Dec 29

Report Said Most Enterprises Don’t Correctly Protect Sensitive Data

Trustwave found surprising data security trend in its 2014 risk status reports, which included the fact that most companies don’t have mature approach to control and track sensitive data.

 

For data security issues, enterprises have high degree of awareness of legal responsibility but they don’t figure out how to control risks by tracking sensitive data. The report interviewed 476 IT professionals in more than 50 countries, most of which were in the United States and the United Kingdom. According to the report, 63% of enterprises don’t have mature approach to control and track sensitive data.

 

“This means that many enterprises don’t know what their sensitive data is and where it is, who can access it and its mobile location,” senior vice president of Trustwave, Phil Smith, said, “This type of information is the first step of building security strategy.”

 

If enterprises don’t know what their sensitive data is and where the data is, then how do enterprises protect the data? Smith said the first part of risk assessment is to identify the location of enterprise’s sensitive data. Enterprises should know what sensitive data is, where it is and its movement and who has right to access it.

 

The report also found that while 58% of enterprises use third party program to manage sensitive data, but 48% of enterprises actually don’t deploy third party management program.

 

“Many companies (especially retail) outsource payment process to third party vendors, letting them access sensitive payment information,” Smith said, “however, they don’t know how these providers protect their data.”

 

Secure payment processing issue is particularly important, especially in 2014 so many retail data leak issues occurred. Smith recommends enterprises to communicate with their third party providers, so that each party knows what their responsibilities are in data protection. In addition, he recommends that enterprise should build secure requirements in the contract with third party provider.

 

Although enterprises may not protect all data, but Trustwave’s survey found that enterprises had high degree of awareness of the legal responsibilities. 60% of enterprises said they knew their legal responsibility of protecting sensitive data. The survey found that only 21% of enterprises didn’t have any training in secure awareness, which means that most enterprises actually had some forms of security training programs.

 

In addition, most respondents indicated that the deployment of control over BYOD was already in place. Only 38% of respondents indicated that their companies didn’t have any control on BYOD.

 

Smith said: “There are still a lot of companies do not have security policies and procedures foucus on BYOD.”

 

Patch management is an important part of corporate security, but the study found that 58% of enterprises didn’t have mature patch management process. Smith pointed out that in many cases, enterprises focus on deploying more strict access control, intrusion prevention/detection equipment and other perimeter security, but put patch repair and existing system maintenance on lower priority.

 

Another important finding of the survey is that the board of directors highly involves in enterprise security. 45% of enterprises have the board of directors or executive-level management involving in security affairs. Security is a top-down problem.

 

“All sectors of enterprises should consider security as an important issue, from IT professionals to non-technical staff and management,” Smith said, “C-level executives should not only ask their IT team whether our data is safe? It should also be asked how our data is protected? What control measures is deployed? “

Dec 01

Ten measures to protect small and middle business data security(1)

Ensure recoverability of data

To do backup of existing data has been one of the key tasks of every business organization, only stupid administrators will take this kind of things as something superfluous. However, according to our experience, many enterprises don’t adopt extra measures to regularly check backup content.

Data disaster prevention mechanism

One reason why small and middle enterprises always suffer loss is the lack of forward-looking. Most of small and middle enterprises never make up adequate precautions for fires, floods and other natural disasters. Here what I must emphasize is that it’s necessary for all enterprises to store backup data in separate locations that is far from infrastructure.

Judge enterprise tolerance to data loss

Although in theory, it’s certainly more scientific to do full backup for all data. However, from the actual operations, all the information is often not necessary to be strictly protected. Companies should first determine themselves what type of data or which level of data loss can be tolerable. After a thorough understanding of their situation, we can begin modifying the backup system, letting data that is not needed disappears from backup list.

Estimate how long the daily data persists after losing data support

How long does your business persist when the enterprise doesn’t access specific data? Making sure this point can help enterprise determine how to make up restore time object (RTO). At the same time, it can help you easier establish suitable data maintenance system and hardware architectures。

Ensure that the backup system is secure and complies with regulations

The backup copy should be placed in specific location, the entire process must strictly follow relevant management system. Under possible circumstances, try to use data encryption technology to protect enterprise business information.

Nov 10

Three methods of data backup

Every company now highly emphasize on data security, for example, company establish information management department to better manage company internal data security.

To protect data, one of key factors you need to consider is data backup. Backup can be divided into three levels:

Hardware-level backup: hardware-level backup refers to using hardware redundancy to protect system’s continuous operations, for example, disk mirror and Dual Fault-Tolerant. If the main hardware gets damaged, backup hardware can immediately take over the work, this approach can effectively prevent hardware failure.

But this solution also has flaws; it can’t prevent data logical corruption. When logical corruption occurs, hardware backup will copy the error again, it can’t really protect data. The goal of hardware backup is actually to ensure system continue running when failure occurs, which is more likely hardware fault tolerance.

Software-level backup: software-level backup refers to saving system data in other software, so that when error occurs you can restore system to backup status. Since this backup solution should be fulfilled with software, it’s called software-level backup.

But this solution takes much time on backup and restore. This solution can prevent logical corruption, because backup media is separate from computer system, error won’t be rewrote in backup media, which means it will help restore data as long as it can save enough history data. But this is not suitable to companies that need to quickly restore data.

Manual backup: Manual backup is the most initial but also the most simple and effective method.

But if you use manual mode to restore data, it will spend more time than using software-level backup.

When choosing backup solution, you need to consider the importance level of the data first. For more important data, choose multiple solutions to back up. In addition, use data protection software to encrypt important data.

Oct 27

JPMorgan confirmed releasing 8.3 million users information, hackers want data rather than money

In early September, the JPMorgan data leak even was found; FBI and NSA were both involved in the investigation. At that time, according to Bloomberg reports, data leak occurred in early August, hacker used 0day vulnerability in bank website to launch attacks, FBI considered this is an attack launched by a national hacker organization according to the complexity of the attack.

CISO is a “temporary” worker

In HomeDepot event, we noted that HomeDepot hired a security manager with criminal record; and in this JPMorgan data leak event, the “temporary worker” – its chief information security officer (CISO) is deeply associated with this event.

When hacker invaded the network of JPMorgan, the CISO of JPMorgan – Greg Rattray just took office, he even wasn’t familiar with his parking space; before coming to JPMorgan Rattray assumed the Air Force Information Warfare commander, and before Rattray taking office, JPMorgan former CSIO Anthony Belfiore had resigned earlier this year, during the period, Anish Bhimani served concurrently as CSIO.

Data is more valuable than money

It’s reported that hackers found vulnerabilities in JPMorgan bank computer software and exploited them, attacking over 90 servers, but the survey showed that hackers are more interested in personal information than money. Although bank account password and other crucial information didn’t leak, but just like the impacts caused by other large-scale personal information leak events, users of JPMorgan now are facing the threats of spear phishing and social engineering attacks, for hackers mastered detailed private data of a enormous number of users.

Chief Technology Officer of RedSeal Ph.D. Mik Lioyd believes that in JPMorgan data leak event, hackers were busy stealing users’ information and even had no time to steal money, which indicates that today’s cybercrime group fancy the value of users’ data (user data exchange market and underground processing industry chain have been matured). Just like the army commander is more emphasized on Battlefield intelligence than weaponry.

Difficult to remedy

Relevant officials involved in the investigation said JP Morgan need to take at least several months to ferret out thousands of software applications and confer with technology providers about authorization contract. New York pointed out that this would give hackers a long time window through which they can further attack JPMorgan internal system undetected vulnerabilities.

JPMorgan data leak event also sent by far the most serious security warning to global enterprises: although the most high-edged security response technology and processes are inadequate to deal with automatic coordinated attacks. Enterprises need to do automatic analysis on entire end to end network access path and use security tools to timely detect any wrong configuration and anomalies caused by network complexity.

JPMorgan said they would continue to focus on detection and financial fraud events related to this data leak event, and if customers could timely detect and inform account unauthorized transaction, JPMorgan would bear the loss of customers.

You can’t stop focusing on the security of your account information and other private information stored in your service providers as well as on your own computer. Information and data leak issues occur in anytime anywhere, timely and comprehensive data and file protection is necessary and imperative.

Sep 09

Strife openly and secretly behind data encryption

In the information age, the U.S. National Security Council (NSA) almost becomes popular in the whole Internet. Not because they are credited with maintaining American security but because they rip off information, which makes them become enemy of users who strike to maintain network and freedom of network information security.

NSA has the world’s leading IT and personnel, meanwhile they are supported by U.S. government, which make them unscrupulous in the information world and the Internet.

According to “New York Times” online edition reports, a few years ago, the United States National Security Agency (hereinafter referred to as” NSA “) had implanted back door system into a International encryption technology that allows the United States federal to breach any data that was protected by this encryption technology.

There were reports that in 2006 the National Bureau of Standards and Technology helped develop an international encryption technology to assist countries and all walks of life to prevent their computer systems were hacked. But another United States federal agency — NSA—had stealthily implanted a backdoor system into the technology without many users knowing it, so that federal agents can decipher any data encrypted by this technology.

According to the documents leaked by former NSA contractor Edward Snowden, NSA has attempted to infiltrate each set of encryption systems, and often try to use the easiest means to achieve this goal. As modern encryption technology is extremely difficult to decipher, even with powerful supercomputers of the institution, it often failed to decipher. Therefore, NSA prefers to cooperate with major software developers and encryption technology licensors to secretly gain access permission to the system.

According to the news from “New York Times”, “The Guardian” and news site ProPublica, NSA can now access the code that’s originally used to protect commercial banking system, trade secrets, medical records and e-mail and Internet chat. Sometimes, NSA has forced some companies to give them access permissions.

These backdoors and particular access permissions are another evidence of the United States intelligence community’s ultra vires. Today, more and more businesses and individuals store most secret data on the cloud storage service, hence they need to be assured that their data is secure, but this relationship is mostly based on trust. Once users know the encryption system is sabotage, they will shake their confidence in these systems, which may have adverse impact on business activities.

People were originally thought that individuals, businesses and government agencies’ privacy in the general communications will be protected, but the fact that NSA implanted backdoor backdoor system might make such illusions shattered.

NSA tends to assure the U.S. government that they would decipher the communication or data that is suspected of illegal individuals or businesses. But weakening citizens’ ability of using encryption technology is obvious a practice of ultra vires.

New Jersey Democratic Congressman Rush Holt has proposed a bill, banning the government requiring software developers to implant backdoor in encryption software system. Outsiders believe that the bill should receive the unanimous support of the U.S. Congress. At the same time, a number of Internet companies including Google and Facebook are developing a new encryption system that is difficult for NSA to penetrate. These companies attempt to show an attitude that they are not secret partner of intelligence agency.

Aug 25

Top 10 Security Issues Revealed in 2014 Blackhat Conference (2)

6. Insecure family router

In-Q-Tel’s CISO (Chief Information Security Officer) Dan Geer said in hacker conference that the home router was most likely to be invaded. These routers could be easily found through a network scan, which usually contained the default login information, and most people never thought of upgrading their router firmware to the latest version. Perhaps in 2014 family network security will be a hotspot for hacker attack.

7. NAS with numerous loopholes

Storage devices connected to the network even have more loopholes. A security analyst at an Independent Security Evaluators agency Jacob Holcomn said the topic at this year’s hacker conference theme is NAS network storage.

He said there’s no one device that he cannot get, at least half of the device he could intrude without authentication. Through invading NAV devices, attackers could hijack other devices’ traffic on the same network, using the sniffing technology similar to ARP. “Jacob Holcomb said in a hacker conference.

More alarming is that, loopholes Jacob Holcomb showed in hacker conference had been submitted to the NAS manufacturers, but these loopholes had not been fixed yet. And the NAS patches usually take a few months to reach users.

8. Network management procedure

Do you remember Carrier IQ that develops smart phone hidden tracking program and the chaos caused by it? In fact the original intention of this phone app was just monitoring the phone flow, and it’s just a network performance diagnose tool. However, phones that install this diagnostic tool are vulnerable to attacks. Just like Mathew Solnik and Marc Blanchou from said in hacker conference, this vulnerability could be used to execute remote code, and bypass the local protection mechanism of operating system.

The researchers said that about 70% to 90% of mobile phones sold worldwide were equipped with device management program. Some other devices, such as notebook computers, wireless devices and networking equipment hotspots, etc., were facing risks from the “Open Mobile Alliance Device Management Protocol” (OMA-DM) contained loopholes.

9. Cheap picklock

Qualsy company’s researchers Silvio Cesare demonstrated how to use cheap and easy to get components to patchwork a tool, and then use it to get a car with smart system.

Cesare said this tool can be used to open the car door, and opened the trunk. But it takes implementers 2 hours to stay in the vicinity of the car, so now the car thieves still not abandon the rowbar and turn to computers.

10. Invade Hotel

The loophole mentioned by Security consultant Jesus Molina in hacker conference is more practical. Molina had lived in five-star hotels St. Regis Shenzhen, China Shenzhen, at that time Molina cracked iPad app “ digital butler” the hotel offered for customers through reverse engineering and used protocol vulnerabilities in KNX / IP router successfully control the hall way lights. In addition to lighting, television, temperature, music in room, and even the window-blinds in more than 200 rooms in the hotel were all in control. More exaggerated, the hacker who controlled all of this even had no need stay in China.

If you need more information about individual data protection and enterprise file management, you can visit Kakasoft.

Aug 11

Top 10 Security Issues Revealed in 2014 Blackhat Conference(1)

Hackers always present their amazing skills to the public, from invading aircraft code to monitoring surveillance cameras, and then to using any USB device as attacking tool.

Even though some of the security issues are sensational in theory, but they are pioneers that uncover security risks in Internet world.

1. Quietly deadly BadUSB

A researcher in Berlin “Security Research Laboratory” claimed that they had developed conceptual tools to attack USB device firmware. When the infected USB device is plugged into the computer, it will disguise as keyboard to download malicious software.

Since most USB device manufacturers haven’t taken any measures to protect the firmware, and anti-malicious software won’t scan firmware malicious behaviors. So theoretically this vulnerability can spread malicious software owing to hard to find and difficult to prevent, and imagine how many USB devices are interacting with computers over the world, we know how terrible this vulnerability is. Fortunately, in reality we have not found attacks based on this vulnerability.

2. Invade aircraft

The consequence of another conceptual attack is more terrible. A researcher in the field of human-computer interaction, Ruben Santamarta claimed that hackers can invade aircraft satellite communication system via Wi-Fi and entertainment systems, thereby allowing the attacker to affect aircraft navigation and safety systems.

The satellite communication system manufacturer said in an interview with Reuters, the possibility of such attack and harm caused by the attack are very small, but they also said they had begun to fix loopholes.

3. Being monitored surveillance cameras

Are your surveillance cameras monitored by other people?

Two security researchers opened a $ 200 Dropcam camera, wanting to see how it works internally. It turned out that there are many vulnerabilities that hackers can make use of them to not only browse the video camera in the store but also upload to third-party video and forge to be taken by other machine. In short, hackers can hijack and take over the camera’s video stream.

Fortunately, there’s a significant adverse condition to implement this terrible security vulnerability: an attacker need physically access to your Dropcam camera. In other words, if an attacker can strut into your room and access to your camera, the security issue on your company or your room is more serious than that of surveillance camera.

4. Tor crisis

Tor provides anonymous access between the source node to the destination node for the user. However, a researcher Alexander Volynkin at Carnegie Mellon University said that with minimal cost to break the anonymity of Tor network is very possible. However, the specific implementation details hadn’t been announced yet.

However, urged on by Carnegie Mellon University, Volynkin abruptly canceled his speech at the hackers conference. Meanwhile, recently Tor’s operators also discovered a set of unidentified malicious relay node, Tor tries to decrypt the user’s identity. (Reference: peeled onion skin, deep Inside the Tor network)

5. Symantec Endpoint Protection loophole

Renowned security expert Mati Aharoni discovered three vulnerabilities in Symantec Endpoint Protection tool. These vulnerabilities could allow an attacker to launch high-level access to the victim’s computer. In other words, hackers can invade your computer through security software. Would not it be a very ironic thing?

Of course, Symantec has started repairing the vulnerabilities!

The last five vulnerabilities will be revealed in next blog post, please stay tuned!

If you want to know information about personal or enterprise file protection solutions, please visit: http://www.kakasoft.com.

Jul 28

Use Heartbeat as Password – a New Encryption Method Appears

Since now many people don’t trust the traditional passwords, some technology companies began to explore other ways to ensure people’s online account safety. Some companies invented to use brain waves or fingerprints as passwords. Now there’s a new encryption method in the world.

A wristband called Nymi can detect user’s heart rate through ECG sensor, and allows user to use own heartbeat to decrypt device. This product can be used with iPad or even cars. This product manufacturer is Bionym from Toronto, the company’s developers said using human heartbeat to unlock the device is safer than using fingerprints, facial recognition and other external means to do that.

When first time getting the device, users simply need to use finger to press on the sensor of the wristband, the sensor will automatically monitor and store the user’s heart rate. The whole process takes about two minutes, after saving the user’s heartbeat, the device will only recognize the user’s heartbeat. Ordinarily, the sizes of people’s hearts are completely different, so produced electrocardiogram is unique.

Daily use of the device is also very simple, you need to press and hold the sensor with your finger, after a few seconds, the sensor will be able to identify the user’s heart rate, and use Bluetooth technology to connected with the device that need to be controlled to unlock the device. When wristband leaves outside of the scope of Bluetooth, the device automatically locks.

Nymi even works with the gesture control feature, for example, when a user is in the car, waving can open the drive side door or rotating the wrist to open the front passenger side door. In addition, the product also has a secure payment feature, at highway toll stations users can use it to scan the device charges, and the fees will be automatically deducted from the user’s account. The wristbands can also remind users of receiving a mail or social network message by vibration, while the device vibrates, the screen will also display.

This encryption method is limited used to protect devices. We now still use traditional password most. For example, we use traditional password to protect files/folders on computer or external hard drive.

Jul 14

Five Errors in Personal Network Protection

Owing to the frequently happened network security incidents and personal privacy and data leak issues, most of readers have already begun to pay attention to strengthening personal information protection and enhancing secure awareness. But unfortunately, currently there’s still some false information about data protection spreading among the public. These erroneous views spread between the network community and users, but seldom experts correct these errors. The following includes five representative security errors:

Error 1: I don’t have valuable information, nobody would hack my computer

Many people hold the similar argument. When you tell them to strengthen security measures (for example, improve the account password strength), they always say we don’t have valuable information and there’s no need to hack my computer.

In fact, today’s hackers often use phishing attacks. Once your cell phone information , email and social network information and other network information have been mastered by hackers, they would carry out further social engineering attacks (of course, the targets may be your friends in Contacts), and even cooperate with offline fraud, causing serious consequences.

Moreover, hackers or cyber criminals can not only make use of privacy information to start social engineering attacks, they can also invade your home router, laptop. NAS and even smart phone, they can change your device into zombie clients, even worse, they can use your device to initiate a variety of criminal activities, so you will not only be a victim but also an accomplice. Therefore, it’s a responsibility for us to enhance security awareness, improve security knowledge level.

Error 2: VPN or Tor can realize completely anonymous.

After Snowden event happened, Tor has stepped into the vision of people who are seeking asylum privacy. Many people may forget, Tor is also a paradise of botnet network and network black market. And more importantly, after Snowden event, some experts pointed out that Tor couldn’t help escape tracking of US intelligence agencies.

The most typical example is that by the end of 2013 a student of Harvard University – Eldo Kim used Tor to release bomb threat information and then arrested. Perhaps influenced by Snowden, Kim overestimated Tor’s “stealth” capability, and published false information of bomb attack by Tor, attempting to delay the date of the final exam, but unfortunately FBI officers soon found Kim’s classmate.

Similarly, VPN also do not have the stealth capability, for the design purpose of VPN is strengthening security, rather than being stealth.

Error 3: Mac address filtering plus turned off SSID broadcast can ensure WiFi network security

Many users think setting the MAC address filtering plus turned off SSID broadcast can ensure family WiFi hotspots security, which is actually a big misunderstanding. It may be useful for computer novice, but useless for computer geeks or hackers.

Remember that only WPA2 encryption standard level can effectively protect your WiFi network, and you must use strong password.

Error 4: Seamless browse can ensure security

Today, many browsers have launched a so-called “incognito browsing” security option, but in reality this so-called incognito can only prevent other users of your computer check and see your privacy information, but for network service providers such as providers of cloud disk, mailbox, social network, your activities are still under surveillance.

Error 5: I have never visited dangerous sites, so I don’t need to install anti-virus software.

Many people think that computer hacker is caused by browsing “dirty” sites, in fact. Nowadays many hackers use pub-style attacks”, which means that first of all attacking regular sites you frequently visit, and then sit back and wait to control your computer. In addition, browser plug-ins, malicious app will stealthily steal your important private information and data.

Hackers have been all pervasive and even your computer that’s never connected to the Internet may be infected with virus. Therefore, you need to keep good online habits including installing anti-virus software, enhancing anti-phishing awareness and password protecting personal files.

Jun 30

Best Defense is Equal to Attack

Speaking of BYOD, the best defense is attack, namely, making strategies in advance to achieve your desired results and to avoid potential risks.

BYOD (Bring Your Own Device) has stirred all walks of business processes. Some companies are fully enjoying the convenience brought by BYOD, yet some companies shy away from them. On the bright side, BYOD can potentially help companies save operating costs, help employees maintain a happy mood and improve office efficiency. But on the other hand, BYOD may also bring a series of problems and pitfalls in the various aspects of security, compatibility and so on. But through some planning and education, most of these problems and pitfalls can be avoided. We can have a look at the troubles brought by BYOD and corresponding resolutions to these problems.

Data leakage: Companies sensitive data leakage is always one of most concerned problems for companies. Employees bringing their own devices to company makes enterprise more worried. Employees may lose their smart phone or tablet; for these devices can easily be eyeing by thief. When the devices containing companies’ sensitive data get lost, the data may fall into wrong hands. One way to avoid this situation is to use file password protection program to lock sensitive data with password, and the other way is to use a remote deletion policy, namely when the employee’s mobile device is stolen, company can remotely delete the sensitive data on the remote device.

Password Leak: just like we usually carry several keys, employees’ mobile devices will store various passwords that are used to log in company’s network and applications. These passwords may exist in mobile applications, or may also be stored directly in the mobile device’s memory. Enterprises must establish a strategy to ensure that companies’ passwords won’t be stored in cache or any application in mobile device. An alternative strategy is that if employees want to save the password on the mobile device business (even login information), they need to use information/password saving application to properly encrypt them.

Productivity decline: When employees start BYOD, they will spend a lot of time on social network, chatting with friends or do other things unrelated to work. How to solve this problem? Since many devices are connected to operator’s mobile communication network, in which case the employees feel that their equipment is not bound by corporate policy. In order to avoid this situation, you should require employees’ mobile devices switch into WiFi network provided by the enterprise when entering company. 

Insufficient bandwidth: Many companies have been concerned about this problem. Most companies believe that the enterprise network bandwidth demands will be dropped after the use of BYOD, which is a big mistake. One of the advantages of BYOD is that employees also can use the mobile operator’s network networking to work when going out, but when they returned to the office, they are likely to connect desktop and their mobile devices to the corporate network, thereby increasing the burden on the enterprise network access bandwidth. Therefore, companies need to ensure that their network access bandwidth has sufficient load-bearing capacity.

Device Management: Many companies are asking how to manage a large number of mobile devices. Because of the many types of equipment, as well as different operators, companies is difficult to centrally manage all mobile devices. But what companies can do is to establish a set of network access control mechanism (NAC), and to control these devices via MAC address for each mobile device.

Over Autonomy: Once a company implemented a BYOD strategy, which’s equivalent to tell employees and users that businesses gives them a very high autonomy. Of course, this autonomy is likely to be abused by employees or network users. Therefore, even if the enterprises implement BYOD, they should let employees know that it doesn’t mean that they can use their own equipment in any activity. If necessary, you can also require employees to sign BYOD agreement confirming that they understand their mobile devices use behaviors in the enterprise are limited.