security

Funding for bug bounty vendor

February 9th, 2017

As per the recent news, one can make money in the rewarding business of security researchers for finding security vulnerabilities. HackerOne published that they have raised a $40M Series C round of funding. Total funding received till date for the San Francisco based company is $74 Million.

Dragoneer Investment Group led new round of funding. It will be used to help HackerOne grow its business.

“HackerOne is at the forefront of the burgeoning bug bounty movement,” Marc Stad, Founder and Managing Partner of Dragoneer Investment Group, said in a statement. “It is borderline silly for a company not to utilize a bug bounty platform given the immediate reduction in security vulnerabilities and the relatively low price point compared to other security options.”

Rice, co-founder and CTO of HackerOne in the video interview mentioned the statistics of business growth. Also, discussed the bugs found by HackerOne’s community of researchers.

Hacking the pentagon program was one of the major successes of HackerOne. The results were positive. It has 1,400 security researchers participating in the program. It also discovered 138 serious vulnerabilities which were fixed quickly. Also, the U.S. Department of Defense also got involved in the program.

HackerOne faces competition from bug bounty vendor Bugcrowd. The rival has raised $24 million in funding to date which includes $15 million Series B round.

“When I started the company in 2013, I spent most of my time explaining what a bug bounty was to people,”Bugcrowd founder and CEO Casey Ellis said. “I don’t have to do that anymore.”

“How we do things today is we prove a concept manually first, apply human intelligence to the problem set and then take the repeatable learnings and codify that,” Ellis said.

The market of buy bounty is competitive but there is demand. Rice also mentioned that more bugs have been found by third party bug bounty companies as compared to vendors.

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Ukraine Blackout

January 27th, 2017

According to the Ukraine’s national power company Ukrenergo, blackout in Kiev was due to cyber attack. Initial reports suggested that workstations and SCADA systems at a 330-kilowatt substation were attacked by hackers. The Company didn’t mention the source from which the attack originated.

“The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion,” Ukrenergo said.

“The attackers actually attacked more but couldn’t achieve all their goals.” Said Honeywell lead cyber security researcher Marina Krotofil.

Marina said that the attackers hid in the network for six months. She added, “The team involved had quite a few people working in it, with very serious tools and an engineer who understands the power infrastructure.”

In 2015, a similar attack was attributed to Russian hackers. It affected 225,000 people in western Ukraine while damaging power distribution equipment.

“Cyber attacks that cripple critical infrastructures continue to grow at a rapid pace — the repeated attacks on power plants in Ukraine, resulting in a loss of power to hundreds of thousands, [are] just the latest example,” Dtex Systems CEO Christy Wyatt told eSecurity Planet by email.

“It is crucial for all public and private sector organizations to focus on not only mitigating these attacks, but preventing nation state actors from gaining access to their networks in the first place,” Wyatt added.

Recent Survey Tripwire of 200 IT professionals working for governments has below findings –

Ninety-eight percent believe smart cities are at risk for cyber attacks

Thirty-eight percent said smart grids have the greater cyber security risks

Twenty percent said they have smart city initiatives

Fifty-five percent says they don’t have enough cybersecurity resources

“Security isn’t usually glamorous, and it can be difficult to    sell the need for added time and cost on a project, even when it’s to ensure that services are secure,” Tripwire senior director of IT security and risk strategy Tim Erlin said in a statement. “Smart city initiatives are pushing the technological envelope for urban infrastructure management, and it’s clear from the survey results that cyber security is being left out of the conversation.”

____________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Insider Threat

October 3rd, 2016

According to the latest survey of 500 IT professionals, one in three respondents said that their business has experienced an insider strike in the last year. Other observation includes: survillance

  • Seventy four percent said that their business is exposed to insider threats
  • Fifty six percent said insider flows are becoming more regular
  • Seventy one percent said they are most worried about inadvertent flows resulting from the use of unsecured mobile devices, accidental outside sharing, and unsanctioned programs
  • Sixty eight percent are worried because of threat caused by neglect
  • Sixty one percent are worried because of threat caused by malicious insiders

Privileged users have emerged as the biggest security threat which represents 60 percent of businesses. Respondents said rise in the number of apparatus with access to sensitive information, inadequate data protection options, worker training, and more information leaving the network perimeter are causing more insider threat. Cloud storage programs and cooperation software are seen as the most exposed.

“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” Bitglass CEO Nat Kausik said in a statement. “The reality is that cloud apps have made data more readily accessible and insider threats more prominent — it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”

Twenty three percent said it can take them a month or more to identify an insider violation

Sixty six percent said stopping insider risks is more challenging than shielding against outside dangers

A different RedOwl study of 281 participants at Black Hat 2016 found that 47 percent of participants had experienced an insider event of some sort in the previous year.

When asked who in their business is intrigued in mitigating insider risks, answers contained- typical workers, executives, board of directors, human resources, and IT and security teams. Impact of insider events are standing legal repercussions, IP loss, financial loss, negative cultural impact, and brand damage.

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

EHR vendor and data breach

June 18th, 2016

Healthcare organization, Vincent Vein Center has notified patients of a potential healthcare data breach. The incident was result of the hacking incident at Bizmatics, a vendor who manages EHR for Vincent. Colorado-based phlebology office of the facility mentioned that some of its EHR files were accessed by the outside entity. Unauthorized access was related to PrognoCIS system, a practice management and EHR system serviced by Bizmatics.

The number of affected individuals stands at 2,250 according to the OCR data breach tool. Affected information included names, addresses, health insurance information, health visit and treatment information, and other identifying data, such as Social Security numbers.The PrognoCIS system use to store complete patient files.

Bizmatics mentioned that there has been no indication that Vincent Vein Center’s files were accessed or obtained by the outside party. Also, there are no available reports of information published online.

As per Bizmatics, “cybersecurity firm is hired to investigate the incident. It found out that that cybercriminals had installed malware on its systems to capture user credentials. Affected individuals are contacted about the possible data breach. Also, the facility has established a toll-free number to answer any questions which included identity theft protection resources for patients.”

As noted in Bizmatics’ letter, we have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. VVC is examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate. VVC will make every attempt to prevent further breaches.

“We sincerely regret that this incident has occurred and thank you for your understanding.”

————————————————————————————————————————————————————–

Alertsec is used by organizations that have recognized the need to protect their information  Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

Computer glitch and Data Breach

March 26th, 2016

Laborers’ Health & Welfare Trust Fund for Northern California discovered that a computer glitch caused certain consumer health information to be processed incorrectly. The incident affected the processing of IRS Form 1095-B which included some patient health data in California.

According to the reports, some personal health information of workers were sent to other plan
participants and beneficiaries. Affected information included beneficiary names and names of dependents, Social Security numbers, and health plan coverage information. According to a press release, the Fund Office has notified potentially affected individuals personally, and will provide free credit monitoring to them.

The Fund Office mentioned that it will be taking steps to strengthen training processes and tighten security measures.

According to the press release –
The Fund Office has notified participants and provided credit monitoring services to all those participants and beneficiaries affected.The Fund Office has also instituted stronger security measures to guard against future mishaps.

According to the Wikipedia –
A computer glitch is the failure of a system, usually containing a computing device, to complete its functions or to perform them properly.In public declarations, glitch is used to suggest a minor fault which will soon be rectified and is therefore used as a euphemism for a bug, which is a factual statement that a programming fault is to blame for a system failure.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Tools for Compliance management which can boost security

June 24th, 2014

HIPAA has certain set of rules when it comes for compliance management. Compliance requirements are many times seen as an unnecessary burden but if proper procedures are followed then it can protect your organization even from data breach. Moreover it can also protect you from lawsuits to corporate espionage. The risk associated with compliance failures can include financial impact or fines, data loss, lost business or even a suspension of operations.

Below is the list of compliance management tools –

  • www.glpi-project.org: A free, open source tool, GLPI offers IT and asset management capabilities. After all, a good inventory is the first step in seeing what needs to be secured.
  • www.ptatechnologies.com: A free toolset that is driven by the methodology of effectively managing operational and infosec risks in complex systems using calculative threat analysis and threat modeling.
  • www.somap.org: The ORICO Framework and Tool are two projects in one, offering risk management and the toolset to build a reference implementation of a security framework.
  • sourceforge.net/projects/assetmng: An open source IT asset management system that provides identification, valuation and risk assessments.
  • http://openfisma.org : An open source framework that is designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

IT managers may need to build their own solutions and integrate off-the-shelf products with other solutions. Luckily for those choosing a path of self-development, several free tools can become part of an integrated solution.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Boulder Community Health (BCH) investigating data breach

May 13th, 2014

 

Someone mailed patients’ records to their homes to prove that Boulder Community Health (BCH) has lapses in security. It is one of kind of incident where context of breach is bizarre. BCH located in Colorado is investigating the incident. Earlier incidents include BCH notifying 178 patients when paperwork was missing. A different incident of BCH happened in which two unlocked recycling bins left 79 patients’ records exposed.

The letters which was sent out contained information of the records from the clinic sites on the main Foothills campus and the Riverbend Office Park neighboring the campus. The letter was sent to the patients to show the lapses of BCH in securing patient’s information. It mentioned that the sensitive information was taken from the papers present in trash bins just outside of the campus.

“If you travel north of Arapahoe (Avenue) on 48th (Street),” the letter said, “you will see the blue containers that contain medical records. These containers are often left unlocked.”

BCH has claimed that it has checked and reviewed employee privacy training and education and added automatic locks to recycle bins. It was not clear exactly whether there was a shredding policy in place.

“Our immediate goal is to determine the scope of this situation,” Boulder said in a statement. “We will work with any affected clinics to assess the impact on their patients and provide support to affected individuals.”

The letter also didn’t fail to accuse the organization of focusing on making money while not emphasizing patient privacy.  Based on the reports, it was clear that unknown person inappropriately took nine patients’ records and sent them to those patients in an attempt to shed light on Boulder’s alleged lax patient privacy policies.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

After 7 months Maricopa Colleges informs 2.4 million students of data breach

November 27th, 2013

It took The Maricopa County Community College District seven months to notify 2.4 million current and former students and employees that their academic or personal data were compromised in a security breach.

The district’s governing board has already approved several million dollars for repairs, and agreed to spend up to $7 million more to notify everyone who is potentially affected, said spokesman Tom Gariepy.

Gariepy said that letters will be sent to current and former students, employees and vendors of the district’s 10 colleges going back at least several years to alert them that their information could have been seen.

Among the vulnerable data were employees’ Social Security numbers, driver’s-license numbers and bank-account information, he said. Students’ academic information also may have been exposed, but not their personal information. However there is no evidence that any information actually was looked at or stolen.

Gariepy also told that the FBI notified the district that it found a website advertising personal data from the district’s information-technology system for sale. The district’s website was taken down that day and stayed down for several days before being restored in stages.

Gariepy said the district didn’t release information about the event at the time because it was investigating the extent of the exposure.

“There was a tremendous amount of data, and the forensics investigation around this was very complex. They had to look at a number of different systems and servers and databases. It would have been nice to say something earlier, but we couldn’t give anyone information until we could say it with certainty, even if it’s not conclusive” Gariepy said.

At the same time, the district was repairing its information-technology system and didn’t want to publicize that it could be vulnerable. The district has installed more firewalls and security procedures. He also said some employees in the information-technology department face disciplinary action.

“We started immediate steps to make the system secure, and it’s become progressively more secure as time has gone on,” he said.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

Facebook alert its users following Adobe data breach

November 19th, 2013

Back in October, approximately 150,000,000 Adobe customer’s user information was compromised in a stupendous data breach. After such a massive damage to Adobe during security breach, Facebook users who use the same credentials as that of Adobe were asked by Facebook to take precaution so as to protect their information. Facebook’s security team is mining the data leaked from the Adobe breach to find users who are currently using the same password that they used for Adobe.

Facebook has locked the accounts of these users and the only way to unlock their account is by answering a few security questions and changing the compromised password. Facebook is telling such users that for their own sake, “No one can see you on Facebook until you finish.”

You may be wondering how Facebook is able to pinpoint which users are committing the security mistake of reusing passwords. The researchers at the social media website pass an Adobe

user’s recovered password through their hashing function, allowing them to see if the result matches what they have on record for that user. These actions show how the website is being proactive and responsible when it comes to users’ security and privacy.

This alertness by Facebook perfectly illustrates the importance of having multiple passwords and not reusing passwords on different sites, especially those which may have been compromised or leaked in the past. It is also critical to create strong and unique passwords that hackers will not be able to guess easily. Following these quick and easy password precautions will ensure your security and privacy on all of your favorite websites.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Enhanced by Zemanta

388 council-owned laptops lost

November 17th, 2013

The loss of hundreds of council laptops potentially containing council taxpayers’ confidential information has been termed as ‘not a big security breach’.

The Observer exclusively reported an Interim Progress report from the Royal Borough’s internal Audit and Investigation Unit revealed 388 council-owned laptops were unaccounted for in a survey of council IT assets.

The missing laptops range from devices owned and used in council-maintained schools to assets kept in council buildings.

The report, which outlines risks arising from procedures and policies and any countermeasures being taken, was scrutinized at an audit and performance review panel meeting at the Town Hall, in St Ives Road, Maidenhead, on Thursday last week.

Councilor Duncan McBride, chairman of the panel, said: “I think this has come up before. It is not the first time it has come before us. It is clear from the previous meeting that this is not a major security breach.

“It is terrible that we might have lost these things but… I do not think it is a big security breach.”

However, Councilor Simon Dudley, deputy leader of the council, said: “I’m concerned about these figures, I mean you can see the headlines about the council losing 388 laptops and potentially important information being on them. I would want security processes clearly written down for staff.”

Questioning how many laptops had gone missing in the past year, Liberal Democrat Councilor George Fussey, said: “If we are losing laptops quite regularly, that would be a huge issue. It would be useful to know if we are still losing them or if this is 388 over five years or something.”

Catherine Hickman, head of audit and investigation at the Royal Borough and report author, said the missing laptops date back to 2005 and only a handful, most likely in single figures, had been lost in the 2012/13 financial year.

Mrs. Hickman added; “It could be for a variety of reasons. They may not have been stolen, they could be left in cupboards and forgotten about. We are trying to assess this.”

Councilor McBride added the fact the lost computers may have been older than five years would negate the importance of the lost information and steps have since been taken to reduce the chance of laptops with confidential information on them going missing.

However, speaking after the meeting, councilor John Fido said: “That represents a quite lackadaisical attitude. 388 laptops missing not only represents an awful lot of taxpayers’ money – you would expect a couple of hundred of pounds for each laptop – but also the information on them it puts at risk. These matters have to be treated respectfully.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta