
Category: online security

There are 10 posts published under online security.

Why Business Continuity Planning Is Critical For Your Business

Disaster often strikes without warning. On August 2, 2013, a hardware failure at a Utah-based data center left more than 5 million websites around the world affected by a server outage. Endurance International Group, the company that operated the data center, was a partner to a number of leading web hosting companies such as Blue Host, HostGator and HostMonster. So was data lost? No. All the leading web hosting companies store their client data in multiple data centers around the world, so that a failure in one, or even in several at the same time, still keeps customer data safe.

Business Continuity Planning is a critical process for every organization to ensure that their loss in business is kept at a minimum due to server outages or any other form of disasters. According to an article on the ExpertIP blog, a study found that 43% of companies who faced a “major loss” of computer records were immediately put out of business while another 51% shut doors within two years of a major disaster striking.

Given the potential consequences, businesses need to take business continuity and disaster recovery seriously. There are three important elements of business continuity planning (BCP): resiliency, recovery and contingency. Resiliency ensures that operations continue to run even during outages and during the immediate aftermath of a disaster. Recovery is the process of quickly and effectively bringing failed systems back into operation, and contingency is the process of setting up alternate systems that can take the place of the default systems in case the resiliency and recovery processes do not work as planned.

With growing awareness about disasters and the consequences they have on business, more and more client businesses are today keen on partnering only with organizations that have robust BCP processes in place. In a way then, BCP is not only a measure of your operational preparedness during times of crisis, but it is also a critical selling point for your business.

There are a number of standards available across the world today that can help you benchmark your BCP preparedness. This includes the ISO 22301:2012, BS 25999, ASIS/BSI BCM.01.2010 and HB 292-2006. By getting certified through these standards, your business can sell the disaster preparedness of your company as a factor to consider for potential clients.

Despite the potential consequences of a disaster, awareness about BCP remains low. One primary reason is that businesses see disasters as a rare occurrence, and because the financial implications of such disasters can often be recovered through insurance, BCP is not given sufficient thought. However, this line of thought completely misses the point that the impact of such disasters falls more on the credibility of the business and the trust that customers place in it than on the financial blow itself. Consequently, BCP is mainly about ensuring that the trust your customers place in your business is not damaged.

Has your business got a continuity plan in place? Tell us your strategies in the comments below.


Marissa Mayer on Yahoo!, Microsoft, and Government

At yesterday’s TechCrunch Disrupt, Marissa Mayer, CEO of Yahoo!, discussed a wide range of topics, from Yahoo! to Microsoft to government, with Michael Arrington, founder of TechCrunch.

Arrington opened the floor with what Mayer had done with Yahoo! up until now. Former Google vice president, Mayer had only been at Yahoo! for 1 year and 2 months and was able to double its stock. She attributed a good portion of this grand feat to the investments of her predecessors, but her revamp of how Yahoo! did things played a major part in this. She focused, in order, on: hiring the right people, product, traffic, and revenue.

 

To help explain the impact of Yahoo!’s newfound success, Mayer said that “the company receives 12,000 resumes a week” and that the company only has 12,000 positions—this means that every week, Yahoo! gets a resume for every possible position. In addition to this boom in potential employees, 10% of the company consists of boomerangs—employees who left and then returned to Yahoo!. She also mentioned that Yahoo! has 800 million users worldwide, and that figure does not even include Tumblr. To drive home the point that Yahoo! is still a strong contender, she asked the audience to show how many had used Yahoo! for any of its services in the past month; over half raised their hands.

 

The discussion then drifted towards her plans for Yahoo!. Arrington asked what changes she was planning, especially considering her prior position as vice president of Google. Mayer touched a bit upon Yahoo! mail, stating that its simpler design offers faster speeds than Google. She also plans on growing her mobile team by a factor of 10. After all, the mobile market is booming—a lot of people are using their smartphones to get information that Yahoo! already offers: mail, news, finance, sports, communication, etc.

 

Arrington then shifted the topic towards one of the two questions he always asks at the event: Who should be the new CEO of Microsoft? Mayer never did give a direct answer. She started off by saying that she admires both Bill Gates and Steve Ballmer, and continued by stating her observation that Microsoft is strong in the enterprise area, so it should look for someone whose strength is in enterprise. Arrington then built upon her comment, asking about the weaknesses of CEOs. She said that there is actually a community of CEOs and that “they want to see each other succeed,” but what is most shocking about being a CEO is that there are so few decisions to be made, yet each of them is of the utmost importance to the fate of the company.

 

The second of Arrington’s favorite questions is about government requests for user data. Like Facebook, Mayer said that Yahoo! is trying to protect as much user privacy as they can from government. Unfortunately, companies cannot refuse to comply with the government, but Yahoo! plans to and does analyze and scrutinize all requests by the government, pushing them back as much as possible.

 

While this chat between Mayer and Arrington covered a few important topics, the conversation brings up a few key questions. Is Yahoo!’s focus on mobile the best way to go? Who should be the next CEO of Microsoft? What should and can companies do about government requests for user data? What do you think?


Top Startup and Tech News Today-7 Things You Missed Today

1. How eBay Could Rescue Bitcoin From the Feds

 

Bitcoin exchanges have run into a hurdle in the form of the U.S. banks. There are questions about whether or not they “meet federal and state money transmission business regulations.” While this is quite a setback, another company is in prime position to take advantage of the situation: eBay. It has a “virtual currencies” section, allowing people to sell and purchase Bitcoins—it’s a forum for Bitcoin exchange that bypasses the federal and state regulations via PayPal.

 

The only thing preventing eBay from taking advantage of this opportunity, should it choose to do so, is the fact that PayPal allows chargebacks. Someone could purchase Bitcoins on eBay and simply state that the Bitcoins weren’t delivered, defrauding the seller. If eBay manages to solve this problem, PayPal could find itself in even bigger competition with Bitcoin. “They could very well find their business model outdated,” states financial regulations lawyer Van Cleef.

 

2. Google is joining the Open edX platform

 

Google released Course Builder, an experimental platform, last year to test the waters in online education. It was well received with a multitude of different online courses available with various institutions experimenting with MOOCs (massive open online course). To continue with the online education front, Google has decided to join Open edX, a non-profit aiming to provide interactive online courses, as a contributor.

 

The effects of the combined efforts of both companies will provide much for the developers and consumers. Director of Research, Dan Clancy says, “We hope that our continued contributions to open source education projects will enable anyone who builds online education products to benefit from our technology, services and scale. For learners, we believe that a more open online education ecosystem will make it easier for anyone to pick up new skills and concepts at anytime, anywhere.”

 

3. Consumer: Stay Smart to Avoid WiFi Hackers

 

Becoming a super-connected metropolis with free WiFi everywhere sounds great, but it also has its cons; one glaring problem is the presence of WiFi hackers. Leeds is one city that hopes to realize this vision. A survey of Britons examined their WiFi use to determine how safe people really are.

 

Half of the surveyed do not know if the WiFi hotspot they use is secure, opening them up to identity fraud. Two thirds use the hotspots to check their email, a smorgasbord of personal information. Even more surprising, ten percent of people access their bank accounts with the public WiFi.

 

A brief list of recommendations from these findings: keep important online tasks at home, remove automatic connections on your mobile device, and don’t use apps whose encryption method is unknown.

 

4. Microsoft Seeks Cloud, Mobile, and Gaming Startups in London’s Tech City

 

Microsoft launched a 12 week accelerator program for UK cloud, mobile, and gaming startups in East London Tech City. 20 startups will have the opportunity to gain mentorship from executives from Microsoft, Train2Game, Lift London, and more.  This program is the latest of 10 around the world by Microsoft. The success rate of companies, from a total of 119, getting funding (within 6 months of the program’s end) is 85 percent! The kicker, though, is that Microsoft does not plan on taking equities from the startups. Rather, they will hope that the accelerator program will help to create future successful partnerships and additions to the Microsoft family.

 

5. Facebook Rolls Out “Professional Skills” Section on User Profiles

 

Facebook tries its hand at doing what LinkedIn has already been doing: acting as a professional outlet for users. It recently included a new feature that allows users to add professional skills to their profile. Facebook takes this one step further than LinkedIn in that it connects skills to relevant interest groups, giving potential hires even more exposure. For those who worry about privacy, there is an option to adjust the privacy settings on the resume.

 

“If Facebook’s Professional Skills feature takes off, you’ll be able to browse through friends’ vacation picks and potential hires, all at the same time.”

 

6. What Startups Need to Know about Obamacare

 

With Obamacare coming out soon, startups have more health insurance options available to employees. Plans will come in 4 flavors—the typical Bronze, Silver, Gold, and Platinum setup, each with increasing cost and coverage.

 

Exchanges will start on October 1st, 2013—small businesses can take advantage of this time and look at the exchanges and plans. Since insurance companies will not be able to deny anyone, the rates for insurance will increase, especially for those below the age of 30. However, most of the regulations placed onto small businesses are delayed until 2015 instead of 2014.

 

7. Fun: First Actual Computer Bug Was Found Today, 66 Years Ago

 

It’s time to celebrate the 66th birthday of the first discovered computer bug! In 1947, the Mark II Aiken Relay Computer at Harvard had a peculiarity in its system—a bug. For all the technophiles out there, it, unfortunately, isn’t the metaphorical bug we all know of; it was literally a bug: a moth. The person who helped to publicize this and coin the terms “bugging” and “debugging” is Grace Hopper. The moth itself survives in a logbook in the National Museum of American History, but, unfortunately, is not on display.


Top Startup and Tech News Today - 7 Things You Missed Today

1. Microsoft to Buy Nokia Units and Acquire Executive

 

Microsoft and Nokia have both reached an agreement where Microsoft will acquire the Nokia handset and services business for $7.2 million. What are the ramifications of this deal for both sides?

 

Nokia used to be a powerhouse in the mobile phone industry, but those days have since passed. In 2010, they held 64% share of China’s cell phone market—that value has dropped down to 1% in the first two quarters of 2013. Microsoft, on the other hand, needs to evolve its business to adapt to the mobile era.

 

Carolina Milanesi, an analyst at Gartner says that “Microsoft cannot walk away from smartphones, and the hope that other vendors will support Windows Phone is fading fast. So buying Nokia comes at the right time,” and also that the deal between the two could help them to “respond more quickly to the dynamism of the mobile market.”

 

2. How Much It’s Worth to Be #1 on Hacker News For a Day

 

Arshad Chowdhury runs a blog that averages 500 visitors per month, profiting through affiliate links with amazon (8% commission), sales of an app called “Power 20” ($2.99 ad-free), and sales of a diet and exercise program known as “One Month Madness” ($39.00). Recently, a blog post of his made it to the number 1 spot on Hacker News for 10 hours, resulting in a boom in traffic and revenue.

 

Being on Hacker News opens up big doors as it provides a surge of publicity—its stories are usually picked up by other news outlets. In this case, Chowdhury gained exposure as he was asked to appear on Fox Business, written about in Huffington Post France, and featured on Yahoo’s homepage. From days 1 to 3, his blog received 73,398, 52,169, and 12,910 visitors, respectively. The Power 20 app page had 3,999, 5,334, and 959 visitors. The One Month Madness page received 562, 1,295, and 369 visitors for the first three days after making it to Hacker News. This traffic wave boosted his revenue by $3,880.84, increased subscribers, and brought in new customers.

 

“[While] having a popular post on HackerNews leads to a nice, fleeting bump in traffic…it’s not a business strategy and won’t necessarily make one rich,” Chowdhury finishes.

 

3. Hackathons Harness Data for Sustainability, Fun and Maybe Profit

 

GreenBiz Group’s “VERGE” conferences attempt to use data at the intersection of technology and sustainability in the hope of increasing the efficiency of both society and individuals. They are harvesting and harnessing data to “improve cities’ infrastructures, eliminate landfills, improve street lighting, accelerate energy-efficient buildings, reduce water leaks and boost innovation.”

 

GreenBiz Group also hosts a set of weekend long hackathon events called Hack City. While there are varying subject matters for hackathons, Hack City focuses on finding a means for cities, businesses, and households to withstand and recover from extreme weather or disasters. In addition to Hack City, Data Jam is an event that consists of executives, entrepreneurs, technologists, investors and policy experts working together to design solutions based on a list of challenges and given data sets with the goal of sustainable retrofits.

 

Krys Freeman, GreenBiz’s director of technology and head of Hack City, says, “If we use the data, we can do something really compelling that wouldn’t have been able to be done otherwise.”

 

4. Facebook Awards Hacker for Reporting Photo Security Flaw

 

The internet is rife with security flaws; recently, Arul Kumar, an Indian engineer, found and reported a hole in Facebook’s security. Now fixed, the exploit consisted of a two-step process that allowed one to delete the photos of others. By modifying the URL of a photo removal request, it could be directed into the user’s account, where the user could then delete it as if it were his own. As per Facebook’s white hat program, Kumar was awarded $12,500 for his findings.

 

5. Fantasy Football With Startups – Let’s Make it Happen

 

The time for starting Fantasy Football has just ended, but what if one isn’t interested in such matters and is more inclined towards technology and the like? Martin Bryant toys with the idea of a Fantasy Football analogue built on tech startup companies. While the rules, or really the game itself, are still undefined, Bryant makes a few proposals.

 

First and foremost, pick and name a co-founding team consisting of a CEO, CTO, and CFO. Points will be given or penalized based on performance, e.g. have they been acquired, did an app get launched, did they go out of business?

 

While these are musings, it’s a viable concept that only needs the answer to one main, important question: “How do we sort out scoring for a game like this?”

 

6. Bitcoin in India: Drivers and Barriers to Adoption

 

Bitcoin, a digital currency, may be poised to help with financial problems in countries with high inflation rates or capital regulation. Essentially, bitcoin allows individuals anywhere in the world to send money directly to each other without going through banks or governments, bypassing regulations between borders.

 

India is in a prime position to take advantage of bitcoins, as the value of its currency has fallen against the dollar and the Reserve Bank of India (RBI) has placed restrictions on overseas investment. Users of bitcoins can invest overseas without having to go through an intermediary, sidestepping the monetary cap placed by the RBI. To further pave the way for bitcoin, the RBI stated that it “does not immediately intend to regulate bitcoin.”

 

Other countries like Argentina, China, and Cyprus have successfully taken advantage of bitcoin; will India and other countries in similar financial situations follow?

 

7. How Facebook, Twitter and Other Startups Got Big

 

There’s a saying that goes like this: “it takes money to make money,” but how much does it take? Startups like Facebook, Twitter, and Zynga were able to achieve an incredible number of users while spending less money on advertising than other companies. “Growth Hacking” is the term used to describe the model behind their high-growth trajectories.

 

Startup advisor Andrew Chen describes growth hackers as a “hybrid of marketer and coder, one who looks at the traditional question of ‘How do I get customers for my product?’ and answers with A/B tests, landing pages, viral factor, email deliverability, and Open Graph.” Growth hackers basically focus on company growth rather than visibility—instead, companies that take advantage of growth hacking have implemented referral systems, performed publicity stunts, or more to grab users.

 

Growth hacking is the marketing future, maximizing gains through eschewing wasteful marketing.


5 Things About Data Leakage

As more and more employees work away from the office - at home and on the go - and collaborate online, sensitive corporate information is increasingly leaked, often unintentionally.

Mobile employees tend to adopt personal cloud share services such as Dropbox and Google Drive that are intuitive to use and easily solve file synchronization and sharing needs, but increase security risks and locate the organization’s data at uncontrolled locations. The cost of data loss is very high, both in terms of financial losses, leaking of IP to competitors and damage to the corporate brand. In response, many organizations are taking action by training employees, setting up restrictions and requiring certain data usage policies. However, as efficient as the instructions and company regulations may be, there is never a full guarantee that they will be followed.

 

Educating employees about the importance of sharing data securely is critical, but simply not enough. As employees become more sophisticated and tech-savvy, they are finding creative ways to circumvent corporate policy, ignoring the security risks and regulatory implications to the enterprise.

 

Here are some facts about data leakage showing why enterprise-grade security technology is a critical ingredient for keeping data secure in storage and in transit.

 

1) Employees will find shortcuts and workarounds to security policies

Employees are increasingly “going around” IT by sharing critical information through webmail, file sharing services, cloud storage, USB sticks and smart devices, simply because they perceive them as easier to use than traditional corporate file transfer tools. They use their personal email to send confidential company documents and data, and consumer-grade file transfer for business purposes, both lacking sufficient security protection. Often employees do so in order to “get the job done” more quickly, not realizing the unnecessary risk of data loss that can result.

 

2) Corporate computers are often misused

According to Cisco sponsored research many employees share work devices and sensitive information with non-employees. Approximately one fourth of the employees surveyed admitted to sharing sensitive information with friends, family, or even strangers, while almost half of the employees surveyed share work devices with people outside the company, without supervision.

 

3) Email causes the most enterprise data loss

E-mail continues to be the primary source of data-loss risk. Federal information security and email management professionals say standard email is the number one way unauthorized data leaves an agency, based on a study by Meritalk and sponsored by Axway. According to the report, a single federal agency sends and receives an average of 47.3 million emails each day, averaging 1.89 billion emails per day for the federal government overall. While 79 percent of federal information security and email management professionals say cyber security is a top priority, only one in four give the security of their current email solution an “A.”

 

4) Web servers can be the weakest link

Stealing sensitive information can be done fairly easily by using a personal Web mail account or uploading information to a Web-based file-sharing site.  Web servers, by their very nature, tend to be at the network perimeter and connect with the external Internet. They provide a direct gateway for external attackers to gather information about the internal network and possibly even acquire actual files and data that were meant for internal company eyes only.

 

5) Security policies are written in a language foreign to the average employee

Most explanations of the security risks faced by the organization are stored in a long, tedious report that few employees have the patience or time to read, and those who do may not understand it. Security policy and procedure manuals are written in complex legal language to impress regulators, lawyers and auditors; the average employee doesn’t stand a chance.

 

Data Leakage is a complex problem that requires a solution that involves people and technology.  Like most complicated situations the best solution is often a simple one that works with the existing business processes to work in the background with minimal user education and intervention.



Kaspersky Labs explains: How to Protect Your Business from Cyber Attacks Part II

In the first part of this article, we told you about targeted cyber attacks and how cyber criminals penetrate corporate networks, attacking the computers of employees who use their desktops for social networking and other cyber-skiving.

 

Along with targeted cyber attacks there are other threats. Intentionally or by chance, employees may be guilty of disclosing confidential data or breaking copyright laws, which might result in law suits against the company.

 

We will tell you about some incidents related to the storage and transfer of corporate documents via a personal mailbox or a cloud service and the use of software for P2P file sharing. We will explain what technologies and security policies allow system administrators and IT security specialists to prevent such incidents.

 

Reputation loss

Your company’s reputation is worth protecting - and not only from cyber criminals.  Employees who send professional correspondence to their personal mailboxes, download illegal content, or use pirated software on corporate computers never think they might damage their company’s reputation.

 

Confidential information disclosure

One company suffered an incident in which extremely confidential information was disclosed. Data security specialists started the investigation by checking the leaked documents and were surprised to find that the metadata still contained important information: the company’s name, the computer’s name, where the document was last stored, authors’ names, e-mail addresses, telephone numbers, and more. Criminals usually delete this data to hide the source of the leak. During the investigation, the experts found that copies of the disclosed documents were stored on the computers of five employees. None of them admitted to handing the documents over to a third party; moreover, when they learned about the incident in the interview with the security team, all of them were genuinely surprised. After analyzing the corporate proxy-server logs, it was revealed that one of those five employees had uploaded copies of the disclosed files to a mail service.

 

At the second interview, this employee confessed that he had used his personal mailbox a few times to store corporate documents.  It was convenient: if he had no time to finish or read a document, he sent it to his personal mail and finished it at home.  Any employee could gain remote access to his corporate mailbox on request, but the employee hadn’t set up any extra protections.  He didn’t anticipate any problems with using his personal mailbox for work.

 

Having gained access to his personal mailbox, data security specialists checked the list of IP addresses used to connect to the e-mail.  Along with the employee’s home and corporate IP addresses, a lot of other addresses of proxy-servers from different countries surfaced.
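The two investigative steps just described, pulling large uploads to personal mail or cloud domains out of the corporate proxy log and then comparing a mailbox’s login addresses against the addresses the employee legitimately uses, can both be scripted. The following is an added example, not Kaspersky’s tooling or code from the original article; the log format, the domain list, the size threshold and every address in it are constructed for the demonstration.

```python
import re

# Constructed sample of proxy log lines (hypothetical hosts, addresses and times), one request per line:
# timestamp  client_ip  method  url  status  request_bytes
PROXY_LOG = """\
2013-09-10T09:12:01 10.0.5.21 GET http://intranet.corp.example/wiki/home 200 412
2013-09-10T09:40:13 10.0.5.34 POST https://mail.example-webmail.test/attach 200 1843200
2013-09-10T10:02:44 10.0.5.21 GET https://news.example.test/ 200 1200
2013-09-10T10:15:09 10.0.5.34 POST https://mail.example-webmail.test/attach 200 2201344
2013-09-10T11:30:55 10.0.5.78 POST https://drive.example-cloud.test/api/files 200 512000
2013-09-10T12:01:17 10.0.5.34 GET https://mail.example-webmail.test/inbox 200 900
2013-09-10T12:20:40 10.0.5.78 POST https://crm.corp.example/api/notes 200 640000
"""

# Personal mail and cloud-storage domains that policy forbids for corporate data (assumed list).
WATCHED_DOMAINS = {"mail.example-webmail.test", "drive.example-cloud.test"}
# Request bodies smaller than this are treated as ordinary form traffic, not uploads (assumed threshold).
MIN_UPLOAD_BYTES = 100_000

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "status": int(status), "bytes": int(size)}


def find_uploads(log_text, watched=WATCHED_DOMAINS, min_bytes=MIN_UPLOAD_BYTES):
    """Map client IP -> list of (timestamp, host, bytes) for large uploads to watched domains."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if rec["host"] in watched and rec["bytes"] >= min_bytes:
            hits.setdefault(rec["client"], []).append((rec["ts"], rec["host"], rec["bytes"]))
    return hits


def unexpected_logins(login_ips, known_ips):
    """Addresses that accessed the mailbox but are neither the employee's home nor the corporate egress."""
    return sorted(set(login_ips) - set(known_ips))


if __name__ == "__main__":
    for client, uploads in find_uploads(PROXY_LOG).items():
        print(client, "->", uploads)
    # Constructed mailbox login history: home address, corporate egress address, plus two foreign proxies.
    seen = ["203.0.113.5", "198.51.100.10", "192.0.2.77", "198.51.100.10", "192.0.2.78"]
    print(unexpected_logins(seen, ["203.0.113.5", "198.51.100.10"]))
```

The upload check keys on method plus body size rather than on URL keywords, because the interesting requests in the story were ordinary attachment uploads; the domain list is what makes it a policy check rather than a generic traffic report. The login check is a plain set difference, which is exactly what the investigators did by hand.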

 

While investigating the employee’s computer security, specialists discovered spyware that logged all the account data for different systems - sites, social networks, mailboxes, and online banking services.  Having used the malware to gain access to the employee’s mailbox, the criminal found a lot of corporate documents stored there.

 

Though the guilty employee was fired, the reputational damage to the company lingers on.


 

Breach of copyright

It’s widely known that downloading pirated content is a violation of copyright law. However, few people remember that when you use the Internet from your corporate network, you use the IP address of your company. This means that if a violation is discovered, it is the company that will be liable.

 

A small company suffered an unpleasant incident. At certain times, there was a sharp drop in Internet connection speeds. Network traffic statistics showed one computer using 80% of the network capacity, with incoming and outgoing connections going off the scale. The sysadmin assumed that the computer was being used to share files on a P2P network.

 

It turned out that one employee had brought his personal laptop and connected it to the corporate network. A BitTorrent client installed on the laptop was set to run automatically when the system started.  The employee had forgotten all about it and the program running on his laptop caused trouble with the Internet connection.
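The sysadmin’s diagnosis rested on two observations together: one host carrying most of the bytes, and that host fanning out to an unusual number of peers on assorted high ports. The following is an added example, not code from the article, that applies that same rule to flow records; the records, the 50% share threshold and the minimum peer count are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, bytes) for one hour; all values hypothetical.
# Host 10.0.5.60 talks to many peers on unprivileged ports and moves most of the bytes.
FLOWS = [
    ("10.0.5.21", "93.184.216.34", 443, 500_000),
    ("10.0.5.21", "93.184.216.35", 443, 300_000),
    ("10.0.5.78", "203.0.113.9", 443, 700_000),
    ("10.0.5.78", "203.0.113.10", 80, 500_000),
] + [("10.0.5.60", f"198.51.100.{i}", 6881 + i, 1_000_000) for i in range(1, 9)]


def summarize(flows):
    """Aggregate bytes, distinct remote peers and distinct destination ports per internal host."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set(), "ports": set()})
    for src, dst, port, nbytes in flows:
        s = stats[src]
        s["bytes"] += nbytes
        s["peers"].add(dst)
        s["ports"].add(port)
    return stats


def suspicious_hosts(flows, share_threshold=0.5, min_peers=5):
    """Hosts carrying more than share_threshold of all traffic while talking to at least min_peers peers.

    Both conditions matter: one large download from a single server is normal, whereas a large
    share spread over many peers on assorted high ports is the typical P2P signature.
    Returns a sorted list of (host, share rounded to 2 places, peer count).
    """
    stats = summarize(flows)
    total = sum(s["bytes"] for s in stats.values()) or 1
    flagged = []
    for host, s in stats.items():
        share = s["bytes"] / total
        if share > share_threshold and len(s["peers"]) >= min_peers:
            flagged.append((host, round(share, 2), len(s["peers"])))
    return sorted(flagged)


if __name__ == "__main__":
    for host, share, peers in suspicious_hosts(FLOWS):
        print(f"{host}: {share:.0%} of traffic across {peers} peers")
```

Run against real NetFlow or firewall connection logs, the peer-count condition is what separates a BitTorrent client from a workstation pulling a large update from one CDN address.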

 

Three months later, local law enforcement authorities came to the office with a search warrant and took many hard drives and documents, because they suspected that the company had used pirated software, in breach of copyright rules.  In the end, the company was fined and, since then, stronger restrictions against pirate software have been introduced in the security policy.  Now, employees face serious sanctions for a first offense, and lose their jobs if there is any repeat.  In addition to those punishments, illegal content (hacked software, video, music, e-books, etc.) is forbidden whether it is downloaded to a corporate computer from the Internet, or if it is brought from home.

 

Solution

We described just two cases in which the violation of corporate policies by employees led to serious incidents.  In everyday life, there are many more scenarios like this.  Fortunately, there are also some simple methods, which, together with security policies, can help to prevent the majority of these incidents.

 

Network Traffic Control

In the incidents described above - corporate documents leaked and unlicensed content loaded via P2P - the corporate network served as the channel to send and receive data. Firewalls, IPS, HIPS, and other technologies allow system administrators and IT security specialists to limit or block:

  • Access to public services and their servers - mail services, cloud storages, sites with forbidden content, etc.
  • Use of ports and protocols for P2P sharing
  • Sending corporate data outside the corporate network

 

It’s worth remembering that no single control of network traffic can provide the highest level of corporate network security.  In order to bypass security policies, employees can use traffic encryption methods, connect to the copies (mirrors) of blocked online services, or use proxy servers and anonymizers.  Moreover, many applications can use other application ports and embed their traffic into various protocols, which cannot be forbidden.  In spite of these obstacles, network traffic control is important and necessary, but it needs to be combined with application control and file encryption.

 

Application control

 

Using application control, a system administrator or data security specialist can not only forbid any unwanted software, but also track what applications employees use, as well as when and where they use them.  It’s almost impossible to prohibit all pirated software, as a lot of varieties of an application may be created and they may be almost identical.  So, the most effective approach is to use application control in default deny mode to ensure that all employees use only authorized software.
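The reason default deny works where a blocklist fails is the one given in the paragraph: variants of a pirated or repacked binary are nearly identical, so nothing short of an exact-content allowlist reliably tells them apart. The following is an added example, not code from Kaspersky or the article, showing the core of such a policy: a SHA-256 allowlist that is indifferent to file names. The sample binaries and their contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class DefaultDenyPolicy:
    """Allow execution only for binaries whose hash is on the approved list; everything else is denied."""

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)

    def decide(self, path):
        digest = sha256_file(path)
        verdict = "allow" if digest in self.allowed else "deny"
        return verdict, digest


def _write(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    """Approved build is allowed; a near-identical repack is denied; a renamed approved copy is still allowed."""
    with tempfile.TemporaryDirectory() as d:
        approved = _write(d, "editor.exe", b"MZ" + b"\x00" * 64 + b"approved build 4.2")
        # One byte differs: the kind of "almost identical" variant the text warns about.
        repack = _write(d, "editor_cracked.exe", b"MZ" + b"\x00" * 64 + b"approved build 4.3")
        renamed = _write(d, "notepad.exe", b"MZ" + b"\x00" * 64 + b"approved build 4.2")
        policy = DefaultDenyPolicy([sha256_file(approved)])
        return (policy.decide(approved)[0], policy.decide(repack)[0], policy.decide(renamed)[0])


if __name__ == "__main__":
    print(demo())
```

A production application-control product also accepts publisher signatures and trusted installer paths so that every patch does not require a new hash, but the decision logic is the same: unknown content is denied, and the name on the file carries no weight.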

 

File encryption

 

It’s often impossible to track how employees use cloud services and personal mailboxes to store corporate data, which may include confidential information.  Many mail services and cloud storages encrypt files transmitted by a user but cannot guarantee protection against intruders - a stolen login and password will give access to the data.

 

To prevent this type of theft, many online services attach cell phone numbers to their accounts.  Along with the account data, a criminal will need to intercept a one-off confirmation code, sent to a mobile device during authorization.  Note that this protection is safe only if the mobile device has no malware that will let the criminal see the code.

 

Fortunately, there is a safer way to provide security for corporate documents transmitted beyond the corporate network - file encryption technology. Even if intruders get access to a mailbox or cloud storage where an employee stores corporate papers, they won’t be able to access the content of these documents, since they were encrypted before their transmission to an external server.
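The property the paragraph relies on is that encryption happens on the endpoint, so the external service only ever holds ciphertext and a stolen login yields nothing readable. The following is an added example, not code from the article, that models this with the third-party cryptography package’s Fernet (AES-CBC with an HMAC tag) and a PBKDF2-derived key; the document, passphrase, iteration count and simulated mailbox are constructed assumptions.

```python
import base64
import hashlib
import os

from cryptography.fernet import Fernet, InvalidToken  # third-party 'cryptography' package (assumed installed)

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000  # assumed work factor for passphrase stretching


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Turn a passphrase into the 32-byte urlsafe-base64 key that Fernet expects."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=32)
    return base64.urlsafe_b64encode(raw)


def encrypt_for_upload(plaintext: bytes, passphrase: bytes) -> bytes:
    """Encrypt on the endpoint; only this blob (salt || Fernet token) ever reaches the external server."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(derive_key(passphrase, salt)).encrypt(plaintext)
    return salt + token


def decrypt_download(blob: bytes, passphrase: bytes) -> bytes:
    """Reverse of encrypt_for_upload; raises InvalidToken on a wrong key or a tampered blob."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    return Fernet(derive_key(passphrase, salt)).decrypt(token)


def demo():
    """Model a mailbox whose login was stolen: the intruder sees the stored blob and nothing more."""
    document = b"CONFIDENTIAL: Q3 forecast, customer list, salary table"
    passphrase = b"correct horse battery staple"  # constructed; in practice it comes from a key store
    mailbox = {"forecast.docx.enc": encrypt_for_upload(document, passphrase)}
    stolen_blob = mailbox["forecast.docx.enc"]
    try:
        decrypt_download(stolen_blob, b"wrong passphrase")
        wrong_passphrase_works = True
    except InvalidToken:  # the authentication tag does not verify, so a bad key is rejected outright
        wrong_passphrase_works = False
    return {
        "plaintext_visible": document in stolen_blob,
        "wrong_passphrase_works": wrong_passphrase_works,
        "roundtrip": decrypt_download(stolen_blob, passphrase) == document,
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored with the ciphertext because it is not secret; what must stay off the external server is the passphrase or key, which is exactly the separation the article is recommending.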

 

Security policies

Network traffic control, application control, and data encryption are important security measures that can detect and automatically prevent data leaks, as well as restrict the use of unwanted software on the corporate network. It is still necessary, however, to implement security policies and raise employee awareness, since many users do not realize that their actions may put their company at risk.

In case of repeated violations, security policies should provide for administrative sanctions against the offender, up to and including dismissal.

Security policies should also stipulate what actions are to be taken if a former employee still has access to confidential information or critical infrastructure systems.

Conclusion

Incidents such as confidential data leaks or unlicensed content downloaded from a corporate IP address may cause significant damage to a company's reputation.

To prevent this damage, companies should limit or completely block employee access to online resources that may pose a threat to the company, and limit or block the use of ports, data transmission protocols, and applications that are not required for work. File encryption technologies should be used to ensure the confidentiality and integrity of corporate documents.

IT security experts should keep in mind that, along with incident detection and prevention, they should pay attention to administrative protection measures. Users should be aware of what is allowed and prohibited by a security policy and the consequences of any violation.

How to Protect Your Business From Attacks Without Really Trying

You trust your employees, right? Maybe you shouldn't…

At least, not in matters of network security. Whether you like it or not, employees use office computers to communicate on social networking sites, share links to online entertainment, or download files from suspicious sources. At the same time, cybercriminals use social networking sites for phishing and malware distribution. They infect personal blogs, entertainment sites, file-sharing services, and torrent trackers. They regularly hack email account passwords. To protect your network, here is a list of security threats and protection techniques you should know:

Targeted attacks

Because the majority of threats target mass audiences, antivirus software can prevent most incidents. Targeted attacks are different: hackers carry them out covertly, often using a non-standard approach, and they are highly sophisticated and well organized. These are the attacks you should worry about the most.

Social Engineering Attacks

In 2009, over 20 major software companies fell victim to the Operation Aurora targeted attack. In one incident, hackers lured company employees via social networking sites and IM clients. Using social engineering techniques, the scammers got acquainted with their victims, gained their confidence, and did whatever was necessary to make the recipients open a link. The fraudsters only needed to:

- Collect widely available information about the user from social networks
- Create an account using the victim's personal information
- Become "friends" with the people on the victim's contact list
- Get in touch with the victim using the established "cover"

Once an account has been so thoroughly prepared, it can easily trick victims into clicking a suspect link. If this fails, the scammer can try a more sophisticated trick: hacking the account of a user whom the victim trusts and sending links from there. This is especially easy if the victim's trusted contacts include vulnerable users such as elderly people, children, or teenagers.

In a targeted attack, a link may lead the victim to a site hosting 0-day exploits, which give criminals access to vulnerable computers. By using social networks from the office computer, employees may unwittingly help hackers penetrate the corporate network.

Watering Hole Attacks

In this type of attack, hackers infect the sites that your employees use the most. Recently, the U.S. Ministry of Labor site was infected, but the real target of the attack was the Department of Energy. The criminals were trying to infect the computers of DOE employees who regularly visited the Ministry of Labor's website.

Once targeted employees open an infected page, malware redirects their browser to a malicious site, which may host 0-day exploits. By hiding malware in this way, scammers can also conceal their targeted attacks from antivirus companies and IT security experts.

Before you assume that your network is secure, remember that fraudsters will try to infect trusted sites. Even when users have to carry out additional steps, such as turning on JavaScript, they may innocently click "Allow" and "Confirm."

Protection through Policy

Users may enable targeted attacks by giving scammers access to the system. Unfortunately, there is no technology that eliminates human error from corporate network security. However, reinforcing security policies provides protection by combating targeted attacks at every stage, from the first attempt to exploit a vulnerability to the attempts to compromise the network.

Protection Against Exploits

Since targeted attacks use unique malware, signature-based detection isn't enough to identify the malicious code. Yet antivirus programs have long had more weapons at their disposal than signatures. AEP technology, combining heuristic analysis with control over executable code, can block the execution of malicious code even when it exploits a 0-day vulnerability.

Even if fraudsters manage to attack the system, network traffic and application controls may prevent further penetration into the corporate network.

Network traffic control

Once malicious code gets into the system, it usually attempts to:

- Establish a connection with a command center
- Open ports for incoming connections
- Download additional modules
- Inject malicious code into other processes to maintain the connection with the command center
- Gather information about the network, such as its systems and users
- Send the harvested information to the fraudsters' server

Having connected to the system, the scammers collect information about it and about the corporate network it belongs to. To collect local information, the fraudsters don't need extra privileges: they can obtain a list of running processes, installed software, and more with little effort. They collect information about the corporate network using special scripts and utilities that mask their activity and bypass security systems. Then they analyze this information before the next stage of the attack.

Using network traffic control technology, system administrators and IT security specialists can block dangerous network activity and detect any penetration into the corporate network. For instance, a firewall and IPS/IDS can:

- Block incoming/outgoing connections by port, protocol, domain name, and IP address
- Perform statistical analysis of traffic to find anomalies
- Collect suspicious network traffic for further analysis
- Detect or block outgoing commands and similar output sent online, downloads of suspicious files from the Internet, and transmissions of confidential information

A firewall and IPS/IDS can detect anomalies in the interactions between network nodes once the malicious code tries to contact the command center or scans the corporate network for other systems and open ports. This anomaly detection allows IT security experts to respond to the threat, preventing further intrusion into the corporate network.

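The controls listed above, as an added example written for this post (it is not the product or code the author describes): a small Python script parses constructed firewall-style connection records and applies three of the network traffic controls named in the text, namely an egress policy by protocol and port, command-center beacon detection based on near-constant connection intervals, and detection of a host probing many internal neighbours on one port, the reconnaissance stage described above. The log format, hosts, addresses, thresholds and function names are all assumptions made for the example.

```python
"""Added example (not the author's code): connection-log analysis implementing
three of the network traffic controls listed above. Every log line, host name,
address and threshold below is constructed for the example."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed egress policy: (protocol, destination port) pairs allowed to leave the network.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# Address ranges that count as the corporate network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed firewall records: timestamp, source host, process, protocol, destination ip:port.
SAMPLE_LOG = """\
2013-09-12T10:00:00 ws-07 chrome.exe tcp 203.0.113.10:443
2013-09-12T10:00:05 ws-07 svchost.exe tcp 198.51.100.23:8080
2013-09-12T10:01:05 ws-07 svchost.exe tcp 198.51.100.23:8080
2013-09-12T10:02:05 ws-07 svchost.exe tcp 198.51.100.23:8080
2013-09-12T10:03:06 ws-07 svchost.exe tcp 198.51.100.23:8080
2013-09-12T10:04:05 ws-07 svchost.exe tcp 198.51.100.23:8080
2013-09-12T10:05:00 ws-07 outlook.exe tcp 203.0.113.44:443
2013-09-12T10:05:10 ws-07 svchost.exe tcp 10.0.1.5:445
2013-09-12T10:05:11 ws-07 svchost.exe tcp 10.0.1.6:445
2013-09-12T10:05:12 ws-07 svchost.exe tcp 10.0.1.7:445
2013-09-12T10:05:13 ws-07 svchost.exe tcp 10.0.1.8:445
2013-09-12T10:05:14 ws-07 svchost.exe tcp 10.0.1.9:445
2013-09-12T10:05:15 ws-07 svchost.exe tcp 10.0.1.10:445
2013-09-12T10:06:00 ws-07 chrome.exe udp 10.0.0.2:53
"""


def parse_log(text):
    """Turn the constructed records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, host, proc, proto, dest = line.split()
        ip, port = dest.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
                       "proto": proto, "ip": ip_address(ip), "port": int(port)})
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_violations(events):
    """Rule 1, block by port/protocol: connections leaving the network that policy does not allow."""
    return [e for e in events
            if not is_internal(e["ip"]) and (e["proto"], e["port"]) not in ALLOWED_EGRESS]


def beacons(events, min_count=5, max_jitter=0.1):
    """Rule 2, statistical anomaly: one process contacting the same external destination
    at a near-constant interval, the typical command-center check-in pattern.
    Returns [((host, process, ip, port), interval_seconds), ...]."""
    by_dest = defaultdict(list)
    for e in events:
        if not is_internal(e["ip"]):
            by_dest[(e["host"], e["proc"], e["ip"], e["port"])].append(e["ts"])
    found = []
    for key, times in by_dest.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low jitter = machine-driven timing
            found.append((key, round(avg)))
    return found


def internal_scans(events, window_seconds=60, min_hosts=5):
    """Rule 3, reconnaissance: one host touching many distinct internal hosts on the same
    port within a short window. Returns [((host, proto, port), n_hosts), ...]."""
    by_src = defaultdict(list)
    for e in events:
        if is_internal(e["ip"]):
            by_src[(e["host"], e["proto"], e["port"])].append(e)
    found = []
    for key, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = {e["ip"] for e in evs[i:]
                         if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(in_window) >= min_hosts:
                found.append((key, len(in_window)))
                break
    return found


def analyze(text=SAMPLE_LOG):
    """Run all three rules over a log and summarise the findings."""
    events = parse_log(text)
    return {"egress_violations": len(egress_violations(events)),
            "beacons": beacons(events),
            "internal_scans": internal_scans(events)}


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

On the constructed log the script reports the five svchost.exe connections to port 8080 as egress violations, the same five connections as a 60-second beacon, and the burst of SMB connections to six internal hosts as a scan; the thresholds are deliberately simple and would be tuned against real traffic volumes.
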
Application control

Having accessed the target system, the criminals aim to consolidate their success. By downloading additional modules, malicious code, and utilities onto the system, they embed the connection to the command center in trusted processes such as explorer.exe.

Application Control can block the launch and download of untrusted programs and modules from the attacker's toolkit. HIPS policies should also block dangerous non-standard behavior by legitimate software. Browsers shouldn't open ports for incoming connections. System processes and other applications shouldn't connect to external servers or deploy malicious code into other trusted processes. Such behavior should be prohibited.

To prevent criminals from gaining control of the system, IT security specialists should:

- Stop trusted or vulnerable programs from injecting code into other processes
- Restrict applications' access to critical system resources and files
- Block dangerous functions that aren't a default feature of the application
- Safeguard systems that require the highest protection level with Default Deny mode. This mode blocks programs from starting up if they aren't included in the white list, whether that list is stored locally or in the cloud.

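As an added example (not the text's product, and with assumed names, users, hosts, ports and file contents throughout), the following Python sketch shows how the Default Deny mode described in this list, and in the application control section of the earlier post, works in practice: programs are identified by the SHA-256 hash of their content rather than by file name, anything not on the white list is refused, HIPS-style rules refuse listening ports for non-server processes and code injection between processes, and every decision is recorded so that administrators can track who ran what, when and where.

```python
"""Added example (not the text's product): a minimal default-deny application
control policy with HIPS-style behaviour rules and an audit trail. File
contents, process names, users, hosts and ports are all constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed registry of approved software. The white list holds the hash of each
# approved image, so a program is recognised by its content, not by its file name.
APPROVED_BINARIES = {
    "notepad.exe": b"MZ\x90\x00constructed-notepad-image",
    "chrome.exe": b"MZ\x90\x00constructed-chrome-image",
}


@dataclass
class Policy:
    allowed_hashes: set                 # white list (would be synced from a local or cloud store)
    listen_allowed: set                 # server processes that may accept incoming connections
    default_deny: bool = True           # Default Deny mode: unknown programs do not start
    audit: list = field(default_factory=list)   # who ran what, when and where


def evaluate(policy: Policy, event: dict) -> tuple:
    """Decide one endpoint event, return (allowed, reason) and record it in the audit trail."""
    kind = event["type"]
    if kind == "exec":
        digest = sha256_hex(event["content"])
        if digest in policy.allowed_hashes:
            decision = (True, "hash is on the white list")
        elif policy.default_deny:
            decision = (False, "not on the white list (Default Deny)")
        else:
            decision = (True, "unknown program allowed (default allow, logged only)")
    elif kind == "listen":
        # Browsers and office applications have no business opening incoming ports.
        if event["proc"] in policy.listen_allowed:
            decision = (True, "server process may listen")
        else:
            decision = (False, f"{event['proc']} must not open incoming port {event['port']}")
    elif kind == "inject":
        # Code injection into another process is refused regardless of who asks.
        decision = (False, f"{event['src']} must not inject code into {event['target']}")
    else:
        decision = (False, "unknown event type")
    record = {k: v for k, v in event.items() if k != "content"}
    record.update(allowed=decision[0], reason=decision[1])
    policy.audit.append(record)
    return decision


def run_sample():
    """Constructed sequence of events on two workstations and one web server."""
    policy = Policy(allowed_hashes={sha256_hex(b) for b in APPROVED_BINARIES.values()},
                    listen_allowed={"httpd.exe"})
    events = [
        {"type": "exec", "user": "alice", "host": "ws-07", "path": "C:\\Windows\\notepad.exe",
         "content": APPROVED_BINARIES["notepad.exe"]},
        # a renamed copy of an approved program: still allowed, the hash is what counts
        {"type": "exec", "user": "alice", "host": "ws-07", "path": "D:\\tmp\\np.exe",
         "content": APPROVED_BINARIES["notepad.exe"]},
        # same file name as an approved program but different content: refused
        {"type": "exec", "user": "bob", "host": "ws-12", "path": "C:\\Windows\\notepad.exe",
         "content": b"MZ\x90\x00patched-notepad"},
        {"type": "exec", "user": "bob", "host": "ws-12", "path": "D:\\dl\\unlicensed_tool.exe",
         "content": b"MZ\x90\x00constructed-unlicensed"},
        {"type": "listen", "user": "bob", "host": "ws-12", "proc": "chrome.exe", "port": 4444},
        {"type": "listen", "user": "svc", "host": "web-01", "proc": "httpd.exe", "port": 80},
        {"type": "inject", "user": "bob", "host": "ws-12", "src": "explorer.exe", "target": "svchost.exe"},
    ]
    decisions = [evaluate(policy, e) for e in events]
    return decisions, policy.audit


def usage_by_user(audit):
    """Tracking view for administrators: which programs each user tried to run and the outcome."""
    out = {}
    for rec in audit:
        if rec["type"] == "exec":
            out.setdefault(rec["user"], []).append((rec["path"], rec["allowed"]))
    return out


def compare_modes(content=b"MZ\x90\x00unknown-program"):
    """The same unknown program under Default Deny and under default allow."""
    event = {"type": "exec", "user": "x", "host": "h", "path": "unknown.exe", "content": content}
    deny = evaluate(Policy(set(), set(), default_deny=True), dict(event))[0]
    allow = evaluate(Policy(set(), set(), default_deny=False), dict(event))[0]
    return deny, allow


if __name__ == "__main__":
    decisions, audit = run_sample()
    for rec, (ok, why) in zip(audit, decisions):
        print("ALLOW" if ok else "DENY ", rec["user"], rec["host"], why)
    print(usage_by_user(audit))
```

The renamed copy of notepad.exe is allowed while the file that merely carries the approved name is refused, which is the point of hashing content rather than trusting paths; compare_modes() shows that the same unknown program would run under default allow, which is why the text reserves Default Deny for the systems needing the highest protection.
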
File encryption

If the scammers seize control of the system and penetrate the corporate network, they may try to find and upload files that contain important information, such as:

- Corporate documents, including security policies
- Files containing credentials
- Configuration files
- Source code
- Private keys

This information is found on the main victim machine as well as in open network folders on other systems. To prevent a data leak, IT security specialists should use file/disk encryption to restrict local access to confidential information, and data should also be transferred in encrypted form. Even if the criminals manage to download something, they won't be able to read the content of the encrypted files.

Security policies

In isolation, none of the above technologies can prevent a targeted attack. To protect the corporate network, all of them must be well integrated and carefully tuned.

However, system administrators and IT security specialists should also use administrative protection measures:

- All users must:
  - Know and observe company security policies
  - Understand the possible consequences of Internet threats, such as phishing, social engineering, or malware sites
  - Inform the security service about all incidents
- Manage user access rights and privileges
- Scan the systems for vulnerabilities and unused network services:
  - Detect and analyze vulnerable network services and applications
  - Update vulnerable components and applications. If there is no update, the vulnerable software should be restricted or banned.

Rights and privileges should be granted only when necessary, and every grant should be recorded. Many of these measures can be automated: if a security policy is violated, special software shows the user a warning message, and Systems Management technology can be used to search for network services, unauthorized devices, and vulnerabilities, and to update vulnerable applications automatically.

Conclusion

Misuse of company resources can lead to direct financial losses and a serious IT security incident. While communicating on social networking sites or viewing websites on the office computer, employees can become unwitting victims and involuntary allies of criminals who plan targeted attacks.  Though they may have honest intentions, it’s never a bad idea to have a backup plan.

Resilience - The Way To Survive A Cyber Attack

The claim that any Western, information-technology-dependent society could be brought down by a fifteen-minute cyber attack has recently provoked intense discussion.

In reality, a well-prepared cyber attack does not need to last 15 minutes to succeed. It takes only seconds to conduct an attack that could hit targets next door or on the other side of the world.

Society's capability to withstand the attack determines whether or not it will lead to chaos, and how quickly. As a general rule, it takes a lot longer than 15 minutes for all consequences to manifest themselves and for Society to absorb and react to them. Re-establishing the equilibrium that existed before the attack may take years.

There is no such thing as absolute security, neither in the physical nor in the virtual world. While technology could eliminate human error from the threat catalogue through automation, it brings novel and constantly evolving threats with it. Information technology promises to enhance situational awareness for security, yet carries unknown vulnerabilities with it. Incomplete security is nothing new in itself, but the enmeshment of the physical and virtual worlds creates new kinds of security opportunities and new needs to address.

Today's overall threat catalogue is versatile and in constant change. As it includes both threats that have not yet emerged and threats that are only gradually appearing, it forces Society to plan and prepare for the unknown. Preparing for the unknown can only take place through strengthened resilience. Resilience refers to the continuation of operations even when Society faces a severe disturbance to its security, the capability to recover from the shock quickly, and the ability either to restart the temporarily halted functions or to re-engineer them.

Resilience is a multidimensional phenomenon. It affects Society at present, but will affect its future even more. Resilience is not only a headache for decision-makers, but also a feature of states, organizations, corporations, and individuals. Society's overall resilience builds upon the capabilities of its parts to prevent and resist deviations from the usual and to adapt to them rapidly.

Resilience can be categorized as "infrastructure resilience," "community resilience," "business continuity," and "corporate resilience." All of these are important for the survival of Society in the contemporary security environment. Resilience is not only physical; it is mental as well. Hence it also includes, for instance, the capability to make justifiable decisions and act upon them under distress. Tolerance for crisis should be seen as a function vital to Society.

Western societies are used to a prevailing state of peace and have managed to construct well-functioning societal operations based on the utilisation of technology. As a drawback of this state, however, they have lost some important survival capabilities. Their mental ability to deal with distress in particular is declining because of the lulling belief that nothing can go too wrong. This belief can lead to a situation in which the physical features of Society recover from an attack relatively quickly, but poor mental tolerance keeps it from re-balancing itself for years or decades.

Developing and maintaining resilience is a central demand of contemporary security thinking. Its importance will only grow in the future as the world becomes more interconnected, threats become more complex, and cooperation becomes a necessity for addressing complicated security questions. Resilience enables both efficient operation in times of distress and smooth societal functioning. The intertwining of the physical and virtual worlds requires that preparation, action, and learning take place in that intermingled reality. This enables the utilisation of the opportunities information technology and cyberspace create without exposing oneself to unnecessary risk.

Even the virtual world breaks sometimes. Minor disturbances, such as temporary interruptions in communications networks or defunct ATMs, are actually beneficial, because we tend to trust the operability of bytes too much. If bytes do not function, we become helpless.

Temporary cyber disturbances and shocks will always happen. This could save us, because they keep us alert. Our future depends upon our resilience, and our resilience depends on Society's ability to protect itself from cyber attacks.

Security Cameras – Who’s Watching Anyway?

Look up. They're all around us.

Wherever you cast your eyes, there's a security camera recording your every movement, day in and day out. But don't worry: less than 2% of that video will ever be watched, and then only if something bad has occurred, and usually long after the fact.

Which poses the question: if almost no one is making use of recorded video, what is driving the exponential growth in surveillance and security camera installation around the world?

There are several reasons why surveillance has been growing: better security camera quality coupled with lower camera costs, security consultant recommendations, insurance premium discounts, and a general sentiment that it is better to have videotaped and not watched than never to have videotaped at all.

Surveys have also shown that, in general, people feel that video surveillance, at least in public spaces, is less invasive than surveillance of phone calls or emails, and that public cameras give people a feeling of safety.

But again, if no one is making good use of the video, are those feelings justified?

Generated from pure research

BriefCam came into being in response to the problem of "too much video, not enough eyes to watch it." Like many an Israeli start-up, BriefCam grew from pure research. Prof. Shmuel Peleg of the Hebrew University, a world-renowned expert in computer vision, was trying to solve a particular problem. It required taking the video frame, separating static backgrounds from dynamic moving objects, then storing those objects in a database and indexing them. The resulting technology, Video Synopsis, enabled users to call up those objects and display them simultaneously on the background, even though they had occurred at different times.

The summary video was significantly shorter than the original: hours of video were reduced to minutes of review runtime.

In December 2007, Video Synopsis was licensed to BriefCam for commercialization through Yissum, the technology transfer arm of the Hebrew University. BriefCam is now attempting to revolutionize the way surveillance video is reviewed.

The video reality

I don't use the term "revolution" lightly. To date, video review has been so painstaking and time-consuming that the industry has come to accept that there will never be "enough eyes to watch it all," with only the most critical of crimes ever being investigated. Yet security cameras continue to proliferate, further exacerbating the issue.

There are solutions and tools. On the professional level, Video Management Systems (VMS) manage thousands of security cameras and employ identification and analytical tools, many of which attempt to automate the video review process with varying levels of success; analytics often fail at differentiating between events that pose a threat and those that do not. For example, a human being can tell in an instant whether a slap on the back is friendly or aggressive. A software algorithm will most likely not be able to sense this ambiguity.

BriefCam maintains that video review cannot be fully automated and that human operators, their eyes and minds, must always be engaged.

Fast video review, whether for post-event investigation or for real-time investigation, makes it possible for people to go over video rapidly and take action as needed. Investigations that once took protracted periods of time can now be reviewed in a matter of days and even hours. It took months to review the video used in the 2005 London bombing investigation and weeks to review 5000 hours of video from the Vancouver riots. All of that could change soon.

Video value extracted

Day to day, the full value of the investment in a surveillance system could be maximized if a higher percentage of recorded video were reviewed. There would be a greater likelihood of discovering events previously unnoticed. These include shoplifting, graffiti, staged "slip and fall" accidents (used to dupe insurers), and a range of other petty crimes currently deemed too insignificant to warrant investigation.

Take the example of shoplifting. A storeowner knows exactly when a robbery has occurred, and doesn't need BriefCam to tell her when the till was emptied. But the storeowner could have earned 10 times the amount of money stolen from the till if she had learned to review footage effectively. A periodic review of the day's video could provide valuable information that would, within a fairly short time, bring a return on investment.

Commercial enterprises can also leverage their video's value by applying it to business intelligence. For instance, they can examine customer behavior patterns or monitor employees to boost profitability.

The issue of ROI will become even more critical as private users acquire surveillance systems. All research indicates that the consumer/SMB surveillance market is growing rapidly, with exponential growth predicted in the coming years. These are people with family and property to protect, and no time to spare going over hours of video. They'll want Video Synopsis accessible over computers, mobile phones, and tablets. They'll want it on demand or, in the case of an alarm, they'll want to receive an immediate 5-second Synopsis of the 5 minutes recorded prior to the alert. They will want their investment in video to be meaningful. For them, rapid video review will be essential.

Get to the point. Fast

Our society lives with security cameras, large and small. We accept their presence in the public arena out of a feeling that they safeguard us and that, should something go wrong, the recorded video will provide evidence. This perception is flawed, as most video goes unwatched or is watched only long after the fact. For this reason, rapid review is essential to our videoed society. It meets the public's expectation that video will be reviewed when necessary and evidence pinpointed as fast as possible, so that action can be taken or preventative measures made on their behalf. It also unleashes video's full potential, whether for saving time, saving money, or, most importantly, saving lives.

Links in this article:

Poll Finds Strong Acceptance for Public Surveillance
http://www.nytimes.com/2013/05/01/us/poll-finds-strong-acceptance-for-public-surveillance.html

London bombers staged 'dummy run'
http://news.bbc.co.uk/2/hi/uk_news/4263176.stm

How the FBI Will Analyze Thousands of Hours of Boston Bombing Video
http://www.popsci.com/technology/article/2013-04/how-analyze-thousands-hours-boston-bombing-video

Are You Dating the Next Aaron Hernandez Online?

We’re all shocked.

Someone is not who he appeared to be.

(Insert sarcastic gasp.)

The Aaron Hernandez soap opera, which now includes blue bubblegum, once again reminds us that appearances can be deceiving. A person we once thought worthy of respect now seems far from deserving any reverence.

Will these charges against Hernandez make all of us suspect those we idolize? Perhaps. What we need to take from Hernandez's story is that we must not take anyone at face value, whether in the real world or online. When meeting people in the real world, you can glean a certain amount about them through in-person interaction. The online world is a bit more secretive. I have put together a roster of tips that will help ensure you trust the right people in your online interactions with strangers.

Your Roster for Safer Online Meetings

The QB – You're the Quarterback. You call the shots and you are in control of your online transactions. If something seems too good to be true, like a Wide Receiver being totally open, remember to check the Safety (pun intended). Remember, if someone is unwilling to provide the information you need to feel safe, whether that is a real name, a real address, or a photo, then keep on moving.

The Offensive Line – You want someone to cover your blind side. When using dating sites (Match, eHarmony, Zoosk, and Plenty of Fish), P2P sites (Airbnb, Relayrides, and Flightcar), and commerce platforms (Craigslist, Autotrader.com, and Angie's List), you must make sure that they're watching out for your best interest. Large platforms are the gatekeepers and have the ability to make the rules for what types of individuals they allow on their systems.

So, to that end, here are some good considerations when choosing platforms:

  • Background Checks – Does your platform run them, and in what capacity? If the person you're communicating with online were coming to your house, wouldn't you like to know if she has a long list of burglary offenses?
  • Social Media Verifications – Is your platform actually using OAuth to connect the social media accounts you'll rely on for information, or is it permitting users to just drop in URLs, which could be someone else's?
  • Photo Verification – Is there any sort of check and balance on the photo? Does it come from a semi-reliable source like LinkedIn?
  • Certificates and Seals – See what others are saying about your platform and whether it has been vetted by anyone.
  • Safety Policies – How does the platform vet its users (if at all), and what information does it allow users to share for transparency? In the NFL, you want the best watching your butt. So demand the same of your online platforms.

The Receiver – Deals get done when two parties connect, whether it's for a date or the sale of a car. You want the other party in the transaction to be on the same page as you. For online transactions, make sure that you both feel comfortable with each other and that no red flags arise.

Sample Red Flags

  • Online Dating – No picture, or a picture that is obviously photoshopped, should make you think twice.
  • Online Dating – Is s/he too hot for you? Like your parents always said, if it's too good to be true, it probably is.
  • House Rental – Pay attention to questions that seem out of the ordinary: "Do you have a place off the street to 'hide' my car?" should send you running for the hills.
  • House Rental – Hesitate if your prospective renter makes inquiries on behalf of someone else. Do you want to be turning over your keys to someone other than the person you checked out online?
  • Craigslist – Just as with dating, you should be suspicious if the deal seems way too good to be true. Extreme urgency and prices well below market value should really make you question the goods.

The Defensive Line – Online, just as in the real world, the best offense is a good defense. You need to surround yourself with a barrier to prevent the other party from getting too much of your personal info. Just as you tell the guy you met on Craigslist to meet you at a public place, you want to have some semblance of control when translating the online relationship into a real-world relationship. Consider ways in which you can control the information with systems like REPP.

The Kicker – In the future, we will all be meeting increasing numbers of strangers online in ways and for reasons that we've never imagined. Unfortunately, what comes hand in hand with these new opportunities are new ways for unsavory individuals to take advantage of you. So, remember to always watch out for those little guys both on and off the field; with one small action, they can send you home disappointed.

While it's very unlikely that you're communicating with someone who's the center of three murder investigations, it's better to know that now than to find yourself being interviewed by CNN later. No longer can you just assume that if he's on a dating, commerce, or networking site, he must be everything he appears. You must be vigilant to make sure that your time, trust, and safety are in the right place.