March 14, 2014

Rise in cyber security budgets

New data from a BAE Systems Applied Intelligence survey indicates that about 60 percent of large companies across the U.S., Canada, Great Britain, and Australia have increased their spending on cybersecurity since last year’s Target breach. Industries such as banking, technology, law, and mining are now spending up to 15 percent of their entire IT budgets on security. More than 80 percent of survey respondents expect the number of cyberattacks to rise. The loss of customer data ranked as the companies’ greatest concern, followed by the loss of trade secrets, reputational damage, and service interruption.

Nearly half of the U.S. companies in the survey said a cyberattack would cost them around $15 million, while 29 percent estimated the cost at more than $75 million. The results suggest that breaches would take an extreme financial toll on smaller companies as well.

The Target breach over the 2013 holiday season claimed 40 million customers’ credit and debit card numbers.


February 12, 2014

Quatrashield VP Article on SMB Nation: SMBs Lack the Tools to Fight Cyber Attack

When it comes to cyber-attack, Small and Medium Businesses are at a significant disadvantage. Lacking the resources and expertise of their Enterprise counterparts, SMBs often rely on free or lightweight tools that leave their organizations exposed to attack. Instead of shoring up their cyber-defenses, many SMBs wait for a breach to occur. In some cases this can be too late.

Hacking has never been as easy as it is today. The significant information sharing between hackers has created a publicly-available knowledgebase that is easily accessible to cyber-criminals. Sites such as serve as a training ground for cyber criminals, hacktivists and even government entities to gain up-to-date information on new attack vectors.

The net result is that SMBs are often the victims of data breaches, phishing, DDoS and watering hole attacks. A recent report commissioned by the Department for Business, Innovation and Skills (BIS) indicates that 63% of small businesses in the UK were attacked by an unauthorized outsider in the last year, which is up from 41% a year ago. The research also uncovered that 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago). [1]

The Enterprise/SMB Technology Model Does Not Apply to Cyber Security

Traditionally, Enterprise and SMB level technologies differ in design and capability – whether they have been built from the ground-up as unique solutions or whether the SMB module is a “light” version of the Enterprise class technology with certain features disabled. The key differentiators between Enterprise and SMB class technology are the expected level of flexibility and sophistication including configuration, deployment, management and reporting. From a scalability perspective, Enterprise level technologies are designed to be deployed in a non-disruptive way to hundreds, if not thousands, of users or access points within an organization spanning multiple offices and geographic territories. SMB level technology is designed for a small number of users or ports and is not intended to scale.

When it comes to cyber-security, the traditional Enterprise versus SMB model does not work. Pricing SMB oriented technology at a more affordable level as a trade-off for limited functionalities may be a good marketing tactic for security vendors selling into this segment, but leaves the SMB with a limited and mostly cosmetic protection against attack.

Firstly, regulatory compliance requirements such as PCI-DSS and HIPAA are applicable to both SMB and Enterprise size organizations. The onus on organizations of both sizes necessitates the implementation of systems and processes to protect third party data. Therefore, companies that are mandated to protect their sensitive data may not have the flexibility to rely on basic cyber security technologies that fall short of regulatory requirements. More importantly, Small and Medium businesses are often the direct target of hacker attacks. By relying on cheap, “light” but largely ineffective software, the SMB business maker may inadvertently expose his or her organization to significant risk of cyber-attack.

The Downside to SMB Level Technologies

Many of the (inexpensive) cyber security tools in the marketplace that are targeted at the SMB segment offer basic protection that can easily be bypassed by most hackers. For instance, the typical entry-level web application vulnerability scanner is based on open source technologies widely disseminated in the hacksphere. For the small business owner with limited staff, trying the Do-It-Yourself route can be frustrating and resource intensive, and it takes away from business focus.

Marketers of SMB focused cyber technologies take advantage of the overall confusion in the marketplace and overemphasize basic capabilities. For instance, the Open Web Application Security Project (OWASP) publishes a list of Top 10 application vulnerabilities. The typical Enterprise organization will purchase a tool that scans for twenty or more vulnerabilities, and the better technologies are based on artificial intelligence that scans more deeply. When SMB focused tools list product specs, they often include features that are rudimentary.

In our evaluation of a sample population of web application vulnerability scanners that target the SMB market, we have identified significant flaws in many of the current commercial offerings. Important capabilities – such as the ability for a scanner to drill deeply within an application layer based on dynamic parameters – are often not bundled in the basic SMB cyber security packages. Many of the tools report vast amounts of false positives, thereby requiring additional follow-on investments in costly remediation. More troubling is the number of false negatives – the number of significant vulnerabilities and malware that are simply not caught by even some of the leading SMB targeted software vendors.

The Cloud Is Not a Silver Bullet

Another challenge for SMBs is the confusion about how cloud-based technologies can help them protect their businesses from attack. In many cases, the hype surrounding some cyber solutions in the marketplace may lead the SMB business owner to over-rely on technology to address the cyber threat. For instance, many cloud-based solutions advertise their end-to-end capability and falsely claim that their systems can identify and remove the threat of cyber-attack. There is a huge difference between systematically identifying a vulnerability and automatically removing it. Remediation is a complex process often requiring coding or access to system configuration. The claims to the contrary are misleading and can result in an over-reliance on point solutions to address a systemic risk of attack. Furthermore, we are noticing the attack vector moving towards the Cloud as hackers have realized that the Cloud is a single point of information concentration.

Final Thoughts on Technology as a Sole Solution

Not one software solution is going to remove the threat of cyber-attack. Good cyber security practices need to be applied on a company-wide basis and are not simply restricted to the IT department. We are only as strong as our weakest link and a company’s employees, customers and partners are the first line of defense against cyber-attack. From a technology perspective one should always assume that hackers have access to the latest advances in technologies and one should constantly update one’s defense toolset in order to reflect what’s happening in the hacker-sphere. Equally important is to create policies that standardize security practices across the organization.

Although hackers are constantly changing their methods, organizations need guidelines that withstand the test of time. Businesses of all sizes need to plan carefully and budget wisely to protect their data assets.

About the author: Mervin Pearce (CISSP-ISSAP) is the Vice President of Professional Services at QuatraShield, a SaaS provider of Enterprise-class cyber security technologies that include web application vulnerability scanners and malware scanners.

January 13, 2014

Announcement: Quatrashield Launches White Label Program for ISPs to Enter Cyber Security Market

(The Hosting News) – Quatrashield, a SaaS provider of Enterprise-class cyber security technologies, has launched a new partner program for the Hosting Industry. ISP Protection Plus is a white label offering for Hosting Companies to re-sell web application vulnerability scanners, penetration testing and threat remediation services.

The company’s cloud-based software platform is based on military grade technology. Its two leading products – QuatraScan V3000 and QuatraWare M3000 – use advanced artificial intelligence to deeply penetrate a corporate website and identify malware and application vulnerabilities that are often undetected by standard commercial software packages.

ISP Protection Plus offers ISPs the opportunity to create their own branding for the QuatraScan and QuatraWare scanners. Because the solutions are cloud-based, there is no investment in technical infrastructure required on the part of the Hosting Company. In an era where companies are increasingly concerned about the threat of hackers, Hosting Companies can use website security protection services as a competitive differentiator in the marketplace.

Said QuatraShield CEO Johan Grobler: “We believe that ISP Protection Plus is an easy entry into the high-end of the cyber security market. Although some ISPs are re-selling low-end scanners, we allow ISPs to offer their customers Enterprise-class cyber-security technologies.”

In addition to the company’s malware and application vulnerability scanners, Quatrashield offers Hosting Companies white-labeled value-added professional services including Black Box Penetration Testing and Threat Remediation. “Our goal is to provide ISPs with a packaged security offer to their most valuable customers that are looking for more help combatting the threat of hackers,” said Grobler.

December 17, 2013

10 Ways to Protect Your Company and Employees from Hacking

Here is a link to my blog posting on

December 17, 2013

UK Study: SMBs report more security breaches in 2013

A new study released by PwC and InfoSecurity Europe indicates that the large increase in security breaches is occurring in the Small Business segment (under 50 employees) and that these businesses are “now experiencing incident levels previously only seen in larger organisations.”

Below are some of the report highlights: 

  • 63% of small businesses were attacked by an unauthorized outsider in the last year (up from 41% a year ago)
  • 23% of small businesses were hit by denial-of-service attacks in the last year (up from 15% a year ago)
  • 15% of small businesses detected that outsiders had successfully penetrated their network in the last year (up from 7% a year ago)
  • 9% of small businesses know that outsiders have stolen their intellectual property or confidential data in the last year (up from 4% a year ago)
  • 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago)
  • 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago)

Good News/Bad News

For the SMB segment, there has been a rise in the cost associated with breaches. The average cost to a small business of its worst breach was between 35,000 and 65,000 pounds.

The silver lining here is that senior management does understand the risk of cyber-crime and there is an increased effort to prioritize investment and education in this arena.

December 8, 2013

New Study: Only 2% of leading online retailer sites use secure HTTPS for e-commerce

A new research report indicates that very few e-commerce websites automatically protect users by directing them to highly secure HTTPS versions that use always-on SSL. The study, conducted by High-Tech Bridge, analyzed the top 100 e-commerce sites.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the findings: “Alarmingly, only 2% (two per cent) of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7% of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27% of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

Here is a summary of findings from the report:


  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 of website certificates expire in less than one month.
  • 99/100 of websites have 2048-bit or even stronger encryption certificate.
  • 2/100 websites do not have SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some “non-critical” online activities of their customers, such as shopping cart management for example.
  • An extremely low 2/100 websites protect users by automatically using a secure HTTPS version (SSL) by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages.

December 5, 2013

Microsoft’s guidance for protecting the enterprise from attack

Microsoft has released its guidance on best practices to protect enterprises from malicious attack.  Here is a summary of the report recommendations:

  1. Keep all software up-to-date:  Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible.
  2. Demand software that was developed with a security development lifecycle:  Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.
  3. Restrict websites: Limit web sites that your organization’s users can visit.  This likely won’t be popular in the office, but given the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case.
  4. Manage security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: technologies like Network Access Protection (NAP), Intrusion Prevention System (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing its level of network access.

November 24, 2013

WSJ: Companies Neglect Physical Threat in Cyber-attacks

The Wall Street Journal makes an interesting point about how many companies ignore the linkage between physical intrusion and cyberattack. The focus on obvious forms of cyber-attack such as phishing, malware etc. should not come at the expense of precautions related to physical vulnerabilities. For instance, cyber criminals broke into the office of the Walmart-owned Vudu video service and removed hard drives that contained customer data. Even the Federal government is not immune from attack. The Department of Veteran Affairs is currently being sued after a laptop containing 7,500 veteran records went missing.

November 21, 2013

Developers need to start thinking about security now

Riaan Gouws:

Well written article we wanted to share.

Originally posted on VentureBeat:

Andy Chou will be discussing developer-first security at DevBeat.

The fundamental relationship between security and development is broken.

It’s broken because security teams drive security, and development teams let them. There needs to be a re-balancing of this relationship, driven by an awakening in the developer community.

Development teams abdicate security because they don’t understand it. They abdicate because they are too busy building features. They abdicate because they are too busy fighting fires. Developers are just too damn busy.

Editor’s note: Developers! If you’re good and want to be great, our upcoming DevBeat conference, Nov. 12-13 in San Francisco, is a hands-on event packed with master classes, presentations, Q&As, and hackathons, all aimed at boosting your code skills, security knowledge, hardware hacking, and career development. We’ll also have special sessions dedicated to security. Register now.

And yet, there was a time when developers were too busy for quality. But…

November 12, 2013

5 ways to prevent being hacked using a public WiFi

Many people log into public WiFi without realizing the danger posed by hackers who are often monitoring their traffic and accessing sensitive information. We’ve compiled a short list of precautions that can be taken in order to prevent hackers from accessing your private data:

1) Do not simply log into any public network. Only log into recognized networks.

2) Check your computer settings so that you do not automatically log into unknown public networks.

3) Use encryption via https when accessing a website that requires you to provide sensitive information.

4) Disable shared access to files.

5) Consider using a VPN if you will be accessing/sending sensitive data.

