Last year was a pretty big year for data breaches, and it seems like 2015 is not so much different. Online retailers used to be a big target, but this year we've seen breaches across many different sectors including insurance, many health companies and even governments. These targets carry even more of our personal data than retailers did.
Awareness of security issues is higher than ever, with people putting more effort into protecting their data. However, according to studies, the cost per stolen record has still managed to increase by 6% this year to an average cost of $154 per stolen record.
Companies like Uber, Experian, Anthem, Premera and even the IRS had data breaches. Check out this graphic from Bromium to see the size and extent of breaches in 2015.
Wednesday, December 30, 2015
Tuesday, December 29, 2015
Call for Security Authors! No Prior Writing Experience Needed!
Over the course of the next year, I’d like to publish a few small booklets regarding recurring themes we’ve seen year-over-year in the security industry. What I’d like to do is have these booklets broken down into chapters, with people within the security industry assisting by adding the real-world material and insights. There is really nothing better than having those working in the trenches each day guide the way the booklets should be written. There are so many people out there that don’t have the ability to share what they’re learning and doing each day, and hopefully this can allow them to share their experience. By doing so, we all benefit.
Within each topic I’d like to include multiple chapters. Each topic will be somewhat different, but what I’m aiming at is education on the topic itself. The granularity of the information for each topic will vary, but we should attempt to hit on the following main themes for each subject:
Booklet Themes
- Review of the topic
- Why it’s a reoccurring topic
- Advice with solutions
- Tricks of the trade
- Improvements
At this time I’m proposing the following six topics to start with, since this advice is either in great demand when looking to resolve an issue or when proactively looking to improve your security posture. I’d like people to use these booklets as a way to guide others in creating better security for the topics being written on. These won’t be vendor slicks trying to sell a product, but something valuable that can be taken without bias. This, in my opinion, is more valuable. Also, this is a first stab at the topics; if you have others you think should be on the list, please let me know. We’re flexible.
Topics
- Incident Response
- DDoS
- Deception in Depth
- Security Monitoring
- Phishing
- Application Security
If you have experience in any of these areas and want to submit some content on the topics, please contact me at the email below. Once we get enough authors signed up we’ll start breaking down the themes of the topics in more detail. These booklets aren’t being sold and would hopefully be put under a Creative Commons licensing approach where others can share and add to them freely, while giving credit to those that worked on them.
If you’re interested, please contact me at matthewpascucci@protonmail.ch.
Monday, December 28, 2015
Cyber Security 2015 Reflections - Another Year Gone By
Here are some cyber security reflections I've written for Algosec as the year comes to a close, along with a few things we're forecasting for the new year to come.
http://blog.algosec.com/2015/12/the-state-of-security-reflections-on-2015.html
Wednesday, December 23, 2015
Another Example of Why Governments Should Exit the Encryption Debate (The Juniper Debacle)
With the recent revelation of the Juniper backdoor vulnerability, it raises the question as to why we should “let” the government put purposeful backdoors into our products. Apple has been very vocal on why they won’t be bullied by the government into allowing this type of behavior, and on how the privacy of their users' data is paramount. With the recent terror attacks in Paris and other places in the world, governments everywhere, the U.S.A. and U.K. being the loudest, are attempting to use fear to push their agendas. This isn’t news anywhere. We know they’re looking to create backdoors into our encryption, and it’s for that very reason that we have the Juniper scandal today.
In a recent article, WIRED magazine explains that the backdoor was made possible due to the DUAL_EC_DRBG encryption algorithm, which was purposely created by the NSA to decrypt data surreptitiously. This was always assumed while the protocol was in review, but it was eventually pushed into a NIST standard as one of the recommended encryption protocols at the time.
It’s been reported that this was part of the NSA’s operation BULLRUN, which was created to break encryption for monitoring targets, and for which they had a nearly $250 million yearly budget. Even more concerning is that the NSA purportedly paid off RSA with the sum of $10 million to include this algorithm in their product. RSA has since said that they were unaware of this at the time, but it’s still highly suspicious.
This being said, governments have already been accessing our systems, either in cooperation with technology vendors or by illegally circumventing vendors' technology to gather the data they’re looking to collect. So why should we trust them to be more responsible by allowing them to put holes into products that we use every day? What have they done in the past to gain this respect and trust? They don’t have our confidence to play within the rules, so what makes them think we’d be willing to be taken by the hand and walked down a path we'll eventually regret? The problems they’re creating, look at Stuxnet and DUAL_EC_DRBG, discredit them from being taken seriously. Also, it’s overreaching to start using the terrorist attacks in Paris, where they didn’t use encrypted channels for communications, or the terrorist attacks in San Bernardino, where there were public Facebook announcements made by the terrorists alerting of their actions. Both of these attack communications were in cleartext and both of these attacks weren’t stopped. This might be somewhat far-fetched on my part, but if you want all the encrypted information now, start by stopping the things that happen in the clear first.
What many of these governments aren’t thinking about now is that they’re making your device less secure and more vulnerable to eventual attack by someone else. I understand they want to have a separate key that would only allow them to access the data when needed, which is still scary. But just like Dr. Ian Malcolm said in Jurassic Park, “Life, uh….finds a way,” and it’s possible that the vulnerability/hole you created for yourself will be abused by others: that this hole will be used to spy against you, or that even more malicious actors will use a similar method to abuse the access that was blown open to “protect” people. I can’t see any concrete reasons, or examples, that have been used in the past that dramatically tilt the argument into the government's favor against us giving up our privacy. So the latest backdoor issue we've seen come to light with Juniper, all due to the NSA making a hole that shouldn't have been there to begin with, is yet another example of why the government should remove themselves from this debate completely. They don't have a track record of being responsible with this type of access and we don't want to give it to them.
Monday, December 21, 2015
Shop Safe This Holiday Season
With the holiday shopping season in full swing, many shoppers are deciding to skip the long lines and instead, make their purchases from the convenience of their mobile device. Did you know that nearly 53% of online purchases during last year's holiday season were made from a smartphone or tablet? This number is expected to grow even higher, making mobile shoppers a major target for cybercriminals. It's more important now than ever to fully understand how to stay safe when it comes to shopping from a mobile device or online. #ShopSafe.
Thursday, December 17, 2015
What's on Your InfoSec Wishlist?
I was recently asked the following question by Tripwire: “If you had one wish for the infosec community this holiday season, what would it be and why?”. This is a very loaded question to be honest, since there are so many things on my wishlist, but there's one area I'm particularly passionate about that I think we should be doing more of next year. Here's my wishlist item, along with those of many other information security professionals, as to what we'd like to see the community start doing this new year.
Tuesday, November 17, 2015
Speaking at IASA eSummit on "Deception in Depth"
Tomorrow I'll be speaking at the IASA Cyber Security eSummit on the topic of "Deception in Depth". The talk will be based on the following:
"Deception has a legitimate use in all types of defense. It’s been used for hundreds of years successfully, why stop now? The bad guys use deception to infiltrate your network, why not use it against them? In this presentation we’ll review what deception is and how we can use it for our advantage."
You can register to hear the talk live at the following link: http://iasaglobal.org/monthly-esummit/. There are some interesting presentations going on tomorrow and it would be great to hear any feedback. If you can't make it, the presentation and talk will be recorded and available for download later on.
Tuesday, November 10, 2015
The Unintended Consequences of EMV (Pin and Chip) or The Water Balloon Effect
As of October 1st, 2015, merchants in the United States can potentially be held liable for fraud occurring on their PoS if EMV (aka Pin-and-Chip) systems aren’t rolled out. If you’re like most people you’ve probably received a new debit/credit card in the mail with the ability to use this new card at any EMV PoS at your favorite retail store. In my opinion this was a long time coming and I’m glad the legislation was made to have these systems pushed on retailers. Just like anything else, this doesn’t completely protect people, but it's head and shoulders above what we had in the past. My concern, though, is that we’ll see adverse effects in other areas of the industry as a direct consequence of securing a heavily targeted area.
Let me use the analogy of a water balloon for a moment. The water balloon can take on multiple oblong shapes depending on what area of the balloon is squeezed. If you pinch one area of the balloon, the water will be pushed to another section, filling it in and changing the shape. If you release the section you’re applying pressure to, the water will refill the areas that were previously closed off, changing the shape again. At this point I think you’re wondering what EMV, cyber security and water balloons have in common with each other, so let me see if I can make this clearer. The example of the water balloon shows that if something is being blocked, or not allowed to flow, it will be displaced to another part of the balloon, but this won’t eliminate the fluid in the balloon. This is similar to EMV chip-and-pin cards and cyber theft. Attackers are going to come after you, they’re not going to stop, and if they’re having issues compromising the new PoS systems, they’ll attack elsewhere. Remember, they’re opportunistic. Whatever can give them the most bang for their buck is where they’ll focus their energy. They’re not going to disappear.
With this being said, if we eliminate a very juicy and common target for attackers to feast on, what will they do? Will they invest money into breaking EMV systems? Maybe. Will they attack retailers that don’t have these EMV PoS systems deployed in their network? Most likely. Will they start broadening their horizons to untapped areas to keep making money? Definitely. Think about that for a minute. Fixing an issue that people have been calling to fix for years could potentially cause other sectors, or areas of the industry, to be brought under attack. That’s what I’m calling the “water balloon effect”, or the unintended consequences of directing malicious attention elsewhere due to the remediation of a highly targeted area. There are many other sectors and areas of attack that we’ve seen grow over the past year (mobile malware, healthcare hacks, cryptolocker, etc.) and it would be interesting to see if these attacks grow exponentially over the next year while PoS compromises decrease. If this is the case, what can we do going forward to alert other sectors to the “water balloon effect”? For the complete safety of the general community we should at least be aware that this theory is in place, and that when we see a highly targeted exploitable risk remediated, we should start considering where that displaced water is going to end up.
This isn’t meant to be some type of fear mongering tactic to scare people into thinking bad things will occur, but the fact is we should be prepared over the next couple of months to see where this goes. The old school PoS systems were such easy wins for hackers, and if they’re not going to be easy to compromise now, there’s the possibility of an attack shift towards other areas or sectors. My only real advice is to determine what data attackers would want to compromise now and start getting your arms around it. I’m hoping you’re doing that now, but unlike other times in the past, this might be the calm before the storm for a few unsuspecting industries. Let’s embolden each other to take steps to prepare now while we still can.
Monday, November 9, 2015
Saturday, November 7, 2015
Support the ProtonMail Defense Fund (Urgent)
Over the past couple of days, our friend Andy Yen and ProtonMail have been the victims of a vicious DDoS attack. Attackers are obviously very upset about internet privacy. Please take a moment and consider donating a few dollars, any amount helps, to help ProtonMail defend themselves and our privacy. Here's a link to their GoFundMe: https://www.gofundme.com/protonmaildefense
Friday, November 6, 2015
Long Island's Cyber Consortium 2015
Last week I was invited to a cyber-consortium hosted by Congressman Steve Israel at Long Island's NYIT College. This was the third meeting of the consortium the Congressman has organized, and it had good representation of the NY area, especially Long Island. Congressman Israel brought up the analogy of how, when pushed to action, Long Islanders have undergone great transitions to change the world. He mentioned how when the space race began, Long Island transitioned from a potato and pumpkin farming community to the lifeblood of Northrop Grumman (the company that built the moon lander). He started this consortium to bring us together and stop the threat of cyber risks against our home.
During this session Congressman Tom Graves, from Georgia, presented his thoughts on where cyber security was going and how he and Congressman Steve Israel are attempting to champion their thoughts through the government. He spoke about how cyber-security was becoming one of the largest concerns in the government now and how we as a country need to start doing more about it. The analogy of hackers was brought up by saying, “We show up to play a football game and the other team's ready to play hockey.” The same rules don’t apply anymore and it’s taking the government time to react to these new challenges.
One of the major topics brought up by the group was the recent CISA (Computer Information Sharing Act) bill. Both Congressmen voted for the bill and were asked very pointed questions regarding how it worked. There was heavy bipartisan voting on the bill, no matter how you feel about it, and the answers they responded with were very honest. When Congressman Graves was asked if he thought it would fix the issue of cyber-security he responded that “It’s a piece to a puzzle, but not the end-all, be-all.” He also wanted to see companies deal with vulnerable software first to stop the threat from happening to begin with, because what good will intel do if you’re vulnerable first? He’s one of the politicians that truly gets what we’re doing.
As you most likely know, I’m not a supporter of the CISA
bill, but I understand where the Congressmen were coming from. After hearing
about the people they knew personally that were affected by the OPM breach, it’s
understandable to see their point of view. The aspect of privacy was brought up
multiple times with the data being transferred, but the methods and processes
weren’t fleshed out yet. All in all, we don’t all have to agree on every topic,
but one thing was sure, both of these men are doing what they believe is the
best for the cyber security community and will assist with making our home a
safer place. I respect them both for doing so and wish we had more
Congressmen/Senators that understand the risks we’re dealing with like these
two men. It was a privilege to work a few things out with them, even if we don’t
completely agree on all the topics. Having different sets of opinions is how
you make progress.
Wednesday, November 4, 2015
Gremlins in the Network
There are a few things in your firewall you need to be aware of before they rise up and bite you in the butt. Just like those nasty little Gremlins that spawned from a soggy Mogwai in the movie "Gremlins", these issues will keep recurring until you fix them, and they can cause a lot of damage.
I wrote this article for Algosec to describe a few areas in your firewall you want to take a look at before they reach true "Gremlin State". Also when reviewing them, please make sure to keep the water bottles out of the data center, just in case.
Tuesday, November 3, 2015
Governments Banning Unbreakable Encryption
With all the improvements to encryption, especially those in the mobile arena, it's sad to think that a government can use fear to try and roll these achievements back when they don't get what they want. The British government and GCHQ have been spying on their citizens for years, but now, with the latest trends and advances in mobile phones, communications are no longer decipherable by default. With these new encryption tools in place, governments are crying foul.
Over the past year the FBI was very vocal on their need to have a "master key" or "backdoor" placed into all devices for the protection of the country. We've seen how irresponsible the NSA's been with power, thanks to the Edward Snowden leaks, and giving them a backdoor into our lives was met with widespread outcry. They don't have the right to snoop on an entire population and it's against our liberty to live without privacy.
The British government is using the same guilty argument as the FBI did to try and pass a surveillance law. When Prime Minister David Cameron says, "Terrorists, pedophiles and criminals must not be allowed a safe place online", he's really using this as a way to increase, or at least keep on par with, the widespread surveillance and data collection they've had in the past. Since everything these days is going towards mobile, not having this data collected on the entire population will severely decrease their ability to monitor. Without sounding callous, I have children, lived through a terror attack in NY and want to see cyber criminals locked up. I don't, however, want to live a life where the government could at any time be monitoring my private communications. It will be abused and I personally don't think it's working. It's that simple.
I'm hoping that the Googles and Apples of the world take a stand against governments looking to use FUD to propel their agenda of mass surveillance. It will be a sad day when a government can tell a private company how insecure they have to make their product. If there's a backdoor for someone to enter, it might not always be the one you expected. No good can come from this.
Monday, October 19, 2015
Mapping FinFisher's Surveillance Spyware
This is some great research done by CitizenLab.org on the FinFisher surveillance spyware. Check it out here. Great job, guys.
Friday, October 16, 2015
Cyber Horror Stories From the Past Year
The eerie cyber season is upon us now, the time of year when the cyber ghouls are out looking for our data. This past year has been exceedingly spooky, with major organizations being taken advantage of by the cyber undead. With this being Cyber Awareness Month, we’d like to review a few of these attacks with you so that they can become part of your zombie security survival guide when the cyber apocalypse is pointed in your direction. Stay alert; you never know when these monstrosities will come after you next. Here are a few stories from the past year that will give you goosebumps.
We’ve noticed that 2015 is the year of the healthcare breach. These monsters have targeted healthcare over the past 12 months with wild abandon. Whether it is Anthem, Blue Cross, UCLA or any other casualty, these monsters have a taste for healthcare and want more of it. The industry as a whole has taken this very seriously after seeing their peers eaten alive, and is making strides to secure what they can before it’s too late. There is never a safe place from these beasts, but over the past 12 months the sea change in thinking for healthcare has been eye-opening. The entire industry is putting in defenses today that wouldn’t have been there if not for these vicious attacks. The carnage of these assaults has sparked a flame in healthcare, one that will hopefully continue to shine brightly. Otherwise, they’ll be the next ones to the stake.
The government has also become, or should I say always was, a favorite target for cyber witches that continue to plague their security. We noticed some advanced witchcraft thrown at the government this year in the form of the OPM and IRS hacks. The enchantresses behind these breaches were sophisticated and able to craft unstoppable spells over the government networks, which weren’t ready for their potent effect of data loss. These attacks were used to gain more insight into government employees and could only be the beginning of their spells. The data these witches stole will probably be used later on to create a more refined incantation, using this pinched data as an ingredient in their cauldron for an even greater conjuring of evil towards the government and their employees. The government as a whole needs to wake up and start making changes that will protect themselves from these types of attacks. They’re the biggest target for these overseas witches and will be for years to come.
Something interesting we saw this year, that we don’t see every day, was a group of cyber fiends being hunted down by what seems like another individual looking to usurp them from their evil throne. This of course was the “Hacking Team” hack, where the group “Hacking Team” was selling surveillance and malware to countries to spy on their people. The zombie hunter Phineas Fisher, who could play both hero and villain, defended these countries' people by exposing “Hacking Team” for what they really were. It’s interesting to watch these cyber vigilantes come right after evil, while toeing the line of becoming exactly what they’re fighting against. This battle for cyber purity is one that can swallow up a person, or group for that matter, if they’re not careful.
My dear friends, it’s been a terrifying 2015 and one that gives us reason to worry. Let’s use this Cyber Awareness Month as a way to educate others against ghouls on the internet lurking in the dark webs ready to pounce. Constant diligence and education will keep us safe, because you never know when they’ll strike. Let us be like the Ghostbusters and team up together to let everyone know that “We ain’t afraid of no ghosts!”
Wednesday, October 14, 2015
Best Practices to Prepare for a Cyber Attack
The war is coming and it's a matter of time before you're attacked (assuming you aren't already under attack, which you most likely are), and if you're not actively preparing for this event you'll be destroyed when it happens. There needs to be a plan of action, there needs to be training, there need to be assigned roles, or you'll be scrambling during an incident. This article I wrote helps explain a few things that should be done now in preparation for an incident. It's better to be prepared, rather than making it up in the heat of the moment. Knowing is only half the battle.
http://blog.algosec.com/2015/10/10-best-practices-to-help-you-prepare-for-a-cyber-attack.html
Monday, October 12, 2015
Review of some best #CyberAwareTips
Tripwire recently collected some of the better cyber security awareness advice from the hashtag #CyberAwareTips for National Cyber Security Awareness Month (NCSAM). You can check out my advice and others' on this aggregated blog from Tripwire:
http://www.tripwire.com/state-of-security/security-awareness/cyber-aware-tips-how-to-stay-safe-online/
Friday, October 9, 2015
How NOT to be a Victim of Social Engineering [Cyveillance]
Here's a great infographic from Cyveillance about "How NOT to be a Victim of Social Engineering". To read the entire blog post please take a look here. Well done, Cyveillance.
Thursday, October 8, 2015
New Amazon Application Security Services
Okay, the cloud is dangerous and everyone should stop using it before it rains down your data upon all those it wasn't intended for, right? Well, not really. There are times when keeping data in house is an ideal solution, but there are other times when pushing data to the cloud is a completely viable approach. This is all about knowing your security risk appetite and understanding the data that's being hosted in the cloud and the security of the cloud provider. With this being said, Amazon has taken great strides in helping ease the "security of the provider" concern. Take a look at the following two products that Amazon recently released:
- Amazon WAF: https://aws.amazon.com/blogs/aws/new-aws-waf/
- Amazon Inspector: https://aws.amazon.com/blogs/aws/amazon-inspector-automated-security-assessment-service/
These two services assist greatly with running any type of web application off Amazon's AWS service. Many startups and lower income businesses are using Amazon to run their applications, as well as many very large companies, but for those without the revenues to purchase these services elsewhere Amazon has really created a secure ecosystem to keep clients from outgrowing their services from a security standpoint. This is a huge step forward for them and I'm personally very excited about seeing where they're going in the future.
Wednesday, October 7, 2015
Building a cybersecurity culture in the workplace
We all know that attackers are coming after your users; this shouldn't be a surprise. We need to find better ways to have security awareness sink into their minds, because they're the first line of defense. They are the weakest links in your networks and systems. If they're not trained, you're at even more risk of data breaches. It's really that simple. Also, all groups shouldn't be trained the same, and having dedicated training per group (administrators, marketing, finance, etc.) will provide a focused education and assist with better protection of your users.
Here's an article I collaborated with the good folks at Tripwire regarding some other cybersecurity culture training tips for the workplace.
http://www.tripwire.com/state-of-security/security-awareness/3-tips-on-how-to-create-a-cyber-security-culture-at-work/
Friday, October 2, 2015
Comparing MDM Solutions (IMO)
Here are my thoughts on how to compare mobile device management (MDM) products when looking to purchase a system to manage your mobile devices. As the mobile market grows, so does the risk of your data and internal networks being compromised through these devices. Here are a few criteria for making an educated decision on which MDM is right for your organization:
http://searchsecurity.techtarget.com/feature/Comparing-the-best-mobile-device-management-products
Who let the data out?! Time for effective egress filtering!
We've seen way too many organizations have data breaches due to not having proper egress filtering configured. Many places are still only worried about what's making its way into the network and aren't concerned about what's leaving the network. This could be the difference between an attacker making it into your network and an attacker leaving with your data. If they aren't able to get data out, there's no data loss, and this limits the impact of the compromise.
http://blog.algosec.com/2015/09/dont-let-the-data-out-tips-for-effective-egress-filtering.html
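To make the point concrete, here is an added example (not from the linked article) of what a default-deny egress policy looks like when checked against a handful of outbound connection records. The network, the policy and the log format are all constructed for illustration: internal hosts may only reach the web proxy, the internal resolver and the NTP server, and only the proxy and the resolver may talk to the internet; everything else leaving the network is denied.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed, simplified egress policy for a 10.0.0.0/8 network (hypothetical).
INTERNAL = ip_network("10.0.0.0/8")
PROXY = ip_network("10.1.1.10/32")
RESOLVER = ip_network("10.1.1.53/32")
NTP = ip_network("10.1.1.123/32")
ANY = ip_network("0.0.0.0/0")

# Explicit allow rules: (source network, destination network, protocol, dest port).
# Anything not matched here is denied, which is what "default deny" means.
EGRESS_ALLOW = [
    (INTERNAL, PROXY, "tcp", 3128),    # all web access goes through the proxy
    (INTERNAL, RESOLVER, "udp", 53),   # DNS only to the internal resolver
    (INTERNAL, NTP, "udp", 123),       # time only from the internal NTP server
    (PROXY, ANY, "tcp", 80),           # the proxy fetches on behalf of users
    (PROXY, ANY, "tcp", 443),
    (RESOLVER, ANY, "udp", 53),        # the resolver recurses to the internet
]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' connection record into a Flow."""
    fields = dict(item.split("=", 1) for item in line.split())
    return Flow(ip_address(fields["src"]), ip_address(fields["dst"]),
                fields["proto"].lower(), int(fields["dport"]))


def decide(flow: Flow) -> str:
    """Return 'allow' if an explicit rule matches the flow, otherwise 'deny'."""
    for src_net, dst_net, proto, dport in EGRESS_ALLOW:
        if (flow.src in src_net and flow.dst in dst_net
                and flow.proto == proto and flow.dport == dport):
            return "allow"
    return "deny"


def audit(log_lines):
    """Evaluate every record against the policy; returns (flow, verdict) pairs."""
    return [(flow, decide(flow)) for flow in map(parse_flow, log_lines)]


def denied(log_lines):
    """Only the flows the policy would have stopped: the ones worth investigating."""
    return [flow for flow, verdict in audit(log_lines) if verdict == "deny"]


# Constructed sample connection records, not real traffic.
SAMPLE_LOG = [
    "src=10.2.3.4 dst=10.1.1.10 proto=tcp dport=3128",    # workstation via proxy
    "src=10.2.3.4 dst=203.0.113.5 proto=tcp dport=443",   # workstation bypassing the proxy
    "src=10.2.3.4 dst=198.51.100.7 proto=udp dport=53",   # DNS to an outside resolver
    "src=10.1.1.10 dst=203.0.113.5 proto=tcp dport=443",  # proxy fetching for users
    "src=10.1.1.53 dst=198.51.100.7 proto=udp dport=53",  # resolver recursing
    "src=10.5.0.20 dst=192.0.2.10 proto=tcp dport=445",   # file server talking SMB outbound
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The three denied records are exactly the kinds of flows that carry data out when egress is left open: a host bypassing the proxy, DNS to a resolver you don't control, and a server speaking SMB to the internet.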
Security Metrics Crowdsourced Blog
If you're building a security dashboard with metrics for executives, or anyone for that matter, take a look at this blog assembled by Tripwire regarding "Top 10 Tips for Building an Effective Security Dashboard". Tip #6 is especially interesting ;)
http://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/the-top-10-tips-for-building-an-effective-security-dashboard/
Cyber Security Awareness Month #CyberAwareTips
October has been deemed "Cyber Security Awareness Month" by many major security companies, and it's something that, if used correctly, could be of great assistance to those who might not be as cyber-savvy. I've been posting a few tips to Twitter with the hashtag #CyberAwareTips, along with many others. Let's see how much traffic we can generate with this hashtag and get the word out this month.
Thursday, September 24, 2015
An interview with Andy Yen (Creator of ProtonMail)
I was recently given the opportunity to correspond with Andy Yen, creator of ProtonMail, regarding his encrypted email service and the current state of internet privacy. ProtonMail, which has been posted about multiple times on this blog, is growing at a rapid pace and is one of the most popular encrypted email services available. Through our correspondence I was able to ask Andy his opinion on internet privacy and what's in store for the future of ProtonMail. Also, make sure to add a donation towards ProtonMail and spread the word about his company. Here are a few questions Andy graciously answered for us:
What prompted you to start your own email service based on privacy? Was there a defining moment you can remember?
"The defining moment was two years ago when I tried to find a good way to keep my email communications secure and private. All of the existing solutions (mostly involving PGP) were simply too difficult to use, and since a good service didn't exist, the only solution was to create it ourselves."
In your opinion, besides email, what is the largest threat to privacy on the internet today?
"The biggest threat is actually cultural. Nowadays, we have the Facebook, Snapchat, Instagram generation, which are young people being trained from a young age to share everything online without giving it a second thought. This trend can permanently alter the definition of privacy within a generation or two."
What are your suggestions to a new generation coming up that sees privacy as more of an afterthought?
"I always joke that it will be very interesting to watch a US presidential election in 20 years where the old Facebook posts and Instagram photos of the candidates resurface. I think it's important for the new generation to remember that what goes out onto the internet is permanent. Once you share a photo, you can NEVER take it back, and it could mark you for the rest of your life."
Honestly, protecting privacy can be bad for business. Have you had push back from large organizations or governments regarding your service?
"Actually no, businesses large and small now understand that privacy is important. This is because what businesses need more than ever is actually security, and encryption technologies like ProtonMail bring the security which ensures that cyberattacks like the Sony hack are a lot harder to pull off. Security is the goal, but privacy is the end state that comes with security."
Over the past year I've personally noticed the growth of the ProtonMail service. Will ProtonMail always be free?
"We know that many of our users who need privacy the most (activists in Russia, China, etc) are also those that most cannot afford to pay. Thus, we are committed to keeping the basic version of ProtonMail free for as long as possible."
Do you foresee any additional privacy services spawning off of ProtonMail in the future? I've heard rumors of a mobile app. Would you ever branch off into secure storage?
"Actually, our mobile apps have already been released in beta and we have several thousand beta testers using the apps today. In the future, we also intend to expand into storage since that is a commonly requested feature from our users."
In what ways can our readers help continue making ProtonMail the best private email service out there?
"There are several ways in fact. The first is to get the message out about how bad the current surveillance state is. Many people simply don't realise they are being constantly tracked, monitored, and recorded online. Secondly, it is important to encourage others to also use ProtonMail because the most secure email system in the world cannot turn the tide if we don't get the world on board. And lastly, for users who are interested in assisting us directly, it is possible to donate to the project here: protonmail.ch/donate"
Tuesday, September 22, 2015
Protect Healthcare Data Now!
Healthcare data has become "en vogue" for hackers, and it's no secret that they're looking for it. The risk to the patient, and the price a hacker can get for the data, is much higher than for any other record that can be stolen today. I wrote the following blog describing this issue, why it's important to protect the data, and how the industry is taking this problem head on. Hope you like it.