Tag Archives: cyber security

G7 sets common cyber-security guidelines for financial sector

13 October 2016

On Tuesday the Group of Seven (G7) industrial powers agreed on guidelines for protecting the global financial sector from cyber-attacks. Although the guidelines are not binding for the financial sector, they will definitely make a difference:

Cyber security at last receives the governmental attention required to safeguard the global economy. This is long overdue, and hopefully not too late, because it will take some years until the global financial system has implemented the guidelines.

The initial work is done. Now some more governmental attention is required to keep international competitiveness at a high level. Lots of work to do for the Group of Seven industrial powers.

Have a good day.


Cyber security innovation is crucial

17 October 2015

I had some unpleasant discussions this week about the importance of basic security. In my opinion most companies could raise their level of security by about 50 to 60 percent just by getting the basics right. The best Advanced Threat Protection (ATP) technology is useless once the attacker is on your network. Then it is important to hinder the attacker from searching the network for the credentials of the domain administrators.

Warwick Ashford’s post ‘Cyber security innovation is crucial, says security evangelist’, published on Tuesday on ComputerWeekly.com saved my day:

“Basic cyber hygiene is typically lacking, and just by getting the basics up to scratch companies could reduce 90% of their cyber risk”

This report gives you great arguments for adjusting the budgets in favor of the basics. I hope you enjoy reading it.

Have a good weekend.

Criminals use IRS website to steal data of 104,000 people

30 May 2015

On 10 June 2014 I wrote my first post on this blog, about the eBay data breach, which had been made public on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, perhaps even from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.

Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”

[Image: FIDO U2F Security Key]

Well said: those identity verification questions are really annoying. And they are inherently unsafe, as we learned from a Google study published this week.

And yet the obvious solution would be to discard all those questions and to use two-factor authentication instead. For example, a FIDO U2F security key in combination with a one-time PIN or a fingerprint would be a nearly unbreakable and cheap solution.

How many data breaches must still take place before organizations seriously start securing their customers' personal data?

Have a good weekend!

Some thoughts about: People and process remain the soft underbelly of banks

25 April 2015

In his post ‘Security Think Tank: People and process remain the soft underbelly of banks’, John Colley uses the Carbanak attack as an example to discuss some new concepts for surviving the cyber war.

I like the idea of sharing knowledge about attack vectors and best practices for the defense against cyber-attacks across industries. But what is the proper scope for action?

John Colley writes:

‘Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers discovering what internal programs they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.’

I have been discussing such issues for months now. My advice is crystal clear:

Before you start sharing information about your internal systems with any partner, carefully consider

  • what information and what level of detail is required, and
  • how the information must be protected.

Every piece of available information about your internal systems will help attackers find vulnerabilities in your systems. Remember: it is merely a matter of time before cyber criminals break into your company network…

Too many details increase the attack surface of your company!

Have a good weekend!