now browsing by tag
#bumble | #tinder | #pof ‘I don’t feel like a burden … Why should I act like one?’ | romancescams | #scams
When Kirby Hough meets a man for a first date, she deceives him until she believes he is worthy of the truth. © Jill Toyoshiba/Kansas City Star/TNSKirby Hough recently had […] View full post on National Cyber Security
_________________________ I’m not sure if it’s because I’m in my 30s, or if more guys are leading women on so they’re being more cautious, but there’s a question I’m getting […] View full post on National Cyber Security
Singles decide whether relationships should flourish naturally or whether a ‘discussion’ is required | #facebookdating | #tinder | #pof | romancescams | #scams
Poll At what point does dating transition into a relationship? After three dates 2 votes After a conversation 19 votes After you become exclusive 29 votes An Australian relationship coach […] View full post on National Cyber Security
#bumble | #tinder | #pof From STIs to malaria, here are six disease trends we should heed during the pandemic | romancescams | #scams
The number of COVID-19 deaths globally – more than 750,000 – is now greater than the amount of people who succumb to malaria most years. Meanwhile, national statistics show lockdown […] View full post on National Cyber Security
#childsafety | Should Ofsted visit schools in England when they reopen? | Education | #parenting | #parenting | #kids
As parents and teachers worry about school safety, Ofsted, the schools watchdog, will start a “phased return” to inspections in September, starting with all schools graded “inadequate”, plus a sample […] View full post on National Cyber Security
Simplicity should underpin enterprise security in a Covid-19 world: Magda Chelly surveys the global infosec landscape | #corporatesecurity | #businesssecurity | #
Responsible Cyber co-founder will focus on education, communication, and more at this year’s RSA Conference
Infosec recruitment flaws and adapting cybersecurity posture for a global pandemic are two notable topics being discussed at tomorrow’s virtual RSA Conference.
These themes will be the focus of three talks from Magda Chelly, head of cyber risk consulting for Marsh Asia.
She is a certified CISO, on the advisory board for the Executive Summit of Black Hat Asia 2020, runs a popular YouTube channel focused on cybersecurity, and has won a string of accolades for being a cybersecurity influencer. Chelly is also the co-founder of Singapore-based security-as-a-service company Responsible Cyber.
Speaking to The Daily Swig, Chelly gives the inside track on her RSA presentations and reflects on the global disparities in cybersecurity maturity and the career opportunities open to female infosec professionals.
How did you get into cybersecurity?
I started being interested in cybersecurity when I was doing my PhD in telecoms engineering.
I evolved into an IT/CRM [customer relations management] consultant and even worked in sales and business development roles.
Since then I have had advisory roles [in cybersecurity], which have mostly evolved from governance to more technical cybersecurity – for example, cloud security with AWS, Microsoft Azure, Office 365 – to a more global approach when it comes to being a CISO.
That means building the whole cybersecurity strategy and rolling it out across one to three years, especially with regulated businesses like insurance. It was exciting because I needed to ensure that the company was not only getting up to speed, but also that they didn’t get themselves into trouble.
Please tell us about your role at Marsh…
Marsh Asia provides cyber risk consulting. It focuses on risk quantification, as companies are still facing challenges evaluating and quantifying cyber risks to find out the related financial losses.
Unlike other risks, there is limited historical data about cybercrime, mainly because it is a relatively new risk area, but also due to its constantly changing form.
Cyber risk management has not yet been ‘reduced to practice’ on a wide scale.
This approach enables point estimates of the financial cost – the severity – of cyber events with good accuracy.
YOU MIGHT ALSO LIKE Virtual cybersecurity conferences: An expanding list
Having credible quantitative estimates for both severity and likelihood will allow risk managers to answer the fundamental question: “What is the likelihood that our organization will experience a cyber event causing a loss of greater than, say, $100 million in the next 12 months?”
Most often, it is the likelihood question that derails many attempts at quantifying cyber risk, due to the unpredictable nature of a human-initiated threat.
So we’re talking dollars here – how data loss might happen, how much my business might lose, and how much I can get in terms of investment.
What can RSA Conference attendees expect to hear about ‘Getting the Security and Flexibility Balance Right in a Covid-19 World’?
I’ll be addressing how to be aware of the evolving risks within an uncertain environment.
And I’ll be [urging attendees to make] simplicity [a pillar of their cybersecurity approach] because fundamentals can be applied. You can, for example, apply your NIST compliance checklist every time a risk changes. I will be talking about alternatives.
I will be presenting about use cases and some additional changes that are super interesting.
I believe that cybersecurity professionals tend to be over confident about their capabilities.
We’re talking about an environment with a lot of factors that might impact our security. We’re not talking about traditional corporate security and enterprise boundaries. We cannot take the same approach.
RELATED How to become a CISO – Your guide to climbing to the top of the enterprise security ladder
If you go into an employee’s ecosystem and you understand how they work, you realize that they will find a way to [surmount] technical challenges by using their personal emails, etc, so that of course raises additional risks. And working in a quarantine environment raises risks that were not considered.
And the fact that some [employees] will go back to the office, some will stay working remotely – how do you manage that securely?
Cybersecurity professionals also have a challenge communicating with employees, who [sometimes] do not even know that there is a [security] team.
We tend to make employees feel that we are not reachable. If you’re a CISO of a big company then, obviously, you’re very busy. You have a team and you cannot spare time to talk to everyone, but it’s extremely important to go beyond just sending a newsletter and make sure that employees see cybersecurity as part of the culture.
So don’t talk about only corporate requirements. Talk about how they need to consider cybersecurity in everyday activities – no matter if it’s a corporate requirement or not.
This year’s RSA Conference is taking place virtually
And what about your other talk: ‘Hacking the Cybersecurity Job Market: A Primer for Students and Grads’?
This is about helping the student understand the different [available] career paths.
We hear about a big skills gap globally. Sometimes [this is exacerbated by] the fact that HR will request everything and anything in the job description. From a hacker to a compliance manager, to a CISO, [all skills and experience] is put in one job description, which is of course impossible. [Or they ask for] someone junior, but already with experience, so it just doesn’t make sense.
So [I will talk about] finding the right balance, and how to address the challenges and start the discussions with HR teams.
How does Singapore, or Asia more widely, compare to Europe or North America in terms of its cybersecurity maturity?
I would say it’s very different. The Asian market is very fragmented. Every country has different maturity, different initiatives, and different – especially regulatory – requirements.
Singapore is one of the most mature in terms of regulations – we have the PDPA privacy law, the Cybersecurity Act, the MAS TRM guidelines.
In countries where maturity is much lower, companies just do not feel that they need to do anything [to strengthen cybersecurity].
The Asian market compared to Europe or the US is still much, much lower in terms of general maturity, which means, again, there is a greater opportunity to help those companies.
You founded the Singapore chapter of Women of Security, or WoSEC. How would you summarize the chapter’s aims?
I’m trying to help female professionals get the right support, to give them a safe environment with talks, workshops, social gatherings where we can talk about challenges, we can give some job opportunities, and recommend mentors.
How much progress are you seeing in terms of achieving parity of opportunity between female and male professionals?
I think there are a lot of unconscious biases, but it is changing.
I’ve seen a very positive change in the US and Europe. Asia is still trying its best but it’s not there yet. There’s a lot of work to do.
Companies like Marsh have diversity programs, and they are supporting WoSEC, so the problem is not there as such.
But general feedback from the top of other companies in the region [suggests that] the problem is that the HR process doesn’t [encourage] that inclusion or diversity very well. And then unconscious biases don’t help female professionals [once they do get roles].
It really depends on the country and the culture.
Finally, you noted that cybersecurity is often seen as exclusively the domain of IT teams. Experts also often feel that cybersecurity’s status as a cost center devalues its importance. Are attitudes improving in the boardroom?
Small and medium-sized enterprises are generally focused on increasing sales.
They still lack awareness around cyber risk and do not consider it as a business risk. So they try to get it outsourced. But they are ignorant of the risks that they are exposed to, because the IT or managed service provider [might not be] doing anything about security because it’s not in the contract. This is something I have seen in Singapore and abroad.
What mostly drives change is the regulatory requirement. We cannot just assume that a company will raise their understanding of cybersecurity just because then they are aware [of the problem] – unless the business owner is technologically savvy.
It needs a regulatory push. In Singapore, we have the Monetary Authority of Singapore technology guidelines, for example.
READ MORE Strategies for combating increased cyber threats tied to coronavirus
View full post on National Cyber Security
NEW DELHI: City-based Virendra Shekhawat, founder of Delhi Photography Club, which teaches photography to beginners through workshops was the target of a cyber-attack in December 2017. The company’s Facebook page which had 2 lakh followers and 10,000 paid subscribers was hacked and Shekhawat was logged out of his own account.
Despite filing a police compliant and paying a ransom, Shekhawat failed to secure access to his account. He finally accessed it after Facebook reset his account. Shekhawat made just ₹12,000 from the page that month compared with monthly earnings of ₹3,00,000 and ₹4,00,000 prior to the attack.
Cyber-attacks on small- and medium-sized businesses (SMBs) have been on the rise. According to a 2019 study by Accenture, 43% of cyberattacks worldwide are aimed at SMBs. India has 6 crore SMBs that account for 30% of the GDP as per the Confederation of Indian Industry and with the adoption of technology their contribution is only likely to grow.
Consulting firm Zinnov expects SMBs in India to consume digital services worth $80 billion in the next 5 years.
Unlike large enterprises, many SMBs often do not have resources and manpower to deal with the evolving threat landscape. On top of it, they feel that they are not at risk.
A July 2019 study by UK based cyber-security firm Keeper Security found that decision makers in 62% of companies between $1 million and $500 million did not think they would be the target of cyber-attacks. It is this perception which may discourage them to spend enough on cyber-security.
“Small budgets certainly have a role to play for small companies that might forego hardware security via firewalls and unified threat management devices, and certainly would find it difficult to hire IT staff with the skill and experience to implement security measures,” said Samir Mody, vice president, CyberThreat Lab, K7 Computing, an Indian cyber-security firm.
To cut down on spending, many are tempted to use cracked or pirated software. Mody warned that using pirated or outdated operating systems also leads to the risk of cyber-attacks since they may not get security updates.
According to an August 2019 report by Russian cyber-security firm Kaspersky, despite the availability of newer versions of software, around 41% of consumers still use either an unsupported or approaching end of support desktop operating system such as Windows XP or Windows 7.
About 40% of very small businesses and 48% of SMBs continue to rely on these operating systems. Microsoft recently killed all support including security updates and patches for Windows 7.
SMBs in banking, financial services and insurance sector are more vulnerable as they allow cyber-criminals to make monetary gain and steal sensitive data at the same time.
Similar to SMBs, startups also feature high the list of potential targets of cyber-criminals. Despite founders of startups having a better understanding of modern day cyber-security risks, and a higher likelihood of them taking steps to protect their assets, there have been frequent cyber-attacks on startups. Among Indian startups, Zomato suffered a security breach in 2017.
Also, targeting startups can sometimes be more lucrative than SMBs. “Most important thing that a startup needs to protect is its IP (intellectual property). Many of these startups have no funding for first 6 to 12 months but they have a great idea. If the idea or source code is leaked, they can lose what makes them unique,” said Mukul Shrivastava, partner, Forensic and Integrity Services, EY India.
Credibility is also important. If a customer data base is breached, startups lose credibility, which can stall future investment in addition to heavy penalties they may have to pay, added Shrivastava. A 2019 study by US-based National Cyber Security Alliance suggests that 60% of SMBs that face a cyberattack tend to go out of business within six months.
Cyber-attacks have a catastrophic effect on startups as they are characteristically anchored in technology and operate on a lean infrastructure. If this infrastructure gets compromised, it usually compromises their business entirely, warned Rakesh Kharwal, managing director, India/South Asia & ASEAN, Cyberbit – an Israeli cyber-secuirty firm.
“Any cyber-attack primarily complicates a business in three ways, i.e. operations, market perception, and legal. Now, startups also have meagre capital. A report by Data Security Council of India (DSCI) also states that the average cost of cyber-attacks has increased by 8% in India. So, for startups, it becomes tough to sustain unit economics,” added Kharwal.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | WhatsApp is under attack and you should be aware of this growing risk
Along with WhatsApp, other firms being targeted in these scams include PayPal, Facebook, Microsoft and Netflix.
If you are concerned about these types of online attacks then the UK’s National Cyber Security Center has some good advice for consumers.
Here’s their top tips for avoiding phishing scams online.
• Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try and create official-looking emails by including logos and graphics. Is the design (and quality) what would you’d expect from a large organisation?
• Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
View full post on National Cyber Security
What Mr. Pierson describes is low-hanging fruit — the kind of security flaws that can quickly be fixed with a little knowledge and attention to detail. Even then, he said, it takes time for the true nature of clients’ vulnerability to sink in. “They’re shocked when we give them their password and tell them where we found it, but it doesn’t hit as hard as when we tell them their entire home automation system has been potentially online and viewable for three or five or eight years,” he said.
When it comes to a Bezos-style breach — potentially at the hands of a nation-state’s intelligence service — high-profile targets would likely be even less prepared. As Mr. Bezos’s lengthy investigation into the 2018 attack shows, it’s difficult to get straight answers even when you have the money and resources to run full forensics.
Of course, it’s not just wealth that turns somebody into a person of interest for hackers. Journalists, government employees, workers at energy companies and utilities could all be targets for someone. Those who work for financial firms, airlines, hospitals, universities, Hollywood studios and tech firms are all potentially at risk. To mitigate that risk, there are plenty of things you can do. You can take steps to secure yourself from corporate data collection using privacy settings on your phone. And to protect yourself from cyberattacks there are helpful guides you can use that have been vetted by security professionals.
For most of us, the attack against Mr. Bezos isn’t the death of privacy, but a reminder of the risks of living a connected life. It should be a moment to think as critically about what you do online as you might in the real world. Invest in a password manager. Turn on dual factor authentication. Be skeptical of any communication that looks out of place.
For the ultrarich and influential, the Bezos hack should be a terrifying revelation that, as the former State Department employee and whistle-blower John Napier Tye told me last autumn, “For someone who’s truly a high-value target, there is no way to safely use a digital device.” The stakes are astronomically high. Not just personally, as Mr. Bezos found, but professionally. Company secrets, matters of national security, access to critical infrastructure and the safety of employees could all be compromised by lax security at the top.
The internet has long been thought of as a truly democratic tool, flattening and democratizing the ability to publish and communicate. It’s also the great privacy equalizer. Money can buy a lot of things. But on a dangerous internet full of exploits, flawed code, shady actors and absent-minded humans, total, foolproof security is not one of them.
The post #deepweb | <p> Opinion | Jeff Bezos’s Phone Hack Should Terrify Everyone <p> appeared first on National Cyber Security.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans The debate over who the CISO should report to is a hot topic among security professionals, and that shows no sign of changing soon. That’s because there is still no standard or clear-cut answer. Ask CISOs themselves for their opinion, and you will get a variety […] View full post on AmIHackerProof.com