Category Archives: Featured

Breached Mathway App Credentials Offered on Dark Web

Over 25 million user logins and passwords from a popular math app are being offered for sale on the dark web following a data breach.

Mathway, a popular app for iOS and Android devices, recently uncovered evidence of the breach after a hacking group announced it was selling Mathway user data on the dark web for roughly $4,000 in Bitcoin. 

ShinyGroup, a hacking group notorious for selling compromised data, announced that they had breached Mathway in January 2020. It is currently unknown if the salts and hashes used to encrypt the passwords can be deciphered, but if they are the value of the data to hackers would increase significantly.

“We recently discovered that certain Mathway customer account data–emails and hashed and salted passwords–was acquired by an unauthorized party.  Upon learning of this, we retained a leading data security firm to investigate, address any vulnerabilities and remediate the incident,” Mathway announced after discovering the breach.

Mathway users are urged to update their account passwords and monitor their accounts for suspicious activity.

The post Breached Mathway App Credentials Offered on Dark Web appeared first on Adam Levin.

Google’s New Ad Policy Overlooks A Bigger Threat

Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply. 

On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures and price gouging on hard to acquire products. The reality is less clearcut.

Where’s The Data?

The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media. 

While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative. 

There has been plenty of opportunity for Google put its vast stores of data to use in the identification of bad actors on its platforms with a greater level of sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. They already have everything they need to determine if someone is from the U.S. or Uzbekistan. 

Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Two, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.  

Ignoring the Realities of Business Identity Theft

it seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin. 

For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.

This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google. 

We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.

Security Theater

The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here. 

Google’s new policies seem like marketing more than security. While it’s likely to make customers and businesses that use its online advertising platform feel more safer, it could easily have the opposite effect. 

A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise. 

The post Google’s New Ad Policy Overlooks A Bigger Threat appeared first on Adam Levin.

International Fraud Ring Stealing Unemployment Funds

Several state governments have been targeted by a sophisticated fraud campaign that has likely siphoned millions of dollars in unemployment payments earmarked for the record number of Americans seeking benefits as a result of the pandemic, a new Secret Service memo warns.

According to an internal memo, a group of Nigeria-based criminals have been filing phony unemployment claims in multiple states using a personally identifying information (PII), specifically stolen or compromised Social Security numbers. The information being used was most likely procured through various forms of identity theft and/or known data breaches and compromises.

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” stated the memo

The fraud campaign comes in the wake of a massive increase in unemployment as a result of the Covid-19 pandemic. State unemployment offices are vulnerable to this kind of fraud as they scramble to get funds to Americans in need as quickly as possible.

The Secret Service has identified Washington as the primary target of the fraud campaign, but has seen “evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida,” according to the memo. 

The post International Fraud Ring Stealing Unemployment Funds appeared first on Adam Levin.

Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack

The hackers who attacked a major entertainment and media law firm have now doubled the sum they’re demanding, and have included a threat to reveal compromising data on President Donald Trump.

Grubman Shire Meiselas & Sacks represents high-profile clients including U2, Madonna, Lizzo, Drake, and Lady Gaga among many others. The firm was targeted with ransomware earlier this month, which led to the reported exfiltration of 756 gigabytes of data, including contracts and client correspondence. REvil, the hacking group claiming responsibility for the attack, initially demanded $21 million in ransom and released contracts relating to a recent Madonna tour as proof of their access to the firm’s data. They have since doubled their demand.

“The ransom is now $42,000,000,” the hackers announced in a statement on the dark web. “The next person we’ll be publishing is Donald Trump… Grubman, we will destroy your company down to the ground if we don’t see the money.”

Donald Trump is not a client of the firm, which raises questions as to what data, if any, they have access to.

Grubman Shire Meiselas & Sacks has refused to cooperate with the hackers’ demands.

“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the firm said in an announcement.

The post Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack appeared first on Adam Levin.

Magellan Health Ransomware Attack Exposes Customer Data

In the wake of an April ransomware attack, Fortune 500 healthcare company Magellan Health announced that a hacker exfiltrated customer data.

The ransomware attack was first detected by Magellan Health April 11, 2020, and was traced back to a phishing email that had been sent and opened five days earlier. Subsequent investigation revealed that customer data had been exfiltrated prior to the deployment of the ransomware.

“The exfiltrated records include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords,” stated the company in a letter sent to affected individuals.

This incident comes months after the company announced several of its subsidiaries had been targeted by phishing attacks that resulted in the compromise of the health information of more than 55,000 members.

 

The post Magellan Health Ransomware Attack Exposes Customer Data appeared first on Adam Levin.

The KonMari Method: Sparking Joy with a Tidy Security Closet

Japanese decluttering expert Marie Kondo has taken the world by storm with her book, “The Life-Changing Magic of Tidying Up”. The KonMari Method is a decluttering and organizing system that promises improvements in every aspect of your life. Marie Kondo meticulously goes through every item one by one to understand which items really “spark joy.” If something doesn’t spark joy, she recommends thanking it and letting it go.

It seems this underlying philosophy could be relevant to security. Think about this for a minute. Security organizations are grappling with anywhere from five to 50+ different security vendors. It is getting increasingly difficult to empower security teams to make decisions based on complete and actionable insights.

Imagine if we could “tidy up” security using the KonMari method.

Complexity is the worst enemy of security

Security expert Bruce Schneier summed it up best when he said, “Complexity is the worst enemy of security.”  Your teams are constantly undertaking ambitious projects to take the next exponential leap. And they have continued to onboard products from best-of-breed vendors to meet their evolving security needs. We have fallen into the trap of bolting on more and more security technologies. Over 30% of survey respondents in ESG’s 2020 Integrated Platform Report stated that their organization uses more than 50 different security products, while 60% said they use more than 25. This constant onboarding of new technology has led to a massive proliferation of siloed data sets and a lack of accountability from vendors. It is becoming increasingly difficult to enable a unified front-end experience for your team to collaborate effectively, which causes gaps in your security ecosystem. We’ve increased the level of complexity to the point where your teams are spending the majority of their time finding the needle in the haystack while the legitimate threats are left unattended. The siloed technologies fail to connect the dots and improve the fidelity of your alerts.

How does one deal with the increasing noise and the cacophony of alerts?

We need a new security paradigm; one that simplifies the way you secure your business so you can confidently pursue key initiatives such as digital transformation. The bottom line is that the simpler we can make our security platforms, the more secure you will be.

According to Marisa Chancellor, senior director of the Security & Trust Organization at Cisco, “If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.”

Isn’t it time to rewrite the rules?

At Cisco, we’ve are doing that with SecureX, an integrated platform approach that changes the way you experience your security environment. We believe that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it simpler and effective.

Taming the chaos

Coming back to the KonMari Method, your first step is to imagine your ideal security ecosystem. If you’re serious about tidying in a way that will change your team’s productivity, this step is critical. Visualize how your team members will collaborate with one another. Imagine how you could automate manual tasks. What will a day look like for your incident response teams? What role will analytics play in driving your decisions? These are the sorts of questions to consider before you tackle your cybersecurity tidying. Then, follow the guiding philosophy and evaluate your security choices to support your broader vision. Check out these practical recommendations from ESG analyst, Jon Oltsik, featured in the Cisco ESG Research Insights paper for CISOs:


  1. Commit yourself to tidying up :Assess current challenges across people, process, and technology. Leading platforms should go beyond technology alone, helping organizations increase staff productivity while streamlining operations. CISOs should look for current bottlenecks impacting areas like employee training, MTTD/MTTR, and process automation. This assessment should help produce a list of platform requirements beyond technology integration alone.
  1. Identify the players: Include IT and network operations in RFIs and product evaluations. Remember that security is a collective activity, dependent upon strong communications and collaboration between security and IT/network operations teams. Smart CISOs will work with IT peers to uncover current challenges and then seek solutions in RFIs, product evaluations, and testing/piloting that can be used effectively by both groups.
  1. Plan for the long term: Cybersecurity technology platforms will likely grow organically, integrating more product categories and capabilities over time. Therefore, platform research should go beyond what’s available today. CISOs should press vendors for a 24 to 36-month roadmap. Leading vendors should have comprehensive plans but also be willing to work with customers as new requirements arise. On the enterprise side, CISOs should create metrics so they can assess progress and create programs for continual improvement as they deploy cybersecurity technology platforms more broadly through phases.
  1. Ask your peers if it sparks joy: Reach out to the community. Note to CISOs: You are not alone—just about every other enterprise organization is going through a similar transition. CISOs should seek out guidance from other industry organizations of a similar size. In this way, organizations may be able to work together to press vendors on some industry-specific nuances that can be added to cybersecurity technology platforms over time.

                                                                                                                                                                                                                                                                                                                                                 Author: Jon Oltsik


Sparking joy with Cisco SecureX

Many of the aspects discussed above – such as automation, integration, collaboration, and a platform approach to security – are addressed by Cisco SecureX. Just as Marie Kondo advises individuals to evaluate every item and ask whether it sparks joy, organizations should reconsider their technology choices and ask whether they support an integrated, platform approach to security that will simplify and strengthen defenses. A security platform like Cisco SecureX ties together various technologies (including those from third parties) to unify visibility, enable automation, and strengthen security across network, endpoint, cloud, and applications. With Cisco SecureX, you can:

  • Reduce complexity and maximize portfolio benefits by adopting an integrated platform.
  • Create a foundation that allows you to meet the security needs of today and tomorrow.
  • Reveal the true potential of your tools and people by redefining your security experience through collaboration.

Let the tidying up conversations begin in your organization, and may your security stack soon resemble Marie Kondo’s perfectly organized linen closet. Consider products that fit into a platform that harmonizes your security architecture and brings you unparalleled joy. If that is not the case, thank the piece of technology for everything it’s given you, and politely say goodbye.

 

Learn more about Cisco SecureX and read the detailed ESG Research Insights Paper to find out why organizations should consider a more integrated cybersecurity approach.

 

 

The post The KonMari Method: Sparking Joy with a Tidy Security Closet appeared first on Cisco Blogs.

Celebrity Data Stolen in Major Data Breach

A major entertainment and media law firm experienced a massive data breach that may have compromised the data of many celebrities including Bruce Springsteen, Lady Gaga, Madonna, Nicki Minaj, Christina Aguilera, and others.

Grubman Shire Meiselas & Sacks, a New York-based law firm, was hit by a ransomware attack that compromised at least 756 gigabytes of client data, including contracts, non-disclosure agreements, contact information and personal correspondence. The hackers appear to have used REvil, or Sodinkobi, a ransomware strain behind several high-profile cyberattacks on targets including Kenneth Cole, Travelex, and Brooks International.

Whoever is behind the hack has threatened to publish the stolen data in nine installments unless the law firm pays an undisclosed ransom. They have since released documents belonging to Madonna and Christina Aguilera on the dark web to prove they have the goods and are willing to make them public.

Grubman Shire Meiselas & Sacks has yet to issue a statement on the breach. As of May 12, their website is still currently offline. 

The post Celebrity Data Stolen in Major Data Breach appeared first on Adam Levin.

Do Password Managers Make You More or Less Secure?

It’s World Password Day, and much like every other day of the year, the state of password security is terrible. 

Despite repeated warnings from security experts and IT departments, “123456” is still the most common password for the last seven years, narrowly edging out “password.”

The problem isn’t limited to easily guessed passwords: a recent study of remote workers found that 42 percent of employees physically write passwords down, 34 percent digitally capture them on their smartphones, and at least 20 percent admit to using the same password across multiple work accounts. 

Enter the password manager: an application or service that consolidates the credentials for all a user’s accounts. If you stop reading here: Password managers are not failsafe. 

While password managers provide a convenience to users, they are hackable. So while it provides a convenient place to store your long and complex passwords, the whole collection of access data is protected by a single, hackable password. 

If you’re in the habit of using the same or similar passwords across your universe of accounts, a password manager with a very strong password offers more security.

The issue with password managers from a security point of view is that they trade one of the biggest threats to account security–credential stuffing through the re-use of leaked or hacked passwords, for a potentially more serious one: The skeleton key for all of your accounts. Because password managers offer a one-for-all proposition, they make an appealing target for hackers who wouldn’t otherwise try to crack a unique password.

Additionally, password managers are not immune to the security issues that plague any other online service. A number of well-known password managers have either been breached or found to have severe vulnerabilities. 

Take away: While password managers add a layer of protection for online accounts, they’re not a silver bullet, and have the potential to open the door to even greater online threats. Regardless of the method to keep track of passwords, any account should also be protected with other measures such as multi-factor authentication, up-to-date security software, and a close eye on account activity.

 

The post Do Password Managers Make You More or Less Secure? appeared first on Adam Levin.

Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server

Users on an adult streaming platform may have experienced the wrong kind of exposure when over seven terabytes of data was found on an unprotected database online. The damage done could include the dissemination of amateur pornographic user images. 

CAM4, a video streaming service primarily for adult amateur webcam content, reportedly left more than 11 million user records online on an unprotected Elasticsearch server. The error was unintentional. The data was discovered by researchers at Safety Detectives, a security review website.

Leaked customer data potentially included, but was not limited to, names, email addresses, countries of origin, gender preferences, sexual orientation, user names, credit card types, user conversations, payment logs, email correspondence transcripts, token information, password hashes, IP addresses.

“The fact that a large amount of email content came from popular domains…that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example,” wrote Safety Detectives in a blog describing their findings.

The post Indecent Exposure: 7TB of Adult Streaming User Data Unsecured on Server appeared first on Adam Levin.

68% of Pharma Executives Have Had Credentials Breached Online

The online credentials for 68% of pharmaceutical executives analyzed for a study have been compromised recently.

The study, conducted by cybersecurity firm Blackcloak, found that the email accounts of over two-thirds of pharmaceutical executives had been compromised within the last five to ten years. Of the compromised emails, 57% were found on the dark web and had been either cracked or stored in plaintext format.

While the primary source (85%) of the email account information was a 2015 data breach of the professional social network LinkedIn, Blackcloak CEO Dr. Chris Pierson assigns much of the blame to weaker cybersecurity via personal devices and accounts belonging to executives, referring to it as “the path of least resistance” for hackers.

“Hackers and cybercriminals spot the opportunity to effortlessly gain access and control over the executives’ home network, enabling them to migrate into the company network from that point. Every day the executive brings their company home, where the security controls are nonexistent and weak ‒ so every night, their corporate networks and company are at risk for a cyberattack,” wrote Pierson.

C-suite executives have been a frequent target for hackers and scammers, but Pierson identified some vulnerabilities specific to the pharmaceutical industry.

“In the pharmaceutical world, executives appeared to move from job to job across a tier of companies and with this they brought their old passwords with them and showed consistent use over a period of sometimes 15 years of same and/or similar passwords,” wrote Pierson.

 

The post 68% of Pharma Executives Have Had Credentials Breached Online appeared first on Adam Levin.

Ghost Blogging Platform Hacked To Mine Cryptocurrency

Hackers successfully breached the servers of a popular blogging platform and used them to mine cryptocurrency.

Ghost, a Singapore-based blogging platform with 2,000,000 installations and 750,000 active users, announced that hackers had breached their systems. 

“The mining attempt… quickly overloaded most of our systems which alerted us to the issue immediately,” the company announced May 3, adding that “[t]here is no direct evidence that private customer data, passwords or other information has been compromised. 

The hackers compromised Ghost’s servers by exploiting two major vulnerabilities in SaltStack, a network automation tool typically used by IT support and system administrators. Ghost is just one of several companies and organizations that have been compromised since the vulnerabilities were disclosed, including LineageOS, an Android-based operating system, and Digicert, a security certificate authority. 

As of May 4, Ghost announced that it had successfully purged the cryptocurrency mining malware from its systems. The company also stated that they would be notifying their customers, which include NASA, Mozilla, and DuckDuckGo.

 

The post Ghost Blogging Platform Hacked To Mine Cryptocurrency appeared first on Adam Levin.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between an increase in phishing campaigns in areas where testing for Covid-19 has become available.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patient’s experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”

Read the full report here.

The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

What E-Commerce Sites Can Learn from the Covid-19 Pandemic

For the last few years, cybersecurity experts have been sounding the alarm on something called e-skimming. In this kind of attack, hackers intercept payment card data and personal information from e-commerce sites by exploiting the architectural complexity of those e-commerce sites. 

While there have been several major breaches that were the result of e-skimming, including Macy’s and British Airways, the bulk of these hacking campaigns have been attributed to an individual or a group of hackers called Magecart. S/he or they usually target the Magento platform, often by injecting rogue code into outdated plugins and extensions for websites.

Magento isn’t the Covid moment here. E-skimming is. 

Enter WooCommerce 

Security researchers discovered what could be a game changer in e-skimming attacks earlier this month, one that exponentially expands our collective attackable surface.

Magento has about a 12% market share and represents less than 1% of the entire assemblage of code that comprises the Internet. 

The discovery I mentioned is that a new e-skimming hack has been targeting WooCommerce, which is a far more ubiquitous online shopping plugin used in 26% of all e-commerce sites. WooCommerce is native to and powered by WordPress, a platform that represents over 35% of websites currently online. It would be hard to find a larger attackable surface on the Internet.

The threat posed by a hack targeting WooCommerce isn’t bad only because of the technology’s ubiquity. The issue has to do with who uses it. The quick answer is: Anyone. Contrast that with Magento, which is designed for enterprise-level sites that have detailed inventory needs and other layers of complexity. Magento requires installation, development, and maintenance by trained web professionals certified by the company to understand its many nuances. 

WooCommerce, on the other hand, is easy to use and install; a user with little to no experience building websites—and even less knowledge of cybersecurity best practices—can use it to get an e-commerce site up and running with ease. 

This would be a bad situation in normal times, but with the Covid-19 pandemic making many businesses more reliant on e-commerce and virtual transactions, the potential for an increase in poorly secured websites built on the fly is a matter for concern. 

That said, the bigger issue may be the nature of the hack itself. While e-skimming attacks have usually involved the compromise of vulnerable third-party software, e-skimming injects malicious code into the core source code of WooCommerce which makes it much harder to detect–particularly for non-expert site builders.

“With credit card swipers it’s common for attackers to simply include/append malicious javascript from a third-party website,” said Sucuri researcher Ben Martin, who first wrote about the attack. “The fact that the malware lodged itself within an already existing and legitimate file makes it a bit harder to detect.”

There are parallels with the early days of the Covid-19 pandemic. A relatively familiar threat has surfaced in a more dangerous form that is harder to detect and has the potential to impact a significantly larger number of victims. 

Like Covid-19 in January, the current WooCommerce hack is a nascent threat, but unlike the virus, you can prepare for the threat and mitigate the potential damage. 

A good place to start is for businesses and consumers to use a system I call the 3 Ms:

Minimize the Threat: Businesses doing e-commerce need to keep their website and security software up-to-date. Those companies that have the technical know-how should run regular scans for the presence of rogue code on their websites. If they don’t have that resource in house, they would be well advised to hire a cybersecurity expert to do it for them. Most important is to practice good data hygiene, especially when relying on a remote workforce. A single login and password hooked by a phishing email could provide hackers with the necessary credentials to compromise a website, as well as its customer and payment data. 

When making payments online, consumers should use credit cards instead of debit/bank cards, which can provide hackers a direct conduit to their bank accounts.

Monitor Accounts: Keep track of your bank and credit card accounts to know as quickly as possible when something isn’t right. The most effective way to do this is to sign up for transaction monitoring—offered for free by banks, credit unions and credit card companies— which notifies you of any activity in your credit or bank accounts.

Manage the Damage: If a business falls prey to an e-skimming campaign, it’s crucial to act as quickly as possible to alert the authorities, notify consumers and identify the source of the hack. Customers affected by an e-skimming breach should immediately contact their payment card companies, request new cards, and lock down any potentially impacted accounts.

Malware and viruses are opportunistic. With more businesses relying on e-commerce to make up for shuttered physical storefronts, newly remote workers struggling to secure their home offices from cyberthreats, and more customers using e-tailers for their day-to-day shopping, the circumstances are ideal for a new strain of malware to spread. 

The post What E-Commerce Sites Can Learn from the Covid-19 Pandemic appeared first on Adam Levin.

Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security

If you’re among the many looking for a new video conferencing tool after adding “zoombombing” to your vocabulary, you’re in luck. While a one-size-fits-all solution doesn’t exist, there are many other options with proven security features. Here’s a roundup of some of Zoom’s competitors and their privacy and security features.

Webex

The Webex video conference platform has been around since 1995 and is a favorite of the privacy-conscious health care, information technology, and financial services industries. This is partially due to the fact that all three industries commonly relied on virtual meetings well before the Covid-19 pandemic, but mostly because Webex has a reputation for maintaining robust cybersecurity. Cisco, its parent company, is an industry leader in network hardware, software, and security products.

Webex offers end-to-end encryption. Using it, however, limits popular video options, including remote computer sharing and personal meeting rooms. Worth noting: Webex and Cisco products have had security issues in the past.

Microsoft Teams

Like Zoom, Microsoft Teams experienced an uptick in the recent crisis, in part due to its integration with the company’s flagship Office365 cloud and productivity services. Microsoft says that Teams are encrypted “in transit and at rest,” but details about support for end-to-end encryption are vague.

Like Webex, one advantage of Teams is that its parent company is a major provider of networking, software, and cybersecurity services. Microsoft has an internal rating system for the security of its products, and has designated Teams to be Tier-D compliant, which means that it can adhere to the strictest government and industry security standards and legal requirements.

Neither Microsoft nor Teams are immune to security vulnerabilities, but as a company, Microsoft’s bandwidth to address them when they occur is probably unparalleled. Microsoft also has a more transparent privacy policy and a better track record when it comes to protecting user and customer data than many of its competitors, including Zoom.

Google Hangouts/Google Duo

Google offers Hangouts and Duo as its two primary video meeting platforms–both offer “free” and paid versions bundled in with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it has a limit of 25 attendees per video conference. Other considerations include a long history of security and privacy concerns and the fact that Google Hangouts don’t offer end-to-end encryption.

Duo is end-to-end encrypted, and can support video meetings with up to 12 attendees.

Like Cisco and Microsoft, Google has more resources dedicated to cybersecurity, but the company has a lengthy track record of mining user data, especially for “free” services. The company is also notorious for quickly and unceremoniously dropping support for many of its projects, and has done so with several previous video conferencing and meeting apps.

Is Zoom Worth Sticking With?

It depends on your business needs. Zoom’s rapid increase in popularity in an already crowded market is a testament to its many qualities, features, and ease of use.

The company has made some misleading claims about user privacy and data, and the recent discovery of multiple serious security vulnerabilities will test the company’s ability to support and sustain its user base.

A good sign is that Zoom announced a 90-day freeze on any new features so it can focus on security and privacy issues. This move could help the platform and the company to continue the meteoric rise in the number of people using the service.

For industries with stringent data privacy and security requirements, platforms like Webex or Microsoft Teams may be a better fit, but every company, platform, and technology has its own set of drawbacks and vulnerabilities. The main takeaway is that every company, regardless of size, needs to have a solid understanding of what its own internal security needs are in order to make an informed decision.

The post Rethinking Zoom? How WebEx, Teams, and Google Meet and Duo Compare on Privacy and Security appeared first on Adam Levin.

7 Steps to Building a Cybersecurity Strategy from Scratch

When your organization is young and growing, you may find yourself overwhelmed with a never-ending to-do list.  It can be easy to overlook security when you’re hiring new employees, finding infrastructure, and adopting policies.  Without a proper cybersecurity strategy, however, the business that you’ve put your heart and soul into, or the brilliant idea that you’ve spent years bringing to life, are on the line. Every year, businesses face significant financial, brand, and reputational damage resulting from a data breach, and many small businesses don’t ever recover.

Not only that, but as you grow you may be looking to gain investors or strategic partners.  Many of these firms are not willing to give organizations that don’t take security seriously a chance. A strong security stance can be your differentiator among your customers and within the Venture Capital landscape.

One thing’s for sure: you’ve spent a great deal of time creating a business of your own, so why throw it all away by neglecting your security?  You can begin building your own cybersecurity strategy by following these steps:

1.  Start by identifying your greatest business needs.

This understanding is critical when determining how your vulnerabilities could affect your organization.  Possible business needs could include manufacturing, developing software, or gaining new customers. Make a list of your most important business priorities.

2.  Conduct a third-party security assessment to identify and remediate the greatest vulnerabilities to your business needs.

 The assessment should evaluate your organization’s overall security posture, as well as the security of your partners and contractors.

Once you understand the greatest risks to your business needs, you can prioritize your efforts and budget based on ways to remediate these.

3.  Engage a Network Specialist to set-up a secure network or review your existing network.

A properly designed and configured network can help prevent unwanted users from getting into your environment and is a bare necessity when protecting your sensitive data.

Don’t have a set office space?  If you and your team are working from home or communal office spaces, be sure to never conduct sensitive business on a shared network.

4.  Implement onboarding (and offboarding) policies to combat insider threat, including a third-party vendor risk management assessment.

 Your team is your first line of defense, but as you grow, managing the risk of bringing on more employees can be challenging.  Whether attempting to maliciously steal data or clicking a bad link unknowingly, employees pose great threats to organizations.

As part of your onboarding policy, be sure to conduct thorough background checks and monitor users’ access privileges.  This goes for your employees, as well as any third parties and contractors you bring on.

5.  Implement a security awareness training program and take steps to make security awareness part of your company culture.

Make sure your training program includes topics such as password best practices, phishing identification and secure travel training.  Keep in mind, though, that company-wide security awareness should be more than once-a-year training.  Instead, focus on fostering a culture of cybersecurity awareness.

6.  Set-up multi-factor authentication and anti-phishing measures.

Technology should simplify your security initiatives, not complicate them.  Reduce the number of administrative notifications to only what is necessary and consider improvements that don’t necessarily require memorizing more passwords, such as password managers and multi-factor authentication for access to business-critical data.

7.  Monitor your data and endpoints continuously with a Managed Security Services Provider.

As you grow, so does the amount of endpoints you have to manage and data you have to protect. One of the best ways to truly ensure this data is protected is to have analysts monitoring your data at all hours. A managed security services provider will monitor your data through a 24/7 security operations center, keeping eyes out for any suspicious activity such as: phishing emails, malicious sites, and any unusual network activity.

You’re not done yet: revisit your security strategy as you evolve.  

It’s important to remember that effective cybersecurity strategies vary among organizations. As you grow, you’ll want to consider performing regular penetration testing and implementing an Incident Response Plan.  

And, as your business changes, you must continually reassess your security strategy and threat landscape.

For more information, get the Comprehensive Guide to Building a Cybersecurity Strategy from Scratch.

The post 7 Steps to Building a Cybersecurity Strategy from Scratch appeared first on GRA Quantum.