What the #Eir #breach and #GDPR can teach us about #multilayered #data #security

Source: National Cyber Security – Produced By Gregory Evans

Amit Parbhucharan analyses the recent Eir data breach and what it says about the state of GDPR at this early point in its tenure.

Recently, Irish telecommunications company Eir suffered a data breach in which the theft of a staff member’s laptop potentially exposed personal data belonging to 37,000 of its customers. The laptop itself was password-protected, but the data on it was wholly unencrypted: the theft happened during a window in which a faulty security update, applied the previous working day, had left the device’s disk decrypted.

Because the computer held customer data including names, email addresses, phone numbers and other legally protected data, Eir followed the procedure set out by the General Data Protection Regulation (GDPR), in force since 25 May, and reported the incident to the Irish Data Protection Commissioner.

‘Portable devices with access to sensitive data will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur’

GDPR introduced data privacy rules requiring companies to meet specific standards when handling the personal data of people in the EU, including the obligation to notify the relevant supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of becoming aware of a personal data breach. GDPR is enforced through steep penalties for non-compliance, which can reach the greater of €20m or 4pc of a business’s total worldwide annual turnover for the preceding financial year.

However, supervisory authorities will weigh an enterprise’s organisational and technical preparedness, and its evident intention to comply, when deciding whether such penalties are warranted.

Risky human behaviour

It appears that Eir did many things right in its data breach response. The company demonstrated its established capability to recognise the breach and to report it promptly.

That said, data was still put at risk. Laptops and other such portable devices with access to sensitive data (phones, USB drives etc) will always be an area of potential data breach risk to organisations, and the worst-case scenarios can and will occur. Loss and theft are facts of life, as are other high-risk circumstances that can be much more difficult to anticipate.

In one odd case from our experience, a resident of an in-patient healthcare organisation actually threw a laptop containing protected health data out of a window due to frustration that those devices were for staff use only. A technician deployed to site to understand why the laptop wasn’t online discovered it near the street, where it lay for hours before (luckily, that time) being recovered.

Obviously, wild circumstances like these are unforeseen, but they need to be prepared for nevertheless. There are also those cases where an employee’s lapse in judgement opens the possibility for dire consequences. Laptops get left unattended during credentialed sessions, passwords get written on sticky notes for convenience and stolen along with devices. To ‘Eir’ is human, if you’ll excuse the pun, and small windows of risk too often turn into major (and costly) incidents.

Beyond encryption

This is why organisations need robust, layered data security strategies, so that devices have more than one line of defence in place when something goes wrong. Encryption is essential to protecting data and should serve as the centrepiece of any data security strategy: GDPR names it explicitly (Article 32) as an appropriate technical measure, and Article 34 relieves a controller of the duty to notify affected individuals when the breached data had been rendered unintelligible by encryption. That exemption is exactly what is lost when a device is stolen while its disk happens to be in the clear.

But measures must also go beyond encryption. Employee training in secure practices is another critical component of a successful programme. Similarly, capabilities such as remote data deletion when a device is out of the organisation’s hands offer a safeguard in those circumstances where encryption has been rendered ineffective, with the caveat that a wipe command only takes effect once the device comes back online.
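The Eir incident also argues for a cheap extra layer: verifying, rather than assuming, that a device’s disk is actually encrypted right now. The following check is an added example, not code from the article or from Beachhead Solutions. It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux endpoint and reports any sensitive mountpoint that is not stacked on a dm-crypt (LUKS) device. The set of sensitive mountpoints and both sample device trees are constructed for the example.

```python
import json
import subprocess

# Mountpoints that hold customer or staff data on a typical laptop build
# (assumption for this example; adjust to the organisation's image).
SENSITIVE_MOUNTS = {"/", "/home", "/var"}


def unencrypted_mounts(lsblk_json, sensitive=SENSITIVE_MOUNTS):
    """Return (mountpoint, device) pairs for sensitive filesystems that are
    not stacked on a dm-crypt ("crypt") device anywhere in their ancestry.

    Input is the JSON printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
    """
    tree = json.loads(lsblk_json)
    findings = []

    def walk(node, under_crypt):
        # Once the walk passes through a "crypt" node, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint in sensitive and not under_crypt:
            findings.append((mountpoint, node["name"]))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return sorted(findings)


def check_local_host():
    """Run lsblk on this machine and return the findings (empty list = compliant)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


# Constructed sample: a healthy LUKS-on-LVM laptop. Only the EFI partition is in the clear.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "luks-4f1c", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
            ]},
        ]},
    ]}]})

# Constructed sample: the same machine after a botched update left its
# filesystems mounted straight from plain partitions, as in the Eir incident.
DECRYPTED_LAPTOP = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
    ]}]})


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("decrypted", DECRYPTED_LAPTOP)):
        print(label, unencrypted_mounts(sample) or "OK")
```

Run `check_local_host()` from the endpoint agent or a cron job and raise an alert on a non-empty result; a device that reports findings for more than a short grace period is one a remote wipe should target. The check deliberately says nothing about cipher strength or where the unlock key lives (a TPM auto-unlock or a keyfile on an unencrypted partition still passes it), so it complements rather than replaces the encryption policy itself.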

‘Each effective layer of data security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy’

Ensuring the security of customer data has always been critical to protecting an organisation’s reputation and maintaining customer trust – GDPR only raises those stakes.

In the unfortunate event that a data breach must be reported under GDPR, and regulators conduct an official audit, each effective layer of security in place beyond encryption demonstrates a genuine commitment to protecting individual privacy. That commitment serves as a positive factor in the eyes of both those auditors and the public who must continue to trust the organisation with their data going forward.

By Amit Parbhucharan

Amit Parbhucharan is general manager of EMEA at Beachhead Solutions, which provides cloud-managed PC and mobile device encryption, security, and data access control for businesses and managed service providers.

Source: https://www.siliconrepublic.com/enterprise/eir-breach-encryption-layered-data-security

The post What the #Eir #breach and #GDPR can teach us about #multilayered #data #security appeared first on National Cyber Security .

View full post on National Cyber Security

Security & Counter Terror Expo


General Cybersecurity Conference

March 6 – 7, 2018 | London, United Kingdom

Cybersecurity Conference Description 

Cyber-attacks are the newest and potentially most disruptive threat to national security. The NHS and Deloitte have recently been hit by cyber-attacks, threatening the security and infrastructure of these integral organisations. The National Cyber Security Centre reported more than 1,000 attacks in its first year of operation.

As the number of threats to cyber infrastructure increases, so does the vital need to secure and protect all communications, banking, personal information and documents transmitted online. The market is growing rapidly and is now estimated at £3.4 billion, opening the way for new innovation to protect against these threats.

Join over 1,000 leading experts, government, law enforcement, military and security leaders at SCTX 2018 at the UK’s fastest growing cyber security event.


Does #Cyber Security Really Need #Machine Learning #Technology?


Amidst the escalating number of high-profile hacks and cyber attacks, organizations are now embracing various forms of artificial intelligence (AI) – including machine learning technology and neural networks – as a new cyber security defense mechanism. At a time when human skills and competencies appear to be overmatched, the thinking goes, machines have a nearly infinite ability to analyze threats and then respond to them in real-time.

Is machine learning really the silver bullet?

However, putting one’s faith in the ability of machines to defend entire organizations from hacker attacks and other forms of security intrusions ignores one basic fact: cyber security is an arms race, and the same weapons that are available to one side will soon be available to the other side. Put another way, the same machine learning technologies being embraced by the world’s top corporations and data scientists will soon be co-opted or adopted by the world’s top hackers.

Moreover, there is still quite a bit of work to be done before any machine learning cyber defense is fully robust. Right now, machine learning excels at certain tasks, but still needs significant human intervention to excel at others. For example, machines are extremely good at “classification,” which enables them to label and describe different types of hacker attacks. As a result, machines can differentiate between spoofing attacks, phishing attacks and other types of network intrusions.

The idea here is simple: just show a machine many different examples of hacker attacks, and they will eventually learn how to classify them very efficiently. The more raw data and data points you show machines (think of all this data as “training data”), the faster they will learn. In many ways, it is similar to the machine learning techniques used for image recognition tools – show a machine enough photos of a dog, and it will eventually be able to pick out a dog in any photo you show it.

Thus, it’s easy to see an obvious implication for machine learning and cyber security: machines can help security teams isolate the most pressing threats facing an organization and then optimize the defenses for those threats. For example, if an organization is facing a hundred different potential threats, a machine can easily sort and classify all of those threats, enabling humans to focus only on the most mission-critical of these.

The use cases of machine learning in cyber security

One of the most obvious ways to apply machine learning in cyber security involves the creation of stronger spam filters. For many organizations, a constant security threat is the ability of hackers to get inside the organization simply by sending spam emails filled with all kinds of malware. Once an employee clicks on a bad link or opens a bad attachment that makes it past conventional spam filters, it may be possible for malware to spread throughout an organization’s network.

Thus, you can immediately see why adopting machine learning for email security makes so much sense: it can provide a first layer of defense against these spam emails laden with malware. If you frame email as a “classification” problem, then machines can play an important role in sifting out the “good” emails from the “bad” emails. You simply show a machine many, many different examples of “bad” emails as well as many, many different examples of “good” emails, and it will eventually become 99.9% accurate at sorting them (or so one common myth about machine learning goes; in practice the remaining errors fall disproportionately on the rare, novel messages that matter most).

Another common use case for machine learning in cyber security involves spotting irregular activity within an organization’s network traffic. For example, an unexpected surge of network activity might signal some sort of looming cyber attack (such as a DDOS attack). Or, activity in the accounts of certain employees that is out of the norm might indicate that one or more of these accounts have been compromised. Again, it matters how you frame the problem for machines: organizations must be able to show them what “normal” looks like, so that they will then be able to spot any irregular deviations from the normal state of network affairs.
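The baseline-and-deviation idea in the previous paragraph, and the arms-race point from the start of the article, can be seen in a few lines of code. The following is an added example, not code from the article or from any vendor it mentions: a robust (median/MAD) baseline over one account’s daily login counts, a score for a new day, and a second history in which the attacker has already been active during the training window. The login counts are constructed; the statistics are standard.

```python
import statistics

# Constructed sample: daily interactive logins for one account over four weeks
# of normal use. This is the "what normal looks like" the article refers to.
CLEAN_HISTORY = [9, 11, 10, 12, 8, 10, 11, 9, 10, 13, 10, 9, 11, 10,
                 12, 10, 9, 11, 10, 8, 12, 10, 11, 9, 10, 10, 11, 12]

# Constructed sample: the same account, but an intruder has been using it at
# roughly 60 logins/day for the second half of the window, so the baseline is polluted.
CONTAMINATED_HISTORY = CLEAN_HISTORY[:14] + [58, 61, 60, 59, 62, 60, 61,
                                             58, 60, 63, 60, 59, 61, 60]


def robust_baseline(history):
    """Median and MAD-derived scale of the training window.

    Median and median absolute deviation are used instead of mean and stdev so
    that a handful of odd days in the history do not drag the baseline towards them.
    """
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    return median, 1.4826 * mad  # 1.4826 scales MAD to a stdev-like unit for normal data


def anomaly_score(value, history):
    """How many robust standard deviations `value` sits above the baseline."""
    median, scale = robust_baseline(history)
    if scale == 0:
        # A perfectly flat history makes any deviation infinitely surprising.
        return float("inf") if value != median else 0.0
    return (value - median) / scale


def is_anomalous(value, history, threshold=5.0):
    """Flag a day whose count is more than `threshold` robust sigmas above normal."""
    return anomaly_score(value, history) > threshold


if __name__ == "__main__":
    print("90 logins vs clean baseline:", round(anomaly_score(90, CLEAN_HISTORY), 1))
    print("90 logins vs contaminated baseline:", round(anomaly_score(90, CONTAMINATED_HISTORY), 1))
```

Against the clean history a day with 90 logins scores about 54 robust sigmas and is flagged; against the contaminated history the same day scores about 1.5 and passes, because the model has learned the intruder’s activity as “normal”. That is the practical form of the arms-race argument: whoever controls the data in the training window controls what the detector considers anomalous, so baselines need to be built from periods that were verified clean and re-checked when they shift.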

Machine learning, cyber security and the enterprise

To get cyber security executives thinking more deeply on the matter (without delving too deeply into the complex data science behind machine learning), the technology research firm Gartner has proposed a PPDR model, which corresponds to the various uses of machine learning for cyber security within the enterprise:

Prediction
Prevention
Detection
Response

In short, with machine learning technology, organizations will be able to predict the occurrence of future attacks, prevent these attacks, detect potential threats, and respond appropriately. With the right machine learning algorithms, say experts, it might be possible to shield even the largest and most vulnerable organizations from cyber attacks. In the big data era, when organizations must grapple with so much data, it’s easy to see why they are turning to machines.

With that in mind, Amazon is leading the way with an application of machine learning for the cloud. At the beginning of 2017, Amazon acquired a machine learning startup, harvest.ai, for just under $20 million. The goal of the acquisition was to be able to use machine learning to search for, find and analyze changes in user behavior, key business systems and apps, in order to stop targeted attacks before any data can be stolen or compromised.

Then, in November 2017, the company’s cloud business, Amazon Web Services (AWS), unveiled a new threat detection offering based on machine learning called Amazon GuardDuty. The allure of the new offering is easy to grasp: companies with a lot of data in the cloud are especially attractive targets, and they are easy “sells” for any company that is able to promise that their cloud offerings will be safe from attack. Already, big-name companies like GE and Netflix have signed on as customers of Amazon’s new machine learning-based offering.

Clearly, there is a tremendous amount of potential for machine learning and cyber security within the enterprise. Some industry experts have estimated that, in the period from 2015-2020, companies will spend a combined $655 billion on cyber security. Other estimates have been even more aggressive, suggesting that the total could be closer to $1 trillion.

If companies are spending so much money on cyber security, though, they will want to be certain that new solutions featuring machine learning actually work. In order for machine learning to live up to the hype, it will need to offer a fully robust security solution that covers every potential vulnerability for a company – including the network itself, all endpoints (including all mobile devices), all applications and all users. That’s a tough order to fill, but plenty of organizations are now betting that machines will be up to the task.


Information Security Compliance Associate

The nature of audit is changing as the systems which underlie our operations become more sophisticated and robust. With this increased sophistication comes increased reliance on technology-related controls to mitigate operational and financial risk, as well as increased access to transaction-level data. You will be responsible for assisting in all aspects of execution: from identifying opportunities for us to focus on, to developing the infrastructure and analyses to make progress in those areas. Further, you will serve as an Information Technology subject matter specialist and support the execution of Operational, Financial and Technology-related reviews. 

In this capacity you will execute planned audit procedures, working to identify any issues and solve problems at the root cause. You’ll help the team understand how the audit function supports our overall business objectives and participate in scoping internal audits and risk assessments through an established process. You’ll be on top of deadlines and will create scalable reporting systems to communicate results of audits to both internal audiences and regulatory compliance agencies. You have a hands-on, tactical approach for resolving issues, and an eye for detail ensures that everything is balanced at the end of the day.

https://www.indeed.com/viewjob?jk=4935c12a6c9c3e00&tk=1ci6t2i20b960c6c&from=serp&vjs=3


Mimecast acquires Ataata to improve #cyber #security #training

Mimecast Limited today announced it has acquired the cyber security training and awareness platform Ataata. The acquisition aims to let customers measure the effectiveness of cyber risk training by converting observations of employee behavior into actionable risk metrics for security professionals.

According to research Mimecast conducted with Vanson Bourne, 90 percent of organizations have seen phishing attacks increase over the last year, yet only 11 percent responded that they continuously train employees on how to spot cyberattacks.

The acquisition of Ataata will offer customers a single cloud platform engineered to mitigate risk and reduce employee security mistakes by scoring each employee’s security risk from sentiment and behavior, then connecting them with training content chosen according to their score and recommended areas for improvement.

“Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn’t work. As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behavior,” said Peter Bauer, chief executive officer and founder of Mimecast.

“According to a 2017 report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020.  The powerful combination of Mimecast’s cyber resilience for email capabilities paired with Ataata’s employee training and risk scoring will help customers enhance their cyber resilience efforts.”

Source: https://www.techradar.com/news/mimecast-acquires-ataata-to-improve-cyber-security-training


IT Security Analyst Intern

Chenega Professional & Technical Services (CPTS) is seeking an IT Security Analyst, Intern to provide support to NASA – AMES Research Center (ARC) within the Information Technology Services.
Essential Duties and Responsibilities:(Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions of this position)
  • Under direct supervision, performs packet analysis, identifies malformed packets, and analyzes packet payloads across network protocols and routing.
  • Writes and maintains processes, procedures, test/assessment results, presentations, papers, articles, and other types of documents as required.
Non-Essential Duties:
  • Other duties as assigned.
Supervisory Responsibilities:
  • None.
Minimum Qualifications:(To perform this job successfully, an individual must be able to perform each essential duty satisfactorily.)
  • High School Diploma or GED.
  • Zero (0) to Two (2) years of related experience.
  • Must have an understanding of commonly used network services (e.g. Domain Name System (DNS), mail, web, and other less common network services)
  • Must be able to obtain required NASA badge.
  • Must be able to provide a certified Birth Certificate (with state seal), Passport, or INS Citizenship documents on date of hire (candidate will be sent home if this paperwork is not provided upon arrival on date of hire).
  • Must have, and maintain, a valid driver’s license.
Knowledge, Skills and Abilities:
  • Good organizational and planning skills
  • Excellent communication skills
  • Proven ability to pay close attention to detail
  • Ability to work independently but follow specific detailed instructions
  • Ability to interface with various levels of personnel in a multi-cultural, team- oriented environment
Diversity:
  • Shows respect and sensitivity for cultural differences; Educates others on the value of diversity; Promotes a harassment-free environment; Builds a diverse workforce.
Ethics:
  • Treats people with respect; Keeps commitments; Inspires the trust of others; Works with integrity and ethically; Upholds organizational values.
Physical Demands:
  • The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
  • While performing the duties of this Job, the employee is regularly required to sit and talk or hear. The employee is frequently required to walk; use hands to finger, handle, or feel and reach with hands and arms. The employee is occasionally required to stand; climb or balance and stoop, kneel, crouch, or crawl. The employee must occasionally lift and/or move up to 25 pounds. Specific vision abilities required by this job include close vision.
Work Environment:
  • The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job.
  • The employee will normally work in a temperature-controlled office environment, with frequent exposure to electronic office equipment.
  • During visits to areas of operations, may be exposed to extreme cold or hot weather conditions. Is occasionally exposed to fumes or airborne particles, toxic or caustic chemicals, and loud noise.
Chenega Corporation and family of companies is an EOE.
Equal Opportunity Employer Minorities/Women/Veterans/Disabled/Sexual Orientation/Gender Identity
Native preference under PL 93-638.
We participate in the E-Verify Employment Verification Program.

Job: Information Security
Primary Location: United States-California-San Francisco
Organization: Chenega Professional & Technical Services
Recruiter: Anne Goldberg

Source: https://nationalcybersecurity.com/it-security-analyst-intern


Enterprise Security IT Intern

As an Enterprise Security IT Intern you will assist in driving a global Identity Access Management program, and will be responsible for fulfilling access requests, revoking access rights, troubleshooting incidents and user issues, and completing projects as determined by the Team Lead and Manager.
This position has responsibility for ensuring successful completion of user access requests across Diebold Nixdorf globally, and at all levels of the organization. This position has responsibility for the entire life-cycle of access management, including access provisioning, modification, and revocation.
  • Quickly, accurately, and appropriately provision access rights for users according to access requests
  • Quickly, accurately, and appropriately work through the termination process for users who have left the Company, including identifying all access rights for terminated users in all disparate systems, and disabling those rights to prevent unauthorized access
  • Troubleshooting user access related issues and incidents to ensure end users are successfully able to use systems and perform job functions
  • Completing projects as determined by Team Lead and/or Manager, possibly including audit remediation efforts, system access clean up efforts, analysis of inappropriate access rights, process/procedure improvement projects, etc.

Qualifications

Requirements:
  • Must be currently attending a college or university pursuing an Information Technology, Cyber Security or related degree
  • Must have and maintain a 3.0 GPA or above
  • Experience in PC hardware and software – installing, troubleshooting, resolving issues
  • Microsoft Office (Word, PowerPoint, Excel, Outlook)
  • Interest in troubleshooting issues and resolving problems and being mentally capable of dealing with problems and challenges on a daily basis
  • Ability to communicate effectively verbally (face to face and over the phone) as well as in writing (email, instant messaging, documents)

Diebold Nixdorf, Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, marital status, age, national origin, genetic information, disability or protected veteran status.

Source: https://www.indeed.com/viewjob?jk=dfc04d90556f95ce&tk=1ci5atlsobv0mbt5&from=serp&vjs=3


US #Gov’t #Agencies Fail to #Implement #Anti-Hacking #Security #Measures

Chief Information Officers (CIOs) at 24 US government agencies have yet to act on hundreds of recommendations to improve cybersecurity and protect personal information, the Government Accountability Office (GAO) said in a report on Wednesday.

“GAO’s preliminary results suggest that none of the 24 selected agencies have policies that fully address the role of their CIO, as called for by federal laws and guidance,” a press release summarizing the report said.

In recent years, the GAO has made 2,700 recommendations to improve the security of US federal information systems, the release explained.

“These recommendations identified actions for agencies to take to strengthen their information security programs and technical controls over their computer networks and systems,” the release said.

As of May 2018, about 800 of the information security-related recommendations had not been implemented, the release concluded.

In April, the Democratic National Committee (DNC) sued the Trump campaign, WikiLeaks and Russia over the 2016 hack of its emails.

Cybersecurity is gaining importance in the modern world, as states’ critical infrastructure increasingly depends on data security as technology develops. In July 2017, Donald Trump’s administration announced it was finalizing plans to overhaul the US military command for defensive and offensive cyber operations, in hopes of strengthening America’s ability to wage cyberwar against foes.


Information Security & Privacy Associate Analyst

Partners HealthCare(PHS) – Somerville, MA

As a not-for-profit organization, Partners HealthCare is committed to supporting patient care, research, teaching, and service to the community by leading innovation across our system. Founded by Brigham and Women’s Hospital and Massachusetts General Hospital, Partners HealthCare supports a complete continuum of care including community and specialty hospitals, a managed care organization, a physician network, community health centers, home care and other health-related entities. Several of our hospitals are teaching affiliates of Harvard Medical School, and our system is a national leader in biomedical research.

We’re focused on a people-first culture for our system’s patients and our professional family. That’s why we provide our employees with more ways to achieve their potential. Partners HealthCare is committed to aligning our employees’ personal aspirations with projects that match their capabilities and creating a culture that empowers our managers to become trusted mentors. We support each member of our team to own their personal development—and we recognize success at every step.

Our employees use the Partners HealthCare values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

General Overview

With guidance from senior members of the team, this individual assists with the Partners HealthCare enterprise-wide information security risk management program through active engagement with business owners including information gathering, risk analysis, and reporting.

The Information Security & Privacy Associate Analyst (ISPAA) is responsible for coordinating and scheduling information security & privacy assessments with business owners, working with team members to conduct assessments and develop remediation plans using evolving business processes and tools, documenting the effort in Archer, and following up with business owners on remediation plans.

Principal Duties and Responsibilities

1. Work with team members to coordinate and perform information system and third-party risk assessments, following a NIST-based methodology.

2. Assist in guiding business owners and end-users on the implementation of solutions that comply with IS security policies and standards.

3. Assist in prioritizing departmental tasks including new risk assessments and cybersecurity variance requests according to departmental processes.

4. With guidance from other team members, document assessments, variances, findings, and remediation plans in Archer.

5. Maintain a current knowledge of applicable federal and state privacy laws and accreditation standards, and monitor advancements in information privacy and security technologies to ensure adaptation and compliance.

6. Maintains awareness of new technologies and related opportunities for impact on system or application security.

7. Conduct information security research to keep abreast of the latest security issues, testing tools, techniques, and process improvements in support of security event detection and analysis.

8. Uses the Partners HealthCare values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

9. Local travel to PHS Sites

10. Performs other duties as assigned.

Qualifications
Bachelor’s degree (B.A. / B.S.) or equivalent in computer science, business administration, or equivalent discipline from an accredited college or university required.

1-2 years of experience in IT/IS required.
1-2 years of exposure to information security or information privacy functions.
Knowledge of HIPAA, HITECH, Mass ID Theft regulation 201 CMR 17, and other appropriate information security and information privacy regulatory requirements for healthcare entities a plus.
Knowledge of NIST 800-53, ISO 27K, GDPR, PCI-DSS is desirable.
Legal background is desirable.
Any of the following certifications is a plus:
ITIL, or any of the following Information Security Certifications: CISSP, HCISPP, CISM, CISA, CIPP, CIPM, CIPT, CPHIMS, PCIP, GSEC, GCIH, GCFE, GCFA, CEH, GPEN, and PMP

Skills, Abilities and Competencies

1. The candidate for this role must have very strong business and analytical skills to represent the information security & privacy office policies.
2. Outstanding time management and organizational skills required.
3. An ability to work under the required guidelines and deliver on business/project requirements.
4. Ability to work with both team members and staff in a professional manner.
5. Comfortable working in a dynamic environment with multiple work streams, goals, and objectives.
6. Ability to recommend task prioritisation to the ISPO leadership team.
7. Excellent written and verbal communication and effective interpersonal skills are critical.
8. Understanding of Windows, Unix/Linux operating systems, security administration, virtualization, and TCP/IP networking.
9. Ability to work independently with minimal supervision.

EEO Statement Partners HealthCare is an Equal Opportunity Employer & by embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law.

Primary Location: MA-Somerville-Assembly Row – PHS
Work Locations: Assembly Row – PHS, 399 Revolution Drive, Somerville 02145
Job: Information Security
Organization: Partners HealthCare (PHS)
Schedule: Full-time
Standard Hours: 40
Shift: Day Job
Employee Status: Regular
Recruiting Department: PHS Information Systems
Job Posting: May 24, 2018

The post Information Security & Privacy Associate Analyst appeared first on National Cyber Security Ventures.


Pen #testers #break down #bank security #flaws

While banks have built effective barriers for external attacks, researchers warn they have not done nearly as much work to fight threats on their internal networks.

Earlier this month, a third-party software vulnerability resulted in a Mexican bank heist that scored at least $15.4 million.

In early 2017 there was a surge of attacks targeting card processing in Eastern Europe that netted nearly $100 million, and later that year intruders attacked the Far Eastern International Bank in Taiwan, making transfers to accounts in Cambodia, Sri Lanka, and the U.S. that totaled $60 million.

Positive Technologies researchers examined how cybercriminals are able to pull off such massive financial heists from behind their keyboards, and acted like cybercriminals themselves to gain insight into the vulnerabilities banks commonly share.

The firm said it found vulnerabilities in every bank it has performed penetration tests on: half of the banks had insufficient protection against recovery of credentials from OS memory, a quarter used dictionary passwords, and nearly a fifth (17 percent) had sensitive data stored in cleartext.

Positive Technologies would not specify the number of banks in its study but did emphasize the need for banks to enact strong password policies as 50 percent of those tested used dictionary passwords.

Researchers added that a quarter of these banks used the password “P@ssw0rd” as well as such common combinations as “Qwerty123,” empty passwords, and default passwords such as “sa” or “postgres”.
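The report's remedy is a strong password policy. As an added illustration (not code from the report or from Positive Technologies), the following check rejects the weak credentials the article names: empty passwords, service defaults such as "sa" and "postgres", and dictionary words disguised with character substitutions or trailing digits, so that "P@ssw0rd" and "Qwerty123" are caught as "password" and "qwerty". The blocklist is a constructed stand-in for a real wordlist.

```python
import re

# Constructed mini blocklist; a real policy loads a large breached-password wordlist.
BLOCKLIST = {"password", "qwerty", "admin", "welcome", "letmein"}
# Default account names the article reports being used as passwords.
DEFAULT_ACCOUNTS = {"sa", "postgres", "root", "admin"}
MIN_LENGTH = 12

# Undo the substitutions that make "P@ssw0rd" look non-dictionary.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s",
                      "1": "i", "!": "i", "3": "e"})


def normalize(pw: str) -> str:
    """Lowercase, drop trailing digits/punctuation, then undo leetspeak.

    'Qwerty123' -> 'qwerty', 'P@ssw0rd' -> 'password', 'p4$$w0rd1!' -> 'password'
    """
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # strip the 'Qwerty123' suffix pattern
    return base.translate(LEET)


def check_password(pw: str, username: str = "") -> list:
    """Return the policy failures for pw; an empty list means the password is accepted."""
    failures = []
    if not pw:
        return ["empty password"]
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    if norm in BLOCKLIST:
        failures.append(f"dictionary word '{norm}' after normalization")
    lowered = pw.lower()
    if lowered in DEFAULT_ACCOUNTS or (username and lowered == username.lower()):
        failures.append("matches a default or account name")
    return failures


if __name__ == "__main__":
    # Constructed samples mirroring the article's findings.
    for candidate in ["", "P@ssw0rd", "Qwerty123", "postgres", "sa", "correct-horse-battery-staple-42"]:
        print(repr(candidate), "->", check_password(candidate, username="sa") or "OK")
```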

The most common vulnerabilities were outdated software (found in 67 percent), sensitive data stored in clear text (58 percent), dictionary passwords (58 percent), use of insecure data transfer protocols (58 percent), and remote access and control interfaces available to any user (50 percent).

Less common vulnerabilities included anti-DNS pinning, SQL injection, arbitrary file upload, XML external entity (XXE), and cross-site scripting (25 percent).

Other common weaknesses that enable infection include use of outdated software versions and failure to install OS security updates, configuration errors, and absence of two-factor authentication for access to critical systems.

As a result of these vulnerabilities, attackers would be able to obtain unauthorized access to financial applications at 58 percent of the banks, and penetration testers were able to compromise ATM management workstations at 25 percent of the banks studied.

Researchers were also able to move money to criminal-controlled accounts via interbank transfers at 17 percent of the banks tested.

It is important to realize that banks suffer from the same problems as other companies: the typical attack vectors stem from a weak password policy and insufficient protection against credential recovery from OS memory.

As with physical bank robberies, cybercriminals survey and prepare in advance to attack their targets, sometimes leveraging insider personnel.

“Since use of external resources can be detected by security systems, in order not to get caught during this initial stage, criminals resort to passive methods of obtaining information: for example, identifying domain names and addresses belonging to the bank,” researchers said in the report. “At the survey stage, unscrupulous bank employees are actively engaged as well.”

Researchers found numerous posts on web forums from insiders looking to disclose their employers’ information for a fee.

“The bottom line is, banks are not ready to defend attacks from the internal intruder today,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told SC Media. “Despite the high level of protection of the network perimeter, attacks using social engineering techniques and so-called watering hole attacks allow attackers to enter the internal network of the bank.”

Galloway went on to say that cybercriminals can covertly be present in the infrastructure for a long time while learning the actions of employees and administrators, all while hiding their attack from security systems under the guise of the legitimate actions of employees whose computers they hacked into.

The post Pen #testers #break down #bank security #flaws appeared first on National Cyber Security Ventures.
