Access – Peace Sign Pics Could Give Hackers Your Fingerprints

Biometric Access – Fingerprints

Researchers at Japan’s National Institute of Informatics have claimed they can accurately copy fingerprints from digital photographs, raising fears that the access security of biometric authentication systems could be undermined.

Isao Echizen from the Institute told the Sankei Shimbun that his team was able to copy fingerprints from photos taken from as far as three metres away, as long as they were in focus and strongly lit, AFP reported.

“Just by casually making a peace sign in front of a camera, fingerprints can become widely available,” the researcher claimed.

He argued that anyone could do so—without the need for advanced technology.

Social media, especially in Asia, is filled with the images of individuals doing the two-fingered ‘peace’ sign, taken with the increasingly powerful digital cameras found on smartphones.

That could lead to fears over the security of fingerprint-based authentication systems, although it’s not clear how easy it would be to transfer a captured fingerprint into a form which could be used to authenticate.

Researchers famously ‘cracked’ Apple’s Touch ID system on the iPhone 5s and 6 models, but the method required a laser-printed image of the fingerprint and then a convoluted process of creating a mould with pink latex milk or white wood glue.

The skill, patience and time needed to do so would deter most criminals.

However, some commentators said the research still serves a valuable purpose in highlighting the problem with static biometric identifiers.

Robert Capps, VP of business development at biometrics firm NuData Security, argued that humans leave fingerprint data behind on everything they touch, adding that researchers have also been able to use photographs to trick iris scanners.

“Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user’s accounts and identity will persist for that person’s lifetime. As the most stringent of authentication verifications deploy physical biometrics, such as immigration and banking, physical biometric data will become very desirable to hackers,” he argued.

“We can expect more creative attempts by hackers to capture this information. The benefit of passive behavioural biometrics is that the information used to uniquely identify a user is passively collected and dynamically analyzed, and has an extremely limited shelf life of usefulness—making theft and successful reuse of raw behavioural signals nearly impossible.”

For consumers, another option would be to wait two years until the NII launches a new transparent film currently in development, which is designed to hide the wearer’s fingerprints.

Article Provided By: Info Security Magazine

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

How to Quantify the Risk of an Insider Threat

Insider Risk

Never before have there been so many platforms that let a growing number of people touch, manipulate, download, and share sensitive data.

But there’s a dark side to all that access: It exposes a company to malicious intent and theft of information worth thousands, sometimes millions, of dollars. More alarming is the fact that less than half (42 percent) of all organizations have the appropriate controls in place to prevent these attacks, according to the Insider Threat Spotlight Report.

How do you get a handle on this threat? Mitigation begins with assigning risk levels to employee roles. Who has access to sensitive information, intellectual property, trade secrets, customer lists, and any other proprietary data? That’s the foundation of your risk model. Many companies use a simple numerical scale of 1-10, with 10 as the highest risk. Others may prefer simpler categories like Low, Medium, and High or yellow, orange, and red alerts.

It turns out that nearly 80 percent of employee fraud takes place in accounting, operations, sales, senior management, customer service, and purchasing. But it’s critical to establish a risk profile for everyone in the company, no matter which department. Take into account employees’ current roles, levels of privilege, and required access to proprietary information. Senior IT people and C-suite executives obviously have more privilege and access than mid-level managers and clerical workers. And, of course, the more damage a role could do if it were abused or compromised, the greater the need to monitor that employee’s activities.

Prepare to update the risk profile of an individual. Organizations are dynamic, and employees regularly make lateral moves or get promoted. Someone who doesn’t touch sensitive information in one role may very well have access and new privileges in a different assignment.

Employees’ personal lives change constantly, too. A traumatic event, like a death in the family or divorce, psychological problems, or a shift in financial circumstances for the worse—any of these can cause behavioral changes in people. And they all may require re-evaluation of an individual’s level of risk.

Once you’re committed to the process, we recommend taking the following steps:

  1. Create an insider-risk team. While IT and its security team may oversee the monitoring of user activity, the process really requires support from the most senior ranks, as well as other departments. Your legal department can help decide how to monitor while complying with the law and act as a critical liaison between executives and the security group. Human resources can help support the need and processes for monitoring, as well as document employee cases—and put a “human” face on the operation.
  2. Designate risk levels. This, of course, is what I’ve been discussing in this post all along: using job titles to assign a scale of risk, depending on levels of privilege and access.
  3. Pinpoint inappropriate conduct. Just because you’ve assigned someone a high-risk level doesn’t necessarily mean that he’s committing an offense. Conversely, an employee’s inappropriate behavior can sometimes be misread as performance of normal job-related tasks. That’s why it’s critical to develop ways to identify truly improper conduct through changes in an individual’s communication and behavior. You can do that through software that is known as user-behavior analytics and, less technically, by means of procedures your employees can follow to report troublesome behavior.
  4. Set up a system of insider monitoring. When you’re establishing a system to keep an eye on employee activity and behavior, it helps to decide what level of monitoring goes along with the different risks they may pose to your organization. For example, someone in a low-risk category probably can’t interact with sensitive information and therefore needs little more than the less-technical sort of monitoring suggested above. Medium-risk employees do have access to proprietary data and, so, may require monitoring additionally with user-behavior analytics. So, too, with those high-risk individuals who should probably be subject to the most active monitoring and review.

Quantifying risk is just the start of mitigating insider threats. But if you develop the initial baseline—starting with job title and access to privileged information—you can get a better handle on which employees you will have to monitor during such critical periods as hiring, job title and personal changes, and the high-risk exit period.

Article Provided By: Info-Security Magazine

5 Emerging Data Security Technologies Set to Level The Battlefield

The war between data defenders and data thieves has been described as a cat-and-mouse game. As soon as the white hats counter one form of black-hat malicious behavior, another malevolent form rears its ugly head. How can the playing field be tilted in favor of the infosec warriors? Here are five emerging security technologies that may be able to do that.

1. Hardware authentication

The inadequacies of usernames and passwords are well known. Clearly, a more secure form of authentication is needed. One method is to bake authentication into a user’s hardware. Intel is moving in that direction with the Authenticate solution in its new, sixth-generation Core vPro processor. It can combine a variety of hardware-enhanced factors at the same time to validate a user’s identity.

Intel has built on previous efforts to dedicate a portion of the chipset to security functions, so that the device itself becomes part of the authentication process. Good authentication draws on three kinds of factor: what users know, such as a password; who they are, such as a fingerprint or other biometric; and what they have, such as a token. In the case of Authenticate, the device becomes the what-you-have.

“This isn’t new,” said Scott Crawford, research director for information security at 451 Research. “We’ve seen this in other manifestations, such as licensing technologies and tokens.”

Hardware authentication can be particularly important for the Internet of Things (IoT), where a network wants to ensure that the thing trying to gain access is something that should have access.

However, Crawford noted, “The most immediate application for the technology is for authenticating an endpoint in a traditional IT environment — laptops, desktops, and mobile devices using Intel chipsets.”

2. User-behavior analytics

Once someone’s username and password are compromised, whoever has them can waltz onto a network and engage in all kinds of malicious behavior. That behavior can trigger a red flag to system defenders if they’re employing user behavior analytics (UBA). The technology uses big data analytics to identify anomalous behavior by a user.

“There’s a lot of interest in this in the enterprise,” 451′s Crawford said.

“User activity is the number one concern of security professionals.”

He explained that the technology addresses a blind spot in enterprise security. “Once an attacker gains entry into an enterprise, what happens then?” he asked. “One of the first things they do is compromise credentials. So then the question becomes, Can you differentiate between a legitimate user’s activity and an attacker who has gained entry, compromised a legitimate user’s credentials and is now looking for other targets?”

Visibility into activity that does not fit the norm of the legitimate user can close a blind spot in the middle of the attack chain. “If you think of the attack chain as initial penetration, lateral movement, and then compromise, theft, and exfiltration of sensitive data, the middle links in that attack chain have not been very visible to enterprise security pros, and that’s why the interest in user behavior analytics today,” Crawford said.

Comparing a user’s present behavior to past behavior isn’t the only way UBA can identify a malicious actor. “There’s something called ‘peer analysis’,” explained Steven Grossman, vice president for program management at Bay Dynamics, a threat analytics company. “It compares how someone is behaving compared to people with the same manager or same department. That can be an indicator that the person is doing something they shouldn’t be doing or someone else has taken over their account.”

In addition, UBA can be a valuable tool for training employees in better security practices. “One of the biggest problems in a company is employees not following company policy,” Grossman said. “To be able to identify those people and mitigate that risk by training them properly is critical.”

“Users can be identified and automatically signed up for the training appropriate for the policies they were violating.”
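As an added illustration (not part of the original article or of any vendor’s product), here is a small Python model of the two UBA comparisons described above: a user against their own history, and a user against peers in the same department. The access events, department assignments and 30-day baselines are constructed sample data; the “distinct resources touched per day” feature and the thresholds are assumptions chosen for the example.

```python
"""Peer-group and self-baseline anomaly scoring over constructed access events.

Feature used: number of distinct resources a user touched today. Peer analysis
compares that to others in the same department with a robust z-score
(median and MAD instead of mean and standard deviation, so one outlier cannot
inflate the spread it is measured against). Self analysis compares it to the
user's own 30-day baseline. Added example; the data and thresholds are made up.
"""
from collections import defaultdict
from statistics import median


def _events(user, department, *resources):
    return [(user, department, r) for r in resources]


# Constructed sample: today's (user, department, resource) access events.
TODAY = (
    _events("alice", "finance", "ledger", "payroll")
    + _events("bob", "finance", "ledger", "payroll", "ar")
    + _events("carol", "finance", "ledger")
    + _events("dave", "finance", "ledger", "payroll", "ar", "hr_records",
              "source_repo", "customer_db", "vpn_config", "backup_share")
    + _events("erin", "eng", "source_repo", "ci")
    + _events("frank", "eng", "source_repo", "ci")
    + _events("grace", "eng", "source_repo", "ci")
    + _events("heidi", "eng", "source_repo", "ci", "wiki", "prod_db", "hr_records",
              "customer_db", "vpn_config", "backup_share", "ledger")
)

# Constructed per-user baseline: mean distinct resources per day over the past 30 days.
BASELINE = {"alice": 2.0, "bob": 3.0, "carol": 1.0, "dave": 2.0,
            "erin": 2.0, "frank": 2.0, "grace": 2.0, "heidi": 8.0}


def distinct_resources(events):
    """Return ({user: distinct resource count}, {user: department})."""
    per_user, dept = defaultdict(set), {}
    for user, department, resource in events:
        per_user[user].add(resource)
        dept[user] = department
    return {u: len(r) for u, r in per_user.items()}, dept


def robust_z(values):
    """Robust z-score of each value against the whole group (median / scaled MAD)."""
    vals = list(values.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    if mad > 0:
        scale = 1.4826 * mad  # MAD scaled to be comparable with a standard deviation
    else:
        # MAD is 0 when more than half the group is identical; fall back to the
        # mean absolute deviation so a lone outlier still gets a finite score.
        scale = sum(abs(v - med) for v in vals) / len(vals)
    if scale == 0:
        return {k: 0.0 for k in values}  # everyone identical: nothing deviates
    return {k: (v - med) / scale for k, v in values.items()}


def peer_anomalies(events, z_threshold=3.0, min_peers=3):
    """Users whose activity is far above their department's peers -> {user: z}."""
    counts, dept = distinct_resources(events)
    by_dept = defaultdict(dict)
    for user, n in counts.items():
        by_dept[dept[user]][user] = n
    flagged = {}
    for members in by_dept.values():
        if len(members) < min_peers:
            continue  # too few peers for the comparison to mean anything
        for user, z in robust_z(members).items():
            if z >= z_threshold:
                flagged[user] = round(z, 2)
    return flagged


def self_anomalies(events, baseline, ratio_threshold=3.0):
    """Users whose activity today is a multiple of their own history -> {user: ratio}."""
    counts, _ = distinct_resources(events)
    flagged = {}
    for user, n in counts.items():
        if user not in baseline:
            continue  # no history yet (new joiner): handle under a separate policy
        ratio = n / max(baseline[user], 1.0)
        if ratio >= ratio_threshold:
            flagged[user] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    print("peer outliers:", peer_anomalies(TODAY))
    print("self outliers:", self_anomalies(TODAY, BASELINE))
```

On this data dave is flagged by both comparisons, while heidi is flagged only against her peers: her own baseline is already high, so an account that has been over-provisioned or quietly compromised for weeks looks normal against its own history. That is the gap peer analysis closes. The MAD fallback matters in small teams, where most members doing identical work would otherwise collapse the spread to zero.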

3. Data loss prevention

Key to data loss prevention are technologies such as encryption and tokenization. They can protect data down to the field and subfield level, which benefits an enterprise in a number of ways:

  • Cyber-attackers cannot monetize data in the event of a successful breach.
  • Data can be securely moved and used across the extended enterprise — business processes and analytics can be performed on the data in its protected form, dramatically reducing exposure and risk.
  • The enterprise is greatly aided in complying with data privacy and security regulations covering payment card data (PCI DSS), personally identifiable information (PII) and protected health information (PHI).

“There’s been a lot of security spending over the last several years, and yet the number of records breached in 2015 went up considerably over the prior year,” noted 451′s Crawford. “That’s contributing to the surge in interest in encryption.”

However, as John Pescatore, director of Emerging Security Trends at the SANS Institute, points out, authentication plays an important role in data loss prevention.

“There can’t be strong encryption without key management, and there can’t be key management without strong authentication.”
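To make the field-level protection concrete, here is an added Python example (not from the original article or from any vendor named in it) of deterministic, keyed tokenization of one sensitive field, a card PAN, with a vault for detokenization. The records, the key and the role check are constructed for the example; a real deployment would hold the key in an HSM or KMS and the vault behind its own access control, which is exactly the key-management dependency Pescatore points to.

```python
"""Field-level tokenization of a card PAN, with analytics on the tokenized form.

Tokens are derived with HMAC-SHA256 under a key, so:
  * the same PAN always maps to the same token (joins and distinct counts still
    work on protected data), while a different key gives unrelated tokens;
  * the last four digits are preserved so tokens keep the PAN's shape;
  * without the key a token cannot be linked to its PAN, and without the vault
    it cannot be detokenized at all.
Added example with constructed data; the key below is a placeholder, not a
real deployment's key.
"""
import hashlib
import hmac
from collections import defaultdict

# Placeholder key for the example. In production this comes from an HSM/KMS
# and never appears in source: without key management there is no protection.
DEMO_KEY = b"constructed-demo-key-do-not-use"

SENSITIVE_FIELDS = {"pan"}

# Constructed records using well-known card *test* numbers, not real accounts.
CLEAR_RECORDS = [
    {"merchant": "M1", "pan": "4111111111111111", "amount": 20.00},
    {"merchant": "M1", "pan": "4111111111111111", "amount": 5.50},
    {"merchant": "M1", "pan": "5555555555554444", "amount": 99.00},
    {"merchant": "M2", "pan": "4012888888881881", "amount": 12.00},
]


class FieldTokenizer:
    def __init__(self, key: bytes, keep_last: int = 4):
        self._key = key
        self._keep_last = keep_last
        self._vault = {}  # token -> clear value; the only place the PAN lives

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("value does not look like a PAN")
        body_len = len(digits) - self._keep_last
        mac = hmac.new(self._key, digits.encode(), hashlib.sha256).digest()
        body = str(int.from_bytes(mac, "big") % 10 ** body_len).zfill(body_len)
        token = body + digits[-self._keep_last:]
        self._vault[token] = digits
        return token

    def detokenize(self, token: str, requester_roles: set) -> str:
        # Detokenization is the privileged path; gate it on an explicit role
        # (the role name is an assumption for the example).
        if "pci_cde_operator" not in requester_roles:
            raise PermissionError("detokenization requires the pci_cde_operator role")
        return self._vault[token]


def protect_record(tok: FieldTokenizer, record: dict) -> dict:
    """Tokenize only the sensitive fields; everything else passes through."""
    return {k: (tok.tokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def distinct_cards_per_merchant(records) -> dict:
    """An analytics query that gives the same answer on clear or tokenized data."""
    by_merchant = defaultdict(set)
    for r in records:
        by_merchant[r["merchant"]].add(r["pan"])
    return {m: len(cards) for m, cards in by_merchant.items()}


if __name__ == "__main__":
    tok = FieldTokenizer(DEMO_KEY)
    protected = [protect_record(tok, r) for r in CLEAR_RECORDS]
    print(protected[0]["pan"], "<- token, last four digits kept")
    print(distinct_cards_per_merchant(CLEAR_RECORDS) == distinct_cards_per_merchant(protected))
```

Two caveats follow from the design. Deterministic tokens are linkable by construction, which is what lets the analytics tier work on them, so a token is itself a stable identifier and the vault’s access control is the real security boundary. And because PANs are a small, structured space, anyone holding the HMAC key can rebuild the whole mapping by enumeration; the key and the vault therefore must not live on the same systems as the tokenized data. Calling `detokenize` without the privileged role raises `PermissionError`.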

4. Deep learning

Deep learning belongs to a family of related technologies that also goes by the names artificial intelligence and machine learning. “Regardless of what it’s called, there’s a great deal of interest in it for security purposes,” 451′s Crawford said.

Like user behavior analytics, deep learning focuses on anomalous behavior. “You want to understand where malicious behavior deviates from legitimate or acceptable behavior in terms of security,” Crawford explained.

“When you’re looking at activity on the enterprise network, there’s behavior that’s not user behavior but is still malicious. So even if it’s looking at behavior, it’s looking at a slightly different application of behavioral analytics.”

Instead of looking at users, the system looks at “entities,” explained Brad Medairy, a senior vice president with Booz Allen. “Exact business analytics and recent developments in machine-learning models mean we are now able to look at the various entities that exist across the enterprise at the micro to the macro levels. For example, a data center, as an entity, can behave a certain way, similar to a user.”

Use of machine learning can help stamp out the bane of advanced persistent threats, added Kris Lovejoy, president of Acuity Solutions, maker of an advanced malware detection platform. “With its ability to decipher between good and bad software, at line speed, machine-learning technologies will offer a significant boon to security practitioners who seek to decrease time to advanced threat detection and eradication,” she said.

Crawford said he expects investments in deep learning for security purposes to continue. He added, however, that “the challenge for enterprises is there are a lot of companies coming to market with similar approaches for the same problem. Differentiating distinctions from one vendor to another is going to be a major challenge for enterprises in the coming year and beyond.”

5. The cloud

“The cloud is going to have a transformative impact on the security technology industry generally,” Crawford said.

He explained that as more organizations use the cloud for what has traditionally been the domain of on-premises IT, more security approaches born in and for the cloud will appear, and on-premises techniques such as virtualized security hardware, virtualized firewalls, and virtualized intrusion detection and prevention systems will be transitioned to the cloud. But that will be an intermediate stage.

“If you think about what an infrastructure-as-a-service provider can do on a very large scale for all of its customers, there may not be the need to pull out all the defenses you need on-prem,” Crawford said. “The infrastructure-as-a-service provider will build that into their platform, which will relieve the need to do that for the individual cloud customer.”

SANS’ Pescatore added that government agencies and private industry have increased the security of their data centers by using IaaS services such as Amazon and Firehost. “The GSA FedRAMP program is a great example of ‘certified secure-enough’ cloud services that make it easier for the average enterprise to have above-average data center security,” he said.

These five should help the infosec warriors get the upper hand. Any we missed? Which technologies do you think will move the needle on information security? Weigh in via the comments below.

Article Provided By: TechBeacon

The Cyber Risk of Mixing Business with Pleasure

Cyber Risk – Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services

The ubiquitous use of social media has blurred the lines between business and personal lives. A lot has been written about the importance of keeping the two separate, with an emphasis on the potential risk to an individual’s reputation. A photo or casual comment meant for a friend can have a detrimental effect when viewed by a business associate or employer. But there’s another important reason why separating business from pleasure should be a concern – the potential for increased cyber risk to your business stemming from credential compromise to social media accounts.

Barely a week goes by without reports of a leaked database. At the same time, dumps of stolen credentials are regularly sold, traded and shared online across paste sites, file-sharing sites and online marketplaces. Credential compromise is not new, but how these credentials become available is often directly related to the lack of separation between business and pleasure.
The LinkedIn and MySpace databases were recently exposed by threat actors using the names “Peace of Mind” and “Tessa88”. Breaches of dating services like Ashley Madison and Adult Friend Finder also were the source for credentials. And although proportionally low, even gaming services have been responsible for leaked credentials. It may be surprising but many of the credentials used for these sites were corporate accounts. That’s right. Many employees reuse their corporate emails for other services and, when these services are breached, it also reveals their credentials.

Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.

Account takeovers

On May 23, 2016, OurMine Team reportedly compromised a number of social media profiles belonging to business personnel and celebrities, including Twitter, Tumblr and LinkedIn accounts. The group initially claimed to have used zero-day exploits, but later confirmed that access was obtained using information from the recently exposed LinkedIn dataset. More recently, the alleged Dropbox leak was also reported to stem from reuse of a password exposed in the LinkedIn breach. The likely explanation is that people have not changed their passwords since 2012 and have recycled the same password across multiple services.

Credential stuffing

Threat actors can automatically inject breached username and password pairs into login forms to gain fraudulent access to user accounts. This technique, known as credential stuffing, is a form of brute-force attack in which large sets of leaked credentials are tried against a website until one matches an existing account. The attacker can then hijack that account to drain funds, steal personally identifiable information or send spam. According to the Open Web Application Security Project (OWASP), credential stuffing is one of the most common techniques used to take over user accounts.

Extortion attempts

Hundreds of thousands of corporate email addresses were exposed in the July 2015 breach of the online dating site Ashley Madison, and extortion attempts followed against individuals identified in the compromised dataset. Victims received emails threatening to share the exposed information with their partner unless one Bitcoin was paid to a specified wallet. A number of automated post-breach extortion services also emerged, including one site that reportedly spammed users with bulk emails suggesting that their spouses or employers might find out their details had been exposed.
By understanding that corporate credentials are being reused for personal services, and how threat actors exploit those credentials, security teams can better prepare for and mitigate credential compromise. Here are a few tips.

Set policies

• Establish a policy for which external services may be associated with corporate email accounts.
• Understand and monitor the password policies and formats of approved external services, so you know the weakest link you are inheriting.

Monitor activity

• Proactively monitor for credential dumps that contain your organization’s accounts, and check whether each dump is new or a repost of a previously leaked set you have already dealt with.
• If you have user behavior analytics capabilities, import the compromised identities and look for suspicious activity on those accounts (for example, access to resources they have never touched before).

Educate employees

• Update security awareness training to cover the risks of password reuse.
• Encourage staff to use consumer password managers such as 1Password or LastPass for their personal account credentials as well.
The number of compromised credentials that are available online is staggering, providing a goldmine for attackers. In fact, Verizon’s 2016 Data Breach Investigations Report found that breached credentials were responsible for 63 percent of data breaches. As the lines between personal and professional become blurred, so too must the approach that organizations take to deal with cyber risk. Technical and process controls for the enterprise must extend to employees and how they engage in personal services.
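As an added example (not from the original article), the Python below implements two of the monitoring tips above against constructed data: triaging a credential dump for addresses on the corporate domain while separating newly exposed lines from ones already seen in an earlier dump, and running the credential-stuffing detection described earlier over sample authentication log lines, then cross-referencing the two. The dump contents, the log format, the corp.example domain, the addresses and the thresholds are all constructed for the example.

```python
"""Credential-dump triage plus credential-stuffing detection over auth logs.
Added example with constructed data: dump lines, log format, domain and
thresholds are assumptions for the demonstration, not real data."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAINS = {"corp.example"}

# Constructed dump in the usual email:password shape. Only a fingerprint of
# each line is kept afterwards; the plaintext column is never persisted.
DUMP = """\
alice@corp.example:Summer2016!
bob@gmail.example:hunter2
dave@corp.example:P@ssw0rd
DAVE@corp.example:P@ssw0rd
erin@corp.example:letmein
"""


def fingerprint(email, password):
    """Stable identifier for a dump line, so reposts of old leaks are recognised."""
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()


# Fingerprints retained from a dump handled earlier (constructed: alice's line).
SEEN_FINGERPRINTS = {fingerprint("alice@corp.example", "Summer2016!")}


def triage_dump(dump_text, corp_domains, seen_fingerprints):
    """Split corporate addresses in a dump into (newly exposed, already handled)."""
    new, known = set(), set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()  # DAVE@ and dave@ are one account
        if email.rpartition("@")[2] not in corp_domains:
            continue
        (known if fingerprint(email, password) in seen_fingerprints else new).add(email)
    return new, known


# Constructed auth log: a normal login, one source trying six accounts in six
# seconds (stuffing), a slow trio below the threshold, and one unparseable line.
AUTH_LOG = """\
2016-06-01T09:00:00Z ip=198.51.100.7 user=alice@corp.example result=OK
2016-06-01T10:00:01Z ip=203.0.113.5 user=alice@corp.example result=FAIL
2016-06-01T10:00:02Z ip=203.0.113.5 user=bob@corp.example result=FAIL
2016-06-01T10:00:03Z ip=203.0.113.5 user=carol@corp.example result=FAIL
2016-06-01T10:00:04Z ip=203.0.113.5 user=dave@corp.example result=OK
2016-06-01T10:00:05Z ip=203.0.113.5 user=erin@corp.example result=FAIL
2016-06-01T10:00:06Z ip=203.0.113.5 user=frank@corp.example result=FAIL
2016-06-01T11:15:00Z ip=198.51.100.9 user=grace@corp.example result=FAIL
2016-06-01T11:15:20Z ip=198.51.100.9 user=heidi@corp.example result=FAIL
2016-06-01T11:15:40Z ip=198.51.100.9 user=ivan@corp.example result=FAIL
this line is not an auth record and is skipped
"""
LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_auth_log(text):
    """Return [(timestamp, ip, user, result)] for lines matching the format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Source IPs that hit many distinct accounts, mostly failing, inside `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):  # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
        if best:
            flagged[ip] = best
    return flagged


def compromised_logins(events, exposed_accounts, suspect_ips):
    """Exposed accounts that logged in successfully from a stuffing source."""
    return sorted({u for _, ip, u, r in events
                   if r == "OK" and u in exposed_accounts and ip in suspect_ips})


if __name__ == "__main__":
    new, known = triage_dump(DUMP, CORP_DOMAINS, SEEN_FINGERPRINTS)
    events = parse_auth_log(AUTH_LOG)
    print(compromised_logins(events, new | known, set(stuffing_sources(events))))
```

The cross-reference is the actionable output: an exposed account that authenticated successfully from a source behaving like a stuffing tool is the one to force-reset and log out first, ahead of the bulk notification to everyone in the dump. The fingerprint store keeps the team from re-triaging the same leaked lines every time a dump is reposted, and the distinct-user count per source is what separates stuffing from one user mistyping a password.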
Article Provided By: SecurityWeek

Cost of data breaches increasing to average of $3.8 million

Data Breaches

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.

The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.

The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.

“Most of what’s occurring is through organized crime,” said Caleb Barlow, vice president of IBM Security. “These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them.”

IBM, which sells cyber-security services to companies, has a vested interest in highlighting the costs of data breaches.

The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.

The study’s authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.

The study found that healthcare was the sector most at risk of costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the $154 average across all sectors.

That reflects the relatively high value of a person’s medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Article Provided By: Reuters
