Archive September 2018

12 things every IT security professional should know

Fighting the good fight takes specialized knowledge. Here’s the baseline of what all security pros should know.

Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:

  • Patch Management
  • End-User Training
  • Firewalls
  • Antivirus
  • Secure Configurations
  • Encryption/Cryptography
  • Authentication
  • Intrusion Detection
  • Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do. If you want to know which two defenses help decrease the most risk, read this.

Cloud security

What four factors make cloud security more complex than traditional networks?

  • Lack of control
  • Always available on the internet
  • Multi-tenancy (shared services/servers)
  • Virtualization/containerization/microservices

The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and service users in the cloud. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multi-tenant architectures, where keeping different customers’ data separate can be complicated by virtualization and the recent containerization and development of microservices. Heralded by some as a way to help make security easier to do, each development usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand. Want to dig deeper into this topic? I recommend starting with this article on cloud security.

Threat education and communication

Most threats are well known and recur frequently. Every stakeholder, from end-users to senior management and the board of directors, needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

Communication is an essential IT security professional skill. But you can’t simply rely on your charming personality because communication happens through a variety of methods including: face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.

Every good IT pro needs to be able to clearly and effectively communicate using verbal and written methods. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

  • The most likely and significant threats and risks against the organization
  • Acceptable use
  • Security policy
  • How to authenticate and what to avoid
  • Data protection
  • Social engineering awareness
  • How and when to report suspicious security incidents

Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.

-/-

Follow the link to find all twelve:

https://www.itworld.com/article/3297944/it-careers/12-things-every-it-security-professional-should-know.html

Globally, just under 23 percent of organizations are likely to suffer at least one breach over the next 24 months

According to the IBM report, it now takes 197 days to identify a breach and 69 days to contain it. <…> Entertainment and healthcare organizations take the longest time to discover and contain a breach – averaging more than 300 days – while financial services and energy sectors were quickest at discovery and remediation.

Time is money and being slow to detect and contain a breach can be costly. Taking more than 100 days to discover a breach could add as much as $1 million to the final bill. Likewise taking longer than 30 days to contain the breach once discovered can also add over $1 million to costs. Investment in monitoring and forensics capabilities could be valuable in the long run.

The size of your average data breach is now 24,615 records, an increase of 2.2 percent compared to 2017. Each record lost costs around $148 on average globally, while in the US that figure rises to $233. The final cost per record can be impacted by a number of factors relating to how well-prepared an organization is and how well it reacts to a breach.

Given the highly sensitive and regulated nature of the data they manage, it should come as little surprise that the health and financial sectors face the largest costs per record, up to $400 each.

A significant outlay organizations are faced with post-breach is notification costs. These include the creation of contact databases, determining regulatory requirements, consultancy fees, postal expenditures, email bounce-backs, and more. India has the lowest notification costs at just $20,000, while the U.S. has the highest at $740,000 per breach, largely due to data breach notification regulations.

However, now that the European Union’s regulation is in effect, companies are likely to see “huge increases throughout the world” in the future when it comes to notification costs. “One key thing with GDPR is you have that 72-hour disclosure window. And that time can go by very, very fast. Folks really need to understand the need for preparation.”

Mega breaches can incur large indirect costs

According to IBM, a “mega-breach” of 1 million records could cost a company $40 million, while the loss of 50 million records might cost a company $350 million.

“If you’re a company who loses fifty million records, first and foremost there’s an expectation that you’re likely a very large company who certainly has the financial means to be able to put an adequate level of protection in place. Folks will look at that and say that is a catastrophic failure, and clients are going to make an alternative choice of who they do business with as a result.”

https://www.itworld.com/article/3304358/data-breach/what-is-the-cost-of-a-data-breach.html

How To Protect Your Privacy On iPhone

Follow these easy steps to protect the personal data on your iPhone or iPad. (Details and how-to instructions are available via the link at the bottom.)

You might also be interested in our privacy tips for Android.

1. Lock your device with a passcode longer than 4 digits.
2. Enable “Erase Data” to delete data after 10 failed passcode attempts.
3. Don’t show notifications on the lock screen for sensitive apps.
4. Turn off “Share My Location.”
5. Turn off location services for things that don’t need them.
6. Turn off access to sensitive data for apps that don’t need it.
7. Review your installed apps.
8. Turn off read receipts so people are not notified when you see their messages.
9. Turn on “Limit ad tracking”.
10. From time to time, reset your advertising identifier.
11. Set DuckDuckGo as your default search engine.
12. Install the DuckDuckGo Privacy Browser.

https://spreadprivacy.com/iphone-privacy-tips/

THE NUMBER ON THE DISPLAY IS NO GUARANTEE

Do you take for granted that the number shown on your phone’s display also tells you who is really calling?
Fraudsters who call often use a service known as spoofing. This means they can call from any phone number at all, while your display shows the number of, for example, your bank. Many of us see the number on the display as a guarantee that it is, in this case, the bank calling, which is exactly what the fraudsters exploit.
So you cannot trust that the number shown is really the one calling. That is why you should be extra suspicious when you receive unexpected calls. Always ask to call them back. //Lotta, NBC

https://www.facebook.com/Polisen-bedr%C3%A4geri-546406245370971/?hc_ref=ARQMXe9XB5FBJu5Ppsh0bsTtQlAmNjDBPM9Iq5yh1lb_hyOWTgdF_zj6edCUWu5Yyk8&fref=nf&__xts__[0]=68.ARAczMO3_l-5XyKFJhumm4FlBNIR2DngngzuweMfQm7W6XHP_qhs4jqNSkZS_WPihB4WLHbqIBkNkqP32K8o19y1_mjFx9VPJZoZ3uRyk-L-pOh7wKKWK5-kocCqUHSzrBVhQCc26T_JBRXdykTGgoc9IY8M8WeiFIl_am_IS7cJncfHwWEbPw&__tn__=kC-R

Google wants to get rid of URLs but doesn’t know what to use instead

Their complexity makes them a security hazard; their ubiquity makes replacement nigh impossible.

Sometimes URLs are explicitly typed by users; other times they’re opaque and hidden behind hyperlinks. Some URLs are good for sharing, others aren’t. Sometimes they’re shown on devices with abundant screen space, other times they’re so cramped that only a fragment of the URL can ever be seen.

https://arstechnica.com/gadgets/2018/09/google-wants-to-get-rid-of-urls-but-doesnt-know-what-to-use-instead/

IDN homograph attack

An example of an IDN homograph attack; the Latin letters “e” and “a” are replaced with the Cyrillic letters “е” and “а”.

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character “a” is replaced with the Cyrillic character “а”.

This kind of spoofing attack is also known as script spoofing. Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. Their incorrect or malicious use opens the door to security attacks.

https://en.wikipedia.org/wiki/IDN_homograph_attack
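As an added example (not part of the Wikipedia article quoted above), the following Python script applies the two basic defender-side checks against this trick: flag any domain label whose letters come from more than one script, and log the IDNA/punycode form that DNS actually resolves, since the “xn--” prefix exposes non-ASCII characters the rendered name hides. The sample domains are constructed for the example, and the script-detection heuristic (the first word of the Unicode character name) is this example’s own simplification, not a standard API.

```python
"""Flag domain names whose labels mix Unicode scripts, the pattern behind
IDN homograph look-alikes, and show the IDNA (punycode) form that exposes
them. Added example; the sample domains below are constructed."""
import unicodedata

# Constructed samples: example.com with its Latin 'a' / 'e' swapped for the
# Cyrillic look-alikes U+0430 and U+0435, plus a legitimate single-script IDN.
SAMPLES = [
    "example.com",              # genuine ASCII name
    "ex\u0430mple.com",         # Cyrillic small a (U+0430)
    "\u0435xampl\u0435.com",    # Cyrillic small ie (U+0435) twice
    "m\u00fcnchen.de",          # Latin u with diaeresis: legitimate IDN
]


def script_of(ch):
    """Script family of a letter, taken from the first word of its Unicode
    character name (e.g. 'LATIN', 'CYRILLIC', 'GREEK'). This is the example's
    own heuristic; None is returned for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in (script_of(c) for c in label) if s}


def is_mixed_script(domain):
    """True if any label of the domain mixes letters from several scripts.
    A genuine IDN such as münchen.de stays within one script per label;
    homograph look-alikes typically do not."""
    return any(len(label_scripts(lbl)) > 1 for lbl in domain.split("."))


def to_ascii(domain):
    """The IDNA/punycode form that DNS and the browser actually resolve.
    An 'xn--' label reveals non-ASCII characters the rendered name hides."""
    return domain.encode("idna").decode("ascii")


def analyse(domain):
    """Summary a URL filter or mail gateway could log for each domain."""
    scripts = set().union(*(label_scripts(lbl) for lbl in domain.split(".")))
    return {
        "domain": domain,
        "ascii": to_ascii(domain),
        "scripts": sorted(scripts),
        "mixed_script": is_mixed_script(domain),
    }


if __name__ == "__main__":
    for d in SAMPLES:
        r = analyse(d)
        verdict = "SUSPICIOUS" if r["mixed_script"] else "ok"
        print(f"{verdict:10} {r['domain']:22} {r['ascii']:28} "
              f"scripts={','.join(r['scripts'])}")
```

The mixed-script rule is the same idea browsers use when deciding whether to render a name in Unicode or fall back to the punycode form. The name-prefix heuristic here is deliberately simple: it would treat a Japanese label that mixes Han and Hiragana as “mixed”, so a production check should use the Unicode Script property and the UTS #39 confusables data instead.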

A Guide to Common Types of Two-Factor Authentication on the Web

In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key).

Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it’s becoming much more common across the web. With often just a few clicks in a given account’s settings, 2FA adds an extra layer of security to your online accounts on top of your password.

https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web
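To show concretely what the “something you have” factor does when it is an app on your phone, here is an added example, not code from the EFF guide: a minimal TOTP implementation per RFC 6238 (HMAC-SHA1 over a 30-second time counter) together with the server-side verification that tolerates clock skew, refuses replayed codes and compares in constant time. It uses the RFC’s published test secret so the outputs can be checked against the RFC; the helper names are this example’s own.

```python
"""TOTP one-time codes (RFC 6238) as used by phone authenticator apps:
what the app computes and how a server verifies it. Added example, not
code from the EFF guide; the RFC's published test secret is used so the
results can be checked against the RFC."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (SHA-1 test vectors). A real
# enrolment generates a random secret and shows it to the app as base32.
RFC_SECRET = b"12345678901234567890"
STEP = 30        # seconds per time step
DIGITS = 6       # code length shown to the user


def secret_from_base32(text):
    """Decode the base32 secret carried in an otpauth:// URI (padding optional)."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    This is what the authenticator app on the phone displays."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, last_used=-1,
                window=1, step=STEP, digits=DIGITS):
    """Server-side check. Returns the matched time-step counter, or None.
    - window: accept neighbouring steps to tolerate clock skew and typing delay
    - last_used: highest counter already accepted for this user; anything at
      or below it is refused so a captured code cannot be replayed (the
      default of -1 also keeps the counter from going negative)
    - hmac.compare_digest avoids leaking the correct code through timing"""
    now = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter > last_used and hmac.compare_digest(
                hotp(secret, counter, digits), str(candidate)):
            return counter
    return None


if __name__ == "__main__":
    t = int(time.time())
    code = totp(RFC_SECRET, t)
    print("current code:", code)
    print("verified at counter:", verify_totp(RFC_SECRET, code, t))
    # Presenting the same code again after the server stored its counter fails.
    print("replayed:", verify_totp(RFC_SECRET, code, t, last_used=t // STEP))
```

The server must persist the counter it accepted (the `last_used` value) per user; without that, a code phished in the last minute still works, which is exactly the weakness that makes phishing-resistant security keys the stronger of the two “something you have” options the guide describes.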