Information technology

The Key to Cybersecurity? Level Up on Resistance

(TNS) — The first step in protecting a business from cybersecurity attacks is educating employees because nearly all breaches result from a worker clicking on a phishing email or an inappropriate website, Information Technology experts said Thursday.
“Ninety to 95 percent of it is through employees,” said David DeArmond, owner of Strix Louisiana, a business productivity and IT services firm.
Brandon Reeves, CEO of EtherMon LLC, an IT cybersecurity services firm, was the other.
Businesses can protect themselves by securing their networks with some sort of firewall, monitoring information flowing into and out of the network; installing anti-virus software on computers and smartphones; and backing up data.
DeArmond said the typical system backs up data every 30 minutes, so if there is a ransomware attack — malicious software that blocks a user’s access to data until a payment is made — a business loses very little of its data.
Bad guys are looking for the path of least resistance.
However, small businesses as a group are a huge target, DeArmond said.
They don’t have controls in place or spend much on security, so they don’t offer much in the way of resistance.
An EtherMon employee posed as a FedEx worker delivering a package to a hospital senior executive.
Google is helping people with “free” services, but Google gets the right to users’ data.

10 Information Security Blogs You Should Be Reading

This is our collection of important and informative InfoSec blogs from the industry’s top leaders.
With hundreds of informative security blogs on the internet, it’s hard to pick out the respected thought leaders, the opinion makers and the highly regarded blogs.
These blogs provide a respectable plunge into the industry’s leading information security topics.
DARKReading is an informative community that asks important security questions, has detailed tech debates and presents comprehensive insights into leading topics.
Dan Kaminsky’s Blog: Are you interested in a thought-driven security information blog?
Read informative insights from one of the industry’s leading experts.
Three posts we like from Dan Kaminsky’s Blog:
4. Graham Cluley: With a career starting in the early 1990s, Graham Cluley is an industry thought leader in the computer security industry.
Three posts we like from Isaac Kohen’s blog:
If you’re looking to dive deep into the information security realm, these ten blogs will give you effective insight into becoming an industry expert.

Cybersecurity for Family Offices: Q&A with the director of the Global Family Office Group at Citi Private Bank

The white paper surveyed information security experts in and outside of Citi to provide a comprehensive guide on a topic of high interest to Family Offices.
The author of the report, Edward Marshall, director, Global Family Office Group at Citi Private Bank, said, “As seen in recent news, the number of cyberattacks perpetrated against nations, corporations and individuals is increasing at a rapid pace.
One of the most pressing issues our clients face now is cybersecurity as Family Offices have more and more become targets of cyberattacks.
We have seen many Family Offices hire external professionals to provide an initial diagnostic of risks and then depending on complexity, FOs will retain those professionals to provide regular checkups.
This year’s leadership program included a panel on cybersecurity for Family Offices.
For the moment, an in-house Family Office CISO position exists only for the largest Family Offices in North America.
This is in juxtaposition to often well-established corporate governance guidelines seen in the companies that generated the wealth for the principal.
3) Underinvestment in critical information technology systems – While the corporations that often create the wealth for a family are well-equipped with information technology staff and updated technology, the Family Office is often deprived of the same treatment because they typically operate as separate corporate entities in locations convenient for the principal and/or access to capital markets.
This attention, whether desired or avoided, could make the Family Office a target.
Cyber technology vendors and security firms/consultancies will find that Family Offices will be interested in keeping informed on cyber threats and on effective cybersecurity solutions.

FAQ on cybersecurity

What is security?
The National Institute of Science & Technology (NIST), USA, defines security as ‘the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.’ Further, NIST defines a threat as ‘any circumstance or event with the potential to adversely impact an organisation’s or a country’s operations by affecting its IT systems, as a result of unauthorised access, disclosure, destruction/modification of information, etc.’ A vulnerability is defined as ‘weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’ Threat agents exploit vulnerabilities to cause incidents.
The recent ransomware (WannaCry) attacks were global and affected companies from across sectors – asking probing questions on cybersecurity maturity.
How have recent technology trends affected security?
Currently, the global cybersecurity market is estimated at ~US$ 80 bn.
The Indian market, on the other hand, estimated at ~US$1.1 bn by various analysts, is expected to grow in double-digit figures in the coming years.
In India, as it is globally, the financial services sector leads spending on cyber security.
The recent ransomware attacks affected hundreds of thousands of organisations globally, including leading organisations in India.
Organisations that followed a rigorous patch management process were far less likely to be impacted by WannaCry.
The new GST information architecture results in the aggregation of data, of both customers and suppliers, outside of enterprise applications. Further, detailed transactions that were limited to ERP systems are now shared with a broader set of stakeholders, consequently exposing sensitive data to potential cyber threats outside the enterprise perimeter.

Canadian Parliament Shuts Down Emails Over Fears Of Hacking

OTTAWA — The House of Commons shut down email and computer network services Sunday over fears hackers might try to break into Canadian parliamentary accounts.
Commons spokeswoman Heather Bradley told HuffPost Canada the Parliamentary email accounts “were temporarily deactivated as part of preventative measures” due to the hacking in the United Kingdom.
On Friday, MPs in Britain and their staff were informed of a “sustained and determined attack” against their networks. “These attempts specifically were trying to gain access to users’ emails,” HuffPost UK reported.
In Canada, a message from the information technology service branch noted the “unscheduled multiple service interruption” occurred from 4 a.m. to noon Sunday and affected: Constituency Connectivity Service (access to internal Hill services)
“Preventative steps were taken to maintain the security of IT services. The IT environment remains secure and the investigation is ongoing,” the note to MPs stated. “All services have returned to normal, but Information Services is continuing to monitor all services affected.”
‘They are targeting political parties’
Earlier this month, Communications Security Establishment chief Greta Bossenmaier told reporters that cyber threats against democratic processes are increasing around the world.

The Girl Scouts are adding a cybersecurity badge

The Girl Scouts, founded in 1912, have long received badges when they mastered certain topics or skills.
The cybersecurity badge will launch in partnership with security firm Palo Alto Networks.
The new badges will become available to participants in kindergarten through 12th grade over the next two years.
Girl Scouts CEO Sylvia Acevedo said the organization surveyed its members to learn which skills they wanted to acquire.
The findings showed a strong desire for technical education.
The Girl Scout cyber-education programs will be designed to encourage girls to pursue a career in the field.
The focus for younger Girl Scouts will include data privacy, cyberbullying and protecting themselves online.
The Girl Scouts program — with more than 1.8 million girls enrolled — could help narrow the gender gap in technical fields by exposing girls to these opportunities earlier.
Cybersecurity workers are in high demand.

Idaho appoints first cybersecurity director

Jeffery Weak will harden the state’s systems and protect citizen data, an effort that officials say “only begins the process” of improving cybersecurity in Idaho.
Butch Otter announced Monday the appointment of Jeffery Weak as the state’s first state director of information security.
Weak, a U.S. Air Force veteran who most recently served as chief of the IT/Cybersecurity Portfolio Management Branch at Air Force headquarters in the Pentagon, will begin as the state’s new cybersecurity lead on Aug. 1.
The new cybersecurity chief is charged with detecting cybersecurity threats to state government’s systems, leading employee training and education efforts, and developing a public outreach program to share information on “how best to protect cyber capabilities and the privacy of Idaho citizens,” according to a release from the governor’s office.
Weak recently retired as a colonel after a 20-year military career that included stints as chief of information security for a strategic NATO base in Germany and for multinational forces deployed in Iraq, according to the governor’s office.
“With his impressive experience and proven leadership abilities, Colonel Weak brings tremendous assets to this new role,” Otter said in a statement.
The appointment fulfills a recommendation of the Idaho Cybersecurity Task Force led by Lt. Governor Brad Little.
This appointment “only begins the process” of hardening the state’s cybersecurity defenses, Little said.

Group Benefits System’s New Release Helps Insurers Streamline Data Integration

The IQX Exchanger lets system administrators easily configure web services with systems and data based on unique requirements. “Our clients now have a powerful tool to streamline data for integration with existing systems, portals, and insurance exchanges,” Marcov said.
New Features Allow Customization
IQX Version 4.8 now includes a Resource Manager.
The Resource Manager allows users to edit drop-down lists found throughout the Global IQX system.
About Global IQX Inc.
Global IQX delivers a web-based, end-to-end software solution for insurance underwriting and sales automation for some of the world’s largest insurance companies.
It provides quoting, rating, proposal generation, enrollment, and automated renewals for insurers that offer employee, group and ancillary benefits.
Developed and delivered by a team with deep group insurance domain expertise, the fully configurable technology platform gives business users more control, with less dependence on IT resources.
World-leading insurers trust Global IQX to power their business.

TCS employee accidentally leaks confidential data on Github, gets roasted

In what’s being called a “monumental common sense failure”, a Kolkata-based developer working at Indian IT service giant Tata Consultancy Services (TCS) inadvertently leaked sensitive banking project data belonging to at least 10 companies on Github.
The breach put sensitive data of American, Canadian and Japanese financial institutions out in the public domain.
Coulls counted six Canadian banks, two well-known American financial organisations, a multinational Japanese bank, and a multibillion-dollar software company among those whose data was leaked.
Coulls roasted the erring employee on his blog.
“I’d suspect that other banks would have been interested in seeing the plans and architectures of their competitors, though” — Coulls
FactorDaily mailed him asking about the severity of the breach, and the possibility of this data being exfiltrated.
“No client confidential material or documents were exposed or made public in this incident” — TCS spokesperson
“The issue related to certain files on Github was brought to TCS’s notice few days ago.
As soon as we were made aware about the existence of certain TCS files, our security team carried out a thorough investigation and has come to the conclusion that the files were TCS material ie draft solution documents being created as part of an intended proposal for clients.
The said site also had some code which was something that the concerned associate was using for his skill development.
He said that Fallible plans to open source the code for Gitleaks soon.

Industroyer – Biggest Threat To Critical Infrastructure Since Stuxnet Discovered

This centralization has meant expanding the reach of the enterprise network into the industrial environment and in doing so exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.
Stop chasing the latest headline-breaking threat and instead, implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise.
This is controlling the power grid.
To begin with, government needs to make more and better investments in technology.
This costs money and government only has so much investment dollars.
The good news is that everything is defensible – but at a cost.
Vastly different costs which will impact the government and citizens separately.
The hackers create a method of hacking, organizations and vendors change their solution to address that vulnerability.