For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always – and we mean always – trump security. For developers of new software products, hardware technologies and the emerging world of IoT, the ability to get to market as quickly as possible is the most important thing a company can do, because it gets them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it’s usually relegated to a last-minute “bolt-on”, or simply addressed after vulnerabilities are discovered by users and security analysts after the product is released. Even after disclosure of vulnerabilities, many companies either ignore these findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain, specific vendors (we won’t name names here… but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior among many companies is not likely to change.
Most of us think about information security in terms of what hackers, malware, and other bad actors can do to compromise our systems and data. And while that’s certainly a critical concern, we sometimes forget about another aspect of information security: protecting our privacy. The privacy debate is one that has raged for many years. Today it is often equated with government intrusion, and while this is certainly a legitimate macro-level concern, there are other sinister threats that can be realized when we lose our digital privacy: identity theft, cyberstalking and online bullying, and physical assault due to location disclosure from digital assets (think geolocation inside of devices and geotagging metadata within digital media) are all real-world risks if we don’t protect ourselves. And while privacy and security are not the same thing, good security definitely improves privacy.
Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men suspected of running “vDOS,” one of the most pervasive paid distributed denial-of-service (DDoS) service networks in the world. DDoS as a subscription service is nothing new; vDOS had been in existence for well over four years and, along with other services such as “PoodleStresser,” was part of the nascent but rapidly growing distributed-denial-of-service-as-a-service market (“DDoSaaS” – how’s that for an acronym?).
During the early-to-mid 2000s, the NBC network aired a successful reality television show called “Fear Factor.” In that show, contestants competed by attempting a broad range of terrifying stunts, eating grotesque foods, and a range of other activities designed to exploit their innate fears. The contestants, one assumes, had weighed the value of the show’s prize against the risks of the unknown, and decided to participate in the hope of winning the $50,000 top prize.
Late last year, Symantec Corporation released a survey on ransomware: malicious software that attempts to encrypt everything it can access, and demands money (usually in difficult-to-trace remuneration such as Bitcoin). One of the most disturbing trends of this report was that ransomware has grown from less than 20% of all new malware types in 2014, to over 90% of all newly discovered malware types today. Why is this? Well, put simply, because it works. When an organization’s critical business data is directly compromised – with the promise of possibly regaining access and restoring business as usual – the temptation to simply pay $500-$1,000 in Bitcoin or gift cards is strong. However, there’s always one nagging question in the background: what if the attacker doesn’t actually give us the key to decrypt the files?
Do you know what the HIPAA Security Rule is? What about the Privacy Rule? If you're a health provider, it's paramount that you understand what both of these regulations are; otherwise you could end up like a number of health companies - in a financial mess.
"It's paramount that you understand what HIPAA's Security and Privacy Rules are, respectively."
Take St. Elizabeth's Medical Center in Brighton, Massachusetts, which broke HIPAA's Security Rule by violating regulations regarding electronic Protected Health Information, according to Elizabeth Snell of Health Security.
Businesses must take IT security seriously because their financial future depends on it. IT security is a broad topic that covers a range of different fields.
Here we'll discuss common vulnerabilities and why companies must ensure their operational systems are well-protected from cybercriminals.
"Injection vulnerabilities are one of the most common and oldest web application vulnerabilities."
1. Injection vulnerabilities
Injection vulnerabilities, such as cross-site scripting and CRLF injection, are among the most common and oldest web application vulnerabilities, because they are easy for cybercriminals to find and exploit.
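The two injection defects named above both come from passing untrusted input into an output context without encoding or validating it for that context. The following is an added example (not EiQ Networks' code); the function names and the sample inputs are constructed for illustration. It places a deliberately vulnerable builder beside its hardened counterpart for an HTML body (cross-site scripting) and for an HTTP response header (CRLF injection).

```python
"""Vulnerable and hardened builders for the two injection classes named on
the page: cross-site scripting (HTML body context) and CRLF injection (HTTP
header context). Added example; names and inputs are constructed."""
import html
import re
from urllib.parse import quote

# --- Cross-site scripting: untrusted data landing inside HTML ----------------

def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input is concatenated straight into markup, so any tags it
    # carries become part of the page.
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    # Output encoding for the HTML text context: markup characters become
    # entities, so the browser renders them as text rather than as elements.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- CRLF injection: untrusted data landing inside a response header --------

def build_redirect_vulnerable(target: str) -> bytes:
    # A CR/LF pair inside 'target' terminates the Location header early, and
    # whatever follows is parsed as an additional header.
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


class HeaderInjectionError(ValueError):
    """Raised when a header value contains characters that could split it."""


_CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def build_redirect_hardened(target: str) -> bytes:
    # Reject control characters outright instead of trying to strip them,
    # then percent-encode anything else that does not belong in a URL.
    if _CONTROL_CHARS.search(target):
        raise HeaderInjectionError("control character in header value")
    safe_target = quote(target, safe=":/?&=#%")
    return f"HTTP/1.1 302 Found\r\nLocation: {safe_target}\r\n\r\n".encode()


def hardened_rejects(target: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_hardened(target)
    except HeaderInjectionError:
        return True
    return False


def header_count(response: bytes) -> int:
    """Number of header lines in a raw response (excluding the status line)."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


if __name__ == "__main__":
    # Constructed inputs: a tag in a name, and a header value carrying CR/LF.
    print(render_greeting_vulnerable("<b>Ann</b>"))
    print(render_greeting_hardened("<b>Ann</b>"))
    split_value = "/home\r\nX-Injected: yes"
    print("vulnerable header count:", header_count(build_redirect_vulnerable(split_value)))
    print("hardened rejects it:", hardened_rejects(split_value))
```

The hardened header builder refuses the value rather than sanitising it: a rejected request is visible in logs and to the user, whereas silently stripping characters hides the fact that someone tried to split the header.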
The threat from cybercriminals is real, and credit unions must be on the constant lookout for potential breaches. These institutions are very vulnerable to cyber attacks because of their smaller size, and don't always have the IT infrastructure and resources to thwart cyber attacks like their larger counterparts, according to a new 2016 Beazley Breach Response Insights report.
"You're being tested every day, whether you realize it or not," said David Luchtel, Vice President of IT Infrastructure and Operations at WSECU, according to Credit Union Times.
One need only read the headlines to know how insecure company data and networks are these days. Just a few weeks ago, U.S. health insurer Banner Health informed 3.7 million customers and healthcare providers that their data may have been stolen. This has become a fairly common scenario as healthcare records and private data are traded openly on the black market. Thinking through all of the likely attack vectors, it seems almost impossible for organizations to completely secure their intellectual property, customer data, and other corporate records. For example, employees might not know that malware need not arrive as a downloaded file or executable; it can be delivered simply by clicking on an infected banner ad or even a link in social media. If an organization has a “bring your own device” to work policy, a mobile phone or tablet infected at home can easily spread malware to the corporate network.
Passwords may be one of the most misunderstood elements of network security. The critical role passwords play in thwarting cybersecurity breaches cannot be overstated. Weak passwords undermine a company’s network. One of the key purposes of security tools such as network security monitoring is to flag unusual (and therefore suspicious) activity on an organization's computer systems. If passwords are so simplistic that hackers can guess them correctly within a number of attempts that looks like normal user behavior, then cybersecurity software is much less likely to notice and flag these cybercriminals' efforts.
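The point above, that a password guessed in a handful of tries never crosses the threshold a monitor watches for, can be seen directly in a simple failed-login detector. The following is an added example, not part of the original post or of any EiQ product; the syslog-style line format, the 5-failures-in-5-minutes threshold and the sample log lines are all constructed assumptions. It runs the same detector over a noisy brute-force attempt against a strong password and over a weak password guessed on the third try, and shows which one gets flagged.

```python
"""Threshold-based failed-login detector over constructed auth log lines.
Added example; log format, threshold, window and addresses are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed sshd-style line: "<iso timestamp> sshd[<pid>]: Failed|Accepted password for <user> from <src> ..."
_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_events(lines):
    """Yield (timestamp, result, user, source) for each line the pattern matches."""
    for line in lines:
        m = _LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def flag_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Sources that produced at least `threshold` failures inside any `window`."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()
    for ts, result, _user, src in parse_events(lines):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def guesses_before_success(lines):
    """(source, user) -> number of failed attempts immediately preceding a success."""
    failures = defaultdict(int)
    result = {}
    for _ts, outcome, user, src in parse_events(lines):
        key = (src, user)
        if outcome == "Failed":
            failures[key] += 1
        else:
            result[key] = failures.pop(key, 0)
    return result


def _log(src, user, failure_count, success_second):
    # Constructed log lines; 203.0.113.0/24 is a documentation range.
    lines = [
        f"2016-09-01T08:00:{i:02d} sshd[4242]: Failed password for {user} from {src} port 51234 ssh2"
        for i in range(failure_count)
    ]
    lines.append(
        f"2016-09-01T08:00:{success_second:02d} sshd[4242]: Accepted password for {user} from {src} port 51234 ssh2"
    )
    return lines


# Strong password: the attacker needs many wrong guesses before giving up or succeeding.
BRUTE_FORCE_LOG = _log("203.0.113.5", "alice", failure_count=8, success_second=9)
# Weak password: guessed on the third attempt, which looks like a user mistyping twice.
WEAK_PASSWORD_LOG = _log("203.0.113.7", "alice", failure_count=2, success_second=3)


if __name__ == "__main__":
    print("brute force flagged:", flag_sources(BRUTE_FORCE_LOG))
    print("weak password flagged:", flag_sources(WEAK_PASSWORD_LOG))
    print("guesses before success:", guesses_before_success(WEAK_PASSWORD_LOG))
```

Lowering the threshold does not fix this: a threshold of two fires on every user who mistypes twice, so the practical defence is the one the post names, passwords strong enough that guessing them takes more attempts than any legitimate user would make.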