“In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it will be enforced.” The result: the General Data Protection Regulation, otherwise known as GDPR. At its core, it is a law that gives people in the European Union more control over their personal data. It requires companies to tell users how their personal data is used and to have a lawful basis (often the user’s consent) for processing it, whether that data is a photo, a name, an address or a credit card number. Personal data also includes identifiers such as IP addresses, genetic data and biometric data.
In this month’s Security Newsletter, we will take a look at some of the positive outcomes of the new law, and some of the new challenges facing the information security world.
First, the positive.
Improves Customer Trust
When customers feel that their information is protected, they stay loyal to a business. Picture Company A and Company B, who sell similar products. Company A complies with the GDPR: it keeps only the data it needs, protects it, and can show what it does with it. Company B has no security standards and is far more susceptible to breaches. Compliance does not make a breach impossible, but it limits what an attacker can take and how badly customers are hurt when one happens. In a world where technology affects our everyday lives, customers are more aware of the security standards held by their product owners. Think of the GDPR as a competitive edge for your business.
Complying with the GDPR means that your company is required to report a breach of personal data to the supervisory authority within 72 hours of becoming aware of it, and to notify the affected users without undue delay when the breach puts them at high risk. That is a giant step in a positive direction for customers. In a Yahoo breach disclosed in 2016, 500 million users had usernames, email addresses, dates of birth and hashed passwords stolen. The breach itself had happened about two years earlier, and users were left in the dark for that time while the company protected its reputation. The GDPR now requires businesses to be transparent by notifying users of breaches within the appropriate time period.
And now, the challenges.
A consumer may not feel this challenge directly, but for a business it is a major concern. Fines for not complying with the GDPR can be severe: up to €20 million or 4% of worldwide annual turnover, whichever is higher. On the first day the regulation took effect, complaints were filed against Google and Facebook seeking up to $9.3 billion in fines. More detail on the fine parameters can be found at the following link: https://www.gdpreu.org/compliance/fines-and-penalties/ (1)
If you are an international business with a third-party cloud service located in the UK, for example, you are now also required to comply with the GDPR. “The GDPR won’t just affect companies based in the EU, despite the fact it concerns the data of EU citizens. Any business handling the data of EU citizens – whether customers, employees or other stakeholders – must comply, no matter where the business is located.” This is a new challenge for global businesses, who may need to restructure their policies in other locations.
It is important for businesses and consumers to understand that the GDPR is not just another regulatory obligation, but a means of aligning business and technology. Now that data and technology drive our digital world, businesses and consumers alike must take a comprehensive approach to information and data management policies within their companies.
Don’t live in the EU but want to know more? Check out this video.
By, Matthew McCaffrey
Data breaches in 2017 reached an all-time high. “On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records. That’s 45% more breaches than 2016.”1 Your company may think it is doing all it can to prevent a breach, but attackers are taking advantage of something you might not be thinking of: a simple password.
Password attacks are one of the most common ways to break into a company and steal its information. So, the next time you roll your eyes at that password creation box that demands letters, numbers and symbols, remember that it is there for your own protection.
There are three common types of password attack. Here is how each one works, and the steps you can take to defend against it.
Brute Force Attack
In a brute force attack, an attacker uses a tool to try password combinations systematically until one works. Metasploit, the world’s most used penetration testing framework, includes login brute-force modules, and dedicated crackers such as Hydra (against live login pages) and John the Ripper or hashcat (offline, against stolen password hashes) are built for exactly this job. Tools such as Netsparker, Acunetix, Wireshark and w3af belong to the same penetration-testing toolbox but are web scanners and a packet analyzer, not password crackers. The attack succeeds or fails on the size of the search space: every extra character multiplies the number of combinations by the size of the alphabet, so a short password falls quickly and a long one does not.
Resolution: One of the simplest ways to blunt an online brute force attack is an account lockout policy. When a user enters an incorrect password more than a specified number of times, the account is locked, either for a period of time or until an administrator takes action, so the attacker cannot cycle through enough combinations to reach the correct password. Two caveats apply. Lockout lets an attacker lock legitimate users out on purpose, so a temporary lock or a progressive delay is usually preferable to a permanent one. And lockout does nothing against offline cracking of stolen password hashes; there, only password length and a slow hash (bcrypt, scrypt, PBKDF2 or Argon2) help.
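The lockout policy described above, as an added example that is not part of the original newsletter: a small login guard with a per-account failure counter and a timed lock. It shows both the benefit (the attacker’s guesses stop being checked after the threshold) and the side effect (the real user is locked out too until the window expires). The user name, stored credential, guess list and policy limits are all constructed for the demo; the hashing uses PBKDF2 from the Python standard library.

```python
"""Added example (not from the newsletter): an online brute-force guard.

Simulates an account-lockout policy and its main side effect: once the
threshold is reached the legitimate user is locked out as well, so an
attacker can turn the policy into a denial of service against that account.
All names, limits and the stored credential are assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute temporary lock


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Per-account failure counter with a time-based lockout."""

    def __init__(self, users: dict[str, tuple[bytes, bytes]], clock=time.monotonic):
        self.users = users          # username -> (salt, digest)
        self.clock = clock          # injectable clock so the demo can skip ahead
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username, 0.0)
        if until and self.clock() < until:
            return True
        if until:                   # lock expired: clear the counters
            del self.locked_until[username]
            self.failures.pop(username, None)
        return False

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'locked' or 'unknown_user'."""
        if username not in self.users:
            return "unknown_user"
        if self.is_locked(username):
            return "locked"         # guess is rejected without being checked
        salt, stored = self.users[username]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
        return "bad_password"


def simulate() -> dict[str, object]:
    """Attacker cycles guesses; then the real user tries the right password."""
    now = [0.0]
    clock = lambda: now[0]
    users = {"alice": hash_password("correct horse battery staple")}  # constructed user
    guard = LoginGuard(users, clock)

    # constructed guess list; the attacker never reaches the right password
    guesses = ["password", "123456", "qwerty", "letmein", "alice1", "Password1", "welcome"]
    results = [guard.login("alice", g) for g in guesses]
    attempts_processed = results.count("bad_password")   # guesses actually hashed and compared

    user_while_locked = guard.login("alice", "correct horse battery staple")  # collateral damage
    now[0] += LOCKOUT_SECONDS + 1                          # wait out the temporary lock
    user_after_lock = guard.login("alice", "correct horse battery staple")
    return {
        "attempts_processed": attempts_processed,
        "user_while_locked": user_while_locked,
        "user_after_lock": user_after_lock,
    }


if __name__ == "__main__":
    print(simulate())
```

Only the first five guesses are ever checked; the rest, and the real user’s correct password, are refused until the lock expires. A production guard would also throttle by source address and log the lock event so the lockout itself becomes a detection signal.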
Keylogger Attack
In this type of attack, an attacker uses a program that records every keystroke the user types, passwords included. It is a more involved tactic because it requires malware to be installed on the victim’s machine, and it is one reason hardware tokens such as RSA SecurID have become common in businesses. A SecurID token displays a code that changes every minute; combined with the user’s PIN it provides a second authentication factor, so a password captured by a keylogger is not enough on its own to log in.
Resolution: Install anti-spyware and antivirus software, such as TotalAV, ScanGuard and PCProtect, because it acts as the first line of defense with the least effort from your business’s IT administration. Antivirus is not a complete defense, though: keep systems patched, restrict what users can install, and require a second factor so that a captured password is useless by itself.
Dictionary Attack
In a dictionary attack, an attacker uses a script to try a list of likely passwords: real words, names, and common choices such as Password123, usually with simple variations such as capitalizing the first letter or appending digits and a symbol. It succeeds so often because most users pick short, predictable passwords. The difference from brute force is in the candidates tried: a brute force attack enumerates every possible combination of characters, while a dictionary attack tries only the words and variants people are likely to choose, so it needs far fewer guesses when the password is predictable and fails outright when it is not.
Resolution: The easiest fix is to strengthen the password itself. Many sites require 8-12 characters including an upper case letter, a lower case letter, a number and a special character such as @#$%!. Composition rules alone are not enough: Password123! satisfies them and still appears in every cracking wordlist. Length matters far more, and current NIST guidance (SP 800-63B) favors long passphrases that are checked against lists of known-breached passwords over mandatory character classes. Even if a site does not require it, we recommend a long, unique password anyway.
Now that you are more aware of the different types of password attacks, you can understand how a long, unique password can prevent a major breach of your company’s information.
We understand the difficulty of tracking all the usernames and passwords you create for the sites you use regularly, so we recommend using a password manager, such as LastPass, which stores your credentials encrypted in its “vault.” But don’t forget: give that program a strong master password, too, and turn on two-factor authentication for it if offered.
By, Matthew McCaffrey
Spring has sprung and now it’s time for the dreaded, but ultimately satisfying, spring cleaning. Most chores are often put off or forgotten, but we’re here to help. Wash windows? Check. Dust shelves? Check. Clear data and reset passwords? Oh, good idea! Refreshing the well-being of your data could help prevent major headaches down the road, simply by following these steps:
“Before you delete the software, clean out and close your account with the company so it retains the smallest amount of data possible about you.”1 Be sure to review the app’s Terms of Service regarding data handling procedures. When you close an account, some of your basic data may still remain, but taking these steps will keep the account from staying active and potentially continuing to collect data.
Check browser settings and clear out old data such as saved passwords and autofill information. Also delete any unused browsers, and clear the cookies of your primary browser.
“Anything that has the ability to store information can retain that information even after you have deleted it, including ones that aren’t obvious, such as phones, wearables, networking equipment, copiers, printers and fax machines.”2 These devices should be handled as if they were credit cards. A factory reset is not always a secure erase: on a phone or laptop whose storage was encrypted, the reset discards the encryption key and the old data becomes unrecoverable, but an unencrypted drive should be overwritten with a wiping tool or physically destroyed. You can easily find guides on the internet about how to securely get rid of your device; YouTube is a great resource for things of this nature.
There are electronic recycling events in several communities where you can bring your old devices and recycle or donate them. For Bergen County, NJ residents, the link below shows what devices are accepted and the locations for recycling.
Reset your passwords and have a “password purge,” so that you are not still using the same one after years on an account that never prompts you to change it. Pay special attention to any password you reuse or that may have appeared in a breach. Avoid using the same password for multiple accounts: if you use one password for everything and someone gets hold of it, they gain access to everything else, too.
These four steps are easy to do and beneficial to the security of your information and devices. So, as you dust off your desk for spring cleaning, dust off your data, too!
By: Matthew McCaffrey
As the sun stays out later and the snow melts away, people are breaking out of hibernation. We no longer act as shut-ins on the weekends, hiding from the blistering cold of winter. Instead, we celebrate by shutting down the laptops and TVs and going outside! Since no one can stay away from being connected and sharing their “Rosé all day” social media posts and pictures with friends at a BBQ, we take our phones with us; after all, they’re called mobile phones! The convenience of mobile phones is great, but, just like computers, they can put your data at risk. If you are out of the house and urgently need to connect to the internet (and maybe you are running out of your monthly data), you are more likely to join a suspicious Wi-Fi network. Phones are essentially computers, which means they are also vulnerable to things such as network spoofing, spyware and phishing. Fun fact: today’s smartphones have more computing power than the computers NASA used to send Neil Armstrong to the moon. Crazy!
Here are some tips to protect your mobile data:
Luckily, iPhones encrypt their storage as part of the operating system (OS), but that protection only counts for something if the user sets a passcode (which we highly recommend), because the encryption keys are derived from it. Recent Android versions also encrypt storage by default; for other devices, the built-in encryption methods are commonly demonstrated in YouTube videos1 if the user struggles to enable the feature.
A lot of people don’t even know their smartphones can update. Apple is very upfront about update notifications, prompting you repeatedly until you install it. Other companies are a little more relaxed, which is not ideal for security. Look up the current software version for your model, make sure your phone is running it, and turn on automatic updates where the option exists.
Would you download apps from a website you have never heard of on your computer at work? We would hope not. So, would you do this on your personal mobile computer, AKA your smartphone? We hope you wouldn’t. Stick to the official app store for your platform, and think twice and do research before downloading applications, to avoid installing malicious software.
By: Matthew McCaffrey
As the year moves on, cybercrime continues to grow as predicted. Last month, CNN reported that United States authorities charged 36 people responsible for more than $530 million in cyber-related losses.1 Even though action is taken to deter it, the cost of cybercrime is projected to reach $2 trillion by 2019, according to Forbes.2 And as cybercrime demands more dollars, cryptocurrency, the currency in which much of it is paid, continues to grow as well.
Though the value of cryptocurrency has decreased in recent weeks, the potential for another upward burst in value is still looming. With that in mind, there has been a steady increase in the demand for cybercrime as a service. “Things like malware-as-a-service, ransomware-as-a-service, distributed denial of service-as-a-service and phishing-as-a-service are becoming commonplace items that can be purchased or rented online. Technology that steals passwords is just a couple of clicks away for a wannabe hacker. Not only are they available, they’re updated regularly and supported. There’s an entire ecosystem built around these products, much as you’d see around conventional software that you’d run on your laptop.” 3
As cybercrime-as-a-service gains traction, we notice that it is targeting small to mid-size businesses. The biggest reason is that budget restrictions leave them unable to pay for proper cyber protection. Cybercriminals are aware of this and are always looking for innovative ways to obtain information, so weak protective measures make these businesses more attractive targets. Businesses that cannot afford commercial protection should look for other ways to reduce their risk. ITWeb provides some cost-effective suggestions for doing so:
An increasing amount of research is being done on Artificial Intelligence (AI) algorithms, and machine learning is advancing faster than ever before. As AI becomes more popular, it may be able to give IT professionals the help they need to compensate for understaffing, and we can also hope it will help with the rapid influx of cybercrime. Compared to other types of crime, cybercrime has changed and grown significantly in a short time, especially considering how new it is. So can AI help?
Infosecurity Magazine references Simon Crosby, Co-founder and CTO at Bromium, who says that “ML [Machine Learning] makes it easier to respond to cybersecurity risks. New generations of malware and cyber-attacks can be difficult to detect with conventional cybersecurity protocols.”1
These systems can use data from previous attacks to recognize and respond to newer, similar ones. This use of AI may reduce the routine workload on the cybersecurity professionals on staff, but it will not reduce the need for cybersecurity.
Joerg Sieber, Director of Product Marketing Performance at Palo Alto Networks, says in BizTech, “Staff members may also have an inherent ‘distrust in technology.’… The feeling that automated technology will overlook threats or overblock the employees in our organizations is another very powerful, yet emotional argument against automation.”2
So while there is still going to be skepticism surrounding AI, “automation can cut duplicative processes, bring cohesiveness and consistency to cybersecurity responses, compensate for fatigue among IT security staff members and harmonize cybersecurity data.”2 Our hope is that AI and human cooperation may finally be able to team up and find a way to slow down the $445 billion cybercrime industry.
It’s a new year and time for new resolutions! Whether you have a cliché, traditional resolution like deciding to cut out caffeine or something totally original like trying a new food each month, think of one that can not only improve your own life, but also the lives of everyone around you. We encourage you to come up with a work resolution in addition to your personal one!
One suggestion we have is to become informed and proactive about preventing ransomware attacks. Imagine this: You have been working for what feels like months on a project. You are almost 90% done when you try to log on to your computer and see a ransomware message demanding $10,000 to get your files back. Uh-oh! You did not back up your project! Now you are stuck without all your hard work, and the deadline is approaching. Unfortunately, the situation occurred because one of your co-workers opened a malicious email attachment. This is called “phishing,” and it happens every day to people all over the world. Regular backups kept offline or off the network are the single best protection against ransomware, because they let you restore without paying. This year, make your work-related resolution to get informed and help prevent your company from being impacted by these types of attacks.
The holiday season is packed with wonderful activities: Ice skating, snowboarding, gift shopping (although not always wonderful), and spending time with family and friends; just to name a few. And as the good times advance, so does technology, and using it to perform these activities has become more and more common. (Think buying your lift tickets online ahead of time and taking selfies as you traverse the mountain.)
One of the more common gift selections during the holiday season is electronics. Electronics are fantastic at making every day tasks much more efficient and make life easier. Roomba vacuums are a prime example of this. Who wouldn’t want to come home to a clean floor after being away for a weekend without lifting a finger?
However, technology has its downsides, too. The security issue this holiday season may not be the user, as it has been in years past; it may be the developer’s fault. Companies sometimes discover security flaws after they release a product, and the buyer is unaware. Also, if a product sits on a warehouse shelf for a few months before being purchased, it may have missed a critical update!
Companies often release product updates in order to increase security. Have you ever gotten an update request on your computer, or had your phone ask you to upgrade, and clicked “Remind Me Later” because you just don’t have time for that? More often than not, security fixes are bundled into these updates. Apple is rather famous for shipping them soon after a release. So, to protect your information this holiday season: Update! Update! Update! If you get a gift that suggests you update the software, do it. The more current your software, the more likely you are to be secure and to enjoy your experience with your new device!
November is when many Americans are excited about an extra hour of sleep as daylight saving time ends, and look forward to the holidays and all the shopping! We have Black Friday and Cyber Monday, which from a shopping standpoint is great, but we need to be cautious from a cybersecurity standpoint. Many shoppers don’t realize how dangerous these holidays can be. They draw the attention of cyber criminals, so if you plan to partake in today’s Cyber Monday shopping, please be aware of your cybersecurity as you shop on your computer and on your phone.
You think, “What could spoil my Thanksgiving vacation?” Hackers. Cyber criminals are licking their lips at breaching companies during this ravenous shopping spree and are excited to see what they can gain from users. The user is often the weakest link in the world of cybersecurity.
In addition to shoppers, employers can also be affected. The Thanksgiving break is a time for employees to get out of the office and enjoy family, food and football. They also often neglect their emails. But the employees who are checking email and doing other business-related tasks can be hurting their employer if they are not careful.
So, what are some ways to keep you and your company safe while shopping and checking emails?
The first way is to make sure all your devices have passcodes. If you are walking around without a passcode on an iPhone X in 2017, you may be in for a rude awakening. You could forget your phone on a table at a coffee shop, and by the time you come back your phone is swiped and wiped, or even worse, confidential documents in your shared drive are now available to whoever was bold enough to take your phone.
The second way is to be aware of “shoulder surfing.” Have you ever taken a peek at a stranger’s phone while sitting on the subway or waiting in line for coffee and seen something you probably shouldn’t have? If so, you have just shoulder surfed. It is one of the simplest and most effective methods cyber criminals use to obtain confidential data, and it needs no malware at all. Be aware of what you are using your phone for, as well as who is around you while you enter passcodes and credit card information.
The final security awareness tip is to steer clear of “Free WiFi,” especially with a device that holds your company’s information. “Free WiFi” is like seeing “Free Candy.” Is a free candy bar great? Sure, but is it safe? That question should be asked in cyber space, too. Free WiFi sounds great, but is it worth a potential breach? If you must connect, use your phone’s cellular hotspot or a VPN, and make sure any site you log into is using HTTPS. Better yet, put the device down until you get home, and enjoy some face time with friends and family instead!