Here in NYC, all the TV weather forecasters are predicting the storm of the century, if not the greatest storm of all time. Some are calling it "Snowmageddon!" Oh, my.
Have you formulated a plan, one that includes keeping data safe, to avoid grinding to a halt should your employees find themselves cut off or the office inaccessible? The answer could be to have adequate infrastructure in place that allows workers to securely work from home, or while stranded anywhere sensible with an internet connection. This article examines what technologies are there to help, and what security implications need to be considered.
Thursday, January 21, 2016
Wednesday, January 20, 2016
Tips for Stronger Passwords
Bill Carey, VP of Marketing for RoboForm, offers these helpful tips and tricks to ensure that your password doesn’t make the annual list of the worst passwords in 2016!
1. Try the ‘First Letter’ method when creating new passwords. Take the first letter of your favorite expression, lyric, song or movie, etc., and put them together in a creative way. For example, the evolution of a password based on Frank Sinatra’s My Way may be:
- For what is a man? What has he got?
- Turns into – Fwiam?Whhg?
- It has capital letters, lowercase letters, symbols and is 11 characters long. Pretty strong…
2. Passwords are the first line of defense for most business networks, but too many managers and employees continue to use easily hackable passwords containing names, birthdays, titles and other information hackers can find online in seconds. Instead, require employees to use passwords that contain both upper and lowercase letters, symbols and numbers. That makes it much more difficult for hackers to gain access.
3. Change passwords every 30-60 days and use a different password for each site: Keeping the same password long-term is dangerous, and using a single password for multiple sites is just asking for trouble: In that scenario, all a hacker would have to do to gain access to sensitive data stored on numerous sites would be to crack a single password. Change passwords at least every 60 days and use a unique one for each secure site.
Tuesday, January 19, 2016
5 Steps to Securing Data Workflows in Your Organization
With data flowing constantly into and out of every organization, the risk of malware infecting the system is greatly increased. To protect against these threats, most organizations have anti-malware solutions implemented at the different entry points, including email, web and portable media, in an attempt to stop malware from entering the organization's network. But is this the most effective way to stop malware? This article highlights why implementing a secure data workflow is more beneficial to organizations than single solutions at different entry points; the five steps organizations need to take to implement a secure data workflow; and how the use of multiple anti-malware engines can assist an organization's secure data workflow even further.
Wednesday, January 13, 2016
Internet Explorer End-of-Life Security Tips
PORTLAND, Ore.--(BUSINESS WIRE)--Beginning on Tuesday, January 12, 2016, Microsoft will no longer support Internet Explorer (IE) 8, 9 and 10. Users of IE 11 will continue to receive technical support and security updates, leaving users of legacy versions of IE more vulnerable to malware. According to Computerworld, only 55 percent of IE users – more than 340 million people – are using the latest version of the browser.
“It is safe to assume that cybercriminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analyzing future IE 11 updates,” said Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT). “Using Tripwire’s VERT vulnerability database, rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions.”
Tripwire security experts offer the following advice for organizations that cannot switch to IE 11 by the cutoff date:
• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.
• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.
• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.
“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”
Thursday, January 7, 2016
Black Energy Attack on Ukrainian Power Grid
Federal agencies in the US are looking into the Black Energy malware and possible state-sponsored hackers that took down the Ukrainian power grid just before Christmas. About 700,000 were affected for several hours. If this proves out, it will be the first documented case of an attack that actually interrupted service and is a grave concern for governments around the world.
"It’s myopic to think of this threat as an ‘energy sector’ problem. Any industry that relies on industrial control systems is at risk. Any industry where networked devices cause physical change in the world is a target for these kinetic cyber attacks.”
Tim Erlin, Director of IT Security and Risk Strategy for Tripwire says, “Industry experts have been talking about how cyber attacks could directly affect the power grid for a long time, so it shouldn’t be a surprise that it’s now actually occurred. Discussing a threat doesn’t count as mitigation. Energy companies need to invest in securing their infrastructure, from control systems to corporate IT. Investment isn’t just about buying products. It’s about people, skills and process. Purchasing the latest security device is easy compared to training security staff effectively.
"All malware, including BlackEnergy, requires an infection vector to get to its target. Attackers will almost always take the path of least resistance. Today, that means published vulnerabilities, misconfigurations and phishing scams. These are all security issues that we can address, with sufficient resources.
Tuesday, January 5, 2016
What Santa Didn't Bring Me
I was a little disappointed on Christmas morning when I discovered that Santa didn't leave any manuscripts on the following topics:
threat hunting
moving target security
insider threats
security kill chain
physical security and the IT department
security operations
synchronized security
security awareness
data loss prevention
SIEM
It's still not too late to bring some Christmas joy to a boy's heart. If you or a friend or a colleague have any interest in writing a book in 2016 on these or some related topics, please let me know.
Best wishes for 2016.
Rich
Monday, January 4, 2016
Is Machine Learning Cybersecurity's Latest Pipe Dream?
A recurring claim at security conferences is that "security is a big data, machine learning (ML), and artificial intelligence (AI) problem." This is unfortunately wildly optimistic, and wrong in general. As this article explains, while certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organizations is not one of them.