STE WILLIAMS

Legacy Apps: The Security Risk Lurking in Dusty Corners

Four best practices to keep old code from compromising your enterprise environment.

A successful DevOps transformation empowers teams to release applications and add value for their organization faster than ever before. And now, with DevSecOps emphasizing early, integrated testing, security is being built into that high-velocity process. It’s a tremendous improvement over past approaches in which security was tacked on to the very end of the development pipeline.

Still, many enterprises, even those with mature DevSecOps processes, tend to overlook a significant risk in their application portfolio: legacy apps that predate these improved processes. These application inventories include apps that may not have had a code change in years — and certainly weren’t built using the best modern DevSecOps processes. Attackers know this and are happy to exploit it. A neglected segment of an organization’s technology stack that is no longer monitored or cared for could be an attacker’s ideal point of ingress.

These apps, lurking in dusty corners, might be used daily and no longer be under active development. Or they might be used infrequently, in forgotten production environments. Either way, they represent real risk for the business. The good news is that smart security teams that follow the four best practices below can mitigate the threats of legacy app-related security incidents.

Best Practice 1: Address “Tech Debt” Regularly and Incrementally
There’s no escaping the fact that updating, monitoring, and maintaining legacy apps takes time, and, much like a sink full of dishes or a pile of dirty laundry, these tasks only become more time-consuming the longer they are put off. Rather than letting this “tech debt” become too daunting, it’s worth considering dedicating a portion of the development team’s time to reducing their maintenance efforts. This could involve the creation of a dedicated sprint team that takes turns owning this initiative, or focusing a small percentage of each team’s bandwidth on securing legacy apps and code on a regular basis.

Best Practice 2: Leverage Standards and Compliance Requirements
Associations like the National Institute of Standards and Technology (NIST) establish security guidelines and regulations specifically to help organizations achieve sound security postures. Cross-referencing legacy code against industry-approved frameworks can be a good method for identifying security flaws, making the security audit process a much less daunting task.

Best Practice 3: Maintain an Accurate Application Inventory
A critical step in addressing legacy app-related risk is establishing what apps are running on the corporate infrastructure. Start by creating a single catalog of applications and dependencies running in the corporate environment — including third-party apps and components. List each application’s name, technology stack, purpose, users, and who in the organization may have firsthand knowledge of its implementation. This can be an arduous task, but if businesses employ policies to keep the inventory current after the initial lift, it’s worth it.

Best Practice 4: Security Policies for Removing Legacy Apps
As organizations grow, workflows shift, and different team members become reliant on different applications. To deal with this constant state of change, IT and security teams need to implement a plan and process for reviewing the technology stack and sunsetting applications that no longer serve a business function. If the business is not getting anything out of an internal or third-party application, it is simply a potential source of risk with no corresponding reward.

A comprehensive security strategy must be just that: comprehensive. Modern businesses must account for every segment of the technology stack, not just those components being actively developed today. By following these guidelines, organizations will better understand the potential risk that legacy apps pose, and how to protect themselves from these risks before they become problematic.


Tim Buntel is vice president of application security products at Threat Stack. Prior to this role, Tim has built globally-recognized software businesses for 20 years at startups, mid-sized companies in transition, and the largest global brands, including Atlassian, Adobe, …

Article source: https://www.darkreading.com/risk/legacy-apps-the-security-risk-lurking-in-dusty-corners-/a/d-id/1334391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Malware Campaign Targets Financials, Retailers

The attack uses a legitimate remote access system as well as several families of malware.

A new wave of cyberattacks uses legitimate remote access software to take over user accounts in financial services and retail organizations. 

According to CyberInt Research Lab, the attack is using the same tools and tactics used in earlier campaigns against financial institutions in Chile, India, Italy, Malawi, Pakistan, and South Korea, and against retailers in the US.

The current attack uses an off-the-shelf commercial remote administration tool called Remote Manipulator System (RMS), developed by a Russian-based company, as one of the malicious payloads delivered through a spear-phishing campaign. Malware families including Gussdoor, Xrat, and Vimditator are also being delivered through the targeted malicious email messages.

The cybercrime group behind the attack, TA505, has been active since 2014 and has been involved in campaigns using Dridex and Shifu banking trojans, as well as Locky ransomware and the Neutrino botnet/exploit kit. CyberInt says that an analysis of the code used in all the attacks leads them to believe that the financially motivated gang is made up of native-Russian speakers.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/new-malware-campaign-targets-financials-retailers/d/d-id/1334459?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tips for the Aftermath of a Cyberattack

Incident response demands technical expertise, but you can’t fully recover without non-IT experts.

Incident response teams need technical skills from security experts who can analyze and contain cyber threats. They also demand strategic and communications skills from employees who aren’t as tech-savvy but are equally essential to getting the business back up and running.

“When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority,” said Matt Barrett, CyberESI’s chief operating officer, during a panel discussion at the Incident Response and Recovery: Reducing Uncertainty and Looking Beyond IT event hosted today by the National Cybersecurity Alliance (NCSA) and NASDAQ in New York City.

In the aftermath of a security incident, many departments that need to rebuild are unrelated to IT and consequently overlooked. Technical concerns about containing threats and preventing data leakage often trump the role of communications experts, legal teams, law enforcement, and HR – all of which should be involved with developing and practicing an incident response plan.

Communication can be a difficult hurdle not only between the business and its partners and customers, but also among the many experts sitting around the response table.

“Having a soft-skilled person at the table is critical,” said Lisa Plaggemier, chief evangelist at InfoSec and member of the NCSA’s board of directors. She calls these employees “a secret weapon” which many CISOs don’t realize they have. Consider security training and awareness managers: they can translate technical concepts between security analysts and executives, letting engineers focus on their jobs instead of conveying executive updates to the board.

As for external communications, it’s important to equip all of your employees – not just the PR and communications experts – with guidance for what they should say. “I think it’s important not to overlook the role employees play in crisis communications,” said Plaggemier, who said all employees across the organization should be informed on how to respond to inquiries.

“It’s not just what you’re going to say, but who you’re going to say it to, and in what order of priority,” she continued. For example, sales teams may be given different guidance than IT employees. Your workers will talk about the incident, and you want to prevent rumors. “I’m an advocate for arming employees with information as quickly as you can.”

Practice Makes Progress

Panelists urged the audience to practice response plans, and practice often. “The number one thing is to have a playbook and rehearse the playbook,” said Tim Vidas, senior distinguished engineer in Dell SecureWorks’ Office of the CTO. In a real incident, “people may not be aware of what the plans and procedures are … emotions run high.”

Beuchelt explained how at LogMeIn, the team simulates different incidents to test different response tactics. “It’s important to build muscle around technical response capabilities,” he noted. It’s also important to mirror those technical response capabilities with a communications response plan that includes social media and public relations strategies, he said.

The company chose to include general counsel and senior HR leadership in rehearsal. “It was really an eye opener for them … the impact will be fundamental,” he said. These days, LogMeIn is testing out a new “escape the room” practice game with executive leadership. Participants have to solve puzzles: who broke the rules and who was the insider who spilled the beans.

You’ll want to choose scenarios carefully when practicing response plans, added Plaggemier. You don’t want to cause panic, but you do want to put employees in a situation that could realistically happen. When a tabletop exercise is too easy, participants often walk away with a false sense of security. Further, she said, every response exercise should conclude with an honest post-mortem: be truthful about what went well and what should improve.

“No matter how many times you practice it, you’re always going to learn something new,” she said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/tips-for-the-aftermath-of-a-cyberattack/d/d-id/1334460?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VPN Vulnerabilities Point Out Need for Comprehensive Remote Security

VPNs are the primary tool for securing remote access, but recently disclosed vulnerabilities point out the weakness of relying on them as the only tool.

“Encryption Everywhere” has become one of the rallying cries of enterprise security in the waning days of this millennium’s second decade. But when one of the foundation technologies of enterprise encryption is broken, the repercussions can spread far beyond the security team to cover everything the systems are supposed to protect.

That’s why the recent DHS CISA notice of vulnerabilities in four VPN applications is worrying and the details of the vulnerability particulars are so eye-opening. As it turns out, the vulnerabilities aren’t really in the basic encryption engines at work in the VPNs — they’re in the way the information on whether a particular session has been authenticated is stored and protected.

So what does it mean when an instrument of security is insecurely implemented? And aside from the obvious solution of patching the vulnerabilities (in Cisco, Palo Alto Networks, F5 Networks, and Pulse Secure products) as quickly as the patches become available, what is a security team to do?

“If we’ve made any collective mistakes in our use of VPNs, they’re around treating VPNs like infallible silver bullets,” says Amy Herzog, field CSO at Pivotal. “As with the firewalls of a couple of decades ago, VPNs are just one part of a company’s security posture. CISOs and CSOs should ensure their VPN use is as secure as possible, but they should also ensure their VPN fits into a larger system of security capabilities that’s resilient to disruption.”

It’s that feeling of VPN invincibility that experts warn against. “What [VPN] users don’t know is that VPNs are also prone to attacks and malware because bad actors know they are being used to convey sensitive information,” says Usman Rahim, digital security and operations manager for The Media Trust. “If bad actors are able to exploit vulnerabilities, they will be able to access, steal, and misuse VPN logging data.”

The Bad VPN?
As the security industry has seen with Amazon S3 buckets, problems explode when possibly secure products and services are implemented in a horribly insecure fashion.

“Unless businesses created multiple VPN profiles that restrict access to individual network resources, a VPN connection can allow carte blanche access to every network resource that would normally be available to users on the physical network,” says Justin Jett, director of audit and compliance at Plixer. “This means that hackers connecting over the VPN will be just as effective at stealing network resources on the VPN as they would be if they had physical access to the network.”

In the case of these vulnerabilities, it’s as if the system developers built a nice, strong door, then left the key under the big rock directly under the doorbell. It’s possible, some experts say, that the developers lost sight of how important the “keys” are because those keys exist as Web cookies rather than authentication certificates.

“As a developer, it’s easy to overlook that a cookie needs the same protections as a password because their format is already hashed or encrypted, but this is a common misnomer. Once someone has your cookie, they can just replay it and assume your Web identity,” explains Jason Haddix, vice president of researcher growth at Bugcrowd. He says it’s critical that those cookies be handled in the same secure manner used for authentication keys and certificates.

The problem is, “any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side does lack some additional countermeasures that I believe should have been implemented,” says Etay Bogner, co-founder and CEO of Meta Networks. But which countermeasures or additional security measures should the victims have put into place?

Beyond the VPN
Software-defined perimeter (SDP) systems have begun to appear in the market, and some say they offer the possibility of security beyond the limitations and vulnerabilities of VPNs. They may be part of the solution set that meets the requirements of the Trusted Internet Connection (TIC) 3.0 initiative of the Office of the Federal CIO.

“Solutions such as Zero Trust Networking through a software-defined perimeter will make a strong use case and promote how TIC 3.0 gives agencies greater flexibility and the ability to move quicker,” ZScaler’s Kovac says. “The SDP approach is to implement cloud-based access services to route traffic directly to the cloud. Using three core components — the application, the broker, and the connector — this method enables a ‘trust-to-trust’ approach, meaning a specific trusted user is connected to a specific trusted environment.”

This approach reduces risk by giving users specific access to specific applications, he said.

Added Bogner: “The unique capability of SDPs is that they redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center.”

Better VPN Security Today
Technologies such as SDPs may be the solution for the future, but what can a security team do today to make sure its VPN is a security tool, rather than a vulnerability?

“System administrators have an important role to contribute to defense-in-depth by using appropriate controls in the VPN configuration,” says Fausto Oliveira, principal security architect at Accepto. “It is not enough to trust on the security of the endpoint. My advice is to use defense-in-depth to help keep your information secure and continue to raise the level of effort required for an attacker to be able to exploit this type of vulnerability.”

Jett agrees, and goes further. “VPNs are a great resource, but reviewing VPN policies is critical to making them function correctly and with security as a first priority,” he says. “Finally, VPNs should not be the last stop in the security equation. After a user has authenticated via the VPN, additional safeguards should be in place to prevent access to resources.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/vpn-vulnerabilities-point-out-need-for-comprehensive-remote-security/d/d-id/1334461?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft confirms Outlook.com and Hotmail accounts were breached

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer Outlook.com, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending emails to what seems to be a small subset of affected users, which ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realised the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification should change their login credentials as a precaution, and also warned that affected users were now at risk of receiving phishing emails.

Contradicting some of this is a source who contacted Motherboard claiming that access was more extensive than has been admitted, specifically that the attackers were able to access email content.

When presented with the evidence, Microsoft said that “around 6%” of the impacted customers fell into this category, all of whom had been informed of the breach.

Right now, recommending that every one of Microsoft’s hundreds of millions of consumer email users reset their password seems like an over-reaction.

However, we’d still recommend that all users check their account to see whether they were contacted by Microsoft with an alert email.

And, as always, make sure you are practising good password hygiene – make each password different for every online account you have and consider using a password manager to help you generate and store them all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HdJCi_tVqU0/

Internet Explorer browser flaw threatens all Windows users

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these files, it attempts to open it using IE, which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

IE should throw up a security warning, but this can be bypassed, Page said:

Opening a specially crafted .MHT file using malicious xml markup tags the user will get no such active content or security bar warnings.

No escape

Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?

Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).

However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.

Our first advice, then, is that if you have no intention of using IE in Windows 10, don’t enable it. Better still, if you’re sure you don’t need it, de-install it completely via the Control Panel after manually turning it off and hitting restart.

When Page reported the issue to Microsoft on 27 March, Microsoft responded with this reply:

We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.

Interpreting this as dismissive, on 10 April Page released his proof of concept (POC) and video demonstrating that his exploit works as claimed.

This has prompted some to call it a “zero-day vulnerability” because it is a known weakness for which there is no patch (as opposed to a zero-day attack – a known attack targeting a previously unknown vulnerability for which there is no patch).

Doubtless, Microsoft will fix the flaw in a future update, hopefully in May’s Patch Tuesday on 14 May.

Until that happens, our second piece of advice for anyone still using a computer with IE on it is to be extremely sceptical about MHT attachments.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pS403-P-9tI/

Ad blocker firms rush to fix security bug

If you’re using an ad blocker to filter out online commercials, then beware: You might be vulnerable to a new attack revealed on Monday that enables hackers to compromise your browser.

The vulnerability, discovered by security researcher Armin Sebastian, affects Adblock, Adblock Plus, and uBlock (but not uBlock Origin). It stems from a filtering option introduced into the ad blockers in July 2018. The option allowed the programs to rewrite web requests, cleaning them of tracking data.

The problem is that an attacker can exploit this rewrite function using XMLHttpRequest. This is a programming feature all modern browsers use to request data from a server after a page has loaded. Attackers can also use an API called Fetch, which allows similar operations. An attacker can load a JavaScript string using either of these features and execute the returned code.

For the attack to work, the browser must visit another server after hitting a legitimate web page. Hackers can force that if the server allows open redirects. This is when the server takes a URL as input from the client and redirects to it, no matter what it is.

An attacker can also get their executable code into the browser via the $rewrite function if they can get it onto the legitimate web page. That’s possible if the server lets the user post their own content (such as in a comments section or social media timeline) and doesn’t use proper input validation to check the post for malicious commands.

Finally, for the attack to work, the server must not restrict where it can fetch content from. It must not validate the final request URL either, because the attacker will have tampered with it.

These conditions aren’t as rare as you’d think; Sebastian created an example of a malicious filter that would redirect requests to Google Maps to Google’s I’m Feeling Lucky. The filter then executes code that displays an alert box.

He explained:

Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions. This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together.

Website owners can fix the problem in two ways, he says. First, they can eliminate server-side open redirects. Second, they can use Content Security Policy (CSP), which is a World Wide Web Consortium (W3C) standard. The web server sends a CSP header when responding to a browser, and as long as the browser complies with it, it fetches content only from domains on the server’s white list.
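As an added illustration of the two server-side fixes just described (this is example code, not the researcher’s or any ad blocker’s), the JavaScript below shows an allowlist-based redirect check that closes an open redirect, plus a Content-Security-Policy header that restricts where scripts may load from and where fetch()/XMLHttpRequest may connect. The site origin and the allowlist are constructed for the example.

```javascript
// Added example (not from the original article or the extensions it discusses):
// server-side checks that close the two gaps the article names. The domain
// names and the allowlist below are constructed for illustration.

const SITE_ORIGIN = 'https://site.example';            // constructed site origin
const ALLOWED_ORIGINS = ['https://maps.example.com'];   // constructed allowlist

// Accept a redirect target only when it resolves to the site's own origin or to
// an origin on an explicit allowlist. Everything else (other hosts, javascript:
// URLs, protocol-relative "//host" tricks, userinfo tricks, unparsable input)
// is rejected, so the endpoint can no longer be used as an open redirect.
function isSafeRedirectTarget(rawTarget, siteOrigin, allowedOrigins) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) return false;
  // Browsers treat backslashes like slashes in http(s) URLs; normalise first so
  // "/\evil.example" is judged as the protocol-relative URL it really is.
  const candidate = rawTarget.replace(/\\/g, '/');
  const allowed = new Set([new URL(siteOrigin).origin, ...allowedOrigins]);
  let url;
  try {
    url = new URL(candidate, siteOrigin);  // relative paths resolve to our own origin
  } catch (err) {
    return false;  // unparsable input is never a valid redirect target
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  // Compare the full origin (scheme + host + port), never a substring of the
  // host, so "maps.example.com.evil.example" does not match "maps.example.com".
  return allowed.has(url.origin);
}

// Resolve a user-supplied redirect, falling back to the site root when unsafe.
function resolveRedirect(rawTarget, siteOrigin, allowedOrigins) {
  if (!isSafeRedirectTarget(rawTarget, siteOrigin, allowedOrigins)) {
    return new URL(siteOrigin).origin + '/';
  }
  return new URL(rawTarget.replace(/\\/g, '/'), siteOrigin).href;
}

// Build a Content-Security-Policy header value. script-src limits where the
// browser may load scripts from and connect-src limits where fetch() and
// XMLHttpRequest may go, so a request rewritten to a foreign origin is blocked
// by the browser even if the extension-side filter has been abused.
function buildCspHeader(allowedOrigins) {
  const sources = ["'self'", ...allowedOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${sources}`,
    `connect-src ${sources}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample inputs: the decisions a defender would expect for each.
function checkSamples() {
  const samples = [
    '/account/settings',                         // same-origin path: allowed
    'https://maps.example.com/place/1',           // allowlisted origin: allowed
    'https://evil.example/',                      // foreign origin: rejected
    '//evil.example/x',                           // protocol-relative: rejected
    '/\\evil.example',                            // backslash trick: rejected
    'https://maps.example.com@evil.example/',     // userinfo trick: rejected
    'https://maps.example.com.evil.example/',     // host-suffix trick: rejected
    'javascript:alert(1)',                        // non-http scheme: rejected
  ];
  return samples.map((s) => [s, isSafeRedirectTarget(s, SITE_ORIGIN, ALLOWED_ORIGINS)]);
}

console.log(checkSamples());
console.log('Content-Security-Policy:', buildCspHeader(ALLOWED_ORIGINS));
```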

Ad blockers might also want to rethink their use of the feature, he concluded:

Ad blocking extensions should consider dropping support for the $rewrite filter option. It’s always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected.

On Monday, eyeo GmbH, which makes Adblock Plus, did just that. It will release a version of the software without the $rewrite features “as soon as technically possible,” it said. However, it will leave in the ability to $rewrite to internal resources. This means allowing the filter to turn requests into local ones. They can substitute their own benign pixels for tracking pixels without alerting the server, for example.

Developers at AdBlock, which sells another product of the same name not connected to AdBlock Plus, are also working to rectify the problem. CEO Matthew Maier said:

We are aware of the vulnerability with the $rewrite filter option and we are preparing a release that will disable the potentially problematic functionality. We have not seen any attempt by a filter list maintainer to abuse this feature but we are removing the capability nonetheless as a precaution.

While Sebastian notified Google, Maier said that he didn’t get the same courtesy:

We did not hear from him first. We’ve been approached by ethical hackers in the past and we’ve paid bug bounties for folks that have surfaced issues to us. I don’t know that I would say I expected him to reach out, but it certainly would have been nice if he did. I don’t think we’re hard to find.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wUG2Ws7WLtE/

Mozilla to Apple: Protect user privacy with rotating phone IDs

Mozilla has criticized Apple for its latest privacy marketing campaign, urging it to provide more automatic protection for users behind the scenes. The nonprofit Mozilla Foundation has launched a petition to enhance a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

In a blog post, Mozilla praised Apple for its privacy track record but criticized its latest marketing campaign, with the slogan “Privacy. That’s iPhone.” The iPhone vendor has produced tongue-in-cheek videos showing people in various situations they’d rather keep private. Mozilla responded:

A key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Mozilla has a problem with the Identifier for Advertisers (IDFA), which is a hexadecimal code unique to every iPhone. When mobile users click a banner, play a video, or install an app, media companies can pass that information to advertisers along with the IDFA. The code doesn’t identify you, but it enables them to build up a profile of your activities.

The IDFA is a crucial tool in advertisers’ quest for attribution. This marketing concept ties individual product purchases or subscriptions to the advertisements that promoted them. The missing link is an individual’s series of responses to those advertisements over time. This is what the IDFA provides, and Mozilla finds it distasteful:

It’s like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

Apple has sided with privacy advocates against advertisers before. In September 2017, it shipped iOS 11 with a new feature for the mobile version of Safari called intelligent tracking prevention. This feature, which also hit macOS Safari the same month, used machine learning to better manage cookies. These are small files, different to IDFAs, that websites and advertisers place in the browser to identify users later on.

Some sites use cookies to remember your session so you don’t have to log in again. But others use them to tell advertising networks you’ve been there, enabling advertisers to track you across multiple properties.

The intelligent tracking prevention feature works out which cookies make sites easier to revisit, and which of them spy on you. The original version blocked the latter from third-party use after a day and deleted them after a month.

Advertisers were so incensed by this that six major advertising groups published an open letter to the company calling it “unilateral and heavy-handed”.

Then, in June 2018, Apple updated the anti-tracking service, removing the 24-hour window for third-party cross-site trackers to use cookies in the browser. Advertisers protested again.

This should please privacy-conscious users, but the IDFA persists far longer than any cookie. In fact, it won’t ever change, unless the user intervenes. Mozilla explained:

Most people don’t know that feature even exists, let alone that they should turn it off. And we think that they shouldn’t have to.

Mozilla wants Apple to change the IDFA on its phones every month. This would still allow advertisers to track what you do on your phone, but only for a few weeks, instead of forever.

It is asking for this because most people don’t know about the IDFA or how to disable it, but now, you will. If you want to limit ad tracking via IDFA on your phone or tablet, go to Settings > Privacy > Advertising. Select the Limit Ad Tracking feature, and you’re done. This guide from Apple explains how to do the same on your Apple TV, and how to turn off location-based advertising on your iPhone, too.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GQ4aBOGDogM/

Ep. 028 – SPEWS, Android security and scary Facebook messages [PODCAST]

In this episode, the Naked Security podcast tells you how to make your web signup forms safer [02’52”], explains how Android phones can be used as security tokens [08’13”], and looks into a Facebook “hidden message” that escaped into the wild [14’04”].

With Anna Brading, Paul Ducklin and Matthew Boddy.


If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.



Thanks to Purple Planet for the opening and closing music.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ijzBAHAYNnc/

7 Tips for an Effective Employee Security Awareness Program

Breaches and compliance requirements have heightened the need for continuous and effective employee training, security experts say.

Image Source: Shutterstock

Employee security awareness training programs have become a necessity for organizations in recent years because of the high percentage of data breaches caused by careless and negligent workers.

Phishing, in particular, continues to be a top attack vector because of the success threat actors have in tricking employees into downloading malware on their systems or following links to malicious sites. Many data breaches are also the result of poor employee password security habits and the failure to follow enterprise policies for data access, use, sharing, and storage.

In fact, negligent employees are one of the highest security risks for organizations in the US and elsewhere, according to a 2018 study by Shred-It. Eighty-four percent of C-suites and 51% of small-business owners described such employees as their biggest security problem. Ninety-six percent of Americans hold negligent employees at least partly to blame for data breaches at major US companies.

“While data breaches that grab headlines are often perpetrated by external threats, at least half of all security breaches are carried out by insiders,” says Chris Olson, CEO of The Media Trust. This can include malicious insiders, negligent employees, and third parties with access to the enterprise network.

But breaches are not the only reason for employee training. Many regulations, including PCI and HIPAA, mandate regular employee security awareness training. While requirements for such training can vary, the goal is to ensure companies take measures to address risks posed by employees and other insiders with trusted access to enterprise networks and assets.

Here, experts share some of the key attributes that make up an effective employee security awareness training program.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/threat-intelligence/7-tips-for-an-effective-employee-security-awareness-program/d/d-id/1334416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple