Posts

penta govware singapore in the background

Penta Security to Showcase Its Latest IoT Security Developments and Solutions at GovWare 2017

During Singapore’s International Cyber Week (SICW), Penta Security Systems Inc. will be exhibiting at this year’s GovWare, showcasing its web security and encryption offerings to empower large scale IoT and cloud deployment, with security at the forefront.

As the APAC region’s premier conference and platform for building partnerships in cyber security, GovWare will gather industry leaders to discuss the latest solutions for combating cyber threats in enterprises and governments. Penta Security plans to showcase its cloud and IoT solutions at the event, also highlighting its intelligent Web Application Firewall (WAF) and encryption solution, D’Amo. At GovWare, Penta Security is also set to the launch an important upgrade to its open source database encryption solution, MyDiamo, by extending compatibilities to include PostgreSQL, joining its existing offerings of MySQL, MariaDB, and Percona.

As the top market leader for web application firewalls (WAF) in the APAC region, Penta Security has gained particular recognition for WAPPLES, a WAF powered by a logic-based detection engine and D’Amo, an encryption solution platform optimized for the customer’s environment. Both of these technologies now power Penta Security’s range of newest security solutions including its smart car security solution, AutoCrypt, and Penta Smart Home Security, an IoT solution for all smart devices within the home.

With Singapore’s Smart Nation initiative guiding the country toward enabling data and technology to improve everyday life, the country is unique in prioritizing the need for security. Penta Security aims to facilitate this vision, empowering steps towards the digital future through its lineup of smart cyber solutions.

Chief Strategy Officer of Penta Security Systems, DS Kim said, “Singapore is unique in that there’s a positive push by the government to pursue the growth of quality cyber security, working closely with all kinds of enterprises. GovWare 2017 is an opportunity for Penta Security to contribute its expertise in this movement, paving the way for cloud and IoT to be deployed on a large scale in Singapore, with security at the forefront.”


About Penta Security
Penta Security Systems Inc. is a leader in web, IoT, and data security solutions and services. With 20 years of IT security expertise in powering secured connections, Penta Security is the top cyber security vendor in Asia, as recognized by Frost & Sullivan, and APAC market share leader in the WAF industry. Driving innovations across encryption, authentication, and signature-free firewall detection technology, Penta Security’s whole-system approach to security enables resilience in an era of hyper web integration and connectivity. For more information on Penta Security, visit www.pentasecurity.com. For partnership inquiries, email info@pentasecurity.com.

detect and respond cybersecurity

The Flaws with Detect and Respond

detect and respond cybersecurity

There has been a lot of discussion around Detect and Respond but there remains a number of misconceptions and misunderstandings about this particular cyber security framework. Many companies hold the notion that perfect security isn’t achievable, and perhaps they’ve given up hope on blocking cyber attacks through preventive measures. Therefore, most flock to Detect and Respond instead. But Detect and Respond has its own pitfalls, which we’ll cover in this blog piece.

What classifies as Detect and Respond?

The Detect and Respond framework, in the realm of cyber security, refers to the ability to discover cybersecurity incidents in a timely manner (“detect”) and develop as well as implement the appropriate actions to take against such cybersecurity incidents (“respond”).

As a result, the “detect” aspect of the framework includes security approaches and technologies that support continuous security monitoring, and the “response” aspect includes response planning and mitigation. It’s false to assume that solely implementing Detect and Respond capabilities can make up for a weak implementation of preventive measures (vulnerability management systems, intrusion prevention systems, WAF) against cyber threats.This is a particularly dangerous mindset.  

Detect and Respond Pitfalls

The major flaw with Detect and Respond is that once a cyber attack is in full effect, for example a malware infestation that has taken over a system, then it becomes really hard to tell the immediate impact of such an attack. This makes detecting and responding even more difficult. Consider the following analogy: Detect and Respond is like monitoring the activity within your brick and mortar shop through security cameras…but without someone behind the seats monitoring those security cameras 24/7 and with no installed alarms to notify you.

To find out if you’ve been robbed, you’ll have to personally check the footage in the next few hours or the following morning. Moreover, if a burglar did manage to break inside and steal something, then it becomes harder to respond to the situation since: A) the burglar might be unidentifiable, having probably worn a mask, thus making it challenging for police to track down and B) the likelihood of retrieving those stolen items is almost close to zero.

Preventive methods

One thing’s for sure: no company would implement the above security strategy if Detect and Respond were explained through that analogy. This is not to say that Detect and Respond does not or should not play an important role in your security strategy. However, once a company comes under attack, just having Detect and Respond capabilities does not suffice and it is predicted the company will likely suffer monetary losses, too. Solely relying on preventive measures does not work either as that simply presents a false sense of security.

Take for example the different cases with data breaches. The cause of the breach may have been the result of weak or stolen passwords. But that doesn’t equate to the same thing, as weak passwords are not the same as stolen passwords. Preventive measures would protect against weak passwords by ensuring that passwords are not set to its default (e.g. password, admin), and Detect and Respond would deal with monitoring the stolen passwords and the respective accounts. As exemplified, the best cyber security strategy for any business should always include both, Detect and Respond as well as preventive measures.

10-cyber-security-lingo

Top 10 Cyber Security Lingo You Need to Know

10-cyber-security-lingo

“Jargon” is defined as a set of words that are used by a particular group, usually in a specific industry or profession, and difficult for others to understand. However, within the context of cyber security, certain jargon is starting to make its way into mainstream conversation and news, hinting at the increasing importance in understanding what these words mean. We’ve laid out our top 10 cyber security lingo that just might come in handy in your next conversation.

Phishing
21

Much like how a fisherman catches fish with bait, a “phisher” lures innocent victims into giving away their personal information. While this method used to be largely executed over the phone or even over text messaging, in recent years, phishers have transitioned to e-mails and websites as their weapons of choice.

Phishing works by spoofing sites, making it seem as if the user is looking at a legitimate website. They’ll trick users into updating their billing information, or even conducting transactions – resulting in loss of money, and in some cases loss of identity.

VPN
19

A VPN, or Virtual Private Network, is a method that adds privacy and security when users access potentially unsafe networks. Normally, when trying to connect to the internet, users pass through their Internet Service Provider (ISP) and the traffic is viewable by the ISP. However, when you’re using a VPN, connections are encrypted meaning that your ISP is left out of the loop.

Many people use VPNs to keep their information secure through the encrypted connection, or to utilize the IP of the VPN server. By hiding their real IP address, users may be able to use services that were previously barred for them.

Back Door
4

When cyber attacks occur, there’s always talk about a secret way that hackers accessed the system when it was supposed to be safe. This is called a back door – a way to get into a system, product, or device by installing software or configuring the software to bypass existing security mechanisms.

Most recently, we saw through the “NotPetya” attacks that a backdoor was written into updates in a Ukrainian software firm’s accounting software, allowing for potentially 1 million computers to be compromised.

Keylogger
5

To add onto the scariness that is a back door, a keylogger is spyware or monitoring software that keeps track of every key typed on your keyboard. This means that usernames, passwords, social security numbers… virtually every piece of information typed onto a keyboard is fair game for a malicious hacker.

While there are legitimate uses for keyloggers (perhaps a parent is watching over their child’s activity), most of the time, cyber criminals utilize keyloggers to gain access to financial accounts or networking accounts. Just this past month, two Latvian men were arrested on charges of providing keyloggers as a service.

SSL
9

SSL, or Secure Socket Layer, is a must for websites – especially if they handle sensitive information like credit cards or client names and addresses. SSL ensures a secure, encrypted connection between a browser and a server. Why is this important? While current speeds of the internet make it seem as if information is transferred from point A to point B automatically, in reality, any computer in between the browser and server is able to see unencrypted information. However, SSL prevents that by making sure that only the intended recipient is able to see the sensitive information.

How do you know if your site utilizes SSL? The URL will have HTTPS (hyper text transfer protocol secure), as opposed to just HTTP (hyper text transfer protocol). Check with your hosting provider or security service about what SSL options they offer.

2FA
6

We use this next acronym a lot when we’re talking about authorization and authentication for applications. 2FA, or two-factor authentication, is a type of authentication method where the proof of a user’s identity is gained by two independent sources. This might be a password and your fingerprint ID, or perhaps a username-password combo and a code from an OTP (one-time password) token.

With people still using silly combinations like hello or 123456 as their username or password, 2FA adds on an extra protective layer, making it a bit more difficult for an intruder to gain access to a user’s data.

FIDO
24

The best password is simple, secure, and unique… that’s the philosophy behind FIDO, or Fast Identity Online. FIDO is a set of security specifications supporting multi-factor authentication and public key cryptography. FIDO-compliant authentication means that users don’t have to use the traditional username and password combo, but instead use biometric authentication which can include fingerprints to irises.

When on a remote device, users can still utilize FIDO authentication through 2FA, using both an authorized device (such as a USB drive) and a separate PIN.

Dark Web
25

Though many of us use the internet for everyday purposes like buying commercial goods, communicating with peers, or checking up on the news, there are web users who have been using the web for more sinister purposes. The Dark Web is a part of the World Wide Web that’s only accessible by installing special software. It then allows users to access an encrypted network where users and operators remain anonymous and untraceable. Because it’s so hidden, this is a haven for illegal activities.

WAF
02

A WAF, or  “Web Application Firewall” is a device that filters, monitors, and blocks traffic to and from a web application. Many people have heard the term “firewall” but a WAF differs by filtering content of specific web applications, because the majority of cyber attacks target the application layer. WAFs function in a variety of ways but a majority of traditional web application firewalls utilize a signature method, where regular updates are necessary in order to make sure that malicious traffic is blocked.

However, there are options available where WAFs use a logic-based detection engine where rule-sets for certain characteristics of malicious traffic are analyzed to block traffic. This results in more accurate detections – a must for businesses who want to retain their customers.

SECaaS
10

With the rise of cyber threats and attacks, companies of all sizes and even individuals are starting to realize the grave consequences they could face if they were to ignore the need for security. This new insight has led to the rise of SECaaS, or “security-as-a-service” where security services are provided on a subscription basis. This means that individuals or smaller businesses who may not have an adequate budget for utilizing security appliances can still apply security in a more cost-effective way.

SECaaS is clearly skyrocketing, and it’s estimated that by 2020, “85% of large enterprises will be using a cloud access security broker solution for their cloud services.” That’s up from 5% in 2015.


These are our top 10 picks for must-know cyber security lingo – do you have any other favorites? Feel free to contact us on our Facebook page, where we regularly introduce new jargon with simple explanations you can understand. Who knows? Maybe you’ll see your word next week!

ciso working at business from a window

Why More Companies Are Looking for a CISO

more-ciso-title-header

A growing number of web and data threats has companies scrambling to find someone to take charge.

Since the birth of computing, there’s been a need for the “IT-guys,” the ones you could call when an issue required technical assistance and would come running to the rescue. But with the dotcom boom of 2000, this need has spiked even more. Not only has technology changed from centralized computer centers to cloud environments, but hackers’ strategies for attacking have become increasingly complicated. While IT geniuses used to be portrayed in popular TV shows or movies as hooded loners in basement corner offices, now the IT department is an integral part of any enterprise dealing with sensitive and valuable information. In fact, some companies are going as far as to place a Chief Information Security Officer, or CISO, in their c-suite.

While many ask if there really is a need for a CISO when you could simply have an IT-manager to look over the security of the organization, more companies are scrambling to find someone to take charge of this sensitive area, and we stand behind them in that choice. Here are three reasons that hiring a CISO can work in your company’s favor.

Preventing Damage Before It Happens

First and perhaps most obviously, a CISO’s job is to make sure that the information and assets of a company are secure. Unlike Chief Security Officers (or CSOs), a CISO has the added responsibility of making sure that digital assets are protected. This makes life a bit harder as digital assets don’t have a tangible presence, meaning that simply locking it in a safe and guarding it won’t do much in terms of security.

There are various things that CISO can do after an incident in order to take care of the damage, but a large part of being a CISO involves setting up protocols so that damage can be prevented before it even happens. For example, they can set up access controls so that only a select few at the corporation have access to certain servers and permissions, backup storage regularly, and utilize encryption solutions to protect sensitive data. CISOs are also the ones that have the final say in which web or data security solution to go with; whether it’s a web application firewall (WAF) or WAF service, data encryption solution, or a multi-factor authentication system, the CISO has it under control.

executive-2051414_1920Aligning Security Policy with Business Outcome

However, at this point you might say that the above is something that even an entry-level employee could do, if given the time and resources. However, most will agree that in any company, there’s a large gap between different departments. The IT department may not understand sales, business development might not understand web developers, etc. These miscommunications may be from the language, demeanor, or even the strategic mindset that the other may hold. While before, security managers were mainly technical in nature, at the end of the day, the corporation must stay financially viable in order to continue. Therefore, now the CISO must have both business and technical skills and ultimately be the senior-level executive who’s responsible for balancing the technical policies along with the business factors.

He or she is, in a way, a bridge to connect the gap between the two sides. A CISO offers a unique perspective on how to deal with the risks and dangers of data breach that neither side may be able to grasp. The CISO is a difficult position to fill because of this balance of business and technical: most corporations look for someone with an academic background in information security and/or business with CPA, CISSP or PMP certifications, OWASP or CISO forum memberships, as well as 10+ years of experience in information systems leadership. Not an easily acquired curriculum vitae.  

The Face of Security

Last of all, having a CISO for the organization tells the world that your company stresses the importance of valuing customer data. While other companies may be fully capable of dealing with vulnerabilities and threats on their own, customers can gain a tremendous amount of respect for a company if they’re able to see publicly and visibly that there is someone working on the company’s behalf to secure their sensitive information.

Many CISOs will work inside the office as well as outside to educate partners and the general public on information security issues. Other companies may see this and also be encouraged to hire their own CISO. If companies start to prioritize information security as much as they do finances, executive administrative duties, and technology and put a face to information security among the top level of executives, perhaps the entire world of business and industry will start to put security at the forefront of business decisions.

1484806777641_1_111339 (1) (1) (1)

The Blockchain Hype

blockchain hype blog post title

With technology advances a-plenty – what’s going to be the next revolutionary technological development?

Big data? The Internet of Things (IoT)? Nope.

It’s going to be the blockchain

With more than 25 countries investing in the technology, and $1.3 billion invested – it looks like individuals, companies, and governments alike are putting their eggs in the blockchain basket.

The public blockchain is, simply put, a digital ledger where digital transactions are recorded publicly. Most widely-known for its use with cryptocurrencies like the Bitcoin, blockchain technology has enabled peer-to-peer transactions to be conducted without a banking system middle man, thereby challenging the power of banks to control currency. However, the applications of blockchain go far beyond cryptocurrency transactions to include supporting all kinds of informational exchange.

The idea of the blockchain is revolutionary because it allows for transparency and a new way of organizing the millions of transactions that society now handles on a daily basis. Its workings are defined perfectly by its name: transactions are recorded in “blocks” and placed chronologically in “chains.” Once a block is complete of transactions, a new block is added on and chained. Therefore, when the chain gets longer and longer, it becomes nearly impossible for hackers to penetrate it for scams, defacement, or theft. With security at maximum – what is there to worry about?

But let’s cut to the chase. Is blockchain technology secure? The short answer is, yes — yes it is.

The long answer is: Maybe. It depends on your perspective.

Time is (not) of the essence

First, there are many who complain about issues in terms of transaction verification. Because the blockchain is a distributed ledger, every block of transactions must compete to be added to the chain. This is done through a consensus process of selecting blocks contributed by miners who solve complex mathematical equations in the fastest time to receive a reward. This process can be sped up by paying an added fee, bumping up the transaction, but the average wait can be upwards of 40 minutes. In rare cases, it may take days for a transaction to be verified. Just so you can see how slow that time is: MasterCard’s 2012 report claimed that its network could take upwards to 160 million transactions every hour, with average response time of 130 milliseconds per transaction.

The duration of the wait is not only a cumbersome issue in terms of service, it’s also a security issue – a lot can happen in 40 minutes, and most people aren’t interested in being patient in exchange for reassurance in security.

Where are my keys?

When people talk about the blockchain, you’ll also hear the word “bitcoin” quite often – but don’t interchange these two terms, as they’re two very different ideas. The blockchain is a decentralized ledger, a database of transactions. Bitcoin is a form of virtual currency, or the preferred terminology “cryptocurrency” (encrypted currency). Bitcoin or ether, another cryptocurrency, are used in transactions that are noted on the blockchain. The currency is stored in a virtual “wallet” that will store and manage these currencies.

To make transactions, private keys (which many store in virtual wallets) are a necessity. Now, private keys are a completely separate entity from the blockchain, making security a bit more difficult to ensure. Despite the myriad of “must-do, top security tips” articles out there, many are still foolish in the way they store or remember their private keys. By choosing to save their keys in an unsafe digital or physical location, it no longer matters how secure the blockchain itself is – breach is still possible with a legitimate, albeit stolen, private key.

On top of possible theft, there’s the issue of the loss of a private key. Just like one may be able to lose a physical car key, private keys can also be lost. The loss isn’t a failure of the blockchain technology, but a result of the user’s misaction. This is a huge area of concern within the public blockchain, as some put the value of lost bitcoins at over $948 million.

Old habits don’t die hard

The reality of blockchain is that in order to truly deliver on the “revolution” in terms of economy, the traditional structures of government, financial institutions, and societal ideas of transactions will have to change.The most hyped up “security issue” with the blockchain technology was in 2016, when the Decentralised Autonomous Organisation (the DAO), an investment fund relying on the Ethereum platform, had 3.6 million “ether” (a cryptocurrency unit of the ethereum blockchain) stolen from them by a hacker who exploited a vulnerability in their system. With multiple heists, the DAO ended up losing around $150 million.

Now, did this mean that the blockchain technology isn’t secure? Not necessarily – the technology itself was and is secure, and strong cryptography is used to make sure that assets are transferred safely. Units of ether are also traceable, meaning that even if the hacker were to try to re-sell his goods, it would be flagged right away. Within the DAO, payouts also take a few weeks – which gave the DAO developers a bit more time to figure out how to remedy the hack. The damage was, however, done in terms of the credibility of the blockchain and the DAO. Ethereum enthusiasts were not fans of the incident, and it caused many to raise their eyebrows at the idea of a public ledger.

The future of the blockchain

So we can see that the “issues” deal more with the applications rather than the technology itself. But the reality is that resolving the security issues, albeit secondary from the actual technology of the blockchain, takes time and effort as public blockchains need acceptance by the community that is utilizing it in order to have any value within the social construct. Will the blockchain technology still catch on? Not only will it catch on, it’s already taking the world by storm. With the gargantuan amounts of money (both physical and virtual) being invested, this isn’t a hype that looks short lived. It still helps to keep in mind that no matter how secure a technology is, the applications surrounding the technology may still need quality security.

six personalities and types of hackers online kids older white hat and black hat

The 6 Types of Hackers You May Come Across Online

 

These days it’s easy to look at the mountain of cyber crime news out there, and imagine a hoodie-wearing, tech-savvy loner in a dark corner of a room trying to get into a network for information. However, times have changed. It’s not just technology that changes or security measures that evolve. Hackers are also evolving.

In order to properly detect hacking attempts, it’s also important to understand who’s behind the attacks as well. Hackers come in all shapes, sizes, and intentions, so never judge a hacker by their cover as it might be a whole different facade then what you believe. We’ll give you our top six types of hackers you may come across online.

six personalities and types of hackers online kids older white hat and black hat

The White Hat Hacker

The least malicious of the bunch, the white hat hacker breaks into protected systems to either test the security of the system, or conduct vulnerability assessments for a client. Most of the time, they work for a security company which makes the security software or product and wants to find weaknesses in the software before releasing it for open or commercial usage. Most recently, white hat hacker Tavis Ormandy discovered the vulnerability for Cloudflare. Ormandy, employed at Google, found and reported the bug, termed Cloudbleed, which was affecting millions of sites worldwide. 

While they may use methods similar to “mal-intentioned” hackers, white hat hackers do not use the data that they’ve found for ill will. Simply put, the white hacker does what he or she does for ethical reasons, and there are even classes and certifications available to become a white hat hacker.

The Black Hat Hacker

A black hat hacker is most likely what the general public thinks of when they hear the word “hacker.” The black hat hacker is the opposite of the white hacker, where their intentions are always for personal gain rather than for the good of society. Also known as “crackers,” they gain joy from cracking into systems and bypassing security. A black hat hacker usually intends to profit from breaking into systems or does so simply to satisfy a craving for mischief – they can be differentiated from hacktivists who have a political motive for their hacking.

The Grey Hat Hacker

You guessed it, the grey hat hacker is a mix of the white hat and black hat hackers. While the grey hat hacker might break some rules and violate laws, they usually don’t have the malicious intent that the black hat hacker has. The white hat hacker will always hack under supervision or prior consent, but the grey hat hacker will not go to the lengths to receive permission before breaking into systems.

When a grey hat hacker finds a vulnerability, instead of alerting the authorities or the company, they will most likely offer to repair it for a fee – utilizing it as an opportunity to make some financial gain. Grey hat hackers argue that they only violate the law to help others, but because of the nature of their breaking and entering – companies may choose to prosecute rather than appreciate the “help.”

The Hacktivist

A hacktivist uses the world of computing and networks for a political movement. Whether it’s related to free speech, freedom of information, or proving a conspiracy theory, hacktivists span many ideals and issues. Many hacktivists work towards a common goal without reporting to a boss or an organization.

Even people unfamiliar with the IT world have heard of hacktivist groups like Anonymous, who have been active in their political movement over the past decade. Whether it’s combatting terror groups or calling for protests of retaliation, hacktivist groups hope to impact change in the real world through their programming skills in the cyber world.

The Script Kiddie

This is a wannabe hacker who lacks expertise. Just like it takes time to earn your Ph.D., it is difficult to go up the ranks to becoming a skilled hacker. A script kiddie is usually nowhere near the level of being able to hack into an advanced system, hence tending to stick to weakly secured systems. This “kid” may also get premade scripts or codes from other sources because they lack the knowledge to develop their own code. Script kiddies’ careers are generally short-lived as they might lack the discipline and creativity it takes to become an advanced hacker.

The Green Hat Hacker

Unlike a script kiddie, the green hat hacker is a newbie to the hacking game but is working passionately to excel at it. Also referred to as a neophyte or “noob,” this is a hacker who is fresh in the hacking world and often gets flak for it, having little to no knowledge of the inner workings of the web. Although it may seem unlikely that this newbie may cause any serious issues, because they’re blind to their own actions, green hat hackers can cause significant damage to a system without knowing what they’ve done and worse – how to reverse it.


It’s easy to compartmentalize hackers into good or bad, but it’s not always so black and white (pun intended). Whatever colored hat the hacker may wear, it’s important to note the differences in their techniques, results, and intentions. Then, once you understand the motives, it may be easier to either ask for assistance or perhaps look for a better security solution to guard your data and applications.

For more information on security solutions for your data or applications, visit www.pentasecurity.com or email us at info@pentasecurity.com.

blog-cover-image

Tax Season: Cyber Security Defenses to Make (and Keep) Your Returns

tax season cyber security tips

It’s that time of year again the time of the year where winter coats are abandoned, flowers are in full bloom… and everyone starts to rack their brains for how to deal with their taxes from the last fiscal year. Tax season is a stressful time for most and, whether you hire an accountant or decide to tackle the numbers yourself, it’s no time for haphazard calculations. Every single cent counts in order to get the best return possible. But could your hard work go down the drain with a single click? According to a report from the Federal Trade Commission, of the half a million complaints registered in 2015, nearly half were tax fraud-related, and these frauds are increasingly conducted online.

Cybersecurity and tax fraud are two ideas that people don’t usually look at side-by-side. After all, the IRS will never send out an email to contact you (if they do, it’s probably a scam), but with the rise of the digital age, many accounting firms have seen the benefits of having taxpayers fill out necessary forms online, facilitating the process for both the taxpayer and the agency. However, digitizing the process has opened up a Pandora’s Box in the realm of cybersecurity.

Now, by no means does this mean that taxpayers absolutely need to revert to the pen-and-paper method of tax filing. Electronic forms are an enormous load off everyone’s burden during tax season, but here are some tips to keep in mind as you file your taxes so that at the end, you do make returns and keep them. Here are our top five tips for making your tax season a little more secure:

Get it out of the way

Did you know that employers are by law required to provide W-2 forms to their employees by the end of January? Some may give their forms out earlier, and the IRS officially began accepting 2016 tax returns on January 23, 2017.

While it may be tempting to push it off until April, there are benefits to being an early bird. Not only do you get to be stress-free for Spring, but filling early means you 1) give the IRS time to immediately process and check your return, 2) avoid the peak period when hackers fish for victims in March and April. The latter part of tax season is when potential victims tend to be a little more scatterbrained, not utilizing as much discernment as they should in their securing their tax returns. Hackers are less likely to be looking for prey in January or February.

Watch out for phishing scams and links

As mentioned before, the IRS will never, under any circumstances contact you via emails, texts, or phone to demand money. They will always send a postmarked notice to “kindly” remind you to pay your dues. However, because this is a rather unknown fact, many fall prey to the phishing and pharming scams that hackers love to execute.

Especially in emails or text messages, be careful not to click on any links or attachments. Although it may be tempting to see what the IRS could want, these seemingly harmless links could trigger malware, and viruses could get installed on your devices to infect entire systems. The IRS encourages users to forward any emails you suspect of being fraudulent to phishing@irs.gov and delete it permanently from your inbox.

Keep your devices and connections clean

Updates are cumbersome and might take more time than you are willing to put in. However, an update could be the difference between a vulnerability and a strong defense against a loophole. Software, browsers, and applications should have the latest updates and any unnecessary software is best deleted to avoid cluttering your system.

Additionally, when filing your taxes, make sure to use a secure wireless connection. Public Wi-Fi is not your safest bet (read about our research on public Wi-Fi networks here), and hackers may be able to take a clear look at your sensitive data if they intercept your wireless connection.

Use Encryption

When sharing information with your accountant, make sure that your information is well-encrypted to ensure that a hacker will not be able to see the contents even if they do succeed in interception. Along those lines, double-check to make sure your online tax-filing agency is using SSL, which applies encryption to sites. Look for “HTTPS” in the URL, with a lock icon signifying a secure SSL connection. While an agency may claim to be “easy filing,” you don’t want that to mean “easy access” to your financial information.

Be careful of your… social media???

While social media may seem to be the furthest platform from your tax returns, many hackers have been utilizing a social engineering method called “social sleuthing,” where they will stalk a high-level executive to see if and when they go away on holiday or travel during these chillier months. Then, impersonating the executive, they may reach out to a lower-level employee back at the office, asking for help with paying taxes, or for sensitive information that they conveniently “forgot.”

Although hackers work year-around to try accessing our data, tax season is ripe for harvest when it comes to getting sensitive information, making it much more lucrative for hackers. The sad reality is that though the IRS may do their best to put preventative measures in place in terms of your W-2 or through public service announcements warning of fraud, the consequences that you may potentially encounter are solely your responsibility. At the end of the day, taxes are owed to the IRS, regardless of the situation.

But remember, many prevention tips are simple to implement it just takes a bit of awareness and effort. Remember, no one enjoys tax season (except hackers), especially if there are any heavy consequences that may await in case of any loss, damage of data, fraud or scam.

hearts on valentine's day

Love in All the Wrong Places: the Dangers of Online Dating

online dating can result in cyber crime or scams especially on valentine's day

As February 14th creeps closer, hype over finding a valentine is at its peak. But finding a significant other does pose more difficulty in this day and age with the rise of career-driven individuals, slaving away with the chaotic schedules of everyday life. Furthermore, with the digital world just an arm’s length away, it’s not surprising that many have opted to look for a match in cyberspace. The use of online dating apps has increased nearly threefold since 2013, and social stigma for online dating has largely subsided, with mentions in popular media and even attractive celebrity endorsements. But unfortunately, like any other new phenomenon, many fail to realize the security implications of finding love online.

The oversight is understandable as the desire for love and companionship often trumps over protective instincts, but with the increase of online dating also comes an increase in cybercrime. In the UK, as many as 350 online dating scams were reported monthly, with victims handing over not only their hearts but more than £39m to false lovers in 2016. There may be those who would be baffled by the enormous amount of money handed over to hackers and scam artists, but with love – anything is possible.

The Consequences of Finding Love Online

We’ve all heard of stories of someone getting “catfished,” when unsuspecting individuals may be lured by a fake online profile. The scammer could be using an attractive picture, extraordinary details, but suddenly disappear when the time comes to meet. Worse, they could extort money out of their innocent “catfish catch,” who being madly in love will gladly acquiesce to aid their partner.

But as scary as a “catfish” exchange may be, the consequences may stretch even further and deeper in cyberspace – as information can be transmitted across the world in just seconds. In 2013, Cupid Media, a media group housing over 30 online dating sites, had 42 million passwords in plain text taken from their server. While many of these passwords were taken from inactive accounts, the millions of members that were active users now have their personal information in the hands of hackers.

When Ashley Madison, a site serving as a platform for individuals looking for extramarital affairs and casual hook-ups, was hacked in the summer of 2015, many were harassed with ransom and blackmail threats to distribute their names, credit card information, and email addresses. The threats demanded payment – the alternative? All personal information and data on website activity would be openly displayed on a public website. Some paid up, and some didn’t – citing that information had already been leaked anyway.

Nevertheless, online dating can have dire consequences on both your wallet and ego. So for Valentine’s Day this year, while you don’t necessarily need to skip the web-browsing tango, take these tips with you to have a loving, safe February 14th.

1. Watch out for the telltale signs

Avoid the “catfish” traps. Blonde, loves sunsets by the beach, and has the body of a model? If someone looks too good to be true, it’s a real possibility that you’re talking to a made-up persona. Before you reveal your deepest and darkest secrets, check for inconsistencies throughout their profile. Even if it’s not a con-artist on the other side of the screen, it’s estimated that around one-fifth of all online daters have asked a friend or family member to help them “tweak” their profile

And with more than 60% percent of web traffic comprised of bots, it is not surprising to run into “chatbots” on online dating sites and apps. These chatbots are designed to simulate real-life conversation and can convince you to click on a link or give away personal information. The telltale signs include the “bots” responding suspiciously quickly, chatting  in an unnatural way or using weird syntax, or sending links without asking you.

2. No advance fees

No matter how in love you may be, don’t fork over the cash just yet. Once an online relationship has built a basis of trust, the requests for favors may start rolling in. Perhaps a loved one is having a medical emergency, or they’re a little short on rent that month.

After a certain, most likely pre-planned, amount of time has passed, the scammer may even ask you to wire some money to purchase a plane ticket… to finally meet. While some may be wooed by the idea of finally meeting in person – perhaps a safe way to respond would be to suggest that they borrow money from a family member or the bank.

3. Find a worthy website using a WAF service and encryption

Although the examples we’ve given so far may be on the scarier side, not all online dating sites are vulnerable. Especially if a company has taken the time to employ a Web Application Firewall (WAF) or WAF service, as well as encryption for their data, your personal information has less of a chance of being compromised.

Think this is a given? Many companies will keep their data in plain text out of sheer convenience – but they might have to face dire consequences. Don’t play with fire, and bet on a company that is transparent about their security practices. Better safe than sorry, especially when your future relationship is at stake.

4. Nothing’s as good as (secure) face-to-face

“Let’s meet in real life” are the words that an online lover might be impatiently waiting to hear. However, if you’re not feeling ready about a potential meetup – then be firm and put your foot down. If meeting in-person, meet in a predetermined and public location, never at home or in your office. Consider having a friend to be a “safe buddy” so that if things aren’t going well they will be on standby to get you out of a potentially risky situation.

Some might choose to “meet” via video chat programs like Skype or FaceTime. Even then, make sure to have a secure connection, turn off any kind of geolocation settings, and be on guard to not disclose too much about yourself.

The Future of Online Dating?

The majority of people will first think of the physical dangers of online dating. However, in this day and age, cybercrime can go a long way, and even faster at that. Be smart offline and online, but to not be a downer – keep your hopes up: 5% of Americans say that they met their significant other online, and with other statistics in the cyber realm, it seems like this number has nowhere to go but up.

Perhaps love is just around the website. And hopefully a secure one.

dark web

Which Industry Is Most Vulnerable To Hacks?

dark web

The Dark Web is a hacker’s playground.

Previously, we discussed the different industries that are targeted for DDoS attacks. Below, we’ll begin by pointing out some interesting industry facts… like which industry is the most vulnerable industry when it comes to hacking attacks. Then we’ll take a look at some examples of how hackers like to get creative with their revenue strategies.

Which Industry Is The Most Vulnerable Industry?

Research performed by a Korean media company last year suggests that corporate CSOs and security managers believe the finance industry needs information security the most. This is also supported by the fact that previously, financial institutions received the most cyber attacks compared to other industries.

Yes, we can all agree that financial firms are a valuable target to hackers. Credit card information, bank account information, etc. can result in money takeovers, thus resulting to secondary damage such as phishing and/or spam. However, many institutions that aren’t in the finance industry, and many small businesses in general, fall under the impression that they’re not a target at all for hackers and are not vulnerable.

ComputerWorld mentioned that a study performed just last year by Ponemon Research showed that a staggering 90% of businesses reported their organization’s computer had been breached at least once or more within the past 12 months. This study involved 583 businesses ranging from small organizations of 1-500 people to organizations with employees of up to 75,000.

Below are some more examples of how the finance industry shouldn’t be the main industry who try to protect themselves from cyber attacks.

Hackers: In It For The Money

The direct purpose of hacking is, of course, an exchange of money for data leakage. Recently, Hollywood Presbyterian Medical Center were demanded to pay $17,000 by malicious hackers using the ransomware hacking technique. After the hack, the hospital was forced be taken offline. They had to revert to using old-fashioned documentation techniques such as hand-writing patient details and surgical events.

Ransomware is usually a three-step process and begins in the email inbox of anyone under the use of the server being targeted. Often, the email will appear to be a legitimate bill. It provides a link that the reader will click out of curiosity.  The link leads to a Word document and once the readers clicks the “enable content” button, its game over and the hack is activated. It’s only able to be unlocked by a key that the hacker holds.

Not only did the hacker cause normal operations to stop, the hacker held valuable patient information and medical records. Hollywood Presbyterian Medical Center ended up paying the ransom, but fears of this happening again has escalated drastically.

Because a back-up plan and proper security precautions were not taken in the first place, this hospital now suffers from patients changing hospitals due to a questionable reputation.

Hackers going after financial value of the information are oftentimes involved with international crime groups, as it needs structural approach. That’s why their hacking method is daring and bold, and the damage can be easily numerically calculated which becomes big news on the media.

The Dark Web Market

In addition to ransomware, another financial incentive for hackers is the ability to sell information via the Dark Web. The Dark Web is essentially the black market of the internet. This environment is created through extremely sophisticated encryption and specific software only accessible to shared networks.

For example, when Korea’s Education Broadcasting company EBS’s database was leaked, one fourth of customer data was breached. Still, many didn’t appear to be too intimidated because EBS seemed calm due to customers’ SSN still being safe. Those victims thought that their information on education sites should be less dangerous than their information on bank sites. However, these individuals received spam messages such as ‘getting a quick degree’ or ‘attendees for new semester’ from private institutions and educational companies that may have purchased customer information via the Dark Web.

Another example would be when the Japan Pension Service got hacked and 1.25 million cases of personal data was leaked. This was due to one of their staff members improperly accessing an external email virus. The system’s president apologized for the leak that included names, identification numbers, birth dates and addresses. What’s interesting is that the police investigated hospitals, pharmacies, and pharmaceutical companies. Although the hacker was not identified, the police’s directions to investigate were smart. The leaked data could have been received by a hospital or pharmacy, and since past disease information can be seen, it’s possible to sell personalized medical products or run specific ads. Or, they can even find a relevant target audience for new medicine. Unlike credit cards, that can be unsubscribed or changed, medical records cannot change, so medical records are popular among hackers.

There’s No Such Thing As The Most Vulnerable Industry

Hackers sell the value of potential customers. Like the Korean Education Institution case, hackers were not interested in the SSN from the beginning. They went after the classes people took, their scores, interested subjects and other personal information. They wanted to know what these people’s interests were.

Although some information seems negligible, that information means a lot to some people who can gather a story from it. The hotel that someone stayed in, or the placed that someone ordered food can seem nothing. But it could be significant for related businesses. This is why small business that are very closely related to people’s daily lives are even more vulnerable, since these businesses hold very specific taste of users.

So be careful and stay safe no matter how big or small your business is. No matter the industry, we’ve seen evidence from 2016. It’s been an eye-awakening year for cyber security and personal data.

e-commerce-402822_1280 (1)

Holiday Cyber Security Tips – Santa, Sales… but what about Security?

From Black Friday to New Year’s Eve…

It’s that time of year again. Halloween is over and after the candy wrappers have been hidden and the costumes have gone on clearance, storefronts get ready for the holiday season. Starting with Thanksgiving and Black Friday, all the way to Christmas and New Year’s Eve, it’s a prime time to get your shopping done. In fact, statistics say that 19.2% of annual sales come from the holiday season. However, have you ever thought, “Wow, I’d really appreciate some holiday cyber security tips right about now!”…? Well, if you haven’t – you really should be.

e-commerce-402822_1280 (1)

It’s now easier than ever – shopping can be done at the click of a mouse or a touch of the finger on an iPhone. Nearly half of all shopping during the holiday season is done online – so you might not even have to face the horrid crowds of Black Friday. However, while you’re giddy about the possible steals, hackers might be celebrating for a completely different reason.

S is for Santa, Sale, and Security

40% of annual online fraud happens during the last three months of the year, according to Rurik Bradbury, a marketing executive at e-commerce security company Trustev. It’s an easy time to take advantage of customers who are eager to grab deals and get their Christmas shopping out of the way. Sales and Santa seem much more enticing than Security, and even the most security-conscious of people are duped into being carefree with their personal information.

However, we care about your security, so here are 5 tips to remember using SANTA during your shopping trips.

S – SSL?

To shop online, one must go to a website or a web application, so when connecting, make sure that you’re connecting to a site using SSL. SSL stands for Secure Sockets Layer, and it works by creating a secure connection through encryption.

How do you know the site you’re visiting uses SSL? Two steps: first, make sure that the url uses HTTPS and not HTTP (check in your browser bar), and second, see if your browser bar has a lock by the URL.

A – Ask the owner

Whether you’re shopping online or heading to some offline stores this holiday season, never hesitate to ask the owner or the site administrator about their security practices. Vendors are required to be PCI compliant if they’re handling payment of any kind – so make sure they can prove that to you as their valued customer.

N – No Wi-Fi

It might be tempting not to use any of your sacred cellular data when browsing through the store catalogs. However, make sure that you’re being careful with what network you are connecting to. Wi-Fi networks aren’t always secure and hackers can easily access personal or financial information on a public network.

T – Try Credit

While debit might seem like the safe idea to be financially savvy, to be security-savvy it’s a different issue. Credit cards are safer options because you don’t have to pay your bill immediately. This lets you as the buyer review what you’ve purchased. And fortunately many banks have fraud insurance so you’re not charged for some hacker’s wrongdoing.

A – Aim for what you know

Unfortunately, you could follow all these steps and still be vulnerable to attack. However, applying these steps and sticking to what you know can reduce your risks significantly. The holiday season isn’t the time to go to a website you’ve never visited before. It’s definitely not the right time to try a brand new payment method.

holiday cyber security deal for cyber monday by cloudbric gold signTake Charge of Your Holiday Cyber Security

It’s too bad that hackers take one of the happiest times of the year to try to wreak havoc on others’ finances and data. However, it’s best to be cautious so that your merriment won’t be disturbed.

To help your holiday season stay merry, here’s a bonus tip for you online site owners. Get a website protection service. And the great thing about the holiday season is that security companies are the most aware. They know the vulnerabilities of sites and the mischievous nature of hackers during the season.

Services like Cloudbric are offering one month of free service for its users. However, remember that it’s up to 100GB of traffic if you sign up on Cyber Monday. So take a cue and mark it on your calendar so you can spend your holidays worry free!

Happy (early) holidays!