National Small Business Week is underway, and the festivities didn't take long to address one of the most glaring and ever-present issues for small to midsize businesses (SMBs): cybersecurity. The Small Business Administration (SBA) is the US government agency dedicated to providing concrete help, training, and recommendations that small businesses can put into practice right away in their day-to-day operations. To that end, rather than just offer pie-in-the-sky security trends, today's SBA cybersecurity panel gave SMBs concrete tips, resources, and steps they can take to mitigate security vulnerabilities and put a comprehensive security strategy in place.
These are pretty good, and while some of them may require a bit more time and planning, there really are some things you can do right now, even if you aren't a business.
This situation tonight is something that shows the real danger of hacking. We all know what kind of havoc can be created when someone steals your personal information, but here it's not just someone gaining access to information about this kid, it's someone getting into the account and planting information.
That's the real danger in hacking, that anyone, anytime, can make public what used to be private, or create wholly new "data" from nothing, and have it accepted as truth.
Laremy Tunsil may have, at some point, smoked from a bong. It may have been years ago, as he claims, or not, we don't really know. What we do know is that video came out at exactly the right time to cost him millions of dollars. That was no accident. Someone meant for that to happen.
That is a hacker targeting an individual in order to ruin them. There are so many insecure databases out there where a hacker could do the same thing to any of us. It's only going to get worse, I'm afraid.
Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes). Whilst there was an improvement in the number of breaches detected in 'days or less' noted in the last DBIR, that turned out to be a temporary blip. This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.

Worse yet, it's usually not the victim that notices the breach, but a third party (normally either a security researcher or law enforcement).

Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.
This is not good news, not even close. Your data has been hacked, you might as well accept that.
US-CERT (U.S. Computer Emergency Readiness Team) based its alert on news Thursday from Trend Micro's TippingPoint group, which said it had been told by Apple that QuickTime on Windows had been deprecated, or dropped from support, meaning no future security updates will be issued and development has been halted.
Lose it; it has vulnerabilities and won't be updated. That is a recipe for disaster on your PC.
Encryption and how you control your data is a hot topic right now, but understanding encryption and how it relates to your personal data is confusing. YouTuber CGP Grey explains encryption, as well as some of the issues up for debate right now, as simply as possible.
Virtual Private Networks (VPNs) have become an important tool not just for large companies, but also for individuals to improve web privacy, dodge content restrictions and counter the growing threat of cyber attacks.

Opera has released an updated desktop version of its web browser with a free built-in VPN service to keep you safe on the Internet with just a click.

That's a great deal!
That is a pretty nice deal. Anyone used it yet?
"Windows XP exited public support on April 8, 2014, amid some panic on the part of corporations that had not yet purged their environments of the 2001 OS. Unless companies paid for custom support, their PCs running XP received no security updates after that date"
And we wonder why there are so many vulnerable computers on the internet. This would be one, of many, reasons.
If you're running XP, you are not secure. You haven't been for a long time.
"One interesting quote from Edelson in the article: "Firms are incapable of getting the 60-year-old rainmaking partner to not use public Wi-Fi to access client data on a computer that is not secure . . . they are just totally dropping the ball there." I can't verify whether that is accurate, but it shouldn't be happening at large law firms. Hopefully, technology and training together can prevent that problem . . . but maybe I'm wrong . . ."
I'd like to think that sort of thing isn't happening, but I worked in firms long enough to know that it probably is. Law firms targeted by this class action may find themselves in a bad way legally, and in terms of bad publicity.
"While the encryption debate may have temporarily subsided, burner phones seem to be getting the spotlight.
It might be because terrorists aren’t using encryption as much as they are utilizing the quick, easy, and anonymous method of obtaining and discarding a prepaid phone."
I've often wondered why governments have spent so much time decrying the use of encryption when criminals can just get an untraceable burner phone and accomplish the same thing in a much simpler fashion. Heck, how many years of Law and Order episodes do we have where criminals used burner phones and yet no one ever made a big deal out of those being available.
Now, to be fair, there are some legitimate uses for prepaid, untraceable, phones. Domestic violence victims, for example, need a way to communicate and stay safe from their abusers, and if those abusers have access to the records involved, which they often do because they are married to the victim, then this law will make things more dangerous for those folks. Until I've had more time to look at the alternatives and the full impact, I wouldn't go running to support this change, but it only makes sense that we would be having a discussion about this loophole first.
After all, the use of burner phones is something that forces us to balance the legitimate privacy concerns of users with the security needs of law enforcement without all the extra technical confusion over encryption. That's truly the argument we should be having: how to balance privacy rights and law enforcement needs when it comes to technology. I suspect, however, that many want to look at the more technically complex areas just to take advantage of people's confusion about the topic to instill fear about it, instead of something they can easily understand.
So, encryption becomes the scary boogeyman that terrorists use to keep hidden, because people don't really understand the need for truly secure encryption that we all have.
Lots of people who have no idea how encryption works, on the other hand, have had, or know someone who has, a prepaid phone, for completely legitimate reasons. Let's see how they feel about their right to privacy when it comes to something we all understand.
"It turns out that all of the security in the world won’t stop a disgruntled — or adequately incentivized — employee. According to research done by Austin, Texas-based security company SailPoint, one in five employees would sell their work passwords for money."
First off, let me just say that I do not ever condone this. It is highly unethical and just an awful thing to do.
Still, while company security experts are running around throwing gobs of money at the latest cybersecurity tools, I can't help but wonder how many of these same companies pay no attention to how overworked, stressed, and generally poorly-treated their own employees are. Yes, a disgruntled employee with legitimate access is much more dangerous than those mysterious hackers you're trying to keep out. Maybe you should check and make sure they're not so unhappy that they'd sell you out for a small sum.
"The report suggests that organisations are ultimately failing to protect themselves against cyberattacks because even if staff are being provided with cybersecurity training, it isn't adequately informing them about good practice.
This represents a major cause for concern, especially given that recent research by PwC suggests that three-quarters of large organisations suffered a staff-related security breach during 2015, with half of the worst cases caused by human error."
So not only are hackers out there poking around to find vulnerabilities but in many cases they are finding them as a result of user errors. Training for users and IT folks when it comes to security practices is pretty lacking. Without it, all the technical tools in the world won't fully protect them.
The newspaper has reported that the Justice Department is weighing how to move forward with an ongoing investigation that has run into trouble because of the service’s encryption. A federal judge had okayed a wiretap order during the course of the investigation, but because the communications being tapped are encrypted, they can’t see what’s being said.

The department hasn’t decided how to proceed with the case. There are some that are advocating that they push ahead much like they’ve done with Apple: go to court and attempt to force the company to provide them with access to the information, while others are looking to hold off.
This is not going to go away, and it has profound impacts on where mobile and cloud technology will go from here. If the government gets its way, people and companies currently storing and sharing data across encrypted services will no longer be able to depend upon the data being safe from prying eyes, as the services themselves will have the means to access it directly. (If the government requires them to access and turn it over, they would have to leave it open to at least themselves in order to comply with potential court orders, as well as anyone else who figures out how to access the back door.) It will not be protected from the service storing it.
The interesting thing is that, if the companies are required to build in back doors to encrypted data, would using those services then violate current privacy laws like HIPAA?
This move by the government could literally cripple cloud services as viable business solutions, and then where will we be?
"Large, well-fortified organizations and enterprises may not be as attractive to data thieves as they once were. You can thank better training, bigger IT budgets and more effective security measures for this welcome bit of news.
Things are less rosy for small companies, however.
Shrinking budgets, limited resources, and lax or outdated security practices have now made SMBs the hacker’s preferred cyber-target, says a recent New York Times post–a vulnerability confirmed by recent industry stats."
This makes sense: criminals have always gone for the easier targets when given a choice. Small businesses used to be able to hide under the radar when it came to cyber security because their data just wasn't worth as much, but with the rise in ransomware and other quick-paying hacks available, those small companies with lax security become easy pickings.
Truly, data security has become everyone's problem.
"RSA 2016 For years, the security industry has been primarily focused on stopping information theft. Now more and more people in the trade are worried that the next wave of attacks won't steal data – they'll alter it instead."
There are a couple of examples in the linked article, but know that these types of attacks are coming, and they will be a lot harder to fix once it's been done. Instead of stealing your information, what if I close your bank account? Or change your DMV record to show that your license has been suspended? Those are some of the small ways you could screw with individuals, but think of all the NSA-collected data that could be altered to show anything you want it to, or manipulate markets, energy grids, etc.
For me, professionally, so much of what we do in the legal system is based on the data being preserved, but we assume its accuracy. What if it's been hacked and altered? What if right before I filed a discrimination case, I hacked an HR system and altered the race, sex, or age of every terminated employee, and then that data was requested as part of discovery?
Scary, scary stuff. Like the article says, maybe storing a paper record as a backup wouldn't be the worst idea.
Check the lists, and if you have accounts set up to use any of the common usernames or passwords, you might want to go ahead and change that. Like now, before someone starts remotely controlling your computer.
Assuming they haven't already.
"The best way to keep yourself safe is to use your own Wi-Fi connection, if you're able to set up a personal hotspot, or to ask employees (such as baristas in a coffee shop) which network is theirs. A free connection that pops up while you're on the go might just be too good to be true."
Just because there's a wifi signal available doesn't mean you should connect to it. Verify the network is one you can trust, and even then don't do any banking or anything like that over it, ok?
I've known some people who had to deal with having their identity stolen over the years, and I've seen what an absolute mess it can be trying to find their way through the maze. Now there's one place to get all the information the government has about dealing with identity theft. That's not bad!
"Until a year or 2 ago, the best-known program for creating and using encrypted container files was TrueCrypt, which was open source and widely supported with millions of users. Then the project was abruptly shut down. No one quite knows why, but rumours persist that the developers were formally discouraged from maintaining something that could allow law enforcement agencies to intercept information.
Luckily, the project now lives on in the form of VeraCrypt, which is based on the TrueCrypt code. It's still open source and it's still free, and it works just the same. It includes some minor new features, some bug fixes, and ongoing support. And it will work with your existing TrueCrypt container files if you have any."
Anyone used this fork of the Truecrypt code? I'm definitely going to check it out soon for some archived data I've got laying around. At least when I get home and have a chance.
"According to research 77 percent of people said that they did not feel that public Wi-Fi was any less secure than their own personal internet connection, 75 percent also said that they wouldn’t curb their activity on public Wi-Fi and they weren’t conscious of anything they may need to avoid doing whilst using it, showing a lack of awareness of the potential risk when using public Wi-Fi."
We are clearly failing to educate people on the risks of using public wifi.
I'm not saying you should never use it; as much as I travel, there's no way I could claim that. But be aware of what you do when connected to a public network and plan accordingly. If you're on a public network, like a hotel, and not taking any steps to use a VPN or other type of encrypted connection, then everything you send from your computer goes across that network. Someone with a little tiny bit of knowledge can grab a copy of all of it simply by being connected to the network at the same time as you.
So wait to do any online banking or shopping until you're not on a public network, change your passwords frequently, and turn on two-factor authentication whenever you can.
Do you use public wifi networks? How do you keep yourself safe? Let's get a good collection of professional techie tips going!
"Also appearing to be correct were reports that the "hacking" that took place in this instance was of the less hack-y variety and more of the let's-try-the-guy's-old-password-y."
Yeah so, let's learn a lesson here people. Don't start a new job with the same password you used at your old job, OK?
Yes, using the password to access the Astros data was illegal, but something as simple as not using the same password that you just turned over to the old employer would have thwarted this hacking attempt.