The Federal Bureau of Investigation (FBI) warns about, and offers advice for preventing hackers (or “cyber threat actors,” as the FBI calls them) from using unsecured IoT devices as proxies to infect your networks and steal your data: https://bit.ly/2valBwb.
Every year in October, the U.S. federal government, via the Department of Homeland Security, pushes “Cybersecurity Awareness Month.” A campaign devoted entirely to cybersecurity awareness is a great concept. For an entire month, DHS and private industry organize events and share ideas to better ensure cybersecurity for all.
But sometimes I wonder about the effectiveness of Cybersecurity Awareness Month and whether all the great information generated around the campaign is retained and/or put into practice. So, I decided to do a little research to see what others have said about the campaign.
I didn’t have to look long before I found an article containing results of some rudimentary research relating to the effectiveness of last year’s campaign. The bio of the article’s author says he is “widely recognized as an expert in all aspects of cybersecurity” and the title of his piece is: “Few people know it’s National Cybersecurity Awareness Month. That’s a problem.” The title basically tells you what he found.
I came across another article published last week discussing a presentation given by the executive director of the Streaming Video Alliance (SVA). He is bemoaning the fact that “as over-the-top (OTT) streaming video continues to gain in popularity, it’s a prime target for pirates.” To protect OTT content, he recommended using a “layered” approach to cybersecurity.
MFT Nation agrees wholeheartedly with developing a “layered” approach to cybersecurity. But that concept is neither new nor revolutionary. bTrade’s MFT Nation published an article in 2015 in which we recommended layered security methods. And we weren’t being new or revolutionary either because the 2015 article cited an informative publication from the U.S. Federal Communications Commission which has a section captioned “Create Layers of Security” that says the following, among other things: “Protecting data, like any other security challenge, is about creating layers of protection.”
The byline in the article mentioned above by the guy who’s “widely recognized as an expert in all aspects of cybersecurity,” reads: “National Cybersecurity Awareness Month has failed to gain national, industry or cybersecurity community attention. It’s time to rally around it or kill it.” We disagree. Even assuming the truth of what he says, it never hurts to focus on and discuss cybersecurity, even if it’s only for one month out of the year, and even if people are rehashing cybersecurity topics covered in previous years. At a minimum, it gets people to think and talk about cybersecurity, which may result in some folks developing a plan which can be put into practice with the help of appropriate resources.
If you want to learn more about developing “layers” of data security, including how a managed file transfer solution can help, please contact our data security experts at firstname.lastname@example.org for a free consultation.
Just about everyone is familiar with certain elements of an access control system relating to personnel and vehicles. Anyone who works in an office setting or enters a secure building has to deal with mechanical devices or electronic systems that facilitate “authentication” to enter a protected space, such as an ID card or key fob that is kept on the user’s person, or using a personal identification number (PIN), or code, that must be keyed in for access. The basic objective of such an access control system is to permit entry/exit of authorized persons and deny entry/exit of unauthorized persons, and to maintain records of the access control system activity, user permissions, and facility configuration changes.
The same type of access control is available for network and software systems. According to NIST, “[r]ole based access control (RBAC) (also called “role-based security”) … has become the predominant model for advanced access control” because it reduces the cost of managing large networks and data flows. NIST succinctly summarizes the RBAC process: “Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role.”
bTrade has an enterprise-level managed file transfer software solution, TDXchange, that employs RBAC to limit system access to authorized users. Six user roles have been created, each of which has a predefined collection of read/edit privileges that can be assigned to users based on their job. In addition to the ability to limit access to specific areas, a user’s scope can be restricted to a specific part of the organizational hierarchy.
There is one pre-defined user role in TDXchange, called System Admin, and there can be multiple persons assigned to the System Admin role. Each System Admin has all the permissions and rights to create customized roles for different users. In addition, each System Admin has visibility, via dashboards and alerts/notifications, into system activity, user permissions, and system configuration changes.
If you are interested in discussing role-based access control in connection with your managed file transfer activity, or want to learn more about bTrade’s TDXchange software solution, please contact us at email@example.com.
More cybersecurity news relating to phishing emails, this time affecting banks: https://bit.ly/2LMpiP0.
A Virginia bank got hit TWICE during an eight-month period and the cyber criminals stole more than $2.4 million. The attackers gained access initially when a bank employee opened a booby-trapped Microsoft Word document containing malware.
Once the hackers gained access, they were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections. The hackers were then able to access internal applications used for customer debit card transactions and ATMs, among others.
It should also be noted the hackers were able to conceal their activities by deleting evidence of fraudulent debits from customer accounts. Who are these clever, but devilish hackers? The bank’s forensic experts determined the hacking tools and activity appeared to be of Russian origin.
To protect yourself against phishing emails, here’s a “Cyber Tip” from the US federal government via the Department of Homeland Security: https://bit.ly/2qozh3l.
If you want to learn how a managed file transfer software solution can help with your cybersecurity defenses, please contact our data security experts at firstname.lastname@example.org.
The U.S. federal government, via the US Department of Homeland Security, has a portal to report phishing emails and other cybersecurity incidents: https://bit.ly/2lwRZFW . Why do it? As the portal says, “to protect yourself and others from cybersecurity incidents.”
Phishing attacks use email or malicious websites to infect your machine with malware and viruses in order to collect personal and financial information. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their computer with viruses or malware, creating vulnerability to attacks.
Phishing emails may appear to come from an actual, existing institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information like account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, attackers use it to access their accounts.
Here’s a recent tweet from the University of Alabama warning of phishing emails offering jobs to college students: https://bit.ly/2JNXCr6. As the tweet says, “don’t fall for it.”
MFT Nation will continue to keep you updated on developments in the rapidly changing world of cybersecurity as and when they occur.
Here’s a research company’s view of cloud transition contained in a single infographic: https://bit.ly/2zwM2Ra . What do you think?