Channel: Kayla Matthews – IT SECURITY GURU

50 Percent of Americans Don’t Trust Institutions to Protect Their Data

Have you had one – or many – of your accounts hacked? According to a report from Pew Research Center, a vast majority of Americans have.

The study also shows that people believe cyberattacks are a way of life in today’s world. This may be a surprise to some, while to others it may not. In fact, 35 percent of respondents have had a form of sensitive information compromised or stolen, while 41 percent have seen fraudulent charges on their credit cards, likely from identity theft.

That information is concerning, to say the least. It also explains why so many Americans are wary of sharing sensitive data with organizations.

Who Can Protect Our Data?

Another thing the study revealed is that most Americans feel institutions just cannot and will not protect their data. As many as 28 percent of Americans feel the federal government is not capable of keeping their data safe from cybercriminals.

A further 24 percent believe social media platforms cannot protect their personal data accurately, either.

However – and perhaps this is even more interesting – respondents claim they are not overly worried about cyberattacks. About 60 percent say that the thought of being hacked does not cause them any anxiety. Does this lend more credence to the idea that it’s a way of life now?

Think for a moment: How many times have you received an email or notice that one of your accounts has been compromised? How many times have you been a victim of identity theft or fraud, especially with credit cards?

It is frighteningly prevalent. Worse yet, cybercrime damage is expected to surpass $6 trillion by 2021. That’s a significant jump from $3 trillion in 2015.

The increased frequency in cyberattacks has also given birth to many advanced security protocols that work against a hacker or thief’s favor.

Virtual identity servers (VIS) are one such solution, and one that is becoming more common in business circles. VIS systems can combine data from multiple sources to provide one comprehensive database view, while simultaneously adding additional security and control over the original data sources. This architecture can also reduce IT expenses, which likely has something to do with its popularity.

What Other Security Protocols Work?

The best way to prevent access to a personal account is to enable two-step or two-factor authentication if it’s available. Any time you want to login from a new device or new location, the system will send a randomly generated code. You must also enter this code – on top of your account and password info – to gain access. Usually, you can have the code sent to your mobile device.
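The new-device flow described above, sketched from the server's side as an added example (not code from the article or from any particular service). The `StepUpVerifier` class, the five-minute lifetime and the five-attempt limit are assumptions chosen for illustration; the password check is represented by a `password_ok` flag.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed lifetime: five minutes
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class StepUpVerifier:
    """Asks for a one-time code when a login comes from an unknown device."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._known_devices = {}  # user -> set of trusted device ids
        self._pending = {}        # (user, device) -> issued-code record

    def trust_device(self, user, device_id):
        self._known_devices.setdefault(user, set()).add(device_id)

    def needs_code(self, user, device_id):
        return device_id not in self._known_devices.get(user, set())

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue_code(self, user, device_id):
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted digest is kept, so the stored record does not
        # contain the code itself.
        self._pending[(user, device_id)] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # sent out of band, e.g. to the user's mobile device

    def verify(self, user, device_id, password_ok, submitted_code):
        # The code is an addition to the password, never a replacement.
        if not password_ok:
            return "denied"
        if not self.needs_code(user, device_id):
            return "ok"
        key = (user, device_id)
        entry = self._pending.get(key)
        if entry is None:
            return "code_required"
        if self._clock() > entry["expires"]:
            del self._pending[key]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # Six digits are guessable without a cap on attempts.
            del self._pending[key]
            return "locked"
        candidate = self._digest(entry["salt"], submitted_code)
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[key]              # single use
            self.trust_device(user, device_id)  # later logins skip the code
            return "ok"
        return "wrong_code"
```
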

In the Pew report, about half of all respondents – 52 percent – said they use two-step authentication to protect their online accounts where applicable.

That doesn’t mean people always take the necessary precautions. In fact, many respondents revealed they are not doing everything they should to beef up their digital security. Only 12 percent said they change their passwords regularly. This is important, especially if you use the same password across multiple accounts – which is something you should never do.

Less than half – or 41 percent – admitted to sharing their password for online accounts with a friend or family member. This is a definite no because even if you do everything you can to protect your password, there’s no guarantee anyone else who knows it will. The solution to this is pretty simple: don’t share your passwords.

However, an egregious 39 percent admitted to using the same password for all accounts. As we already said, you should never do this. If one account is compromised, then hackers have access to all your accounts. The first thing they’ll try is a password they already have.

What’s the Biggest Takeaway?

What you need to learn from all this is that Americans – and likely a lot of others – do not trust institutions to protect their data. This is not a good thing, believe us, especially since big data is starting to catch on.

It may even be time for organizations to start educating clientele on good personal security habits.

If you don’t trust companies to protect your data, take these steps to help ensure your safety. They can make a big difference and give you a little extra peace of mind.

The post 50 Percent of Americans Don’t Trust Institutions to Protect Their Data appeared first on IT SECURITY GURU.


Shadow IT Is a Bigger Problem Than Most of Us Realize

Maybe you’ve only heard about shadow IT in passing or think it’s not very likely to impact your workplace, so it’s not important. It’ll soon be clear shadow IT is wreaking havoc in ways most people aren’t aware of, making it a worthwhile subject to discuss.

Shadow IT Weakens Organizational Standards

When you first started working at a new place, you were probably given a computer that was set up in certain ways and only included software that had been approved by the organization’s IT department. Many offices follow that practice because it allows representatives to ensure all computers in the building are properly secured against threats.

If organizations have standards about which software and apps are allowed, it makes it easier for IT specialists to find vulnerabilities after hacking attempts occur. However, many employees may not realize they’re breaking rules by downloading certain apps or software offerings. Many software companies let people check out products with free trials and permit paying for the full versions via PayPal to make transactions simpler.

Shadow IT compromises tech standards within an organization because the use of unauthorized software might mean each computer has different capabilities. Even worse, the software potentially puts the entire network at risk because of security flaws and makes it harder for IT professionals to manage their respective systems.

Shadow IT Could Let Unauthorized Parties See Confidential Files

There are many high-tech products available that facilitate sharing files across great distances. Many are cloud based, meaning users can access content across multiple devices from where they are without running into location-based difficulties.

However, shadow IT has also become a common problem in the cloud computing sector. According to a recent survey, 78 percent of IT managers said users had gone behind their backs multiple times to set up and start using unauthorized cloud-based services.

This is also known as “rogue IT.” Some examples of it include using Skype to conduct work-related conversations, downloading an instant-messaging app onto a company-owned tablet or using Google Drive to collaborate on a shared project.

If people use unauthorized cloud services to compose, share or view company files, those actions could understandably cause huge confidentiality breaches. In some cases, ex-employees can still access confidential material, too.

A 2014 survey about rogue access revealed that 89 percent of ex-employees were still able to access content stored through cloud-based services like PayPal, Basecamp and Office 365 — and that’s merely because they left the company in possession of valid login credentials.

Things probably would not go wrong if workers left companies on good terms, but it’s not hard to imagine what could happen if employees were upset with their workplaces and wanted to retaliate.

The Risk Is Particularly Great in the Health Care Industry

If you don’t think shadow IT poses a pressing problem in today’s society, consider that analysts warn the associated risks are especially troubling in the health care industry. Health professionals receive ongoing training to understand how to handle sensitive patient data in accordance with national standards. However, on average they also use dozens of cloud-based interfaces while going about their work. Many health care workers don’t actively break rules by going rogue, but because they don’t know which cloud services are the most secure, they unintentionally expose their workplaces to problems.

Hackers specifically target health care records because they contain a wealth of information. When health professionals tap into the shadow IT market by using any product that’s not authorized by their companies, they could help hackers carry out successful attacks.

Shadow IT creates major issues. Keep your employees informed about company practices and use programs that prevent people from accessing sites not explicitly approved if you want to avoid trouble.

The post Shadow IT Is a Bigger Problem Than Most of Us Realize appeared first on IT SECURITY GURU.

Why 61% of hacked webmasters don’t receive a notification

As part of its #NoHacked campaign, Google released a report about website security trends, including hacking.

Unfortunately, one of the major statistics within the report indicates there’s a lot of progress yet to be made in reducing successful hacks. That’s because, in 2016, the number of hacked sites went up by about 32 percent.

Google’s representatives don’t expect that statistic to decrease over time. Hackers are notoriously aggressive and they often target outdated sites. Both characteristics set the stage for successful hacks.

There was another disturbing piece of data within the report: 61 percent of webmasters didn’t receive notifications from Google that hackers infected their sites because they weren’t properly set up in Search Console.

What Is Search Console?

Once known as Google Webmaster Tools, Search Console tells a wealth of information about your site. Want to know which pages on the site are most popular, how many visitors you’re getting and whether they’re viewing the content on mobile devices? All of those things are revealed through Search Console.

Even more importantly in the context of hacking, Search Console is the primary way Google communicates with webmasters about problems with site health, including indicators of hacking. If you’re part of the statistic about people who did not receive site notifications, it’s easy to make a positive change by getting your website added and verified through Search Console.

Information Aids Proactive Behavior

Besides getting your site set up in Search Console, stay abreast of hacking trends and do what you can to be proactive by preventing them. To aid in hacking prevention, Google released new resources for webmasters.

One discusses the top ways spammers hack sites and another gives advice about how a webmaster can know if a site is hacked. There are also specific help documents about common hacks, such as the Gibberish Hack.

Adherence to Best Practices Is Also Crucial

Researchers found only six percent of hacked businesses recover when they experience a major data loss. You can put yourself in the minority and triumph over hackers, and the likelihood of that happening is higher after recruiting assistance from experts who know best practices in data security and will teach your organization how to apply them.

If you haven’t had problems with hackers attacking your site yet, that’s not a good reason to breathe easily and assume they aren’t interested. Some hackers monitor vulnerable networks for a while before actually infiltrating them.

That’s why it’s essential to get up to speed in terms of data security best practices. Then, if problems are discovered either immediately or after a while, make sure to strengthen the weak areas to prevent hackers from sniffing around your site.

Don’t Assume Immunity

Some site owners or managers fall into the trap of thinking their website is either so small that hackers won’t waste their time tampering with it or so massive that it’ll be intimidating to hackers. It’s not a good idea to think either of those cases is true and assume you’re immune to hackers.

Recently, hackers took over a bank’s entire online presence for several hours. If your site is on the other end of the spectrum in terms of size and scope, hackers might think it’s an easy target, precisely because they think you have a low-key attitude about site security.

Protecting your site from hackers requires a multi-prong approach but getting it linked up with Google Search Console is your first order of business. After that, follow the other suggested courses of action you’ve just learned to send a clear message to hackers that your site’s well protected.

The post Why 61% of hacked webmasters don’t receive a notification appeared first on IT SECURITY GURU.

The biggest security problems with robotics

Robotic devices and automation platforms — which are similar in many ways — seem to be exploding in the IoT market, and for good reason. The idea behind these systems is to automate or carry out basic tasks so we have more time to do the important stuff.

But a new study from authors at IOActive reveals that robots are just like many other technologies that exist today — they are not inherently secure and present a lot of risks. The paper that presents this info is called Hacking Robots Before Skynet and comes from Cesar Cerrudo, the CTO at IOActive, and Lucas Apa, Senior Security Consultant for the same company.

Cerrudo and Apa present several reasons why this innovative and growing technology may be dangerous in terms of security, privacy and stability. They explain how robot technology is insecure — as is anything connected to the internet — and that lack of security could pose risks.

Since forecasts show global spending on robotics and similar technology will approach $188 billion by 2020, it’s time to start talking about these things.

What Are the Major Security Problems in Robotics?

You can read more about it in Cerrudo and Apa’s report, but below you’ll find the primary reasons why modern robotics are insecure. They rely on insecure wireless connections, don’t follow proper privacy and security protocols, employ poor user authentication measures and lack strict security policies for their default configurations.

Keep in mind, fixing all these points is crucial to building stronger security. Security and privacy are not to be taken lightly, and these problems present sizable vulnerabilities. And that’s unfortunate because there are lots of things we’d rather let robots do — like vacuum.

Robotic smart vacuums can roam around the home on a schedule and clean. They vacuum dirt, dust and nasties so you don’t have to spend your weekends lugging around a machine or sweeping. If you do have to clean at the end of the week, there’s a lot less to do thanks to your little robotic buddy.

This is just from the consumer side of things and only looks at a single type of device, but it’s an example of something seemingly innocuous that represents a real security risk. Corporations have thousands of robotic options, from the enterprise and corporate world to industrial setups. Amazon even uses robots in their shipping and packaging warehouses.

An insecure robot with access to millions of addresses — and their preferred spending habits — could be a hacker’s dream. Such risks don’t even factor in security risks from external sources, like employees. Regardless of intent, it’s entirely possible for your workforce to cause security breaches.

Their personal devices can be a liability for an internal network. Even unsanctioned activities and usage on company devices and systems can pose major security risks. Making sure employees have the proper training in security and technology is crucial to the safety of your business.

Perhaps even more important is fixing the following security issues in robotics and autonomy systems.

  1. Insecure Connections

Most robotic devices or IoT devices rely on Bluetooth and Wi-Fi wireless protocols to access the internet and interface with other tech. While these connection methods are perhaps not the most secure, the problem isn’t the technology itself. The problem is how data is being transmitted.

Most data is being sent as clear, unhindered content, and, when it’s encrypted, the methods used are poor. Poor encryption methods mean anyone who gets access to the data has all the information they need to carry out attacks or cause harm.

  2. Privacy Falls by the Wayside

As most platforms do, robotic and IoT devices report data remotely to various servers and company systems, sometimes even without user consent or permission. In some cases, data collection and reporting is necessary, while in others it is not. Permission doesn’t necessarily matter. The real problem is that sensitive data is not just being transmitted, it’s also at risk.

The data at risk could include mobile network and device details, user trends or patterns, current GPS data, tracked stats and much more. If a hacker gains access to the data being transmitted, they could cause a lot of harm, but most of the users would be none the wiser as to what’s happening, at least until the company involved announces the finer details.

  3. User Authentication Is Not Strict

It doesn’t matter what a robotic unit is doing, only authorized users should be able to deliver commands and control it. You don’t want an outsider tapping into your system wreaking havoc. Often, there are no authentication measures employed — users don’t even have to login or prove their identity to interface with these devices.

In the few cases where an authentication system is used, it’s easy to bypass. The last thing you need is your robot vacuum being hacked and used as a spy tool when a built-in camera and sensors were meant to help it avoid obstacles, not output a live feed. It just goes to show that even something as simple as a robot vacuum needs proper security and privacy measures.

  4. Default Configuration Security Is Lacking

When you get a new modem or router, there is a user-based administrative account, and then there is a higher-level service account. Most consumers don’t even know about the service account or have the information to access it — even if it’s readily available.

Because it’s a high-level account with unfettered access to the system, most companies adhere to strict security policies to ensure someone who isn’t supposed to can’t gain access. Robots and IoT devices are not securely protected by such measures. The default configuration, settings, passwords and accounts are super easy to access even by guessing.

Imagine what kind of damage a stranger could do to a platform or system after gaining unhindered, administrative access?

Enhance Security for Robots

Robots are a part of our lives today — whether it’s because we ordered a gift for Mother’s Day from Amazon and had it shipped to her directly or that we own a bot ourselves to help with the cleaning. And, no matter how we use them or how inconsequential it seems, we need to ensure proper measures have been put in place to avoid a security breach.

The post The biggest security problems with robotics appeared first on IT SECURITY GURU.

3 Cybersecurity Risks It’s Time to Outgrow

Sun Tzu probably would have suffered a stroke if you told him that thousands of years in the future, sprawling and complex communications systems capable of semi-autonomous thought would unify communications across the globe and make the business world reliant on a finite set of technologies.

While the context is different, “know thine enemy” is a concept as applicable to network security as it ever was to physical combat.

The number of network-based threats that CSOs, IT teams and even the self-employed have to think about every day is growing more rapidly than ever. While it can seem overwhelming at times, the first step in a good security policy is remembering to guard against the devil you know, rather than fret over the one you don’t. Here are a few examples of cybersecurity risks any business should be prepared to defend against.

1. Bring Your Own Disaster

Many modern businesses have lightened their employees’ load by removing the once-illustrious work phone from their everyday carry. Rather than saddle employees with multiple devices, companies have implemented a policy allowing people to access work communications on their personal devices.

Bring-your-own-device (BYOD) policies can be liberating, and can ensure the proper people get notified if an occasion requires after-hours attention. However, they can also expose your network to threats.

Before you implement a BYOD policy, make sure that enrolled devices are running monitoring software and that the network they use is separated from high-profile company information by a strong firewall. Should someone access your work network with an infected personal device, the results could be disastrous.

2. Shadow IT

Sometimes even things we think are altruistic can put company systems at risk. In the early days of network technology, IT companies coined the term shadow IT to refer to groups of employees setting up their own one-off networks within the company infrastructure. While the groups meant well, standing up such networks without proper security policies in place creates an obvious vulnerability.

Today there’s a new kind of shadow IT, this one comprised of rogue technology as opposed to groups of employees.

With modern cloud solutions allowing anyone to spin up a remote server in a matter of an hour or less, all it takes to put your business at risk is one brazen support technician connecting their homebrewed server to the company network. Avoid this situation by implementing a layered security policy that can stop threats at the firewall and application level, with forensic technology to track the origin of the attacks.

3. DDoS

Here’s a threat type that dates back to the earliest cyber-attacks. DDoS stands for distributed denial of service. In simple terms, this type of attack involves simply overwhelming a server by sending it more requests than it can handle. While it seems incredibly simple, this type of threat is tough to defend against simply because it can be difficult to distinguish legitimate traffic from an attack.

While we may never entirely eliminate the threat of DDoS attacks like the Dyn attack executed by the Mirai botnet last year, there are ways of identifying simpler DDoS-type attacks and re-routing traffic to keep servers from freezing up. Some of these are best practices, while others involve the use of a dedicated DDoS mitigation appliance.

We still have yet to see the day when cyber-criminals have to fear immediate retribution for the acts they commit. A would-be thief plotting to shoplift might think twice when they see a police officer on duty, but cyber-criminals’ activities often go completely unnoticed. Even when a culprit is identified, the perpetrator has typically had days or weeks to cover their tracks.

One day this will change and the easy money cyber-criminals seek will become less attractive, but until that day comes, it’s important to remain vigilant.

The post 3 Cybersecurity Risks It’s Time to Outgrow appeared first on IT SECURITY GURU.

Deep Root Analytics Is in Deep Trouble With Voter Data Breach

Cybersecurity experts speculate that in our current state, up to 70% of cyber attacks, including breaches, go undetected in a given year. Part of identifying and stopping breaches is knowing what kind of information cybercriminals are after, and election season creates hotbeds of public information that are prime targets for a breach.

The companies that house this information are, of course, responsible for keeping your data protected, but things don’t always go according to plan. Case in point: During the 2016 election season, GOP analytics firm Deep Root Analytics left the door wide open for crooks to access 198 million Americans’ voting information.

Politicians Prosper, Voters Are Exposed

Deep Root was hired to gather the information to support what would become the successful 2016 GOP presidential campaign. It included names, birthdays, phone numbers, voting information and even home addresses.

The company stored all this information on a database which researcher Chris Vickery discovered was misconfigured. The error meant there was no access protection for the database. Anyone with an internet connection could view and potentially steal the personal information of nearly 2 million Americans.

The database also included modelled positions, strategic information used by the GOP to market its campaign to voters. Had a major retailer allowed this type of information about their customers to get out, it probably would have been all over the news. Thankfully, it appears that while the door was left open, there were no nefarious attempts to access the data made during the 12 days it was unprotected.

Deep Root Responds to the Breach

With the number of cybersecurity issues surrounding the 2016 election year already staggering, Deep Root has taken a transparent stance toward the information leak. In a statement, the company encourages voters to monitor their accounts for fraudulent activity. They also attempt to temper the blow by pointing out that much of this info is public domain in some states.

Presumably, not all of Deep Root’s customers are political parties, and the field of data analytics is growing rapidly. In a business setting, critical analysis of data not unlike what Deep Root gathered can help businesses decrease operating costs by 60 percent or more. That’s a service you can charge for, and chances are Deep Root doesn’t want to forfeit any more customers than it has to in the wake of such a major error.

To remedy the exposed database, Deep Root updated access settings to the information, adding the layers of security that should have been in place to begin with.

White Hat Probing Uncovered the Error

While it might sting a little now, Deep Root is fortunate that consultancy firm UpGuard was around to point out the issue. Had it been left unattended to, there’s no telling where the information could wind up. Probably on the dark web, just like the Yahoo account information that has been up for sale there for half a year now.

Chris Vickery, the man who located the flaw in Deep Root’s system, is just one of many researchers engaged in locating and reporting these types of errors every day. While you might not hear about them, they play a critical role in ensuring the security of your data.

Google’s Project Zero is one such operation, a dedicated department of the 800-pound internet gorilla focused solely on uncovering vulnerabilities and thinking like cybercriminals. Their goal is to find the flaws before bad guys get there, and oftentimes they do. When an issue is found, the Project Zero coders report it to the organization responsible so they can apply a patch or remove the vulnerability.

Is Privacy a Reasonable Expectation Anymore?

Can the efforts of these good-guy hackers ever fully curtail the leak of information that has been gushing out of the internet since, well, probably before we even know?

Maybe not, but through careful regulation and fastidious maintenance, we can patch the easy holes. Deep Root got lucky — it committed a blatant error and wasn’t punished for it.

Just like burglary, data breaches are nearly always a crime of opportunity. If you leave the front door wide open, you had better expect someone to come waltzing in.

The post Deep Root Analytics Is in Deep Trouble With Voter Data Breach appeared first on IT SECURITY GURU.

New Patent Uses Circuit Boards to Protect Cryptographic Information

It’s everywhere. Seemingly everywhere you turn, there’s some sort of virtual attack happening. Ever since the invention of the computer, hackers have been around. But it has only been in the last decade or so that hackers have come to the forefront of society. Today, attacks such as the WannaCry incident prove that online security is something that is of the utmost importance.

Ransomware, malware and all of the other types of attacks have become commonplace. Phishing leads to the extraction of data from users without the users even knowing that it’s happening. For security, you have to have some device that will act as a line of defense when hackers turn their targets on you.

Luckily, cyber security is a thriving industry in today’s society. From huge corporations to smaller scale operations, the security of the Internet and any online endeavors is a business with a never-ending supply of enemies. In fact, the spending on cyber security is increasing at a rapid pace. It’s an industry in which crime continues to thrive despite the advances made on the security side of things.

Although cyber security has become increasingly complex and useful, there’s always a new challenge to tackle. And one of these challenges involves the physical makeup of the circuitry boards that help provide encryption keys and codes.

The Problem

Encryption of information is vital to the security of society in an age where the Internet is everywhere. Almost everyone has some information floating around online. To combat attempts to steal this information, corporations and individuals encrypt their data.

However, one of the biggest problems with encryption is related to the circuit boards that it requires.

The circuitry and modules placed on these boards often warp them over time, and the plastic or resin doesn’t interact well with the board. Hackers can also physically manipulate the boards. IBM has a solution to this.

IBM’s Solution

To combat this issue, the tech giant developed a new printed circuit board setup. What sets IBM’s creation apart from other PCBs is that it doesn’t require plastic that wraps around the modules. Instead, IBM wrapped the modules in layers of PCB circuitry. This reduces heat and expands the life of the board. It’s a fantastic solution that combines the creative and intellectual aspects of IBM’s innovative technology.

IBM says that it will improve the manufacturing yield. This means the company can produce more PCBs, which will lead to wider availability. Since this PCB board won’t have as many parts as its predecessors, the number of repairs should decrease as well. The invention will help prevent common PCB issues and other general problems with the circuitry.

How Does This Affect Encryption?

Encryption requires a lot of skill and a mind that can work with codes and see patterns. Although it is complex, there are always people out there who want to break these encryptions and steal the information they protect. It’s a war that is ongoing.

Sometimes, they do this manually by changing the physical makeup of the board. IBM’s new PCB board will help stop this manual manipulation. The circuitry that wraps around the board where plastic usually is will act as a physical barrier. The ability to place circuitry anywhere on the board will also make it harder to tamper with.

Encryption is already a crucial part of security operations for corporations and will continue in this role well into the future. These PCB boards will make life easier for people looking to encrypt their information and make the job of the hackers more difficult.

The post New Patent Uses Circuit Boards to Protect Cryptographic Information appeared first on IT SECURITY GURU.

5 Security Updates Made With Android Oreo

There are some things you can count on when it comes to new Android operating systems. First, they’re all named after sweet treats such as Gingerbread and Lollipop. Also, each one includes progressively better security features. Below, we’ll examine five security enhancements associated with Android Oreo.

  1. Restrictions on System Alert Windows

Android Oreo, like other operating systems before it, includes what are known as System Alert Windows. As you might guess from the name, they let you know about problems with your system or changes being made to it.

However, it was discovered that some hackers distribute ransomware through System Alert Windows. This “overlay malware” could cover up the phone screen and leave an affected device inoperable.

The System Alert Windows in Android Oreo are limited in size, so they can no longer block parts of the screen you may need to access for continued phone use. Furthermore, there’s an associated notification you can dismiss, which removes the applicable System Alert Window.

Together, these features prevent a System Alert Window from becoming so disruptive that it makes your phone useless.

  2. An Improved Verified Boot System

Android devices have included what’s called a Verified Boot System for the past four years. It performs standard checks to ensure your system is working properly before your phone loads fully once you turn it on from a powered-down state. In Android Oreo, the Verified Boot System got an upgrade.

In addition to performing its usual checks, the feature also prevents your phone from starting if it detects the device was rolled back to an earlier version of the operating system. If someone steals your phone and attempts to tamper with it after reverting to something not as current as Oreo, the Verified Boot System prevents it from going through the start-up process.

  3. An Even-Better App Scanner

Among the numerous perks that are part of the Android Oreo operating system is a harder-working version of Google Play Protect. It scans over 50 billion apps every day, regardless of whether you’ve ever checked them with your phone’s protective software, such as a virus scanner. Machine learning enables the service to spot whether an app is behaving erratically. Google Play Protect effectively keeps your device safeguarded from apps that don’t do as they claim or may be developed by people with ulterior motives.

This feature is particularly handy considering how many professionals choose to integrate their mobile phone into their employer’s phone network to enjoy seamless communications whether talking to a best friend or a client. If doing so involves downloading and using a third-party app, the beefed-up Google Play Protect could make taking that action less risky for the employee and employer.

  4. A Google-Powered Wi-Fi Assistant

Android Oreo marks the first time the Wi-Fi Assistant is available for Android in such a broad form. Once restricted to Nexus devices and Google Pixel phones, it automatically connects you to trustworthy open hotspots, making it possible to save data without thinking.

Besides doing that, it also connects you to a Google-managed VPN so all your data goes through a private tunnel and stays secure. Since public hotspots are undeniably convenient but notoriously unsecured, this feature offers the best of both worlds.

  5. New Kernel Protections to Benefit Developers and Users

Kernel bugs reportedly accounted for one-third of all Android security issues last year. It’ll be interesting to see if that figure drops in the years ahead — especially since all Android devices with Oreo include better kernel protections, including some tailored to developers who could find such vulnerabilities before shipping new devices to users.

You’ve just read about five impressive security boosters contained in Android Oreo. Although many of them work in the background, they’ll do a lot to keep your device free from problems and safer from hackers.
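To make the rollback check from item 2 concrete, the following added example (not code from the original article or from Android) models a boot loader that refuses a correctly signed but outdated image. The image format, the `rollback_index` counter, the `TamperEvidentStore` class and the demo key are assumptions made for illustration, and an HMAC stands in for the asymmetric signature a real device would verify.

```python
"""Simplified model of a verified-boot rollback check (illustrative only)."""
import hashlib
import hmac

# Constructed demo key. A real verified-boot chain checks an asymmetric
# signature against a key anchored in hardware; HMAC stands in for it here.
DEMO_VENDOR_KEY = b"constructed-demo-key"


def _tag(rollback_index: int, payload: bytes) -> bytes:
    # The version counter is covered by the tag, so it cannot be edited
    # without invalidating the image.
    header = rollback_index.to_bytes(8, "big")
    return hmac.new(DEMO_VENDOR_KEY, header + payload, hashlib.sha256).digest()


def sign_image(payload: bytes, rollback_index: int) -> dict:
    """Vendor side: produce an image record in a hypothetical format."""
    return {
        "payload": payload,
        "rollback_index": rollback_index,
        "tag": _tag(rollback_index, payload),
    }


class TamperEvidentStore:
    """Stand-in for device storage that only the boot loader can update."""

    def __init__(self, minimum_index: int = 0) -> None:
        self._minimum = minimum_index

    @property
    def minimum_index(self) -> int:
        return self._minimum

    def raise_minimum(self, new_index: int) -> None:
        # The stored minimum only ever moves forward.
        if new_index > self._minimum:
            self._minimum = new_index


def verify_boot(image: dict, store: TamperEvidentStore) -> tuple:
    """Return (allowed, reason) for one boot attempt."""
    expected = _tag(image["rollback_index"], image["payload"])
    if not hmac.compare_digest(expected, image["tag"]):
        return False, "signature mismatch"
    # A genuine but outdated image is still refused.
    if image["rollback_index"] < store.minimum_index:
        return False, "rollback detected"
    store.raise_minimum(image["rollback_index"])
    return True, "boot allowed"


def demo() -> list:
    store = TamperEvidentStore()
    old_build = sign_image(b"os-build-older", rollback_index=3)
    new_build = sign_image(b"os-build-newer", rollback_index=5)
    forged = dict(old_build, rollback_index=9)  # counter edited after signing
    return [
        verify_boot(old_build, store),   # first boot of the older build
        verify_boot(new_build, store),   # update raises the stored minimum
        verify_boot(old_build, store),   # downgrade attempt
        verify_boot(forged, store),      # downgrade with an edited counter
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The signature check alone would accept the older build, because it is genuine; it is the stored minimum that turns a downgrade into a boot failure.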

The post 5 Security Updates Made With Android Oreo appeared first on IT SECURITY GURU.


Pay Attention to These 5 Security Tips When Buying Cryptocurrencies

There are many ongoing discussions about the use of blockchain across various industries and markets.

In short, it is the distributed ledger technology or underlying foundation of Bitcoin, one of the most high-profile cryptocurrencies.

There are both public and private blockchains, and each has its own set of strengths and weaknesses regarding security. But the system itself, which records transactions, is reasonably secure, which strengthens the belief that cryptocurrencies are secure. Sadly, that couldn’t be any farther from the truth.

Blockchains aren’t entirely safe for a number of reasons. The most important thing you need to understand is that the network used to facilitate the blockchain and transactions is vulnerable in many forms – thanks to decentralization.

But Bitcoin and related cryptocurrencies aren’t completely secure either. In 2016, hackers were able to steal nearly $70 million worth of the virtual currency by tapping into a Bitcoin exchange. In early 2014, a similar attack resulted in the loss of an estimated $350 million in Bitcoins. Cyberattacks and thefts are not unheard of, even for a virtual currency such as Bitcoin.

This brings to light several security concerns regarding the ownership and transfer of modern cryptocurrencies. If you’re going to dabble in things like Bitcoin, what are the security risks you should remain aware of?

  1. Cryptocurrency Is Not Backed By Anything

In the real world, you have insurance to protect your belongings and yourself. If something unfortunate happens, the insurance policy will hopefully help you bounce back. If a hacker breaks into a bank system and steals virtual money, you don’t actually lose your money. There are ways to get it back, and plenty of ways to file grievances. There are various ways to fix the situation.

With cryptocurrency such as Bitcoin, that’s not the case.

You might as well be holding cash in your hand. If someone runs by, snatches that money and disappears into the crowd, it’s gone, for good. The same is true of cryptocurrencies, with few exceptions. In fact, a cryptocurrency called Aureus is the only cryptocurrency available that’s based on the real-world economy.

So, unless you use Aureus, your digital wallet could be as much of a liability as it is an opportunity.

If you lose the encryption access to your wallet, you lose everything contained within. If someone hacks your computer or system and gains access to it, they can transfer everything to a source of their choosing, and it’s gone.

If you invest everything in Bitcoin, and then you lose that money, it’s gone for good. Be smart about it. Manage the amount of Bitcoin you handle or invest in different kinds of cryptocurrencies. Keep multiple wallets and don’t store everything in one place. Furthermore, always back up your wallet encryption keys and data.

  2. You Need a Core Wallet

There are many types of wallets or “digital banks” where you can keep your cryptocurrencies. But if you’re going to store your money offline, often referred to as cold storage, it’s critical that you use a core wallet.

Wallets are constantly changing and receiving development work and updates. Core wallets, however, are guaranteed to have keys and file formats that are compatible across all versions, old and new. You won’t ever lose access to your currency because the wallet or software was updated and can no longer interface with older versions.

Furthermore, these tools are not infallible. It’s entirely possible to lose your money or see it drop into limbo because of a coding mistake or an issue in the code. Bitcoin can also get stuck during exchanges. If you can fix the problem, great! It may take you a while, but at least you get your currency back. If you can’t, well, then you lose everything.

  3. It’s Inherently Data

Virtual, digital, invisible, whatever. Describe it how you want. Just know that cryptocurrencies are nothing more than sets of data. They are no different than a bank statement stored in your computer documents, a photo or image of your family or a risqué video file tucked away in a hidden sub-folder. It’s data, plain and simple. That means people can manipulate it, copy it and delete it, and it can even be corrupted.

Treat your cryptocurrency like the sensitive data it is. Ensure that you encrypt your content, and then encrypt it again before dropping it into cold storage. Move it around between systems or portable drives, and then password protect the content. Keep backups, and keep those backups secure.

If and when a hard drive fails, you lose all data, media and content stored on the drive. In the back of our minds, we’re always worried about this happening. It’s why we back up our data. It’s why we keep multiple versions of important files. Do the same for your cryptocurrencies and wallet. Because once you lose access to them – whether you just forgot a password or someone accidentally deleted a file – they’re gone for good.

  4. Protect Your System

As Andreas Antonopoulos said, “nothing teaches [you] about [cyber]security faster than having Bitcoin on a Windows machine.”

The data you have is only as secure as the system or source where you have it stored. If you make a habit of opening questionable documents or attachments, you’re opening yourself up to a world of hurt. If the system where you have your wallet stored gets a virus, malware, spyware or ransomware, it may affect your access to your money. Lose control of your system, and you lose control of your money.

Security begins and ends with your computer. Keep your antivirus and anti-malware software up to date. Install all necessary OS updates and security fixes. Don’t install questionable apps or download unknown media and files. Don’t ever trust strangers or unknown contacts and screen everything you’re not sure of. A file attachment from someone unfamiliar, for example, should be scanned by an antivirus or anti-malware tool before you open it.

  5. Just Say No to Mobile Wallets

Mobile wallets have cropped up as a useful way to carry cryptocurrencies with you and even pay for goods and services in the real world. Best practice is not to use them at all unless you absolutely need to. Even then, don’t store a lot of cash in your mobile wallet.

Think about it. You would never put thousands of dollars in your real wallet or purse.

In the rare cases where you might have a lot of cash, you get nervous, real quick, for obvious reasons. It’s just not a smart thing to do, and it’s incredibly risky.

The same is true of mobile cryptocurrency wallets. If you’re going to use them, don’t carry more than you need.

The post Pay Attention to These 5 Security Tips When Buying Cryptocurrencies appeared first on IT SECURITY GURU.

New Report: 30% of CEO Emails Exposed in Breaches

The phrase “new normal” usually offers little comfort — particularly when stolen secrets are in the mix.

It’s true. Data breaches have become so commonplace that we’re nearly numb to them. But now a new report indicates the damage might be more widespread than any of us wanted to believe.

As many as 30 percent of CEOs may have had their email credentials — including passwords and the contents of their correspondence — exposed in recent breaches.

The Report

The findings in question come from F-Secure — and they’re not terribly encouraging. The sample size was relatively small, admittedly, but it included 200 CEOs from some of the world’s most prominent companies in their respective fields. Of those 200, 30 percent were confirmed to have had some of their email passwords and other credentials “leaked” to online databases.

If you look closer, you find something remarkable: Of the technology companies represented in the sample of 200 CEOs, nearly two-thirds (63 percent) saw their credentials stolen. That makes this new revelation something of a paradox. The more closely your company works with and depends upon secure and confidential technologies, the more likely you are to be targeted by folks who wish you harm.

That’s a problem for businesses of any size, whether you’re big enough to show up in an F-Secure poll of CEOs or not. So what can you do about it? The good news is twofold — you’re not alone, and you have steps you can take to protect yourself.

How to Keep Your Company Email Secure

Email accounts are famously susceptible to hacking and false-flag operations, as driven home by the 2016 presidential election in America. Even when state secrets and bad behaviour aren’t being aired publicly, though, there’s plenty at stake. Neither your company nor anybody else’s deserves to be compromised by data thieves. Here are some steps you can take to keep your company secure.

Tip 1: Keep up With Software Updates

It is popular to complain that software updates arrive too frequently to keep up with. It is also popular to ignore the ways modern operating systems make frequent updates painless to perform.

Both of the current mainstream desktop operating systems — your team is likely to use either Windows or macOS or both for business — give options to perform updates automatically and/or at times of your choosing, such as early in the morning before work begins. They don’t have to be an inconvenience.

Individual pieces of software require regular updates to keep you safe as well. Don’t skip or postpone these. Just as vectors of attack seem to proliferate over time, developers keep on their toes to patch vulnerabilities as they become known. Skipping a software update just once could mean leaving your trade secrets and private correspondence unprotected.

Tip 2: Improve Your Password Practices

The year might be 2017, but lots of folks still don’t take “password hygiene” seriously. The truth is, the quality of our passwords is often the weak link in an otherwise robust security regimen — but it doesn’t have to be that way.

If you rely on lots of passwords for work or company operations, invest in a password manager like 1Password, Dashlane, LastPass or KeePass. Most of these services have individual and team-based subscription offerings. Some are free to use.

Beyond that, change your passwords regularly and, if you can manage it, choose something unique but also simple enough to remember. An emerging consensus is to choose meaningful but apparently random words and string them together into a password. This makes it easy to remember and type in, but unintuitive for a would-be hacker to guess.

Tip 3: Use Encrypted Email or Nothing at All

You likely wouldn’t enter your Social Security or credit card number on a website without the telltale “https” or padlock icon beside the URL. Similarly, shifting away from unencrypted email is a common-sense step you can take to avoid unnecessary risk to your correspondence.

Encryption can happen at the server level either as part of your provider’s basic services or as a third-party software solution. To put it another way, encryption is available to you no matter your budget. If you rely on all-in-one webmail solutions, make sure the service you use is encrypted as a matter of course and uses two-factor authentication. Some trustworthy choices include ProtonMail, Hushmail, Tutanota, NeoMailbox and more.

Tip 4: Keep Your Employees Educated on Security Measures

A lot of what we’ve talked about here today sounds like something that starts with management and trickles on down, but the truth is that a great deal of security depends on the smallest of human actions to get right. That means making sure your employees always have a practical working knowledge — and an up-to-date one — about the current security landscape and how it should inform their conduct at work.

If your company allows employees to conduct business on personal mobile devices, for example, that’s great. Just make sure you provide security measures for those employees, as this is a common avenue of attack for data thieves and hackers.

Another example? You might be surprised about how many employees click suspicious links in emails from senders they don’t recognise. This kind of “blended attack” accounts for about 42 percent of email-based phishing attempts. This is just about as basic as you can get when it comes to email security best practices, but it’s also something that gets neglected without regular reinforcement. Emails themselves don’t always contain the malicious code or program — but clicking a mysterious link might take you to a download page.

Ensure Everyone Is in the Security Loop

Consider assembling some company resources on this topic. Keep them available in a central company directory, so anyone can refresh their memory when they need to. Make security a regular part of training for new hires. As new tools and practices become available, help your teams organise get-togethers to make sure everybody knows how to use them.

Like it or not, keeping our private information private has become a full-time job. Happily, it doesn’t have to be a difficult one, too. By seeking out more robust technologies and making simple changes to your company’s everyday practices, you can keep your organisation from becoming a statistic.

The post New Report: 30% of CEO Emails Exposed in Breaches appeared first on IT SECURITY GURU.

6 Things That Make You a Target for Hackers

Viruses and malicious software both top the list of common computer threats in the 21st century, but we can’t lose sight of one of the more traditional dangers: hacking.

A criminal art form that once required hours of scanning computer code and immense knowledge of networking infrastructure is now accessible to nearly anyone with a few hours of spare time and an Internet connection — and companies and consumers are paying the price.

But some systems make better targets than others. Many consumers and businesses even make it easier for a hack to occur — and they don’t even realize it.

  1. Reusing Your Password Among Different Websites

We spend a lot of time choosing our online passwords. As sites require passwords of increasing length and complexity, most of our focus goes into selecting a phrase we can easily remember, yet is still secure enough to meet modern security demands.

But this causes us to overlook another common problem — reusing the same password across different websites.

If a hacker gains access to one site, they’ll easily have access to the email address you used to sign up and your password — and you can bet they’ll plug this information into other login portals and sites, too.

  2. Falling for Online Scams or Fake Emails

Online scams and fake emails are everywhere on the modern Internet. It’s hard enough for a tech-savvy IT expert to avoid falling victim to one of these ploys — and the odds are even worse for someone who is new to the online world.

Although there isn’t one strategy you can rely on to avoid scams or malicious email, a little bit of common sense goes a long way. As a rule of thumb, if something sounds too good to be true, you’re best off avoiding it altogether.

  3. Being Careless With Your Data

Those who are careless with their data also make prime targets for next-gen hackers. It doesn’t matter if it’s your personal data, insight into your business or details on other consumers — hackers and identity thieves want that information.

Not only can they potentially sell that information on the dark web, but the ramifications of that stolen data could cost you additional money.

Every lost or stolen piece of personal information costs an average of $141, with the average total cost of a data breach sitting around $4 million.

  4. Ignoring Two-Factor Authentication

If you’re familiar with cloud computing, you’ve probably heard the term “two-factor authentication.” Simply put, users who log in to a site using two-factor authentication, or 2FA, must pass two different avenues of verification to gain access to the account. The two factors typically consist of a standard password login and an accompanying secret code generated via text message or email.

Since 2FA requires access to a completely separate account or device, it’s exponentially safer than standalone password protection. Many cloud providers already use 2FA, and some experts predict a significant rise in its usage in the future.

  5. Failing to Back up Your Data

Those who fail to back up their data on a regular basis are also highly susceptible to hacks and other online threats. A hacker might not even be aware that you don’t have a backup — the brunt of the damage could occur without the intruder even realizing it.

Users who back up their data will find it much easier to recover from an attack after it occurs. According to recent stats, approximately 60 percent of companies that lose their data will cease operations within six months following an incident — this could be catastrophic if you’re an entrepreneur or small business owner.

  6. Hosting Confidential or Sensitive Data

This one applies to businesses and organizations more than consumers, but computer systems that house confidential or sensitive data, like classified information or personal details on customers and shoppers, are a huge target for today’s hackers. The issue of corporate espionage is a real threat that even drew the attention of former FBI director James Comey.

Besides online cyber-spies, many hackers just get a thrill from wreaking havoc wherever possible. Others might be seeking revenge. There are numerous reasons a hacker or criminal might want to gain access to such information, and it’s up to today’s IT experts to cover all their bases and protect all fronts.

Avoiding Hackers and Other Online Threats

Today’s online landscape is a scary and downright dangerous place. Between identity theft, online harassment and large-scale data breaches, there are hazards to businesses and consumers alike.

Although we can’t protect ourselves from every single threat out there, there are plenty of steps we can take to avoid online threats and minimize our risks of encountering a modern-day computer hacker.
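One of those steps is the two-factor check from item 4. The following added example (not code from the original article) shows the server side of a one-time code sent by text message or email: the code expires, works once, and locks after repeated wrong guesses. The class name, the five-minute lifetime and the five-attempt cap are assumptions chosen for illustration.

```python
"""Server-side handling of a one-time second-factor code (illustrative)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


class OneTimeCodeVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> salt, digest, expiry, attempt count

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str) -> str:
        """Create a fresh 6-digit code; any earlier code for the user dies."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random
        salt = secrets.token_bytes(16)
        # Only a salted digest is kept so the plain code is not left lying
        # around. Six digits is a small space, so the expiry and the attempt
        # cap below are what actually protect it.
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # hand to the SMS or email sender; never log it

    def verify(self, user: str, submitted: str) -> str:
        entry = self._pending.get(user)
        if entry is None:
            return "no-code-pending"
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return "locked"
        candidate = self._digest(entry["salt"], submitted)
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[user]  # single use: a replay finds nothing
            return "ok"
        return "wrong-code"


def login_allowed(password_ok: bool, verifier: OneTimeCodeVerifier,
                  user: str, submitted_code: str) -> bool:
    # Both factors must pass. The code is not checked after a bad password,
    # so password guessing cannot use up a legitimate user's attempts.
    return password_ok and verifier.verify(user, submitted_code) == "ok"
```

A stolen password alone fails `login_allowed`, and a code captured after use is worthless because the pending entry is deleted on success.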

The post 6 Things That Make You a Target for Hackers appeared first on IT SECURITY GURU.

Data Breach Risks 2.9 Million Norwegians’ Health Care Information

Norway was among the latest successful targets for cybercriminals, and this recent attack involved health information.

The victimized organization was Health South-East RHF, which manages hospitals in nine Norwegian counties in the southeastern part of the country.

It received a notification on Jan. 8 when HelseCERT, a computer response team for the health sector, advised the company of suspicious traffic on their network.

Then, IT professionals at Sykehuspartner HF, the parent company of Health South-East RHF, investigated. Their findings confirmed a severe data breach that potentially affects more than half the population of Norway, or just under 3 million people.

Representatives Waited Too Long to Disclose the Issue

Norway is subject to upcoming European Union legislation called the General Data Protection Regulation (GDPR). Approved and adopted by members of the European Union Parliament in April 2016, it will come into effect on May 25.

Besides applying to EU member countries, all destinations that provide goods and services to people in the European Union or track their behaviors must abide by the GDPR.

Although the standard has many specifications about data use and storage, one of the particulars is that reports of data breaches to regulatory authorities and affected individuals must occur within 72 hours of the initial knowledge.

A 2017 survey from analytics company SAS revealed 58 percent of respondents were not fully aware of what happens for organizations not in compliance by the deadline.

Regardless of whether the team at Health South-East RHF learned about GDPR noncompliance, they didn’t follow the rules for data breach notifications in this instance and, in fact, waited a week to disclose the breach.

Health South-East RHF did not provide a reason for the delay in notifying anyone about the breach. Since the GDPR is not in effect yet, the organization will not get fined. However, analysts warn the prolonged period that passed could highlight the problems other companies might have regarding compliance.

The GDPR takes a tiered approach to non-compliance fines. In the most egregious cases of failure to comply, the amount imposed is €20 million, or up to 4 percent of annual revenue. However, the failure to notify regulatory officials in time results in a potential 2 percent fine.

How Should Health Organizations Respond to This Breach?

Content within the GDPR spells out requirements for handling consumer data. Also, it emphasizes organizations must provide a reasonable level of data protection and privacy to EU citizens. However, the standard does not define what “reasonable” means.

Most personal information forms people fill out include fine print that gives details about an individual’s rights and the responsibilities of the service provider. As the GDPR comes into effect, individuals within and outside the European Union can expect those documents to include full disclosures of data use practices. That may require organizations to edit existing forms to add details or make the material more relevant.

The Norwegian incident should also serve as a wake-up call to remind health facilities that they are continually at risk for data breaches.

Hackers consider patient information especially valuable because it’s highly personalized, and parts of it are valid for a long time. Cybercriminals often sell the data on the black market for top-dollar amounts.

That reality is why it’s so important for health organizations to implement best practices in their facilities and keep data as safe as possible. Several groups can help organizations improve their strategies and make recommendations.

Carrying out a detailed risk analysis is the first step. Then, depending on its findings, organizations may realize the need to patch vulnerabilities, start using more robust encryption technologies or adjust an incident response plan to ensure it minimizes the damage caused.

Having a course of action after a breach is crucial because it eases public fears.

A persistent criticism about how Health South-East RHF handled its incident was that the organization has only given vague responses when speaking about the extent of the breach, the kind of data compromised or what exactly they are doing to stop another infiltration.

The incident in Norway reminds everyone that no business, industry or type of data is safe from hackers.

The best response is to take decisive preventive measures that make it harder for cybercriminals to gain access to what they want most.

The post Data Breach Risks 2.9 Million Norwegians’ Health Care Information appeared first on IT SECURITY GURU.

Is Investing in Cryptocurrency Worth the Security Threats?

Even people who aren’t familiar with investing have heard of cryptocurrency — especially lately since it has frequently made headlines.

Some of those news stories about digital currencies focus on the rapid rises — and seemingly inevitable declines — of Bitcoin, one of the most well-known cryptocurrencies.

Others discuss how people had relatively stable lifestyles but lost most of what they had after becoming interested and investing in cryptocurrency. Some people who have had substantial successes in the cryptocurrency realm live in anonymity, not wanting to attract too much attention.

These potential downsides and others have some people wondering if the potential to get rich as a cryptocurrency investor is appealing enough to make the less-profitable outcomes less frightening. Indeed, when things go wrong, security is often the first thing people lose.

Cryptocurrencies Becoming More Attractive to Hackers

Cryptocurrency investors keep their virtual funds in digital wallets. Pickpockets have swiped physical currencies for generations, and the same is true for cryptocurrencies. Increasing interest makes them more tempting to hackers. In January 2018, hackers stole more than half a billion dollars’ worth of digital currency from Coincheck, a Japanese exchange.

Analysts say investors should expect more attacks of the same kind. Sometimes, the hacks occur on investors’ computers through a process called cryptojacking, which involves taking control of a victim’s browser and using it to create or “mine” cryptocurrencies fraudulently.

According to research collected by Check Point, a cybersecurity company, mining malware has affected 55 percent of organizations worldwide. Statistics from December 2017 indicate the most widely used threat of this kind is called Coinhive.

Cybercriminals depend on botnets, too, which are groups of internet-connected devices infected by a common type of malware. Botnets were once not considered financially viable, but experts say newer cryptocurrencies are easier to mine, and people can rent botnets for as little as $40.

The growing likelihood of getting hacked is one of the many reasons people prefer investing in traditional physical currencies, such as silver. Compared to cryptocurrencies, statistics show silver is historically stable. Even after experiencing downturns, it often makes a complete rebound in 12 to 15 months.

People Are Losing Access to Their Digital Wallets

The stress of losing an actual wallet is severe enough, but for individuals who cannot gain access to their digital wallets after forgetting the password or deleting a file that contains cryptocurrency information, the anxiety can be even worse.

Mark Frauenfelder, an investor who lost $30,000 of cryptocurrency after forgetting a PIN, knows that reality all too well. He eventually recovered it, but not without going through months of anguish and failed efforts.

A software architect using the alias Dave Bitcoin launched a website called Wallet Recovery Services to help people in Frauenfelder’s predicament. Dave relies on a computer program to try millions of passwords in a short timeframe — otherwise known as brute force decryption. He has about a 30 percent success rate and charges individuals 20 percent of whatever is in the recovered wallets.

Dave reports his business has boomed, due in large part to the rising popularity of cryptocurrencies. Even as currencies evolve, the fact that humans forget things remains constant.

Cryptocurrency Wealth and Its Connection to Personal Safety

As mentioned earlier, people who have reaped the rewards of cryptocurrency in significant ways typically stay tight-lipped. Sometimes, they don’t disclose the kinds of digital currency they own — their closest friends and relatives may not know how much they possess. Fellow investors who want to have the same victories could hound those who divulge more details, too.

The primary reason investors stay quiet about their cryptocurrency holdings is that they fear getting robbed or otherwise targeted. The decentralized nature of cryptocurrencies is appealing to many people, but it also means they can’t put their wealth in banks to reduce the personal safety risk.

Cybercriminals have also tried to tap into investors’ paranoia for gain by using an online death threat scam. It tells victims their lives are in danger unless they pay a specific amount of cryptocurrency.

Evaluating the Plausibility of Disaster

At the beginning of the year, the Utah Division of Securities warned that cryptocurrency dealings could become risky for several reasons, including evidence of digital money used for fraud. With all these factors in mind, potential investors must take stock of the circumstances surrounding their situations and determine those most likely to cause threats to security.

Then, it’s crucial for them to take action to minimize the likelihood of something devastating happening. That may mean going to great lengths to prevent losing a digital wallet access code, investing in a home monitoring system or beefing up malware protection on their computers.

The inherent uncertainty of cryptocurrency investing is even higher for individuals who do not assess possible threats and decide how they can reduce them.

After all, if cryptocurrencies continue to flourish, the efforts to scam people and steal their wealth will increase, too.

The post Is Investing in Cryptocurrency Worth the Security Threats? appeared first on IT SECURITY GURU.

Changes Made to White House Security Clearance Policies

The recent history of security clearances in the Trump White House has raised eyebrows.

Jared Kushner’s clearance application contained errors and omissions of a type “never seen” by some who are close to the approval process for clearances.

Another recent headline saw questions raised about Rob Porter — the former White House staff secretary — and why he was granted temporary security clearance despite FBI warnings about domestic abuse allegations in his past.

It is the second story that seems to have gotten the necessary parties interested in overhauling White House security clearance policy. Let’s take a look at what we can expect next.

What Effect Will This Have on White House Intelligence?

General John Kelly, the current White House Chief of Staff, has outlined his intentions to broaden the restrictions on which types of classified intelligence the interim security clearance-holders are allowed to access.

And although Porter’s story was certainly a tipping point, Kelly cites a colorful history of White House staff members who have handled highly classified information without permanent security clearances. Any staff member with a pending background check more recent than June 2017 will see their SCI-level privileges stripped from them.

The aforementioned Jared Kushner still does not have a permanent security clearance, despite this administration being more than a year old and despite his continued presence at high-level government meetings. Kushner could be one of the first to see his access revoked under these new rules.

With respect to elevating concerns over the content of an applicant’s character, as the FBI attempted to do in Porter’s case, Kelly has outlined plans to require the Federal Bureau of Investigation to, in his words, “hand-deliver” background checks for potential staff additions and place a special emphasis on “significant derogatory information” about those employees.

Critics have been vocal about Kelly’s proposed changes to the application process. One attorney with experience in security clearances and FOIA requests, Mark Zaid, called Kelly’s memorandum “troubling” and asserts that the application and approval process “worked fine before this Administration.” The failure, according to Zaid and other experts, is a cultural one rather than a procedural one.

For example, anybody who is familiar with the Rob Porter situation knows that the question is not “whether” Trump’s White House knew about the allegations against him, but “when.” The next conclusion is that high-level staff in the White House had as much information as they needed to draw actionable conclusions about Porter’s fitness for government work.

How Will This Affect the Release of Digital Information From the White House?

It’s clear that the digital frontier brings challenges that might never have perfectly acceptable solutions. Every safeguard we dream up to fight against the access or dissemination of sensitive information reduces transparency on some level, even as it makes important information safer. Making changes to how government contractors handle even unclassified information is a critical point of interest these days.

The question is whether Kelly’s memorandum and proposed changes are just to save face or whether they will actually succeed in changing something the American people want changed.

Nevertheless, Kelly’s plan would also require that temporary security clearances older than 180 days expire automatically or be extended for an optional 90 days if background checks come back clean. It is not uncommon for security clearance approvals in a new administration to take as long as Kushner’s has. But given the very long list of responsibilities handed to him by his father-in-law, Donald Trump, these new restrictions are certain to change how he performs his work — if he can perform it at all.

In fact, part of the reason so many White House staff members have seen lengthy delays with their clearance approvals is that this administration has a higher percentage of first-time civil servants than previous administrations. And, ultimately, the president of the United States can grant security clearance to whomever they want, further complicating things.

Kelly has it part right: There was either a failure of communication or failure of judgment. Some of the fixes he describes should make it easier for concerned parties to elevate their concerns about appointees and applicants to sensitive roles. But some of the detractors are right too: The process would have worked as intended if somebody in the Trump White House had reacted appropriately when the FBI voiced their concerns about Rob Porter.

The Fallout

The only institution in America at this time with the power to strip the president of his security-clearance-granting prerogatives is Congress. So even if Trump or persons within his circle “dropped the ball” on Porter, it’s fairly clear that checks and balances aren’t quite what they should be when it comes to this particular process.

The FBI has had recent problems of their own, including the loss of personal data on thousands of employees in 2016. However, it’s clear that if their role in preventing stories like Porter’s wasn’t taken seriously by the Trump administration, it was for other reasons entirely.

The stakes are high, as we’ve seen. The Trump White House has seen a stream of leaks to journalists and other parties. It isn’t hard to see how automatic time-outs for temporary security clearances and limited access to highly classified documents could help reduce the number of information leaks this administration has weathered, which are either unprecedented or merely statistically interesting, depending on whom you ask.

General John F. Kelly is right to want to protect the sanctity of high-stakes intelligence. He’s applying what he knows of military culture to the “problem” of information porosity in this current White House. What the rest of us can’t ever forget, though, is that some information needs to be leaked.

Breaking state-mandated silence to bring wrongdoing to light is the sort of revolutionary spirit Americans are supposed to value.

Nobody wants a less-transparent American government, but some of the growing pains we’re seeing now are the result of entrusting its operation to people who don’t know how it works. Some of these people have ulterior motives, but many others do not.

Kelly, who believes digital information leaks are tantamount to treason, proposes making life more difficult for both types.

The post Changes Made to White House Security Clearance Policies appeared first on IT SECURITY GURU.

Cybersecurity Is About More Than Reacting to Attacks

Reacting quickly to cyberattacks is a vital aspect of cybersecurity. A prompt response can be the difference between minimal damage and catastrophic data loss.

Additionally, cybersecurity experts value preventive and offensive measures, which are as important for cybersecurity professionals to master as a quick response, if not more so.

A quick, effective response combines with preventive measures for an ideal cybersecurity solution.

Offensive Cybersecurity Measures

Hackers today are sophisticated and up-to-date, making a defensive stand not enough on its own for many companies. In fighting a cyberwar against very skilled hackers, companies need to approach security with an offensive mindset.

Whereas defense relies on waiting for a hacker to make a move, offensive strategies involve identifying the network’s vulnerabilities in addition to the hacker’s weak spots and methods, applying preventive measures with this information in mind.

Although the term offensive may imply attacking hackers first, the offensive approach is more about treating an IT environment as a battleground, and protecting that battleground requires visibility into the environment.

Organizations should strive to know their battlefield better than hackers, with the ability to quickly recognize when something seems awry.

Daily, real-time analysis can help to spot any vulnerabilities, just like how the military routinely performs reconnaissance missions to scout an environment.

Preventive Methods

In addition to offensive measures providing effective risk management, cybersecurity experts value the effectiveness of preventive measures, which can stop hackers in their tracks before they access any sensitive data.

Cybersecurity teams should eliminate exposure of control system devices to an external network. Some companies are not aware that their control systems face the internet, presenting a cyber threat.

Cybersecurity experts should also apply firewalls and network segmentation, which involves classifying and categorizing data and IT assets into specific groups, which they then restrict by access.

Placing resources into various areas of the network can make it more difficult for hackers to access the network in its entirety. Additionally, network segments and boundaries help to monitor, restrict and regulate communication flow, which helps in identifying suspicious activity.

For precautionary reasons, all networks should also have system logging. Logging helps identify cyberattacks in real time, in addition to providing information that can help prevent such attacks in the future through root-cause analysis. Also, program auditing can ensure your systems are operating at peak efficiency, which helps reduce expenses and liability.

The IT team should also instruct employees to use only strong passwords to protect against brute force attacks, in which hackers use tools to try millions of different character combinations to break into an account. IT should also enforce policies on mobile devices, since hackers can take advantage of the “bring your own device” (BYOD) trend in some workplaces.

In general, companies should implement an employee cybersecurity training program. Although cybersecurity is a broad field, several topics require immediate attention, such as social engineering methods like email phishing.

Smart internet practices, like recognizing illegitimate websites and malware, are also useful to teach, as well as emerging hacking methods like voice hacking.

Cybersecurity Incident Response Plan

In addition to offensive and preventive measures, cybersecurity experts should organize an incident response plan. The plan can involve anti-virus software, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to help detect early-stage attacks.

Many IPSs and IDSs can detect malware, port scans and irregular network communications. An effective response plan can help to minimize damage and soothe customers and partners. The plan should involve collaboration among all departments, from IT to top executives. In business, everyone is responsible for cybersecurity prevention.

Cybersecurity is about more than reacting to attacks. Offensive and preventive measures must be in place to ensure damage is minimal.

Additionally, an effective cybersecurity incident response plan can invite collaboration among all departments to improve a company’s cybersecurity strength.

The post Cybersecurity Is About More Than Reacting to Attacks appeared first on IT SECURITY GURU.


There Are Some Big Problems With This Data Breach Bill. Retailers Want Them Fixed.

We are reaping the proverbial whirlwind of our long years of relentless technological advancement.

Cyber-insecurity and constant data breaches are some of the growing pains of digital and wireless technologies. And even now, the private and public sectors can’t seem to agree on how to solve it or how bad things need to get before we do.

An illustrative example of this collision — between vulnerable technologies, corporate profit margins and insufficient government regulation — is the National Retail Federation’s response to a new bill concerning data breaches.

The bill, now in committee in the House, seeks to improve the robustness of our laws as they pertain to the handling of customer data and the corrective actions undertaken by regulatory bodies.

This bill, says the Federation, doesn’t go nearly far enough to protect the peace-of-mind of the average American.

National Retail Federation vs. House Financial Services Committee

Here are the NRF’s major grievances in their vice president’s own words:

“The legislation being considered by the committee is an important step forward but has significant loopholes that would allow major data breaches to be kept secret from the public. We want to work with the Committee to develop an airtight bill that covers all industries and ensures that all data breaches are subject to notification no matter where they occur.”

Translation: This legislation is good, but it needs more work. The standards it proposes aren’t nearly high enough and don’t protect enough people.

To grant their arguments weight, the NRF drew upon research gathered in the Verizon 2017 Data Breach Investigations Report, which approached the problem across the entirety of modern industry.

Previous reports covered only the types of businesses which are explicitly required by law to disclose data breaches to their customers and to the public. As of this writing, financial institutions — themselves close partners of every retailer in America — are subject only to “discretionary” disclosure of breaches.

The NRF argues that a holistic approach, and nothing less, can deliver meaningful, consumer-centric regulation for data breaches across the entire economy.

A significant portion of the NRF’s “case” against the bill in its current form is the apparent protections it affords to banks. They also pointed to vagueness in the definition of key terms such as “service provider” as well as the structure of the requirements themselves, which, in their words, is a “one size fits all” solution to a multifaceted problem.

A better idea, they contend, would be to build out different rulesets for different types of businesses, most notably telecommunications companies, banks, card processing companies and any other types of business which come into contact with sensitive data.

More specifically, they argue, actions undertaken by regulators to prevent data breaches should be based on the inherent “risk” of specific industries as well as the “sensitivity” of the data involved.

Whether this “parceling out” of different types of risk is a slippery slope remains to be seen — and American law explicitly provides protections against “unlawful search and seizure.” Such a concept needn’t concern itself with the specific contents of what’s being protected.

Nevertheless, the NRF does have a point — and we can see why when we look at the most recent examples of what happens when ethically-compromised regulators attempt to respond to data and trust breaches.

A Recent History of Public and Private Sector Clashes Over Customer Protections

The approach now favored by the federal government against banks who mistreat their customers usually involves fines so small that the defendants laugh about them during Congressional hearings.

Elsewhere, technology companies great and small are drawing attention to the low protection standards for the technology-based financial service providers that power modern retail businesses.

In other words, even if regulations at the federal level seem to peter out a few months after every data breach, and if regulations can vary widely from state to state, the private sector is all the while making ever-more-sophisticated tools available for retailers and many other industries to deliver what regulation alone currently cannot.

In other words, even if government can’t hold every company to a uniform standard, each company can choose to hold itself to high standards by working with the right partners and technology platforms. It’s not perfect, but it’s a start. And a needed one.

In its dealings with Equifax, the federal government took precisely the approach the NRF warns about. People who have studied the government’s response and the rules considered, but not enacted even months later, have declared the measures proposed to be wholly insufficient. Insufficient to the point where Equifax might literally turn a profit as a result of their data breach.

The NRF Has a Point

It’s clear the NRF is vindicated in their claims that the small amount of regulation proposed, and the even smaller amount of regulation passed into law, don’t provide adequate or lasting protections for Americans.

Their argument that sensitive information should be “typified” by “sensitivity” is a slippery notion so long as “privacy in general” is still an inalienable right. But their argument that our current Congress and its Committees don’t appear to consider this a major priority is perfectly sound and fully backed up by recent history.

The post There Are Some Big Problems With This Data Breach Bill. Retailers Want Them Fixed. appeared first on IT SECURITY GURU.

Cybersecurity Experts Put Burden of Hacking Protection on Device Makers, Not Users

Two new reports from lead author Professor Nick Jennings of Imperial College London and other cybersecurity experts assert that device manufacturers have a larger burden to protect consumers from cybersecurity attacks than the device users themselves.

The report points out that although it’s important for users to be as proactive as possible in that regard, many people don’t know the most effective ways to do so.

It suggests using a safety mark system that acts as a guarantee that device manufacturers are protecting people from hackers and performing updates as needed.

It also brings up how government regulations could be imposed to force manufacturers to bring their cybersecurity practices in line with modern standards.

On the consumer side of things, this report recommends making good cybersecurity practices part of the grade school curriculum. This ensures people have early exposure to the things they need to do to keep themselves as safe as possible from hackers.

The report also mentions how people should keep their devices updated regularly.

Beneficial Devices With a Potential Dark Side

Information in the report clarifies that internet-connected devices have considerable potential for helping society, especially within the elderly and disabled populations.

However, it points out that hackers could take control of medical devices like pacemakers and diabetes management equipment and cause dangerous or fatal consequences.

Also, if a smart home includes lightbulbs or plugs, those could be used to spy on people or cause fires, respectively. Because many intelligent devices for residences detect patterns, cybercriminals could snatch data from some of them and learn when homes are typically unoccupied.

If manufacturers have to comply with these proposed protective measures, there are some industries and products likely to be especially affected. They’re covered in detail below.

1. Medical Devices

The scenario mentioned above, whereby hackers could take control of medical equipment and cause it to malfunction and cause deaths, makes it particularly likely that if such regulations on smart devices exist, they will apply to medical equipment.

If people know such gadgets have a guarantee of safety from the manufacturers, they may be more likely to use them than if the makers did not give that promise.

Also, hospital representatives go through detailed processes when making purchasing decisions for their facilities. If some medical device companies refuse to take responsibility for protecting people from hackers, they’ll have trouble making sales to health facilities.

2. Educational Gadgets

Schools are already using internet-connected devices to do things like track school buses and provide Wi-Fi that lets kids connect to the internet and do their homework in areas that ordinarily lack coverage. Facilities management becomes easier too, primarily because administrators can monitor energy usage or secure the premises while staying off-site.

If teachers make internet-connected devices part of school curriculums, the data collected rises significantly. This makes infiltration of educational tech products particularly attractive to hackers, especially when the data contains personal details like Social Security numbers.

3. Smart Home Equipment

The report mentioned earlier discussed how hackers could break into homes filled with smart equipment and use those high-tech additions to invade privacy or cause risks to life and possessions.

Since many people now secure their homes with smart door locks, hackers are eager to figure out how to trick those gadgets. Even though most have integrated security measures to reduce the likelihood of that happening, some still fall short.

Such was the case with the Amazon Key system that allows a delivery person to enter a home and leave as a resident watches on a camera. There was reportedly a vulnerability that allowed a person to freeze the camera on a single frame and go back inside the house after it appeared they’d left.

A survey published by iQor revealed that about 70 percent of consumers are worried about their smart home devices getting hacked.

If manufacturers don’t start taking steps to prevent that and showing buyers how they have, the marketplace momentum currently enjoyed by smart home gadgets may start slowing down.

Consumers may decide that the lack of security they perceive with connected home devices is not worth the convenience.

It’s too early to say whether regulations for smart devices will arise and how soon they’ll impact industries.

Even if regulatory measures don’t get established for a while, manufacturers can still take a responsible approach to reduce the probability of cybersecurity breaches and prove they have applied those measures.

The post Cybersecurity Experts Put Burden of Hacking Protection on Device Makers, Not Users appeared first on IT SECURITY GURU.

16,500 Student Loan Borrowers’ Information Exposed in Data Leak

Data sent to a third-party vendor that was not authorized to receive it led to a data breach involving 16,500 people associated with student loans. The affected company is Access Group Education Lending, and the company became aware of the situation on March 23.

What Kind of Information Was Leaked?

The public doesn’t know the third-party vendor’s name, but the company is reportedly a student loan lender. That vendor got data containing student names, Social Security numbers and driver’s license numbers.

The Data Was Reportedly Destroyed

Nelnet, a company that processes data for Access Group, is the entity at fault for distributing that sensitive information to the unnamed outside vendor that shouldn’t have seen it.

Representatives from Nelnet say they don’t believe inappropriate data use occurred following the leak. Instead, they clarified the data traveled to the third-party vendor through an encrypted channel. Also, that company recognized the data transfer happened in error, then got rid of the information.

According to details released in SC Magazine, a relevant manager for the third-party vendor agreed to sign a sworn document confirming the destruction of the information with nothing retained.

A Year of Credit Monitoring Offered

When making a statement about the issue to the press, Access Group said the exposure of personal details was “limited.”

Even so, the company will provide a year of complimentary credit monitoring to affected parties who want to ensure the data leak won’t have negative repercussions. It notified those individuals in writing, and provided the same disclosure to the respective attorneys general at the state level.

A survey of more than 10,000 people around the world indicates a growing concern among consumers regarding data breaches. The results found 69 percent of respondents don’t think enterprises take data protection very seriously, and two-thirds feared becoming victims of future data breaches.

Preventing Similar Future Events

Access Group monitors its vendors and will continue to do so as a preventive measure against other data breaches. Furthermore, it will mandate written data transfer protocols for third-party companies and double-check the recipients before starting to send files.

Data leaks can happen externally, as well as from inside organizations. Efforts to reduce internal threats require carefully screening individuals who have access to a company’s data, issuing role-based permissions for sensitive information and establishing clear, documented employee expectations.

This breach did not originate within Access Group, but since the company works with third-party vendors, it must continue to treat those representatives as if they were employees working onsite.

Plus, tightening up internal security measures would be a smart move, since Access Group already attracted negative publicity with this breach and wouldn’t want to be associated with other problems.

The Three-Week Delay Before Notifying Customers

Access Group didn’t get word of the incident until five days after the mistaken data transfer. It has also emerged that the company did not begin letting customers know about what happened until three weeks after learning the details.

That delay is in line with a trend that causes concerned individuals to assert that affected companies aren’t being sufficiently prompt and transparent.

For example, Facebook waited two years before notifying customers about data obtained by Cambridge Analytica, also a third-party company. Then, there’s Equifax, the credit monitoring company that didn’t alert consumers until weeks after one of the most massive breaches in recent history happened.

It’s important to realize, though, that U.S. laws require companies to tell consumers about breaches, but don’t get specific about timeframes. Abnormally long delays put companies at risk of scrutiny by federal authorities and queries about why disclosures didn’t happen more efficiently.

The Potential Risk of Data Breaches as Companies Depend on Partnerships

The Access Group incident illustrates how it can become more challenging to maintain control of data when using external providers to take care of some aspects of a business.

Although none of the involved companies engaged in malicious actions, that won’t always be the case for future data-related mishaps.

The post 16,500 Student Loan Borrowers’ Information Exposed in Data Leak appeared first on IT SECURITY GURU.

Why Health Care Gets Such Flak for Its Cybersecurity

The health care industry is consistently under attack thanks to cybercriminals who eagerly attempt to snatch valuable data, costing organizations substantial financial and reputational damage.

People often weigh in and wonder why the overall industry can’t sufficiently beef up its cybersecurity strategies. However, the headlines they see that alert the public about breaches and other issues don’t tell the whole story.

The Health Sector Appeals to Hackers

Besides the scope of the records to steal and the details that range from Social Security numbers to home addresses, hackers set their sights on the health care industry because, historically, it hasn’t kept up with the times.

A 2015 Sophos survey found 20 percent of respondents in the medical industry didn’t use encryption at all. Hackers are typically ahead of their targets. That means they likely knew about the widespread lack of encryption before researchers did.

Also, a profile of health care-related attacks in 2017 is especially eye-opening. In numerous cases, more than one security issue occurred on the same day in different locations. The frequency of attacks is a factor that’s urging health care organizations to spend billions of dollars over the next several years to make improvements.

Some facilities aren’t equipped to deal with large-scale attacks, which is alluring to hackers that want to earn notoriety for their efforts. In February 2016, ransomware attacks forced a medical center in California to endure a week-long computer shutdown while its employees relied on paper records and fax machines.

Internal Threats Are Severe

A recently released report from Verizon found the medical industry was the only one whereby internal members were the biggest risks to organizations.

The study found almost half — 48 percent — of the people on the inside who compromised data security were financially motivated, presumably aiming to use stolen data to open new lines of credit or take similar actions.

However, problems also arise when employees don’t treat data correctly due to human error or a lack of training. They might throw sensitive data into trashcans instead of shredding it, or make mistakes when sending paper documents to external companies.

Numerous Challenges Exist

Outsiders are not always aware of the massive number of obstacles involved in getting the health care industry well-equipped against cybersecurity attacks.

For example, all communications platforms used to transmit patient data must comply with the Health Insurance Portability and Accountability Act (HIPAA). This means that health care organizations have to follow strict rules with regard to the security of how they send and receive all patient information. While this does help with potential security issues, it can be extremely time-consuming, though some organizations hope to change that soon.

Another issue is that people in the medical field are characteristically time-starved and focused on patient care. That means they often find it difficult to fit security training into their schedules or understand why it’s relevant.

St. Luke’s University Health Network received recognition from the American Hospital Association for its all-encompassing data security strategies. St. Luke’s sends out a quarterly scenario for employees to go through and see why cybersecurity matters. That approach is reportedly working well, probably because it keeps hospital workers’ valuable time in mind.

Ransomware Attack Mitigation Is Getting Better

The news about health care and cybersecurity is not all bad. An investigation about efforts to implement ONC SAFER Guides, which include updated material about stopping ransomware, found that hospitals are taking the recommended strategies seriously.

Although only 18 percent of the hospitals studied showed complete adoption, more than 81 percent fully implemented the infrastructure-related guidelines.

The recommendations aim to prevent and reduce downtime of critical hospital systems. When the guidelines are in place, fiascoes such as the one experienced by the previously mentioned Californian facility should become less prevalent.

A Collective Effort Is Necessary

The most effective cybersecurity strategies are ones applied across organizations. Since many hospital systems span across states and countries, keeping everyone on the same page isn’t easy.

Exercising compliance is not enough. Instead, all people associated with respective health care organizations must work together to reduce the damage caused by cybersecurity shortcomings and promote improvements.

The post Why Health Care Gets Such Flak for Its Cybersecurity appeared first on IT SECURITY GURU.

5 Enterprise Cybersecurity Threats and How to Minimize Them

The top companies of generations ago didn’t have to worry about cybersecurity because the internet didn’t exist yet. Because it’s so prevalent in our society now, criminals turn to the online realm to wage war against victims — and often target entire organizations in the process.

It’s essential for business leaders to be aware of potential cybersecurity threats to enterprises and know how to reduce them.

  1. Disgruntled Former Employees

Individuals who become upset after being terminated, laid off or denied an opportunity for promotion could use their insider knowledge to put a company’s data at risk after they leave the organization.

Factors that motivate malicious insiders include greed, thrill-seeking and the desire to get revenge after a perceived wrongful action.

Companies can reduce the malicious insider risk by immediately deactivating credentials after people leave the company and carefully monitoring any sensitive material, including encouraging people not to print out or take home confidential documents.

  2. Attacks From International Hackers

It’s crucial for companies not to have a solely domestic mindset when thinking about cybersecurity. Whereas government agencies usually have the resources to deal with cybercriminals from other countries and prevent their attacks, the same is not often true for entities at the enterprise level, making potential attacks particularly costly.

A 2014 attack at Sony was reportedly launched by state-sponsored hackers from North Korea and resulted in the loss of substantial amounts of data, plus over 47,000 social security numbers, swiped from computers.

The cybersecurity team at a business must realize the organization is not out of reach of international attackers. They should keep that in mind when securing their networks and monitoring for threats. It’s also necessary to immediately begin communicating with law enforcement officials after a suspected attack to tap into their resources.

  3. Staff Mistakes

Untrained and careless staff members also cause a significant percentage of cybersecurity incidents. Data collected in 2016 found that 57 percent of security issues in the government sector happened due to human error, producing 14 percent of the system downtime in those situations.

Sometimes, training itself isn’t adequate, especially if employees don’t realize their roles in keeping an enterprise safe from threats. All-encompassing training that evolves as new threats arrive is instrumental in minimizing risks due to staff mistakes.

It’s also useful to consider having cybersecurity experts speak to your teams to help solidify learned concepts and give staff members the opportunity to ask questions.

  4. Unsecured Devices Brought From Home

BYOD workplaces that involve employees bringing gadgets like laptops and tablets from home into the enterprise environment can save companies money and allow people to work on devices that they know well and feel comfortable using. However, these devices are also vulnerable to hackers, especially if not properly secured.

One way to cut down on the risk to an enterprise is to write and uphold a BYOD policy that spells out how employees should handle their devices, whether or not they’re at work.

For example, keeping all software up-to-date, avoiding connecting to public Wi-Fi networks and locking down computer interfaces with passwords can all cut down on security risks on portable devices, regardless of where people are when using them.

The IT team at an organization should also adopt a practice of periodically checking BYOD devices to ensure they comply with the policy.

  5. Outdated or Nonexistent Cybersecurity Practices

Statistics indicate there are 59 records lost every second. Whether due to insufficient internal practices alone or successful hacking attempts from cybercriminals that target organizations, that number suggests companies are not doing enough to lock down their data.

A survey of over 4,000 organizations found that seven out of 10 were not prepared for cyberattacks. In some cases, that might mean the enterprise has not updated its security strategies for several years. In others, perhaps the enterprise has never formally incorporated cybersecurity efforts into business operations.

Carrying out a security audit is an excellent activity that allows business leaders to see where their companies stand and pinpoint the most glaring shortcomings. The insights gleaned enable enterprises to get a strong start when addressing cybersecurity from the ground up or to edit current practices so that they more adequately meet emerging needs.

Stay Vigilant to Avoid Catastrophes

This list details some of the most substantial threats to modern enterprises.

Fortunately, it also addresses how to make those risks less prominent. Business executives cannot afford to assume hackers won’t target them.

They must be aware of the daunting possibilities and rely on skilled cybersecurity experts — and the workplace at large — to keep costly and stressful threats minimized.

The post 5 Enterprise Cybersecurity Threats and How to Minimize Them appeared first on IT SECURITY GURU.
