In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally this would not be particularly newsworthy: the DFS is chartered to issue governance and management rules for financial services companies, and over the past few years it has issued rules on financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March regulation, titled “23 NYCRR 500”, so interesting is that, for the first time, it defines specific cybersecurity governance requirements for the financial services companies the DFS regulates. As you might expect, with New York City being one of the top three financial centers of the world, this ruling has a substantial impact.
The technology world was rocked late last week with the arrival of the “WannaCry” malware payload. “WannaCry” is ransomware: it encrypts files with strong encryption, and then notifies the victim that they can “recover” their files for a payment in Bitcoin (a public blockchain-based payment system whose pseudonymous addresses make payments hard to attribute to a person). Unlike most ransomware, which arrives by phishing, WannaCry spread as a worm by exploiting unpatched Windows SMB services, which is why it moved so fast. While the New York Times has reported that victims in nearly 100 countries have been affected so far, the most significant impact to date has been within the U.K.’s National Health Service (NHS), which was forced to reallocate patients to unaffected facilities due to the “WannaCry” outbreak.
Recently, social media giant Facebook announced that it is providing, free of charge, code to allow app developers to implement delegated account recovery. This is effectively a more elegant replacement for the traditional “security questions” approach to resetting a password, which historically has required the user to set up a series of questions that (ostensibly) only they know the answer to. However, a Microsoft survey from several years ago already found that over 10% of those supposedly “secret” answers could be guessed within five attempts by nearly anyone, and that participants had forgotten 20% of their own answers within six months.
For those of you who have been reading the EiQ Networks blog on a regular basis, you know that one of the most fundamental and unyielding tenets of the security world that we frequently point out is this: functionality and performance always (and we mean always) trump security. For developers of new software products, hardware technologies and the emerging world of IoT, getting to market as quickly as possible is the most important thing a company can do, because it earns them a market position that turns into revenue. Because security isn’t generally perceived by companies that make commercial software and hardware as something on which people make buying decisions, it is usually relegated to a last-minute “bolt-on”, or simply addressed after vulnerabilities are discovered by users and security analysts once the product is released. Even after disclosure of vulnerabilities, many companies either ignore the findings or back-burner patches and fixes until the next major release of their product. One of the “dirty little secrets” of the industry is that certain vendors (we won’t name names here, but they know who they are) have had gaping holes in their products for months and sometimes even years. Sadly, this behavior is not likely to change.
Most of us think about information security in terms of what hackers, malware, and other bad actors can do to compromise our systems and data. And while that’s certainly a critical concern, we sometimes forget about another aspect of information security: protecting our privacy. The privacy debate is one that has raged for many years. Today it is often equated with government intrusion, and while this is certainly a legitimate macro-level concern, there are other sinister threats that become real when we lose our digital privacy: identity theft, cyberstalking and online bullying, and physical assault due to location disclosure from digital assets (think geolocation inside of devices and geotagging metadata within digital media) are all real-world risks if we don’t protect ourselves. And while privacy and security are not the same thing, good security definitely improves privacy.
Just a few weeks ago, security researcher and journalist Brian Krebs reported on the arrest of two men who were suspected of running “vDOS,” one of the most pervasive paid distributed denial-of-service (DDoS) services in the world. DDoS as a subscription service is nothing new; vDOS had been in existence for well over four years, and along with other services such as “PoodleStresser” was part of the nascent but rapidly growing denial-of-service-as-a-service market (“DDoSaaS”; how’s that for an acronym?).
During the early-to-mid 2000s, the NBC network aired a successful reality television show called “Fear Factor.” In that show, contestants competed by attempting a broad range of terrifying stunts, eating grotesque foods, and a range of other activities designed to exploit their innate fears. The contestants, one assumes, had weighed the value of the show’s prize against the risks of the unknown, and decided to participate in the hope of winning the $50,000 top prize.
Late last year, Symantec Corporation released a survey on ransomware: malicious software that attempts to encrypt everything it can access, and demands money (usually in a hard-to-trace form of payment such as Bitcoin). One of the most disturbing trends in the report was that ransomware has grown from less than 20% of all new malware types in 2014 to over 90% of all newly discovered malware types today. Why is this? Well, put simply, because it works. When an organization’s critical business data is directly compromised, with the promise of possibly regaining access and restoring business as usual, the temptation to simply pay $500-$1,000 in Bitcoin or gift cards is strong. However, there’s always one nagging question in the background: what if the attacker doesn’t actually give us the key to decrypt the files? The only dependable answer is a tested, offline backup that the malware could not reach.
Do you know what the HIPAA Security Rule is? What about the Privacy Rule? If you're a health provider, it's paramount that you understand what both of these regulations are; otherwise you could end up like a number of health companies, in a financial mess.
Take St. Elizabeth's Medical Center in Brighton, Massachusetts, which breached HIPAA's Security Rule by violating the regulations governing electronic Protected Health Information, according to Elizabeth Snell of Health Security.
Businesses must take IT security seriously because their financial future depends on it. IT security is a broad topic that covers a range of different fields.
Here we'll discuss some of the most common vulnerabilities and why companies must ensure their operational systems are well protected against cybercriminals.
1. Injection vulnerabilities
Injection vulnerabilities, such as cross-site scripting and CRLF injection, are among the most common and oldest web application vulnerabilities. They arise wherever untrusted input is concatenated into HTML, an HTTP header, a query or a command without being validated or encoded for that context, and they are easy for cybercriminals to find and exploit because the malicious input travels over the application's normal interfaces, such as a form field or a URL parameter.
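The two injection classes named above, as an added example that is not part of the original post: a redirect handler that pastes a user-supplied `next` URL into a raw `Location` header (CRLF injection lets the attacker smuggle in a `Set-Cookie` header), and a greeting that pastes a user-supplied name into HTML (cross-site scripting). Each vulnerable function is shown beside its hardened form. The helper names, the minimal header parser, and the sample inputs are all constructed for illustration and belong to no real framework.

```python
import html
import re

# Constructed sample inputs for the demonstration (not taken from the original post).
BENIGN_NEXT = "/account"
CRLF_PAYLOAD = "/account\r\nSet-Cookie: session=attacker"   # CR LF splits the header
XSS_PAYLOAD = '<img src=x onerror="alert(1)">'


def vulnerable_redirect_headers(next_url: str) -> bytes:
    """Builds raw response headers by string concatenation.
    Any CR/LF inside next_url becomes a header boundary, so the attacker
    gets to append arbitrary headers (or even a response body)."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\n\r\n").encode("latin-1")


class HeaderInjection(ValueError):
    """Raised when a value is unsafe to place in an HTTP header."""


_CTL = re.compile(r"[\r\n\x00]")


def safe_redirect_headers(next_url: str) -> bytes:
    """Hardened form: reject control characters instead of trying to strip
    them, and allow-list the redirect target to a same-site relative path
    (this also closes the open-redirect hole in the same parameter)."""
    if _CTL.search(next_url):
        raise HeaderInjection("CR/LF or NUL in header value")
    if not next_url.startswith("/") or next_url.startswith("//"):
        raise HeaderInjection("redirect target is not a same-site path")
    return ("HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\n\r\n").encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Minimal header parser used only to show what a client would see.
    Returns a mapping of lower-cased header name -> value."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def vulnerable_greeting(name: str) -> str:
    """Reflects the name into HTML unencoded: markup in the name is executed."""
    return "<p>Hello, " + name + "</p>"


def safe_greeting(name: str) -> str:
    """Hardened form: encode for the HTML text context before concatenation."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def header_injection_rejected(next_url: str) -> bool:
    """True if the hardened redirect builder refuses the value."""
    try:
        safe_redirect_headers(next_url)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable :", parse_headers(vulnerable_redirect_headers(CRLF_PAYLOAD)))
    print("hardened   :", parse_headers(safe_redirect_headers(BENIGN_NEXT)))
    print("rejected   :", header_injection_rejected(CRLF_PAYLOAD))
    print("xss        :", vulnerable_greeting(XSS_PAYLOAD))
    print("escaped    :", safe_greeting(XSS_PAYLOAD))
```

The point of the hardened versions is that the fix is context-specific: a header value needs a control-character check (and, for a redirect, an allow-list), while an HTML text node needs HTML entity encoding. Applying one of those fixes in the other context leaves the injection in place.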