Subscribe to RSS - Cybersecurity

Cybersecurity

Are you and your company ready for a cyberattack or data breach?

 - 
Wednesday, November 6, 2019

Kind of like the once elusive sound of a car alarm in a packed parking lot in the 80s to the flooded number of parked cars with car alarms today, as is the discussion of cyberattacks, cybercrimes, data breaches and such. 

I remember being around seven years old and in our local K-Mart parking lot with my mom, when a sound emerged from somewhere among the parked cars. That’s the first time I had ever heard a car alarm. Today, a car alarm is an annoyance at best and not really “heard” by many people anymore. 

Likening that to the cyber world, I remember becoming so intrigued with cybersecurity, cyberattacks, cybercrimes and such about 10 years ago, when I became heavily involved in social media. It was something exciting and different than had ever been seen before in true crime stories that intrigue and whet the public’s palates. Fast-forward to today, and it’s become common-place to see these types of stories throughout all aspects of media reporting — online articles and blogs; social media platforms; TV news stories; documentaries; radio reporting; etc., so much so, that people are already or becoming numb to it, passing it off as just “one of those things we have to deal with in life.” However, especially as a security professional, cyberattacks and data breaches not only shouldn’t be taken lightly, they absolutely cannot be, as they have literally ruined business and people. So, I ask you: “Are you ready and prepared?” 

Sad to say, but if you’re like the majority of the over 800 CISOs and other senior executives across North America, Europe and Asia, surveyed (commissioned by FireEye and delivered by Kantar, an independent market research organization), the answer is unfortunately, “no.” The study found that: 

  • 51 percent of surveyed organizations don’t believe they are ready or would respond appropriately to a cyberattack or data breach; 
  • 29 percent of these organizations with response plans in place haven’t tested or updated them in the last 12 months or more; and
  • 76 percent of the organizations plan to increase their cyber security budget in 2020. 

The survey also highlighted varying global viewpoints. In Asia, Japan plans to prioritize detection capabilities in 2020 and expresses concerns regarding cloud security, while Korea believes nation states are the most likely source of cyberattacks. The U.S. is leading the transition to cloud; Germany is concerned about cloud security and France believes employee training to be a top protection measure. 

I urge you, don’t become a parked car in a sea of cyberattacks and data breaches with your alarm going off and people just walking by like nothing is wrong. Prepare by creating a plan and know/understand exactly how to execute that plan before, during and after a cyberattack or data breach. This is a must. Think about it – it can’t be underestimated just how smart cybercriminals really are; it’s all they focus on day in and day out. They are experts at their craft and we must know how to prevent as must as possible and reciprocate, when necessary, to stay safe.

Formjacking, a newer way of stealing personal data online

 - 
Wednesday, October 16, 2019

Cyber Security Awareness Month is in full swing; social media is buzzing with extremely helpful content and resources, mostly of which is free to help businesses and individuals gain and stay in control of their digital worlds. As the saying goes, “you learn something new every day,” or you should. Through social media related to #NCSAM, #cybersecurityawarenessmonth and #BeCyberAware, I heard about a newer way hackers are stealing data – formjacking.

I knew the term “jacking” meant stealing, but combing it with the word “form,” it could mean a variety of things, so I reached out to my friends at the Security Industry Association (SIA) for some guidance. 

“Formjacking is the injection of malicious code into a seemingly trustworthy website form that relays a copy of the field inputs to an attacker,” Joe Gittens, director of standards, SIA, explained. “In these cases, the victim’s transaction with the trust source is not interrupted; however, information from the from, which could include sensitive data, is relayed to the attacker.” 

That literally gave me chills. I can’t speak for you, but I know I have filled out at least hundreds of forms in my digital life; reflecting back over my past 20 years, there’s no telling what data I’ve shared. And, with formjacking, here’s the kicker – there are no red flags for the average online user to look for. 

“Unlike with spoofing and phishing, there are very few tell-tale signs that a form has been compromised,” Min Kyriannis, head, technology business development, Jaros, Baum & Bolles and member of SIA’s Cybersecurity Advisory Board. In fact, the only way to detect formjacking is looking at the code, “and, unless you’re trained, it’s hard to detect,” Gittens said. 

It looks like the regular, every day Joe who is going online and filling out forms has absolutely no way of knowing his data could be at risk, although end users can self-sabotage through installing browser plug-ins, Gittens said. Therefore, it’s mainly up to the company behind the online form to ensure people and their data are protected. 

“Companies need to ensure that all software, plug-ins and any third-party applications or extensions have been vetted and check for vulnerabilities,” Kyriannis advised. “These need to be continuously checked, since software is constantly being updated.” 

It amazes me how smart cybercriminals/hackers truly are, and it’s important to never underestimate them. Think about it in these terms: once a threat is recognized and identified by the “good guys,” the “bad guys” have already moved on “looking for more covert ways to harvest data,” Gittens said, in a way that’s the “easiest to hide and what’s most lucrative” for them,” added Kyriannis.

Gittens identified partner trust as key and noted that formjacking can and has affected large and mom-and-pop institutions. “Just like with other attacks, understanding exactly what type of privileges a third-party service has on your website or your browser and only allowing the most trusted services into your ecosystem can help protect you and your business. Also, be careful about what types of information you are collecting in forms in case you are attacked. If you don’t have to collect sensitive data, don’t do it – contract a trusted third party to perform the transaction for you who has better security protocols in place and can provide you and your customers with assurances. The SIA Cybersecurity Advisory Board will soon look to provide guidance on how security stakeholders can foster more trust within the device and application ecosystem.”

Kyriannis concurs that trust is key, but “people with malicious intent will always find new ways to sneak under the radar. The industry must lead in bringing awareness to their clients, customers, etc., and self-awareness is critical – for end users, that means setting up security parameters for themselves,” such as tagging credit cards to constantly monitor charges. 

Formjacking Key Takeways

  1. Any and all information shared via an online form is at risk of being stolen. 
  2. The only way to detect formjacking is to look at the code. 
  3. Ensure software, plug-ins and any third-party applications or extensions have been vetted and regularly check for vulnerabilities.
  4. Understand the exact privileges a third-party service has on your website/browser. 
  5. If you don’t have to collect sensitive data, don’t. 
  6. Set up security parameters for yourself.

Cybersecurity pledge signed by over 20 countries

 - 
09/27/2019

YARMOUTH, Maine—As ink was flying and signatures made on Monday, September 23, on the Joint Statement on Advancing Responsible State Behavior in Cyberspace, representing the 27 countries committed to upholding this international rules-based order, an evolving framework that guides responsible state behavior in cyberspace, memories resurfaced of my dad and grandmother, both of whom never got to see, much less interact with, the Web.

Security Systems News recognized as a 2019 NCSAM Champion Organization

 - 
Wednesday, September 25, 2019

As the saying goes, “it takes a village,” and nothing is farther from the truth when confronting cybersecurity. It will literally take everyone working together to combat cyber risks and threats. As more and more organizations take the necessary steps to become and stay cyber safe, these same and other organizations are reaching out and showing their support of various campaigns centered around cyber. 

And, now an important announcement … drum roll please!

As of this blog post, Security Systems News is proud to be the only security industry publication recognized as a 2019 Champion Organization of National Cybersecurity Awareness Month (NCSAM) co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and infrastructure Agency (CISA) of the U.S. Department of Homeland Security. 

In just five days, October will be here, the month of ghouls and goblins, candy and trick-or-treating, and perhaps most importantly, NCSAM, a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals to be committed to this year’s NCSAM overarching team of “Own It. Secure It. Protect It.” This theme serves as encouragement to everyone to #BeCyberSmart through personal accountability and proactive behavior in security best practices and digital privacy.

“Cybersecurity is important to the success of all businesses and organizations,” Kelvin Coleman, executive director, NCSA, said. “NCSA is proud to have such a strong and active community helping to encourage proactive behavior and prioritize cybersecurity in their organizations.” 

So, what does this amazing news mean for you, our amazing readers? Well, throughout the month of October, we will provide you with the latest and greatest tips, discussion topics, free resources, videos, quizzes and more to ensure you are cybersafe!  

To gain access to these must-have tools, be sure to: 

  1. Follow SSN Managing Editor, Ginger Hill, on Twitter @SSN_Ginger; 
  2. If you miss any tweets, search on Twitter using #SSNTalks to see all our previous tweets.
  3. Follow SSN/SecurityNext on LinkedIn; and 
  4. Follow SSN on Facebook

When you see our posts on Twitter, LinkedIn and Facebook, be sure to comment, using #SSNTalks and #BeCyberSmart, like and share! We will respond to all comments! 

Everyone here at SSN is super excited to be a 2019 NCSAM Champion and to join in the fight for cybersecurity!

Phishing, smishing and vishing: what do they mean and how to protect yourself

 - 
Wednesday, September 4, 2019

I have a special affinity toward cybersecurity, probably because I’ve witnessed it grow from not even being a word, much less a concept to indoctrinating itself into society on a second by second basis. People must be alert, knowledgeable and actionable in order to stay safe from cybercriminals, and thankfully, there are various organizations available to help. 

During August, I attended the National Cyber Security Alliance and Infosec webinar that explored the cyber threats phishing, smishing and vishing, and offered steps of protection. Daniel Eliot, director of education and strategic initiatives, National Cyber Security Alliance moderated as Tiffany Schoenike, chief operating officer, National Cyber Security Alliance and Lisa Plaggemier, chief evangelist, Infosec took center stage.

“At their core, phish are just tools criminals use for social engineering, which is the use of deception to manipulate individuals into doing something they wouldn’t normally,” Plaggemier explained during the webinar. “Thieves are generally after two things: money and things they can turn into money, and over three billion phishes are sent every single day” to try and gain access to private information, engage with people to develop trust, present links that download malware when clicked, modify data, etc.

Here’s some common types of phish you need to know about: 

  • Spear phishing: a targeted attack that usually involves cybercriminals gathering intel to use to send emails that appear to be from a known or trusted sender.
  • Whaling: attacks that target senior-level employees. 
  • Credential harvesting: an attack that allows unauthorized access to usernames and/or emails with corresponding passwords. 

To identify phishes, Plaggemier said to look for things such as spoofed sender addresses that may be off by a letter or two; misspelled words and bad grammar; strange URLs; the use of scare tactics; buzzwords such as cool job offers and last but not least, use your own senses. If you feel something isn’t right, you’re probably correct. 

With smishing, the cybercriminal uses text or SMS messaging to try and trick people into giving out private information while vishing uses the phone via a call. 

To protect yourself and your organization against phishing, smishing and vishing, consider the following: 

  • Enable strong authentication.
  • Think before you share personal information. 
  • Never give personal information over the phone. 
  • Use unique and the longest passphrases possible as passwords
  • Keep your computer system and smartphone’s software updated. 
  • Only download apps from trusted sources. 
  • Train employees. 
  • Establish, maintain, use and enforce policies and procedures. 
  • Report all phishing incidents to DHS Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission

For more information on how small and medium-sized businesses can be safer and more secure online, visit National Cyber Security Alliance’s national program, CyberSecure My Business, which consists of in-person, interactive workshops, monthly webinars, an online portal of resources and monthly newsletters that summarize the latest cybersecurity news.

Cyber:Secured Forum 2019 rehash

A discussion about connecting cyber and physical security
 - 
09/04/2019

DALLAS—About a month ago, Cyber:Secured Forum made its way to the Lone Star state and now with the pumpkin spice latte (PSL) trend well on its way in early September, it’s time to grab one and reflect on cyber and physical security.

State of the access control market, part I

Current physical access control (PAC) trends shaping the security industry
 - 
08/20/2019

YARMOUTH, Maine—The concept of access control is simple — to allow or restrict people, animals or things from gaining access to a particular space.

The first-ever Cybersecurity Women of the Year Awards

Infosec industry comes together to recognize innovators and leaders
 - 
08/01/2019

ROSEVILLE, Calif.—An influencer, a hacker, a top legal mind and a “barrier breaker” … sounds like the start of a very interesting joke or riddle, doesn’t?

Artificial Intelligence (AI) necessary to respond to cyberattacks

 - 
Wednesday, July 24, 2019

Being born in the late 70s, it’s been amazing to watch the evolution of computers, the Internet, cyber and the like. I remember sitting in my junior high computer class—7th grade, I believe. Working with Basic on an Apple 2e, I created white coding on a black screen that made a man (stick figure) jump, dance and run when the user got the correct answer to the math problem presented on the screen. That, my friends, was high tech! 

Now, the graphics are realistic and some even interact with voice; data is being produced and shared at the rate of zettabytes; and computers are turning into machine learners, all of which is absolutely amazing but at the same time scary as bad people have turned it into a free-for-all of mass hacking that is detrimental to people and society. 

Human security experts work tirelessly each and every day to keep people like you and me, and the world safe; however, being human, they have their limits. For example, cybersecurity involves repetitiveness and tediousness, scouring through big data to identify anomalous data points; long, exhausting hours of data analysis; and relentlessly monitoring data going in and out of enterprise networks. Enter the age of artificial intelligence (AI) penetrating into the cyber realm in terms of security, obviously known collectively as cybersecurity. Working along-side humans, AI can complement cybersecurity by performing the repetitive, tedious tasks; it can be trained to take predefined steps against attacks and learn the most ideal responses going forward; and AI is fast and accurate with data analysis. This enables and empowers human security experts to use their talents and skills on other projects to further enhance cybersecurity. 

Capgemini, a global leader in consulting, technology services and digital transformation, recently published “Reinventing Cybersecurity with Artificial Intelligence Report,” finding 61 percent of enterprises said they cannot detect breach attempts today without the use of AI technologies. That’s over half of the 850 senior executives surveyed from IT information security, cybersecurity and IT operations in seven sectors across 10 countries. And if that’s not eye-opening enough, check out these findings: 

  • 69 percent believe AI will be necessary to respond to cyberattacks; 
  • 73 percent are testing AI use cases for cybersecurity; 
  • 64 percent said AI lowers the cost and reduces overall time taken to detect and respond to breaches by 12 percent; and
  • 56 percent said their cybersecurity analysts are overwhelmed and approximately 23 percent are not able to successfully investigate all identified incidents. 

With numbers like these, it’s easy to see AI and machine learning are essential to cybersecurity now and into the future. So, here at SSN, we’ve taken a huge step to bring you the latest and greats cybersecurity news with the addition of a “cybersecurity” tab on our website. Yep, that’s right … a whole section dedicated to all things cybersecurity!

To get a taste of our cybersecurity content check out the articles “Federal government aims to modernize physical security practices” and “Data forensics: time is of the essence,” and as always, we value your feedback. 

 

 

Cybersecurity on tap at SSN

 - 
Friday, July 19, 2019

For the past few years here at SSN we have been paying more and more attention to cybersecurity and its role within physical security, looking at it from as many different security perspectives as possible — end user, consultant, specifier, commercial integrator, supplier — you name it and we’ve probably written about it!

With cybersecurity playing such a prominent role in physical security today, we have added a section on our site that is completely devoted to our cybersecurity coverage. The convergence of physical and IT security is happening, and what better place to stay up to date on the latest happenings in the cybersecurity space than right here at SSN.

Some of our recent cyber-related stories include a great piece from SSN Contributing Editor Lilly Chapa, who attended the recent SIAGovSummit, about how the federal government aims to modernize physical security practices. As she points out, government agencies intend to evolve their security approach to address changing technology, threats and budgets, including working closer with cybersecurity and IT professionals.

Another interesting story worth checking out is by SSN Managing Editor Ginger Schlueter, who spoke with Cyber Criminologist Dr. Peter Stephenson about the art of data forensics.

Plus, she will be attending Cyber:Secured Summit at The Westin Dallas Park Central, July 29-31, and providing full coverage of the event here on the site as well, which you can find by just clicking on the Cybersecurity tab at the top of the site.

Dive right in here.

Pages