Do you remember back in 2012 when LinkedIn was hacked? Around 6.5 million user passwords were posted on a Russian blog. There was a mandatory password reset for affected users, and LinkedIn released a statement advising people to enable two-step verification and use stronger passwords.Four years later, and the passwords of 117 million accounts were compromised.Worryingly, this came to light only when a hacker put them up for sale, offering data from 167 million accounts in total. If you haven’t changed your LinkedIn password since 2012, you could be at risk. Tech savvy is no protection, as evidenced by the fact that a hacker group used the LinkedIn password dump to hack Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.To read this article in full or to leave a comment, please click here
Do you remember back in 2012 when LinkedIn was hacked? Around 6.5 million user passwords were posted on a Russian blog. There was a mandatory password reset for affected users, and LinkedIn released a statement advising people to enable two-step verification and use stronger passwords.Four years later, and the passwords of 117 million accounts were compromised.Worryingly, this came to light only when a hacker put them up for sale, offering data from 167 million accounts in total. If you haven’t changed your LinkedIn password since 2012, you could be at risk. Tech savvy is no protection, as evidenced by the fact that a hacker group used the LinkedIn password dump to hack Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.To read this article in full or to leave a comment, please click here
Earlier we delved into disaster recovery and network security. Now it’s time to take a look at Critical Security Controls 13, 14 and 15, which cover data protection and access control. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS), a nonprofit dedicated to improving cybersecurity in the public and private sectors.A company’s data is its crown jewels, and because it’s valuable, there will always be people looking to get their hands on it. Threats include corporate espionage, cybercriminals, disgruntled employees and plain old human error. Fortunately it’s relatively easy to reduce your potential exposure. It calls for protecting your data, using encryption and authentication, and carefully restricting access.To read this article in full or to leave a comment, please click here
Earlier we delved into disaster recovery and network security. Now it’s time to take a look at Critical Security Controls 13, 14 and 15, which cover data protection and access control. The Critical Security Controls are best practices devised by the Center for Internet Security (CIS), a nonprofit dedicated to improving cybersecurity in the public and private sectors.A company’s data is its crown jewels, and because it’s valuable, there will always be people looking to get their hands on it. Threats include corporate espionage, cybercriminals, disgruntled employees and plain old human error. Fortunately it’s relatively easy to reduce your potential exposure. It calls for protecting your data, using encryption and authentication, and carefully restricting access.To read this article in full or to leave a comment, please click here
The business of bug hunting is a potentially lucrative one for both seasoned security researchers and amateurs with an interest in hacking. It’s an area that’s gaining legitimacy thanks to official bug bounty programs and hacking contests, but there’s still a seedy underbelly that unscrupulous bounty hunters can take advantage of if they successfully identify a vulnerability.The average cost of a data breach is $3.8 million, according to research by the Ponemon Institute. It’s not hard to understand why so many companies are now stumping up bounties. It can also be very difficult, time consuming and expensive to root out bugs and flaws internally. Turning to the wider security community for help makes a lot of sense, and where there’s need there’s a market. To read this article in full or to leave a comment, please click here
The business of bug hunting is a potentially lucrative one for both seasoned security researchers and amateurs with an interest in hacking. It’s an area that’s gaining legitimacy thanks to official bug bounty programs and hacking contests, but there’s still a seedy underbelly that unscrupulous bounty hunters can take advantage of if they successfully identify a vulnerability.The average cost of a data breach is $3.8 million, according to research by the Ponemon Institute. It’s not hard to understand why so many companies are now stumping up bounties. It can also be very difficult, time consuming and expensive to root out bugs and flaws internally. Turning to the wider security community for help makes a lot of sense, and where there’s need there’s a market. To read this article in full or to leave a comment, please click here
Wearables are rapidly invading the workplace in much the same way that smartphones did. Fitness trackers, smartwatches, head-mounted displays and other new form factors are beginning to capture the public imagination. Sales of wearable electronic devices topped 232 million in 2015, and Gartner forecasts they’ll rise 18.4% this year, when another 274.6 million devices are sold.These wearable devices represent some appealing opportunities for businesses to increase efficiency and gather data, but in the rush to win market share, security concerns are taking a backseat for many manufacturers and app developers. The potential ramifications of unchecked wearable device usage within the enterprise are alarming.To read this article in full or to leave a comment, please click here
If you have even a passing interest in security vulnerabilities, there’s no chance that you missed the news about the DROWN vulnerability. It’s one of the biggest vulnerabilities to hit since Heartbleed, potentially impacting a third of all HTTPS websites. By exploiting the obsolete SSLv2 protocol, this flaw makes it possible for an attacker to eavesdrop on a TLS session.Because we use SSL and TLS encryption to shop, send messages, and send emails online, DROWN potentially allows attackers to access our messages, passwords, credit card details, and other sensitive data.To read this article in full or to leave a comment, please click here
We discussed building malware defenses the last time out, but today we’re going to focus on Critical Security Controls 10, 11, and 12 covering data recovery, secure network configuration, and boundary defense.It’s unrealistic to think that you can completely avoid cyberattacks and data breaches, so it’s vital to have a proper data recovery plan in place. You can also tighten your defenses significantly by ensuring all of your network devices are properly configured, and by putting some thought into all of your potential network borders.To read this article in full or to leave a comment, please click here
Ransomware is big business. Over the last few years we've observed the steady rise of ransomware, with some trepidation. It is fast becoming a multi-billion dollar business, and it's getting surprisingly sophisticated. The ransomware industry is continually innovating, offering cybercriminals new technology, various business models, and all the support they need to conduct successful attacks on unsuspecting individuals and companies.Changing face of ransomware
Ransomware has come full circle since it first appeared on the scene in 2005. Early crypto ransomware soon gave way to misleading apps, fake antivirus tools, and lockers. But it's back now, it's mature, and it's here to stay, according to Symantec's Evolution of Ransomware report.To read this article in full or to leave a comment, please click here
We may welcome in the New Year with open arms, but we must also prepare for the cybersecurity threats ahead of us. The 2015 Cost of Data Breach Study from IBM and the Ponemon Institute put the average cost of a data breach at $3.79 million, and that figure is expected to grow in the year ahead. With the right resolutions, you can drastically reduce your chances of falling prey to cybercriminals.Here are five major trends in cybersecurity that you should have in mind when updating your InfoSec plans for 2016.To read this article in full or to leave a comment, please click here
Our last article looked at applying Critical Security Controls 4, 5, and 6 to your organization, covering vulnerability assessment, administrative privileges, and audit logs. Now it’s time to move on to CSCs 7, 8, and 9.Email programs and web browsers are still the most common points of entry for attackers, too many companies have woefully inadequate malware defenses, and a failure to control ports and limit services is like leaving a window open for cybercriminals.Critical Control 7: Email and Web Browser Protections
Human behavior is still the path of least resistance for cybercriminals, and they often employ social engineering techniques to gain access to systems. Despite the rising profile of phishing, 23% of recipients open phishing messages and 11% click on attachments, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).To read this article in full or to leave a comment, please click here
It's a heartache, nothing but a heartache. Hits you when it's too late, hits you when you're down. It's a fools' game, nothing but a fool's game. Standing in the cold rain, feeling like a clown.When singer Bonnie Tyler recorded in her distinctive raspy voice "It's A Heartache" in 1978, you'd think she was an oracle of sorts, predicting the rocky road that encryption would have to travel.Just a year earlier in 1977 the Encryption Standard (DES) became the federal standard for block symmetric encryption (FIPS 46). But, oh, what a disappointment encryption DES would become. In less than 20 years since its inception, DES would be declared DOA (dead on arrival), impenetrable NOT.To read this article in full or to leave a comment, please click here
For those of you old enough to remember the TV comedy series "Get Smart" featuring a spy that used his shoe for a phone, the good guys belonged to an agency called "Control," and the bad guys were affiliated with "Chaos." This month "Get Smart" celebrates its 50th anniversary, yet CIOs continue to struggle in a seemingly never-ending battle to restore control in a chaotic, cloudy world in which data security is less than transparent.Much like the BYOD trend, the use of cloud-based services for sharing files is widespread and it's likely that if you're a CIO, your employees are already using them, whether they are officially sanctioned or not. Dropbox has led the charge to offer cross-platform file syncing for your personal files, and all the major players have followed suit, from Google (Google Drive), to Microsoft (SkyDrive), to Apple (iCloud). There's also Box, Sugarsync, and many others. For consumers, they are perfect, providing easy instant access to photos and documents from any device. That familiarity and accessibility is why they've crept into the enterprise.To read this article in full or to leave a comment, please click here
If you don't have a written information security program (WISP) in place for your business, then you could be risking data theft, legal action, and punitive fines. The law in many states now dictates that you must take steps to safeguard personal information. They vary in strictness, but there are nearly 50 different regulations you need to cater for if you're doing business across the United States.You can't afford to bury your head in the sand and assume it will never happen to you. Research from the Identity Theft Resource Center (PDF) shows an alarming rise in incidences of personal data theft every year since they started recording. They report 783 breaches last year, compared to just 157 in 2005.To read this article in full or to leave a comment, please click here
How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There's evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.To read this article in full or to leave a comment, please click here
Android has a bad reputation when it comes to security, which is unfortunate because it's the biggest mobile platform around in terms of market share. Gartner says Android claimed 80.7% of the worldwide smartphone market in 2014. We know that the BYOD trend has sparked a dramatic rise in personal mobile devices being used for work, and the bulk of those devices are running Android.
As the most popular mobile platform around, it's inevitable that Android is going to be targeted by cybercriminals. Cisco's 2014 Annual Security Report found that 99% of mobile malware in 2013 targeted Android devices.To read this article in full or to leave a comment, please click here
Michelle Drolet