Source: National Cyber Security – Produced By Gregory Evans BLOG Do you KNOW what it’s like, dear reader, when the electricity goes off? Several times a month if you’re lucky, up to several times a day if not? You’re trying to run a guest house. It’s winter, and you’re not in Mestia or Ushguli, so […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Do you know what you were doing 3736 days ago? We do! (To be clear, lest that sound creepy, we know what we were doing, not what you were doing.) Admittedly, we didn’t remember all on our own – we needed the inexorable memory of the […] View full post on AmIHackerProof.com
#nationalcybersecuritymonth | How to Really ‘Own IT’ for National Cybersecurity Awareness Month – Homeland Security Today
National Cybersecurity Awareness Month (NCSAM) is in its 16th year. The theme for 2019 – Own IT. Secure IT. Protect IT. – is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy. Considering that individually we pick up our smartphones an average of 77 times a day and spend nearly 12 hours a day in front of a screen, the digital lines between work and personal lives are all but gone. With nearly every facet of our lives impacted by what we do online, NCSAM calls to action this year include:
- Own IT. If you are reading this, you are using a digital device. Whether you own the device or not, we are all responsible for how we use them – from the data they store and transmit to the information we post online about ourselves and others, or share with other third parties. We are all responsible for our digital footprints, including the data apps collect and transmit from these devices.
- Secure IT. If you own it, you must secure it, from strong credentials (unique usernames, passwords/passphrases, and multifactor authentication) to physical access. This includes securing computers, laptops, tablets, smartphones, apps, and website logins.
- Protect IT. If you own it, you must protect it with security updates and safe browsing practices. Stored information, including personal and customer/consumer data that you gather from others, must also be protected. Every organization has a duty to safeguard the confidentiality, integrity, and availability of data obtained from other persons.
Struggle with Passwords Continues
After all of these years, we are still terrible at creating and managing passwords. Year after year the most commonly used (and breached) passwords still include – you got it – ‘password’ and ‘12345678.’ Variations like ‘p@$$w0rd’ are not any better as they contain common substitutions such as ‘@’ for ‘a,’ etc. Given these shortcomings, password hygiene is a leading topic any time of year, but as National Cybersecurity Awareness Month continues it is a good time for another reminder for organizations to do better at helping employees improve password management.
It is no secret that passwords alone are not the best method to safeguard our digital assets, especially weak passwords. Password security firm LastPass recently published its 3rd Annual Global Password Security Report, which highlights how employees’ continued poor password habits weaken the overall organizational security posture. To effect positive password changes, it is up to organizations to take action to improve password hygiene. Read on for three simple and effective low-cost and no-cost solutions companies and their employees should apply today to start improving overall security and reduce the risk posed by stolen passwords.
Longer Passwords Take Longer to Crack
Enforcing the use of longer passwords or passphrases can go a long way. Depending on computing power, the hash algorithm in use and other factors, it could take approximately 23 seconds to crack ‘football1’ (or similar) vs. over 10,000 centuries to crack ‘R73&nebp@98backyard45’ or ‘tHe!weatheriscoLd67outside?’. Two caveats apply to figures like these. They assume an offline attack against a stolen password hash; against a login page that rate-limits or locks out, the attacker gets far fewer guesses. And a dictionary word with a digit appended is weak whatever its length, because cracking tools try exactly those patterns first. Any password printed in an article, including the two above, should be treated as burned. In addition to making passwords longer, the importance of not reusing them across multiple sites and services cannot be overstated. Even if a password is stolen, if it is used for only a single site or service, cyber thieves can potentially compromise only that one account, not the entire kingdom.
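The three checks discussed in this section (a minimum length, rejecting ‘p@$$w0rd’-style substitutions of common passwords, and screening against known breached passwords, the haveibeenpwned service mentioned further down) fit together in one acceptance routine. The following is an added example written for this page, not code from the article, LastPass or Troy Hunt. The common-password blocklist is a constructed stand-in for a real breached-password list, and the Pwned Passwords range response is constructed offline: a real client would fetch https://api.pwnedpasswords.com/range/&lt;prefix&gt; and would see counts that differ from the one embedded here.

```python
import hashlib
import re

# Constructed blocklist standing in for a large breached-password list.
COMMON_PASSWORDS = {"password", "12345678", "football", "qwerty", "letmein"}

# Undo the substitutions people reach for: 'p@$$w0rd' -> 'password'.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed stand-in for the Pwned Passwords range API (k-anonymity model):
# the client sends only the first 5 hex chars of SHA-1(password) and receives
# "<remaining 35 hex chars>:<count>" lines, so the server never sees the hash.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the count is made up.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00000000000000000000000000000000000:2\n",
}


def candidates(password: str):
    """Yield the forms a cracker tries first: lower-cased, de-leeted, trailing digits dropped."""
    low = password.lower()
    yield low
    yield low.translate(LEET_MAP)
    stripped = re.sub(r"\d+$", "", low)
    if stripped and stripped != low:
        yield stripped
        yield stripped.translate(LEET_MAP)


def breach_count(password: str, range_lookup=CONSTRUCTED_RANGE_RESPONSES.get) -> int:
    """k-anonymity lookup: query by 5-char SHA-1 prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in (range_lookup(prefix) or "").splitlines():
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.strip() == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 14) -> tuple:
    """Return (accepted, reasons). Length is the cheapest lever; the other two
    checks catch the 'predictable' cases that a length rule alone lets through."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if any(form in COMMON_PASSWORDS for form in candidates(password)):
        reasons.append("a common password once substitutions and trailing digits are undone")
    seen = breach_count(password)
    if seen:
        reasons.append(f"appears {seen} times in breach corpora")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["p@$$w0rd", "football1", "password", "tHe!weatheriscoLd67outside?"]:
        print(pw, check_password(pw))
```

Note that the breach check sends only a 5-character hash prefix over the wire; the full SHA-1 is never transmitted, which is what makes it acceptable to run against a third-party service at login or password-change time.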
Passwords Aren’t Perfect, but MFA Could Save the Day
Adding multifactor authentication (MFA) is another quick win. MFA does not guarantee an account will not be compromised, but it does significantly reduce that likelihood. Authenticator apps like Duo, Authy, and Google Authenticator provide low-cost, no-cost, hassle-free options to add an additional layer of security to the authentication process. This extra step reduces the risk that a malicious attacker would be able to successfully log in and compromise valuable accounts, even with a stolen password. One caveat: a one-time code typed into a convincing phishing page can be relayed to the real site within its validity window, which is why hardware security keys are the stronger option for high-value accounts; an authenticator app is still a large improvement over a password alone.
The “Problem” with Password Managers
Password managers store passwords and create strong (and long) passwords so you do not have to – what’s wrong with that? Skeptical about password managers? Password managers don’t have to be perfect, they just have to be better than not having one, says cybersecurity expert Troy Hunt (founder of haveibeenpwned). Other quips by Troy: The only secure password is the one you can’t remember, and when accounts are “hacked” due to poor passwords, victims must share the blame. There are several reputable password managers to choose from, but if you are looking for “go here, do this” for picking a “good” one, check out Troy’s post on why he partnered with 1Password. On a final note, the aforementioned LastPass Global Security Report found that password manager adoption increases when it is convenient. If employees can access and use password managers from their smartphone or other device of their choice, they are more likely to use it. So, what IS the “problem” with password managers? They simply are not used enough.
Cybersecurity Awareness All Year
While October is designated NCSAM, cybersecurity awareness is far from a once-a-year activity. NCSAM materials provide proactive awareness content to use throughout the year. So, while you are sipping that long-awaited (or 100th) pumpkin spice latte, review NCSAM materials for tips, resources, webinars, and workshops. In addition, it is not too late to demonstrate your cybersecurity awareness commitment by becoming an NCSAM Champion. Some of the best NCSAM Champions come from the information-sharing community – WaterISAC, Research & Education Networks ISAC (REN-ISAC), Information Technology ISAC (IT-ISAC), Retail & Hospitality ISAC (RH-ISAC), National Council of ISACs (NCI), Faith-Based ISAO (FB-ISAO), InfraGardNCR, and InfraGard Los Angeles – and they are ensuring organizations and consumers have the resources to stay safer and more secure online. Follow #BeCyberSmart and #CyberAware on social media for great security awareness tips from the NCSAM Champions and others.
Finally, NCSAM is a great time to bolster or jump-start your cybersecurity awareness program. Interested in a ready-made program to plug into your organization? The Cyber Readiness Institute (CRI) may have just the program! Founded by the CEOs of Mastercard, Microsoft, the Center for Global Enterprise, and PSP Partners, CRI’s Cyber Readiness Program is a no-cost, practical, step-by-step guide to help small- and medium-sized enterprises become cyber ready. Completing the program will help make your organization safer, more secure, and stronger in the face of cyber threats.
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans Approximately 70 percent of Americans use social media to connect with one another, engage with news content, and share information. Most users access social media platforms and consume content on their smartphone, just one of the many smart devices we use to monitor our health, fitness, […] View full post on AmIHackerProof.com
#cybersecurity | Cyber Security Today – Stalkerware and ransomware increasing, password advice and updates to watch for
Welcome to Cyber Security Today. It’s Friday October 4th, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
A few months ago I warned about stalkerware, which are apps installed on a smartphone or tablet that let another person keep an eye on what you’re doing. Usually this app gets installed when you’re not looking by a spouse, lover or friend who has access to your device. This is not a parental control app a parent installs on a child’s device. This is an illegal snooping app. This week security vendor Kaspersky put out some numbers that may give an idea of how common their use is, based on the number of detections from its security software. In the first eight months of the year there were more than 518,000 cases where the software either registered the presence of stalkerware on users’ devices or detected an attempt to install it. And remember, that number is only for devices that use Kaspersky software. Huge numbers of people either don’t use antivirus software on their mobile devices, or use another brand. Some of these apps hide themselves on devices, so victims don’t know it’s there. Stalkerware has to be installed directly by someone. So think twice before letting a friend, or someone closer, use your phone.
As I mentioned on Wednesday, this is Cyber Security Awareness Month. As part of that Google released a public opinion poll that, if representative, shows a lot of Americans aren’t cyber aware. Twenty-four per cent of respondents said they use weak passwords like “admin” and “1234.” Fifty-nine per cent have used a name or birthday in an online password. Many people must know others use weak passwords because 27 per cent of respondents say they’ve tried to guess someone else’s password — and of those 17 per cent said they guessed right. Well, if you can guess right, so can criminals. Look, it isn’t easy to have to remember lots of passwords. That’s why there are password managers. Google has one it just improved, which is why it released the survey. There are lots of password managers. Go online, do a search, use one of them.
The FBI this week issued a reminder to organizations that ransomware is crippling those who aren’t prepared. The latest hits were three rural hospitals in the same group in Alabama. For a time new patients had to be sent to Birmingham. Last week a major hospital in downtown Toronto was hit. The FBI urges organizations to regularly back up their data and verify its integrity. Ensure backups can’t be infected by being connected to live networks. Focus on employee awareness and training to recognize suspicious email. And make sure all software gets security patches as soon as they are available.
Finally, some product updates to watch for: If you use WhatsApp on an Android device running version 9 or 8 of the operating system, make sure you upgrade to the latest version of WhatsApp. There’s a serious bug that could let a hacker into your device by sending you a repeating video called a GIF. Like one of those videos of a cat doing something silly.
And Microsoft has put out another Windows update to fix a printing problem. This patch is to fix ones that were issued over a week ago. It also updates Internet Explorer.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: You get a call and when you look at the phone’s screen to see who it is, the Apple logo, real phone number and real address are displayed. The target in this case didn’t answer the call so a message was left asking her to call a 1-866 number. It probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple. Apple won’t phone you. And for those who use other phones, hang up on anyone who tries to get personal information or passwords.
Hackers somehow have gotten access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists. The information was then published through a Twitter account. At this point no one knows if this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects victims fell for a phishing lure and gave away a password to one of their email or social media accounts. The hacker then went from there. Victims may have also used the same password for different accounts, which also makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site, and, where possible, enable two-factor authentication to make sure someone else can’t log into your account. Two-factor authentication usually sends a six-digit number to your smartphone that you have to enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications including a game called Flappy Bird, a presumed copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information like user location, text messages, contact lists and device information as well as try to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
Source: National Cyber Security News
The campaign, sponsored by an insurance company, intends to demonstrate how often hacking attempts are made on a typical small business site.
A variety of recent campaigns have employed digital billboards to show imagery in response to data from weather, traffic conditions, social posts from passersby and commute times.
Today, a new week-long campaign launches in the UK: Dozens of digital displays will demonstrate the frequency of hacking attempts on a typical small business’s website.
Called the Honeypot Poster by campaign sponsor Hiscox insurance, the displays show dots that represent live hacking attempts against custom “honeypot” proxy servers of the sort that might host a typical small business website, except with no antivirus or firewall protection. The servers hold some data but no personal or sensitive info.
The displays show changing dots inside the words “Cyber Attack,” with each dot representing a hacking attempt and a numerical counter showing the daily attacks thus far. During the trial period for the campaign, the hacking attempts averaged 23,000 daily, sometimes peaking as high as 60,000, from Russia, Vietnam, the UK and elsewhere around the world.
The point, Hiscox Head of Marketing and Partnerships Olivia Hendrick said in a statement, is to make “small businesses more aware of the very real threat that cybercrime poses and challenging the belief that cyber criminals only target larger organisations.”
View full post on National Cyber Security Ventures
As hackers become smarter and healthcare facilities rely more and more on the cloud and technology to share and store personal and sensitive information, we’ve seen an increase in security breaches in businesses across the country. In fact, the Identity Theft Resource Center found that breaches are up 25 percent this year.
Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. What’s more is that basic security features like firewalls and antivirus protection aren’t enough in today’s “smart” marketplace.
But where should businesses start if they want to avoid the repercussions of a major data breach? Here are 8 tools for businesses to consider to stay ahead of the game and help protect sensitive data and private information in 2018.
Enhanced Mitigation Experience Toolkit (EMET)
Developed specifically for Windows (sorry, Mac users!), the Enhanced Mitigation Experience Toolkit applies exploit mitigations such as DEP, mandatory ASLR and SEHOP to applications that were not built with them, so that a memory-corruption bug in, say, an older document viewer is harder to turn into code execution. It does nothing about employees who mishandle data; its value is in blunting exploitation of the software those employees run. One caveat for anyone reading this now: Microsoft ended support for EMET on July 31, 2018. On Windows 10 the same mitigations are configured through Exploit Protection in Windows Defender Exploit Guard, and EMET should not be deployed on new systems.
ExactTrak
With the increase of sensitive data on the move, it’s important to protect the information stored on laptops, external hard drives and IoT devices. ExactTrak uses embedded security to take data protection beyond basic encryption. Both system- and Internet-independent, the technology works to protect information, even when devices are turned off.
MailControl
Supported on Exchange Online, Office 365, G Suite, and Exchange, MailControl works to protect email accounts from tracking code hidden in messages, often called spymail. A spymail message carries a remote image or tracking pixel that fetches from the sender’s server when the message is rendered; the request reveals when the mail was opened, the recipient’s IP address (and so rough location) and mail client or browser details, and it fires again each time the message is forwarded. MailControl works to detect, remove and report spymail to protect customers’ private information and data.
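The detection side of that is straightforward to reason about: a beacon is a remote image that is invisible (1x1, zero-size or hidden by style) or that carries a long per-recipient token in its URL. The following is an added example written for this page, not MailControl’s code or anything from the article. It scans a constructed sample message for such images and strips the flagged tags while leaving an ordinary remote logo and an inline (cid:) image alone. The sample message, hostnames and the token are all made up.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: a legitimate logo, a tracking beacon, and an
# inline (cid:) image that fetches nothing remote.
SAMPLE_EMAIL = """<html><body>
<p>Hi Dana, your invoice is attached.</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.com/open.gif?rid=9f2c1a7e5b3d4c6a8e1f" width="1" height="1" style="display:none">
<img src="cid:signature@local" width="1" height="1">
</body></html>"""


class TrackerScanner(HTMLParser):
    """Flag <img> tags that look like beacons: remote and invisible, or carrying a per-recipient token."""

    def __init__(self):
        super().__init__()
        self.flagged = []  # (raw tag text, src, reasons)

    @staticmethod
    def _tiny(value) -> bool:
        return (value or "").strip().lower().rstrip("px") in {"0", "1"}

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images do not phone home
        reasons = []
        if self._tiny(a.get("width")) and self._tiny(a.get("height")):
            reasons.append("1x1 or zero-size image")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        query = parse_qs(urlparse(src).query)
        if any(len(values[0]) >= 16 for values in query.values() if values):
            reasons.append("long opaque token in query string")
        if reasons:
            self.flagged.append((self.get_starttag_text(), src, reasons))


def find_trackers(html: str):
    """Return [(src, reasons), ...] for every image that looks like a beacon."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return [(src, reasons) for _, src, reasons in scanner.flagged]


def strip_trackers(html: str) -> str:
    """Remove flagged tags verbatim; legitimate remote images are left in place."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    for raw, _, _ in scanner.flagged:
        html = html.replace(raw, "")
    return html


if __name__ == "__main__":
    for src, reasons in find_trackers(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

A mail gateway would also block remote image loading by default, which defeats beacons that pass these heuristics (a full-size but uniquely-named image, for instance); the scanner is useful for reporting which senders are tracking, not as the only control.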
Comodo
If you’re a small business owner just dipping your toes into cybersecurity, and worried about making too large of an initial investment, Comodo is a great place to start. They offer multiple solutions, all either free or low cost, that meet the needs of different businesses. Some include malware prevention, IT management platforms, security for POS systems and SSL certificates.
Evident ID
If you operate a business that is responsible for handling other people’s personal data, you know the stress and risk that comes with the handling of secure data. There is also the added responsibility of organizing and managing this sensitive data. Evident ID serves businesses by taking them out of the middle of the process. Businesses are able to verify users’ and customers’ information with minimum disclosure, and minimize their security risks.
CryptoStopper
A recent cybersecurity concern for many businesses is a hacker’s use of ransomware, malicious software that holds a computer system “hostage” until the ransom is paid. If ransomware is a concern for you, CryptoStopper is a great line of defense. CryptoStopper uses Watcher Files, decoy files placed where no legitimate user or process should ever touch them, to detect ransomware in real time when an encryptor modifies or renames them, and then stops the offending software from running.
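The decoy-file idea is simple enough to demonstrate end to end. The following is an added example written for this page, not CryptoStopper’s code: it plants bait files with known hashes, polls them, and reports any that vanished (renamed or deleted) or changed, which is exactly what an encryptor walking a share does to them. The bait names, content and the simulated ransomware (an XOR scramble plus rename) are constructed; a real watcher subscribes to filesystem change notifications instead of polling and kills or isolates the responsible process.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoys. Real deployments pick names that sort first and last in a
# directory so an encryptor walking the tree hits a bait file early.
BAIT_NAMES = ("~$budget.xlsx", "zzz_archive.docx")
BAIT_CONTENT = b"CANARY: no legitimate user or process ever edits this file\n" * 64


def plant_bait(directory: Path) -> dict:
    """Write the decoys and record a SHA-256 baseline keyed by path."""
    baseline = {}
    for name in BAIT_NAMES:
        path = directory / name
        path.write_bytes(BAIT_CONTENT)
        baseline[path] = hashlib.sha256(BAIT_CONTENT).hexdigest()
    return baseline


def scan(baseline: dict) -> list:
    """One poll of the decoys: report any that vanished (renamed/deleted) or changed."""
    events = []
    for path, expected in baseline.items():
        if not path.exists():
            events.append(f"{path.name}: missing (renamed or deleted)")
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            events.append(f"{path.name}: contents changed")
    return events


def simulate_ransomware(directory: Path, rename: bool = True) -> None:
    """Constructed stand-in for an encryptor: scramble every file, optionally
    writing the result under a new extension (the common ransomware pattern)."""
    for path in list(directory.iterdir()):
        scrambled = bytes(b ^ 0x5A for b in path.read_bytes())
        if rename:
            path.with_name(path.name + ".locked").write_bytes(scrambled)
            path.unlink()
        else:
            path.write_bytes(scrambled)


def demo(rename: bool = True) -> tuple:
    """Return (events before the attack, events after) for a throwaway share."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "report.docx").write_bytes(b"real document\n")  # an ordinary file
        baseline = plant_bait(share)
        before = scan(baseline)
        simulate_ransomware(share, rename=rename)
        after = scan(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before or "clean")
    print("after attack: ", after)
```

The hash baseline matters: a decoy that was merely opened (backup agents and indexers do read files) must not trigger, while one whose bytes changed must, even if the attacker preserved the filename and timestamps.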
Lookout Mobile Security
If mobile security is your main concern, Lookout Mobile Security should be on your list. Lookout recognizes that there are multiple threats to mobile security, and uses 10 years of research to provide threat remediation and app security assessments.
The post Eight #cybersecurity tools your #healthcare facility needs #today appeared first on National Cyber Security Ventures.
In my previous article, I raised a red flag about the diminishing practical returns of “mom and pop” threat research as a proxy for mitigating vulnerabilities and bad consequences. Threat assessment is often both difficult and incomplete, and sometimes best left to those who have timely access to the best possible data (and even then, best left to those with the military and intelligence means to act on it).
In that piece, I also begged an obvious question.
If chasing threats is not the best allocation of an organization’s security resources, what is? Where should we be focused and how can we best translate that attention to more effective—and efficient—cybersecurity?
Allow me to answer that with a brief portrait of a driven, iconoclastic, 20th century American financial entrepreneur named William Francis Sutton, Jr. Beginning in the early 1930s, Sutton built an extremely successful and profitable 40-year career—as a bank robber. Not only did his particular skill set net him an estimated $2 million and earn him the nicknames “Slick Willie” and “Willie the Actor,” his most famous insight also left us with a truism that is now referred to as “Sutton’s Law.”
Upon arrest, the legend goes, Sutton was asked by a newspaper reporter why he robbed all those banks. Sutton replied, “Because that’s where the money is.”
Which is why we should consider Sutton’s quote as particularly relevant to cybersecurity today: Why do threat actors go after cyber assets? Because that’s where the consequences of significance are.
From financial information and personal data, to access to trade secrets, customer information and patterns—data has become the most consequential asset for many organizations, and the most valuable target for threat actors. Whether their motive is financial gain or maliciousness, they are hoping for two things: easy access to what they are after and maximum impact for their efforts.
Which aligns directly to the cybersecurity risk paradigm: a triangle comprising and illustrating three components of risk: Threat, Vulnerability and Consequence. We have already established that it is challenging for individual companies to accurately characterize threat, or to successfully mitigate it even if characterized. That leaves Vulnerability and Consequence.
Vulnerability and Consequence are the two components of cybersecurity that organizations have the most control over and can most efficiently use to dramatically improve their level of protection.
Not necessarily in that order though—unfortunately, many organizations are not nearly focused enough on closing known vulnerabilities that allow breaches. I won’t name names here—any news site on any day will give plenty of examples, and many CISOs breathe silent sighs of relief that it’s not their turn today. It’s remarkable to think about how much damage can be prevented with just fundamental, basic security hygiene. Most people would be stunned at how much of the breach activity we so often hear about comes down to that inattention to vulnerability management.
That said—and for the sake of discussion, assuming basic hygiene protocols are indeed followed and signature-based blocking of known threats is employed—let’s apply Sutton’s quip of “that’s where the money is” to the most-overlooked aspect of cybersecurity risk: avoiding bad consequences.
We need to identify the most destructive potential results of a realized threat or exploited vulnerability, and engineer-out those consequences so they cannot happen or so the damage incurred is not as big if they do. Either can be effective threat mitigation—because threat actors will quickly conclude that their attempts require too much difficulty, or there would be little or no return on investment for their efforts even if they successfully penetrate a system.
Were he alive today, Willie would surely advise us: Don’t make it easy to get to the money, and don’t put the money all in one place. When we focus our attention on the things we can control—Vulnerabilities and Consequences —we create a dramatic increase in protection, and fully comply with Sutton’s Law.
Next time, we will use these principles to explore some fundamental best practices of cybersecurity—some obvious, some not and some controversial—that can greatly improve the security of any network.
The post How #Sutton’s #Law applies to #cybersecurity today appeared first on National Cyber Security Ventures.
Windows 10 users are at risk from a “critical” vulnerability that lets cybercriminals take over their PCs unless they update their computers now. Microsoft has patched dozens of major security vulnerabilities that affect all supported versions of Windows. One “critical” vulnerability enabled a hacker to exploit how Windows Search handles…
The post Windows 10 users need to update their PC TODAY, or hackers could take control appeared first on National Cyber Security Ventures.