Tuesday, September 19, 2017

GDPR: The Pandora’s Box Is Open for Enterprise Websites

According to this article in Website Magazine, 

"Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union's General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements--customer, partner and employee--held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora's box, there's a slew of GDPR-driven evil emitting from your digital properties."

Here are some books by Paul Lambert that focus on the EU's General Data Protection Regulation:

The Data Protection Officer: Profession, Rules, and Role

Understanding the New European Data Protection Rules

Monday, September 18, 2017

What Businesses Need to Know in the Wake of the Equifax Breach

By Jason Tan, CEO of Sift Science

Online businesses everywhere are going to be dealing with the effects of the recent Equifax breach. It’s a tough truth to swallow, but these large-scale data breaches have become a fact of life – and it’s not just the breached business that pays the price. As fraudsters mine the valuable data that’s been compromised, all e-commerce sites and financial institutions need to be on alert.

Keep an eye out for signs of account takeover.

Last year, 48% of online businesses saw an increase in account takeover (ATO), according to the Sift Science Fraud-Fighting Trends report. And the Equifax breach is likely to exacerbate this trend, potentially flooding the dark web with names, addresses, Social Security numbers, and other personal information that fraudsters can leverage to gain access to a legitimate user’s account. They then make purchases with a stored payment method or drain value from the user’s account.

Some of the signals that could point to an ATO:

  • Login attempts from different devices and locations
  • Switching to older browsers and operating systems
  • Buying more than usual, or higher priced items
  • Changing settings, shipping address, or passwords
  • Multiple failed login attempts
  • Suspicious device configurations, like proxy or VPN setups

Keep in mind that taken individually, each of these signs may be normal behavior for a particular user. It’s only when you apply behavioral analysis on a large scale, looking at all of a user’s activity and all activity of users across the network, that you can accurately detect ATO.

Monitor for fake accounts and synthetic identity fraud.

Fraudsters can also take all of the different pieces of personal data leaked in the Equifax breach to steal someone’s identity and create new accounts. They may also pick and choose pieces from various people’s accounts – like a birthday, Social Security number, and name – and mix them together to create an entirely new ID.

To keep tabs on fake accounts, you can monitor new signups to look for risky patterns, like a sudden spike in new accounts that can’t be attributed to a specific promotion or seasonal trend. If the average time it takes a new user to sign up suddenly gets much faster, that may point to fraudsters using a script to quickly create accounts. And seeing multiple new accounts coming from the same IP address or device is a red flag for a single person creating many accounts.

Stay focused on maintaining user trust.

Even if a breach doesn’t happen on your site, any downstream fraud attacks still happen on your watch. If you don’t invest in protecting your users from the devastating effects of ATO, identity theft, and fraud, you will soon lose their trust. Trust is earned in drops, but lost in buckets.

At the same time, e-commerce businesses and financial institutions should make sure they aren’t overly cautious to the point where they’re rejecting good customers and denying legitimate accounts. Preventing fraud is a delicate balancing act, and the right technology – which looks at a range of data points to make an accurate prediction about what is and isn’t fraudulent – can help you strike the right balance.

About the Author:
Jason Tan is the CEO of Sift Science, a trust platform that offers a full suite of fraud and abuse prevention products designed to attack every vector of online fraud for industries and businesses across the world.
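The ATO signals and the fake-account patterns described in the post above, turned into scoring logic over a constructed event stream. This is an added example, not Sift Science's product logic or code from the original post; the event layout, the signal weights, the score threshold, the "ten times faster than baseline" signup rule and the per-source account limit are illustrative assumptions. It is built so that any one signal (a new device, a VPN) stays below the ATO threshold on its own, which is the post's point about judging signals in combination.

```python
"""Risk signals for account takeover (ATO) and bulk fake signups, scored
over a constructed event stream. Added example; the event layout, weights
and thresholds below are illustrative assumptions, not a vendor's model."""
from collections import Counter
from statistics import median

# Constructed events: (t_seconds, user, action, device, ip, via_proxy_or_vpn)
EVENTS = [
    (0,    "alice", "login_ok",        "dev-A", "10.0.0.1",    False),
    (60,   "alice", "purchase:40",     "dev-A", "10.0.0.1",    False),
    (3600, "alice", "login_fail",      "dev-Z", "203.0.113.9", True),
    (3610, "alice", "login_fail",      "dev-Z", "203.0.113.9", True),
    (3620, "alice", "login_ok",        "dev-Z", "203.0.113.9", True),
    (3640, "alice", "change_address",  "dev-Z", "203.0.113.9", True),
    (3650, "alice", "change_password", "dev-Z", "203.0.113.9", True),
    (3660, "alice", "purchase:900",    "dev-Z", "203.0.113.9", True),
    (0,    "bob",   "login_ok",        "dev-B", "10.0.0.2",    False),
    (500,  "bob",   "purchase:30",     "dev-B", "10.0.0.2",    False),
]

# Constructed signups: (user, ip, device, seconds taken to complete the form)
SIGNUPS = [
    ("u1", "10.0.0.5",     "dev-C", 95),
    ("u2", "10.0.0.6",     "dev-D", 120),
    ("u3", "198.51.100.7", "dev-E", 3),
    ("u4", "198.51.100.7", "dev-E", 2),
    ("u5", "198.51.100.7", "dev-E", 3),
    ("u6", "198.51.100.7", "dev-E", 4),
]

# Assumed weights: no single signal reaches the threshold on its own, so a
# new device or a VPN alone stays below it; several together cross it.
ATO_WEIGHTS = {"new_device": 2, "failed_logins": 2, "proxy_or_vpn": 1,
               "settings_change": 2, "purchase_spike": 3}
ATO_THRESHOLD = 6


def ato_signals(events, user, known_devices):
    """Return (score, reasons) for one user's events, taken chronologically."""
    ev = sorted((e for e in events if e[1] == user), key=lambda e: e[0])
    reasons = []
    if {e[3] for e in ev if e[2] == "login_ok"} - set(known_devices):
        reasons.append("new_device")
    if sum(1 for e in ev if e[2] == "login_fail") >= 2:
        reasons.append("failed_logins")
    if any(e[5] for e in ev):
        reasons.append("proxy_or_vpn")
    if any(e[2].startswith("change_") for e in ev):
        reasons.append("settings_change")
    amounts = [int(e[2].split(":")[1]) for e in ev if e[2].startswith("purchase:")]
    # Latest purchase far above this user's own prior median: buying more than usual
    if len(amounts) >= 2 and amounts[-1] > 5 * median(amounts[:-1]):
        reasons.append("purchase_spike")
    return sum(ATO_WEIGHTS[r] for r in reasons), reasons


def is_ato(events, user, known_devices):
    return ato_signals(events, user, known_devices)[0] >= ATO_THRESHOLD


def signup_anomalies(signups, baseline_form_seconds=90, max_per_source=2):
    """Flag many accounts from one ip/device pair, and form completion an
    order of magnitude faster than the human baseline (scripted signups)."""
    per_source = Counter((ip, dev) for _, ip, dev, _ in signups)
    flagged = set()
    for user, ip, dev, secs in signups:
        if per_source[(ip, dev)] > max_per_source:
            flagged.add((user, "many_accounts_same_source"))
        if secs < baseline_form_seconds / 10:
            flagged.add((user, "scripted_signup_speed"))
    return sorted(flagged)


def signup_spike_hours(hourly_counts, factor=3.0):
    """Hours whose signup count exceeds factor times the median hour; a
    spike not explained by a promotion or season deserves a closer look."""
    base = median(hourly_counts)
    return [h for h, c in enumerate(hourly_counts) if c > factor * base]


if __name__ == "__main__":
    for u, known in (("alice", {"dev-A"}), ("bob", {"dev-B"})):
        print(u, ato_signals(EVENTS, u, known), "ATO" if is_ato(EVENTS, u, known) else "ok")
    print(signup_anomalies(SIGNUPS))
    print(signup_spike_hours([12, 10, 14, 11, 80, 13]))
```

In real use the per-user baseline (known devices, typical purchase size, typical form completion time) would come from history rather than be passed in, and the weights would be learned rather than hand-set; the structure of combining weak signals into one score is what carries over.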

Monday, September 11, 2017

Information Security: The Dismal Discipline?

Read this chapter from Why CISOs Fail: The Missing Link in Security Management--and How to Fix It and understand why the author likes to call information security the "dismal discipline," and why this perception needs to change.

Thursday, August 31, 2017

Universities Still Struggle to Provide Cybersecurity Education

The latest Global Information Security Workforce Study paints a grim picture, predicting that in five years the number of unfilled cybersecurity jobs will rise to 1.8 million worldwide. The main reasons are a lack of qualified personnel who can fill these roles and a lack of universities providing cybersecurity education.

Monday, August 28, 2017

Chipping People: Are You Ready?

Shelly Palmer notes that "Proponents of the technology tout its convenience and the idea that you never have to remember your wallet or a password, ever again. While they are technically correct, chipping people invokes a train of thought that quickly descends to the darkest of places."

Would you voluntarily submit to this? What if chipping was a term of employment?

There's a link to a survey at the end of the article. Although it's not my survey, I'm interested in the results.

Wednesday, August 16, 2017

New Research on "Pulse Wave" DDoS Attacks

New findings from Imperva Incapsula researchers, published today as "Attackers Use DDoS Pulses to Pin Down Multiple Targets", detail the emergence of a new assault pattern, which they've named Pulse Wave.

According to lead researcher Igal Zeifman, “Pulse Wave DDoS represents a new attack methodology, made up of a series of short-lived pulses occurring in clockwork-like succession, which accounts for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 Gbps.”

The size of these attacks, and the skill they exhibit, suggest they are the handiwork of practiced bad actors who have learned to portion their attack resources across simultaneous assaults, meaning the intervals between each pulse are being used to attack a secondary target.

This new approach shows that some offenders have grown to understand that it is not necessary to hit a target continuously to take it offline; rather, repeated short bursts are enough to disrupt routers and servers, producing the same effect. By the time the systems have recovered from the first burst, or pulse, the hackers hit them again. In this way, they can double their resource utilization and pin down several targets.

The existence of such capabilities spells bad news for everyone, as they enable bad actors to greatly increase their attack output. The pulse-like nature of these attacks is especially harmful for appliance-first mitigation solutions, since it can disrupt the communication between their two components and so prevent effective failover from the appliance to the cloud. Specifically, the attacks can delay the time it takes for the cloud component of the mitigation solution to kick in, which increases the likelihood of the target going down and being forced into a prolonged recovery process. Moreover, pulse wave assaults can prevent the data collected in the early attack stages from being passed from the appliance to the cloud, further harming its responsiveness.

As the research points out, while Pulse Wave attacks constitute a new attack method and have a distinct purpose, they haven't emerged in a vacuum. Instead, they're a product of the times and should be viewed in the context of a broader shift toward shorter-duration DDoS attacks. Multiple industry reports, including the Imperva Incapsula quarterly DDoS Threat Landscape report, point to an increased number of short-lived DDoS events over the past year. As a result, the majority of all DDoS attacks today, at both the network and application layers, last less than one hour, and the percentage of such short-burst attacks is growing each quarter.
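An added example, not Imperva Incapsula's code or data, of why short, regular bursts defeat a mitigation rule that waits for sustained traffic: a naive rule that escalates only after traffic has stayed above a threshold for 60 seconds never fires on 30-second pulses, while a detector that keys on the regularity of burst start times recognizes the pattern after a few pulses, predicts the next one, and can hold scrubbing engaged through the quiet gap instead of failing back. The traffic series, the 10 s sampling interval, the 50 Gbps burst threshold and the regularity bound are constructed assumptions.

```python
"""Pulse Wave recognition over a constructed traffic series. Added example,
not Imperva Incapsula's code or data; the series, 10 s sampling interval,
50 Gbps burst threshold and regularity bound are illustrative assumptions."""
from statistics import mean, pstdev

INTERVAL_S = 10      # assumed sampling interval of the traffic counter
THRESHOLD_GBPS = 50  # assumed level above which a sample counts as attack

# Constructed per-interval traffic in Gbps: three 30 s pulses, 70 s apart
SAMPLES = [1, 1, 2, 300, 320, 310, 2, 1, 1, 2, 310, 300, 315,
           1, 2, 1, 1, 305, 300, 310, 1, 1]


def find_bursts(samples, interval_s=INTERVAL_S, threshold=THRESHOLD_GBPS):
    """Contiguous runs at or above threshold as (start_s, end_s, peak_gbps)."""
    bursts, start = [], None
    for i, gbps in enumerate(list(samples) + [0]):  # sentinel closes a trailing burst
        if gbps >= threshold and start is None:
            start = i
        elif gbps < threshold and start is not None:
            bursts.append((start * interval_s, i * interval_s, max(samples[start:i])))
            start = None
    return bursts


def sustained_trigger(samples, sustain_s, interval_s=INTERVAL_S, threshold=THRESHOLD_GBPS):
    """Appliance-style rule: escalate to cloud scrubbing only once traffic has
    stayed above threshold for sustain_s. Pulses shorter than that never fire it."""
    need, run = sustain_s // interval_s, 0
    for gbps in samples:
        run = run + 1 if gbps >= threshold else 0
        if run >= need:
            return True
    return False


def pulse_wave_profile(bursts, min_pulses=3, max_cv=0.2):
    """Recognize clockwork-like pulses: enough bursts whose start-to-start
    spacing is regular (coefficient of variation <= max_cv). Returns the
    period, pulse length and the predicted start of the next pulse, or None."""
    if len(bursts) < min_pulses:
        return None
    starts = [s for s, _, _ in bursts]
    periods = [b - a for a, b in zip(starts, starts[1:])]
    period = mean(periods)
    cv = pstdev(periods) / period if period else float("inf")
    if cv > max_cv:
        return None
    return {
        "period_s": period,
        "pulse_s": mean(e - s for s, e, _ in bursts),
        "regularity_cv": cv,
        "peak_gbps": max(p for _, _, p in bursts),
        "next_pulse_at_s": starts[-1] + period,
    }


def keep_mitigation_engaged(profile, now_s):
    """Hold scrubbing through the quiet gap: a recognized pulse wave means the
    next burst is expected, so do not fail back to the appliance before it."""
    return profile is not None and now_s <= profile["next_pulse_at_s"] + profile["pulse_s"]


if __name__ == "__main__":
    bursts = find_bursts(SAMPLES)
    print("bursts:", bursts)
    print("60 s sustained trigger fires:", sustained_trigger(SAMPLES, 60))
    profile = pulse_wave_profile(bursts)
    print("pulse wave:", profile)
    print("keep mitigation at t=220 s:", keep_mitigation_engaged(profile, 220))
```

The trade-off is the one the post raises about short attacks generally: a lower sustain time or a periodicity detector will also react to legitimate bursty traffic, so the decision to hold mitigation engaged belongs with whatever cost the scrubbing path imposes on good traffic.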

“For a commercial organization, every such instance translates into tens of thousands of dollars in direct and indirect damages. For professional offenders—already inclined to split up their attack resources for optimized utilization—this serves as another reason for them to launch Pulse Wave DDoS assaults. Consequently, we expect to continue encountering such assaults. We also forecast them to grow larger and become more persistent, fuelled by botnet resource evolution and the previously described macro trends we’ve observed in the DDoS landscape,” Zeifman added.

The full research paper, "Attackers Use DDoS Pulses to Pin Down Multiple Targets, Send Shock Waves", presents a detailed dive into the nature of pulse wave attacks, the threat they pose, and their place in the DDoS threat ecosystem.

Monday, June 26, 2017

How Long Can Resources in Short Supply Last?

Smart Energy: From Fire Making to the Post-Carbon World first traces the history of mankind's discovery and use of energy. It then reviews contemporary issues such as global warming, environmental deterioration, depletion of carbon energy sources, and energy disputes. Next, it evaluates technical innovations, system change, and international cooperation. Then, it tackles how civilization will continue to evolve in light of meeting future energy needs, how Smart Energy will meet these needs, and defines the global mission. The book closes with a summary of China’s dream of Smart Energy. This chapter considers how long petroleum, coal, and other carbon-based resources can last.