
Tag Archives | cyber attack

Is Your Smart Device Spying On You?

A regulatory agency in Germany just announced a ban on children’s smartwatches. This illustrates a growing concern among regulators and consumers alike regarding the privacy implications of smart devices. Is your smart device spying on you?

In the example of the smartwatch ban in Germany, the devices in question contain a remote listening capability. According to the regulators, this means the device counts as a spying device under German law. Worse yet, some smartwatches were found to transmit and store data without encryption. Parents could listen, unnoticed, to their child’s classroom, for example. But so could others who hack the device. Parents in Germany are being urged to destroy the smartwatches.

Concerns about smart device spying are not limited to Germany, however. According to a recent Deloitte survey, 40% of consumers are concerned that smart home devices reveal too much about their daily lives. After all, cameras and microphones within these devices can be hacked, and they are often found in the most intimate areas of the home, listening in on every conversation. While cheap devices that have been rushed to market may be more susceptible to hacking than larger brands, 60% of consumers in the survey felt that they had little or no information at all about the privacy of these devices. Smart device spying is a real and growing concern.

And it’s not just about listening to private conversations. These devices can also be controlled remotely by hackers to coordinate large distributed denial of service (DDoS) attacks on sites around the world, all without the device owner’s knowledge. Privacy cannot be taken for granted, and device manufacturers must make the security of devices a primary element in the design.

However, consumers of these devices have a role to play as well. Here are some ways that consumers can protect their smart devices:

  • When available, enable two-step authentication that requires physical access to the device in order to log in.
  • Ensure your internet connection is secure.
  • Install software updates issued by your device manufacturer immediately.
  • Change device passwords frequently.

Smart devices can be remarkably convenient for consumers, but the security of those devices cannot be ignored. Device manufacturers certainly have a role to play, ensuring privacy by design. However, consumers must also do their part to make sure that their devices can’t be hacked. This is the only way to ensure that the benefits of smart devices outweigh the risks.

Want to learn more about cyber security, and how it relates to not just smart devices, but other areas too? Explore the IEEE online course program Cyber Security Tools for Today’s Environment.

 

References

Griffin, A. (18 Nov, 2017). Low-Quality Devices Could Be Damaging the Idea of the Internet of Things. Independent.

Wakefield, J. (17 Nov, 2017). Germany Bans Children’s Smartwatches. BBC.

Tung, L. (20 Nov, 2017). Is Germany Right to Tell Parents to Destroy Kids’ Smartwatches Over Snooping Fears? ZDNet. 

Cakebread, C. (15 Nov, 2017). Consumers are Holding Off on Buying Smart-Home Gadgets Thanks to Security and Privacy Fears. Business Insider. 


Should the Government Regulate IoT Devices?

As security concerns rise about Internet of Things (IoT) devices, so does the debate about the necessity of government regulations. Should the government regulate IoT? Many Internet of Things devices on the market today have little to no security built in, which can compromise the privacy and even personal security of consumers.

Many consumers today are not (yet) clamoring for more regulation. A lot of them do not realize that their smart devices may be compromising their privacy in significant ways. Yet there is a growing concern from those in government and industry that something must be done. The question is, however, whether more secure devices will arise through government regulations imposed by governments that are often hacked themselves, or by the Internet of Things industry itself.

Should the government regulate IoT?

Proponents of government regulations see the following benefits to having the government regulate IoT devices:

  • Standards applied to every device that help to protect the security of consumers
  • Requirements for patches that take new security concerns into account

Opponents take a different view. Should the government regulate IoT devices, they are concerned about:

  • Regulation and bureaucracy stifling innovation
  • Expensive regulations eliminating smaller companies, reducing consumer choice and competition
  • The government lacks the expertise to effectively regulate these devices

What are lawmakers doing today?

Several countries are already proposing regulations related to this issue. For example, in Australia, lawmakers have proposed a certification for IoT devices with requirements such as:

  • Changeable, non-guessable, non-default passwords
  • Not to expose ports to the wider internet
  • Software updates to fix known vulnerabilities

In the United States, lawmakers are working on a bill related to devices purchased by the federal government that includes requirements such as:

  • Devices must be patchable, rely on industry standard protocols, and be built without hard-coded passwords and known security vulnerabilities
  • Alternative network-level security requirements for devices with limited data processing and software functionality
  • Cybersecurity coordinated vulnerability disclosure policies will be required of all contractors that provide connected devices to the U.S. Government

It is essential that Internet of Things devices become more secure in order to protect consumers, governments, and organizations alike, while complying with international data privacy regulations. Whether that is done through government regulation or industry self-regulation remains to be seen. Likely it will be a combination of both. As consumers and organizations alike become more aware of the security risks of IoT devices, the market demand for more secure devices will grow, increasing the supply in a market-driven economy. Likely we will see the government regulate IoT devices, while the market demand increases.

What do you think?

Should governments regulate Internet of Things devices? Or can the industry self-regulate? Please share your thoughts in the comments.

And if you’d like to learn more about the Internet of Things, check out our newest course program: IEEE Guide to the Internet of Things.

 

References:

List, J. (2017, 16 Oct). Aussies Propose Crackdown on Insecure IoT Devices. Hackaday.

Corsec. (2017, 27 Sept). IoT Security Facing Government Regulation. Corsec blog.

Thierer, A. and O’Sullivan, A. (2017, 12 June). Leave the Internet of Things Alone. US News & World Report.

Thomson, I. (2017, 15 Feb). You Know IoT Security is Bad when Libertarians Call for Strict Regulations. The Register.


Corporate Hacking: Are You a Target?

Corporate hacking stories are a staple of the news. Whether a small business or large international corporation, if you use the internet to do business, you are susceptible to having your network hacked, customers compromised, and your reputation ruined. How can you protect yourself from being a target of corporate hacking? Sometimes it is just about being proactive, and thinking smart.

Here are five strategies to defend against corporate hacking:

  • First, Think Passwords: Are yours strong and unique? Do you change them often? Usually, a hacker steals passwords. By regularly changing yours, you make it harder for hackers to use stolen data. If the hacker doesn’t have access to stolen passwords, they will try combinations of easily guessable alternatives. There are ways to make cracking your passwords more difficult, including using spaces and characters in your password and increasing the length. And whenever possible, use Two-Factor Authentication, which adds another layer of security. (2017, Symantec)
  • Second, Look at web URLs: Your information is not encrypted if you do not see an “s” after the “http.” Encryption is necessary for any business, especially when financial transactions, credit card information, or other critical data is shared.
  • Third, Software Updates: Keep abreast of the updates pushed out by software providers. They are created to counter software flaws. Updates, also known as patches, are developed and pushed to users for installation. It is important to keep up with the updates in order to stay ahead of malicious hackers who could use the flaws to hijack your system.
  • Fourth, Encrypt, Encrypt, Encrypt: Use road blocks to make it difficult for your corporate information to be collected and shared. Encrypting data is key to this process. Learn more about how to encrypt files in this post from Lifehacker.
  • Fifth, Employ White Hat Hackers: Sometimes you need to have someone on the inside working to find the cracks in your armor. Employing cyber security specialists, or training your existing employees in ethical hacking techniques, can wind up saving your company money in the long run. After all, cyber attacks can be incredibly expensive. Finding and patching the vulnerabilities yourself costs a lot less.

These are just a few of the many steps your company can take to make doing business more secure in the digital age and help build a defense against corporate hacking. One last tip: education. Stay ahead of trends by constantly educating your employees on best practices.

Why not learn more about cyber security and ethical hacking?

Check out the IEEE online course programs: Cyber Security for Today’s Environment and Hacking Your Company: Ethical Solutions to Defeat Cyber Attacks. These courses provide you and your employees with the foundation you need to put a sensible cyber security strategy in place for your organization.

 

Resources

Nixon, Sam. (2017, September 8). Are you an easy hacking target? Cybersecurity tips for small business. The Guardian.

Symantec. (2017). How to Choose a Secure Password. Norton Security Center.


Tips for Cyber Security Awareness Month

Are you #CyberAware? October is Cyber Security Awareness Month. It’s a great time to review the online security practices you use at home, as well as at school or at work. When we all work together to prevent cyber attack, the internet as a whole can get safer.

Individuals can protect their computers and networks by following some of these simple tips:

  • Apply patches and updates as soon as they are available. Sure, it can be annoying to continually run updates on your computer. But take a lesson from the massive WannaCry attack. It took advantage of a system vulnerability in the Windows operating system. Updating Windows prevented the attack. Yet many outdated computers were affected for lack of an upgrade. (2017, Saito)
  • Never click on links that seem suspicious. Sometimes the email may be from someone you know. But if it doesn’t feel right, it probably isn’t. When in doubt, reach out to the person who sent you the link another way to make sure the link is legitimate before clicking.
  • Practice good password hygiene. Make sure your passwords are long, use a combination of symbols and letters, and are changed frequently.

In addition to the above tips, businesses should also keep in mind the NIST Security Framework. This framework includes:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Learn more about the framework, and how to apply each of these steps for your business, at StaySafeOnline, powered by the National Cyber Security Alliance.

Everyone needs to do their part to prevent cyber attacks, and Cyber Security Awareness Month is a great time to start. The number one key is to educate yourself on the tricks cyber criminals use, so you can defend against these attacks.

Ready to learn more about cyber security, or even considering a cyber security or ethical hacking career? Check out the IEEE online course programs: Cyber Security for Today’s Environment and Hacking Your Company: Ethical Solutions to Defeat Cyber Attacks. These courses will give you a solid foundation in the basics of cyber security to prepare you to defend your company’s network from cyber attack.

How do you defend against cyber attack? Please share your tips in the comments below.

 

References

Saito, W. (2017, May 18). 9 Ways to Stay Safe from Cyber Attacks. World Economic Forum.

Stay Safe Online powered by the National Cyber Security Alliance. (2017) https://staysafeonline.org/


Medical Device Cyber Security is Essential


No one wants to imagine that their pacemaker or insulin pump can be hacked when their life depends on the proper functioning of these medical devices. However, a recent Ponemon Institute survey discovered that 67 percent of medical device manufacturers and 56 percent of Healthcare Delivery Organizations (HDOs) think an attack on a medical device in use is likely to occur over the next 12 months (2017 TripWire). That information provides an added layer of anxiety for patients, medical providers, and manufacturers, and makes medical device cyber security more important than ever.

There is good news, though. In the last 5 years, healthcare providers and manufacturers have made an effort to include cyber attacks in their contingency plans, and put into place resources to mitigate a potential breach. (2017 TripWire)

These well-designed security plans for medical device cyber security include:

  • Dedicated budget for cyber security
  • Cyber security professionals included in the staffing headcount
  • Risk assessments regularly performed by healthcare providers
  • Penetration testing conducted regularly
  • Security awareness and training programs made available
  • And much more…

The US Food and Drug Administration has been making inroads to mitigate any potential attacks with updates to security measures and by seeking to formalize guidelines. As with all guidelines, they do not have to be followed. However, if a provider adopts the recommendations, medical device cyber security can be improved, making the industry and the patient less apprehensive. (2017 TripWire) Not to mention the fact that the provider can use these security measures as a competitive advantage.

Want to learn more about cyber security and how it can affect the healthcare industry? IEEE offers both cyber security and ethical hacking training to help corporations prepare. Learn more about institutional pricing and request a quote here.

References

Newman, L. (2017, March 2) Medical Devices Are the Next Security Nightmare. Wired

(2017, August 27) Highs & Lows of Cyber Security in Healthcare. TripWire


Easy Ways to Improve Your Organization’s Cyber Security

The Internet touches almost all aspects of everyone’s daily life, according to the US Department of Homeland Security. However, with access to so much information comes an increase in cyber-attacks that can affect people and companies on a global scale. In 2016, there was a 38% increase in phishing security attacks year over year according to a report produced by PricewaterhouseCoopers. The techniques that attackers use are also evolving, with attacks that continue to affect more computers and devices than ever before. (2017 Revision Legal) Every organization wants to improve cyber security, but the prospect can sometimes seem overwhelming.

The news in 2017 has been equally daunting with reports of serious cyber breaches that affect individuals and companies. Some of the more serious instances include a recent security breach to credit-reporting agency Equifax, a Gmail phishing campaign, US IRS data breach, and the British health system shutdown that affected administering medical attention to patients all over the UK.

With such widespread attacks, how do you protect yourself? How do you protect your company?

Sometimes it is the most basic steps that will improve cyber security for your organization, and make it harder for the hackers to be successful. (2017 Wired)

  • Training
    • Stay sharp on techniques hackers are using. Training will help you identify and avoid the traps and improve cyber security.
  • Always Think Before Clicking
    • Sometimes it is as simple as trusting your gut. Many times, we notice something that bothers us, but we cannot identify what it is. Always trust your instincts. If it does not feel right, do not click on the link or open that email.
  • Consider the Source
    • Have you received information from this sender before? Is the offer too good to be true? Sometimes taking a few moments to read the full email address or researching who the sender is will help you sidestep a pitfall.
  • Use Security Back-Ups
    • Take advantage of security options when available like enabling multi-factor authentication on accounts, using a password manager or other system to help in maintaining strong passwords, and backing up your data.

October is National Cyber Security Awareness Month. Why not use this as an opportunity to have your staff become more aware of their cyber surroundings and in turn protect themselves and the company as you improve cyber security throughout the organization?

Does your organization need cyber security training? IEEE offers both cyber security and ethical hacking training to help organizations prepare. Learn more about organization pricing and request a quote here.

References

(2017, Aug 11) National Cyber Security Awareness Month. US Department of Homeland Security.

Newman, L. (2017, Mar 19) Phishing Scams Even Fool Tech Nerds—Here’s How to Avoid Them. Wired.

DiGiacomo, J. (2017, Jun 21) 2017 Security Breaches: Frequency and Severity on the Rise. JD Supra.


Study Reveals Most Organizations Are Unprepared for Cyber Attack


A recent study released by Arctic Wolf Networks (2017) has found that many organizations are completely unprepared for cyber attack, and Internet of Things (IoT) devices are only making the problem worse. In the wake of attacks such as the one on Equifax, it has become clearer than ever that every organization needs a comprehensive cyber security strategy in place.

The study revealed that 100% of the companies that were included use at least one IoT device. Because these IoT devices often do not have the necessary security infrastructure built in, they are easy targets. While nearly every company had a firewall and antivirus system in place, that is unfortunately just the beginning of what is needed. The advanced threats seen today easily bypass these measures and many organizations are unprepared for cyber attack.

The Equifax attack, for example, was an attack on a web application (2017, Wolff-Mann). This type of attack, a SQL injection attack, tricks an interactive web page, such as a form, into giving up far more from the database than was requested. So, for example, rather than just providing the requested information, any information stored in the database could be captured by hackers, and used for nefarious purposes. Unfortunately, many organizations focus on network security instead of software security, resulting in data breaches such as the one experienced by Equifax. Rohit Sethi, COO of Security Compass, believes that the automated testing and scans that many organizations rely on cannot measure up to what a trained human being can do.
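The form behaviour described above, shown from the defender's side as an added example that is not part of the original article: a lookup that builds its SQL by string concatenation returns every row for a crafted input, while a parameterized query and an allow-list check do not. The table, sample rows and function names are hypothetical and constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3

# Constructed sample data standing in for a customer database (not real records).
SAMPLE_ROWS = [
    ("1001", "Alice Example", "000-00-0001"),
    ("1002", "Bob Example", "000-00-0002"),
    ("1003", "Carol Example", "000-00-0003"),
]

# Constructed form input that changes the meaning of a concatenated query.
CRAFTED_INPUT = "1001' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_id TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, account_id):
    """Weak form handler: user input is pasted into the SQL text itself."""
    query = ("SELECT name, ssn FROM customers WHERE account_id = '"
             + account_id + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, account_id):
    """Hardened handler: input is bound as data and never parsed as SQL."""
    query = "SELECT name, ssn FROM customers WHERE account_id = ?"
    return conn.execute(query, (account_id,)).fetchall()


def lookup_validated(conn, account_id):
    """Defence in depth: reject anything that is not a plain account number
    before it reaches the parameterized query."""
    if not (account_id.isdigit() and len(account_id) <= 10):
        raise ValueError("account_id must be 1-10 digits")
    return lookup_parameterized(conn, account_id)


def compare(conn, inputs):
    """Return {input: (rows from weak handler, rows from hardened handler)}."""
    return {
        value: (len(lookup_vulnerable(conn, value)),
                len(lookup_parameterized(conn, value)))
        for value in inputs
    }


if __name__ == "__main__":
    db = build_db()
    for value, (weak, hardened) in compare(db, ["1001", CRAFTED_INPUT]).items():
        print(f"{value!r}: concatenated={weak} rows, parameterized={hardened} rows")
```

A code review or test suite can use the same comparison as a regression check: any handler that returns more rows for the crafted input than for a plain account number is building SQL from user input.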

Several industries have found themselves subject to attacks on IoT devices, with transportation leading the way. 29% of transportation companies have reported being subject to an attack, followed by 22% of energy, oil and gas; utilities, construction and property; and IT, Technology and Telecoms. And this number is expected to rise as cyber criminals become more sophisticated in their attacks. The infrastructure maintained by these industries is critical, and organizations cannot ignore the necessity to put trained personnel and advanced systems in place to protect the people that they serve. As hackers become more sophisticated, ignorance is no longer an excuse to be unprepared for cyber attack.

It is up to every organization to get the training and put the systems in place needed to defend against cyber attack, and protect their organizations and customers.

Does your organization need cyber security training? IEEE offers both cyber security and ethical hacking training to help organizations prepare. Learn more about organization pricing and request a quote here.

 

References:

Wolff-Mann, E. (2017, Sept 8). Equifax hack exposes a major cybersecurity gap. Yahoo! Finance.

Arctic Wolf Networks. (2017, Sept 7). Ransomware of Things: When Ransomware and IoT Collide. arcticwolf.com.

 


Three Ethical Hacking Myths

A recent report conducted by Lloyd’s of London predicts that a worldwide cyber attack could result in approximately $53 billion of economic losses, an amount similar to the costs from U.S. Superstorm Sandy in 2012 (Reuters, 2017). In light of this figure and the rise of cyber attacks over the past several months, the call to strengthen cyber security has become loud and clear. Ethical hacking, where someone acts like a malicious hacker (after obtaining permission) in order to identify vulnerabilities in a system, is one means to significantly improve an organization’s cyber security. There is a lot of misinformation, however, about ethical hacking and the people that perform these services. Here are three ethical hacking myths, and why they are incorrect:

  1. Ethical hackers are not as knowledgeable as malicious hackers. Some “white hat” (ethical) hackers actually used to be “black hat” (malicious) hackers, so there is no difference in ability level (LANInfotech, 2017). According to Cyber Security Intelligence (2017), “Ethical hackers, like any other hacker, may also venture into the dark web to gain intelligence and learn about new exploits.” The main differences between ethical hackers and malicious hackers are their intentions, and whether or not their actions are legal and performed with permission.
  2. Performing ethical hacking once is enough. On the contrary, it is helpful to perform ethical hacking regularly. SystemExperts CEO Jonathan G. Gossels analogizes this process to an annual physical. His cyber security company “tests clients’ digital defenses on a yearly basis or if there is a change in management” (Milliken, 2017). Analysts evaluate a company’s size and type of information stored when deciding the degree of security needed, and then they search for potential risks.
  3. It is best to hire an ethical hacker from outside of the company. While there are businesses out there that specialize in contracting cyber security and ethical hacking services, you can equip your own technical professionals with ethical hacking skills by providing training or specialized certification courses (Milliken, 2017). Having people on the inside perform ethical hacking for the company might also feel less risky, though there are pros and cons to either choice.

Despite its advantages, ethical hacking has yet to gain mainstream acceptance, perhaps because of some of these ethical hacking myths. Those organizations looking to cover their bases and ensure their network is secure will benefit from implementing some form of ethical hacking, however, as it is better for an ethical hacker to find the vulnerabilities before someone else does.

Interested in providing ethical training for your organization’s technical professionals? Check out IEEE’s online training Hacking Your Company: Ethical Solutions to Defeat Cyber Attack.

References:

(2017). White hat vs. black hat hackers and the need for ethical hacking. LANInfotech.

(2017, Jun 5). Ethical hacking can beat black hat hackers. Cyber Security Intelligence.

Barlyn, S. (2017, Jul 17). Global cyber attack could spur $53 billion in losses: Lloyd’s of London. Reuters.

Milliken, K. (2017, Jul 17). Ethical hacking: At WPI, a search for computer vulnerabilities. Telegram.


Five Lessons Learned from Recent Cyber Attacks


Cyber attacks are happening more often and becoming more severe. The recent WannaCry and NotPetya attacks have taught us several important lessons to keep in mind as we look to improve our own cybersecurity defenses:

  1. The threats weren’t necessarily new. Attacks similar to WannaCry occurred with Sony in 2014 and Blaster in 2003 (Ward, 2017). Firewalls and regular patching can prevent the attacks, and the specific patch for the WannaCry vulnerability was released almost two months ahead of the attack. When word got out that this weakness existed and that it was easy to exploit, those that did not act quickly to patch their vulnerabilities suffered from the attacks.
  2. Many organizations were still vulnerable. According to Hackett (2017), the NotPetya cyber attacks targeted companies that failed to patch their systems against the Microsoft vulnerability (SMB-1). If you haven’t already, make sure you apply Microsoft patch MS17-010 and block connections to Microsoft Windows’ port 445 (Howard, 2017).
  3. Back up your data. Even after applying patches, no firewall or anti-virus software is completely flawless, so it’s best to store important data in another location outside of the network (Weavers, as cited by Satran, 2017).
  4. If affected, report incidents and take the proper response steps immediately. Quick incident reporting and firm participation helped stop the spread of WannaCry not long after the attacks had begun. Regulators have also started issuing warnings that those neglecting to report cyber attacks within 72 hours will be penalized. The Office of Civil Rights (OCR) recently published a helpful checklist and infographic for responding to cyber attacks here.
  5. Paying the ransom doesn’t guarantee your files will be returned. The email service (Posteo) quickly blocked the email used for receipt of Bitcoin, severing any link for further communication. Further, paying the ransom will likely encourage cyber criminals to continue the attacks.

These attacks serve as stark reminders to take preventative measures and avoid complacency with our cyber security. The risks are becoming harder to ignore as we continue to see attacks emerge and ripple across a global network.

Is your organization prepared to handle a cyber attack? Are you looking for ways to strengthen your organization’s cyber security? IEEE offers extensive training for technical professionals to improve security techniques. Check them out here: Courses from IEEE Continuing Education

References:

Hackett, R. (2017, Jun 27). Everything to know about the latest worldwide ransomware attack. Fortune.

Howard, R. (2017, Jun 27). Threat brief: Petya ransomware. Palo Alto Networks, Inc.

Satran, R. (2017, Jun 22). ANALYSIS: WannaCry attacks shows trend toward ‘economic’ cyber threats, rising regulatory risk. Reuters.

Ward, D. WannaCry NHS attack - Busting the myths. Public Technology.net.
