Tag: cybersecurity

Posted on

Strong Passwords and MFA : It’s All About the Bots

Robbie the Robot from movie Forbidden Planet

You may have noticed that more online services are requiring strong passwords – cryptic phrases or letter combinations along with symbols and numbers – and Multi-Factor Authentication (MFA). The goal is to keep services more secure than a simple password allows.

These service providers have recognized that their services are far more secure when the user has to prove they are who they are, and prove it in more than one way. A password plus a special code texted to your phone, or maybe an email to your backup email account are examples of MFA. This means that the password alone isn’t good enough to gain access; the user must satisfy an additional challenge to confirm their identity.

Why is this additional level of account security a good idea? BOTS, that’s why.

A bot is a software application that is programmed to do certain tasks. Bots are automated, which means they run according to their instructions without a human user needing to start them up. Bots often imitate or replace a human user’s behavior. https://www.cloudflare.com/learning/bots/what-is-a-bot/

Bot (like roBOT) does what you tell it. Give it instructions and it runs. Give it some rules to follow and actions to perform when certain conditions are met and off it goes.

The problem with bots is that not just the good guys use them. Bad guys use them… a lot.

Bots can send emails, engage in chats and help you reset your password. They can also carry out cyberattacks at a pace that no human could match. Bots will search for public IP addresses, they’ll pummel an address with intrusion attempts and logins and may keep trying until they’re either successful or they give up. Bots are very good at brute force, because they have all the patience they need. It’s software, so it doesn’t get tired or bored and it can be programmed to not give up.

This is among the reasons for Noobeh’s strict password policy and why we strongly recommend our clients don’t store their passwords to make connecting to the service faster and simpler. Fast and simple is good but not where security is concerned. Our goal is to not only keep your applications and data available for anytime/anywhere access, we want to keep your cloud environment secure and as safe as possible.

Contact us today to get the cloud hosting platform your business needs, along with the privacy and security features the Microsoft Azure platform can provide. Keeping your systems secure isn’t just about keeping your secret password a secret. It’s about putting in place the best methods possible to ensure that your account doesn’t get compromised because a bot guessed your pet’s name.

Make Sense?

J

Posted on

The nasty surprises hackers have in store for us in 2018

“Hackers are constantly finding new targets and refining the tools they use to break through cyberdefenses. The following are some significant threats to look out for this year.

More huge data breaches

The cyberattack on the Equifax credit reporting agency in 2017, which led to the theft of Social Security numbers, birth dates, and other data on almost half the U.S. population, was a stark reminder that hackers are thinking big when it comes to targets. ..

Ransomware in the cloud

… The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack. But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved.

The weaponization of AI

This year will see the emergence of an AI-driven arms race. Security firms and researchers have been using machine-learning models, neural networks, and other AI technologies for a while to better anticipate attacks, and to spot ones already under way. It’s highly likely that hackers are adopting the same technology to strike back…”

Source: The nasty surprises hackers have in store for us in 2018

Posted on

Securing Business Data When Mobility is the Target

driving1-ANIMATIONToday’s workforce is a mobile workforce. Technology has enabled businesses to allow their employees to reach beyond the office walls, doing business and operating effectively from just about any location.  SaaS, online access to business data, and smart phone technologies have brought flexibility in working models previously only imagined by the workforce tethered to business locations and office computers. Yet this flexibility comes at a price if the business is to keep up with securing and protecting data assets as readily as it extends access to them.  The bad guys are well aware that mobile computing and remote access working models are growing in adoption with businesses, and are finding ways to take ever-greater advantage of the situation.

Teleworking, which is not quite the same thing as telecommuting, is on the rise and it doesn’t look to be a trend that will slow down any time soon. According to GlobalWorkplaceanalytics.com, “telework is defined as the substitution of technology for travel”.  Those who work sometimes from an office, but sometimes not, are teleworkers. Working at the office during the day and then taking work home at night makes you a teleworker. The primary tool of the teleworkforce is the smart phone – the mobile computer with built-in connectivity and enough processing power to handle many basic office workloads.

  • 50% of the US workforce holds a job that is compatible with at least partial telework and approximately 20-25% of the workforce teleworks at some frequency
  • 80% to 90% of the US workforce says they would like to telework at least part-time. Two to three days a week seems to be the sweet spot that allows for a balance of concentrative work (at home) and collaborative work (at the office).
  • Fortune 1000 companies around the globe are entirely revamping their space around the fact that employees are already mobile. Studies repeatedly show they are not at their desk 50-60% of the time.  http://globalworkplaceanalytics.com/telecommuting-statistics

The number of teleworking employees is on the rise, and so is the variety of devices used to facilitate mobile working.  Smartphones, tablets and phablets and, of course, laptop computers are used by mobile workers – often in addition to the company-supplied desktop in the office. The variety and number of computing devices per user is growing. Knowing this, businesses must take increasingly expansive steps to strengthen and secure remote access systems and business data, yet many organizations are just beginning to fully realize that the mobility they extend to their users is part of the reason for the increasing number of data breaches and attacks against business information systems.

Cybercriminals and their crafty programs are often able to steal important information or access a network by first infecting computers and devices used for telework.  Many of the devices available to the attackers are not company-owned, but are introduced to the system by contractors, vendors and employees (BYOD or bring-your-own-device users).

Even if the device isn’t a vehicle delivering a nasty payload into the network, data breaches may still occur when business information is stored on an improperly secured device. Most people who work with computers have some recognition of the potential for virus attacks and malware, but far fewer recognize the threat potential of attacks against mobile devices such as phones and tablets, and even fewer may implement meaningful protections on those devices.

“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” said Murugiah Souppaya, a NIST computer scientist. [1]

Providing guidance and information to the public on such topics, NIST (National Institute of Standards and Technology) is revising its publications on telework to cover growing use of BYOD and how contractor and vendor devices are increasingly used to access company information resources.  Two new publications – one for organizations and one for users – are now available for review and comment.  You can find them here.

“As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.”  [NIST Information Technology Laboratory Mission]

The rising number of threats, attacks and breaches caused by compromised devices used for teleworking is nothing to take lightly, and protecting against them shouldn’t be approached as a merely perfunctory obligation. Organizations must create and consistently update policies and requirements relating to protecting information accessible by remote workers if they intend to reduce business risk and provide assurances to stakeholders and customers that the information is adequately guarded.  But it doesn’t stop with the policy; businesses must also make an effort to properly educate their users (employees, contractors, vendors, etc.) on those policies, ensuring that all parties involved understand the responsibilities and requirements and strictly adhere to them.

jmbunnyfeetMake Sense?

J

[1] http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm
Posted on

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information

SEC Watchful Eyes Focus On Cybersecurity and Protecting Personal Information  #cybersecurity BehindBars

Information privacy used to be a fairly simple thing.   Systems – what systems there were – weren’t so interconnected and information wasn’t so easy to share with thousands (millions) of people all over the world.  Security used to come down to gaining physical access to the information, which was usually on paper.  If you couldn’t get to the paper, you couldn’t get to the information. Yet those very analog days are long gone, and most of us have come to recognize that our personal information assets are no longer so tangible that we can touch them and feel them and keep them secured safely in the lockbox in the closet. What’s disturbing about the landscape of security in the cyber-world is that it is risky to trust not just the systems but the users – including the folks you want and need to trust – with your personal information.  It isn’t that you can’t trust anyone these days.  You just can’t trust that everyone is taking the precautions necessary to protect YOUR information.  You need to be sure.

Trust has always been an essential element in business and finances, and in every business relationship there is some element of it present. The prudent customer performs necessary due diligence before entering into any business arrangement, but there are often factors taken for granted in the review; factors which are overlooked or remain unconsidered, often due to an essential level of trust which  is placed with the other party. This is among the issues identified by the SEC as it relates to broker/dealers and their recognition of the importance of securing their clients personal information.  Yet recognition of the risk and responsibility isn’t always enough, especially with the number and makeup of bad actors out there. As the threat landscape changes, so must the approaches and technologies used to protect information from those threats.

Consumers place a high level of trust with their financial advisors and generally provide them with a great deal of personal information, and the broker-dealers and advisors generally recognize the importance of protecting the personal information they are entrusted with.  The problem is that these entities too often approach the problem of information security and protection as something with static and unchanging requirements. Compliance in establishing a baseline of protection is met.  A lack of ongoing diligence required to adjust to new threats and changing conditions… not so much. According to a summary report on the subject issued by the SEC in February 2015, the “vast majority” of examined broker-dealers and advisors have adopted written information security policies, yet the report goes on to discuss additional measures and constant reviews which should be applied to better guard the personal information of consumers.

Most of the examined firms reported that they have been the subject of a cyber-related incident.  A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors.  The majority of the cyber-related incidents are related to malware and fraudulent emails.

National Exam Program Risk Alert issued By the Office of Compliance Inspections and Examinations (“OCIE”); Volume IV, Issue 4 February 3, 2015

Among the agencies placing focus on the issues of cybersecurity and personal information protection is the SEC.  Within the SEC (Securities and Exchange Commission) is an office called the Office of Compliance Inspections and Examinations (OCIE).  The OCIE exists to “protect investors through administering the SEC’s nationwide examination and inspection program”.  Registered entities examined by this office (in Washington, DC and the Commission’s 11 regional offices) include broker-dealers, transfer agents, investment advisers, investment companies, municipal advisors, the various national securities exchanges, clearing agencies, and certain self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) and the Public Company Accounting Oversight Board (PCAOB).

In February 2015, OCIE published a summary of observations of the findings from a SEC-sponsored Cybersecurity Roundtable which included SEC Commissioners and staff as well as industry representatives.  The roundtable discussion, held in March 2014, focused on the important part cybersecurity plays in preserving the integrity of the market system and protecting customer data.  On the heels of the roundtable came a Risk Alert published by OCIE, in which it announced a series of examinations and tests aimed at the identification of cybersecurity risks and assessing the preparedness of the securities industry to meet the challenge.  After all, federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.

Paperless_468x80

The watchful eyes of the SEC are looking directly at broker-dealers and advisers, bringing additional attention to messaging about the requirement for these entities to protect consumer personal information.  The message is more likely to be heard when it includes the threat of censure and big fine. In September 2015 the SEC charged an “investment adviser with failing to adopt proper cybersecurity policies and procedures prior to a breach”.  According to the SEC release, the firm “failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.”  Also in September, the OCIE communicated another Risk Alert notifying of their intent to focus on cybersecurity compliance and controls, including information about the next round of examinations which will include more testing to evaluate firms’ implementations of procedures and controls around information protection and cybersecurity.

Gathering information on information security and privacy practices is not always easily accomplished for the SEC OCIE.  FinCin (US Dept of the Treasury Financial Crimes Enforcement Network), on the other hand, seems to get more reports of breaches from broker-dealers than does OCIE.  Maybe it is due to the advisor wanting to take more the role of the victim rather than admittance of culpability in any way, but the OCIE reports that roughly 65% of broker-dealers that acknowledged receiving fraudulent emails, for example, reported them to FinCen, yet perhaps 7% or fewer actually reported the information to law enforcement or other regulatory agencies.  It is the public report of the breach which gets the attention, and which continues to spur the efforts within the OCIE.

Public reports of cybersecurity breaches occur with too much frequency.  Sadly many of these events are due to failures or weaknesses in basic controls – failures which might have been identified if testing and review of basic processes, systems and controls was part of regular procedure.  With some of the largest data breaches possibly resulting from hacking of 3rd party vendor systems and platforms, review and assessment of vendors and suppliers must also be folded into the realm of consideration.  Failure to protect personal information of consumers and clients is risk to not just the firm or the client, but also to the entire market.  Risk reduction and management is among the focus areas for OCIE, a charter which supports the recent creation of the Office of Risk and Strategy, and which recognizes the challenge in gaining the information necessary to effectively inform the SEC and the market on cybersecurity issues.

jmbunnyfeetMake Sense?

J