Human error, weak passwords and OS misconfigurations still the most vulnerable targets for hackers

January 8, 2014

When hackers recently defaced the homepage of OpenSSL.org, administrators initially claimed the attack came “via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.” One day later, VMware defended its ESX Server against the OpenSSL claim and – one day later – OpenSSL’s investigation “found that the attack was made through insecure passwords at the hosting provider.” VMware, which originally claimed “the defacement is a result of an operational security error,” released an updated statement when OpenSSL updated its advisory to “confirm that their understanding of the cause of this incident is the same as VMware’s.” What’s the lesson here? Primarily, says Online Tech Senior Product Architect Steven Aiello, that attackers aren’t interested in taking the hard road to their targets. “Human error, weak passwords and OS misconfigurations from inexperienced administrators are still the most vulnerable targets for hackers,” he said. While the OpenSSL hack was harmless – the Turkish group responsible seemed only interested in bruising OpenSSL’s pride – that’s not typically the case. Complex criminal organizations are becoming quite effective at making money in cyberspace. Take, for instance, researchers at Trustwave finding another Pony botnet controller in December that was overseeing nearly…

Managing cyber-security threats from inside

December 28, 2013

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. This post is by Tom Olzak, a security researcher for the InfoSec Institute and an IT professional with over 27 years of experience in programming. (View original post.) In addition to the excellent points Olzak makes about managing insider threats, Online Tech suggests creating an environment of education in the workplace and stresses that leadership must be willing to surface areas of concern with all employees. The number of annual security incidents caused by insider threats is increasing. In The CERT Guide to Insider Threats, Cappelli et al. write, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and less skilled employees use information to achieve political or financial objectives. Any of these can constitute a critical national defense breach or breach of public trust. To defend against completion of damage or theft, an organization must hold every employee responsible for detecting and reporting both behavioral and technical evidence indicating a possible employee defection from policy and compliance. Further, technical…

Top 5 Vendor Questions When Outsourcing your IT Infrastructure in 2014

December 23, 2013

With 2013 wrapping up and 2014 close on the horizon, many organizations are reviewing their IT infrastructure needs. For some, it’s an active, ongoing conversation; others wish they could sweep that discussion under the desk for another year. Regardless of your business objectives, you and your organization need to explore these questions to find the right vendor to entrust with your IT infrastructure needs. 1.) What solution will work best for our organization’s needs? Know and rank your business priorities. What’s most important? Computing power from a dedicated server? Hardware that can scale with your business needs? Pure square footage for a colocation environment? Disaster recovery options? What are the demands of your IT infrastructure today? Will that solution still be able to meet the needs of your organization in 3-5 years? These are the kinds of discussions that you and your potential vendor should have to establish a solid partnership and discover the best solution for your organization. 2.) Does your organization need to meet specific compliance requirements (HIPAA, PCI, Safe Harbor, SOX)? Does your organization handle patient health information, cardholder data, or other sensitive information? If so, finding a vendor that can be your partner in the…

Avoiding a High Profile Breach with Preventative IT

October 31, 2013

The Adobe hack originally reported earlier this month turns out to have affected 38 million total users, including financial and personal account data. Adobe claims the 2.9 million initially reported had their credit cardholder data compromised, while the additional millions had their encrypted passwords stolen. In addition, a letter to Adobe customers claims that hackers may have even used Adobe’s systems to decrypt some of the passwords. While merely speculative during early investigations, it has been recently verified that the source code for Adobe ColdFusion, Acrobat, Reader, and Photoshop has been stolen and posted online. Photoshop’s source code appeared to be unencrypted, according to TheVerge.com. As I originally wrote about in Source Code, Encrypted Data Stolen as 2.9 Million Affected in Adobe Breach, compromised source code is serious business, since a breach of an end user product allows hackers to write new malware and viruses for said product and use them to access sensitive/confidential corporate or personal data. JDSupra Law News has deemed 2013 the “Year of the Mega Breach Cybersecurity Awareness Month” due to the sheer size and litany of big-name breaches in the past few months alone – they name the seven biggest breaches of the year to…

The Great Infrastructure as a Service (IaaS) Checklist

October 28, 2013

According to ZDNet.com, there are a few checklist items to look for when shopping for an IaaS (infrastructure as a service) provider, as they wrote about in Finding the Ideal IaaS Provider. I supplied some commentary on our perspective as a secure IaaS hosting provider. Knowledge of your industry: The article states that it’s to your advantage if your IaaS provider can meet the regulatory, security and other governance compliance requirements that your apps and data need to follow. For example, if you’re a healthcare SaaS company looking for a HIPAA compliant cloud IaaS, don’t go with the vendor that won’t sign a business associate agreement or has never heard of the law. For more about compliant IaaS hosting, including resources on HIPAA, PCI DSS, SOC 2, SOX and Safe Harbor, read our Compliant Hosting pages, or visit our resource library. Technical competence and consultative capability: What kind of expertise can your IaaS provider bring to the table? Meet and get to know the IT team you’ll be working with in the data centers, and find out if they have the certifications and knowledge required to provide excellent service. Communication is key to effective IT management and planning, particularly if something…

Celebrating National Cyber Security Awareness Month (NCSAM)

October 4, 2013

October is National Cyber Security Awareness Month (NCSAM), celebrated annually to raise awareness about online security for consumers, small and medium-sized businesses (SMBs), corporations, educational institutions and young people nationwide. NCSAM will focus on different aspects of online security, including mobile devices, cyber education (including workforce development in STEM – Science, Technology, Engineering and Math), cybercrime, and cybersecurity as it affects critical societal infrastructure, such as transportation systems, electrical grids, emergency response systems and more. The resources on their site include a 2012 NCSA/Symantec National Small Business Study that reveals 38 percent of business owners believe losing Internet access for 48 hours would be extremely disruptive to their business. Another 46 percent say a safe and trusted Internet is very critical to their business’s success. However, 32 percent believe a data breach would have only a short-term impact on their business, while another 47 percent think a data breach would have no impact on their business, as it would be viewed as an isolated incident. A data breach can affect a company’s financials and credibility, as well as introduce legal issues, particularly if the data breached is considered protected health information (PHI) or credit cardholder data (CHD). Sometimes data breaches…

Quick, Look Over There: DDoS Diversions Result in Millions Stolen from US Banks

August 23, 2013

The most recent hack on at least three major banks involved “low-powered” DDoS attacks targeting wire payment switch systems. A wire payment switch system manages and executes wire transfers at banks. While the story is still developing on how exactly the hackers accessed wire transfers, it is known that DDoS attacks were used to divert the attention of bank security staff in order to gain access to the system. This event presents a different type of security risk that organizations might not consider – the fact that they may have concentrated all or too much of their resources/personnel on handling attacks while neglecting security of other systems. One way to remedy this issue is to partner with an IT and hosting firm that specializes in technical security and secure hosting. Their focus and investment is in providing expert IT management and support, which frees up your organization to focus solely on your business growth. By using DDoS attacks as their cover, the hackers somehow took over the payment switch (wire application) by using the credentials of a privileged user account. By controlling the master payment switch, hackers were able to move large amounts of money from as many accounts as…

Chain of Trust: Importance of Vetting Third-Party Security

August 16, 2013

While you may think your organization has all of the appropriate technical, physical and administrative security in place to guard against a data breach, what about your third-party vendors and the additional web-based software that you use on your website or internally to support your company’s workflow processes? This question is one raised after the recent hack by external forces in Syria that took down CNN, Time and the Washington Post on Thursday. Instead of directly targeting their websites, hackers had launched a phishing email attack against the employees of an ad content company that provided services to all three of the media outlets. According to Outbrain.com, the affected ad content company, they were the victim of a social engineering attack in which employees received an email purporting to be from their CEO. The email included a link from a news source that redirected to a page asking for Outbrain credentials. Someone complied, and the hackers were then able to gain access to their widget configuration tools. The ad content network supplies links to related, external websites and articles that are similar in content to the one any user is currently reading, often titled “Other stories from around the web.” TheAtlanticWire.com…

Avoiding Business Disruptions Caused by Data Breaches

August 12, 2013

A recent study by the Ponemon Institute and Experian Data Breach Resolution reveals that 45 percent of organizations reported having suffered a data breach or security exploit over the past 2 years as a result of negligence or mistakes causing the loss of confidential business information. Thirty-four percent experienced a disruption in business operations, and 24 percent were victims of misuse or theft of confidential business information (i.e., intellectual property). Last year I wrote the article Michigan Cyber Initiative Reports ‘People’ as Weakest Link in IT Security, citing Michigan.gov’s cybersecurity advice about Personnel Security Controls – “People are the key ingredient to a successful organization, but people can be the weakest link for security of the environment.” Countless data breaches can be attributed to human error, including sloppy IT security practices, like the recent healthcare data breach caused by a health IT vendor that had its firewall turned off for a month, allowing Google to index private data (read PHI Indexed on Google? Reaffirming the Need for Business Associate HIPAA Compliance for the whole story). Mistakes happen, but risk mitigation can start with preventive tactics such as updated and consistent staff security training. Appointing a Risk Management and…

Tips From an InfoSec Expert: Incident Response

June 20, 2013

While at BSides Detroit, I was able to catch some really great sessions. One in particular, Josh Little’s A Cascade of Pebbles: How Small Incident Response Mistakes Make for Big Compromises, was extremely informative, as it allowed the audience a chance to see mitigation efforts from the outside of a targeted attack, giving clear takeaways that all companies can use to make their incident response processes more effective. Immediately, Little’s team tried a straightforward phishing email, to no avail. So, they spent a few days creating an intricate fake company: one that showed up in Google searches, had a company news ticker, and had information on the ‘executives’. The point of the email was to have users fill out a survey and ‘login’, thus giving up their username and password. One user did fill out the survey, and they had credentials to get into the network. Simultaneously, someone in the IT department realized that it was bogus and sent an email out to everyone who received the email telling them not to click on it. He also checked the logs, and seeing that no one had clicked, he decided that it was taken care of. What he didn’t know was that the…
