Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
As Dr. Singleton points out in our “What Every IT Auditor Should Know About Backup and Recovery” reading, Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two distinct concepts.
The DRP is put in place to address the loss or interruption of digital/business infrastructure as a result of a disaster, such as a fire or a terrorist attack. A BCP is a strategy, not simply a plan, to mitigate downtime to core business functions. The distinction can appear to be subtle, but I think the following example makes it more clear.
If Acme Motors suffers a catastrophic fire in the factory that houses their data center and automated assembly line, the company would rely on its DRP to address the loss and destruction of key infrastructure.
However, if Acme Motors was looking to migrate its data center to the cloud while replacing 70% of the automated assembly line, they would need to rely on their BCP. Acme would be concerned about minimizing downtime to their business functions as a result of corporate strategy, not a disaster.
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.
Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money. Often, the two terms are married under the acronym BC/DR. At any rate, DR and/or BC determines how a company will keep functioning after a disruptive event until its normal facilities are restored.
Technically, the Disaster Recovery Plan (DRP) deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. In daily practice Business Continuity often refers to disaster recovery from a business point-of-view, or dealing with simple daily issues, such as a failed disk, failed server or database, possibly a bad communications line. It is often referred to as the measure of lost time in an application, possibly a mission critical application.
In short, we can say that a Disaster Recovery Plan addresses the procedures to be followed during and after the loss, whereas BCP is the preemptive process put in place in preparation for the handling of a disaster.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are two different concepts. BCP is the organizational strategy involved with ensuring the continuous operation of core business functions during and after a disaster. DRP is a subset of the overall BCP and is more specific. DRPs may be developed for specific groups within the organization to allow them to recover a business application or function.
The best way to look at this is that BCP is proactive in approach. It defines potential assets and threats associated with core business processes that may adversely affect the business, and derives alternative approaches to maintain business operations and stability. For example, if a building catches on fire, where will the employees work from?
DRP is reactive in approach, because it outlines the actions that a business takes after an adverse event. These might include information on how to recover data or what to do in the event of loss of critical staff.
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. In other words, it provides detailed strategies on the steps that employees must follow during, and immediately after, a disaster.
The business continuity plan (BCP) takes the disaster recovery plan one step further. It is the creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.
These plans are interdependent but cover items that the other does not. In fact, DRP includes preventive strategies, whereas BCP introduces strategies that the business will use to maintain operations.
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Though Business Continuity Plan and Disaster Recovery Plan are used interchangeably, they have different meanings.
Business continuity plan is business centric and people centric, and it focuses on management oversight and plans to make sure that the entire business can continue to operate effectively with as little disruption as possible during and after the event of a disaster. It involves rigorous planning and commitment of resources to plan for the recovery. The BC plan includes all departments and defines the steps to be followed. It ensures that employees are aware of what needs to be done and where to go in case of a disaster. Example: fire drills, emergency contact numbers, etc. BCP includes both the DRP, for recovering a facility rendered inoperable, and the restoration plan, which is used to return operations to normality.
Disaster recovery plan is a part of the Business continuity plan. It is data centric, i.e. it is concerned with the process of replicating and storing data so that it can be quickly recovered when a disaster occurs. It ensures that the data will be easily accessible so that the downtime to restore operations is minimal and it won’t affect the daily operation of the business. Having a backup in a different location, mirroring of datacenters, and properly defined restore points all come under DRP.
While Business Continuity Plans and Disaster Recovery Plans might sound alike, they are in fact two different areas. One can see this by looking more closely at the names of each plan. For Business Continuity, the plan is to continue the business operations through events such as natural disasters without any “hiccups”. This plan essentially outlines multiple steps an employee should take for a variety of events such as fires, natural disasters, building collapse, etc. In my experience when I did an Internal Audit internship, our BCP included the names, telephone numbers, and addresses of all the members of my department as well as where the designated backup meeting spot was (at a hotel down the road) and telephone numbers of other important staff. The key focus of the business continuity plan is to have the business continue its operations through its personnel during a disastrous event.
Disaster Recovery Plans are different and, as the name implies, are plans to recover after a disaster has occurred. These plans usually revolve around maintaining or recovering data and IT infrastructure after a disaster has occurred, but can also encompass recovering business processes as well. This plan essentially outlines, if a business were to experience a disaster, what its steps would be to go back to pre-disaster or new desired conditions. With that being said, one of the key areas of disaster recovery is the protection and use of data within a company. Since many businesses run off of data or online communication, it is crucial that a Disaster Recovery Plan include some form of data backup policy and how that data will be recovered into the system. The key focus of the disaster recovery plan is to recover business processes and information after a disaster has occurred.
They are different!
Disaster recovery plan provides detailed strategies about processes and procedures an organization must put in place immediately to ensure that critical functions can continue during and after a disaster to recover from the event, such as emergency supplies, flashlights, and backup business information.
Business Continuity plan refers to more comprehensive planning that identifies the long-term, crucial strategies that are needed to ensure that the business maintains stability. It includes DR and addresses how the business will continue its key operations after the disaster. It also refers to how the business will continue its operations after smaller events, such as power outages.
These two terms are always used together, so people forget that there are differences between them.
What is BCP?
It identifies contingencies and alternatives for continuing business, and allows the business to define key parameters for the development of the DRP. It is concerned with keeping business operations running after disaster has struck.
What is DRP?
A DRP specifies how the recovery of a function will be performed. Within a DR plan, there will be individual component system recovery plans that specify the steps to recover applications.
BCP tends to focus on the whole business; DRP tends to focus more on a specific side of the business, such as the technical side. It is easier to think of a BCP as an umbrella policy, with DRP as part of it. There is a good chance the whole strategy (BCP) will be either less effective, or useless for departmental use, when a disaster happens. On the other hand, DRP can stand alone and many companies can do fine without a full continuity plan. BCP is typically set up on a day-to-day basis. The reason to have a BCP is that companies wish to remain able to provide their service or product to customers. A properly defined BCP would include considerations such as paper processes, communication with customers and suppliers, staff relocation, location of other documents, and contact details.
Q1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
BCP and DRP are not synonyms; rather, they are different.
• Business Continuity Planning: is a policy cum implementation of measures which will ensure continuity of critical business operations after a disaster has struck.
• Disaster Recovery Planning: is a set of “fail-over” arrangements which ensures restoration of systems, operations and data without loss.
Following are the differences between BCP and DRP:
BCP:
a. Strategy: Business Continuity
b. Concerned principally with the continuity of business functions even after the disaster has struck
c. Objective is to ensure enterprise-wide continuity of operational activities essential for business
d. Guidance and planning derived from IT Governance and directed by the governing body
e. A broader approach of identification of critical business processes, assets and people
f. Essentially under governance: a top-down approach
g. Defining the metrics for recovery is a must
DRP:
a. Strategy: Recovery from Disaster
b. Concerned mainly with the ability to recover the main systems after a disaster
c. Objective is effective recovery defined by metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
d. Guidance and planning are usually the responsibility of the IT Head
e. Minimize the effect of the disaster
f. Governance is not emphasized
g. Metrics for recovery & restoration not emphasized
Business continuity plan and disaster recovery plan are different, even though they are both related practices that describe an organization’s preparation for unforeseen risks and continued operations.
Business continuity plan is to minimize service interruption, keep critical systems online during the recovery process, prioritize and cut scope, and consider paper-based emergency alternatives.
A disaster plan is to protect assets, which provide enormous business value. It is required by law. Some companies think that backing up is a disaster plan; however, backups are just part of a larger disaster plan, and they only protect data. In addition, backups must be sent offsite. On the other hand, IT departments have the greatest insight into the company, but every other department must contribute to the disaster plan as well, because disaster planning is a business issue, not an IT issue. A disaster recovery plan should outline how a company prepares for disaster, reacts to disaster and recovers from disaster, and roles must be assigned, rehearsed and revised.
BCP stands for the planning of Business Continuity, and DR is the actions taken to recover from a disastrous event to bring the business back to continuity after an event of calamity or failure. BCP leads to DR.
Business Continuity Planning-
1. It is a blueprint of a plan if an incident occurs. BCP identifies the parameters of DR. BCP defines a plan in advance:
– Critical business activities that will be continued
– What is the process that must be followed in case of an event
– Who must be informed, and what is the time duration within which event occurrence must be reported
– Who will be the critical resources who will continue with the activities during and after event
– What is the timeline for disaster recovery?
– What level of disaster recovery plan is in place?
Ex. Level 1- Inside the same building on a different floor, Level 2- In a different city than the incident, Level 3- Continuity will be done in a different country than the country in which the incident occurred
2. BCP consists of 1. BC Strategy 2. BC Plan 3. Impact Analysis 4. Recovery plan stages 5. How information of Incident will be communicated to all
3. Ex. The BCP of an XYZ project will specify that if normal activities are halted, only critical activities like monitoring servers will be continued. BCP will identify the critical resources who will continue to work in case of any BCP event.
Disaster Recovery-
1. DR defines the steps and procedures towards resuming the critical and normal activities after a calamity has occurred. DR defines the steps to be followed immediately after an incident. DR is how to recover and get back to normal if a failure has occurred.
2. DR identifies 1. Backup Strategy 2. Risk Management 3. Emergency Response Team 4. DRP activation plan 5. DR plan for specific infrastructure ex. Media, internet, and remote connectivity.
3. DR consists of incident response, emergency response, damage assessment, evacuation plans
4. DR- Ex. DR will specify that in case of an incident at location A, location B resources will take over. The resources from location B will connect via the VPN to the backed-up data located at the client site.
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
I think these plans are different but reliant on each other, as one covers issues and situations the other does not and vice versa. The Disaster Recovery Plan discusses the specific instructions to be followed in order to resume operations in the aftermath of a natural disaster or national emergency. Overall, this plan protects a business’s IT infrastructure by providing detailed steps that employees should follow during and after a disaster. The Business Continuity Plan follows the DRP by allowing businesses to follow a strategy tailored through the recognition of threats and risks facing the business, as well as ensuring that employees and assets are protected in the event of a catastrophe.
Great post Pryia and explanation. The examples you used really bring the plans to life and make the difference so much more apparent. Great job !
1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
The difference between BCP & DRP is in the name. BCP is a Business Continuity Plan. Continuity means remaining constant or continuing. This means the BCP is a plan to follow when the system goes completely down. A solution is to have a second server in place, so if the “original” server were to go down, you could re-direct traffic to the second server, or a NAS device. The DRP is a Disaster Recovery Plan. This means the DRP is a plan to follow when you need to recover data or a system. A solution for this is Remote Back-Up. The data is backed up to the cloud and accessible if a user accidentally deletes an email or file.
Here is a link to how ISACA describes it: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/Pages/ViewDiscussion.aspx?PostID=72
Here is what they say:
“BCP refers to plans about how a business should plan for continuing in case of a disaster. DR refers to how the IT (information technology) should recover in case of a disaster.”
Although there is some overlap between the two, they are different and not synonyms. A disaster recovery plan is essentially a subset of a business continuity plan. A business continuity plan is much broader than disaster recovery and ensures that a business will still operate in the event of a disaster or catastrophic event. Its purview includes the entire infrastructure, including both the hardware and software, not only the data. A disaster recovery plan only ensures that the data can be recovered in the event of a disaster. However, if there is a disaster and the business only has a DRP and not a BCP, then there will likely be an interruption in business operations. It will take time to recover the data and then make it accessible to the business. If the infrastructure is also damaged, then the data will remain inaccessible until the repairs are made.
Business Continuity Plan and Disaster Recovery Plan are different. BCP refers to the response strategy that kicks in in the event of a disaster. It involves alternate planning of employee staffing, network availability, physical resources such as office space, desktops, and even power in case of a disaster. BCP consists of the steps taken to ensure that the business continues to deliver on expectations in the face of single or multiple disasters.
Disaster Recovery Plan: the actions to be taken or steps to be performed to recover the state of IT systems to the same state as before the disaster, onto the same or remote sites depending on the disaster. It includes the planned actions for restoration of data and IT systems in the event of disasters like a server crash or physical harm to equipment or the data centre.
BCP comprises of the actions that need to be kicked-off immediately, while Disaster Recovery may still be underway or may not have even kicked off. BCP provides the process to be followed as soon as a disaster occurs – it is the first response while DRP provides the process to be followed after the disaster has occurred and Business continuity is established.
Since BCP also covers availability of employees, it is possible that an incident can occur which would require only the BCP to be triggered and not both BCP and DRP, e.g. staff being unable to travel to the office due to political strikes or riots, and staff located in another city filling in for unavailable personnel to ensure business continuity.
According to ISACA, a business continuity plan (BCP) refers to plans about how a business should plan for continuing in case of a disaster. It allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered at a predefined level.
Disaster recovery planning (DRP) refers to how IT should recover in case of a disaster. It allows a business to plan what needs to be done immediately after a disaster to recover from the event. In daily practice, a Disaster Recovery plan often refers to major disruptions such as a flooded building, fire or earthquake disrupting an entire installation, and data branch to an organization.
BCP:
• Activities required to ensure the continuation of critical business processes in an organization
• Alternate personnel, equipment, and facilities
• Often includes non-IT aspects of business
DRP:
• Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
• Often focuses on IT systems
In short, DRP addresses the procedures to be followed during and after the loss where as BCP is the preemptive process put in place in preparation for the handling of a disaster.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are not synonyms. Rather, DRP can be categorized as a subset of a BCP. BCP is all about maintaining critical business operations following a disaster. The elements necessary for business continuity include the physical location of the place(s) of business, staffing, equipment, inventory, transportation, distribution channels and of course IT systems. DRP is considered a subset of BCP because it mainly focuses on the IT systems of the BCP. DRP is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. The root of disaster recovery is that data is kept in a secondary site, and plans are made to ensure that the data will be recovered and the business can access it in a timely fashion.
Continuity represents a much larger scope of planning and maintenance than recovery. However, given the dependency most businesses have on technology, disaster recovery is usually a top priority because it supports all the other elements of the business continuity plan.
Although Disaster Recovery and Business Continuity sound very similar and have a lot of overlap, they are different.
Disaster Recovery outlines how a company prepares for disaster, what the company’s response will be in the event of the disaster, and what steps the company will take to make sure the operations will be restored (recover from the disaster). This plan should include many possible scenarios. Since causes of disaster can vary greatly, it can include causes from deliberate criminal activity to a natural disaster like fire, from a stolen laptop to power outages and terrorist attacks. There are hundreds of possible scenarios and they vary based on culture, geography and industry.
It is also important that the disaster recovery plan is distributed across the organization so that everyone knows their role within the plan and can also take over the roles of their teammates who are unable to perform their duties.
It’s a plan that outlines what steps an organization must take to minimize the effects of service interruptions.
For example: hospitals have generators to ensure that their patients still get the required treatment (service) even in the case of a power outage (interruption). Back when companies were mainly paper-driven and information processing was done using batch processing, organizations could tolerate a few days of downtime. Nowadays, technology has become faster and cheaper, and companies have thus begun computerizing their critical business activities; companies now have systems in place to minimize unplanned downtime.
Business Continuity planning focuses on sustaining an organization’s business processes during and after a disruption.
Business continuity is based on standards, policies, guidelines, and procedures that facilitate continuous operation regardless of the incidents. Disaster recovery (DR) is a subsection of business continuity and is concerned with data and IT systems. Although BC and DR are always used together, actually, they are two different concepts.
As the definition indicates, DR is a subsection of BCP, i.e. business continuity represents a much larger scope of maintenance than the recovery of just the data and IT infrastructure. Disaster recovery (DR) refers to having the ability to restore the data and applications that run your business once your data center, servers, or other infrastructure get damaged or destroyed. One important DR consideration is how quickly data and applications can be recovered and restored. Business continuity (BC) planning refers to a strategy that describes the processes and procedures an organization must put in place to ensure that mission-critical functions can continue during and after a disaster, enabling a business to operate with minimal or no downtime or service outage.
Therefore, a disaster recovery plan is more reactive while a business continuity plan is more proactive.
The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are different. Disaster recovery is a subset, which is a small part of the overall business continuity. It is the process of saving data with the sole purpose of being able to recover it in the event of a disaster. Disasters in IT can range from minor to major: from the minor loss of an important set of data to the major loss of an entire data center.
Different from the DRP, the business continuity plan typically refers to the management oversight and planning involved with ensuring the continuous operation of IT functions. Moreover, it is not data centric but business centric. The most important point for business continuity is to continue to do business even if a failure or disaster occurs.
From the endnote of What Every IT Auditor Should Know About Backup and Recovery, we can get that “BCP and DRP are different and separate”.
BCP is about how the business continues to operate if something goes wrong. DRP defines the business requirements for a Disaster Recovery Plan. DRP deals with the restoration of computer systems with all attendant software and connections to full functionality under a variety of damaging or interfering external conditions. DRP will specify how the recovery of a function will be performed. In a DR plan, the individual component system recovery plans specify the steps to recover applications.
BUSINESS CONTINUITY PLANNING (BCP) – A process that organizations use to plan and test the recovery of their business processes after a disruption. It also describes how an organization will continue to function under adverse conditions that may arise.
DISASTER RECOVERY PLANNING (DRP) – A process of planning and testing for recovery of information technology infrastructure after a natural or other disaster.
Both BCP and DRP are very important to IT auditors. However, BCP and DRP are not synonyms, because BCP is the preemptive process put in place in preparation for the handling of a disaster. DRP addresses the procedures to be followed during and after the loss.
DRP and BCP are both used situationally and customized depending on the needs of the companies that create and install them. The BCP is the preventative process put in place in preparation on how to respond to a disaster, while the DRP addresses the procedures to be followed during and after the loss. For example, the DRP deals with the refurbishment of computer systems in terms of getting the system’s software and connections back to full functionality. The BCP is from the business perspective and often refers to disaster recovery in terms of a failed server or database for example.
Brou, great answer. What kind of things does the BCP do to make sure that the systems can function after a disaster? Like software recovery installs, system booting, and the installation of backup servers and such?
I agree with you. DRP can be part of BCP. Development of a BCP will identify contingencies and alternatives for continuing business, and allow the business to define key parameters for the development of Disaster Recovery Plans such as;
Defining the priority of critical business processes
Specifying the time that business processes should be recovered by (Maximum Tolerable Outage)
Identifying how much information can be recovered by going back to source information – how much can be lost and re-entered (Recovery Point Objective)
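The three parameters listed in this reply (priority of critical processes, Maximum Tolerable Outage, Recovery Point Objective) are exactly what a DRP has to be checked against once the BCP has defined them. The following Python script is an added illustration, not code from this thread, from ISACA, or from the course reading: it takes constructed BCP targets for three hypothetical processes and the backup interval and tested restore time that a hypothetical DR arrangement delivers, then reports where the DR capability falls short. The assumptions that restores run one after another in priority order and that worst-case data loss equals one backup interval are mine, chosen so the example shows how a later process can miss its MTO even though its own restore is fast.

```python
"""Check a DR capability against BCP-derived targets (added example).

Constructed scenario: each critical business process has a BCP priority,
a Maximum Tolerable Outage (MTO) and a Recovery Point Objective (RPO);
the DR arrangement for it has a backup interval and a tested restore time.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ProcessTarget:
    """BCP-side parameters for one critical business process."""
    name: str
    priority: int      # 1 = recover first
    mto: timedelta     # Maximum Tolerable Outage
    rpo: timedelta     # Recovery Point Objective (max acceptable data loss)


@dataclass(frozen=True)
class DrCapability:
    """What the DR arrangement for that process actually delivers."""
    backup_interval: timedelta   # time between restorable copies
    restore_time: timedelta      # tested time to restore and verify


def recovery_order(targets):
    """Process names sorted by BCP priority: the order DR should restore them."""
    return [t.name for t in sorted(targets, key=lambda t: (t.priority, t.name))]


def assess(targets, capabilities):
    """Compare each process's DR capability with its BCP targets.

    Returns {process name: [gap descriptions]}; an empty list means the
    targets are met. Assumption (constructed for this example): a single
    recovery team restores processes one after another in priority order,
    so a process's outage is the cumulative restore time up to and including
    its own restore; worst-case data loss is one full backup interval.
    """
    gaps = {}
    elapsed = timedelta(0)
    for t in sorted(targets, key=lambda t: (t.priority, t.name)):
        cap = capabilities[t.name]
        elapsed += cap.restore_time
        issues = []
        if elapsed > t.mto:
            issues.append(f"RTO gap: restored after {elapsed}, MTO is {t.mto}")
        if cap.backup_interval > t.rpo:
            issues.append(
                f"RPO gap: up to {cap.backup_interval} of data lost, RPO is {t.rpo}")
        gaps[t.name] = issues
    return gaps


# Constructed sample data for a hypothetical organization (not from the thread).
TARGETS = [
    ProcessTarget("payments", 1, timedelta(hours=4), timedelta(minutes=15)),
    ProcessTarget("order-entry", 2, timedelta(hours=8), timedelta(hours=1)),
    ProcessTarget("reporting", 3, timedelta(hours=6), timedelta(hours=24)),
]
CAPABILITIES = {
    "payments": DrCapability(timedelta(minutes=5), timedelta(hours=2)),
    "order-entry": DrCapability(timedelta(hours=24), timedelta(hours=3)),
    "reporting": DrCapability(timedelta(hours=24), timedelta(hours=2)),
}


def run_example():
    """Assess the constructed scenario; returns the gap report."""
    return assess(TARGETS, CAPABILITIES)


if __name__ == "__main__":
    for name in recovery_order(TARGETS):
        issues = run_example()[name]
        print(f"{name}: " + ("OK" if not issues else "; ".join(issues)))
```

In the constructed data, "payments" meets both targets, "order-entry" restores in time but its nightly backup cannot satisfy a one-hour RPO, and "reporting" is restored only after seven cumulative hours against a six-hour MTO even though its own restore takes two hours. That last case is the point of the sequencing assumption: RTO has to be evaluated against the recovery order the BCP priorities impose, not per system in isolation.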
Good example Ahbay,
Hospitals usually have a special control to mitigate the risk of running out of power. It is one example of a Business Continuity Plan (BCP), which is really important for patient safety. In the same way, companies should be able to operate at a minimum level so as not to affect consumers.
Good post Shahla,
Even though DRP and BCP sound similar, they are totally different from each other. The Disaster Recovery plan focuses on how to recover from the event, whereas the Business Continuity plan focuses on how to maintain its main functions during or after the event.
Great post, the video really helped me understand the difference between both Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). This video describes how they are different and simplified reasons on why. It also points out that the IT department or head should help the company write the disaster plan because they have the greatest insight of the company. Very useful video!
You are right, Yu Ming, DRP and BCP are similar but different from each other. Actually, the Disaster Recovery Plan is part of the BCP, besides DRP, there are many other methods to ensure the business continuity of an organization. For example, an effective backup plan can also mitigate the risks and enhance the continuity of the business.
Exactly, I totally agree with you that the DRP allows the organization to recover its maximum capacity in a minimum downtime. I was thinking that, as for start-up companies or small companies, they might have limited information assets, and the DRP may cost a lot for them. In this scenario, the companies may also choose to transfer the risks to third parties, for example by purchasing commercial insurance.
Exactly, I agree with you that the DRP is a part of BCP. According to the CISA review manual, both DRP and BCP have the purpose of maximizing capacity and business continuity and minimizing downtime. The difference is that BCP is a bigger concept which includes other methods to ensure business continuity.
Thanks for sharing the hospital example! It’s very important to have a Business Continuity Plan (BCP) to guide the hospital in response to an emergency/disaster situation or a mass casualty incident. Patients’ safety should be the hospital’s priority concern. Also, organizations should strengthen their capacity to scale their response to a range of events impacting operations as well.
What are the security challenges in online banking?
Question 1: What are the security challenges in online banking?
Online banking has become prominently global due to, it’s ever so easy banking platform. The convenience of online banking, allows its internet users to manage their bank accounts from anywhere in the world, at any given time. Like the HDFC, many banks have been encouraged to park take in this trend. Furthermore so, online banking saves banks a lot of resources such as operational cost, staff training, and branch and ATM investments. The basis of online banking is to dramatically enhance the users’ experiences by providing and bridging the access of their bank accounts to their fingertips.
However, since the Internet was not originally intended for banking; banks are now faced with a wide array of security risk for both offline and online infrastructures. Some of these risk include phishing scams, spamming, credit card fraud, identity theft as well as many other related cyber-crimes. Subsequently, there is not a doubt the transition to online banking has greatly improved banking globally but, the absence of proper controls whether legal or regulatory, infrastructure failures and consumer protection continue to pose major challenges for online banking operations. The objective of this case analysis is to critically evaluate security challenges faced by online banking, as represented in the HDFC Bank fiasco.
As depicted in the HDFC Bank case study, many banks and managers are being challenged with attempting to remain cutting edge as well as strong competitors. CISO, Vishal Salvi experienced this first hand at HDFC. He was being challenged with the use of new technology and software systems, all in order to remain a key player within the banking sector in India. However, one must be careful with this. They must assess and weigh the probability impact on the business as well as maintaining alignment with the business objectives. Like the HDFC Bank, many banks CISO are faced with the same three major dilemmas. “How do I ensure the security of an online transaction while still keeping customer convenience as a priority? Should I make secure access mandatory or should I leave it discretionary? Should I go for an onsite model or for a cloud model?” These questions are tough to answer because, no banks are the same and face different issues.
Yet, with the many benefits of online banking, there are many inherent security risks involved, such as confidentiality, integrity and availability. These security challenges pose many risks, such as the confidentiality of personal information being exchanged, authentication in regard to the integrity of the online banking platform, and the ability to access the platform. Conversely, there is no doubt that all of these security risks can overlap simultaneously. With that being said, a bank must secure its transactions by possessing and mitigating confidentiality and integrity controls so that the users’ transactions and content exchanges with the bank remain secure; without strong authentication techniques the banks have no way to be sure that the users placing requests are who they say they are. The HDFC Bank case study exemplifies these risks when dealing with online banking. Today, technology is the future and will continue to expand even more throughout the future. Along with technology’s evolution, online banking needs to evolve as well to combat those risks. Banks need the ability to define the risk factors involved, such as regulatory risk, legal risk, operational risk, and reputational risk. Consequently, although a considerable amount of work has been done in adapting banking and supervision regulations, continuous attention and modifications will be essential as the scope of online banking and technology increases.
Overall, there is no one-size-fits-all strategy approach. There are numerous different types of security dangers that affect the online banking platform. On the other hand, by focusing on a multi-layer protection approach, a bank can focus on system security, protection of consumers’ interests, as well as other factors. This approach would allow a bank to implement a mix of different factors when implementing controls, a few being: shielding the authentication process from malicious activities that can affect the customer; providing customer authentication strategies which allow the user the ability to verify the connection before accessing the site; effective communication with the customers that a potential occurrence of fraud is happening, etc. As mentioned earlier, there are many risks involved with online banking, but it is up to banks to mitigate these risks to the best of their ability with the strong use of IT Governance.
With the rise of technology and a growing number of Internet users, banks found it convenient to offer online banking to their customers, allowing them to manage their finances anytime, anywhere. However, as online banking becomes increasingly popular, it is more vulnerable to security threats and presents various security challenges that should be addressed individually. Those security challenges include authentication, authorization, privacy, integrity and non-repudiation.
Authentication refers to the idea of virtually making sure that the user is who they claim to be. In fact, if one can pretend to be another person, the possibilities to compromise the privacy and integrity of that person’s financial data are endless. Banks need to clearly identify the person accessing the account. This is usually done using single-factor authentication such as a username and password. However, with the increasing number of online frauds, the use of single-factor authentication has been inadequate for guarding against account fraud and identity theft. Hence, banks add more layers of security using multi-factor authentication, consisting of using two or more factors together, to protect customers’ identity. The main issue with multi-factor authentication is user fatigue. Indeed, as mentioned in the HDFC Bank case study, customers want “simplicity” whereas authentication requires them to enter a username, password, answers to security questions and more, only to make a simple transaction (p. 8).
Following authentication, authorization is another security challenge in online banking. Users need to not only be authenticated, but also have the permission to make a specific transaction. The authorization process is another layer of security added to protect customers’ accounts. For instance, a large transaction may require approval from the bank before going through. During this approval time, the bank has the opportunity to verify whether the person who initiated the transaction is an authorized user. SafePass, used by Bank of America online banking, illustrates this concept well. It uses a 6-digit one-time code sent in a text message to the user’s registered mobile number to help verify their identity before authorizing certain transactions, including higher-value transfers or logins from unusual devices. Authorization, like authentication, can be seen as tedious for users in a hurry to make a rapid transaction, for example.
Moreover, privacy should be of major concern in online banking because it can lead to unwanted exposure of information, which can be used to commit ID theft. The main challenge here is to teach users how to protect their privacy while accessing their online account. Indeed, personal privacy is threatened the second users log on, and this is the main fear of customers in India who would rather use physical locations. However, some privacy safeguards can be used to minimize the risk. These include strong passwords, secure devices, and limited personal information sharing on social media. Additionally, when it comes to transactions, banks must create secure platforms ensuring that the exchange of sensitive information is only between the two parties involved and no one else. In other words, the sender’s personal information should be kept secret in order to increase the security of the transaction.
Above all, data integrity and non-repudiation should be part of the online banking IT security system because they protect banks from frauds. Data integrity refers to the idea that banks should have security protocols leveraging encryption for transferring data. This will ensure that information can only be accessed and modified by authorized users. Similarly, non-repudiation implies that online banking should be monitored in a way that would prevent customers from repudiating transactions they authorized. For example, if users deny and claim refunds for transactions they intentionally made, the bank should have the necessary tools to prove otherwise.
A strong IT security system should take into consideration the security issues that online banking presents. Those issues are authentication, authorization, privacy, integrity and non-repudiation. Indeed, online banking offers easy access to financial accounts, which makes it the main target for phishing attacks. However, understanding the risks and challenges involved will allow banks and customers to safely protect their data.
Great analysis Laly.
However, when you say that “no banks are the same and face different issues,” it is both right and wrong. To me, when it comes to online banking, all banks have the same issues, the same security challenges in that case, given the nature of the service they provide to customers.
Perhaps in another context like financials or organizational structure, that statement may apply.
You summarized it well, Magaly. Great point about a strategy not being a one-size-fits-all approach. I think the basic issues remain the same but the ways to implement them become different for organizations depending upon the business operations, geographical location, the core business function and the different cultures where the business is active.
Like in this case, HDFC Bank has to deal with two main problems. One, maintaining the trust of customers who are used to offline and in-person banking. Two, the trust is at stake even with dormant customers who have created an account online but do not use it.
Another important thing to discuss is whether giving IS security to a vendor who is an expert is a good choice over in-house management. In the case of HDFC, when they were exploring a new area and trying to recover from so many problems, it was better to take expert advice. That would save a lot of time, as experts would not be experimenting; RSA was already an expert and had explored the security solutions.
HDFC Bank is one of the leading private banks of India. This case analysis will focus on the question, what are the security challenges in online banking, and I will provide a recommendation.
Online banking is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution’s website. Not only was HDFC Bank facing the security problems of online banking; all online banking faced the same security problems. For example, a phishing attack is the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. According to the case, “customers were receiving e-mails claiming to have originated from the bank and seeking sensitive account information, including passwords and personal identification codes.”
Additionally, there is a competitive banking environment, so many banks quickly start online banking to take more market share. This will lead to online banking system vulnerability. Many customers are apprehensive about online transactions because online banking is still in its early stage in India. What’s more, RBI announced a set of guidelines for online banking; however, Indian banks may not follow them. “RBI observed that at present some banks do not have proper security policy and methods to monitor the service level agreements with third parties and have inadequate audit trail.” (Comparative Study of Online Banking Security System of Various Banks in India, Rajpreet Kaur Jassal)
As the CIO of HDFC Bank, Salvi had laid out HDFC’s dilemmas in strengthening security in order to face these challenges. Firstly, HDFC Bank balanced between customer convenience and system security. According to the case, “she had to strike a balance between keeping the IS transparent to the customer (so that he or she breezed through an online transaction without barriers) and making it effective from the bank’s point of view (so that the bank was not taken for a ride by potential fraudsters).” Second, she had to increase the secure access. “Salvi was planning to introduce a second level of authentication for all online customers… and beneficiaries.” The beneficiaries mean “another major part of secure access was asking the customer to provide the bank with a list of account holders with whom the online customer’s transactions would be periodical and regular.” Third, she selected the secured server location. Locating the servers onsite or offsite should be decided by Salvi according to the two models’ advantages and disadvantages. “The main advantage of the cloud, as its name suggested, was that it was fluid and elastic. It could expand and contract depending upon the need of the user to scale up or scale down the relevant computing services.”
It is necessary for Salvi to solve those issues, and I provide some recommendations for Salvi in order to increase the level of security, as follows:
1. Creating a cyber security policy and establishing internal controls. HDFC Bank should follow the RBI regulations to create a security policy for the bank, which can provide specific documented business rules to protect information and systems in order to optimize risks and resources. It is critical for a bank to understand the role IT plays in order for the department to help the bank succeed.
2. Increasing the security level of the online banking system through a layered security approach. When the bank accepts a transaction, it should be verified by Visa, MasterCard SecureCode and JCB J/Secure. Additionally, the bank should monitor irregular large-amount billing transactions. The bank can also use adaptive authentication for e-commerce. Those methods would minimize the risk of transactions made through the online banking system.
3. Freezing dormant accounts. If customers do not use their online accounts for more than 6 months, the bank will be able to freeze the dormant accounts automatically. Users can reactivate their accounts online by using their authentication information.
4. Building up cloud computing with dedicated bandwidth. Although this practice costs the bank a lot of money, it is the most reliable way to provide trustworthy financial services to customers.
Overall, those recommendations can help HDFC improve the security of its online system, and those recommendations can also be used by other Indian banks.
What are the security challenges in online banking?
Online banking has become a trend; as we can see in exhibit 2, millions of people are using the internet today. Usually, when you open a bank account, it will come with an online account. Online banking has two components: net banking and mobile banking.
Therefore, we can analyze some major problems in these two components first:
Challenges faced in net banking:
Most computers now have the function of “remember your password and username”. Banks should eliminate this function when designing the online bank websites.
Challenges faced in mobile banking:
Smartphones have security flaws themselves; clicking on a simple link can bring malware onto the smartphone. In 2014, a security expert named Winston Bond demonstrated how easy it was to reverse engineer mobile apps: decompiling them back into source code, altering the behavior of the app, and reuploading it back onto the app distribution servers (Makeusof.com).
There are nine most common online frauds that banks should be aware of: spam, scam, malware, phishing, pharming, man-in-the-middle, man-in-the-browser, replay attack and crimeware (Exhibit 7). HDFC Bank suffered from a phishing attack in 2007.
The overall challenges for online banking (net banking and mobile banking):
1. Adaptation: in the light of how rapidly technology is changing today, adapting different versions of online banking is the first thing that every bank should think of. The password system, management of the database, applications, etc. need to be updated to the newest technology in order to mitigate the risks.
2. Legalization: new methods of conducting transactions, new instruments and new service providers need to obtain permission from regulatory departments. For example, it will be essential to define an electronic signature and give it the same legal status as the handwritten signature (imf.org).
3. Harmonization: since most banks have branches in different countries, they may have different regulations among countries. The international harmonization of online banking is also a challenge for banks. They need to adjust their systems and applications based on a country’s law and culture.
4. Integration: Salvi mentioned in the case that for HDFC Bank, an IS framework, in the light of the changing ecosystem, has three dimensions: technology integration, business integration and risk integration. This is the process of including information technology issues and their accompanying operational risks in bank supervisors’ safety and evaluation.
Question 1: What are the security challenges in online banking?
Online banking is popular because it’s accessible, quick, and convenient. With the biggest network ever created (the Internet), online banking became a “must have” for banks. Even banks in developing countries are implementing online banking. It eliminates long lines in the bank and makes it easy for customers to monitor their transactions. It is so convenient that some banks operate only online. Unfortunately, security is a big issue. This easy access to your bank account makes online banking a target for hackers.
In fact, as it is easy for the customers to access their accounts in a few clicks, it is also easy for a hacker to find a way to penetrate the system. Online banking presents several security challenges like phishing scams, identity theft, and credit card fraud, which also shows that hackers are not only looking for your money but also your personal information. Online banking is a double-edged sword.
In our specific case, Mr. Salvi, the Chief Information Security Officer (CISO) of HDFC Bank, is facing many challenges with managing online banking in the bank. After a phishing attack in 2007, HDFC took corrective measures and contracted an IS security solution provider to set up a 24/7 command centre. Mr. Salvi must find a balance between customer convenience and security. The more barriers you put between customers and their account, the more you irritate them.
Authentication is one of the biggest security challenges in online banking. The bank system must be sure that the person logging in is the right person. One of the solutions to counter this challenge is to implement two-factor authentication. It requires a second code when logging into your account. Mr. Salvi is planning to implement that solution in HDFC Bank but faces another dilemma: whether to provide secure access to every online user or limit it to active users.
Another security challenge in online banking is how to protect the IS infrastructure. In the HDFC bank case, Mr. Salvi is hesitating between having his servers at the bank data centres or hosted by an IS vendor. Both represent a risk and are vulnerable to hacker attacks. The servers (authentication servers and online servers) are crucial for the bank operation online. The challenge here is not where to store the servers but how to protect them from intruders.
Online banking security challenges also correspond to the CIA triad. There is a confidentiality risk to the extent that personal information is being used. Confidentiality can be seen as privacy, and in online banking you don’t want your sensitive information to be shared with anyone. Once a non-authorized person has access to your information, it affects the integrity of the information. This is why authentication is really important in online banking. The bank must prevent people other than you from accessing your account. The bank also needs to secure and protect its infrastructure in order to avoid disruption of the service. Customers want to be able to access their accounts 24/7, and it is the bank’s job to make sure customers access their accounts in a secure way.
In my humble opinion, customers are also a security challenge for online banking. People are the weakest link in IS and represent a danger to themselves. Most of the time, it is through people that hackers intrude into systems. It is important that customers understand the dangers of the Internet and protect their information before any additional protection from banks. The root of the problem is that people (customers) want convenience and don’t think about the consequences. Some people write down their passwords or use the same password for different accounts. Others save their passwords on their computers… I think banks should educate and provide weekly security tips (precautionary measures) to their customers.
The bank should also develop a strong IT system which will reduce the risk of security breaches. Another way to counter cyber-criminality in online banking is to work together. Banks should create an organization where they will share their bad experiences and design solutions together.
What are the security challenges in online banking?
Online banking offers benefits to both banks and their customers. Banks can offer more services with greater availability with fewer resources. Customers gain added convenience and availability of their money. Many transactions that used to require visiting a local bank branch to complete can now be done online or on a phone. Banks benefit by offering the same service without requiring a physical branch, and customers can complete the transaction anywhere and anytime. As the article noted, banks were uniquely suited to build and convince customers to use mobile banking applications because of a strong public perception of risk management and security. The Internet, however, is an inherently insecure entity, and presents numerous risks to banks as more banking applications migrate to the Internet.
Banks face the same problem as many other industries with cyber security: the delicate balance between security and convenience/accessibility for customers. Too much security can often lower convenience for customers, making the process more cumbersome. Too little security with a convenient platform may create a better experience, but will likely expose customers to more cyber threats. Customers will not use a mobile banking platform that is not secure.
The article lists five areas for online banking security that must be addressed: authentication, authorization, privacy, integrity, and non-repudiation. Authentication ensures that the user accessing the bank account is the correct user. Before any transaction can proceed, the correct user identity must be established. Authorization then validates whether that user has permission to complete the requested transaction. A customer should only be allowed to make transactions specific to his/her account, and these should meet regulatory/compliance guidelines. Users also expect the bank to protect their privacy and not allow a third party to access financial transaction data without permission. Purchases, transfers, and other transactions are not public knowledge, and people will not use a bank that does not protect customers’ privacy. Integrity refers to the inability to alter data related to the transaction. Both parties must trust that the data is accurate, or customers and the bank may lose confidence in the system. Last, non-repudiation prevents either party from denying consent or communication regarding a transaction. A customer cannot sign a document with a digital signature and then later contend that they did not. Nor can the bank authorize a transaction and then deny it at a later date.
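The integrity and non-repudiation properties described in this post, and in the earlier post on data integrity and non-repudiation, shown as a signed transfer order the bank verifies before executing it, with a nonce ledger against the replay attack listed among the common frauds. This is an added example, not code from the case or from HDFC Bank; the account numbers, amount and nonce are constructed, and Ed25519 from the Go standard library stands in for whatever signature scheme a real bank would deploy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Transaction is the order the customer authorizes. Every field the bank acts
// on is part of the signed message, so none of them can be altered in transit
// without invalidating the signature (integrity).
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountPaise int64  // smallest currency unit; avoids floating-point ambiguity
	Nonce       string // unique per order; lets the bank reject a replayed copy
}

// Canonical returns a fixed, unambiguous encoding of the order. Signer and
// verifier must serialize identically, otherwise verification fails.
func (t Transaction) Canonical() []byte {
	return []byte(strings.Join([]string{
		"from=" + t.FromAccount,
		"to=" + t.ToAccount,
		fmt.Sprintf("amount=%d", t.AmountPaise),
		"nonce=" + t.Nonce,
	}, "&"))
}

// GenerateCustomerKeys creates the customer's key pair at enrolment. Only the
// public key is registered with the bank; the private key stays on the
// customer's device or token, which is what makes the signature non-repudiable.
func GenerateCustomerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTransaction runs on the customer's side: it signs the canonical order.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Canonical())
}

// VerifyTransaction runs on the bank's side. A valid signature shows integrity
// (no field changed) and gives the bank evidence the customer cannot later deny.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Canonical(), sig)
}

// Ledger records accepted nonces so that a captured, correctly signed order
// cannot simply be submitted a second time.
type Ledger struct {
	seen map[string]bool
}

func NewLedger() *Ledger { return &Ledger{seen: map[string]bool{}} }

// Accept verifies the signature and rejects duplicates; it returns true only
// when the order is genuine and has not been executed before.
func (l *Ledger) Accept(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	if !VerifyTransaction(pub, t, sig) {
		return false
	}
	if l.seen[t.Nonce] {
		return false
	}
	l.seen[t.Nonce] = true
	return true
}

func main() {
	pub, priv, err := GenerateCustomerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample order: account numbers, amount and nonce are made up.
	order := Transaction{FromAccount: "ACC-1001", ToAccount: "ACC-2002", AmountPaise: 500000, Nonce: "txn-0001"}
	sig := SignTransaction(priv, order)
	ledger := NewLedger()

	fmt.Println("genuine order accepted:", ledger.Accept(pub, order, sig)) // true
	fmt.Println("same order replayed:", ledger.Accept(pub, order, sig))    // false

	tampered := order
	tampered.ToAccount = "ACC-9999" // beneficiary changed after signing
	tampered.Nonce = "txn-0002"
	fmt.Println("tampered order accepted:", ledger.Accept(pub, tampered, sig)) // false
}
```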
Said, thanks for the post. You’ve summarized the challenges of online banking very well. I agree with you that people are the weakest link in any information security program. Aside from the people using a bank’s online resources, you have the people internal to the bank who may be subject to, intentional or unintentional, fraudulent activities. Some other major concerns regarding people in this mobile banking environment are the sheer number of mobile applications that people install on their devices. Apps tend to continue to share more and more information with each other, causing concerns about what information is actually being shared about you. Say, for example, you downloaded an app, and without your knowledge or consent, the app collects information on the apps you have installed on your phone. The information collected included online applications for banks such as Bank of America or Citibank, and is sent to a hacker. Now the hacker has personal information about you, from signing on with Facebook, and knows what banks you use. They can use this to target you with phishing scams to get you to reveal your account information for Bank of America or Citibank.
I respect your opinion in that regard. However, I do believe banks have different issues that are more situational and not universal. What one bank lacks, another might not. Generally speaking, the IT industry is very new and constantly evolving, so the security challenges do apply, but, as mentioned above, they might need to be handled differently because they must align with the business’s objectives, location and size. Nowadays, banks are facing plenty of challenges such as not making enough revenue, consumer expectations, competition from financial technology companies, and regulatory pressure. Though these issues may be prevalent across all boards, they need to be handled in a manner that positively impacts their business.
Thanks, Priya. Great additions. I completely agree with your context in regard to the approach. One must take into account the other factors when implementing strategies. As for the expertise aspect, you hit the nail on the head with that one. The CISO should have acknowledged his lack of experience within the online banking realm and should have sought out guidance. It is never wrong to need help, and ultimately, if he had done so, they probably wouldn’t have been a victim of phishing scams.
Well summarized, Said!
Towards the end you suggested that “banks should educate and provide weekly security tips (precautionary measures) to their customers”, which is a great control in the disclaimer aspect. Personally, I would love it if my banks did that, or even had yearly password updates.
As for the banks coming together to share knowledge, in theory that sounds amazing. However, at the end of the day, banks would rather not disclose their information, especially to their competitors. It’s sad how the business world works in that regard, but it must be done to stay prevalent.
Question: What are the security challenges in online banking?
As a top-15 ranked bank in India, HDFC had $15.64 billion in deposits in 2007. In the same year, 1.28 million customers, which is 28% of HDFC Bank’s retail customers, claimed that they were the target of a phishing attack; many of them held online banking accounts with HDFC Bank. In this case, the bank’s online banking system and its information assets are challenged.
Generally, the security challenges in online banking exist for both the customers and the bank’s online banking system itself. From the customers’ perspective, the first challenge is protecting personally identifiable information (PII) like the account number and online passwords. Besides, ensuring the physical protection of debit and credit cards is also important for online banking users. On the other hand, the online banking system also faces security challenges from internet attacks like unethical hacking.
In order to avoid identity theft, online banking users should carefully keep their personally identifiable information like the account and passwords of the online banking system. Especially for those operating on PCs, before inputting sensitive personal information, ensure the antivirus software is protecting the system. Attackers may monitor the system data flow through malware and copy the passwords. According to the article, many online banking users in HDFC Bank were hit by a phishing attack. The process and concept of the phishing attack are not complicated: a phisher designs a campaign and sends it to a huge number of bank account holders via different approaches, like a spam email or spam message with a link. If the user clicks on the link, the PC or mobile device will be infected by a Trojan. After that, if the customer inputs sensitive information like the online banking account and passwords, the Trojan will record the information and send it to the phisher. With the bank account information, the phisher can log in to the online banking system through the customer’s personally identifiable information. Therefore, if the online banking users in HDFC Bank lose their PII to phishing attacks, attackers may be able to access the system and transfer money from victims’ online bank accounts. This will damage HDFC’s reputation and cause huge negative influence on its online banking service, because HDFC’s online banking system failed in protecting customers’ assets.
To mitigate the risk of attackers logging in to the online banking system through a victim’s online banking account, the effectiveness of secure access and server location are very important. In most cases, the attacker will log in to the online banking system from a different location. For example, if the user usually logs in to the system from New York City but suddenly logs in from the UK on the same day, the system should double check the identity information by sending a confirmation email or text.
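The location check described above, combined with the high-value and unusual-device triggers mentioned in the earlier posts on SafePass-style authorization and adaptive authentication, as one step-up decision the bank makes before executing a transfer. This is an added example and not HDFC’s or the case’s own logic; the coordinates, the thresholds (INR 1,00,000 and 900 km/h) and the device identifiers are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LoginEvent is one observed login: when it happened, the geolocation the
// bank resolved for the client address, and the device identifier presented.
type LoginEvent struct {
	At       time.Time
	Lat, Lon float64
	DeviceID string
}

// TransferRequest is the action the customer is trying to perform right now.
type TransferRequest struct {
	AmountPaise int64
	Login       LoginEvent
}

// Thresholds are constructed for this example, not taken from the case.
const (
	highValuePaise  = 10000000 // INR 1,00,000 expressed in paise
	maxPlausibleKmh = 900.0    // faster than an airliner between logins counts as impossible travel
)

// haversineKm returns the great-circle distance between two coordinates in km.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// StepUpReasons decides whether the bank should demand a second factor (for
// example a one-time code sent to the registered phone) before executing the
// transfer. It returns one reason per triggered rule; an empty result means the
// password login alone is acceptable for this request. previous is the
// customer's last known login, or nil if there is no history yet.
func StepUpReasons(previous *LoginEvent, knownDevices map[string]bool, req TransferRequest) []string {
	var reasons []string
	if req.AmountPaise >= highValuePaise {
		reasons = append(reasons, "high-value transfer")
	}
	if !knownDevices[req.Login.DeviceID] {
		reasons = append(reasons, "unrecognised device")
	}
	if previous != nil {
		km := haversineKm(previous.Lat, previous.Lon, req.Login.Lat, req.Login.Lon)
		hours := req.Login.At.Sub(previous.At).Hours()
		if hours < 1.0/3600 {
			hours = 1.0 / 3600 // clamp same-second or skewed clocks to one second
		}
		if km/hours > maxPlausibleKmh {
			reasons = append(reasons, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours))
		}
	}
	return reasons
}

// RequiresStepUp is the yes/no view of StepUpReasons.
func RequiresStepUp(previous *LoginEvent, knownDevices map[string]bool, req TransferRequest) bool {
	return len(StepUpReasons(previous, knownDevices, req)) > 0
}

func main() {
	// Constructed history: the customer logged in from New York this morning.
	base := time.Date(2007, time.June, 1, 9, 0, 0, 0, time.UTC)
	lastLogin := LoginEvent{At: base, Lat: 40.7128, Lon: -74.0060, DeviceID: "dev-A"}
	devices := map[string]bool{"dev-A": true}

	// Small transfer from London three hours later on the same device: flagged.
	london := TransferRequest{AmountPaise: 500000, Login: LoginEvent{At: base.Add(3 * time.Hour), Lat: 51.5074, Lon: -0.1278, DeviceID: "dev-A"}}
	fmt.Println("London:", StepUpReasons(&lastLogin, devices, london))

	// Small transfer from Philadelphia three hours later: plausible, no step-up.
	philly := TransferRequest{AmountPaise: 500000, Login: LoginEvent{At: base.Add(3 * time.Hour), Lat: 39.9526, Lon: -75.1652, DeviceID: "dev-A"}}
	fmt.Println("Philadelphia:", StepUpReasons(&lastLogin, devices, philly))
}
```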
Security challenges in online banking are :
• to have a trustworthy IT system that is not cumbersome to use for a customer: banking systems need to be able to strike a balance between being safe and convenient
• to have the system robust enough to handle the different types of cyber attacks such as phishing, malware, pharming
• to have a system that ensures privacy in transactions such that the transaction data between two people is only available to the concerned two parties and no-one else
• to employ different validation and authentication checks for different types of transactions
• to ensure that dormant accounts are protected as well, as they are susceptible to being hacked without getting noticed or reported
• to employ, in the event of an attack, a mechanism whereby the attack is detected quickly and subsequent action is taken to stop further damage
I like how you mention “Harmonization”. This reminds me of companies that are located in different states and have different taxing procedures for goods / services.
Here is an example:
Everyone has a cell phone and the taxes associated with the phone & service are based on individual State regulations. One person in PA will have to pay taxes on a new phone, but a person in DE won’t.
The rules and regulations surrounding communications vary from a Federal standpoint to a State standpoint.
Binu, I think the bank should leave it to the discretion of the user.
The option is there for the customers’ convenience; there are people who don’t remember their password all the time. However, I think instead of the remember password option, it’s better to have password hints. Usually, I will recall the password after I see the hints.
I am currently working at an accounting firm, and we use LastPass to store our passwords. I think it is secure because LastPass encrypts your Vault before it goes to the server. Since the Vault is already encrypted before it leaves your computer and reaches the LastPass server, not even LastPass employees can see your sensitive data.
I agree with you, Yulun. Sharing the same username and password for several accounts is not a good option to protect our information. We should secure our PII to avoid phishing attacks by changing passwords on a regular basis, using longer, more random passwords, avoiding the use of an easily identifiable user name, and lastly, DON’T write down passwords anywhere that other people have access to.
An Important Message to Yahoo Users on Security
Yahoo, the tech company, has recently disclosed that it had been breached, with over 500 million accounts compromised. According to haveibeenpwned.com, a website that allows users to search whether their accounts have been breached using information from the web, the Dropbox breach could potentially be the biggest breach in history, with the largest breach currently being MySpace with close to 360 million accounts compromised. The breach had occurred in late 2014, with the information stolen including names, email addresses, telephone numbers, dates of birth, and hashed passwords. Yahoo had identified that the breach was caused by a state-sponsored hacker, which is to say that the individuals behind the attack had political motivation or support.
While this may seem just like another data breach that we hear about on the news, the two areas that make this breach important are the size and how long it took Yahoo to publicly release the hack. According to the Fortune article, many states require companies to report a breach within 30 days in order to protect users. However, Yahoo had acknowledged that accounts were for sale online in August and has just recently prompted users to review their online accounts and activity. Due to Yahoo not taking the necessary actions to warn users in a timely manner (within 30 days), Yahoo might be facing legal issues going forward. For myself at least, I normally think of the damage of data breaches as being a loss in reputation or having to pay for damages done to the users. However, fines for not following the law are another cost that could affect those in data breaches. I will need to keep posted on this breach as Yahoo reveals more about the attack to the public.
Your smart cars are at risk!
While electronic accessories and smart features add leisure to cars, they also increase security issues.
Are you an owner of Audi or Volkswagen? What is the issue?
Volkswagen, Audi, Seat and Skoda keyless cars produced over the last 20 years are vulnerable to hack attacks due to their cryptographic keys. The car manufacturers depend upon a constant key scheme and are thus vulnerable.
What is the attack?
Attackers use simple radio signals and can carry out the attack with a simple $40 radio. Hackers can identify the car, intercept the radio signal sent from a key fob to the car, then get the cryptographic “password” associated with the vehicle. That cryptographic key would then need to be paired with another special key. The constant key scheme used makes it easy to detect. The bad news is that the task would not be a serious challenge for a professional hacker, and if they ever found the special cryptographic key, they could leak the details online.
How can it affect you?
Although the mechanism cannot start the car, it can still unlock it. This is a major physical security and theft issue, leading to corporate scandals and theft.
With the newest technology of driverless cars, this can be a major threat to human safety.
Who is safe?
VW’s cars built on the recent MQB platform (Golf, Tiguan, Touran and Passat models) were not vulnerable to this attack.
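As an added illustration of why a “constant key scheme” is the weak point the post describes, here is a toy rolling-code model in Python. It is constructed for this example and is not VW’s real protocol or the researchers’ code: the frame layout, the HMAC-based tag and the key values are all assumptions. The point it shows is that with one fleet-wide key, a single sniffed frame is enough to forge the next valid unlock, whereas with a per-vehicle key the same sniffed frame is useless, and a plain replay fails either way because the counter is stale.

```python
import hashlib
import hmac
import struct

# Toy rolling-code unlock scheme, constructed for this example (not VW's real
# protocol). A frame is vehicle_id || counter || tag, where
# tag = HMAC-SHA256(key, vehicle_id || counter) truncated to TAG_LEN bytes.
BODY_LEN = 12   # 4-byte vehicle id + 8-byte counter
TAG_LEN = 8


def make_frame(key: bytes, vehicle_id: int, counter: int) -> bytes:
    """What a key fob transmits when its button is pressed."""
    body = struct.pack(">IQ", vehicle_id, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Car:
    """Receiver: accepts a frame only if the tag verifies and the counter moved forward."""

    def __init__(self, key: bytes, vehicle_id: int):
        self.key = key
        self.vehicle_id = vehicle_id
        self.last_counter = 0

    def unlock(self, frame: bytes) -> bool:
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        vehicle_id, counter = struct.unpack(">IQ", body)
        if vehicle_id != self.vehicle_id or counter <= self.last_counter:
            return False  # wrong car, or a replayed/stale frame
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged frame: sender did not hold this car's key
        self.last_counter = counter
        return True


def attacker_forge(captured_frame: bytes, key_guess: bytes) -> bytes:
    """With one sniffed frame (id and counter travel in the clear) and a key, forge the next frame."""
    vehicle_id, counter = struct.unpack(">IQ", captured_frame[:BODY_LEN])
    return make_frame(key_guess, vehicle_id, counter + 1)


def demo_global_key() -> bool:
    """Constant key scheme: one key for the whole fleet, extracted once from any ECU."""
    fleet_key = b"fleet-wide-secret"                      # constructed value
    car = Car(fleet_key, vehicle_id=0x1234)
    sniffed = make_frame(fleet_key, 0x1234, counter=41)   # owner presses the fob
    car.unlock(sniffed)
    return car.unlock(attacker_forge(sniffed, fleet_key))  # True: forged frame accepted


def demo_per_vehicle_key() -> bool:
    """Per-vehicle key: a key recovered from a different car does not help."""
    this_car_key = b"key-unique-to-car-5678"   # constructed value
    other_car_key = b"key-unique-to-car-1234"  # constructed value
    car = Car(this_car_key, vehicle_id=0x5678)
    sniffed = make_frame(this_car_key, 0x5678, counter=41)
    car.unlock(sniffed)
    return car.unlock(attacker_forge(sniffed, other_car_key))  # False: tag does not verify


def demo_replay() -> bool:
    """Replaying a sniffed frame fails even without any key, because the counter is stale."""
    key = b"fleet-wide-secret"
    car = Car(key, vehicle_id=0x1234)
    sniffed = make_frame(key, 0x1234, counter=41)
    car.unlock(sniffed)
    return car.unlock(sniffed)  # False
```

The rolling counter only defends against replay; it does nothing once the key itself is shared across every car and can be pulled from any one of them.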
I had read this news earlier, and at that time Yahoo had not accepted that the data had been breached. They said they were investigating. The news I read dated back to Aug 2nd. Prior to publishing the news, Motherboard had tested 5000 records and claimed that not all but a few accounts were accessible, and the accounts which were not accessible were due to password changes, as the data dated back to 2012.
Now that Yahoo has accepted the breach, it has already been more than a month. The sale of accounts was already active on the dark web, and the lost data has the potential for further loss.
The article I found is about a new tactic adopted by cyber criminals in Melbourne. It seems like they now drop infected USB drives in random people’s mailboxes, hoping that someone would plug one into their computer and give them access to their data.
One would think that with so much awareness of data breaches and hackers, as well as the potential danger of USB drives, people would not even try to plug the device into their computer. However, I was surprised to learn that many people were too curious and ended up infecting their computer. This raises the question of whether or not cyber criminals are now leveraging human psychology and using it as a tool to get to people. A study conducted by researchers from the University of Illinois, the University of Michigan and Google found that all of the target people not only plugged in the USB drive but also opened the files. Why is that? It is certainly not due to a lack of awareness.
This is crazy! I guess we are not safe anywhere anymore. Whether you use your phone, your computer, your car or even the ATM machines, you put yourself at risk one way or another. The funny thing is that it will get even worse with the rise of technology.
They say we should be embracing new technology, but it definitely comes with a big package.
Thanks for sharing Priya!
Hackers Leak Michelle Obama’s Passport Online
A scan of First Lady Michelle Obama’s passport has been published online, the feds are investigating the breach now. The scan appeared on a site with suspected ties to Russia, DCLeaks.com. The hacking group also published other confidential information like travel details, names, social security numbers and birth dates. The scan appeared to have been taken from a Gmail account belonging to a low-level White House contractor.
Last week the group published personal emails from former Secretary of State Colin Powell, with critical comments about presidential hopefuls Hillary Clinton and Donald Trump. DCLeaks is suspected to be linked to Russian intelligence services. Also, DCLeaks’ registration and hosting information aligns with other Fancy Bear activities and known tactics, techniques and procedures.
It seems like Russian hacking organizations have attacked American systems several times: Hillary Clinton’s email, American athletes’ medical records and this time Michelle Obama’s passport. However, it is difficult to understand their purpose. Those three events don’t seem to have anything in common. It is a threat that they may make trouble on presidential election day. Also, it is a warning call for the government to see how vulnerable their systems are.
Vaibhav, They did not take 2 years to accept. The data that is leaked dates back to 2012. But yes, the hacker had claimed about a month ago and Yahoo has accepted now. What Yahoo could have done is as a preventive measure they could have asked customers to change the passwords at start of the month when this news was out.
Mengxue, thanks for sharing this news. You have brought up an interesting question here. What is the purpose of hackers exploiting identity theft?
Mainly that happens not for a direct monetary gain. A person may steal personal information to get details of your personal life that can be used while committing a bigger fraud.
Another reason is that hackers want to blackmail the target and get easy cash. I had read about an incident where the hacker stole health data and blackmailed patients about disclosing their personal information in public. The hacker could also have a revenge motive.
Flaw with iOS 10 allows hackers to crack passwords:
A severe security flaw was uncovered in the new release of Apple iOS 10 which can allow hackers to crack passwords from backups 2500 times faster than before. The new password verification method is 2500 times weaker than iOS 9 backups. Elcomsoft researchers discovered that when an iOS 10 backup is saved in iTunes, a password cracking tool can be used to conduct a brute force attack at a rate of 6 million attempts per second and can also decrypt the entire content of the backup, including the keychain.
Apple is working on a security update to fix it. Apple has since modified its OS to restrict private APIs. Yet one can find a way around this restriction. This may not be fixed just by an update, and it is not sure how quickly this can be fixed. Probably along with the iOS 10 update, iTunes also has to be updated, and the backup format may also need to be changed.
iOS is known to be malware-free or threat-free. Seeing this, I feel that no organization can take its security lightly and should always be ready to face threats, no matter what preventive measures it takes.
Article: US Issues Federal Security Guidance on Self-Driving Cars
In its most comprehensive statement yet on autonomous vehicles, the US Department of Transportation has issued a 15-point set of federal safety assessment guidelines covering issues like cybersecurity, black box recordings and how a vehicle would deal with potential ethical conundrums.
When it comes to cyber, the guidelines say that “the manufacturer or other entity should address the cross-cutting items as a vehicle or equipment is designed and developed to ensure that the vehicle has data recording and sharing capabilities; [and] that it has applied appropriate functional safety and cybersecurity best practices.”
On the privacy front, DoT said that manufacturers’ privacy policies must explain how they collect, use, share, secure, audit and destroy data from vehicles, offering choices as to how personally identifiable information (PII) like geolocation, biometric and driver behavior data is accessed and used. It also said that manufacturers should collect and retain the minimum amount of personal data required to achieve legitimate business purposes—and keep the data only for as long as necessary.
Spot-on news post, Paul! To piggyback off the previous post, it’s a shame it took so long for Yahoo to disclose this information.
Priya, most definitely agree with that email notification. The brunt of the backlash would have been minute. Unless Yahoo wanted the bad publicity. I would like not to think so, but reading some Twitter users’ tweets about Yahoo doing a publicity stunt was pretty funny.
The article I read is about how mobile devices and mobile security are likely to become the next corporate focus for security executives because in recent times, hacks and exploits have become more successful. In fact, it is now a fact that mobile security NEEDS to be part of the broader policy and procedure mix because most incidents are due to employees failing to follow basic security instructions and procedures. Securing mobile devices is tricky because of the above fact, because employees lose their devices, and because oftentimes people use their own unsupported devices for work. Researchers have found that PINs and passwords can be stolen from mobile devices with 80% accuracy on their first hack and 90% on their second attempt. The reality is that while executives want to bring in the latest and greatest in mobile technology, even the latest mobile devices are one of the weakest links in corporate security. So the bottom line is that mobile security, protecting data, securing networks, and training employees to take security seriously are going to be a huge focus and challenge for security executives moving forward.
***********Disclaimer: Posted this new article by accident on week 4 -_-************
This article goes into an explanation of the massive hacks that have been happening via the Dark Net to huge companies. A few of the heavy hitters that fell victim include Apple, DropBox, Uber, McDonald’s, Ebay, etc. As many as 85 companies have been targeted by these “Russian hackers”.
The article goes into further detail that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Firefox browser vulnerable to Man-in-the-Middle Attack
I found an article about a critical vulnerability that resides in Mozilla’s Firefox browser and allows attackers to launch a MITM attack. This can deliver a malicious update to the targeted computer.
The main issue exists in Firefox’s certificate pinning, an HTTPS feature which makes sure the user’s browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being the victim of an attack made by spoofing SSL certs.
Mozilla announced that they have scheduled the release of Firefox 49 for September 20; users should update to the new version and disable automatic add-on updates.
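To make the pinning rule in the post concrete, here is an added Python example of public-key pinning logic. It is not Mozilla’s implementation: the pin format is the HPKP one (base64 of the SHA-256 of the certificate’s SubjectPublicKeyInfo DER), the host name `addons.example` and the SPKI byte strings are constructed stand-ins, and the pin store, subdomain matching and backup-pin requirement are design choices made for the example. It shows why a certificate that chains to a trusted (or rogue) CA is still rejected when its key is not the pinned one, and why a second pin is required.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed example of public-key pinning logic; not Mozilla's implementation.
# A pin is base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP (RFC 7469) form.


def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class PinStore:
    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[Set[str], bool]] = {}  # host -> (pins, include_subdomains)

    def add(self, host: str, pins: Iterable[str], include_subdomains: bool = False) -> None:
        pins = set(pins)
        if len(pins) < 2:
            # A backup pin lets the site rotate keys without locking every client out.
            raise ValueError("pin a backup key as well as the current one")
        self._pins[host.lower()] = (pins, include_subdomains)

    def lookup(self, host: str) -> Optional[Set[str]]:
        """Exact host match, or the nearest parent that was pinned with include_subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._pins.get(".".join(labels[i:]))
            if entry is not None and (i == 0 or entry[1]):
                return entry[0]
        return None

    def chain_is_acceptable(self, host: str, chain_spkis: List[bytes]) -> bool:
        """Pinning passes only if some key in the (already CA-validated) chain matches a pin.
        An unpinned host is not constrained by pinning; normal CA validation still applies."""
        pins = self.lookup(host)
        if pins is None:
            return True
        return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
ADDONS_SPKI = b"constructed SPKI: addons.example current key"
ADDONS_BACKUP_SPKI = b"constructed SPKI: addons.example backup key"
ROGUE_SPKI = b"constructed SPKI: attacker key, certificate issued by a rogue CA"


def build_store() -> PinStore:
    """Pins the hypothetical update host and everything under it."""
    store = PinStore()
    store.add("addons.example",
              [spki_pin(ADDONS_SPKI), spki_pin(ADDONS_BACKUP_SPKI)],
              include_subdomains=True)
    return store
```

A MITM holding a certificate from a mis-issuing CA passes chain validation but fails `chain_is_acceptable`, which is the whole value of pinning; the flip side is that if pins are not enforced (or lapse), that check silently disappears and CA validation alone is left.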
Really interesting article. I think they have released updates concerning the issue. Also, iOS is far from being malware free or threat free. It’s just because more people use Android and Windows phones. So hackers put all their energy in those OS as it’s more lucrative.
Hackers stole airline miles to book a hotel room or airline
It’s easy for hackers to get into your airline and hotel rewards accounts, then use your hard-earned points and miles for their own gain. Hackers might use passwords from lower-security sites like shopping platforms or chat forums and try those same passwords on frequent flier accounts, or they might send out phishing emails to trick customers into giving away account information.
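The first tactic in that post, trying leaked passwords against another site’s accounts, leaves a recognisable footprint in the login log. Here is an added Python example (not from the article) that flags it: the log lines are constructed, the field format and the thresholds (distinct usernames in a window, success rate) are assumptions, and the idea is that one source cycling through many different usernames with mostly failures looks nothing like a real customer mistyping their own password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed authentication log (not real data): one line per login attempt.
LOG = """\
2016-09-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2016-09-20T10:00:03Z ip=203.0.113.7 user=bob result=fail
2016-09-20T10:00:04Z ip=198.51.100.4 user=alice result=fail
2016-09-20T10:00:05Z ip=203.0.113.7 user=carol result=fail
2016-09-20T10:00:07Z ip=203.0.113.7 user=dave result=fail
2016-09-20T10:00:09Z ip=203.0.113.7 user=erin result=fail
2016-09-20T10:00:11Z ip=198.51.100.4 user=alice result=ok
2016-09-20T10:00:12Z ip=203.0.113.7 user=frank result=ok
2016-09-20T10:00:20Z ip=192.0.2.9 user=bob result=ok
"""

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
Event = Tuple[datetime, str, str, bool]   # (timestamp, ip, user, success)


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return events


def credential_stuffing_sources(events: List[Event],
                                window: timedelta = timedelta(minutes=5),
                                min_users: int = 5,
                                max_success_rate: float = 0.3) -> Dict[str, dict]:
    """Flag source IPs that, inside a sliding window, try many distinct usernames
    with mostly failures: the signature of replaying a leaked credential list.
    A legitimate user mistyping one password touches only one username."""
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                if len(users) > flagged.get(ip, {}).get("distinct_users", 0):
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "successes": successes}
    return flagged


def compromised_accounts(events: List[Event], flagged: Dict[str, dict]) -> Set[str]:
    """Accounts a flagged source logged into successfully: their reused password worked."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```

The accounts returned by `compromised_accounts` are the ones to lock and force a password reset on; the flagged source is the one to rate-limit. In practice the attacker spreads attempts across many IPs, so the same logic is usually run per ASN or per device fingerprint as well.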
The article I read this week is called “Chinese Hackers Remotely Control Tesla Cars.” It talked about how Chinese researchers have discovered major security vulnerabilities in several Tesla car models, allowing them to remotely apply the brakes, open the boot and perform other actions which could put drivers in danger. In addition, the cyber-attack allows attackers to fold the car’s wing mirrors when it changes lanes while driving, and to brake the car when in motion. This was the first case of a remote attack on Tesla cars. Other professionals argued that it is the modern car’s connectivity which often leaves it exposed to attack, especially as mechanical and electrical engineers don’t have the requisite TCP/IP skills to develop secure implementations. One of them listed several focuses: “open source to improve the quality of the software; forging a root of trust in hardware to ensure firmware can’t be reflashed and replaced; and security-by-separation via hardware-assisted virtualization, to ensure lateral movement inside embedded systems is not allowed.”
As a result, Tesla has fixed the issues and claimed that the bug could only be exploited if a car was physically near and connected to a malicious wifi hotspot.
Synopsis of “Swift Reports Summer Cyber Attacks on Three Banks”
Since this week’s case study was online banking, I thought this article was interesting because it points out that not only online banking is vulnerable to cyber attacks.
Swift is a company that provides a financial messaging network to businesses, banks, and other financial institutions to make transactions, which includes real-time payment systems. It currently connects 11,000 institutions in over 200 different countries.
Hackers were able to create and transmit fraudulent messages requesting money transfers to a third-party beneficiary. Some of the banks hit were in Bangladesh (India), Ecuador, Ukraine, and Vietnam. A total of $81 million has been transferred by hackers, and the SWIFT CEO warns financial institutions to take additional precautions to secure their local networks.
To learn more about SWIFT: https://www.youtube.com/watch?v=t_lPPxUwdM0
Russian ‘Fancy Bear’ Hackers Hit Mac OS X With New Trojan
Fancy Bear has been spotted using a new Trojan that targets Apple Mac OS X machines. The group used a phishing email to lure the user into downloading a file that looks like a PDF but instead is malicious executable code. The victim works in the aerospace industry and thought he/she was downloading a file about the Russian space program. Once the victim opens the file or link, a decoy document with a PDF-looking icon appears.
Until now, the group was mostly attacking Windows machines in its targeted attacks against government agencies, nonprofits, non-government organizations.
This is really interesting because people think Apple OSs are not vulnerable to attacks; whereas, more and more hackers are developing malware to attack those OSs.
New MarsJoke Ransomware Targets Government Agencies
State and local government agencies, K-12 educational institutions, healthcare, telecommunications, insurance are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant.
The MarsJoke ransom-ware email campaign featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached document campaigns.
The attackers use subject lines such as “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package” to convince victims.
It creates .bat and .txt instruction files and saves them throughout the file system to alert the victim to the infection. Infected users need to follow the instructions included in a locker window. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files are deleted.
In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections.
NEWS: “Leaked NSA Hacking Tools Were ‘Mistakenly’ Left By An Agent On A Remote Server”
The Shadow Brokers, a hacking group, published leaked data including hacking tools that were made to inject malware into various servers, and also leaked “best files” of some sophisticated “cyber weapons” and put them on sale for 1 million bitcoins. The Shadow Brokers obtained all these tools by hacking an NSA-linked group.
It turns out that the NSA’s private zero-day exploits, malware and hacking tools were directly hacked. A former NSA employee left these tools on a remote server three years ago and a group of Russian hackers discovered them, according to investigation by Reuters. These hacking tools helped hackers to exploit vulnerabilities in systems of Cisco, Juniper and Fortinet.
The careless employee did realize the mistake and reported it to the NSA shortly afterwards, but instead of notifying the affected vendors about the associated risks, the NSA kept quiet. When the NSA’s cyber weapons were released in public, Cisco and Fortinet confirmed that “the leaked zero-day vulnerabilities were legitimate and issued out patches to fix those exploits.”
Hackers will continue to use the exploits to launch cyber-attacks, and some Cisco customers were targeted as well; Cisco disclosed a new zero-day vulnerability from the data that was dumped publicly.
I read the article named “iOS 10 Flaw Could Expose Backup Data to Hackers”. The article points out that the iOS 10 operating system skips certain security checks during the backup process. Indeed, this can increase the running speed of the system; however, compared with iOS 9, the newest version of the iOS operating system raises the risk of being hacked, which may cause serious data leaks of users’ personal information. According to the article, iOS 10 potentially gives hackers access to information stored in a user’s Apple Keychain. This could include passwords, credit card information and Wi-Fi network information. Apple confirmed to Forbes that it was aware of the issue and was working on a fix.
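Both iOS 10 backup posts above come down to one number: how much work each password guess costs the attacker. The added Python example below (not from either article, and not Apple’s or Elcomsoft’s code) models a backup password verifier as salt plus PBKDF2-HMAC-SHA256 and measures cracking throughput at a low and a high iteration count. The verifier layout, the iteration counts and the wordlist are constructed for the example; the lesson is that the verifier with a weak work factor is cracked by the same dictionary, just thousands of times faster.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed model of a backup password verifier: salt + PBKDF2-HMAC-SHA256.
# The iteration count is the work factor; the cost of each guess decides how
# fast an attacker holding a stolen backup can brute-force it offline.


def make_verifier(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def check_password(verifier: dict, guess: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", guess.encode(), verifier["salt"],
                             verifier["iterations"], dklen=32)
    return hmac.compare_digest(dk, verifier["hash"])  # constant-time compare


def crack(verifier: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack against the verifier; returns the password if found."""
    for guess in wordlist:
        if check_password(verifier, guess):
            return guess
    return None


def guesses_per_second(iterations: int, samples: int = 50) -> float:
    """Attacker throughput for a given work factor on this machine (single core, pure stdlib)."""
    verifier = make_verifier("correct horse battery staple", iterations)
    start = time.perf_counter()
    for i in range(samples):
        check_password(verifier, "wrong guess %d" % i)
    return samples / (time.perf_counter() - start)


# Constructed wordlist; real attacks use leaked-password corpora of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "iloveyou"]
```

Run `guesses_per_second(1)` against `guesses_per_second(10000)` to see the gap on your own machine; a GPU cracker widens it further, which is why the iteration count, not the hash function, is the knob that matters for a stolen backup.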
IoT devices being increasingly used for DDoS attacks
IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. Today, attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks. The number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging.
Just this month the security vendor Sucuri reported on a large DDoS attack launched from 3 different types of botnets (CCTV botnet, home router botnet and compromised web servers). While not commonly seen in the past, attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the amount of the embedded devices connected to the Internet rises.
Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.
The majority of attacks originate in the US and China –
Analysis of a Symantec honeypot which collects IoT malware samples found that the highest number of IoT attacks originated in China, which accounted for 34 percent of attacks seen in 2016. Twenty-six percent of attacks stemmed from the US, followed by Russia (9 percent), Germany (6 percent), the Netherlands (5 percent), and Ukraine (5 percent). Vietnam, the UK, France, and South Korea rounded out the top ten.
How to stay protected:
• Research the capabilities and security features of an IoT device before purchase
• Perform an audit of IoT devices used on your network
• Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
• Use a strong encryption method when setting up Wi-Fi network access (WPA)
• Many devices come with a variety of services enabled by default. Disable features and services that are not required
• Disable Telnet login and use SSH where possible
• Modify the default privacy and security settings of IoT devices according to your requirements and security policy
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Regularly check the manufacturer’s website for firmware updates
• Ensure that a hardware outage does not result in an unsecure state of the device
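The checklist above reads naturally as a set of checks to run against a device’s settings. Here is an added Python example (not from the Symantec material) that does that: the configuration is modeled as a dict, as a vendor’s admin API or config export might present it, the field names and the two sample configurations are constructed, and the default-credential and common-password lists are short stand-ins for the real lists IoT malware carries. An empty finding list means the device meets the checklist; the as-shipped configuration fails on nearly every point.

```python
# Constructed example: audit a device's settings (modeled as a dict, as a vendor's
# admin API or config export might present them) against the hardening checklist.
# The credential sets below are short stand-ins for the default/common password
# lists that IoT malware is pre-programmed with.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                       ("root", "root"), ("root", ""), ("root", "12345")}
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "admin"}
STRONG_WIFI = {"WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE"}


def audit_device(cfg: dict) -> list:
    """Return a list of findings; an empty list means the device meets the checklist."""
    findings = []
    creds = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default credentials still set")
    elif creds[1].lower() in COMMON_PASSWORDS or len(creds[1]) < 12:
        findings.append("weak admin password")
    if cfg.get("telnet_enabled"):
        findings.append("telnet enabled: disable it and use SSH")
    if cfg.get("wifi_security") not in STRONG_WIFI:
        findings.append("Wi-Fi not using WPA2/WPA3")
    elif cfg.get("wifi_security") == "WPA2-PSK" and len(cfg.get("wifi_psk", "")) < 12:
        findings.append("weak Wi-Fi passphrase")
    for svc in cfg.get("enabled_services", []):
        if svc not in cfg.get("required_services", []):
            findings.append("unneeded service enabled: %s" % svc)
    if cfg.get("remote_access_enabled") and not cfg.get("remote_access_required"):
        findings.append("remote access enabled but not needed")
    if cfg.get("firmware_version") != cfg.get("vendor_latest_firmware"):
        findings.append("firmware out of date")
    if cfg.get("fail_open_on_hardware_fault"):
        findings.append("device falls into an unsecured state on hardware fault")
    return findings


# Constructed configurations: a camera as shipped, and the same camera hardened.
AS_SHIPPED = {
    "admin_user": "admin", "admin_password": "admin",
    "telnet_enabled": True, "wifi_security": "WEP", "wifi_psk": "",
    "enabled_services": ["http", "telnet", "upnp", "rtsp"],
    "required_services": ["https", "rtsp"],
    "remote_access_enabled": True, "remote_access_required": False,
    "firmware_version": "1.0.2", "vendor_latest_firmware": "1.1.0",
    "fail_open_on_hardware_fault": True,
}
HARDENED = {
    "admin_user": "cam-operator", "admin_password": "Lj7#qV9pR2wX!m4",
    "telnet_enabled": False, "ssh_enabled": True,
    "wifi_security": "WPA2-PSK", "wifi_psk": "y8Kd!Qz3rW0vN6pLb2Hs",
    "enabled_services": ["https", "rtsp"], "required_services": ["https", "rtsp"],
    "remote_access_enabled": False, "remote_access_required": False,
    "firmware_version": "1.1.0", "vendor_latest_firmware": "1.1.0",
    "fail_open_on_hardware_fault": False,
}
```

The audit is only as good as the inventory it runs over, which is why the checklist puts “audit the IoT devices on your network” before the per-device settings.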
Mobile devices have been one of the weakest links in corporate security because most organizations have begun using mobile devices to increase operational efficiency, but they don’t have strong controls or security in place. It is very important for organizations to take this seriously and set up strict policies for employees using their own devices for work. I am very shocked at how easy and accurate it is to steal our PINs and passwords on the first and second attempt on our mobile devices.
Bad Security Habits Persist Despite Rising Awareness
In the spirit of “Creating a Security Aware Organization Week”, I found an article that actually brings bad news about this topic. It seems that a survey was done in 2016 which found that despite 79% of organizations feeling that they learned lessons from cyber-attacks and improved security, only 25% deployed malware protection, followed by endpoint security at 24%, and 16% deployed security analytics. They also found that 40% admitted to storing privileged and admin passwords in Word documents or spreadsheets, which is a worrying practice. Another point of worry is that almost half (49%) of the respondents allow third-party access to their systems, and public sector firms are doing a poor job of securing that access: 21% admitted to not securing connections at all, while 33% do not monitor third-party activity on their network.
Those tweets are pretty funny! Unfortunately, I wish it could be just a publicity stunt but instead this hack was backed by some government. I recently just read another interesting article on the breach and it gives a couple of examples of why a government will support such hacks.
Interesting article Yulun,
In fact, security is not just about the information security of an organization but about all electronic devices, including cars, mobile phones and computers. I am imagining how dangerous and scary it would be to remotely control a Tesla car while someone is using Tesla’s auto-drive feature.
Uber’s new selfie check helps make sure riders get the driver they’re promised
Uber has announced that it will require drivers to take selfies before signing on to the platform and accepting ride requests. The new feature, called Real-Time ID Check, uses Microsoft machine learning to compare a selfie snapped in the moment against a driver’s registered profile pic, which Uber says is designed as a protective safety measure for rider and driver alike.
On the rider side, it means the driver you’re getting is the same one who went through Uber’s onboarding process. Plus, it may avoid things like the “ghost driver” phenomenon.
On the driver side, Uber notes that this will prevent driver fraud, by essentially requiring an additional verification measure each time you login. The equivalent Uber is looking to evoke seems to be with bank account security – it’s aiming to protect drivers against identity theft.
Interesting article. I also used to think that Apple computers or its OSs are more secure against cyber attacks. In fact, none of the operating systems (Linux, MacOS, Windows) are perfect in security. Employees can still open phishing emails even though the OSs are perfectly secured. I recall from our class that some organizations send out test phishing emails to see how their employees react to them. If employees do open the phishing email, they will be sent to complete specific trainings.
This unsophisticated IoT product has the possibility of exposing your personal life to someone you don’t know, just as the following news shows.
Google has released another product in its Nest Internet of Things lineup. This time it’s an internet-streaming home security camera, which means Google could be watching your every move, if you let it.
Thanks for sharing this news. I think that we should avoid giving our personal information to some unsecured websites, but in fact it is hard to define which website has lower security, so I will tend to trust large companies because they would invest more in securing their websites.
The article that I selected this week is regarding the massive breach from 2014 in which over 500 million customer records were stolen, by what Venafi (a security consultant brought in after the breach) said was a state-sponsored breach by a Chinese group. The records were found for sale on a dark web site called The Real Deal. There are also accusations being tossed around that Yahoo’s CEO, Marissa Mayer, was aware of what was described as a devastating breach long before the breach was made public. The fallout from this breach could have far-reaching impact, as the timing of this being made public couldn’t have been worse: Yahoo was in the process of selling their core business to Verizon, and the filings to the SEC for the purchase were made just last week. During that process Mayer also said she had no knowledge of any serious breach of Yahoo’s internal systems or user accounts. It appears that this was completely untrue and may end up terminating the sale to Verizon. This brings up serious questions as to what the Chief Executive’s duty is when a breach of customer records is identified, as far as notifying the users as well as making it available in the case where the company is up for sale to potential buyers. In addition to the implications for the Verizon acquisition, a class action lawsuit has been filed stating that they were negligent in protecting users’ data. The issue at hand is that it appears that Yahoo was using outdated algorithms and outdated certificates, creating a relatively easy target for motivated individuals.
Hospital Security Fears as Pagers Come Under Spotlight
This article talks about how all healthcare organizations should immediately re-evaluate their use of pagers, because unencrypted messages can be intercepted and spoofed with potentially life-threatening repercussions. Following are the key points that Trend Micro claimed in its new Leaking Beeps report:
• Pager messages can be simply decoded by a software-defined radio (SDR) and a $20 USB dongle.
• It enables remote hackers to spy on sensitive protected health information (PHI) being sent to and from facilities, including names and medical diagnoses.
• Hackers could sabotage medical prescriptions by spoofing messages intended for pharmacies; direct patients to the wrong operating room; create havoc by declaring emergencies inside facilities; and even steal the identities of dead patients.
What actions should be taken to prevent spoofed messages?
• limiting the transmission of relevant documentation/information on the receiving end
• vendors should include pre-shared key (PSK) encryption in pagers to protect customer privacy, and authentication needs to be designed into the firmware
Brits in Biometrics Boost as 20% Use Fingerprint Tech
While PINs and passwords (63%) are still the most popular way to authenticate via the device, nearly a quarter of respondents (21%) said they use fingerprint sensors to do so. This article highlights that PINs and passwords are not safe anymore and that there is a growing need for and influence of biometrics in cybersecurity. A majority of UK firms are expecting to increase their spending on biometrics in the next three years.
In fact, hackers can easily crack passwords by trying millions of word combinations, but it is much harder to hack passwords or systems with biometric technology. Organizations like banks should begin considering adopting biometric technology to improve the issues of customer authentication. In our case study, HDFC Bank had a hard time balancing the convenience levels of customers while improving online banking security.
The Tesla Model S was hacked by a Chinese security research group (Keen Security), who posted the entire hack and how they did it on YouTube. The group was able to take over the controls of the car’s computer, door locks and side mirrors during Autopilot mode. Tesla has provided patches for the security flaw.
This is a huge security flaw for Tesla but glad the good guys were able to identify the issue before the bad guys found it. Glad to see Tesla pro-active with security and technology.
“HACKING, CRYPTOGRAPHY, AND THE COUNTDOWN TO QUANTUM COMPUTING”
The article I chose is about the threat of quantum computing to current encryption methods. At the moment, strong encryption is one of the best cyber security tools available, and most available computing power is not able to break strong encryption. Computers attempt to break encryption by trying one combination after another in a method known as brute force until successful. This method can be successful for weaker encryption, but the stronger the encryption, the harder it becomes for computers. Stronger encryption means longer passwords or more possibilities for a computer to guess, and it can only guess one answer at a time. Most strong encryption standards are out of reach for current computers, but not for quantum computers.
Quantum computers operate differently than current computers. Today, computers process through 0 or 1, known as bits. Instead of bits, quantum computers store information as qubits, which can be either or both at once. Quantum mechanics allows for superposition, which allows objects to exist in multiple states and/or be in different places simultaneously. Superposition is the primary threat that quantum computing poses to encryption. Unlike a traditional computer, which must try combinations sequentially, a quantum computer can try many different combinations simultaneously, exponentially speeding up the process. With more advancement in quantum computing, current encryption methods might become useless.
I think that Tesla was the first car manufacturer to deliver software updates remotely. While convenient, this can make the car vulnerable to cyber threats. On the other hand, it allows Tesla to push out security updates very quickly as opposed to having to do a traditional recall. While there are always going to be cyber security issues with cars, and Tesla is no exception, they have seemed to take the issue very seriously, but time will tell.
Having my SSN stolen worries me much more than a credit card number. I can always cancel my credit card, but can’t change my SSN. My Dad now keeps his credit frozen and has actually found it helpful. He periodically receives notices that a credit card application he did not request has been denied because his credit is frozen. This saved him from having to deal with a lot of fraudulent activity.
Another reminder of how inadequate cyber security is for healthcare organizations. Hard to believe that anyone is still using pagers, not to mention an organization that has a lot of sensitive data.
Android phones are also more likely to not run the current version of Android. Every time Google releases a version of Android, every manufacturer must then release its own version, which can take months if not a year. Most Android users do not use the current OS, while the vast majority of iPhone users are using the current iOS.
“Global Survey: Cyber Security Awareness Rises, Yet Bad Habits Persist”
CyberArk recently finished conducting its 10th annual survey regarding cyber security. It shows 82% of those surveyed believe the IT security industry is making progress against threats, although bad practices around privileged account access control, 3rd party vendors, and the cloud are hampering improvement. The survey indicates an improvement in leadership in regard to cyber security and an increase and improvement in entity policies regarding security standards, but nearly half allow outside vendors access into their internal networks. IT personnel confidence is significantly higher in regard to threat prevention, 95% of reporting organizations have a formal cyber security policy, and over two thirds of businesses report customer data as an identified risk. Less than 20% of businesses identify notifying customers of a data breach as most important when responding to a breach.
Don’t let the link fool you, this isn’t about sports (not sure why it’s in the sports section of Yahoo, maybe it was part of the hack! 😉 )
Former PA Governor and the first Secretary of Homeland Security, Tom Ridge, says that cyber attacks are now worse than physical attacks. He talks about how the cyber risks are more dynamic and are constantly morphing.
The suggestion from him and the panel he was on was that government agencies, among themselves and with the private sector, need to do a better job of communicating and sharing information.
I thought this was an incredible comment because I read Governor Ridge’s book about starting the office of homeland security after 9/11. At that time the attacks he was tasked with defending us against were physical, and most of the solutions he found lay within communication between government agencies and the public. The book is a great read because it shows the similarities between solving cyber problems and physical security problems.
I thought this news article tied that together well several years after the book was written.
“KnowBe4 platform to combat phishing attacks using simulation technique to verify training effectiveness”
KnowBe4 combats the exploding threats of ransomware and CEO email fraud, giving companies a global tool to manage risks associated with social engineering. KnowBe4 Inc. is the most popular integrated platform for security awareness training and simulated phishing tests.
Due to a massive increase in phishing attacks, companies are now realizing they cannot keep doing the same old annual awareness training, as threats are evolving much faster. KnowBe4’s CEO Stu Sjouwerman stated, “Employees are the weakest link in your network security and you need effective security awareness training to keep on top of furiously innovating cybercrime.”
The KnowBe4 tool provides effective training and frequent simulated phishing. KnowBe4’s Chief Hacking Officer Kevin Mitnick stated, “Our new EZXploit feature truly assesses whether your business can be exploited by the bad guys. Just clicking on a link sent in email alone doesn’t mean your business can be successfully phished. The true test is to determine whether the user can be exploited. EZXploit allows you to evaluate that risk.”
Advanced Simulated Tests include:
– EZXploit – simulated phishing attack
– USB Drive Test – tests whether a dropped USB drive will be picked up by a user and inserted into a workstation
– GEO location – attacks that are recorded on the map
Wells Fargo Scandal (Follow-up)
Apparently, the latest development on the Wells Fargo controversy takes interesting new twists.
Last Tuesday (9/20/16), John Stumpf, CEO of Wells Fargo, spoke to the Senate Banking Committee to apologize for the bank’s opening of as many as 2 million bogus customer accounts to generate fees for the lender. “I accept full responsibility for all unethical sales practices,” CEO John Stumpf told a congressional panel. Another ripple effect of Wells Fargo’s scandal is Stumpf’s resignation from a national panel that discusses financial matters with the Federal Reserve. These are perfect examples of what an organization can face by simply failing to apply strong policy controls and business processes. Poor risk evaluation to describe potential business impact can also lead to such unfortunate outcomes. See below for the articles’ links.
A concern that I have with cyber security is how well defense mechanisms will be able to keep up with attack/threat methodologies. In other words, will the good guys be able to keep up with the bad guys? The dangerous part about this is that ethical hackers and pen testers are somewhat relying upon unethical ones to develop fresh lines of defense. Remember, one of the best ways to combat a hacker is to think like one. How long will it take before IT security professionals even understand new ways that hackers think? Won’t attackers move on to superior forms of attack by the time the good guys learn about other unknown ways? Which group outnumbers the other with the rise of more frequent state-sponsored attacks?
NSA operative might have accidentally leaked its hacking tools
This article details an ongoing government investigation around a set of NSA hacking tools that were obtained by the Russian hacker group, Shadow Brokers. It’s not clear exactly how they were obtained, but the most likely theory is that an NSA operative used the tools on a remote computer 3 years ago and left them exposed. These tools allow users to exploit security system flaws and can be used to target specific company products such as Cisco firewalls and routers.
Shadow Brokers made the tools available online and the NSA has deployed sensors to detect whether the tools have been leveraged. To date, it looks as though they have not been used, however, the NSA had failed to communicate the potential security risk to any of the companies that may be affected.
It’s key to point out that the article states that Edward Snowden most likely did not have anything to do with the exploit, or that the NSA itself was hacked.
I think this article really makes you think, “who are we training and giving access to these potentially hazardous tools?”
Given this week’s topic, I was curious as to how Target dealt with their very-public breach in 2013.
The above article discusses some steps that Target has taken to address the security issues in their organizational culture. These steps include:
– Enhancing monitoring and logging
– Installation of application whitelisting point-of-sale systems
– Implementation of enhanced segmentation
– Reviewing and limiting vendor access
– Enhanced security of accounts
The article is interesting to me because we’ve become accustomed to hearing about these data breaches, but the post-breach analysis and results are often harder to come by. I’m glad that Target shared this with the public.
A Lesson in Social Engineering: How “Security-aware” Organizations (including a U.S. government agency) got completely penetrated
So I know some people might have heard about this case as it’s not so recent, but this is the first time I read about it, and I’m amazed, surprised, mesmerized, etc.
“Every time we include social engineering in our penetration tests we have a hundred percent success rate,” Lakhani said. “Every time we do social engineering, we get into the systems.” (I think that is so scary – because the world gets more social by the day)
Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations. The attack was part of a sanctioned penetration test performed.
By building a credible online identity for a fake attractive female named Emily Williams and using that identity to pose as a new hire at the targeted organization, the attackers managed to launch sophisticated attacks against the agency’s employees, including an IT security manager who didn’t even have a social media presence.
Within the first 15 hours, Emily Williams had 60 Facebook connections and 55 LinkedIn connections with employees from the targeted organization and its contractors. After 24 hours she had 3 job offers from other companies.
As time went on she started receiving LinkedIn endorsements for skills and men working for the targeted agency offered to help her get started faster in her alleged new job within the organization by going around the usual channels to provide her with a work laptop and network access. The level of access she got in this way was higher than what she would have normally received through the proper channels if she had really been a new hire, Lakhani said.
Around the Christmas holiday they created a site with a Christmas card and posted the link to it on Emily’s social media profiles. People who visited the site were prompted to execute a signed Java applet that opened a reverse shell back to the attack team via an SSL connection.
The attack used built-in Java functionality to get the shell instead of exploiting a vulnerability, and it required user interaction, but despite these technical limitations it was very successful, according to Lakhani.
Once they had a shell, the team used privilege escalation exploits to gain administrative rights and was able to sniff passwords, install other applications and steal documents with sensitive information. Some of the documents included information about state-sponsored attacks and country leaders.
Even though it wasn’t part of the plan, some employees who worked for contractors to the targeted government agency also fell for the Christmas card attack, including employees from antivirus companies, Lakhani said. In one case, one of the accidental victims was a developer with access to source code, he said.
At one point the attack team saw that two of the organization’s employees were talking on Facebook about the birthday of the head of information security at the agency. That person had no accounts on social media websites, so the team sent him an email with a birthday card that appeared to come from one of the two people talking about the event on Facebook.
The attack worked and after he opened the malicious birthday card link, his computer was compromised. “This guy had access to everything. He had the crown jewels in the system,” Lakhani said.
The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections. (I found that so hilarious, how real is this?)
I was searching for an article to tie to this week’s lecture and found something that I thought was a good topic to post. Apparently, the Spratly Islands are playing host to the modern-day cold war, and it’s flying under the radar.
These islands have a massive economic significance to China, the Philippines and Vietnam, and all have been attempting to stake their claim to them since the beginning of time. China has taken the boldest approach by creating man-made islands in the area to help bolster their military presence, while conducting military operations on said islands. The focus of the article is that many of the latest attacks are not ground/air battles, but specifically targeted cyber attacks.
This past summer, the Chinese launched a DDoS attack that crippled 68 Philippine government websites in response to an international court ruling that denied China’s territorial claims in the region. The website belonging to this international court was also infected, and knocked offline. A group known as 1937CN also hit Vietnam shortly after, by disabling national airline systems at major airports.
As you can imagine, the Chinese do not want Americans getting involved. Any attempts to fly drones in have been either hacked or their GPS was jammed, making it virtually impossible to navigate the drone. Add that to the NSA hack, hacks against US political organizations and state institutions, and attempts toward critical infrastructure and military weapons systems and it seems we may be in the midst of a very quiet, very digital cold war.
These many international cyber threats have caused the US to beef up its cyber security and risk evaluation practices, via the new cyber strategy issued last year (The DoD Cyber Strategy). However, the threats are still very real and very prevalent, and it’s scary considering that the playing field is level in the digital landscape. Our superior military forces can’t patch these vulnerabilities, and – if they are ignored by organizations and exploited by outside entities – could result in the loss of the one thing that is never supposed to be assigned a dollar amount: human life.
Darin: truthful article, and reading it reminds me of Ted Koppel’s book, “Lights Out.” The gist of my article this week was similar in that the digital arena is so much more threatening because it can offer complete anonymity, it does not require a large army or countless resources, and the results of successful attacks can impact millions, not thousands.
Technology is reshaping society every day, and how we fight wars is no exception. As US Army General Keith Alexander stated in your article, the hacks are not only to collect info, but to attack other countries as well. My concern is that I don’t see the potential solution actually solving anything. Would these countries actually work together to share information? If so, how much of that would be censored, and – if it was – would the info be of any value at that point?
In Koppel’s book, he surmised that a successful exploitation of critical infrastructure could change the way we live, if not destroy us. There are plenty of standards, guidelines and processes in place to help guard against this, but – as we are learning – what if a certain vulnerability is mistakenly classified as a Low Impact or a Low Occurrence? We are essentially one incorrectly categorized risk away from digital war.
This article talks about the results from the 2016 Global Advanced Threat Landscape survey (link below).
I chose this article since it talks about security awareness. The good news is that progress is being made, but that there is still a lot of work to be done. Most of the responses show that professionals believe progress is being made, and 79% of respondents do believe that their company has learned from previous security incidents. 67% believe that their senior leadership is showing good “cyber security leadership.” That was up 10% from 2015.
While the above is good, 40% said that administrator passwords are stored in Word documents, which as we know is not secure. While the large majority have emergency response plans, only 45% regularly test their preparedness. I thought it was interesting to see what people out there working were saying about their company’s security awareness. The article also notes that companies aren’t exactly good at enforcing their own security policies.
The line at the end of the article is something that stuck with me:
“There’s a fine line between preparedness and overconfidence. The majority of cyber attacks are a result of poor security hygiene – organisations can’t lose sight of the broader security picture while trying to secure against the threat du jour.”
I believe that is trying to tell us that we can’t just focus on one type of threat, and if you do, you are not as secure as you think you are.
Yahoo Executives Detected a Hack Tied to Russia in 2014
The article talks about an attack that happened at Yahoo 2 years ago that they believe is linked to Russia. The attack was launched from computers in Russia and the targets were people who did business in Russia, so it made sense that the hackers were after these people. The attackers were seeking data on 30-40 specific users. That year also saw an attack which stole information on 500 million user accounts. The article did not mention how the attacker got into the system.
I agree with Sean. This problem was created by corporate greed. Wells Fargo is the largest bank by capitalization, well, until recently, so it has a need to return investor value with a high stock price. So all the products employees came up with to meet sales targets were nodded upon by management as long as there were no repercussions. This is a case of accepting the risk because the returns outweigh the impact. It can be seen by the reaction to its practices being brought to light that they fire employees and apologize, hoping to get out unscathed.
“Cyber Security Awareness Growing Within Business Sector, Research Shows”
This article discusses the state of cyber security awareness within the United Kingdom. Organizations within the UK show an increasing understanding of the cyber security threats that their businesses face, with about 84% of respondents to a Marsh survey stating they had a “basic-to-complete understanding”. But despite the growing ability to identify potential risks, organizations are still struggling to fully understand their impact. Specifically, two thirds of these surveyed organizations had not completed any sort of financial impact analysis, meaning a majority of organizations do not have a solid idea as to how much a cyber security incident can cost them. This is troubling, since without knowing the potential impact of an event, organizations will have a more difficult time categorizing risks (high, medium, low) and deciding how they want to proceed (avoidance, transference, mitigation, acceptance).
While this survey included only organizations within the UK, I don’t believe that these findings are unique to them. The percentages may vary, but I think in many cases there is a discrepancy between the number of organizations that are aware of cyber security risks versus the number that have a thorough understanding of them. As we’ve discussed previously, identifying the risks can be far easier than quantifying them. However, organizations must strive to do both if they are to make educated decisions on how to handle the threats they face.
3 Industries That Will Be Transformed By AI, Machine Learning And Big Data In The Next Decade
This article doesn’t really cover this week’s topic, though I thought it was an interesting read. The writer discusses how the Healthcare, Financial, and Insurance industries are changing from AI and big data implementation. It also raises some questions about how these new systems will be protected and the potential vulnerabilities associated with them. Most notably, how AI is slowly, and will continue to, take over roles currently occupied by humans. AI guaranteeing a personal loan, being your personal financial advisor, or enabling you to self-diagnose a disease or ailment are all examples of where these industries are heading. New security measures will be needed, and it will be important for the security of this tech to grow with the tech itself.
Very interesting article! I have also heard about the impact of AI and Machine Learning on our business. An AI financial advisor and an AI self-diagnosis system are great examples. Today, I had a chance to talk to a director from one of the world’s largest retail companies. He mentioned that they use an AI inventory system called a Perpetual Inventory system, which automatically monitors store inventory and places an order for missing items. And he also said that a Perpetual Inventory system keeps learning by itself by conducting multiple rounds of checking inventory and placing orders, and continuously reduces its error in the future.
It is promising to hear that cyber security awareness is increasing. I wonder, because the individuals surveyed were only from the UK, if the rise in awareness comes from the new EU cyber security regulations that any organization holding data of EU citizens must comply with. The regulation was created in 2014 but goes into effect this year, so I would hope that organizations dealing with EU customer data have been preparing for this regulation to take effect. I would also hope that these preparations include security awareness training.
I found an article this week pertaining to the rise of the security-as-a-service model within the cloud. As the number of employees using applications on the cloud increases, many are now open to security being a part of it as well. In a survey done with various businesses, 60.6% say they would be ‘very likely’ to use the cloud to protect passwords on privileged accounts. The assumption of many was that businesses may be hesitant to use SaaS as a security solution, but the assumptions are proving to be wrong. As more and more businesses are moving away from the brick and mortar model and adopting the cloud, the challenge will be protecting every single privileged account and new accounts the business gets. Check it out:
Some more fallout from the scandal: CEO John Stumpf is forfeiting $41 Million in awards, and is not going to be paid during the investigation.
I’ve looked at both your articles from Andres and Sean, and it doesn’t appear that Target has addressed a crucial issue of the HVAC system being on the same network as the point of sale system. What business does a refrigeration cooling monitoring system have with a credit card processing system? There needs to be a separation, but I don’t see that addressed anywhere. It definitely is an expensive venture, but it would isolate the issue if it had to occur. It appears their investment is heavily in the malware system, but redesigning the infrastructure architecture would be of greater benefit. As an example, Temple’s employee network is separate from that of the student network. So if the student network is hacked, the issue would be isolated only to that network.
The article titled “Samsung Goes After Biometrics For Enterprise Banking” revealed that Samsung SDS, the company’s IT service provider, plans to collaborate with Sensory to improve security over mobile transactions through the use of biometric authentication capabilities available through Sensory’s TrulySecure solution. The joint venture intends to use a mobile device’s camera and voice recognition features to complete authentication measures via facial or voice recognition.
Users would merely need to open an application on their mobile device and either look into the front-facing camera or state a selected passphrase prompted by the same mobile device in order to process a transaction. Both authentication measures can be required for higher value transactions to provide increased security. Additionally, the technology could be used to fuse voice and facial recognition features simultaneously to create a one-step (vs. two) authentication approach, thereby increasing user efficiency.
In a related article (http://www.biometricupdate.com/201609/samsung-sds-to-use-sensorys-trulysecure-adds-biometric-authentication-to-oracles-iam), it was revealed that Samsung’s SDS FIDO Client product will use Sensory’s FIDO UAF Certified “Authenticators.” Since each party has been independently FIDO certified, the new technology will be compliant with Fast IDentity Online (FIDO) UAF guidelines.
In furtherance of Sean’s very valid comment, what comes to mind is the fact that companies (and auditors) cannot lose sight of legacy fraud vulnerabilities while trying to figure out the next cyber scam. It amazes me that, in an industry that is as highly regulated as financial services, such a rudimentary fraud could be perpetrated, and that somewhere along the way, someone thought they would get away with it…
One of the first questions I ask (myself) when I learn of a fraud of this nature and magnitude is “where were the auditors?” It would be very interesting to learn when the customer account set up process was last reviewed, and why associated KPIs – such as the number of accounts opened in the current month/year vs. the prior month/year – didn’t trigger attention.
At my last employer, Internal Audit maintained a fraud scheme inventory that we increased annually as a result of fraud risk assessments and “think tanks”. We rarely removed a fraud scheme unless there was a valid reason to do so. During the annual fraud risk assessment, we rated ALL fraud schemes based on management’s input regarding the likelihood and potential impact. This means we spoke about every fraud scheme every year. We then tested anti-fraud controls rotationally based on significance (impact score x likelihood score), effectiveness of the control in preventing the fraud, etc.
The perception of a control is a control, and if all employees in an organization are routinely reminded of relevant fraud risks, the bad apples are less likely to tempt fate for fear of getting caught!
This is a very interesting article that reminded me about what happened to me right after class last Thursday. I received a phone call on my cell phone from what sounded to be a young woman who spoke clearly and legibly and seemed to have a pleasant personality. She introduced herself by name and said she was conducting research on behalf of my undergraduate university. Her first question was something like: “How have you utilized your education in a professional manner?” I realized that this woman had gained my trust merely through the sound of her voice. My better senses then kicked in and I asked her if I could call her back at the number on my screen. She politely said no, that the number was only able to be used for outgoing calls and that she would call back at a more convenient time. I have not received a return phone call since. Whether or not the call was legitimate, I was surprised that – knowing all that I know about social engineering – I could have fallen prey to it!
In Sunday’s Washington Post, I noticed the article, “Tech law needs a reboot.”
The article talks about how lawyers do not have technological understanding and as result, misinterpret information in a way that is unfavorable for the cases they work.
“Whether it’s high-level physics research or the technology of our daily lives, the government’s lawyers are struggling to grasp the increasingly technical cases that come before them. Both federal prosecutors and the attorneys who represent executive agencies in court are bungling lawsuits across the country because they don’t understand what they’re talking about. Too few lawyers have the skill set or the specialized knowledge to make sense of code, networks and the people who use them, and too few law schools are telling them what they need to know.”
I know that at my company, a transformation series was started for educating people about technology, including security risks, and it’s an enterprise-wide effort. Employees in all functional areas are expected to skill up.
A security aware organization will perform risk assessment of its IT infrastructure, create policies and use the technology available to mitigate the risk to the organization, but a key risk that needs to be addressed is the lack of skilled personnel to handle the risks. A study conducted in eight countries reveals that there are security skills shortage concerns within the organizations. This article focuses on the current state of the cyber security skill pool and its negative effect on organizations’ ability to properly formulate a security strategy that would keep in line with the business goals. The irony is that the lack of skilled staff is actually considered a security risk, when it is usually the employees that pose the greatest risk.
There are some that believe it is the education requirements that cause this gap, due to companies wanting different degree levels, while others feel that hands-on experience is better training; there is a balance that needs to be reached for maximum effectiveness. It has been suggested that until the workforce can catch up to the demand, automation and outsourcing of duties should be taken advantage of to alleviate the pressure on the in-house personnel.
By outsourcing, the government and organizations have bought a little time to evaluate their risk tolerance and develop the skills needed to mitigate risks and focus on more complex threats to the organization.
I agree with the statement by Gov. Ridge about the worsening of cyber-attacks; we have become so dependent on mobile devices and being connected that our dependency has almost become an addiction to the web. This in turn creates vulnerabilities that must be handled, but at the same time the question is how much must be shared and with whom.
This is a very good article that ties in to this week’s topic area; I believe this to be a good example of how the lack of security awareness can actually be used as a way in. It is scary how easy it is to create an identity and a social media presence. With the recent hacks into sites like LinkedIn, it would stand to reason that their security measures have been ramped up; this article seems to suggest otherwise, and provides proof that employees are the top cause of risks.
“Has the TheDarkOverlord hacker struck again; this time in financial services?”
FTSE Global Markets
The article talks about a recent data breach at Westpark Capital, a California investment bank, by the hacker TheDarkOverlord. Two things of importance in this article:
- Demand for ransom to release data. Typically hackers sell the data on the dark web, but in this case they are demanding a ransom not to release the data. So the company still has its data, unlike in the case of ransomware. Could this mark a shift in tactics, as this is the same group who hacked multiple healthcare databases and listed 9.2m records on the dark web?
- They managed to hack Westpark Capital and others not through the common technique of phishing emails and malware attacks, but by taking advantage of a vulnerability in the Microsoft Remote Desktop Protocol – a standard technical tool for remote management of server devices. This again is the same method they used to access the medical records, and they are not revealing what that vulnerability is. Standard security practice is to limit the RDP protocol on firewalls to only certain IP addresses, but Westpark seems to have overlooked this.
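The firewall practice the post closes on, as an added example that is not from the article, from Westpark or from any vendor: a small Python audit (the rule format and the sample rule sets are constructed here) that flags allow rules exposing TCP/3389 to a broad source range, with the weak configuration beside the corrected one.

```python
"""Audit a firewall rule set for Remote Desktop (TCP 3389) reachable from
broad source ranges, the gap described in the Westpark Capital write-up.

Added example: the Rule format, the size threshold and the sample rule sets
below are constructed for illustration and do not come from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

RDP_PORT = 3389

# Anything broader than this many addresses is treated as "not a specific
# set of management hosts" (assumed threshold; tune to your environment).
MAX_ALLOWED_SOURCE_HOSTS = 256


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR source, e.g. "10.20.0.0/24" or "0.0.0.0/0"
    dst_port: Optional[int]  # None means any destination port


def _proto_matches(rule: Rule, proto: str) -> bool:
    return rule.proto in ("any", proto)


def _port_matches(rule: Rule, port: int) -> bool:
    return rule.dst_port is None or rule.dst_port == port


def find_exposed_rdp(rules: List[Rule]) -> List[str]:
    """Return names of allow rules that expose TCP/3389 to a broad source.

    Rules are evaluated first-match: an earlier deny that covers an allow
    rule's whole source range shadows it, so that allow is not reported.
    """
    exposed = []
    earlier_denies = []
    for r in rules:
        if not (_proto_matches(r, "tcp") and _port_matches(r, RDP_PORT)):
            continue  # rule cannot reach RDP at all
        net = ip_network(r.src, strict=False)
        if r.action == "deny":
            earlier_denies.append(net)
            continue
        if r.action != "allow":
            continue
        shadowed = any(d.version == net.version and net.subnet_of(d)
                       for d in earlier_denies)
        if shadowed:
            continue
        if net.num_addresses > MAX_ALLOWED_SOURCE_HOSTS:
            exposed.append(r.name)
    return exposed


# Constructed sample: the weak configuration, RDP open to the whole Internet.
WEAK_RULES = [
    Rule("allow-https", "allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow-rdp-any", "allow", "tcp", "0.0.0.0/0", RDP_PORT),
]

# Constructed sample: the corrected configuration, RDP only from a small
# management range (RFC 5737 documentation addresses), everything else denied.
HARDENED_RULES = [
    Rule("allow-https", "allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow-rdp-mgmt", "allow", "tcp", "203.0.113.0/28", RDP_PORT),
    Rule("deny-rdp-rest", "deny", "tcp", "0.0.0.0/0", RDP_PORT),
]

# Constructed sample: a catch-all "any protocol, any port" allow also exposes
# 3389 even though RDP is never named in the rule.
PERMISSIVE_RULES = [
    Rule("allow-everything", "allow", "any", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES),
                         ("permissive", PERMISSIVE_RULES)):
        print(f"{label}: exposed RDP rules -> {find_exposed_rdp(rules)}")
```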
“The Biggest Cybersecurity Threats Are Inside Your Company”
No matter what size a cyber breach is, it is usually caused by an action or failure of an insider of the company. Employees are usually the greatest vulnerability of all organizations. According to the research, 60% of all attacks were led by insiders. Three-quarters are intentional attacks, while one-quarter are due to negligence. It was also found that the top three vulnerable industries are health care, manufacturing and financial services. It is hard to ensure employees do not make mistakes. Sometimes, a small mistake by administrators would lead to catastrophic damage to a company. Trusted yet unwitting insiders may leak passwords and get credentials stolen. With stolen credentials, attackers can even obtain access to confidential information. Therefore, to avoid information leakage from insiders, organizations need to focus on the right assets, the most valuable systems and data, apply deep analytics as a good habit, and understand which people are potential attackers or related to possible attacks. Companies should also enforce standards for user identities and have user awareness programs to train insiders. I think this article is interesting and can be related to the topic of this week, creating a security aware organization. Since most cyber security frauds involve insiders’ actions or failures, it is extremely important to educate employees and increase security awareness.
“As we speak, teen social site is leaking millions of plaintext passwords”
A social hangout site with 6.6 million users was compromised and the information of 1/3 of those users has been posted to the web for all to see. Worse yet, passwords were unencrypted and stored as plain text, which could compromise these users on other sites if they’re reusing passwords. Considering that the target audience of this site was minors, the reusing of passwords seems extremely likely.
Cybersecurity Awareness Indispensable to Protect You, Others
This article was written by the Better Business Bureau and speaks about raising security awareness. The author notes the importance of the establishment of October as National Cyber Security Awareness Month and of the campaign called “Stop. Think. Connect”, which is a national awareness effort meant to explain cyber risks and help Americans attain a more secure online experience. The article lists five tips for increasing online safety:
1. Own your online presence (monitoring security settings on social sites and the information you make available),
2. treat your personal information like money,
3. share with care,
4. keep a clean machine, and
5. utilize multi-factor authentication when possible.
I think that the writing of cyber security articles, the establishment of a national security month, and the mentioned (and other unmentioned) cyber security initiatives make it apparent that cyber security is being recognized as a serious threat. Recognizing this threat is the first step in providing the average Joe with the proper education and training to manage their online presence as well as sensitive information related to work or themselves. Reading articles like this one really helps the seriousness of cyber security sink in.
whoops, here’s the link to the article I read: http://www.hutchnews.com/news/business/cybersecurity-awareness-indispensable-to-protect-you-others/article_d655049c-e5cc-5f04-a258-8a332df25ad2.html
This article is pretty interesting. Vladimir M. Fomenko is a 26-year-old owner of a server company, King Services, based out of western Siberia. A few of his servers have been identified as locations from which hacks targeting Illinois and Arizona electoral systems originated. Spear phishing attacks were also perpetrated against the governing Justice and Development Party in Turkey, the German Freedom Party and Ukrainian members of Parliament.
Fomenko denies personal involvement with the attacks, and says he does have IP addresses of the perps, but no one has asked. He also denies Russian involvement in these hacks, saying “The analysis of the internal data allows King Services to confidently refute any conclusions about the involvement of the Russian special services in this attack”. He says the addresses belonged to server companies in Britain, Finland, France, Italy, Norway and Sweden.
Fomenko seems willing to share information with Russian and foreign law enforcement but denies being contacted by anyone.
500 million accounts stolen from Yahoo
Yahoo confirmed a data breach that it had in late 2014. They believe this to be a “state-sponsored actor”, meaning someone was acting on behalf of a government. The breach stole information from accounts such as the account holders’ birthdays, email addresses, names, passwords, and security questions and answers. They do not believe that hackers got financial information through this attack.
Yahoo is working with the FBI to learn more about the breach. They were made aware of an attack when they heard claims of an attack on 200 million Yahoo accounts by a hacker who goes by the name of “peace”; two months later (now) they learned it was much worse than they expected.
“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.” U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”
“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.
This breach came during an important time for Yahoo, as Verizon agreed to buy it for 4.83 million in late July just before the hack was reported.
“Blumenthal said law enforcement and regulators ‘should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.’ ”
OVH suffers massive 1.1Tbps DDoS attack
The hosting company suffered a major DDoS attack over the past week. The interesting point of this news story is that it is now a fact that hackers can utilize any computing device available to join a botnet ‘army’. Gone are the days when laptops, desktops and tablets were the only targeted items. Now, any device containing computing capability is being pulled into the DoS strategic assaults. As always, there is a trade-off for ease of use when considering appliances or smart devices… that trade-off appears to be security.
Europol warns of Android tap-and-go thefts
This is really more of an alert and warning than a report of specific incidents. In the article, Europol makes multiple points on how tap-and-go thefts could be very complicated. They single out Android phones because Google does not restrict third party apps from accessing the NFC chip while Apple does. Another interesting point comes from what happens when fraud is suspected. With a card, the card is confiscated. With smartphones handling these transactions, this becomes very complicated.
FBI Warns About Elections Systems, Reveals Two States Were Hacked
The presidential election is coming up this November. However, the election is not immune from being targeted by hackers. Because of the sensitive nature of the presidential election, hackers are looking to cause noise, and the election systems are the perfect target for it. Enjoy the article!
Cyber security was a recent topic in our 1st presidential debate of 2016. The article from Yahoo first paints a contrasting picture of the level of knowledge between the candidates, leaning more towards Hillary with slightly more knowledge. Yet, as the title suggests, the article goes into topics that should rather have been discussed as our nation is undergoing more cyber attacks each day. The article begs for the involvement of our government to impose regulations for such cyber issues as vulnerability hoarding, data breach disclosure, and the oversight of critical infrastructure. Sincere topics when you are dealing with companies withholding known vulnerabilities for years while other companies are unaware. Or data breaches of citizens’ personal data. Just how long does a company have to wait before they let the public know? Our critical infrastructure, who is regulating the investigating private firms?
I loved this article. Yet more proof that Apple is focused on security. There was a frightful sentence in this article: “However, the police are unsure exactly how the attacks are being carried out and how common they are.” Wow. No idea how and no idea how much. That kinda makes you want to go back to the credit card impression machine. From the article’s inclination it seems that the major vulnerability is from 3rd party or developer apps having access to the NFC chip. It can be a quick fix for Google cutting off access. Let’s hope they get this straightened out before they launch their new phone shortly.
WOW, 145607 CCTV cameras/DVRs were hacked to provide further CPU power for the attack. Those are clearly security breaches that the original manufacturer could never have conceived. Hindsight is always 20/20 so it may seem easy for us to now say, why didn’t you think of that? Yet, naivety is not always the antithesis of awareness when considering newly creative and invented threats. This is where regulations for cyber security may become a major political player in the near future. Companies interested in making a smart thermostat are not thinking about how a hacker could use their device maliciously, just as the automobile maker wasn’t too concerned with auto accidents requiring seat belts in the future. It will be very interesting to see how the Gov starts to regulate and enforce “safety measures” upon the seemingly benign products of the future whose sole benefit is to improve life.
Firstly, is Yahoo only worth 4.83 million currently? That is what Verizon offered before the recent discovery of 500 million hacked accounts. Something that I found most disturbing from this article is the fact that the security questions and answers have also been breached. Somewhat recently I have become increasingly suspicious of how I answer security questions on websites, trying to find a way where the same question among sites could also be answered differently as it pertains to the site. Security questions with the same answer distributed through many different sites create a huge vulnerability today, as hacking one site grants access to another site with similar question schemes. Per Thorsheim, the “cyber security expert” mentioned in the article, has no wiki page but does have a Twitter account; he seems heavily focused on cyber security. He mentioned that this will be an attack that will cause ripples for years to come. It is not hard to argue when you have 500,000,000 accounts that probably use the same answers for the same silly and easy security questions we see on every site for password recovery.
Nation States May Be Plotting Internet Takedown, Warns Cybersec Pro
Some anonymous attackers have been running sophisticated and significant DDoS attacks against the defenses of companies that run critical parts of the Internet, possibly to figure out how to take them down, cybersecurity expert Bruce Schneier warned Tuesday. Large nation states, perhaps China or Russia, are the likely culprits, he suggested.
They “want to know what can be done not only in the event of a cyberwar but a kinetic war as well,” he told TechNewsWorld.