Tumgik
annadianecass · 6 years
Video
My Local Marketing Vault Review from Anna Cass on Vimeo.
If you have been doing marketing the same way since 2010, then you need to adapt. The old ways of doing things are changing and have been changing; that does not mean they are wrong, it just means it is time to start looking at things differently and leveraging other approaches to generating traffic. The Local Marketing Vault is the ideal place to start! More info here: whackahost.com/review-local-marketing-vault/
CISO Chat – Alvaro Hoyos, Chief Information Security Officer at OneLogin
Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? Put simply, they are the guardians and protectors of everything information-security related in a business. The tasks are far from simple, however, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and on being prepared for an eventual attack.
To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, including advice, guidance and problems faced. We will leave the favourite food and hobby questions for another time.
The next instalment of CISO Chat is with OneLogin’s CISO, Alvaro Hoyos, who has highlighted a few threats to look out for in 2018:
As a CISO, what is your objective?
Simply put, my objective is to safeguard the confidentiality, integrity, and availability of data. However, how I go about achieving that objective is a much more complex answer.
What is the goal of information security within your organization?
The goal of information security within OneLogin echoes my own mission of safeguarding the confidentiality, integrity, and availability of OneLogin. To expand on that, this includes safeguarding OneLogin customer data from compromise, misuse, loss, or damage, and just as importantly, in line with legal and regulatory requirements. By doing so, we aim to build and maintain customer trust.
What is more important for cybersecurity professionals to focus on, threats or vulnerabilities?
Vulnerability management, as a process, focuses on discovering and addressing existing vulnerabilities in addition to potential threats. Cybersecurity professionals simply can’t focus on one and ignore the other. Countless security incidents in the last few years have demonstrated that neither of these areas can be ignored.
What do you see being the biggest threats for 2018?
The biggest threats I see for 2018 are:
AI – AI is poised to be the biggest innovation for mankind, however with ‘great power comes great responsibility’. Businesses of all sizes and sectors have the ability to greatly benefit from the use of AI to improve business processes and alleviate employees from mundane, time-consuming admin tasks, freeing up time for high-ticket items that can free up margin or areas of untapped profit. However, in the wrong hands, AI can also be used as a tool by cybercriminals to target vulnerable businesses on a widespread scale.
GDPR – In a rush to ensure compliance ahead of the European General Data Protection Regulation, businesses need to be careful not to shift their attention away from cyber security practices in general.
APIs – Threat vectors and surfaces have skyrocketed in the past few years, mostly down to open application programming interfaces, also known as APIs. Web-based APIs are by nature constantly accessed by a high volume of devices, from desktops, mobile devices, tablets and smart TVs to more connected appliances than you can even imagine with the advent of the Internet of Things (IoT). With more interfaces come more points of entry for cybercriminals to manipulate and more data for them to get their hands on.
How do you believe we can improve the cyber skills gap? What advice would you give to anyone wanting to go into the cybersecurity industry?
The cyber-skills gap, in the short term, can only be addressed by providing training opportunities to existing personnel. Interest in cybersecurity is at an all-time high; not just for those entering or about to enter the workforce, but also for professionals across a wide variety of sectors. In the long term, the growth of cybersecurity programs in curriculums for children and young adults of all ages will help resolve the issue, but it will take some time for us to see a return on investment at a business level. The number one piece of advice I would give to those starting out in the industry is to focus on an area of security you truly feel passionate about. Cybersecurity is a demanding and ever-evolving field, and if you are only in it for a paycheck, you will be quickly burned out by the demanding nature.
Today, IoT and AI have become a real big focus for organisations, with almost every device, toy and appliance created having this technology built in. Worryingly, security seems to be an afterthought. Why is this the case and how can this be changed?
Home appliance manufacturers are working at lightning-fast speed to get the latest product to market, and the reality is that cybersecurity is the last thing they think about in the rush against competitors. Eventually, consumers will be the ones who have to pay the ultimate price when a hacker finds an ‘open back door’ into the consumer home through an unsecured device. To tackle this issue head on, there needs to be a change of attitude across the manufacturing sector that makes cybersecurity part of the conversation from the very moment an idea for the latest connected product is conceived.
With GDPR less than five months away, how prepared is your organisation? What is your biggest worry or concern regarding the regulation?
We are actively working on the various angles of compliance we need to address. As a global company with global customers, we are both a data controller and a data processor, which means we need to make sure we are addressing all applicable angles. Unfortunately, like any new regulation, there are always grey areas which tend not to resolve until enforcement begins. This means that once fines start being assessed, interpretations of the framework will start crystallising more than they are now.
What’s your worst security nightmare? What would be your plan to prevent and mitigate it?
How often do you have to report to the boardroom level? In light of the major attacks in 2017, have they become more responsive and shown a better understanding for the work you and your team do?
Social media is everywhere. So how much of it is a security issue in the workplace? Have you had to run training exercise plans for employees within your organisation?
Social media is a security risk companies can no longer ignore, especially when companies have been founded just to deal with the risk social media poses. For us, social media, even more than a security risk, is a brand risk. As a security service provider, we cannot afford to have a social media account hijacked. There is the risk that it could be used for a social engineering attack, but we typically do not use these accounts for operational purposes, so the risk is lower.
What would be your no.1 piece of cyber security advice as we begin 2018?
Don’t plan on throwing more security tools and technology at the problem; plan on maximizing current tools and fine-tuning processes and controls.
Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.
The post CISO Chat – Alvaro Hoyos, Chief Information Security Officer at OneLogin appeared first on IT SECURITY GURU.
46 Percent of Organizations Fail to Change Security Strategy After a Cyber Attack
According to the CyberArk Global Advanced Threat Landscape Report 2018, nearly half (46 percent) of IT security professionals rarely change their security strategy substantially – even after experiencing a cyber attack. This level of cyber security inertia and failure to learn from past incidents puts sensitive data, infrastructure and assets at risk.
Security Starts with Protecting Privileged Accounts
An overwhelming number of IT security professionals believe securing an environment starts with protecting privileged accounts – 89 percent stated that IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured.
Respondents named the greatest cyber security threats they currently face, including:
Targeted phishing attacks (56 percent)
Insider threats (51 percent)
Ransomware or malware (48 percent)
Unsecured privileged accounts (42 percent)
Unsecured data stored in the cloud (41 percent)
IT security respondents also indicated that the proportion of users who have local administrative privileges on their endpoint devices increased from 62 percent in our 2016 survey to 87 percent in 2018—a 25 percent jump and perhaps indicative of employee demands for flexibility trumping security best practices.
The Inertia that Could Lead to Data Compromise
The survey findings suggest that security inertia has infiltrated many organizations, with an inability to repel or contain cyber threats – and the risks that this might result in – supported by other findings:
46 percent say their organization can’t prevent attackers from breaking into internal networks each time it is attempted
36 percent report that administrative credentials were stored in Word or Excel documents on company PCs
Half (50 percent) admit that their customers’ privacy or PII (personally identifiable information) could be at risk because their data is not secured beyond the legally-required basics
Inertia and a ‘Hands-Off’ Approach to Securing Credentials and Data in the Cloud Create Cyber Risk
The automated processes inherent in cloud and DevOps mean privileged accounts, credentials and secrets are being created at a prolific rate. If compromised, these can give attackers a crucial jumping-off point to achieve lateral access to sensitive data across networks, data and applications or to use cloud infrastructure for illicit crypto mining activities. Organizations increasingly recognize this security risk, but still have a relaxed approach toward cloud security. The survey found that:
Nearly half (49 percent) of organizations have no privileged account security strategy for the cloud
More than two-thirds (68 percent) defer on cloud security to their vendor, relying on built-in security capabilities
38 percent stated their cloud provider doesn’t deliver adequate protection
Changing the Security Culture
Overcoming cyber security inertia necessitates it becoming central to organizational strategy and behavior, not something that is dictated by competing commercial needs. According to the survey:
86 percent of IT security professionals feel security should be a regular board-level discussion topic
44 percent said they recognize or reward employees who help prevent an IT security breach, increasing to nearly three quarters (74 percent) in the U.S.
Just 8 percent of companies continuously perform Red Team exercises to uncover critical vulnerabilities and identify effective responses
“Attackers continue to evolve their tactics, but organizations are faced with cyber security inertia that is tipping the scales in favor of the attacker,” said Adam Bosnian, executive vice president, global business development, CyberArk. “There needs to be a greater urgency in building cyber security resilience to today’s attacks. This starts by understanding the expanding privileged account security attack surface and how it puts an organization at risk. Successfully battling inertia requires strong leadership, accountability, clearly defined and communicated security strategies, and the ability to adopt a ‘think like an attacker’ mindset.”
The post 46 Percent of Organizations Fail to Change Security Strategy After a Cyber Attack appeared first on IT SECURITY GURU.
UK’s Top PLCs at Risk of Breaching GDPR Guidelines with Three Months to D-Day
Digital threat leader RiskIQ has discovered that one third of web pages belonging to 30 companies within the Financial Times Index are collecting personal data without adequate security measures, potentially breaching GDPR guidelines.
RiskIQ’s research found 120,072 live websites belonging to the companies and 18,457 pages across those sites that collect personal data. 35 per cent of these pages were found to be collecting data insecurely. The research suggests that with an average of 615 login and data collection forms spread across an average of 4002 web sites per organisation, businesses are struggling to gain a complete view of their security and compliance postures ahead of the GDPR deadline.
With a chronic skills shortage and cyber threats at an all-time high, the findings highlight one of the key challenges businesses face in the protection of Personally Identifiable Information (PII) as required by GDPR. A recent survey by RiskIQ identified data breach as a top fear cyber security leaders face in 2018, yet 67 per cent don’t have sufficient staff to handle the daily barrage of cyber alerts they receive.
Fabian Libeau, VP EMEA at RiskIQ, explains: “Companies that haven’t already implemented encryption for all collection and transmission of personal information will have missed the boat in order to comply with the fast approaching regulation.”
“Now more than ever companies need to be aware of their digital footprint. With the ever expanding volume of PII it’s crucial companies ensure they are tracking all of their digital assets and consistently monitoring for potential breaches and gaps in their security.”
The post UK’s Top PLCs at Risk of Breaching GDPR Guidelines with Three Months to D-Day appeared first on IT SECURITY GURU.
Elizabeth Denham, Information Commissioner, tops the 2018 DataIQ 100
Now in its fifth consecutive year, the DataIQ 100 has been revealed once again to highlight the UK’s key industry leaders who drive business success from the intelligent use of data.
The Information Commissioner, Elizabeth Denham, secured this year’s number one position and celebrated the success of the organisations which recognise the need to champion best practice in data-driven business, at the launch of the 2018 power list on February 28th in Central London.
Denham comments: “DataIQ provides an important forum for data professionals to share best practice and learning – essential in such a fast paced and changing environment.
“Leaders and practitioners in this space – everyone in data and analytics – should learn from data, and augment their services through data intelligence, but also ensure that they don’t lose sight of their brand and the essence of their service.
“Data is a powerful tool; when used ethically and responsibly it can be used to empower and enrich all our lives. It is incumbent on all of us as data professionals to earn the trust and confidence of the public in how their personal data is used, so that everyone benefits in a data driven world.
“The General Data Protection Regulation (GDPR) is a game changer and a powerful incentive for businesses to embrace good data protection practice. I am encouraged by the many organisations that see the data opportunities the law presents, rather than the barriers it throws up.
“My role allows me to engage with progressive companies and public bodies looking to adopt privacy by design solutions. I am struck by entrepreneurial development of products which minimise the amount of personal data processed, and which maximise the control people have over their data.
“As the head of the agency charged with protecting UK citizens’ information rights, I am honoured to work with 500 staff dedicated to innovative regulation and excellent public service.”
The top ten professionals in the 2018 DataIQ 100 are:
Elizabeth Denham, Information Commissioner
Gillian Tomlinson, CDO, RSA
Andrew Day, CDO, Sainsbury’s
Jon Hussey, Managing Director, Data and Strategic Analytics, Barclays
Michael Greene, Group Data and Analytics Director, Tesco
Paul Lodge, CDO, Department for Work and Pensions
Lauren Sager Weinstein, CDO, Transport for London
Orlando Machado, Global Director of Customer Analytics and Data Science, Aviva
Martin Squires, Global Lead, Customer Intelligence and Data, Walgreens Boots Alliance
Katia Walsh, Chief Global Data and Analytics Officer, Vodafone
DataIQ compiles the list using a set of objective criteria including recognising those with the greatest regulatory powers, industry contribution and influence, data privacy best practice, and innovation in digital and mobile. Extra ‘points’ were awarded to those with a high public profile.
David Reed, Director of Strategy, DataIQ comments, “Choosing the candidates for the DataIQ 100 2018 edition was a unique opportunity to understand how far data and analytics practitioners have come since our first list five years ago.
With 475 nominations, it was the most diverse set of candidates that we have ever considered and the final line-up is our strongest yet. It also reveals that 2017 was a breakthrough year for individuals, even more than it was for the industry as a whole. This is because they are finally benefitting from the status, resources and rewards that have long been merited, but not always realised. We have 27 chief data officers represented among our Data Titans – the end-users whose investment into data and analytics is bringing about such profound changes to the economy, society and business.
Appointing a CDO is a sure sign of a fast-maturing practice and a necessary step to formalise all the individual processes that are required to be data-driven, from leadership to deep data diving, customer insight to business intelligence. Alongside them stands a spectrum of senior professionals whose diversity of titles speaks of the ongoing need for standardisation, not least to make clear the career paths in the industry. We need to maintain and build the flow of talent if this list, five years from now, is to continue to represent the brightest and best.
When asked why they chose data, the most common answer our candidates gave was, “data chose me.” We are glad it did and that they responded to its call because it means that, based on the incredible performance and depth of commitment they have shown, we have been able to choose them, too.”
Lindsay McEwan, Vice President and Managing Director, EMEA of Tealium, the headline partner of the 2018 DataIQ 100, added: “In an age where data has become the driver of change, Tealium is proud to sponsor the DataIQ 100, recognising the leaders carrying the industry forward.
With the imminent implementation of the GDPR, businesses are being forced to focus on data governance. At Tealium, we strongly advocate data transparency and encourage businesses to adopt a similar mindset.
Through building consumer trust, gathering data from all entry points, and bridging data silos into a centralised hub, we can obtain a 360-degree customer view; companies will then be best-placed to provide engaging, personalised, and real-time experiences.”
You can view the full list and detailed profiles of the 2017 DataIQ 100 at http://www.dataiq.co.uk/dataiq100
The post Elizabeth Denham, Information Commissioner, tops the 2018 DataIQ 100 appeared first on IT SECURITY GURU.
Are Your Employees Putting Your Organisation at Risk?
By Ronald Sens, EMEA Director for A10 Networks
We’ve just undertaken some new research which shows that UK employees are unwittingly putting their organisation at risk through their use of unapproved apps. The problems associated with ‘Shadow IT’, where employees download apps or use services without the consent of the IT department, have escalated in line with cloud adoption and the use of personal smart devices in the workplace.
Even though the use of unsanctioned apps can be a real security headache for IT – the apps can act as gateways to the network for cybercriminals looking to gain access to an organisation’s valuable data – there seems to be no stopping employees’ actions.
The research, the Application Intelligence Report, which was conducted across ten territories, shows that the UK has the highest percentage of employees (41 percent) who use apps without permission from IT, or without knowing whether those apps have been approved for use at work.
Of those who use non-sanctioned apps, more than half (57 percent) use the excuse that “everybody does it” – more than any other European country questioned in the report.
Other respondents say their IT department doesn’t have the right to tell them what apps they can and can’t use, while some claim that their company’s IT department doesn’t give them access to the apps they need to do their jobs.
The research highlights a notable lack of understanding among UK employees as to the potential damage they are inflicting on their organisations’ security. In fact, many companies still don’t realise the risks that come with this growing reliance on disparate and app-dependent workforces.
In the UK, 54 percent of respondents have experienced at least one data breach, 41 percent have experienced a DDoS (Distributed Denial of Service) attack, and 30 percent have fallen victim to ransomware attacks – both higher than the global averages.
As the high-profile data breaches have shown over the past 12 months, all it takes is one DDoS attack to damage an organisation’s brand, its reputation with customers, and its revenue stream.
There is also the issue of app security, and who is ultimately responsible for protecting the personal information and identity of employees who use approved business apps at work? The application developers, the IT department or the end users themselves?
Globally, only a fifth of IT decision-makers think employees take accountability for protecting their personal information and identity. When it comes to using personal apps at work, 44 percent of IT professionals assume employees take responsibility for securing their own personal information.
A third of respondents say the security team is most responsible for protecting employees’ identity, followed by the CIO or VP, and then the IT department.
Drilling down into individual countries’ attitudes, most German IT heads believe the CIO or VP (46 percent) is ultimately responsible for securing employee identity and personal information, while those from Brazil (32 percent) most often place responsibility on all IT practitioners, regardless of the team.
Brazilian, Indian, Chinese, and US IT chiefs believe that employees place a greater amount of responsibility on the vendor or developer of the applications.
So how does the UK compare to other countries? Interestingly, while most firms globally think IT leaders should be held accountable, the UK’s IT leaders point the finger at service providers (36 percent), more so than the company or app developer.
When it comes to app password security, UK IT chiefs have more faith in their employees than some of their counterparts around the world – 23 percent think employees “always” change their passwords, and 56 percent say they “sometimes” do so. China and Japan ranked lowest for how regularly employees change their passwords.
Across the board, more than half of IT decision-makers are agreed that mobile business app usage will increase in the next fiscal year. By 2020, most UK IT pros (84 percent) believe that mobile business apps will be used more than those on a laptop or a PC, almost in line with the global figure of 88 percent.
The good news is that 20 percent of UK IT departments say they are looking to grow their security budgets to combat the explosion of threats. The slightly less good news is that the UK ranks joint bottom with Japan for companies that expect to grow their security budget by 10 percent or more, at 14 percent, less than the global average of 27 percent.
Globally, security is the top discipline for which IT teams are hiring, followed by applications teams. More than a third (36 percent) of IT decision-makers believe the security team is the highest hiring priority – again with the UK unfortunately ranking lowest worldwide at only 20 percent.
Awareness and education must be a priority. Factoring in employee behaviour, IT professionals should focus on building enterprise-wide security awareness and education programmes and implement strong security and access policies to prevent bad behaviour, and in particular, rogue app usage.
The post Are Your Employees Putting Your Organisation at Risk? appeared first on IT SECURITY GURU.
Germany said its government computers secure after ‘isolated’ hack
Germany said on Wednesday hackers had breached its government computer network with an isolated attack that had been brought under control and which security officials were investigating. A spokesman for the German Interior Ministry said the affected government agencies had taken appropriate measures to investigate the incident and protect data. “The attack was isolated and brought under control within the federal administration,” which oversees government computer networks, he said in a statement, adding that the authorities were addressing the incident “with high priority and significant resources”. The spokesman said he could give no further details immediately due to security and analysis measures that were still under way.
ORIGINAL SOURCE: Reuters
The post Germany said its government computers secure after ‘isolated’ hack appeared first on IT SECURITY GURU.
Major data breach at Marine Forces Reserve impacts thousands
The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve. Roughly 21,426 people were impacted when an unencrypted email with an attachment containing personal confidential information was sent to the wrong email distribution list Monday morning. The compromised attachment included highly sensitive data such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information, Maj. Andrew Aranda, spokesman for Marine Forces Reserve said in a command release.
ORIGINAL SOURCE: Marine Corps Times
The post Major data breach at Marine Forces Reserve impacts thousands appeared first on IT SECURITY GURU.
Sexually explicit data breaches at Malahide library
The library records of 20 people in Dublin were edited to include “entries of a highly inappropriate, sexually explicit nature” last year, according to an audit by the data protection commissioner (DPC). Details of the data breach were included in the watchdog’s annual report which also warned Tusla, the child and family agency, of its poor record-keeping after the Maurice McCabe scandal. The report details audits of the Irish Prison Service, Virgin Media, Three, BT Ireland and others. At its publication yesterday, Helen Dixon, the commissioner, said that her organisation’s caseload had continued to increase in 2017 as it received 2,642 complaints and concluded 2,594.
ORIGINAL SOURCE: The Times
The post Sexually explicit data breaches at Malahide library appeared first on IT SECURITY GURU.
Aldi says some stores hit by data breach
Aldi said Wednesday a recent data breach in which two men reportedly installed bank card skimmers at two Montgomery County stores did not affect shoppers at any of its five Lehigh Valley stores. The Illinois-based supermarket chain said in a news release that it notified customers who shopped between approximately Jan. 16 and Jan. 30 at stores in Pottstown and Limerick about the possible breach of their financial information. The Philadelphia Inquirer reported that police were seeking two men who installed devices known as bank card skimmers at the affected Aldis. Before the devices were discovered on Jan. 30, police told the newspaper that “multiple victims had their debit card information compromised.”
ORIGINAL SOURCE: Mcali
The post Aldi says some stores hit by data breach appeared first on IT SECURITY GURU.
ShopRite pharmacy security breach affects 10K customers
Nearly 10,000 customers who signed for pharmacy purchases at the ShopRite in Millville have been exposed to a possible data breach after the electronic device used to record those transactions was thrown out in June. Wakefern Food Corp, which manages that ShopRite, announced the data breach this week for customers of the pharmacy between 2007 and 2013. Personal information that could have been stored on the device includes name, phone number, date of birth, prescription number, medication name, date and time of pick-up or delivery, signature and zip code.
ORIGINAL SOURCE: NJ.com
The post ShopRite pharmacy security breach affects 10K customers appeared first on IT SECURITY GURU.
Mueller probing what Trump knew about hacked emails
Special Counsel Robert Mueller’s investigators are asking witnesses about whether then-candidate Donald Trump knew that Democratic emails had been hacked before the theft was publicly known, NBC News reported on Wednesday. Mueller’s team also wants to know whether Trump was involved in releasing them in order to hurt Hillary Clinton and boost his own campaign for the White House, the network said, citing multiple sources. They have also asked about the relationship between longtime Trump adviser Roger Stone and WikiLeaks founder Julian Assange — who published the stolen emails — and why some of Trump’s policy positions favored Russia.
ORIGINAL SOURCE: NY Post
The post Mueller probing what Trump knew about hacked emails appeared first on IT SECURITY GURU.
Confused consumers go backwards to the future of technology
Confused consumers are struggling to get to grips with modern technological advancements, new research has revealed.
More than seven out of 10 people say they feel devices such as smartphones and tablets have become far too complicated over the past five years, with users admitting they neglect basic IT security as a result.
Three quarters of those questioned in the survey by Lifeline IT said they failed to regularly back-up their laptop or computer because it is too complicated. Only four out of 10 feel confident their entire digital life is securely backed-up and a further 64% say they do not trust Cloud storage.
The research, carried out with 1000 consumers, revealed that only 33% are vigilant about password security, with half admitting to keeping passwords on post-it notes or in their phone because it is easier.
The survey was carried out by network support company Lifeline IT to gain a greater understanding of how changes in technology have affected people.
Surprisingly, it is the younger generation who are most concerned with the speed of change, with 78% of those aged 25-34 saying they feel IT has become more complicated, compared to only 65% of those aged 45-54 and 74% of those aged 55-64 years old.
Commenting on the findings, Lifeline IT founder and director Daniel Mitchell said: “This research shows that many people feel completely left behind by the rapid changes in technology. Five years ago, devices such as iPhones were simple to set-up and operate but now even experienced ‘techies’ can struggle to get to grips with them.
“What’s worrying about these findings is that people are neglecting IT basics such as data back-up and security because they feel it’s all just become too complicated. The ramifications of this could not only be incredibly disruptive but, ultimately, very costly to an individual – losing all your digital personal information or being a victim of cybercrime can be expensive to put right.”
The survey also looked at attitudes towards improvements in internet and broadband performance, with 75% saying they felt internet speed had actually become worse in recent years because of the amount of downloading of visual and audio content people are now doing.
Although technology now enables consumers to run virtually their entire lives from a smartphone, two-thirds said they still do not feel safe using public Wi-Fi networks to make financial transactions or access their bank account.
And whilst 52% think high-tech identification methods such as face recognition or thumbprint verification are the safest ways to access a smartphone or tablet, people continue to neglect basic security. A quarter are still using simple passwords such as ‘password’ or ‘1234’, which negates the advantages of biometric security.
The Perfect Storm: Cyberspace Requires Defence in the Cloud
By Rick McElroy, Security Strategist and Tom Kellermann, Chief Cybersecurity Officer, both at Carbon Black
Corporations are regularly under siege from multiple threat actors in cyberspace. The underground cyber marketplace that flourishes around the world has allowed criminals and nation states to wage long-term campaigns against corporations and government agencies. These attackers target businesses and consumers from the fog of the Dark Web.
Evidence suggests the Dark Web has become an economy of scale wherein the cyber-crime syndicates have begun to target the inter-dependencies of our networks, and the adoption of cloud technology has only made hindering these attacks more difficult. The cloud has given malicious actors blind spots to hide in and more avenues of attack. As our data moved to the cloud, our security programmes did not keep up.
When one starts to think of the risks facing organisations leveraging the cloud, one might think of the aircrews whose mission it was to fly into the clouds over enemy territory and deliver strategic bombing campaigns during World War II. Organisations that leverage the cloud are delivering services to customers and partners in a low-visibility environment. Furthermore, as the cyber-criminal community burrows into networks, we must appreciate that after the initial theft of data they tend to hibernate. This hibernation allows for secondary monetisation schemes, including reverse business email compromise against your customers and selective watering-hole attacks. Cyber criminals realise there is implicit trust in your brand, trust that can and will be exploited. The modus operandi of cybercriminals has been modernised, and we should allow their offence to inform our defence, from who is accessing systems to what threats are hitting cloud endpoints. Even with anti-virus and other basic protections in place, organisations continue to be outpaced by attackers.
To extend the analogy: B-17s were equipped with armour and machine guns, much as your servers may have AV and logging turned on, but as in the early years of World War II, defenders continue to be outpaced in innovation and weaponry and continue to lose battles. The B-17 was nicknamed the “Flying Fortress”; it proved not to be one.
One of the most complex cybercrime conspiracies of 2017 was carried out by the group known as Stone Panda (APT10). Over the past year, these hackers ran a sophisticated campaign against Western corporations known as “Cloud Hopper”. The BBC reported that firms in the UK, Europe and Japan were targeted by the group, and that by infiltrating supply chains the attackers gained an easy route into many different targets. What began with a spear-phishing attack leveraging fileless malware escalated to hijacking the victim’s website and using their brand to target consumers. It then metastasised into the interconnected networks of their supply chain via cloud hopping. One important feature of this campaign was watering holes.
The watering holes executed remote JavaScript-based reconnaissance to target MSSPs. Once in, the attackers deployed HAYMAKER, a backdoor that can download and execute additional payloads in the form of modules, followed by a secondary infection via an open-source remote-access Trojan (RAT). These criminals were not conducting a burglary; they were executing an invasion.
“During World War II, various methods were employed to protect high level bombers from flak, fighter aircraft and radar detection, including defensive armament, escort fighters, chaff and electronic jamming.”
To help ensure the success of bombing raids, the Army Air Forces failed fast and iterated through changes. One of the key takeaways was that bombers would need fighter escorts in order to mitigate the risk of unseen attackers lurking in the clouds.
“Early models proved to be unsuitable for combat use over Europe and it was the B-17E that was first successfully used by the USAAF. The defence expected from bombers operating in close formation alone did not prove effective and the bombers needed fighter escorts to operate successfully.”  The lesson here for cyber defenders is that trying to build a single “fortress” that is impervious to innovation on the attacker side is a recipe for repeated failure. Instead, organisations should deploy the following:
The use of escort fighter pilots to ensure the safety and success of the missions (protection)
The employment of the Norden bombsight and radar (visibility)
Next-generation antivirus protection such as Cb Defense provides prevention by interrupting attacker behaviour, so that the systems supporting the strategic delivery of services for your organisation remain in service. It provides a proactive defensive posture, levelling the battlefield and tipping the advantage back to defenders.
Endpoint detection and response (EDR) capabilities give visibility into the tactics attackers are using so that your team can respond and remediate faster. This raises the cost of each attack and forces the attacker to change what they are doing. It also allows your team to pinpoint root causes, remediate vulnerabilities more quickly and proactively hunt for threats sooner.
It should also be noted that modern cyber operations are human versus human. Adversaries want to interact with your systems once they get in, and they want as much intelligence as possible to leverage against you and your partners. Whenever the offence pivots, so must defenders. The team that can better Observe, Orient, Decide and Act (the OODA loop) when under attack will be miles ahead of those that lack basic visibility into what attackers are doing. This is especially true in a cloud environment. By employing both protection and visibility capabilities, and partnering with a company that securely enables the cloud, organisations can move upstream of the problem and be well positioned to drive change.
So, in conclusion, how do you defend yourself from attackers looking to invade your cloud? By securing the battlefield: rapidly gaining visibility into what the enemy is doing, and enabling teams to find them and remove them.
Changes Made to White House Security Clearance Policies
The recent history of security clearances in the Trump White House has raised eyebrows.
Jared Kushner’s clearance application contained errors and omissions of a type “never seen” by some who are close to the approval process for clearances.
Another recent headline saw questions raised about Rob Porter — the former White House staff secretary — and why he was granted temporary security clearance despite FBI warnings about domestic abuse allegations in his past.
It is the second story that seems to have gotten the necessary parties interested in overhauling White House security clearance policy. Let’s take a look at what we can expect next.
What Effect Will This Have on White House Intelligence?
General John Kelly, the current White House Chief of Staff, has outlined his intentions to broaden the restrictions on which types of classified intelligence the interim security clearance-holders are allowed to access.
And although Porter’s story was certainly a tipping point, Kelly cites a colorful history of White House staff members who have handled highly classified information without permanent security clearances. Any staff member with a pending background check more recent than June 2017 will see their SCI-level privileges stripped from them.
The aforementioned Jared Kushner still does not have a permanent security clearance, despite this administration being more than a year old and despite his continued presence at high-level government meetings. Kushner could be one of the first to see his access revoked under these new rules.
With respect to elevating concerns over the content of an applicant’s character, as the FBI attempted to do in Porter’s case, Kelly has outlined plans to require the Federal Bureau of Investigation to, in his words, “hand-deliver” background checks for potential staff additions and place a special emphasis on “significant derogatory information” about those employees.
Critics have been vocal about Kelly’s proposed changes to the application process. One attorney with experience in security clearances and FOIA requests, Mark Zaid, called Kelly’s memorandum “troubling” and asserts that the application and approval process “worked fine before this Administration.” The failure, according to Zaid and other experts, is a cultural one rather than a procedural one.
For example, anybody who is familiar with the Rob Porter situation knows that the question is not “whether” Trump’s White House knew about the allegations against him, but “when.” The next conclusion is that high-level staff in the White House had as much information as they needed to draw actionable conclusions about Porter’s fitness for government work.
How Will This Affect the Release of Digital Information From the White House?
It’s clear that the digital frontier brings challenges that might never have perfectly acceptable solutions. Every safeguard we dream up to fight against the access or dissemination of sensitive information reduces transparency on some level, even as it makes important information safer. Making changes to how government contractors handle even unclassified information is a critical point of interest these days.
The question is whether Kelly’s memorandum and proposed changes are just to save face or whether they will actually succeed in changing something the American people want changed.
Nevertheless, Kelly’s plan would also require that temporary security clearances older than 180 days expire automatically or be extended for an optional 90 days if background checks come back clean. It is not uncommon for security clearance approvals in a new administration to take as long as Kushner’s has. But given the very long list of responsibilities handed to him by his father-in-law, Donald Trump, these new restrictions are certain to change how he performs his work — if he can perform it at all.
In fact, part of the reason so many White House staff members have seen lengthy delays with their clearance approvals is that this administration has a higher percentage of first-time civil servants than previous administrations. And, ultimately, the president of the United States can grant security clearance to whomever they want, further complicating things.
Kelly has it part right: There was either a failure of communication or failure of judgment. Some of the fixes he describes should make it easier for concerned parties to elevate their concerns about appointees and applicants to sensitive roles. But some of the detractors are right too: The process would have worked as intended if somebody in the Trump White House had reacted appropriately when the FBI voiced their concerns about Rob Porter.
The Fallout
The only institution in America at this time with the power to strip the president of his security-clearance-granting prerogatives is Congress. So even if Trump or persons within his circle “dropped the ball” on Porter, it’s fairly clear that checks and balances aren’t quite what they should be when it comes to this particular process.
The FBI has had recent problems of their own, including the loss of personal data on thousands of employees in 2016. However, it’s clear that if their role in preventing stories like Porter’s wasn’t taken seriously by the Trump administration, it was for other reasons entirely.
The stakes are high, as we’ve seen. The Trump White House has seen a stream of leaks to journalists and other parties. It isn’t hard to see how automatic time-outs for temporary security clearances and limited access to highly classified documents could help reduce the number of information leaks this administration has weathered, which are either unprecedented or merely statistically interesting, depending on whom you ask.
General John F. Kelly is right to want to protect the sanctity of high-stakes intelligence. He’s applying what he knows of military culture to the “problem” of information porosity in this current White House. What the rest of us can’t ever forget, though, is that some information needs to be leaked.
Breaking state-mandated silence to bring wrongdoing to light is the sort of revolutionary spirit Americans are supposed to value.
Nobody wants a less-transparent American government, but some of the growing pains we’re seeing now are the result of entrusting its operation to people who don’t know how it works. Some of these people have ulterior motives, but many others do not.
Kelly, who believes digital information leaks are tantamount to treason, proposes making life more difficult for both types.
How Bad Biometrics Decisions Can Create a Lasting Brand Nightmare
Great brands earn the trust of their loyal customers over time. But brands are created by businesses, businesses are created by people, and people make mistakes. Fixing a mistake can be an opportunity to build a stronger customer relationship, furthering loyalty. Cybersecurity breaches, however, are mistakes of a much greater magnitude. Once trust is lost, the road back can be painful and costly. In some cases, brand damage can be permanent.
Verizon, in its latest annual Data Breach Investigations Report (https://goo.gl/atQnAX), estimates that over 80% of hacking-related breaches “leverage stolen or weak passwords”, striking directly at the attack surface that is the login screen. Understandably, choosing the right biometric solution to fortify that surface now plays a critically important role in corporate strategies. The decision to use an inappropriate or badly performing biometric can have significant consequences.
Some early adopters buying into overreaching security claims have already felt the public sting of a bad biometrics choice. A while back, a respected US financial organization with a trusted brand chose a biometric whose vendor claimed that having a user blink proved liveness. It doesn’t. The weakness was exposed when a national science magazine easily spoofed it, without even using photo-animation software such as CrazyTalk.
In the past several years, Samsung has fumbled through a series of major new-product launches that cost it dearly. Hours after one such launch, a YouTube video showed a user logging in with a digital photo, destroying the illusion of security (more than 820,000 views to date). Its iris scanner was then hacked as well, and the brand took another very public hit.
A very similar story has unfolded around the performance of Apple’s Face ID, which has been spoofed with masks, siblings, a 10-year-old child and even… pizza toppings. At this stage in its development, Face ID can only be considered an on-device convenience feature. The consensus is that it will improve, and whether any long-term damage to the Apple brand results remains to be seen, but as is plainly evident on social media, it is shaking confidence and is not shedding a positive light on the flagship device.
John Williams, a San Francisco Bay Area-based global marketing and strategy veteran, is unequivocal: “Major breaches of any sort, like those at Yahoo!, Target and Equifax have a lasting, negative effect on the actual value of the company; and moreover, on a customer’s willingness to stay with the brand. Users will run the other way if they think they are personally exposed. This is true for businesses of any size or type. Spending focused time to match your organization’s specific needs to an appropriate biometric that meets your specific needs and performs as advertised can prevent very serious, lasting consequences.”
This is not to say the massive efforts to advance biometrics are insignificant. Quite the contrary. It’s a difficult problem to solve, not only because of the inherent complexity, but the problem and its solutions are truly global and will always be a moving target.
But there are two salient issues to examine today. First, if a biometric is presented as a security feature, it should perform at a level commensurate with what it purports to protect. If it merely opens a device or an app, the level of security is relatively low, and it can be classified as a convenience. Face ID, for example, is likely more secure than Touch ID, but for it to protect higher-value transactions it will require more development (which, no doubt, Apple will do). A latte and a scone, sure. But a $5K wire transfer? It’s not there yet.
This distinction is critical, because even if the spoofing of a biometric is contrived, like the Touch ID vs. cat’s paw video, the company’s brand is at risk because the general public can’t discern between real threats and contrived situations. Also, any demonstrable biometric spoof opens the door to liability for friendly fraud. A user can claim that since the biometric was not proven 100% secure, they had nothing to do with the $10,000 transferred overseas from their account, and insist that it had to have been done by an imposter.
With demand for biometrics high but truly secure mobile biometric options scarce, many companies have settled for multi-factor arrangements that actually weaken security. In most of these cases the password isn’t being replaced at all; it is simply being bypassed by the biometric. That means every risk of the password remains, plus the added risk of an insecure biometric: the attack surface has grown, not shrunk. Brands must realize that biometrics designed to unlock a device are not secure enough to replace a password when accessing a bank or healthcare account.
Reducing the attack surface is one of the most effective means of improving security, and the current trend toward multi-factor authentication embodies this thinking: more login modalities strung together promise to increase security. But a modality that can be easily spoofed cannot really be counted as a factor at all, and a second modality that can be used instead of the first is an alternative path in, not a second factor. So beware the false sense of security that comes from stringing weak factors together.
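The two points above (a biometric that merely bypasses the password widens the attack surface, and a spoofable modality is not a factor) can be made concrete with a small model. The following Python is an added example written for this page, not code from the article or from FaceTec; every assurance tier, spoof probability and transaction band in it is an illustrative assumption rather than a measured figure. It composes factors in “or” mode (either modality alone unlocks the account, as when a biometric is bolted on beside a password) and in “and” mode (every modality must be defeated in the same session), and applies a step-up policy that ties the assurance required to the value of the transaction, along the lines of the latte-versus-wire-transfer distinction.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Hypothetical assurance tiers, weakest to strongest (an assumption for this model)."""
    CONVENIENCE = 1          # device-unlock biometric, spoofable with a photo or video
    PASSWORD = 2             # shared secret; reusable and phishable
    LIVENESS_BIOMETRIC = 3   # biometric with strong liveness detection
    PHISHING_RESISTANT = 4   # hardware-bound FIDO authenticator


@dataclass(frozen=True)
class Factor:
    name: str
    assurance: Assurance
    spoof_probability: float  # assumed chance a motivated attacker defeats it in one attempt


# Illustrative catalogue: the probabilities are assumptions for the model, not measurements.
DEVICE_FACE_UNLOCK = Factor("device face unlock", Assurance.CONVENIENCE, 0.5)
PASSWORD = Factor("password", Assurance.PASSWORD, 0.2)
LIVENESS_FACE = Factor("liveness-checked face", Assurance.LIVENESS_BIOMETRIC, 0.02)
FIDO_KEY = Factor("FIDO security key", Assurance.PHISHING_RESISTANT, 0.001)

# Assumed transaction bands: (upper limit in currency units, minimum assurance to authorise).
TRANSACTION_POLICY = (
    (50.0, Assurance.CONVENIENCE),
    (1000.0, Assurance.PASSWORD),
    (10000.0, Assurance.LIVENESS_BIOMETRIC),
    (float("inf"), Assurance.PHISHING_RESISTANT),
)

WEAK_FACTOR_THRESHOLD = 0.25  # above this, a modality is a convenience, not a factor


def attack_success_bypass(factors):
    """Biometric *bypasses* the password: the attacker only has to beat any ONE modality."""
    p_all_hold = 1.0
    for f in factors:
        p_all_hold *= 1.0 - f.spoof_probability
    return 1.0 - p_all_hold


def attack_success_multifactor(factors):
    """True multi-factor: the attacker has to beat EVERY modality in the same session."""
    p = 1.0
    for f in factors:
        p *= f.spoof_probability
    return p


def real_factor_count(factors):
    """Modalities spoofable with readily available media are not counted as factors."""
    return sum(1 for f in factors if f.spoof_probability <= WEAK_FACTOR_THRESHOLD)


def effective_assurance(factors, mode):
    """'or' (bypass) is only as strong as the weakest path in;
    'and' (multi-factor) is at least as strong as its strongest factor."""
    if mode == "or":
        return min(f.assurance for f in factors)
    if mode == "and":
        return max(f.assurance for f in factors)
    raise ValueError(f"unknown composition mode: {mode!r}")


def required_assurance(amount):
    """Look up the assurance tier the transaction band demands."""
    for limit, level in TRANSACTION_POLICY:
        if amount <= limit:
            return level
    raise ValueError("policy has no band for this amount")  # unreachable: last band is inf


def authorize(amount, factors, mode):
    """Step-up decision: the presented authentication must reach the band's assurance."""
    if not factors:
        return False
    return effective_assurance(factors, mode) >= required_assurance(amount)


if __name__ == "__main__":
    combos = [
        ("password only", [PASSWORD], "or"),
        ("password OR device face (bypass)", [PASSWORD, DEVICE_FACE_UNLOCK], "or"),
        ("password AND device face", [PASSWORD, DEVICE_FACE_UNLOCK], "and"),
        ("password AND liveness face", [PASSWORD, LIVENESS_FACE], "and"),
    ]
    for label, factors, mode in combos:
        p = attack_success_bypass(factors) if mode == "or" else attack_success_multifactor(factors)
        print(f"{label:36s} p(attack)={p:.3f} real_factors={real_factor_count(factors)} "
              f"latte={authorize(4.5, factors, mode)} wire_5k={authorize(5000, factors, mode)}")
```

The “password OR device face” row is the situation the article warns about: the attack probability is higher than for the password alone, and the effective assurance drops to the weakest path, so the same user who can authorise a small purchase is refused the wire transfer until a liveness-checked or phishing-resistant factor is presented in “and” mode. Swapping the assumed probabilities for figures from your own testing does not change the shape of the result, only where the bands fall.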
Some considerations companies should contemplate before adding a biometric to their app:
What percentage of the user base owns the specific hardware required to use the biometric? If users can’t try it because they don’t own the latest high-end device, or have not purchased a dongle, they will still have to use passwords by default and the company must continue to support both password and biometric logins indefinitely.
Is the biometric convenient enough for any customer to use daily? It needs to be fast and as secure as necessary with as few factors as possible.
Transmitting digital images of faces or fingerprints to a server and then storing them long term in the cloud, along with passwords and other PII, could prove problematic for the brand if there is a breach.
Can the biometric be easily spoofed with readily available media? If it takes a 3D face scan and professional Hollywood mask-makers weeks to fool your biometric, the general public will not likely see that as a real-world vulnerability. But if your biometric can be spoofed with a photo, slideshow, video, fingerprint copy or CrazyTalk7, then it’s entirely possible that competitors, unhappy customers, or just YouTubers looking for views will target your brand and expose the weakness.
Some additional considerations when making biometric decisions include:
Assess all related costs, like dedicated internal support resources and additional customer support requirements, as adding a biometric and keeping passwords may actually cost more to support.
The term “authentication” is not clearly defined today. A FIDO authenticator and Google authenticator are not the same thing and serve different purposes. True biometric authentication requires strong liveness detection.
Test and evaluate internally, but also look for reputable third-party verifications and certifications for the assurance of security.
Consider initiating your own third-party testing for independent verification.
The mobile security problem is global and affects billions of people. The stakes for trusted brands are very high. The biometric your company chooses will directly impact your users’ security and your image. Give careful and deliberate consideration not only to the convenience level of any biometric you assess, but also to its real-world security level, and determine from every angle whether that impact is net positive or negative.
————————————————————————————————————————-
John Wojewidka is the Director of Business Development for FaceTec, Inc. FaceTec improves security for businesses and consumers by providing intelligent, ultra-secure mobile biometric software to mobile app developers. Leveraging decades of Computer Vision, Artificial Intelligence and Machine Learning experience, FaceTec is changing mobile security by replacing app passwords on nearly all iOS and Android devices with ZoOm®, the world’s first universal 3D face login software for mobile apps. ZoOm’s patent-pending face authentication technology ensures not only positive identification, but also three-dimensionality and liveness. For more information, please visit www.ZoOmLogin.com.
CoinDash: Hacker returns another $17m worth of stolen Ethereum to firm just months after ICO heist
An unknown hacker has returned over 20,000 more ETH worth over $17m to CoinDash just months after the firm was hacked last year. In July 2017, CoinDash lost millions of dollars worth of Ethereum just three minutes after the cryptocurrency portfolio management platform launched its initial coin offering (ICO) by swapping the firm’s wallet address for their own. At the time, the losses were estimated at $7m. Following the hack, CoinDash promised investors, who sent money to the hackers’ fraudulent wallet address, their funds back in CoinDash tokens.
ORIGINAL SOURCE: International Business Times