Category Archives: Uncategorized


Three Key Actions From Cyber Security Awareness Month You Can Take

Category : Uncategorized

In a world where the Internet has become significant part of our everyday lives, we all need to be responsible for making sure our online identities are kept safe and secure. Much of our personal data is stored online which exposes us very easily to all sorts of threats. In a year of high-profile hacks and security vulnerabilities hitting the news headlines businesses and consumers are thinking a lot more about their online security. That’s what the Cyber Security Awareness Month is all about.

What is Cyber Security Month?

October is National Cyber Security Awareness Month (NCSAM) in the US which is an annual campaign that aims to raise awareness about cybersecurity. This year also marks the 5th anniversary of the European Cyber Security Awareness Month. NCSAM was launched by the National Cyber Security Alliance and the Department of Homeland Security in October 2004. It’s a collaborative effort between government and industry to ensure that everyone – from consumer and small businesses to corporations and academia, has the resources they need to stay safe and secure online. NCSAM carries the global message that cybersecurity is one shared responsibility.

This year kicked off with a global launch event to highlight the international adoption of Cyber Security Awareness Month. Let’s look into some of the main actions we can take.

  1. Focus on consumers and their online safety

With the first few weeks of the initiative now behind us, we saw an even stronger focus on consumers and their online safety. This year also marks the 7th anniversary of the STOP. THINK. CONNECT. campaign, which aims to help all consumers stay safe and secure online. It is based on three easy-to-follow, actionable practices:

  • STOP: make sure security measures are in place
  • THINK: about the consequences of your actions online
  • CONNECT: and enjoy the internet

Week 1 addressed the top consumer cyber concerns, encouraging users to be more vigilant about using the Internet and sharing their personal data online.

Simple steps to follow to stay safe online include using stronger authentication (such as two-factor authentication or biometrics), making your passwords long and strong, and sharing or opening files with care, to name just a few.

We have a good and detailed checklist here: 10 tips to prepare for Cyber Security month. The most important tips include:

  • Make sure your password is secure
  • Regularly update your software
  • Beware of email scams
  • Password protect your laptop and smart devices
  • Install malware protections

The Internet touches almost all aspects of our everyday lives, so it is important that consumers are made aware of its most common risks. In the video below, former ethical hacker Jason Hart, who now works for Gemalto, explains how a man-in-the-middle attack works. A man-in-the-middle attack is one where an attacker inserts themselves into a conversation between two parties; it can affect your PC, your mobile device and the Wi-Fi network.

Here are videos of Jason Hart explaining how a phishing scam and a karma attack work.

  2. Today’s predictions for tomorrow’s internet

We live in an incredibly connected world with smart devices populating every aspect of our lives. There are many ways that an attacker can access data on our connected devices. So, how do we secure the Internet of Things? Data is the fuel that makes smart devices work, so looking for ways to secure it is essential. We see three essential pillars for securing IoT data at rest and in motion: securing the device, securing the cloud and managing the lifecycle of security components in the IoT. The importance of securing the IoT has also been recognized by the US government. Earlier this year two US lawmakers proposed new legislation that seeks to address the vulnerabilities in IoT devices.

Smart cars, connected homes and smart healthcare devices have become an inseparable part of our reality. And while there are massive benefits to connectivity, it is important to understand how to use cutting-edge tech in safe and secure ways.

  3. Building Resilience in Critical Infrastructure

Building resilience in key systems like electricity, financial institutions, water treatment facilities, public healthcare and transportation is another key theme of this year’s events. These are all systems that store data and increasingly run on it. We recently addressed end-to-end security of the smart energy ecosystem at European Utility Week. The final week will look at how cybersecurity relates to keeping our traffic lights, running water, phone lines and other critical infrastructure safe.

There we have them – the key actions from cyber security awareness month, aiming to educate us on the importance of keeping our online identities safe. So, what will you do?


Author: Brittany Jedrzejewski


The Universal Translator in InsightAppSec and AppSpider

Category : Uncategorized

Providing better support for scanning modern web applications

In the face of constantly evolving web technologies, our engineers have responded to the growing challenge of dynamically testing applications with the Universal Translator. The Universal Translator acts as a bridge between the two key functions of every DAST: discovery of the areas in an application where vulnerabilities can be exploited, and attack through the testing of those areas with inputs that may expose security gaps.

The Universal Translator increases flexibility by decoupling the discovery and attack engines, so that all attackable inputs identified by the discovery engine are translated and normalized into a common universal format that is then understood by the attack engine; this makes it possible for the same set of attacks to be applied to multiple input and data format types.

Still waiting on a “so what?” Long story short, this departure from just your standard crawling expands your application area coverage and enables Rapid7 DAST engineers to quickly add support for future web technologies and emerging attack types.

More here: The Universal Translator


The new McAfee Is Extending Our Stride

Category : Uncategorized

With McAfee’s spin-off from Intel completed, our focus has turned to growing the business. Our commitment to the strategy articulated more than two years ago remains unchanged. We are determined to deliver an increasingly integrated solution, to deliver on our product roadmap, and to work with both competitors and partners. We are making great progress toward those objectives.

In June, the WannaCry and Petya attacks struck, creating a firestorm of publicity and disrupting business operations around the globe. Among other things, they exposed the continued use of old and unsupported operating systems in critical areas and they laid bare the lax patch-update processes followed by some businesses. These attacks remind us that the best protection is defense in depth, including zero-day protection to not just block but quickly learn about attacks to improve responses. The lead Key Topic in this threats report analyzes WannaCry and its business impact.

McAfee Quarterly Threats Sept-2017



Evader by Forcepoint

Category : Uncategorized

What is Evader?

The 2017 NSS Labs NGFW Test reveals many of the leading next generation firewalls are vulnerable to Advanced Evasion Techniques (AETs) that can let exploits and malware (including aggressive ransomware attacks like WannaCry) into your network undetected.

With Evader, the world’s premier software-based testing environment for evasions, you can see how well your firewalls and intrusion prevention systems (IPSs) defend against these threats by:

  • Launching controlled AET-borne attacks at network security devices
  • Interactively combining and adjusting evasions
  • Seeing the results immediately

Note: Evader is not a hacking tool or a penetration test intended to transmit arbitrary exploits. It is offered solely for testing and should not be used against any systems outside your environment. Using AETs, Evader tests whether or not a known exploit can be delivered through security devices you specify to a target host.

Schedule a Live Interactive Demo of Evader



Tiered Storage, How to Calculate Your Potential Margins

Category : Uncategorized

For cloud or managed hosting providers, storage is obviously a key underpinning technology for any cloud or hosting infrastructure. What’s not so obvious, however, is how to productize the storage subsystem in a way that aligns with your ideal business model. And it’s not always clear how your customers want to consume it from you, how your ops teams want to support it, and how your CEO wants to report the sales to your board.

We have learned over the past five years that there are many ways to address most of these business challenges, but the discussion about storage tiering never seems to go away.

The good news is that with the quality-of-service (QoS) capabilities at the core of all NetApp® SolidFire® storage architectures, we can develop models that simulate pretty much any type of tiering. The Fueled by NetApp consulting team is available to help you develop the right deployment scenario to support your margin requirements and your customer consumption demands, and to do it predictably and consistently.

Our experienced consultants ideate with you to plan the right tiering model for your business strategies, including, but not limited to:

  • Fixed performance and variable capacity
  • IOPS/GB performance tiering (simulating legacy storage arrays)
  • Avoidance of tiers completely by simply charging for IOPS and gigabytes independently
  • An a la carte offering for which you can sell performance and capacity resources independently, as your customer wants

To get you thinking about the many deployment options, we created a very simple but representative sample storage tiering calculator.

Learn how to build your cloud hosting infrastructure and start monetizing storage today. To get into a deeper discussion about storage tiering, margins, and service differentiation, contact the Fueled by NetApp service provider consulting team. Our industry experts will walk you through what we see other service providers in the industry do with storage tiering, and they will help guide you on your go-to-market journey.


Author: Stuart Oliver


Pulse Secure Access Solution Presented by Drawing a Whiteboard Diagram

Category : Uncategorized

60 mins
Graham Duthie

In this webinar we’ll show you how to tell the Pulse Secure Access story by building up a whiteboard diagram. We include each of our products, including the recently acquired virtual Application Delivery Controller (vADC), and explain how they fit with the Secure Access strategy. This can be a great way to introduce Pulse to new prospects and is an ideal opener before diving into the detail of the individual products.


Rapid7 CEO, Rethink IT and Security Organizational Structures

Category : Uncategorized

Companies are under constant pressure to innovate in today’s fast-paced business environment. That might mean creating a better product, improving efficiency, or creating a better customer experience. Unfortunately, the security function tends to be separate from the innovation process or, worse, is brought in only after the innovation has created a new vulnerability.

That problem will persist unless companies rethink their organizational structures around IT and security. That’s the message that Rapid7 CEO Corey Thomas is delivering in his keynote today at the company’s United 2017 event in Boston. He believes that IT and security teams can work together effectively to innovate, create a better user experience, and adopt new technology without increasing the vulnerability surface.

Thomas sees security and IT functioning separately in most organizations. “Siloes are killing the organization,” says Thomas in an exclusive interview with CSO. “Breaking down the siloes and engineering automation solutions to solve some of the persistent vulnerabilities is a solvable problem.”

Organizational siloes that keep security at arm’s length don’t work. How many times have we seen these stories play out?

  • Company X releases a new, innovative product that meets with some initial success. Later, hackers find a vulnerability that could have been easily addressed during the development process. Company X scrambles to fix the problem and salvage its credibility.
  • Company Y rolls out a web application that collects customer data. Weak authentication allows data thieves access to customer information. That’s when the security team learns about the app’s existence.
  • Company Z migrates key data to the cloud. IT manages the migration but does not adequately involve security. Key questions go unasked, and as a result, improper configuration leaves the data exposed.

“The prevailing assumption is that you innovate first and add security later,” says Thomas. “People believe that security slows down innovation. They also don’t necessarily know the right security vectors, and there is a small kernel of truth to that.”

Thomas adds that it is assumed that any new technology you create will have some unforeseen vulnerability. He believes the way to address that is build update mechanisms into the technology. “By doing that you improve the long-term security of the technology as well as the user experience.”

“We live in a technology system that is highly fragmented. Security is best addressed if you have a holistic, integrated view of both the environment and the assets,” says Thomas. “Organizational structure that’s dominated by a siloed view of the world and siloed operations creates not only a negative IT user experience, but also a poor security experience. Functional siloes are the primary reason that organizations get complaints from so many of their users about the experience they’ve created, and why you have so much finger pointing.”

How should IT and security work together?

IT and security clearly need to work well together, but that will be difficult if they don’t understand each other. “It is impossible to have both IT and security function well without each having the context of the other,” says Thomas. Just passing security vulnerabilities “over the wall” to the IT team is an inefficient process that no longer works, he adds. Thomas cites organizations having success embedding security in core operations. “You see some success in the devops world where some innovators look at how they build security into the development process.”

“Security cannot be successful separate of IT. The ability to have an integrated view and apply security and IT operations closer together is key to having success,” Thomas says.

Thomas believes that communication and collaboration between IT and security are important, but cautions against seeing that alone as a solution. “In some ways, [focusing on communication and collaboration] is a distraction, because it gives in to this notion that you can treat security as an appendage,” he says. “I can have IT processes that are inefficient and don’t work. I can have escalating vulnerabilities in my environment because my attack surface continues to expand as I deploy technologies faster than I manage them. And it’s fine because I just need to communicate technologies that are deploying into the security team.”

“If you have not designed a process that allows you to update and maintain secure technology as it’s deployed, even if you communicate, you’re still going to be behind. Communication and collaboration are absolutely important, but they are not the root cause of the problem.”

What can an integrated IT/security organization do to foster innovation?

In his United 2017 keynote address, Thomas lists four skills that an integrated IT and security organization needs to excel at:

  • Mastery of data is required to understand the environment, the service experience, the risk profile, and identify attacker behavior.
  • Mastery of user and customer experience is about understanding not just the needs of the organization but the type of experiences that make those needs not just achievable but highly likely.
  • Mastery of integration is the realization that we don’t create experiences from scratch, but rather extend, leverage, and from other products and services.
  • Mastery of automation is about developing the capacity to manage and maintain systems that expand and morph at fast rates.

“This is a very different set of skills than what our organizations thrive at today,” Thomas said in his keynote address, “but many of our society’s biggest challenges have demanded that we think differently and try new approaches.”

He notes that the same data used to troubleshoot an environment from a security perspective—collect log data, do forensics across the environment, identify what applications and users are affected—is the same data used to troubleshoot performance issues or to determine which of your assets need to be updated. “An integrated view of the environment will ensure that you have the right data to serve all those domains well,” Thomas says.

Thomas encourages security professionals to find opportunities to participate in the innovation process. “Innovation tends to happen in clusters. The extent to which you have people on that journey together really matters,” he says. “Security has done a good job of that historically.”

Two other opportunities for security professionals might be more of a challenge. The first is generating and contributing to data mastery and organization. “Lots of security practitioners tend to create their own data siloes, which contributes to lack of mastery of information and data that’s so critical with the types of challenges that we face,” says Thomas. “Security practitioners can very much contribute and engage here.”

Second, shift focus to addressing root causes of security problems. “Poor management practice and technology management practices are the root cause of so many security vulnerabilities that organizations have,” says Thomas. “That can be addressed through better engineering and automation processes around updating, configuring, and controlling the environment.”

Thomas doesn’t see any company operating with fully, holistically integrated IT and security yet, although a number are on that path as they question some of the foundational assumptions they have about how they operate and organize their technology groups.

“It’s repeated events that change behavior,” says Thomas. “Most people throw technology at [security problems] for a while, and then something really bad still happens. That’s when they do a reassessment. That’s how some of the early movers in this space start to experiment with different ways in how they run and operate their technology operations.”



Identity Fraud Is Everywhere, Here’s How to Improve Market Fraud Scoring Systems

Category : Uncategorized

A particular type of fraud has emerged in various countries. In markets where prepaid subscriber rates are high and SMS OTP is still heavily used by banks and service providers, criminals have seized on weaknesses in the existing processes for renewing a subscription via SIM card swap. It can be difficult for Mobile Network Operators to enforce strict identity checks when a SIM is changed, which means that fraudsters posing as the subscriber can request a replacement SIM by claiming they have lost their mobile phone.

To illustrate the problems involved, take a look at this example. Chris was sitting in his Nottingham home a fortnight ago when his iPhone suddenly stopped working. Within 75 minutes the fraudsters who had hijacked his phone had, through his online banking app, emptied his bank account of £1,200 and applied for an £8,000 loan in his name. But Chris is just the latest victim of a financial scam that is sweeping Britain: SIM-swap fraud.

But what is SIM swap fraud?

A fraudster gathers data on a bank customer through “phishing” or “social engineering” to gain access to their online/mobile banking portal.

With this data, the fraudster contacts their mobile operator to get their SIM card replaced and/or change Mobile Network Operator while keeping the same mobile number.

With a new SIM and the same mobile number, the fraudster receives bank account authentication codes and/or payment transaction codes (SMS OTP).

The fraudster is now free to log in, create a new beneficiary’s account, transfer and withdraw money.

SIM swap is becoming an increasingly common source of fraud. Asia Pacific, North America and Indian markets are witnessing the most cases of SIM swap fraud. But this phenomenon is global, as many countries (UAE, Brazil, Colombia, South Africa, Singapore, Germany and the UK, to name only a few) have reported SIM swap fraud cases, driven by the need to fast-track enrollment in order to capture potential new customers while proper identity verification for mobile subscribers is still not enforced.

The mobile phone has become not only a ubiquitous extension of our daily life but also a cornerstone of our identity, allowing banks to identify us and authorize credit cards, online transactions and cash withdrawals. That is why mobile has also become the main target for criminals.

Clearly, SIM-Swap fraud is a growing problem that needs to be stopped. And we need to address the problem with strong, secure solutions. One solution banks are looking for is to reinforce the end users’ identity verification process to improve risk assessment and better respond to fraud management.

This solution cannot rely only on data from the mobile network operator’s provisioning system. That alone is not sufficient to properly inform the bank’s risk assessment engine.

To optimize risk assessment, it is important to establish a set of guidelines, which cover multiple conditions or sources of information.

What if banks could get access to real time mobile operator network information to protect the end-user account?

This would include knowing about SIM and device swap scams, but also access to roaming and location data and if needed device specifics, user behavior analysis, IP intelligence and geolocation, among others. Everything would be securely collected and always obtained with the end-user consent.

To show how such a solution would work, imagine a user is asked to validate a transaction with a one-time password sent to their mobile device. The solution gives the bank real-time insight, including the date of any SIM swap on that number.

The bank can then decide whether the targeted mobile subscriber falls into a fraudulent-behaviour category and whether any further authentication is required (a customer care call or a step-up authentication mechanism). If a customer’s mobile account has been taken over, the bank can act before the fraudsters can seize on a vulnerability and withdraw funds, change passwords or set themselves up as a new beneficiary for payments.
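As an added illustration (not part of the original post, and not any vendor’s scoring rules), the following toy shows the decision step just described in code: it combines the operator signals the post mentions (date of the last SIM swap, a recent device change, roaming status) with the transaction itself and returns allow, step-up or deny before the SMS OTP is trusted. The field names, weights and time windows are assumptions chosen for illustration.

```python
"""Toy pre-OTP risk assessment combining mobile operator signals.

Added example, not code from the original post. The field names, weights and
time windows are assumptions chosen to illustrate the decision described
above; a real deployment would tune them against its own fraud data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class OperatorSignals:
    """Real-time subscriber data as a mobile operator might expose it (assumed shape)."""
    last_sim_swap: Optional[datetime]       # None if the SIM was never replaced
    last_device_change: Optional[datetime]  # None if the handset never changed
    roaming: bool
    consent_given: bool                     # explicit opt-in recorded for this use


@dataclass
class Transaction:
    amount: float
    new_beneficiary: bool   # first payment to a newly created beneficiary
    requested_at: datetime


# Assumed policy parameters.
SIM_SWAP_WINDOW = timedelta(hours=72)   # a swap this recent is the strongest SIM-swap indicator
DEVICE_WINDOW = timedelta(hours=24)
HIGH_AMOUNT = 1000.0                    # amount above which a new payee is treated as sensitive
STEP_UP_AT = 30                         # score thresholds
DENY_AT = 70


def risk_score(tx: Transaction, sig: OperatorSignals) -> int:
    """Additive score: each indicator contributes a fixed weight (assumed values)."""
    score = 0
    if sig.last_sim_swap is not None and tx.requested_at - sig.last_sim_swap < SIM_SWAP_WINDOW:
        score += 60  # SMS OTP is now delivered to a SIM the customer may not hold
    if sig.last_device_change is not None and tx.requested_at - sig.last_device_change < DEVICE_WINDOW:
        score += 20
    if sig.roaming:
        score += 10
    if tx.new_beneficiary:
        score += 15
    if tx.amount >= HIGH_AMOUNT:
        score += 15
    return score


def decide(tx: Transaction, sig: OperatorSignals) -> str:
    """Return 'allow', 'step_up' (customer-care call or stronger authentication) or 'deny'."""
    if not sig.consent_given:
        # Operator data may not be used without the subscriber's consent, so the
        # SMS OTP alone is not trusted for sensitive actions.
        sensitive = tx.new_beneficiary or tx.amount >= HIGH_AMOUNT
        return "step_up" if sensitive else "allow"
    score = risk_score(tx, sig)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed scenarios (not real customer data).
NOW = datetime(2017, 10, 10, 9, 0, tzinfo=timezone.utc)

# A hijacked line: SIM replaced 45 minutes ago, new handset, new payee, large amount.
HIJACKED_TX = Transaction(amount=1200.0, new_beneficiary=True, requested_at=NOW)
HIJACKED_SIGNALS = OperatorSignals(
    last_sim_swap=NOW - timedelta(minutes=45),
    last_device_change=NOW - timedelta(minutes=40),
    roaming=False,
    consent_given=True,
)

# A routine payment on a line whose SIM has not changed in years.
ROUTINE_TX = Transaction(amount=40.0, new_beneficiary=False, requested_at=NOW)
ROUTINE_SIGNALS = OperatorSignals(
    last_sim_swap=NOW - timedelta(days=700),
    last_device_change=None,
    roaming=False,
    consent_given=True,
)

# Sensitive action but no consent on file: fall back to step-up rather than trusting SMS.
NO_CONSENT_SIGNALS = OperatorSignals(None, None, False, consent_given=False)

if __name__ == "__main__":
    for name, tx, sig in [("hijacked", HIJACKED_TX, HIJACKED_SIGNALS),
                          ("routine", ROUTINE_TX, ROUTINE_SIGNALS),
                          ("no consent", HIJACKED_TX, NO_CONSENT_SIGNALS)]:
        print(f"{name:>10}: score={risk_score(tx, sig):3d} decision={decide(tx, sig)}")
```

The consent branch matters as much as the scoring: where no opt-in is on file, the operator data is simply not consulted, and the bank falls back to its own step-up controls for sensitive actions rather than trusting the SMS channel.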

What about subscriber consent?

Managing user consent in compliance with privacy-by-design regulations is becoming mandatory in a lot of countries. Implicit consent can be managed by a bank contract in some way. But explicit consent is requested more and more by market regulators and requires digital user consent prior to further use by the bank or service provider.

A good way to manage explicit subscriber consent is the use of mobile digital channel communication.

When consent occurs with the subscriber, we can set guidelines based on opt-in models.

Preventing SIM-Swap fraud is really all about stopping that problem at the source, which means making it as difficult as possible for fraudsters to lie about who they are to phone operators and financial institutions.

Are you facing this problem? What solution are you thinking of putting in place?


Author: Stéphanie Viriot


Blockchain Versus the GDPR

Category : Uncategorized

The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018. It will require all businesses that process EU citizens’ personal data to take lots of measures to protect their privacy. The GDPR also provides EU citizens with a right to erasure: to be able to require that businesses holding their data irrevocably erase the data upon request (also known as the “right to be forgotten”). This right is not absolute and has many exceptions (archiving in the public interest, public health purposes, etc.). But this may end up putting the GDPR on a collision course with blockchain technologies in unexpected ways.

Once data is written to a blockchain, it can be essentially impossible to erase it. This is actually considered a desirable feature of blockchains, but it also may make it impractical—perhaps even impossible—to delete personal data of an EU citizen from a blockchain. And this property of a blockchain is something that simply cannot be altered by legislation.

In the case of the blockchain that the Bitcoin cryptocurrency uses, for example, adding blocks to the chain is the result of performing a significant volume of computations on certain cryptographic calculations. Once a result is accepted as being part of the Bitcoin blockchain, replacing it requires a prohibitive amount of computing power.

Deleting or editing a block that is N blocks back from the end of the Bitcoin blockchain requires an industrious Bitcoin miner to do more work than it took to add all N of those blocks to the blockchain, and this work must be completed before a miner adds the next block. Even for blocks that are close to the end of the chain, this is extremely difficult; for blocks that have been on the blockchain for a significant length of time, it is essentially impossible.
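To make the cost argument concrete, here is a miniature proof-of-work chain, added as an illustration rather than taken from the article. Its difficulty and block contents are constructed and tiny compared with Bitcoin, but the dependency is the same: each block commits to its predecessor’s hash, so editing block k forces every block from k to the tip to be mined again, and the honest chain keeps growing while that happens.

```python
"""Miniature proof-of-work chain showing why rewriting old blocks is expensive.

Added example, not code from the original article. Difficulty and block
contents are constructed and tiny compared with Bitcoin; the mechanism is the
same: each block commits to the previous block's hash, so editing block k
forces every block from k to the tip to be mined again.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

DIFFICULTY_BITS = 12  # assumed toy target: hash must begin with 12 zero bits (~4096 tries/block)


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    nonce: int = 0

    def hash(self) -> str:
        payload = f"{self.index}|{self.prev_hash}|{self.data}|{self.nonce}".encode()
        return hashlib.sha256(payload).hexdigest()


def meets_target(digest: str) -> bool:
    """True when the leading DIFFICULTY_BITS bits of the digest are zero."""
    return int(digest, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(block: Block) -> int:
    """Search nonces until the block's hash meets the target; return attempts made."""
    block.nonce = 0
    attempts = 1
    while not meets_target(block.hash()):
        block.nonce += 1
        attempts += 1
    return attempts


def build_chain(records: List[str]) -> Tuple[List[Block], int]:
    """Mine one block per record; return the chain and total hash attempts spent."""
    chain: List[Block] = []
    prev_hash = "0" * 64
    total_work = 0
    for i, rec in enumerate(records):
        block = Block(index=i, prev_hash=prev_hash, data=rec)
        total_work += mine(block)
        chain.append(block)
        prev_hash = block.hash()
    return chain, total_work


def is_valid(chain: List[Block]) -> bool:
    """Every block meets the target and points at its predecessor's current hash."""
    for i, block in enumerate(chain):
        if not meets_target(block.hash()):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def rewrite_block(chain: List[Block], k: int, new_data: str) -> int:
    """Edit block k and re-mine k..tip until the chain validates again; return work spent.

    An honest network keeps extending the original chain while this runs, so a
    real rewrite must also outpace every block added in the meantime.
    """
    chain[k].data = new_data
    work = 0
    for i in range(k, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].hash()
        work += mine(chain[i])
    return work


if __name__ == "__main__":
    honest, honest_work = build_chain([f"transfer {n}" for n in range(8)])
    print(f"honest chain: {len(honest)} blocks, {honest_work} hash attempts, valid={is_valid(honest)}")
    forged, _ = build_chain([f"transfer {n}" for n in range(8)])
    forged[3].data = "transfer 3 (edited)"
    print(f"after editing block 3 without re-mining: valid={is_valid(forged)}")
    cost = rewrite_block(forged, 3, "transfer 3 (edited)")
    print(f"re-mining blocks 3..7: valid={is_valid(forged)}, extra attempts={cost}")
```

Run it and compare the attempts reported for the original chain with those spent re-mining from the edited block: the deeper the edited block, the closer the rewrite cost comes to the cost of the whole chain, which is the point the paragraph above makes about blocks that have been on the chain for a long time.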

But the information on the Bitcoin blockchain is just information about transfers of Bitcoins from one user to another user, and these users are essentially just identified by a particular public key. Can information that anonymous really be a threat to someone’s privacy?

Quite possibly.

It turns out to be very hard to make data of any kind truly anonymous. Instead, the best that we can do is make it pseudonymous. If we know nothing at all about a person’s identity, he or she has perfect anonymity but absolutely no accountability. If we know everything about a person’s identity, then we have perfect accountability but absolutely no anonymity. Pseudonymity is the range of possibilities between these two cases (including both of the extremes), so it may be useful to think of it as implementing a trade-off between anonymity and accountability. Most personal information falls between the two extremes, even if the data is strongly protected.

For example, the very fact that a person is a citizen of France reveals some information about him because only about nine percent of EU citizens are French. Or the fact that a person has an account at a particular bank reveals some information about him: of the roughly 750 million EU citizens, only a small fraction probably have an account at any particular bank.

Perfect anonymity is very uncommon, perhaps even impossible. Most cases of what we think of being anonymity are more appropriately considered to be a form of pseudonymity, and many forms of anonymization of personal information are more appropriately considered to be forms of pseudonymization.

Research suggests even anonymized data is enough to uniquely identify many people. A good example of this can be found in “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” This paper describes how researchers looked at three months of credit card records for 1.1 million people and found that they could uniquely identify 90 percent of individuals from just the date and location of only four of their credit-card transactions. Women and more affluent customers were even easier to identify because their purchases had even more structure than average.
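The reidentification result above rests on what the paper calls unicity: how often a handful of (date, location) points matches exactly one record in the data set. The following added example (constructed data, not the paper’s, and not code from the article) computes unicity for a tiny set of pseudonymous customers and shows the effect of coarsening dates to ISO weeks, a partial mitigation that lowers unicity without making the records anonymous. Merchant type stands in for location here.

```python
"""Unicity of pseudonymous transaction records and the effect of coarsening.

Added example, not code from the original article or the paper it cites. The
five customers and their (date, merchant) points are constructed for
illustration; the study's real data is far larger and the fractions below are
not its results.
"""
from datetime import date
from typing import Dict, List, Set, Tuple

Point = Tuple[str, str]           # (date or coarsened date, merchant type)
Records = Dict[str, List[Point]]  # pseudonymous customer id -> transaction points

# Constructed: five customers who all use the same four merchant types, on
# slightly different days, listed in time order.
RECORDS: Records = {
    "c1": [("2017-08-01", "grocery"), ("2017-08-03", "petrol"), ("2017-08-07", "cafe"), ("2017-08-12", "pharmacy")],
    "c2": [("2017-08-01", "grocery"), ("2017-08-03", "petrol"), ("2017-08-07", "cafe"), ("2017-08-14", "pharmacy")],
    "c3": [("2017-08-01", "grocery"), ("2017-08-03", "petrol"), ("2017-08-09", "cafe"), ("2017-08-12", "pharmacy")],
    "c4": [("2017-08-02", "grocery"), ("2017-08-04", "petrol"), ("2017-08-08", "cafe"), ("2017-08-13", "pharmacy")],
    "c5": [("2017-08-15", "grocery"), ("2017-08-17", "petrol"), ("2017-08-21", "cafe"), ("2017-08-26", "pharmacy")],
}


def matching_ids(records: Records, points: List[Point]) -> Set[str]:
    """Pseudonyms whose history contains every one of the given points."""
    wanted = set(points)
    return {pid for pid, hist in records.items() if wanted <= set(hist)}


def unicity(records: Records, k: int) -> float:
    """Fraction of customers singled out by their first k known points.

    A customer counts as unique when those k points match no other pseudonym,
    i.e. someone holding k outside observations about a known person could
    pick out that person's pseudonymous record.
    """
    unique = sum(1 for hist in records.values() if len(matching_ids(records, hist[:k])) == 1)
    return unique / len(records)


def coarsen_to_week(records: Records) -> Records:
    """Generalise each date to its ISO week, a common (partial) mitigation."""
    def week(d: str) -> str:
        year, wk, _ = date.fromisoformat(d).isocalendar()
        return f"{year}-W{wk:02d}"
    return {pid: [(week(d), m) for d, m in hist] for pid, hist in records.items()}


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: exact dates -> {unicity(RECORDS, k):.0%} unique, "
              f"ISO weeks -> {unicity(coarsen_to_week(RECORDS), k):.0%} unique")
```

With exact dates, four points single out every customer in this toy set; coarsening to weeks drops that to two of five, yet those two remain identifiable, which is why the article treats such data as pseudonymous rather than anonymous.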

Even anonymous credit card transactions are enough to uniquely identify many people, so it is not hard to believe that anonymous Bitcoin transactions are also enough to uniquely identify many people. And because of this, it is not hard to imagine a situation in which EU regulators decide that the Bitcoin blockchain is a violation of the GDPR. But it is also hard to imagine that they will be able to do anything about it.

This article originally appeared in the August 2017 issue of ISSA Journal.


Retail Network Security Trends and Threats Report

Category : Uncategorized

In this webcast Michael Osterman will share the results of a large survey focused on large retail organizations undertaken by Osterman Research on behalf of Forcepoint. The research finds the top trends and pain points that IT and security professionals face as they attempt to protect their organizations from the growing variety of threats that can steal data, compromise retail systems, and exfiltrate funds from corporate systems.

Register now.