At SecureState, we often stress to our clients that Social Engineering is one of the most common methods for attackers to gain access. Social Engineering attacks can take many forms, from people calling into companies and trying to get credentials over the phone to people trying to convince security guards to let them into facilities. The most common Social Engineering attacks are email phishing campaigns, which can take a few different forms. These emails can include malicious attachments that can give attackers access to a system, or they can seek to convince a user to visit a website that will grant similar access.
The second half of the 2015 Verizon Data Breach Incident Report is dedicated to the nine basic incident patterns that were originally identified in the 2013 DBIR. Over 96% of the data breaches examined for this report fell into one of these categories (listed in order from most frequent to least):
A recent report released by the Virginia Information Technologies Agency (VITA) showed that the state’s WINVote voting devices had severe vulnerabilities that could compromise the validity of elections. SecureState encounters security deficiencies similar to the ones identified in the report on a regular basis. These vulnerabilities and security gaps take on an added importance since voter confidence in the validity of elections is the backbone of a functioning democracy. Below, we outline the major voting machine vulnerabilities identified in the report and our recommendations to parties responsible for managing elections.
A recent article on Slate ended with the statement, “There’s still no answer to the question of how to get Americans fired up about cybersecurity.” SecureState’s cybersecurity experts decided to get together and brainstorm ways to raise public awareness of cybersecurity risks. While certainly not a definitive answer to the question of how to get Americans to care about security, we believe that by taking a few small steps we will increase the likelihood that people will start to care about cybersecurity.
What’s the saying, “If you can’t beat ‘em, join ‘em”? Sure. Something like that. Doesn’t really work in the world of cybersecurity, though. Staying ahead of the curve does. I guess you can say Target “took one for the team” in December 2013. Otherwise, the giant steps taken may still be only a concept.
Verizon Enterprise’s 2015 Data Breach Investigations Report (DBIR) was recently released, and SecureState is here to give you some of the big takeaways from this massive report. Verizon works with thousands of partner companies to correlate information on the past year’s worth of data breaches and security incidents, identifying trends and information that can guide security efforts in the year to come. They combine all of their efforts into this massive report, which we have read through in order to pull out some of the key issues it highlights.
As the calendar flips from March to April, so too do the priorities of Congress. To the back burner go topics like immigration, oil pipelines and funding government departments, while the nation’s cybersecurity gets rebooted. Almost nothing has been more top-of-mind over the last 12 months than the threat of cyberattacks, following a half-dozen or more breaches at companies like JP Morgan Chase, Target, Sony and Anthem. In fact, just days ago, President Barack Obama dropped the hammer on would-be cyberterrorists using his power of executive order. This “big stick” approach allows the U.S. government to act quickly and slap sanctions on foreign hackers if the threat is potentially damaging enough on a large scale.
SecureState recently covered how weak passwords can leave your accounts open to attack. However, once you have created complex, unique, 14-character passwords for your social networking, email, shopping, banking, and work accounts, how will you remember them all?
Recently, SecureState has seen a significant increase in clients asking us about physical security assessments. This type of work is especially relevant for our clients in the medical industry, where protecting personal health information (PHI) is an essential part of HIPAA compliance. As hospitals, doctors, and insurers rely more and more on third-party companies, they want to know that each of these third-party companies is protecting information and its business environment physically, not just electronically.
When the average person hears that rival nations, criminal organizations, and individuals are targeting the U.S. power grid, they picture apocalyptic scenarios of the country returning to the dark ages, or of terrorists controlling the nation’s infrastructure like a video game. Although these might be Hollywood fantasies, cyber-attacks against the nation’s critical infrastructure can result in very real, and very serious, consequences.