Cybersecurity Advice

Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.

We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.

Explosion in Malware Makes Web Filters for WiFi Networks Essential

Organizations running WiFi networks are facing attacks from all angles. Many companies are choosing to implement web filters for WiFi networks to help mitigate risk from the growing number of malware variants that are being used to attack businesses via their WiFi networks.

A new report issued by Bilbao-based antivirus software developer Panda Security has revealed the extent of the problem. Last year, over 84 million new malware samples were identified, which equates to 27% of all malware previously identified.

The proliferation in malware has been attributed, in part, to the rise in use of antivirus software and the effectiveness of those software programs. When a new malware is discovered, antivirus signatures are updated and shared with all antivirus software developers. In a very short space of time, all AV engines will block a particular malware.

Hackers have responded by using software that modifies malware slightly, allowing hundreds or thousands of variants to be released. An increased number of malware variants is needed in order to get past antivirus software programs, as many AV engines are capable of detecting malware that has been modified slightly. The more variants are used, the higher the probability of malware getting past security software.

When Panda was formed in 1990, the company was detecting approximately 100 new malware variants a day. Today 230,000 new samples are discovered every day, on average.

Trojans are the most common malware form, with the full breakdown of new malware variants detailed below:

| Malware Type | % of new malware discovered in 2015 |
|--------------|-------------------------------------|
| Trojans      | 51.45%                              |
| Viruses      | 22.79%                              |
| Worms        | 13.22%                              |
| PUPs         | 10.71%                              |
| Spyware      | 1.83%                               |

Blocking Malware with a Web Filtering Solution

Malware is installed on user devices via a variety of different vectors. Spam email is one of the most common methods of malware delivery, but fortunately, one of the most straightforward to block. A robust anti-spam solution can be used to block the vast majority (over 99.7%) of spam emails from being delivered. Training users how to recognize malware can help to ensure that any rogue emails that get past the filter will be identified and deleted before any damage is caused.

Blocking malware from being installed via malicious websites can be more difficult. Hackers use exploit kits to probe for security vulnerabilities in browsers and browser plug-ins, and deliver malware in drive-by attacks without the knowledge of website visitors. Social engineering tactics are used to fool users into downloading malware, and malicious software can be installed on legitimate websites or placed on adverts displayed by those websites.

One of the best protections to implement to ensure users’ devices are not infected with malware is a web filter. A web filter will restrict access to websites known to contain malware, as well as categories of websites where malware is most likely to be located. As well as protecting users from objectionable website content such as pornography or religious extremist material, it will also keep their devices safe and free from Trojans, viruses, worms and other malicious software.  A web filtering solution can be a highly effective protection against malware as part of a multi-layered security system.

Web Filters for Wi-Fi Networks Keep Internet Users Secure

One of the ways enterprises are keeping their wireless networks secure is by using web filters for WiFi networks. WiFi networks are particularly risky and need to be secured. Due to the risk of using wireless networks, many customers avoid networks that are unsecured.

Installing software solutions on individual devices that connect to wireless networks is far from ideal. Many companies have BYOD policies that permit the use of personal devices at work, and it would not be practical to install web filtering software solutions on each and every device used to connect to the network. In a coffee shop or hotel, this would simply not be possible.

The easy solution is to use DNS-based web filtering solutions, as they do not require the installation of any software on users’ devices. All that is required to run DNS-based web filtering is a simple change to the DNS server addresses on the company’s router.

Any user with a modicum of technical knowhow would be able to bypass a DNS-based web filter and access blocked content, although with some minor configuration changes to the router, users can be prevented from using any DNS server other than the one with the web filtering solution in place.
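One way to check that the router restriction on other DNS servers is actually enforced, as an added example that is not TitanHQ's code: it audits router flow logs for client DNS traffic sent to any resolver other than the filtering one. The log format, resolver addresses and client subnet are constructed assumptions.

```python
"""Audit router flow logs for DNS traffic that sidesteps the filtering resolver.

Added example. Log format, addresses and names are constructed assumptions.
Scope: classic DNS and DNS over TLS only, identified by port. IPv4 log lines only.
"""
import ipaddress
from collections import defaultdict

# Assumption: resolver addresses of the filtering service (documentation-range placeholders).
FILTER_RESOLVERS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}
# Assumption: the WiFi client subnet behind the router.
CLIENT_NET = ipaddress.ip_network("10.20.0.0/16")
# Classic DNS (53/udp, 53/tcp) and DNS over TLS (853/tcp).
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}

# Constructed sample: "<timestamp> <action> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
SAMPLE_LOG = """\
2016-01-12T09:00:01Z ALLOW udp 10.20.4.17:51514 -> 192.0.2.53:53
2016-01-12T09:00:02Z ALLOW udp 10.20.4.23:40022 -> 198.51.100.8:53
2016-01-12T09:00:03Z ALLOW tcp 10.20.4.23:40100 -> 203.0.113.80:443
2016-01-12T09:00:04Z DROP udp 10.20.9.5:33990 -> 198.51.100.8:53
2016-01-12T09:00:05Z ALLOW tcp 10.20.4.23:40101 -> 198.51.100.9:853
2016-01-12T09:00:06Z ALLOW udp 172.16.0.2:5353 -> 198.51.100.8:53
this line is malformed and must be skipped
2016-01-12T09:00:07Z ALLOW tcp 10.20.7.7:50000 -> 192.0.2.54:53
"""


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "action": action.upper(),
            "proto": proto.lower(),
            "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dport),
        }
    except ValueError:
        return None


def audit(log_text):
    """Return {client_ip: {"bypassed": [...], "blocked": [...]}} for DNS flows
    from WiFi clients to resolvers other than the filtering service."""
    findings = defaultdict(lambda: {"bypassed": [], "blocked": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in CLIENT_NET:
            continue  # unparseable, or not a WiFi client
        if (rec["proto"], rec["dport"]) not in DNS_PORTS:
            continue  # not DNS traffic
        if rec["dst"] in FILTER_RESOLVERS:
            continue  # lookup went through the web filter, as intended
        # ALLOW means the router let the lookup out: the restriction is not enforced.
        # DROP means the router rule works but the client is set to another resolver.
        bucket = "bypassed" if rec["action"] == "ALLOW" else "blocked"
        findings[str(rec["src"])][bucket].append(
            f'{rec["dst"]}:{rec["dport"]}/{rec["proto"]}'
        )
    return dict(findings)


def enforcement_gaps(findings):
    """Clients whose lookups to a foreign resolver were allowed out by the router."""
    return sorted(ip for ip, f in findings.items() if f["bypassed"])


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for client, flows in sorted(report.items()):
        print(client, flows)
    print("router rule missing or incomplete for:", enforcement_gaps(report))
```

Any client listed by `enforcement_gaps` reached a resolver outside the filter, which means the router rule is missing or incomplete for that protocol and port.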

TitanHQ web filters for WiFi networks

TitanHQ’s web filters for WiFi networks offer highly granular controls. WebTitan Cloud for WiFi networks can be fine-tuned to suit any organization’s needs, allowing light control of Internet use to highly restrictive Internet filtering.

No software installations are required thanks to the 100% cloud-based system, and no additional hardware is required. Only very minor changes need to be made to point DNS servers to the correct location, and after basic parameters are set, WebTitan’s web filters for WiFi networks will be up and running.

It may not be possible to eliminate the risk of a malware attack, but with WebTitan Cloud for WiFi, risk can be reduced to a low and acceptable level.

Key benefits of WebTitan web filters for WiFi networks

  • Create a family-friendly, safe and secure web browsing environment.
  • Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
  • Filter by keyword and keyword score.
  • Filter content in 200 languages.
  • No hardware or software installations required
  • Suitable for static and dynamic IPs
  • No impact on broadband speed
  • Suitable for use with multiple routers
  • No limits on access points or users
  • Scalable solution for businesses large and small
  • Block access to inappropriate website content
  • Block phishing attacks and malware and ransomware downloads
  • Integrate the solution into existing billing, auto provisioning and monitoring systems through a suite of APIs
  • Manage access points through a single web-based administration panel.
  • Easy delegation of the management of access points
  • Schedule and run reports on demand with real-time views of Internet activity and extensive drill down reporting.
  • World class customer service
  • Highly competitive pricing and a fully transparent pricing policy

 

Find out more about the benefits of installing web filters for WiFi networks by calling TitanHQ today

What are the Main Privacy and Security Concerns of Customers?

A new report released by data privacy and security group Morrison and Foerster indicates the main privacy and security concerns of customers.

Don’t Ignore the Privacy and Security Concerns of Customers

If you ignore the privacy and security concerns of customers it is likely to have a significant effect on your bottom line.

A new report recently released by Morrison and Foerster suggests that consumers are even more concerned about their privacy than four years ago. Furthermore, many will take action if they feel their privacy is not protected. The survey indicates more than one in three consumers have switched companies they do business with due to privacy concerns, and one in five would switch after a breach of their personal data.

The company conducted a survey of 900 U.S. consumers in November, 2015. 35% of respondents said they had taken the decision to switch companies or not buy products as a result of privacy concerns. When it came to a breach of personal information, 22% of individuals said they had taken the decision to stop purchasing products or had switched services as a result.

According to the report, more educated individuals and higher earners were the most likely to stop doing business with a company as a result of a data breach. 28% of respondents educated to college degree level or higher said they would make the switch after a data breach compared to 18% of individuals without a college degree.

For the upper income bracket, 33% said they stopped buying as a result of a data breach. That figure fell to 28% for the middle income bracket, and 17% for the low income bracket.

When the company conducted the survey back in 2011, 54% of consumers said that privacy concerns affected their decision to make a purchase. In 2015, 82% of consumers said that privacy concerns influenced their purchasing decisions.

Companies are not perfect, but consumers are intolerant of data breaches

In 2011, 16% of consumers believed no business was perfect, and were therefore likely to overlook privacy issues and data breaches, whereas in 2015 the figure had fallen to 9%.

The greatest concern is now the risk of identity theft, with the percentage of individuals worried about thieves stealing their identity jumping from 24% in 2011 to 52% in 2015.

The survey shows that not only must companies do more to earn the trust of consumers, they must also do more, and be seen to be doing more, to safeguard the data they store on consumers, especially Social Security numbers, passwords and personal IDs, payment card information, and user IDs, passwords and account information.

How to improve your security posture and prevent data breaches

It is essential to implement multi-layered security systems to prevent cyberattacks. For businesses, one of the biggest problems is how to stop employees from inadvertently compromising a network. Security training is therefore essential. Employees must be advised of security risks and given regular training to help avoid scams, malicious websites, and told how to identify phishing emails.

It is essential that risky behavior is eradicated. Internet and BYOD policies must be introduced that cover the acceptable uses of the devices, and the sites that are permitted to be accessed at work. However, not all employees will adhere to those policies. For maximum protection it is strongly advisable to implement a solution that reduces the risk of malware downloads.

A web filtering solution is essential in this regard. A web filter can block malicious websites and reduce the risk of malware infections, while also being configured to protect end users from malvertising.

A patch management policy must be implemented and software updates installed promptly to prevent zero-day security vulnerabilities from being exploited.

Anti-virus and anti-malware software must be used. A different engine for servers and end users is a wise precaution to minimize the probability of malware and viruses being installed.

It is now an inevitability that a data breach will be suffered at some point in time, but reducing the likelihood of that happening is essential. It is important to pay attention to the privacy and security concerns of customers. Show consumers how dedicated you are to protecting their privacy, and implement a wide range of controls to prevent a data breach and you will reduce the risk of losing customers to better protected organizations.

Cybersecurity Predictions for 2016

Over the past four weeks we have seen numerous cybersecurity predictions for 2016 issued by security firms. Security experts are trying to determine which part of the now incredibly broad threat landscape will be most favored by cybercriminals in 2016.

Some companies have made very specific cybersecurity predictions for 2016. They have come out with very bold claims, even predicting the presidential elections will be disrupted by a major cyberattack. Others believe 2016 will be broadly similar to 2015, with just an increase in ransomware attacks and even more massive data breaches suffered.

What all of the cybersecurity predictions for 2016 have in common is that the next 12 months are expected to be tough for security professionals.

The number and types of devices now connecting to corporate networks is broader than ever before. People are now far more likely to own and use three or more Internet-connected devices and use them on a regular basis. Alternative payment methods are being used more frequently. There is now more than ever to attack and too many devices and systems to keep secure. Unsurprisingly, no one appears to be claiming that 2016 will be easier than last year for cybersecurity professionals.

Cybersecurity predictions for 2016

The attack surface is now incredibly broad, but where are cybercriminals most likely to strike? This is what we think. Here are cybersecurity predictions for 2016.

IoT – expect attacks on the Internet of Things

Let’s start with a bold prediction. The IoT is likely to come under attack this year. I say bold, but that is only in terms of the timescale. IoT devices will be attacked, shut down, altered, remotely controlled, and used as a launchpad for attacks on other devices. If a device is constantly connected to the Internet, it will only be a matter of time before an attack takes place.

One problem with adding IoT technology is the manufacturers of the devices are not security experts. A washing machine that can be controlled via Wi-Fi or a Smartphone app, and can be switched on remotely while you are at work, has been designed first and foremost to wash clothes. It has then had IoT functionality bolted on. It has not been designed with security at the core of the design.

Surely a washing machine is not going to be used to attack a corporation you may say. Well, a Smart heating and air conditioning system was used to attack Target and gain access to the credit card numbers of its customers. Hackers are certainly looking at IoT devices and are probing for weaknesses. Security needs to be first rate, but unfortunately in many cases it is not.

Crypto-ransomware evolution will continue – Increase in ransomware attacks to be expected

Over the past 12 months crypto-ransomware attacks have increased significantly. Cybercriminals are now developing new malware capable of locking computers with powerful encryption.

The encryption cannot be cracked. The devices can only be unlocked using a security key. That key is held by the attackers. A ransom is demanded by cybercriminals and it must be paid before the key is released. Ransoms are demanded in Bitcoin because the currency is next to impossible to trace.

Developing crypto-ransomware is a lucrative business and that is unlikely to change any time soon. At present, ransomware is sent via mass spam email and the victims are not really targeted. The aim is to infect as many devices as possible. More infections equal more ransoms.

What we are likely to see over the course of the next 12 months is an increase in the ransom amount demanded and a more targeted approach adopted. Businesses are likely to be targeted and crypto-ransomware used to hold companies ransom. Companies are likely to be able to pay more than individuals.

We also expect ransomware to make the jump over to OS X, and to a lesser extent iOS. Cybercriminals would love to start charging Mac prices!

Apple owners to come under attack

That neatly leads us on to Apple. Users of Macs and iPhones have had it too good for too long. Hackers have not been too bothered about Mac users in the past, as there are greater rewards to be had from writing malware to target the masses. Consequently, the majority of malware targets Windows-based devices. Apple’s market share has been too small to warrant the development of Apple-specific malware. That is now changing.

Apple’s market share is increasing. As more people make the switch to Apple, it will be more lucrative for criminals to develop malware to target OS X devices. Over the course of the last year we have seen new malware created specifically for Apple devices. The volume is still small in comparison to malware that infects Windows-based devices, but we can expect Apple to come under attack in 2016.

Increase in memory resident malware

Hackers are getting better at obfuscation. They are developing ever more complex ways of hiding malware to evade detection. One of the main problems faced by malware authors comes from the fact that if a file is downloaded to a computer it can be found.

However, if malicious code is injected into the memory of a computer and no files downloaded, it is very difficult to detect. Memory-resident malware is more difficult for hackers to create, but many are now developing new fileless malware in order to evade detection for longer.

Until now memory-resident malware has been short-lived. It only survives until the device is rebooted. However, we are now seeing new forms that are simply reloaded into the memory when the computer is rebooted. We can expect to see even more memory-resident malware attacks in 2016 as the use of fileless malware grows.

Major healthcare industry attacks will take place

In 2015, cybercriminals targeted the healthcare industry with increased vigor. Massive data breaches were suffered, the likes of which the industry had never before seen. Anthem was attacked last year and 78.8 million healthcare records were stolen. An attack on Premera BlueCross exposed 11 million records, and Excellus suffered a 10-million record data breach. These massive cyberattacks used to be a rarity. In fact, up until 2014 the largest U.S. healthcare data breach affected just 4.9 million individuals.

The healthcare industry has been slow to implement new technology and many security weaknesses remain. They are now being exploited with increasing regularity. Since the value of data stored by health insurers and healthcare providers is so high, and the volumes of Social Security numbers, health data, and personal information so large, successful attacks can be extremely profitable. Where there is profit, and poor security there will be cyberattacks. These massive breaches will therefore continue in 2016.

Attacks on employees to increase in 2016

Employees are the weakest link in the security chain and hackers and cybercriminals are well aware of this. They target employees to gain access to corporate networks, with phishing one of the easiest ways to gain access to corporate data. These attacks have proved to be highly successful and have resulted in huge volumes of data being obtained by criminals. Some of the largest data breaches of the last two years have started with phishing campaigns, the attacks on Sony, Target, and Anthem for example.

Employers are getting better at blocking phishing emails and employees are now being trained to identify them, but these attacks will continue and will become more targeted and sophisticated.

As more employees work from home, we expect them to be targeted there instead of work. Their home computers and personal devices will be used to gain access to corporate networks. They tend to have more security weaknesses. Those weaknesses are likely to be exploited with increasing frequency.

Do you agree with our cybersecurity predictions for 2016? What do you think the biggest threat will be over the next 12 months?

Healthcare Phishing Emails Can Result in Business Crippling Fines

In the United States, healthcare phishing emails are being sent in increasing volume by cybercriminals looking for an easy entry point into insurance and healthcare providers’ networks. Healthcare employees are now being targeted with spear phishing emails as they are seen to be the weakest link in the security chain, resulting in HIPAA compliance breaches.

It is, after all, much easier to gain entry to a healthcare network or EHR system if malware is installed by nurses, physicians, or administrative staff than it is to find and exploit server and browser security vulnerabilities. It is even easier if a member of staff can be convinced to divulge their email account or network login credentials. Hackers and cybercriminals are devising more sophisticated healthcare phishing emails for this purpose.

Clever healthcare phishing emails could fool any number of staff members

Even well trained IT security professionals have been fooled into responding to phishing scams, so what chance do busy physicians, nurses, and members of the billing department have of identifying healthcare phishing emails?

According to the Department of Health and Human Services’ Office for Civil Rights (OCR), employers will be held responsible if their staff fall for a phishing email, unless they have taken proactive steps to reduce the risk of that occurring.

This week, OCR announced it arrived at a settlement with University of Washington Medicine for a 90,000-record data breach that occurred as a result of staff falling for healthcare phishing emails. The settlement involved UWM paying OCR $750,000.

Small to medium-sized healthcare organizations could also be fined for members of staff accidentally installing malware. UWM may be able to cover such a substantial fine, but the average 1-10 physician practice would be unlikely to have that sort of spare cash available. Such a penalty could prove to be catastrophic.

Why was such a heavy fine issued?

The issue OCR had with UWM was not the fact that a data breach was suffered, but that insufficient efforts had been made to prevent the breach from occurring. U.S. healthcare legislation requires all healthcare organizations to conduct a comprehensive, organization-wide risk assessment to identify potential security vulnerabilities. In this case, University of Washington Medicine had not done this. A risk assessment was conducted, but it did not cover all subsidiaries of the organization, in particular, the medical center whose employee was fooled by the phishing email.

Healthcare phishing emails are such a major data security risk that efforts must be made to reduce the risk to an acceptable level. Had a risk assessment been conducted, the phishing risk would have been identified, and action could have been taken to prevent the breach.

OCR would not expect organizations to always be able to prevent employees from responding to healthcare phishing emails. OCR does expect healthcare organizations to make an effort to reduce risk, such as advising staff members about the threat from healthcare phishing emails, in addition to providing basic data security training at the very least.

Addressing the data security risk from healthcare phishing emails

Since the risk of cyberattack via phishing emails is considerable, healthcare organizations of all sizes must take proactive steps to mitigate the risk of employees falling for the email scams. Staff members must be informed of the very real danger from phishing, and the extent to which cybercriminals are using the attack vector to compromise healthcare networks.

They must be told to be vigilant, as well as being instructed what to look for. Training on phishing email identification must be provided, and in order to satisfy auditors, a signature must be obtained from each member of staff to confirm that training has been received.

Staff members should also have their ability to identify healthcare phishing emails put to the test. They should be sent dummy phishing emails with email attachments and fake phishing links to see if they respond appropriately. If they respond incorrectly after training has been provided, further help with phishing email identification must be given. These processes should also be documented in case auditors come knocking.

Due to the considerable risk of a healthcare phishing attack, and the ease with which networks can be compromised, additional protections must also be employed. Small to medium-sized healthcare organizations that can ill afford a regulatory fine should make sure automated anti-phishing solutions are put in place.

These protections do not need to be expensive. There are cost effective solutions that can be employed that will reduce risk to a minimal and acceptable level. If training is provided and anti-phishing controls have been employed, OCR and other regulatory bodies would be less likely to fine an organization if a phishing-related data breach is suffered.

Deven McGraw, OCR Deputy Director for Health Information Privacy, recently pointed out that it is not possible to totally eliminate risk, but it is possible to reduce risk to an acceptable level. That is what OCR wants to see.

Automated solutions to reduce risk from healthcare phishing emails

To reduce the risk of members of staff responding to phishing campaigns, a powerful email spam solution must be implemented. Anti-spam solutions such as SpamTitan are cost-effective, easy to configure and maintain, and will block 99.98% of all spam emails. If phishing emails are not delivered, staff members cannot respond to them.

An anti-spam solution will not stop members of staff visiting malicious websites when surfing the Internet. Links to these malicious websites are often located in website adverts, on legitimate sites that have been hijacked by hackers, or contained in social media posts. To protect networks from these attack vectors, a web filtering solution should be employed.

WebTitan blocks users from visiting sites known to host malware. The anti-phishing solution can also be used to restrict Internet access to work-related websites. This will greatly reduce the risk from drive-by malware downloads and phishing websites.

Access rights can be configured on an organization-wide level to block malware-hosting sites. Group level privileges can be set to prevent social media networks from being accessed, for example. This control allows certain groups to have access to social media networks for work purposes, while reducing risk that comes from personal use. Individual access rights can also be set if required.

Summary

Provide training to the staff, block email spam and phishing emails from being delivered, and implement a web filter to manage web-borne risks, and not only will it be possible to keep networks and email accounts secure, heavy regulatory fines are likely to be avoided.

Kaspersky Lab Makes Web Security Predictions for 2016

Kaspersky Lab has made a number of web security predictions for 2016, alerting IT security professionals to what the company’s security experts believe next year has in store. The company has listed some of the biggest security threats that are expected over the coming year.

Kaspersky Lab is one of the leading anti-virus and anti-malware software developers, and is a supplier of one of the two AV engines at the heart of WebTitan Web filtering solutions.

The Kaspersky web security predictions for 2016 include opinions gained from over 40 of the company’s leading experts around the globe. The web security predictions for 2016 can be used by IT professionals as a guide to where the next cyberattack could come from.

The Biggest Cyberattacks of 2014 and 2015

Last year saw numerous high profile attacks on some of the world’s best known brands. Around this time last year, Sony was hacked and its confidential data was posted online, causing much embarrassment and considerable financial loss. Some of the biggest names in retail in the U.S. were attacked in 2014 including Target and Home Depot.

The start of this year saw attention switch to health insurers. In February, Anthem Inc. was attacked. The records of 78.8 million insurance subscribers were stolen. News of a cyberattack at Premera BlueCross closely followed. 11 million subscriber records were compromised in that attack. Later in the year, Excellus BlueCross BlueShield discovered hackers had potentially stolen the records of approximately 10 million subscribers. Healthcare providers were also hit. UCLA Health System suffered a data breach that exposed the records of 4.5 million patients.

The U.S. Government was also targeted this year. The Office of Personnel Management was hacked and, while the perpetrators have not been identified, the attackers are believed to be government-backed hackers based in China. Over 22 million records were potentially stolen in that cyberattack. The IRS was also hacked and 300,000 individuals were affected.

37 million highly confidential records were obtained from internet dating website Ashley Madison, and Hacking Team – a somewhat controversial provider of spyware – was also hacked. 40 GB of its data was dumped online for all to see.

Many of these attacks were highly sophisticated, but were made possible after employees fell for spear phishing emails.

Web Security Predictions for 2016

Hackers have been developing ever more sophisticated methods of breaking through security defenses to gain access to confidential data, to sabotage systems, or to hold companies and individuals to ransom by taking control of their data. Phishing and social engineering techniques are often used. While these are likely to continue, Kaspersky Lab experts believe hackers are likely to concentrate on stealthier techniques over the coming 12 months. The company’s experts believe there will be a growth in silent attacks that are difficult for security professionals to detect. The main web security predictions for 2016 are listed below:

APT Attacks to come to an end

Advanced Persistent Threats have proved popular with hackers, yet Kaspersky believes these attacks will soon come to an end. Instead, hackers are expected to conduct more drive-by attacks using stealthy memory-based malware. Memory-based malware is not downloaded but resides in the memory where it cannot be easily detected. While the injection of malicious code into the RAM of a computer could only previously be used for short term infections, new techniques have been developed that are capable of surviving a reboot. These are likely to grow in popularity over the coming year.

Off-the-shelf malware use to increase

Rather than criminals paying hackers to develop new exploits, there is expected to be an increase in off-the-shelf malware attacks. Instead of developing new malware from scratch, existing malware will be used and tweaked to avoid detection. There is no need to reinvent the wheel when malware exists that can be used or rented out cheaply. The malware will just be made stealthier and more difficult to detect.

Alternative payment systems will be targeted

Financial cyberattacks will continue, and banks and financial institutions will be targeted. Expect a rise in attacks on alternative finance providers and payment systems such as AndroidPay, SamsungPay and ApplePay.

No end to extortion and mafia-style tactics

Not all hackers are motivated by money. Kaspersky has predicted a rise in the number of hacktivist attacks, which aim to shame the rich and famous. Attacks will continue to be conducted on companies that have caused offense, the attack on Ashley Madison and the 2014 hacking of Sony being good examples. Some hackers will use the threat of publishing data to extort money from victims, others will just be keen to sabotage companies. The use of ransomware is also expected to increase, with companies large and small targeted with increasing regularity.

Amazon Two-Factor Authentication: Enhanced Data Security Measure Added

Online shoppers now have the option of using Amazon two-factor authentication on their accounts to improve security. Any users concerned about the number of cyberattacks being suffered by large retailers should take advantage of the new security measure and add Amazon two-factor authentication to their Amazon account at the earliest possible opportunity.

It is not clear exactly when the retail giant implemented the new security feature, as an announcement was not made; however, some users started to notice the option this week. At present it is not a mandatory security measure, but it is strongly advisable to add it to your account.

Large retailers are big targets for cybercriminals. Retailers such as Amazon may have invested millions or even hundreds of millions in data security solutions and cybersecurity protections, but no company is impervious to attack. One thing that is certain is a great many cybercriminals will attempt to break through Amazon cybersecurity defenses. The company’s colossal database of customer information would be a sizeable reward for all the effort. The retail giant has an estimated 244 million customers. 244 million credit card numbers could be sold for a considerable sum of money.

Why Amazon two-factor authentication doesn’t offer 100% security

It would be nice to live in a world where it is impossible to be hacked or have one’s account details compromised. Unfortunately, there is no such thing as a 100% secure account because no system is totally foolproof. Two-factor authentication does, however, get pretty close and, even better, it is easy for companies to implement and straightforward for customers to activate.

Most of the global retailers and major internet brands use two-factor authentication for user accounts; although for some reason (only known to Amazon) the retail giant has refrained from adding this additional security measure until now. It is not a mandatory security measure and will not be added to accounts automatically. If users want enhanced account security, they can access their account settings and turn it on.

How to Add Amazon two-factor authentication to your account

Making your Amazon account more secure is a simple process. You will need to log in to your account and access your account settings. The option is located in the “Your Account” dropdown menu in the upper right-hand side of your screen. You will need to scroll to the “Change Account Settings” option, and at the bottom of the list click on “Edit” to the right of the “Advanced Account Settings” section.

You will be directed to the Amazon two-step authentication page. You just need to click on the “get started” option. If you enter your mobile phone number, you will be sent a code which will need to be added into your account settings. Once this has been done, no one other than yourself will be able to access your account even if your password is compromised, unless a criminal also has your phone, of course.

Retailers are being attacked with increasing regularity, so this additional security measure is strongly recommended. Target was targeted, Home Depot was hacked, and Amazon may well be the next major retailer to suffer a significant data breach. This additional security control will offer greater protection.

Manage Cybersecurity Risk with Data Protection Policies

In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti suggests that a third of companies have not yet developed data protection policies. When data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.

Data protection policies are inadequate or non-existent in many cases

Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms were not managing cybersecurity risk effectively, leaving them vulnerable.

Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. When policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.

To manage cybersecurity risk, start at the top

The board must become involved in cybersecurity decisions and should take a greater interest in keeping their organizations secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels and a culture of security awareness developed. Best practices must be defined and all users monitored to make sure that those practices are being followed.

The study indicates that board level involvement in cybersecurity issues is becoming more common, yet only 28% of survey respondents indicated there was a current high level of board engagement in such issues. What is even more worrying is there has actually been a fall of 2% in high-level engagement year on year. 15% of respondents said board engagement in cybersecurity matters was low, while a third said engagement was at a medium level, better than in previous years.

You must identify the most critical assets to effectively manage cybersecurity risk

In order to protect assets, they must first be identified. This may sound obvious, but many companies are unsure what their critical assets are according to the study. A number of companies had failed to identify the data that cybercriminals were most likely to try to obtain. Appropriate protections were therefore not being put in place to keep the most sensitive data secure.

Confidence in repelling cyberattacks is low

The majority of organizations are not particularly confident that a targeted attack could be repelled, even though cybersecurity protections had been put in place. Companies were believed to be better at protecting their assets and keeping sensitive data secure than in recent years, although considerable efforts still need to be made.

According to the researchers, a lack of confidence is actually good news, as it should spur companies to keep on developing their security protections.

Memory Based Malware: No User Download Required

Think you have to open an infected email attachment or download a file to your computer to acquire a malware infection? Not with the latest memory-based malware. Drive-by attacks are taking place that do not need any user interaction. These file-less infections use malware that resides in the computer’s memory, and RAM is not scanned by most anti-virus programs.

The good news is attacks of this nature are rare. The bad news is the malware is being increasingly used by cybercriminals.

Fortunately, malware that resides in the memory doesn’t survive a reboot. Unfortunately, by the time your computer is rebooted, you may have already lost your sensitive data. How often do you reboot? At the end of your working day? That could potentially give a hacker a full 8 hours to record your keystrokes or download files to your computer. A lot of damage can be done in 8 hours.

There is another problem. Hackers are now creating memory-based malware that actually survives a reboot. The malware has been configured to hook into an API. When the computer is restarted, the malware is reloaded back into the RAM.

Memory-based malware exploits security vulnerabilities in outdated software

If a user is convinced to visit a malicious website, or responds to a spam email containing a link to one of those sites as part of a phishing campaign, their computer can be infected almost immediately. A user is usually directed to a web page containing an exploit kit, the Angler exploit kit for example. Code on the website probes the user’s browser for security vulnerabilities. Security vulnerabilities in Adobe Flash or Adobe Reader could be exploited, or Java, Silverlight or any number of plug-ins that the user has installed.

However, instead of the vulnerability being used to download a file to the hard drive, code is inserted into the memory. This does not trigger an Anti-Virus program because no files are downloaded to the computer. This allows the hacker to perform a drive-by cyberattack, stealing information quickly and silently. That information could include login names, passwords, bank account information, or anything entered via the keyboard.

These types of cyberattacks are not new. They have been possible for a long time, but cybercriminals have not favored memory-based malware. Unfortunately, memory-based malware is being used in exploit kits that are widely available online.

Sometimes a fast and stealthy attack is preferable to a long-term malware infection. If the aim is to avoid detection at all costs, then this is one of the easiest ways to gather intel or data without setting off any alarms. High-profile targets such as governments could be targeted, and they would be none the wiser as next to no trace of an attack is left by memory based malware.

Is an attack inevitable? Can nothing be done to prevent the installation of memory based malware?

The solution is not anti-virus software, but to prevent users from visiting a website that contains the exploit kit. It may not be possible to prevent a drive-by attack once a malicious site has been visited, but it is possible to avoid visiting that site in the first place. Hackers must still direct a user to the malicious site in order for an attack to be possible. There must also be security vulnerabilities in the browser that can be exploited.

To protect your computer from memory-based malware, you must ensure that your web browser and software are kept up to date with the latest security patches. As for avoiding malicious websites that contain the exploit, a web filtering solution should be used. A web filter can block users from visiting malicious sites, or prevent web ads from being displayed. Website adverts are often used as a method of getting users to visit a malicious website.

Phishing and spam emails containing links to malicious sites can be prevented from being delivered using a powerful spam filtering solution. SpamTitan Technologies offers both solutions. SpamTitan Anti-Spam software protects users by blocking spam emails from being delivered, while WebTitan software can be configured to prevent users from visiting malicious websites.

The threat landscape may be constantly changing, and new exploits used to compromise computers and steal data, but fortunately the risk can be effectively managed.

New Mac Internet Scam Warning Issued

Using a Mac is safer than using a computer running Windows. That’s not to say it is not possible to inadvertently install a virus or malware on a Mac. It is just that hackers tend to focus more on PCs. From a hacker’s perspective, it is better to try to infect as many devices as possible and more people own PCs than Apple devices.

According to research conducted by IDC, sales of Macs have increased by just over 16% this year. However, while accurate figures are difficult to find, approximately 90% of computers use Windows software. This makes the operating system much more likely to be attacked. If you were a hacker would you concentrate on the 90%?

That does not mean that Mac users are immune to attack: BlackHole RAT, OS X Pinhead, Mac Flashback, and Mac Defender all targeted Mac users.

Mac users do face risks and must be cautious when using the Internet. They may not face such high risks, but they can just as easily fall for scams. Phishing websites will also work just as well on Mac users as they will on everyone else. That’s because phishing techniques are employed to fool the user of the device. It doesn’t matter what device is being used to access the Internet.

New phishing scam alerts iTunes users to account limitations

Mac users have recently been targeted by a campaign claiming iTunes accounts have been compromised. Most recently a phishing scam has been launched advising iTunes account holders that their accounts have been limited for security reasons.

They are informed of this by email and are provided with a link. If the link is clicked they are directed to a scam site and must enter information to lift the account limitation. A number of data fields must be completed and a credit card number entered.

This is an easy scam to identify as, even when accounts have been compromised, a service provider would not typically ask for a credit card number for identity verification.

If in doubt, just access your Apple account directly and check to see if there is a problem with your account. Never use the link supplied in an email.

Mac Internet scam reported offering urgent tech support

A Mac internet scam warning was recently issued after the discovery of a new tech support scam. A woman visited a webpage which flashed a warning that her Mac had been infected with malware. She was told to call a phone number to speak with tech support. On calling the number she was told she was speaking to an Apple employee, and she was required to pay for tech support to remove the infection. When asked for payment she tried to pay by AMEX, but was told American Express could not be used. This alerted her to the scam. Apple doesn’t have a problem taking AMEX as payment.

If you are warned of a virus infection, you can always visit an Apple store. They will be able to confirm if your Mac has really been infected.

Mac Internet scam warning! Your Mac is Infected with Malware!

Phishing scams targeting Mac users are far more common than malware infections targeting their devices, but malware is always a risk no matter what device is used. However, this year Apple has been targeted. A Mac Internet scam warning was issued earlier this year, again relating to Mac malware infections.

The scam is common with PC users, especially those using illegal file sharing websites, streaming services, and porn sites. However, a number of legitimate websites have been hijacked and are displaying pop-up windows announcing a virus infection has been detected.

The warnings come as a shock to Mac users and many will be convinced to click on the links. They direct the user to malicious websites offering fast and effective disinfection using Anti-Virus/Anti-Malware solutions. A click of a link will download a program called MacDefender that will conduct a full system scan.

The MacDefender Anti-Virus program is nothing of the sort. Instead of removing malware from the Mac, it is a form of malware. The fake Anti-Virus software appears to conduct a scan of the system and identifies apps that have been infected. Popup windows are launched to porn sites and other websites as a scare tactic.

In order to remove the infections, the user is required to purchase a license for the software. To do that a credit card is required. Once the license has been purchased the program stops launching browser windows. It also advises the user that the malware has been removed.

Unfortunately for the victim, they have just given their credit card details to the scammers. Card purchases can be made and the criminals can run up thousands of dollars of debt.

No matter what device you use to access the Internet or email, you are always at risk of falling for a phishing scam or inadvertently installing malware. Fortunately, the risk can be easily managed. WebTitan is available for Windows and OS X, and offers protection from malware, malicious websites and phishing campaigns.

To find out how WebTitan can protect you and your company’s employees, call the sales support team today.

Does an SSL Certificate Mean a Website is Safe to Use?

If you want your employees to browse the Internet safely you should try to restrict access to only those websites that have a valid SSL certificate. It is now common knowledge that SSL certification means a website is secure and can be trusted; but is that true?

Does an SSL Certificate mean a website is safe to use? The answer is a definite no. HTTPS or an SSL certificate alone is not a guarantee that the website is secure and can be trusted.

Many people believe that an SSL Certificate means a website is safe to use. Just because a website has a certificate, or starts with HTTPS, does not guarantee that it is 100% secure and free from malicious code. It just means that the website is probably safe. In the vast majority of cases the sites will be. Just not always.

Unfortunately, phishers and other cyber criminals have discovered how to exploit trust in SSL certificates. Some phishing websites have valid SSL certificates in place. This means even when you think your employees have been restricted to safe websites, they are still not protected from phishing sites. Relying on a block on sites that do not use SSL certification is a mistake, and potentially a very costly one.

It is a good idea to restrict access to unsecure websites, but further protections will be required if you want to be sure that your employees and your network are properly protected.

What is an SSL Certificate?

In short, an SSL Certificate is a file that permanently binds a key to a company’s website. When an SSL certificate is installed on a company’s web server, connections with that website will be secure. Information will be sent via port 443 using the HTTPS protocol.

SSL Certificates are used by websites to secure sessions with web browsers. You will be able to tell which websites have an SSL certificate in place because they will have a padlock next to the web address. This means that the connection with that website is secure. Information can be entered with confidence when connected to the website and, most importantly, the padlock gives an indication that the site is not malicious.

The SSL Certificate lets a website visitor know that the site is trustworthy and informs those who look that the site belongs to a specific organization. It is important never to enter credit card details or bank information if a website does not have a valid SSL certificate. That would be an unacceptable risk to take.

Facebook, Twitter, and Google use SSL certification. When you visit those sites you will see a padlock next to the URL. If you click on the padlock, you will see the owner of the site and will know that ownership has been verified.

Some phishing websites have obtained SSL Certificates – How is this possible?

Unfortunately, phishing websites with SSL certificates are becoming more common. Many certificate authorities do not have a particularly strict vetting process. There have recently been a number of banking websites set up that use the certificates even though the sites are not genuine.

One recent scam involved the Halifax Bank in the UK. A phishing website was set up using a variation of the real website, which is halifax-online.co.uk. The phishing site in question was halifaxonline-uk (do not visit this website), a very similar name that would likely fool many account holders. Similar scams have been operated using variants of PayPal, and even Symantec has issued 30-day certificates to phishing websites.

The certificates are valid for long enough to allow a phishing campaign to be conducted. The phisher can then repeat the process with a different website, hosted with a different provider with a different SSL certificate.

Unfortunately, these certificates are one of the main ways of checking whether a website can be trusted. With a domain name that looks close enough to the real thing and an SSL Certificate and a padlock, many visitors will be fooled into thinking the website is genuine. When they enter in their login information, the data will be recorded by the site owner and can be used to login to the real website.

Some certificate authorities are better than others and can be trusted more, but unless they can all be trusted it makes a mockery of the SSL certificate. Unfortunately, all the SSL certificate does is confirm that the certificate owner owns the website, not that the particular website can be trusted.
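The Halifax case above shows why a filter has to test the hostname itself and not only the certificate. The following Python code is an added example, not part of the original article or of any WebTitan product; the `.example` hostnames are constructed, and the short suffix list and edit-distance threshold are assumptions.

```python
"""Web-filter style check: certificate validity and lookalike detection are separate tests."""
import re

# The real hostname named in the article; extend with your own protected domains.
PROTECTED = ("halifax-online.co.uk",)
# Assumption: a tiny suffix list for the demo. Use the full Public Suffix List in practice.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "uk", "example")
# Digit-for-letter swaps commonly used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MAX_EDITS = 2  # Assumption: tolerated typo distance from a protected name.


def registrable_label(host):
    """Return the label directly left of the public suffix ('halifax-online')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            host = host[: -len(suffix) - 1]
            break
    else:
        host = host.rpartition(".")[0] or host  # unknown suffix: drop the last label
    return host.split(".")[-1]


def skeleton(text):
    """Lower-case, drop separators, undo digit swaps: 'Ha1ifax-0nline' -> 'halifaxonline'."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    for real in PROTECTED:
        if host == real or host.endswith("." + real):
            return "legitimate"
    host_skel = skeleton(host)                      # catches brand-as-subdomain tricks
    label_skel = skeleton(registrable_label(host))  # catches typos in the registered name
    for real in PROTECTED:
        brand = skeleton(registrable_label(real))
        if brand in host_skel or edit_distance(label_skel, brand) <= MAX_EDITS:
            return "lookalike"
    return "unrelated"


def filter_decision(host, cert_valid):
    """A valid certificate is necessary for 'allow' but never sufficient."""
    verdict = classify(host)
    if verdict == "lookalike":
        return ("block", "lookalike")
    if not cert_valid:
        return ("block", "invalid certificate")
    return ("allow", verdict)


# Constructed observations: (hostname, did the certificate validate?)
SAMPLES = [
    ("www.halifax-online.co.uk", True),
    ("halifaxonline-uk.example", True),            # valid cert, lookalike name
    ("ha1ifax-0nline.example", True),              # digit swaps
    ("halifx-online.co.uk", True),                 # one-letter typo
    ("halifax-online.co.uk.login.example", True),  # brand used as a subdomain
    ("intranet.example", False),
]

if __name__ == "__main__":
    for host, cert_valid in SAMPLES:
        print(f"{host:40} cert_valid={cert_valid!s:5} -> {filter_decision(host, cert_valid)}")
```

Every lookalike in the sample list is blocked even though its certificate validates, which is the gap a certificate-only rule leaves open.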

Blocking access to websites without a valid SSL Certificate

A website with a valid SSL certificate means the website can be trusted more than a site without one. All employers should implement controls restricting access to websites that do not have a valid SSL Certificate, or at least configure settings to alert the user that they are about to connect to a website with an invalid certificate or without one entirely.

It is a simple process to block access to websites that do not have a valid SSL certificate. You can do this through your browser settings or you can modify the hosts file, for instance. The former option would be fine for individuals or small businesses with just a few computers. It is not practical to do this if you have 1,000 computers, run BYOD, or if your end users have multiple browsers installed.

Make your life easier by implementing a cost effective web filtering solution

By far the easiest solution to protect yourself and your network is to use a web filtering tool. There are many to choose from, but WebTitan from SpamTitan Technologies is one of the best and a highly cost effective solution for SMEs.

Since some disreputable sites have SSL certificates in place, it can be virtually impossible for end users to tell if they are safe or at risk. WebTitan offers the additional protection your business needs to ensure access to malicious websites is blocked, phishing scams are avoided and malware is not downloaded. Without a powerful web filter in place, blocking access to malicious websites will be an uphill battle, and it will only be a matter of time before your network is compromised.

Customers Warned of TalkTalk Hacking Scams as Data are Sold on Dark Net Websites

British mobile phone and broadband provider TalkTalk discovered it had been hacked late last month; however further information has emerged that suggests TalkTalk hacking scams are increasing in number. Over a million customers’ data are apparently being offered for sale on the dark net, with criminals already using the data to defraud victims.

Over four million customers were believed to have been affected by the hacking scandal at first, although not all of the company’s customers are now understood to have been affected.

A criminal investigation was launched a few days after the hack was discovered. Initial reports suggested an Islamic terrorist group from Russia was behind the attack, having publicly claimed responsibility. This claim appears to be false.

The Metropolitan Police Cyber Crime Unit acted fast and just a few days after the attack was announced, a 15-year-old boy was arrested in Northern Ireland on suspicion of being behind the attack. A few days later, a second arrest was made, this time a 16-year-old boy from West London. A 20-year-old was arrested in Staffordshire in connection with the hack, and now a fourth individual has been arrested: a 16-year-old boy from Norwich has been detained.

1.2 million email addresses obtained by the hackers

The official figures released by TalkTalk are much lower than the initial estimates, but the hack still ranks as one of the biggest UK hacking scandals to be reported in recent years.

A statement released by the company revealed that approximately 1.2 million email addresses had been obtained in the attack, customer names and phone numbers were also stolen, and 21,000 bank account numbers and sort codes were accessed, presumed stolen. A later press release indicated that 156,959 individuals had been affected, and the earlier figure was “bits of data,” including email addresses, names, and phone numbers.

Credit card numbers were compromised, but since they did not contain complete numbers there does not appear to be a risk of them being used inappropriately. However, that is not to say that the data will be useless. Phishers may well devise campaigns to obtain the remaining digits from unwary TalkTalk customers.

It is not clear how the attack was performed as reports have not been confirmed, but it would appear that the attack was made using a blind SQL injection which exploited a vulnerability in a video on a page of the TalkTalk website. The specific vulnerability was not disclosed, although Adobe Flash has been found to contain vulnerabilities that could be exploited by SQL injection. These vulnerabilities were addressed in a recent patch issued by Adobe. SQL injection is the insertion of code that allows access to be gained to a company database. It is a very common technique used by hackers to gain access to corporate databases.

What is clear is that the security staff were distracted dealing with a DDoS (Distributed Denial of Service) attack that was conducted by one of the team of hackers. A DDoS attack bombards a company’s website with huge volumes of traffic, overwhelming it. This is made possible by using systems that have been compromised with a Trojan or have been infected by a botnet.

It would appear that while TalkTalk was dealing with the DDoS attack, the criminals were able to gain access to the company’s data by exploiting the website security vulnerability. A report in the Daily Mail indicates one of the team of hackers behind the attack made a mistake and accidentally disconnected from a service that was being used to hide his real IP address.

Some sources have reported that a ransom demand was issued in which £80,000 was demanded in Bitcoin. If the ransom was not paid, the criminals behind the attack would release the data or sell it on dark net websites to criminals. That appears to have already happened, with at least one individual appearing to have clocked up over 500 sales via dark net marketplace, AlphaBay.

Another online criminal was reportedly negotiating a deal to sell details of 500,000 accounts on the dark net, and claimed to have over a million records in his possession.

Businessinsider.com.au claims to have been in contact with individuals who claim they were part of the attack, with figures of 1.3 million records mentioned. When asked why they carried out the attack, one person claimed it was for “sh*ts and giggles”, another for “lolz”, and “purely to like, own the ISP.” One of the persons behind the attack said it wasn’t for the money. The claim that a ransom was demanded was also denied.

While the total number of records exposed is not clear, and none of the reports from conversations with those claiming to have had a part in it have been confirmed, what is clear is that the security in place at TalkTalk was poor in some cases. One of the boys claims that one account had a password with just three digits. One quote obtained by Business Insider, from an individual operating under the name “Vamp”, claimed that the security in place was “terrible, that’s being honest with you, horrible.”

Reports in the press suggest that the vulnerability was shared, and between 20 and 25 people had access – although 5 individuals were reportedly behind the attack, including two in the UK and two in the U.S.

Beware of TalkTalk hacking scams

TalkTalk hacking scams have already been reported, with some customers having complained about being bombarded with phone calls following the security breach, as criminals attempt to use the contact information obtained to defraud victims. One victim was called after apparently having his internet connection slowed down, and was directed to a website, presumably containing malicious code.

TalkTalk hacking scams could be launched via email since 1.2 million email addresses were compromised in the attack. Phishing campaigns are often used by criminals to get users to reveal sensitive information, visit malicious websites or install malware on computers. The type of information obtained by the hackers, and subsequently sold to online criminals, could easily be used to launch highly convincing campaigns.

All of the company’s customers are advised to be exceptionally cautious, and not to reveal any personal information over the telephone, Internet or via email. TalkTalk hacking scams could be in operation for many months to come so it is vital that all customers remain vigilant and be on their guard.

Being hacked can have serious implications for a brand

A data breach such as this can have a major effect on an organization. Customers will lose trust in the brand, and it is difficult to regain trust once it has been lost. Many of the company’s 4 million customers are expected to change mobile phone/broadband provider as a result.

This is a highly competitive market and there will be no shortage of competitors looking to snap up new customers as a result of the security breach. Following the news of the hack, the company’s share price fell by 10%.

It will not be known for many weeks or months how much of an effect this, and other TalkTalk hacking scams, will have on the company’s brand image, but what is certain is that it will have a major financial impact. Many customers are also likely to lose out as scammers seek to take advantage.

Awareness of Security Threats is a Cause for Concern

A new study conducted by CompTIA has highlighted the risks that are being taken by end users, and suggests low awareness of security threats. End users’ lack of knowledge of basic security measures continually frustrates IT security professionals. End users are usually seen as the weakest link in the security chain, and the results of this study are unlikely to see many minds changed. The study also suggested the persons most likely to take risks and jeopardize security are in their early twenties: Gen Y.

Gen Y Has Low Awareness of Security Threats

One of the tests conducted was a relatively straightforward but ingenious test of risk awareness. CompTIA researchers dropped 200 unmarked thumb drives in locations that received high volumes of foot traffic. The researchers wanted to find out how many individuals would pick up the drives and plug them into their computers.

Thumb drives can be purchased cheaply, but are extremely useful. Finding one in the street may be seen as a lucky find. However, plugging such a drive into a computer carries a huge risk. There is no knowing what software is installed on the drive, and simply plugging it into a computer could easily result in malware or viruses being installed.

In this case, doing that just resulted in a pop-up message being displayed which prompted the new owner of the thumb drive to send an email to the researchers to let them know that the device had been found and plugged in. In total, 17% of the 200 thumb drives resulted in a response being received by the researchers. Not all of the individuals who picked up a thumb drive will have responded to the pop-up request to send an email to the study organizers, so the number of individuals who did plug in the drive may well have been higher.

The company also conducted a survey to discover more about end user awareness of security threats. Over 1200 completed surveys were collected by the company, and the results show that many end users are taking considerable security risks. Those risks could result in laptops, computers, and mobile phones being compromised. If IT security professionals were worried about end user risk taking before, they are likely to be even more worried now.

Numerous questions were asked; however, the most worrying statistic for security professionals is the volume of individuals who use the same passwords for personal accounts as they do for their work computers. The study revealed 38% of respondents did this, while 36% used their work email address for personal accounts.

Gen Y end users were most likely to take risks, with 40% saying that they would pick up and use a flash drive they found in the street, and 94% of respondents connect either their laptop computer or mobile to public Wi-Fi networks. Nearly seven out of ten individuals said they use their laptops for work purposes or to handle work-related data and six out of ten employees used employer-supplied mobile devices for personal applications.

While IT security professionals reading CompTIA’s statistics may break out in a cold sweat at the excessive risks being taken by end users, there is a solution. That is to provide more security awareness training to staff. End users may be the weakest link, but with training, risk can be managed. If awareness of security threats increases, organizations will be better protected from cyberattacks.

Less than half of respondents reported having received any cyber security training, so awareness of security threats was understandably low. Employees were not aware of the level of risk they were taking. Unless end users are shown how to be more security conscious, risky behavior is unlikely to decrease.

Liability for Employee Internet Usage

Liability for Employee Internet Usage: Can an Employer be Liable for an Employee’s Online Activity?

There are numerous benefits to be gained from allowing employees access to the Internet. Information can be found quickly, contacts can be easily developed, new suppliers easily located, products purchased, research conducted and many more benefits can be realized.

Unfortunately, the provision of Internet access to employees does occasionally lead to abuse. An employee could use the Internet to access personal gambling accounts and play online poker at work, or social media websites could be used excessively. Individuals can and do view pornography at work. Threats and disparaging comments may be posted online. You can also add illegal file sharing, hacking of other corporations, and illegally accessing databases to that list.

There are plenty of other ways of abusing Internet access and, if it is possible to be done, an employee somewhere will have already done it.

The majority of these acts are committed only by a minority of employees. They rarely cause an employer, co-worker or other individual to come to any harm. However, this is not always necessarily the case. Should harm occur, or an employee break the law, the employer could be found to be liable for the employee’s actions.

There have been a number of cases when employers have been found to be liable for the actions of employees, such as when actions have adversely affected work colleagues. Some of the most common reasons for lawsuits have been sexual harassment of co-workers, threats of violence, racial harassment, and discrimination.

Respondeat superior – Employer Liability for the actions of an employee

The legal term for vicarious liability of an employer for actions committed by an employee is Respondeat superior. This is nothing new. It has been written into the law for over 100 years. Today, Respondeat superior does not only apply to verbal actions, it also applies to actions committed using email and abuse of the Internet. It is not limited to actions against co-workers either. Liability for employee Internet usage may result from comments posted on forums.

Typically, an employer would only be liable for an act committed by an employee while furthering the purpose of an employer. For instance, if an employee of the marketing department was posting links to a company website via Internet forums, an employer could be found liable for harm caused to a third party if those links defamed the character of a third party or were deemed to be slanderous.

In recent years, Internet abuse by employees does not necessarily have to have been conducted to further the purposes of an individual employee. Simply providing an employee with the opportunity to cause harm may come back on the employer. In many cases it doesn’t even matter whether the employer is aware of the activity; they will not be protected from liability for employee Internet usage.

How can employers protect against liability under Respondeat superior?

There are four easy ways that employers can protect themselves from liability stemming from employees misusing the internet at work. The first is one of the simplest measures and the cheapest to implement. The other three controls involve software solutions.

Implement clear policies covering acceptable uses of the Internet and email at work

This measure is the simplest to implement, yet even this basic control has not been put in place by many SMEs. If an employer has not written clear and precise policies on allowable uses of the Internet and email in the workplace, employees cannot be expected to know whether they are committing acts that the company finds unacceptable.

If an employee is not informed that an activity is unacceptable they cannot be expected to guess. Accessing pornography at work and being fired for doing so could see that decision overturned in an employment tribunal if the employee was not informed that accessing porn would result in the immediate termination of his or her work contract. It is also essential that a signed copy of Internet usage policies is obtained from each employee.

Implement a system that monitors Internet and email usage in the workplace

Policies are only the first step. There must be a method of monitoring access to the Internet, otherwise there will be no way of telling if employees are adhering to company policies. It may not be necessary to constantly monitor Internet access, but regular audits should be conducted. Any individual found to have abused access rights must be subject to disciplinary procedures. There is no point implementing policies that are not enforced.

Liability for employee Internet usage is more likely if a web filter is not employed to control Internet access

Many employers choose not to take chances and restrict the websites that can be viewed in the workplace. There are many methods of achieving this, such as setting rules in browsers or on proxy servers used to access the Internet. Many of these methods can be implemented cheaply, and some without any cost other than the time it takes to set them up.

In some cases, the man-hours required to set up these rules make it impractical. It is often far quicker, easier, and more cost effective to employ a powerful web filter. This will allow a system administrator to centrally control Internet access for individuals, groups, or the entire organization. A web filtering solution with a high degree of granularity will allow a wide range of controls to be applied for different roles within an organization and can be used to restrict access to pornography for the whole organization, limit the time that can be spent on social media websites, and set specific privileges for each individual if required.

Use an Anti-Spam solution to prevent email abuse at work

Internet abuse must be tackled, but it is important not to forget email. Email is used by virtually every company employee and is just as easy to abuse. It is difficult to control the content of messages to protect employees from sexual harassment, but it is possible to prevent individuals from emailing certain file types outside the company.

Anti-Spam products include a filter to protect users from incoming spam, but products such as SpamTitan also offer control over outgoing emails. The spam filter can be configured to prevent individuals from using company email accounts to conduct personal spamming campaigns.

If you put the controls in place to prevent Internet and email abuse, monitor activity, and make sure Internet and email usage policies are in place, it is possible to protect the business from liability. Liability for employee Internet usage will be avoided. It will be the employee, not the employer, that is likely to be found liable.

Your Favorite Coffee Shop Filters its Coffee, but not Internet Access

Visiting a coffee shop for a caffeine fix usually means having the opportunity to save some bandwidth by connecting to a free Wi-Fi network. In fact a coffee shop without free Wi-Fi is unlikely to be anywhere near as busy as those offering patrons the opportunity to connect to the Internet for free.

Even airports, restaurants, shopping centers and many pubs allow visitors to connect to their Wi-Fi for free. Many freelance workers even head to cafes to do a full day’s work, while others just check email or surf the Internet. The ability to connect to someone else’s Wi-Fi is convenient and saves money. However, as many people discover, it may not be quite as free as they think. Connecting to free Wi-Fi hotspots carries considerable risks. There may actually be a considerable cost: identity theft and the emptying of a bank account!

The importance of a secure Wi-Fi connection

Many free Wi-Fi networks allow any user within range to connect without even having to register. These open networks really are open to anyone, and that means open to criminals as well. When users connect to these networks they allow any individual who is also connected to see a considerable amount of their data. Should a person with the inclination and a modicum of technical skill choose to inspect network traffic, they could potentially see the websites that are visited, read the emails that are sent, and even view login names and passwords. Installing malware on every device that connects is also pretty straightforward.

Not all Wi-Fi networks are open. Some coffee shops and free Wi-Fi hotspots require users to identify themselves. Access can only be gained if users log on. This requires the use of a token or password which is only provided to people who create accounts. These Wi-Fi networks use encryption that prevents data from being intercepted. That does not mean that these networks are entirely secure, only that additional security controls have been employed to make them safer.

If operators of public Wi-Fi networks really want to protect their users from the myriad of viruses and malware on the Internet, additional security controls should be employed. One of the best options in this regard is a web filter (often referred to as an Internet filter or content filter).

The importance of installing a web filter to protect users

A web filter will restrict the websites that can be visited while connected to a network. Many businesses have web filters in place to restrict the websites that employees can access while at work. Many homes have a parental filter in place that stops children (and adults!) from accessing pornographic content, gambling websites, dating sites and other types of website that contain inappropriate or potentially harmful content.

Coffee shops and cafes rarely have these web filters in place. They may filter the coffee, but they certainly do not filter the Internet. This means visitors could access pornographic material, gambling sites, and streaming services, and many of those websites contain really dangerous material – malware, viruses, and malicious code that could result in the users’ devices being infected. In some cases, their device could be compromised to the point that all data entered could be transmitted to a hacker.

Insecure or secure Wi-Fi – The choice is yours

When setting up a Wi-Fi network, the system administrator or operator of that network has a choice: Secure or insecure. The reality is that there is very little difference in terms of time when setting up a secure or insecure network, but there is a world of difference for users.

Even if an insecure network is chosen and kept totally separate from other networks, there is a risk that the insecure Wi-Fi network will be used by hackers to launch an attack on other networks that have been secured. Insecure Wi-Fi should therefore never be chosen.

Would you want your patrons or employees to be infected? What impact would that have on your business?

Are you waving a flag and shouting at hackers to come and attack your network?

Set up an insecure network and you might as well place a sign above your door saying hackers welcome! Attack our visitors and steal from our employees!

Fail to protect your network and your employees and loyal customers could have their privacy violated, devices compromised, and their most sensitive information revealed. The decision not to secure Wi-Fi, which is illegal in some parts of the world, could also be leaving you wide open to a lawsuit. It could also seriously damage your brand’s reputation and end up driving customers away.

Providing the public with free Wi-Fi access? Make sure you…

Set up a secure password

An insecure password does not really offer much more protection than an open network. If your password is easy to guess, hackers will guess correctly before very long. Don’t use your shop name, use numbers and letters, include capital letters and even some symbols. Never use a name with a date appended to the end, or a number sequence such as 1234. Also do not use common words with a few specific characters replaced with numbers. You may think they are hard to guess, but not for a bot that tries many different common combinations.
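The rules above, expressed as a check that can be run on a candidate Wi-Fi password before it is set. This is an added example, not code from the original article; the word list, the rule codes and the function names are assumptions made for illustration.

```python
import re

# Constructed word list for this example; a real check would load a much larger dictionary.
COMMON_WORDS = {"password", "welcome", "coffee", "espresso", "internet", "guest", "wifi", "letmein"}

# Undo the usual character swaps so "c0ff33" is compared as "coffee".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# A word followed by a year (1900-2099) or a 6/8-digit date, e.g. "barista2015".
NAME_PLUS_DATE = re.compile(r"[a-z]+[\W_]?(?:(?:19|20)\d{2}|\d{6}|\d{8})")


def has_sequence(text, run=4):
    """True if text holds `run` characters that count straight up or down (1234, dcba)."""
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        if chunk.isalnum():
            steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def check_passphrase(candidate, shop_name=None):
    """Return the rule codes the candidate breaks; an empty list means none were hit."""
    findings = []
    lower = candidate.lower()
    decoded = lower.translate(LEET)  # substitutions mapped back to letters

    # "Don't use your shop name", including spaced or character-swapped spellings.
    if shop_name:
        key = re.sub(r"[^a-z0-9]", "", shop_name.lower().translate(LEET))
        if key and key in re.sub(r"[^a-z0-9]", "", decoded):
            findings.append("shop-name")

    # "Never use a name with a date appended to the end."
    if NAME_PLUS_DATE.fullmatch(lower):
        findings.append("name-plus-date")

    # "...or a number sequence such as 1234."
    if has_sequence(lower):
        findings.append("sequence")

    # Common words, either plain or with a few characters replaced.
    if any(word in lower for word in COMMON_WORDS):
        findings.append("common-word")
    elif any(word in decoded for word in COMMON_WORDS):
        findings.append("leet-common-word")

    # "Use numbers and letters, include capital letters and even some symbols."
    classes = {
        "missing-lowercase": any(c.islower() for c in candidate),
        "missing-capital": any(c.isupper() for c in candidate),
        "missing-number": any(c.isdigit() for c in candidate),
        "missing-symbol": any(not c.isalnum() for c in candidate),
    }
    findings += [code for code, present in classes.items() if not present]
    return findings


if __name__ == "__main__":
    # Constructed candidates; "Bean Scene" is a made-up shop name.
    for pw in ("BeanScene2015", "C0ff33!Time", "river1234", "vT9#qLm2&Xr7pK"):
        print(pw, check_passphrase(pw, shop_name="Bean Scene"))
```

An empty result only means none of the listed patterns were found; it is not a measure of strength.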

Block the content that can be accessed through your network

Would you like a child to accidentally see the screen of someone viewing hardcore pornography while connected to your network? Would you like to deal with law enforcement officers when they visit you to find out why one of your visitors is downloading terrorist manuals from your establishment? Of course not!

The answer is to restrict the content that can be viewed, and to do that you need to install a web filter such as WebTitan Wi-Fi. It’s low cost, easy to set up, and it will restrict the websites that can be accessed through your network.

Filtering Wi-Fi should be as important to you as filtering your water and coffee. More so in fact. It protects you and it protects your customers. If your focus is providing a quality service for your customers, the provision of a web filter is essential. It could be the difference between a customer visiting your establishment or going to a more secure competitor.

5 Security Errors Often Made by System Administrators

Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Oftentimes there are simply not enough hours in the day to deal with all of the issues. There are software problems, hardware problems, user problems, and it can be hard to find time to be proactive instead of reactive.

We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five issues that you should avoid to prevent future headaches. They are basic, but that is why many system administrators forget them.

Network Security No No’s

Never host more than Windows Active Directory on a domain controller

Active Directory looks after the identities and relationships of your network. It will allow you to provide all employees with SSO (Single Sign-On) access. However, it is important that Active Directory is isolated and the machine you use is not used for anything else. Don’t mix up your assets, as in the event of one being compromised, anything else hosted on the same machine is also likely to be affected. After all, hackers are likely to have a snoop around and see what else is running on a server they have managed to gain access to. Keep everything separate, and you will be limiting the damage that can be caused in the event of a security breach.

Don’t access a workstation using your administrator credentials

Your administrator login credentials, if compromised, would allow a malicious insider or outsider to gain access to systems where a lot of damage can be caused. If you log in to a compromised workstation using your administrator login, you could be giving your access rights to a hacker. Cached login credentials are not difficult to obtain. GitHub offers code that will allow anyone to change Local Admin privileges to Domain Admin privileges. If that happens, a hacker really can unleash hell.

Don’t ever reuse passwords

One of the most elementary data security measures is to ensure passwords are impossible to guess. In the unlikely event that your password is guessed, or is somehow compromised, it is essential that the password cannot be used to access any other systems, servers or workstations. Setting different access passwords for everything is a pain, but it is an essential security measure.

Don’t leave default logins active

Default logins are often exploited. Many can be obtained with a very quick search on the Internet. This applies to all networked devices, routers, and equipment. It is usually the first thing that will be attempted in order to gain access. How easy is this? Take hospital drug pumps as an example. There have been instances of patients searching online for the manufacturer’s website, obtaining the default login details, and then logging in to up their morphine doses. If patients can do it, it would not be too hard for a hacker.

Never, ever use an open Wi-Fi network

In a business environment, it is not possible to justify using an open Wi-Fi network. The risks that insecure Wi-Fi creates are simply too high. If you need to provide guest access, set up a guest login and password and make sure it is changed regularly. You may get a few complaints, but not as many as you will get when your system is compromised, data is exfiltrated, or heaven forbid, data is deleted or encrypted with ransomware.

Summary

It may be more convenient to share passwords, allow anyone to access Wi-Fi, share servers and use the same login to access everything, but it is a recipe for disaster. If anything goes wrong, and it eventually will, you must ensure that the damage caused is limited as far as is possible. Convenience should never jeopardize system security.

Beware of Social Engineering Scams

There has been a lot of talk recently about social engineering scams, but what is social engineering? Social engineering is a term used in social science to describe the psychological manipulation of people into taking a particular action and influencing large groups of people. It is a technique used for good and bad. Politicians and governments use social engineering, and advertisers are known to use social engineering to convince the public to purchase products.

In recent months, most talk of social engineering has been about information security. Hackers and other online criminals are now using social engineering techniques to get Internet users to reveal their sensitive information, such as login names and passwords, and even credit card numbers and bank account details. The majority of large scale data breaches caused by hackers and malicious outsiders are usually discovered to include an element of social engineering.

How can you protect yourself from being manipulated into revealing information? How can you protect yourself and your company from employees falling for social engineering scams?

How is Social Engineering Used by Cybercriminals?

The commonest methods employed by cybercriminals to manipulate users into taking certain actions are detailed below. Being aware of how social engineering is used will help you to protect yourself and your employees from becoming victims of scams and phishing campaigns.

Abuses of Trust:

Online criminals know that if they want to get something from people, it is far easier to get what they want if they pretend to be someone that person trusts. People are wary of strangers after all. If a total stranger came up to you in the street and asked for your PIN number or email address and password, you would naturally not tell them. However, on the Internet it is not always so easy to tell if someone is actually a stranger. Seemingly legitimate reasons are also provided for disclosing such information.

Emails sent from colleagues, friends and family members

If you receive an email from someone you trust, chances are you will be more likely to respond to a request than if the same email had been sent by a stranger. If a family member sent you a link asking you to click, you may not even think twice before you click your mouse.

If your best friend, brother or sister sends you a URL saying, “You have got to see this, it is so funny!” You click the link, you see a video, and you wonder what on earth they were thinking about. The video wasn’t very funny at all!

Unfortunately, the reason the link was sent was not because it contained side-splitting humor, it was because clicking on the link caused malware to be downloaded to your computer. The email was, of course, not sent from the person you thought it was, but by a hacker who was pretending to be someone you know.

It is not just “must see” images, jokes and videos that are sent. Many emails are sent that manipulate individuals by taking advantage of compassion or a desire to help a friend or family member in need. Emails are supposedly sent from individuals that find themselves in a spot of bother. A friend traveling abroad has had his wallet stolen and is stuck and can’t get home. He needs money transferred so he can buy a plane ticket to get home. In actual fact he is on the beach, and a hacker has gained access to his email account, not his wallet.

Phishing: Manipulating people into revealing confidential information

There has been a huge increase in the volume of phishing emails being sent in recent years. This is because these social engineering scams can be incredibly effective. They are used to get individuals to reveal highly confidential information that under normal circumstances they would never divulge.

Some of the most common social engineering scams used by online criminals to obtain sensitive information are detailed below. Be particularly wary if you receive one of these emails:

Urgent Charity Donation Required

Nothing brings out the scammers faster than a natural disaster. When people are suffering, have lost their homes, been flooded or hit by a hurricane, criminals take advantage and try to take their share of donations. If you get an email requesting money to help people in need, don’t respond to the email. Find the website of the charity and make a donation directly through the website or follow the instructions listed on the website. Don’t click the link provided. Criminals do not care about taking money from the needy, hence the huge volume of social engineering scams after a natural disaster.

You have won a prize draw, lottery or other prize

Don’t let the thrill of potentially receiving a large sum of cash get the better of common sense. In order to win a prize draw, you first need to have entered. Don’t call the number supplied in the email and do not visit the link. You will need to supply bank information for a transfer (or your credit card details). There will only be one winner, and it will not be you.

Package or mail cannot be delivered

Courier companies do send emails informing you that you were out and they have not been able to deliver a parcel, but are you actually expecting one? Even if you have a birthday approaching or Christmas is just around the corner, do not respond to the email request directly. Use the tracking/consignment number to check, but check via the company website by entering the URL into your browser. The links contained in emails could take you to a phishing website, and the information you enter will be collected by criminals.

Upcoming Elections – Party donations required

Want to do your bit for the Democrats or Republicans? Does the Green Party urgently need your cash for their campaign? Want to show your support for Labor or the Conservatives? Good on you! Just make sure that your donation goes to the right place. For that, you must find the official website and follow the instructions provided. Never click on a link in an email. Social engineering scams are very common in the run up to elections.

Summary of Good Practices to Avoid Social Engineering Scams

These tips will reduce the likelihood of you falling for social engineering scams. You need to be security aware and always be cautious about revealing any information, opening attachments or clicking on links.

  • The first rule to avoid becoming a victim of a phishing campaign is never to click on an email link
  • The second rule to avoid becoming a victim of a phishing campaign is never to click on an email link
  • Stop and think before you respond to any email request
  • If you are not 100% sure of the genuineness of an email, mark it as junk or delete it
  • If you are at work, and think an email may be a scam, seek advice from your IT department
  • If you are asked to reveal login information or other sensitive data, report it. Do not respond
  • If you want to respond to a request for a donation, search on Google and find the official site. Get information on how to make a donation. Don’t trust the information provided in the email
  • Never open an email attachment unless you are 100% sure it is legitimate
  • If you have accidentally fallen for a scam (or think you may have) seek professional advice immediately, and change all of your passwords.

How to Deal with Insider Threats: A Common Sense Approach

Beware the threat from within: How to deal with insider threats

IT security professionals and C-suiters are well aware of the threat from hackers. Cyberattacks have been all over the news recently. Major security breaches have resulted in millions of files being stolen. Patient health records have been targeted with the cyberattack on Anthem Inc., the largest healthcare data breach ever recorded. That cyberattack, discovered in February this year, involved the theft of 78.8 million health insurance subscriber records.

Target was attacked last year and hackers managed to obtain the credit card details of an estimated 110 million customers. The finance industry was also hit hard in 2014, with 83 million J.P. Morgan Chase accounts compromised by hackers.

Cybersecurity defenses naturally need to be put in place, monitored, and bolstered to deal with the ever changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous, and often more so than hackers. Just ask the NSA. They know all too well how dangerous insiders can be. Edward Snowden managed to steal and release data that has caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to. The NSA had gone to great lengths to make sure that what occurred behind its walls stayed secret.

Malicious insiders are often individuals who have been given access to patient and customer records, as well as the intellectual property of corporations, company secrets, product development information and employee databases. They are therefore potentially able to steal everything. The harm that can be caused by malicious insiders is therefore considerable.

It is not just theft of data that is a problem. Insiders may use their access to computer systems to defraud their employers, destroy data, or install malware and ransomware. Unfortunately, tackling the threat from within is a much more difficult task than preventing external attacks.

Bear in mind that insiders are not necessarily employees. They can include business partners and associates, contractors and past employees.

Which insiders pose the biggest threat

Unfortunately, any employee can steal corporate secrets and data; but the potential for damage increases as privilege levels increase. In a hospital, a physician may only have access to his or her caseload of patients. It may be possible for that physician to access the records of other patients of the facility, but not without triggering alarms. Those alarms may not be klaxons, but a flag would be raised that would alert anyone checking access logs that there may be some inappropriate activity.

A member of the IT department may have the highest level of privileges, and could potentially access huge quantities of data. One member of the IT department may not have access to everything, but in theory – and sometimes in practice – they could elevate their privileges for long enough to gain access to the data they require.

Recent research conducted by the United States Computer Emergency Readiness Team (CERT) shows that half of insider security breaches are conducted by individuals who have access to data. These individuals already have the authority to access systems containing valuable data. If you do not deal with insider threats, it is only a matter of time before a security breach is suffered.

It can be difficult to identify insider threats. Some say “it’s always the quiet ones,” but in reality, there is no way of being 100% certain which employees will steal data or sabotage systems. There are many potential reasons why an individual may decide to steal or delete data. Employers must therefore be aware of the risk and take action to mitigate that risk as far as is possible.

CERT research is useful in this regard. Studies have shown that security breaches and data theft are most likely to occur in the time leading up to an employee leaving employment, and shortly after that employee has left – typically, a month either side of leaving a company.

As soon as an employee hands in his or her notice, place alerts on their accounts and conduct audits. If a worker is disgruntled or is unhappy at work, this could be a sign that they are looking for employment elsewhere and it would be wise to keep a close check on data access. It is a wise precaution to lower account privileges shortly before an employee leaves and to ensure that access is blocked as soon as they do. Many companies are a little lax when it comes to closing accounts and may not block access immediately.

Fortunately, risk can be managed. Adopt the following best practices to help you deal with insider threats and you will limit the opportunity for an insider to steal or delete data. You will also limit the damage that can be caused.

Best practices to deal with insider threats

  • Minimum necessary information – Only give access to data critical for an individual to perform regular work duties
  • Provide temporary access as appropriate – If tasks need to be conducted to perform atypical duties, temporarily escalate privileges to allow the task to be conducted and then lower those privileges when the task has been completed
  • Monitor access to resources – Implement a system that monitors and logs access to data and regularly audit access logs to check for inappropriate activity
  • Control access to physical resources – Restrict access to confidential files, stored backups, old computer equipment, and servers. Keep them under lock and key.
  • Separation of duties – Restrict access as far as is possible: Do not assign full access to one individual, only allow part of a system to be accessed by a single employee. Use Privileged Access Management (PAM). This will limit the damage that can be caused.
  • Implement policies and controls – Make sure these are communicated to all staff members.
  • Restrict file transfers – As far as is possible, put controls in place to prevent data from being copied or exfiltrated. Prevent certain file types from being emailed outside the company and block peer-to-peer file sharing websites
  • Encryption – Employ encryption for all stored data and control who is able to decrypt files. Always protect data at its source.
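One way to act on the departure-window advice and on the "Monitor access to resources" practice is an audit pass over access logs keyed to each leaver's last day. This is an added example, not from the original article; the log format, account names, dates and the "first access to a resource during the watch window" heuristic are assumptions, and all data is constructed.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

WATCH_DAYS = 30  # "a month either side of leaving a company"

# Constructed HR data: account -> last day of employment.
LAST_DAY = {"jsmith": date(2015, 6, 30), "mlee": date(2015, 5, 15)}

# Constructed access log in a hypothetical "timestamp user action resource" format.
SAMPLE_LOG = """\
2015-03-01T10:12:00 mlee READ /finance/q1.xlsx
2015-04-02T09:14:03 jsmith READ /projects/alpha/spec.docx
2015-05-10T14:05:37 mlee READ /finance/q1.xlsx
2015-05-20T02:13:26 mlee READ /finance/q1.xlsx
2015-05-20T10:01:44 jsmith READ /projects/alpha/spec.docx
2015-06-10T08:30:12 jsmith READ /projects/alpha/spec.docx
2015-06-11T23:47:51 jsmith READ /hr/salaries.xlsx
2015-06-12T11:20:00 akhan READ /sales/customers.csv
2015-06-12T23:52:09 jsmith COPY /sales/customers.csv
this line is malformed and is skipped
"""


def parse_line(line):
    """Return (timestamp, user, action, resource), or None for a line that does not parse."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3].strip()


def audit(log_text, last_day=LAST_DAY, watch_days=WATCH_DAYS):
    """Flag access after departure and first-time access during the run-up to leaving."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    baseline = defaultdict(set)  # resources each leaver used before the watch window
    flagged = set()              # avoid repeating the same (user, resource) finding
    findings = []
    for ts, user, action, resource in events:
        if user not in last_day:
            continue  # only accounts with a known leaving date are audited here
        leave = last_day[user]
        day = ts.date()
        if day > leave:
            # The account should already have been blocked.
            findings.append((user, "ACCESS_AFTER_DEPARTURE", resource, ts.isoformat()))
        elif day >= leave - timedelta(days=watch_days):
            # Inside the watch window: report resources never touched before it.
            if resource not in baseline[user] and (user, resource) not in flagged:
                flagged.add((user, resource))
                findings.append((user, "NEW_RESOURCE_IN_WATCH_WINDOW", resource, ts.isoformat()))
        else:
            baseline[user].add(resource)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A leaver with no history before the watch window has an empty baseline, so every resource they touch is reported; treat those accounts as needing manual review.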

Habits Developed by the Best System Administrators

Not all habits are bad. Sure, you should ease up on the alcohol, give up smoking, and stop biting your nails, but make sure you take some time to develop some good habits. Take a look at the best practices below, ensure you perform them regularly, and before long they will become second nature. You will then be able to legitimately rank yourself alongside the best system administrators. Even better, you should find you have far fewer bad days and even some when everything runs smoothly without a hitch.

Develop a ticket system and keep on top of requests

You are likely to receive more requests for assistance than you can deal with in a single day. If you are regularly flooded with requests, some will invariably be forgotten. Sometimes you will deal with an issue only for a user to complain that you have not. It is useful to be able to prove that you have dealt with a problem in a timely manner. A ticketing system will allow you to do this, as well as help you prioritize tasks and never forget a single reported system or computer issue.

Your system need not be expensive or complicated. If you work on your own in a small business, you can set up a very simple MS Access database to log all requests. Even a spreadsheet may suffice. A Word document would also work. The important thing is that all requests are logged.

If there is more than one system administrator employed in your company, you will probably need a more complex system. Helpdesk software is likely to be required if you are having to deal with hundreds of requests. Requests will need to be allocated to staff members, and follow-ups will be required. Making sure all queries have been answered and all reported problems resolved will be a nightmare without such a system in place.

Keep a log of your activity

If you ever have to justify what you have spent all your time doing, your ticketing system is your friend. You can show the volume of requests you have received/resolved on a daily basis, and use that information to show that your time has been well spent.

One clever way of reducing the requests you get is to log the requests and send the user (and his or her line manager) an email detailing the request received and the likely timescale for resolution. If a manager is involved, you may find the number of requests you are given will decrease. A formal request process and confirmation procedure is a wonderful way of cutting back on many of the requests for support that are usually sent to the desk of a Sys Admin.

Be proactive and avoid power/cooling issues

Overheating servers and power fluctuations cause many headaches and waste a lot of a Sys Admin’s time. It sounds obvious, and it is, but managing power and ensuring server rooms are effectively cooled are well worth the effort. Being proactive in this regard will save a great deal of time in the long run.

Power issues can be largely solved by installing an uninterruptible power supply (UPS) unit on each of your servers. When purchasing a UPS, make sure it has sufficient power to last for an hour and that it will shut down the server properly, not just give up when it runs out of juice. The latter is particularly important as it will ensure files are not corrupted and will mean fewer reboots are required.

Are your routers, switches and servers locked away in a closet without any cooling systems installed? If you work in a small organization, this may well be the case. If your equipment frequently overheats, consider investing in a small air conditioning unit. Does your server overheat frequently at the weekend, yet is fine in the week? Oftentimes, air con systems are shut down at the weekend when there is no one in the office. A separate unit will solve this problem; just make sure it vents into the ceiling.

Monitor your network and devices connected to it

It is vital to monitor your network and systems. This will allow you to take action before they crash and services are lost. Install a system to monitor everything, and then install a system to monitor your monitoring system. Get the system to send you alerts, and you can prevent a lot of problems from occurring and avoid time-consuming (and expensive) system outages.

If your Monday mornings are usually spent dealing with system crashes that have accumulated over the weekend, you can make the start of the week a lot easier if you put a monitoring system in place. Do you have a service level agreement in place with your ISP? If so, you may be able to add in a monitoring function on your switches and router as part of your service level agreement. This may not be possible though if you have a highly complex system or atypical network configuration. Fortunately, in most cases, monitoring systems are inexpensive, yet can save a lot of time, money, and hair loss from stress.

Cut back on time-consuming manual chores

Repeating the same tasks over and over again wastes an extraordinary amount of time, plus each time a task is performed there is the possibility of mistakes being made. Use the automation and scripting controls on servers and other devices, and updates and installations can be performed automatically.

If you use PowerShell, for instance, Windows Server 2012 support will be streamlined. It may take a little time to set up, but it will save you hours in the long run. If you cannot do this, create a detailed checklist containing all of the settings for different applications to reduce the possibility of errors being made.

Don’t let users waste your time

OK, this is much easier said than done, but there are ways to reduce the time spent dealing with user issues. For instance, create a website page that lists the correct contact numbers and persons responsible for dealing with particular IT problems. Remember that users are non-technical individuals, so the language used must also be non-technical. “Server problems” rather than “Windows NT problems” for example.

Instruct all users to visit the webpage before contacting you. You can then place updates on the webpage that may answer many of their questions. Also include a self-help section. (Have you tried turning your computer off and on again?)

Include sections for changing passwords and the common problems you are asked to deal with that can easily be resolved by following a simple set of instructions. You will find the volume of helpdesk calls will reduce considerably. Also create a login banner to advise of maintenance schedules etc., to avoid being bombarded with calls when a planned outage takes place.

Get involved in the business

It is your job to deal with technical aspects of the business, yet you will need to be aware of how the business operates. In order to get authorization for IT upgrades or new equipment, it helps if you can explain, concisely, why the purchases are necessary, the impact they will have on the business, and the consequences if purchases are not made. Work on your communication skills and learn how to communicate effectively with non-technical staff members. It requires practice, and a great deal of patience sometimes, but it will make your life easier in the long run.

Securing Data: What Data are Sensitive and Must be Better Protected?

Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for? Which data needs to be better protected?

There are federal laws that require physical, technical and administrative controls to be put in place to keep data secure. Fail to protect certain data types and there could be serious trouble, regardless of whether a hacker actually manages to compromise your network.

Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures to keep the information secure. Have you made sure that each of the following 9 data types has appropriate controls in place to prevent unauthorized individuals from gaining access?

Financial Data

The goal of many hackers and cyber criminals is to gain access to bank account information, and the logins and passwords used to access online accounts. Once they have this information they can use it to make transfers and empty accounts. Credit/debit card numbers are also sought in order to make online purchases and create fake cards. PIN numbers, if stored, along with answers to security questions must similarly be protected with robust controls.

Medical Data

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame. It is also used in spear phishing campaigns, and used with other data to commit fraud. Failure to secure these data is a violation of HIPAA Rules, and financial penalties are sure to follow. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.

Driver’s License Numbers

A valid driver’s license number can be used to create fake driving licenses. These are not only useful for people who are not legally allowed to drive, they can be used to obtain other forms of identification and commit identity theft and fraud.

Student Data

Student data is increasingly being sought by criminals in order to commit fraud and identity theft. Universities and schools are required to protect data under the Federal Educational Rights and Privacy Act (FERPA), which restricts the individuals who are allowed to access student records. Personal data, education information and test results must all be protected. Student Social Security numbers and dates of birth are highly sought after and often targeted by hackers.

Social Security Numbers

Social Security numbers (together with a limited amount of personal information) can be used to commit medical fraud, file false tax returns and steal identities. They are highly sought after by cyber criminals and often sold on darknet websites for big money. The SSNs of minors are particularly valuable, as they can be used for longer before fraud is identified. Social Security numbers are also covered by HIPAA rules and numerous other state and federal laws.

Health Insurance ID numbers

With health insurance information, criminals are able to file claims for medical services that were not provided and make fraudulent insurance claims. These data are highly sensitive and must be kept secure.

Intellectual Property Data

Your company’s secrets, product development information, computer codes, bespoke software, new product designs and blueprints are highly valuable to competitors. If your company has an edge, or is developing a new product or service, a competitor could use these data to develop similar products, and even bring a product to market first.

Human Resources Data

Human resources databases contain detailed information on employees such as salary information, bonuses, and confidential personal data. Criminals seek personal information of individuals in order to conduct convincing spear phishing campaigns. These data can also be used to blackmail or discriminate against individuals.

Communications Data

Emails can contain highly sensitive information. When hackers gain access to an email account, they can obtain personal information, company secrets, and even many of the above data types. If an email account is compromised, it can be used to spread viruses and malware. Telephone records and text messages are also valuable.

Data must be secured at rest and in motion

Controls must be put in place to secure all forms of these data, whether they are in Word documents, PDFs, JPEGs, spreadsheets, EHRs or other databases. Just as paper files must be shredded when they are no longer required, the same applies to electronic data. Records must be securely and permanently erased when no longer required. It must not be possible to reconstruct any of these data once deleted.

It is essential to protect stored data, especially if it is housed on portable devices such as zip drives, laptop computers, portable hard drives and smartphones. These devices are all too easily misplaced, lost or stolen. Data encryption should be considered to protect all stored sensitive data. Data must similarly be protected when in transit. Emails should be encrypted, as should SMS messages. A number of companies provide SMS and email encryption services to allow communications to be sent securely, with authentication controls to ensure only the desired recipient can view the messages.

Business Risk and Security Risk Should Be Discussed in the Same Context

You are faced with an insurmountable problem: Your job requires you to keep the business secure from external attacks, and you must take action to deal with the threat from malicious insiders. It is your responsibility, and your job may well be on the line if something goes wrong and data is stolen, or your network is infected with a virus or malware.

Unfortunately, you have not had a budget increase and cannot afford to purchase the software solutions necessary to protect your business from attack.

This is a problem faced by many IT professionals. Management understands there is a risk and knows the risk is considerable, yet they expect you to work your magic with your hands tied behind your back.

You are not a magician; so, if management wants to be properly protected, it is your job to convince the powers that be that you need a bigger budget. We know you have already tried this. What you therefore need to do is improve your communication skills. You need to find a way to convince the management that additional funding is absolutely essential. One of the best ways of doing this is to explain that security risk is actually business risk.

You are not alone – 50% of IT professionals work with inadequate security measures

IT department funding is almost always limited. It is not possible to purchase the highest quality equipment, the best possible security measures, and have enough staff members to perform all of the required work. So if you are stressed, are suffering a critical lack of funding, or are desperately understaffed – you are not alone.

The situation has recently been assessed by the Ponemon Institute. Its latest survey probed IT security professionals and asked them about the level of security in their organization. It would appear that when it comes to cybersecurity protections, the management and IT department heads are often not on the same page.

The survey was large. Over 5,000 IT professionals sent back responses to the survey and more than 2,500 of those respondents said their cybersecurity measures were inadequate. The problem for many was the fact that upper management simply did not understand just how important it was to improve network security. Sure, they understood there was a risk of attack, but they didn’t understand just how serious that risk was.

If a cyberattack occurs, it is their fault, right? Unfortunately, you may have explained risk until you became blue in the face, but how well did you communicate?

A survey conducted two years ago by Ponemon suggests that when it comes to communicating with management, IT security professionals often have problems. In fact, 64% of IT staff were discovered not to have effectively communicated the seriousness of the threats, or had only started to communicate them properly following a data breach. Nearly half of the IT professionals taking part in the 2013 survey said communication between the IT department and management was “poor, nonexistent or adversarial”.

IT budgets rarely reflect the seriousness of security risks

When budgets for IT security are calculated, they are rarely sufficient to allow all risks to be effectively neutralized. Spending is often misaligned with the needs of the business. According to the Ponemon study, only 11% of the average security budget is devoted to protecting the application layer. Interestingly, 37% of organizations believe that the application layer poses the biggest threat to data security.

Why is this the case? According to Larry Ponemon, founder and CEO of the Ponemon Institute, it is because management has not been provided with the right information. He says that few organizations have actually performed a full security audit and that security risks have therefore not been identified. As a result, management is not aware of the level of risk, and budgets are not set accordingly.

Any organization that fails to invest in IT security is likely to have to cover far higher costs in the long term. Take Target for example. The money spent on resolving its data breach is far higher than the cost of implementing solutions that would have prevented the attack from being possible in the first place. The company now has to cover the cost of data breach resolution, in addition to investing in better security. The cost of the Target data breach is expected to top $1 billion!

If security intelligence technologies are implemented, companies are much better equipped to detect intrusions and contain attacks when they do occur. According to the study, security breach resolution costs are, on average, $1.6 million lower when security intelligence technologies are implemented prior to a security breach occurring.

IT security should not be an afterthought. Proper investment will see more security breaches prevented and the cost of resolution significantly reduced. It is therefore essential to communicate the need for investment. The most effective way to get your voice heard is to provide facts and figures to back up your argument and to explain security risk in the context of the financial cost, operational problems that will be suffered, and the likely damage to the company’s reputation if a breach is suffered.

Security tools are not cheap. Understand the business drivers that generate the funds that will cover the cost of security software and become more effective at communicating credible risk. Give management the information it needs to understand why greater investment is needed. You are then likely to be given the funding you need to effectively manage security risk.