Encryption

How to Improve Data Security & Data Privacy

What are the biggest challenges currently facing data security and privacy? 

As organizations embark on digital transformation, there is a clear need for enterprise data privacy and protection. New data privacy laws and the growing enforcement of existing regulations challenge organizations. And most organizations face rapid data growth and proliferation across the enterprise. Organizations have more data, more use cases, and more locations than ever before

First what is data privacy?

Data privacy and data protection are very closely interconnected, so much so that users often think of them as synonymous. But the distinctions between data privacy vs. data protection are fundamental to understanding how one complements the other. Privacy concerns arise wherever personally identifiable information is collected, stored, or used.

Second what is data security?

Data security is about securing data against unauthorized access. Data privacy is about authorized access — who has it and who defines it. Another way to look at it is this: data protection is essentially a technical issue, whereas data privacy is a legal one.

Data encryption ensure only privilege users has access

Data encryption isn't just for the technical advanced; modern tools make it possible for anyone to encrypt emails and other information. "Encryption used to be the sole province of geeks and mathematicians, but a lot has changed in recent years. In particular, various publicly available tools have taken the rocket science out of encrypting (and decrypting) email and files. based on what your need are our firm can help you implement the right technologies to ensure data security.

Stronger Password and Multi-factor Authentication

Password and Multi-Factor are essential when protecting data and data privacy from unauthorized users, or attackers. unfortunately many user don’t understand the importance of passwords. So much so that the 20 most commonly used passwords not only contain highly insecure passwords like the word “password”, they also account for a whopping 10.3% of all passwords that are being used. CyberSecOp recommend creating passwords that contain a minimum of 8 characters. If your password protects something sensitive, like access to your bank account, then use a minimum of 12 characters. all password should contain at lease one upper and lower case, and a symbol. don’t use the same passwords for every site, you can use difference variations of the password making it easier to recall. Example: Chase Bank : Iwanttolive1o8chase% Facebook:Iw@nttoliv3fb.

Enable two-factor authentication.

On top of having good passwords, consider enabling two-factor authentication when you sign into your email, bank website or any other sensitive account. When using two-factor authentication, a code will be sent to your phone when you sign in. You then input the code to access your account. Hackers likely don’t have access to your phone, so this can be a great way to add a layer of password security and data security. It may feel like additional work, but the extra protection can go a long way.

All organization needs an Ethical Hacker team like CyberSecOp

An ethical hacker is one who mimics the actions of a malicious hacker so as to detect security risks in advance and thus prevent breaches and attacks.

Any organization or business can hire the services of an ethical hacker to test/monitor the organization’s defenses, perform IT health checks and penetration tests, to assess the security of the systems and to evaluate the overall security of the organization’s network. An ethical hacker can provide valuable help to an organization by detecting vulnerabilities in a system/network on time and thus prevent the exploitation of data (customer data, financial data and other sensitive data), which could happen as a result of cybercriminals exploiting the vulnerabilities.

Backup is an essential part of data security

Backups are most often overlooked, data protection and backing up your data is essential when you have a major security event such has ransomware. Basically, this creates a duplicate copy of your data so that if a device is lost, stolen, or compromised, you don't also lose your important information. It's best to create a backup on a different device, such as an external hard drive, so that you can easily recover your information when the original device becomes compromised. It is critical that once the backup has complete to physically disconnect the backup device for the system, if the backup drive stay connected and your system becomes affect by ransomware, your backup data could also be affected.

Data Security, Data Privacy & Compliance

CyberSecOp can provide guidance and assistance with addressing privacy and data security practices, as well as to ensure that the practices and program implemented are compliant with relevant laws and regulations. The EU and some US Federal agencies, including the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), have been promulgating updated guidelines and recommendations for privacy and data security best practices in a variety of industries, including some of the newer Internet of Things and peer platform (sharing economy) marketplaces. Additionally, several industry groups have adopted self-regulatory programs and rules, including certification programs, to which a company can voluntarily abide.

In view of these guidelines and others, companies are further encouraged to establish internal policies and procedures to ensure compliance. Business policies may include a top-level information security and privacy policy, which expresses a commitment to data security and privacy from the top-level officers of a company, a risk management program, an acceptable use policy, access compartmentalization, communications monitoring, breach reporting, a document retention policy and outsourcing policies. Technical policies may include a variety of commitments to technical controls to ensure the protection of data, including encryption, passwords, authentication protocols, disaster recover, intrusion detection, physical security, patching and the like.

Cloud Security - Cloud Cyber Security

Cloud Security - Cloud Cyber Security

Of the large amount of data that has been moved to the cloud, a huge segment of it has been compromised. The compromised data includes election data, financial information like bank cards, health data, etc. Maintaining integrity and security continues to be a significant challenge for cloud platforms. [3]

In an attempt to provide extra security for cloud data, many cloud service providers (CSPs), have launched extensive cloud security technologies. Google has announced ‘shielded VMs’ to prevent hostile attacks. Even with these security technologies in place, however, users still have a large role to play in keeping their data safe.

In many cases, IT teams have recognized the lack of control when data is placed in the cloud. This lack of control is a symptom of the absence of an overarching security strategy. The challenge presents itself when an organization transfers data to the CSPs without maintaining any additional backup, as this could result In the loss of data at times. Stressing on the importance to maintain an additional backup of data. [3]

Another common challenge with the cloud is the unclear point-to-point access. Access permissions are complicated when an organization’s data is placed on a third-party cloud server. Planning and strategizing the access controls around crucial data is as important as defining the access points and control measures. Security in the cloud is different from on-premises security, making it complex due to the various rules implemented and security issues faced, such as failure to encrypt data. Access to the cloud server should be defined on a point-to-point basis. That means that access to data should be restricted based on the requirement of every individual, whether management or staff, should be clearly defined. A flow chart explaining the access points should be shared with the CSP to bring them on equal understanding to avoid conflicts.

Securing Your Data on the Cloud

The main objective of cloud security is to keep data secure, sharing the responsibility between the provider and the client. Here are some good practices that can be implemented to leverage the benefits of cloud services.

a) Encryption of Data

End-to-end encryption of data in transit

For high-security processes, where the data is highly confidential, all interactions with servers should happen over a secure socket layer (SSL) transmission. To ensure the end-to-end encryption of data, the SSL should terminate within the CSP’s network. Comprehensive encryption, when performed at the file level, makes cloud security stronger. All data should be encrypted before being uploaded to the cloud.

Encryption of data when at rest

Even when data is at rest, encryption should be enabled. This helps in complying with regulatory requirements, privacy policies, and contractual obligations related to confidential data. Before registering with your CSP, security policies should be verified with an auditor. AES-256 is used for encrypting data in the cloud and the keys should be encrypted with master keys in the rotation. Field-level encryption will also help keep the data secure.

b) Robust and Continuous Vulnerability Testing and Incident Response

A good CSP contract includes regular vulnerability assessment and incident response tools that extend to devices and networks. The solutions given by incidence response tools might enable automated security assessments to test system weaknesses. CSPs should be able to perform scans on demand.

c) End-user Device Security

Securing cloud-connected end-user devices is an often-overlooked component of a well-rounded security program. When utilizing infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) models, deploying firewall solutions in your end devices to protect the network perimeter is very important.

d) A Private Cloud and Network are Best

Opting for a cloud environment which is private and where you can have complete control over access to your data is the preferred method as opposed to using a multi-tenant instance. Also, opt for cloud storage or software-as-a-service (SaaS) which belongs to only you and is not shared with others. These personal clouds are called virtual private clouds (VPC) and all traffic to and from these VPCs can be routed to the corporate data center. This can be done through an internet protocol security (IPsec) hardware VPN connection.

e) Compliance Certifications

The two most important certifications that you should consider are SOC 2 Type II and PCI DSS.

SOC 2 Type II is a type of regulatory report that defines the internal controls of how a company should safeguard its customer data and operation controls. SOC2 deals with regulatory compliance, internal risk management processes, and vendor management programs. It confirms that a cloud service has robust management as it is specifically designed to ensure higher standards of data security.

PCI DSS – PCI DSS stands for Payment Card Industry Data Security Standard and is important to organizations that deal with credit card transactions. Meeting this standard helps keep cardholder data safe from fraud. It ensures that sensitive data stored in a cloud is processed and transmitted in a secure manner. It impacts security policies, procedures, software design, network architecture, and various protective measures.

Leading public cloud providers like Microsoft and Amazon offer proprietary credential management tools to provide legitimate access and keep intruders away from sensitive data. Having sophisticated tools can help ensure the security of your data in the cloud.

Defense is a matter of strict design principles and security policies scattered over various departments. By implementing the above key guidelines as part of your cloud strategy, you are on your way to securing your data in the cloud.

Ethical Hacker for Secure Cloud Storage

An ethical hacker is a skilled trained professional who knows how to locate the vulnerabilities in target systems, including cloud storage platforms and networks. The term ‘ethical’ differentiates a black-hat hacker from a white-hat hacker.

Facebook Data Taken- Breach

SAN FRANCISCO – Facebook says 30 million fewer accounts were breached than originally thought in one of the worst security incidents at the giant social network – 30 million instead of 50 million – but attackers made off with sensitive personal information from nearly half of those users that could put them at serious risk, including phone number and email address, recent searches on Facebook, location history and the types of devices people used to access the service.

Hackers got their hands on data from 30 million accounts as part of last month's attack, Facebook disclosed Friday. Facebook originally estimated that 50 million accounts could have been affected but the company didn't know if they had been compromised.

For about half of those whose accounts broken into – some 14 million people – the hackers looted extensive personal information such as the last 10 places that Facebook user checked into, their current city and their 15 most recent searches. For the other 15 million, hackers accessed name and contact details, according to Facebook. Attackers didn’t take any information from about 1 million people whose accounts were affected. Facebook says hackers did not gain access to financial information, such as credit-card numbers.

The company would not say what the motive of the attackers was but said it had no reason to believe the attack was related to the November midterm elections.

Facebook users can check if their data was stolen by visiting the company's Help Center. Facebook says it will advise affected users on how they can protect themselves from suspicious emails and other attempts to exploit the stolen data. Guy Rosen, Facebook's vice president of product management, said the company hasn't seen any evidence of attackers exploiting the stolen data or that it had been posted on the dark web.

Affected users should be on the lookout for unwanted phone calls, text messages or emails from people they don't know and attempts to use their email address and phone number to target spam or attempts to phish for other information. Facebook users should also be wary of messages or emails claiming to be from Facebook, the company said.

Third-party apps and Facebook apps such as Instagram and WhatsApp were not compromised, according to Facebook. Hackers were not able to access any private messages but messages received or exchanged by Facebook page administrators may have been exposed.

Security experts say the 14 million users who had extensive personal information swiped are now extremely vulnerable. Colin Bastable, CEO of Lucy Security, which focuses on cybersecurity prevention and awareness, painted an especially grim scenario.

"The truth is that, as a result of this news, millions of phishing attacks will now be launched, pretending to be from Facebook. Up to 20 percent of recipients will click and a large number of those will be successfully attacked, many of them using work computers and mobile devices," Bastable said. "Businesses and governments will lose money, ransomware attacks will result from this leak, and the attack will reverberate over many months."

The culprits behind the massive hack have not been publicly identified. The FBI is actively investigating the hack and asked Facebook not to disclose any information about potential perpetrators, Rosen said. When they disclosed the breach two weeks ago, Facebook officials said they didn't know who was behind the attacks.

The latest disclosure, another in a series of security lapses that have shaken public confidence in Facebook, may intensify political heat on the company. An investigation is underway by Ireland's Data Protection Commission, and Rosen said Facebook is also cooperating with the Federal Trade Commission and other authorities. The FTC declined to comment if it's investigating.

“Today's update from Facebook is significant now that it is confirmed that the personal data of millions of users was taken by the perpetrators of the attack," Ireland’s Data Protection Commission, the watchdog agency charged with privacy protection in the European Union, said in a tweet.

The extent of the personal information compromised by attackers delivered a blow to the public relations campaign Facebook has been waging to convince the more than 2 billion people who regularly use the service that it's serious about protecting their personal information after the accounts of 87 million users were accessed by political targeting firm Cambridge Analytica without their consent and Russian operatives spread propaganda during and after the 2016 presidential election.

This week, Google acknowledged that half a million accounts on its Google + social network could have been compromised by a software bug. The admission prompted lawmakers to call for an FTC investigation. Both incidents could further fuel a congressional push for a national privacy law to protect U.S. users of tech company services.

"These companies have a staggering amount of information about Americans. Breaches don't just violate our privacy, they create enormous risks for our economy and national security," Federal Trade Commission Commissioner Rohit Chopra told USA TODAY after Facebook disclosed the data breach last month. "The cost of inaction is growing, and we need answers."

More: Facebook breach puts your identity at risk. Here's what you can do to protect yourself

More: Largest Facebook hack ever turns up heat on Mark Zuckerberg

More: Facebook's 50 million account breach is already its biggest ever -- and may get even worse

More: Midterms: 'Furious' Democrats purchase blitz of Facebook ads on Kavanaugh, far outpacing GOP spending

After the accounts were compromised last month, more than 90 million users were forced to log out of their accounts as a security measure.

Facebook says attackers exploited a feature in its code that allowed them to commandeer users' accounts. Those accounts included Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.

The attack began Sept. 14. A spike in traffic triggered an internal investigation. More than a week later, on Sept. 25, Facebook identified the vulnerability and fixed it two days later.

The vulnerability was introduced in July 2017 when a feature was added that allows users to upload happy birthday videos.

Attackers exploited a vulnerability in Facebook’s code that affected "View As," a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Three software bugs in Facebook's code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people's accounts.

These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.

Here's how it worked: Once the attackers had access to a token for one account, call it Jane's, they could then use "View As" to see what another account, say Tom's, could see about Jane's account. The vulnerability enabled the attackers to get an access token for Tom's account as well, and the attack spread from there. Facebook said it has turned off the "View As" feature as a security precaution.

Last month, Facebook reset the tokens of nearly 50 million accounts that it believed were affected and, as a precaution, also reset the tokens for another 40 million accounts that had used "View As" in the past year. Resetting the tokens logged the affected Facebook users out of the service.

A breach of this kind is not a single, isolated event, warned Adrien Gendre, CEO of Vade Secure North America, an email security company. Hackers don't profit from breaking into Facebook accounts. Money's made, he noted, by launching spear phishing attacks using the data they've purloined, an increasingly common form of cyberattack where hackers spoof someone's identity to get them to complete a write transfer or share confidential information.

And that's very bad news for the 14 million Facebook users who had intimate personal information stolen.

5 steps for preventing ransomware

5 steps for preventing ransomware

Hardening Your Environment Against Ransomware

To avoid ransomware infection, follow these steps:

1.    Back up your computers and servers regularly.

Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.

2.    Lock down mapped network drives by securing them with a password and access control restrictions.

Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

3.    Deploy and enable the following Endpoint Protection:

Implement and managed endpoint antivirus on all endpoint to prevent ransomware, most ransomware can be detected by popular antivirus.

4.    IPS/IDS

IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occurs when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.

See Enabling network intrusion prevention or browser intrusion prevention.

5.    Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

Attacking exploit kits cannot deliver drive-by downloads unless there is an old version of a plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. Recently, more attacks are delivered through vulnerable web applications, such as JBOSS, WordPress, and Joomla.

6.    Use an email security product to handle email safely.

CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For important advice and recommendations, see:

How to remove ransomware

There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:

1.    Do not pay the ransom.

If you pay the ransom:

·         There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.

·         The attacker uses the ransom money to fund additional attacks against other users.

2.    Isolate the infected computer before the ransomware can attack network drives to which it has access.

3.     Update the virus definitions and scan the client computers.

New definitions are likely to detect and remediate the ransomware. Configure Endpoint Protection to automatically downloads virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.

4.    Restore damaged files from a known good backup.

No security Endpoint Protection cannot decrypt the files that ransom lockers have sabotaged.

  1. Submit the malware to antivirus provider.

If you can identify the malicious email or executable, submit it to antivirus provider.

 

What is Botnet - Cybercriminals #1 Weapon

The word Botnet is formed from the words ‘robot’ and ‘network’. Cybercriminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer and organise all of the infected machines into a network of ‘bots’ that the criminal can remotely manage.

Botnet Prevention- What is Botnet   

Botnet Prevention- What is Botnet   

 

How Botnets can impact you
Often, the cybercriminal will seek to infect and control thousands, tens of thousands or even millions of computers – so that the cybercriminal can act as the master of a large ‘zombie network’ – or ‘bot-network’ – that is capable of delivering a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign or other types of cyberattack.

In some cases, cybercriminals will establish a large network of zombie machines and then sell access to the zombie network to other criminals – either on a rental basis or as an outright sale. Spammers may rent or buy a network in order to operate a large-scale spam campaign.

How to prevent your computer becoming part of a Botnet
Installing effective anti-malware software will help to protect your computer against Trojans and other threats.

Botnet.gif

Secure Google Chrome from Hacking Attacks

Google Chrome is definitely one of the most popular web browsers being used today. Hackers, as we know, are perpetually after whatever gets popular in the world of the internet. This because whatever is popular would help them target more people and steal more data. Thus, Google Chrome too happens to be among the most favorite for cyber criminals across the world. Hence, securing Google Chrome against hacking attacks is really important.

chrome_wallpaper_by_kazvantipov-d4bt2mz.jpg

So, how do we secure Google Chrome from cyber attacks? Well, it’s a multi-step process. Lots of things have to be done. Securing your browser is important as it helps secure your device, your internet connection and more importantly, your personal and business data.

Let’s discuss, in detail, what all needs to be done to secure Google Chrome from hacking attacks. Here we go:

Begin by ensuring that your Google account is properly secured!

This is something basic, your Google account needs to be properly secured. Chrome lets you sign in from any device, anytime. Hence, it’s important to ensure the security of your Google account. You need to make sure you are logged out of your account every time you sign in, on any device. You also need to ensure that your password is secure. If you aren’t signed out or if someone knows/cracks your password, it would be easy to manipulate things and cause you harm. Your data could be stolen.

Keeping the browser secured is equally important…

Keeping the browser secured is as important as securing your Google account. You could use a password to protect your browser, and thus, in your absence, no one would be able to take control of your browser and do mischiefs. Similarly, every time you leave your terminal, it’s good to go out of the browser as well.

Keep your browser ‘clean’!

You should make it a habit to keep your browser ‘clean’, by wiping out most of the information from it. In fact, there should be some plan/schedule as regards cleaning the browser. Clear the history periodically, either everytime you log out or at least once every week if not once a day.

Never save passwords on the browser

The browser might offer to ‘remember’ your passwords for you so that you could sign in easily the next time you’re using some service. But it’s always good not to save passwords on the browser. If you save your passwords, it would be possible for someone else to get into your account and misuse it or steal information.

Having a master password helps

Having a master password, which would help you get to your other saved passwords in Chrome, is a good thing to do. Thus you need not worry about remembering all of your passwords and you don’t have to be afraid of your passwords getting stolen or misused either.

Keep your device protected

The device that you use to browse needs to be protected from malware and hacking. For this, you must use whatever security tools you need and also have alerts that tell you if at all your device is compromised. Remember a compromised device means an unsecured browser!

Keep the device locked whenever you’re not using it

Always keep your device locked when you are not using it, be it a computer or any other mobile device. That prevents people from getting on to your device and hijacking your browser and your data as well. Locking your device also gets it off the WiFi network that you are using.

Secure your network, never use unsafe WiFi networks

Securing your network is important; it helps a lot in securing Google Chrome from hacking attacks. Hence you need to do all that is needed to secure your network. Similarly, it’s always advisable never to use unsafe WiFi networks. Whenever you’re using a WiFi network, ensure it’s properly encrypted and if possible use an app or program that would prevent hacking. In fact, using a secure network secures not just your browser, but everything on your device/system.

Trust Chrome for phishing detection

Google Chrome does its own phishing detection and protects you from many phishing websites. So, when your browser tells you that a website is not safe, it’s always advisable to trust it and avoid such sites.

Avoid phishing websites and attachments yourself

In addition to Google Chrome detecting phishing websites for you, it’s always good that you yourself stay away from websites/attachments that could be used for phishing scams. Staying away from such suspicious websites secures your browser, your system/network and your data.

Cyber-Digital Task Force

The Department of Justice’s internal “Cyber-Digital Task Force,” created by Attorney General Jeff Sessions in February, will release its first-ever public report later this month at the Aspen Institute’s annual Security Forum, a department spokesperson told CyberScoop.

The report is expected to detail a series of security recommendations that the government should consider to protect future U.S. elections from a myriad of different threats, including foreign hacking attempts.

A statement by the DOJ previously explained that the Task Force will “prioritize its study of efforts to interfere with our elections; efforts to interfere with our critical infrastructure; the use of the Internet to spread violent ideologies and to recruit followers; the mass theft of corporate, governmental, and private information; the use of technology to avoid or frustrate law enforcement; and the mass exploitation of computers and other digital devices to attack American citizens and businesses.”

When Sessions launched the group earlier this year, he requested that an initial report be completed by June 30. The recommendations were submitted ahead of time, according to DOJ spokesperson Ian Prior. The answers are currently being reviewed ahead of publication.

The DOJ’s disclosure was made hours after the Democratic National Committee (DNC) issued a press release criticizing the department and Trump administration for missing various cybersecurity policy deadlines, including the June 30 submission. The agency contends that it in fact made the deadline, although the publication won’t occur for a few weeks. The Aspen Security Forum begins on July 18.

The creation of the Cybersecurity Task Force on Feb. 20 came less than a week after Special Counsel Robert Mueller indicted a group of Russian internet trolls for interfering in U.S. politics. The Russians allegedly ran an extensive social media campaign that worked to trick American voters in the run-up to the 2016 presidential election, the indictment claims.

Deputy Attorney General Rod Rosenstein is expected to make “an exclusive policy announcement” on July 19 at the Aspen Institute event.

New Data Privacy Law in India

Like EU India is putting tight restrictions on data privacy.

India is quick tilting into the computerized age, however, its laws and directions are dated and unsuited to the circumstances, consequently raising worries about protection.

In an offer to modernize them, the former Supreme Court judge B.N. Srikrishna is heading a panel to draft new data privacy laws to manage and regulate the conduct of tech giants, and the move has put the likes of Google and Facebook in a jitter.

The committee was constituted after a landmark Supreme Court judgment headed by Srikrishna after the Supreme Court, in August 2017, declared the right to privacy to be a fundamental right. The apex court further recognized the complexities in data protection and instructed the government to formulate and enact a comprehensive data protection law. After almost a year, the committee is slated to submit its draft this week.

Current data-privacy laws in India are narrow in scope

As of now, the primary statutes administering data protection in India are the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This is just not enough as it is just a thin line that separates the two that regulates the processing of sensitive personal data or information like password and financial information. Non-sensitive personal data have no such control.

The Srikrishna committee seeks to curb unhindered data collection practices and to curb such practices.

It seeks to detail several specifics, including defining what fair use is, deciding whether tech giants can transfer data across international borders, and designing an effective enforcement mechanism.

BENEFITS OF IMPLEMENTING AN INFORMATION SECURITY

THE BENEFITS OF IMPLEMENTING AN INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

 

SECURES YOUR INFORMATION IN ALL ITS FORMS

An ISMS helps protect all forms of information, including digital, paper-based, intellectual property, company secrets, data on devices and in the Cloud, hard copies and personal information.

INCREASES RESILIENCE TO CYBER ATTACKS

Implementing and maintaining an ISMS will significantly increase your organisation’s resilience to cyber attacks.

PROVIDES A CENTRALLY MANAGED FRAMEWORK

An ISMS provides a framework for keeping your organisation’s information safe and managing it all in one place.

OFFERS ORGANISATION-WIDE PROTECTION

It protects your entire organisation from technology-based risks and other, more common threats, such as poorly informed staff or ineffective procedures.

HELPS RESPOND TO EVOLVING SECURITY THREATS

Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.

REDUCES COSTS ASSOCIATED WITH INFORMATION SECURITY

Thanks to the risk assessment and analysis approach of an ISMS, organisations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.

PROTECTS CONFIDENTIALITY, AVAILABILITY AND INTEGRITY OF DATA

An ISMS offers a set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.

IMPROVES COMPANY CULTURE

The Standard’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

 

PGP vulnerability? Exposes PGP Encrypted Email

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails.

Sebastian Schinzel, professor of computer science at Münster University investigated the flaw, tweeting that full details of the vulnerability will be available from 15 May. 

He said: "they might reveal the plaintext of encrypted emails, including encrypted emails sent in the past."

PGP Ecryption.png

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the 

Anyone using PGP to encrypt their email could have their messages exposed thanks to a severe vulnerability for which there's no proper fix. That's according to researchers in Germany, who said anyone using plug-ins allowing simple use of PGP should stop using them entirely and possibly delete them too.

The warning came from Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, who noted attacks exploiting the vulnerability "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past." Though he isn't revealing the full details until Tuesday May 15, the findings have spooked security-conscious folk.

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

The Electronic Frontier Foundation (EFF) said it had reviewed the research and could "confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

"Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," the EFF wrote in a blog post.

The EFF has also offered guidance on how to remove plug-ins associated with PGP email, which users can find on the blog. Those plug-ins include ones for clients Apple Mail, Thunderbird and Outlook.

It appears the vulnerability (which some have dubbed eFail) resides in such email clients, rather than a fundamental problem with the PGP standard, according to Werner Koch, the man behind GNUPrivacyGuard (GnuPG), the free and open source PGP software suite. In a post, Koch said he believed the EFF's comments on the issue were "overblown" and that he hadn't been contacted about the vulnerability.

This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad. #efail

They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

PGP was long seen as the standard for encrypted messaging and it remains the most popular method of sending private email. Increasingly, however, mobile apps like Signal, Apple's iMessage and Threema have provided simple methods for end-to-end encrypted communications.

Schinzel hadn't responded to a request for comment at the time of publication. He's done significant work on cryptographic weaknesses in the past; in 2016, he co-created an attack dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), which could decrypt people's web connections on 33 per cent of all HTTPS websites.

A trick to decrypt

The researchers explained in a website for the eFail vulnerability that it required the attacker to be able to intercept and email and tamper with it to reveal the plaintext of messages. "In a nutshell, eFail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs," they wrote.

"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."

The full technical paper is available here.

An old flaw

A spokesperson for ProtonMail, a webmail service that uses PGP, confirmed its services were not affected. The spokesperson also eFail wasn't exactly new. "It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself," the spokesperson added.

"What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation.

"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation."

Apple gets fixing

An Apple spokesperson said partial fixes to eFail were released in iOS 11.3, which shipped March 29. The remaining fixes for affected Apple products being developed and will be with customers soon, they added.

Microsoft said it had no comment on the matter.