Category Archives: Internet Security

These are the companies offering free software during the coronavirus crisis – IT PRO

The escalating COVID-19 outbreak has already changed the way we work and live in significant ways, with countries under lockdown, supply chains disrupted and businesses in the midst of an economic crisis. A plethora of tech companies have stepped up, however, to help in ways that only they can, whether it's by supporting other businesses or the emergency services as they struggle to contain the crisis.

Be it security software to protect medical teams from cyber security threats, or providing access to workplace apps to ease employees working from home, tech companies are rising to the challenge. We've rounded up some of the best offers that organisations and workers can take up today as the coronavirus crisis continues to escalate.

Non-profit organisation CompTIA is a trade association that trains, upskills and issues professional certifications for IT workers

CompTIA is providing free 30-day licenses for the CertMaster Learn eLearning course for the CompTIA IT Fundamentals (ITF+) certification. This is a pre-career certification that helps students and those keen to switch careers understand whether or not they have the capacity to take on a career in technology.

The CertMaster Learn programme is a tool that can be tweaked to suit each individual's preferred method of learning, and includes a host of features tailored to suit different ways of learning. These span learning with flashcards, videos to outline key concepts and processes, as well as performance-based questioning, and analytics.

The Russian-based cyber security company Kaspersky develops enterprise security products and antivirus systems for organisations

Medical organisations based around the world are eligible for six months of free product licenses for a swathe of B2B products that covers an array of security facets - from the cloud to Office 365 protection.

For six months, the firm's Endpoint Security Cloud Plus, Security for Microsoft Office 365, Endpoint Security for Business Advanced, and Hybrid Cloud Security platforms will be free for healthcare organisations. To obtain a license, representatives of medical organisations can contact local resellers or a local Kaspersky office directly.

Founded ten years ago, ThousandEyes is a network monitoring company that develops software that analyses performance of local and wide area networks

A Global Internet Outages Map has been launched to provide a real-time visualisation for the state of the global internet health, based on ThousandEyes insights.

With more and more of the workforce working remotely, fears are rising that pressures on the internet - from streaming services to workplace apps - may become too great. Anyone can use the service to gain a broad understanding of internet usage patterns, as demand for services climbs, by indicating when outages may be occurring, where, and which services are affected.

The web security firm ImmuniWeb develops AI and machine learning-based tech for app security testing and attack surface management

Businesses can apply for $500,000 worth of ImmuniWeb products to help migrate their employees to digital spaces. Eligible firms can use ImmuniWeb Discovery, ImmuniWeb On-Demand and ImmuniWeb Mobile Suite products to perform a host of tasks from assessing their attack perimeter to conducting audits of their web and mobile apps.

The offer's been extended to international companies or government entities in Europe, Canada or the US, and solvent businesses that have existed for the last two years in these regions. Companies must have made 30% or less of their revenues from online sales in 2019, and must expect 70% or more of their revenues to shift online in the second quarter of 2020 due to coronavirus.

Firms must email ImmuniWeb, describing their digital transformation demands, a list of their web or mobile apps, cloud or software as a service (SaaS) systems, and contact details. Governmental agencies fighting COVID-19, as well as suppliers of medical equipment and essential goods, can apply for fast-tracking.

Banyan produces a flagship remote access platform for businesses in thrall to hybrid and multi-cloud environments

To help businesses through the global crisis, Banyan is offering companies free full access to its Zero Trust Security Platform. This product offers customers secure remote access for users and applications through a singular platform, which is also scalable.

The remote access system is designed to suit a multitude of environments, from on-premise to multi-cloud deployments. Newly-registered companies will be offered free usage of the Zero Trust system for a limited time to help them improve workforce productivity and reduce frustrations tied with virtual private networks (VPNs).

The multinational cyber security firm Trend Micro develops enterprise software for a wide range of systems including servers, containers and end points

Trend Micro has offered six months of free access to its internet security product Maximum Security for employees forced to work from home using their personal computers. This is in addition to a one-month trial for Maximum Security for mobile devices.

The Work From Home Assistance Programme gives workers access to the comprehensive security and antivirus software, which includes features ranging from ransomware protection to anti-phishing tools. Businesses can sign up with the Trend Micro website directly to receive product download URLs that can then be shared among employees.

The developers' Q&A site Stack Overflow gives programmers and coding enthusiasts a forum to learn and share their expertise

The basic tier of Stack Overflow for Teams, a collaborative learning environment for development teams within businesses, is being made free for an unlimited number of users through to 30 June 2020.

The tool helps people collaborate and share knowledge across their organisations, and empowers them to ask and answer questions directly relevant to the systems they're building and maintaining. Organisations can apply to use the service through the Stack Overflow website.

The Leeds-based analytics company Panintelligence gives businesses insights, analytics and software to help with reporting

Small businesses in Yorkshire, England can apply for a full version of Panintelligence's flagship analytics suite for 90 days, which includes ten user licenses.

Eligible companies can use these intelligence, reporting and analytical tools to maintain a broad view of business performance, keep in the loop with key metrics like cash flow, as well as maintain communication between staff members. Businesses can leave their details with the Panintelligence website for a member of its software team to get back in touch with further details.

The workplace mental health and personal development platform Unmind gives employees digital tools to manage their mental wellbeing

All 1.5 million NHS workers have been granted free access to Unmind's workplace mental health platform to manage their concerns and wellbeing during the COVID-19 crisis.

The platform will give any staff member with an NHS email address access to the suite of digital tools, which comprise learning and development programmes, relaxation tools, mental health assessments and insights, among other tools. Staff can register for free with the Unmind website, and no expiry date for access to these tools has been set.

The tech giant most known for its Windows operating systems also runs the Azure public cloud platform and develops enterprise and workplace software

NHS staff can make use of Microsoft Teams to communicate with one another through audio and video calls, as well as chats, during the coronavirus outbreak to share advice and updates on patients.

The unified collaboration and communication platform, which boasts a staggering 44 million users, hosts a range of business-centric tools, and boasts a solid range of app integrations. NHS Digital is rolling Teams out to all NHSmail users, with organisations not using the NHSmail system also eligible for free access if they apply directly to Microsoft. They'll also have access to NHS Digital's NHSmail support platform for help with rolling out the platform.

RingVPN offers an unlimited encryption service for secure and anonymous web browsing for a range of devices

RingVPN has made the first 90 days' usage of its flagship service free of charge, and suggests it may extend this offer if the business disruption continues beyond.

The company had been planning to launch its VPN service in May, but has brought forward the software following an explosion of questions and queries. RingVPN uses AES 265-bit encryption to protect connections across a range of devices and operating systems. Organisations can register to receive the initial three-month cost-free subscription through the RingVPN website.

The Singaporean firm Acronis develops on-premises and cloud software for backup, disaster recovery and secure file sync and share, and data access

The cyber protection firm Acronis has made its Cyber Files Cloud product free to all service providers until 31 July 2020, so they can help clients transition to remote working.

The enterprise-grade file sync and share platform can be deployed by service providers to their client organisations to reinforce the transfer of files and data as workers migrate to working from home. Partners who are keen to take up the offer should approach their account manager with Acronis.

The Voice over Internet Protocol (VoIP) company 3CX develops unified communications (UC) software for organisations of all sizes

All businesses and public sector bodies can take advantage of the standard edition of 3CX's flagship VoIP software free of charge for a staggering three years. Unlimited employees can be registered with the service, too.

The UC platform allows users to make and receive calls with a smartphone and web app, as well as communicate with colleagues. Firms looking to keep a clear line of communication with customers can also do so with a live chat plugin embedded into their websites. Organisations interested in registering for the free service can do so through a dedicated 3CX web page.

Selenity develops a range of cloud-based back-office software for organisations, spanning HR and finance to procurement and legal

Selenity is offering free access to a segment of its ER Tracker software, an HR case management system, to help businesses track staff absences due to COVID-19 infections.

The platform is designed to help HR professionals improve case compliance and turn HR policies into effective actions. The system features a variety of tools from document capture, to real-time monitoring and workflow management.

Large businesses with more than 500 employees can use ER Tracker CV-19 for a six-month trial period on a first-come, first-serve basis. The CV-19 add-on is also being offered to its existing customers free of charge.

Lifesize is a video collaboration software developer that builds communication and productivity tools

Organisations impacted by the pandemic are eligible for an unlimited number of free licenses to use Lifesize's cloud-based video collaboration platform for six months.

The platform allows unlimited hosts, meetings and call duration for video conferencing so businesses can more easily transition their workers into remote working. It's compatible with iOS and Android as well as Windows and Mac devices, alongside in-browser functionality. Organisations of all sizes and all sectors are welcome to take up the offer, and can do so by signing up on the Lifesize website.

Qualys provides cloud security, IT and compliance services to businesses with real-time threat analysis

Remote workers can keep their devices secure with a 60-day free trial of Qualys Remote Endpoint Protection service. The offer includes free instant security assessments, visibility and remote computer patching for corporate and personal PCs.

The Remote Endpoint Protection software identifies and inventories all remote endpoints with real-time visibility, ensures these devices are secure, and patches remotely with no impact to VPN bandwidth, among other features. Businesses of all sizes can apply for the 60-day trial by registering with the Qualys website.

The password and information security manager Dashlane builds a platform that doubles as a password repository and digital wallet

Dashlane is waiving the charge for the first three months of Dashlane Premium subscriptions for new individuals, as well as corporate accounts through Dashlane Business.

The service aims to boost personal and corporate security by storing passwords and other sensitive material including payment information in an online and desktop-based repository. Companies of any size or sector can use a Dashlane Business account for 90 days free of charge for an unlimited number of employees by registering with the website. Dashlane will also send discount codes for individuals who have already signed up to use the free version.

Read more here:
These are the companies offering free software during the coronavirus crisis - IT PRO

The real insider threat is the use of security software – TechRadar

An insider threat is defined as a security risk that derives from within an organisation; and with the global cost averaging $11.45 million, it is critical that organisations address this issue. Frequently, the risk is attributed to malicious or negligent employees, as well as others close to the organisation, such as contractors and business associates, and organisations think that employee monitoring software will prevent threats. Yet this understanding of insider threats misleadingly unloads the blame on people; in other words, it makes them the scapegoat.

Javvad Malik is a Security Awareness Advocate at KnowBe4.

While there are people who do actively seek to harm an organisation, according to the Ponemon Institute's 2020 Cost of Insider Threats Report, they only account for 23% of insider threats. The majority of people can be easily trained to become an asset rather than a liability for the organisation.

Rather than blaming people then, why are we not shifting our attention to the root of the problem? That is to say, security software.

Whether embedded with vulnerabilities, corrupted by governments, or used as a channel to harvest data for a profit, the use of security software at present is riddled with problems.

One of the largest and most commonly used security software providers is the Czech-based company Avast antivirus, with more than 435 million active users across 59 countries employing their antivirus protection. However, until the end of January 2020, Avast was also furtively gathering data from their users and selling that data on to third-party customers through their subsidiary, Jumpstart. In that sense, they have been working as a double agent against the very people who had entrusted them with their internet security and, specifically, their privacy.

In many cases, the software itself is faulty. According to the Veracode SOSS Report Vol. 10 published last year, around 10 million flaws were found across 85,000 applications and 83% of those applications had at least one flaw in the initial scan. Out of those flaws, 20% were marked high or very high severity. It is precisely through exploiting such vulnerabilities that bad actors are able to infiltrate an organisation and access its data.

Complicating things further, the sheer scale and complexity of vulnerabilities makes it that much harder to verify if a system has or has not been patched. Indeed, the majority of data breaches (60%) occur because software vulnerabilities were left unpatched. The Equifax data breach of 2017 and the Marriott breach in 2018 are two exemplars of this occurring, collectively exposing over 640 million records.

In certain instances, the government gets involved, and not in a way that resolves infringements on privacy rights or apprehends the criminals behind attacks. Rather, they themselves are the offender. The attacks carried out by APT5, otherwise known as Manganese, on high-end enterprise VPN servers are a clear example of this.

Since August 2019, it was revealed that Chinese state-sponsored hackers performed internet scans in search of Fortinet and Pulse Secure VPN servers. They then attempted to exploit two vulnerabilities within these VPN servers to gain access to files without the need for authentication, allowing the hackers to acquire access to passwords and VPN session data from vulnerable devices. The Iranians are not too far behind either. A report by cybersecurity firm ClearSky revealed that Iran's government-backed hacking units have made it a priority to exploit VPN bugs as soon as they become public.

Fortinet and Pulse Secure VPN servers are both widely used, with hundreds of thousands of customers. More specifically, Pulse Secure is popular amongst numerous Fortune 500 companies, including some of the largest technology firms and government agencies. Their use of a VPN server is, primarily, to protect their internal servers from unauthorized access. Yet, if they fail to do so, how can we then turn around and blame the employees when a breach occurs?

Finally, there is scareware. As is implied by the name, scareware is a form of phishing that gambles on your fear and perception of an impending threat. Through a pop-up ad, cybercriminals send warnings suggesting that your computer is infected with malware or that it is running slow. They then capitalize on your concern and panicked reaction to provide a solution.

However, the solution, a fake or a bogus update, enables the bad actor to access your data and install malware on your computer, perhaps even ransomware. In this type of scenario, it is easy to point the finger at the individual who clicks on the ad, but what about the security software providers who let it happen? Is it not the responsibility of security software programs to identify malicious ads and block them from popping up on the screen?

In the end, we are left to wonder what the real insider threat is. All this time, people have been described as the weakest link and held responsible for exposing organisations to insecurity. Yet, looking at the evidence, the problems seem to stem from security software and their providers. Considering that they are the ones who are supposed to protect us, both individuals and organisations, from a cyberattack, it is rather ironic that they are, in reality, the problem.

Read the original post:
The real insider threat is the use of security software - TechRadar

Preparing for November’s election must be a national priority | TheHill – The Hill

The coronavirus pandemic is testing our nation's resolve and already disrupting our way of life. But we can't afford to let it disrupt the November election.

Six states have already postponed their primaries. More will likely follow in the weeks and months ahead.

With a risk that the pandemic will continue through November, the hard work to plan for the election must begin now. The American people deserve a national bipartisan effort including leadership from the policy and technology communities to ensure the integrity and continuity of American democracy.

The good news is that this important work was underway long before the pandemic. Since 2016, national and state leaders have prioritized strengthening the security and integrity of U.S. elections with bipartisan engagement from the Obama and Trump administrations. Congress has invested more than $800 million in new funding for state and local election systems over the past two years.

Recent efforts to modernize state and local election systems have focused on addressing potential cybersecurity vulnerabilities. Managing this risk should remain a priority, particularly given the recent cybersecurity attack against the Department of Health and Human Services. We should plan for foreign adversaries to exploit potential opportunities to undermine and divide our country.

But we now face a new, graver threat in COVID-19. National, state and local officials will need to work together to adapt the American election system to address the challenges of a pandemic.

We all hope that society returns to normal sooner rather than later. But if social distancing to flatten the curve of potential infections is required through November, state and local election officials must consider new strategies to administer the election.

One promising strategy is to expand vote-by-mail, which is already common for absentee ballots and Americans living overseas. According to the National Association of Secretaries of State, 33 states and Washington, D.C. now allow vote-by-mail for non-absentee voters. Sens. Amy Klobuchar (D-Minn.) and Ron Wyden (D-Ore.) recently introduced legislation to allow all Americans to vote by mail.

Expanding this option to all communities, combined with widespread early voting, offers a promising option for states seeking to support social distancing while encouraging voter turnout and participation.

But vote-by-mail does come with risks, particularly concerns about voter integrity and ballot harvesting. We must ensure that votes sent by mail are counted accurately. The policy and technology community should work together to quickly develop best practices and practical solutions to address these concerns to ensure voter confidence.

One aspect of vote-by-mail to consider would be to design ballots in a manner that provides voters with an electronic receipt (such as a QR code) that they can use to electronically verify their vote was counted. This process, combined with other checks and balances, such as the creation of a state election integrity ombudsman, could establish a system where voters can independently audit whether their vote was counted accurately.

Officials should explore other ways to use technology. For example, mobile applications could allow voters to gauge the voting location wait times and check in to their preferred paper ballot drop-off or in-person voting location. This activity would alert the poll registration system to the increased voting demand and likely resulting wait times. The same monitoring data can be shared with a variety of services supporting voting wait time web sites and mobile mapping applications like Waze, Google Maps, and Apple Maps. This could allow for the election day voters to maximize their options for voting while supporting social distancing.

Experts from the policy and technology community should work together to consider these and other options to support our state and local election officials.

We should all have confidence in the public servants responsible for administering our elections. In January, the nation's Secretaries of State and state election directors met in Washington. While Congress debated impeachment across town, state officials were having nuanced discussions about all aspects of election administration. In our deeply partisan times, these state leaders are working together in a spirit of nonpartisanship that should make us all proud.

Much is uncertain about the weeks and months ahead. But history shows us that we can hold an election during even the most difficult times. The United States held elections in 1864 during the height of the Civil War and in 1944 when the Greatest Generation was fighting World War II.

It may be our responsibility to hold a presidential election during a pandemic. The time to prepare is now.

Dan Lips is Director of Cyber and National Security and Sean Roberts is a Senior Internet Security Engineer with the Lincoln Network.

Link:
Preparing for November's election must be a national priority | TheHill - The Hill

EFF and COVID-19: Protecting Openness, Security, and Civil Liberties – EFF

EFF and its members work to ensure that technology supports freedom, justice, and innovation for all the people of the world. The COVID-19 pandemic has made obvious how important the Internet and digital tools are to our lives and how vital it is that we maintain an open and secure approach to them.

For those of us living under quarantine, shelter in place orders, or just staying home to voluntarily help protect our communities, we now rely on the Internet and digital tools more than ever to share information and advice, create art and memes, listen to our favorite musicians perform live, or just to feel less alone. We see how technology is helping us cope, hopefully temporarily, with the loss of in-person contact. Many others are using digital tools and services to organize mutual aid for their neighborhoods and communities in this time of crisis.

Thanks to open access science, scientific and medical teams are able to instantly share their work and build on efforts to track the virus, study its effect on people, and develop vaccines. Others are developing ways to create and repair vital medical equipment using open tools, including reportedly 3D printing. We are coming together online and offline in new and creative ways, and ensuring that security, privacy, and openness are baked into the tools and services we use will only support our efforts.

In some ways, the explosion of open creativity online to keep us connected and sane during these scary times is one of the bright spots in the darkness. But in the United States, it also shows how this crisis disproportionately impacts those of us who are marginalized in society already: the unsheltered, those who cannot afford or access reliable broadband service to continue school or work, the consultants and retail workers who have little reserves, and all of those falling through our frayed social safety net. Innovation is needed here too, like ensuring that robust broadband access works for everyone, not just the wealthy, and is not dependent on temporary largess of some giant providers.

We also know that times of great public fear come with great risk. Public fear has driven some of the worst human rights atrocities, and given opportunities for those who would seize power from us and reduce or even erase our hard-won human rights and civil liberties. Already we see efforts to use this public health crisis as an excuse to place irrational blame on our Asian communities and direct even more pressure and discrimination against refugees and immigrants. We already see calls from companies seeking to cash in on this crisis for unchecked face surveillance, social media monitoring, and other efforts far beyond what medicine or epidemiology require.

When fear threatens to undermine our rights and pervert justice, that's where EFF, and you, come in.

We know that this virus requires us to take steps that would be unthinkable in normal times. Staying inside, limiting public gatherings, and cooperating with medically needed attempts to track the virus are, when approached properly, reasonable and responsible things to do. But we must be as vigilant as we are thoughtful. We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, necessary and proportionate to the needs of society in fighting the virus. Above all, we must make sure that these measures end and that the data collected for these purposes is not re-purposed for either governmental or commercial ends.

As we head further into these difficult times, EFF is standing strong to make sure that we both take advantage of how technology can help us now and, equally importantly, that we emerge from this time with our freedom and democracy as strong, if not stronger, than when we went in. Because we at EFF have a committed membership as our primary support (over half of our annual budget comes from individuals), we are able to pivot our attention to these issues even as we continue our ongoing fights. Our lawyers are scrutinizing the proposed laws and regulations and corporate privacy moves, especially the growing and concerning raft of corporate/government surveillance efforts. Our technologists are digging into the digital tools we all rely on during this crisis to make sure that your privacy is protected. We're pushing to lower artificial barriers to information sharing, and working to make sure that access to knowledge is one of the things we keep as we emerge from these times. And more.

We have created an issue page dedicated to our COVID-19 focused work and will continue to highlight our efforts there, as well as publish needed practical information about how to fight COVID-19 phishing attempts and how to show your EFF support as we head into our 30th year of standing strong for your rights.

Right now, when real science is so often under attack, those of us who care about truth, health, and each other need to take seriously the things that science and medicine are telling us about how to keep this virus from spreading. And we also need to be vigilant so that we come out the other side of this crisis with a society we want to live in and hand down to our kids. We can, and must, do both.

EFF is proven, ready, and strong. With the support of our members, new and old, we'll be there with you every step of the way.

Visit link:
EFF and COVID-19: Protecting Openness, Security, and Civil Liberties - EFF

COVID-19 decoy doc, Cloudflare tools used to spread Blackwater malware – SC Magazine

Researchers have uncovered a new malware campaign that uses the COVID-19 pandemic as a lure, and also abuses platform-as-a-service web infrastructure tools to apparently thwart attempts at blocking command-and-control communications.

Dubbed BlackWater, the backdoor malware specifically takes advantage of Cloudflare Workers, an offering of Cloudflare, a popular provider of content delivery network, DDoS mitigation and internet security services to website operators. As Cloudflare explains on its own website, Cloudflare Workers offer a lightweight JavaScript execution environment that allows developers to augment existing applications or create entirely new ones without configuring or maintaining infrastructure.

These JavaScript programs enable serverless functions to run directly on Cloudflare's edge, as close as possible to the end user, where they interact with connections from remote web clients, BleepingComputer explains in a report on the BlackWater threat, citing research from the MalwareHunterTeam. Under normal conditions, Workers can be used to modify a website's HTTP requests and responses, make parallel requests and disable Cloudflare features. But malicious actors are now also using them to act as a C2 server, or at minimum a proxy that acts as a front end to a ReactJS Strapi App that itself performs like a back-end C2 server. BlackWater does this by using a command line to connect to the Cloudflare Worker over attacker-established domains.

SC Media contacted Cloudflare for comment and received the following response: "Cloudflare took immediate action to shut down the malicious domains as soon as we were made aware."

SentinelLabs researcher Vitali Kremez told BleepingComputer that the attackers likely chose this technique because it returns back the legit Cloudflare proxy IP, which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.
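The point Kremez makes above, shown on constructed proxy logs as an added example (not code from the article or the researchers): blocking the IP address the backdoor reached also cuts off every legitimate site served from the same CDN edge, while a rule keyed on the requested hostname and the calling process isolates the backdoor traffic. The CDN range, hostnames, process names and log layout are assumptions made up for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a CDN provider's published edge ranges (TEST-NET-2).
# In practice, load the provider's current published list instead.
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Processes expected to browse arbitrary sites (assumption for this example).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Hostnames the organisation knowingly uses behind the CDN (constructed).
KNOWN_GOOD_HOSTS = {"intranet.example.org", "shop.example.com"}

# Constructed proxy log: (timestamp, client, process, requested host, resolved IP).
PROXY_LOG = [
    ("2020-03-20T09:00:05", "ws-014", "chrome.exe", "shop.example.com", "198.51.100.7"),
    ("2020-03-20T09:01:10", "ws-022", "firefox.exe", "intranet.example.org", "198.51.100.7"),
    ("2020-03-20T09:02:00", "ws-014", "cmd.exe", "c2-placeholder.example.net", "198.51.100.7"),
    ("2020-03-20T09:07:00", "ws-014", "cmd.exe", "c2-placeholder.example.net", "198.51.100.9"),
    ("2020-03-20T09:08:30", "ws-031", "chrome.exe", "news.example.net", "203.0.113.50"),
    ("2020-03-20T09:12:00", "ws-014", "cmd.exe", "c2-placeholder.example.net", "198.51.100.7"),
    ("2020-03-20T09:15:00", "ws-022", "updater.exe", "shop.example.com", "198.51.100.9"),
]


def is_cdn(ip):
    """True when the resolved address belongs to the shared CDN edge."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def hosts_behind_ip(log, ip):
    """Every hostname that was served from this one address."""
    return sorted({host for _, _, _, host, dst in log if dst == ip})


def collateral_of_ip_block(log, ip):
    """Legitimate hostnames that an IP-level block of `ip` would also cut off."""
    return [h for h in hosts_behind_ip(log, ip) if h in KNOWN_GOOD_HOSTS]


def suspicious_requests(log):
    """Group CDN-fronted requests made by non-browser processes to hostnames
    that are not on the organisation's allowlist."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for ts, client, process, host, dst in log:
        if not is_cdn(dst):
            continue  # not behind the shared edge, out of scope here
        if process.lower() in BROWSERS:
            continue  # ordinary browsing
        if host.lower() in KNOWN_GOOD_HOSTS:
            continue  # expected service, e.g. a software updater
        g = groups[(client, process.lower(), host.lower())]
        g["count"] += 1
        g["ips"].add(dst)
        # ISO 8601 timestamps in one timezone sort correctly as strings.
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return [
        {"client": c, "process": p, "host": h, "count": g["count"],
         "ips": sorted(g["ips"]), "first": g["first"], "last": g["last"]}
        for (c, p, h), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    ip = "198.51.100.7"
    print("Blocking", ip, "would also break:", collateral_of_ip_block(PROXY_LOG, ip))
    for finding in suspicious_requests(PROXY_LOG):
        print("Review:", finding)
```

The hostname in each finding is what goes on a proxy or DNS blocklist; the edge addresses it resolved to change between requests and are shared with unrelated sites.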

The malware is delivered via a RAR file, most likely distributed as an attachment via an email phishing campaign, that appears to contain information about the novel coronavirus in the form of a Word document. But the file is actually an executable that, upon activation, extracts a decoy Word doc that serves as a distraction while the backdoor is implemented.

The decoy doc observed by MalwareHunterTeam purports to be from the Wessex Learning Trust, a British general secondary education conglomerate, and appears to contain details and instructions for parents and students.

"This is a good example of the power of using Platform-as-a-Service to build code. Unfortunately, it is a malicious example," said Chris Morales, head of security analytics at Vectra, to SC Media. "CloudFlare was built to support code for remote access just like this. And yes, by running on a Platform as a Service, it makes it difficult to block without stopping access to the entire cloud platform as traffic is legitimate traffic from the site."

"What this tells me is that the PaaS providers still have a ways to go in ensuring their platforms are not used for malicious means. They need to provide better auditing of the code run on their services and back end," Morales continued. "Amusingly the Cloudflare website espouses the security benefits of using service workers on the edge and the security of JavaScript. What they did not account for is this code being used against people in a way it was designed for."

Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media that it's especially important during times of crisis to always be vigilant and suspicious of any attachments, even when they appear to be coming from legitimate sources.

The best way to reduce the risks of such threats is for companies to practice the principle of least privilege, he added.

See original here:
COVID-19 decoy doc, Cloudflare tools used to spread Blackwater malware - SC Magazine

Technology saves the day as Kenyan firms send staff to work from home – The East African

By PAULINE KAIRU

The Covid-19 coronavirus pandemic has drastically changed life as we know it.

In Kenya, where the number of confirmed cases had reached 15 by the time of going to press, the government asked employers to allow staff to work from home.

In addition, all learning institutions have been shut down as students go online and to the radio for lessons and homework.

Remote interactions and e-commerce have emerged as valuable contingent options amid the pandemic, which is projected to cause one of the biggest economic recessions in recent times.

Microsoft announced that it is offering its Microsoft Teams collaboration platform, for free, to companies to make remote working possible.

Corporate vice president for Microsoft 365 Jared Spataro said, "At Microsoft, our top concern is the well-being of our employees and supporting our customers in dealing with business impact during these challenging times. By making Teams available, we hope that we can support public health and safety by making remote work even easier."

In Kenya, Safaricom and Nation Media Group said they had acquired and were providing laptops, dongles and tech tools to their employees.

Safaricom said over 95 per cent of its workforce has been asked to work from home.

"We will be engaging collaboration tech tools such as Microsoft Teams, WebEx, Yammer & Cisco Jabber to enable teams that would ordinarily be required to work from a certain location to work remotely," the company's chief human resources officer, Paul Kasimu, said.

Safaricom also announced on Tuesday that it was doubling its internet speeds for home fibre packages at no extra cost.

Nation Media Group, under the "Safe Nation" mantra, last week rolled out the business continuity plan for remote working protocols.

NMG systems administrator Sicily Rugendo said, "We are connecting our teams to VPN, a vital tool for internet security, especially when you are working from home, which will allow secure remote access to corporate resources."

"We are enabling e-mail connectivity to different software systems, and giving them interactive tools like Skype-for-business, to enable people to hold meetings remotely," Ms Rugendo added.

The Kenya Association of Manufacturers has launched an online directory for locally manufactured goods to help Kenyans shop online and have products delivered to their homes or shops.

"We are doing this to forestall disruptions in the market," said the association's chief executive Phyllis Wakiaga.

The Ministry of Education assured parents and pupils of continuation of learning following the closure of schools.

The Kenya Institute of Curriculum Development said it would deliver the curriculum through YouTube, the Kenya Education Cloud, radio and television starting Monday.

The ministry will broadcast programmes daily, from Monday to Friday, through Radio Taifa and English Service.

Originally posted here:
Technology saves the day as Kenyan firms send staff to work from home - The East African

In Industrial Realm, Trustworthy Software Ensures – IoT World Today

Trustworthy software requires significant initial planning and a long-term perspective.

While many corporations struggle to win the trust of an ever more cynical public, the stakes are higher for industrial organizations that must rely on various types of software.

Problematic software can cause operational downtime, intellectual property loss and, in some cases, life-threatening consequences.

There has been a recent uptick in interest in trustworthy software concerning the Internet of Things (IoT) and software quality in general. The fate of the digital economy depends on individuals and organizations trusting computing technology. But trust is less sturdy than it has been in the past, as the National Institute of Standards and Technology concluded in 2016.

In recent years, various organizations have made trustworthy software central to their mission. Founded in 2016, the U.K.-based not-for-profit Trustworthy Software Foundation drives best-practices in software development. Late last year, the Linux Foundation launched Project Alvarium, an initiative exploring mechanisms to support trust in heterogeneous systems, including IoT deployments and between diverse stakeholders. The Industrial Internet Consortium advocates the concept of trustworthiness in industrial IoT.

Outcomes to Avoid

A string of events serves as a warning of the risks of relying on untrustworthy industrial software, according to Bob Martin, co-chair of the Software Trustworthiness Task Group at Industrial Internet Consortium, who coauthored the organization's white paper "Software Trustworthiness Best Practices."

In 2004, for instance, a software glitch caused air traffic control infrastructure and its backup system to shut down in Southern California, according to the L.A. Times. The error resulted in the diversion of 800 commercial airline flights after radio and radar equipment failed for more than three hours.

Other similarly themed stories include a computer-controlled radiation therapy machine that caused several deaths in the 1980s and a power outage in Tempe, Arizona, in 2007 that resulted from a misconfiguration by a vendor engineer.

"Real systems have been deployed in the industrial IoT space with the kinds of errors you don't want to have on your résumé," Martin said.

The explosion of connectivity and new applications in industrial IoT settings has increased the numbers of professionals creating and procuring software for critical processes. "People who are new to building systems with software or trying to make software resilient may not have run across these events in their education," Martin said.

The variety of systems and operating environments involved with industrial IoT devices poses another challenge as it opens up the possibility of security- or safety-related risks, said Johannes Bauer, principal security adviser, identity management and security at UL. It also complicates the process of looking for faults in the various processing elements and code involved in a single project.

Creating a Common Trust Language

In the industrial realm, trustworthiness has several facets, including safety, security, privacy, reliability and resilience. Trustworthy software can withstand environmental disturbances, human error, system faults and cyberattacks, according to the Industrial Internet Consortium.

Deploying software that can be trusted requires a comprehensive approach that spans the entire software lifecycle process, according to Simon Rix, product strategist at Irdeto. "You have to incorporate security early, and you have to work out how to automate it," said Rix, who also co-wrote the IIC whitepaper.

Fostering conversation between those stakeholders can be challenging, however. "How do you get the businesspeople to speak in a way that the technical people can understand, and how do you keep the technological people from rushing off on their mission to design a product quickly?" Rix asked.

"The key is to address the whole life cycle, all the different software development methodologies, and to make sure you bring in the stakeholders of the business as well as the operators," Martin said. "There's a need for a translation key or Rosetta Stone for the different parties to be able to talk about what they care about where others around the table can see their perspectives as well."

Frameworks Provide a Starting Point

A growing number of frameworks distill the subject of trust among various stakeholders, but instilling trust in software remains a complex proposition. "The use of the word trust has so much variability that it's almost a useless concept except it does let us have a dialogue," Martin said.

Putting controls in place to optimize security and safety of industrial software is a vital first step. But cybersecurity processes need to be continually audited. "The concern I have is you can screw anything up," said Chester Wisniewski, principal research scientist at Sophos. "For example, I can use [the Advanced Encryption Standard], but I can misuse it far more ways than I can use it correctly." Wisniewski draws a parallel from retail. "A lot of stores that have chip readers for credit cards have a piece of cardboard with a sign that says, 'Please swipe,'" he said. "Having chip readers doesn't mean your credit card processing is secure if you don't actually use [technology designed to limit fraud]."

Another pitfall is to focus on deploying secure software initially but not consider that it will become obsolete. "We differentiate between end of support and end of use. Just because the original creator may not support the software doesn't mean that it turns into a salt pillar, that it is unusable," Martin said.

Ironically, the topic of end-of-life software also underscores the importance of focusing on security considerations from the beginning. "If the software is critical to you, then put it in your contract to get rights to the source," Martin advised.

Ultimately, understanding how software works in the real world requires long-term focus. It isn't magical. It reacts, interacts and sometimes needs to be replaced.

Visit link:
In Industrial Realm, Trustworthy Software Ensures - IoT World Today

Security Software in Telecom Market is Growing Rapidly Due to Increasing Internet Penetration – Press Release – Digital Journal

"Security Software in Telecom Market"

Security Software in Telecom Market Research Report- Forecast till 2025

Market Highlights

Due to the massive expansion of LTE networks, customers have been experiencing seamless connectivity across the globe. This has given the telecom industry a significant opportunity to expand its networks and penetrate urban, rural, and remote areas. Furthermore, a perpetual increase in internet usage, increasing demand for data services, and rising broadband adoption are some of the critical drivers for the telecom industry. The development of networks has also resulted in a higher number of cyber-attacks in the telecom industry. The Global Security Software in Telecom Market 2020 was valued at USD 3,599.4 million in 2018 and is estimated to expand at a CAGR of 11.9%, with a value of USD 8,923.5 million by 2025.

Telecom operators have often experienced attacks while signaling, metering, switching, and configuring the network. The increasing number of cyberattacks has motivated the security providers to develop a sustainable solution for the enterprises. Hence, the increase in data breach incidents has led to the demand for establishing secure networks. Inadequate infrastructure and inexpensive security solutions to implement IPv6 technology, which is the most recent version of internet protocol, are some of the factors that are hindering the expansion of security software in the telecom market.

Segmentation:

By component, the security software in the telecom market is classified into solutions and services.

By solution, the security software in the telecom market is segmented into identity and access management (IAM), risk and compliance management, encryption, data loss prevention (DLP), unified threat management, security information and event management (SIEM), distributed denial of service mitigation, firewall, and others.

By services, the market is categorized into professional services (risk assessment, design and implementation, support and maintenance, and others) and managed services.

By security, the market is segmented into network security, endpoint security, application security, cloud security, and others.

By deployment, the market is segmented into the cloud and on-premise.

By end-user, the market is segmented into large enterprises, small and medium enterprises (SMEs), and government.

Regional Analysis

The global security software in the telecom market is segmented into Asia-Pacific, North America, Europe, the Middle East & Africa, and South America.

North America is estimated to dominate the security software in the telecom market. It has also been anticipated that it will retain the market during the forecast period. The advent of new technology and adaptation to it has led to considerable growth in the market. The rise in the deployment of IoT and the existence of internet-enabled solutions and cloud services have led to significant exposure to global security software in the telecom market. Canada and the US are facing a higher number of cyberattacks in the telecom sectors, which is one of the most significant reasons which increases the demand for security software.

Asia-Pacific is estimated to be the fastest-growing telecom market during the forecast period. Fast digitization, along with developments in IoT and cloud computing, has created a higher risk of cyber-attacks and security breaches. This has resulted in a higher demand for global security software in the telecom market and has encouraged service providers to develop security solutions efficiently for the telecom operators. Countries like India, Japan, and China are growing at a faster pace, and hence, they contribute to the expansion of the market in the APAC region. Moreover, the increasing cyber-crime and strict government rules and regulations are speculated to increase the demand, thereby growing the market in the APAC region.

Key Players

Symantec Corporation (US), IBM Corporation (US), Palo Alto Networks (US), Dell Inc (US), McAfee (US), and Trend Micro (Japan) Inc. are among the most prominent players in the global security software in telecom market; together they contributed about 40% of the market share in 2018.

Other players like Check Point (US), Splunk (US), Amazon Web Services (US), Imperva (US), Qualys (US), F-Secure (Finland), HP Enterprise Development LP (US), FireEye (US), Oracle Corporation (US), Forcepoint (US), Fortinet (US), Microsoft Corporation (US), Proofpoint (US), F5 Networks (US), CyberArk (Israel), Sophos (UK), and Juniper Networks (US) have also played a key role and have secured a position in the global security software in telecom market.

Browse Complete Report @ https://www.marketresearchfuture.com/reports/security-software-telecom-market-6961

Global Security Software in Telecom Market Research Report: Information by Component [Solution (Identity and Access Management (IAM), Risk and Compliance Management, Encryption, Data Loss Prevention (DLP), Unified Threat Management, Security Information and Event Management (SIEM), Distributed Denial of Service Mitigation (DDoS) and Firewall) and Services (Managed Services and Professional Services)], Deployment Mode (Cloud and On-Premise), Security Type (Network Security, Endpoint Security, Application Security and Cloud Security) and Region [North America (the US, Canada, Mexico), Europe (Germany, the UK, France, Italy, Spain and Rest of Europe), Asia-Pacific (China, Japan, India and the Rest of Asia-Pacific), the Middle East & Africa and South America] - Forecast till 2025

See original here:
Security Software in Telecom Market is Growing Rapidly Due to Increasing Internet Penetration - Press Release - Digital Journal

How safe is your brand in the hands of a remote workforce? – Bizcommunity.com

Many employees today already have laptops, high-speed internet connectivity and access to networks via the cloud to perform their daily tasks remotely. However, are they equipped to deliver consistent brand experiences that customers have come to expect when dealing with the organisation?

Having invested significantly into their brands for years, companies need to put the best interests of their employees and customers at heart but not at the detriment of their brands. As such, employees should be equipped with tools that will help them to meet customers' needs seamlessly and deliver consistent brand experiences in every email and document sent to clients wherever they are working from.

There are several measures that companies should put in place to secure their brand and deliver a consistent experience in all customer and employee engagements whether working remotely or not.

Further, the body of the emails should be on-brand using the same font and colour across the company. It is also recommended to have pre-developed and pre-approved content available and easily accessible for employees to insert into emails while working remotely. This requires minimal input and keeps the brand integrity in every communication.

Employees should have access to the latest company letterheads, templates, documents and presentations that are required for client communication. If documents are updated while the employees are working remotely, the latest versions should be easy-to-access without the need for a Virtual Private Network (VPN) and employees should feel comfortable that they are sending their customers the most up-to-date information at all times.

When employees are separate from the company it is critical they are kept up to date on all important company news and information throughout the day to prevent them from becoming disconnected and uncoordinated. An employee communication tool should be used to broadcast information to employees throughout the day and keep them informed about company news.

It would also be valuable to share updates on topical issues such as the latest coronavirus stats regularly via the broadcast tool to minimise the amount of time employees would otherwise spend looking for the information themselves.

To avoid financial and brand damage, companies need to incorporate layered security to help prevent customers and employees from falling victim to email scams, particularly while working with a remote workforce. Centrally managed, tamperproof email signatures are also a first step in helping to prevent fraudulent emails from being sent on behalf of a company. Built-in email verification would also benefit the company and email recipients and give them added peace of mind that emails are authentic.

However, more than this, companies need to have segmentation of risk built into their email branding solution to safeguard customer and company information at all times, particularly when employees are working remotely. This is key to preventing security breaches.

As such the customer experience has to be nurtured at this time and employees need to be empowered to continue to deliver on-brand experiences wherever they may be working from.

Go here to see the original:
How safe is your brand in the hands of a remote workforce? - Bizcommunity.com

How Organizations Can Retain Talent Amidst the Infosec Skills Gap – tripwire.com

In a previous post, I shared some expert insight into how organizations can address the challenges of hiring skilled talent despite the ongoing infosec skills gap. Organizations can't rest easy once they've brought on new talent, however. They need to make sure they hold onto their existing workforce.

That's easier said than done. Cybersecurity Ventures forecasted that a total of 3.5 million infosec positions will be unfilled in 2021. Clearly, skilled infosec professionals have plenty of other places to go should they be unhappy with their current employer.

Acknowledging that reality, we at the State of Security asked security experts to weigh in on the impact of the infosec skills gap on existing security teams. We then asked them to share their thoughts on how organizations can keep their current teams intact. Here's what they had to say.

It's challenging. I accept that there will always be four times more work than I have resources. My mantra is to prioritize. Make sure we are working on the highest risk, the most likely security issues, and communicate the residual risk.

The other solutions are extending the responsibility for protecting the business into all parts of the business. I deputize people onto the cybersecurity team, and I recognize that people bring cybersecurity issues and solutions. I even have silver deputy badges that I found on Amazon for .50 each that I hand out with a certificate of recognition. I love walking by people's cubes and seeing them pinned on the wall!

There is also an opportunity to leverage low tech solutions like easy-to-find and easy-to-follow security cheat sheets, so people whose core competency is customer service, legal, or administration can know how to do things securely without being frustrated or inadvertently causing a security incident.

The infosec skills gap impacts security teams today by putting additional stress and reliance on specific personnel who have attained the necessary skillsets to perform at peak. In many cases, that's only one or two individuals. This can create a potential single point of failure, putting stress on hiring managers to fill that gap.

One solution to the infosec skills gap problem is to reach out to Market Vendors for readily available SAAS solutions. Other options include onsite or remote contract staff as well as customized support options with SLAs that can assist with daily cybersecurity support operations and maintenance. After all, sleeping peacefully at night leads to less stress and better health.

Despite constantly fighting for bandwidth, the really successful small security teams I've seen have mastered processes and constant improvement to win out more often than not.

How that works in reality varies from business to business, but it can generally be summarized by having a program of small improvements that can be constantly assessed and scored, thus providing evidence to the rest of the business that the team is busy but successful. For example, having the team focus on a single area of improvement (implementing improved password policies, hardening software firewalls, etc) and making sure they can measure the number of devices touched and the number of configuration changes made helps justify new team hires as well as keeping forward momentum. (Hopefully, these different effects are tracked already by your compliance tools, so measuring your success shouldn't take any extra human bandwidth.)

In terms of processes, making sure that your response is consistent, well-documented and easy to do (preferably by multiple team members so processes don't break down simply due to short term staff absences, etc) can be the difference between beating the influx of new risks and challenges and collapsing under a deluge of repetitive and inefficient workflows. The people closest to the problem should also be closely involved in developing those processes to make sure they really can be achieved, too!

Discussions about the infosec skills gap often focus on hiring, training, or outsourcing. Those are a few ways to fill the gap, but how do you stop the gap from widening at your organization? Keeping talent is just as important as bringing it in, and when demand is high and supply is short, keeping talent isn't easy. It isn't just about money, either. There will always be another company who can pay more, which is why culture, personal development, and a reasonable workload are just as important. Remember Daniel Pink's keys to motivation in his book Drive. Everyone seeks mastery of their domain, autonomy in their work, and purpose for what they are doing. It's less costly to keep a person than to hire one.

Of course, you could always outsource, a decision which comes with its own sets of pros and cons.

My thoughts are akin to Schrödinger's cat. There is both a skills gap and not a skills gap. By that I mean that there is potentially an infosec skills gap and that hiring practices are not helping. These two factors culminate in a situation where jobs are not being filled.

Nothing I am saying is new.

Barriers to entry and hiring are multifaceted issues. Let's consider the following:

Job postings appear to request skills that are both beyond what is needed for the role and that require a high amount of years of experience. This potentially screens candidates from being reviewed and prevents others from applying.

Infosec is a large space, as demonstrated by the number of certifications in our industry. As a result, newcomers to our field might not know which skills are foundational to having a career in information security, while HR might not have an accurate understanding of what skills are needed for which roles.

Many companies exhibit a lack of communication on the status of an application after someone has applied.

Diversity (or lack thereof) also plays a role here

This infosec skills gap or ineffective hiring process is also creating multiple issues downstream:

Companies are becoming increasingly tool heavy due to an effort to counteract the lack of human analysts on the ground. However, good intentions don't mean that tools are deployed effectively and/or that alerts are reviewed as often as they need to be.

The current talent begin to lose their skills as they become dashboard warriors instead of spending their time tuning and managing tools.

Companies are becoming more vulnerable to digital threats as it becomes harder for them to fill security positions.

For the short term, security teams can attempt to manage these issues by focusing on defense in depth and foundational controls, as found in most frameworks:

Asset management: Hardware & Software

Multiple Factor Authentication (MFA)

Secure configurations and baseline images

+ many others from your framework of choice

Make sure you've got the basics nailed down. You can get to the fancy stuff later. Also, there are lots of free resources available. Seek those out. One of my faves is https://www.globalcyberalliance.org/.

Another very important skill is communication. Many technical folks do not necessarily understand the impact that security can have to the operation of their organization. An organization is never going to be 100% secure, so it is very important to understand the tradeoffs in minimizing risk while maintaining optimal business efficiency. This is another area that organizations should spend time training their teams on. Part of the onboarding process should include some training on what it is that the business does as well as ongoing training of the organizational goals and progress towards those goals.

Small teams typically outsource many of their security functions to managed service providers or managed security service providers. When selecting these providers, it is also key to select providers that can integrate the business goals of the organization to the management of their security tools. Focus on implementing security tools with metrics that can clearly help to identify the risk to the business and activities that mitigate that risk. For example, reporting on the number of missing patches means nothing to the business, but reporting on the risk vulnerabilities and insecure configurations present to the organization can show both the current risk posture and the impact a patching program has on mitigating the risk to the business.

Only when maintaining an open dialog of communication can these goals be achieved together.

Small, stretched in-house teams should look to the use of smart technology and automation where they can. Whilst there are a lot of unknowns and variables with cyber detection and defence that will always require a degree of professional judgment, there are also plenty of known knowns which can be automatically defended against. In-house teams should also look to establish arrangements with trusted external partners upon whom they can offload specialist activities and whose skills they can use as required rather than trying to retain them in-house.

It's really important to show that you care about your employees. One of the ways you can do that is by providing training for them, having one-on-ones with them, finding out what their goals are, and creating a roadmap together. Of course, you want to see them go and hit that goal. With that said, the best thing you can do to make that happen is to be that manager who wants to see their employees succeed and who cheers them on the entire way.

Now it's also important to have a conversation with your team about work and life balance because burnout is prevalent in InfoSec. Burnout is a mental health issue. When someone on the security team feels burnt out, it puts the security posture of the company at risk. With that said, please take care of your employees and show them that you care.

Many companies are looking for qualified staff due to the security and compliance concerns mandating that job roles be filled. This has increased the pressure on cybersecurity teams to wear multiple hats within an organization. This skill gap also creates particular roles that can become very focused, the exact opposite of the first issue, and can silo roles into doing one area of security. This creates an ebb and flow when looking for people. The culture of career development will look different in each scenario.

The infosec skills gap will continue to widen as security becomes everyone's concern. Many times, we see teams with a small security team that's focused full-time on security but that also has a culture of security spread throughout various groups. This allows for a team to have a smaller full-time security team with the greatest reduction in risk.

Create diverse and inclusive teams that approach security in a holistic and proportionate way. These teams should do the following:

Include all departments,

Effectively train consumers on their roles and responsibilities in the cyber defence team,

Embed intrinsic motivators,

Enhance existing team members' skills,

Build a culture of trust and understanding where questions are welcomed, and

Hold formal learning sessions where it's safe to speak up for the purpose of creating a continuous improvement programme.

One of the major barriers on the infosec skills gap is simply knowing where to start. There are many avenues of information security, each with their own complexities that need to be understood. IT departments are tasked with defending endpoints, network devices, applications, the cloud, and more. Gartner's Adaptive Security Architecture makes a great visualization on how complex protecting each one of these avenues can be. From a high level, it outlines that first, you need to create a baseline of what you have in your environment, harden what you know about, detect what you cannot harden, and respond to anything that is detected.

Information security teams that are feeling outstretched need to simply get back to the basics. The Pareto Principle fits into the value of defensive architecture. The rule states that 80% of the effects come from 20% of the causes. Relating that to information security, we can state that 80% of cybercrime type attacks can be mitigated by 20% of the defensive techniques we can take. The Center for Internet Security (CIS) did a study and found that one could stop up to 85% of attacks by simply implementing the first five of their Critical Security Controls. These five controls are basic and foundational measures such as simply having a baseline of your system and applying hardening benchmarks to your machines.

Read the original:
How Organizations Can Retain Talent Amidst the Infosec Skills Gap - tripwire.com