Stop

now browsing by tag


How to Stop Reacting in Anger When You’re Triggered | #uplifiting | #empowering | romancescams | #scams

Source: National Cyber Security – Produced By Gregory Evans

“Freedom is taking control of the rudder of your life.” ~Yukito Kishiro “What’s for dinner?” It’s a simple enough question. Yet it’s one that has made me lose my mind […]

The post How to Stop Reacting in Anger When You’re Triggered | #uplifiting | #empowering | romancescams | #scams appeared first on National Cyber Security.

View full post on National Cyber Security

‘Scambaiting’ is racist and dangerous, so let’s stop celebrating it | #romancescams | romancescams | #scams


Fraud has reached “epidemic” levels in the UK over the past 12 months, costing up to £190 billion a year and constituting what the Royal United Services Institute has called […]


Why can’t I stop having affairs? | Agony Aunt | #Cheating | #Cheater | #marriage | romancescams | #scams


Columnist and trained counsellor Fiona Caine answers another set of reader dilemmas. I have a destructive streak where relationships are concerned, and I simply don’t seem to be able to […]


Ask Annie: He’s having sex with mother-in-law. Stop playing games! | #bumble | #tinder | #pof | #onlinedating | romancescams | #scams


Dear Annie: I’m a 34-year-old man with a superb wife. We’ve been married eight years, and things are great between us. The problem is my mother-in-law. I’m sleeping with her. […]


Churches statewide help raise $68,000 to stop sex trafficking | #tinder | #pof | #match | #sextrafficking | romancescams | #scams


LEESVILLE, La. (KALB) – Churches in Louisiana raised $68,000 to help fight sex trafficking. The First Assembly of God Church in Leesville helped contribute to that total by participating in […]


#relationshipscams | #dating | How to Spot and Stop Robocalls | romancescams | #scams

Robocalls are an annoying epidemic for both consumers and businesses. The Federal Communications Commission (FCC) cracked down on the scam callers, and creative, tech-savvy individuals are coming up with ways to block […]

API Management and Security: No One Stop Shop Yet


From what used to be a purely technical concept created to make developers’ lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere – at homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing about the Internet of Things.

When dealing with APIs, security should not be an afterthought

In a world where digital information is one of the “crown jewels” of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring or a multitude of other purposes.

As often happens in such scenarios, security quickly becomes an afterthought at best or, worse, is seen as a nuisance and an obstacle on the road to success. The success of an API is measured by its adoption, and security mechanisms are seen as friction that limits this adoption. There are also several common misconceptions about the very notion of API security, notably the idea that existing security products such as web application firewalls are perfectly capable of addressing API-related risks. A WAF matches known attack patterns in request syntax; many API risks, such as a perfectly well-formed request that reads another customer's record, carry no such pattern at all.
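The following is an added example, not code from KuppingerCole or from any product the article discusses, of why signature matching alone does not cover API risk. A stand-in WAF (three constructed injection and traversal patterns) sits in front of an invoice endpoint; the request `GET /invoices/102` from a caller who does not own invoice 102 passes the WAF cleanly, and only the handler that enforces object-level authorization refuses it. The invoice records, the pattern list and the handler names are all assumptions made for the example.

```python
import re

# Constructed sample data for this example: two invoices owned by two
# different customers of the same API.
INVOICES = {
    101: {"owner": "alice", "total": 1200},
    102: {"owner": "bob", "total": 875},
}

# A deliberately minimal stand-in for a signature-based WAF rule set
# (assumption for this example): it knows classic injection and traversal
# patterns in the request path and body, and nothing about who may read what.
WAF_PATTERNS = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]


def waf_allows(path: str, body: str = "") -> bool:
    """True when no known attack signature matches the request."""
    return not any(p.search(path) or p.search(body) for p in WAF_PATTERNS)


def get_invoice_vulnerable(caller: str, invoice_id: int):
    """Authenticated but not authorized: any caller can read any invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_hardened(caller: str, invoice_id: int):
    """Object-level authorization: the record must belong to the caller.
    Missing and foreign records get the same answer, so the endpoint does
    not become an oracle for which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != caller:
        return None
    return invoice


def handle(handler, caller: str, path: str):
    """Route GET /invoices/<id> through the WAF and then the given handler.
    Returns (status, body) the way a minimal HTTP layer would."""
    if not waf_allows(path):
        return 403, None
    match = re.fullmatch(r"/invoices/(\d+)", path)
    if match is None:
        return 404, None
    record = handler(caller, int(match.group(1)))
    return (200, record) if record is not None else (404, None)


if __name__ == "__main__":
    # alice asking for bob's invoice: the WAF sees a clean request either way.
    print(handle(get_invoice_vulnerable, "alice", "/invoices/102"))  # leaks bob's record
    print(handle(get_invoice_hardened, "alice", "/invoices/102"))    # (404, None)
```

The point of the hardened handler is that the check is about the relationship between the caller and the object, which no request-syntax filter can see; it has to live in the API itself or in an access-control layer that knows the ownership model.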

An integrated API security strategy is indispensable

Creating a well-planned strategy and reliable infrastructure for exposing business functionality securely to partners, customers and developers is a significant challenge, and one that has to be addressed not just at the gateway but along the whole information chain, from backend systems to endpoint applications. Point solutions that address only individual links in this chain are therefore not viable in the long term.

Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams, and smart, risk-based, actionable automation for security analysts, can an organization ensure consistent management, governance and security of its corporate APIs, and thus the continuity of the business processes that depend on them.

Security challenges often remain underestimated

We have long recognized the API economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which lets organizations create new business models and connect with partners and customers, has tipped the industry towards the lightweight RESTful APIs that are commonly used today.

Unfortunately, many organizations underestimate the security challenges of opening up their APIs without a security strategy and infrastructure in place. Popular emerging technologies such as the Internet of Things or Software Defined Computing Infrastructure (SDCI), which rely heavily on API ecosystems, bring new security challenges with them. New distributed application architectures, such as those based on microservices, introduce their own share of technical and business problems as well.

KuppingerCole’s analysis is primarily looking at integrated API management platforms, but with a strong focus on security features either embedded directly into these solutions or provided by specialized third party tools closely integrated with them.

The API market has changed dramatically within just a few years

When we started following the API security market over 5 years ago, the industry was still in a rather early emerging stage, with most large vendors focusing primarily on operational capabilities, with very rudimentary threat protection functions built into API management platforms and dedicated API security solutions almost non-existent. In just a few years, the market has changed dramatically.

On one hand, the core API management capabilities are quickly becoming almost a commodity: every cloud service provider, for example, now offers at least basic API gateway functionality built into its platform, using its native identity management, monitoring and analytics capabilities. Enterprise-focused API management vendors are therefore looking to expand the coverage of their solutions to address new business, security or compliance challenges. Some more forward-looking vendors no longer consider API management a separate discipline within IT at all, and offer their existing tools as part of larger enterprise integration platforms.

On the other hand, growing public awareness of API security challenges has dramatically increased the demand for specialized tools for securing existing APIs. This has led to the emergence of numerous security-focused startups offering innovative solutions, usually within a single area of the API security discipline.

Despite consolidation, there is no “one stop shop” for API security yet

Unfortunately, the field of API security is very broad and complicated, and very few (if any) vendors are currently capable of delivering a comprehensive security solution covering all required functional areas. Although the market is already showing signs of consolidation, with larger vendors acquiring these startups and incorporating their technologies into existing products, expecting to find a “one stop shop” for API security is still premature.

Although the current state of the API management and security market is radically different from the situation just a few years ago, and the overall developments are extremely positive, indicating growing demand for more universal and convenient tools and increasing quality of available solutions, the market has yet to reach anything resembling maturity. It is therefore all the more important for companies developing their API strategies to be aware of current developments and to look for solutions that implement the required capabilities and integrate well with existing tools and processes.

Hybrid deployment model is the only flexible and future-proof security option

Since most API management solutions are expected to provide management and protection for APIs regardless of where they are deployed – on-premises, in any cloud or within containerized or serverless environments – the very notion of the delivery model becomes complicated.

Most API management platforms are designed to be loosely coupled, flexible, scalable and environment-agnostic, with the goal of providing consistent functional coverage for all types of APIs and other services. While the gateway-based deployment model remains the most widespread, with API gateways deployed closer either to existing backends or to API consumers, modern application architectures may require alternative deployment scenarios, such as service meshes for microservices.

Dedicated API security solutions that rely on real-time monitoring and analytics may either be deployed in-line, intercepting API traffic, or work out-of-band, consuming traffic records and events from the API management platform. Management consoles, developer portals, analytics platforms and many other components, however, are usually deployed in the cloud to provide a single pane of glass across heterogeneous deployments. A growing number of additional capabilities are now offered as Software-as-a-Service with consumption-based licensing.
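As an added example of the out-of-band style of analysis, not code from the article or from any vendor it mentions: gateway access records are grouped by API key and route, and a key that walks through many distinct object IDs within a short window, mostly receiving misses, is flagged as an enumeration sweep. The event field names (`ts`, `key`, `path`, `status`), the rule that numeric path segments are object IDs, the sample events and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Numeric path segments are treated as object identifiers (assumption for
# this example; real gateways usually export the matched route directly).
ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def route_template(path: str) -> str:
    """Collapse object IDs so /v1/orders/41 and /v1/orders/42 share one route."""
    return ID_SEGMENT.sub("/{id}", path)


def object_ids(path: str):
    """The object identifiers carried in a path, in order."""
    return tuple(ID_SEGMENT.findall(path))


def build_sample_log():
    """Constructed gateway access events (field names are assumptions):
    one legitimate client re-reading its own order, and one API key
    walking order IDs sequentially, most of which do not exist."""
    events = []
    for i in range(5):
        events.append({"ts": 1_700_000_000 + 10 * i, "key": "k-alice",
                       "path": "/v1/orders/5001", "status": 200})
    for i in range(1, 41):
        events.append({"ts": 1_700_000_000 + i, "key": "k-scan",
                       "path": f"/v1/orders/{i}",
                       "status": 200 if i % 10 == 0 else 404})
    return events


def detect_enumeration(events, window_s=60, min_distinct=20, max_hit_ratio=0.5):
    """Flag (api key, route) pairs that touch many distinct object IDs within
    one time window and mostly miss: the shape of an ID sweep, not of a
    client using its own objects. Thresholds are example values."""
    by_pair = defaultdict(list)
    for event in events:
        by_pair[(event["key"], route_template(event["path"]))].append(event)

    findings = []
    for (key, route), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Keep only the events inside the sliding window ending at evs[end].
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            window = evs[start:end + 1]
            distinct = {object_ids(e["path"]) for e in window}
            if len(distinct) < min_distinct:
                continue
            hits = sum(1 for e in window if 200 <= e["status"] < 300)
            ratio = hits / len(window)
            if ratio <= max_hit_ratio:
                findings.append({"key": key, "route": route,
                                 "distinct_ids": len(distinct),
                                 "hit_ratio": round(ratio, 2)})
                break  # one finding per pair is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(build_sample_log()):
        print(finding)  # only the sweeping key is reported
```

Because the detector keys on the route template rather than the raw path, the same logic applies to every object-bearing endpoint the gateway fronts; in an in-line deployment the same counters could drive throttling of the offending key instead of only an alert.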

In short, for a comprehensive API management and security architecture a hybrid deployment model is the only flexible and future-proof option. Still, for highly sensitive or regulated environments customers may opt for a fully on-premises deployment.

Required Capabilities

In our upcoming Leadership Compass on API Management and Security, we evaluate products according to multiple key functional areas of API management and security solutions. These include API Lifecycle Management core capabilities, flexibility of Deployment and Integration, developer engagement through Developer Portal and Tools, strength and flexibility of Identity and Access Control, API Vulnerability Management for proactive hardening of APIs, Real-time Security Intelligence for detecting ongoing attacks, Integrity and Threat Protection for securing the data processed by APIs and, last but not least, each solution’s Scalability and Performance.


Alexei Balaganski is lead analyst at KuppingerCole. Read more KuppingerCole blogs here.


#hacking | Hacking should be taught in schools ‘like sport’ to stop children becoming criminals, says Lauri Love 


Hacking and other cybersecurity skills should be taught in schools in a similar way to sports, said alleged hacker Lauri Love.

The activist, who won a legal battle in 2018 to block his extradition to the US over allegations that he hacked into computer networks including NASA, the Federal Reserve and the US Army, said schools in the UK need to be more sophisticated in the way they teach technical skills to students.

“We need to treat this a bit like we treat sport,” Mr Love said at an event in London run by cybersecurity business Redscan.

Mr Love said that students should be given a “structured, controlled environment” to learn cybersecurity skills in order to stop them engaging in criminal behaviour….


Hackers have #taken down #dozens of #911 #centers. Why is it so #hard to stop #them?

When news broke last week of a hacking attack on Baltimore’s 911 system, Chad Howard felt a rush of nightmarish memories.

Howard, the information technology manager for Henry County, Tennessee, faced a similar intrusion in June 2016, in one of the country’s first so-called ransomware attacks on a 911 call center. The hackers shut down the center’s computerized dispatch system and demanded more than $2,000 in bitcoin to turn it back on. Refusing payment, Howard’s staff tracked emergency calls with pencil and paper for three days as the system was rebuilt.

“It basically brought us to our knees,” Howard recalled.

Nearly two years later, the March 25 ransomware attack on Baltimore served as another reminder that America’s emergency-response networks remain dangerously vulnerable to criminals bent on crippling the country’s critical infrastructure ─ either for money, or something more nefarious.

There have been 184 cyberattacks on public safety agencies and local governments in the past 24 months, according to a compilation of publicly reported incidents by the cybersecurity firm SecuLore Solutions. That includes Atlanta, which fell victim to a ransomware attack a couple of days before the one on Baltimore, scrambling the operations of many agencies, but not the 911 system.

911 centers have been directly or indirectly attacked in 42 of the 184 cases on SecuLore’s list, the company says. Two dozen involved ransomware, in which attackers use malicious software to lock or encrypt a computer system and hold it hostage for payment.

Most of the other attacks involve “denial of service,” in which centers are immobilized by a flood of automated bogus calls. One of the first occurred in October 2016, when Meetkumar Desai, then 18, of Arizona, distributed a computer bug on Twitter that overwhelmed 911 centers in 12 states. The motivations for such attacks are often less about the money than doing damage — sometimes as a form of protest, as when the “hacktivist” group Anonymous took down Baltimore’s city website after the death of Freddie Gray while in police custody, experts say. Desai reportedly told authorities he meant his attack more as a prank.

“911 is the perfect [target] because it can’t afford to be down,” said Tim Lorello, SecuLore’s president and CEO.

This is how 911 works: When someone dials for help ─ typically from a mobile phone ─ the call gets routed from a cell tower to a 911 center, where a “telecommunicator” answers the phone and gathers basic information. The telecommunicator enters that information into a computer-aided dispatch system, where a dispatcher picks it up and coordinates a response from firefighters, police officers or ambulances.

The 911 system relies on redundancy, meaning that call centers taken out of service by an attack can work around the disruption by shutting down the computer-aided dispatch system and sharing information person-to-person, or by sending calls to a nearby center. But depending on the type of attack and a 911 center’s resources, those disruptions can make it harder for people to reach someone in an emergency. A July 2017 investigation by Scripps News into the vulnerabilities of 911 systems noted the case of a 6-month-old Dallas boy who died after his babysitter’s 911 calls were delayed during an apparent denial-of-service attack.

J.J. Guy, chief technology officer at the cybersecurity firm Jask, said that the spread of ransomware attacks on public safety agencies and other key government operations shows the potential for cyberterrorists to target the country’s critical infrastructure.

Last month, the Department of Homeland Security outlined in a report how Russian hackers have gained access to American power plants. The hackers did not cause service interruptions, but the fact that they could gain access at all is troubling to security experts.

“To date, if you don’t have credit cards or lots of personal information, attackers had little motivation and thus you were mostly safe,” Guy said in an email. “This will change those dynamics. Manufacturing, logistics, etc — any field with an operations mindset that loses money when ‘the line is down’ will be targeted.”

The attack on Baltimore was discovered March 25, after a morning breach of its computer-aided dispatch system, officials said. The city’s cybersecurity unit took the system down, forcing support staff to pass 911 calls to dispatchers on paper rather than electronically. Call-center operations returned to normal early the next day, officials said. Investigators later determined that the intrusion was an attempted ransomware attack, but “no ransom was demanded or paid,” city spokesman James Bentley said. He declined to explain further, saying that doing so “could compromise the investigation.”

Most ransomware cases end similarly, with governments refusing to pay hackers, choosing instead to switch to a more primitive version of 911 services while they rebuild their systems. Governments have caved at times, however, although officials decline to say much about those incidents, out of concern that it will encourage more attacks.

Another problem with the current 911 system is that it doesn’t accommodate the ways people communicate in the modern world ─ through texts, photos, videos, etc. That is why the 911 industry is pushing telecommunication companies and state and local governments to adopt what it calls Next Generation 911, which allows callers to send data through approved telecommunications carriers and internet service providers (while still taking calls from landlines).

Adoption of Next Generation 911 has been slow and costly, said Brian Fontes, CEO of the National Emergency Number Association, or NENA. A tiny fraction of America is on Next Generation 911; the short list includes Maine and Vermont, with Indiana, Washington state’s King County and part of Texas getting close, Fontes said.

The Next Generation 911 systems will have advanced security baked into their foundations, including the ability to instantly identify suspicious activity, immediately shut down in response to intrusions, and simultaneously move incoming calls to other centers in a way that is undetectable to someone dialing for help, officials say.

But the increased connectivity also opens the modern systems to new potential modes of attack, experts say. No matter how sophisticated a defense, all it takes is one overlooked vulnerability to let hackers in, experts say.

That makes it essential to develop sophisticated defense systems run by in-house cybersecurity teams, they say.

In Baltimore’s case, the ransomware attack was discovered and repelled by Baltimore City Information Technology, which maintains defenses across the local government. It determined that the hackers had found access after a technician troubleshooting the computer-aided dispatch system made a change to a firewall and mistakenly left an opening, the city’s chief information officer, Frank Johnson, said in a statement. The FBI is now helping the city investigate.

Howard, in Tennessee, knows how his attacker obtained access to the 911 center — by finding a weak password left by a deceased former system administrator. The FBI told him it looked as if the attack came from Russia. But he still isn’t sure.

Howard cleaned and rebuilt his system, but struggles to maintain patches for his outdated CAD system. “It’s been a nightmare,” he said.

No one has been caught or prosecuted in the Tennessee or Baltimore attack.


The post Hackers have #taken down #dozens of #911 #centers. Why is it so #hard to stop #them? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Cybersecurity #pros don’t feel #equipped to stop #insider #attacks

Source: National Cyber Security News

Haystax Technology released a study, based on interviews with nearly 1,500 cybersecurity professionals over three years, which makes it clear that organizations are feeling pressure from insider threats and are ramping up detection, prevention and remediation.

“One consistent message we heard in all of these interviews was that cybersecurity professionals don’t feel equipped to stop insider attacks, despite an increase in funding for things like better controls and training,” said Haystax CEO Bryan Ware. “I’m not surprised that so many are now using analytics, as they need actionable intelligence to proactively identify and defend against threats from both malicious insiders and negligent users.”

Key findings
In 2017, 90 percent of organizations reported feeling vulnerable to insider attacks, up from 64 percent in 2015. Haystax predicts 99 percent of organizations will feel vulnerable this year as they struggle with excessive access privileges and an increasing number of devices with access to sensitive data.
Privileged users were cited as the biggest insider threat concern for 55 percent of organizations in 2017. Haystax predicts that 2018 will be the year when regular employees surpass trusted insiders as the greater risk.
Just 19 percent of organizations deployed user behavior analytics (UBA) solutions in 2016 to proactively monitor employee populations, a figure that jumped to nearly 30 percent last year.
