Risk

now browsing by tag

 
 

How to #Build a #Cybersecurity Risk #Management #Framework

Source: National Cyber Security News

When our country’s businesses are safe, our nation is safe. That’s the message that former President Obama gave when he talked about his executive order on “Improving Critical Infrastructure Cybersecurity” in his 2013 State of the Union address. Just a year later, the Obama administration launched the “Cybersecurity Framework,” which is a guide on enhancing cybersecurity developed by the private sector.

The cybersecurity infrastructures of our country’s businesses support national efforts toward economic security, public safety and health safety. The infrastructures of cybersecurity also affect our businesses’ bottom lines, profitability margins and reputations.

Regardless of their risk profiles or size, all companies should build a foundation of cybersecurity risk management based on good business principles and best practices.

Getting Started on a Risk Management Framework

There are many aspects to running a business. The issue of cybersecurity doesn’t usually make the top 10 list of priorities unless a problem rises to the surface that companies can’t ignore. At best, cybersecurity is often a knee-jerk reaction to a problem or new regulation. At worst, it’s an afterthought.

In today’s corporate world, companies need a well-thought-out, strategic plan for cybersecurity to protect themselves and everyone else from potential sources of harm.

Read More….

advertisement:

View full post on National Cyber Security Ventures

Cyber #Risk — Next #Steps For #Evolving #Security?

Source: National Cyber Security News

Richard M. Frankel served for more than 25 years in public service, and the majority of his career has been with the FBI. Serving as Of Counsel at Ruskin Moscou Faltischek P.C., Frankel’s practice focuses on Cyber Security and White Collar Crime & Investigations. A recognized authority in complex investigations, asset recovery, cyber issues and crisis management, Frankel also provides regular insight on terrorism, criminal and intelligence related matters. He has extensive experience in understanding as well as investigating complex coordinated attacks. Frankel led several FBI field divisions as the Special Agent In-Charge.

Nicole Della Ragione is an Associate at Ruskin Moscou Faltischek, P.C., where she is a member of the firm’s Health Law Department, Cyber Security and Data Privacy Practice Group and the White Collar Crime and Investigations Practice Group. Since joining the firm, Della Ragione’s practice has focused in the cyber security arena as well as federal and state litigation. She has been engaged in numerous cyber security engagements ranging across industries and of all sizes. Her work includes advising businesses based on their level of cyber-preparedness and conducting risk and threat assessments, incident response planning and more.


Christopher P.

Read More….

advertisement:

View full post on National Cyber Security Ventures

Is #compliance the best #insurance for #managing #cybersecurity #risk in 2018?

Source: National Cyber Security News

Cybersecurity challenges and risks continue to emerge as top threats to business as usual for large and small organizations alike. The ability to meet these threats requires understanding emerging standards. Compliance with these new standards can help organizations implement a proven risk management framework without having to reinvent the wheel. Demonstrable adherence to such frameworks helps with managing liabilities that may arise.

Compliance to many is a dirty word and often misunderstood especially in the area of information security and risk management. However, in response to the increasing number of data breaches and real economic loss as well as threats to national security, regulators and policy makers are increasingly responding with laws, policies and regulations. There is an increasingly prescriptive set of security requirements that must be met by businesses and organizations operating online. Some of the recent data breaches have shown that cybersecurity risk can originate from the supply chain of vendors and business partners.

Understanding this dynamic, the U.S. Department of Defense started the ball rolling in 2013 requiring businesses and contractors to implement 110 specific security requirements described in NIST Special Publication 800-171 as part of a modification to the Defense Federal Acquisition Regulation Supplement (DFARS).

Read More….

advertisement:

View full post on National Cyber Security Ventures

Taking #Facebook #Quizzes Could Put You at #Risk for #Identity Theft

Source: National Cyber Security – Produced By Gregory Evans

From phishing schemes to a thief pilfering your passport, there are plenty of ways to fall victim to identity theft. And now, participating in Facebook quizzes is one of them. As ABC News reports, the seemingly harmless surveys that populate your feed could wind up providing unscrupulous hackers with the answers to your online security questions.

Popular Facebook quizzes often ask users to answer a series of sharable personal questions, ranging from the name of their pet to their birth city. Some people see them as a fun way to bond with friends, or a way to make new ones. But as one local police department in Massachusetts recently noted on Facebook, many of these queries are similar—if not identical—to security questions used by banks and other institutions.

“Please be aware of some of the posts you comment on,” the Sutton Police Department in Massachusetts wrote in a cautionary message. “The posts that ask what was your first grade teacher, who was your childhood best friend, your first car, the place you [were] born, your favorite place, your first pet, where did you go on your first flight … Those are the same questions asked when setting up accounts as security questions. You are giving out the answers to your security questions without realizing it.”

Hackers can use these questions to build a profile and hack into your accounts or open lines of credit, the department said. They could also trick you into clicking on malicious links.

Experts say it’s OK to take part in a Facebook quiz, but you should never reveal certain personal facts. Take quizzes only from respected websites, and always carefully vet ones that ask for your email address to access the poll or quiz. And while you’re at it, consider steering clear of viral memes, like this one from 2017, which asked Facebook users to name memorable concerts (yet another common security question).

The post Taking #Facebook #Quizzes Could Put You at #Risk for #Identity Theft appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

1.4 #billion #hacked #passwords leaked #online, now you’re at #risk

Source: National Cyber Security – Produced By Gregory Evans

Staying protected from cybercriminals is something everyone needs to stay on top of now that we’re living in a digital world. New data breaches, malware and phishing scams are popping up constantly.

Having sensitive information fall into the hands of criminals is the last thing that we need. You definitely don’t want your identity stolen or hackers having access to your bank accounts.

Unfortunately, a massive archive of stolen credentials was recently discovered online that could put you at risk.

Have your credentials been exposed?

Security researchers at 4iQ recently discovered a 41GB archive that contains more than 1.4 billion stolen user credentials. The credentials, including passwords, are unencrypted on the Dark Web.

The database includes email addresses, passwords and usernames. This isn’t actually a new data breach, it’s a collection of information that had been stolen in previous data breaches.

Researchers who discovered the file said, “While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials–the largest aggregate database found in the dark web to date.”

More than 250 previous data breaches contributed to this collection of stolen credentials. The stolen information was well organized, even indexed alphabetically by the criminal who put it together.

Anytime there is a massive data breach, there are steps that you need to take to make sure your information is secure. Keep reading for suggestions.

Change your password

Whenever you hear news of a data breach, it’s a good idea to change your account passwords. This is especially true if you use the same credentials for multiple websites, which is a bad idea.

If your credentials are stolen from a breach, criminals can test them on other sites to log into those accounts as well.

Keep an eye on your bank accounts 

You should already be frequently checking your bank statements, looking for suspicious activity. It’s even more critical when sensitive information has been exposed through a data breach.

If you see anything that seems strange, report it immediately. It’s the best way to keep your financial accounts safe.

Set up two-factor authentication 

Two-factor authentication, also known as two-step verification, means that to log into your account, you need two ways to prove you are who you say you are. This is an extra layer of security that will help keep your accounts safe.

Investigate your email address 

This is a critical step and it will only take a few seconds of your time. You need to find out if your credentials are part of any recent data breach. The best way to find out if you’re impacted is with the Have I Been Pwned website. 

It’s an easy-to-use site with a database of information that hackers and malicious programs have released publicly. It monitors hacker sites and collects new data every five to 10 minutes about the latest breaches. You can even set up alerts to be notified if your email address is impacted in the future.

Beware of phishing scams 

Scammers will try and piggyback on data breaches like this. They will create phishing emails, hoping to get victims to click on malicious links that could lead to more problems. You need to familiarize yourself with what phishing scams look like so you can avoid falling victim to one.

FROM WEBCAMS, SIGN-INS, TO ALEXA, DON’T MAKE THESE MISTAKES

When our PCs work normally, we sometimes take them for granted. We recklessly fill up our hard drives with data, download files, install applications and browse the web as we please. But of course, all it takes is one installation of a malicious application to ruin your PC and worse, have all your information stolen.

The post 1.4 #billion #hacked #passwords leaked #online, now you’re at #risk appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Risk #assessment: The #first step in #improving #cyber security

Source: National Cyber Security – Produced By Gregory Evans

Despite the proliferation of high profile cyber-attacks over the last 18 months, many organisations are still too disorganised in their approach to security. While it is no longer feasible to guarantee 100% protection against a breach, businesses are setting themselves up for a fall by failing to adequately understand and prepare for the risks facing them.

PwC’s 2018 Information Security Survey, which surveyed more than 9,000 business and technology executives around the world, found that more than a quarter (28%) don’t know how many cyber-attacks they have suffered in total, and a third also don’t know how they occurred. While some security incidents are the result of high level attackers using advanced techniques to disguise their activity, the vast majority of cases are caused by common security failings and could be easily prevented with better governance and process control.

Perhaps the most important step an organisation can take to improve its security is to undertake a thorough IT risk assessment. This is crucial to understanding where the biggest vulnerabilities within the organisation are, as well as what potential external threats it may be facing. Any company attempting to create an IT security strategy without this knowledge will simply be throwing money at the problem. This approach will certainly miss the basic mistakes in IT management that enable attacks and lead to accidental breaches.

A comprehensive risk assessment needs to not only take into account the internal processes at the company, but also a variety of third parties including suppliers and contractors, as well as the role of an increasingly mobile workforce. With this in mind, a thorough assessment is no small task, and usually takes a great deal of planning and preparation to execute.

Choosing a risk framework

As a result of the complexity involved, most companies usually turn to one of the various pre-existing risk assessment frameworks that have been developed over the last few decades as the IT industry has matured. While these frameworks are extremely useful resources, companies should not rely on them to entirely shape their strategy. We still see too many organisations taking a premade framework and going through it as a tick-box exercise. No two businesses are the same, so assessment frameworks can only ever be a general guide and starting place.

Instead, companies need to base their assessment around their own unique structure and risk profile, incorporating elements of existing frameworks where they are appropriate. Encouragingly, 53% of respondents in PwC’s survey stated that spending on their information security budget was based exclusively around risk.

Perhaps the most popular choice of risk assessment frameworks are those created by NIST, the National Institute of Standards and Technology. The NIST 800-53 and NIST Cybersecurity Framework (CSF) are regularly used by governmental agencies and educational institutions as well as private enterprises.

Exploring NIST and ISO

The earlier framework NIST 800-53 was designed to support compliance with the U.S. Federal Information Processing Standards (FIPS). This special publication provides organisational officials with evidence about the effectiveness of implemented controls, indications of quality of risk management processes used and information regarding the strengths and weaknesses of information systems.

The CSF was designed to help organisations of all sizes and any degree of cyber security sophistication apply best practice of risk management. The framework is comprised of three components: framework profile, framework core and framework implementation tiers.

NIST’s roots with the US Commerce Department make it fairly US-centric, but the CSF also incorporates globally recognised standards, making it useful for risk assessment around the world. It is also designed to be flexible and can be used alongside other cybersecurity risk management processes, such as the ISO (International Organisation for Standardization) standards.

Indeed, the ISO/IEC 27000-series, jointly published by the ISO and the International Electrotechnical Commission (IEC), is another of the most well-known and widely used frameworks. Like NIST, the ISO frameworks are flexible enough to fit most organisational sizes and structures. The frameworks can be useful in dissuading an organisation from the tick box compliance mindset, as they encourage organisations to assess their own information security risks and implement controls according to their needs. The ISO series also promotes a continuous feedback approach to address changes in the threat landscape or within the company and implement iterative improvements.

Other strong framework choices to consider include OCTAVE, which has a broader, simpler approach that easy to integrate, and COBIT, an operational framework with a focus on uptime that is well-suited to manufacturing firms and others where uptime is important.

Taking risk assessment to the top

Whichever combination of frameworks the company decides to incorporate for its risk assessment, it is essential to relate the process back to the organisation’s unique operational structure and business objectives. One of the most important activities in preparing a comprehensive assessment is to conduct in-depth interviews with senior management, IT administrators and other stakeholders across the organisation. This will help to develop a much more realistic understanding of the organisation’s potential threats, likelihood of compromise and the impact of the loss, as well as relating everything back to its business priorities.

It is also essential that the risk assessment is understood and supported at the highest level of the organisation. PwC’s survey found that only 44% of boards are actively participating in their security strategy. Without buy-in from the board and other senior leaders, a risk assessment is likely to end up being little more than a series of recommendations that are never actually implemented. By aligning popular industry assessment frameworks with their business objectives, organisations can conduct an assessment that not only highlights potential threats, but goes on to implement real changes that improve its security posture.

The post Risk #assessment: The #first step in #improving #cyber security appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Local small businesses may be at risk for hackers

Source: National Cyber Security – Produced By Gregory Evans

Local small businesses may be at risk for hackers

In the city of Rockford, small business are on every corner. Each one, a potential target for hackers.

“When you consider that 97 percent of all U.S businesses are small businesses the economic impact of hacking can be astronomical” said Director of Rockford Better Business Bureau, Dennis Horton.

The Better Business Bureau is working to bring awareness to the impact one unknown click can take on a small business.

“90 percent of them are through phishing e-mails. And through those phishing emails usually you will find ransom ware or other malicious software” said Horton.

The owners of Rockford Art Deli, say they’re keeping an eye out for these types of e-mails.

“You know you try to do as much as you can and it can still get through but if it did happen, as a cash based business, they can drain your accounts and you know you’re out until that comes back in” said Rockford Art Deli Owner, Jarrod Hennis.

Hennis says he recently got an e-mail from what seemed to be another local business, but after some digging that wasn’t the case.

“It was a random e-mail from a lender in town actually and it just had a link, everything looked legit when you went and clicked on it. But since I knew nothing was coming and I had nothing in the works, I didn’t click on it. So I kinda did some research on it before we opened it and you could tell it was fake” said Hennis.

Horton says one of most unknown facts is, the business owners are held responsible.

“Their business accounts, their bank accounts, were hacked and they suffered a loss that banks are not responsible for that loss” said Horton.

And being out of business, can be detrimental.

“50 percent of them said that after a month they would probably be out of business, if they were not able to recover that data” said Horton.

Source:

The post Local small businesses may be at risk for hackers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Manager, IT Security Risk Assessment

Source: National Cyber Security – Produced By Gregory Evans

The fastest growing Big Four professional services firm in the U.S., KPMG is known for being a great place to work and build a career. We provide audit, tax and advisory services for organizations in today’s most important industries. Our growth is driven by delivering real results for our clients….

The post Manager, IT Security Risk Assessment appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Severe flaws in DNS app create hacking risk for routers, smartphones, computers, IoT

Source: National Cyber Security – Produced By Gregory Evans

Google researchers found seven severe security flaws in the open-source DNS software package Dnsmasq. The flaws put a huge number of devices at risk of being hacked. Google researchers disclosed seven serious flaws in an open-source DNS software package Dnsmasq, which is is commonly preinstalled on routers, servers, smartphones, IoT…

The post Severe flaws in DNS app create hacking risk for routers, smartphones, computers, IoT appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Thousands of Australians could have pacemakers being recalled in US over hacking risk

Source: National Cyber Security – Produced By Gregory Evans

Thousands of Australians are believed to have pacemakers that have been recalled in the United States because they are vulnerable to being hacked. The US Food and Drug Administration (FDA) has recalled 465,000 devices from Abbott’s (formerly St Jude Medical) because hackers could remotely cause the batteries to rapidly go…

The post Thousands of Australians could have pacemakers being recalled in US over hacking risk appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures