data security

Privacy and Security for Americans

May 12th, 2017

A Recent survey conducted by AnchorFree shows that more than eighty percent of Americans are worried about online privacy and security as compared to previous year.

The bill is passed which allowed companies to collect personal data without permission through ISPs. Ninety-five percent of respondents are concerned about this bill. More than fifty percent people are looking to increase their security for personal data.

The survey also shows that more than 70 percent are employing more ways to protect their data as compared to previous year.

“Our survey finds that the majority of consumers are concerned in the aftermath of the Federal Communications Commission’s rollback of Internet privacy protections,” AnchorFree founder and CEO David Gorodyansky said in a statement.

“As more connected devices emerge and threats to Internet freedom persist, it’s imperative for Americans to learn about online privacy protection options and take personal responsibility for safeguarding their health, wealth and family,” Gorodyansky added. “They otherwise risk the misuse of this data by hackers and third party companies.”

Another survey by TeleSign survey shows that thirty-one percent of consumers have their online life worth of $100,000 or more. Fifty percent believe that businesses are primarily responsible for security.

“Companies make plenty of money with the time and money we invest in them and they should do the same to protect our accounts and personal identity,” one survey respondent said.

A survey conducted by Lawless Research shows that 51 percent faced data breach in the previous year. Forty-two percent suffered financial loss. One-third of the respondents stopped doing business with that companies.

Almost 61 percent changed their password after it was compromised. Seventy percent said that they use reused passwords.

Another survey conducted by EyeVerify mentioned that eighty-six percent believes that biometrics makes logging in apps easier. Also, seventy percent believe mobile apps are more secure with biometrics authentication.

“Most people use some form of biometrics every day, but they want more opportunities to use it to make their lives easier and more secure,” EyeVerify CEO and founder Toby Rush said in a statement.

 ___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Verizon Survey

May 5th, 2017

Verizon mentioned that increase in the propriety research, prototypes, and amounts of confidential personal data is the major factor for the rise in the phishing attack. It also mentioned that there is an increase in 50 percent in the attacks last year.

Almost 95% of the attacks include the phishing technique of software installation on the user device. There is also rise in getting the information by pretending someone else. These are called pretexting attacks. Eighty-eight percent of pretexting attacks originated from emails.

Many smaller organizations also suffered a data breach. Sixty-one percent of breach occurred at the companies having less than 1000 employees.

“Cyber-attacks targeting the human factor are still a major issue,” Verizon Enterprise Solutions Global Security Services Executive Director Bryan Sartin said in a statement. “Cybercriminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

Verizon mentioned that three quarters of the breaches was caused by outsider. Almost 51% involves criminal groups.

Finance sector was the major area where attacker focused. Almost 24% attacks counted for this sector. Healthcare involves 15% of data breaches.

“The cybercrime data for each industry varies dramatically,” Sartin explained. “It is only by understanding the fundamental workings of each vertical that you can appreciate the cyber security challenges they face and recommend appropriate actions.”

Survey also found out that 73% percent of the attacks are financially motivated.

“Social engineering is a common means for cybercriminals to establish a foothold,” report authors warned. “And employees are making this easy by using easy-to-guess passwords. Users, and even IT departments are even often guilty of not changing the default passwords that devices come with, and can easily be looked up online.”

The report author at Verizon mentioned that encryption and two-factor authentication also help to limit the damage.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Stolen laptop leads to data breach

May 2nd, 2017

Lifespan Corporation recently suffered a possible data breach due to stolen laptop. The device belongs to Lifespan employee. An individual broke into employee’s car and stole laptop along with other items. The employee immediately reported the incident to law enforcement & Lifespan.

As per the website, “Lifespan, Rhode Island’s first health system, was founded in 1994 by Rhode Island Hospital and The Miriam Hospital. A comprehensive, integrated, academic health system affiliated with The Warren Alpert Medical School of Brown University, Lifespan’s present partners also include Rhode Island Hospital’s paediatric division, Hasbro Children’s Hospital; Bradley Hospital; Newport Hospital; and Gateway Healthcare. “

To reduce unauthorized access to the laptop, Rhode Island health organization changed the login credentials for accessing Lifespan system information. Facility found out the stolen MacBook was not encrypted. Password protection was also not present on the system.

The laptop included information of 20,431 patients. Affected information included emails containing patient names, medical record numbers, and demographic information. Lifespan has started notifying the affected patients. Call centre is also established to answer the queries.

Facility mentioned that there is no suggestion or information of data misuse. Also, patient medical records or Social Security numbers were not included in the breach.

Facility is retraining the employees to avoid such incidents in future.

“Lifespan is committed to protecting the security and confidentiality of our patients’ information, and we deeply regret this incident occurred.”

How can you protect data when the laptop is stolen?

Encryption

 Encryption can play a major role in securing your data in case of stolen laptop.

Authentication

Biometrics and two-factor authentication (2FA) increases the security level of your device.

Email security

Your email contains a lot of sensitive information. Emails are auto-opened in the system due to stored password. Remember password or use alternative methods to open email accounts.
Find My Device

Activate Find My Device software on your laptop. It will help you to track the laptop.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Companies planning to implement security-as-a-service model

April 29th, 2017

OPAQ Networks sponsored the recent survey of 301 US-based IT professionals. It shows that 87 percent of participants are planning to use security-as-a-service model. Survey also mentioned that 40 percent of companies manage security through part-time employees, contractors and Managed Security Service Providers (MSSPs).

According to eight two percent participants, the in-house staff spends 20 to 60 hours a week for procuring, implementing and managing a variety of security products.

“The security challenge for mid-tier businesses is multi-dimensional,” 451 Research analyst Daniel Cummins mentioned in a statement. “For these businesses, everything seems to be increasing — attack frequency, compliance requirements, complexity, costs, and the number of security products that need to be managed.”

Three-fourth of participants said that they dedicate between three to five full-time employees to security. The total cost incurred is $178,000 a year. Forty percent believe that the security spending is going to increase by 10 to 20 percent within one year. Seventy-two percent prefer security as service.

“We thought there would be a preference for the ease and simplicity of security-as-a-service solutions, but we were genuinely surprised by both the degree and urgency of the market demand,” OPAQ chief strategy and technology officer Ken Ammon mentioned in a statement.

“MSSPs are and will continue to play an important role in advising and supporting incident response, but this study reveals that MSSPs should look to leverage cloud-based solutions in order to deliver what the market is demanding,” Ammon added.

Survey participants mentioned that they seek cloud-based security functionality which includes data loss prevention, network access control and encryption.

Other survey conducted by Spiceworks and undertaken by Carbonite shows that only  11 percent of IT pros’ time is utilized on IT planning and strategy while 13 percent is utilized on modernizing technology.

“In a time when data threats are more prevalent than ever, it’s important IT teams have the capacity to focus on mission-critical tasks as well as proactively preparing for threats and strategizing ways to innovate their existing technology in order to facilitate a safe and secure organization,” Carbonite chief evangelist Norman Guadagno said in a statement.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Security Survey For Mobile Data Breach

April 25th, 2017

According to the recent survey by Dimensional Research, Sixty-four percent of security professionals feel that their organisations cannot prevent a breach to employees’ mobile devices.

Highlights of the survey are as below:

Twenty percent had suffered mobile breach incident

Twenty-four percent are not sure of the breach or they can’t tell about it

Fifty-one percent believe that breach to mobile is equal to that of PCs

“Perhaps the high level of concern is based on the frequency of mobile device loss or theft, as well as the limited security measures companies use to protect enterprise mobile devices,” the report states.

More than a third of companies fail to secure mobile devices as required and only thirty-eight percent take help of mobile security solution. Fifty-three percent says that lack of budget leads to a less secure environment. Forty-one said the shortage of resources is the reason.

“The dichotomy of management trying to control costs and security professionals struggling with insufficient tools to repel attackers is not a new story line in most enterprises,” the report notes. “Unfortunately, the story usually ends sadly with a huge, embarrassing event with the press blazing headlines of a costly hack and the company suffering brand damage and loss of customer confidence.”

Ninety-four percent feels that mobile attack will increase in coming time

Seventy-nine percent expect that complexity of mobile security will increase

Twenty percent said that mobile breach can cost $500,000 and 11 percent said it will cost more than $1 million for the companies

“The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” Dimensional Research principal David Gehringer said in a statement.

“Security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses,” Gehringer added. “It’s unfortunate that so many companies have not learned from the past and are doomed to repeat wasted costs and the customer outrage of being breached.”

____________________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security software, the market leader in the field of mobile data protection. Encryption is performed with the AES 256 bit encryption algorithm.

Encryption strategy for enterprises

April 18th, 2017

A Recent survey of Thales’ 2017 Global Encryption Trends Study shows that only 41 percent of enterprises have an encryption strategy which has consistency throughout the company.

Other findings of the reports are as follow-

Forty-six encrypts data on-premise before sending to the cloud

Twenty-one percent encrypts data in the cloud

Thirty-seven percent gave control of keys and encryption processes to cloud service providers

Fifty-five percent believe that compliance is the most important driver for encryption

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyber attacks, as well as the need to protect a broadening range of sensitive data types,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement.

“Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy,” Ponemon added. “Encryption and key management continue to play critical roles in these strategies.”

A different survey conducted by Venafi of more than 1,540 information security professionals shows that twenty-three percent have no idea the extent of decryption and inspection of encrypted data.

“Encryption offers the perfect cover for cyber criminals,” Venafi chief security strategist Kevin Bocek said in a statement. “It’s alarming that almost one out of four security professionals don’t know if his or her organization is looking for threats hiding in encrypted traffic.”

“It’s clear that most IT and security professionals don’t realize the security technologies they depend on to protect their business are useless against the increasing number of attacks hiding in encrypted traffic,” Bocek added.

This survey also showed that 41 percent companies encrypt at least 70 percent of internal network traffic.

“Although the vast majority of the respondents inspect and decrypt a small percentage of their internal encrypted traffic, they still believe they can quickly remediate a cyber attack hidden in encrypted traffic,” Bocek said. “The problem is that attackers lurking in encrypted traffic make quick responses even more difficult.”

“This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs,” Bocek added.

“This overconfidence makes it very clear that most security professionals don’t have the strategies necessary to protect against malicious encrypted traffic.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Hacking of Amazon third-party sellers’ accounts

April 16th, 2017

Hackers use passwords for high-profile breaches to compromise Amazon third-party sellers’ accounts. The attackers stole tens of thousands of dollars from sellers’ accounts. They also posted nonexistent items for sale in order to get more funds.

The incident has affected two million seller accounts on Amazon.com account which counts for more than half of its sales. As per the reports, over 100,000 sellers earn more than $100,000 a year.

Amazon seller Margina Dennis told NBC News about the fraud. She got 100 emails from customers. They were complaining of not getting a Nintendo Switch. The product was uploaded on site through her account by hacker. They also changed the accounts password.

An Amazon spokesman said “There have always been bad actors in the world; however, as fraudsters get smarter so do we. Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com.”

Third-Party Risk

CyberGRX CEO Fred Kneip mentioned that hackers are targeting Amazon’s third-party ecosystem for financial gain.

“Amazon is a high-profile example of how increasingly connected businesses have become, but organizations across the world in every industry are undergoing a similar transformation as outsourcing, globalization and the digitization of business expand their digital ecosystems exponentially,” he said.

“Whether it’s one of the world’s largest retailers or a small business, companies need to approach third-party cyber risk as a real threat to their business that needs to be continuously managed,” Kneip added.

AlienVault security advocate Javvad Malik mentioned that third party vendors should look for their own security.

“It is therefore, important that all companies of all sizes have at least a basic level of threat detection controls in place that can alert when unexpected changes occur, or when systems start behaving in an unusual manner,” he said.

“Compromised credentials are the leading attack vectors in cyber breaches, as hackers target networks through trusted third-party suppliers and contractors who likely have less rigorous security than the ultimate target,” Centrify senior director of products and marketing Corey Williams said.

“This certainly won’t be the last time we see third parties being hacked — organizations need to up the security stakes with multi-factor authentication, which requires more than one method of authentication to verify the user’s identity for a login or other transaction, in order to stop the use of stolen credentials,” Williams added.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Keeping sensitive information from leaks

April 11th, 2017

Today companies needs to keep the data very secure due to need of protecting corporate data and  also regulations which require consumer data to be protected. EU General Data Protection Regulation (GDPR) are increasing the fines for non compliance. It is daunting task for companies to comply with regulations.

“I can see the difference from before GDPR and after GDPR,” he said of companies scrambling to shore up data leaks. “Even if I have a tiny office somewhere, I need to check for confidential data.” And automating this scrutiny is the only way to effectively manage it.” said Angel Serrano, senior manager of advanced risk and compliance analytics at PwC UK in London.

What is DLP?

ISACA mention it “data leak prevention”.

Gartner calls it “data loss protection” or “data loss prevention”.

It prevents unauthorized users from sending sensitive data.

“DLP is not one thing, like a tomato,” GBT Technologies co-founder Uzi Yair said, referring to GBT’s enterprise suite of products. In addition to more traditional practices such as scanning endpoints, network and storage as well as policy management and workflow tools, it includes an information rights management (IRM) policy server that applies file-level control over who has access to what, where – it might be solely on-premises – and when.

Recent reports on DLP has below highlights:

  • An average of 20 data loss incidents occur every day all around the world
  • Eighty three percent of organisations have security solutions but still thirty three percent suffer from data loss
  • DLP detects incidents and has regular expressions, dictionary-based rules, and unstructured data for breach detection.
  • Many facilities use DLP only for email instead of full business applications

DLP takes two forms:

  • Agent software for desktops and servers, physical and virtual appliances for monitoring networks and agents, or soft appliances for data discovery
  • Integrated DLP products that may offer more limited functionality

“All these web applications like Google Drive and Office 365 are integrating with other satellite applications,” said Krishna Narayanaswamy, founder and chief scientist at Netskope.” Salesforce uses Google Drive as a place to store files. DocuSign can put documents in Google Drive. You need to be at all the points where data is going into these applications. You need to be able to inspect that data at rest and determine who uploaded that data. Also inspect and apply policies to outgoing email.”

Many companies do not use new ways.

“The new generation considers email a dinosaur. They go to social media – Twitter, LinkedIn, Facebook – you have to cover those as well. More and more communication is coming via SSL, and that’s a big blank spot that many DLP vendors have not considered,” Narayanaswamy said.

“When you look at the web, there are many reasons for sending data from inside to the outside,” Narayanaswamy said. “Modern applications constantly post information about how users are using the application, response times, and so forth, to improve user experience. When you look at every post transaction, there’s a potential for many false positives,” which have been the bane of DLP.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Ransomeware attack at ABCD

April 8th, 2017

ABCD Pediatrics recently suffered ransomware attack. According to the statement, a virus was inserted to gain access to the healthcare organization’s servers. Patient data was encrypted in the process. Facility contacted IT personnel to take all servers offline. It is conducting detailed analysis.

Experts came to conclusion that this particular type of virus has likely not removed the information from the server.  Facility also mentioned that user accounts may have been accessed through it’s network. Affected information includes names, addresses, phone numbers, dates of birth, Social Security numbers, insurance billing information, medical records, and lab reports.

As per the OCR data breach reporting tool, approximately 55,447 patients may have been affected. ABCD has successfully removed the virus from the system. Corrupted data was also removed from its servers. Secure backup of the facility is not affected and thus used to restore all impacted data. It also mentioned that no PHI was lost or destroyed in the incident.

“Also, please note that ABCD never received any ransom demands or other communications from unknown persons,” ABCD stated. “However, ABCD remains concerned because it discovered user logs indicating that computer programs or persons may have been on the server for a limited period of time.”

Facility has upgraded it cyber security monitoring program to stop future incidents. Call centre is setup for the affected patients.

“Patients also can place a fraud alert on their credit files with the three major credit reporting agencies. A fraud alert is a consumer statement added to one’s credit report. The fraud alert signals creditors to take additional steps to verify one’s identity prior to granting credit. This service can make it more difficult for someone to get credit in one’s name, though it may also delay one’s ability to obtain credit while the agency verifies identity.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach trends in 2016

April 5th, 2017

As per the IBM report, data breach increased 566 percent in 2016 from 600 million to more than 4 billion. The report also mentioned that healthcare in no longer the most attacked sector. Most of the attack was carried out on financial services industry.

In 2016, 12 million records were affected in healthcare. In previous year, the breach was 100 million records which counts to eighty eight percent drop. IBM surveyed 8000 security clients in 100 countries.

IBM Security Vice President of Threat Intelligence Caleb Barlow mentioned that the cyber attacks was carried out with innovative techniques.

“While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment,” Barlow said in a statement. “The value of structured data to cyber-criminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”

IBM mentioned that for ransomware attacks, 70 percent of the companies paid more that $10,000 to regain the access to data. According to the FBI, cyber-criminals were paid $209 million in first three months of 2016.

Ransomware attacks are on the rise with 400 percent increase. In the coming time healthcare will do many reforms which includes increase in internet of things (IoT) technology. This will increase the attacks.

“Retail and financial services have battened down their hatches,” IDC Health Insights Research President Lynne Dunbrack told HealthITSecurity.com in a 2016 interview. “Now the cyber criminals might still be nipping at those heels, but they are looking at other targets, healthcare being one of them.”

CynergisTek Vice President Dan Berger mentioned that attacks against healthcare are carried out with sophistication.

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger stated.

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.