UpGuard Blog

Securing GitHub Permissions with UpGuard

GitHub is a popular online code repository used by over 26 million people across the world for personal and enterprise uses. GitHub offers a way for people to collaborate on a distributed code base with powerful versioning, merging, and branching features. GitHub has become a common way to outsource the logistics of managing a code base repository so that teams can focus on the coding itself.

But as GitHub has become a de facto standard, even among software companies, it has also become a vector for data breaches— the code stored on GitHub ranges from simple student tests to proprietary corporate software worth millions of dollars. Like any server, network device, database, or other digital surface, GitHub suffers from misconfiguration.

Filed under: security, Validation, github

Check your Amazon S3 permissions. Someone will.

Nearly all large enterprises use the cloud to host servers, services, or data. Cloud hosted storage, like Amazon's S3, provides operational advantages over traditional computing that allow resources to be automatically distributed across robust and geographically varied servers. However, the cloud is part of the internet, and without proper care, the line separating the two disappears completely in cloud leaks— a major problem when it comes to sensitive information.

Filed under: security, AWS, cloud, S3, Procedures

5 Biggest Takeaways From WannaCry Ransomware

Global in scale, with across the board press coverage, the WannaCry ransomware attack has quickly gained a reputation as one of the worst cyber incidents in recent memory. Despite the scale, this attack relied on the same tried and true methods as other successful malware: find exposed ports on the Internet, and then exploit known software vulnerabilities. When put that way, the attack loses its mystique. But there’s still a lot we can learn from this incident, and we’ve summed up the five most important takeaways to keep in mind going forward.

Filed under: security, cyber attack, ransomware, wannacry

Cyber Resilience Challenge: Coke vs Pepsi

 

Few corporate rivalries are as legendary as these two enterprise contenders; admittedly, there have been more than a fair share of comparisons pitting the pair against each other over the last century. So we're offering a twist to the traditional cola challenge: how do Pepsi and Coke stack up in terms of cyber resilience? Read more to find out. 

Filed under: security, CSTAR, cybersecurity

How Cyber Resilient Are The Top Online Banks?

Booksellers and electronics retailers aren't the only brick-and-mortar businesses challenged by the rise of highly agile, online-only competitors—traditional retail banking institutions also face stiff competition from Internet-based consumer banking upstarts. But are these born-in-the-cloud banks and financial services offerings safer than their traditional counterparts? Let's take a look at the leading online banks to see if they're equipped to handle today's cyber threats.

Filed under: security, CSTAR, cyber risk

Are Leading IoT Vendors Putting Customers at Risk?

On October 21st, 2016, DNS provider DYN suffered from the largest DDoS attack in history, leaving much of the Internet inaccessible to Europe and North America. The unprecedented event saw cyber attackers orchestrating swathes of Mirai malware-infected IoT and connected devices to perform DNS lookup requests from tens of millions of IP addresses—impressive automated hacking, but hardly sophisticated: the malware gained privileged access by using public, default passwords. Are IoT companies doing enough to secure their "things" against nefarious actors?

Filed under: security, CSTAR, cyber risk

How Secure Are the World's Leading Airlines?

With all the conveniences of modern air travel—mobile check-ins, e-gates, in-flight wifi, and more—it's easy to assume that the world's leading airlines have addressed the inherent cyber risks of digitization. But the safety of in-air passengers is just one aspect of airline customer security; are these companies doing their best to protect customers against online security compromises? Let's take a look at the world's leading airlines to find out. 

Filed under: security, CSTAR, cyber risk

CES 2017 Highlights: Which Vendors Are Putting Consumers at Risk?

Every year, leading tech/gadget vendors descend upon the world's largest consumer electronics show in an exuberant display of product design wizardry, cutting edge innovation, and of course—a requisite dose of ridiculousness. This year's focus was on connected cars and VR, with IoT device and wearable tech manufacturers out in full force, per the usual. Let's see how good the best of CES 2017 are at protecting customers against cyber attacks.

Filed under: security, CSTAR, cyber risk

Top 11 Cybersecurity Predictions for 2017

2016 was arguably the year when cybersecurity events entered into the global stream of consciousness, from the sabotage of national banks to the hacking of elections. And though we're barely into 2017, the breach announcements have already begun: on January 3rd, a data breach was discovered involving the sensitive data of health workers employed by the US military's Special Operations Command (SOCOM). An increase in government-related security incidents is one of our top predictions for 2017—here are 11 other cybersecurity predictions for the new year.

Filed under: security, CSTAR, cyber risk

How Resilient Are the World's Leading Online Learning Providers?

Last week, leading online education provider Lynda.com announced that its database of over 9.5 million accounts were compromised in a recent data breach. With the education space increasingly moving to the internet, are underlying technology providers doing their best to provide a safe learning environment to customers?  

Filed under: security, CSTAR, cyber risk

How Secure Are the Leading Travel Aggregator Websites?

AAA predicts that a record number of Americans will be taking to the skies and roads this holiday season—103 million between Dec. 23-Jan. 2, a 1.5% increase over 2015. 57% of these travel reservations—that's 148 million travellers—booked online. Airfare/hotel/car rental comparison websites are an increasingly popular way to book travel these days, but how good are they at protecting their users' data? Let's take a look at the top 8 online travel aggregators' CSTAR ratings to find out.

Filed under: security, CSTAR, cyber risk

How Resilient Are The World's Leading Video Game Companies?

Once upon a time, video gaming was strictly an offline, console-based affair. Even PC-based titles were relegated to the safe confines of the player's local desktop machine. The arrival of affordable and ubiquitous high-speed internet transformed gaming into a highly interactive online activity; these days, the online component is an integral part of gameplay. But are gaming vendors doing enough to protect users against today's cyber threats?

Filed under: security, CSTAR, cyber risk

How Secure Are the World's Leading ERP Vendors?

Last week, leading global ERP vendor SAP was busier than usual in the patch department: it released a record amount of closed issues per month and addressed 48 vulnerabilities—one of them an authentication bypass vulnerability previously left unaddressed for 3 years. Given how mission-critical ERP systems are for centralizing business operations these days, is it safe to assume that ERP vendors are serious about their customers' security? Let's take a look at the leading solution providers in this category to find out.

Filed under: security, CSTAR, cyber risk

Paid-to-click Surveys: Your Opinions Don't Matter to Cyber Attackers

Does filling out an online survey in exchange for a few bucks sound too good be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing privileged data of survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.

Filed under: security, CSTAR, cyber risk

Why Pen Testing is Not Enough To Prevent Data Breaches

Essential to enterprise security, or a waste of time? Security professionals' opinions regarding penetration testing (pen testing) seem to fall squarely on either side of the spectrum, but—as with most IT practices—its efficacy depends on application and scope. And while pen testing alone is never enough to prevent data breaches from occurring, information gleaned from such efforts nonetheless play a critical role in bolstering a firm's continuous security mechanisms.

Filed under: security, data breaches, IT security

Are Cloud Storage Providers Dropping the Box on Security?

 

Leading cloud storage provider Dropbox is arguably having its worst month since launching back in 2007—but with over half a billion users, it's somewhat surprising that serious issues have only begun to surface between the ubiquitous service and the people trusting it with their files. First, in a recent announcement reminiscent of LinkedIn's latest data breach fiasco, Dropbox announced several weeks ago that over 68 million emails and passwords were compromised in a previously disclosed 2012 data breach. And now, security experts are criticizing the company for misleading OS X users into granting admin password access and root privileges to their systems. What recourse do consumers have when cloud services providers "drop the box" on security, or even worse—when their actions directly jeopardize the users they're supposed to protect?

Filed under: security, CSTAR, cyber risk

How Secure Is Electronic Voting in Today's Digital Landscapes?

As election year moves into the final stretch, news coverage wouldn't be complete without another mention of a politically motivated data breach or cybersecurity incident. Of course, several months ago the DNC's emails were compromised by hackers, resulting in the theft and exposure of 19,000 hacked emails and related documents. This pales in comparison, however, to the recent FBI announcement of data breaches involving both Illinois and Arizona's voter registration databases. If the controls critical to securing election systems continue to fail, how can participants in the democratic process be sure that their votes won't be hijacked?

Filed under: security, CSTAR, cyber risk

Are Enterprises Thinking About Security All Wrong?

Organizations often regard cybersecurity as a series of barricades protecting the inner workings of the data center from attacks. These barricades can be hardware or software and take actions such as blocking ports, watching traffic patterns for possible intrusions, encrypting communications and so forth. In practice, these measures are only part of a comprehensive cybersecurity strategy, and by themselves will do little to bolster the overall resilience of an organization. But thoroughly tested and streamlined procedures within IT operations can prevent the most common attack point on the internet: misconfigurations.

Filed under: operations, system misconfiguration, security, cyber risk

How Secure are the Top Online News Sites?

If you regularly use a computer, chances are you spend at least part of your time reading internet news. If you have a subscription, you might even log in and enter your payment info. But how secure are news sites? Here at UpGuard, we took a look at six of the top news media sites on the internet to see how their security stacked up. Many big names had low scores, while a few did very well. What does this mean for the average online news reader?

Filed under: security, CSTAR, cyber risk, webscan

Re-Energize Existing Software Through Integration

In 2015, organizations spent over $75 billion on cybersecurity. That’s a lot of money. But 2015 also saw a rise in successful cyber attacks, costing companies hundreds of billions of dollars in damages, loss and other related expenditures. Did all of the security software and hardware purchased with that $75B fail to do its job? Today's landscape requires more than just a collection of isolated products handling specific tasks—it needs an integrated ecosystem dedicated to overall resilience.

Filed under: security, cyber risk, digital resilience, Integrations, trust

Prime Day: How Amazon Handles Cybersecurity

Tuesday July 12th is online retail giant Amazon’s self-styled “Prime Day,” and the potential deals mean a surge in online shopping. Designing systems and applications to handle the amount of traffic a site like Amazon sees day to day, much less during promotions like Prime Day, can be difficult in and of itself. Throw in the complexity of cybersecurity and it becomes clear why so many online retailers have trouble keeping up. Amazon itself has relatively good security, but what exactly does that mean for customers? We’ll look at what measures Amazon has in place, what they mean, and a few simple steps to tighten security even further.

Filed under: security, CSTAR, webscan, cybersecurity

When it Comes to Security, Knowing is Only Half the Battle

Since 2000, the nonprofit Center for Internet Security (CIS) has provided the public service of creating and distributing hardening guidelines for common operating systems and applications. Alongside documents describing what configuration to check, how they should be configured, and how to fix them, CIS also offers a software solution that can analyze a system for compliance with the CIS benchmarks. Despite those resources, and their criticality for information security, the fact remains that becoming and staying secure is a persistent problem. Why is system hardening so hard?

Filed under: security, compliance, cybersecurity, CIS

Just How Risky is Crowdfunding?

There are really only a few ways to get funding: an individual such as a venture capitalist or billionaire, a partnership or strategic investment by a corporation or state agency and getting a large number of people to give you a very small amount of money. Crowdfunding websites claim to offer a platform for the latter, giving inventors, artists and small businesses a method by which to propel themselves on the merits (or popularity) of their ideas, without needing inside connections or extensive business acumen as the other methods usually require. But because all of the transactions involved in crowdfunding take place on the internet, cybersecurity should be a number one concern for both users and operators of these websites. We used our external risk grader to analyze 7 crowdfunding industry leaders and see how they compare to each other and other industries.

Filed under: security, CSTAR, cybersecurity, crowdfunding

Buying a Computer Online Soon? Acer Data Breach Highlights Retail Danger

A few days ago, Taiwanese computer manufacturer Acer disclosed that "a flaw" in their online store allowed hackers to retrieve almost 35,000 credit card numbers, including security codes, and other personal information. Most of the major personal computer retailers have online stores like Acer's, allowing people to buy directly from the manufacturer, rather than through a reseller like Amazon. But how secure are these digital outlet stores, and what are the chances that if you use them you'll end up like Acer's customers? We examined seven industry leaders with our external risk grader to see how they stacked up, and unfortunately, Acer wasn't alone in its security practices.

Filed under: security, CSTAR, IT security, data breach

ATM Skimming and The Future of External Threats

A routine fill-up at the local gas station or ATM withdrawal might cost you dearly these days. With the recent surge in ATM and gas pump skimming attacks, you certainly wouldn't be alone—in fact, the odds are one in three that you'll fall victim to identity theft once your financial data is swiped. Is there any hope in an increasingly hostile landscape rife with external threats?

Filed under: security, vulnerabilities, data breach

How Secure Is Your Cell Phone Provider?

It’s 2016 and you have a cell phone. You also probably pay your cell phone bill online or through an app. Telecom companies handle the world’s communication and part of what that entails is securing that communication to guarantee privacy and integrity to their customers. Here at UpGuard, we scanned ten of the major telecom corporations with our external risk grader to see how their web and email security measured up. These are big money companies with many moving parts, but we’re focusing on the primary web presence a person would consider, for example www.att.com. Turns out there’s some good news and some bad news... depending on which carrier you use.

Filed under: security, CSTAR, webscan, telecom

The Password Security Checklist

Yesterday you might have read about Facebook founder and user Mark Zuckerberg’s social media accounts getting “hacked.” Hacked is maybe not the right word here, since many people believe Zuck’s password was among the 117 million leaked LinkedIn passwords recently posted online. If this is true, it means that Zuckerberg used the same password for multiple websites, allowing the damage done by the LinkedIn hack to spread into other areas. If you have or want a job, chances are you also have a LinkedIn account, and if you had one back in 2012, it was probably one of the compromised accounts from that incident. Do you still use that password anywhere? Our 9 step password security checklist will help you secure your accounts, whether you’re a billionaire CEO or just someone who likes to post funny cat videos.

Filed under: security, cybersecurity, data breach, passwords, checklist

Important Changes in NERC CIP Compliance Between v3 and v5

While it’s not certain that society would become a zombie apocalypse overnight if the power grids failed, it is hard to imagine how any aspect of everyday life would continue in the event of a vast, extended electrical outage. Part of what makes electrical infrastructure resilient against these types of events are the North American Electric Reliability Corporation (NERC) regulatory standards, especially the Critical Infrastructure Protection (CIP) standards, which provide detailed guidelines for both physical and cyber security. The CIP standards evolve along with the available technology and known threats, so they are versioned to provide structured documentation and protocols for companies to move from one iteration of the standards to the next. But the jump from version 3 to version 5 involves many new requirements, so we'll look at some of the differences between the two and what they mean for businesses in the industry.

Filed under: security, configuration management, compliance, cybersecurity, NERC

11 Steps to Secure SQL

Whether you’re running Microsoft’s SQL Server (soon to run on Linux) or the open source MySQL, you need to lockdown your databases to keep your data private and secure. These 11 steps will guide you through some of the basic principles of database security and how to implement them. Combined with a hardened web server configuration, a secure database server will keep an application from becoming an entry point into your network and keep your data from ending up dumped on the internet. When provisioning a new SQL server, remember to factor security in from the get-go; it should be a part of your regular process, not something applied retroactively, as some key security measures require fundamental configuration changes for insecurely installed database servers and applications.

Filed under: SQL, security, mysql, database

It's Like Updating OpenSSL All Over Again

A new high severity vulnerability in the OpenSSL protocol was announced today that could allow an attacker to cause memory corruption in devices handling SSL certificates. The vulnerability was caused by a combination of bugs, one a mishandling of negative zero integers, and the other a mishandling of large universal tags. When both bugs are present, an attacker can trigger corruption by causing an out-of-bounds memory write.

Filed under: configuration testing, security, vulnerabilities, openSSL

The Website Security Checklist

Putting a website on the internet means exposing that website to hacking attempts, port scans, traffic sniffers and data miners. If you’re lucky, you might get some legitimate traffic as well, but not if someone takes down or defaces your site first. Most of us know to look for the lock icon when we're browsing to make sure a site is secure, but that only scratches the surface of what can be done to protect a web server. Even SSL itself can be done many ways, and some are much better than others. Cookies store sensitive information from websites; securing these can prevent impersonation. Additionally, setting a handful of configuration options can protect both your full website presence against both manual and automated cyber attacks, keeping your customer’s data safe from compromise. Here are 13 steps to harden your website and greatly increase the resiliency of your web server.

Filed under: security, apache, IIS, nginx, webscan, checklist

The Nightmare Scenario: When Your Security Provider Becomes a Security Problem

You’ve spent months with your team designing your company’s security strategy-- you’ve demoed and chosen vendors, spent money, and assured your users that this investment will pay off by keeping their business safe. The next thing you know, the very software you’ve put in place to protect your data is exposing it instead. This nightmare scenario has turned into reality for some companies when major security software was compromised or had fatal flaws that exposed sensitive information to unknown third parties. Just because you sell security doesn’t mean you always practice it.

Filed under: security, data breaches, IT security

Tax Day 2016: Auditing the IRS, E-file and Tax Software Websites

Are you filing your taxes online this year? As e-filing and internet connected tax software becomes more and more standard, the security of the sites accepting your sensitive information becomes more and more important. You've probably heard about some of the various data breaches facing the tax industry, including one of the IRS in May of 2015, potentially exposing hundreds of thousands of tax records. UpGuard's external risk grader measures the security of a company's internet presence. We ran ten tax-related websites through to see how they stacked up and the results are interesting. Perhaps most interesting of all, IRS.gov received a rare perfect score of 950 out of 950. Tax software websites such as TaxSlayer fared well too. But as we'll see, the external information is just the tip of the iceberg.

Filed under: security, CSTAR, vulnerabilities, webscan

Security Through Visibility

People commonly use the phrase “security through obscurity” to refer to the idea that if something is “hidden” or difficult to find, it becomes more secure by virtue of other people not knowing it’s even there to be exploited. But in reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in. This is why visibility, rather than obscurity, increases security. Our website risk grader provides people with an easy way to view a website's security rating by offering visibility into their internet-facing footprint. This also allows businesses to monitor their own improvement over time.

Filed under: security, CSTAR, visibility

The Healthcare Security Epidemic

Your medical records live in a database or file system on servers somewhere, on someone’s network, with someone’s security protecting them. A recent PBS article about cyber security in the healthcare industry reports that over 113 million medical records were compromised in 2015. Medical records, perhaps even more than financial data, are the epitome of sensitive, private data, yet the healthcare industry has reported breach after breach, with over a dozen separate breaches already logged in March of this year.

Filed under: security, CSTAR, data breaches, healthcare, webscan

Gambling with Security: Online Sports Betting, March Madness Edition

 

In the last few years, sports betting websites like DraftKings and FanDuel have exploded in popularity and controversy. Anyone who watched last year’s NFL season shouldn’t be surprised that those two sites alone spent over $200M on national television advertising in 2015, amounting to around 60,000 commercials. At the same time, betting sites have been in the news due to their questionable legality and the lawsuits being brought against them from various parties. With March Madness in full effect, people are turning to online gambling sites to place their bets. Aside from the increasing legal resistance these companies face, should users be concerned about the security of sharing their information with these sites? As it turns out, it depends on the site.

Filed under: security, CSTAR, cyber risk, webscan, ssl

Using UpGuard to Validate Your CIS Critical Security Controls for Effective Cyber Defense

First circulated in 2009, the CIS Critical Controls are used by both the U.S. and U.K. governments as the preeminent framework for securing critical infrastructures. Consisting of 20 security controls that cover areas from malware defense to incident response and management, the CIS Critical Controls offers a prioritized set of security measures for assessing and improving a firm's security posture. Though not a cybersecurity panacea, the controls help to address the vast majority of security issues faced by organizations today.

Filed under: security, compliance, CIS

How CSTAR Works

With the rate of data breaches increasing along with the complexity of modern IT infrastructures, the cyber insurance industry has been experiencing significant growing pains. Cyber risk determination had historically been done with employee surveys or contextual information about industries at larger. Without reliable data on an organization’s actual working state, many insurers came to realize there was no way to formulate a fair and accurate cyber insurance policy, especially for more complex and ever-changing IT environments.

Filed under: security, cyber security, CSTAR, cyber risk

Fixing The New OpenSSH Roaming Bug

Call it an experiment gone wrong: a bug in a test feature of the OpenSSH client was found to be highly vulnerable to exploitation today, potentially leaking cryptographic keys to malicious attackers. First discovered and announced by the Qualys Security Team, the vulnerability affects OpenSSH versions 5.4 through 7.1. Here's what you need to know about bug, including remediation tips.

Filed under: security, vulnerabilities

Sound Security Strategies from Cisco's 2015 Annual Security Report

Networking giant Cisco recently released its Annual Security Report highlighting trends in data breaches and threats from the previous year, and its findings—while similar to other recent reports (e.g., Verizon DBIR, Trend Micro Security Roundup)—offer some unique insights regarding the current threat landscape. No stranger to IT security, Cisco details in its report shifting patterns in cyberattack methods, emerging vulnerabilities, and best practices on how to mitigate future threats.

Filed under: security

Rolling Your Own Continuous Security Toolchain

When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right— you have to roll your own. This is especially true in today’s environments, where infrastructures can vary widely in composition from organization to organization. The truth is that factors such as degree of DevOps and Agile adoption, skill set of IT staff, corporate culture, and even line of business come into play when crafting a security solution for an organization. How well these tools align with the organization ultimately dictate the success and failure of a company’s security architecture. And when existing tools don’t fit or don’t work well, sometimes the only option is to build them yourself.

Filed under: security, cyber risk, IT security

Why Security Needs DevOps: OpenSSL and Beyond

On March 18, 2015, system administrators and developers received ominous news: two high severity vulnerabilities in OpenSSL would be announced the next day. Since Heartbleed, OpenSSL had been on a bad streak, and it looked like things were only going to get worse. Operations, development, and security teams braced for impact and then– it wasn't really that bad.

Filed under: security, devops, IT security

Lenovo and Security Lessons Learned

Technology giant Lenovo has come under heavy criticism again for subjecting users to undue security risks– this time in the form of three vulnerabilities discovered by researchers at security firm IOActive. Flaws in Lenovo's System Update service– a feature that enables users to download updated drivers, software, and security patches from Lenovo-- enables hackers to surreptitiously slip malware onto user’s laptops and systems through a man-in-the-middle attack. Lenovo has since issued a patch for these vulnerabilities, but it’s doubtful the PC giant will regain consumer credibility any time soon.

Filed under: security, cyber security, IT security

3 Steps for Integrating Security into DevOps

The fate of CSO John in The Phoenix Project is a good parable for illustrating the dynamic and often conflicted relationship between Security and IT Operations. Security can either become a separate, obscure, and increasingly irrelevant group that everyone else resents–sounds pretty good, huh?–or it can be integrated into broader framework of the development cycle. Security John goes through a mental breakdown before finally understanding how to adapt and survive, but it doesn't have to be that hard.

Filed under: security, devops, cso

Heartbleed Update

Here at UpGuard, we take security seriously. As you may have already heard, the OpenSSL Project yesterday disclosed a serious vulnerability, nicknamed Heartbleed (CVE-2014-0160).

Filed under: guardrail, security, heartbleed

Don't put security in DevOps, turn DevOps into security

I've been thinking a lot lately about the intersection of DevOps and Information Security. I'm definitely not the first to have considered the implications, but I am undoubtedly a complete cynic when it comes to InfoSec and how it can align itself to the DevOps movement. Why am I cynic you may ask? Well, I spent almost 10 years in the security/governance arena interacting with CISOs and their teams trying to help them 'reduce risk' and 'pass audits', but I've watched countless organizations fail miserably. What is the main reason why? Because the business fails to see the value of security and doesn't understand it. Better said - the business invests in what the business understands.

Filed under: security, devops

Configuration Tests as Automation Requirements

While there are many benefits to cloud computing, one of the major difficulties is migrating from the in-house servers to a cloud computing platform. Configuration issues can develop when a company does not have the right tools, and when it lacks clear communication.

Filed under: ALM, configuration testing, security, IT automation, chef, puppet, Cloud Computing, Legacy systems, Configuration Drift

October Announcements!

Hello,

Filed under: configuration testing, amazon, security, ec2, data center