Keeping you and your library safe and secure
1. Keeping You And Your Library
Safe and Secure
Blake Carver – blake.carver@lyrasis.org
http://lisnews.org/security/
http://security4lib.org/
http://lyrasis.org
Intro
3. “Security is two different things: it's a feeling & it's a reality”
Bruce Schneier – TedxPSU
5. Have A Hacker Mindset
Think Like A Bad Guy
Have A Security Mindset
Think Defensively
6. "None of this is about being 'unhackable'; it’s about making the difficulty of doing so not worth the effort."
7. Secure, here, doesn't mean impenetrable
Competent and determined bad guys armed with the right tools can always find a way in
Less talented folks, and many automated tools, however, experience great effort as a deterrent
12. What Are They After?
• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Social Media
• Computers
• Usernames
• Contact Lists
• Emails
• Phone Numbers
These all have value to someone
15. We don’t know how our information is used, stored or shared, and for how long.
We don’t know who has access
We don’t know if it’s safe
16. On the InterWebs, the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so.
Robert X. Cringely
19. How Do You Know If You Are Infected?
• Fans Spinning Wildly
• Programs start unexpectedly
• Your firewall yells at you
• Odd emails FROM you
• Freezes
• Your browser behaves funny
• Sudden slowness
• Change in behavior
• Odd sounds or beeps
• Random Popups
• Unwelcome images
• Disappearing files
• Random error messages
20. How Do You Know If You Are Infected?
You Don’t
30. Browsers
• Use Two & Keep Updated
• Know Your Settings
– Phishing & Malware Detection - Turned ON
– Software Security & Auto / Silent Patching - Turned ON
• A Few Security Plugins:
– Something to Limit JavaScript
– Something to Force HTTPS
– Something to Block Ads
Staying Safe Online
31. But The Internet Is Free Because Of Ads...
• Online ads were 182 times more likely to deliver malware than “adult” sites
• Google blocked
524 million 'bad ads'
250,000
• Up 50 percent in 1 year
39. Complexity is the Enemy of Security
(Bruce Schneier)
• Libraries have no shortage of access points
• We deal with any number of vendors
• Threats come from outside the libraries
• Threats come from inside the libraries
• Our libraries are full of people
43. How Can We Make Our Library Secure
• Don’t ignore it
• Prepare
• Train
44. Preparation - Practical Policies
• Patching and updates of the OS and applications on a regular basis
• Regular automated checks of public PCs & network
• Check the internets for usernames/passwords for your library (e.g. pastebin)
• Dedicated staff? Someone needs to stay current
• Lost USB Drives?
• Is your domain name going to expire?
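For the last bullet, here is an added example (my own code, not from the deck) that reads a WHOIS record and flags a domain that is near or past expiry; the sample WHOIS text, domain and dates are constructed, and the list of expiry labels covers only the common spellings.

```python
from datetime import datetime, timezone

# Constructed sample of a WHOIS response; the domain, registrar and dates are
# made up for this example. Only the expiry line matters to the check.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LIBRARY.ORG
Registrar: Example Registrar, Inc.
Updated Date: 2016-03-01T10:15:00Z
Creation Date: 2010-06-15T00:00:00Z
Registry Expiry Date: 2016-12-20T00:00:00Z
Name Server: NS1.EXAMPLE.NET
"""

# Registries label the expiry line differently; these are common spellings
# (assumed list, extend it for the registries your domains live at).
EXPIRY_LABELS = {"registry expiry date", "expiration date", "expiry date", "paid-till"}

# Date formats seen in WHOIS output, tried in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")


def parse_expiry(whois_text: str) -> datetime:
    """Return the expiry timestamp (UTC) found in a WHOIS record.

    Splits each line at the first colon so that the colons inside an ISO
    timestamp are left alone, then matches the label case-insensitively.
    """
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in EXPIRY_LABELS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
        raise ValueError(f"unrecognised expiry date format: {value!r}")
    raise ValueError("no expiry date found in WHOIS record")


def days_until_expiry(whois_text: str, today: str) -> int:
    """Whole days between `today` (YYYY-MM-DD) and the record's expiry; negative if expired."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (parse_expiry(whois_text) - now).days


def expiry_status(whois_text: str, today: str, warn_days: int = 60) -> str:
    """Classify the domain as 'ok', 'warning' (within warn_days) or 'expired'."""
    days = days_until_expiry(whois_text, today)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Run this from a scheduled job against real `whois` output and alert on
    # anything that is not "ok"; here the date is pinned for a reproducible demo.
    print(expiry_status(SAMPLE_WHOIS, "2016-11-09"), days_until_expiry(SAMPLE_WHOIS, "2016-11-09"))
```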
45. Training
• Phishing
• Privacy
• Passwords
• Email Attachments
• Virus Alerts
• How to practice safe social networking
• Keeping things updated
48. Change your mindset – YOU are the attacker
• What are your library’s most valuable assets?
– Where are these assets?
– How can they be accessed?
• If you were the attacker how would you spread malware?
• Who are the most ‘vulnerable’ targets in the organization?
They are different: you can feel secure when you’re not, and you can be secure even if you don’t feel it.
I want people to walk away from this with a hacker mindset, and with a security mindset. I want them to look at things, at things on the internet, differently. I want them to see how secure, or insecure things are. How secure, or insecure, their habits are.
http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
A quick hashing recap
Let’s take a quick step back before talking about what’s wrong with the hashing algorithms of today. The problem that cryptographic storage of passwords is trying to address is to limit the potential damage of unintended disclosure of passwords in storage. Now of course all the good upstream security practices such as mitigating against SQL injection vulnerabilities and protecting your backups still apply, this is about what happens once things go really, really wrong.
We were reminded of this just the other day when WHMCS was breached and thousands of account details were leaked. In this case it appears that some basic social engineering was used to circumvent the host’s security thus allowing access to the database of user accounts. It was a similar story with LinkedIn just a little bit later when 6 million passwords were exposed through (as yet) unknown or undisclosed means. Disclosure of passwords in storage happens. Lots.
So this is really the whole point of hashing – once you get owned to the extent that WHMCS and LinkedIn were, secure cryptographic storage of the passwords is the only thing saving your customers’ credentials. And remember, a large percentage of these credentials will be reused across other services so secure storage is about protecting a lot more than just the site that was breached.
The trick is to ensure the effort to “break” the hashing exceeds the value that the perpetrators will gain by doing so. None of this is about being “unhackable”; it’s about making the difficulty of doing so not worth the effort. In this case when I say “break” or “crack”, I’m talking about re-computing hashes rather than finding weaknesses in the algorithms themselves. I’m literally talking about taking a plain text string, hashing it then comparing it to a password already in storage. If they match, then I’ve just discovered the plain text password.
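To make the recap concrete, here is an added example (my own code, not from Troy Hunt’s post or the deck) that contrasts unsalted SHA-1 storage with salted, deliberately slow PBKDF2 storage and measures the work-factor gap that makes recomputing hashes “not worth the effort”; the iteration count and the stored-string format are assumed values.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional

# Assumed parameters for this example: tune the iteration count to your own
# hardware (a login should take on the order of a tenth of a second) and raise
# it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Unsalted SHA-1, the kind of storage the post argues against.

    It is fast, and the same password always gives the same digest, so a
    leaked table can be matched against precomputed digests and every user
    who chose that password is exposed at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'pbkdf2_sha256$iterations$salt$digest'.

    A random per-user salt makes every stored value unique even for equal
    passwords, and the iteration count multiplies the cost of every guess.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_colliding_weak_hashes(passwords: List[str]) -> int:
    """Number of users who share an unsalted digest with at least one other user.

    Recovering one such digest reveals the password of the whole group; with
    per-user salts the same list would always score 0.
    """
    digests = [weak_hash(p) for p in passwords]
    return sum(1 for d in digests if digests.count(d) > 1)


def work_factor_ratio(samples: int = 100) -> float:
    """Rough ratio of one PBKDF2 computation to one SHA-1 computation.

    This is the asymmetry the post is after: a legitimate login pays the slow
    hash once, while recomputing hashes against a stolen table pays it per guess.
    """
    start = time.perf_counter()
    for i in range(samples):
        weak_hash(f"sample-{i}")
    weak_each = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    strong_hash("sample-0", salt=b"\x00" * SALT_BYTES)
    strong_one = time.perf_counter() - start
    return strong_one / weak_each


if __name__ == "__main__":
    users = ["password1", "letmein", "password1", "qwerty", "password1"]
    print("users exposed together by unsalted storage:", count_colliding_weak_hashes(users))
    stored = strong_hash("correct horse")
    print("verify ok:", verify("correct horse", stored), "wrong:", verify("wrong horse", stored))
    print(f"PBKDF2 costs about {work_factor_ratio():,.0f}x one SHA-1")
```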
It boils down to 3 types of bad guys.
http://www.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html
They are after most of the things you’d expect, and some you might not...
Personal information is the currency of the underground economy. It's literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.
A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say. That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop—cha-ching—they've just made $250,000 off of one hack.
Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowBe4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos' so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds. "Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.
– Meridith Levinson, CIO, "Are You at Risk? What Cybercriminals Do With Your Personal Data", http://www.cio.com/article/698820/Are_You_at_Risk_What_Cybercriminals_Do_With_Your_Personal_Data_
Here’s a big list of
Common computer troubles
Common symptoms of malware infections
You don’t know which one it is!
Symantec reports they have seen the technique in malicious Droid apps hosted on Russian websites. Polymorphism has long been used to evade signature-based detection on PCs, with no little success. Server-side polymorphic techniques create a new version of the malware each time it is downloaded. The combination of these mechanisms, sophisticated obfuscation and the sheer volume of unique malware samples — tens of millions annually — have rendered client-based antimalware far less effective than it was just a few years ago.
On your computer:
Keep that OS patched and updated. Related: Don’t use Windows XP
Disable hidden filename extensions
Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat)
Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources
If you're not using something, just remove it. Every program installed on your computer opens a potential new hole.
Make sure your firewall is turned on
Make sure file sharing is turned off
Use a reputable virus & malware protection software program, keep it up to date and run it often
Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications
Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside
Have a recovery plan - Is your stuff backed up?
If it's a laptop, use something like Prey Project
Advanced: Consider changing up your hosts file and/or using something like OPEN DNS.
Yet Another Reason to Secure Your Wi-Fi Network: Child Porn Charges
Published by Jay Rivera
on April 28, 2011
in Criminal Law
By now we all know that privacy and the internet mix just about as well as water and BP. Previously we have blogged about privacy concerns and technology, specifically how police need a warrant to search e-mails. But did you know that you could get accused for internet activity that you didn’t even do, or weren’t even aware of?
That’s exactly what happened in a recent New York case regarding unsecured wi-fi internet connections and privacy rights.
In Buffalo, New York, police raided the house of a man because they suspected he was downloading child pornography. After viewing the man’s wi-fi internet activity, they believed that he might be responsible for the downloads, which were traceable to the user screen name “Doldrum”.
It turns out he wasn’t “Doldrum” at all- after further investigation, the police discovered that Doldrum was actually a neighbor who had been mooching download time off of the man’s unsecured wireless wi-fi. In this case, the man was found to be innocent. However, the police stated that the unfortunate situation might have been avoided if he had protected his internet connection with a password (which of course he didn’t).
On a much broader note, the Buffalo case does raise some very relevant issues regarding wi-fi usage and citizen’s privacy rights. That is, do the police have the right to obtain information from unsecured wi-fi internet activities? If you are using a neighbor’s unsecured internet connection (which is completely commonplace nowadays), who is responsible for activities such as illegal downloads? As this case illustrates, it can initially be difficult to tell who is responsible for what when it comes to openly shared and unsecured wireless wi-fi connections.
Copyright lawsuit targets owners of non-secure wireless networks
Failure to secure routers may let others download copyrighted content, Liberty Media contends
By Jaikumar Vijayan, Computerworld February 06, 2012 04:35 PM ET
A federal lawsuit filed in Massachusetts could test the question of whether individuals who leave their wireless networks unsecured can be held liable if someone uses the network to illegally download copyrighted content.
The lawsuit was filed by Liberty Media Holdings LLC, a San Diego producer of adult content.
The company has accused more than 50 Massachusetts people, both named and unnamed, of using BitTorrent file-sharing technology to illegally download and share a gay porn movie.
According to the compliant, the illegal downloads and sharing were traced to IP addresses belonging to the individuals named in the compliant and to several John Does. The complaint alleges that each of the defendants either was directly responsible for downloading and sharing the movie or contributed to the piracy through their negligence.
Your Wi-Fi At Home:
Make sure you set a good password and use WPA or WPA2
Be sure to change the default Administrator Passwords (and Usernames)
Change the Default SSID and also disable SSID Broadcast
Turn off DHCP and set a fixed IP address range instead
Use MAC Address Filtering
When you're not using it, just turn it off
Be sure to keep the firmware upgraded
Change your passwords every so often
For many people, their personal email account is where they store their lives. Bank statements, bills, personal correspondence, work files, anything you can get in electronic form can often be found in a given target's email inbox. And a large number of email systems protect users' inboxes with nothing more complicated than a simple password.
http://threatpost.com/en_us/blogs/own-email-own-person-082012
Your Email:
Never open email attachments unless you know for sure what that file contains
Never click a link unless you know for sure where it leads is safe
Check your mail filters and forwards for things you didn’t add
Use good passwords
Sign out when you're done
Use two factor authentication when possible (e.g. Google Authenticator for Gmail)
Be sure to use https when on public Wi-Fi
Consider using 2 separate email accounts to keep important things separate from everyday stuff
Watch out for short links, it's hard to know where they'll lead you
Web Browser — The Single Most Important [Online] Security Decision You Make
from WhiteHat Security Blog by Jeremiah Grossman
If you are reading this post chances are good that you are doing so with a Web browser. And if you are like most people, you use that very same Web browser to bank, shop, book airline tickets, find directions, read news, keep up with friends and family, and so on. These online activities are extremely important to everyday life and the reason why the Web browser you choose may be the single most important [online] security decision you make. If you are using anything except one of the latest browsers, you are putting your computer at risk, and by extension the most intimate details of your life, to viruses and the criminals who author them.
Microsoft understands this better than most, and is launching a program encouraging people to upgrade their Web browser and protect themselves. The next important thing to understand is not all Web browsers are created equal and how safe they keep you online is difficult to compare, even for the experts. For consumers making a good Web browser choice can be even more daunting, even after becoming aware at just how exposed they may be on an outdated platform. To address this predicament, Microsoft is releasing a scoring methodology to assist people in selecting a Web browser that’s right for them.
Microsoft’s approach to this problem is interesting and novel. The score hinges on the presence of browser security features, comparing everything from URL filters to additional security functionality that web application developers can enable. Such a methodology is useful because it allows people to distinguish between Web browsers by which security features are available and most important to them. Packaging up the enhancements into an easy-to-understand score also helps demonstrate why upgrading makes sense — if nothing else it becomes obvious that newer browsers have better security features.
This effort by Microsoft is a huge step in the right direction and will serve to help make the Web just that much safer for everyone. For those curious, head over to YourBrowserMatters.org and see how the Web browser you are currently using scores.
http://searchenginewatch.com/article/2237541/Google-224-Million-Bad-Ads-Disabled-in-2012
Once again, the Google AdWords team has reported on its continued efforts to eliminate bad AdWords ads. This year, they've released an infographic (see below) that recounts all they have done over the past year to reduce the number of bad ads that appeared in the AdWords network.
Citing that Google's business "depends on keeping people safe and secure," the infographic identifies how the search giant defines "bad ads", how they discover them, and what they do once they find them.
By the numbers:
224 million: The number of banned ads.
889,000: The number of advertisers banned.
223: The number of countries and territories where bad advertisers originated from – the U.S., China, Japan, and India were the biggest offenders.
78: The number of languages abused in bad ad attempts – Scots Gaelic, Kyrgyz, Tatar, and Esperanto were particularly troublesome.
The rest of the infographic contains horn-tooting numbers to give law-abiding advertisers and consumers the warm-and-fuzzies. Their AdWords blog post closes stating Google's "zero-tolerance" policy for bad ads and reiterates commitment to do "whatever it takes" to keep the web – and Google users and advertisers – as safe as possible.
Google's commitment to reducing "bad ads" isn't a new resolution for 2013. In previous years, the AdWords team has gone through what they call "bad ads" to weed them out in an effort to protect consumers and "legitimate businesses in harm's way." Google's ad team has gone through multiple iterations of taking extra precautions to keep ads safe.
"In 2011, advertisers submitted billions of ads to Google, and of those, we disabled more than 130 million ads. And our systems continue to improve—in fact, in 2011 we reduced the percentage of bad ads by more than 50% compared with 2010. That means that our methods are working. We’re also catching the vast majority of these scam ads before they ever appear on Google or on any of our partner networks. For example, in 2011, we shut down approximately 150,000 accounts for attempting to advertise counterfeit goods, and more than 95% of these accounts were discovered through our own detection efforts and risk models."
Your Browser:
Keep your browsers updated to the latest secure releases
Keep ALL Plugins updated to the latest secure releases, especially anything from Adobe
Don’t install things from sources you don't trust
Block cookies, flash, and JavaScript (use with caution, will cause you trouble)
Use a password manager to store all your many passwords
Watch out for short links
Original URL: http://www.theregister.co.uk/2013/01/30/cisco_security_report/
Web smut sites are SAFER than search engines, declares Cisco
Network giant: Perimeters are porous, get used to it
By Joe Fay
Posted in Security, 30th January 2013 17:03 GMT
Cisco proclaimed that it is more dangerous to click on a web ad than a porn site these days as it unveiled the latest version of its security threat report.
The vendor also expanded its security offering, pulling in mobile management support for its ISE platform and announcing it had hoovered up Czech-based real-time security intelligence firm Cognitive Security.
Chris Young, senior veep for Cisco's Security and Government Group, said the nature of IT security threats was changing in the same way as the industry as a whole, meaning "the cloud" and "mobility" are trends for the cybercrime community too. This means that security managers should worry less about securing the perimeter and consider the "any-to-any" problem (any user, on any device, on any connection).
Cyber criminals and other miscreants were hitting their targets where they were most likely to gather, he said, and were increasingly launching "combinational" attacks.
This throws up some, arguably counterintuitive, conclusions. Malicious content is 27 times more likely to be encountered via search engines than counterfeit software, the vendor's 2012 Annual Security Report claims.
On the upside, perhaps, online adverts were 182 times more likely to deliver malware than a porno site, the survey said.
"We've been led to believe you have to go to an unsavoury place [to encounter malware]," he said. "That's not the case."
The report also said that mobile malware accounted for barely half a per cent of malware encounters, though it also showed a whopping 2,577 per cent jump in Android-based malware last year.
The report also noted a spike in malware encounters in the Nordics, something which was ascribed to fans of Julian Assange hitting sites in Sweden to show their displeasure at extradition proceedings against the WikiLeaker-in-chief.
Young said that with the change in computing models, including the shift to the cloud, old attacks had become "new" again. For example, a DDoS attack becomes a bigger threat to a company when it relies on the cloud for its enterprise applications or data.
Unsurprisingly, Cisco has answers to these threats, or at least for those whose preferred solution is not to spend all their web time browsing for porn.
While continuing to focus on access control, companies should "expect the perimeter is porous," he said.
With threats lingering and propagating within organisations, this means discovery and remediation - cleansing devices - was more important. "This is a cycle," he declared. Young said that scalability is also becoming increasingly important for security tools.
The vendor has just announced an upgrade to its Identity Services Engine, 1.2, which sees it partnering with device management partners, including SAP, Citrix and Good.
The firm has also bolstered the intelligence part of its proposition with the acquisition of Prague-based firm Cognitive Security. The 30-strong company offers a machine learning service that analyses security threats.
Cisco plans to integrate Cognitive's tech into its own cloud-based security offering by the end of the calendar year, and will retire its standalone product. While the Czech firm's customer base is pretty minuscule, Cisco VP of engineering Mike Furhman promised no one would be left high and dry.
You might say to yourself, oh, we’re just a library, no one will come after us, we have nothing worth taking.
A conclusion reinforced by evidence accrued in the aforementioned Verizon report and the following summation by Marc Spitler, a Verizon security analyst:
"Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords."
In other words, easy-to-find, easy-to-learn and easy-to-exploit weak passwords.
Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.
“Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”
And here’s the same thing in different wording:
“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”
And of course, I like this one because it highlights Automated Vulnerability Assessment:
“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”
Basically, your organization already has the security solution that it needs; you’re just not using it.
As you’ve now seen, it takes very very little skill to be a bad guy now.
Why Security Is Hard
Though it is easy, that is, so many of the holes we miss are easy to fill, it’s hard to get it all right. IT Security isn't always easy. When it comes to securing your IT resources it's very easy to make a mistake, or overlook something small. In every library it feels like there are a million things to worry about. It's NOT only the fools who are getting hacked, it's everyone and anyone. The best of us miss things and make mistakes that can lead to security breaches.
Most libraries don't have the money, time, or people to secure even the small number of resources they have. Larger libraries may be able to afford to spend more time/money on security, but then they also have more things to secure. Unfortunately, security doesn't scale up very easily. This doesn't mean you should give up and hope for the best! Everyone in your library has some small part to play in keeping things secure.
We can talk all day about how we should integrate security into our daily routine more, and how vendors need to simplify, consolidate, and improve functionality. But in the end those problems are every bit as hard as everything else I'm talking about and won't be solved anytime soon. Especially since the economics of security aren't overly favorable. The costs are very low for the bad guys, and very high for those of us trying to make things more secure.
The malware your computers are subject to now is very sophisticated. It's highly evolved and many times will be able to run totally undetected. It has automated installers, updaters, and a sophisticated command and control center that puts every infected machine to good use. It's easy for the writers of these tools to stay one step ahead of those who work to keep us safe. It's very easy for your computers to spy on your users, or become part of a botnet used to cause trouble anywhere in the world.
Force Attacker Perfection
I will fully admit that I sometimes find myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews:
The defender needs to be perfect all the time. The attacker only needs to succeed once.
And yes, it’s totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage.
If all the attacker cares about is getting in once, that’s true. If we only focus on stopping that first attack, it’s still true. But what if we shift our goal to detection and containment? Then we open up some opportunities.
As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean’s 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot.
We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it’s defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers.
I am not saying it’s easy. Especially since you need alert-based monitors so you aren’t looking at everything by hand. And let’s be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I’m an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity).
Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up.
—Rich
Our patrons are bringing in all sorts of Wi-Fi enabled things
And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget
If firewalls worked, that list of the major data breaches wouldn’t exist.
http://www.wired.com/wiredenterprise/2012/03/antivirus/
Jeremiah Grossman is the kind of guy you’d expect to be super paranoid when it comes to computer security. He was on the front lines at Yahoo more than a decade ago when a hacker named MafiaBoy was abusing the site with DDoS attacks. Now Chief Technology Officer at security consultancy White Hat Security, Grossman spends his time fighting web intruders for his company’s clients.
When it comes to computer security, he’s paranoid — and for good reason. He’s seen what the bad guys can do. But when he met with Wired at the RSA Conference in San Francisco this week, he said something surprising: He doesn’t use antivirus software.
As it turns out, many of his security-minded peers don’t use it either. The reason: If someone is going to try and attack them, they’re likely to use a new technique, one that most antivirus products will miss. “If you asked the average security expert whether they use antivirus or not,” Grossman says “a significant proportion of them do not.”
Dan Guido, the CEO of security startup Trail of Bits also doesn’t use AV. Some security pros use it because they’re in regulated industries, or because they work with customers who require it. “If it weren’t for that,” he says, “almost nobody in the security industry would run it.”
It’s a story we heard again and again at RSA this week. The pros are generally smart enough to avoid the things that will get them hacked — visiting malicious websites or opening documents from untrusted sources. But even if they get fooled, the odds of their antivirus software catching it are pretty low. But many of these pros also believe that antivirus isn’t always that useful to the average business either.
“Ten years ago if you were to ask someone the question, ‘Do you need antivirus?’ the overwhelming response would be, ‘Absolutely, my entire security strategy is based on endpoint antivirus,’” says Paul Carugati, a security architect with Motorola Solutions. “Today … I don’t want to downplay the need for it, but it has certainly lost its effectiveness.”
The problem is that most criminals are smart enough to test their attacks against popular antivirus products. There’s even a free website called Virus Total that lets you see whether any of the most popular malware scanning engines will spot your Trojan program or virus. So when new attacks pop up on the internet, it’s common for them to completely evade antivirus detection.
Consumers and small businesses can get good antivirus software for free, but do businesses even need antivirus software?
You Do and You Don’t
The short answer is: yes they do. Most companies can’t just drop AV. First of all, it’s a line of defense protecting employees who do the stupid things that the security experts tell us to avoid: clicking on dubious attachments, visiting untrustworthy websites. Second, companies often must have desktop security software to meet industry regulations, such as the Payment Card Industry (PCI) Data Security Standard. Those folks simply have no choice but to pay the Symantecs and McAfees of the world.
But according to some, businesses should probably spend less on antivirus and other security software. Much of the money they’re spending is better spent somewhere else, such as analyzing the mountains of data logged by software on computer networks for signs of attack. “Save that money,” says Andy Ellis, Chief Security Officer with Akamai, a company that helps websites deliver content on the internet. “Do your own log analysis because that is what’s going to catch the problems.”
White Hat’s Grossman agrees. “I think we overspend on the wrong security products,” he says. “Particularly antivirus. I think we overspend on firewalls and antivirus.”
Corporations do spend a lot of money on antivirus and firewalls. Research firm Gartner pegs the corporate desktop security software market at $3.4 billion worldwide. Consumers will spend even more — nearly $5 billion — on antivirus this year. Biggest of all, though, is the $6.5 billion firewall market.
Gartner Analyst Ruggero Contu doesn’t quite buy the argument that companies are spending too much money on antivirus. According to him, the antivirus vendors have been doing a good job lately of beefing up their products and delivering new features beyond basic malware protection, adding new features to encrypt files on disk and prevent data from leaking out. “Not to have malware protection would be foolish,” he says.
But spending money on learning how attackers are working, and changing your business to thwart common attack techniques may be a better investment.
“We need to be smart, we need to be more agile,” says Motorola’s Carugati. “My biggest concern right now and one of the things we’re focusing on is information sharing.” That means figuring out from his peers what attacks are really happening, and working out ways to stop them.
Dan Guido describes it as going “offensive on security.” Figure out who is likely to attack you — hacktivists, online banking thieves, so-called advanced persistent threat groups — and make sure that you can stop the known attacks that these people use. “You need to attack the system that they have developed to take advantage of your flaws,” he says. “That’s the name of the game.”
Mark Patterson learned that lesson the hard way back in 2009. That’s when hackers managed to install a variant of the widely used Zeus Trojan horse program on his construction company’s computers and steal the username and password to his corporate bank account. Over the next eight days, the criminals moved more than half a million dollars out of his account. Some of that cash was recovered, but at the end of the day, about $345,000 went overseas and is gone forever. To make matters worse, Patterson’s bank, Ocean Bank, says he’s responsible for the theft. (Patterson sued; last year, a court sided with the bank, but the case is being appealed.)
Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank to give him a call before it authorizes any big money transfers.
Patco still uses antivirus, but as Patterson puts it: “I think an AV is worth the investment,” he says. “I just would not rely on it as my protection for those transactions.”
http://www.networkworld.com/news/2012/022312-how-to-build-multiple-layers-256488.html
How to Build Multiple Layers of Security for Your Small Business
By Paul Mah, CIO February 23, 2012 10:20 AM ET
Most of us have heard about the concept of building a defense in depth in order to protect computer resources from black hat hackers. The idea revolves around the use of multiple defenses to thwart, or at least limit, the damage arising from a potential security breach.
RELATED: The data breach quiz
Given the rapid pace of change in the security sector, some executives may have difficulty naming the specific safeguards that their companies deploy. This guide aims to shed some light on some of the more common aspects of computer security, and also serve as a checklist to identify potential areas upon which to improve.
1. Network firewall
The first line of defense against unwelcome visitors would surely be the firewall. At one point, the use of dual firewalls from different vendors was all the rage, though the creation of a DMZ (Demilitarized zone) appears to be more popular these days. Internet-facing servers are typically placed within the DMZ, where they are encumbered by fewer restrictions and less monitoring than the internal corporate network.
There are actually a few different types of firewall implementations. For example, consumer-grade routers typically make use of Network Address Translation (NAT), which was originally created to address the problem of limited IPv4 routable addresses. Because the identity of hosts is obfuscated, NAT is often said to offer firewall capabilities.
At a minimum, a proper firewall typically offers packet filter technology, which allows or denies data packets based on established rules relating to the type of data packet and its source and destination address. Stateful packet filter firewalls conduct what is known as stateful packet inspection (SPI), which tracks active connections to sieve out spoofed packets, a superior approach to the stateless packet filtering firewall. Finally, a firewall operating on the application layer understands application-level protocols to identify sophisticated intrusion attempts.
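The difference between stateless and stateful filtering described above is easiest to see with two tiny filters fed the same packets. The following is an added illustration, not code from the article or from any firewall product; the packet format, the 10.0.0.0/24 "internal" prefix and the three packets are constructed for the demo. The stateless filter uses the classic "let inbound ACKs through" rule; the stateful one records each outbound 4-tuple and admits only inbound packets that match a connection an inside host actually opened, which is how it sieves out the spoofed packet.

```python
"""Stateless vs. stateful packet filtering (added example, constructed traffic)."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumption: addresses of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Judges every packet on its own header. Outbound is allowed; inbound is
    allowed only when the ACK flag is set, on the assumption that an ACK must
    be a reply to a connection an inside host opened. Nothing verifies that."""

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            return True
        return pkt.ack


class StatefulFilter:
    """Stateful packet inspection: remember the 4-tuple of each outbound
    connection and admit an inbound packet only if it matches one of them."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            # Store the connection from the peer's point of view so the
            # reply (peer -> inside host) is a direct lookup.
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table


def run_demo() -> dict:
    """Drive both filters with the same three packets and collect decisions."""
    outbound = Packet("10.0.0.5", 51000, "198.51.100.7", 443, syn=True)
    legit_reply = Packet("198.51.100.7", 443, "10.0.0.5", 51000, syn=True, ack=True)
    # Spoofed: ACK flag set, but no inside host ever talked to this peer/port.
    spoofed = Packet("203.0.113.9", 4444, "10.0.0.5", 139, ack=True)

    results = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        results[name] = {
            "outbound": fw.allow(outbound),
            "legit_reply": fw.allow(legit_reply),
            "spoofed": fw.allow(spoofed),
        }
    return results


if __name__ == "__main__":
    for name, decisions in run_demo().items():
        print(name, decisions)
```

Both filters pass the outbound request and the genuine reply; only the stateful filter rejects the spoofed "reply" to port 139, because no entry for that peer exists in its connection table.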
A heightened security awareness and an increase in ecommerce have led more users than ever to use encryption to protect against third-party snooping. Paradoxically, this has resulted in lower visibility of network traffic at a time when more sophisticated malware varieties are resorting to encryption in order to conceal themselves from a casual inspection.
2. Virtual Private Network
Employees who need to access company resources from unsecured locations such as public Wi-Fi hotspots are a particularly vulnerable group. Such workers will be well served by a virtual private network (VPN) connection in order to protect the confidentiality of their network access. A VPN channels all network traffic through an encrypted tunnel back to the trusted corporate network.
As a downside, a VPN can be complex for a small business to deploy, and is costly to support due to the overheads of authentication, processing and bandwidth. Moreover, it is also vulnerable to the theft of physical authentication tokens -- or authentication technology, as was the case with the compromise of RSA's SecurID technology last year. Finally, stolen and lost company laptops with preconfigured VPN settings can become potential gateways for unauthorized access.
3. IDS and IPS
An intrusion detection system (IDS) is a network-centric strategy that involves monitoring traffic for suspicious activities that may indicate that the corporate network has been compromised. On its simplest level, this may entail the detection of port scans originating from within the network or excessive attempts to log into a server. The former could be indicative of a compromised host being used to perform initial reconnaissance, while the latter could well be a brute-force attempt in progress. On more advanced network switches, IDS monitoring of network traffic may be enabled by port mirroring, or via the use of passive network taps.
An intrusion prevention system (IPS), by contrast, is usually deployed in-line in order to actively prevent or block intrusions as they are detected. A specific IP address could be automatically blocked off, with an alarm sent to an administrator.
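The two "simplest level" IDS checks named above, an internal host port-scanning a server and repeated failed logins against it, can be expressed as a few lines of detection logic. The following is an added example, not code from the article or from any IDS product; the log format (one `FW` line per connection attempt, one `AUTH` line per login result), the thresholds and the sample lines are all constructed for the demo.

```python
"""Minimal IDS logic: port-scan and brute-force detection over constructed logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not any real product's format).
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) AUTH host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

SCAN_PORTS = 8                      # distinct ports on one host from one source ...
SCAN_WINDOW = timedelta(seconds=10)  # ... inside this window looks like a scan
BRUTE_FAILS = 5                     # failed logins from one source to one host ...
BRUTE_WINDOW = timedelta(minutes=1)  # ... inside this window looks like brute force

SAMPLE_LOG = """\
2012-02-23T10:00:01 FW src=10.0.0.7 dst=10.0.0.50 dport=80
2012-02-23T10:00:01 FW src=10.0.0.23 dst=10.0.0.50 dport=21
2012-02-23T10:00:01 FW src=10.0.0.23 dst=10.0.0.50 dport=22
2012-02-23T10:00:01 FW src=10.0.0.23 dst=10.0.0.50 dport=23
2012-02-23T10:00:02 FW src=10.0.0.23 dst=10.0.0.50 dport=25
2012-02-23T10:00:02 FW src=10.0.0.23 dst=10.0.0.50 dport=80
2012-02-23T10:00:02 FW src=10.0.0.23 dst=10.0.0.50 dport=110
2012-02-23T10:00:03 FW src=10.0.0.23 dst=10.0.0.50 dport=135
2012-02-23T10:00:03 FW src=10.0.0.23 dst=10.0.0.50 dport=139
2012-02-23T10:00:03 FW src=10.0.0.23 dst=10.0.0.50 dport=443
2012-02-23T10:00:03 FW src=10.0.0.23 dst=10.0.0.50 dport=445
2012-02-23T10:00:04 FW src=10.0.0.7 dst=10.0.0.50 dport=443
2012-02-23T10:00:10 AUTH host=10.0.0.50 user=jsmith src=10.0.0.7 result=FAIL
2012-02-23T10:00:15 AUTH host=10.0.0.50 user=jsmith src=10.0.0.7 result=OK
2012-02-23T10:00:20 AUTH host=10.0.0.50 user=admin src=203.0.113.9 result=FAIL
2012-02-23T10:00:22 AUTH host=10.0.0.50 user=admin src=203.0.113.9 result=FAIL
2012-02-23T10:00:24 AUTH host=10.0.0.50 user=admin src=203.0.113.9 result=FAIL
2012-02-23T10:00:26 AUTH host=10.0.0.50 user=root src=203.0.113.9 result=FAIL
2012-02-23T10:00:28 AUTH host=10.0.0.50 user=root src=203.0.113.9 result=FAIL
2012-02-23T10:00:30 AUTH host=10.0.0.50 user=root src=203.0.113.9 result=FAIL
"""


def detect(lines):
    """Return a list of alert dicts; at most one alert per (source, target) pair."""
    alerts = []
    conn_events = defaultdict(list)   # (src, dst)  -> [(timestamp, dport)]
    fail_events = defaultdict(list)   # (src, host) -> [timestamp]

    for line in lines:
        m = FW_RE.match(line)
        if m:
            conn_events[(m["src"], m["dst"])].append(
                (datetime.fromisoformat(m["ts"]), int(m["dport"])))
            continue
        m = AUTH_RE.match(line)
        if m and m["result"] == "FAIL":
            fail_events[(m["src"], m["host"])].append(datetime.fromisoformat(m["ts"]))

    # Port scan: many distinct destination ports on one host within the window.
    for (src, dst), events in conn_events.items():
        events.sort()
        for ts, _ in events:
            ports = {p for t, p in events if ts - SCAN_WINDOW <= t <= ts}
            if len(ports) >= SCAN_PORTS:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "ports": len(ports), "at": ts.isoformat()})
                break

    # Brute force: repeated failed logins from one source to one host.
    for (src, host), stamps in fail_events.items():
        stamps.sort()
        for ts in stamps:
            n = sum(1 for t in stamps if ts - BRUTE_WINDOW <= t <= ts)
            if n >= BRUTE_FAILS:
                alerts.append({"type": "brute_force", "src": src, "host": host,
                               "fails": n, "at": ts.isoformat()})
                break
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample log the normal workstation 10.0.0.7 (two ports, one mistyped password) raises nothing, while 10.0.0.23 touching ten ports in two seconds and 203.0.113.9 failing five logins inside a minute each produce one alert. The thresholds are the tuning knobs: set too low they flood an administrator, set too high they miss a slow scan, which is why real deployments pair this logic with port mirroring or a tap that sees all traffic.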
4. Malware Detection
The cat-and-mouse game of malware detection is very much a linchpin of the $22.9 billion enterprise security software market projected for 2012. Malware scanning performed on client devices relies on the processing capabilities of individual devices to check for threats. Business-centric versions typically include some form of central management used to push out new definition updates and implement simple security policies. Malware products specifically optimized for servers are also available, though they are not particularly popular, as businesses are understandably loath to deploy anything that saps the processing cycles of expensive server hardware.
Given that most malware infestations are a direct result of a user action, the typical anti-malware package has also evolved into comprehensive suites that attempt to offer protection against multiple threat vectors. This may include a component to scrutinize a URL link prior to launching it, or email and browser plug-ins that do the same to file attachments. In addition, anti-malware suites are increasingly bundled with a software-based firewall, spyware detection and even spam filtering.
5. Whitelisting
Whitelisting is an anti-malware defense implemented on client devices much like traditional antivirus software. Instead of attempting to identify known malware, however, whitelisting only allows known files to be executed. This necessitates an initial baseline scan to construct a database of whitelisted applications, to which new applications can be added over time as they are installed.
Though promising, whitelisting has been plagued by various practical problems that have hindered its adoption in businesses. Situations may arise, for example, in which critical file dependencies were not properly identified, resulting in application crashes or an improper installation, as they were prevented from loading. Also, whitelisting may be less useful against exploits that leverage the use of specially created documents or other non-executable files. Finally, employees who are in a hurry may simply disregard warnings and opt to add everything, including malware, into their whitelist.
To be fair, whitelisting software has seen tremendous improvements over the years. Today, most whitelisting software applications will recognize commonly used applications upon installation and are hence capable of building an initial whitelist very quickly and with minimum interaction from users. It is important to ask whether whitelisting software can coexist with traditional antivirus software. The answer varies, though some whitelisting products do advertise their compatibility with antivirus applications.
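The baseline-then-allow model from section 5 reduces to a small amount of code: hash every file found during the baseline scan, then let a file run only if its hash is already known. The following is an added example, not code from the article or from any whitelisting product; it builds its "installed applications" as throwaway files in a temporary directory, which are constructed for the demo. Keying the allowlist on content hashes rather than paths is what lets a copy of a known program run from a new location while a file modified in place is refused.

```python
"""Hash-based application allowlisting (added example, constructed files)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    def __init__(self) -> None:
        self.hashes: dict[str, str] = {}   # digest -> path first seen at

    def baseline(self, root: Path) -> int:
        """Initial baseline scan: every file under root becomes allowed."""
        added = 0
        for p in sorted(root.rglob("*")):
            if p.is_file():
                self.hashes.setdefault(sha256_of(p), str(p))
                added += 1
        return added

    def approve(self, path: Path) -> None:
        """Add one file later, e.g. after a new application is installed."""
        self.hashes.setdefault(sha256_of(path), str(path))

    def check(self, path: Path) -> dict:
        """Execution decision for a file: ALLOW if its hash is known, else DENY."""
        digest = sha256_of(path)
        known = self.hashes.get(digest)
        return {
            "path": str(path),
            "decision": "ALLOW" if known else "DENY",
            "reason": f"matches baseline entry {known}" if known else "hash not in allowlist",
        }


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        apps = root / "apps"
        apps.mkdir()
        (apps / "catalog.exe").write_bytes(b"constructed app binary v1")
        (apps / "helper.dll").write_bytes(b"constructed helper library")

        wl = Allowlist()
        count = wl.baseline(apps)

        downloads = root / "downloads"
        downloads.mkdir()
        # Same bytes as the baselined program, just a different location.
        (downloads / "catalog.exe").write_bytes(b"constructed app binary v1")
        # A program nobody baselined or approved.
        (downloads / "invoice.exe").write_bytes(b"constructed unknown binary")
        # The baselined program overwritten in place (update or tampering).
        (apps / "catalog.exe").write_bytes(b"constructed app binary v2")

        return {
            "baseline_count": count,
            "copy_of_known": wl.check(downloads / "catalog.exe")["decision"],
            "unknown": wl.check(downloads / "invoice.exe")["decision"],
            "modified_in_place": wl.check(apps / "catalog.exe")["decision"],
        }


if __name__ == "__main__":
    print(run_demo())
```

The "modified in place" case is also the practical problem the text mentions: a legitimate update changes the hash, so the product needs a way to re-approve updated files without the user simply clicking "add everything".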
6. Spam Filtering
Though spam is not traditionally considered within the domain of computer security, the lines are getting blurred given the increasing number of spear phishing attacks used by hackers to sneak Trojan or zero-day malware into corporate workstations. In addition, there is also evidence to suggest that users who deal with a high volume of emails are more susceptible to being taken in by a phishing attempt. It is clearly in the interest of the IT department to filter out as many bogus email messages as possible.
There are many ways to deal with spam, which may entail channeling all incoming email messages through a specialized cloud service provider, a server-based spam filtering software, or dedicated anti-spam appliances deployed within the DMZ.
7. Keeping Software up to Date
Ensuring that software updates and security patches are kept up to date is widely acknowledged to be an important defense against security breaches. The reason is simple. Though vendors do not typically release the full details of new security flaws, the proffered guidelines and the release of the security patches are often sufficient for black hats to reverse engineer a particular vulnerability. Depending on the nature of the security flaw that is identified, an exploit could potentially be written in days.
This becomes a problem in larger SMBs, which may make use of a wide range of software applications or in-house tools that depend on various third-party tools or codebases. It is hence not uncommon for new software updates or security patches to be overlooked, thus opening up a window of vulnerability. The increasing variety of software that is capable of updating itself over the Internet may somewhat alleviate this problem. However, it should be noted that automatic updating may not be a desirable behavior in mission-critical production environments. To that end, businesses need to implement appropriate processes to identify and test new updates in a timely manner.
8. Physical security
Physical security is a crucial factor that cannot be overstated. After all, given physical access, practically every security or network appliance can be reset to its factory default. In addition, unsecured Ethernet ports may also offer a direct line past the firewall and other perimeter defenses, though that access can be mitigated to an extent with managed switches configured to deny access to unrecognized MAC addresses. Another concern within server rooms is the theft of hard disk drives from hot-swappable bays of storage appliances or servers. Given how easily password files can be recovered from stolen storage devices, server closets or server rooms should be kept locked at all times, and access granted only to authorized staffers.
We have only touched on some of the most common aspects of security deployments. There are obviously many others, such as the importance of user education, independent security audits and the value of a good IT policy. The presence of comprehensive logging and auditing will also help greatly in identifying sources of a breach.
The important point here is that security is a multi-faceted topic that is constantly evolving. Small and mid-sized businesses need to ensure that they do not rely on a single mechanism to stay secure, and that they stay up to date on the latest security offerings available.
Paul Mah is a freelance writer and blogger who lives in Singapore. You can reach Paul at paul@mah.sg and follow him on Twitter at @paulmah
There are ways around ANYTHING and EVERYTHING you have installed on your PACs
http://blogs.rsa.com/change-your-mindset-you-are-the-attacker/
It seems that for many years, actually probably forever, security professionals have behaved in a totally reactive way when it comes to data breaches. For example, if a breach was identified and it was determined that it was an issue with user education then the team would try to educate the user. This whole model is flawed as we are behaving and acting like victims because we really can’t see the who, what, when, where and why of attacks that we are going to be targeted with. We need to move from defense to offence when it comes to protecting ourselves.
To be in the mindset of an attacker you need to have answers to the following fundamental questions:
What are your most valuable assets? Where are these assets? How can they be accessed?
If you were the attacker how would you spread malware? And who are the most ‘vulnerable’ targets in the organization?
Do you have a view on the ‘normal’ behavior of your organization (people, behavior, locations and systems)?
As outlined in my previous blogs these questions aren’t new questions, they are the absolute basics of any sound security program yet we seem to get them wrong all the time and fall victim to attacks. So, it’s time to get on the offensive….
Here’s a quote from Sun Tzu, the ancient Chinese warrior general who even in those days understood really sound security strategies:
‘It has been said before that he who has known both sides has nothing to fear in a hundred fights; he who is ignorant of the enemy, and fixes his eyes only on his own side, conquers, and the next time is defeated, he who not only is ignorant of the enemy, but also of his own resources, is invariably defeated.’
http://eandt.theiet.org/news/2013/jan/embedded-world.cfm
Embedded-systems designers must pay more attention to how their systems can be compromised, and should "think evil, do good" in implementing security by design, says industry insider Stuart McClure.
Can you use something like this in your library?
Our patrons are bringing in all sorts of Wi-Fi enabled things
And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget
May 2, 2012, 1:59PM
Nine Percent of Websites May be Malicious
by Brian Donohue
Just under 10 percent of websites serve some sort of malicious purpose, with an additional nine percent of sites being characterized as “suspicious” by Zscaler in a new research report.
Zscaler ran 27,000 website URLs through a tool they developed to assess the security of websites and give them a score from zero to 100. Nearly 81 percent of sites scored between zero and 49 (benign). 9.5 percent scored between 50 and 74 (suspicious) and another 9.5 percent scored somewhere between 75 and 100 (malicious), according to the company's State of the Web Report.
The report also indicates that outdated plug-ins and the users who refuse to update them continue to be a serious but improving problem in the enterprise. Zscaler cites the Flashback outbreak, which exploited known Java vulnerabilities, as anecdotal evidence of this. The report shows that more than 60 percent of Adobe Reader users are running an outdated version of that software. Adobe Shockwave came in second, with 35 percent of users running an outdated version. Java came in fourth, with only five percent of users running an outdated version.
It appears also that enterprises are increasing their efforts to block employees from visiting social networking sites. When the quarter opened, social networks only accounted for 2.5 percent of policy blocks; by the end of the quarter, that statistic had increased to four percent.
Some other interesting info-morsels include Zscaler’s findings that Apple devices are becoming more prevalent in the work place as Android and BlackBerry devices become less prevalent. Facebook’s share of Web 2.0 traffic is down slightly from 43 percent in Q4 2011 to 41 percent in Q1 2012. On the other side, Twitter saw its share of such traffic increase over the same period from five percent to seven percent. Zscaler claims that the drop in Facebook’s traffic share is due to corporate policies that are increasingly blocking employee access to that social network while remaining noticeably less concerned about employee access to Twitter. Zscaler also believes that Twitter’s traffic-share increase may suggest that the service is being more widely adopted for use in the enterprise.
Sports and gambling sites generally see a spike in traffic in Q1 that can very likely be attributed to events like the NFL playoffs, Super Bowl, and March Madness in America and the International Cricket Council's Cricket World Cup in places like India and Australia. This year, those sites’ traffic increased a dramatic 74 percent.
Feeling secure and being secure are different: you can feel secure when you’re not, and you can be secure even if you don’t feel it.
On your computer:
Keep that OS patched and updated. Related: Don’t use Windows XP
Disable hidden filename extensions
Make sure ALL those programs are updated. Especially don’t miss anything made by Adobe (e.g. Flash & Acrobat)
Never install things you’re not sure are safe. Especially don’t trust anything from Torrents or P2P sites. Avoid downloading programs from unknown sources
If you're not using something, just remove it. Every program installed on your computer opens a potential new hole.
Make sure your firewall is turned on
Make sure file sharing is turned off
Use a reputable virus & malware protection software program, keep it up to date and run it often
Make sure that the Macro Virus Protection feature is enabled in all Microsoft applications
Never trust any links, attachments, short links, or anything else from anywhere or anyone unless you are SURE what’s inside
Have a recovery plan - Is your stuff backed up?
If it's a laptop, use something like Prey Project
Advanced: Consider changing up your hosts file and/or using something like OpenDNS.