
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.


I remember watching a bank being built. After the concrete foundation and ground floor were in place, workers began building a massive concrete and steel box right in the middle of the building’s floor. It finally dawned on me: That was the vault. It seemed impenetrable. 

Financial institutions are hypervigilant when it comes to security. Ever since money and anything of value had to be physically protected, banks had it pretty much figured out. 

However, cyber bank robbers found new ways to sneak in over the internet and move money to accounts outside the jurisdiction of the country where the victim financial organization resides. Even though cybersecurity experts do their best to plug all those avenues, cybercriminals are a wily bunch, and it’s hard to keep them from figuring out some way to ply their trade. Sadly, they did: We are now the weak link. As proof, Verizon’s 2020 Data Breach Investigations Report identified miscellaneous error (human mistakes) and web application attacks as the top two causes of breaches in the financial and insurance sectors. 

SEE: Security Awareness and Training policy (TechRepublic Premium)

The culture of security

To combat the human weak link, Javvad Malik, security awareness advocate at KnowBe4, in his Global Banking & Finance Review commentary The Psychology Behind a Strong Security Culture in the Financial Sector, suggests that business leaders try a new strategy: Develop a security culture within their organization. 

“Many leaders across the globe are realizing a strong security culture is of increasing importance, not solely for fear of a breach, but fundamental to the overall success of their organizations,” writes Malik. “Yet, the term lacks a universal definition, and its interpretation varies depending on the individual.”

Malik adds, “This speaks to the importance of building a single, clear, and common definition with which organizations can learn from one another, benchmark their standing, and construct a comprehensive security program.”

How to develop a security culture

As to what a well-developed security culture consists of, Malik suggests the following building blocks are needed:

  • Compliance: Written security policies and the extent to which employees must adhere to them.
  • Attitude: Individuals must develop a mindset–learned opinions reflecting the organization’s security protocols–on what to do or say.
  • Behavior: When the time comes, employees must act or make decisions based on those learned opinions. 
  • Cognition: Attitude and behavior are meaningless unless there is an understanding, knowledge, and awareness of security threats and issues.
  • Communication: Cybercriminal activity is not static; there must be a methodology for sharing security-related information in a timely manner.

Malik warns, “All of these dimensions are inextricably interlinked; should one falter so too would the others.”

What financial institutions do right in terms of security

According to KnowBe4’s Security Culture Report 2020, banking and financial sectors were among the best performers when incorporating a security culture. What’s interesting is how Malik focused on the importance of having well-oiled communication channels. 

“As cyber threats constantly and rapidly evolve, effective communication processes must be implemented,” explains Malik. “This allows employees to receive accurate and relevant information with ease; having an impact on the organization’s ability to prevent as well as respond to a security breach.”

He then offers an example: “In IBM’s 2020 Cost of a Data Breach study, the average reported response time to detect a data breach is 207 days with an additional 73 days to resolve the situation. This is in comparison to the financial industry’s 177 and 56 days.”

Better communications mean better attitudes

A benefit of having good communications is that employees have a better attitude. “Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort,” adds Malik. “It is also a means of boosting morale and inspiring greater employee engagement.”

Cognition is lacking

Even in the banking industry, the ability to identify a security threat as it’s happening needs improving, according to Malik. He adds, “By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognize the impact that their behavior might have on the company.”

Final thoughts

Getting a consensus on anything is difficult, let alone something as complex as an all-encompassing culture of security. However, like most things that are effective, there is a cost, and likely that cost is less than the fallout from suffering through a data breach. 

Malik concludes, “While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts–every improvement made in one dimension has a domino effect on others.”



How leaders across industries see 5G helping their businesses


Verizon’s 5G Business Report found that everyone’s excited about 5G, but the reasons behind the buzz differ between industries.


A report from Verizon on business leaders’ opinions of 5G finds that 5G adoption is well underway across industries, but the reasons for excitement and the ways in which businesses plan to deploy 5G tech vary greatly. The report surveyed 700 business tech decision-makers, and found that 55% had heard, read, or seen a lot about 5G, and 80% believe it will create new opportunities for their companies. The belief in 5G benefits for business extends to believing that 5G will benefit their individual industries and roles, with 79% saying they agreed with both statements.

There was some split between IT leaders and C-level executives on whether 5G is a top priority: 54% of IT leaders said it was, while only 39% of the C-suite agreed. Another large difference appeared between business leaders and the general public: As mentioned above, 55% of business tech decision-makers said they had heard a lot about 5G, while only 23% of US adults said the same. This could indicate a knowledge gap that drags 5G progress down, or otherwise slows customer adoption of the new technology. Regardless, business leaders seem eager to incorporate 5G into their organizations, both internally and externally. 

SEE: TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download (TechRepublic Premium)

The report breaks businesses down into five categories: sports, entertainment, and media; government and the public sector; healthcare; manufacturing; and retail. 5G applications for each industry vary, and survey responses did as well. 

In the entertainment, sports, and media industries, most of the excitement comes from the sheer amount of bandwidth that 5G will be able to deliver. Eighty-four percent of respondents said they believed 5G would eliminate “miles of cables and wiring,” and the same amount said they were excited by high-bandwidth connections allowing for multiple broadcast or video streams. Those numbers were paired with the likelihood of adoption, with 80% saying they were likely to use 5G to eliminate wiring and 74% planning to take advantage of increased bandwidth to increase streaming capabilities.

The public sector sees 5G value in real-time video surveillance and public safety programs. Seventy-four percent said they see that technology as valuable, though only 58% said they were likely to roll that sort of technology out in the next two years. Public sector decision-makers were also excited by the prospect of increasing data transfer speeds to emergency services to reduce response time and smart city sensor networks to improve water availability, air quality, and energy-efficiency monitoring.

In the healthcare world, remote health monitoring technology leads as the most valuable tech, with 81% saying they find its potential valuable. Seventy-five percent said they’re planning to implement such technology. Other healthcare uses include using 5G mobile networks for telemedicine visits, real-time medical image sharing, and real-time wearable devices.

SEE: Future of 5G: Projections, rollouts, use cases, and more (free PDF) (TechRepublic)

Manufacturers were most excited by real-time supply chain tracking, with 88% intrigued by the prospect and 82% saying they were likely to employ such technology. Artificial intelligence (AI) designed to support worker safety also ranked high, with 83% saying it would be valuable, and 74% planning to implement it in the next two years.

Retail was most interested in real-time data processing that would “maximize efficiency from point of sale to product delivery,” with 82% planning to use similar programs, and the ability to analyze foot traffic to dynamically plan displays to maximize product positioning efficiency. Augmented reality (AR) shopping also proved high on the interest list with 75% saying they planned to use augmented reality apps, and 73% saying they were likely to use AR for product visualization.

In summing up the report, Verizon Business CEO Tami Erwin said the data points to 5G being seen as a serious transformative element. “Over the last year, 5G has become top-of-mind for businesses as they manage through condensed digital transformation timelines. These findings underscore the critical role 5G will play in economic recovery and growth, and we stand committed and ready to help our partners make that transition quickly and seamlessly,” Erwin said.



iPhone SE Plus Rumoured to Be in the Works, Price and Specifications Leak


iPhone SE Plus is reportedly in the works, a new leak suggests. Apple introduced the iPhone SE (2020) last year, and the tech giant could be working on a new model in the affordable ‘SE’ series. The iPhone SE Plus pricing and specifications have leaked online alongside a render that hints at the design of the upcoming phone. Apple may introduce the iPhone SE Plus at the same time of year the iPhone SE (2020) launched last year, in April.

A tipster called @aaple_lab has leaked key specifications and pricing of the rumoured iPhone SE Plus. The phone is expected to be priced around $499 (roughly Rs. 36,300), which is $100 more than the launch price of the iPhone SE (2020). A render leaked alongside shows a wide notch on top of the display and a single rear camera. There is no physical home button on the iPhone SE Plus, a big change from the iPhone SE (2020) that has thick bezels and a physical home button. The tipster claims that the phone may launch in Black, Red, and White colour options.

Coming to the specifications, the iPhone SE Plus is tipped to feature a 6.1-inch IPS display and could be powered by either Apple A13 Bionic or Apple A14 Bionic chip. The rear camera is tipped to sport a 12-megapixel iSight sensor, whereas the selfie camera is tipped to feature a 7-megapixel resolution sensor. Camera features include six portrait light effects, OIS, and Smart HDR 3. The phone is tipped to come with an IP67 rating for dust and water resistance.

The tipster vaguely suggests that the Touch ID could be integrated into the Home button. This could be a reference to the Power button on the side, but it’s not very clear.

There is no clarity on when this rumoured iPhone SE Plus will launch, but if we were to speculate, it could launch sometime in April — around the same time the iPhone SE (2020) was launched last year. Apple has made no official announcements about the phone yet.



Google releases alarming report about North Korean hackers posing as security analysts


Google said the attackers were targeting security researchers by using fake LinkedIn and Twitter profiles and asking to collaborate.


Google unveiled a new report from its Threat Analysis Group on Monday highlighting the work of a group of cyberattackers associated with the government of North Korea that sought to impersonate cybersecurity researchers in an effort to target those “working on vulnerability research and development at different companies and organizations.” Adam Weidemann, a member of the Threat Analysis Group, wrote that the attackers used a variety of fake blogs, Twitter accounts and LinkedIn profiles to make themselves look legitimate and communicate with researchers and analysts they were hoping to go after. 

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

ZDNet noted that the malware associated with the attack was tied to a notorious North Korean government-backed organization called the Lazarus Group.

“The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Weidemann wrote. 

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
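The build-event vector Weidemann describes can be checked for before a received project is opened or built: MSBuild runs the text of each Pre/Post-Build Event as a shell command, so the project file itself records what would execute. The scanner below is an added example for this article, not code from Google’s report; the .vcxproj it parses is constructed, and the DLL name and export in it are placeholders.

```python
"""Check MSBuild project files (.vcxproj) for build-event commands, the
vector described above: MSBuild runs Pre/Post-Build Event commands as
shell commands, so a project can launch a bundled DLL on first build.

Added example for this article, not code from Google's report.  The
project XML at the bottom is constructed; its DLL name is a placeholder."""
import re
import xml.etree.ElementTree as ET

# Elements whose <Command> child MSBuild executes around a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")

# Script hosts and DLL loaders that have no place in a plain C/C++ build,
# plus any direct reference to a .dll file on the command line.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|cmd|wscript|cscript|mshta|certutil)\b"
    r"|\.dll\b",
    re.IGNORECASE,
)


def _qualified(root, tag):
    """Prefix tag with the root's namespace (classic .vcxproj) or nothing (SDK-style)."""
    m = re.match(r"\{.*\}", root.tag)
    return (m.group(0) if m else "") + tag


def build_event_commands(vcxproj_xml):
    """Return (event_tag, condition, command) for every build-event Command in
    every ItemDefinitionGroup, so a payload that only fires in one
    configuration (e.g. Release) is still seen."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for group in root.iter(_qualified(root, "ItemDefinitionGroup")):
        condition = group.get("Condition", "")
        for tag in EVENT_TAGS:
            for event in group.iter(_qualified(root, tag)):
                cmd = event.find(_qualified(root, "Command"))
                if cmd is not None and cmd.text and cmd.text.strip():
                    found.append((tag, condition, cmd.text.strip()))
    return found


def suspicious_build_events(vcxproj_xml):
    """Only the build events whose command invokes a script host or a DLL."""
    return [e for e in build_event_commands(vcxproj_xml) if SUSPICIOUS.search(e[2])]


# Constructed sample: a benign copy step in Debug, a DLL launched in Release.
SAMPLE_VCXPROJ = """<Project ToolsVersion="16.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)PLACEHOLDER_helper.dll",Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for tag, condition, command in suspicious_build_events(SAMPLE_VCXPROJ):
        print(f"[!] {tag} {condition}: {command}")
```

Run it over every .vcxproj in a project received from an unknown contact before opening the solution; a hit in only one configuration is itself a warning sign.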

Weidemann added that some security researchers were hit with attacks after visiting some of the fake blogs built by those behind the campaign. 

SEE: Bad actors launched an unprecedented wave of DDoS attacks in 2020 (TechRepublic)

Some of the accounts shared a YouTube video that claimed someone had exploited CVE-2021-1647, a recently patched Windows Defender vulnerability. While many of the comments noted that it was fake, Twitter accounts connected to the campaign sought to deny these comments and tried to convince others it was real. 

All of the Twitter and LinkedIn accounts named in the Google report have been taken down by both websites. But Weidemann noted that the attackers also used Telegram, Discord, Keybase, and email to contact their targets. 

The blog includes a list of the accounts and blogs, and tells anyone who communicated with them to check their systems in case they were breached. 

The report caused a bit of a stir within the cybersecurity community, as one would expect. Multiple cybersecurity experts took to Twitter to say they had either been contacted by or communicated with the accounts named in the report.

WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in a VM. In the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded

— Richard Johnson (@richinseattle) January 26, 2021

Chloé Messdaghi, chief strategist with Point3 Security, said she was contacted by four of these attackers and noted that experts with any amount of notoriety or government ties have to be careful at all times. 

SEE: Governors hear about the dangers of a lackluster cybersecurity response, need for FBI coordination (TechRepublic)

“They want people with government connections, and they work to climb that ladder of contacts to figure out who they can reach. We don’t know who they’re targeting or why, but for me it’s been an ongoing thing for a year, where people I know will get in touch and say ‘Hey I went to this site and your name is on there, but just letting you know that I think it might be malicious,'” Messdaghi said. 

“As someone they’ve targeted, I’m glad Google is coming out with this alert. There are so many people throughout the world seeking private intel, and if you don’t know who you’re talking to, work on the assumption that the name and picture you’re being offered is likely not valid. The accounts of these four attackers are suspended, but really that means nothing. They’ll just make up another name and be back.” 


A message from one of the attackers to Chloé Messdaghi, chief strategist with Point3 Security.

Image: Chloé Messdaghi

She noted that many researchers have the urge to give back to the cybersecurity community but have to be wary about who they’re associated with. 

Katie Nickels, director of intelligence for Red Canary, said that for anyone working in this field there is always a heightened threat of being targeted, not just by adversaries who might not like their research and analysis but also by adversaries intent on gaining advanced knowledge of vulnerabilities, exploits, and other methods of attack. 

“While we are knowledgeable about ways to protect ourselves, sometimes we forget that we are ripe targets and get complacent just like anyone else. This campaign was interesting because it preyed upon the desire of researchers to collaborate, including with people we do not know, to advance our work,” Nickels said. 

SEE: 2020 sees huge increase in records exposed in data breaches (TechRepublic) 

“One concerning part of this attack is that the adversaries managed to draw researchers into seemingly legitimate websites and compromise their machines via drive-by downloads. Clicking unverified links on Twitter and elsewhere is commonplace for all but the most cautious individuals.”

SafeGuard Cyber CEO Jim Zuffoletti said attacks like this are on the rise because attackers are moving into channels of communication that “are invisible to security teams,” adding that the distributed nature of work since the onset of the COVID-19 pandemic made it imperative that security teams put better controls in place for social and chat apps. 

Others said it was well known within the cybersecurity community that there were people eager to exploit the culture of sharing for nefarious reasons. 

But Andrea Carcano, co-founder of Nozomi Networks, said what was new about the attack was the boldness of the attackers and their willingness to risk sophisticated zero-day exploits to target researchers. 

Carcano explained that some of the attacks were fairly obvious and would have been caught, but the scariest one involved the researcher who was infected by simply visiting a web page with some technical documentation. 

Carcano and Paul Bischoff, lead researcher with Comparitech, both suggested researchers open projects in secure environments or on devices other than their actual workstation. Bischoff also said to beware of any Twitter accounts with lots of numbers in their names and to use a script-blocking extension “to prevent any drive-by downloads that might occur as a result of visiting a malicious page.”

SEE: How asset management companies are vulnerable to ransomware and phishing attacks (TechRepublic) 

“You know you’ve made it when cybercriminals are trying to gain access to your social media accounts or research,” joked James McQuiggan, security awareness advocate at KnowBe4. 

“People are sociable and for the most part like to meet other people. With social media, it’s easier with tweets, connections and chats. However, we take a risk when we accept that LinkedIn connection or that follow on Twitter that the person at the end of the request is who they say they are.” 

McQuiggan said it was key to make sure to look through someone’s profile before accepting any friend or follow requests and to be wary of anyone who immediately sends you links to unknown websites. 

Some cybersecurity experts, like Vdoo Vice President of Security Shachar Menashe, said they take extra precautions by using encrypted email services and other endpoint protections. 

“It does bother me more than other attacks because if successful, these attacks could be used to attack others, which is an abuse of our hard work trying to secure these very same systems,” Menashe said. 

Saryu Nayyar, CEO of Gurucul, said Google most likely “only scratched the surface of these campaigns” and predicted that there are many more similar accounts being used for similar activity.  

“It is a reminder that security practitioners and researchers need to be on guard themselves,” Nayyar said. “Their knowledge and skill make them difficult targets, forcing malicious actors to put a lot of effort and resources to compromise them. But for a rival state actor, an expert in the field is worth the expense.”
