#cybersecurity | #infosec | Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity
A 29-year-old British man has been jailed for nine months after admitting using hacking tools to break into UK National Lottery gambling accounts.
Anwar Batson, of Notting Hill, West London, downloaded the readily-available Sentry MBA hacking tool to launch a credential stuffing attack against the National Lottery website.
Credential stuffing takes lists of usernames and passwords exposed in data breaches and uses the same credentials to see if they will unlock other accounts online. As so many users make the mistake of reusing passwords on different websites, credential stuffing is a technique commonly deployed by attackers and tools such as Sentry MBA make the process even easier for the attacker.
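From the defender's side, the attack described above has a distinctive shape: one client source trying many different accounts with a very low success rate, whereas a legitimate user (or even a password-guessing attempt against one account) touches one or two usernames. The following detector is an added example, not code from the article or from Camelot; it runs over constructed authentication log lines in an assumed `timestamp ip username result` format and reports, per flagged source, which accounts did succeed and therefore need a forced password reset.

```python
# Added example: detecting the credential-stuffing pattern (one source, many
# distinct accounts, almost all failing) in authentication logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, source IP,
# username, result). These are not real data; IPs are from documentation ranges.
SAMPLE_LOG = """\
2016-11-20T22:00:01Z 203.0.113.9 alice FAIL
2016-11-20T22:00:02Z 203.0.113.9 bob FAIL
2016-11-20T22:00:02Z 203.0.113.9 carol FAIL
2016-11-20T22:00:03Z 203.0.113.9 dave FAIL
2016-11-20T22:00:03Z 203.0.113.9 erin OK
2016-11-20T22:00:04Z 203.0.113.9 frank FAIL
2016-11-20T22:00:04Z 203.0.113.9 grace FAIL
2016-11-20T22:00:05Z 203.0.113.9 heidi FAIL
2016-11-20T22:00:05Z 203.0.113.9 ivan FAIL
2016-11-20T22:00:06Z 203.0.113.9 judy FAIL
2016-11-20T22:01:10Z 198.51.100.7 alice FAIL
2016-11-20T22:01:25Z 198.51.100.7 alice FAIL
2016-11-20T22:01:40Z 198.51.100.7 alice OK
2016-11-20T22:05:00Z 192.0.2.44 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=8, max_success_ratio=0.2):
    """Return {ip: stats} for every source that, inside any `window`-long span,
    attempted logins to at least `min_users` distinct accounts with a success
    ratio of at most `max_success_ratio`.

    Ordinary users and single-account brute forcing touch few usernames, so the
    distinct-username count is what separates stuffing from other failures.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in win if ok)
            if successes / len(win) <= max_success_ratio:
                # Later (larger) windows overwrite earlier ones for the same IP.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": successes,
                    # Accounts that were opened from a stuffing source: these are
                    # the ones to notify and force a password reset on.
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample data only 203.0.113.9 is flagged (10 accounts, 1 success, `erin` to reset); 198.51.100.7, which fails twice on one account before succeeding, is left alone.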
Prosecutors told Southwark Crown Court that after Batson downloaded Sentry MBA he joined a WhatsApp group devoted to hacking under the alias of “Rosegold,” and provided to accomplices a configuration file specifically designed to launch Sentry MBA against the National Lottery website.
The attack, in late 2016, caused National Lottery operators Camelot to issue a warning to thousands of gamblers that their accounts may have been accessed, and forced a password reset on affected accounts.
Batson’s accomplices, Daniel Thompson and Idris Akinwunmi, were jailed in 2018 after admitting their involvement in the attack.
Batson was arrested in May 2017 by the National Crime Agency (NCA), and initially denied that he was involved in the attack – claiming that his devices had been cloned or hacked by online trolls.
But when NCA officers examined his devices they uncovered the conversations between Rosegold and others on WhatsApp where they discussed hacking, the buying and selling of lists of usernames and passwords, and more.
In addition, officers found at Batson’s flat clothes which had been addressed to someone calling themself “Rosegold”.
Time and time again, people roll out the adage that “crime doesn’t pay.”
Well, it certainly doesn’t pay in the case of Batson.
As the NCA reports, Batson gave the username and password of one National Lottery player to Akinwunmi, who stole the entire contents of the account – a grand total of £13. Batson’s split of the ill-gotten gains? A mere £5.
Lottery operator Camelot says that responding to the attack cost it £230,000, and that 250 players had closed their accounts due to the negative publicity.
View full post on National Cyber Security
#nationalcybersecuritymonth | DFARS / CMMC for 2020: Culmination of Efforts to Protect National Security Data and Networks – Cybersecurity and Privacy Alert | Bradley Arant Boult Cummings LLP
#nationalcybersecuritymonth | Applied Cybersecurity Club wins National Collegiate Penetration Testing Competition for 3rd consecutive year
Source: National Cyber Security – Produced By Gregory Evans A six-person team from Stanford’s Applied Cybersecurity club placed first for the third straight year at the annual National Collegiate Penetration Testing Competition (CPTC) last month. Since it began competing in CPTC in 2017, the team has won first place every year. The fast-growing club — which […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | Gov. Ricketts, Nebraska National Guard Celebrate National Guard’s 383rd Birthday
LINCOLN – Today, Governor Pete Ricketts and Major General Daryl Bohac joined more than 100 members of the Nebraska Army and Air National Guard to mark the National Guard’s 383rd birthday and Nebraska National Guard’s 165th birthday.
“Happy birthday to the men and women of the National Guard,” said Governor Ricketts. “The Nebraska National Guard has a long tradition of protecting our state and our country at home and abroad. This past year, Guard members stepped up to aid our communities during record flooding, heroically saving numerous lives along the way. Nebraskans support our National Guard, and they stand behind our servicemen and women who sacrifice so much. Thank you to all our troops for their selfless service to our country and for protecting the freedoms we hold dear.”
“Since before Nebraska gained statehood, the men and women of the Nebraska National Guard have protected our homeland, fought our nation’s wars, and built partnerships that have kept us safe and allowed freedom to flourish,” said Nebraska’s Adjutant General, Maj. Gen. Daryl Bohac. “In 2019, we responded quickly to one of the largest natural disasters our state has ever experienced. We also deployed nearly 400 Soldiers and Airmen overseas, and we brought them all home safely. I am proud of them and forever grateful for the support from our families, communities, and employers here in Nebraska.”
The National Guard, which was founded on December 13, 1636, draws its heritage back to the Massachusetts Bay Colony when the Massachusetts General Court, for the first time in America, established that all able-bodied men between the ages of 16 and 60 were required to join the militia. Since that day, members of the National Guard have fought in each of America’s wars and continue to serve overseas and participate in combat operations in support of the United States’ continuing international efforts.
Closer to home, the National Guard continues to provide support for such emergencies as floods, hurricanes, tornadoes, earthquakes, and wildfires, while also building partnerships both at home and internationally.
In 2019, Nebraska experienced the most widespread natural disaster in the state’s history. Guard members helped keep people safe during flooding, and delivered critical relief to communities around the state. The severe weather made for poor flying conditions, and put air crews at risk. But that didn’t stop them from completing their missions. In the month after the flood, 461 soldiers with the Guard:
- Drove nearly 45,000 miles and put in 335 hours of flight time.
- Rescued 112 people and 13 pets. 66 of these were hoist rescues by helicopter.
- Air dropped hay bales to ranchers and pallets of water and medical supplies to communities in need.
- Delivered 1,100 vertical sandbags and 1,000 small sandbags.
December has been a busy month for the Guard. At the beginning of the month, the newly created 179th Cyber Protection Team mobilized for its first deployment. The unit will spend the next year at Fort Meade, Maryland, working for U.S. Cyber Command to identify and prevent cybersecurity threats. Earlier this week, Nebraska National Guard air crewmen and coordinators were honored at the Capitol for heroism shown during the 2019 flooding in Nebraska. In addition, Maj. Gen. Bohac recently returned to Nebraska from Rwanda where he officially formalized a partnership between the Nebraska National Guard and the Rwandan Defense Force on December 12th.
Although not quite as old as the larger National Guard, Nebraska National Guardsmen will mark their 165th birthday this month. The Nebraska National Guard was founded when Nebraska’s acting Territorial Governor Thomas B. Cuming issued a proclamation on December 23, 1854, recommending that the citizens of the territory organize, in their respective neighborhoods, into volunteer companies. The territory’s first legally authorized militia consisted of two regiments, one north and one south of the Platte River.
#nationalcybersecuritymonth | India’s National Cybersecurity Policy Must Acknowledge Modern Realities – The Diplomat
Earlier this year, it was discovered that India was the target of two cyberattacks in the same month. The malware attacks at the Kudankulam Nuclear Power Plant and the Indian Space Research Organization (ISRO) are believed to be the outcomes of phishing attempts on employees. In 2018, it was reported that an officer of the Indian Air Force was sharing sensitive information on Facebook with two women who had honey-trapped him. None of these incidents are known to have resulted in severe harm, but the possibility that they could have is reason enough for India to cultivate and shape international discussions on cyberspace.
As is the case with both international terrorism and protection of the environment, cooperation is a prerequisite to deal with cyberthreats given their borderless nature. India’s National Cyber Security Policy (2013) did not assign much weight to this aspect and defined no measurable outcomes against which progress could be judged. With its upcoming National CyberSecurity Policy (2020-2025), India has the opportunity to align its domestic policy with its global aspirations.
Warfare in Cyberspace Is Unique
Cyberspace is an amalgamation of the virtual with the physical. Actions in the virtual realm can affect the physical domain. With low barriers to entry, cyberspace provides attractive options for the launch of attacks and allows actors to achieve strategic outcomes both within and outside of the information domain. From crumbling critical infrastructure to designing a smart misinformation campaign that can influence democratic processes, the spectrum of outcomes that cyberattacks can achieve is broad. The Stuxnet malware, a U.S.-Israel joint operation to target Iran’s nuclear enrichment plant in Natanz, displayed the capabilities of a highly sophisticated and targeted cyber-offensive operation. Operations against Ukraine’s power grid in 2015, misinformation campaigns targeting U.S. presidential elections in 2016, and the WannaCry and NotPetya ransomware outbreaks in 2017 all showed the potential for real-world impact and collateral damage.
There are two features that distinguish these attacks from conventional ones. First, cyberattacks are hardly predictable. Accurately determining an incoming attack is at present not possible. Second, as long as there is plausible deniability, attribution is tough. As such, warfare in cyberspace poses a unique challenge to national security and the lack of rules to govern it intensifies this challenge.
Security in Cyberspace
The United Nations Charter, the Laws of Armed Conflict (LOAC), and other regional arrangements provide a general overarching framework for governments to manage problems of security across all domains. Cyberspace differs from conventional domains of warfare because it functions as both a battlefield and a weapon. It is therefore risky to assume that existing rules of conflict can be extended to cyberspace as well.
American political scientist Joseph Nye has discussed the absence of coherence among existing norms that govern cyberspace. Existing practices are based on agreements between private players (largely multinational corporations) with only a mild degree of enforceability. Since providing security is a critical function of government and it is most susceptible to attacks, only governments are properly incentivized to set the rules. Numerous track two groups and various private conferences and commissions continue to work on the development of norms. Successive UN-GGEs (Governmental Groups of Experts) have developed a consensus that the UN Charter and international law apply to cyberspace. But cyberspace is changing faster than countries can legislate internally and negotiate externally.
There is no denying that all security efforts need to be collaborative. But as with international terrorism and environmental protection, effective norms and rules can only be set if all stakeholders consensually arrive at what the rules should be. Currently there are two camps on the global stage: a Sino-Russian camp and a rival one comprising the United States, Western Europe, Japan, Australia, and New Zealand. The former espouses the supremacy of national sovereignty in the governance of domestic cyberspace, risk of destabilization by the application of existing international humanitarian law to cyberspace, and the need for new, binding international agreements. The latter advocates for a free and open internet as well as the full applicability of international law (including the right to self-defense, use of countermeasures) to cyberspace. Resolutions sponsoring the formation of the Russia-backed Open Ended Working Group (OEWG) and the UN-GGE 2019-21 were both passed in the United Nations General Assembly in 2018. The UN now has two parallel tracks working toward the establishment of norms in cyberspace. The OEWG is open to all member states and will hold consultations with stakeholders across members, NGOs, and private industry while the UN-GGE is comprised of 25 member states with consultation typically limited to regional organizations. The prevailing atmosphere of mistrust portends further deterioration rather than improvement. This variance between great powers has weighed heavily on international discussion on norms while cyberattacks continue to happen, quietly.
There is some scope for optimism yet. At a panel in the recently concluded Internet Governance Forum in Berlin, the Global Commission on the Stability of Cyberspace (GCSC) proposed eight norms, including protection of the public core of the internet and of infrastructure essential to elections, referenda, and plebiscites. This was followed by informal consultations at both the OEWG and UN-GGE in early December. Through the Paris Tech Accords, Digital Geneva Convention, and Charter of Trust, private companies have also sought to play a more active role in the shaping of norms, which is significant as they operate a significant portion of the public internet.
What Has India Done So Far?
In 2011, India’s proposal for a Committee on Internet Related Policies (CIRP) comprising 50 member states was met with the criticism that it would create an exclusive club. Since then, an analysis of India’s contribution to debates on internet governance by the Center for Internet and Society (India) has revealed a tendency to shift between support for multilateralism and multi-stakeholderism. Researchers have termed this “nuanced multilateralism,” where a broad range of stakeholders are consulted, but not involved in implementation and enforcement. On the question of cyberspace sovereignty, India seems to share common ground with the Sino-Russian camp, but has refrained from commenting definitively on the issues dividing the two camps. India was one of the member states that backed both UNGA resolutions that resulted in the formation of the OEWG and the UN-GGE (2019-2021). It is also a member of the UN-GGE and has not yet contributed formally to OEWG proceedings. On the multilateral front, it has stayed out of the Osaka Track for Data Governance and the Budapest Convention on Cybercrime.
There is no single approach that captures India’s engagement with multilateral institutions. Its rule-taker instinct is evident from India’s support for the United Nations’ peacekeeping operations. Contrary to this is the rule-breaker approach, which is evident from India’s endeavor to be recognized as a nuclear weapon state while also challenging the norms established by the Nonproliferation Treaty. The expectation that India will be a rule-maker all by itself is unrealistic. In the multipolar world that exists today, no single country, let alone India, can become the sole rule-maker. A more achievable goal for India would be to play the role of a rule-shaper, an active voice among rising powers. This goal finds its strength in India’s economic prowess and diplomatic experience in working with alliances.
India’s success in shaping the international narrative on climate change has already proven its ability as a rule-shaper. With its upcoming National Cybersecurity Policy (2020-2025), India must look to articulate and justify its position on the applicability of international law to cyberspace. It should bring its domestic policy in line with its global aspirations. Given the importance of private companies in this exercise, it must also consider creating an office of a tech ambassador that will present its position consistently. This level of transparency can serve as an important confidence-building measure as it engages across multiple stakeholders and fora to shape future norms.
Prateek Waghre and Shibani Mehta are Research Analysts at The Takshashila Institution, an independent center for research and education in public policy.
DETROIT – Michigan’s IT professionals already know about the crucial shortage of properly trained and educated Cybersecurity professionals. In fact, you can’t open a newspaper, or a browser, without seeing an article publicizing the critical shortfall of Cybersecurity workers. Worse, the gap shows no sign of […]
#nationalcybersecuritymonth | How to Really ‘Own IT’ for National Cybersecurity Awareness Month – Homeland Security Today
National Cybersecurity Awareness Month (NCSAM) is in its 16th year. The theme for 2019 – Own IT. Secure IT. Protect IT. – is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy. Considering that individually we are picking up our smartphones an average of 77 times a day and spending nearly 12 hours a day in front of a screen, the digital lines between work and personal lives are all but gone. With nearly every facet of our lives impacted by what we do online, NCSAM calls to action this year include:
- Own IT. If you are reading this, you are using a digital device. Whether you own the device or not, we are all responsible for how we use them – from the data they store and transmit to the information we post online about ourselves and others, or share with other third parties. We are all responsible for our digital footprints, including the data apps collect and transmit from these devices.
- Secure IT. If you own it, you must secure it, from strong credentials (unique usernames, passwords/passphrases, and multifactor authentication) to physical access. This includes securing computers, laptops, tablets, smartphones, apps, and website logins.
- Protect IT. If you own it, you must protect it with security updates and safe browsing practices. Stored information, including personal and customer/consumer data that you gather from others, must also be protected. Every organization has a duty to safeguard the confidentiality, integrity, and availability of data obtained from other persons.
Struggle with Passwords Continues
After all of these years, we are still terrible at creating and managing passwords. Year after year the most commonly used (and breached) passwords still include – you got it – ‘password’ and ‘12345678.’ Variations like ‘p@$$w0rd’ are not any better as they contain common substitutions such as ‘@’ for ‘a,’ etc. Given these shortcomings, password hygiene is a leading topic any time of year, but as National Cybersecurity Awareness Month continues it is a good time for another reminder for organizations to do better at helping employees improve password management.
It is no secret that passwords alone are not the best method to safeguard our digital assets, especially weak passwords. Password security firm LastPass recently published its 3rd Annual Global Password Security Report, which highlights how employees’ continued poor password habits weaken the overall organizational security posture. To affect positive password changes, it is up to organizations to take action to improve password hygiene. Read on for three simple and effective low-cost and no-cost solutions companies and their employees should apply today to start improving overall security and reduce risk posed from stolen passwords.
Longer Passwords Take Longer to Crack
Enforcing the use of longer passwords or passphrases can go a long way. Depending on computing power (and other factors), it could take approximately 23 seconds to crack ‘football1’ (or similar) vs. over 10,000 centuries to crack ‘R73&nebp@98backyard45’ or ‘tHe!weatheriscoLd67outside?’. In addition to making passwords longer, the importance of not reusing them across multiple sites and services cannot be overstated. Even if a password is stolen, if it is only used for a single site or service, cyber thieves can only potentially compromise that single account, not the entire kingdom.
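The two points above (common-substitution variants such as ‘p@$$w0rd’ add no real strength, and search space grows with length and alphabet) can be checked mechanically. The following is an added example, not code from the article or from any vendor it mentions: a small password-policy checker that first normalizes leetspeak substitutions and trailing digits before comparing against a denylist, then estimates the brute-force search space from the character classes present. The denylist is a constructed sample, the guess rate of 10^10 per second and the 14-character minimum are assumed illustrative policy values, and the crack-time figures it produces are not meant to reproduce the article’s numbers.

```python
import math

# Constructed sample denylist of commonly breached passwords (a real deployment
# would use a large breach corpus; this short set is only for illustration).
COMMON_PASSWORDS = {"password", "12345678", "123456", "qwerty", "football", "letmein"}

# Common symbol/digit-for-letter substitutions that add no real strength.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def candidate_forms(password):
    """Lower-cased variants with trailing digits/punctuation stripped and
    leetspeak substitutions undone, so 'p@$$w0rd' and 'football1' are
    compared against their base words."""
    raw = password.lower()
    stripped = raw.rstrip("0123456789!?.")
    return {raw, stripped, raw.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def is_common(password):
    """True if any normalized form appears on the denylist."""
    return any(form in COMMON_PASSWORDS for form in candidate_forms(password))


def charset_size(password):
    """Size of the alphabet an attacker must search, based on the character
    classes actually present (lower, upper, digits, printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def search_space_bits(password):
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the search space at an assumed guess rate.
    The default rate is an assumption for illustration only; real figures
    depend on hardware, hash algorithm and attacker resources."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password, min_length=14):
    """Hypothetical policy check: reject denylisted passwords first (their
    search space is irrelevant, since they are guessed from a list), then
    enforce a minimum length. min_length=14 is an assumed policy value."""
    if is_common(password):
        return {"verdict": "reject: matches common-password list", "bits": 0.0}
    bits = search_space_bits(password)
    if len(password) < min_length:
        return {"verdict": "reject: too short", "bits": bits}
    return {"verdict": "ok", "bits": bits}


if __name__ == "__main__":
    for pw in ["password", "p@$$w0rd", "football1",
               "R73&nebp@98backyard45", "tHe!weatheriscoLd67outside?"]:
        r = assess(pw)
        print(f"{pw!r}: {r['verdict']}, ~{r['bits']:.0f} bits, "
              f"~{brute_force_seconds(pw):.3g} s worst case")
```

Running the module prints a verdict per sample. The denylist check runs before any strength estimate because a password that appears in breach lists is guessed in a handful of attempts regardless of how many character classes it uses, which is why ‘p@$$w0rd’ is rejected outright while the two long passphrases pass with well over 100 bits of search space.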
Passwords Aren’t Perfect, but MFA Could Save the Day
Adding multifactor authentication (MFA) is another quick win. MFA does not guarantee an account will not be compromised, but it does significantly reduce that likelihood. Authenticator apps like Duo, Authy, and Google Authenticator provide low-cost, no-cost, hassle-free options to add an additional layer of security to the authentication process. This extra step reduces the risk a malicious attacker would be able to successfully log in and compromise valuable accounts, even with a stolen password.
The “Problem” with Password Managers
Password managers store passwords and create strong (and long) passwords so you do not have to – what’s wrong with that? Skeptical about password managers? Password managers don’t have to be perfect, they just have to be better than not having one, says cybersecurity expert Troy Hunt (founder of haveibeenpwned). Other quips by Troy: The only secure password is the one you can’t remember, and when accounts are “hacked” due to poor passwords, victims must share the blame. There are several reputable password managers to choose from, but if you are looking for “go here, do this” for picking a “good” one, check out Troy’s post on why he partnered with 1Password. On a final note, the aforementioned LastPass Global Security Report found that password manager adoption increases when it is convenient. If employees can access and use password managers from their smartphone or other device of their choice, they are more likely to use it. So, what IS the “problem” with password managers? They simply are not used enough.
Cybersecurity Awareness All Year
While October is designated NCSAM, cybersecurity awareness is far from a once-a-year activity. NCSAM materials provide proactive awareness content to use throughout the year. So, while you are sipping that long-awaited (or 100th) pumpkin spice latte, review NCSAM materials for tips, resources, webinars, and workshops. In addition, it is not too late to demonstrate your cybersecurity awareness commitment by becoming an NCSAM Champion. Some of the best NCSAM Champions come from the information-sharing community – WaterISAC, Research & Education Networks ISAC (REN-ISAC), Information Technology ISAC (IT-ISAC), Retail & Hospitality ISAC (RH-ISAC), National Council of ISACs (NCI), Faith-Based ISAO (FB-ISAO), InfraGardNCR, and InfraGard Los Angeles – and they are ensuring organizations and consumers have the resources to stay safer and more secure online. Follow #BeCyberSmart and #CyberAware on social media for great security awareness tips from the NCSAM Champions and others.
Finally, NCSAM is a great time to bolster or jump-start your cybersecurity awareness program. Interested in a ready-made program to plug into your organization? The Cyber Readiness Institute (CRI) may have just the program! Founded by the CEOs of Mastercard, Microsoft, the Center for Global Enterprise, and PSP Partners, CRI’s Cyber Readiness Program is a no-cost, practical, step-by-step guide to help small- and medium-sized enterprises become cyber ready. Completing the program will help make your organization safer, more secure, and stronger in the face of cyber threats.
Source: National Cyber Security – Produced By Gregory Evans By Gifty Amofa/ Eric Appah Marfo, GNA Accra, Oct. 26, GNA – The 5-day celebration of the National Cyber-Crime Awareness Month has come to an end with a call on citizens to be extra-cautious when using the internet. The media was also called to avoid being […] View full post on AmIHackerProof.com
#school | #ransomware | U.S. National Guard ready for potentially devastating domestic cyberattack – Defence Blog
Source: National Cyber Security – Produced By Gregory Evans The U.S. National Guard has confirmed that it is ready to mobilize its cyberdefenses in case of a potentially devastating domestic attack. Every day, the National Guard and other state agencies prepare for and battle malicious cyberattacks to protect and defend U.S. cyberinfrastructure, according to a […] View full post on AmIHackerProof.com
We are headed into the final stretch of the 16th annual National Cybersecurity Awareness Month (NCSAM). The annual initiative is co-led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
As the name suggests, it’s aimed at raising awareness around cybersecurity. Those that work in the space know we’ve all become more reliant on networks and cybercrime has proliferated – and the initiative is a way to spread the word about things everyone can collectively do to improve security. But spreading the word is a big challenge, so NCSAM is designed to be a public-private partnership.
Or, in the words of the official kickoff announcement:
“…a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the nation against cyber threats.”
That got us thinking: what are some of the ways the private sector is supporting NCSAM this year? Below are a few ways we found the industry is helping to build awareness.
1) Champions of NCSAM.
A “champion” is a simple and voluntary pledge an organization can make on the official website for NCSAM – StaySafeOnline.org. The pledge asks applicants how they will participate and how many people the applying organization thinks it will reach. Afterward, the NCSA asks participants to, “please collect and report to us any metrics you collect as a result of your NCSAM initiatives.”
Here is the list of the growing ranks of companies, nonprofits, schools and other organizations that have publicly signed onto the program.
2) Full-day workshops for employees.
Tech analyst Cynthia Brumfield cites a CISA representative for her story in CSO Online describing activities by “an unnamed science and research company in Bethesda.” The CISO at that organization held an all-day workshop complete with “expert speakers to educate employees on what they need to do to protect the information and data the company is building through its research efforts.”
It’s a pretty big deal for any organization to pause work for a full day and encourage employees to attend training like this, but they weren’t alone, according to Ms. Brumfield’s reporting:
“Another big corporation, a retail giant that CISA requested remain anonymous, is holding a host of internal activities for their employees throughout the month, training and educating workers at every level, starting at headquarters all the way down to individual stores.”
3) Customer tips for safely banking online.
First Bank & Trust Company, a regional financial services company in Virginia published a list of security tips consumers should follow in online banking. The list includes current best practices such as monitoring your accounts, being wary of emails from people you don’t know, and enabling two-factor authentication (2FA), among many others.
Notably, it also highlights a recurring issue in financial scams driven by events such as disasters:
“Con artists take advantage of people after catastrophic events by claiming to be from legitimate charitable organizations when, in fact, they are attempting to steal money or valuable personal information.”
4) Hollywood-style, micro-learning videos.
Corporate training isn’t always fun, engaging or memorable, and therefore it’s not effective. That’s the thesis behind NINJIO, which makes “Hollywood-style, micro-learning videos.” These are basically short videos with important learning points about cybersecurity. However, the company goes one step further – the lessons in the video are “ripped from the headlines” meaning the videos are modeled after real security events.
In support of NCSAM this year, the company offered “organizations, employees, and families free access to a selection of their award-winning library of animated video content until the end of October 2019.”
The videos focus on three areas including:
- email compromise and wire fraud;
- social media engineering; and
- spear phishing.
For example, one of the videos being offered is described as follows:
“Business Email Compromise and Real Estate Wire Fraud
NINJIO Season 2, Episode 2: ‘Homeless Homebuyer’ was inspired by the many wire fraud incidents that happen every day. In this episode, NINJIO educates learners about using verbal authorizations on any transfer of funds.”
If you are wondering, the company does have some real professional entertainment cachet, as the videos are “developed and co-produced by Hollywood writer and producer Bill Haynes, best known for CSI: NY and Hawaii Five-O.”
NINJIO has had about 50 companies, ranging from small and mid-sized businesses to mid-market enterprises, signed up in response to the company’s contribution to NCSAM this month, said Matt G. Lindley the CISO for NINJIO, in an email exchange with Bricata.
5) Networking and panel event.
“We will be featuring three amazing lightning round speakers who will cover this year’s themes of ‘Own IT. Secure IT. Protect IT.’ Attendees will be introduced to the latest tech advances used to ramp up security for their personal lives and learn tips to bring to the office.”
This struck us as a very simple and effective way to support NCSAM and it can be easily replicated. As this post is being published, there’s still time to register and attend the event if you live or work in the Golden Gate City.
6) Free online training for non-technical personnel.
Several training-oriented organizations are offering free training and resources for the month. For example, KnowBe4 has an NCSAM resource kit and Global Knowledge has compiled videos, articles, white papers and primers into a cybersecurity awareness resource page.
Separately, Inspired eLearning has put together an impressive weekly curriculum with a variety of free resources – posters, webinars, videos and more. Here’s the outline they are offering:
- Week 1: Email Phishing
- Week 2: Alternative Phishing Methods: Vishing, SMiShing, & USB Baiting
- Week 3: Physical Social Engineering
- Week 4: Prevention, Protection and Training Best Practices
7) Free online training for your security pros.
The Infosec Institute provides a variety of online training courses aimed at security and IT professionals. Typically, the Institute offers a 7-day free trial, but it has extended that to 30 days in support of NCSAM. Access is unlimited and includes the more than 400 on-demand courses the organization offers and 50 skill and certification learning paths, such as the CISSP and CCSP.
Finishing Strong and Planning for Next Year
As of today, there’s a little more than a week left for NCSAM, which offers some time to get on board with the initiative for this year – if you haven’t already. Likewise, we hope this list will give you a creative jumpstart on planning for it next year.
As Forrester Principal Analyst Jinan Budge wrote in a post titled, What CISOs Need To Do To Maximize Cybersecurity Awareness Month, “Plan for it as you would for any other security project…stay on top of planning and start organizing your Cybersecurity Awareness Month campaigns well in advance.”
*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/cybersecurity-awareness-month-industry/