Thursday, April 14, 2016

Over half a billion personal records were stolen or lost in 2015


Symantec Corporation released a report stating that in 2015 many companies avoided disclosing the full details of their data breaches: researchers found that over 429 million records were lost or stolen, and the number of companies that chose not to report how many records they lost grew by 85 percent compared with 2014. The report also stated that 75 percent of popular Web sites had major vulnerabilities, 15 percent of which were considered critical flaws.


Thursday, March 31, 2016

PCI 3.2 is coming

Preparing for PCI DSS 3.2: here are the key dates to help organizations plan for version 3.2 of the PCI Data Security Standard (PCI DSS).

April 2016
  • PCI DSS 3.2 is scheduled for publication at the end of April. Publication will include a summary of changes document and webinar that provides an overview of 3.2 and the timeline and resources for putting it into place.
  • PCI DSS 3.2 supporting documents including Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions (FAQ) and Glossary will also be available at the end of the month.
October 2016
  • PCI DSS 3.1 will retire at the end of October 2016, six months after the release of PCI DSS 3.2. From that point on, all assessments must use version 3.2.
February 2018
  • The new requirements introduced in PCI DSS 3.2 are considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements.
Questions, comments, concerns, please let me know by emailing me at: jncsousa@outlook.com


Monday, March 28, 2016

The Rising Cost of CyberSecurity

Since the early 2000s information security has been mistaken for something you can buy, or something you can do once, to prevent breaches and data compromises. The latest headlines have proven otherwise. The cost of data breaches is expected to reach $2.1 trillion by 2019, with the average cost of each breach exceeding $150 million by 2020.


Costly Attacks

We know from the 2014 Home Depot breach that personal information from up to 60 million consumers was compromised. The cost of the Home Depot breach is still being calculated, but it could reach $3 billion. Unfortunately, this type of attack had been seen before, in the earlier Target and Sony attacks, and could have been avoided altogether.

The fallout from the 2013 Target compromise has cost the company $148 million for the breach itself, $100 million for better security and $86 million to settle with Visa and MasterCard, a total direct cost of $334 million. Indirect costs include the loss of their CEO, a class-action suit filed against the board of directors for negligence, the loss of an unknown number of customers, and becoming a prime target for any hacker who wants to claim the trophy for breaking past their new defenses.


Is Human Error to Blame?

I have been monitoring and investigating various cyber-attacks since 2010, and I have found that all compromises are the direct result of human failure at some level. Not one data breach has ever been attributed to hardware, operating system, or application failure alone. In 2013 it took a median of 229 days to discover a breach, and only 33 percent of breached organizations found the breach themselves; the other 67 percent were told by a third party. Here is my 5-second pitch: make sure proper logging is in place, and make sure those logs are reviewed on a daily basis.
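As an added example of what "proper logging, reviewed daily" looks like in practice (this code is not from the original post), the script below parses constructed OpenSSH auth-log lines and flags any source address that fails five logins within five minutes, marking it critical if a login from that address then succeeds. The log lines, host name, addresses, the five-in-five-minutes threshold and the year supplied for the syslog timestamps are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd/syslog lines for the demo; they are not from a real host.
SAMPLE_LOG = """\
Mar 28 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 28 02:14:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 28 02:14:05 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 28 02:14:08 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 28 02:14:10 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar 28 02:14:12 web1 sshd[4029]: Accepted password for root from 203.0.113.7 port 51035 ssh2
Mar 28 02:20:44 web1 sshd[4101]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Mar 28 02:21:02 web1 sshd[4103]: Accepted publickey for alice from 198.51.100.20 port 40013 ssh2
Mar 28 03:02:11 web1 sshd[4210]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2016):
    """Turn raw lines into (timestamp, ip, user, result) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumption:
    the log does not span a year boundary). Unparseable lines are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    For each flagged IP, also record whether any login from that IP succeeded
    at or after the moment the threshold was crossed: that is the "they got in"
    case that needs an immediate response rather than a daily review.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, _, _, result in evs if result == "Failed"]
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                crossed_at = fails[end]
                success_after = any(
                    result == "Accepted" and ts >= crossed_at
                    for ts, _, _, result in evs
                )
                alerts[ip] = {
                    "failures": len(fails),
                    "crossed_at": crossed_at,
                    "success_after": success_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        sev = "CRITICAL" if info["success_after"] else "WARNING"
        print(f"{sev}: {ip} {info['failures']} failures, threshold crossed at "
              f"{info['crossed_at']:%H:%M:%S}, login succeeded afterwards: {info['success_after']}")
```

On the sample data only 203.0.113.7 is flagged, and because a password login from it is accepted two seconds after the fifth failure it comes out as CRITICAL; alice's single failure followed by a key login is normal behaviour and stays silent. The same logic ports directly to a SIEM rule; what matters is that the logs exist, are centralised, and that someone actually reads the alerts.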


Always a Constant Process

What most organizations fail to understand about information security is that defense is a process you must apply diligently, with constant improvement over time. The process is a simple three-step cycle of prevention, detection, and response. Every organization should keep trying to prevent attacks and compromises; just realize that history has proven that no matter what you do or spend on prevention, at some point it will fail. When you compare the cost of data breaches to the cost of preventing a compromise, it is easy to see that consumers and organizations alike will have to find a way to cover or transfer those risks and costs. To do this, more effort and budget must be put into the detection of attacks and data breaches.


To determine the best way to cover or transfer cost, you must know exactly what happened; in the response phase of the process, that knowledge is imperative to making an informed decision (and an informed decision to do nothing can be acceptable). The information gathered during the detection and monitoring phase is what lets you handle incidents internally through human resources, self-insure losses, deal with the authorities, or identify which insurance policy the losses can be transferred to. Regulatory compliance, potential litigation, and lost revenue all add unknown cost to your response.


Tuesday, March 22, 2016

Top 10 Network Security Tools


Hacking tools here means the tools or software used to gather information about a network or website. The same tools are used by attackers and defenders alike; there are many of them for different purposes, and the ones listed here are widely used. Make sure you have permission to run these tools against a target; otherwise it is illegal.

1. Nmap (Network Mapper): Nmap is the most widely used tool for exploring networks. It is free and open source, and it makes security auditing easy. Its main job is rapidly scanning a network: using raw IP packets it determines which hosts are present, what services (application name and version) they offer, which operating systems they run, what firewalls or packet filters are in place, and many other characteristics of a given host.
2. Wireshark: Wireshark is a free, open-source packet analyzer. Network engineers use it for troubleshooting, network analysis, education, and software and communication protocol development. It was originally named Ethereal; in May 2006 the project was renamed Wireshark because of a trademark issue.
3. Nessus: Nessus Remote Security Scanner became closed-source software in 2005, but the engine that runs it is still free of charge. With some 75,000 organizations using it worldwide, Nessus has become the world's most popular vulnerability scanner; many have benefited from it, and it is used extensively to audit critical enterprise devices.
4. Kismet: Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. It works with any wireless card that supports raw monitoring mode and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. It runs on Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X, and a GUI version is available for Microsoft Windows, where, apart from external drones, only one wireless hardware platform is supported as a packet source.
5. LCP: LCP audits and recovers user account passwords on Windows NT/2000/XP/2003: it computes hashes, recovers passwords by dictionary and brute-force attack, and can distribute brute-force sessions across machines. It is a very good free alternative to L0phtCrack.
6. Yersinia: Yersinia is a network tool designed to take advantage of weaknesses in several Layer 2 protocols. It is meant to be a solid framework for analyzing and testing deployed networks and systems. Currently the following protocols are implemented: IEEE 802.1Q, Spanning Tree Protocol (STP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and Cisco Discovery Protocol (CDP).
7. Nikto: Nikto is an open-source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 3,200 potentially dangerous files/CGIs, versions of over 625 servers, and version-specific problems on over 230 servers. Its scan items and plugins need to be kept up to date, and they can be updated automatically.
8. SuperScan: SuperScan is a very powerful connect-based TCP port scanner, pinger, and hostname resolver. It is extremely fast and versatile thanks to the multithreaded and asynchronous techniques its developers used. For network administrators it is a first-choice tool. Do not scan systems that are not under your control; it is illegal, and using this program against Internet hosts you have no right to scan will very likely get you tracked down and reported to your ISP, possibly resulting in your account being terminated.
9. John the Ripper: John the Ripper is a fast password cracker, currently available for many flavours of Unix, DOS, Win32, BeOS, and OpenVMS. It can crack weak passwords from any operating system. Besides the several crypt(3) password hash types most commonly found on Unix flavours, it supports Kerberos AFS and Windows NT/2000/XP/2003 LM hashes out of the box, plus several more with contributed patches.
10. Cain and Abel: Cain and Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, uncovering cached passwords, recovering wireless network keys, revealing password boxes, and analyzing routing protocols.

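Added example, not from the original post or from John the Ripper: a minimal wordlist-plus-rules attack of the kind John, LCP and Cain perform against unsalted hashes (items 5, 9 and 10). The accounts, passwords and wordlist are constructed; the hashes are plain hex SHA-1 (John's raw-sha1 format) so the demo needs only the standard library.

```python
import hashlib

# Constructed sample: four accounts whose unsalted SHA-1 hashes are generated
# right here, so nothing real is being cracked.
SAMPLE_HASHES = {
    "alice": hashlib.sha1(b"Password1").hexdigest(),
    "bob": hashlib.sha1(b"summer2016").hexdigest(),
    "carol": hashlib.sha1(b"letmein!").hexdigest(),
    "dave": hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),  # survives this wordlist
}

# A tiny constructed wordlist; a real run would use a multi-million-entry list.
WORDLIST = ["password", "summer", "letmein", "welcome", "admin", "qwerty"]

# Suffixes people actually append: single digits, recent years, "!" and "123".
SUFFIXES = [""] + [str(d) for d in range(10)] + ["2014", "2015", "2016", "!", "123"]


def mangle(word):
    """Yield candidates the way wordlist rules do: case variants x common suffixes."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hashes, wordlist, hash_func=hashlib.sha1):
    """Dictionary attack against a {user: hexdigest} map.

    Because the hashes are unsalted, every candidate is hashed once and looked
    up against all users at the same time; that is exactly why raw SHA-1, NT
    and especially LM hashes fall so quickly. Returns (cracked, candidates_tried).
    """
    targets = {}
    for user, digest in hashes.items():
        targets.setdefault(digest.lower(), []).append(user)

    cracked = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            digest = hash_func(cand.encode()).hexdigest()
            if digest in targets:
                for user in targets.pop(digest):
                    cracked[user] = cand
                if not targets:
                    return cracked, tried
    return cracked, tried


if __name__ == "__main__":
    found, tried = crack(SAMPLE_HASHES, WORDLIST)
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"{len(found)}/{len(SAMPLE_HASHES)} cracked after {tried} candidates")
```

Three of the four accounts fall after a few dozen candidates. The defensive lesson is the mirror image of the attack: a per-user salt forces the attacker to hash every candidate once per user instead of once per list, and a deliberately slow function (bcrypt, scrypt, PBKDF2 with a high iteration count) turns each of those hashes from nanoseconds into milliseconds.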
Wednesday, March 16, 2016

Microsoft and Adobe Push Critical Updates

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.
As it usually does on Patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. Unusually, there is no update for Adobe's Flash Player plugin this Patch Tuesday; however, an Adobe spokesperson has said through various news channels that the company will release a Flash Player update on Thursday morning.

If you would like to see more detailed information on monthly patches, please leave a comment and I will look at adding it to the blog.

Be safe and, for god's sake, please patch!

Thursday, February 25, 2016

Organizational controls for Cyber Risk

How do I ensure that my organization has controls to protect itself from cyber risk? In other words, what are the key controls that my company must implement to protect itself from cyber risk? There are excellent security frameworks available as public documents that can be used as cybersecurity baseline controls.

Here is my list of essential controls:

Patch management—it is essential to have a structured patch management process. It does not mean that all patches have to be applied, but the enterprise has to make a conscious decision on which to apply and which not to apply. Patch management should be done as a priority for critical applications. While many enterprises apply patches for their IT infrastructure on a priority basis, it is common knowledge that the same rigor is not applied to patch management for software applications.

Administrative privilege control—it is key to remove administrative privileges from all and grant them only to a select few as determined by job need. Some individuals see it as a status symbol to hold admin privileges. Local admin rights must be removed for a significant majority of users.

Dynamic analysis—conducting dynamic analysis, which uses behavior-based detection capabilities instead of the conventional approach of relying on the use of signatures, helps enterprises to detect malware that is yet to be identified. Such dynamic analysis can be undertaken at the enterprise’s main gateway, the end point or the cloud, depending on the specific, relevant scenario. Customized sandboxes will help perform structured dynamic analysis.

Host-based intrusion protection/detection system (IPS/IDS)—Host-based IPS/IDS’s detection strength is based on behavior instead of conventional signatures.

Segmenting—segmenting the network based on business criticality is yet another essential control. Active Directory and other authentication servers should be able to be administered only from a selected number of intermediary servers called “jump hosts.” Jump hosts must be well secured, and jump host access must be limited to a predefined list of users and network devices/equipment. Ideally, jump hosts will have no Internet access.

Multifactor authentication—though a number of users view it as painful, it is essential to implement multifactor authentication in the interest of the enterprise.

Internet access—Direct Internet access from all end points/desktops/laptops must be denied and must instead be processed through a proper proxy.

Passphrase policy—for service accounts and privileged accounts, it is essential to implement a passphrase policy instead of a password policy; this is yet another area of common resistance.

Web site access—Access to web sites must be via their domain names and not by IP addresses.

Removable storage media—Usage of removable storage media must be appropriately controlled—though any restrictions on these are viewed by users as a loss of rights. Any enterprise keen to protect its sensitive information from leakage must restrict access and grant it based on a business need.

User education—this is not necessarily about all business users, but about educating developers to write secure code and infrastructure experts to manage it securely. While business users generally appreciate the risk to the business, it is these experts from the IT world who require more convincing.

External email exchange management—when emails are exchanged with entities external to the enterprise, it is essential to adopt and implement protocols such as transport layer security (TLS).

Strong asset management—having an inventory of authorized devices, equipment and software is essential. Asset management is another area that does not get accorded its due priority.

Web application testing—whether the web applications are developed in-house or by a third-party, it is essential to test them for vulnerabilities. They must also be tested via simulated attack scenarios.

The staging environment—Security testing such as a vulnerability assessment or a penetration test must be done in a replica of the production environment; otherwise, the gap between the environments becomes the weakest link in the chain.

Wireless network management—Access must be granted on a need basis with adequate restrictions, and miscellaneous devices must not be allowed to connect in an unrestricted manner. Ideally, network admission control mechanisms must be in place.

This is a very indicative list and must not be deemed as exhaustive. Please choose a security framework relevant and apt to your enterprise and use it. These days, cyber risk insurers also provide guidance documents that they consider prerequisites for any enterprise to buy cyber risk insurance policies.

In my opinion, it is essential to identify relevant controls and implement them in the most appropriate manner rather than implementing a huge list of controls that are irrelevant and inappropriate. And, of course, the best controls rely on competent professionals to make them work effectively.

Monday, January 4, 2016

4 Steps the SMB can take to improve Cyber Security


So what exactly can SMBs do to minimize the chances of becoming a victim of cyber crime?

My recommendations are incredibly simple, but highly effective.  This is the beauty of this message.  It boils down to awareness, education, cyber monitoring and damage control.  

Awareness - small organizations are focused on building their business, not fighting invisible threats.  A range of actions can be taken by business owners to stay informed about the current threat landscape and relevant risks to their industry.  Cyber risk assessments, self-served or partner-led are available and affordable for the SMB now.  This is one of the first steps the SMB can take to begin the process of understanding what is at risk.  The important point to take away from this is to stay plugged in to the basics and remain diligent.   

Education - as a small organization becomes successful, it adds employees. It is critical to educate all staff on the full range of physical and cyber security risks on a continual basis. This is not a discussion for the first day of employment that is never thought of again. The blurred lines between personal and business use of technology assets (e.g., smart phones, tablets, laptops, etc.) place the organization at significant risk, ranging from malware to targeted phishing. A regular education process is critical to help employees understand the proper actions and behaviors.

Cyber Monitoring - monitoring for active, real-time threats isn't likely one of the first things an entrepreneur or business owner thinks about in the morning. The good news is that they don't have to, because there are credible cybersecurity firms that do this for them at an incredibly affordable price. Having visibility at the network layer for malicious activity is the first step to long-term success in a smaller organization. Think of it as the safety net for when employees are lured into malicious attacks, or as a means to reveal the activity happening inside the network that no one can see. There is plenty of verifiable data confirming that smaller organizations struggle to recover from a serious cyber incident. Monitoring for malicious activity on a continual basis is something a small organization could never do effectively on its own.

Damage Control - small organizations should have a cyber breach recovery plan. Even if it is as simple as having identified the proper authorities to contact and a local firm to provide guidance through the process, it is important to plan ahead.  

Questions, comments thoughts. Email me at jncsousa@outlook.com

Monday, December 28, 2015

Cyber Security Predictions for 2016

Happy New Year - My thoughts on Cybersecurity predictions/trends for 2016


1. The Internet of Things (IOT) will increasingly be exploited by hackers. With more and more products including cars, refrigerators, coffee makers, televisions, smart watches, webcams, copy machines, toys and even medical devices being connected to the Internet, the IOT will become a prime target for hackers to exploit in many ways.


2. Ransomware, whereby hackers take control of the data in their victims' computers, encrypt the data and threaten to destroy the data unless the victims pay a ransom has evolved into a bigger problem than many people may be aware of because many of the victims of ransomware do not report the attacks out of a concern as to adverse publicity. Companies of all sorts and governmental agencies have become victims of ransomware. The sophistication of the malware used as ransomware makes this a tremendous threat. In addition, while in the past ransomware has been used primarily for financial extortion, it can be expected that terrorists and others may use this malware purely to attack a target and destroy its data without any financial purpose.


3. As more and more data migrates to the cloud, hackers will focus their attention on exfiltrating data from the cloud. As is so often the case, the cloud may be more vulnerable because of the security practices of the people and companies using it than because of inherent weaknesses at the companies providing cloud services.

4. ISIS and other terrorist groups will attempt to conduct cyberwarfare including trying to attack vulnerable computer connected infrastructure including energy facilities.

5. Spear phishing, the primary method for implanting malware in the computers targeted by hackers will become more and more difficult to identify as hackers are able to harvest personal information from both public sources and stolen private sources to make their spear phishing emails appear legitimate. In particular, social media will provide tremendous amounts of personal information that will be exploited by identity thieves and scammers to tailor spear phishing emails and scams to their victims.

6. Small and medium size businesses will be increasingly targeted for data breaches that can be exploited for identity theft, as they come to be seen as the low-hanging fruit for cybercriminals. It's not a matter of if but when the hackers will breach your network.

7. The creation and sale by sophisticated cybercriminals of Exploit Kits, which are software which can be used by relatively unsophisticated cybercriminals to identify vulnerabilities in computer systems that can then be exploited by malware will increase.

8. Although in the wake of the massive data breach at the Office of Personnel Management (OPM) the federal government has made a concerted effort to increase computer security, the problem is too big and the government is too cumbersome to make the dramatic across the board changes necessary to prevent another major and embarrassing data breach at one or more federal agencies.

9. As more and more people do large amounts of their financial dealings on their smartphones, these devices will increasingly be targeted by identity thieves seeking to exploit vulnerabilities in the Android systems and Apple's iOS. Hackers will also take advantage of smartphone users failing to use basic security precautions such as having a complex password for their smartphones or failing to install and continually update anti-virus and anti-malware software.

10. The financial system will come under increased attack in creative ways such as stealing "insider" information and using it to profit through stock trading. Pump and dump schemes will be done on a large scale based on stolen data identifying vulnerable victims. Banks worldwide will continue to be targeted by criminals attacking not just particular accounts, but the accounting systems of the banks to make their crimes more difficult to recognize.

11. The health care industry will remain the largest segment of the economy to be victimized by data breaches both because, as an industry, it does not provide sufficient data security and because the sale of medical insurance information on the black market is more lucrative than selling stolen credit and debit card information. Medical identity theft is not only the most costly for its individual victims to recover from, but also presents a potentially deadly threat when the identity thief's medical information becomes intermingled with the medical identity theft victim's medical records.

12. Although data breaches have not been discovered at major retailers during this holiday shopping season, that does not mean they have not occurred. It only means they have not yet been discovered. You can expect that in 2016 we will learn about major retailers whose credit and debit card processing equipment has already been hacked.

13. The computers of the candidates for President of the United States present too tempting a target to a wide range of hackers from those merely looking to embarrass a candidate to those seeking financial information about political contributions. Expect one or more candidates to have their campaigns' computers hacked.

As scary as this baker's dozen of predictions and warnings may be, there are many things we can do to increase our own personal cybersecurity. I will discuss those in my first column of the new year.

Malware-Driven Card Breach at Hyatt Hotels

Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
Hyatt’s notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that “customers can feel confident using payment cards at Hyatt hotels worldwide.”
As of September 30, 2015, Chicago-based Hyatt’s worldwide portfolio included 627 properties in 52 countries.  Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection.

Thursday, October 1, 2015

Cyber Security Awareness Month

In honor of Cyber Security month I wanted to offer tips to help you keep your customer and business data safe.

1. Use strong passwords and employ additional authentication. Require unique passwords for employees and have them changed at least every 90 days. Consider a multifactor authentication scheme to add another layer of security. "Password1" is still the most commonly used password in business settings.

2. Make security a priority for employees. Create well-defined security policies and best practices for your business, including appropriate Internet guidelines. Establish penalties for violating company cyber security policies, and update employees regularly on possible security issues. Be transparent with how cyber security affects your business.

3. Keep physical access to computers and servers secure. Ensure unauthorized individuals don't use business computers by putting physical controls in place, e.g. keeping machines away from customers. Require individual logins for employees, and lock up laptops when unattended. If you have a public computer for customers to use, put it on a separate guest network.

4. Limit install and admin authority on all systems. Make sure your operating system has its firewall enabled or install one yourself—they’re available free online. If you do business from home or have employees that do, create a policy to ensure the same for those connections. Records being compromised by external hacking have significantly increased from roughly 49 million in 2013 to 121 million and counting in 2015.

5. Secure your Wi-Fi. Make sure any Wi-Fi network that employees use for work is encrypted and secure. If you offer free Wi-Fi to customers, keep a separate network for the public and one for your business, and set up the business connection so that the SSID (network name) isn’t broadcast. Create and change passwords for both frequently, or tie them to the same username and password combination that employees use to log into their computers.

6. Update software regularly. Ensure your security software, Internet browser, and operating system are up to date to limit the possibility of security breaches; the majority of security breaches happen on outdated software. Consider setting programs to auto-update (preferably after business hours) if the option is available.

7. Define strong policies for mobile devices. If you or your employees are going to access sensitive data from mobile devices, ensure you have a strong policy around mobile access in place, including password protection for the device, data encryption, security apps, and reporting procedures for lost or stolen devices.

8. Limit employee access to sensitive data. Ensure employees are only allowed access to data essential for the duties of their job, and limit universal access to key personnel. Log all access to data and analyze those logs for strange behavior.

9. Keep important business data backed up. Regularly back up important business data and information, including documents, spreadsheets, databases, financial information, HR info, and accounting information. Install a scheme for automatic backup or perform a backup at least weekly, storing information offsite or in the cloud.

10. Purge or encrypt sensitive data. Purge customer credit card numbers and expiration dates daily, and never store CVV2 codes, PINs, PIN blocks, or full track data. Maintain only the minimal data required for charge-backs and refunds.

11. Keep payment systems up-to-date and isolated. Ensure your credit and debit card readers are EMV-compliant, and work with your processing vendor and bank to ensure trusted anti-fraud systems and practices are in place. Isolate payment systems from less secure programs, i.e. don’t process payments and surf the Internet on the same machine.

12. Ensure a secure connection with TLS authentication. To abate customer fears about transaction security, make sure your ecommerce platform includes a strong Transport Layer Security (TLS) authentication scheme, such as Extended Validation, to authenticate the identity of your business while encrypting data in transit. Include prominently displayed trust signals (security seal) so customers know they’re safe shopping on your site.

13. Use multiple layers of security. Employ a firewall, then ensure contact forms, user registration and logins, and search queries are protected with extra layers of security to make sure your ecommerce site is protected from application-level cyber attacks like SQL injections and cross-site scripting.
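Added example for tip 13 (not code from the original post): a login lookup written both the injectable way and with bound parameters, plus the matching fix for reflected cross-site scripting through output encoding. The users, passwords and database are constructed in memory, and plain SHA-256 stands in for a proper salted, slow password KDF to keep the block short.

```python
import hashlib
import html
import sqlite3


def hash_password(password):
    # Plain SHA-256 keeps the demo short; a real system must use a salted,
    # slow KDF such as PBKDF2, bcrypt or scrypt (see tip 1).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory users table with two constructed accounts (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", hash_password("correct horse")),
         ("admin", hash_password("s3cret-admin"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the username becomes part of the SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: input can never change the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def greeting_vulnerable(name):
    """Reflects input into HTML unencoded: the classic reflected-XSS sink."""
    return "<p>Hello, %s!</p>" % name


def greeting_safe(name):
    """Output-encodes before inserting user data into HTML."""
    return "<p>Hello, %s!</p>" % html.escape(name)


if __name__ == "__main__":
    conn = setup_db()
    payload = "admin' --"  # closes the string, then comments out the password check
    print("vulnerable login:", login_vulnerable(conn, payload, "anything"))
    print("safe login:      ", login_safe(conn, payload, "anything"))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

With the username "admin' --" the formatted query becomes WHERE username = 'admin' --' AND password_hash = '...', so the password check is commented away and the vulnerable function logs the caller in as admin without a password; the parameterised version treats the whole string as a literal username that matches nobody. The same principle applies to search queries and registration forms: parameters for the database, encoding for the browser, and a firewall in front of neither is a substitute for either.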

New Malware Threat a Warning to Banks, Customers and ATMs

Beware Cash-Out Attacks, Banking Trojans Via Malvertising and POS Memory-Scraping Malware.

The new warnings center on three types of unrelated malicious code. For starters, malware has been spotted in the wild that is being used to drain cash from ATMs in Mexico, although security researchers warn that it could go global. The Shifu banking Trojan, meanwhile, has moved beyond Japan and is now being used to target customers of four U.K. banks. Finally, the notorious Neutrino crimeware has gotten an upgrade, allowing it to scrape POS device memory and steal payment-card data.

Cash-Out Attacks: GreenDispenser Malware
The newly spotted ATM cash-out malware has been dubbed "GreenDispenser," by cybersecurity firm Proofpoint, which says that while it has only seen the malware used to "cash out" ATMs in Mexico, the malicious code could soon spread to other countries "GreenDispenser provides an attacker [with] the ability to walk up to an infected ATM and drain its cash vault," Proofpoint security researcher Thoufique Haq says in a blog post. "When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers who enter the correct PIN codes can then drain the ATM's cash vault and erase GreenDispenser using a deep-delete process, leaving little if any trace of how the ATM was robbed." A deep delete in this case means that the malware not only deletes itself, but also employs Microsoft's sdelete to make it much more difficult for any malware-related bits and bytes to be recovered via later digital forensic analysis.

The malware resembles the PadPin - a.k.a. Tyupkin - ATM malware that first surfaced in March 2014, and which could be used to make an ATM dispense all of its money, in what's known as a "jackpotting" or cash-out attack, Proofpoint says, adding that it believes that installing the malware requires physical access to an ATM. Like PadPin, GreenDispenser is designed to interact with a set of standard programming interfaces, or APIs, that are built into most ATM host computers and components, known as XFS - which stands for "extensions for financial services."

Malvertising Attacks Now Serve Shifu Banking Trojan
The banking malware known as Shifu - after the Japanese word for thief - has returned, and is no longer just targeting Japanese banks. In a Sept. 25 blog post, the French researcher who maintains the Malware Don't Need Coffee blog, who goes by the name Kafeine, warns that in recent days, the malware has been spotted targeting four U.K. banks: Bank of Scotland, Halifax, Lloyds Bank and TSB. To date, it's not clear how many banking customers' systems may have been infected with the malware.

In August, IBM reported that it first saw Shifu being used for in-the-wild attacks, beginning at least in April. But Kafeine says that after cross-referencing his findings on Sept. 24 with security researchers at Fox-IT and Dell SecureWorks, they found that collectively they had been tracking Shifu since September 2014. "We were using a 'non public' name to talk about it," Kafeine reports.

In the United Kingdom, Shifu is being spread via malvertising attacks, Kafeine says. To date, it's not clear if these attacks are part of a campaign that has successfully served malicious advertising via multiple popular sites, including dating sites Plenty of Fish and Match.com.

Neutrino Malware Targets POS Devices
Meanwhile, upgraded Neutrino - a.k.a. Kasidet - crimeware toolkit malware is also now targeting POS devices, report researchers RonJay Caragay and Michael Marcos at information security firm Trend Micro. Previously, the crimeware toolkit - which competes with Angler - was known in part for its ability to facilitate distributed denial of service attacks.

In a Sept. 24 blog post, Trend Micro says that new research has found that Neutrino version 2.9, which debuted in March, included for the first time the ability to steal credit card details - by "scraping" the RAM of infected devices, via a feature referred to as "ccsearch." But in July, it says, a cracked edition of version 3.6 of Neutrino - which had previously only been available via cybercrime markets, for a price - was leaked onto underground forums, meaning it is now available for free.

Trend Micro - which is headquartered in Japan - reports that based on data gathered from its users' antivirus software, the greatest number of recent Neutrino infections have been seen in Japan, followed by the United Kingdom, Taiwan, France and the United States. It warns that it saw a 1,288 percent spike in related malware detections between May and June, even before the malware became available for free in July. Neutrino, the security firm says, is designed to infect Windows systems via removable drives and network folders, and gives attackers the ability to capture keystrokes and screenshots from infected systems, copy clipboard data, launch a remote shell, launch DDoS attacks, as well as steal data from POS device memory.

"Upgrading old malware to include POS RAM-scraping capabilities is a new technique in the threat landscape, but it's not surprising, given how lucrative stolen payment card data is," Trend Micro says. Furthermore, the release of the cracked, free version of Neutrino continues to lower the barriers to entry for payment-card-seeking criminals. "Scoring this tool is basically finding a valuable tool in a bargain bin and ending up not having to even pay for it," Trend Micro says.

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modif...