Information Security Summit 2016 Review: Ransomware, Application Vulnerability, Hacking as an Industry Lead our Discussion

Thanks to all who attended and sponsored our 2016 Information Security Summit. It was a great turnout where we discussed a number of issues and threats facing infosec today. We were happy to see attendees share ideas and continue the discussion online with #summitbuzz16.

Here are some of the topics discussed at this year’s summit:


Malware

Malware continues to be an ever-growing challenge for IT and security teams. Ransomware alone accounts for more than 100,000 victims daily.


Online Applications

It’s not if you’ll get hacked, it’s when. So how do you respond? People, processes, and technology need to work together to address today’s security threat.


Governance, Risk Management, and Compliance (GRC)

While we would all like to think that our organization makes risk-based decisions, frequently it is compliance checklist items that get the most attention. We need to remember to not get caught up in just the check boxes.


Who are the Targets?

Employees are spear-phished, infected with remote access trojans (RATs) and hit with ransomware every day! Additionally, intranets are vulnerable, insecure and exploited daily.


Anti-virus is dead!

If it’s REACTIVE and it’s only 70% EFFECTIVE, what happens with the other 30% of MALWARE? Breach prevention is the key.


No Smartphone is secure. Not a one.

There are HUNDREDS of MILLIONS of malware downloads currently in the Google Play store, Microsoft App Store and Apple iTunes store. BYOD is a risky proposition without careful planning.

Takeaway: So How Do We Keep Our Data Safe?

  • People, processes and technology need to work together to address today’s security threat. Security frameworks and proactive risk assessments are necessary.
  • Robust vendor risk assessments are necessary to do business securely with third-party providers.
  • Breach response readiness, planning, and tabletop exercises should be part of a comprehensive security program.

Thank You and See You Again Next Year!

Finally, a thank you to all who sponsored and attended. It is through your participation that the success of our summit is possible. We are happy to report we raised funds for MassBay scholarships that will, among other things, support students exploring a career in cyber security!


LinkedIn Data Breach Still Causing Problems

Failing to take basic security precautions with website passwords puts your data at risk


Do you remember back in 2012 when LinkedIn was hacked? Around 6.5 million user passwords were posted on a Russian blog. There was a mandatory password reset for affected users, and LinkedIn released a statement advising people to enable two-step verification and use stronger passwords.

Four years later, it emerged that the passwords of 117 million accounts had been compromised.

Worryingly, this came to light only when a hacker put them up for sale, offering data from 167 million accounts in total. If you haven’t changed your LinkedIn password since 2012, you could be at risk. Tech savvy is no protection, as evidenced by the fact that a hacker group used the LinkedIn password dump to hack Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.


Are you at risk?

The biggest risks here are for people who didn’t change their LinkedIn password after hearing about the 2012 breach and also made the mistake of reusing the same password for another account. Hackers will reuse the same email and password credentials elsewhere as they hunt out further details about you that could be used to steal your identity and turn a profit. You can dramatically reduce the risk simply by having a different password for every account.

It’s also a good idea to change your password when you hear about a data breach somewhere that you have an account, even if you aren’t contacted directly to do so. You can check if your account was compromised at https://haveibeenpwned.com/, where you’ll find a searchable database covering breaches at various websites, including LinkedIn.


Dealing with data breaches

LinkedIn also could have, and arguably should have, taken better steps to deal with the breach in 2012. Allowing customers to choose weak passwords and making two-step verification optional sacrifices security for the sake of convenience. LinkedIn is by no means the only company to make this trade-off, fearing a loss of customers if security is too burdensome.

Another common facet of data breaches highlighted here is the fact that the victim is often unaware of how deep the breach is.

Smart criminals won’t publicize a data breach or come clean about its depth because they want time to exploit the data. In this case, LinkedIn clearly was unable to determine which accounts had been compromised. Remember this came to light only when a hacker put the details up for sale. Perhaps LinkedIn should have instituted a mandatory sitewide password change as a precaution.


Take precautions now

Obviously, LinkedIn has to accept a lot of blame here. Passwords were stored in SHA1 with no salting, according to Leaked Source, which means they weren’t as secure as they could have been.

Regardless of blame, it’s worth revisiting your security practices if you want to stay safe online. Leaked Source also published a list of the most commonly used passwords. The top entry was “123456,” which is used by 753,305 people, followed by “linkedin,” which is used by 172,523 people. If you choose a password like those, you have to know you’re making it easy for the bad guys.
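To show why unsalted SHA1 made the leaked passwords so easy to recover, and why a single weak choice like “123456” exposes everyone who made it, here is an added example (not from the article, LinkedIn or Leaked Source) over a constructed five-user table: with the unsalted scheme, hashing a guess once identifies every user who chose it, whereas per-user salts plus an iterated hash (PBKDF2-HMAC-SHA256, assumed here as the corrected scheme) make identical passwords store differently and force every guess to be recomputed per user.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user table (not LinkedIn data); note the repeated weak passwords.
USERS = [
    ("alice", "123456"),
    ("bob", "linkedin"),
    ("carol", "123456"),
    ("dave", "correct horse battery staple"),
    ("erin", "123456"),
]

def unsalted_sha1(password):
    """The scheme the article describes: one SHA1 per password, no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()

def crack_unsalted(records, wordlist):
    """Why unsalted hashes are weak: hashing a guess once identifies every user who
    chose it, however many users there are (one lookup would find all 753,305 '123456's)."""
    by_hash = defaultdict(list)
    for user, digest in records:
        by_hash[digest].append(user)
    found = {}
    for guess in wordlist:
        for user in by_hash.get(unsalted_sha1(guess), []):
            found[user] = guess
    return found

def salted_pbkdf2(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256, an assumed
    replacement scheme): identical passwords store differently, and each guess
    must be recomputed against every user's own salt."""
    salt = os.urandom(16) if salt is None else salt
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_salted(password, stored):
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    unsalted = [(u, unsalted_sha1(p)) for u, p in USERS]
    cracked = crack_unsalted(unsalted, ["123456", "linkedin", "password"])
    salted = {u: salted_pbkdf2(p) for u, p in USERS}
    return cracked, salted["alice"][2] != salted["carol"][2]

if __name__ == "__main__":
    cracked, distinct = demo()
    print(cracked, "| same password, different salted hashes:", distinct)
```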

If you haven’t done so already, change your LinkedIn password now. There’s a built-in color-coding system that will show you if your password is strong or not. You should also avoid reusing the same password on any other website. If you have reused your LinkedIn password elsewhere, change the password on that account, too. Since you’ll be using different, strong passwords on every account, it’s well worth considering a good password manager to help you keep track of them.

You could also turn on two-step verification so that you can keep track of different devices logging into your account. This system sends you a numeric code by text to your phone anytime an unrecognized device tries to sign in, so a criminal would need your password and your cell phone before being able to log into your account.

It may seem like a hassle, but it’s worth jumping through a few hoops to ensure your data are safe.


This article was recently published in NetworkWorld.

Image credit: LPS.1

8 Tips to Secure Those IoT Devices

Make sure the Internet of Things isn’t a route for hackers to get into your home or workplace


As more and more Internet-connected devices find their way into our homes and businesses, it’s important to remember that they represent a security risk. The Internet of Things (IoT) is growing rapidly, and in the rush for convenience, our privacy and safety are often an afterthought. Leaving these devices unsecured is the digital equivalent of leaving the back door unlocked.

There are 5.5 million new things getting connected every day in 2016, as we head toward more than 20 billion by 2020, according to Gartner. That’s an awful lot of devices. They might bring all sorts of handy new features, but, whether it’s the latest cutting-edge baby monitor or a wireless doorbell camera that links to your phone, it’s also a network-connected computer and should be treated as such. Here are eight tips to help you secure those IoT devices.


1. Don’t connect your devices unless you need to.

The first step is to consider what functionality you need from the device. Just because your TV or fridge can connect to the internet doesn’t mean you definitely want to hook it up. Take a good look at the features it offers and learn exactly what internet connectivity brings before you connect.


2. Create a separate network.

Many Wi-Fi routers support guest networking so that visitors can connect to your network without gaining access to shared files or networked devices. This kind of separation also works well for IoT devices that have questionable security.


3. Pick good passwords and a different password for every device.

It’s very important to pick strong passwords, but you must also make sure that you pick a different password for every device. If a hacker manages to get one of your passwords, they will typically try it with other services and devices. Reusing passwords is not a good idea. Use a password manager to keep track of all your passwords.


4. Turn off Universal Plug and Play (UPnP).

Sadly, UPnP can make routers, printers, cameras and other devices vulnerable to attack. It’s designed to make it easier to network devices without configuration by helping them automatically discover each other. The problem is that attackers can also potentially discover them from beyond your local network because of vulnerabilities in the UPnP protocol. It’s best to turn UPnP off completely.


5. Make sure you have the latest firmware.

If you want to make sure you have the latest security patches and reduce the chances of a successful attack, then you need to keep your firmware fully updated. Vulnerabilities and exploits will be fixed as they emerge, so your IoT devices and your router need to be regularly updated. Automate this wherever possible or set a schedule to check for updates every three months or so.


6. Be wary of cloud services.

A lot of IoT devices rely on cloud services, but the requirement for an internet connection in order for something to function can be a real problem. Not only will it not work when the network is down, but it may also be syncing sensitive data or offering another potential route into your home. Make sure you read up on the provider’s privacy policy and look for reassurances about encryption and data protection.


7. Keep personal devices out of the workplace.

Don’t take your personal IoT devices to work. There are lots of potential security concerns for wearables. Every enterprise should have a clear BYOD policy, and it’s often a good idea to prohibit personal IoT devices from connecting to the network, or at least limit them to a guest network.


8. Track and assess devices.

Businesses need to track everything connected to the network and monitor the flow of traffic. Devices need to be assessed to determine the level of access they should have, to keep them fully patched and up to date, and to protect data end-to-end to preserve its integrity. Unknown devices should flag an alert. Understanding which devices are connected and what they’re doing is a prerequisite for proper security.

If you’re dealing with sensitive data or you’re concerned about privacy, then make sure you have a long hard look at the IoT devices you’re considering. What security protocols do they support? How easy are they to patch? Do the providers have a proper privacy policy? It’s not safe to assume they’re secure because all too often they simply aren’t.
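As an added example of the tracking described above (not from the article), this script runs two checks over constructed DHCP lease lines against a constructed device inventory: it flags any MAC address that is not inventoried, and any inventoried device that shows up outside the network segment it was assigned to, which is how the separate IoT network from tip 2 gets enforced rather than merely configured. The inventory, the dnsmasq-style lease layout and all addresses are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed inventory: MAC -> (description, network segment the device is allowed on).
# 10.0.20.0/24 stands in for the separate IoT/guest network recommended in tip 2.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("reception printer", "10.0.10.0/24"),
    "aa:bb:cc:00:00:02": ("lab thermostat", "10.0.20.0/24"),
    "aa:bb:cc:00:00:03": ("lobby camera", "10.0.20.0/24"),
}

# Constructed DHCP lease lines (dnsmasq-style: expiry MAC IP hostname), not from a real network.
LEASE_LOG = """\
1700000000 aa:bb:cc:00:00:01 10.0.10.11 printer-recp
1700000060 aa:bb:cc:00:00:02 10.0.20.12 thermostat
1700000120 de:ad:be:ef:00:01 10.0.20.55 android-7f3c
1700000180 aa:bb:cc:00:00:03 10.0.10.13 *
"""

LEASE_RE = re.compile(r"^\d+\s+([0-9a-f:]{17})\s+(\d+(?:\.\d+){3})\s+(\S+)$", re.I)
Lease = namedtuple("Lease", "mac ip hostname")

def parse_leases(text):
    """Parse lease lines into Lease records; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append(Lease(m.group(1).lower(), m.group(2), m.group(3)))
    return leases

def assess(leases, inventory=INVENTORY):
    """Return alert strings: unknown MACs, and known devices seen off their approved segment."""
    alerts = []
    for lease in leases:
        entry = inventory.get(lease.mac)
        if entry is None:
            alerts.append(f"UNKNOWN {lease.mac} ({lease.hostname}) leased {lease.ip}")
            continue
        name, segment = entry
        if ipaddress.ip_address(lease.ip) not in ipaddress.ip_network(segment):
            alerts.append(f"OFF-SEGMENT {name} {lease.mac} at {lease.ip}, expected {segment}")
    return alerts

if __name__ == "__main__":
    for alert in assess(parse_leases(LEASE_LOG)):
        print(alert)
```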


This article was originally posted on NetworkWorld.

Image credit: Thinkstock

5 InfoSec concerns for colleges and universities

Higher education institutions are a prime target for cybercriminals, and IT needs resources to prevent attacks and provide a proper level of security


No industry or sector is immune to data breaches, but some are targeted more often than others. Education came ahead of government, retail and financial sectors, and it was second only to healthcare on Trend Micro’s list of the most-breached industries.

With more than 500 security breaches across 320 higher education institutions since 2005, higher ed accounts for 35 percent of all breaches, according to an enlightening infographic from SysCloud.

Universities and colleges are a high-priority target for a number of reasons:

  • They may be easier to attack than other sectors.
  • They store millions of records with lots of personally identifiable information.
  • They store valuable research and intellectual property.
  • They can provide sideways access into more secure organizations.
  • High-speed networks and massive computation ability make them an excellent platform for attacking others.
  • They operate highly decentralized IT environments.

The list goes on, so it’s no wonder that concerns are being raised. Let’s drill into the top five InfoSec concerns for higher education.


1. Malware

The potential exposure to malware for educational institutions is massive. A huge range of devices have access to networks and systems at universities and colleges. Students and teaching staff use university computers to check personal email, update social media, shop, watch movies and download all sorts of files.

It’s difficult for IT to keep track of all the traffic and ensure nothing untoward makes it onto the network. In too many cases, they lack the necessary tools to detect and respond to attacks. Building malware defenses is vital, but detection and remediation is also often neglected. When malware isn’t caught quickly and dealt with, it has a chance to burrow deeper.


2. Exploits in database systems and servers

Many universities and colleges employ monolithic internal database systems that may be easy to exploit. Simply identifying and patching all known vulnerabilities on institution servers can be a challenge when resources are tight. Many of these systems were built without security in mind, so retrofitting security protocols can be tricky, but it must be done. Known vulnerabilities are an easy inroad for cybercriminals, and there are many different endpoints that offer access.


3. Phishing attacks

It’s often easier for attackers to trick people into handing over login details and other sensitive data than it is to gain access by other means. Phishing attacks are growing more and more sophisticated and spreading from email to social media and beyond. Students and teaching staff need to be educated on the risks of clicking links in emails or responding to unverified requests. But that alone won’t be enough to stop successful phishing attacks. Education must be backed up by real-time monitoring and scanning tools that can identify suspicious behavior and traffic and flag it.


4. Vulnerabilities in websites and servers

Without vulnerability management, many universities and colleges leave themselves open to external attack through websites and servers. Cybercriminals can exploit known vulnerabilities quite easily. It’s important to take steps to identify them, but also to create a remediation plan that can patch systems as necessary and close these potential points of access.


5. Device management

Personal devices flood most universities and colleges. Smartphones, laptops, tablets, USB thumb drives and wearables are growing more and more common. There are also risks from network-attached devices such as printers, copiers, scanners and laboratory devices. As the Internet of Things continues to take off, surveillance systems, HVAC systems, vending machines and door controls also have to be taken into account.

Creating a complete picture of the devices that have access to networks and controlling that access carefully is important, but it’s not an easy task.


Closing the door

There’s a lot of work to be done to tighten information security at higher ed institutions. Data classification would help to define the sensitivity of institutional data, encryption should be used far more often for data in transit or at rest, and risk assessments are urgently required to identify critical assets and protect them, but also to ensure compliance with regulatory requirements.

Gathering this data should give staff the ammunition they need to graduate to higher IT security budgets, because without more resources the proper level of security will be impossible to achieve. InfoSec can’t afford to go on sabbatical.


This article was originally posted on NetworkWorld.

Image credit: MIT Stata Center by Egaowakaii