National Cyber Security Awareness Month: Are you taking steps to prevent cyber security threats?
The phrase "An ounce of prevention is worth a pound of cure" may be an old one, but it's still as true today as it was when Benjamin Franklin first uttered the words, and it's especially applicable to the world of cyber security. Unfortunately, cyber crime isn't likely to just "go away" any time soon, so to protect your data and the integrity of your business, it's important to prioritize prevention.
Most organizations are working toward having reliable recovery plans in the case of a security breach - whether that is through malware attacks or the increasingly prevalent ransomware threats. But while a recovery plan is valuable, it shouldn't be your main focus.
Years ago, it was enough to educate employees not to click on suspicious links or open unsolicited file attachments, but hackers no longer need click-bait emails or websites to infect a company's infrastructure. Malware is breaching organizations through brute force attacks that are "clickless," meaning they bypass user interaction altogether. And all it takes is a single infected computer to compromise an entire network.
As we mentioned a few weeks ago, hackers are now hiding malicious scripts in legitimate software solutions, which means you may be deploying compromised software across your network without realizing it. And in the case of the September security breach, it was anti-virus software itself that was compromised. These backdoor hacking techniques aren't always out to take your data hostage. In many cases, they silently steal credentials and use their access to further propagate their malicious code or even drain corporate bank accounts.
And even if you think you have a malware attack contained, some ransomware attacks leave behind backdoors and scheduled tasks that reinstall the malware, so just when you think you have resolved the issue, it resurrects itself and the recovery process begins again.
With all of these threats coming from a variety of seemingly undetectable sources, prevention may seem difficult, if not downright impossible. But deploying Endpoint Security solutions will help your organization prevent a breach rather than just reacting to one after the fact.
Endpoint Security provides protection against fileless attacks and exploits that would otherwise be missed by antivirus software. This centralized approach protects every "endpoint" connected to your corporate IT network (servers, desktops, laptops, smart phones and IoT devices) from malware and other cyber security threats. It blocks these attacks by analyzing behaviors and attributes during the "set up" phase of a cyber attack, protecting your system before the damage is actually done.
Effective endpoint security solutions utilize a client-server model: security software is installed across the network from a centrally managed server, which then authenticates logins made from the endpoints and updates the client software on an as-needed basis. It monitors all files on the network the moment they start to execute and blocks attacks before they have the opportunity to run. Some endpoint security solutions even offer software that will analyze your organization's software profile, noting any custom software solutions or unique systems in place, then deploy tailored protection for your organization to maximize your coverage and the accuracy of your protection on every endpoint.
This provides users with real-time protection that evolves as the threat landscape evolves and blocks exploits as well as fileless and clickless attacks. And a responsive solution that learns your organization's unique software profile will reduce the risk of false positives and other noise that may limit enterprise productivity.
As National Cyber Security Awareness Month comes to a close today, it's important to remember that cyber security threats don't just happen once a year. With cyber crime on the rise, it's vital for your organization to regularly review your prevention and recovery plans to ensure you are protected from the next threat that pops up. At Spud Software, we're passionate about helping our clients protect their data from cyber security threats. Just give us a call or visit our website to find out how we can help your organization.
National Cyber Security Awareness Month: In the age of cloud computing, who takes responsibility for data security?
As we continue with our focus on cyber security, it's important to acknowledge that there is some confusion when it comes to who is responsible for the security of a company's data, especially when that data is stored in the cloud. If your data is being stored in an off-site, cloud-based solution, are you ultimately responsible for its security? Is the cloud provider responsible? Who will be called to account if there is a data breach? The answers to those questions are not as simple as most executives would like, but they're vital to consider when handling sensitive data.
A survey released in September by Barracuda Networks Inc., a firm specializing in data security, reported that 44 percent of companies polled run their infrastructure in the public cloud with that percentage expected to double over the next five years.
But the survey also revealed significant confusion over who was responsible for the security of data stored in the cloud, with 77% of respondents saying the cloud providers were responsible for securing their data while 68% of IT executives believed cloud providers were also responsible for application security.
Data security "remains a key concern for organizations evaluating public cloud, and there’s confusion over where their part of the shared responsibility model begins and ends," said Tim Jefferson, vice president of public cloud at Barracuda.
Before you agree to work with any cloud provider, it's important to express your expectations and address a few key issues related to cloud security. For example, where is your data being stored? What are the likely threats to the security of your data, and how are these threats mitigated? Who is responsible for the major aspects of security, including access management, data encryption, security and vulnerability testing and secure deployment? The answers to these questions should be addressed in a legal contract prior to deploying any data to a cloud service provider.
Of course, if you're storing data in the cloud, we all know by now that it's important to ensure that data is encrypted. (If you're not familiar with encryption and you missed our previous newsletter detailing its importance, you can read it here.) But the level of access you and your cloud provider have to your encrypted data largely affects the burden of responsibility. Do you maintain your encryption keys? Does your provider? Do you both have access to and maintain your encryption keys? If both parties are in control of the encryption keys, both parties are responsible for the encrypted data they control.
Also, much of the responsibility for the issues relating to cloud security can be determined by which of the three main application architectures you are using for your hosting solution: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS).
With the IaaS model, the cloud vendor only provides the infrastructure to host data while the user functions as the network administrator. Thus the cloud user accepts the responsibility for all persons with access to the server and applications and maintains encryption keys for all data stored within. They are also responsible for any necessary security patches or audits required on their applications.
Similarly, with the PaaS solution, the cloud provider secures and monitors the provided database, but the cloud user is responsible for access management and the data itself.
With SaaS solutions, the security responsibility is shared between the vendor and the cloud user, and the vendor assumes significantly more responsibility than in the other two models. The user is still responsible for access management, but as the cloud vendor is providing the application, they assume responsibility for the program interface and security within their system. This includes security and vulnerability testing, secure deployment practices and application code scanning.
If your company is currently operating in a cloud-based environment, or you're considering moving to a cloud-based application and you're unsure of who is responsible for the security of your data, Spud Software is here to help. Contact us and a member of our experienced staff can help you determine if your data is secure, and what solutions are best suited to your company's IT security needs.
Cyber Security Awareness Month: Is your password really protecting you?
When we talk about cyber security, we always mention the importance of having a strong password. After all, it is the first line of defense in protecting against cyber criminals. But even as we tell you to have a strong password, we realize that you may be wondering what that really looks like. So we're offering a brief primer on passwords to help you set up an effective defense.
What Does a Weak Password Look Like?
Before you can fully understand what a strong password is, it helps to know what weak passwords look like and why they are so easy for hackers to break through. Weak passwords usually feature at least one of these common components:
Statistics from recent security breaches highlight the issues with using weak password practices. In most cases, 30% of the hacked passwords were 6 characters or less, with 40% using only lowercase characters, 16% using only digits and less than 4% using special characters (such as !*@#$?). Yet most users still utilize unsafe passwords.
An all lower case password that is only 6 characters long can be hacked by a computer within 10 minutes while 6 uppercase characters can be hacked within 10 hours and adding special characters only stretches the time it takes to crack the password to 18 days. Compare that to an 8 character password with special characters. It would take a computer on average 463 years to hack an 8 character password that contains a combination of uppercase, lowercase and special characters.
So What Makes up a Strong Password?
A strong password will be something that's hard to guess, and the more random it is, the more difficult it will be for an individual or a computer to crack. Some characteristics of strong passwords are:
So how can you incorporate the techniques of a strong password into a password that you can actually remember? There are a few different options that work, and one of them can work for you.
String together random words
Look around your desk or your office and find a few things that have nothing in common, but that you see every day. For example, maybe your desk looks like this image:
Select a password that is made up of objects on the desk, then, for an added layer of security, add some numbers to the password - perhaps the digits of your gym locker combination or the date you brought home your pet, spread out within the password: 5Mug22Blue15Stapler!
Create a pass phrase
Your password doesn't have to be actual words - in fact, it's better if it's not - and using a pass phrase that you shorten to just characters and numbers will give you a memorable password that's difficult to guess. For instance:
Uncle Bob runs fast to eat four Carrots! becomes: UBrf2e4C!
Does every Happy boy Like to Eat chocolate for breakfast? becomes: DeHbL2Ec4b?
Of course, it's beneficial to have more than one special character in the mix, so you could also use:
Uncle Bob runs fast to eat four Carrots! becomes: UBrf2e#4C!
But if a seemingly random pass phrase would be too difficult to remember, you could use info about a completely random place that no one would think to guess: MyLibraryis@1095Frost! At 22 characters, that's still an easy enough phrase to remember, but extremely difficult for hackers to crack.
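The pass-phrase shortening shown above (first letter of each word, "to" and "four" turned into digits, punctuation kept) and the weak-password traits called out in the breach statistics can both be expressed in a few lines of Python. This is an added illustration, not code from the original newsletter; the list of number-like words and the 32-character special-character pool are assumptions.

```python
import math
import re
import string

# Words the pass-phrase method replaces with a digit. Only "to" and "four"
# appear in the examples above; the rest is an assumed generalisation.
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                "one": "1", "won": "1", "ate": "8", "eight": "8"}


def passphrase_to_password(phrase: str) -> str:
    """Shorten a pass phrase the way the examples above do.

    Each word contributes its first character (case preserved); words that
    sound like a digit contribute that digit; punctuation attached to a word
    is kept so the result still contains special characters.
    """
    out = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        if core.lower() in NUMBER_WORDS:
            out.append(NUMBER_WORDS[core.lower()])
        elif core:
            out.append(core[0])
        out.append(trailing)
    return "".join(out)


# Character classes with the pool size each adds to a brute-force search.
# 32 printable specials is an assumption, not a figure from the page.
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^a-zA-Z0-9]"), 32),
}


def weak_patterns(password: str) -> dict:
    """Flag the weak traits the breach statistics above call out."""
    has = {name: bool(rx.search(password)) for name, (rx, _) in CLASSES.items()}
    others = lambda keep: any(v for k, v in has.items() if k != keep)
    return {
        "too_short": len(password) <= 6,
        "only_lowercase": has["lower"] and not others("lower"),
        "only_digits": has["digit"] and not others("digit"),
        "no_special": not has["special"],
    }


def keyspace_bits(password: str) -> float:
    """Bits of brute-force search space: log2(pool ** length)."""
    pool = sum(size for rx, size in CLASSES.values() if rx.search(password))
    return len(password) * math.log2(pool) if pool else 0.0
```

Running `weak_patterns` over a six-letter lowercase password lights up three of the four flags, while the nine-character acronym above clears all of them and roughly doubles the search space in bits.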
However you choose to create your password and keep it memorable, it's becoming increasingly important that you not only choose a strong password, but that you follow best practices and change your passwords every 3 to 6 months. You should change your password if you have even a suspicion that it's been compromised. Also avoid using the same password for multiple accounts, and never enter it on a machine you don't trust (i.e., a library computer or a public access portal).
By taking steps to secure and strengthen your passwords, you're protecting yourself and your sensitive data from cyber criminals. If you have questions about how to further safeguard against cyber security threats, Spud Software is here to help. Contact us at any time to find out how we can assist you in keeping your data secure.
Cyber Security Awareness Month: Starting October off with a Successful Security Event.
In honor of National Cyber Security Awareness Month and in response to several notable and national security breaches, we've been focusing our efforts on raising awareness of online security. With that in mind, on October 6th Spud Software teamed with VioPoint to host a Lunch & Learn Panel Discussion at Automation Alley that highlighted the benefits and risks of application security.
Led by a team of three panelists from Spud Software, VioPoint and Vigilant Cyber Security, the Lunch & Learn discussion focused on the importance of implementing secure development practices and application security measures to protect companies from data breaches as a result of vulnerabilities within their web applications.
When it comes to application development and security, the panel highlighted the challenges facing developers in this ever-changing environment. Unfortunately, they noted, for most companies, web application security is still under-emphasized, despite the vital role it plays in the security of their data. Web applications are often the first line of entry to a company's online space and are thus exposed to a wide variety of threats. This makes secure software design and development increasingly important.
In fact, the numbers are nearly staggering when it comes to the vulnerability of most web applications. At least 69% of applications contain security vulnerabilities. Of those, 80% feature at least one security vulnerability, with most averaging 45 vulnerabilities per application. And the average time to remediate these security threats is 129 days. That gives cyber criminals more than 4 months to exploit these vulnerabilities and steal a company's data.
Approximately 20 guests from a variety of industries attended the Lunch & Learn panel discussion and were very receptive to the information presented. In fact, one attendee has already requested that Spud Software work with them to implement further security measures on their existing web application.
If you're interested in learning more about web applications and how they can impact your business, you can join us on November 2nd for the Auburn Hills Chamber of Commerce Business Development Series. Larry Bossman, Spud Software's Sales Director, will be hosting a discussion on how to make software investments profitable for your company.
You can register for the event here.
Does your cyber security plan make you more than a statistic?
In the wake of multiple data breaches, ransomware attacks and backdoor hacking incidents, it seems like National Cyber Security Awareness month couldn't have come at a better time.
Established in 2004, National Cyber Security Awareness month takes place every October and is “designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident,” according to the Department of Homeland Security.
Those national security incidents appear to be on the rise. This year is lining up to be the worst year for cyber security incidents on record with a number of high profile breaches and global attacks, including:
Top Trading Apps Packed with Security Flaws
Research Group IOApp recently ran a test on 21 of the top mobile stock trading apps, responsible for millions of users and billions of dollars worth of transactions yearly, and their results were staggering.
Of the 14 security controls tested, 95% had a high failure rate in privacy mode, 67% failed in secure data storage, 95% failed in root detection, and 62% failed on sensitive data written to the logging console, hardcoded secrets in code, and SSL certificate validation.
Worse, 62% of the apps sent sensitive data to log files where 67% of that data was stored unencrypted, exposing users' net worth and investment strategies to potential hackers.
Failure to Secure the Internet-of-Things
The American culture has been quick to embrace the Internet-of-Things (IoT) with over 8.4 billion devices currently in use. Whether you control your thermostat through your phone, ask questions of your Echo or Alexa home assistant, or monitor your home security system from a basketball game, the reliance on the Internet-of-Things also leaves us increasingly vulnerable to cyber criminals. And many owners are completely unaware. In fact, research shows that one-third of all IoT owners never change the default password on their devices and 54% don't use third-party security tools to protect their investments. With estimates suggesting that by 2020 25% of cyber security attacks will be against IoT devices, these statistics are especially troubling as some users are essentially inviting criminals into their homes through connected home assistants and vulnerable security systems.
The global cost of cyber security failures is continuing to rise. It is estimated that cybercrime costs have increased by more than 23% in the last year alone, with over 130 breaches worldwide. Companies across the United States have incurred the highest cost in the world, approximately $21 million, in data breaches.
With cyber crimes showing no signs of slowing down, it's vital that every organization takes a closer look at the security plans they have in place and the systems they are using to protect their sensitive data. At Spud Software, we're committed to helping companies safeguard against cyber criminals and protecting our clients from becoming more than another cyber security statistic.