How Consumers Can Respond to the Yahoo Breach

By | December 16th, 2016|Industry News|

Yahoo recently disclosed that it has discovered a breach of more than one billion user accounts that occurred in August 2013. This is believed to be a separate attack from the breach Yahoo reported in September.

Bob Lord, chief information security officer at Yahoo, said the stolen user account information may include names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Whether or not you have a Yahoo account, this is a great reminder to make sure you’re following best practices when it comes to your online security.

Create Strong Passwords
Take a look at the most common passwords from last year and it’s a canvas of simplicity. “123456” and “password” are the two most common, with other easy-to-guess passwords like “football” and “abc123” high up on the list.

While these are easy to remember, they’re also quite easy to guess. Refrain from using your name, birthday, or pet’s name in your passwords; instead, use long, strong, unique passwords with a mix of numbers, letters, and special characters. Don’t reuse passwords across multiple apps and sites and also be sure to update your passwords regularly – it’ll help further protect your information from being accessed.

Stay Updated
When your computer or an app asks if you’d like to update to the latest version, do you typically ignore it, or click “Remind Me Later?” Get out of that habit – those updates are there for a reason. Developers are constantly fixing bugs and adding security adjustments and patches to make your devices safer.

Keep an Eye out for Phishing Scams
Phishing scams often come in the form of a fraudulent email message. Though they can occur at any time, they’re even more prevalent during the holidays, with cyber criminals sending what appears to be a legitimate offer. Avoid clicking on links or downloading attachments from suspicious emails, especially if you don’t know the sender. Be wary of emails that ask for personal information or refer you to a website to input your information, even if they appear to come from a retailer you do business with. The best way to confirm whether the retailer really sent the email is to call the legitimate entity directly.

Monitor Your Payments
Keep records of online transactions and monitor bank and credit card statements to ensure there aren’t any fraudulent charges. Contact your bank or credit card company immediately to report suspicious activity or charges – even small ones. Oftentimes, cyber criminals test small amounts to ensure the account is active. Take the time to set up monitoring services to help you keep an eye on all your financial accounts.

This latest breach is another reminder that no company is safe from cyber attack. However, by taking a proactive approach to online security, you’re doing your part in safeguarding your information and minimizing your vulnerability to attack.

Do you have any other best practices for ensuring online security? Share your tips with us on LinkedIn, Facebook and Twitter.

Virtual Reality: Real-World Security Concerns

By | December 1st, 2016|Industry News|

Recent advancements in virtual reality (VR) have ushered in one of the most exciting times in technology, with consumers and businesses alike realizing VR’s potential for transforming and enhancing experiences. VR has proven to be so much more than a vehicle for gaming. We’re still in the early stages of understanding the full implications of VR, but exciting progress has already been made in verticals spanning from entertainment to education, and even the medical field. Early studies have shown it has helped paraplegics regain body functions, treat PTSD and anxiety attacks, test car safety, and so much more.

With VR picking up steam and quickly making its way from research labs to consumers’ living rooms, it’s more important than ever for consumers to be aware of the unique threats that may be associated with VR.

Physical Risk: Blended Realities
Virtual reality simulated experiences can create a degree of realism that may cause a user to become so deeply immersed in that experience that they become less aware of their surroundings. The nature of current VR headsets is such that users cannot see anything around them. VR experiences that require movement – like simulating the motion of swinging a tennis racket for example – could cause danger or harm to the user if they are not in an open space, clear of other individuals or structures.

Digital Risks: Privacy and Identity Theft
Like any technology that collects user information, including payment, account, and personal details, VR will continue to be a valuable target for cyber criminals. Pressures to bring the technology to market quickly may also cause developers to overlook critical security and privacy considerations. Other security risks may emerge when the devices are in use, as users may unknowingly express information related to their location or identity, which may be recorded by a third party and used for marketing or, if it falls into the wrong hands, identity theft.

Many predict that hackers will use tried and true hacks in new ways, leveraging VR to have users “unwittingly deploy a Trojan” or “leak their password with just a wave of a hand,” for example. Phishing could also be executed via “fake virtual objects,” a duping method believed to already be in use by hackers.

Securing VR will take collaboration from the public and private sectors and a commitment from technology developers to create more secure devices. However, users should be aware of their own responsibility in protecting themselves. Be careful to use long, strong and unique passwords for VR-associated accounts, vet third party vendors, and ensure all of your devices have the latest software.

Have other VR security considerations to share? Weigh in with us on Facebook, Twitter and LinkedIn.

How the Election May Affect Cybersecurity for Consumers

By | November 16th, 2016|Industry News|

Regardless of where you stand politically, one thing we can all agree on is that the topic of cybersecurity took a prominent role in this year’s presidential elections – from concerns around hacks at polling sites to alleged cyber-attacks against the candidates themselves. Now that the election period has come to a close, the outcome will undoubtedly have implications for consumers, as several cybersecurity policies and practices come under discussion and key legislative decisions are made.

In 2016, we saw key moves from the White House, including the introduction of the Cybersecurity National Action Plan (CNAP), a plan seven years in the making which takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, and empower Americans to take better control of their digital security. As cybersecurity continues to garner growing national attention, we can expect it to remain a popular topic of conversation and influence decisions being made in 2017 and beyond.

We’re still in the early stages of learning about President-elect Trump’s plans for cybersecurity beyond the vision expressed on his campaign website, which includes the establishment of a Cyber Review Team and Joint Task Forces. Trump’s 100 Day Action Plan, the roadmap of priorities for his incoming administration, also promises to work with Congress to establish a “Restoring National Security Act,” a provision of which would go towards protecting the country’s infrastructure from cyber attacks. Trump has also promised a federal hiring freeze and a new requirement that two federal regulations be eliminated for every new regulation. If enacted, both of these policies could potentially impact existing cybersecurity regulations like the CNAP.

On the financial side, consumers could also be impacted by his promised reforms to the Dodd-Frank Act. Part of that act established the Consumer Financial Protection Bureau, a government organization that educates consumers on financial risks including identity theft and fraud.

As we learn more, it’s imperative that consumers understand the role they play in staying secure, regardless of policy decisions made at the state and federal levels. It’s the responsibility of all consumers and businesses nationwide to keep cybersecurity top-of-mind and take the necessary proactive steps to help safeguard their personal information. Here are some steps you can take – in five minutes or less – to up your personal security:

  • Turn on two-factor authentication (2FA) on your online email and financial accounts: By making the login process harder and more complex through incorporating this additional step, 2FA provides an extra layer of security for you against attackers.
  • Create long, strong and unique passwords: Take a few minutes to ensure all of your passwords include a long and cryptic combination of upper and lowercase letters, numbers, and special characters. Also avoid using easy-to-guess passwords, like your name, birthday, or pet’s name, and be sure to use unique passwords across accounts.
  • Opt-in to automatic updates: Software updates almost always address security vulnerabilities. Keeping your system updated with the latest software means you have the latest patches to defend against threats.
  • Check your privacy settings on social: Social platforms are constantly updating their security and privacy policies, with new features like 2FA that can help keep your information secure. Stay up to date with these policies to make sure you’re taking advantage of all security features.

Have more tips to share? Weigh in with us on Facebook, Twitter and LinkedIn.

A Recap of NCSAM 2016

By | November 4th, 2016|Industry News|

Each October, we band together with other businesses, nonprofits, and agencies to observe National Cyber Security Awareness Month. Now in its 13th year, NCSAM is a collaborative effort between the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate consumers, corporations, and institutions about cybersecurity awareness.

The past four weeks we have been sharing our tips and insights in weekly themed #ChatSTC Twitter chats, hosted by our friends at STOP. THINK. CONNECT. Below, learn more about the topics we explored and key takeaways on important issues discussed.

Every Day Steps Towards Online Safety:
Creating new cybersecurity habits does not need to be daunting. There are simple steps and easily adoptable actions that can help keep your private information safe online.

  • We recommend getting started by creating a conversation at home. Late last year, it was reported that teens spend nearly nine hours every day in front of some form of media channel. Talk to your children and your partner about the types of information that should remain private and the importance of safeguarding this information.
  • Create strong, cryptic passwords that are a complex combination of letters, numbers, and special characters. Take care to avoid your name, birthday, or pet’s name, and don’t reuse passwords across multiple sites and apps. We also recommend using two-factor authentication whenever possible.
  • Check your privacy settings on your devices and apps. Certain apps may have default settings that may share your sensitive information. Disable or permanently delete programs and apps you no longer use.

Cyber from the Break Room to the Board Room:
Businesses of all sizes need to implement cybersecurity practices and understand the threats facing their organization, like phishing scams and malware. Every person in an organization plays a role in keeping a business secure and creating a culture of security.

Our Continuously Connected Lives:
Lastly, we explored the Internet of Things. According to Cisco, there are already 10 billion things that can connect to the Internet. This number is expected to grow substantially within the next few years. Cisco predicts that by 2020, the number of devices connected to the Internet will exceed 50 billion. However, the cybersecurity standards within these devices remain somewhat uncharted territory.

  • Whether a wearable, smart fridge, or connected car, it is important for users to understand what data is being collected and stored.
  • Always password protect new devices and use biometric authentication whenever possible.

You can learn more about all of these topics in our Firewall Chats podcast series, and by searching the hashtag #ChatSTC on Twitter. CSID is proud to be a champion of National Cyber Security Awareness Month. Let us know your top cybersecurity tips on Facebook, Twitter or LinkedIn.

Friday’s Cyber Attack and Future Threats

By | October 24th, 2016|Industry News|

Photo by: DownDetector

Friday was an interesting one for Internet users in the U.S. A large-scale Distributed Denial of Service (DDoS) attack took down a number of sites including Twitter, Netflix, and Amazon for a large part of the day. Many of us were left with a newfound sense of how much we rely on web-based services in our day-to-day lives and a growing unease about how vulnerable these services are.

DDoS attacks are not new and are just one type of cyber attack in a growing arsenal. We’ve compiled a list of some of the types of cyber attacks that are seeing incredible growth, and a description of how each works. You’ll likely be hearing these terms more as these attacks continue to grow in prevalence and scope.

Distributed Denial of Service Attack: Friday’s Internet outage was caused by a DDoS attack on Dyn, a company that monitors and routes Internet traffic. While Friday’s attack did require a fair amount of sophistication (USA Today has a great summary of the details we know to date), most DDoS attacks are easy and inexpensive for hackers to execute. A DDoS attack occurs when a website’s servers are flooded with illegitimate page requests, preventing legitimate requests from getting through. This can often cause the website to crash. Cyber criminals can execute DDoS attacks for as little as $150 a day by purchasing botnets on the online black market. Botnets are a network of computers and connected devices infected by malware and controlled without the owner’s knowledge. Botnets are used to send the page requests, resulting in the overburdened servers. A recent study by CDN services company Akamai found that there has been a 125 percent increase in DDoS attacks year-over-year and a 35 percent increase in their duration.

Zero Day Attacks: A Zero Day vulnerability refers to a hole in a business’s software that is unknown to the software provider. A Zero Day attack refers to an incident in which this hole is exploited by hackers before it is discovered and fixed. Because these vulnerabilities are unknown to the developer, cyber criminals can often exploit holes for months before anything is detected. According to Symantec, the number of Zero Day attacks also increased by 125 percent last year.

Domain Name System (DNS) Hijacking: The DNS is a naming system for any resource connected to the Internet that associates various information with domain names. For example, the DNS translates a user-friendly name, like CSID.com, to its corresponding IP address. DNS hijacking, or DNS redirection, is the practice of intercepting and changing the information associated with a DNS record for malicious reasons. The result is that a user ends up on a site that has malware or malicious code instead of the site intended.

These are just a few of the cyber attacks we’ll be reading more about in the coming years, especially as the skill set and resources needed to execute them continue to lessen. For businesses, it means strengthening security on their sites and focusing on security against web-based attacks. For consumers, it is about staying informed.

Were you affected by Friday’s DDoS attack? Share your experience with us on social media. Follow CSID on Facebook, Twitter or LinkedIn.

The Next Frontier: Cybersecurity in Space

By | October 20th, 2016|Industry News|

Research organization Chatham House made headlines earlier this month with a new report that calls for a “radical review of cybersecurity in space” and points to the rarely discussed, but increasing threat of satellite attacks. As so much of our world’s infrastructure – including GPS navigation, financial transactions, weather and environmental monitoring – relies on satellite data, it’s important to recognize that satellites and other space assets, just as any piece of technology on Earth, are vulnerable to cyber-attack.

According to the report, such attacks might include jamming, spoofing and hacking attacks on communication networks; targeting control systems or mission packages; and attacks on ground infrastructure like satellite control centers. There are a few reasons why satellites and space systems may be more vulnerable to attack. Here are some of those key factors listed in the report:

  • The first GPS systems were introduced more than three decades ago and technology is evolving at a rapid pace, making it hard to execute a timely response to space cyber threats. Younger individuals are using space-based and cyber communications in ways that older generations – oftentimes the key decision makers – may not understand, including the range of threats.
  • Backdoor holes in encryption and otherwise secure control systems.
  • Increasing number of individual satellites and constellations providing an ever-increasing number of entry points.
  • Speed to market compromising important security controls.

The researchers leading this project insist that it will take a concerted and collaborative international effort, made up of “able states and stakeholders within the international space supply chain and insurance industry” to combat these growing threats.

But what can we do as consumers? Just as our day-to-day actions impact our security in the Internet of Things, these actions may also impact our security in space. It’s imperative that we take action to secure our personal data (check out some tips on how to help secure your data in five minutes), that business owners educate employees on cyber security best practices, and that manufacturers and developers keep security top-of-mind when bringing new products to market.

Where do you think the future of cyber security in space is headed? Share your thoughts with us on Facebook, Twitter or LinkedIn.

All Eyes on Encryption: Facebook Steps Up Its Game

By | October 13th, 2016|Industry News|

More than 900 million people around the world use Facebook’s Messenger app to communicate with friends and family while on the go. The mobile messenger app is a way for users to communicate privately, but until recently, there hasn’t been much public information available around how Facebook is ensuring these messages are kept private and secure.

Recently, Facebook announced that the company is offering encrypted messaging technology to mobile users worldwide in a feature it’s calling “Secret Conversations.” Facebook’s users can opt in to send messages that no one – including Facebook, the government, or intelligence agencies – will be able to read, using Signal Protocol for end-to-end encryption.

This is a big move for Facebook and for social media overall. While other apps like WhatsApp provide encrypted messages, many major social platforms do not. There is the possibility of identity theft via social media, particularly for users who aren’t selective with what they post. Having an additional layer of privacy in messaging could potentially reduce the risk of an attack.

However, in America, as more messaging services offer the ability to encrypt messages, the mindset could shift from whether encryption should be an option to whether it should be the default setting. On Facebook’s Secret Conversations, it’s currently not the default setting. Unless users opt in to the service, their messages will remain unencrypted, and each messaging chain must be selected. In other words, users must actively select which messages they wish to remain private. It’s a similar strategy to Google’s messaging app Allo, which also offers opt-in messaging encryption.

While Facebook Messenger’s new encryption feature is welcome news to privacy advocates in the United States, people in other countries may find themselves in a precarious position. Facebook is a global company, reaching nations across the world. Some of those countries have strict privacy laws, which would interfere with what Facebook is trying to do in offering encryption for all of its global users. Facebook has seen this controversy before when its WhatsApp property made international headlines.

For now, it’ll be interesting to see how many users utilize Secret Conversations. Infrequent or non-technical users may never even be aware of its existence, while others may worry that activating encryption could drive unwanted attention their way. While the messages themselves will be encrypted, the metadata won’t be, so those outside the conversation can see who is messaging each other, and how often they’re doing so.

Will you take advantage of this new encryption feature on Facebook Messenger? Do you use any other apps that offer encryption? Join the conversation and stay up to date on the latest cybersecurity news by following CSID on Facebook, Twitter or LinkedIn.

Macs Under Attack: Why We Can’t Take Security for Granted

By | September 1st, 2016|Industry News|

In January, we shared predictions about the trends that would dominate the cybersecurity space in 2016. Among those was a prediction that Apple devices would no longer be “immune” to attack and as they gained popularity, would become a more desirable target than ever for cyber criminals. Once seemingly impossible to penetrate, we’re already seeing a number of attacks against Apple in just the last two months that suggest this is no longer the case.

Users were urged to update their devices in late July, when news broke around new research identifying security holes in Apple’s desktop and mobile operating systems that could allow malware to be sent via iMessage – similar to what we saw last year with the Stagefright bug on Android devices. By creating malware formatted as a TIFF file, hackers could send an image to a target over iMessage and execute malicious code on the device – giving the attacker access to both the device’s memory and any stored passwords. The same attack could be delivered by email, or by directing the user to a browser that contains the malware-infected image. The good news? Apple addressed these vulnerabilities with the release of iOS 9.3.3 for mobile and El Capitan 10.11.6 for OS X.

Just last week, we saw what could be another pivotal moment in Apple security: the first remote jailbreak exploit. Human rights activist Ahmed Mansoor, from the United Arab Emirates, received a suspicious text with a link that, if clicked, would have jailbroken his phone and infected it with malware. Had this been successful, the attacker would have been able to log encrypted messages, secretly activate the phone’s microphone and track its movements. This attack exposed three vulnerabilities in Apple’s iOS that, when combined, could lead to the jailbreak of an iOS device, which, until now, has never been thought to be possible. Again, Apple released patches for the vulnerabilities with the release of iOS 9.3.5 last week.

Attacks against Apple show no sign of slowing. That said, if there is one takeaway from the above, it’s that Apple is offering consumers the opportunity to stay secure with every software update they release. It’s therefore our responsibility to take advantage of these updates, and take control of our own security.

Join the conversation and stay up to date on the latest cybersecurity news by following CSID on Facebook, Twitter or LinkedIn.

News Recap: Millennials and Cybersecurity

By | August 11th, 2016|Industry News|

This week, we’re talking about one of the most important topics in cybersecurity: the global cybersecurity professional gap and how computer-savvy millennials can help to fill it. Here’s a quick recap of the news surrounding this important issue, including research from our friends over at the National Cyber Security Alliance (NCSA).

The Cybersecurity Professional Gap
Today’s interconnected world creates greater opportunities for cyber attacks. As a result, the demand for cybersecurity professionals has grown enormously. Unfortunately, there are not enough qualified professionals to meet that demand. A study from Raytheon found that 79% of businesses in the U.S. experienced a recent cybersecurity incident, but 82% are unable to fill their open IT jobs. The study also found that while there are only 65,362 Certified Information Security Professionals (CISSP) in the U.S., companies posted almost 50,000 job requests for CISSP holders.

The consequences of this gap are already being felt. NCSA explains that without the proper security team, organizations are exposed to a greater risk for loss in profitability, brand reputation and intellectual property. According to a report from Intel Security, 71% of those who participated say they are already seeing quantifiable damage to their organizations. Current cybersecurity professionals are more likely to experience burnout, and their limited time is often spent responding to pressing cyber incidents rather than defending against them in the first place.

Can Millennials Fill The Gap?
Organizations and governmental task forces globally are hoping millennials can start to fill the deficit. However, lack of awareness is still a huge barrier. The Raytheon study found that 52% of millennial women and 39% of millennial men say they were never made aware of computer science programs in school. Additionally, 77% of young women in the U.S. say no high school guidance or career counselor talked about cybersecurity as a career, and 67% of men said the same.

Fortunately, it’s not too late for the millennial generation to correct the problem. The same Raytheon study also found that 40% of survey respondents were interested in learning more about careers in security. While millennials already in the workforce may have a more difficult time switching career fields, helpful Quora users have shared some tips on how people can begin to educate themselves. Additionally, the current pool of late millennials and college students are great candidates to begin training in the cybersecurity market.

Join the conversation and stay up to date on cybersecurity news by following CSID on Facebook, Twitter or LinkedIn.

Head to the Polls: SXSW 2017 PanelPicker Voting is Now Open

By | August 8th, 2016|Industry News|

It’s that time of year again: South by Southwest’s 2017 PanelPicker voting platform is now live! Every year, people around the world vote through PanelPicker to help bring their favorite sessions to SXSW Interactive, the internationally recognized event that draws thousands of tech enthusiasts to Austin, TX every March.

We’ve participated in SXSW Interactive for the last few years and we’re once again hoping to bring our cyber security expertise to the stage, but we need your help to get us there. SXSW’s PanelPicker is a simple, two-step online process that allows the SXSW community to have a significant voice in shaping the programming. Your vote shows the organizers that our panels are a good fit for 2017’s event.

Check out our submissions below. If you want to see the panel at SXSW next March, follow the PanelPicker link and give it a “thumbs up.” All you need is an email address to vote.

The Creation Of A Hacker
Younger, less technical individuals are the new face of cyber crime. Through a live demonstration, this session will dive into the relatively unexplored world of gaming and showcase the growing role it is playing in luring younger individuals to get involved in cyber crime as a service. We’ll explore the emerging business models within the dark web and the consequences for the misrepresentation of hackers in mainstream media. Recent case studies will shine light on the evolving cyber criminal identity and participants will walk away from the session with new, critical insights to mitigate risk at the individual and organizational levels.

Vote here: http://panelpicker.sxsw.com/vote/60437

Target on Their Back: Small Businesses Under Attack
Cyber criminals have their eyes on small businesses more than ever before. In fact, more than half of phishing attacks were targeted towards small businesses last year. Why? They have fewer resources to defend themselves than large enterprises but still store data criminals consider valuable and attractive for commerce across the dark web. The consequences of a breach can be critical – sometimes even forcing a small business to close up shop. With attacks on small businesses showing no sign of slowing, how can this group stay one step ahead of cyber threats? Join this dual session for a conversation around the latest threats and walk away with proactive steps to defend against attacks.

Vote here: http://panelpicker.sxsw.com/vote/65846

The Domino Effect of Flawed Breach Response
The unthinkable happens – your company has been breached. How has this happened? What are the first steps you take? Are you prepared? In this interactive session you’ll gain insight into the breach response process, uncover best and worst practices, and experience the long-term domino effects inherent with each. Attendees will form small groups to role-play the wide variety of responses at each stage, and uncover the potential long-term effects of actions. By learning best practices through seeing the effect of worst practices, you’ll walk away with unique insight into the breach response process that will help you prepare your company.

Vote here: http://panelpicker.sxsw.com/vote/61885

You have until September 2 to cast your vote and leave any comments or questions for our panelists. We appreciate your support! Keep up with our SXSW involvement and other company happenings on Facebook, Twitter, and LinkedIn.
