from

now browsing by tag

 
 

Web #security #guidelines from #FS-ISAC

Source: National Cyber Security – Produced By Gregory Evans

What are the main web security challenges for organisations and how are they best addressed?

Today’s CISO is juggling a lot – new attacks are emerging every day across a variety of channels and keeping up is no easy task, even if you are blessed with a large security team.

Whether your team is large or small, here is a quick cheat sheet of main web security challenges and how they could be best addressed:

Challenge 1: Protection vs functionality

The conflict between usability and security is nothing new. It is easy for the eager IT security person to block certain functionality across the board to keep all the bad stuff out, but a thoughtful IT security person will know not everything can be blocked because you run the risk of blocking critical functionality for your business – like access to corporate email, business applications, or even Google!

While there won’t be a one-size-fits-all solution to web security, each organisation has different access and security needs – network segmentation may help.

Think about cutting off the data, not the employee, from the web. If you have critical, valuable data, it should not be on a device that connects to the open internet.

Talk to your employees to understand what they need to access for their work and find out how that can be done in the most secure way. In short, balancing security and functionality is a security DO.

Challenge 2: Static controls, dynamic web content

More traditional measures for web security just don’t cut it with today’s internet. Static standards like black/whitelisting and URL filtering are not sufficient with the speed of content creation on the web today. Unfortunately, this speedy growth means that these new tailored websites can be vulnerable.

Hastily developed websites are not designed with security in mind and are open to many exploits like SQL injection (SQLi) and cross-site scripting(XSS) just to name a few. The data you do not want to be exposed could be sucked right out of your organisation if left unpatched.

Vulnerabilities left in exposed applications can also create additional hazard like several recent breaches have exposed.

These vulnerabilities are not just a problem for website owners but anyone who visits these compromised sites – or their company’s security team – can become a victim with watering hole or drive-by attacks where users get infected with malware just for visiting the site.

How does your organisation determine if a site is safe and do your controls reflect the explosive pace of content creation online? Dynamic security controls to address dynamic threats is a security DO.

Challenge 3: Human habits

People have been programmed to click on links and open attachments, especially if they think it is from a trusted source, and many organisations rely on links and attachments to function. Because of this, phishing attacks are a major threat to organisations. According to research this year by Cylance, malicious attachments and links are the most common attack vectors in organisations.

As much as you might like to, you cannot block all attachments or links without bringing work to a stop. Train employees about risks and empower them to avoid malicious links or attachments. On the other side, plan as if your employees will open every attachment and visit every site that you wish they wouldn’t with anti-malware protection and multi-factor authentication.

If they accidentally enter their password into a phishing site, multi-factor authentication acts as another layer of defence. Plan for the worst, train for the best. Creating security programs that acknowledge human habits is a security DO.

Web security is a complex and critical component of any enterprise security program. Organisations’ reliance on the web for daily operations is not going anywhere, and the threats aren’t either.

Phishing and ransomware attacks are on the rise. Defending against these threats requires keen knowledge of your organisation’s risks and needs. You need the right solutions, the best security professionals and wide-spread buy-in in the organisation. Aligning your security controls with the reality of the web security issue in your organisation is a security DO.

The post Web #security #guidelines from #FS-ISAC appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

The #Wall of #Lava #Lamps That #Protects the #Internet From #Hackers

Source: National Cyber Security – Produced By Gregory Evans

With hackers hitting everyone from Equifax to HBO, you’d imagine something more advanced than lava lamps is protecting your information—but you’d be wrong.

With high-profile hackers stealing headlines, credit card numbers, and Game of Thrones scripts in the last six months, there’s no doubt been very important meetings called across the world to figure out how to keep hackers at bay.

So, what ingenious, impenetrable systems are keeping the world safe? 

The folks at Cloudflare, which handles encryption for around 10 percent of the internet’s total traffic, have to say “lava lamps” with a straight face.

Well, to be fair, that’s actually 100 lava lamps, a swinging pendulum in London, and a chunk of radioactive material in Singapore. 

It might sound like little more than a slightly more complex version of Mouse Trap, but together this weird assortment of junk keeps Cloudflare’s traffic encrypted through the magical, mathematical concepts of randomness and unpredictability. Also, Linux is involved. 

It’s interesting to see how encryption and chaos theory overlap—the pendulum mentioned in the video is probably similar to a double pendulum, which is a classic example of chaos theory (you probably learned about that in Jurassic Park).

A double pendulum is very sensitive to “initial conditions,” or what position it starts in, to the point that a small fraction in difference in two starting points can yield incredibly different swing patterns. This seeming unpredictability to outside observers makes it a great way to simulate randomness, and therefore create the basis for an extremely difficult encryption.

Still, lava lamps give Cloudflare way more style points.

We like to imagine the Chinese scientists who launched the world’s first quantum encryption satellite covertly including a lava lamp in their next satellite, just for that extra layer of security. Groovy, man.

The post The #Wall of #Lava #Lamps That #Protects the #Internet From #Hackers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

NSA #hacking #code lifted from a #personal #computer in #U.S

Source: National Cyber Security – Produced By Gregory Evans

NSA #hacking #code lifted from a #personal #computer in #U.S

Moscow-based multinational cybersecurity firm Kaspersky Lab on October 25 said that it obtained suspected National Security Agency (NSA) hacking code from a personal computer in the U.S. During the review of file’s contents, a Kaspersky analyst discovered it contained the source code for a hacking tool later attributed to what it calls the Equation Group.

Kaspersky said it assumed the 2014 source code episode was connected to the NSA’s loss of files. The antivirus software-maker spokeswoman Sarah Kitsos was quoted saying as “we deleted the archive because we don’t need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials”.

Another spokeswoman Yuliya Shlychkova told Reuters that removals of such uninfected material happen “extremely rarely.”

Meanwhile, Democratic Senator Jeanne Shaheen sent a letter to the Department of Homeland Security (DHS) acting Secretary Elaine Duke and Director of National Intelligence Dan Coats, urging the U.S. government to declassify information about Kaspersky products.

In October this year, the U.S. NSA contractor came under scanner, whose personal computer was equipped with Kaspersky anti-virus software and confidential details were shared with the Russian company. The unidentified NSA contractor had reportedly downloaded a cache of classified information from his workplace, even though he was aware of the consequences that moving such a classified and confidential data without approval is not only against NSA policy, but it also falls under criminal offence.

Kaspersky Lab repeatedly denied that it has any unethical ties to any government and said it would not help a government with cyber espionage or offensive cyber efforts. It also highlighted that more than 85% of its revenue comes from outside Russia. It maintains that it has no connection with Russian intelligence but it is registered with the Federal Security Service.

To restore people’s and government’s trust again, Kaspersky on October 23 allowed to have his company’s source code audited independently by internationally recognized independent authorities in the first quarter of 2018. As part of comprehensive transparency initiative, the firm plans to open three transparency centers across the U.S., Europe and Asia by 2020.

According to Wall Street Journal, it was reported earlier this month that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files in 2015.

The New York Times reported on October 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.

Following allegations Russian hackers interfered in 2016 U.S. elections, the DHS had banned the Kaspersky Lab software in September 2017, citing concerns the company may be linked to the Kremlin and Russian spy agencies.

The post NSA #hacking #code lifted from a #personal #computer in #U.S appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

6 Ways To #Protect Your #Smartphone #E-Tickets From #Hackers

Source: National Cyber Security – Produced By Gregory Evans

6 Ways To #Protect Your #Smartphone #E-Tickets From #Hackers

Security experts say there’s no need to go back to paper: A few easy steps can keep your e-tickets and smartphone safe.

From air travel to concerts and sporting events, we’re using mobile ticketing more than ever. The nation’s largest commuter rail systems—the Metropolitan Transit Authority’s (MTA) Long Island Rail Road and Metro-North in New York and NJ Transit in New Jersey—have all gone paperless, allowing customers to use apps to purchase tickets, which they then display on their smartphones for QR code scanning. And now, even the New York City subway and bus systems are testing mobile payments.

But as with any digital step forward, there is always a hacker or scam artist looking to trip us up—and some of the ways they do it may surprise you. Fast Company talked with Jonathan Donovan, chief product officer at London-based Masabi, the company behind the MTA e-ticketing project, for some tips on how to keep your tickets and phones safe.

REPORT STOLEN/LOST PHONES IMMEDIATELY

Having a mobile ticket stolen or losing your only digital copy of it can be easier to deal with than losing a physical ticket, says Donovan. And as with a credit card, it’s best to report the loss or theft to whoever issued the ticket as soon as possible.

“Mobile ticketing is better than traditional physical ticketing in the case of a passenger losing a ticket, or having the ticket stolen— especially if it is a commuter monthly or annual ticket worth hundreds/thousands of dollars,” writes Donovan in an email to Fast Company. “Once they have reported the loss to the transit agency, the old tickets can be blocked, and then when they get a new phone, a brand-new ticket can be issued to the original owner free of charge, with no risk to the transit agency that the old ticket might also be still in use.”

BE CAREFUL WITH SCREENSHOTS

“Overall, if you have an app QR code or e-ticket on your phone, the general sense is you should treat it as a password,” says James Nguyen, a product manager for mobile at Norton by Symantec. Just as you wouldn’t post your email password to social media, you should avoid posting pictures or screenshots of tickets that include those codes. That’s because they could be used by thieves to take a trip or go to an event in your name. Even taking screenshots that include the codes can be risky if your phone is set to sync pictures to a cloud provider, since you’re relying on that provider’s security to keep your tickets from falling into the wrong hands.

KEEP YOUR PHONE FREE FROM MALWARE

Smartphone malware could capture images of tickets and upload them to thieves, Nguyen says. That means digital tickets are another good reason to keep phones patched, only download apps from reputable stores and developers, and consider anti-malware software.

WATCH OUT FOR SHOULDER SURFERS

Depending on the value of a ticket, someone could theoretically even attempt to steal it by snapping a picture while it’s being displayed, says Andrew Blaich, a security researcher at San Francisco mobile security company Lookout. “If you’re showing your QR code on the screen and somebody may be looking at your screen, they could potentially take a picture of that,” he says. Just like with passwords, it’s best to keep your e-tickets out of view when they’re not needed.

KEEP AN EYE OUT FOR HIGH-TECH SKIMMERS

And while they haven’t been reported yet, there’s no reason why thieves wouldn’t be able to install decoy devices in public places like train stations or event venues that claim to validate tickets. Those would be like hidden credit card skimmers, which for years have cloned cards while customers used them at gas pumps and ATMs. As with credit cards, consumers should avoid using their tickets with any scanning machines that look suspicious, says Nguyen.

“Sometimes it’s difficult, but you can be diligent about noticing additional hardware or wires come out of the scanning equipment,” he says. When in doubt, skip the machines and talk to a human in a uniform, if there’s one around.

LOCK DOWN YOUR PHONE, BLUETOOTH INCLUDED

Locking your phone when it’s not in use, and using strong passwords and two-factor authentication when possible, will also help keep tickets and other confidential data safe from physical snooping, says Blaich.

Phone users should also keep unnecessary network connections, especially Bluetooth, disabled when they’re not using them, says Nadir Izrael, CTO of Armis. The Palo Alto-based security company made headlines in September by revealing a set of Bluetooth vulnerabilities it called Blueborne. Izrael says it’s quite possible someone armed with similar exploits will develop a Bluetooth-based virus that can hop from infected devices to nearby vulnerable ones. Such an attack could be launched in a busy area like a train station or stadium—exactly the kinds of places people would have their phones out to show mobile tickets.

“Someone will walk into a crowded space with an infected device, and it will likely just transmit from device to device like an infection would play out,” he says.

The post 6 Ways To #Protect Your #Smartphone #E-Tickets From #Hackers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Threats to #cyber security comes from #within- largely

Source: National Cyber Security – Produced By Gregory Evans

Threats to #cyber security comes from #within- largely

Contrary to the belief that cyber threats are perpetrated and orchestrated by ‘unknown hackers’ of the outside world, much of the risk persists within an organisation or those closely associated with it.

The latest PricewaterhouseCoopers (PwC) ‘Global State of Information Security Survey’ has found that staff, service providers, suppliers or business partners are among the biggest cyber risks for Kiwi companies.

According to the Survey, 29.6% of respondents said that current staff were responsible for cyber-attacks in New Zealand.

Of course, in each of the cases, the hacker is ‘Unknown.’

The Unknown Hacker

PwCPartner and Cyber Practice Leader Adrian van Hest said that the ‘Unknown Hacker’ syndrome continues.

“The ‘unknown hacker’ was picked as the largest category responsible for cyber-attacks and that is because attribution is difficult and most companies end up not knowing where or who the attackers are. However, it became clear that people known to the company were also among the biggest threats,” he said.

Mr van Hest said that while the amount invested in cyber security has been on the rise, the number of cost of incidents are also increasing. New business models present different cyber risks and the ongoing uptake of cloud computing and reliance on mobile devices bring new risks, not because the technologies are not safe, but because they require companies to take a different approach to the way they manage cyber security.

Investment in Identity Management

Mr van Hest said that investment in identity management is growing faster overseas because of rising cyber incidents through increased cloud usage.

“Kiwi companies are slightly behind the trend as most of our cyber incidents still seem to occur because of outdated software. However, as more businesses move to the cloud, it is only a matter of time before we face the same risks,” he said.

According to the Report, cyber security is no longer an issue for IT departments but a major problem that cuts across the entire digital society.

“Companies that stay competitive in our digital landscape cannot blindly trust that their businesses and customer data will stay secure. Building and maintaining trust will be the greatest differentiator for New Zealand businesses in our digital society and now is the time to start taking that seriously.”

The global scene

Despite a significant increase in cyber-attacks, many organisations still struggle to comprehend and manage emerging risks in an increasingly complex digital society.

“Executives worldwide acknowledge the increasingly high stakes of cyber insecurity. 40% of survey respondents cited disruption of operations as the biggest consequence of a cyberattack, followed by 39% of respondents who that compromise of sensitive data was the biggest consequence, 32% cited harm to product quality and 22% said harm to human life was the issue,” the Report said.

Yet despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them. 49% said that they did not have an overall information security strategy; 48% did not have an employee security awareness training programme; and 54% did not have an incident-response process.

The Attack and After

Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power, and many systems are impacted instantaneously or within one day, meaning that there is generally precious little time to address the initial problem before it cascades.

Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes.

Many people worldwide, particularly in Japan, the United States, Germany, the United Kingdom and South Korea, are concerned about cyberattacks from other countries.

Tools for conducting cyberattacks are proliferating worldwide.

Smaller nations are aiming to develop capabilities like those used by larger countries. And the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.

The post Threats to #cyber security comes from #within- largely appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Payday problems: Cyber thieves swipe paychecks from Atlanta school employees

Source: National Cyber Security – Produced By Gregory Evans

Atlanta Public Schools issued new paychecks to 27 employees who fell victim to what the superintendent called a phishing attack by cyber thieves. Superintendent Meria Carstarphen said Internet scammers stole $56,459 in payroll funds by rerouting direct deposit information from 27 unsuspecting employees. Another seven employees had their direct deposit…

The post Payday problems: Cyber thieves swipe paychecks from Atlanta school employees appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Copy-Pasting Malware Dev Made $63,000 From Mining Monero on IIS Servers

Source: National Cyber Security – Produced By Gregory Evans

A malware author (or authors) has made around $63,000 during the past five months by hacking unpatched IIS 6.0 servers and mining Monero. ESET researchers just recently uncovered the attacker’s operation. Experts say the malware author used CVE-2017-7269, a vulnerability in IIS 6.0 servers to take over vulnerable machines and…

The post Copy-Pasting Malware Dev Made $63,000 From Mining Monero on IIS Servers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Hackers target govt websites in cyber spillover from Arakan crisis

Source: National Cyber Security – Produced By Gregory Evans

Hackers targeted several government websites this week, according to state media, apparently in retaliation for Burma’s treatment of the country’s Muslim minority, as international attention on the plight of the Rohingya in northern Arakan State intensifies. The Burmese-language state-run daily Kyemon reported on Tuesday that six government websites had been…

The post Hackers target govt websites in cyber spillover from Arakan crisis appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Briton accused of cyber attacks on Lloyds and Barclays is extradited from Germany

Source: National Cyber Security – Produced By Gregory Evans

The alleged fraudster behind a series of cyber attacks against two of the UK’s biggest high street banks has been extradited from Germany to face charges, according to the National Crime Agency (NCA). Daniel Kaye, 29, of Egham, Surrey, is accused of attempting to blackmail Lloyds and Barclays using an…

The post Briton accused of cyber attacks on Lloyds and Barclays is extradited from Germany appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

County Officials Didn’t Protect Computer Systems from Obvious Hacking Risks, Auditors Say

Source: National Cyber Security – Produced By Gregory Evans

Orange County officials failed to implement essential safeguards to protect county computer systems, which left the county unnecessarily vulnerable to hacking and other malicious activity until the problems were uncovered in recent months by a comprehensive audit. “We found that physical and [software access] security to data and programs WAS…

The post County Officials Didn’t Protect Computer Systems from Obvious Hacking Risks, Auditors Say appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures