Microsoft’s enterprise software powers the majority of large environments. Though often hybridized with open source solutions and third party offerings, the core components of Windows Server, Exchange, and SQL Server form the foundation of many organizations’ data centers. Despite their prevalence in the enterprise, Microsoft systems have also carried a perhaps unfair reputation for insecurity, compared to Linux and other enterprise options. But the insecurities exploited in Microsoft software are overwhelmingly caused by misconfigurations and process errors, not flaws in the technology— patches are not applied on a quick and regular cadence; settings are not hardened according to best practices; dangerous defaults are left in place in production; unused modules and services are not disabled and removed. Microsoft has come a long way to bring its out-of-the-box security up to snuff with its famous usability, not to mention introducing command-line and programmatic methods by which to manage their systems. But even now, the careful control necessary to run a secure and reliable data center on any platform can be difficult to maintain all of the time at scale.
The government of the United States of America is perhaps the largest target on Earth for cyber attacks. The US has plenty of enemies, a track record of perpetrating cyber warfare and espionage (even upon its allies), numerous recent instances of susceptibility to such attacks, countless official documents attesting to its weakness against cyber attacks, and, of course, the US government leads the wealthiest nation with the most powerful military. These facts are not lost on the good people responsible for the well being of American citizens and people all over the world.
Introduction: The Internet Footprint. There is much more to a company’s internet presence than just a website. Even a single website has multiple facets that operate under the surface to provide the functionality users have become accustomed to. The internet footprint for every company comprises all of their websites, registered domains, servers, IP addresses, APIs, DNS records, certificates, vendors, and other third parties: anything that is accessible from the internet. The larger the footprint, the more digital surfaces it contains, the more complex its inner workings, and the more resources it requires to maintain. And although having an internet presence is basically a given these days, the risk incurred by that presence is not always acknowledged.
The Problem of Digitization. The digitization of business has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. It has also increased the risk surface of business, creating new dangers and obstacles for the business itself, not just its technology. This risk is compounded by the interrelations of digital businesses: as data handling and technological infrastructure are outsourced, each third party becomes a vector for breach or exposure for the primary company. The technical nature of this risk makes it inaccessible to those without advanced skills and knowledge, leaving organizations without visibility into an extremely valuable and critical part of the business.
Security ratings are like credit ratings, but for the assessment of a company’s web-facing applications. Where a credit rating lets a company determine the risk of lending to a prospective debtor, a security rating lets it decide how risky it will be to deal with another in handling data. The comparison holds up even better when we remember one of the key principles of cyber resilience: that cyber risk “is actually business risk, and always has been.”
When we think about cyber attacks, we usually think about the malicious actors behind the attacks, the people who profit or gain from exploiting digital vulnerabilities and trafficking sensitive data. In doing so, we can make the mistake of ascribing the same humanity to their methods, thinking of people sitting in front of laptops, typing code into a terminal window. But the reality is both more banal and more dangerous: just like businesses, governments, and other organizations, hackers have begun to index data and automate hacking processes: the work of finding and exploiting internet-connected systems is largely performed by computers. There’s no security in obscurity if there’s no obscurity.
The way businesses handle the risks posed by their technology is changing. As with anything, adaptability is survivability. When the techniques, methods, and philosophies of the past aren’t working, the time has come to find something better to replace them. Cyber resilience is a set of practices and perspectives that mitigate risk within the processes and workflow of normal operations in order to protect organizations from their own technology and the people who would try to exploit it. This includes all forms of cyber attacks, but also applies to process errors inside the business that put data and assets in danger without outside help.
Technology and Information. How much digital technology is required for your business to operate? Unless this document has traveled back in time, the chances are quite a lot. Now consider how much digital technology your vendors require to operate. The scope of technology grows quickly when you consider how vast the interconnected ecosystem of digital business really is. But digital business isn’t just about technology, it’s about information. For many companies, the information they handle is just as critical as the systems that process it, if not more so.
When we examined the differences between breaches, attacks, hacks, and leaks, it wasn’t just an academic exercise. The way we think about this phenomenon affects the way we react to it. Put plainly: cloud leaks are an operational problem, not a security problem. Cloud leaks are not caused by external actors, but by operational gaps in the day-to-day work of the data handler. The processes by which companies create and maintain cloud storage must account for the risk of public exposure.
Breaches, Hacks, Leaks, Attacks. It seems like every day there’s a new incident of customer data exposure. Credit card and bank account numbers; medical records; personally identifiable information (PII) such as address, phone number, or SSN— just about every aspect of social interaction has an informational counterpart, and the social access this information provides to third parties gives many people the feeling that their privacy has been severely violated when it’s exposed.
Given the complexity of modern information technology, assessing cyber risk can quickly become overwhelming. One of the most pragmatic guides comes from the Center for Internet Security (CIS). While CIS provides a comprehensive list of twenty controls, they also provide guidance on the critical steps that "eliminate the vast majority of your organisation's vulnerabilities." These controls are the foundation of any cyber resilience platform and at the center of UpGuard's capabilities.
UpGuard makes a cyber resilience platform designed for exactly the realities that necessitate regulations like New York State Department of Financial Services 23 NYCRR 500. On one hand, businesses need to store, process, and maintain availability for growing stores of valuable data; on the other, the very conditions for market success open them to attacks from increasingly sophisticated and motivated attackers. Balancing these requirements makes a business resilient, and UpGuard provides the visibility, analysis, and automation needed to thrive while satisfying regulations like NYCRR 500.
Why dashboards? Nobody’s perfect. Success is almost always determined through trial and error, learning from mistakes and course-correcting to avoid them in the future. The length of this cycle— from experiment to result, incorporated into future decisions— determines how quickly a trajectory can be altered, which in turn offers more opportunities to succeed. However, capturing and using hard data to make these adjustments is more difficult than it seems. Dashboards visualize real time data and recent trends, giving people insight into whether their efforts are succeeding— assuming they’re using the right metrics.
UpGuard is proud to announce that security expert Chris Vickery is joining our team as a cyber risk analyst, bringing with him a stunning track record of discovering major data breaches and vulnerabilities across the digital landscape. Chris comes to us from his previous role as a digital security researcher, where among other achievements, he discovered a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens, protecting more than seventy percent of the country’s population from the risk of exposure of their personal information.
Leading security researchers have confirmed that the U.S. Air Force (USAF) suffered a massive data breach leading to the exposure of sensitive military data and senior staff information. Here's what you need to know about this latest security failure involving the U.S. government.
On February 18th, 2017, Google security researchers discovered a massive leak in Cloudflare's services that resulted in the exposure of sensitive data belonging to thousands of its customers. Here's what you need to know about the Cloudbleed bug and what can be done to protect your data.
Arby's announced last week that its recently disclosed data breach may impact 355,000 credit card holders that dined at its restaurants between October 2016 and January 2017. Are fast food vendors resilient enough to sustain future cyber attacks and—more importantly—protect consumers against online threats?
Booksellers and electronics retailers aren't the only brick-and-mortar businesses challenged by the rise of highly agile, online-only competitors—traditional retail banking institutions also face stiff competition from Internet-based consumer banking upstarts. But are these born-in-the-cloud banks and financial services offerings safer than their traditional counterparts? Let's take a look at the leading online banks to see if they're equipped to handle today's cyber threats.
On October 21st, 2016, DNS provider Dyn suffered from the largest DDoS attack in history, leaving much of the Internet inaccessible to Europe and North America. The unprecedented event saw cyber attackers orchestrating swathes of Mirai malware-infected IoT and connected devices to perform DNS lookup requests from tens of millions of IP addresses—impressive automated hacking, but hardly sophisticated: the malware gained privileged access by using public, default passwords. Are IoT companies doing enough to secure their "things" against nefarious actors?
With all the conveniences of modern air travel—mobile check-ins, e-gates, in-flight wifi, and more—it's easy to assume that the world's leading airlines have addressed the inherent cyber risks of digitization. But the safety of in-air passengers is just one aspect of airline customer security; are these companies doing their best to protect customers against online security compromises? Let's take a look at the world's leading airlines to find out.
Every year, leading tech/gadget vendors descend upon the world's largest consumer electronics show in an exuberant display of product design wizardry, cutting edge innovation, and of course—a requisite dose of ridiculousness. This year's focus was on connected cars and VR, with IoT device and wearable tech manufacturers out in full force, per the usual. Let's see how good the best of CES 2017 are at protecting customers against cyber attacks.
2016 was arguably the year when cybersecurity events entered into the global stream of consciousness, from the sabotage of national banks to the hacking of elections. And though we're barely into 2017, the breach announcements have already begun: on January 3rd, a data breach was discovered involving the sensitive data of health workers employed by the US military's Special Operations Command (SOCOM). An increase in government-related security incidents is one of our top predictions for 2017—here are 11 other cybersecurity predictions for the new year.
Last week, leading online education provider Lynda.com announced that its database of over 9.5 million accounts was compromised in a recent data breach. With the education space increasingly moving to the internet, are underlying technology providers doing their best to provide a safe learning environment to customers?
AAA predicts that a record number of Americans will be taking to the skies and roads this holiday season—103 million between Dec. 23-Jan. 2, a 1.5% increase over 2015. 57% of these travel reservations—that's 148 million travellers—booked online. Airfare/hotel/car rental comparison websites are an increasingly popular way to book travel these days, but how good are they at protecting their users' data? Let's take a look at the top 8 online travel aggregators' CSTAR ratings to find out.
As the holiday season approaches, the world’s fraudsters, scammers, and blackhats can take no small measure of yuletide cheer from their work in 2016 - a banner year for hacking. Call it the dark side of technological innovation, an equal and opposite reaction to the increasing breadth and efficiency of the internet. 2016 was a record-breaking year for data breaches, powerfully affecting the spheres of life like never before - from a presidential election rife with electronic intrigue, to a business landscape increasingly shaped by hacking. But if there is a silver lining to be found, looking at the most damaging data breaches to actually occur in 2016, it is the depressing fact that some of the worst hacks exploited well-known vulnerabilities which could’ve been easily prevented.
Once upon a time, video gaming was strictly an offline, console-based affair. Even PC-based titles were relegated to the safe confines of the player's local desktop machine. The arrival of affordable and ubiquitous high-speed internet transformed gaming into a highly interactive online activity; these days, the online component is an integral part of gameplay. But are gaming vendors doing enough to protect users against today's cyber threats?
Last week, leading global ERP vendor SAP was busier than usual in the patch department: it closed a record number of issues for a single month and addressed 48 vulnerabilities—one of them an authentication bypass vulnerability that had gone unaddressed for 3 years. Given how mission-critical ERP systems are for centralizing business operations these days, is it safe to assume that ERP vendors are serious about their customers' security? Let's take a look at the leading solution providers in this category to find out.
Does filling out an online survey in exchange for a few bucks sound too good to be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing privileged data of survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.
Leading cloud storage provider Dropbox is arguably having its worst month since launching back in 2007—but with over half a billion users, it's somewhat surprising that serious issues have only begun to surface between the ubiquitous service and the people trusting it with their files. First, in a recent announcement reminiscent of LinkedIn's latest data breach fiasco, Dropbox announced several weeks ago that over 68 million emails and passwords were compromised in a previously disclosed 2012 data breach. And now, security experts are criticizing the company for misleading OS X users into granting admin password access and root privileges to their systems. What recourse do consumers have when cloud services providers "drop the box" on security, or even worse—when their actions directly jeopardize the users they're supposed to protect?
As election year moves into the final stretch, news coverage wouldn't be complete without another mention of a politically motivated data breach or cybersecurity incident. Of course, several months ago the DNC's emails were compromised by hackers, resulting in the theft and exposure of 19,000 hacked emails and related documents. This pales in comparison, however, to the recent FBI announcement of data breaches involving both Illinois and Arizona's voter registration databases. If the controls critical to securing election systems continue to fail, how can participants in the democratic process be sure that their votes won't be hijacked?
Organizations often regard cybersecurity as a series of barricades protecting the inner workings of the data center from attacks. These barricades can be hardware or software and take actions such as blocking ports, watching traffic patterns for possible intrusions, encrypting communications and so forth. In practice, these measures are only part of a comprehensive cybersecurity strategy, and by themselves will do little to bolster the overall resilience of an organization. But thoroughly tested and streamlined procedures within IT operations can prevent the most common attack point on the internet: misconfigurations.
If you regularly use a computer, chances are you spend at least part of your time reading internet news. If you have a subscription, you might even log in and enter your payment info. But how secure are news sites? Here at UpGuard, we took a look at six of the top news media sites on the internet to see how their security stacked up. Many big names had low scores, while a few did very well. What does this mean for the average online news reader?
In 2015, organizations spent over $75 billion on cybersecurity. That’s a lot of money. But 2015 also saw a rise in successful cyber attacks, costing companies hundreds of billions of dollars in damages, loss and other related expenditures. Did all of the security software and hardware purchased with that $75B fail to do its job? Today's landscape requires more than just a collection of isolated products handling specific tasks—it needs an integrated ecosystem dedicated to overall resilience.
The term cyber risk is often used to describe a business’ overall cybersecurity posture, i.e., at how much risk is this business, given the measures it has taken to protect itself. It’s often coupled with the idea of cyber insurance, the necessary coverage between what a company can do security-wise, and the threats it faces day in and day out. Cybersecurity used to belong exclusively in the realm of Information Technology, one of many business silos that while important, was only a small piece of the business and as such, often delegated to a C-level manager who interfaced with other executives as necessary. Today’s businesses have outgrown this model, as what used to be considered information technology has grown to encompass business itself, permeating every aspect of it, governing its speed, its range, its possibilities. As a CEO or CFO, the way your business handles information technology and begins to foster cyber resilience, reflects the way you think about your company and its place in the contemporary market.
You’ve hardened your servers, locked down your website and are ready to take on the internet. But all your hard work was in vain, because someone fell for a phishing email and wired money to a scammer, while another user inadvertently downloaded and installed malware from an email link that opened a backdoor into the network. Email is as important as the website when it comes to security: it is a channel for social engineering, malware delivery and resource exploitation, so a combination of best practices and user education is needed to reduce the risk of an email-related compromise. By following this 13 step checklist, you can make your email configuration resilient to the most common attacks and make sure it stays that way.
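The page does not list the checklist's 13 steps, so the following is an added example and not UpGuard's own code; it assumes (my assumption) that the steps include publishing strong SPF and DMARC records, which is the configuration-level control against the spoofed sender addresses that phishing relies on. The TXT records are constructed sample data held in a dictionary in place of real DNS lookups; the weak settings it flags ("+all", "p=none", a missing record, more than ten DNS-querying SPF terms) are the ones receivers treat as no protection at all.

```python
"""Audit SPF and DMARC records for settings that leave a domain spoofable.

Added example, not UpGuard's checklist code. SAMPLE_TXT is a constructed
stand-in for DNS; swap in a real resolver to run it against your own domains.
"""
import re

# Constructed sample TXT records keyed by DNS name (assumption: not real domains).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"],
    "none.example": [],
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=")


def lookup_txt(name, resolver=SAMPLE_TXT):
    """Return the TXT strings for a name from the sample table."""
    return resolver.get(name, [])


def check_spf(domain, resolver=SAMPLE_TXT):
    """Return a list of findings for the domain's SPF record (empty means fine)."""
    findings = []
    records = [r for r in lookup_txt(domain, resolver) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: any host may send as this domain"]
    if len(records) > 1:
        findings.append("multiple SPF records: receivers will treat SPF as permerror")
    terms = records[0].split()[1:]
    # The final 'all' mechanism decides the result for every sender not matched earlier.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders default to neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all': SPF passes every sender, record is useless")
        elif qualifier == "?":
            findings.append("'?all': neutral result, no protection")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(domain, resolver=SAMPLE_TXT):
    """Return a list of findings for the domain's DMARC policy (empty means fine)."""
    findings = []
    records = [r for r in lookup_txt("_dmarc." + domain, resolver)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("p=none: DMARC monitors only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: consider p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings


def audit(domain, resolver=SAMPLE_TXT):
    """Combine both checks for one domain."""
    return {"spf": check_spf(domain, resolver), "dmarc": check_dmarc(domain, resolver)}


if __name__ == "__main__":
    for d in ("weak.example", "good.example", "none.example"):
        print(d, audit(d))
```

The SPF check deliberately looks only at the last `all` qualifier and the lookup count, which are the two mistakes that silently turn a published record into no record; DKIM is not checked here because its selector names are not discoverable from the domain alone.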
In the last few years, sports betting websites like DraftKings and FanDuel have exploded in popularity and controversy. Anyone who watched last year’s NFL season shouldn’t be surprised that those two sites alone spent over $200M on national television advertising in 2015, amounting to around 60,000 commercials. At the same time, betting sites have been in the news due to their questionable legality and the lawsuits being brought against them from various parties. With March Madness in full effect, people are turning to online gambling sites to place their bets. Aside from the increasing legal resistance these companies face, should users be concerned about the security of sharing their information with these sites? As it turns out, it depends on the site.
According to the recently released 2016 Data Breach Investigations Report (DBIR) digest, produced annually by Verizon to help educate the industry, companies spent hundreds of billions of dollars last year as a result of cybersecurity incidents.
Fortune recently published an article listing the airlines with the best in-flight wifi service. Coming in at the top of the list with the most onboard wifi connections globally were 3 American carriers: Delta, United, and American Airlines, respectively. But what defines best? Security is clearly not part of the equation, as one journalist famously discovered last week on a domestic American Airlines flight. But then again, if we're talking about wifi and commercial aircraft, all airlines get a failing grade.
We've all heard the saying: hindsight is 20/20. This applies to many scenarios but is seldom the case when it comes to IT security: most organizations develop shortsightedness when it comes to data breaches—even those that may be happening right under their noses. Like a vehicle's side and rearview mirrors, retrospective security improves visibility by eliminating blind spots using past trends and historical data.
When we think of protecting our information online, it’s usually in the context of traditionally sensitive data-- credit card numbers, addresses, SSNs, and so on. But as anyone who has taken a picture of themselves wearing nothing but a smile can tell you, the information exchanged during online dating can be just as personal. I haven’t done that, though. Ever. I have never done it.
As the digital economy has matured, so has the recognition that cyber risk cannot be eliminated; it must be managed. Insurance is the mechanism by which we distribute risk so that rare but catastrophic events don't ruin the unfortunate person (or company) that they happen to. Accurately pricing cyber insurance, however, is still in its infancy. Comparing the methods for assessing cyber risk to those used in property and casualty insurance points the way forward for better methodologies.
The answer is simple: because it's highly profitable. Credit card numbers are still the best we've got for transacting digitally and health records are 10 times more valuable on the black market. And despite efforts from the infosec community at large, cybercrime continues to increase in frequency and severity. The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
With the rate of data breaches increasing along with the complexity of modern IT infrastructures, the cyber insurance industry has been experiencing significant growing pains. Cyber risk determination had historically been done with employee surveys or contextual information about industries at large. Without reliable data on an organization’s actual working state, many insurers came to realize there was no way to formulate a fair and accurate cyber insurance policy, especially for more complex and ever-changing IT environments.
For as much as "cyber risk" sounds like a 1990's board game involving robots, cyber risk is actually serious business—in fact, it is continually becoming more important as organizations old and new find themselves relying on a variety of connected technologies and services. And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation. So what is cyber risk, and what can be done about it?
In what is being described as a landmark case, Nevada-based casino operator Affinity Gaming is suing cybersecurity firm Trustwave for inadequately investigating and containing a 2014 data breach. The lawsuit not only marks the first time a security firm is sued over post-breach remediation efforts—it also highlights the complexities around managing cyber risk for high risk organizations in today's threat landscape.
As the saying goes, there are two certainties in life: death and taxes. As we all look ahead to 2016, it’s clear that a third certainty has entered the mix: breaches.
Yes, it's that time of the year again. Time for global electronics vendors and eager enthusiasts from far and wide to converge at the world's largest annual consumer electronics/technology tradeshow. CES 2016 is in full swing, and IoT innovations have unsurprisingly taken center stage once again. Of course, who can forget the debut of Samsung "Smart" Fridge at last year's show, followed by the publicized hacking of the device soon thereafter. Judging by this year's exhibitor turnout, consumers can expect to see more hacked IoT devices making headlines in 2016. The following are the top 7 hackable IoT devices to watch out for at CES this year.
The election year is officially underway, but for non-voters and the apathetic—another reason not to register to vote has surfaced: on December 20th, 2015, a security researcher discovered a publicly exposed database of 191 million voter registrant records—names, addresses, dates of birth, phone numbers, party affiliations, state voter IDs, and more—posted online and freely accessible.
2015 may have come and gone, but the effects of last year's data breaches are far-reaching—for both millions of consumers and internet users as well as the companies and organizations whose systems were breached. Such events are no less devastating in terms of brand damage, and 2016 will undoubtedly bring forth a heightened collective security awareness in both organizations as well as consumers.
The figures are staggering: 21.5 million records containing social security numbers, names, places of birth, addresses, fingerprints, and other highly sensitive personal data—stolen by cyber attackers.
What's the difference? The former offers no legal recourse, at least for now. Just in case you've been de-sensitized by the recent ongoing barrage of security compromises, the latest data breach involving electronics and educational toy manufacturer VTech is sure to instill new fear in the hearts of parental consumers, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.
There's a classic line (one out of many) in the movie Casino by DeNiro's character Ace Rothstein: "Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all.”
Frequent fliers and international travelers are well familiar with these seatback devices (i.e., in-flight entertainment consoles) that serve as the only connection to the outside world while cruising at 30,000 feet. Soon, however, wifi on commercial flights will be generally available, rendering these devices obsolete—at least to the average laptop-toting flyer. This raises a series of concerns around their future obsolescence and resulting security gaps, as well as the potentially grave consequences of compromised wifi networks on planes.
For those of you planning on enjoying the sunset on June 30, 2015—an extra second of bliss awaits, compliments of the Earth’s inconsistent wobble. However, if Y2K sent you running for the hills, start packing again. Analysts predict technological fallout ranging from undeliverable tweets to outright digital armageddon, but for faithful IT folks with more grounded concerns like SLAs and business continuity, keeping critical systems up and running trumps all other concerns. Fortunately, resolving potential issues related to the Leap Second Bug is a fairly straightforward matter—as long as you know what to look for and where to find it.
Sports is big business, and where money and competition collide—laws will be broken. This aptly describes the latest hack involving the St. Louis Cardinals and Houston Astros, though admittedly—it sounds more like a teaser for a Hollywood blockbuster. Corporate espionage in sports has largely been a nascent phenomenon but will soon become commonplace as intrusion methods grow in sophistication and data moves into the cloud.
The short answer: it’s not. This was certainly the case for Kaspersky Lab, who announced yesterday that its corporate networks were hacked using a sophisticated advanced persistent threat (APT) dubbed Duqu 2.0. Though the word “sophisticated” is used rather liberally these days when describing data breaches, this new threat is by all accounts the most advanced of its kind.
When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right— you have to roll your own. This is especially true in today’s environments, where infrastructures can vary widely in composition from organization to organization. The truth is that factors such as degree of DevOps and Agile adoption, skill set of IT staff, corporate culture, and even line of business come into play when crafting a security solution for an organization. How well these tools align with the organization ultimately dictate the success and failure of a company’s security architecture. And when existing tools don’t fit or don’t work well, sometimes the only option is to build them yourself.
Home Depot. Target. Neiman Marcus. Albertsons. Michaels. Most Americans have shopped at one of these national chains recently. If you’re one of them, your credit card information may already be on the black market. And if you’re a retailer using a POS system, proposed legislation like the The Consumer Privacy Protection Act may hold you financially accountable in the event of a data breach. Here’s the skinny on RAM scraping, and what can be done to prevent it.
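RAM scrapers work because track data sits in cleartext in the POS process while a card is being authorized. The following is an added illustration, not UpGuard's or any vendor's tool: it runs the same pattern search a scraper uses against a memory snapshot, so an operator can confirm whether cleartext PANs are exposed in their own process dumps. The snapshot is a constructed byte string containing the well-known test PAN 4111 1111 1111 1111 and a Luhn-invalid decoy; the track layouts are the standard ISO/IEC 7813 formats, and the Luhn filter is what separates card numbers from other digit runs.

```python
"""Sweep a process-memory snapshot for cleartext payment-card track data.

Added example, not code from the original page. SAMPLE_SNAPSHOT is a constructed
byte string (assumption: a dump of a POS process would be read from a file instead).
"""
import re

# Track 2 as read from the stripe: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\?")
# Track 1, format B: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})[^?]*\?")


def luhn_ok(pan):
    """Luhn checksum; true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four, as a report should never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(snapshot):
    """Return masked findings for every Luhn-valid track record in the bytes."""
    findings = []
    for m in TRACK2_RE.finditer(snapshot):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                             "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1_RE.finditer(snapshot):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                             "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    return findings


# Constructed snapshot: padding, a Track 1 record, a Luhn-invalid decoy,
# a log fragment, and a Track 2 record for the same test card.
SAMPLE_SNAPSHOT = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    + b"\x00\x00"
    + b";4111111111111112=2512101000000000?"   # fails Luhn: not a card number
    + b"log: sale ok\n"
    + b";4111111111111111=2512101000000000?"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_SNAPSHOT):
        print(f)
```

A clean result on a dump taken mid-transaction is the evidence that point-to-point encryption at the reader is actually in place; a hit means a scraper with the same regex would get the same card.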
Every year, Verizon compiles data from a list of prominent contributors for its annual report highlighting trends and statistics around data breaches and intrusions from the past year. The 70-page Data Breach Investigations Report (DBIR) covers a myriad of data points related to victim demographics, breach trends, attack types, and more. Reviewing these shifting security trends can give indications as to how well-postured one’s organization is against future threats. And just in case you’ve got your hands full patching server vulnerabilities, we’ve done the legwork of expanding on a few critical key points from the report.
In a widely publicized report released last week titled "FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen," the US Government Accountability Office (GAO) details the potential vulnerabilities and dangers of offering in-flight wifi services during air transit. By essentially granting customers IP networking capabilities for their devices, airlines may be opening up their avionics systems for attacks:
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.