Category Archives: Internet Security
Survive A Cyberattack: 7 Things Business Owners Must Do In 2021 – Forbes
Cybercrime Magazine projects that annual cybercrime damages will reach $10.5 trillion by 2025; its 2021 estimate of $6 trillion already works out to $11.4 million in damages per minute and $16.4 billion per day. Not only is cybercrime one of the fastest growing markets on the planet, but according to Cybercrime Magazine it also represents the greatest transfer of wealth in human history.
Successful cyber attacks often start by targeting company employees via social engineering, the psychological manipulation of people into performing actions, including divulging confidential information or granting access to critical infrastructure. Social engineering is the primary way cyber criminals gain access to sensitive data, infrastructure and money.
Adam Anderson is co-founder of Hook Security, providing cyber security awareness training, and managing general partner of Ansuz Capital, a cybersecurity venture fund. With his twenty years of experience in the field of cyber security, Anderson has pioneered and created a new field of study inside security, psychological security (PsySec), to combat the epidemic of social engineering.
From an interview with Anderson, here are seven things business owners can do to prevent and survive a cyberattack.
Taking backups of your critical data is, well, critical. It mitigates risk should you be the target of a ransomware attack, reducing the impact by enabling you to reliably retrieve your data. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Ransomware is serious business; Garmin was reported to have paid a $10 million ransom when its systems were hacked in 2020.
Anderson recommends you use cloud-based tools such as Dropbox, Google Drive and Box, instead of storing files only on your computer. Configure them to back up your important information automatically. Whilst it is true that online companies such as Microsoft, Google and Apple get hacked, they are still many times better at security than you are, he added. With cloud-based programmes, if the worst should happen, you can simply rebuild the computer, or pick up a new one, and log back into your applications, which means you are down for hours, not weeks.
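As an added example (not code from the Forbes article or from Hook Security), the following Python script shows the property that makes a backup useful against ransomware and that a plain sync folder does not give you by itself: each snapshot is a separate copy that the live files cannot overwrite, and a restore is verified against SHA-256 hashes recorded at backup time. Cloud sync services such as those named above only serve this purpose if their version history is turned on and reaches back to before the encryption started. File names and contents in the demo are constructed.

```python
"""Versioned backup snapshots with an integrity manifest.

Added example, not code from the Forbes article or from Hook Security.
Each snapshot is a separate, never-overwritten copy, and restore() refuses
to proceed unless every file still matches the SHA-256 digest recorded at
backup time. All file names and contents in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to data_dir) to its SHA-256 digest."""
    return {
        p.relative_to(data_dir).as_posix(): sha256_file(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file()
    }


def snapshot(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy `source` into a new directory under backup_root and record its manifest."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are never overwritten")
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def load_manifest(snapshot_dir: Path) -> dict[str, str]:
    return json.loads((snapshot_dir / "manifest.json").read_text())


def check_against_manifest(data_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Relative paths that are missing, altered, or absent from the manifest (empty == intact)."""
    problems = [
        rel for rel, digest in manifest.items()
        if not (data_dir / rel).is_file() or sha256_file(data_dir / rel) != digest
    ]
    problems += [
        p.relative_to(data_dir).as_posix()
        for p in data_dir.rglob("*")
        if p.is_file() and p.relative_to(data_dir).as_posix() not in manifest
    ]
    return sorted(problems)


def restore(snapshot_dir: Path, target: Path) -> list[str]:
    """Verify the snapshot, then copy it into target. Refuses to restore a corrupted snapshot."""
    problems = check_against_manifest(snapshot_dir / "data", load_manifest(snapshot_dir))
    if problems:
        raise RuntimeError(f"snapshot fails integrity check: {problems}")
    shutil.copytree(snapshot_dir / "data", target, dirs_exist_ok=True)
    return sorted(build_manifest(target))


def demo() -> dict:
    """Back up, simulate ransomware on the live copy, then verify and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        live.mkdir()
        originals = {"invoices.csv": "id,amount\n1,100\n", "notes.txt": "quarterly plan\n"}
        for name, text in originals.items():
            (live / name).write_text(text)

        snap = snapshot(live, root / "backups", label="snap1")
        manifest = load_manifest(snap)

        # Simulated ransomware: scramble every live file and drop a ransom note.
        for f in live.iterdir():
            f.write_bytes(bytes(b ^ 0x5A for b in f.read_bytes()))
        (live / "README_DECRYPT.txt").write_text("pay up\n")

        restored_dir = root / "restored"
        restored = restore(snap, restored_dir)
        return {
            "live_damaged": check_against_manifest(live, manifest),
            "snapshot_intact": check_against_manifest(snap / "data", manifest) == [],
            "restored_files": restored,
            "restored_content_matches": all(
                (restored_dir / n).read_text() == t for n, t in originals.items()
            ),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the cycle end to end: demo() lists the damaged live files, confirms the snapshot is intact and restores it. In a real deployment the snapshot directory lives on storage the workstation cannot write to afterwards (versioned object storage, or a backup pulled by another machine), since ransomware that can reach the snapshots will encrypt those too.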
Cybersecurity insurance policies are valuable in two main ways, according to Anderson. Firstly, they reduce the impact of a cyber attack by reimbursing your losses and providing resources for recovery. Secondly, they spell out exactly what they need to see from your security posture before they will pay out on the policy, so merely meeting the insurer's requirements raises your level of protection.
Anderson recommends that the policy you take out comes with a disaster recovery team, a financial payout and clear instructions on what you must do to remain compliant, but says there isn't a significant difference between providers.
Another area of risk is security flaws in the software your company uses, the programs already installed on its devices. But before you throw away your laptop, understand that most of these vulnerabilities have likely already been discovered and fixed in the latest version of the software. This means software updates are key.
Anderson explained that the tools and paths used to breach a machine depend on holes in its software that attackers can exploit. Microsoft and several other vendors publish fixes for these holes on the second Tuesday of each month, known as Patch Tuesday, when the updates become available to all users. But it's not that easy: cyber criminals know that most people won't update their machines, and they immediately deploy new attacks that count on those holes still being present. Updates are essential to stay safe; by updating your computer, you defeat the majority of the automated attacks that hit users thousands of times each day.
A password is just one factor of authentication, and obtaining a username and password can be very simple. Cyber criminals will either trick you into giving them the information or crack it using technology. By having two-factor authentication (2FA) in place, more information is required, and accessing your accounts is much harder. Yes, it's a pain, but Anderson believes it's well worth it.
When 2FA is in place, even if they have your username and password, they can't log in because they don't have your key fob, phone or whatever else the second factor requires. Two-factor authentication typically takes the form of a phone app or text message containing a code that you type in during login; codes sent by text message are the weakest form, since they can be intercepted through a SIM swap, so prefer an authenticator app or a hardware key where the service offers one. Almost all applications have 2FA. Check the help section of their websites and follow the instructions. Note: don't store your 2FA in a 1FA place. Password managers such as LastPass offer to store your 2FA seeds alongside your passwords, but if the manager itself is protected by only a single factor, one compromise yields both. If in doubt, keep them separate.
Don't give yourself permission to accidentally hurt yourself, Anderson implores. Multiple logins can protect you. Create a non-administrator account on your computer for day-to-day work, and where a programme offers separate roles, a non-administrator account in it too, keeping the administrator accounts for installing software and changing settings. It makes sense: keeping your administrator accounts untouched and working with reduced rights lowers the likelihood that you install harmful software by accident.
If you don't require full daily access to your programmes, why needlessly open yourself up to exploitation? Write a list of your software programmes and create new user accounts to further minimise risk.
Working from new places poses further risk. In a quest to be productive whilst travelling, unsecured Wi-Fi networks are tempting. What can go wrong, right? A lot. Working remotely, from coffee shops and hotel lobbies, brings more risk than logging onto your home network, but most of it is unavoidable.
Anderson recommends you use a virtual private network (VPN) to protect your data whilst you access it. A VPN encrypts your traffic between your device and the VPN provider, so someone on the same Wi-Fi cannot read or tamper with it, and it hides from the local network where you are connecting to. Protect yourself further by never using Wi-Fi networks that don't have a password, as they are ripe for attack; note that a password shared with every customer still puts you on the same network as everyone else, so the VPN and HTTPS are doing the real work. On a hostile network it wouldn't be difficult for an attacker to intercept unencrypted traffic or probe your computer for exposed services, and malware delivered that way can record your keystrokes, camera or microphone, plus all your files. It's just not worth it. Instead of relying on dodgy coffee shop internet, carry a portable router, tether from your phone or stay offline.
Gadgets and programmes aside, the most important part of all this is training your brain. Think like a hacker to fill the holes they will exploit. Know what they are looking for to ensure its not found. Cybersecurity awareness training programmes are a way to train yourself and your people to spot scams and stay safe. Knowing the difference between a genuine email and a phishing attempt, plus locking down data and software, can save thousands in material, mental and reputational damage.
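The mechanical cues that awareness training teaches people to look for can also be checked in code. The following is an added example (not material from the article or from Hook Security): it inspects a raw e-mail for a display name that claims a trusted brand while the sender domain is something else, a Reply-To pointing at a different domain, link text that shows one host while the href goes to another, and lookalike hostnames that embed the trusted domain. The trusted domain and both sample messages are constructed.

```python
"""Mechanical phishing indicators in a raw e-mail message.

Added example, not code from the Forbes article or Hook Security's
training material. TRUSTED_DOMAINS and both sample messages are constructed.
"""
from __future__ import annotations

import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the organisation's real correspondents use.
TRUSTED_DOMAINS = {"example-bank.com"}


def _norm(s: str) -> str:
    """Lower-case and keep only letters and digits, so 'Example Bank' ~ 'example-bank'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _host(text: str) -> str:
    """Hostname of a URL, or of bare 'www.x.com/...' text, lower-cased ('' if none)."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def _lookalike(host: str, trusted: set[str]) -> bool:
    """Not a trusted domain (or subdomain of one) yet embeds a trusted name, e.g. example-bank.com.evil.xyz."""
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return False
    return any(_norm(t) in _norm(host) for t in trusted)


def phishing_indicators(raw: bytes, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    msg = message_from_bytes(raw, policy=default)
    findings: list[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom not in trusted and any(_norm(t.split(".")[0]) in _norm(from_name) for t in trusted):
        findings.append(f"display name {from_name!r} mimics a trusted brand but sender domain is {from_dom}")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host, shown = _host(href), _host(text)
        if "." in shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
        if _lookalike(host, trusted):
            findings.append(f"lookalike link host {host}")
    return findings


# Constructed sample messages (no real addresses; the .test and .xyz hosts are invented).
PHISH = b"""\
From: "Example Bank Security" <alerts@examplebank-notices.net>
Reply-To: support@mail-recovery.xyz
To: owner@smallbiz.test
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your account is suspended. Sign in at
<a href="https://example-bank.com.verify-login.xyz/auth">https://example-bank.com/login</a>
within 24 hours.</p>
"""

LEGIT = b"""\
From: "Example Bank" <alerts@example-bank.com>
To: owner@smallbiz.test
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="https://www.example-bank.com/statements">www.example-bank.com</a> to view it.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

None of these checks is conclusive on its own, and a well-crafted message can pass all of them; they are the same cues a trained reader applies, made repeatable so the obvious cases are caught before a person has to judge.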
What's the value of your data and software? What price do you put on your peace of mind? Taking just a few steps can mean that hackers are deterred, reducing the risk of a successful cyber attack and the impact it has on your organization.
Singapore Government-funded software creates cyber attack fixes for utilities and more – The Straits Times
SINGAPORE - Water treatment is important to societies globally but glaring leaks in the cyber defences of systems controlling water plants have been in the spotlight in recent months.
In January, a hacker gained access to a water plant in San Francisco and deleted programs linked to water treatment. This came to light only in June.
Another water plant in a Florida town was hacked in February and the intruder tried to poison the drinking water by raising the concentration of a chemical to dangerous levels.
In both cases, workers undid the hackers' actions in time. But the incidents highlighted some perils.
Workers were using popular remote-access software to reach the plants' systems from locations other than the facilities, and hackers had taken over their accounts to break in.
One cyber-security firm believes software it has developed, funded by a Cyber Security Agency of Singapore (CSA) innovation initiative, could help operators of critical infrastructure detect and plug security issues, even without expertise.
Called X.act, the software can simulate new and known cyber attacks and tactics, as well as create a fix that can be used immediately.
The Singapore company that made it, SkillSpar, which also has offices in the United States, Vietnam and Thailand, said its software recreates a virtual copy of the critical system controlling an infrastructure facility.
The infrastructure operator chooses a breach scenario to test, such as a computer compromised by a worker who uses a malware-infected USB drive.
The operator can use X.act to run hacking simulations on the virtual control system with the press of a button to find out what happens next.
This could show how far the malware spreads, and if there are unusual activities, such as the system being accessed at odd hours.
Unlike other products in the market, SkillSpar said, X.act automatically generates data that can be used to configure the system quickly as a fix to thwart hackers' techniques when operators are alerted to potential malicious activities.
By curbing the damage arising from potential breaches, systems can be protected even if security flaws have not been patched by equipment vendors.
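Both incidents described above began with a remote-access account being taken over, and the article names the simplest signals of that: access at odd hours and other unusual activity. As an added example (not X.act code, and not from The Straits Times), the following script runs those checks over a constructed remote-access log: logins outside an assumed working-hours schedule, logins from a source address the account has not used before, and a setpoint change far outside its previous value, which is the shape of the Florida incident described earlier. The log format, users, addresses and schedule are assumptions.

```python
"""Flag unusual remote access to a control system from its access log.

Added example, not code from SkillSpar's X.act or The Straits Times.
The log format, users, addresses and working hours are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, time

# Assumed schedule: operators normally connect on weekdays between 07:00 and 19:00 plant time.
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed log lines, "timestamp user source_ip action". Addresses are documentation ranges;
# the NaOH (lye) setpoint swing mirrors the Florida incident described in the article.
SAMPLE_LOG = """\
2021-02-01T08:12:03 ops_jane 10.20.1.15 login
2021-02-01T08:13:40 ops_jane 10.20.1.15 setpoint NaOH=100ppm
2021-02-02T09:02:11 ops_jane 10.20.1.15 login
2021-02-03T15:47:20 ops_bob 10.20.1.22 login
2021-02-05T13:30:05 ops_jane 10.20.1.15 login
2021-02-05T13:31:52 ops_jane 203.0.113.77 login
2021-02-05T13:33:10 ops_jane 203.0.113.77 setpoint NaOH=11100ppm
2021-02-06T02:14:55 ops_bob 198.51.100.9 login
2021-02-06T02:16:30 ops_bob 198.51.100.9 download config
"""

SETPOINT = re.compile(r"setpoint (\w+)=(\d+)")


def parse_log(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        ts, user, src, action = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "action": action})
    return events


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed working window on a weekday."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def find_anomalies(events: list[dict], warmup: int = 2, ratio: int = 10) -> list[str]:
    """Three checks: off-hours login; login from a source the user has not used before
    (once `warmup` logins have established a baseline); a setpoint moved by `ratio`x or more."""
    seen_sources: dict[str, set[str]] = defaultdict(set)
    login_count: dict[str, int] = defaultdict(int)
    last_value: dict[str, int] = {}
    alerts: list[str] = []
    for e in events:
        stamp, user, src = e["ts"].isoformat(timespec="minutes"), e["user"], e["src"]
        if e["action"] == "login":
            if off_hours(e["ts"]):
                alerts.append(f"{stamp} {user} login from {src} outside working hours")
            if login_count[user] >= warmup and src not in seen_sources[user]:
                alerts.append(f"{stamp} {user} login from new source {src}")
            seen_sources[user].add(src)
            login_count[user] += 1
            continue
        m = SETPOINT.match(e["action"])
        if m:
            param, new = m.group(1), int(m.group(2))
            old = last_value.get(param)
            if old and (new >= ratio * old or new * ratio <= old):
                alerts.append(f"{stamp} {user} changed {param} from {old} to {new}")
            last_value[param] = new
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The new-source check is the one that catches a stolen account used from the attacker's own machine during business hours; the off-hours check alone would have missed the Friday-afternoon session in the sample. Real deployments feed the same logic from the remote-access tool's own audit log and from the controller's change history rather than a single combined file.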
"Patching in the operational technology world doesn't work," said Mr Phuong Nguyen, SkillSpar's co-founder and offensive security consultant, referring to systems that run critical infrastructure like those in water and power plants.
He said vendor patching happens once every three months as time is needed to test patches and the systems need to be up as much as possible.
Another patch issue is that many legacy control systems work only on old operating systems like Windows 7. The latter is no longer supported with official security patches, making it open to cyber attacks. Overhauling all these systems would be costly, said Mr Nguyen.
With X.act's fix, infrastructure operators can quickly test it on the virtual system against another similar attack by pressing a button.
The operator can then contact vendors to further test the fix before deciding if it can be applied to the real system.
X.act is being used in the oil and gas sector here, and SkillSpar has received inquiries from the United Arab Emirates and Vietnam.
The software was developed after SkillSpar took part in CSA's Cybersecurity Industry Call for Innovation programme in 2018. It would have received funding of up to $500,000 from the agency.
Since the start of the call for innovation in 2018, CSA has awarded funding for 21 projects, eight of which are already in use or undergoing trials. Over $10 million has been committed to the projects so far.
Past cyber-security projects include those for Internet-connected devices, ransomware protection, autonomous vehicles and operational technology security across the energy, maritime, healthcare and government sectors, said CSA.
Mr Joel Langill, managing member of the Industrial Control System Cyber Security Institute based in Wisconsin in the US, said SkillSpar's simulation software is good in theory as it is used on a model of a real system, and could be applied on different systems too, be they simple or complex.
He is a member of CSA's Operational Technology Cybersecurity Expert Panel that is meeting in Singapore this week. Among other things, the panel seeks to identify challenges and gaps in the cyber-security capabilities of the operational technology sector here, and recommends how to address them.
Mr Langill was, however, concerned about how sensitive X.act was at detecting suspicious activities that might fly under the radar because they look like commands executed by a legitimate user.
Another issue: the cost of using the software. He said many public utilities, like in the US, have limited budgets, so they may not be able to spend as much on cyber security, and face challenges hiring talent in this area.
"Working for municipalities probably isn't as high (on the list for people) as working for an integrator or a larger contractor, where their salaries could be significantly more, and job satisfaction could be much higher," he added.
Mr Langill said ramping up cyber-security in the water sector is also difficult in countries like the US, because water and waste water treatment are not regulated centrally and there is a lack of enforcement.
"The cyber awareness and maturity of the bulk of (US water) authorities are very low," he said.
One way to address some of these challenges is to make cyber security a procurement requirement at every point in building a water plant, said Mr Langill.
He added that it is "not expensive" if done right from the get go.
He cited a large South American oil and gas facility he worked on that needed cyber-security features installed after a breach. About 200 control devices at the facility did not have firewall software, as it appeared a financial decision was made earlier against the installations.
"To install what they should have installed in the first place cost about 2.5 times what it would have cost if they'd done it the first time," said Mr Langill.
SA's internet access not quite the world's worst, but far from the best – The Citizen
South Africa's digital wellbeing is in ICU due to lax security, a low number of users and slow broadband growth, according to the latest Digital Quality of Life Index.
The country's worst criteria rankings were for cybersecurity (95th place), number of internet users (91st) and broadband speed growth (80th).
Surfshark, an internet security firm, indexed 110 countries covering 90% of the global population in the third edition of the index, which ranks countries' digital wellbeing according to the five pillars of internet quality, internet affordability, e-infrastructure, e-government and e-security. An additional 25 countries were added to the index this time.
Internet quality measures the stability, speed and year-on-year growth of online connections, while internet affordability measures working hours required to pay for broadband and mobile internet. E-infrastructure measures the percentage of internet users per country and its network readiness, while e-security measures the ability to tackle cybercrime and the status of data protection laws, and e-government measures the roll-out of online government services and AI readiness.
South Africa ranked 68th globally out of 110 countries, a drop of nine places compared to 2020, but placed first among the 18 African countries surveyed. The country's best criteria rankings were a seventh place for mobile internet stability, 21st for mobile affordability, and 24th for broadband internet affordability.
Denmark took the top position in the index for the second year in a row, and the new overall top 10 has changed considerably, with a new entrant, South Korea, taking the second spot, ahead of Finland (3) and Israel (4). The United States jumped to the 5th position from the 22nd spot the year before, with significant improvements in internet quality and e-infrastructure.
Singapore was in sixth place, France in seventh, Switzerland eighth, Germany ninth, and Britain in 10th place.
Digital opportunities have proved to be more important than ever during the COVID-19 crisis, stressing the importance for every country to ensure fully remote operational capacities for their economies, says Vytautas Kaziukonis, CEO of Surfshark.
That is why, for the third year in a row, we continue the Digital Quality of Life research, which provides a robust global outlook into how countries excel digitally. The index sets the basis for meaningful discussions about how digital advancement impacts a countrys prosperity and where improvements can be made.
Cybercrime is hitting communities of color at higher rates, study finds – CyberScoop
Written by Tonya Riley Sep 27, 2021 | CYBERSCOOP
Black people, Indigenous people, and people of color (BIPOC) are more likely to suffer from identity theft and financial impact from the fallout, according to survey data collected by internet security company Malwarebytes with the nonprofits Digitunity and the Cybercrime Support Network.
The survey found, for instance, that just 47% of BIPOC respondents were able to avoid a financial impact due to identity theft, compared to 59% of overall respondents. Compared to overall respondents, BIPOC on average reported roughly $200 more in financial losses.
Forty-seven percent sounds like okay, well, that's not so bad, it's like 50-50 whether you're losing money, right? But 47% is compared to 59% of all respondents, said David Ruiz, an online privacy advocate at Malwarebytes. That means that everyone else has a better chance at not being financially hit, everyone else has a better chance of skirting by kind of unscathed.
Ruiz says the report's findings on cybercrime should be considered within the wider context of the way communities experience the Internet in unequal ways. For instance, the Pew Center reports that significantly larger numbers of women and Black and Hispanic Americans have reported online harassment compared to white men.
This survey, for me at least, really showed that the internet is not an equal experience for everyone, said Ruiz. And people are telling us that loud and clear. There are groups who feel less private, there are groups who feel less safe.
The survey, which looks at the demographics of cybercrime, polled 5,000 people across the United States, the United Kingdom and Germany. While the three nations have very different privacy regulations, Ruiz said there was not a substantial difference when looking at the data by country.
Malwarebytes' study also reflects the interconnectedness of online and offline harms, Ruiz noted. Women were twice as likely as men to attribute credit card information fraud to a physical attack or theft. Similarly, Ruiz offered the example of how online attacks such as doxing can lead to physical attacks against a person.
Malwarebytes' numbers generally align with data collected by the U.S. government in recent years. A 2016 Federal Trade Commission study provided to Congress found that African American and Latino consumers were more likely to become fraud victims than non-Hispanic whites. The study was part of the agency's outreach initiative to help reduce fraud-related crime against minority communities. Prior to 2016, the agency had not generally collected demographic information about fraud victims. However, the survey relied on a relatively small sample size of 3,700 individuals.
Federal data has also been limited by self-selection. Heavily Black and heavily Hispanic communities register far fewer complaints to the agency than non-minority communities compared to their level of victimization, FTC economist Devesh Raval wrote in the journal Marketing Science.
Nonprofits that work with cybercrime victims have also seen higher rates of minority victims.
While the Identity Theft Resource Center only collects the demographic data of U.S. identity crime victims that reach out for help, the organization still sees a higher percentage of victims who self-identify as African American compared to the overall U.S. population, said James Lee, chief operating officer.
Quad involvement expected to boost coast guard's role – Taipei Times
By Wu Su-wei and William Hetherington / Staff reporter, with staff writer
Taiwan could play a pivotal role in coast guard activities and cybersecurity in the Asia-Pacific region, Taiwanese academics said on Saturday.
They made the remarks following reports that Taiwan might participate in activities of the Quadrilateral Security Dialogue, a security grouping of Australia, India, Japan and the US, also known as the Quad.
Leaders of the four nations issued a joint statement after a meeting in Washington on Friday saying that they were committed to promoting the free, open, rules-based order, rooted in international law and undaunted by coercion.
We stand for the rule of law, freedom of navigation and overflight, peaceful resolution of disputes, democratic values and territorial integrity of states, they said.
The formation of AUKUS, a trilateral security alliance between Australia, the UK and the US, as well as an earlier joint statement by Quad members, showed that the US seeks to expand the grouping, said Kuo Yu-jen, a political science professor at National Sun Yat-sen University.
Although the latest joint statement did not specifically mention Taiwan, the issue of Taiwan's possible role in an expanded Quad Plus grouping, and the nation's cooperation with the coast guards of the US and Japan, were discussed at the meeting in Washington, he said.
AUKUS was formed specifically as a military alliance, so it's likely that the US intends the Quad to be something different, more of a mechanism for the four member countries to cooperate on a variety of issues, he said.
Aside from cooperation on coast guard affairs, Taiwan could work with the Quad on the detection of submarines, Internet security and logistics affairs, he said.
Lai I-chung, a consultant at the Taiwan Thinktank, said that the nation is likely to play a key role in international cooperation on technology and medicine involving the Quad members, as Taiwan excels in the two sectors.
Lai said that 5G mobile networks and other technology, supply chains, and vaccines were mentioned in Friday's Quad statement, which indicates that Taiwan could also play a role in these areas.
As the formation of AUKUS frees up Quad nations' capacities, it can now focus its efforts on other areas that will strengthen the freedoms of other regional countries, he said. This will attract more countries to participate in a Quad Plus.
Asked whether Taiwan could participate in military drills with Quad countries, Lai said that such maneuvers would not make use of Taiwan's strengths.
However he said that by improving its defensive capabilities, Taiwan would be contributing to regional stability.
Under AUKUS, Australia would likely commit its troops to helping Taiwan should a war break out in the Taiwan Strait, he said, adding that Japan would likely also commit its military to the cause.
Taiwan just needs to focus on its asymmetrical warfare capabilities, strengthen its defenses and work out how to coordinate its defenses with the US, Japan and Australia, he said.
Former Gartner Analyst and Cybersecurity Pioneer Joins SessionGuardian’s Advisory Board – PRNewswire
NEW YORK, Sept. 23, 2021 /PRNewswire/ -- SessionGuardian, an industry leader in endpoint security for distributed workforces, announced today that Rob Smith, former Gartner analyst, has joined the company's advisory board.
"We're pleased to welcome Rob to our board," said Jordan Ellington, CEO and Founder of SessionGuardian. "It's an honor to have a globally recognized expert in endpoint and remote security on our team to help us maintain our leading position in the cybersecurity industry."
Mr. Smith currently provides advisory and consulting services to multiple internet security vendors, including SessionGuardian. Previously, he worked at Gartner for eight years. As the senior director analyst, he advised on endpoint security, digital workplace infrastructure and operations, security and risk management, and infrastructure security. With a career spanning 33 years, Mr. Smith has also founded and/or co-founded four companies.
During his initial advisory meetings with SessionGuardian, Mr. Smith identified the company's unique positioning in the cybersecurity landscape: VDI/DaaS endpoint protection. He recognized the company's ability to prevent breaches through persistent biometric user authentication during remote sessions and described its software as the only product that eliminates uncertainty around who is viewing your data. Mr. Smith now joins the advisory board to help SessionGuardian keep its edge in this emerging tech space.
"I've seen hundreds of cyber security products, and SessionGuardian is the only one that utterly eliminates uncertainty about who is viewing your data. It's a total evolution in data protection for companies with remote workers, and it arrived just in time to combat increasingly sophisticated attacks that MFA alone simply can't defend against. SessionGuardian adds the final layer of security that IT leaders have been demanding," said Mr. Smith.
Mr. Smith's addition to SessionGuardian's advisory board affirms the company's mission to pioneer software solutions that mitigate risk and create limitless opportunity for the evolving global economy.
Visit http://www.sessionguardian.com to learn how SessionGuardian blocks endpoint security threats.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission.
About SessionGuardian
SessionGuardian is a software development company with proven success in the endpoint security landscape, with a focus on organizations navigating the risks of a distributed workforce. SessionGuardian pioneered the adoption of persistent biometric technology and offers a preemptive, zero-trust approach to cybersecurity, empowering organizations to operate fearlessly in the evolving global economy.
SOURCE SessionGuardian
Does Your Organization Have a Security.txt File? Krebs on Security – Krebs on Security
It happens all the time: organizations get hacked because there isn't an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn't entirely clear who should get the report when remote access to an organization's internal network is being sold in the cybercrime underground.
In a bid to minimize these scenarios, a growing number of major companies are adopting Security.txt, a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.
An example of a security.txt file. Image: Securitytxt.org.
The idea behind security.txt is straightforward: the organization places a file called security.txt in a predictable place such as example.com/security.txt or example.com/.well-known/security.txt. What's in the security.txt file varies somewhat, but most include links to information about the entity's vulnerability disclosure policies and a contact email address.
The security.txt file made available by USAA, for example, includes links to its bug bounty program; an email address for disclosing security related matters; its public encryption key and vulnerability disclosure policy; and even a link to a page where USAA thanks researchers who have reported important cybersecurity issues.
Other security.txt disclosures are less verbose, as in the case of HCA Healthcare, which lists a contact email address, and a link to HCAs responsible disclosure policies. Like USAA and many other organizations that have published security.txt files, HCA Healthcare also includes a link to information about IT security job openings at the company.
Having a security.txt file can make it easier for organizations to respond to active security threats. For example, just this morning a trusted source forwarded me the VPN credentials for a major clothing retailer that were stolen by malware and made available to cybercriminals. Finding no security.txt file at the retailer's site using gotsecuritytxt.com (which checks a domain for the presence of this contact file), KrebsOnSecurity sent an alert to the security@ email address for the retailer's domain.
Many organizations have long unofficially used (if not advertised) the email address security@[companydomain] to accept reports about security incidents or vulnerabilities. Perhaps this particular retailer also did so at one point; however, my message was returned with a note saying the email had been blocked. KrebsOnSecurity also sent a message to the retailer's chief information officer (CIO), the only person in a C-level position at the retailer who was in my immediate LinkedIn network. I still have no idea if anyone has read it.
Although security.txt is not yet an official Internet standard as approved by the Internet Engineering Task Force (IETF), its basic principles have so far been adopted by at least eight percent of the Fortune 100 companies. According to a review of the domain names for the latest Fortune 100 firms via gotsecuritytxt.com, those include Alphabet, Amazon, Facebook, HCA Healthcare, Kroger, Procter & Gamble, USAA and Walmart.
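As an added example (not code from Krebs on Security, securitytxt.org or gotsecuritytxt.com), the following parser and checker shows what such a file contains and what a reporter or site owner should verify before relying on it. The draft the article describes was later published as RFC 9116, and the rules below follow it: at least one Contact given as a URI (mailto: or https:; a bare e-mail address is a common mistake), exactly one Expires in ISO 8601 format and ideally less than a year out, and a preferred location of /.well-known/security.txt with the site root as a fallback. The sample files are constructed and belong to no company named in the article.

```python
"""Parse and sanity-check a security.txt file (field rules per RFC 9116).

Added example, not code from Krebs on Security, securitytxt.org or
gotsecuritytxt.com. GOOD, BAD and NOW are constructed for the demo.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SINGLE_VALUE = {"expires", "preferred-languages"}
KNOWN_FIELDS = SINGLE_VALUE | {
    "contact", "encryption", "acknowledgments", "policy", "hiring", "canonical", "csaf",
}

# Constructed sample files; example.com is a reserved documentation domain.
GOOD = """\
# Constructed example, not any real company's file
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2022-06-30T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/vulnerability-disclosure-policy
Acknowledgments: https://example.com/hall-of-fame
Hiring: https://example.com/careers/security
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

BAD = """\
Contact: security@example.com
Policy: https://example.com/policy
Encryption: https://example.com/pgp-key.txt
"""

NOW = datetime(2021, 9, 27, tzinfo=timezone.utc)  # the article's date, used as "today" below


def locate(fetched: dict[str, str]) -> tuple[str, str] | None:
    """Pick the file from simulated fetch results, preferring the .well-known path the RFC requires."""
    for path in ("/.well-known/security.txt", "/security.txt"):
        if path in fetched:
            return path, fetched[path]
    return None


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Field name (lower-cased) -> list of values in file order; comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line, e.g. part of a PGP signature block
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def validate(fields: dict[str, list[str]], now: datetime = NOW) -> list[str]:
    """Return the problems a reporter or the site owner would want fixed (empty list == fine)."""
    problems: list[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:
        if "@" in c and not c.lower().startswith("mailto:"):
            problems.append(f"Contact {c!r} is an e-mail address but not a mailto: URI")
        elif ":" not in c:
            problems.append(f"Contact {c!r} is not a URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        when = _parse_expires(expires[0])
        if when is None:
            problems.append(f"Expires {expires[0]!r} is not an ISO 8601 date-time")
        elif when <= now:
            problems.append("file has expired; contacts may be stale")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year away; RFC 9116 recommends under one year")
    for name in SINGLE_VALUE - {"expires"}:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
    return problems


if __name__ == "__main__":
    path, text = locate({"/security.txt": BAD, "/.well-known/security.txt": GOOD})
    print(path, validate(parse_security_txt(text)) or "ok")
    print("/security.txt", validate(parse_security_txt(BAD)))
```

Expires is the field most often missing from early adopters' files, and it matters: a reporter who finds an expired file has no way of knowing whether the mailbox behind it is still read, which is the failure the retailer anecdote above illustrates.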
There may be another good reason for consolidating security contact and vulnerability reporting information in one predictable place. Alex Holden, founder of the Milwaukee-based consulting firm Hold Security, said it's not uncommon for malicious hackers to experience problems getting the attention of the proper people within the very same organization they have just hacked.
In cases of ransom, the bad guys try to contact the company with their demands, Holden said. You have no idea how often their messages get caught in filters, get deleted, blocked or ignored.
So if security.txt is so great, why haven't more organizations adopted it yet? It seems that setting up a security.txt file tends to invite a rather high volume of spam. Most of these junk emails come from self-appointed penetration testers who, without any invitation to do so, run automated vulnerability discovery tools and then submit the resulting reports in hopes of securing a consulting engagement or a bug bounty fee.
This dynamic was a major topic of discussion in these Hacker News threads on security.txt, wherein a number of readers related their experience of being so flooded with low-quality vulnerability scan reports that it became difficult to spot the reports truly worth pursuing further.
Edwin EdOverflow Foudil, the co-author of the proposed notification standard, acknowledged that junk reports are a major downside for organizations that offer up a security.txt file.
This is actually stated in the specification itself, and it's incredibly important to highlight that organizations that implement this are going to get flooded, Foudil told KrebsOnSecurity. One reason bug bounty programs succeed is that they are basically a glorified spam filter. But regardless of what approach you use, you're going to get inundated with these crappy, sub-par reports.
Often these sub-par vulnerability reports come from individuals who have scanned the entire Internet for one or two security vulnerabilities, and then attempted to contact all vulnerable organizations at once in some semi-automated fashion. Happily, Foudil said, many of these nuisance reports can be ignored or grouped by creating filters that look for messages containing keywords commonly found in automated vulnerability scans.
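A simple version of the keyword filter Foudil describes, as an added example that is not from the article or from any project it mentions: each inbound report is scored on phrases that recur in automated scanner output against signals of a hand-written report, so the promising ones surface first. The phrase lists, the `Report` class and the sample inbox are all constructed for this illustration and would need tuning to a real mailbox.

```python
import re
from dataclasses import dataclass

# Phrases that recur in unsolicited automated-scan reports. This list is a
# constructed starting point, not the article's; tune it to your own mailbox.
SCANNER_PHRASES = [
    "missing security header", "x-frame-options", "clickjacking",
    "spf record", "dmarc record", "content-security-policy",
    "strict-transport-security", "bug bounty", "reward",
]
# Signals that a person actually investigated and wrote the report up.
EFFORT_PHRASES = ["steps to reproduce", "proof of concept", "impact", "curl "]


@dataclass
class Report:
    sender: str
    subject: str
    body: str


def score(report: Report) -> int:
    """Positive scores favour manual review; negative ones suggest scan spam."""
    text = f"{report.subject}\n{report.body}".lower()
    spam = sum(p in text for p in SCANNER_PHRASES)
    effort = sum(p in text for p in EFFORT_PHRASES)
    # A concrete URL with a query parameter usually means someone looked at
    # one specific endpoint rather than mass-scanning every domain they found.
    specific = 1 if re.search(r"https?://\S+/\S+\?\S+=", text) else 0
    return 2 * effort + 2 * specific - spam


def triage(reports, threshold=0):
    """Split reports into (review_first, likely_noise), best scores first."""
    ranked = sorted(reports, key=score, reverse=True)
    review = [r for r in ranked if score(r) >= threshold]
    noise = [r for r in ranked if score(r) < threshold]
    return review, noise


# Constructed sample inbox; none of these are real reports or real senders.
SAMPLE_INBOX = [
    Report("scan@example.invalid", "Missing security header on example.org",
           "Your site is missing the X-Frame-Options header and is vulnerable "
           "to clickjacking. Also no DMARC record. Please advise on bug bounty "
           "reward."),
    Report("alice@example.invalid", "Invoice export returns other customers' data",
           "Steps to reproduce: log in, then request "
           "https://example.org/api/invoices?id=1043 with a second account's "
           "session. Impact: another customer's invoice is returned. "
           "Proof of concept attached."),
    Report("spfbot@example.invalid", "SPF record misconfiguration",
           "Your SPF record lacks -all. Send bounty details."),
]

if __name__ == "__main__":
    review, noise = triage(SAMPLE_INBOX)
    for label, group in (("REVIEW", review), ("NOISE", noise)):
        for r in group:
            print(f"{label:6} {score(r):3} {r.subject}")
```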
Foudil said despite the spam challenges, he's heard tremendous feedback from a number of universities that have implemented security.txt.
"It's been an incredible success with universities, which tend to have lots of older, legacy systems," he said. "In that context, we've seen a ton of valuable reports."
Foudil says he's delighted that eight of the Fortune 100 firms have already implemented security.txt, even though it has not yet been approved as an IETF standard. When and if security.txt is approved, he hopes to spend more time promoting its benefits.
"I'm not trying to make money off this thing, which came about after chatting with quite a few people at DEFCON [the annual security conference in Las Vegas] who were struggling to report security issues to vendors," Foudil said. "The main reason I don't go out of my way to promote it now is because it's not yet an official standard."
Has your organization considered or implemented security.txt? Why or why not? Sound off in the comments below.
Read the original here:
Does Your Organization Have a Security.txt File? Krebs on Security - Krebs on Security
HSE was in ‘uniquely vulnerable position’ at time of cyberattack – Smyth – The Irish Times
The HSE was in a uniquely vulnerable position at the time it was attacked by cyberhackers, Minister of State Ossian Smyth has said.
He told the Oireachtas communications committee that large healthcare systems, which are under the pressure of life and death situations, are often vulnerable to attack, and that the HSE had made improvements in its cybersecurity in the run-up to the attack.
However, the combined workloads associated with the pandemic and the vaccine rollout meant it was in a uniquely vulnerable position at the time.
He said two consultants' reports into the hack are underway, and they will be published shortly. A Garda investigation has established when and how the network was compromised, he told Fianna Fáil senator Gerry Horkan.
Sinn Féin communications spokesman Darren O'Rourke said a capacity review of the National Cyber Security Centre (NCSC), a redacted version of which was shared with the committee, was a "very damning indictment" of its capacities. Mr O'Rourke said it found the NCSC was under-resourced and overtasked. Mr O'Rourke also questioned whether it could recruit 20 new staff in 18 months, with Mr Smyth conceding it would be challenging to compete against other states and organisations seeking similarly skilled workers.
Mr Smyth told the committee that a new headquarters for the NCSC is likely to cost in the single-digit millions and will take over a full floor of the new Departmental headquarters in Dublin's Beggars Bush, but not until 2023. Before then, the team is set to move to a temporary facility identified by the Office of Public Works. An internship programme is also underway.
Smyth said the HSE was in a much stronger position on cybersecurity when it was hacked than it had previously been, but that healthcare organisations are innately vulnerable to attack as they are large organisations encompassing multiple different bodies and groups, with people under life-and-death pressure whose attention is not always focused on things like password strength.
"You can't say to someone who is trying to save a patient's life, 'you need to have a better password to go and look up a patient's file'," he said. Financial resourcing for cybersecurity is not an issue, he said, dismissing it as a "red herring". He argued that instead the cultural emphasis placed on it by organisations and the political support for it is key.
He also argued that the ongoing use of outdated software packages on HSE computers - such as Windows 7, which was still in use in the health service at the time of the attack - was not the reason the attack was successful. He said it "didn't help but definitely didn't cause the hack to take place", and it would not have been prevented if they had all been upgraded. He said efforts had been made prior to the hack to keep machines running that system off other parts of the network, as they weren't receiving security patches, but that sometimes they were needed to run older pieces of medical hardware which did not work with newer systems.
"Windows 7 is one risk of many and it is not the sole reason this attack happened," he said. Smyth said Ireland wasn't particularly targeted for the HSE hack, and that hospitals have been attacked around the world, even in countries which have the best cyber defences.
Mr Smyth said that new powers of the NCSC were unlikely to include offensive capacity - or the capacity to carry out cyber attacks - but rather having the ability to act defensively and disrupt attacks. He said that there had been a sixfold increase in cyber attacks during the pandemic and, rejecting the suggestion the NCSC was unfit for purpose, he accepted that any organisation undergoing such an increase in workload is going to be challenged. However, new people to work in the NCSC could not be magicked out of thin air. Staff at the organisation had not reported low morale to him, he said.
He also committed to giving the full capacity review of the NCSC to the committee in the coming weeks.
On budget, he said: "7mn is not an issue that is up for dispute, money is not a constraining factor... and I honestly think the money is a red herring." He told the committee that comparisons to the UK's GCHQ budget were not apt, as Ireland had no desire to run a similar scale operation, examining internet, call and email traffic at such a level.
On the hacking of Simon Coveney's phone, he said that it was reported to the NCSC who took it extremely seriously. "In no regard was this treated as a trivial manner," he said, and all the correct statutory measures were taken. Regarding the European Court challenge taken by Graham Dwyer on data protection and retention regarding his original murder conviction, he said that the implications and the outcome are both unknown, but that scenario planning is of course done.
the Oireachtas committee that new legislation providing for intelligence gathering for the NCSC is to be brought forward.
The agency is at the centre of reforms which will involve significant extra resources and manpower being directed at it in the wake of the successful data hack of the HSE earlier this year.
Mr Smyth told the committee on Wednesday that an inter-departmental committee met to consider new legislation that might be needed to strengthen the NCSC.
"To empower the NCSC to carry out its necessary functions, it is inevitable that the proposed legislation will provide for intelligence gathering, which will bring with it certain governance requirements as well as requirements on the legislative process," he told the committee.
Officials are working on a consultation over the process which will lead to heads of a Bill being drafted and legislation passing through the Oireachtas before the end of next year, Mr Smyth said.
Applications are to be sought for a new director of the State's National Cyber Security Centre this week, with a bumped-up salary of 184,000 attached.
The higher salary, which was approved earlier this year following the HSE data hack, followed criticism over the State's failure to fill the position prior to the most damaging cyberattack it ever experienced.
Mr Smyth gave evidence on Wednesday to the Oireachtas communications committee on the future of the NCSC. Committee members were also given access to a redacted version of a consultants report which identified significant shortcomings in the capacities and resources of the NCSC.
Mr Smyth told the committee good progress is being made adding to the headcount for the NCSC, which is set to rise by 20 full-time roles approved earlier this year. That is due to take place within the next 18 months, with headcount to rise to at least 70 within five years. In July, just 25 staff were employed full time at the NCSC.
The Government has approved an extra 2.5 million for this purpose in 2022. Open competitions are being run and civil servants are also being invited to redeploy from other positions into the NCSC, Mr Smyth told the committee.
Read the rest here:
HSE was in 'uniquely vulnerable position' at time of cyberattack Smyth - The Irish Times
Stop worrying that crims could break the ’net, say cyber-diplomats – only nations have tried – The Register
The Global Commission on the Stability of Cyberspace (GCSC) is worried its guidance on preventing the internet and all it connects becoming a casualty of war is being misinterpreted, perhaps wilfully.
The GCSC works to create global behavioural norms that hopefully find their way into the diplomatic documents that govern nation-states' behaviour. The organisation does so because conventions governing kinetic warfare prohibit attacks on hospitals or schools, but many nations are yet to formalise recognition that information warfare could easily disrupt hospitals. The GCSC therefore wants nations to recognise that information warfare needs rules that match the intent of those governing kinetic conflict.
The Commission has had considerable success in those efforts, having defined eight norms. The first, the Norm on non-interference with the public core of the Internet, seeks to forbid attacks on the Domain Name System, DNSSEC, WHOIS information services, and systems operated by the Internet Assigned Numbers Authority and by the Regional Internet Registries.
The norm also calls for "naming and numbering protocols themselves and the integrity of the standardization processes and outcomes for protocol development and maintenance" to be off-limits during conflict.
The organisation is pleased with progress towards its goals.
"We are delighted that the concept of the public core of the Internet has been fully integrated in such diverse texts as the Paris Call for Trust and Security in Cyberspace and the Cyber Security Act of the European Union," reads a new statement [PDF] from the group.
But the statement suggests the norm is being misinterpreted.
"Fundamentally we believe that the norm of non-interference with the public core is an issue of governance 'on' the Internet, and primarily a matter of moderating malicious state behaviour, and not an issue of governance 'of' the Internet, and therefore of Internet governance," the statement declares.
"Despite recent attempts to cast the main threat to the public core as resulting from cybercriminals, it is in fact states and their affiliates whose activities pose the greatest risks," the document adds, citing an International Telecommunication Union document that suggests nation-states could guarantee the 'net's safety from a criminal attack.
That document [PDF], submitted by the Russian Federation, suggests that nation states need to safeguard the internet core because the GCSC model doesn't offer a good model for coordinating defenses. The Russian document also suggests criminals are gathering strength with the intention to attack the internet.
The GCSC statement also points out that most internet governance organisations are not run by governments.
"There is nothing in the GCSC norm to suggest that these key elements of the public core are not being well cared for by these actors," the statement adds. "However, no extent of care is sufficient to address an unlimited reservoir of potentially malicious behaviour. As described above, the only evidence of repeat behaviour points to state-affiliated activity, and not cybercrime."
The statement therefore concludes that the GCSC's approach of setting norms for nations regarding the bodies that define, operate, and administer the internet is more appropriate than trying to stop criminals attacking its core.
"Even if governments maintain a de jure monopoly over the legitimate use of force in cyberspace, they no longer have a practical monopoly on attacking and protecting this domain, nor can they prevent the proliferation and use of powerful cyber weapons," the statement declares.
"Rather, the technical community, civil society, and individuals also play a major role in the protection of cyberspace, including the promulgation of standards."
Continued here:
Stop worrying that crims could break the 'net, say cyber-diplomats only nations have tried - The Register
Britney Spears’ dad monitored her phone and internet use: report – National Post
Her security staff were subsequently asked to put 'parental control' on her iPhone so other people could gain access to her texts, calls, and browser history, according to the Controlling Britney Spears documentary
Author of the article: National Post Wire Services (WENN)
Britney Spears' phone and internet use were monitored by her father, a new documentary has claimed.
The Baby One More Time singer, who has been outspoken about wanting Jamie Spears to lose his position as conservator of her affairs, reportedly worried her team when she requested a new iPhone.
Her security staff were subsequently asked to put parental control on the device so other people could gain access to her texts, calls, and browser history, according to the Controlling Britney Spears documentary.
Speaking in the film, which was released on Friday (Sept. 24), Alex Vlasov, who worked for Black Box Security from 2012 to 2021, said: "Britney wanted to get an iPhone and that was a big deal. Everybody was worried.
"(My boss) Edan (Yemini) approached me and asked me, 'Is there any monitoring services for an iPhone that you are aware of?' And I'm like, 'What do you mean?' And he's like, 'Well, parental controls. Is there any way you can put parental controls on an iPhone?'
"And that's when Edan explained to me that Britney's communication is monitored for her own security and protection."
Alex questioned the legality of the request and was told the court was aware of the monitoring of her communications, which eventually led to Britney's phone being cloned onto an iPad, which was kept in a safe.
He continued: "(Edan) said, 'Yes, the court is aware of this. Britney's lawyer is aware of this. This is for her safety. It's for her protection.'
"And then Robin (Greenhill of Britney's management team at Tri Star Sports & Entertainment Group) came up with the idea of, 'Why don't we just take an iPad, sign in with an iCloud on there, the same iCloud that Britney would use on her phone, and that would mirror all activity? You would be able to see all messages, all FaceTime calls, notes, browser history, photographs.'
"Their reason for monitoring was looking for bad influence, looking for potential illegal activity that might happen, but they would also monitor conversations with her friends, with her mum, with her lawyer Sam Ingham. If there's anybody that should be off limits, it should be Britney's lawyer."
Tri Star Sports & Entertainment group branded the allegations "false", but Jamie's lawyer, Vivian Lee Thoreen, insisted his actions were done "with the knowledge and consent of Britney, her court-appointed attorney and/or the court."
Edan's lawyer said: "Black Box have always conducted themselves within professional, ethical and legal bounds, and they are particularly proud of their work in keeping Ms. Spears safe for many years."
The singer's new attorney, Mathew Rosengart, has vowed to "fully and aggressively investigate these matters."
He added: "Intercepting or monitoring Britney's communications, especially sacrosanct attorney-client communications, represents a shameful and shocking violation of her privacy rights and civil liberties."
Read this article:
Britney Spears' dad monitored her phone and internet use: report - National Post