Tech

now browsing by tag

 
 

Cybersecurity #Expert on #Tech #Giants Collecting Our #Data: ‘It’s Not #Surprising’

Software developer Dylan McKay discovered that Facebook has been collecting caller history and SMS data from outside the app. According to McKay, he became interested in what Facebook had collected on him after political consultancy Cambridge Analytica was accused of improperly harvesting the information of nearly 50 million Facebook users.

According to reports, Facebook became aware of Cambridge Analytica’s access to personal data back in 2015, after which it demanded that the acquired information be deleted.

While the firm assured the tech giant that its requirements have been fulfilled, Facebook recently learned that the data has not been completely destroyed.

Radio Sputnik discussed this with Kenneth Shak, senior cybersecurity consultant at LGMS, a professional information security service firm from South Asia.

Kenneth Shak: It’s not surprising that these tech giants are actually collecting our data. For example, from my own experience, I have come across when discussing some sort of information with my colleagues or my friends, for example, and, all of a sudden, in my Facebook or in my Google I can see ads targeted to what I was actually discussing. So there’s actually no fine line on how much these tech giants are actually collecting data from, so it’s quite scary, to be honest. All in all, it all boils down to the permissions given to the applications. It is not only the main Facebook application.

You have the Messenger application; you have the Messenger Lite application. I’m not sure that you realized upon installing and using these applications the first time on your phone you are actually asked a few questions. In the first, installing and using this application they will actually ask if you would like to link and upload your phone’s contacts to Facebook because you will make things easier for users to find or add friends on Facebook with all this contact data.

This step, though, is optional but not only on the Facebook application. Messenger will actually ask users for permission to access the SMS and call data on your phones for a similar purpose. But for Messenger, in particular, not the plain Facebook app, you’ll also be able to access your SMS messages and also your call log logs directly from your Messenger application. Think of it as an all-in-one messenger. When you have given all these permissions to Facebook to access all this data that was actually how they have managed to update all this data they have stored. Outside of the application and not just inside what you have given to Facebook and all these things are actually stored on your phone.

Sputnik: Do you think that in the future we can expect that there will be some kind of way to opt out of certain permissions?

Kenneth Shak: They should give a bit more convenience to the users to choose what they want to share. Actually, on your phones you can explicitly disable what you can share, for example the phone, the contacts, the storage, the camera. You can actually disable all those but they need all these permissions in order to work properly.

I’m not sure if you know, back February this year, Germany actually came to a ruling that how Facebook actually collects and uses the personal data of these users to be illegal. The reason is because there is insufficient information provided by Facebook to the users in order for the users to run their meaningful consent. So the users actually don’t know what exactly they are giving consent to. Facebook actually asked the users to agree to give access to camera, to the contacts, to the SMSs, to the address books but they do not tell the users to what extent they are giving or how much data they’re actually giving. This is actually a very-very vague consent given to Facebook.

Sputnik: So, now after that ruling, were there any changes made or was Facebook subjected any fines? What happened with Facebook in that situation?
Kenneth Shak: It depends very much from country to country. Since Facebook actually asked the users for their consents, no matter how vague they are, to gather and store this data during the installation, it may actually be legal for Facebook to do so. It’s a very-very fine line. It also boils down to the regulations imposed by different countries or their governments and where the Facebook actually operates. Germany can’t do much.

They can just rule that, this information, how they gather it, is very illegal. But since Facebook operates in Ireland and the US, users outside of these countries mainly are not able to do anything except filing a lawsuit from where Facebook is operating from, for example US or Ireland. For example, from our side, users from Malaysia definitely wouldn’t be able to do anything in regards to this issue because Facebook is not sanctioned under our Malaysian laws.

Sputnik: Do you think that we could see some serious legal action that’s going to have some really huge impact, not only on Facebook but on other tech companies as well?

Kenneth Shak: Definitely this is just the tip of the iceberg, but again as you know this is not the first kind of problem relating to personal data that actually surfaced. So for Facebook we actually see quite a number of lawsuits coming in and several governments are actually inquiring into this particular issue. Of course, all this amounts to Facebook losing nearly $50 billion off their share price. There is a long road ahead for Facebook trying to recover from all this. In light of all these issues Facebook, and not just Facebook, in particular and social media platforms like Instagram may be imposed with further regulations as well. This problem brings to light many other enhancements and additions of the regulations for other companies or tech giants as well in the future, not just for Facebook. The world will actually start to learn from this particular big issue and we will see further developments to this question as investigations on this issue are still on going.

advertisement:

The post Cybersecurity #Expert on #Tech #Giants Collecting Our #Data: ‘It’s Not #Surprising’ appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

PayThink #Users are #compromising #most #security #tech

Source: National Cyber Security – Produced By Gregory Evans

It took Bonnie and Clyde three years to rob about a dozen banks, but the scourge of bankers today is a quiet Russian hacking group called, appropriately enough, MoneyTaker, and they don’t need nearly as much drama to abscond with cash.

Using often tailor-made hack attacks that regularly rely on near-undetectable fileless malware, the MoneyTaker gang has, in barely a year and a half, robbed millions from 20 banks so far and counting. What’s worse is that the gang has stolen data that could let it hijack Swift transactions, leading Swift for the first time to issue a report on cyber-vulnerabilities with the banks it works with.

While hackers usually don’t discriminate, they’ve got no problem attacking servers at hospitals, schools and corporations with trade secrets and valuable intellectual property, banks hold a special place in their heart as that is where the money is, as yet another famous Depression-era bank robber once said.

Once a bank’s security is compromised, hackers can pay themselves from the funds on hand, transferring sums large and small to their accounts. However, with information about the global payment systems like Swift that’s also available only at the bank, hackers can do a lot more damage.

Hackers are getting better at “data mining” all the time. According to Kaspersky, Russian hackers operating just a couple of Darknet marketplaces in 2017 were offering this year an astounding 85,000 servers for sale (meaning, the authentication information that will let a hacker take control of the server), some for as little as $6! In 2016 there were “only” 70,000 such servers for sale, meaning that whatever we are doing to keep hackers at bay, it isn’t enough.

Included in those compromised servers are apparently some containing key Swift information, and it’s just a matter of time before the MoneyTaker gang will also use that information for fun and profit.

How are gangs like MoneyTaker getting away with this, especially with servers belonging to banks which are presumably protected by the latest cybersecurity systems? According to a study by the SANS Institute, it’s the “human factor” that is at work: As many as 95% of all attacks on enterprise networks begin with a spear phishing attack in which hackers dispatch their malware hidden inside email attachments. That attack could consist of trojans that pave the way for malware that allows hackers to take over servers, or the newer fileless malware attacks (where an agent installs itself in memory, hijacking servers for the use of hackers).

Cybersecurity systems, as sophisticated as they are, are clearly not doing the job — and maybe they never will, given that in the end the effectiveness of those systems can be overridden by workers inside the organization. The best systems then are the ones that take away from users and employees any opportunity to override security by responding to the phishing messages that get them, and their organizations, into trouble.

Systems like that need to be able to analyze messages and incoming files for malware or threats, and remove them before passing the file or message on to workers.

In addition, the system has to be robust and innovative enough to arrest malware that is passed on in innovative ways with traditional cybersecurity systems, like sandboxes that are perhaps not up to date on phenomena like fileless malware. With thousands of security systems out there, organizations are understandably confused about what systems are the most effective. But in our opinion, the systems that will perform best are the ones that limit opportunities for spearphishers to have their way with employees.

The post PayThink #Users are #compromising #most #security #tech appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Feds Eye #Cybersecurity Risks of #Tech #Providers

Source: National Cyber Security – Produced By Gregory Evans

Financial regulators just named cybersecurity as one of their top concerns going into 2018, with a heap of worry specifically about third-party contractors supporting the financial system.

So for compliance officers looking for yet another reason to move third-party risk management up the priority scale, now you have one.

The alarm was raised last week in the 2017 report of the Financial Stability Oversight Council. (That’s the council of U.S. financial regulators mandated by the Dodd-Frank Act, to help coordinate regulatory policy and anticipate future financial crises.) Financial firms have come to rely on technology service providers so much, the report said, that a poor understanding of their cybersecurity postures could create risk for the financial system overall:

Maintaining confidence in the security practices of third-party service providers has become increasingly important, particularly since financial institutions are often serviced by the same providers. The Council encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language.

What’s more, the FSOC even raised the idea of regulating tech providers in a more uniform fashion, so the current patchwork of supervision doesn’t allow cracks in the system that others could exploit:

[T]he authority to supervise third-party service providers continues to vary across financial regulators. The Council supports efforts to synchronize these authorities and enhance third-party service provider information security. The Council recommends that Congress pass legislation that grants examination and enforcement powers … to oversee third-party service providers and encourages coordination among federal and state regulators in the oversight of these providers.

Wow. When a group of Republican regulators tell a Republican Congress that they might need more regulation, you know things are bad.

Will Congress actually respond to these ideas? Probably not, given the floundering leadership in Washington these days. But the fundamental point — that service providers can now pose dire cybersecurity risk to the financial sector and many others — is not news to compliance officers. So let’s ponder a few other points about how to manage third-party risk in useful ways right now.

The Business Imperative
First, consider the FSOC’s true worry here. Regulators are one party, acting to protect the interests of a second party: the public, which ultimately supports and pays for the financial system. Regulators do that by imposing standards on third parties (financial firms) — and now regulators are worried about the tech service providers supporting those financial firms.

In other words, the FSOC is really worried about fourth-party risk to the financial system.

This underlines a point I’ve been making for a while: the better your firm is at at managing third-party risk, the more attractive you become as a third party yourself. After all, your third parties are your customer’s fourth parties. Fourth-party risk is where your customers start to get antsy, because they can’t easily see what those risks might pose to them. They don’t have visibility into those distant parties.

And that’s what third-party risk management is all about: making your supply chain more transparent, so you can see those risks more clearly. So any compliance program that can achieve that transparency, and pass that assurance along to your customers, will have a strategic advantage over your rivals.

The compliance community likes to talk a lot about the strategic advantage of a strong compliance program. This is the most urgent example. When your board or CFO start complaining about that budget request for more investment in third-party governance, remind them: “If we can’t govern our third parties and possible cybersecurity risk, eventually we’ll get locked out of courting financial services firms.” That’s why investing in third-party governance is worth it.

Three Practical Challenges
So what bumps will compliance and audit officers hit on the road to better cybersecurity assurance? A few come to mind.

Scoping SOC 2 audits. A SOC 2 audit examines a service provider’s data security controls. A Type I audit determines whether vendor’s controls are designed properly at a certain point in time; a Type II audit examines whether the controls work as designed for a set period of time.

Yes, your big firm can probably squeeze an eager vendor to pay for the SOC 2 audit — but scoping the audit correctly is still your responsibility. If the scope is too narrow, you might miss risks that the vendor has, but weren’t audited; if the scope is too broad, you’ve wasted money on “over-compliance” for risks you won’t face.

I wrote a longer essay about scoping SOC 2 audits earlier this year for Reciprocity Labs, if you want to read more there. Suffice to say, you need to understand your own firm’s cybersecurity risks, and the risks of outsourcing some data functions to a vendor, and the vendor’s own security protocols, to do this well.

Implementation of NIST protocols. NIST has several sets of controls it recommends for cybersecurity. They are an outstanding resource, and should be adopted. The FSOC praised NIST, and urged financial regulators to keep current with new advances in the NIST standards as they evolve.

In the private sector, compliance officers, audit executives, and internal control departments should examine the standards and see how to implement those controls into your own operations — and this is especially true for tech service vendors themselves. NIST 800-171 is the standard government contractors are supposed to use to comply with DFARS, which spells out cybersecurity standards if you want to bid on defense contracts.

I have another essay, and companion white paper, about the NIST standards that I wrote for Rapid7 earlier this year. Companies may have a long want to go for compliance, but the NIST standards are the clear destination.

Preparing for more scrutiny. The Securities and Exchange Commission already pressures companies to disclose cybersecurity concerns as risk factors. Good news: many more companies are. According to a report from Intelligize released last week, the number of firms disclosing cybersecurity as a risk factor went from 426 in 2012 to 1,680 this year.

The bad news: those disclosures usually don’t say much, and they certainly don’t capture the full picture of risk from tech service providers. Hence the SEC is talking about enhanced disclosure of cybersecurity risk, or even required disclosure of cybersecurity incidents. (Imagine filing a Form 8-K to disclose a breach every time you have one.)

Likewise, the Public Company Accounting Oversight Board wants audit firms to step up their scrutiny of your cybersecurity risks. I still struggle to understand what that scrutiny will look like in practice, since cybersecurity breaches rarely lead to a material risk of misstated financial results — but that’s the point, really. Regulators know they need to do more about cybersecurity; they just aren’t quite sure what.

I suspect many of us feel the same way.

The post Feds Eye #Cybersecurity Risks of #Tech #Providers appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Cybersecurity: The #Tech #Companies More #Important than the #FANGs.

Source: National Cyber Security – Produced By Gregory Evans

The products and services provided by the behemoths of the tech industry may seem indispensable, and the most fundamental features of the technological environment, however, there are a group of less glamorous firms that arguably are the necessary foundations of the whole industry: cybersecurity firms.

Cybersecurity is defined as the measures taken to ensure protection against unauthorised or criminal use of electronic data.

The world has become acutely aware in recent years that data is the new oil- and reserves are plentiful and exponentially growing. The amount of data in the digital world is growing so rapidly due to trends such as the ‘internet of things’ and ‘bring your own device’ (BYOD); the enormous amount of devices connected to the internet makes data abundant and cybersecurity a constant war ground.

The main antagonist in the cybersecurity realm is ransomware which is a pernicious software emanating from cryptovirology that poses the threat of making a victim’s data public, or permanently blocking access to it, unless a ransom is paid.

Therefore, as more data is created, more ransomware will inevitably be deployed. The ubiquity of ransomware is debilitating for anyone with data and internet access, but it represents a pot of gold for cybersecurity firms – the mercenaries of the technological age.

The Casualties

Everyone reading this will likely be aware of some large organisation that has been attacked by ransomware during 2017. Ransomware victims range from multinational companies such as Equifax and WPP to state institutions such as the NHS.

One of the most malicious attacks that has been seen was this year’s ‘WannaCry’ attack, which impacted 230,000 computers and 10,000 companies throughout 150 countries.

WannaCry infected 47 NHS hospitals, starkly highlighting the callous nature of these attacks. They are not just against multi-billion dollar institutes that are considered to line the pockets of the top 1%, but are also instigated much like actual warfare and terrorism, with no consideration for the innocence or relevance of its victims.

No sector is immune from cyber attacks and over 20% of institutions in financial services, education, entertainment, media, IT and telecoms have all been targeted recently.

One reason for the rapid increase in attacks is that it is becoming increasingly easy to launch a malware attack due to the ability to hire malware. By having the option to hire malware, criminals can launch attacks online with rented viruses which in turn opens up the battlefield to low-skilled, street criminals as well as highly-educated criminals.

The Figures

The opportunities available to cybersecurity firms are plentiful, providing they have the ability to innovate and stay ahead of the malware. The industry is so dynamic as attackers are constantly evolving and producing more vicious, efficient attacks and providing cybersecurity firms can produce the solutions to these attacks: they are indispensable to helpless victims.

The growth that has already been witnessed in this industry is evidence of the huge future potential for growth: the global cybersecurity market was worth $3.5bn in 2004, $64bn in 2011, $138bn in 2017, and is projected to be worth $232bn by 2022.

Furthermore, the US Bureau of Labor Statistics reports that by 2024 there will be an increase in the demand for cybersecurity staff by 36% – double the demand compared to digital workers in other fields.

The vast increase in demand for workers in cybersecurity corroborates the notion that this industry is on track to being one of the most important and lucrative sectors out there.

The Firms

Fortinet is arguably the market leader in cybersecurity and has a very large, diverse product base which enables it to trade with large and small firms. Its reports from 2017 Q1 showed a 20% increase in revenue and an increase in net income of 410% YTD, taking it to $10.7 million. Fortinet’s expected revenue for the entire year is estimated at $1.77bn.

CyberArk Software primarily focuses on protecting internal digital infrastructure, keeping privileged accounts safe, which includes the most sacred and hence potentially dangerous data.

In essence, if an attack manages to breach an initial firewall, CyberArk’s security will keep the crown jewels safe. CyberArk currently has flat earnings but is debt free and has amassed cash assets of $287m.

Furthermore, CyberArk is one of the pioneering companies in the industry and has an impressive client list of 3,200 and does business with 45% of Fortune 100 companies. Additionally, CyberArk acquired Conjur this year ($42m) which will allow it to expand into other areas of security.

Palo Alto Networks focuses on protecting data infrastructure and sells its products and services to 85 of the Fortune 100 companies. This year adjust EPS rose 32.6% to $0.61 and the 3Q revenue report showed a record of $432m, as well as gaining the second highest number of new customers since the business began.

Going Forward

It is clear that the growth potential for cybersecurity is enormous. In fact, some might even say that it is terrifying how dependent society will be on this industry in the near future. People must also not approach cybersecurity in a myopic sense and assume that it only has applications for large firms that have the capital to pay high-price ransoms.

The futuristic phrase of ‘cyberwarfare’ may seem reserved for the cinema screens, however, if hackers sitting in their bedrooms can wreak havoc on some of the biggest institutions in the world, imagine what a government-funded group of experienced, ruthless ‘cyber soldiers’ could do. Less than 10 countries have nuclear capabilities but any country with an internet connection could have access to cyber arms.

Conclusion

Finishing on a more positive note, cybersecurity is currently one of the most highly paid careers in technology with 39% of its employees earning more than £87,000 and 75% earning more than £47,000.

In the past, one would have to risk their lives for almost no remuneration to complete patriotic duty. Now, one can fulfil this moral craving whilst sitting at home, rather than in a dilapidated barracks.

The post Cybersecurity: The #Tech #Companies More #Important than the #FANGs. appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Main #cybersecurity #management #challenge? People, but simple #tech can help

more information on sonyhack from leading cyber security expertsSource: National Cyber Security – Produced By Gregory Evans Alissa Johnson doesn’t hesitate when asked whether people or technology is the harder-to-crack cybersecurity management challenge. It’s people, the Xerox Corp. CISO told SearchCIO at Gartner Symposium/ITxpo in Orlando, Fla., earlier this month. “You can tell technology exactly what you want it to do, and it’s […] View full post on AmIHackerProof.com | Can You Be Hacked?

Mac Certified Tech/ IT Operations Support Engineer

Source: National Cyber Security – Produced By Gregory Evans

Mac Certified Tech/ IT Operations Support Engineer

Position Summary
Chegg is looking for a strong Desktop Support Engineer to join its lean but highly visible and productive team. This person will provide day-to-day hands on support to Chegg’s end user desktop and applications. There will be a ton of interaction with all areas of the company, directly with internal customers and various departments, troubleshooting user desktop issues to resolution.

Other areas of responsibility are LAN support, workstation deployments, break/fix, software/hardware upgrades, patch management, Anti-Virus management, workstation security, image management, application installs, user support and training, etc. Ever the collaborative role, there are a number of additional specific processes and services outside the desktop support role that this position may also be involved in. Most notably, this position will also act as first level support to critical systems and applications during normal business hours.

The role reports to our Sr Manager of IT Operations and is located in our Santa Clara, CA headquarters.

Responsibilities:

Maintain detailed and up-to-date licenses and hardware/software inventory
Deployments and Break/Fix
for workstations, printers, faxes, etc.
IT Equipment and Supplies Procurement
Hardware/Software installs and upgrades
Workstation Patch Management
User Support and Training
Maintain WDS Image Library
Manage IT Department documentation
Perform Preventive Maintenance
LAN Support
Exchange/Outlook Support and Active Directory support
Blackberry / iPhone/ wireless devices deployment and support
Windows 7 Enterprise/ Microsoft Application Support
Avaya IP phone support
VPN Account Setup and Support
- Desktop Security
AntiVirus Management and Support

Qualifications:

Education and/or Experience

A Bachelor’s degree in a related field or IT related degree and/or combination of directly related work experience commensurate to 2-5 years experience

Computer / Technical Skills
LAN / WAN experience required
Desktop and Laptop Break/Fix experience
WDS (Windows Deployment Services) experience
Exchange/Outlook 2010, 2013 (Mac 2011) experience
Lenovo IBM Hardware / MacBook and MacBookPro experience required
Desktop Security Best Practices required
Solid and current experience in the following: Windows7 Enterprise, FTP Server, Symantec AntiVirus, DNS/DHCP Administration; Active Directory
Proficient in Microsoft Office (Excel, Word, PowerPoint, Access)
Demonstrated work experience in project and task management proficiency with the ability to prioritize and execute accordingly
Must be able to work varied work hours, ‘On-Call’, including evenings, weekends and holidays

The post Mac Certified Tech/ IT Operations Support Engineer appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Democrats’ Biggest Cybersecurity Upgrade Is Their New Tech Chief

Source: National Cyber Security – Produced By Gregory Evans

The Democratic National Committee is upping its cybersecurity efforts — and it’s getting some help from a former Silicon Valley exec. Back in June, the committee hired Raffi Krikorian — a former top engineer at Uber and Twitter — as chief technology officer. Since his hire, Krikorian has instituted better…

The post Democrats’ Biggest Cybersecurity Upgrade Is Their New Tech Chief appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

UK university hackers read up on secret military tech

Source: National Cyber Security – Produced By Gregory Evans

UK university cyberattacks have doubled in the last two years alone, with hackers found to be focusing on critical information connected to national security. Areas including research pertaining to missiles, scientific developments and medical advances are among the areas that cyber adversaries have shown an acute interest in. This information…

The post UK university hackers read up on secret military tech appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Online radicalisation and cyber attacks to be among the high tech crimes targeted by new facility at the University of Bradford

Source: National Cyber Security – Produced By Gregory Evans

A HIGH tech centre dedicated to cyber security has been opened at the University of Bradford, and one of its first projects it to look at how to deal with online radicalisation. The Cyber Security Interdisciplinary Centre will see students using top technology to research the ever evolving online world…

The post Online radicalisation and cyber attacks to be among the high tech crimes targeted by new facility at the University of Bradford appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Britain asks tech and social media giants to censor militant content

Source: National Cyber Security – Produced By Gregory Evans

Britain’s interior minister will use a visit to Silicon Valley on Tuesday to ask Facebook, Microsoft, Twitter, and YouTube to step up efforts to counter or remove content that incites militants. After four militant attacks in Britain that killed 36 people this year, senior ministers have repeatedly demanded that internet…

The post Britain asks tech and social media giants to censor militant content appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures