Security and privacy experts, not to mention federal government agencies, are still reeling from the WikiLeaks disclosure a few weeks ago of the CIA's cache of hacking and surveillance technologies. Among those disclosures was a particularly interesting finding: the existence of "HammerDrill 2.0," a cross-platform security toolkit that can breach the air gap.
The past week has provided some interesting revelations around the Internet of Things (IoT). As we all know, the IoT is that collection of generally unmanaged devices with embedded connectivity to the Internet. From cars, to refrigerators, thermostats, televisions and more, the IoT seeks to connect everything it can to the world’s largest global network. Conceptually, the IoT is a great thing: it can lead to more efficient use of energy, customized manufacturing, faster transportation and much more. However, as we’ve seen in the past ten days, there’s a dark side to the IoT.
Over the past two weeks, the security industry has seen some disclosures (or in one case, a half-disclosure) of vulnerabilities within security vendors' own products. In at least two of these cases, we know that the vulnerabilities could have led to a significant compromise of data and systems. But what is really interesting about these two vendors is how they responded to the discovery.
Businesses must take IT security seriously because their financial future depends on it. IT security is a broad topic that covers a range of different fields.
Here we'll discuss common vulnerabilities and why companies must ensure their operational systems are well-protected from cybercriminals.
"Injection vulnerabilities are one of the most common and oldest web application vulnerabilities."
1. Injection vulnerabilities
Injection vulnerabilities, such as cross-site scripting and CRLF injection, are among the most common and oldest web application vulnerabilities: wherever untrusted input is concatenated into a response, a query, or a protocol message without validation and output encoding, attackers can easily find the flaw and use it to affect (or infect) the application and its users.
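To make the two named bug classes concrete, here is an added example (not code from the original article) showing a CRLF header-injection bug and a reflected cross-site-scripting bug, each next to its hardened form. The attacker inputs, the redirect handler, and the search page are all constructed for illustration; the hardened redirect assumes only site-relative targets are legitimate.

```python
"""CRLF injection and reflected XSS: the vulnerable handler beside its fix.

All inputs and handlers below are constructed for illustration.
"""
import html
from urllib.parse import quote

# Constructed attacker input: a "next page" parameter carrying CR/LF so that a
# second, attacker-chosen header follows the Location header in the response.
CRLF_PAYLOAD = "/home\r\nSet-Cookie: session=attacker"

# Constructed attacker input for the search page.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def redirect_headers_vulnerable(next_url: str) -> str:
    """Builds a redirect by string concatenation: whatever the user sends, including
    CR/LF, lands verbatim inside the header block (vulnerable)."""
    return "HTTP/1.1 302 Found\r\nLocation: " + next_url + "\r\n\r\n"


def is_safe_header_value(value: str) -> bool:
    """A header value may never contain the line terminators that delimit headers."""
    return "\r" not in value and "\n" not in value


def redirect_headers_hardened(next_url: str) -> str:
    """Rejects CR/LF outright, restricts the target to site-relative paths
    (assumption for this example), and percent-encodes what remains."""
    if not is_safe_header_value(next_url):
        raise ValueError("CR/LF not allowed in header value")
    if not next_url.startswith("/") or next_url.startswith("//"):
        raise ValueError("only site-relative redirect targets are allowed")
    return "HTTP/1.1 302 Found\r\nLocation: " + quote(next_url, safe="/?=&") + "\r\n\r\n"


def parse_headers(raw: str) -> dict:
    """Parses a raw response the way a naive client would: one header per CRLF line.
    Used here to show what the injected response looks like to the recipient."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def search_page_vulnerable(query: str) -> str:
    """Reflects the query into HTML unencoded (vulnerable to reflected XSS)."""
    return f"<p>Results for {query}</p>"


def search_page_hardened(query: str) -> str:
    """Encodes the query for an HTML text context; quote=True also covers
    attribute contexts, which is the safer default."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    print(parse_headers(redirect_headers_vulnerable(CRLF_PAYLOAD)))
    print(search_page_hardened(XSS_PAYLOAD))
```

Running the vulnerable redirect through `parse_headers` shows the attacker-supplied `Set-Cookie` header sitting in the response as if the server had sent it; the hardened version refuses the value before it ever reaches the header block, and the HTML encoding turns the script tag into inert text.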
In a recent article on Credit Union Journal, I wrote about how to go beyond risk management to assess vulnerabilities in order to secure your data. It is important to understand that vulnerability and risk are not the same thing. Risk is the probability of a vulnerability being exploited multiplied by the cost of the damage it would cause. Scoring each vulnerability this way is what risk evaluation requires, and it will help you focus your remediation efforts as well as define compliance boundaries. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. It works by analyzing computer systems for known weaknesses such as unnecessary open ports and exposed services, insecure software configuration, susceptibility to malware, and so on.
If your organization is subject to PCI DSS 3.2, you are likely aware of the looming deadline mandating the migration away from SSL and TLS v1.0 to a secure version of TLS as defined by NIST (currently v1.1 or higher, with v1.2 strongly recommended). The PCI Security Standards Council previously released a bulletin on the migration to help explain the reasons for the change and what steps are necessary. While the PCI Security Standards Council has extended the deadlines for compliance, there are very real reasons not to wait to make the move.
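A practical first step in that migration is knowing what your own server configuration will still negotiate. The following added example (not from the PCI bulletin or the original article) places a legacy server context that leaves the protocol floor at whatever the OpenSSL build allows beside one pinned to TLS 1.2 and above, and audits each for the versions PCI DSS 3.2 wants gone. It uses only the Python standard library; the optional network probe at the end is an assumption about how you would test a live host and is not exercised here.

```python
"""TLS configuration audit: a legacy server context beside a hardened one.

Constructed example; the contexts are built in-process and never bound to a socket.
"""
import socket
import ssl

# Versions that PCI DSS 3.2 requires to be retired (SSLv3 and "early TLS").
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def legacy_context() -> ssl.SSLContext:
    """The weak setting: no explicit floor, so the context offers whatever the
    linked OpenSSL still supports (TLS 1.0 and 1.1 on many builds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected setting: refuse anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def permitted_legacy_versions(ctx: ssl.SSLContext) -> list:
    """Names of the legacy versions the context's protocol floor still admits.

    This audits the configured floor only: an OpenSSL build or security level may
    refuse these versions anyway, so pair it with a live probe before signing off.
    """
    return [v.name for v in LEGACY_VERSIONS if v >= ctx.minimum_version]


def meets_pci_tls_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate SSLv3, TLS 1.0 or TLS 1.1."""
    return not permitted_legacy_versions(ctx)


def server_accepts_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Assumed live-probe approach: pin a client to exactly one protocol version and
    see whether the handshake completes. Needs network access; not run in the audit.
    A False result only proves the negotiation failed, which can also happen when the
    client's own OpenSSL refuses to speak that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we are probing the protocol, not the cert
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("legacy  :", permitted_legacy_versions(legacy_context()))
    print("hardened:", permitted_legacy_versions(hardened_context()))
```

The audit reports `['SSLv3', 'TLSv1', 'TLSv1_1']` for the legacy context and an empty list for the hardened one. Setting `minimum_version` is the modern replacement for the older `OP_NO_TLSv1`-style option bits; if your deployment still uses those, check them as well, since either mechanism can forbid a version.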
In spite of the headline-making hacks of Sony, Anthem, and many other organizations, many business executives still have not prioritized cybersecurity as a top concern. A 2015 NTT Com Security survey showed that half of its participants were not prepared for a cyber attack. Yet hacks are becoming more frequent, and hackers are taking more creative approaches and finding more opportunities to strike. Executives who neglect cybersecurity place their companies at greater risk of a data breach.
With new bugs like the recent glibc vulnerability being announced nearly every day, it is important to consider how your organization handles vulnerability management. How do you know which of your critical systems are exposed to which new vulnerabilities? If you had only one server or device to keep track of, you might know all the details of its configuration: which software is running and which versions are installed. But even then, keeping up with the latest CVE announcements and identifying which of them affect your system may be overwhelming, particularly if maintaining the device is not your only job. If you are like many of the IT professionals we speak with every day, you are wearing many hats and fighting constant fires. Therefore, it becomes critical to construct a comprehensive vulnerability management program to protect your organization. Here are three things every security professional should consider when building a vulnerability management program:
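The question above, which systems are exposed to which new advisory, and the earlier point that risk is the probability of exploitation multiplied by the cost of damage, both come down to the same two steps: match advisories against a software inventory, then rank what matches by risk. The following added example (not code from the original articles) does exactly that over a constructed inventory and constructed advisories; the advisory identifiers, version numbers, likelihood estimates and impact figures are all placeholders, and the version comparison is a deliberately simple one that does not understand distribution-specific epochs or revisions.

```python
"""Match advisories to an inventory, then rank exposed hosts by risk = likelihood x impact.

Everything below (hosts, packages, advisories, scores) is constructed sample data.
"""
import re
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions with letter suffixes, e.g. '1.0.2g' < '1.0.2h'.
    Digit runs compare numerically, letter runs lexically (assumption: good enough for
    upstream-style versions; package epochs and '-N' distro revisions are not modelled)."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder identifier, not a real CVE
    package: str
    fixed_in: str          # first version that carries the fix
    likelihood_pct: int    # analyst's estimate of exploitation probability, in percent


# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01":   {"glibc": "2.21", "openssl": "1.0.2g", "nginx": "1.10.0"},
    "db-01":    {"glibc": "2.23", "openssl": "1.0.2g"},
    "build-01": {"glibc": "2.19", "musl": "1.1.12"},
}

# Constructed advisories for this week's feed.
ADVISORIES = [
    Advisory("ADV-2016-001", "glibc", "2.23", 60),
    Advisory("ADV-2016-002", "openssl", "1.0.2h", 30),
]

# Constructed cost of compromise per host, in whatever unit your risk register uses.
IMPACT = {"web-01": 100, "db-01": 500, "build-01": 40}


def is_affected(installed: str, advisory: Advisory) -> bool:
    """A host is affected when it runs the package at a version below the fix."""
    return version_key(installed) < version_key(advisory.fixed_in)


def exposed(inventory: dict, advisories: list) -> dict:
    """Returns {host: [advisory_id, ...]} for every host with at least one match."""
    result = {}
    for host, packages in inventory.items():
        hits = [a.advisory_id for a in advisories
                if a.package in packages and is_affected(packages[a.package], a)]
        if hits:
            result[host] = hits
    return result


def prioritized(inventory: dict, advisories: list, impact: dict) -> list:
    """Risk per host = sum over matching advisories of likelihood x impact, highest first.
    Integer percentages keep the arithmetic exact."""
    by_id = {a.advisory_id: a for a in advisories}
    scores = []
    for host, hits in exposed(inventory, advisories).items():
        risk = sum(by_id[h].likelihood_pct * impact[host] / 100 for h in hits)
        scores.append((host, risk))
    return sorted(scores, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for host, risk in prioritized(INVENTORY, ADVISORIES, IMPACT):
        print(f"{host:10} risk={risk:7.1f} advisories={exposed(INVENTORY, ADVISORIES)[host]}")
```

With this data the web server matches both advisories but the database server, matching only one, still ranks first because its cost of compromise is five times higher; that is the point of scoring by risk rather than by raw vulnerability count. In a real program the inventory would come from your configuration management or agent data and the `fixed_in` versions from the advisory feed itself.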
Last week, engineers at Google announced the latest vulnerability to be identified in Linux systems. Like last year's GHOST vulnerability, this bug affects Linux devices that use the GNU C Library (glibc). Because the library is so widely used in Linux systems, the vulnerability may be present in nearly any Linux-based device that links against glibc.
The 2015 cyber attacks on SMEs may be in the past, but the damage caused by these hundreds of security breaches has left lasting digital scars. And given the rate at which cyber attacks occurred in 2015, 2016 is likely to be even worse. What this means for vulnerable SMEs is another year of fending off countless sophisticated cyber attacks and hoping not to become the next data breach in the news. Hackers know that SMEs tend to have weaker defenses than larger organizations, usually due to a lack of financial and human resources. They also know that a wealth of customer data and intellectual property sits behind easily penetrable defenses within these SMEs, and that an SME can be a route to a bigger score (particularly if it contracts with larger companies, which may be harder to penetrate directly). So if big enterprise companies such as Sony Pictures Entertainment, Hilton Hotels, and Anthem Inc. cannot protect themselves, what is an SME to do in such a volatile world? Below are 3 options for SMEs to pursue to enhance their cybersecurity posture in 2016.