UpGuard Blog

Minimizing Cyber Risk in Microsoft Environments

Microsoft’s enterprise software powers the majority of large environments. Though often hybridized with open source solutions and third party offerings, the core components of Windows Server, Exchange, and SQL Server form the foundation of many organizations’ data centers. Despite their prevalence in the enterprise, Microsoft systems have also carried a perhaps unfair reputation for insecurity, compared to Linux and other enterprise options. But the insecurities exploited in Microsoft software are overwhelmingly caused by misconfigurations and process errors, not flaws in the technology— patches are not applied on a quick and regular cadence; settings are not hardened according to best practices; dangerous defaults are left in place in production; unused modules and services are not disabled and removed.

Microsoft has come a long way to bring its out-of-the-box security up to snuff with its famous usability, not to mention introducing command-line and programmatic methods by which to manage their systems. But even now, the careful control necessary to run a secure and reliable data center on any platform can be difficult to maintain all of the time at scale.

Filed under: SQL, IIS, Microsoft, Windows, cyber risk, policies, cybersecurity

Security Ratings Explained

The Problem of Digitization

The digitization of business has increased the speed of commerce, the scope of customers, the understanding of consumer habits, and the efficiency of operations across the board. It has also increased the risk surface of business, creating new dangers and obstacles for the business itself, not just its technology. This risk is compounded by the interrelations of digital businesses as data handling and technological infrastructure is outsourced, as each third party becomes a vector for breach or exposure for the primary company. The technical nature of this risk makes it inaccessible to those without advanced skills and knowledge, leaving organizations without visibility into an extremely valuable and critical part of the business.

Filed under: cyber risk, cybersecurity, third-party vendor risk, security ratings, vendor risk

UpGuard CyberRisk and Fair and Accurate Security Ratings Principles

In June of 2017 the U.S. Chamber of Commerce posted the “Principles for Fair and Accurate Security Ratings,” a document supported by a number of organizations interested in the emerging market for measuring cyber risk. The principles provide a starting point for understanding the current state of security ratings and for establishing a shared baseline for assessing vendors in that market.

Filed under: CSTAR, cybersecurity, cyber resilience, security ratings, vendor risk, cyberrisk

Cyber Resilience Challenge: Coke vs Pepsi

 

Few corporate rivalries are as legendary as these two enterprise contenders; admittedly, there have been more than a fair share of comparisons pitting the pair against each other over the last century. So we're offering a twist to the traditional cola challenge: how do Pepsi and Coke stack up in terms of cyber resilience? Read more to find out. 

Filed under: security, CSTAR, cybersecurity

Cyber Resilience Showdown: AT&T vs Verizon

As the two leading mobile telecom providers in the U.S., AT&T and Verizon are perpetually at war on almost all fronts—pricing, quality of service, network coverage, and more. But with data breaches at an all time high, security fitness may soon become a critical factor for consumers evaluating wireless service providers. Let's find out how the two compare when it comes to measures of enterprise cyber resilience.

Filed under: CSTAR, cybersecurity

Grinches Out in Full Force Scamming Online Holiday Shoppers

Retailers aren’t the only ones benefiting from increased sales around the holidays — scammers and hackers are seeing their own bump in business.

Filed under: hack, cyber attack, cybersecurity, data breach

2016: The Year of Preventable Hacks

As the holiday season approaches, the world’s fraudsters, scammers, and blackhats can take no small measure of yuletide cheer from their work in 2016 - a banner year for hacking. Call it the dark side of technological innovation, an equal and opposite reaction to the increasing breadth and efficiency of the internet. 2016 was a record-breaking year for data breaches, powerfully affecting the spheres of life like never before - from a presidential election rife with electronic intrigue, to a business landscape increasingly shaped by hacking. But if there is a silver lining to be found, looking at the most damaging data breaches to actually occur in 2016, it is the depressing fact that some of the worst hacks exploited well-known vulnerabilities which could’ve been easily prevented.

Filed under: cyber risk, hack, cyber attack, government, cybersecurity

2016 DevOps Year in Review

At the start of 2015, Gartner predicted that DevOps adoption would evolve from a niche to mainstream enterprise strategy, resulting in 25% of Global 2000 companies drinking its Kool-Aid by 2016. And while the hype—tempered by the realities of implementation—has more or less died down as of late, the methodology's value to enterprises is no longer a debatable matter. Here are some highlights from 2016 detailing how the year panned out for DevOps and its practitioners.

Filed under: devops, enterprise, cybersecurity

How Safe Is Your Cyber Monday?

It’s hard to believe Thanksgiving is almost here, and with it, the frenzy of the holiday shopping season fast approaches. Whether you are camping out overnight for “Black Friday” bargains, or waiting for the online deals of “Cyber Monday,” the odds are you are more nervous than ever about the safety and security of your financial information against holiday scammers. At least, so indicate the results of UpGuard’s survey of over 1,200 respondents in November 2016. The survey finds that 95% of consumers are to some degree concerned about the security of their information online, and more than half would break with their favorite brands if they knew their information was at risk; full survey results can be viewed here.

Filed under: CSTAR, retail, cybersecurity, chrome extension

How Much Are Service Outages Costing the Airline Industry?

Several of the world's leading airlines are getting the travel season off to a rocky start: last week, American Airlines and Alaska Airlines resolved a technical glitch causing reservation/check-in and delays across 15 flights. With the holidays approaching, can airlines weather mounting losses caused by their aging computer systems and IT infrastructures?

Filed under: vulnerabilities, cybersecurity, transportation

The New OAuth Flaw That Leaves Over a Billion Mobile Accounts Exposed

Your website's perimeter security couldn't be any better: sitewide SSL and DMARC/DNSSEC are enabled, software versions aren't being leaked in your headers, and all other resilience checks are green. But how secure is your mobile app? Unfortunately, like most companies, you've outsourced mobile app development to a third-party agency and have little visibility into their security practices. And if your app supports Facebook and Google sign-ons, you may be in trouble: a security team recently discovered an OAuth 2.0 flaw that's already left over a billion apps exposed. 

Filed under: vulnerabilities, cybersecurity

Hack The Vote!

Happy Election Day! As you head to the polls to vote, take a moment to check out this article from UpGuard's cybersecurity researchers analyzing the shadowy campaign financing organizations that helped fund this election - and how their activities might not remain so secret for long, if hackers have their way.  Now go vote!

Filed under: cyber risk, government, cybersecurity

Resilience Is the Lifeblood of Digital Health

Last month, around 1.3 million records belonging to over half a million blood donor applicants were breached when the Australian Red Cross' web development agency Precedent left a database backup exposed on a public website. The venerable non-profit has since taken responsibility and apologized for the incident, despite being the fault of a third party agency. If anything, the mishap serves to illustrate that resilience—not stronger cybersecurity—is the key enabler of safe healthcare digitization.

Filed under: enterprise, healthcare, cybersecurity

How Lack of Visibility Resulted in the Most Devastating Data Breach to Date

Government/politics, and cybersecurity—these topics may seem plucked from recent U.S. election headlines, but they're actually themes that have persisted over the last decade, reaching a pinnacle with the massive OPM data breach that resulted in the theft of over 22 million records—fingerprints, social security numbers, personnel information, security-clearance files, and more. Last month, a key government oversight panel issued a scathing 241 page analysis blaming the agency for jeopardizing U.S. national security for generations. The main culprit? Lack of visibility.

Filed under: enterprise, government, cybersecurity

How Risky Partners Increase Your Cyber Risk Exposure

This is not an opener for a sex-ed public service announcement, but in fact the million-dollar question for today's enterprise CISOs and CROs: which vendor in the supply chain will prove to be the riskiest bedfellow? With 63% of all data breaches caused directly or indirectly by third party vendors, enterprise measures to bolster cyber resilience must now include the evaluation of partners' security as part of a broader cyber risk management strategy. Easier said than done: most third parties are unlikely to admit to their security shortcomings, and—as it turns out—even if they did, most firms wouldn't believe them anyway.

Filed under: devops, enterprise, cybersecurity

Why Rugged Devops Is Important for Enterprise Cyber Resilience

DevOps has proven to be more than just an industry buzzword, but as the term starts to gain widespread use in modern software development parlance, an emerging successor has begun to take hold: Rugged DevOps, also known as SecDevOps/DevSecOps. RSA Conference (RSAC) 2016 dedicated a track to the emerging practice earlier this year, so it's likely to become as prevalent as its predecessor by next year's end—especially since RSAC plans to highlight the methodology again in 2017.

Filed under: devops, enterprise, cybersecurity

Spotify Resets User Passwords to Protect Against Third Party Data Breaches

For Spotify CEO Daniel Ek, the goal for the rest of 2016 should be simple: don’t rock the boat. The Swedish music streaming service, which is widely expected to go public late next year, is already locked in enough significant conflicts to occupy most of Ek’s waking hours.

Filed under: cybersecurity, data breach, passwords

Why the Padlock Isn't Good Enough

When you use the internet, your computer has a conversation with a web server for every site you visit. Everything you submit in a form, any data you enter, becomes part of that conversation. The purpose of encryption is to ensure that nobody except you and the server you’re talking to can understand that conversation, because often sensitive information such as usernames and passwords, credit card data, and social security numbers are part of that conversation. Eavesdropping on these digital conversations and harvesting the personal information contained therein has become a profitable industry. But encryption isn’t an on/off switch. It requires careful configuration. In other words, the padlock isn’t always enough.

Filed under: CSTAR, ssl, cybersecurity, encryption

Cybersecurity is Not an Olympic Sport


Online business has made traveling for events like the Olympics easier and faster by putting everything from airlines to hotel rooms at the fingertips of anyone with a smartphone and an internet connection. But transferring your personal and financial data across the internet is only as secure as the companies on the other end make it, and from site to site there can be a vast difference of risk. The differences don't necessarily come where you'd expect either, with many popular organizations having middling to low security practices. How can you know who to trust?

Filed under: Infographic, CSTAR, cybersecurity

Prime Day: How Amazon Handles Cybersecurity

Tuesday July 12th is online retail giant Amazon’s self-styled “Prime Day,” and the potential deals mean a surge in online shopping. Designing systems and applications to handle the amount of traffic a site like Amazon sees day to day, much less during promotions like Prime Day, can be difficult in and of itself. Throw in the complexity of cybersecurity and it becomes clear why so many online retailers have trouble keeping up. Amazon itself has relatively good security, but what exactly does that mean for customers? We’ll look at what measures Amazon has in place, what they mean, and a few simple steps to tighten security even further.

Filed under: security, CSTAR, webscan, cybersecurity

When it Comes to Security, Knowing is Only Half the Battle

Since 2000, the nonprofit Center for Internet Security (CIS) has provided the public service of creating and distributing hardening guidelines for common operating systems and applications. Alongside documents describing what configuration to check, how they should be configured, and how to fix them, CIS also offers a software solution that can analyze a system for compliance with the CIS benchmarks. Despite those resources, and their criticality for information security, the fact remains that becoming and staying secure is a persistent problem. Why is system hardening so hard?

Filed under: security, compliance, cybersecurity, CIS

Just How Risky is Crowdfunding?

There are really only a few ways to get funding: an individual such as a venture capitalist or billionaire, a partnership or strategic investment by a corporation or state agency and getting a large number of people to give you a very small amount of money. Crowdfunding websites claim to offer a platform for the latter, giving inventors, artists and small businesses a method by which to propel themselves on the merits (or popularity) of their ideas, without needing inside connections or extensive business acumen as the other methods usually require. But because all of the transactions involved in crowdfunding take place on the internet, cybersecurity should be a number one concern for both users and operators of these websites. We used our external risk grader to analyze 7 crowdfunding industry leaders and see how they compare to each other and other industries.

Filed under: security, CSTAR, cybersecurity, crowdfunding

Is Symantec's Latest Failure the End of Enterprise Security?

Cybersecurity news items are usually one of two things: your "run-of-the-mill" data breach announcement or vulnerability alert, usually software-related. This week's Symantec fiasco falls into the latter bucket, but it isn't your average vulnerability alert. In fact, this is the one that most enterprise security professionals have been dreading and horrified to hear: that your security defenses are not only ineffective—they can be used against you by attackers.

Filed under: CSTAR, vulnerabilities, cybersecurity

Is Employee Happiness Affecting Cybersecurity?

Glassdoor's 2016 Employees' Choice Awards Highest Rated CEO List includes household names like Marc Beniof, Mark Zuckerberg, and Tim Cook—CEOs of companies that also score high marks for strong security. Is there any correlation between a company's cyber risk profile and its CEO employee approval rating?

Filed under: vulnerabilities, cybersecurity, data breach

The Password Security Checklist

Yesterday you might have read about Facebook founder and user Mark Zuckerberg’s social media accounts getting “hacked.” Hacked is maybe not the right word here, since many people believe Zuck’s password was among the 117 million leaked LinkedIn passwords recently posted online. If this is true, it means that Zuckerberg used the same password for multiple websites, allowing the damage done by the LinkedIn hack to spread into other areas. If you have or want a job, chances are you also have a LinkedIn account, and if you had one back in 2012, it was probably one of the compromised accounts from that incident. Do you still use that password anywhere? Our 9 step password security checklist will help you secure your accounts, whether you’re a billionaire CEO or just someone who likes to post funny cat videos.

Filed under: security, cybersecurity, data breach, passwords, checklist

Almost Compliant With NERC CIPv5? CIPv6 is On Its Way

The NERC CIP v5 standards will be enforced beginning in July of this year, but version 6 is already on the horizon. Previously, we examined the differences between v3 and v5, and we saw how the CIPs related to cybersecurity were evolving. This pattern continues in v6, with changes coming to some of the cyber CIPs and the addition of standards regarding “transient cyber assets and removable media,” but the major changes in v6 have to do with scope-- which facilities are required to comply, and at what level they must comply: low, medium or high impact. We’ll examine some of the differences coming up in CIPv6 and what they will mean for the industry.

Filed under: compliance, cybersecurity, NERC, process

Important Changes in NERC CIP Compliance Between v3 and v5

While it’s not certain that society would become a zombie apocalypse overnight if the power grids failed, it is hard to imagine how any aspect of everyday life would continue in the event of a vast, extended electrical outage. Part of what makes electrical infrastructure resilient against these types of events are the North American Electric Reliability Corporation (NERC) regulatory standards, especially the Critical Infrastructure Protection (CIP) standards, which provide detailed guidelines for both physical and cyber security. The CIP standards evolve along with the available technology and known threats, so they are versioned to provide structured documentation and protocols for companies to move from one iteration of the standards to the next. But the jump from version 3 to version 5 involves many new requirements, so we'll look at some of the differences between the two and what they mean for businesses in the industry.

Filed under: security, configuration management, compliance, cybersecurity, NERC

How to Build a Tough NGINX Server in 15 Steps

Arguably--in that people literally argue about it--there are two types of web servers: traditional servers like Apache and IIS, often backhandedly described as “full-featured,” and “lightweight” servers like Lighttp and nginx, stripped down for optimum memory footprint and performance. Lightweight web servers tend to integrate better into the modern, containerized environments designed for scale and automation. Of these, nginx is a frontrunner, serving major websites like Netflix, Hulu and Pintrest. But just because nginx slams Apache in performance doesn’t mean it’s immune from the same security problems the old heavyweight endures. By following our 15 step checklist, you can take advantage of nginx’s speed and extensibility while still serving websites secured against the most common attacks.

Filed under: nginx, cybersecurity

Cybersecurity and the State

Last week the Australian government announced a new cybersecurity initiative that will cost upwards of AU$240 million and create 100 “highly specialized” jobs. This comes on the heels of Obama’s February announcement of the Cybersecurity National Action Plan, which hopes to establish a cybersecurity committee and create a 3.1 billion dollar “modernization fund.” With business and communications now done almost entirely online, it makes sense that governments are taking cybersecurity seriously, but what does it mean for the state to establish a cybersecurity presence and how will these initiatives ultimately play out? We’ll look at the details of both plans and how they align with their government’s cybersecurity actions, as well as their potential impact on citizens.

Filed under: government, cybersecurity