This morning’s WSJ on page A3 really boiled my blood. In the article, “Hacker Sentences Pose Test for Judges,” the WSJ reported on the Latvian hacker convicted for his part in the Gozi virus. The Gozi virus targeted the bank accounts of consumers, underscored the vulnerability of online consumer banking, and infected more than a million computers worldwide. The sentence was left at 21 months, or “time served.” Really?
In a previous post, I commented on the insider threat as an area often overlooked, particularly in smaller enterprises. Two variations of the insider threat were discussed: (1) the insider out for financial gain, and (2) those intent on settling a score. Reading various news articles this morning, it occurred to me that there is a third variation which is much more passive and insidious.
After reading yet another headline about cybercrime, you have decided to go out and purchase cyber liability insurance. Are you protected? The answer is “it depends.”
First of all, cyber liability insurance is only going to protect your business against financial losses. Depending on the extent of the incident, the embarrassment and bad publicity caused may not be recoverable, and in some cases you may find yourself out of business. The cyber liability insurance policy can be helpful when clients, partners and others sue your business, and they will sue.
Having breakfast this morning with an acquaintance, the topic of egress filtering came up and hence the inspiration for this post.
Just about any business these days, regardless of how small, deploys a network firewall. Even sole proprietorships and home users utilize some sort of firewall. The traditional view of the firewall is the expectation that unwanted traffic coming inbound will be blocked, but what about outbound traffic?
The typical small office firewall (and many large office firewalls as well) sits on the network perimeter and allows any traffic originating from the inside to pass outside to the Internet. What is wrong with that? Consider the following hypothetical:
Reading the front page of this morning’s IBD, staring me right in the face was an article on forcing industry to give the government keys to decrypt customer information. While a knee-jerk reaction to the Paris terrorist attacks, this is the wrong move in my view.
Businesses, as well as individuals, need to be secure in their persons and property. Data is tangible property, just as real estate, business, personal and other physical property are tangible property. It is the right of individuals and businesses to determine what data is private and what is not. Governments should not have unrestricted access to data without due process. Data privacy should remain a right and not an option arbitrarily determined by governments.
Granting governments a backdoor to decrypt private data exposes a vulnerability which can potentially be exploited by bad actors. Consider for a moment a business holding confidential information on customers, regardless of whether those customers are individuals or other businesses. Should the decryption backdoor become compromised, the impacted business could potentially be put out of business. Would the government accept the liability? Even if the government were responsible, it is the business that was breached that suffers the consequences.
Private encryption needs to remain sacrosanct if as a society we intend to respect and retain data privacy.
This last week’s news that Starwood reported a breach affecting 54 of their locations is a continuation of an unsettling trend of detection gaps, where organizations often take months to discover that they have been hacked. In this case, the initial breach occurred in early November 2014 and was not discovered until March 2015. Cyber criminals can exfiltrate plenty of data to monetize during such a long period. Why is it taking so long to detect these breaches?
The cybersecurity profession, like many other professional disciplines, requires annual continuing education. Yesterday, working to complete the needed hours for this year, I attended an all-day seminar sponsored by ISACA. The attendees were all security professionals, some operational and most from the auditing side of the business. What I observed amazed me, and if my observations are indicative of those in the cybersecurity space, I wonder if there is any hope for user security awareness in the general population. We need to practice what we preach.
Some time back, I blogged about the true intent of a distributed denial of service (DDoS) attack. In that post I discussed that the true intent of a DDoS attack is usually to create a distraction, forcing the IT staff to focus on the outage while data is exfiltrated by criminals who have already established a presence in the business. While sophisticated criminals are good at covering their tracks, many data breaches do leave behind clues.
Headlines can be found on a daily basis reporting increased cybercrime. While larger businesses are better funded to protect themselves, the small business market is underserved by the large security vendors. Worse, with the cyber security business bringing in billions in revenue, an entire industry exists with solutions to these problems. But how is a small business person or manager in a smaller firm to know which solution is the right solution?
Defending against cybercrime requires a chain of defense. The chain requires protection, as well as intrusion detection and intrusion prevention (IDS and IPS). The following short video explains in lay terms these technologies and how the layers in the chain of defense can help the business to detect and respond to threats before suffering substantial harm.
Over $1.2 billion was stolen by thieves using email scams in the last two years, according to the FBI. Financial fraud easily targets stolen email accounts, with 50% of SPAM email containing malware.
Smaller firms have fewer technical and security resources, resulting in increased vulnerability. They easily become a vector to attack larger firms who may be their customers.
The rapid pace of technology results in an increasing attack surface for firms adopting new technology, and almost every business is digitizing, increasing the targets available to criminals.
Read more in this free report: Cybersecurity Challenges for Small business