is a practice used to redirect one website’s links to another which hackers use to redirect users from trusted websites to malware infected websites that hide drive-by downloads or other types of infections.
  • Phishing: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by disguising itself as a trustworthy entity in a Facebook message, Tweet or other social media message
  • Social spam: is unwanted spam content appearing on social networks and any website with user-generated content (comments, chat, etc.). It can appear in many forms, including bulk messages, profanity, insults, hate speech, malicious links, fraudulent reviews, fake friends, and personally identifiable information.

social media hacking heimdal security

Why are cyber attacks on social media so frequent?

Because social media users usually trust their circles of online friends. The result: more than 600.000 Facebook accounts are compromised every single day! Also, 1 in 10 social media users said they’ve been a victim of a cyber attack and the numbers are on the rise. Now this is a cyber security statistic which we don’t want you to become part of.

How it affects you and what can you do to get protected:

 

4. 99% of computers are vulnerable to exploit kits

Cyber security fact: Oracle Java, Adobe Reader or Adobe Flash is present on 99% of computers. That means that 99% of computer users are vulnerable to exploit kits (software vulnerabilities).

Why? Because the vulnerabilities that these types of software often present are extremely critical: all it takes is one click on an infected advertising banner to give a hacker full access to your computer.

99 percent of computers are vulnerable heimdal security

Adobe Flash has a huge number of vulnerabilities, so cyber criminals target it in the majority of their attacks. By using these security holes in Flash, attackers can infect your computer with ransomware, such as various CryptoLocker variants or Teslacrypt and CTB-Locker.


99% of computers are vulnerable to cyber attacks. Find out why and how to get protection.
Click To Tweet


The rise of exploit kits-as-a-service and the increasing use of automation has led to more sophisticated and aggressive attacks. Without adequately protecting your browsers and your entire system, you’ll leave yourself vulnerable to a huge range of cyber threats.

How it affects you and what can you do to get protected:

  • Keep your software updated at all times (the experts say so, not just us) or install a solution that does that automatically and silently.
  • Keep your operating system up to date.
  • Install an AV solution and a supplement that can do what AV fails to do: protect your system proactively from cyber threats by scanning incoming and outgoing Internet traffic.

 

5. Security warning: inside jobs

Maybe you’ll be surprised to find out that a shocking 59% of employees steal proprietary corporate data when they quit or are fired. But there are more types of insider threats to get protection against:

  • Malicious insiders are the least frequent, but have the potential to cause significant damage due to their level of access. Administrators with privileged identities are especially risky. According to the Ponemon Institute, “data breaches that result from malicious attacks are most costly.”
  • Exploited insiders may be “tricked” by external parties into providing data or passwords they shouldn’t.
  • Careless insiders
  • Careless insiders may simply press the wrong key and accidentally delete or modify critical information. A badly configured Amazon S3 leaked the data of over 150.000 Americans.

cyber security insider jobs heimdal security

These types of security risks is being acknowledged by companies everywhere, and strategies are put together to mitigate them:

“Almost half of European organizations believe that insider threats are now more difficult to detect, with senior IT managers being very worried about the things their own users can do with corporate data”

said Andrew Kellett, principal analyst at Ovum.


Did you know that 59% of employees steal proprietary corporate data when they quit or are fired?
Click To Tweet


How it affects you and what can you do to get protected:

  • If a soon-to-be-ex-colleague decides to do some damage before he/she leaves the company, make sure your work goes unaffected.
  • Be careful how you manage your passwords: use a password management application, use strong passwords and change them regularly.
  • Protect your shared documents and keep updated backups of all the information you’re working on.

 

6. Social engineering – cyber criminals’ favorite way to manipulate victims

People are the weakest link when it comes to cyber security, which is why psychological manipulation of cyber attack victims is so common.

According to the definition, social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or system access, and the first type of attack of this kind known in history is the Trojan horse itself (not the computer virus, but the Greek mythical event).


Do you know that social engineering is one of the most dangerous cyber criminal tactics?
Click To Tweet


For example, in this attack, an international cyber crime ring based out of Eastern Europe managed to steal $1 billion in 2 years from 100 different banks in nearly 30 countries using spear phishing emails targeting bank employees. The spear phishing technique is, by far, the most successful on the internet today, accounting for 91% of attacks!

social engineering cyber hacking heimdal security

How it affects you and what can you do to get protected:

  • Always check the recipient of an email and the source of a message.
  • Don’t click any strange links and know what a phishing attack looks like.
  • Don’t install software from untrusted sources.
  • Don’t trust people blindly and don’t give away confidential information to strangers.

 

7. Your government is making you more vulnerable

Cyber security fact: governments around the world are creating malware and using it as digital weapons or in espionage programs. In the past 5 years, more than a handful of government malware have been discovered (such as Stuxnet), but their origins have yet to receive full attribution. The worst of those was the leaked NSA exploit EternalBlue which lead to the spread of WannaCry, the worst ransomware attack in history. If you also look at how North Korea forces programmers into indentured servitude and has them creating ransomware, things are looking pretty grim.

Besides civilians and private organizations becoming collateral damage, there are also other severe consequences.

 

government malware heimdal security

In an article on Dark Reading, some key points are made as to how governments are making all of us more vulnerable to cyber attacks:

  • Government malware accelerates the evolution of criminal malware – cyber criminals do a lot of reverse engineering on government malware, and use its tactics and technical approach to create new, more advanced malware of their own.
  • Governments have fortified zero day vulnerability black markets – Zero Day vulnerabilities auctions have become common, but governments are buying the intelligence related to these vulnerabilities and weapon zing them, instead of disclosing them responsibly, as is the norm in the cyber security industry.
  • Governments try to restrict/backdoor/break encryption – in the name of transparency and protection against cyber criminals and terrorists, governments all over the world are trying to limit every individual’s right to encrypt confidential information. This is why “cyber policies” can do more damage than good.

changing attacker profiles

Source: McAfee Labs Threats Report, August 2015


Find out how governments are exposing us to increasingly stronger cyber attacks.
Click To Tweet


How it affects you and what can you do to get protected:

 

8. There is a real-time map that shows cyber attacks in action

Ever wondered how cyber attacks look on a global scale? Check out this real-time map put together by Norse.

real time map of cyber attacks heimdal secuity

You might notice that the U.S. is one of the favorite targets for cyber criminals. For example, Chinese attackers alone caused more than $100 million worth of damage to U.S. Department of Defense networks according to leaked documents from Edward Snowden. Back in 2012, the same department used to suffer more than 10 million cyber attacks per day, and, given the evolution of cyber criminals, we can assume that these figures have climbed dramatically since then. For example, the U.S. Navy, which receives 110.000 cyber attacks every hour.

 

9. Hacktivism is the main motivation that drives cyber attacks

 

Hacktivism accounts for half of the cyber attacks launched in the world. The term represents a subversive use of computers and computer networks to promote a political agenda. With roots in hacker culture and hacker ethics, its ends are often related to the free speech, human rights, or freedom of information.

hacktivism statistic heimdal security

Although it may seems like the terms has a positive spin, it really depends on who is using the term. Hacktivism can be a politically motivated technology hack, a constructive form of anarchic civil disobedience, or an undefined anti-systemic gesture. It can signal anticapitalist or political protest; it can denote anti-spam activists, security experts, or open source advocate.


Hacktivism is one of the major causes for cyber crime + 9 other essential #cybersecurity facts.
Click To Tweet


Hacktivists use code, website mirroring, geo-bombing and anonymous blogging to achieve their objectives, the oldest events of this type dating back to 1989. Anonymous may be the most widely known hacktivist group in the world, but there are many others that carry on cyber attacks of this kind.

How it affects you and what can you do to get protected:

  • Be careful about the websites you visit and always make sure they use the SSL security protocol.
  • Keep your passwords long, complicated, updated often and managed through dedicated app (NEVER store them in your browser).
  • Keep your system and software updated and also keep an eye out for trouble.

 

10. 68% of funds lost as a result of a cyber attack were declared unrecoverable

 

Cyber crime is not only costly, but poses other problems as well for organizations worldwide.

It’s becoming increasingly difficult to detect cyber attacks and resolve the security issues created by them: the average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days (according to a research conducted by the Ponemon Institute). Moreover, no industry is safe: all business sectors are affected to a higher or lower degree.

financial losses cyber hacking heimdal security

The same research conducted by the Ponemon Institute found the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million, representing a 96% increase since the study was initiated 5 years ago.

As a result, organizations experienced a 176% increase in the number of cyber attacks, with an average of 138 successful attacks per week, compared to 50 attacks per week when the study was initially conducted in 2010.


More than half of funds stolen through cyber crime will never be recovered. #infosec
Click To Tweet


And what’s more worrisome is that 68% of all these funds that were lost as a result of a cyber attack were never recovered and will probably never be.

How it affects you and what can you do to get protected:

  • Keep your financial information protected by using a password manager application to enter your passwords in your online banking website.
  • Be aware of phishing attempts and never give your confidential information over email or other means of electronic communication.
  • Get additional protection through software that can detect cyber threats and block them before they infect your system and leak financial data.

 

No threat is too small, no protection is too strong

 

However big or small, cyber security threats should be treated with caution. You may not be a millionaire (yet) or a C-level manager, but that doesn’t mean that you’re protected against a potential hacker attack. Don’t spare any precautions you can take and try to develop your own protection system with the tools and information you find online, such as this list of cyber security facts.

We recently published a guide to help you choose the best antivirus solution for you and there are plenty more security guides you can use to secure your social media accounts, your email, your operating system and more. Use them and navigate the web with a lot more peace of mind.

See the full infographic below:

Cyber Security Facts Infographic

Share This Infographic On Your Site

Spend time with your family, not updating their apps!
Let Heimdal FREE Silently and automatically update software Close security gaps Reinforce your antivirus of choice

INSTALL IT, FORGET IT AND BE PROTECTED

Download Heimdal FREE

*This article was initially published by Andra Zaharia in May 2016 and updated with current information in March 2018 by Ana Dascalescu.

The post 10 Alarming Cyber Security Facts that Threaten Your Data [Updated] appeared first on Heimdal Security Blog.

#DeleteFacebook: Do You Really Need To?

Is it time to #deleteFacebook? Facebook’s long line of dramas has many of us rethinking our dependence on Mark Zuckerberg’s largest social media platform. While many of us were alarmed at the fake news allegations last year, the recent scandal with Cambridge Analytica has us genuinely spooked and now asking ourselves this question.

The fact that Facebook allowed British data analysis firm Cambridge Analytica to tap the Facebook profiles of more than 50 million users without their knowledge has many of us questioning both our – and our children’s – relationship with the social media platform. How compromised is our privacy? What’s really happening with our data? Is our every online move really being monitored?

The immediate reaction of many is to delete their Facebook accounts and insist their kids do the same. When news broke of the Cambridge Analytica scandal, the #deleteFacebook hashtag trended heavily on Twitter. Many high profile tech types deleted their personal and business Facebook accounts and, consequently, drove the Twittersphere into a frenzy.

To #DeleteFacebook Or Not To #DeleteFacebook?

But many of us can’t really afford to be idealists. Some of us run online businesses and rely heavily on Facebook. Others use Facebook for our jobs. Many of us (and our kids) use Facebook to run our social lives – organise events and parties, remember birthdays and stay in touch with friends and family across the world. And for nearly all of us, it is our digital scrapbook that preserves our important life events, shared moments and memories. In short, we would be lost without it.

While the black and white idealist in me absolutely agrees that we should delete Facebook, the realist in me acknowledges that life is often lived in the shades of grey. Facebook has spent more than a decade making itself a deeply entrenched part of our modern society. Saying farewell to this part of your life is a decision that I believe many of us would find almost impossible to make.

So, while deleting Facebook from your online life is the most drastic way of protecting your data, there are steps you can take to keep your account more secure and your personal information more private. Here are my top recommendations:

  1. Set up new logins for each app you are using.

    Setting up a new login and password for each app you’re using is a great way to protect yourself and your data online. Login may take fractionally longer but it will help ensure your data is not shared between different services.

  2. Review your third party apps – the ones you joined using Facebook.

    Facebook has made it just so easy for us to download apps using our Facebook settings that many of us have acquired quite the collection of apps. The problem is that Facebook provides these apps with our data including our name, location, email or even our friends list. So, review these apps, people! Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you. Tedious but worth it!

  3. Don’t overshare on social media.

    Oversharing online gets many of us including our kids into trouble and allows cybercriminals and ‘data analysis types’ the ability to form an accurate picture of us very quickly! Being conscious of what is publicly available from your social media profiles is essential. Ensure every member of the family knows to NEVER share their telephone number, address or details of their school online. Also rethink whether you really want your relationship status made public, or the city of your birth.

  4. Cull your Friends list.

    The Cambridge Analytica scandal should provide us all with a reality check about how we manage online friends. In 2015, an app entitled ‘this is your digital life’ was developed by Cambridge Professor Dr Aleksandr Kogan and then downloaded by 270,000 users. Those who opted in allowed the app access to their information – including their friends – which then gave Kogan access to the data of over 50 million Facebook users. Facebook have reportedly since changed their terms of service and claim app developers can no longer access this detail, or at least, not at the same level of detail. So, go through your friend list and delete those you barely know or who were just passing acquaintances. Do you really want to share your personal or family updates with these people?

  5. Choose a different social media platform to connect to apps.

    If an app lets you choose which account you use to login, pick one which holds limited data about its users. Twitter could be a good choice as it tends to hold less personal information about you.

And while I salute those who are bold enough to #deleteFacebook and insist their kids do so, I know that it isn’t for me. I choose to stay. I’ll navigate my way around the risks and flaws, so I can enjoy the upside – belonging to my community, keeping my job and adding to my digital scrapbook.

Till next time,

Alex x

The post #DeleteFacebook: Do You Really Need To? appeared first on McAfee Blogs.

Facebook Privacy & Security Guide: Everything You Need to Know [Updated]

The news about Cambridge Analytica firm harvesting personal data taken from millions of Facebook without user consent in 2014 hit the headlines these days.

Everyone is talking about it and everyone should take a few moments of reflection about the privacy of our data on the Internet. Users even started deleting their Facebook accounts (probably) inspired by the big movement #DeleteFacebook (urging people to leave the social network), while others may be really concerned about the exploitation of personal data.

You can follow this thread on Twitter and see what people have to say about it. However, if you aren’t ready to delete your FB profile, or you don’t see this as a viable solution, here’s how to use Facebook in the safest way and take control of privacy settings.

It’s worth reminding that Facebook will *still* know things about you, but at least you can limit its access to your private data.

Almost everyone has a Facebook account, but the problems occur when the distinction between public and private space become blurred. Without a clear understanding of our security and privacy settings, we easily may end up victims to identity theft, phishing attacks or other malicious actions.

Before we begin, here’s a set of helpful links to help you navigate the guide and see what you can learn by reading on:

General Account Settings
Security Settings
Privacy settings
Timeline and tagging settings
Blocking
Mobile
Public post filters and tools
Apps
Ads

Facebook News Feed

Here’s how to keep your Facebook account secure

Start by accessing your Facebook account settings.

To do this, log into your Facebook account and go to the top right corner of the screen and select “Settings” from the drop-down menu.

We’ll take each section and discuss it separately before we continue to the next one, as they appear in the Settings menu.

 1. General Account Settings

After you click on the Settings button, it will take you to the General Account Settings.

Your profile tells a story to the one who’s viewing it, so you can choose how you can want to appear online. From there you’ll be able to manage and edit the basics information about you like name, surname, email address, or choose your legal contact settings.

You can inform Facebook in advance whether you’d like to have your account memorialized after you’ve passed away or permanently deleted from Facebook.

You can also download a copy of your Facebook data. This includes your Timeline info, shared posts, messages, photos, ads you have clicked on, the IP addresses where you’ve logged into your account, and more other details.

You can also have the option to download a copy of your Facebook data. This includes your Timeline info, shared posts, messages, photos, ads you have clicked on, the IP addresses where you’ve logged into your account, and more other details.

Deactivate Your Account

If you are planning on quitting the social network for a while, from this place you can choose to temporarily deactivate your account. Some information will still be available to others, such as your name in their friends list, or the messages you exchanged. You should know that this option doesn’t permanently delete your account and you’ll be able to reactivate it at any time you want.

However, if you’re serious and you want to permanently delete your account, you can do that from here. Keep in mind that it may take up to 90 days before the deletion process begins. You might also want to consider downloading an archive of your data beforehand.

2. Security Settings

We continue to the Security and Login Settings.

From here you’re able to set:

Choose friends to contact if you get locked out

Facebook recommends this feature for its users in case they are locked out of their account. From this place, you can select your close friends that will help you in case you ever have trouble accessing your Facebook account.The option lets users nominate 3 to 5 trusted contacts.

By clicking on Choose friends you will receive instructions to follow. After you have selected your friends, they’ll be able to send you a recovery code with a special URL you can use to get back into your account. You can always change or edit the chosen friends. Find out more info here.

Where you are logged in

This feature provides details about your current location and what browser used. Facebook also tracks your previous sessions offering the following information: logging time, device, address, and IP.

Login

Here you have the option to Change your current password. We highly recommend setting a strong and unique password.

Strong: so that nobody with malicious intentions will be able to guess it. That means no easy and common passwords, no family names, no nicknames, no birth dates, no favorite songs or movies or mottos, no nothing that can easily be found out about you.

Unique: because if one of your accounts is breached, all your other accounts where you used the same password will end up compromised. It doesn’t even have to be your fault.

You might have heard that about 1.9 billion data records were exposed in breaches in the first half of 2017, according to the Breach Level Index.

If you don’t remember your current password, you can reset it by clicking Forgot your password? and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.

Log in with your profile picture

If you are using the Facebook mobile app, you have the option to log in with your profile photo by just tapping on the picture, instead of using a password. Once enabled this feature, you can use it when you log out of the app or uninstall it, and need to log in again. Facebook requires explicit permission to enable it, so you can choose to turn it on or off.

Setting up extra security

To enhance protection, we suggest using the following extra layers of protection. First off, you can enable to receive notifications via email if anyone logs in from a device or browser you don’t usually use. If it doesn’t recognize your usual login, an alert will be sent to your email.

Use two-factor authentication

By activating this option, the network will require you to authenticate with a second security code every time you’ll want to access your account on a new browser or device. Read our dedicated article on why you should use two-factor authentication feature.

You have 7 options:

  • Turn on two-factor authentication;
  • A security code sent by SMS to your mobile device;
  • Security keys for safer logins;
  • Generate a security code using Code Generator from your Facebook mobile app;
  • Recovery codes when you don’t have your phone with you;
  • App passwords you can use instead of your Facebook account password;
  • Authorized logins.

To activate two-factor authentication feature, click the Setup button, confirm this action by enabling it and re-enter your password. You will receive an email (see the photo above) informing you that you’ve activated it. To disable this feature, follow the steps described in the Settings section.

Security keys

You can use a Universal 2nd Factor (U2F) security key to log into your account through USB or NFC.

Code Generator

Use this option together with Login Approvals to create new authentication codes. You’ll use these to access your Facebook account from a new device.

App Passwords

This option helps you create single-use passwords in order to access third-party apps on Facebook and keep your main password safe.

When you’ll log out of the app, the password will not be saved. To access the app again, you’ll need to generate a new, single-use password.

Authorized Logins

This option shows a list of devices where you won’t have to use a login code.

Advanced (Encrypted notification emails)

Facebook offers users the option to add extra security with an Open PGP public keys to their profiles and select to receive encrypted notification emails from Facebook (only you can decrypt these emails).

3. Privacy Settings

The next section is the Privacy Settings and Tools one. From here you’ll be able to tweak basic privacy settings and make sure that your past and future posts won’t be seen by intruders.

Who can see my stuff?

From here you can control the privacy of future posts. Select the appropriate audience for your future posts, you can share them with:

  • Public (if you want everybody to see them)
  • Friends
  • Friends with Acquaintances
  • Only Me
  • Custom Audience (if you use Friends Lists)

It is recommended that you set the default sharing option to Friends. Unless you manually change it, Facebook will remember this option and post all your future statuses as only available to your Friends.

From the same location, you can also review your activity by using the Activity Log.

Keep in mind that even if you choose to hide a post or photo from your Timeline, the post or photo will still be uploaded online. From there on, you can either choose to Remove Tag or even Request the post to be deleted.

And one last feature available in this section: “Limit the Audience for Old Posts on Your Timeline” – guess this is pretty much self-explanatory, right? By using this tool, all the audience for the content from your timeline will be changed.

Who can contact me?

From here you can choose who’s able to send you friend requests.

If you want to be added as a friend by anyone in the world, even if you don’t have any connections in common, you need to set this option to everyone.

Who can look me up?

In this place, you can choose if you want people to find you using your email address or phone number.

From here you can also select if you want search engines, such as Google or Bing, to index your profile and link to it. If you deactivate this setting, your profile will be found only by people searching for your name directly on Facebook.

4. Timeline and Tagging Settings

Next in line: Timeline and Tagging Settings. This place allows you to set other privacy settings, such as who can post to your timeline, timeline visibility, and tagging.

We’ll take each separately.

Who can add things to my timeline?

This one is pretty straightforward. You can choose who can post on your timeline – if you also hate birthday wishes from unknown people who choose to post on your timeline, select “Only Me” instead of “Friends”.

From here you can also choose to review the posts you were tagged in by your friends before they appear on your timeline. Enable this option to keep spam or untrusted posts away.

Don’t forget that these posts will remain online and still appear in Facebook’s search or news feed. You’ll have to manually remove each tag or even ask the friends who uploaded them to delete them.

Who can see things on my timeline?

This option will help you review what other people see when they look at your profile.

From here you’ll be able to see how your Timeline looks like to the public (to users who aren’t connected to you in any way), to your Friends or even to a specific person.

You can use this last feature in case you ever choose to hide a post from specific people and you want to see how it looks like when they look at your profile.

Before you post something on the timeline, you can choose to share the post with a Custom Audience (a specific list of Friends), specific Friends (if you want to manually add their names) or NOT share it with specific Friends (anyone you include here won’t be able to see that post unless you tag them).

From here you can also select who can see posts you’ve been tagged in on your timeline and who can see what others post on your timeline.

How can I manage tags people add and tagging suggestions?

If you activate the option to “Review tags people add to your own posts before they appear on Facebook”, you’ll be able to check and approve those tags. Thus, when someone adds a tag to one of your posts, you’ll be asked to review it before they appear on Facebook.

This is an option for tags added by friends. If someone who’s not your Facebook friend will add a tag to one of your posts, you’ll always be asked to review it.

Another setting from here: when you’re tagged in a post, who do you want to add to the audience if they aren’t already in it? Choose “Friends” if you want them to see the post you were tagged in, “Only Me” if you don’t want your friends to see it, or you can create a custom audience.


I found this comprehensive guide on how to secure my Facebook account
Click To Tweet


5. Blocking

From the Blocking tab, you can restrict the way in which other Facebook users, apps or pages interact with you.

Here’s what exactly you can set from here:

Restricted List

This option is probably extremely popular among kids who don’t want their parents to see what they post, but they still want them to be friends on Facebook.

Here’s how it works: if you want to restrict a friend from seeing anything that you post, you add them to this list. They’ll still be able to see your public posts, those where you are both tagged in or where a mutual friend was tagged in, but that’s it.

Facebook won’t notify them when you add them to this list, so they won’t know.

Keep out

Block users, messages, the app invites, event invites

In case you want to get rid of annoying users, games or events, this is the place to go.

From here you’ll be able to:

  • Block users that you don’t want them to see your Facebook profile, add you as a friend, see what you comment on other profiles or pages or send you any kind of invitations (events or groups).
  • Block someone from sending you messages and video calls. Yes, this one’s separate from the first option. Unless you also block their profile, they’ll still be able to post on your Timeline, tag you, and comment on your posts.
  • Block a page – they won’t be able to interact with you anymore, with your posts or like or reply to your comments. If you currently like that page, by blocking it you will unlike it and unfollow it.
  • Block any other kinds of app invites from someone.

Block event invites from someone – this way, you’ll automatically ignore future event requests from that friend. Use this for those PR people from your list, who try to exploit you by sending you all kind of irrelevant event invites.


I found lots of useful info in this Facebook security and privacy guide:
Click To Tweet


6. Mobile

From the Mobile section, you can enter your mobile phone number (or numbers). You’ll use it when you activate your login credentials and need to receive the unique code for the second-factor authentication.

Here’s also the place where you can activate text messaging from. Facebook Texts are not currently supported by all countries or mobile service providers, but you’ll have a list here.

7. Public Post Filters and Tools

This section also has a few important privacy settings, from here you can:

  • Choose who can follow you. Friends follow you and your posts by default, once you add them to your friends list, but you can also allow people who are not your friends to follow your public posts.
  • Choose who can comment on your public posts. In case you want to somehow keep weird users away (or at least not have them interact with you and your friends).

8. Apps

This one is among the most important privacy settings for your Facebook account.

The Apps section shows you what third-party apps you connected in the past, such as:

  • Games;
  • Other social media apps (Instagram, for example);
  • Other social media websites (Medium, for example);
  • Any other kind of apps or websites where you connected to your Facebook account.

Keep in mind that all these external apps can access all the tons of data collected by Facebook about us.

Review what permissions you gave to each of those apps and if they are allowed to post on Facebook on your behalf (and to what audience).

Decline any kind of intrusive apps and permissions allowed in the past. Disconnect any apps that you don’t remember giving them access or you don’t use anymore. All those are potential vulnerabilities to your security and privacy.

For more details on how to master app permissions, you can read the security guide from our colleague, Andra.

9. Ads

Do you want to allow third-party sites access to your personal information? Do you want Facebook telling your friends what you like? If you want to opt-out from these two options, simply select “No” or “No one” to these options. You are free to take control over your ad experience.

iPhone 5s

Useful tips and tricks to enhance your Facebook security & privacy

  • Stop accepting friend requests from people you don’t know.

You may be targeted by online scammers who want to collect data about users by creating fake Facebook profiles.

Also, if you ever have enough time, do a clean-up of your friends list and remove anybody you don’t know or never interacted with.

  • Do not disclose your password to any of your friends or work colleagues.

Trust me, you’ll regret this!

Even if they are your best friends now and you can’t imagine your life without them, you never know how your relationship is going to evolve.

All that information can end up being used against you (seen that happen way too many times by vengeful ex-employees, ex-lovers or friends who felt betrayed).

  • Keep your browser updated.

This also goes for your plugins and add-ons, but also your operating system.

Keep them patched and up to date, in order to close all the security holes. It will help you reduce the chances of a cyber attack that exploits those vulnerabilities.

  • Use good cyber security software.

A multi-layered security system will help you keep cyber attackers away.

Start by installing a good, trustworthy antivirus (if you don’t already have such a thing).

You can also enforce your security system with a traffic filtering software that works in a proactive way and blocks second generation malware (such as ransomware attacks). Heimdal is that kind of a software.

Pay attention to the various messages you receive from users asking for your personal data.

Follow the previous link for a guide that exposes them and also gives tips on how to stay safe.

  • Limit the connections to free, public wi-fi networks.

You can easily be tracked when you connect to one of those networks, so try to stay away from them as much as possible. However, if you do have to connect, try working through a VPN.
More tips here.

  • Don’t forget to log out of your Facebook account.

In case you have to connect to Facebook from a different computer, one normally used by other persons, don’t forget to log out of your account at the end of the session.

1

Final thoughts

When a website becomes popular, you can also assume that scammers will be there, somehow trying to take advantage of it. Facebook is no exception to that because it is the most popular social network in the world.

Recently, cyber attackers threatened the Facebook users by spreading a suspicious link on Messenger.

It could happen again, so you need to keep your account safe and secure.

Spend time with your family, not updating their apps!
Let Heimdal FREE Silently and automatically update software Close security gaps Reinforce your antivirus of choice

INSTALL IT, FORGET IT AND BE PROTECTED

Download Heimdal FREE

* This article was written by Cristina Chipurici, in June 2016 and updated in September 2017. It was also updated in March 2018.

The post Facebook Privacy & Security Guide: Everything You Need to Know [Updated] appeared first on Heimdal Security Blog.

Don’t Get Duped: How to Spot 2018’s Top Tax Scams

It’s the most vulnerable time of the year. Tax time is when cyber criminals pull out their best scams and manage to swindle consumers — smart consumers — out of millions of dollars.

According to the Internal Revenue Service (IRS), crooks are getting creative and putting new twists on old scams using email, phishing and malware, threatening phone calls, and various forms of identity theft to gain access to your hard earned tax refund.

While some of these scams are harder to spot than others, almost all of them can be avoided by understanding the covert routes crooks take to access your family’s data and financial accounts.

According to the IRS, the con games around tax time regularly change. Here are just a few of the recent scams to be aware of:

Erroneous refunds

According to the IRS, schemes are getting more sophisticated. By stealing client data from legitimate tax professionals or buying social security numbers on the black market, a criminal can file a fraudulent tax return. Once the IRS deposits the tax refund into the taxpayer’s account, crooks then use various tactics (phone or email requests) to reclaim the refund from the taxpayer. Multiple versions of this sophisticated scam continue to evolve. If you see suspicious funds in your account or receive a refund check you know is not yours, alert your tax preparer, your bank, and the IRS. To return erroneous refunds, take these steps outlined by the IRS.

Phone scams

If someone calls you claiming to be from the IRS demanding a past due payment in the form of a wire transfer or money order, hang up. Imposters have been known to get aggressive and will even threaten to deport, arrest, or revoke your license if you do not pay the alleged outstanding tax bill.

In a similar scam, thieves call potential victims posing as IRS representatives and tell potential victims that two certified letters were previously sent and returned as undeliverable. The callers then threaten to arrest if a payment the victim does not immediately pay through a prepaid debit card. The scammer also tells the victim that the purchase of the card is linked to the Electronic Federal Tax Payment System (EFTPS) system.

Note: The IRS will never initiate an official tax dispute via phone. If you receive such a call, hang up and report the call to the IRS at 1-800-829-1040.

Robo calls

Baiting you with fear, scammers may also leave urgent “callback” requests through prerecorded phone robot or robo calls, or through a phishing email. Bogus IRS robo often politely ask taxpayers to verify their identity over the phone. These robo calls will even alter caller ID numbers to make it look as if the IRS or another official agency is calling.

Phishing schemes

Be on the lookout for emails with links to websites that ask for your personal information. According to the IRS, thieves now send very authentic-looking messages from credible-looking addresses. These emails coax victims into sharing sensitive information or contain links that contain malware that collects data.

To protect yourself stay alert and be wary of any emails from financial groups or government agencies Don’t share any information online, via email, phone or by text. Don’t click on random links sent to you via email. Once that information is shared anywhere, a crook can steal your identity and use it in different scams.

Human resource/data breaches

In one particular scam crooks target human resource departments. In this scenario, a thief sends an email from a fake organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.  This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES). 

Using the collected data criminals then attempt to file fraudulent tax returns to claim refunds. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and Social Security Numbers to commit other identity theft related crimes. While you can’t personally avoid this scam, be sure to inquire about your firm’s security practices and try to file your tax return early every year to beat any potentially false filing. Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

As a reminder, the IRS will never:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

If you are the victim identity, theft be sure to take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS to phishing@irs.gov (and then delete the emails).

This post is part II of our series on keeping your family safe during tax time. To read more about helping your teen file his or her first tax return, here’s Part I.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Don’t Get Duped: How to Spot 2018’s Top Tax Scams appeared first on McAfee Blogs.

Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected

We all love a good getaway, and as we look ahead to spring and summer, most of us are already planning our next vacation. To do that, we’ll tap one of the many online travel agencies out there to help us organize our plans. Only now, some travel-goers may have to stop trip planning so they can start planning for credit monitoring, as one of the most popular travel agencies, Orbitz.com, was hit with a data breach that may have exposed as many as 880,000 payment cards.

The online travel agency reported two separate data disclosures, as an attacker may have accessed customers’ personal information shared on Orbitz.com and a handful of associated websites between Jan. 1, 2016 between Dec. 22, 2016.

What’s more – in addition to the payment cards, hackers may have also stolen customers’ full name, date of birth, phone number, email address, physical and/or billing address and gender information. Now, with all this personal information potentially out in the open, it’s important affected customers start thinking about protecting their personal identities. To do just that, follow these tips:

  • Regularly review your online account info. Things like regularly reviewing transactions online and making sure account contact info hasn’t changed are good for keeping tabs on anyone trying to hijack your account.
  • Set up an alert. If you know there’s a chance your personal data has been compromised, place a fraud alert on your credit so that any new or recent requests undergo scrutiny. This also entitles you to extra copies of your credit report so you can check for anything suspicious. If you find an account you did not open, report it to the police or Federal Trade Commission, as well as the creditor involved so you can close the fraudulent account.
  • Consider an identity theft protection solution. With this breach and others before it, consumers are faced with the possibility of identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Travel Agency Orbitz Hit with Data Breach, 880,000 Payment Cards Affected appeared first on McAfee Blogs.

7 Digital Safety Tips for Teens Filing Their First Tax Returns

Landing that first part-time job in high school and filing your first tax return is a rite of passage for a young person. So why am I so anxious about my daughter becoming a taxpayer and sharing her pristine personal data with the U.S. government?

Where do I begin? The fact is, the more widely her personal information travels, the more digital risks she faces. Adding to my angst is my own experience with identity theft over a decade ago that still haunts me and is the last stress I’d wish upon my child or anyone else’s.

So as my daughter waves her W-2 at me and elatedly chatters about how she’s going to spend her refund, I — like so many other parents across the country — put on my coach’s hat for a key talk around the digital risks that come with tax season.

7 Tax Filing Safety Tips for Families

  1. Allow your child to file. Sometimes it’s easier just to file a 1040-EZ form for your child and be done with it. The wiser route is to take the time to teach your child the few steps needed to file correctly and the legal reasons we all must pay taxes. Part of this discussion is going over the digital risks of tax season such as identity theft, malware and viruses, tax fraud, and identity theft.
  2. Discuss the power of a SSN. Talk about the responsibility and power of owning a Social Security Number (SSN) and why it must be safeguarded. A SSN is the most critical piece of government-issued identification an American citizen can possess. It is tied to personal credit, identification, and is the primary way the way the government tracks earnings of an individual during his or her lifetime. The SSN is the golden ticket for cyber thieves who make a career of stealing and selling social security numbers and identities online.
  3. Secure all digital doorways. One of the ways cyber thieves gain access to personal information is through hacking, and the best way to slam that door is by creating strong passwords. Easy passwords are the #1 way hackers unlock our data. Tax time is a perfect opportunity to challenge your child to create stronger passwords for all of his or her devices and email accounts. At the same time you upgrade password security, make sure updates on software, PCs, phones, and web browsers are current to protect your devices against viruses and malware that can grab login information.
  4. File early. Start the habit of early filing. The sooner you file your tax return and teach your child to do the same, the more you lessen the chance of a thief using yours or your child’s identity to claim a refund before your return goes through. According to the Identity Theft Resource Center, tax return fraud is on the rise due to more significant security breaches and the number of identities now for sale online.
  5. Be overly cautious every step of the way. Use a reputable firm or company to handle yours and your child’s tax return. Legitimate tax preparers must sign all forms with their IRS preparer identification number. If you end up filing the 1040-EZ form on paper, be sure to hand deliver your returns to the post office mailbox. Thieves target March and April as prime for stealing tax information from curbside, residential mailboxes. Filing online? That’s fine if you make sure you do so over secured wifi. The local coffee shop or library isn’t going to protect your tax information from unscrupulous, prying eyes. Look for the HTTPS web designation at the front of the Internal Revenue System’s web address before submitting your documents.
  6. File a fraud alert. Because your child has rarely used his or her social security number, set up a fraud alert. By submitting a fraud alert in your child’s name with the three main credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  7. Celebrate. Tax time tends to bring out the anxiety in just about everyone. Change that mentality with your child if possible. Make tax time rewarding. Go out for a celebration dinner or dessert. Congratulate him or her on filing safely and responsibly. And, don’t forget to recognize the even bigger accomplishment of stepping into the workforce and taking on the challenge of a first job.

This post is the first of a two-part series focused on digital safety during tax season. Next week, we will highlight some of the scams thieves use and how to safeguard your family.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 7 Digital Safety Tips for Teens Filing Their First Tax Returns appeared first on McAfee Blogs.

9+ Free Encryption Software Tools To Protect Your Data [Updated 2018]

What exactly is data encryption?

You probably know that data encryption is one of the best protection methods out there you can use to keep all your digital assets safe.

The encryption process uses a key and an algorithm to turn the accessible data into an encoded piece of information.

To decode the encrypted data and render it back to its original form (that can be easily understood), one needs access to the ciphering algorithm and the secret key that was used.

Public key encryption keys 1

Source.

Encryption helps you secure sensitive information from cyber criminals or other online threats and make access harder to them. At the same time, it’s a way that can be used to archive large amounts of data or to secure private communication over the Internet.

Finding the best encryption software to keep your data secure could prove to be a daunting task. This is why we thought it is useful to make this list and help you choose the best encryption software tools.

Free encryption tools are very useful in keeping valuable information hidden from cyber criminals, because it renders the data inaccessible to malicious actors. We strongly advise you to use some encryption to protect your valuable data, no matter if it is stored locally, on your PC, or sent over the Internet.

So which are the best encryption tools? Read on below and choose the free encryption software that can help you keep your data safe.

Before we jump to the best ways to encrypt your files, we have to remind you about the importance of using strong passwords. When setting up your encryption process, you’ll be asked to choose a password that will act as the decryption key. So your encryption is only as good as your password.

CHECK YOUR CYBER SECURITY HABITS
Do you use any encryption tools to protect your sensitive data?

These security tips will help you manage your passwords like a pro and make them unhackable:

  • Set unique and strong passwords, which contain different character types, like uppercase and lowercase letters and numbers, and are more than 15 characters long. There are even several ways you can test if your passwords are strong enough.
  • Also, you’ll need to set passwords which are not easy to remember or guess, and which aren’t used for more than one online account.
  • For your online security, you should not keep your passwords saved in text files or browsers;
  • Never use/reuse the same password for more than one account;
  • Do not share your passwords in emails, instant messages or other online platforms.

We carefully curated and selected some of the best free encryption software tools you can use to keep your most valuable data safe and secure.

Use strong passwords for your online accounts

1. LastPass

lasspass password generator

LastPass is both a password manager and generator we recommend using to better secure your passwords and personal data. With the help of a free encryption software tool like this one, you’ll no longer have to remember or note a password in a notebook or other place.

LastPass is easy to use and can simplify things for you. It has extensions for the main web browsers, such as Mozilla Firefox and Google Chrome. Also, you can use the mobile app available for both Android and Apple.

When you create a new online account, it offers the option to save the new credentials.

This tool encourages you to set a unique and hard to break password and discourages users to reuse it. If you’re using the same password for multiple accounts, it simply recommends selecting a different password.

Other password management tools that are easy-to-use and can offer good password security are Sticky Password  or RoboForm

Managing passwords safely can really become much easier if you follow the steps included in this guide and if you use two-factor authentication whenever you can.

Encryption software tools for your hard drive

2. BitLocker

Bitlocker for Windows 10

Source: Windows Central

There is a large number of encryption tools available out there, which can be used to encrypt data locally. For most users, the easiest way to encrypt sensitive information or maybe the entire hard-disk is to use Microsoft’s BitLocker software, which can be found on most Windows operating systems.

BitLocker is a full-disk encryption tool built-in in the latest Windows operating systems (Windows 10), which uses AES (128 and 256-bit) encryption to encrypt data on the drives.

The Advanced Encryption Standard has been tested and improved and is now used worldwide by most security vendors due to its high level of security and optimization.

Why should you use BitLocker:

  • Easy to use and it’s already integrated into your Windows operating system, so there’s no need to add another encryption software;
  • It’s mainly a free data encryption software tool you can use to prevent data breaches and data exfiltration from your hard disk.
  • It encrypts your entire drive, which makes it impossible for malicious actors stealing your laptop to remove the hard drive and read your files.
  • It’s also a great encryption software if it happens to lose your PC/laptop or get it stolen.
  • When BitLocker Drive Encryption is activated, and you add new files, BitLocker will encrypt them automatically.

Read these in-depth resources about BitLocker in our security guide dedicated to Windows 10.

3. VeraCrypt

Another free encryption software we recommend trying is VeraCrypt which is available for Windows, OS X and Linux operating systems. If you’ve been familiar with the TrueCrypt encryption software that’s been discontinued in 2014, then you will have no problem using VeraCrypt.

Just like BitLocker, it supports Advanced Encryption Standard (AES) and can hide encrypted volumes within other volumes.

veracrypt screenshot 1

This encryption software is a great alternative to TrueCrypt tool and is constantly getting improvements and security enhancements.

You can use its dedicated beginner’s step-by-step guide to get started and download it from here.

4. FileVault 2

Are you interested in encrypting your data stored on your Mac safe? We recommend evaluating this free encryption software tool which is Apple’s implementation of encrypting data on macOS and Mac hardware.

Just like BitLocker and VeraCrypt tools, FileVault 2 (FileVault full-disk encryption) uses XTS-AES-128 encryption with a 256-bit key “to help prevent unauthorized access to the information on your startup disk”.

This version appeared in 2011 and is available in OS X Lion or later to secure users’ data. Use this guide to turn on FileVault.

FileVault

5. DiskCryptor

It is another Windows-only free encryption software you can use to encrypt your internal and external drive, including system partition, and even ISO images.

This software tool provides multiple encryption algorithms such as AES, Twofish, and Serpent, and the working system is quite simple: select your drive and click on “Encrypt” to protect your data available on it.

The file encryption software can be used as a good alternative to TrueCrypt tool and has a quick and easy installation procedure requiring a computer restart to finish. Here’s a tutorial and full review of DiskCryptor.

Source: Lifewire.com

DiskCryptor can also encrypt external USB flash drives or any other storage devices and use it to mount or unmount them. You can download it from here

Software encryption for your files

6. 7-Zip

Many users are not interested in encrypting the entire hard disk, but only specific files and documents that store valuable data or information.

7-Zip is a free encryption software with open source, a powerful and lightweight solution well-known for its simplicity. This software tool is capable of extracting most archives and it features strong AES-256 encryption.

The program is easy to get used to when encrypting your own files and it uses one of the best compression formats. It’s also available in 87 languages and compatible with even the oldest of Windows versions, plus Linux.

7. AxCrypt

Just like 7-Zip, AxCrypt is a free and open source encryption tool for Windows which can be used mainly for protecting essential files from users’ system.

It is a lightweight tool (around 1MB in size) and is efficient to encrypt a file, an entire folder or a group of files with a simple right-click.

The files can be encrypted for a specific period of time and can auto-decrypt later on when that file reaches the destination.

As I said in the beginning, its main purpose is to protect specific files and not entire hard drives, although it does offer protection against major cracking methods used by cyber criminals. Plus, you can use it to encrypt your sensitive data before backing it up in the cloud or on external hard drives. AxCrypt can be downloaded here.

If you’re looking for even more tools and programs that you can use to encrypt computer hard drives or your sensitive data, this list is a great resource to explore!

Software tools to encrypt your online traffic

Encrypting your files is not enough. To enhance protection, you need to make sure no one can eavesdrop on your communication over the Internet.

So, how can I increase my online security without creating too many barriers that may slow down my access to information posted online?

See below a few simple tools you can use to access online content and stay safe from data breaches at the same time.

8. HTTPS Everywhere 

To make sure you always access secure web pages that use encryption mechanisms, we recommend trying a browser extension like HTTPS Everywhere, which is compatible with Mozilla Firefox, Opera, and Google Chrome.

While some security analysts argue that even secure websites aren’t bulletproof, it’s much better than doing nothing. After all, these secure websites have encryption and authentication standards that are meant to ensure the confidentiality of your online activities.

When you use HTTPS Everywhere, your browser will go through an authentication process while connecting to a secure website. This process uses cryptography to verify that a secure connection is maintained.

Using a little extension like HTTPS Everywhere, which encrypts your communication with major websites, will make your online activities more secure from the dangers of cybercrime.


This is a good list of 9+ free #encryption tools to use if you’re concern about your data…
Click To Tweet


9. Tor Browser

If you want something close to complete privacy, try the Tor browser which allows you to access Internet anonymously using the Tor network of computers.

The special Tor browser has been designed to be used by anyone who wants to conceal any browsing activity from prying eyes.

The most recent version of this browser, Tor Browser 8.0a2, is now available and it features many updates and improvements, both in terms of stability and privacy.

For those who don’t know,  Tor is the short version of “The Onion Router” and directs your Internet traffic by encrypting the IP address from where it came. Using an encryption software like Tor will make it more difficult for any Internet activity to be traced back to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms”

You can read more details in this review.

10. CyberGhost

Another alternative to becoming anonymous online and encrypt your communications is to use a Virtual Private Network (VPN).

This private network is able to spread across the normal Internet space, using its resources to create an encrypted channel that can keep your communication safe from interception attempts.

Usually, employees who work remotely use a VPN to access the private company network. This way, they can run online operations or transfer highly confidential documents in complete privacy.

But that doesn’t mean VPN software is just for corporate users. I recommend you use this type of software when connecting to unsafe public networks or when you want to access content whose distribution is restricted to a certain geographical area.

CyberGhost is a popular VPN solution to ensure that your web traffic and valuable information remain encrypted. Configuration is simple and easy to use and includes 256-bit AES encryption, to enhance online privacy. Once you activate CyberGhost, you’ll be able to browse anonymously from another country and get access to more than 1,000 servers across 50+ countries.

If you need VPN for day-to-day or occasional use ( free Wifi in airports, hotels, coffee shop and any other places you go), the free ad-supported plan should be a good option to choose.

Source: TechRadar.com

It includes a 30-day money-back guarantee for everything else and friendly support. A VPN service provider like Cyberghost helps you keep your data protected and secure your digital assets. Cyberghost works with Windows, macOS, iOS, Android, Linux or routers.

This video will show you how a VPN works and for more details about this service, you can read this review.

11. ExpressVPN 

For privacy enthusiasts, here’s another VPN service you can use to encrypt your data and keep cybercriminals at bay. Just like CyberGhost, this one uses 256-bit AES encryption technology and the set-up is simple. All you have to do is download, install and connect to ExpressVPN with a few clicks.

Compatible with multiple devices, it works on Windows, Mac, iOS, Android, or Linux and connects to more than 148 locations in 90+ countries. It’s not entirely free, but you can use it free of charge for up to one month and get a 30-day money back guarantee. Here are more free VPN services you can try.

Source: VPNMentor.com

12. Online Proxy Server – Hide Your IP Address

If you find the process of installing and using a VPN or the Tor browser too difficult, you can still rely on a basic privacy measure: an online proxy server. Using a proxy server, you can simply hide your IP address and surf online accessing various sites anonymously.

Keep in mind that a web proxy server can’t offer the encryption channel you get from a VPN solution and can’t hide your online communication through an entire network like Tor. But you’ll still have an indirect link between your computer and the website you access. This should provide basic protection for small browsing activities.

If you’re a Windows 10 user and want to see how you can set up a proxy, use this guide to learn more.

Protection guide to enhance your online safety

To keep your valuable information safe from malicious actors, encryption is not enough. In our blog posts, we often emphasize that no single security solution is enough to offer the best protection for your digital assets. You need multiple layers of security to keep your data safe against online threats like ransomware, data-stealing malware, financial Trojans. Learn more about our product, Heimdal PRO, and what can do for you.

The cyber criminals’ arsenal includes a lot of weapons that we need to shield our systems from. They continuously work on changing their tactics during the cyber attacks, so it’s for your own best to take all the security measures needed.

Since there are so many online threats out there, here what you can do to improve your online security:

  • Keep your browser and operating system updated with the latest security patches. Make sure you have the latest versions running on your system. Online criminals spread malicious tools by using security exploits to take advantage of your system’s vulnerabilities. Patching is key, as the experts said it again and again.
  • Use a reliable security solution from a trusted company. To keep your system safe from the latest threats, the software should include a real-time traffic scanning engine. This ensures that every connection to and from the Internet is scanned for threats. Start with an antivirus, but don’t forget that it, too, is not enough.
  • Be very careful when connecting to public and free wireless networks. One of the favorite methods used by online criminals to retrieve your credentials is to use wireless sniffers to access data you send over unprotected networks.
  • Education remains the main key to better secure your digital assets, so we recommend signing up for this free educational resource, The Daily Security Tip, and learn how to stay safe online.

When you think about encryption, have in mind the whole picture and consider its role in your overall security strategy: it’s a great, reliable way to ensure that your personal information doesn’t get harvested by cyber criminals when you browse the Internet.

How do you see encryption in the bigger picture of Internet security? Are you using any type of encryption for your data at the moment?

Share your thoughts and please let us know what other free encryption software you are using.

Spend time with your family, not updating their apps!
Let Heimdal FREE Silently and automatically update software Close security gaps Reinforce your antivirus of choice

INSTALL IT, FORGET IT AND BE PROTECTED

Download Heimdal FREE

The post 9+ Free Encryption Software Tools To Protect Your Data [Updated 2018] appeared first on Heimdal Security Blog.

McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals

The nonperishable nature of medical data makes an irresistible target for cybercriminals. The art of hacking requires significant time and effort, encouraging experienced cybercriminals to plot their attacks based on the return they will see from their investment. Those who have successfully gained access to medical data have been well rewarded for their efforts. One seller stated in an interview that “someone wanted to buy all the … records specifically,” claiming that the effort had netted US$100,000.

While at a doctor’s appointment with my wife watching a beautiful 4D ultrasound of our unborn child, I noticed the words “saving data to image” flash on the screen. Although this phrase would not catch the attention of most people, given my research on how cybercriminals are targeting the health care industry, I quickly began to wonder why an ultrasound of our child would not instead save to a file. Intrigued, I decided to dig into the world of medical imaging and its possible security risks. The results were disturbing; ultimately, we were able to combine attack vectors to reconstruct body parts from the images and make a three-dimensional model.

PACS

Most hospitals or medical research facilities use PACS, for picture archiving and communication system, so that images such as ultrasounds, mammograms, MRIs, etc. can be accessed from the various systems within their facility, or through the cloud.

A PACS setup contains multiple components, including a workstation, imaging device, acquisition gateway, PACS controller, database, and archiving—as illustrated in the following graphic:

The basic elements of PACS infrastructure.

The imaging device creates a picture, such as an ultrasound or MRI, which is uploaded to an acquisition gateway. Because much of the imaging equipment in use by medical facilities does not align with security best practices, acquisition gateways are placed in the network to enable the digital exchange of the images. The acquisition gateway also often acts as the server connecting to the hospital’s information system (using the HL7 protocol) to enrich images with patient data.

The PACS controller is the central unit coordinating all traffic among the different components. The final component in the PACS infrastructure is the database and archiving system. The system ensures that all images are correctly stored and labeled for either short- or long-term storage.

Larger implementations might have multiple imaging devices and acquisition gateways in various locations, connected over the Internet. During our investigation, we noticed many small medical practices around the world using free, open-source PACS software, which was not always securely implemented.

To determine how many PACS servers are connected depends on on how you search using Shodan, a search engine for finding specific types of computers connected to the Internet. Some servers connect over TCP 104; others use HTTP TCP 80 or HTTPS TCP 443. A quick search revealed more than 1,100 PACS directly connected to the Internet, not behind a recommended layer of network security measures or virtual private networks (VPNs).

PACS systems connected to the Internet. Darker colors represent more systems.

Our eyebrows began to rise very early in our research, as we came across “IE 6 support only” messages or ActiveX controls and old Java support; many of these products are vulnerable to a plethora of exploits. For example, one of the PACS generated an error page when we changed one parameter. This is a very basic common way of testing if the application developers did proper input sanitation check to prevent attackers inserting code or generating failures that could reveal data about the application and can give clues to compromise the system.

A stack-trace error.

The stack-trace dump revealed the use of Apache Tomcat Version 7.0.13, which has more than 40 vulnerabilities.

When communicating with the DICOM (digital imaging and communications in medicine) port, TCP 104, it is possible to grab the banner of a server and get a response. As we queried, we recorded different responses. Let’s look at one:

\x02\x00\x00\x00\x00\xbe\x00\x01\x00\x00ANY-SCP         FINDSCU         \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x151.2.840.10008.3.1.1.1!\x00\x00\x1b\x01\x00\x00\x00@\x00\x00\x131.2.840.10008.1.2.1P\x00\x00>Q\x00\x00\x04\x00\x00@\x00R\x00\x00"1.2.826.0.1.3680043.2.135.1066.101U\x00\x00\x0c1.4.16/WIN32

 

The FINDSCU string refers to the findscu tool, which can be used to query a PACS system. The DICOM standard defines three data models for the query/retrieve service. Each data model has been assigned with one unique ID for the C-FIND, one for the C-MOVE, and one for C-GET; so all together there are nine unique IDs, three for each model. In the preceding banner, we retrieved two of those IDs:

  • 2.840.10008.1.2.1: A transfer unique ID that defines the value “Explicit VR Little Endian” for data transfer
  • 2.826.0.1.3680043.2.135.1066.101: A value referring to the implementation class

Another value in the banner, “1.4.16/WIN32,” refers to the implementation version. In the context of the medical servers, this refers to the version of XAMPP, aka Apache with MariaDB, PHP, and Perl. This server was running Apache 2.4.9, which is publicly known to contain nine vulnerabilities.

In other cases, there was no need to search for vulnerabilities. The management interface was wide open and could be accessed without credentials.

What does this mean? It is possible to access the images.

Vulnerabilities

In addition to expensive commercial PACS systems, open-source or small-fee PACS are available for small health care institutions or practices. As we investigated these systems, we found that our fears were well founded. One web server/client setup used the defaults “admin/password” as credentials without enforcing a change when the server is started for the first time. We found more problems:

  • Unencrypted traffic between client and server
  • Click jacking
  • Cross-site scripting (reflected)
  • Cross-site scripting stored as cross-site request forgery
  • Document object model–based link manipulation
  • Remote creation of admin accounts
  • Disclosure of information

Many of these are ranked on the list of OWASP Top 10 Most Critical Web Application Security Risks list, which highlights severe flaws that should be addressed in any product delivered to a customer.

We have reported the vulnerabilities we discovered to these vendors following our responsible disclosure process. They cooperated with us in investigating the vulnerabilities and taking appropriate actions to fix the issues.

But why should we spend so much time and effort in researching vulnerabilities when there are many other ways to retrieve medical images from the Internet?

Medical Image Formats

The medical world uses several image formats for different purposes. Each format has different requirements and works with different equipment, protocols, etc. A few format examples:

  • NifTi Neuroimaging Informatics Technology Initiative
  • Dicom Digital Imaging and Communications in Medicine
  • MINC Medical Imaging NetCDF
  • NRRD Nearly Raw Raster Data

Searching open directories and FTP servers while using several search engines, we gathered thousands of images—some of them complete MRI scans, mostly in DICOM format. One example:

An open directory of images.

The DICOM format originated in the 1980s, before cybersecurity was a key component. The standard format contains a detailed list of tags such as patient name, station name, hospital, etc. All are included as metadata with the image.

Opening an image with a text editor presents the following screen:

An example of the DICOM file format.

The file begins with the prefix DICM, an indicator that we are dealing with a DICOM file.  Other (now obscured) strings in this example include the hospital’s name, city, patient name, and more.

The Health Insurance Portability and Accountability Act requires a secure medical imaging workflow, which includes the removal or anonymizing of metadata in DICOM files. Researching the retrieved files from open sources and directories, we discovered most of the images still contained this metadata, such as in the following example, from which we extracted (obscured) personally identifiable information (PII).

Metadata discovered in a DICOM file.

Combining Vulnerabilities and Metadata

We combined possible vulnerabilities and the metadata to create a test scenario, installing information from a dummy patient, including an x-ray picture of a knee, to the vulnerable PACS server.

Our test patient record, followed by an x-ray of a knee. 

Using vulnerability information gathered in an earlier phase of research, we launched an attack to gain access to the PACS server. Once we had access, we downloaded the image from our dummy patient and altered the metadata of the image series, changing all references of “knee” to “elbow.”

Altered metadata of the test patient image.

We then saved the picture and uploaded it to the server. Checking the records of our dummy patient, we found our changes were successful.

Changes successfully updated.

Reconstructing Body Parts

In the medical imaging world, a large array of software can investigate and visualize images in different ways, for example, in 3D. We took our collection of images, and using a demo version of 3D software, we reconstructed complete 3D models of vertebrae, pelvis, knees, etc. and, in one case, we reconstructed a partial face.

Because we firmly believe in protecting privacy, the following example—a series of images from a pelvis—comes from a demo file that accompanies the software.

An example of a series of images.

After selecting areas of interest and adjusting the levels, we generated a 3D model of the pelvis:

A 3D model of the pelvis.

The application that generated the 3D model has a feature that allowed us to export the model in several data formats to be used by other 3D drawing programs. After the export, we imported the data into a 3D drawing program and converted the file to STL, a popular format for 3D objects and printers.

In short, we began with files from open directories, transformed them into a 3D model, and printed a tangible model using a 3D printer:

Our 3D model of a pelvis.

Conclusion

When we began our investigation into the security status of medical imaging systems, we never expected we would conclude by reconstructing body parts. The amount of old software used in implementations of PACS servers and the amount of vulnerabilities discovered within the software itself are concerning. We investigated relatively few open-source vendors, but it begs the question: What more could we have found if we had access to professional hardware and software?

Default accounts, cross-site scripting, or vulnerabilities in the web server could lead to access to the systems. Our research demonstrates that once inside the systems, the data and pictures can be permanently altered.

In May 2017, one report claimed that through artificial intelligence pictures could be studied to determine how long a person will live. What if criminals could obtain that information and use it for extortion?

We understand the need for quickly sharing medical data for diagnosis and treatment and for storing medical images. We advise health care organizations to be careful when sharing images on open directories for research purposes and to at least scrape the PII data from the images.

For organizations using a PACS, ask your vendor about its security features. Employ a proper network design in which the sharing systems are properly secured. Think not only about internal security but also about the use of VPNs and two-factor authentication when connecting with external systems.

 

For more on the health care industry follow @McAfee_Labs and catch up on all threats statistics from Q417 in the March Threats Report.

The post McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals appeared first on McAfee Blogs.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not complying, so it really is essential for any business which touches EU citizen's personal data, to thoroughly do their privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

GDPR Material and Territorial Scopes

The new EU General Data Regulation will enter into force 25 May of this year. The GDPR contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data. The new regulation is not revolutionary but an evolution from the previous Data Protection Act 1998 […]

The GDPR Basics: What Consumers Need to Know

What companies do with consumer data has always been a hot topic – and becomes hotter after every security breach, when consumers learn more about what can go wrong with their data and worry about the implications of their personal information in the wrong peoples’ hands. In the United States, most states and several cities now have laws about data breaches and many have laws regarding some form of consumer data protection. Europe has had a data protection law covering its residents for more than twenty years.

But the past twenty years have seen lots of changes in technology and in the way data can help consumers, so the European Union has refreshed the former law – the Data Protection Directive – with a more robust law, the General Data Protection Regulation (GDPR). But what exactly does GDPR entail for consumers? Let’s take a look. 

What is GDPR?

The General Data Protection Regulation (GDPR) updates EU law to consider the internet, e-commerce, online advertising, and the increase in data driven marketing.  Many of the provisions of the prior law are restated in the GDPR, but now companies face tougher fines for non-compliance.  The new Regulation also requires companies to report breaches to their regulators and often to consumers, and allows people to ask what companies they work for and they do business with do with their data. Replacing the Data Protection Directive, GDPR is more of an evolution of existing rules rather than a revolution, but it brings in important changes and reduces the number of country-specific laws that will be allowed. These changes have been introduced due to the changing nature of the world we live, the volume and prevalence of data, and the value of personal data in an increasingly connected world.

Who Does It Affect?

With enforcement of the Regulation starting on May 25th, 2018, it’s important to know what this legislation specifically impacts. The scope of “personal data” is broad, ranging from online identifiers such as IP addresses to social identities in addition to the usual names and contact information (both personal and work in the EU), but basically GDPR will cover anything that can be traced back to you as a specific individual, aiming to better enforce the protection of personal data as a basic human right. It protects the data of EU residents– in fact, it is irrelevant where a company collecting data is based in the world as long as they have EU customers. GDPR places a requirement on companies to “implement appropriate technical and organizational” measures to ensure the security of the personal data.

The Regulation requires companies to look at how they collect and store consumer data, keep records of certain kinds of consent, and be transparent about how they use personal data.  The Regulation allows EU residents to ask companies questions about how their data was obtained, to opt out of marketing, and – in some cases – to ask that their data be deleted.

How to Prepare for It

With GDPR enforcement fast approaching, the most important thing both companies and European Union consumers can do is be educated and prepared. Companies have to review their practices and make sure they are complying with the Regulation. Consumers need to know their rights and how GDPR will enable them to ask questions about what happens to their personal data. They’ll likely see more “consent” requests attached to any data collection – and notices about data breaches.   But like any new law, the true meaning of the GDPR regarding consumer data may take years of court cases to truly unravel.

Stay on top of the latest consumer and security news by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post The GDPR Basics: What Consumers Need to Know appeared first on McAfee Blogs.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commission's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers, was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number Carphone Warehouse's security failures, which included the use of software that was six years out of day,  lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warephone should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by ICO, when it is granted vastly greater financial sanctions and powers when the GDPR kicks in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of a "when" not an "if". There also claims that the cyberattacks against the Ukraine in recent years was down to Russia testing and tuning it's nation-state cyberattacking capabilities. 

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPeyta ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, 
the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating a US children's privacy laws. The FTC alleged the toy company violated (COPPA) Children's Online Privacy Protection Rule by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January,  the Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents have doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both the professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.  

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

NEWS