Category: General Cyber Security

Simple Ways to Ensure Your Children’s Safety Online

Today, cybercrime is rampant. That presents a unique problem to parents in deciding how to approach ‘online safety’ with their children.

Worldwide, about 4000 cybercrime attacks occur each day, and, in fact, every 32 seconds a hacker attacks someone online. To use the Internet safely and securely, you must know what to do and what not to do, and be able to distinguish between safe and unsafe.

Awareness and personal responsibility are vital components in surfing the web safely. Children should become aware of that as soon as possible.

Child-proofing the Internet is not as viable an option as some parents may hope it is. Yes, there are ways to block websites, keeping your children off of them. But it’s still preferable to educate them on the dangers the web presents.

Teach them how to keep themselves safe online. That includes what sites to avoid, links not to click, files not to download, emails to ignore, and so on. Education on the topic of cybercrime is a must.

Above all, children must learn not to share personal information of any kind. Teach them young that giving out their full name, phone number, or home address through any medium (email, Facebook, gaming platforms) is wrong.

Teach them to be cautious. Sometimes a string of innocent-seeming questions may pose a grave danger. It can start with your name, where you go to school, your postcode, and the child might not realize the escalation. Make sure your child can recognize it.

As a parent, you must always keep your devices up to date and have security software installed on them – antivirus programs, anti-malware software, and other security software. Create unique passwords for your different accounts, and teach your children to do the same. Alternatively, use passwordless authentication.

There are varying parenting styles. Some deem the act of monitoring their child’s online activity as an intrusion of privacy. Others perceive it as a given. Regardless of your parental views, it’s good to keep aware of what your child does on the Internet and encourage appropriate behaviors while discouraging inappropriate ones.

On the diagram, you can see a standard hacking workflow. Usually, hackers use this workflow to execute attacks. You can see that the first stage of attacks usually involves message-based fraud or social engineering.

‘Stranger danger’ has evolved beyond an in-person possibility of peril. It now lurks online, as well. Teach your children that not all online strangers are friendships waiting to happen – some are dangerous and look to cause mayhem and harm, i.e., hackers.

Make sure children realize that what goes on on the Internet stays on the Internet. If they upload a picture, it will forever be there. If they share their private details, they cannot merely ‘take them back.’

There are consequences to interacting with the web, and it’s your responsibility as a parent to teach them that valuable lesson.

In summary:

  • Stay updated: Always install updates when needed, and ensure your devices are protected.
  • Do not overshare: Be wary of sharing private details with people online. Sharing personal information can backfire. Ensure your children know this.
  • Have a conversation with your child: Explain the many dangers that lurk online. Yes, children may not ‘get it’ right away. But if that’s the case, talk to them again.
  • Use unique passwords: Ensure your child knows the importance of a strong password and the perils of using the same one for every account.
  • Keep an eye on their online activities: Be sure to monitor your child’s online activities to the extent that you know what they’re ‘up to’ online. Still, over-monitoring is not good, so please use it carefully.

Educate your children, and make sure they know of the dangers the Internet presents and what they can do to minimize them.

How Secure Are Virtual Appliances?

A recent report raises questions about software vendors’ responsibilities and claims to have detected more than 400,000 vulnerabilities across software vendors. Virtual appliances are often used to provide IT security functions like firewalls, encryption, and secure gateways. They aim to eliminate the need for dedicated hardware and can be deployed on cloud platforms.

Virtual appliances often reach consumers ready to be deployed to public and private cloud environments. Most consumers believe that virtual devices are safe and secure, free from security risks, but Orca’s report proves otherwise.

In the research, conducted in April-May 2020, 2,218 virtual appliances from 540 vendors were scanned and checked for known vulnerabilities and risks. The researchers ranked every appliance according to a scoring system designed for this research.

It is a good idea to encrypt your data before sending it to any virtual appliance. On the diagram you can see the standard hybrid encryption protocol, which combines symmetric and asymmetric cryptography schemes. It offers a good level of additional security.

The number of total discovered vulnerabilities is just over 400,000. The appliances received grades from A+ (exemplary) to F (failure). Only a mere 8% of products scored an A+, while 24% got an A as ‘well-maintained,’ 12% received a B as ‘above average,’ 25% were ‘mediocre’ with a C, 16% got a D as ‘poor,’ and 15% ‘failed’ with an F.

Interestingly enough, some vendors had products that scored an A or A+ as well as products that landed an F.

Correlation quality/price

Another exciting discovery by the report was that price doesn’t directly correlate with security. More expensive products don’t necessarily offer more protection. 1,489 of the products charged an average of $0.3/hour, while 510 were free, many of which were also open-source. The highest charge for appliances, which got tested in the report, was $3.00/hour. Free products received an average security score of 77.58, while fee-based ones got a 77.38.

Updates

It should come as no surprise that, as products get outdated, their vulnerability increases. Updates are essential as they can fix vulnerabilities when done regularly. The report discovered that 110 products received no updates for at least three years, 1,049 in the last year and only 312 got updated over the previous three months. Only 64 had received updates in the past month.

Feedback

After the scans and grading were finished, the vendors received emails with the findings. All the vendors were contacted, but only 80 responded. Though the responses varied, many confirmed they had taken remedial action. As a result, 287 products have received updates, and 53 were removed from distribution. Even though these numbers may seem unimpressive, that meant 36,938 (out of 401,571) discovered vulnerabilities were addressed. After a rescan, products that initially received an F ranking had improved their ranking to an A or A+.

The report also presents a few recommendations to help organizations reduce risks posed by virtual appliances. Among them are asset management and vulnerability management tools. Asset management helps to keep track of virtual devices, while vulnerability management tools assist in finding weaknesses.

Orca made sure to include in its report that all the data presented is a mere guide. A vendor’s top score doesn’t equate to a risk-free guarantee on all its virtual appliances. As already mentioned, some vendors have products with both the top and the lowest scores.

Is Identity-Based Passwordless Authentication the Way to Go?

User identity and security have long been reinforced in organizations by the use of strong passwords. Access to user accounts tends to be restricted based on the specific passwords typed. However, that has changed as the rise of technology has wiped away the traditional password methods. Although some organizations still prefer passwords, authentication is slowly becoming passwordless for reasons of convenience and efficiency. Identity-based passwordless authentication is the focus of organizations and IT migration.

Passwordless authentication helps curb the insecurity that is common with organizations. The trends in cybercrime require that organizations implement robust measures of security in helping minimize the consequences.

Most technology-driven organizations have already implemented identity-based passwordless authentication. One popular method uses biometric authentication as the main component of identity-based passwordless authentication. It integrates biological features to develop some of the most effective solutions for signing into information systems and corporate portals. Significantly, a better approach to managing user profile security and accessibility is to leverage biometric features and integrate them with IT to promote a seamless process of identification. However, it is essential to ensure that the biometric data stays on your device and is adequately encrypted. Otherwise, once stolen, anyone can reuse it. Other methods directly use public and private key cryptography to achieve the same results.

You can see a sample architecture based on passwordless authentication on the diagram. Users use a gesture to unlock a hardware device, and different apps use the private key stored in this hardware device to sign a random token. Later, this signature is verified on the server.
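The flow described above, as an added example that is not code from the original article or from any specific product: the server issues a single-use random token, the unlocked device signs it, and the server verifies the signature against the enrolled public key. Ed25519, the `Server` and `Device` types, the `example-login-v1` prefix and the user name are assumptions of this sketch; challenge expiry is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys and the challenges it has issued.
type Server struct {
	pubKeys map[string]ed25519.PublicKey // user -> enrolled device public key
	pending map[string]string            // challenge bytes -> user it was issued to
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random token for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = user
	return c, nil
}

// Verify consumes the challenge (single use) and checks the device signature.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	owner, ok := s.pending[string(challenge)]
	delete(s.pending, string(challenge)) // one attempt per challenge, pass or fail
	if !ok || owner != user {
		return fmt.Errorf("no open challenge for %q", user)
	}
	pub, ok := s.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedMessage(user, challenge), sig) {
		return fmt.Errorf("signature rejected for %q", user)
	}
	return nil
}

// signedMessage binds the signature to this service and user, not just the token.
func signedMessage(user string, challenge []byte) []byte {
	return append([]byte("example-login-v1|"+user+"|"), challenge...)
}

// Device stands in for the hardware key store; the private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv}, pub, err
}

// Sign works only after the local unlock gesture (PIN or biometric) has succeeded.
func (d *Device) Sign(user string, challenge []byte, unlocked bool) ([]byte, error) {
	if !unlocked {
		return nil, fmt.Errorf("device locked")
	}
	return ed25519.Sign(d.priv, signedMessage(user, challenge)), nil
}

// LoginSelfCheck: a valid login, a replayed response, an unenrolled key, a locked device.
func LoginSelfCheck() (login, replayRejected, rogueRejected, lockedRejected bool) {
	srv := &Server{map[string]ed25519.PublicKey{}, map[string]string{}}
	dev, pub, err1 := NewDevice()
	rogue, _, err2 := NewDevice() // different key pair, never enrolled for alice
	if err1 != nil || err2 != nil {
		return
	}
	srv.Enroll("alice", pub) // constructed user name
	c1, _ := srv.Challenge("alice")
	sig, _ := dev.Sign("alice", c1, true)
	login = srv.Verify("alice", c1, sig) == nil
	replayRejected = srv.Verify("alice", c1, sig) != nil // captured response sent again
	c2, _ := srv.Challenge("alice")
	forged, _ := rogue.Sign("alice", c2, true)
	rogueRejected = srv.Verify("alice", c2, forged) != nil
	_, err := dev.Sign("alice", c2, false)
	lockedRejected = err != nil
	return
}

func main() { fmt.Println(LoginSelfCheck()) }
```

Nothing the server stores is a usable secret: a database leak exposes public keys only, and a captured signature is useless once its challenge has been consumed.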

The uniqueness and strength of restricted access are robust in passwordless protection. Its features help in the promotion of quality and proper protection techniques, which are vital. Considering diverse approaches and key organizational security management measures, organizations have opted for identity-based passwordless authentication.

Cybersecurity is a significant concern, with hackers targeting high-profile organizations and creating weak points while accessing sensitive information. According to recent research, technological migration has been towards passwordless identification. The users do not have to use password authentication to access the organizational profiles. Necessarily, integration and passwordless leverage are vital in implementing the proper security protocols to achieve the desired security goals.

The feasibility of identity-based passwordless authentication is another competitive advantage. Passwords are tedious. Every time you enter them, you waste time, which is a significant impediment to a flawless work process. Most employers prefer passwordless authentication because they implement strategic and focused measures to improve access levels and ensure necessary and fundamental elements.

Passwords are the primary targets for hackers since they only have to master the keywords and process execution, which results in cracking of the security architecture. Biometric technology is the best way to focus and help advance its security needs, mainly by implementing efficient identification processes.

According to attackers’ behavior analytics, a strategy to reduce the attacks is by sensitizing people to implement passwordless authentication. Natural features are unique, and the level of security provided by investing in such technology is excellent. However, the future will show whether it will help to improve safety and to meet various businesses’ needs regarding cybersecurity solutions.

The rise of data leaks

We are living in internet-reliant times. Everyone outsources and shifts aspects of their lives to online sources like social media, dating apps, and online workplaces and educational websites. With COVID-19 forcing us to emphasize online activities, the possibilities for data leaks are ever-growing.

Data leakage incidents are not always intentional, though most of the time, they are. Phishing attacks or malware sent via email and links are just some common examples. Both have high success rates, and once the malware is successfully installed on a device, leaking data is very easy. Private user information, including addresses, phone numbers, and more sensitive data like credit card numbers or passwords, are worth millions of dollars on the market.

845 GB of Data Leaked!

Recent examples showing the extent of leaked data in 2020 alone seem astonishing. Just a few weeks ago, nine dating apps leaked 845 GB of data. It may not sound like a lot, but in fact, the leakage comprised private information of a few hundred thousand users. The leak includes explicit photos and messages that people would likely rather have kept confidential.

Independent security researchers discovered the security breach for all affected websites.

The most shocking part of their discovery is that no hacker was responsible for the leak; the companies themselves were, due to their careless configuration of the apps.

A standard workflow of data exfiltration. The hacker finds a way to infiltrate the company infrastructure and after that uses other, already hacked infrastructure to exfiltrate the data.

These websites and apps are mostly unknown, but data leaks can also happen to popular websites with millions of user account information leaked and stolen.

Big or Small – You’re Not Safe From Leaks

In 2014, a prominent commercial website’s entire user account list was leaked, with 145 million people affected. Users had to change their passwords as a consequence.

In 2012, a big social media website became a target, and 165 million business professionals’ data was readily available for sale. All users changed their passwords as well.

Other cases did not proceed as mildly. In 2013, a big design software company was asked to pay its users 1.1 million dollars in compensation after credit card records and passwords leaked.

In 2021, the risk of data leakage is higher than at any time before; there have been numerous data breaches already, including major companies, universities, and cybersecurity providers. 

In October 2020 alone, there were 117 data breaches, the highest number recorded for a single month. Fortunately, only about 18 million user records were leaked, less than the yearly running total of 19.5 billion compromised data records. The most breached sectors were healthcare and health science, education, and the public sector.

All of these numbers show that the protection of one’s data in a time where everyone has an online presence is crucial. With COVID-19 inevitably shifting our lives towards online resources, it is up to us to take the necessary measures to protect our private information.

The Legality of Private Servers

The legality of privately owned servers is a much-discussed topic with large grey areas and varying laws in different countries.

In general, that legality is determined by a sample amendment, similar to this one: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

In other words, this means that the government and other institutions, organizations, and people, in general, do not have the right to search or control privately owned servers. They should not check what the servers store unless there is reasonable evidence of illegal content.

A warrant to search a privately owned server would not be issued on the basis of false claims because a judge has to examine whether the given evidence is sufficient. However, web servers are usually quite transparent, and illegal content on them is easily detected.

How is that a grey area then, and how liable are those individuals owning servers?

In the case of illegal content linked to a specific web server, people on the internet can see the server’s content and report it if they deem it inappropriate. If many people do this, it will eventually get removed in many cases.

However, if it is not a web server, then people would have no real reason to examine it without evidence of illegal content. Responding to other people reporting illegal content on one’s server by instantly removing it can make the server owner less liable.

Private Game Servers – Legal or Not?

One interesting legal case is the video gaming industry. Online games usually connect to a central server. That presents the issue of the game being unplayable once the online game and its server are gone.

Many people have chosen to counter this issue by setting up their own game servers. That also allows them to change the game, revive old games for nostalgia’s sake or change aspects of it to meet their own needs, and so on.

But how legal is it to set up a private server without the game developer’s permission? Usually, this can happen through leaked or stolen code, which is illegal in itself as it breaches copyright.

Furthermore, private server hosts often take donations to keep the server running. Emulating current servers is more troublesome than bringing back old games that no longer exist.

More Grey Areas

Another grey zone is whether you are the one hosting the server or playing on it. While hosting may easily be illegal, playing on private servers is not. People doing it can still get in trouble, in any case.

There is a difference between official laws and license agreements that the user has with the gaming company and developer. Playing on private servers can infringe the contract you have entered into with the game developer.

Since copyright is usually concerned with distribution issues rather than private use, it is unlikely you will get fined. Still, if you want to support the game developer because you love the game and want to see more of it coming to life, you should play on the official servers instead. Not to mention that connecting to an unofficial game server can expose your machine to cyber attacks. Most of these unofficial game servers do not have proper cybersecurity defenses.

The only reason and grey zone that would warrant playing on private servers is if the game’s developers abandoned it with no official server left.

Pros and Cons of Working at Home

Coronavirus isn’t going anywhere, and people had to adapt. Many employees have started working from home, and people get left to wonder: is this the new normal? Is working from home a dream or a nightmare? There are both pros and cons to it. Let’s examine them and begin with the positives. 

You cut out the time it takes you to get to your office. No commuting saves time usually wasted, which you can use to work or sleep in – both great perks. It also decreases transportation costs and saves you the stress that accompanies street traffic or being cramped in a tube or bus. 

It’s your own space, and you control it. You don’t have to endure loud coworkers chatting or music from noisy headphones; any noise you find distracting or uncomfortable, you can get rid of at once. Brighter, darker, hotter, colder: any adjustments that usually require a conversation with your fellow employees, you can make of your own accord. You won’t get judged every time you go on a break.

Flexibility is also a key benefit. Unless video calls are involved, you can roll out of bed and work from your pajamas if you feel like it. You have no dress code. Even if you get a call, you can always be business on top and party at the bottom.

A quick recap of the pros:

  • no commute
  • saves money
  • control
  • flexibility

Let’s go over the disadvantages next.

To keep up productivity at home, you must have self-discipline. If you have set working hours, you must abide by them. If you don’t, you must find the time needed to accomplish your work for the day. The couch may seem enticing, but it can wait until after you’ve done your job. The same applies to chores or other home-related tasks. Don’t get distracted. You may be at home, but you’re on the clock.

A significant contributor to poor working conditions is roommates. That includes flatmates of any kind – family, friends, all same-space occupants fit the bill. If they are unaccommodating to your working needs, you will suffer for it. 

It can be isolating and lonely to work from home. Whether you live alone or with people, you’ll find that you miss your coworkers. You’ll miss the banter, the opportunity to ask them a quick question and get a response. You can lose that connection when you’re all working from home. In that case, you should try to spend some time in communication with your coworkers.

It’s hard to separate work from home. Not many people have the luxury of designated office space to leave and close the door behind them when work hours end. You can lose the distinction between home and office, and that can lead to overworking yourself.

On the bottom side of the diagram, you can see the standard office deployment, and on the top, the standard remote/freelancer deployment. We have to defend the red lines. In the case of freelancers, you have more entry points to defend.

Working from home increases the risk of being a cybercrime victim. Most people do not have the proper training to build their cybersecurity defenses, leading to data breaches. So to properly defend yourself, an onboarding cybersecurity essentials course is a good start.

A quick recap of the cons:

  • self-discipline is mandatory
  • unaccommodating roommates
  • lonely
  • no work-home separation
  • more significant risk of being a cyber victim

You can argue for and against it, but ultimately, it comes down to every person’s preferences.

How Can Companies Get Malware?

How does a company end up with malware? There are two general replies to that question – people and vulnerabilities.

The people category tends to include all admins, users, and everyone else who can run code on the network, while vulnerabilities encompass anything from an old system that hasn’t been updated to the lack of a good antivirus program.

How does malware invade the system?

Emails are arguably the most common route malware uses to slither into your system. Cybercrooks load them with corrupted links, attachments, or both and hope you fall for their trickery. You receive an email one day that seems legitimate. It can appear to come from your boss and contain a vital business document attached. Or from a delivery company that has a package withheld and urges you to open a tracking link to check it out. The potential scams are endless, and some of them can be pretty convincing. Always be vigilant when getting emails that you were not expecting or when anything seems even remotely suspicious. Better to be safe than sorry.

Look out for bad spelling and grammar, weirdly placed punctuation, senders you don’t recognize, your name misspelled. Anything can be a giveaway that you’re the victim of a scam. Caution is critical if you wish to protect your computer and company from malware.

Here are two simple rules to abide by when dealing with emails:

  • Unless you’re positive who sent you the email – don’t open it!
  • If it aims to convince you to click a link or download an attachment, triple-check everything before you do; blindly following instructions won’t end well.

Another common route in is removable drives, as they often carry infections. You should always handle external hard drives and USB flash drives with care. If employees find one on their way to work and decide to check it out on their company PC, the whole company could be in trouble. The malware usually gets installed once the drive gets plugged in, so don’t do that. Again, you must proceed with caution.

Employees often have to install programs needed for work. When doing so, it’s imperative to read through the terms and conditions and not just head straight for the OK. Malware can be hiding somewhere in the fine print, and you don’t want to agree to install it. Make sure to choose the official vendor’s website for necessary downloads, minimizing the risk of malware.

How to reduce the possibility of getting malware

If you wish to protect your company from malware, there are a few things you can do that will improve your chances of enjoying a malware-free company.

  • Educate your employees.

Teach them what to look for in emails and be wary of clicking suspicious-looking links or visiting unsafe websites.

  • Update regularly.

Software, applications, systems, everything must get frequent updates. Consistent updates are vital for keeping up your system’s safety.

  • Invest in excellent antivirus software.

If you can afford it, choose anti-ransomware and anti-malware software, too. Having several security layers is hugely beneficial in guarding against cyberattacks.

  • Back up your data.

If all else fails, you won’t find yourself at the mercy of cybercrooks. Try to back up everything weekly and even daily if possible. It’s preferable not to trust cloud services for that, as hackers can still find a way to access them.

If your company does get malware, it can be quite a devastating experience that could result in severe financial losses. Suppose you get stuck with a PUP (potentially unwanted program), adware, or anything of the sort. In that case, you’d be wasting valuable working time trying to get rid of the infection, time that you could have spent making calls, connecting to clients, promoting your services, et cetera. If you get stuck with ransomware, it’s even worse. You could end up losing files, documents, client contacts, and, not to mention, time, energy, and money in your attempts to deal with the cyber threat.

Do your best to ensure malware cannot invade your company systems. When it comes to cyber threats, prevention is preferable to reaction.