It’s time to take advantage of all those holiday specials and spend all your hard-earned bitcoin — er, I mean money — buying gifts for friends, family and, of course, yourself. Many retailers, large and small, online and brick-and-mortar, run holiday promotions as early as September. Gone are the days of waiting until Black Friday or Cyber Monday to take advantage of sales and specials.
The bad guys will be shopping, too — just not for the same items you are. Instead, they will be shopping for your wallet.
It’s true that some cyber Grinches ramp up their malicious activities during the holiday season, perhaps in the form of holiday-specific spam, spear phishing or compromised sites. While increased vigilance is encouraged during this time, there are a number of cybersecurity tips and best practices consumers and retailers should follow throughout the year to help mitigate threats. Having the right controls and awareness in place before the holidays can go a long way during the busy shopping season.
For Retailers: Vigilance Encouraged Throughout the Year
Black Friday and Cyber Monday are heavy shopping days and are likely to remain so for the foreseeable future. However, IBM X-Force research conducted over the past few years revealed that there was no significant uptick in network attacks targeting X-Force-monitored retailers during the traditional holiday shopping period in late November. In fact, last year, the volume of attacks for those two days fell below the daily attack average for retailers.
However, now that the shopping extravaganza lasts for two or more months, it’s possible that this four-day window is too short of a time period to identify notable network attack trends.
So far in 2017, network attacks targeting retail networks were highest in Q2, with June being the most-targeted month. Attacks dropped notably beginning in August and have been steadily declining, with the volume of attacks monitored for October below the monthly average for the year.
Time to celebrate? Not necessarily. In 2016, we observed a notable surge in the volume of attacks targeting retailers in mid to late December. Additionally, malware compromises occurring earlier in the year that have gone undetected can wreak havoc once the busy season commences. In December 2016, a security researcher discovered that nearly 7,000 online stores running Magento shopping cart software were infected with data-stealing skimmer malware capable of logging credit cards and passwords and making them available to attackers as image files for exfiltration.
Furthermore, bad actors do not have to steal anything to wreak havoc on the retail industry. A distributed denial-of-service (DDoS) attack is enough to cost the sector millions. In fact, the average cost of a DDoS attack for organizations across all industries rose to over $2.5 million in 2016.
Retailers are encouraged to monitor their networks with increased vigilance during this holiday season. Vulnerable point-of-sale (POS) systems, compromised websites, and targeted spam and phishing campaigns can be costly.
To help keep your security posture strong over this holiday shopping season and all year long, review and implement the recommendations outlined in the IBM report, “Security Trends in the Retail Industry.”
For Consumers: What Cybersecurity Tips Are Missing From Your Repertoire?
Many online consumers have improved their security awareness as media coverage and education opportunities have increased. However, below are a few cybersecurity tips that many consumers likely haven’t thought of.
Assess Convenience Versus Risk
Our digital interactions leave data trails. Finding the right balance between personalization and privacy is the consumer’s responsibility, not just the retailer’s. Many sites have the option to save your card data for future use. While this feature offers convenience to the consumer, the stored data can be stolen via SQL injection attacks or other database compromises — after all, there are billions of leaked records due to misconfigured servers. Always look for the green lock icon in the browser address bar to ensure a secure connection to websites.
Be Wary of Unsuspicious Emails
Criminals have gotten really good at devising phishing lures that are extremely difficult to recognize as fraudulent. Receive an attachment from someone that appears to be in your contact list? Call them to confirm. Order something online? Before clicking the “track package” link in the confirmation email, ensure that it is actually an item you purchased from the correct vendor.
Use Passphrases and Multifactor Authentication
Exercise strong password hygiene by choosing to use a long, easy-to-remember passphrase, such as “ipreferpassphrasesoverpasswords,” instead of complex passwords containing a combination of letters, numbers and special characters. Unfortunately, this is not always an option since many websites now require a password that contains this combination. Use different passphrases for each site. If this seems too daunting, use a password manager. Rather than managing dozens of passphrases on your own, you’ll just have to remember the one key to your digital vault.
Always opt for multifactor authentication when available, and figure out which option is the most secure when choosing a real-time short message service (SMS) text message, an email message or an automated phone call.
Get Creative With Security Questions
When setting up new accounts, opt for security and password reset questions that aren’t public to make it harder for fraudsters to get their hands on your information. For example, don’t use your mother’s maiden name, which could be easily found online. Even answers to opinion-based questions, such as favorite movie, food, etc., can be found on social media. For increased security, lie about your answers or use passphrases as the answers.
By now, you have most likely heard of skimmers being placed on the card readers at gas stations and bank ATMs. A skimmer is a hidden device placed inside the mouth of a payment card reader that is designed to copy your card data for criminals to use later. But what about in-store POS systems? Be on the lookout for suspicious-looking card swiping terminals that could be skimmers, or cash register attendants who seem to swipe your card on two different readers. Maintain this vigilance not only during the holiday season, but all the time, especially if you travel to other countries.
Know Your Card Security Features
Banks and credit card companies have implemented some great security features, such as being able to set limits on the number of times the card can be used within an hour or on the amount that can be spent on one purchase. However, if you’re unaware of these limits for your personal accounts or your phone number is not up to date in your bank profile, you may end up with a declined card.
Cover Your Card
Is the person in line behind you taking a selfie, or is he or she taking a picture of your card as you make a purchase? By obtaining the credit card number, name, expiration date and the card security code or card verification value on the back, an attacker may be able to use the information to make online purchases.
Keep Your Guard Up Year-Round
The holiday season is a great time to take stock of the past year while relaxing and spending time with loved ones, but it’s no time to let your guard down, especially given the increasing sophistication of cybercriminal tactics targeting holiday shoppers and sellers alike. We encourage retailers and consumers to follow best practices not only this holiday season, but also all year long to help mitigate attacks and compromise.
View full post on National Cyber Security Ventures
Since the 2013 Target breach, it’s been clear that companies need to respond better to security alerts even as volumes have gone up. With this year’s fast-spreading ransomware attacks and ever-tightening compliance requirements, response must be much faster. Adding staff is tough with the cybersecurity hiring crunch, so companies are turning to machine learning and artificial intelligence (AI) to automate tasks and better detect bad behavior.
What are artificial intelligence and machine learning?
In a cybersecurity context, AI is software that perceives its environment well enough to identify events and take action against a predefined purpose. AI is particularly good at recognizing patterns and anomalies within them, which makes it an excellent tool to detect threats.
Machine learning is often used with AI. It is software that can “learn” on its own based on human input and results of actions taken. Together with AI, machine learning can become a tool to predict outcomes based on past events.
Using AI and machine learning to detect threats
Barclays Africa is beginning to use AI and machine learning to both detect cybersecurity threats and respond to them. “There are powerful tools available, but one must know how to incorporate them into the broader cybersecurity strategy,” says Kirsten Davies, group CSO at Barclays Africa.
For example, the technology is used to look for indicators of compromise across the firm’s network, both on premises and in the cloud. “We’re talking about enormous amounts of data,” she says. “As the global threat landscape is advancing quite quickly, both in ability and collaboration on the attacker side, we really must use advanced tools and technologies to get ahead of the threats themselves.”
AI and machine learning also let her deploy her people for the most valuable human-led tasks. “There is an enormous shortage of the critical skills that we need globally,” she says. “We’ve been aware of that coming for quite some time, and boy, is it ever upon us right now. We cannot continue to do things in a manual way.”
The bank isn’t alone. San Jose-based engineering services company Cadence Design Systems, Inc., continually monitors threats to defend its intellectual property. Between 250 and 500 gigabits of security-related data flows in daily from more than 30,000 endpoint devices and 8,200 users — and there are only 15 security analysts to look at it. “That’s only some of the network data that we’re getting,” says Sreeni Kancharla, the company’s CISO. “We actually have more. You need to have machine learning and AI so you can narrow in on the real issues and mitigate them.”
Cadence uses these technologies to monitor user and entity behavior, and for access control, through products from Aruba Networks, an HPE company. Kancharla says that the unsupervised learning aspect of the platform was particularly attractive. “It’s a changing environment,” he says. “These days, the attacks are so sophisticated, they may be doing little things that over time grow into big data exfiltration. These tools actually help us.”
Even smaller companies struggle with the challenge of an overload of security data. Daqri is a Los Angeles-based company that makes augmented reality glasses and helmets for architecture and manufacturing. It has 300 employees and just a one-person security operations center. “The challenge of going through and responding to security events is very labor-intensive,” says Minuk Kim, the company’s senior director of information technology and security.
The company uses AI tools from Vectra Networks to monitor traffic from the approximately 1,200 devices in its environment. “When you look at the network traffic, you can see if someone is doing port scans or jumping from host to host, or transferring out large sections of data through an unconventional method,” Kim says.
The company collects all this data, parses it, and feeds it into a deep learning model. “Now you can make very intelligent guesses about what traffic could potentially be malicious,” he says.
It needs to happen quickly. “It’s always about the ability to tighten up the detection and response loop,” he says. “This is where the AI comes in. If you can cut the time to review all these incidents you dramatically improve the ability to know what’s happening in your network, and when a critical breach happens, you can identify and respond quickly and minimize the damage.”
AI adoption for cybersecurity increasing
AI and machine learning are making a significant difference in how fast companies can respond to threats, confirmed Johna Till Johnson, CEO at Nemertes Research. “This is a real market,” she says. “There is a real need, and people are really doing it.”
Nemertes recently conducted a global security study, and the average time it took a company to spot an attack and respond to it was 39 days — but some companies were able to do it in hours. “The speed was correlated with automation, and you can’t automate these responses without using AI and machine learning,” she says.
Take detection, for example: “The median time for detection is one hour,” she says. “High-performing companies typically do this in under 10 minutes — low performing companies take days to weeks. Machine learning and analytics can bring this time to effectively zero, which is why the high-performing companies are so fast.”
Similarly, when analyzing threats, the median time is three hours. High-performing companies take just minutes; others take days or weeks. Behavioral threat analytics have already been deployed by 21 percent of the companies surveyed, she says, and another 12 percent say they would have it in place by the end of 2017.
Financial services firms in particular are on the leading edge, she says, since they have high-value data, tend to be ahead of the curve on cybersecurity, and have money to spend on new technologies. “Because it’s not cheap.”
When it comes to broader applications of AI and machine learning, the usage numbers are even higher. According to a Vanson Bourne survey released on October 11, 80 percent of organizations are already using AI in some form. The technology is already paying off. The single biggest revenue impact of AI was in product innovation and R&D, with 50 percent of respondents saying the technology was making a positive difference, followed by customer service at 46 percent and supply chain and operations at 42 percent. Security and risk wasn’t far behind, with 40 percent seeing bottom-line benefits.
The numbers are likely to keep going up. According to a recent Spiceworks survey, 30 percent of organizations with more than 1,000 employees are using AI in their IT departments, and 25 percent plan to adopt it next year.
Seattle-based marketing agency Garrigan Lyman Group is deploying AI and machine learning for a number of cybersecurity tasks, including monitoring for unusual network and user activity and to spot new phishing emails. Otherwise, it’s impossible to keep up, says Chris Geiser, the company’s CTO. “The hackasphere is a volunteer army and it doesn’t take much education or knowledge to get started,” he says. “They automated their operations a long time ago.”
AI and machine learning give the company an edge. Although the company is small — just 125 employees — cloud-based deployment makes it possible to get the latest technology, and get it quickly. “We can have those things up and running and adding value within a couple of weeks,” he says. The Garrigan Lyman Group has deployed AI-enabled security tools from Alert Logic and Barracuda, and Geiser says that he can see the products getting smarter and smarter.
In particular, AI can help tools adapt quickly to a company’s requirements without significant up-front training. “For example, an AI model can automatically learn that for some companies if the CEO is using a non-corporate email address it is anomalous,” says Asaf Cidon, VP of content security services at Barracuda Networks, Inc. “In other companies, it is totally normal for the CEO to use their personal email when they are communicating from their mobile device, but it would not be normal for the CFO to send emails from their personal address.”
Another benefit of cloud delivery is that it’s easier for vendors to improve their products based on feedback from their entire customer base. “Cybersecurity is a lot like neighborhood watch,” Geiser says. “If I didn’t like what I saw on the other end of the block, it tips everyone off that there could be a problem.”
In the case of phishing emails or network attacks, new threats can be spotted when they first show up in other time zones, giving companies hours of early warning. That does require a level of trust in the vendor, Geiser says. “We’ve gone on reputation, references, on a number of different due diligence paths to make sure that the vendors are the right vendors to use, and follow best practices for audit and compliance to make sure that only the right person has access,” he says.
As companies first transition from manual processes to AI-based automation, they look for another kind of trust — in addition to having visibility into the vendors’ operations, it helps to have visibility into the AI’s decision-making process. “A lot of the AI out there right now is this mysterious black box that just magically does stuff,” says Mike Armistead, CEO and co-founder at Respond Software, Inc. “The key in expert systems is to make it transparent, so people trust what you do. That gets even better feedback, and creates a nice virtuous cycle of reinforcing and changing the model as well.”
“You always need to know why it made the decision,” confirmed Matt McKeever, CISO at LexisNexis Legal and Professional. “We need to make sure, do we understand how the decision was made.”
The company recently began using GreatHorn to secure email for its 12,000 employees. “If we start getting emails from a domain that looks similar to a legitimate one, it will flag it as a domain look-alike, and it tells us, ‘We flagged it because it looks like a domain you normally talk to, but the domain header flags don’t look right,’” says McKeever. “We can see how it figured that out, and we can say, ‘Yes, that absolutely makes sense.’”
As the level of trust increases, and accuracy rates improve, LexisNexis will move from simply flagging suspicious emails to automatically quarantining them. “So far, the results have been really good,” McKeever says. “We have high confidence that what we’re flagging is malicious email, and we’ll start quarantining it, so the user won’t even see it.”
After that, his team will expand the tool into other divisions and business areas at LexisNexis that use Office 365, and look at other ways to take advantage of AI for cybersecurity as well. “This is one of our early forays into machine learning for security,” he says.
How AI gets ahead of the threat landscape
AI gets better with more data. As vendors accumulate large data sets, their systems can also learn to spot very early indications of new threats. Take SQL injections, for example. Alert Logic collects about half a million incidents every quarter for its 4,000 customers, about half of which are SQL injection incidents. “There’s not a security company in the world that can look at each one of those with a human set of eyes and see if that SQL injection attempt was a success or not,” says Misha Govshteyn, Alert Logic’s cofounder and SVP of products and marketing.
With machine learning, the vendor is not only able to process the events more quickly, but also correlate them across time and geography. “Some attacks take more than a couple of hours, sometimes days, weeks, and in a few cases months,” he says. “Not only are they taking a long time to execute, but also coming from different parts of the Internet. I think these are incidents that we would have missed before we deployed machine learning.”
Another security vendor that is collecting a large amount of information about security threats is GreatHorn, Inc., a cloud-based email security vendor that works with Microsoft’s Office 365, Google’s G Suite, and Slack. “We’re now sitting on almost 10 terabytes of analyzed threat data,” says Kevin O’Brien, the company’s co-founder and CEO. “We’re starting to feed that information into a tensor field so we can start to plot relationships between different kinds of communications, different kinds of mail services, different kinds of sentiments in messaging.”
That means that the company can spot new campaigns and send messages to quarantine, or put warning banners on them days before they’re conclusively identified as threats. “Then we can retroactively go back and take them out of all email inboxes where they were delivered,” he says.
Where AI for cybersecurity is headed next
Looking for suspicious patterns in user behavior and network traffic is currently the low-hanging fruit for machine intelligence. Current machine learning systems are getting good at spotting unusual events in high volumes of data and carrying out routine analysis and responses.
The next step is to use artificial intelligence to tackle more thorny problems. For example, the real-time cyber risk exposure of a company depends on a large number of factors. Those include unpatched systems, insecure ports, incoming spear phishing emails, number of privileged accounts and insecure passwords, amount of unencrypted sensitive data, and whether it is currently being targeted by a nation-state attacker.
Having an accurate picture of its risks would help a company deploy resources most efficiently, and create a set of metrics for cybersecurity performance other than whether the company has been breached or not. “Today, if you were to try to describe your environment, this data is either not being gathered correctly or not being converted into information,” says Gaurav Banga, founder and CEO at Balbix, Inc., a startup that is specifically trying to tackle the problem of predicting the risk of a breach.
AI is key to solving that challenge. “We have 24 different types of AI algorithms,” Banga says. “We produce a bottom-up model, a risk heat map that covers every aspect of the environment, clickable so you can go down and see why something is red. It is prescriptive, so it tells you that if you can do these things, it can become yellow and eventually green. You can ask questions — ‘What is the number one thing I can do now?’ or ‘What is my phishing risk?’ or ‘What is my risk from WannaCry?’”
In the future, AI will also help companies determine what new security technologies they need to invest in. “Most companies today don’t know how much to spend on cybersecurity and how to spend it,” says James Stanger, chief technology evangelist at CompTIA. “I think we need AI to help provide metrics, so that as a CIO turns around and talks to the CEO or talks to the board, and says, ‘Here’s the money we need and here are the resources we need,’ and have the true and useful metrics to justify those costs.”
There’s a lot of room for progress, says Alert Logic’s Govshteyn. “There is very little use of AI in the security space,” he says. “I think we’re actually behind other industries. It’s amazing to me that we have self-driving cars before we have self-defending networks.”
In addition, today’s AI platforms don’t actually have an understanding of the world. “What these technologies are very good at are things like classification of data based on similar data sets that they’ve been trained on,” says Steve Grobman, CTO at McAfee LLC. “But AI isn’t really intelligent. It doesn’t understand the concept of an attack.”
As a result, a human responder is still a critical component of a cyber defense solution. “In cyber security, you’re trying to detect an adversary who is also human and is trying to thwart your detection techniques,” Grobman says.
That’s different from any other areas where artificial intelligence is currently being applied, such as image and speech recognition or weather forecasting. “It’s not like the hurricane is saying, ‘I’m going to change the laws of physics and make water evaporate differently to make it more difficult to track me,’” says Grobman. “But in cybersecurity, that’s exactly what’s happening.”
Progress is being made on that front. “There’s a research area called generative adversarial networks, where you have two machine learning models where one tries to detect something and the other sees if something was detected and tries to bypass it,” says Sven Krasser, chief scientist at CrowdStrike, Inc. “You can use things like that for red teaming, for figuring out what new threats can be.”
The post How #AI can help you stay ahead of #cybersecurity threats appeared first on National Cyber Security Ventures.
Hackers using stolen iCloud credentials have been able to use Apple’s Find My Device features to remotely lock down computers and demand Bitcoin ransoms from affected users. However, that doesn’t mean Apple’s iCloud was hacked. Instead, hackers are likely trying their luck with some of the many available username and…
The post Hackers are locking people out of their MacBooks – here’s how to stay safe appeared first on National Cyber Security Ventures.
Dating apps are a great way to connect with people, but meeting a complete stranger comes with the very real side effect of Stranger Danger. Plus, with personal information more accessible than ever, you never know…
The post Online Dating Tips: How to Stay Safe Using Dating Apps appeared first on Become007.com.
Better Business Bureau warns if you are traveling this summer and taking advantage of free WiFi, double check before connecting your device. Scammers use fake WiFi hotspots to steal personal information or gain access to your device. “Say you’re at a coffee shop, airport, hotel lobby, or other public place,…
The post Stay safe online this summer, watch out for fake WiFi networks appeared first on National Cyber Security Ventures.
Hackers, spammers and cybercriminals have a multitude of methods they can use to infiltrate computer systems, steal data, plant malware or compromise your personal information. One of the most long-standing tactics is targeted ‘phishing’, also known as spearphishing.
View full post on National Cyber Security Ventures
View full post on Education Week: Bullying
The post Teen suspect in shooting outside school to stay in custody – Education Week appeared first on Parent Security Online.
This article first appeared on QuietRev.com
Do you encounter decision fatigue every time you face the prospect of trying to talk yourself into going out? Do you secretly celebrate a last-minute cancellation of plans by a friend—even though you theoretically adore said friend? Well, have we got the tool for you!
This chart will help you decide whether you should go out or stay in on any given occasion.
(Secret piece of trivia: Marzi said this is her longest chart ever. All for you, dear readers.)
Every Friday night, writer Jill Savage and her husband have conflicting opinions on how they’d like to spend the weekend.
“My extrovert husband gets to Friday night and thinks, ‘It’s the weekend, who can we get together with?’” she explained. “I, on the other hand, get to Friday and think to my introvert self, ‘I’m so glad it’s the weekend because I don’t have to see any people until Sunday at church!’”
Like many couples in mixed introvert-extrovert relationships, Savage and her spouse usually come to some kind of compromise. Below, therapists, relationship writers and real-life couples share their best advice for introverts and extroverts in love.
The post How To Stay Married When You’re An Introvert And He’s An Extrovert appeared first on Parent Security Online.
It may be difficult, but spouses with polar-opposite political views can make it past voting day, said Pepper Schwartz, a professor of sociology at the University of Washington and an expert on FYI’s reality series Married at First Sight.
“There are some things, including disagreements over politics, that cannot be resolved but they can be ignored or considered off limits,” she told The Huffington Post. “I have known more than a few couples that have campaigned hard for opposing candidates but still love each other.”
The post How To Stay Married When You’re With Hillary But He’s With Trump appeared first on Parent Security Online.