Archive

Category Archives for "Network World Security"

The year ransomware became one of the top threats to enterprises

On Feb. 5, employees at Hollywood Presbyterian Medical Center in Los Angeles, California, started having network access problems that prevented electronic communications. Over the next few days, they learned that the hospital was the victim of a ransomware attack that encrypted files on multiple computers. After several days during which staff had to resort to pen and paper for some record keeping, the hospital decided to pay the $17,000 ransom -- the equivalent of 40 bitcoins that the attackers had requested. It was deemed to be the fastest way to restore the affected files and systems. This was to be the first in a string of ransomware attacks that affected multiple healthcare organizations in the U.S. over the following months, including the Chino Valley Medical Center, the Desert Valley Hospital and Methodist Hospital in Henderson, Kentucky.

Google open-sources test suite to find crypto bugs

Working with cryptographic libraries is hard, and a single implementation mistake can result in serious security problems. To help developers check their code for implementation errors and find weaknesses in cryptographic software libraries, Google has released a test suite as part of Project Wycheproof. "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long," Google security engineers Daniel Bleichenbacher and Thai Duong wrote in a post announcing the project on the Google Security blog.

IDG Contributor Network: IoT could be our downfall

The internet of things (IoT) is all about connecting devices to the internet so that they can talk to each other and to us, to make life more convenient. That might mean turning on the lights when we get up, or allowing us to use our phones to see who’s at the front door, even when we're at the office. The potential applications are endless. There are already more than 6 billion connected "things," and that's set to rise to more than 20 billion by 2020, according to Gartner. But the enthusiasm for all things IoT has blinded us to the potential risks. Too many companies, keen to gain a foothold in the market, have rushed out products that lack basic security protocols. The risks here are enormous.

How to get more from your security budget

Infosec budgets. They are small, they largely come from IT, and CISOs/CSOs often complain they are not nearly big enough. It’s a constant subject of debate and rightly so; a security budget will indirectly influence how well a CISO protects their business and its assets - and frankly, how well they do their job (which, in turn, will determine how long they stay in it). This isn’t meant to be all doom and gloom however; clever CISOs/CSOs and CIOs understand they have to resource more carefully in today’s economically challenging times. For CISOs, that involves using money effectively, and making do with solutions they already have, in order to protect the assets they truly care about. It can also involve upskilling staff, and rolling out cost effective security awareness campaigns.

Privacy groups complain to FTC over Google’s ‘deceptive’ policy change

Privacy groups have complained to the Federal Trade Commission that Google is encroaching on user privacy through a policy change in June that allows it to combine personally-identifiable information with browsing data collected by its DoubleClick digital advertising service. The complaint by Consumer Watchdog and Privacy Rights Clearing House alleged that Google has created “super-profiles” as it can track user activity on Android mobile phones, with an 88 percent market share of smartphones worldwide, "and from any website that uses Google Analytics, hosts YouTube videos, or displays ads served by DoubleClick or AdSense."

Stingray use could be unconstitutional, finds House report

Use of cellphone spying technology has become widespread among U.S. law enforcement agencies and should be better regulated, according to a new congressional report. Not only is the FBI deploying the technology, commonly called "Stingray" after one product made by Harris Corp., but so are state and local police. And there are concerns that some law enforcement agencies have used Stingrays without securing search warrants, said the report from the House Committee on Oversight and Reform, published on Monday. “Absent proper oversight and safeguards, the domestic use of (Stingrays) may well infringe upon the constitutional rights of citizens to be free from unreasonable searches and seizures,” it said.

Cisco execs foretell key 2017 enterprise networking trends

Interesting posts this week from a few Cisco executives taking a look forward into what should be a very interesting networking world in 2017. First up was Cisco’s Jeff Reed, Senior Vice President Enterprise Infrastructure and Solutions Group, who had a blog on the top 10 list for future 2017 network trends. It reads as follows:

On being a 24/7 organization and the 2016 leap second

If the cloud is real, software important, and system reliability paramount, then non-stop computing, computing across time zones, and invisibly short repair times ought to be mandatory, wouldn’t you think? Of many requirements lain in litigation, regulatory compliance, and other “best practices,” there is one that doesn’t seem to make the checklists. Let me lay it out for you: Can you get support 24/7/365.25? You get bonus points for knowing leap seconds are coming. Why? Because among other things, Kerberos time synchronization mandates pretty accurate timing. We’re about to insert a leap second into your life on western New Year’s Day. You may have zones that celebrate other years, but to be in sync with the time standards in the United States, there will be an extra second. The earth is slowing down.

Medical data: Accessible and irresistible for cyber criminals

How valuable is personal healthcare data? Apparently it depends. Based on at least some price comparisons on the Dark Web – the underground online marketplace for cyber criminals – electronic health records (EHR) are not even close to premium goods. McAfee, now a division of Intel Security, reported recently that the price for an individual medical record ranges from a fraction of a cent to $2.50, while a so-called “fullz” record – name, Social Security number plus financial account information from a credit or debit card – can fetch $14 to $25.

Mobile banking trojans adopt ransomware features

Cybercriminals are adding file-encrypting features to traditional mobile banking trojans, creating hybrid threats that can steal sensitive information and lock user files at the same time. One such trojan is called Faketoken and its primary functionality is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. The malicious app also displays phishing pages to steal credit card information, and it can read and send text messages. Faketoken's creators have added the ability to encrypt user files stored on the phone's SD card sometime in July and have since released thousands of builds with this functionality, according to researchers from Kaspersky Lab.

IDG Contributor Network: 5 most common data privacy misconceptions

Average internet users are starting to realize they should be protecting their personal information better. But do they understand why? Protecting private data is more important than many people realize, and also quite simple. I’d like to unpack the top five most common misconceptions of cybersecurity to demonstrate why you should learn how to protect yourself and your data. 1. I have nothing to hide. Why do I need my data to be encrypted? No skeletons in your closet? No searches you’d prefer didn’t surface? That’s fine, but what about your credit card information, passwords and Social Security number? Just because you don’t have dirty laundry to air doesn’t mean your personal data isn’t worth protecting.

Senators call for special committee to investigate Russian election hacking

The election is well over, but the storm is still brewing with no end in sight when it comes to trying to figure out what to do about Russian hacks aimed at influencing the election. On Sunday Dec. 11, US Senators John McCain, Chuck Schumer, Lindsey Graham and Jack Reed urged Majority Leader Mitch McConnell not to allow an investigation into Russian interference of the election to become a partisan issue. It’s an issue which “should alarm every American.” That same day, President-elect Donald Trump blew off the idea that the intelligence community had a clue as to whom was behind the hacks. His transition team later added, “These are the same people that said Saddam Hussein had weapons of mass destruction.”

Cisco ONE simplifies security purchasing

'Tis the season to be jolly, they say, which is true unless you’re involved with enterprise security. For those individuals, 'tis the season to be wary as the number of highly publicized breaches continues to grow, as does the complexity of trying to adequately secure the business. One of the biggest challenges is the vendor landscape has exploded with hundreds of point products. In fact, the 2016 ZK Research Security Survey found that large enterprises have an average of 32 security vendors deployed. More security vendors doesn’t make companies more secure. It just makes things more complex. Despite the number of point products, finding a breach still takes well over 100 days. Think of the damage that can happen in over three months. A persistent threat can make its way around the company network, map out the whole environment and provide a blueprint for hackers to take whatever data they want.

The new rulers of the cybersecurity realm: Automation, Analytics Artificial Intelligence

It may be a brave new world in 2017 but it’s also a darn scary one for IT security professionals. Just take a look at some recent Gartner assessments of the security situation: By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk. By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, which is an increase from less than 30% in 2016. By 2018, 25% of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls. Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices. So what technologies are going to change this scenario back in favor of IT? The new security AAA: Automation, analytics and artificial intelligence, say proponents.

New products of the week 12.19.16

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow. Cloud Foundry Training Platform

Ransomware: at your service

Ransomware is on track to net organized cybercrime more than $1 billion in 2016, not taking downtime and other costs associated with it into account. And according to KnowBe4’s 2016 Ransomware Report, 93 percent of IT professionals surveyed are worried ransomware will continue to grow.

10 biggest hacks of user data in 2016

You take great pains to come up with a strong password when registering for an account on a website -- only to see your efforts go for naught when that site gets hacked. Several sites had their databases of user accounts not only breached but stolen this year, which include the necessary information for logins (i.e. username, password). The following sites are ranked starting at the fewest number of user accounts with passwords that were taken. Also, these hacks were reported to have been executed during 2016. So this list does not feature Myspace (427 million user accounts stolen) or Yahoo! (a cool billion). Both were hacked supposedly before 2016, but were only reported this year. This list also does not include reports of user records that were exposed due to poor security, but where there is no evidence they were actually stolen.

Review: Threat hunting turns the tables on attackers

Advanced Persistent Threats are able to slip past even the most cutting-edge security defenses thanks in large part to a diabolically clever strategy. The threat actors behind successful APTs research the employees, practices and defenses of the organizations they want to attack. They may try to breach the defenses hundreds or thousands of times, then learn from their mistakes, modify their behavior, and finally find a way to get in undetected. Once a network is breached, most APTs go into a stealth mode. They move slowly, laterally compromising other systems and inching toward their goals. Post-mortems from successful attacks often show that the time an APT breached a system to the time it was detected could be anywhere from six months to a year or more. And, they are often only detected after making that final big move where there is a huge exfiltration of critical data.

Inside 3 top threat hunting tools

Advanced Persistent Threats (APT) are able to slip past even the most cutting-edge security defenses thanks to a diabolically clever strategy. Hackers may try to breach your defenses thousands of times until they finally get in. Once a network is breached, most APTs go into stealth mode. They move slowly, laterally compromising other systems and inching toward their goals. But what if you could hunt down these active, but hidden threats before they can do real damage? For this review, we tested threat hunting systems from Sqrrl, Endgame and Infocyte. Read the full review as well.