Posts tagged wireless security
That was the question on the table when researchers examined the vulnerabilities of 44 different nations. Let’s take a look at how the U.S.’s cybersecurity fared, which nations were the most secure, and which could face serious trouble from hackers in the future.
Why This Study Is Important
Unfortunately, cyberterrorism is a global scourge. Some nations have a better system in place to defend against attacks, and other nations could stand to learn a thing or two. Plus, it is important to be able to respond quickly and appropriately to a cyber-attack. It’s not just criminals and terrorists who are lurking online. Sometimes a nation hacks another nation. So national defense now includes preparing for online attacks.
How the U.S.’s Cybersecurity Scored
Of the 44 nations in the study, the U.S. was ranked 11th. The 2-year study found that nations, including Denmark, Finland, and Norway, had the best systems and responses in place. Who were in the danger zone for attacks? Three of the worst-defended countries were superpowers China, Russia, and India, all of which boast a nuclear arsenal. Not the nations you want hackers being able to attack easily.
Takeaways from the Study
The researchers examined stats on trojans along with worms and viruses to see which nations were best prepared to handle them. The U.S. did really well in that department. Unfortunately disk cleanup utilities, fake anti-virus programs, and other misleading software exploits seemed to be very prolific.
These hacks are usually based on the user, and not the defenses of the system. Basically, it comes down to the fact that while the U.S. has really good security software in place, user error accounts for how poorly the nation as a whole did in the study. This means education is vital in order to avoid potential hacks.
What This Means for Your Business
Your business’ cybersecurity is probably in line with the results of the study. You may have firewalls in place and keep software up to date, but have your employees been sufficiently trained to detect a scam? This may be the most important thing to consider in your data security.
If you use the Internet, you use OpenSSL. It’s as simple as that. OpenSSL is the most frequently used software package when it comes to online data security. There’s just one problem. It may not be as secure as everyone thinks.
At least that is what researchers have discovered while looking for vulnerabilities in the extremely common security protocol. They referred to the vulnerability as a side channel attack.
What is this type of attack, and what is being done to protect your browser use?
What is a Side Channel Attack?
This type of attack allows a hacker to glean information regarding software through examining the use of a computer system. Some examples include how much of the system’s power is being used during activity or the timing in which the software is used.
Why is this ability to listen in on a computer so dangerous? Researchers were able to use this method to acquire the unique key that identifies who is using the computer. Does this have implications for your internet use?
What OpenSSL Vulnerability Means for Your Security
The fact is that hackers are unlikely to use this method to hack a computer at your home. Unfortunately, the reason for that is simply because there are many easier ways to hack a personal computer.
For businesses, we’ll just have to wait and see what kind of fix the researchers come up with, and hope that this exploit is deemed too time-consuming for most hackers who seem to be opportunists. After all, this type of hack doesn’t seem to be common, and OpenSSL has had this vulnerability for as long as it has been in existence.
While most manufacturers are sticking to their guns about this hack not being possible—but because it was repeated under controlled circumstance by the researchers, this was enough for the OpenSLL developers to start looking for a fix. In the meantime, it’s important to keep an eye out for potential attacks though this type of hack, no matter how unlikely it may be for someone to use it.
When it comes to defending yourself and your company from potential threats, knowledge is power. That’s why we will report on an extremely common type of cyberattack in the most basic terms possible. Knowing what an exploit kit is can help you to be able to defend yourself and your company’s assets.
Defining the Exploit Kit
Basically, this is a collection of different things that can be used to infiltrate a stream of revenue. It would include redirecting browser URLs as well as other exploits. An exploit kit is not generally used to target one particular system or company. It’s simply placed out on the internet, and it constantly searches for places it can go and do what it has been designed to do.
Many types of exploit kits are online today, including common ones like Nuclear, Angler, and RIG. Some of these kits exploit thousands of systems on a daily basis. Often, they are used to deliver ransomware or other exploits designed to cheat businesses and consumers alike out of money.
How the Exploit Kit Infects a System
It’s quite a simple process. These kits are already out there just waiting to find an in. It all starts when a user goes to an infected website. Frequently, it is an advertisement on the site and not the site itself that contains the exploit. This means the user doesn’t have to do anything wrong to start the process other than going to the shady site. The ad redirects the user to a landing page that actually uploads the exploit. However, this often happens in short time-frame, so the user never knows that something is happening until it is too late.
Defending Yourself from Exploit Kits
For a business, defense from exploit kits means restricting the sites that employees can go to on the company network. It also means educating employees. After all, your firewall doesn’t help if an employee takes a business laptop home, and then gets on a malicious site.
Knowing that these kits exist, and training users to avoid shady sites on any device being used for work, are the best ways to keep your company safe from an attack.
Cybersecurity is on the forefront of everyone’s minds. Just ask the Democratic National Committee (DNC) if they wish their email servers had been more secure. In the world of digital data, the hacker can do more damage in a day than almost any weapon. Businesses can be greatly compromised overnight due to hacks. How can you protect your business? Have you ever considered hiring white hat hackers to help?
That’s just what the Department of Defense (DoD) did a few months ago—setting loose 1,400 white hat (no criminal intent) hackers on the Pentagon’s cyber defenses. They were promised rewards for finding security flaws in the system so that the government could close the gaps to future black hat (criminal) hackers.
The white hat hackers filed a total of 1,189 reports on things they discovered. Of these, the government determined that 138 reports qualified as valid security concerns. In total, more than $70,000 was paid out to the hackers as rewards for the legitimate reports. In the end, the program was viewed as a success. The total cost of the program was estimated at about one-seventh (14%) of what a professional contractor would have cost.
This isn’t the only DoD project in place that provides bounties to hackers. Others in the future will allow hackers to search for potential exploits in applications and websites used by the government.
White Hat Hackers: What Does This Mean for Your Business?
The U.S. government may be happy with the results, but this probably isn’t the route you want to go with your business. Why not? What if, while fooling around in your system, a hacker leaves himself a backdoor to get in later? You simply don’t want to take that chance with your livelihood.
The fact is that, for an SMB (small to medium-sized business), a security audit is affordable. So there’s no need to provide a bounty to hackers and let them run wild on your system. A security audit can allow a consulting agency to determine the weak points in your data security, so these can then be secured.
If you want to protect your business, you have to protect your data, which means getting professional assistance.
Threats to your data security come from many different angles. The secret to being able to defend your organization is knowledge. That’s why threat intelligence is becoming an important part of data security. But what types of threat intelligence are there? We’re going to identify three.
1) Preemptive Threat Intelligence:
This type of intelligence involves gathering data on things that could potentially happen in the future. Your IT department or agency should look at trends in cybercrime to determine threat that will exist in the next 1–2 years. This will give your organization time to plan ahead to rebuff such attacks by updating hardware and software as needed. It also gives you the chance to train your staff to avoid risky behavior that could invite an attack.
2) Active Threat Intelligence:
Looking at the data collected by your network logs and other security features will help you determine current behavior that needs to be adjusted. It also allows you to see indicators of attacks that have already occurred so as to adjust your future defenses. Basically, you are auditing your current security to find the gaps that future hackers will use as an in to your system so you can proactively plug those holes accordingly. It can be something as simple as updating software or training a particular team member who needs to be more careful online.
3) Tactical Threat Intelligence:
Know your enemy in order to defend yourself from future threats. This means thinking like a hacker. What does your organization have that is worth stealing? How would you try to get into the system? Is your weak link the lack of a firewall? Perhaps the biggest threat is an unhappy employee who is willing to sell his login credentials to the highest bidder. Once you know which tactics hackers are most likely to employ to steal from you, this provides a starting point for developing a plan of preventative action.
If your organization is employing these three types of threat intelligence, you are not only making it tougher for hackers to attack your company, but you are also setting yourselves up to be able to say “We did everything we could,” if a data breach should occur, and that is important for PR.
What would you say if someone walked up to you and asked for your email password? You would probably immediately say no, even if you knew the person. You may allow only your most intimate associate, such as a mate, to have that information. So how do hackers manipulate people into giving out login credentials on a daily basis? Welcome to the world of social engineering.
Social Engineering: Infiltration Doesn’t Come Cheap
It can be expensive and time consuming for a hacker to develop a way into a secure system. It is far easier to manipulate someone into giving away his credentials. Not easy, just easier.
That’s why psychologists studied 1,208 individuals to learn some of the methods that prove to be effective in getting a person to reveal login information.
One of the methods used in the study was to give the user a reward. After first receiving a piece of chocolate, half of the users were asked for passwords during an interview. Others were asked about the password first, and then given the chocolate when the interview was over (fair is fair).
Over 43% who received the chocolate first were willing to give away login credentials. In fact, almost half of people who were given the chocolate immediately—before being asked the question—gave away their password, while just under 40% caved when the reward was provided early in the interview, and long before the question was asked.
People Cave to the Idea of Reciprocity
When an incentive is provided, many people reciprocate without considering whether the trade is equal. Even the timing of the reward or gift is crucial to how likely a person is to respond. Don’t get us wrong—nearly 1 in 3 people in the control group gave out their credentials without any “gift,”—but a reward increases the likelihood of a positive response. Clearly, the reward does not have to be much.
Knowing this, calls for employee training that encourages your staff members not to trust freebies online, especially if there is something required in return. Employees need to be taught never to share passwords.
While employees often do things such as open email attachments that they shouldn’t, fail to update software and apps, or visit websites that have been compromised, these aren’t the only ways someone can get to your data through your staff. Let’s look at a few more serious data security mistakes your employees should be trained to avoid.
Common Data Security Mistakes
- Password problems – Start with the concept of using passwords that are not secure. Not only should things like 12345 be avoided—and your IT team should make sure passwords like that can’t be used—but “personal-type” passwords should also be avoided. For example, it’s not a huge reach for a hacker to learn personal info about an employee, and then try the person’s birthdate or anniversary as a password. Besides these things, employees should be instructed to effectively protect passwords by never sharing them, even with another employee. Having a list of passwords on a mobile device, or even on a piece of paper under the keyboard, are also terrible ideas.
- Cloud computing – First of all, there’s nothing wrong or not secure about using cloud computing for The problem begins when employees feel they can share private company information through cloud file-sharing services that are not designed for business, and are thus less secure.
- Losing data/devices – Any time that data is removed from the office on a device like a laptop or a phone or even on something like a thumb drive, loss becomes an issue. Something as simple as leaving a smartphone at a restaurant can lead to theft. And once a thief finds private corporate information on the device, what is to stop him from trying to increase his payday by selling the information before selling the device?
It all comes back to proper training. Your employees need to know how to create strong passwords and manage them properly. They need to understand the difference between a secure way to send a file and a way that is inviting trouble. And they need to understand the importance of protecting devices with sensitive information on them, especially if such devices are taken out of the building.
Sometimes your worst security threat is an untrained or careless staff. A well-maintained online security setup can easily be overcome by a hacker if an employee makes a simple mistake. Let’s go over some of those common data security mistakes that lead to many of the data breaches that companies suffer today.
Common Data Security Mistakes
- Opening an email attachment – No matter how many times management may have told employees to be careful about emails from people they don’t know, this is still one of the most common issues. The fact is that sometimes the sender isn’t a stranger. If a friend’s email gets hacked, cyber criminals can send everyone in that person’s address book a malicious link. A message from a friend arrives with the title, “You’ve got to see this!” or something else that is innocuous. The employee clicks the link, and the damage is done. Employees need to be trained to question links, even from someone they know, if they were not expecting the message.
- Putting off updates – The computer says it needs to restart for new updates to take effect. However, the staff member is in the middle of a project and delays the restart. Days pass. The problem is that the update was for a security issue, and now that employee’s computer is a hacker’s way into your network because the exploit is still useable. You must train employees to apply updates as soon as they are available.
- Pornography, pirating, and other shady websites – If a visited website is compromised, it doesn’t take long for a computer to become compromised. Obviously, these are the kinds of websites employees should not be using on company time or company devices. Unfortunately, employees may also work from personal devices and save login credentials. It’s not a long stretch to have those credentials stolen if shady websites are being accessed on the same device. Train your employees to save logins only on their work devices, and to use such devices only for work.
These are just three of the most common data security mistakes made by employees. We will consider more in future articles.
When it comes to treatment of disease, early detection is vital. However, this is a catch-22 when related to patient files because of privacy issues. You want to be able to look at the data and know which screenings are the most appropriate, but you legally can’t disclose much of the relevant data to a team of statisticians. Mathematicians are trying to give you a way around this.
Keeping Patient Files Anonymous
The first step in maintaining privacy is altering patient data so that the patient is anonymous. This may sound like it defeats the purpose, but there are computer programs that can use the changed data just as effectively as the real data. While the data is no longer attached to an individual in any significant way, it is still relevant for the sake of observing trends and looking at summaries of statistics.
Researchers are working hard to ensure that the changed data does not result in statistics that have been altered. The computer system looks at the answers to yes and no questions like:
- Is the patient overweight?
- Does the patient smoke?
- Is there a family history of illness?
Then it turns this data into geometric patterns. Now, while disguised as shapes, the data is still there for the computer to see, while the patients remain anonymous. How does this help a practice to treat patients?
The data can be collated, and statistics can be determined. At the same time, no one ever sees the name of a particular patient while doing data entry or figuring up the statistics. In this way, patients are protected, but health care providers still get much-needed data to determine the importance of various types of screening and other preventative measures.
Computers and the Health Care Industry
Patient privacy is a vital aspect of the health care industry despite the fact that we live in a digital age of information sharing. You need an agency to help you navigate the line between storing data and protecting data. After all, you want to be able to provide patients with the best possible care while submitting to the law.
When it comes to malware, there may be none more malicious and devious than ransomware. Ransomware effectively locks a computer and holds the contents for ransom, requiring the owner to pay a fee in order to regain access.
How Serious Is It?
Ransomware can do anything from permanently locking a computer to actually deleting all of your data if you try to get around the malware without paying the ransom. But before you reach for your credit card, there are important reasons to avoid paying the ransom, and far better ways to protect your company or recover your data.
What This Means for Businesses
If someone in your office wanders into unsavory internet territory and gets ransomware downloaded on your system, it can bring your entire organization to a grinding halt. Paying the ransom is worthless. There is no guarantee that the malware is not still in the system just waiting to spring up and take more of your money in the future. And you probably shouldn’t give account info to someone who is clearly a criminal. So what can you do to protect your company?
Prevention—The Best Policy
First of all, the best way to keep your business safe is to avoid ransomware at all costs. This means:
- Educating employees about what constitutes appropriate internet use on company devices.
- Keeping software, apps, and operating systems updated at all times so that the exploits hackers use are not available.
- Keeping firewalls and antivirus in place to protect your network.
- Keeping data backed up in the cloud, so that loss of a device does not stop workflow.
- Training staff to avoid clicking email links that they are not 100% certain about.
Stopping Ransomware Is a Team Effort
It takes everyone on the staff to recognize the dangers of the internet and avoid them. Another important thing that needs to be instilled is that if ransomware should somehow get on a machine, the employee should immediately report it rather than paying the ransom in an effort to brush things under the rug and avoid possible consequences.
What If It’s Too Late?
Don’t give up hope yet. A talented IT agency may be able to help recover your data—and an IT team will cost you far less than the ransom most hackers put in place.