4 information security threats that will dominate 2017

Cybercriminals are becoming more sophisticated and collaborative with every coming year. To combat the threat in 2017, information security professionals must understand these four global security threats.

Security Threats

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

“2016 certainly lived up to expectations,” says Steve Durbin, managing director of the ISF. “We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don’t think anybody would have anticipated some of the stuff we’ve seen of late in terms of the Russians getting involved in the recent elections.”

The ISF says the top four global security threats businesses will face in 2017 are the following:

  1. Supercharged connectivity and the IoT will bring unmanaged risks.
  2. Crime syndicates will take quantum leap with crime-as-a-service.
  3. New regulations will bring compliance risks.
  4. Brand reputation and trust will be a target.

“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” Durbin says. “In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target’s weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events.”

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

“The thing for me with 2017 is I describe it as an ‘eyes-open stance’ we need to take,” Durbin says. “We’re talking about devices that never ever had security designed into them, devices that are out there gathering information. It’s relatively simple to hack into some of these things. We’ve seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they’re designed to link.”

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That’s not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

“Critical infrastructure is one of the key worry areas,” Durbin says. “We look at smart cities, industrial control systems — they’re all using embedded IoT devices. We have to make sure we are aware of the implications of that.”

“You’re never going to protect the whole environment, but we’re not going to get rid of embedded devices,” he adds. “They’re already out there. Let’s put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices.”

Crime syndicates take quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they’ve been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.

“I originally described them as entrepreneurial businesses, startups,” Durbin says. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocs with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

“They’re interested in anything that can be monetized,” Durbin says. “It doesn’t matter whether it’s intellectual property or personal details. If there is a market, they will go out and collect that information.”

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDP) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it’s coming from, what it’s being used for, where and how it’s being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

“The challenge in 2017 for organizations is going to be two-fold,” Durbin says. “First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDP, how do you ensure compliance with that?”

“The scope of it is just so vast,” he adds. “You need to completely rethink the way you collect and secure information. If you’re an organization that’s been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you’re protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I’ve spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you’re taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to.”

Brand reputation and trust are a target

In 2017, criminals won’t just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure has a bull’s eye painted on it. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

“With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization’s reputation than ever before,” Durbin says. “In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come.”

While most information security professionals will point to people as the weakest link in an organization’s security, that doesn’t have to be the case. People can be an organization’s strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop “stop and think” behavior and habits.

“2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain,” Durbin says. “They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior.”

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.

Article Provided By: CIO

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

5 Emerging Data Security Technologies Set to Level The Battlefield

data security technologiesThe war between data defenders and data thieves has been described as a cat-and-mouse game. As soon as the white hats counter one form of black-hat malicious behavior, another malevolent form rears its ugly head. How can the playing field be tilted in favor of the infosec warriors? Here are five emerging security technologies that may be able to do that.


 

1. Hardware authentication

The inadequacies of usernames and passwords are well known. Clearly, a more secure form of authentication is needed. One method is to bake authentication into a user’s hardware. Intel is moving in that direction with the Authenticate solution in its new, sixth-generation Core vPro processor. It can combine a variety of hardware-enhanced factors at the same time to validate a user’s identity.

Intel has built on previous efforts to dedicate a portion of the chipset for security functions to make a device part of the authentication process. Good authentication requires three things from users: what they know, such as a password; who they are, such as a username; and what they have, such as a token. In the case of Authenticate, the device becomes the what-you-have.

“This isn’t new,” said Scott Crawford, research director for information security at 451 Research. “We’ve seen this in other manifestations, such as licensing technologies and tokens.”

Hardware authentication can be particularly important for the Internet of Things (IoT)where a network wants to ensure that the thing trying to gain access to it is something that should have access to it.

However, Crawford noted, “The most immediate application for the technology is for authenticating an endpoint in a traditional IT environment — laptops, desktops, and mobile devices using Intel chipsets.”

2. User-behavior analytics

Once someone’s username and password are compromised, whoever has them can waltz onto a network and engage in all kinds of malicious behavior. That behavior can trigger a red flag to system defenders if they’re employing user behavior analytics (UBA). The technology uses big data analytics to identify anomalous behavior by a user.

“There’s a lot of interest in this in the enterprise,” 451′s Crawford said.

“User activity is the number one concern of security professionals.”

He explained that the technology addresses a blind spot in enterprise security. “Once an attacker gains entry into an enterprise, what happens then?” he asked. “One of the first things they do is compromise credentials. So then the question becomes, Can you differentiate between a legitimate user’s activity and an attacker who has gained entry, compromised a legitimate user’s credentials and is now looking for other targets?”

Visibility into activity that does not fit the norm of the legitimate user can close a blind spot in the middle of the attack chain. “If you think of the attack chain as initial penetration, lateral movement, and then compromise, theft, and exfiltration of sensitive data, the middle links in that attack chain have not been very visible to enterprise security pros, and that’s why the interest in user behavior analytics today,” Crawford said.

Comparing a user’s present behavior to past behavior isn’t the only way UBA can identify a malicious actor. “There’s something called ‘peer analysis’,” explained Steven Grossman, vice president for program management at Bay Dynamics, a threat analytics company. “It compares how someone is behaving compared to people with the same manager or same department. That can be an indicator that the person is doing something they shouldn’t be doing or someone else has taken over their account.”

In addition, UBA can be a valuable tool for training employees in better security practices. “One of the biggest problems in a company is employees not following company policy,” Grossman said. “To be able to identify those people and mitigate that risk by training them properly is critical.”

“Users can be identified and automatically signed up for the training appropriate for the policies they were violating.”

3. Data loss prevention

A key to data loss prevention is technologies such as encryption and tokenization. They can protect data down to field and subfield level, which can benefit an enterprise in a number of ways:

  • Cyber-attackers cannot monetize data in the event of a successful breach.
  • Data can be securely moved and used across the extended enterprise — business processes and analytics can be performed on the data in its protected form, dramatically reducing exposure and risk.
  • The enterprise can be greatly aided in compliance to data privacy and security regulations for protection of payment card information (PCI), personally identifiable information (PII) and protected health information (PHI).

“There’s been a lot of security spending over the last several years, and yet the number of records breached in 2015 went up considerably over the prior year,” noted 451′s Crawford. “That’s contributing to the surge in interest in encryption.”

However, as John Pescatore, director of Emerging Security Trends at the SANS Institute, points out, authentication plays an important role in data loss prevention.

“There can’t be strong encryption without key management, and there can’t be key management without strong authentication.”

4. Deep learning

Deep learning encompasses a number of technologies, such as artificial intelligence and machine learning. “Regardless of what it’s called, there a great deal of interest in it for security purposes,” 451′s Crawford said.

Like user behavior analytics, deep learning focuses on anomalous behavior. “You want to understand where malicious behavior deviates from legitimate or acceptable behavior in terms of security,” Crawford explained.

“When you’re looking at activity on the enterprise network, there’s behavior that’s not user behavior but is still malicious. So even if it’s looking at behavior, it’s looking at a slightly different application of behavioral analytics.”

Instead of looking at users, the system looks at “entities,” explained Brad Medairy, a senior vice president with Booz Allen. “Exact business analytics and recent developments in machine-learning models mean we are now able to look at the various entities that exist across the enterprise at the micro to the macro levels. For example, a data center, as an entity, can behave a certain way, similar to a user.”

Use of machine learning can help stamp out the bane of advanced persistent threats, added Kris Lovejoy, president of Acuity Solutions, maker of an advanced malware detection platform. “With its ability to decipher between good and bad software, at line speed, machine-learning technologies will offer a significant boon to security practitioners who seek to decrease time to advanced threat detection and eradication,” she said.

Crawford said he expects investments in deep learning for security purposes to continue. He added, however, that “the challenge for enterprises is there are a lot of companies coming to market with similar approaches for the same problem. Differentiating distinctions from one vendor to another is going to be a major challenge for enterprises in the coming year and beyond.”

5. The cloud

“The cloud is going to have a transformative impact on the security technology industry generally,” Crawford said.

He explained that as more organizations use the cloud for what has traditionally been the domain of on-premises IT, more approaches to security that are born in and for the cloud will appear. On-premises techniques will be transitioned to the cloud. Things such as virtualized security hardware, virtualized firewalls, and virtualized intrusion detection and prevention systems. But that will be an intermediate stage.

“If you think about what an infrastructure-as-a-service provider can do on a very large scale for all of its customers, there may not be the need to pull out all the defenses you need on-prem,” Crawford said. “The infrastructure-as-a-service provider will build that into their platform, which will relieve the need to do that for the individual cloud customer.”

SANS’ Pescatore added that government agencies and private industry have increased the security of their data centers by using IaaS services such as Amazon and Firehost. “The GSA FedRAMP program is a great example of ‘certified secure-enough’ cloud services that make it easier for the average enterprise to have above-average data center security,” he said.

These five should help out the infosec warriors get the upperhand. Any we missed? Which technologies do you suggest will move the needle on information security? Weigh in via the comments below.

Article Provided By: TechBeacon

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

 

The Cyber Risk of Mixing Business with Pleasure

Cyber Risk – Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services

Cyber RiskThe ubiquitous use of social media has blurred the lines between business and personal lives. A lot has been written about the importance of keeping the two separate, with an emphasis on the potential risk to an individual’s reputation. A photo or casual comment meant for a friend can have a detrimental effect when viewed by a business associate or employer. But there’s another important reason why separating business from pleasure should be a concern – the potential for increased cyber risk to your business stemming from credential compromise to social media accounts.

Barely a week goes by without reports of a leaked database. At the same time, dumps of stolen credentials are regularly sold, traded and shared online across paste sites, file-sharing sites and online marketplaces. Credential compromise is not new, but how these credentials become available is often directly related to the lack of separation between business and pleasure.
The LinkedIn and MySpace databases were recently exposed by threat actors using the names “Peace of Mind” and “Tessa88”. Breaches of dating services like Ashley Madison and Adult Friend Finder also were the source for credentials. And although proportionally low, even gaming services have been responsible for leaked credentials. It may be surprising but many of the credentials used for these sites were corporate accounts. That’s right. Many employees reuse their corporate emails for other services and, when these services are breached, it also reveals their credentials.

Cyber Risk

Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.
Account takeovers
On May 23, 2016, OurMine Team reportedly compromised a number of social media profiles for various business personnel and celebrities. The accounts that were affected included Twitter, Tumblr and LinkedIn profiles. The group initially claimed the use of zero-day exploits to compromise accounts, but later confirmed access was secured through the use of information from the recently exposed dataset from LinkedIn. More recently, it was reported that the alleged Dropbox leak also occurred from password reuse of the LinkedIn breach. The likelihood is that people have neglected to change their passwords since 2012, and proceeded to recycle the same password for multiple services.
Credential stuffing
Threat actors can automatically inject breached username and password pairs in order to fraudulently gain access to user accounts. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inputted into websites until a match with an existing account is found. An attacker can then hijack that account for a variety of purposes, such as draining stolen accounts of funds, the theft of personally identifiable information, or to send spam. According to the Open Web Application Security Project (OWASP), credential stuffing is one of the most common techniques used to take-over user accounts.

Extortion attempts
Hundreds of thousands of corporate email addresses were leaked as part of the Ashley Madison breach. Following the breach of online dating site Ashley Madison in July 2015, extortion attempts were directed against specific individuals identified within the compromised dataset. Users received extortion emails threatening to share the exposed information with the victim’s partner, unless one Bitcoin was paid into a specified Bitcoin wallet. A number of automated post-breach extortion services also emerged including one site that reportedly spammed users with unsolicited bulk emails that suggested their spouses or employers may find out their details were exposed.
By better understanding that corporate credentials are being reused for personal services and how threat actors may exploit credentials, security teams can better prepare for and mitigate instances of credential compromise. Here are a few tips.
Set policies

• Establish a policy for which external services are allowed to be associated to corporate email accounts.
• Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.
Monitor activity

• Proactively monitor for credential dumps relevant to your organization’s accounts and evaluate these dumps to determine if the dumps are new or have been previously leaked, in which case you may have already addressed the matter.
 • If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g., accessing resources that have not been accessed in the past.)
Educate employees

• Update security awareness training to include the risks associated with password reuse.
• Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.
The number of compromised credentials that are available online is staggering, providing a goldmine for attackers. In fact, Verizon’s 2016 Data Breach Investigations Report found that breached credentials were responsible for 63 percent of data breaches. As the lines between personal and professional become blurred, so too must the approach that organizations take to deal with cyber risk. Technical and process controls for the enterprise must extend to employees and how they engage in personal services.
Article Provided By: SecurityWeek

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

Cost of data breaches increasing to average of $3.8 million

data breaches

Data Breaches

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.

The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.

The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.

“Most of what’s occurring is through organized crime,” said Caleb Barlow, vice president of IBM Security. “These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot people who are trying to defend against them.”

IBM, which sells cyber-security services to companies, has a vested interest in highlighting the costs of data breaches.

The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.

The study’s authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.

The study found that the healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.

That reflects the relatively high value of a person’s medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Article Provided By: Reuters

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

Don’t Become a Cybersecurity Big Data Pack Rat

Enterprise Security Teams Must Think More About How to Reduce Big Data Into Real-time Answers

Security teams are always looking for new and efficient ways to find threats, and the emerging field of security analytics is proving to be one of the most promising areas of innovation. Security analytics encompasses a wide range of analytical techniques which can be performed on an equally diverse set of data sources, such as network traffic, host-based indicators, or virtually any type of event log.

In many ways this description sounds like a version of big data analytics – the analysis of very large data sets to find unexpected correlations. However, while big data is obviously a powerful tool, it is not a silver bullet for every problem. When it comes to finding active attacks, too much data can actually overwhelm staff to the point that threats get lost in the noise. Without a clear notion of how to use the data, a big-data security analytics project can turn IT teams into the cybersecurity version of pack rat, with data piled up to the point that it becomes unusable and paralyzes the organization.

A few lessons from the past and present

We don’t have to look back very far for a lesson on how more data doesn’t always mean more value. Since the 1990s SIEM and log management vendors posited that a central collection point for all enterprise logs could be used to answer virtually any enterprise question. And while SIEMs obviously have proven essential to many organizations, they have fallen well short of becoming the all-knowing oracle of IT. Organizations have learned the hard way that mountains of data don’t magically turn into insight.

Human expertise is typically at the heart of a successful SIEM project. Specialists are required in order to understand the different types of data and to build highly complex rules to interpret the data. Human analysts are typically required to ask the SIEM the right set of questions. This often leads to highly bespoke operations that can be very brittle and hard to change, and heavily dependent on human care and feeding. In short, simply collecting the data is the easy part. Making use of that mountain of data can be far more challenging.

Security teams actually need data reduction

Big DataThe big data approach to security analytics is poised to replicate many of the same things that plagued SIEMs for years, albeit with much more data, and by extension, much more complexity. To avoid the pitfalls of the previous generation, we need to avoid the magical thinking that says, “if we just collect enough data, the answer will reveal itself.” The burden of this thinking almost invariably falls on the shoulders of human analysts, who must sift through the many alerts and anomalies in search of the point that matters.

The fundamental issue is that the more data we collect, there is parallel requirement for automated data reduction. By data reduction I mean the ability to quickly reduce the many figurative haystacks down to the few points that matter. Today, we are creating a situation where the generation of haystacks is automated, but the process of finding the needles remains manual. Staff can spend all of their time investigating events that are “unusual”, but may not be an actual threat. This can lead to the pack rat scenario where everything is kept in the hope it will be useful, but actually makes normal operation impossible.

As a result, security analytics projects need to be evaluated in terms of how does the data get turned into intelligence. How is analysis automated? When an issue is detected, how conclusive is it? How much additional investigation and verification is required by staff, and how much time does it take? Once again, collecting the data is relatively easy – the value of security analytics solutions will rest in how well they reduce that data into answers.

Of course, keeping a repository of all data is not a bad thing in itself. In fact, it can prove to be very valuable when used in a forensic context. In such a case, the security teams have a very good sense that something has gone wrong, and a complete data set can allow them to go spelunking for answers. However, this is a very different use case than proactively finding and stopping an active attack in progress. Both approaches have their place. But frankly, the industry is not lacking in forensic tools that can verify and analyze a known attack. The piece that most organizations are missing is the ability to reveal the attacks that they don’t already know about. This requires us to think more about how we reduce big data into real-time answers.

Article Provided By: Security Week

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

 

So you’re caught in a data breach. Now what?

data breach

Reacting to a data breach can feel like you’re shuffling deck chairs on the Titanic or slamming the barn door after the horses have bolted. But there are some concrete steps you can take to minimize the harm from breaches and make yourself safer in case it happens again.

Last week, we found out when a hacker started selling a massive database of LinkedIn customer information that a 2012 data breach affected 167 million accounts, 161 million more accounts than originally reported. Other major breaches include those of Target in 2013JPMorgan Chase in 2014, and the U.S. government’sOffice of Personnel Management in 2015.

Many of the steps you can take after learning that your data has been involved in a breach might feel ineffective, says Paul Stephens of the Privacy Rights Clearinghouse, a consumer advocacy organization. But consumers are not as powerless as they might feel, he adds.

“Consumers need to get in the mindset that you assume that you’ve been breached and [are] proactive to begin with,” he says. “If you go with that premise, then I think a lot of the breach fatigue will be eliminated.”

Think of having your personal information stolen in a data breach like getting sick. You don’t (or at least shouldn’t) just roll over and moan until it goes away: To prevent it from getting worse as your body recovers, you take some medication or homeopathic remedies. If you find that your data is part of a breach, you can do certain things to recover faster and make it harder for hackers to harm you after future breaches.

A Data Breach, also known as security breaches, take on various forms. Someone could have stolen your credit card information from a point-of-sale terminal through a scheme known as skimming. Someone could have stolen information about you from a computer, phone, or hard drive. Or, more commonly, someone could have hacked into a massive customer database containing information about you.

Responding to  a data breach is complicated, in no small part because of the patchwork of state and federal laws governing how companies that have been breached are required to notify you. In the United States, 47 states require varying degrees of notification. You may not immediately or even directly learn that your data has been involved in a breach. You might receive a notification via email or a physical letter, or read or listen to a news report about it.

“Often, consumers aren’t given accurate information by the entity that was breached,” Stephens says. “Checking your credit report is not going to do a thing if the only thing that was in the breach was your credit card number.”

Taking the correct action for the kind of breach you’re involved in, and making sure that your accounts are as secure as possible before another breach occurs, can go a long way. Here are five things to do, if you hear that your information has been involved in a data breach.

DETERMINE WHETHER IT’S LEGIT

Make sure that the breach actually happened, and that you’re not falling prey to a phishing attack or other scam to get you to hand over your vital data. Contact the organization, which can include looking for a message about the breach on its website, looking up its phone number (not the one in the email sent to you) and calling it directly, or keeping an eye out for media reports of the breach.

Do not respond to the email, call the phone number included in the email, or click any links in the email, as the email could be an attempt to steal your personal information known as phishing. If you’re concerned about the veracity of the breach notification, we’ve compiled some tips to avoid phishing scams and phone call scams.

FIGURE OUT WHAT WAS STOLEN

The actions you take depend on the information stolen. Was it a credit or debit card number? A username or password? Or was it something more closely related to your identity, such as your date of birth, Social Security number, driver’s license number, or passport number? Your next actions depend on what’s been pilfered.

UPDATE YOUR AUTHENTICATION METHOD

Don’t let accounts with potentially compromised passwords linger. Compromised accounts can lead to more fraudulent activity in your name, and they can be used to send even more phishing spam. Wherever possible, choose new passwords at least 16 characters in length that include uppercase and lowercase letters, as well as numbers, symbols, and spaces. Do not reuse passwords.

Also, wherever possible, take advantage of two-factor authentication, which provides an extra layer of security to your accounts. So even if someone steals your password, he or she can’t access your account. Here’s our regularly updated guide to two-factor authentication.

And when answering identity verification questions such as, “What is your mother’s maiden name?” or “What was your first car?” you should lie. Make the lie easy for you to remember and hard for others to guess—the answer to the question about your mother’s maiden name could be something like, “Donald Trump is scary.”

REPLACE YOUR CARD(S), AND MONITOR YOUR CREDIT

If the breach involves your bank or credit card information, contact the financial institution immediately. It will guide you through fraud protection, a process that most likely will place a hold on your account until it can issue you a new card or account number.

Ask the institution to watch for fraudulent activity on your account, and ask a major credit-reporting agency (Equifax, Experian, or Trans Union) to monitor your account for fraud. If you’ve been offered free credit monitoring as part of a breach notification, take advantage of it.

CONTACT THE GOVERNMENT

If the stolen data includes government-issued identification, such as your Social Security number, or identity numbers that can’t be changed, such as your birth date, get in touch with the authorities. The U.S. government has a site dedicated to helping people who need to change their government-issued identification numbers at IdentityTheft.gov.

There are pre-emptive steps you can take too. For example, the IRS offers residents of some states a unique identification number to cut down on tax return fraud.

REGISTER FOR FUTURE DATA BREACH NOTIFICATION

Security expert Troy Hunt runs a free subscription site called Have I Been Pwned, which will notify you by email if your information has been stolen as part of a data breach.

If your email has been part of a breach, and you’re using the same password as before the breach, it’s likely been compromised and you need to change it immediately.

Although it can be easy to slip into “breach fatigue,” it’s not enough for consumers to presume they’ve been breached. “Why wait for the breach to happen?” asks Stephens, who encourages consumers to take action “before it occurs.”

Article Provided By: The Paralla

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

 

Why is everyone covering up their laptop cameras?

Stickers and slides serve to ease concerns that spooks could be watching our every move, as even the FBI director says he puts tape on his cameras

cameras

For the past half decade, the technology industry has been racing to build better cameras into the hardware we use every day.

Yet the surveillance age has inspired an odd cottage industry battling against this trend: a glut of cheap stickers and branded plastic slides designed to cover up the front-facing cameras on phones, laptops, and even televisions.

For years, security researchers have shown that hackers can hijack the cameras to spy on whoever is on the other end. To put that in perspective, think of all the things your devices have seen you do.

Such warnings have finally caught on. Last month, the FBI director, James Comey, told an audience: “I put a piece of tape over the camera because I saw somebody smarter than I am, had a piece of tape over their camera.”

The corporate swag company Idea Stage Promotions describes its Webcam Cover 1.0 as “the HOTTEST PROMOTIONAL ITEM on the market today”. The cable channel USA Networks sent journalists a “Mr. Robot” webcam cover for the popular hacker thriller’s upcoming season.

Covering cameras isn’t new for those who know that the internet is always watching. Eva Galperin, a policy analyst for the Electronic Frontier Foundation, says that since she bought her first laptop with a built-in camera on the screen, a MacBook Pro, in 2007, she’s been covering them up.

EFF started printing its own webcam stickers in 2013, as well as selling and handing out camera stickers that read: “These removable stickers are an unhackable anti-surveillance technology.”

“People purchase these regularly,” a spokesman said.

The fear over web cameras has penetrated deep into popular culture. The trailer for Oliver Stone’s forthcoming biopic Snowden, on the US spy contractor, features a clip of actor Joseph Gordon-Levitt, who plays the title character, looking nervously at his laptop camera during an intimate moment with his girlfriend.

So are we all being paranoid? Well, it’s not science fiction. Researchers in 2013showed how they could activate a Macbook’s camera without triggering the green “this-thing-is-on” light. One couple claimed a hacker posted a video of them having sex after hacking their smart TV. And federal court records shows that the FBI does know how to use laptop cameras to spy on users as well.

So, naturally, where there’s fear, there is money to be made.

The DC-based CamPatch describes itself as “the Mercedes Bens [sic] of putting tape over your webcam”. Its founders started the company in 2013 after hearing a briefing from Pentagon cybersecurity experts on how webcams were a new “attack vector”, said Krystie Caraballo, CamPatch’s general manager.

Caraballo wouldn’t disclose financials other than to say the company has had “six-figure revenues for the last several years” and that it has distributed more than 250,000 patches. The company advertises bulk pricing “as low as $2.79”.

Yet not everyone is on the camera-covering bandwagon. Brian Pascal, a privacy expert who has worked for Stanford and Palantir Technologies says a cost-benefit analysis led him to conclude he’d rather have a usable camera, which he can use to record his son. But he acknowledged such stickers are a way for people signal that they too worry about Big Brother.

“Security actions without threat modelling are just performative,” said Pascal.

Others just haven’t gotten around to it yet.

“Because I’m an idiot,” replied Matthew Green, an encryption expert at Johns Hopkins University when asked why he doesn’t cover his cameras. “I have no excuse for not taking this seriously … but at the end of the day, I figure that seeing me naked would be punishment enough.”

Of course, webcam paranoia is likely to be only the first of many awakenings as consumers bring more devices into their lives that can be turned into unwitting spies. Amazon.com has had enormous success with its Echo smart speaker that, by default, is always listening for its owners’ commands. Google plans to release a similar product this year called Google Home.

In a hearing on Capitol Hill in February, the US director of national intelligence,James Clapper, acknowledged how the so-called “internet of things” could be used “for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials”.

Article Provided By: theguardian

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

Cybersecurity Needs a Moonshot!

cybersecurity

“We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.”

~ President John F. Kennedy, September 12, 1962

Coming out of the 2016 RSA Conference, it is clear we have hit a watershed moment in the history of the IT industry. After several years of hundreds of billions of dollars invested across a range of security technologies, it is self-evident that cyber presents a huge paradox to organizations of all types. The growth of cloud, mobile, and agile computing capabilities has delivered a golden renaissance of innovation.

• The iPhone is the digital equivalent of Hitchhikers Guide to the Galaxy

• Amazon Web Services is eating the infrastructure world like a black hole

• Today is a software company, embracing agile development to support business initiatives

In the cybersecurity space, though, we have nearly conceded defeat. People are going around saying: “assume not that you will not be hacked, but that you will be hacked.” How uplifting!

Cybersecurity – It is time for things to change.

Forty-three years ago, when President Kennedy called for a man on the moon, many were skeptical. Today, people are equally skeptical about our ability to re-establish control of our own computing systems.

What happens if this was the time when things changed? What happens if we committed to leveling the playing field between attackers and defenders? What happens if we take a clean piece of paper to how we think about restoring trust to our computing—where cybersecurity enables innovation rather than stifles it?

What happens if we acknowledge that no one vendor has the entire solution?

The vendor part of the cybersecurity industry—yes, I am calling myself out—has failed its customers. Einstein allegedly defined insanity as “doing the same thing over and over again and expecting different results.”

Companies claim to innovate, but all they do is present different versions of old models. A firewall that runs on a software platform is still a firewall. If your cybersecurity is tied to infrastructure, you are leashed to a world where you have to own the infrastructure—sorry AWS, Azure—and more onerously, need to upgrade the infrastructure to upgrade your security.

I would never claim that my company has the answer for cybersecurity. But we represent a movement that unshackles security from the past to make it responsive to the dynamic, distributed, heterogeneous, and hybrid world into which we are moving.

Here are my 7 points to a cybersecurity moonshot program:

1. Turn everything inside out.  We take back our computing from the inside out, from the applications out and not the infrastructure in.  In the cyber world, the perimeter attacker only has to be right once and the defender has to slip once. Why not shift the logic so the attacker only has to make one mistake and the defender will catch it?

2. Trust nothing. Start with the premise that everything is untrusted and establish trusted relationships between users and applications in a granular and controlled way. This is the heart of a whitelist model.

3. Build tighter and tighter segmentation around smaller and smaller attack surfaces.The biggest challenge to granular segmentation has been complex and fragile networks, firewall rules, and outdated application-entitlement strategies. The smaller the surface, the less damage. The tighter the segmentation, the fewer false positives.

4. Make security part of the application life cycle. Today security is most frequently added after applications are built.  What happens if developers are equal participants in cybersecurity? Eliminate the false boundaries among application, infrastructure, and security teams. From a security perspective, all three groups must work hand in glove.

5. Decouple and automate. Infrastructure security has enormous benefits in most cybersecurity approaches but it comes with two distinct disadvantages: what happens when you don’t own the infrastructure (e.g., AWS), and what happens when you do not want to upgrade your infrastructure to keep up with your security needs. Moreover, security that requires detailed oversight and management of every command by human middleware is bound to fail. Computers (and a lot of math) were instrumental to the moonshot program. Algorithms and machine learning will play a role in our cyber future.

6. Manage both sides of the equation: applications and clients. Today people see end-point and infrastructure security as two separate issues. Through Adaptive User Segmentation, it is possible to fuse these two areas and make data center computing more secure.  Do not create gaps in protection.

7. Make security part of the business, not just IT. A lot of pundits talk about Board of Director oversight of IT security. Having been a board member several times in my career, I agree it is a key area of risk that boards must monitor. But long before Board oversight of cyber needs to occur, management teams must make it a priority.  Where is it baked into the reward system of an executive team? Which of the CEO’s direct reports owns cyber end-to-end for a business?

Regaining control of the cyber landscape will not be easy. There is no magic bullet. But a steady plan that both builds on the best practices of today and anticipates and takes action for the world we are moving into presents the last best hope for creating trust again in IT.

Article Provided By: Security Week

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

Hackers Are Tapping Into Mobile Networks’ Backbone, New Research Shows

Hackers

Hackers

Hackers have been known to use all manner of remote access tools to break into mobile phones, often by finding vulnerabilities in an operating system like Android or even in SIM cards. It’s more rare to try and tap into the network infrastructure that routes these calls for mobile operators themselves. Yet new research shows that one nefarious kind of network surveillance is happening too, across the world.

A survey of a handful of large mobile operators on each continent showed that hackers have been exploiting a key signalling protocol for routing cellular calls known as SS7, to track the location of certain mobile users and in some cases, listen in on calls.

Across a range of operators, 0.08% of SS7 packets being sent across a network in Africa were deemed suspicious. In Asia the rate was 0.04% and in the Americas it was 0.025%, according to research by Dublin based research firm Adaptive Mobile.

While these are low percentages they relate to the millions of SS7 packets being sent every day.

“That can add up to tens of thousands a day which can mean someone being tracked or some fraud transactions,” says Cathal Mc Daid, head of Adaptive Mobile’s cyber security unit. “These are low-volume, high-impact events.”

Location tracking is the most popular reason for exploiting the SS7 protocol, says Mc Daid. His team recorded 1,140 separate SS7 requests to track 23 unique subscribers over a two-day period, with some subscribers tracked many hundreds of times.

There are a handful of known players in the market for selling SS7 vulnerabilities.

One three-person startup called CleverSig was recently selling access to their “remote SS7 control system” for $14,000 to $16,000 a month. Their price was divulged when emails from the Italian information surveillance company Hacking Team were posted on the web.

Other network surveillance companies with names Circles (based in Bulgaria, according to Adaptive Mobile) and the Rayzone group, also operate within the grey area of selling access to their SS7 exploitation platforms to governments and other surveillance companies like Hacking Team.

The going rate for looking up someone’s physical location through the SS7 network, as advertised on the dark web, was about $150 about two years ago, according to Mc Daid. He expects that price hasn’t changed much since. “A lot of those offers have gone underground.” That is partly due to relatively recent press on SS7.

In late 2014 security researchers were reported by the Washington Post to have initially discovered the security flaws that could let hackers, governments and criminals intercept calls through the global SS7 network. Adaptive Mobile conducted its research through 2015 to show that the exploit wasn’t just theoretical but actually being carried out by hackers.

“The news is yes, we are seeing exploits in every operator in every part of the world,” says Mc Daid – though it should be stressed that his team partnered with just one operator per continent to get a representative sample.

Africa and the Middle East seemed to have to highest rates of exploitation, Mc Daid says, adding that he couldn’t name the operators who took part in the research due to agreements with the carriers. Mobile operators have been “surprised this is actually occurring within their networks,” he adds.

“It’s very serious,” says Mc Daid. “The SS7 networks is the cornerstone of how carrier operators work and tens of billions of dollars have been invested in network architecture around the world. It’s not going to be replaced overnight.”

Article Provided By: Forbes

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com