

Cybersecurity #experts #agree — expect more #ransomware this #year

Ransomware is one of the easiest cyberattacks to detect because it comes with an actual ransom note. However, 2017 gave way to new propagation mechanisms, which automated worming and increased infection rates.

Employee-facing services and technologies are a top concern to cybersecurity professionals. About 40% of employees use personal devices to send work emails and share or access company data without the IT department’s oversight.

The bring-your-own-device policy is challenging for IT departments to combat. Ultimately, the policy leads to unintended shadow IT, which is often the Achilles heel of solid security practices.

Negligent employee actions can cost a company about $280,000 per incident. If the cost were not enough, companies need to come to terms with the fact that 64% of security breaches are caused by ignorant employee actions.

To help companies better track the most high-risk employees, in terms of their cybersecurity incompetencies, vendors like Microsoft are including simulated ransomware or phishing attacks in their services.

Hackers will always take advantage of human error and poor judgment, so it’s up to security teams to educate line-of-business employees.


The post Cybersecurity #experts #agree — expect more #ransomware this #year appeared first on National Cyber Security Ventures.


Cyber security #experts discuss #mitigating #threats, say #universities can #play a key #role in #protecting the #country against a #cyber attack

Former U.S. Director of National Intelligence and Navy Vice Adm. Mike McConnell advocated today for stronger protection of digital data transfers and for universities to play a key role in filling cyber security jobs.

McConnell was among the keynote speakers at the 2018 SEC Academic Conference hosted by Auburn University. The conference, which is ongoing through Tuesday, is focused on the topic of “Cyber Security: A Shared Responsibility” and brings together representatives from the SEC’s 14 member universities along with industry experts in the area of cyber security.

McConnell is encouraging the use of ubiquitous encryption as a solution for stronger data protection.

“As we go to the cloud…ubiquitous encryption of some sort would be used so that if anybody accessed that data, you can’t read it. If you’re moving [the data] from point A to point B, it scrambles so you can’t read it,” he said.

McConnell understands that stronger data security can come at a cost for others, including law enforcement who may need to access data within a device during a criminal investigation.

“What I’m arguing is the greater need for the country is a higher level of [data] security. If that’s the greater need, then some things of lesser need have to be sacrificed. So when I say ubiquitous encryption, that’s what I’m attempting to describe. It is protecting the data that is the very lifeblood of the country,” McConnell said.

McConnell also addressed how academia can help in securing the nation from cyber attacks.

“We have about 300,000 job openings across the United States for which there are no cyber security-skilled people to fill those jobs,” he said. “Universities are debating academically ‘What is cyber security?’ and ‘How do you credit the degrees?’ and ‘How do you get consensus on what it is and what it should do?’”

He urged universities to move more quickly on coming to a consensus so they can get certified and accredited to start producing students who can fill those jobs.

Glenn Gaffney, executive vice president at In-Q-Tel, also spoke to the role higher education institutions can play in cyber security during his keynote address at the conference.

“It is at the university level where we don’t have to take a top-down approach,” Gaffney said, adding that universities can work together, through research and student involvement, to create proactive solutions to cyber security. “This is where the next generation of leaders will be developed. It’s here that these dialogues must begin. This is the opportunity.”

Ray Rothrock, CEO and chairman of RedSeal Inc., was the day’s third speaker, presenting on the topic of “Infrastructure: IoT, Enterprise, Cyber Physical.” Rothrock also held a signing for his new book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”

Attendees at the conference are exploring computer and communication technology; the economic and physical systems that are controlled by technology; and the policies and laws that govern and protect information stored, transmitted and processed with technology.

Students at each SEC member university participated in a Cyber Challenge and presented posters displaying their work in the area of cyber security.



Far-reaching #cyber-security #Bill not uncommon in other #countries, say #Singapore experts, #industry players

Source: National Cyber Security – Produced By Gregory Evans

Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.

Concerns about the Cyber Security Agency (CSA) of Singapore’s far-reaching powers had surfaced during the consultation. Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.

Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: “The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage.”

CSA’s powers, like those of the police, are calibrated and are strictly meant to keep the lights on for essential services, Mr Leong said.

In announcing on Monday (Nov 13) its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure would no longer be an official secret under the Official Secrets Act.

The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of critical information infrastructure, such as those in banking, telecom and energy sectors, report security breaches and attacks “within hours”.

Similar mandatory data breach reporting requirements have been in place in the US, Europe, Japan, Australia and South Korea for years.

Mr Shlomo Kramer, founder and chief executive officer of Israeli cyber-security start-up Cato Networks, said Singapore is, in fact, playing “catch-up” with these nations in this respect.

“Such regulation will move the needle in a positive way and make organisations feel accountable,” said Mr Kramer, who also co-founded what was the first firewall solutions provider Check Point in 1993.

He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.

Checks and balances – which are included in the proposed Bill – prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.

Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore’s cyber-security Bill could be compared to similar laws in the United States and Britain, said Mr Boland.

Said lawyer Koh Chia Ling from law firm OC Queen Street: “The general global trend is that countries are enacting such laws and Singapore is essentially doing the same.”

Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes. “The loss or compromise of such computers and computer systems could adversely affect national security or public health, safety and order,” said Mr Ow.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said that debates are ongoing in the United States just like they have taken place in Singapore, arising from an ever-growing tension between security and privacy.

Referring to preserving privacy in the US, he added: “All bets are off when it comes to fighting terror or a national security issue – no one will compromise.”

Owners of critical information infrastructure said the Bill is necessary. They are waiting to work out implementation details with CSA and their sectors’ regulators.

A spokesman for telco Singtel said: “The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation.”

An M1 spokesman said: “It is important that the powers under the Bill are exercised reasonably.”

Meanwhile, such stringent reporting requirements are not new to the banking sector.

Mr Patrick Chew, OCBC Bank’s head of operational risk management, said: “Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber security incidents.”


Pacemakers and #patient #monitors can be #hacked in seconds, #San Diego experts discuss #threat


San Diego cyber security expert Ted Harrington with Independent Security Evaluators invited us to his Downtown office to see how quickly and easily he and his colleagues demonstrate successful hacks of modern medical devices. Medical devices like pacemakers and patient monitors are some of the newest vulnerabilities to cyber attack in the healthcare industry.

The threat hits home. According to the California Life Sciences Association, the state has more medical device jobs than anywhere in the nation, with 74,000 employees. A total of 7,700 of them are based in San Diego.

San Diego is a city that’s no stranger to malicious software or “malware” assaults on the medical sector. Last year, the 306-bed Alvarado Medical Center had its computer system affected by what it called a “malware disruption”. The hospital briefly considered doing an on-camera interview with us about the security changes that have been implemented since the incident, but then it backed out.

The hospital spokesperson said in part, “A careless slip during an interview can reveal possible [vulnerabilities] in our ‘armor’ that a hacker can take advantage of.”

Also last year, nearby Hollywood Presbyterian Medical Center made headlines when it paid a $17,000 ransom to the hacker who froze its computer system for several days.

“Healthcare is attacked more than any other industry because that’s where the money is,” writes prominent cybersecurity company Sophos in its SophosLabs 2018 Malware Forecast report.

A records check on the U.S. Department of Health and Human Services’ Office of Civil Rights website shows a total of thirteen California healthcare facilities that are currently under investigation for reported hacks.

Now, the threat to patient privacy could be challenged by a threat to patient safety.

Harrington and his team connected my finger to a sensor that was attached to a patient monitor. My healthy vitals were displayed on the patient monitor screen and on the screen representing a nurse’s computer.

In a real-world setting, that nurse’s computer would be in a different room from the patient and his or her monitor. 10News Reporter Jennifer Kastner was asked to remove her finger from the sensor, to make it look like she was flat-lining, but Harrington and his team hacked the nurse’s computer in seconds to make it show that she was still healthy.

He and his team also showed us they could hack a patient’s displayed blood type.

“If the physician thinks the patient is a certain blood type and orders a transfusion of a different blood type, that directly hurts the patient. It would most likely result in a fatality,” says Harrington.

In October, the FBI put out a warning about the growing concern over cyber criminals targeting unsecured “Internet of Things (IoT)” devices, including medical devices like wireless heart monitors and insulin dispensers.

Years ago, it was reported that former Vice President Dick Cheney had his pacemaker altered to prevent an assassination attempt.

“We can’t bury our heads in the sand anymore. These types of medical cybersecurity vulnerabilities are going to become commonplace,” says Dr. Christian Dameff with UC San Diego Emergency Medicine.

Dameff is also a self-described hacker. Despite the FDA’s claim that there aren’t any known cases of patients’ devices getting hacked, Dameff believes attacks have happened and they were likely accidental, but never got reported.

“These devices in our systems are not well equipped to even discover these types of attacks,” he said. “It’s essentially like asking a toaster to figure out if your house has been hacked. They’re just not designed to find out.”

The experts we spoke to want to make it clear that while there’s a threat of cyber attacks on medical devices, the likelihood of it happening to the average patient is low. They urge people to stay mindful of the risks and talk to their healthcare providers about solutions.


College IT experts and students have opposing views on cybersecurity


University IT teams have differing perspectives from the students they serve on the state of cybersecurity, according to a recently released infographic from CDW-G.

The IT solutions company surveyed 250 higher education IT professionals and 300 students, examining their views of cybersecurity and what students expect from their schools versus what IT professionals are able to deliver. The company released the infographic, “Securing Higher Education — It Takes Two,” at this year’s EDUCAUSE annual conference.

The most surprising statistic, according to Nicci Fagan, director of higher education at CDW-G, was that 91 percent of IT pros who experienced a data breach alerted students — but just 26 percent of students said they were aware of the attack.

Another glaring discrepancy showed that 82 percent of IT pros say they require students to engage in cybersecurity training at least once a year. However, only 35 percent of students said that was required of them.

“You have IT professionals on campus who are communicating this out to students on campus, but it’s not resonating,” Fagan said in an interview with EdScoop. “It comes down to making sure that we’re communicating through multiple channels and getting consistent feedback from the student body.”

Jordan Cohen, a student intern at CDW-G who currently attends Rutgers University, added that students get their news from multiple sources and on several platforms.

“I think there’s a major difference in channels that are being used in sending news, and channels that students are accustomed to receiving news,” Cohen said. “Rutgers does a great job of getting information out, but I think part of it is making sure they’re interacting with students — you’re not just putting it on the university website, you’re taking advantage of social media.”

Fagan said that along with shoring up communications strategies, colleges and universities also need to offer ongoing training for students and educate them about the type of cyberattacks that can occur and what they can do to minimize or prevent them.

“Just like you have students going through orientation every year … it should be part of the university’s communication plan in terms of how they’re addressing cybersecurity for their students and how students are taking accountability for their own cybersecurity,” she said.

Sixty percent of institutions have experienced a data breach in the last year, according to the research, and 29 percent have experienced data loss. The most common breaches were malware attacks, followed by phishing attempts and distributed denial-of-service (DDoS) attacks.

Fagan said IT professionals are trying to combat breaches through network segmentation and advanced threat protection, among other methods.

“Universities are relying on their solution provider to offer outside penetration testing or security assessments,” she said. “They’re getting someone else’s opinion on where they might have vulnerabilities and that can be very helpful to universities as well.”

CDW-G works with about 3,000 higher education institutions across the country, and the company is a frequent presence at EDUCAUSE.

“I think exactly what we’re talking about continues to be the No. 1 issue: information security and helping customers navigate the opportunities that are out there,” Fagan said, echoing what EDUCAUSE leaders also pinpointed as the top issue in higher ed IT today.

Cohen, a history major, said he is involved with cybersecurity efforts at his school and through CDW-G because it has a direct impact on him and his peers.

“What’s really interesting about cybersecurity is it’s really the new frontier,” he said. “We’ve advanced past the Wild West stage and now we’re looking at all the new ways technology affects our lives. It’s important to protect our data, and as more and more data is stored in the cloud, I think students care about that, and, personally, I do as well.”


54% of #security #experts anticipate a successful #cyberattack on their #enterprise within the year


A successful cyberattack on your enterprise may be imminent, and security experts say many companies aren’t doing enough to protect themselves. Increasingly, risks are coming from within.

Ask a cybersecurity expert or hacker to name the weakest link in any security plan and they will inevitably answer “the people.” Just like everything else, security can’t account for the unpredictability of the human factor. In an enterprise setting, employees will circumvent protocols for the sake of convenience, offer bits of information to strangers because they asked nicely, and generally make a mess of any well-laid enterprise-wide cybersecurity plan.

According to the Cybersecurity Trends 2017 Spotlight Report (PDF), 54% of cybersecurity professionals surveyed anticipate a successful cyberattack on their organization in the next 12 months. Some 40% of those professionals also view the lack of employee awareness as a major obstacle to stronger cybersecurity.

With increases in mobility and the adoption of a BYOD culture in the enterprise, 69% of the surveyed cybersecurity professionals are increasingly concerned about data leakage. Another 64% believe their organizations will have to deal with the download of unsafe applications and the introduction of malware stemming from portable storage devices and the like in the next year.

While workforce mobility and the culture of BYOD certainly produce tremendous benefits for modern enterprises, the technology presents a challenging risk for cybersecurity professionals. The only viable approach to overcoming, or at least mitigating, the human factor is to educate employees and establish a comprehensive policy to govern how personal devices, especially portable storage devices, will be introduced to an enterprise network.

TechRepublic’s premium sister site, Tech Pro Research, offers a ready-made Portable Storage Device Policy to help you regulate and secure usage of portable storage devices to help reduce the risks.


During Cybersecurity Awareness Month, Experts Say Too Many Remain Unaware of Threats


After an onslaught of hacking, breaches and malware this year, and the resultant waves of publicity, National Cybersecurity Awareness Month should be a bit anticlimactic. But for some people, the message never gets old. One of the organizations most aware of cyberthreats and most active in countering them is CIS,…


Experts ‘threatcast’ potential cybersecurity risks in 2027


The future starts as fiction. At least that is what the Threatcasting Lab at Arizona State University believes. On Wednesday and Thursday, 80 professionals from academia, government, industry and the military met at George Washington University in Washington D.C. to think about the cybersecurity threats of the future. Through a…


AFP calls in phone hacking experts


The Australian Federal Police is trying to buy cutting-edge technology to hack into the smartphones of suspected criminals and terrorists. In the face of the rising use of encryption technology, the AFP has gone to the market this week offering contracts to experts who can “bypass user locks”, such as…


Hackers could gain access to passwords through USB sticks, cyber experts warn


Using a USB stick that’s been left lying around is something many, if not most, of us have done — probably without thinking twice about it. But cybersecurity experts are warning against the practice after showing hackers can access personal information through malicious USB sticks which then transmit that information…
