The Internet of Things: Security vs. Convenience

In the past few years, we’ve seen the Internet of Things (IoT) take off, and there appears to be no slowing. A new report from BI Intelligence forecasts there will be 34 billion devices connected to the internet by 2020. Think: smart cars, fridges, thermostats, TVs, alarm systems and more. Simply put, this is the concept of connecting any device with an on and off switch to the Internet (and/or to each other).

Take the car industry for instance. We’ve seen a surge in new, connected functionality, like checking where your car is and how much fuel it has, and the ability to control its air conditioning remotely. While connecting our world brings added convenience to our everyday lives, it opens up a broader discussion around what we may be sacrificing from a security perspective.

Remember last year when cybersecurity experts Charlie Miller and Chris Valasek demonstrated that they could remotely hijack a Jeep’s digital system over the Internet? Well, they are back at it again, but this time, they bypassed a set of safeguards deeper in the vehicles’ networks. While patches have since been implemented, our very own CIO Adam Tyler reminds us in our latest Firewall Chats episode that these devices are exposed to the same risks we see with our laptops or smartphones.

“The fact that these devices are computers; highly advanced, highly intelligent, highly capable devices means that they run the same risks as those that we associate with our laptops and our phones,” Tyler said. “So just like exploits can be used to hack into your laptop, so too can these exploits be used to hack into these IoT devices.”

While the thought of a hacker gaining control of your fridge is perhaps less daunting than the idea of them taking control of your car, the reality is that these products may serve as a gateway to more sensitive information.

So what can you do to stay secure? First and foremost, consumers need to be aware of the risks associated with using these devices. Read the privacy policies to understand how your data is stored, collected and transmitted. If passwords are used on the device, be sure you’re creating strong, long and unique passwords. Apply software updates when available to patch security vulnerabilities in the same way you do with your smartphone or laptop.

Learn more about the IoT in our recent podcast, and be sure to weigh in on Twitter or Facebook with your thoughts on security and privacy risks associated with the IoT.

August 31st, 2016 | Online Safety

As Social Media Usage Soars, How Can Your Business Mitigate Risk?

The Internet is dominated by social media sites, and Ofcom reported in 2015 that 72% of adult Internet users had some form of social media profile.

People are using social media to tell the world who they are and who they work for, posing a risk of a data breach for businesses. IBM have stated in their 2014 Cyber Security Intelligence Index report that cyber criminals are targeting employees on social media sites in a bid to exploit the businesses that they work for.

Amidst all of this, what can you do to try and prevent your business being attacked?

Plan

Be sure to have a breach preparedness plan in place in case of a cyber attack. This plan can help keep customer relationships intact and reduce business reputation damage. CSID can guide you through the necessary steps to mitigate the effects of a data breach and provide comprehensive identity theft protection products for those that have been affected. We customize solutions to your level of risk, the type of data exposed, the severity of the breach and your budget.

Educate

As the saying goes, ‘prevention is better than a cure’. The same can be said about cyber attacks. Educate your employees and highlight the importance of digital security. Have policies and guidelines in place to allow employees to make secure decisions.

Do your employees have a VPN they can use if working in a public area? Are there guidelines in place if your employees use their own devices for work purposes? Are employees allowed access to social media whilst on work premises? Ensure you can answer these questions.

Teaching employees about the latest phishing scams, best password practices and social media risks can help them better identify suspicious activity both personally and within your business.

Insure

Cyber insurance coverage is just one piece of the puzzle when it comes to data breach mitigation, but a robust policy can help weather the storm in the event a data breach occurs.

According to leading global insurance companies, such as Beazley and PwC, the demand for cyber insurance coverage is expected to increase 300% by 2020. Most commonly, a cyber insurance policy can help businesses temper the costs of the following breach mitigation activities:

  • Reputation management post-breach – e.g. work with a PR agency
  • Legal costs, fines and compensation claims
  • Website reconstruction and intellectual property rights infringements
  • Network security liability such as damages for the loss of data on third-party systems
  • Service interruptions and related consequences
  • Notification of affected parties

We take a deeper dive into the topic of cyber insurance coverage in our recent podcast episode, where we sit down with Alessandro Lezzi from Beazley.

Do you want to share any of your best practice tips on how to stay safe online? Let us know on Facebook, Twitter or LinkedIn.

August 3rd, 2016 | Uncategorized

One of the worst habits of Internet users

How many online accounts do you own? Your banking account, your shopping account, your smart phone account, the pizza delivery service… the list goes on.

It’s likely each one of these accounts requires a username and password. Unless you have a superhuman memory, you’ve probably reused the same account credentials across several of them. This is one of the biggest mistakes that you can make online, and it can leave you — and the businesses you patronise — incredibly vulnerable to cyber attacks. Here’s why.

Say a hacker gains access to your online account with your hairdresser. You may not care if he knows about your appointment for a cut and blow dry at 10am on Friday with Emma, but he does care about the account credentials that he’s now in possession of. If you have used the same password for another online account that stores more sensitive information, such as your online banking account, he can now find out a lot more about you than just your hair preferences, and use that information as he pleases.

How does this common bad habit affect the businesses you patronise, or your place of work? If employees utilise their work credentials on personal online accounts and reuse the same credentials across multiple accounts — and one of those accounts is hacked — a business can be left exposed.

Besides kicking that nasty habit of account credential reuse, one of the easiest ways to reduce your online vulnerability is to utilize strong, unique passwords across your online ecosystem.

For the strongest passwords:

  • Make sure your combinations are at least 12 characters long, and are a cryptic combination of letters and numbers.
  • Take care to avoid your name, birthday, or pet’s name.
  • Create a unique password for each site.
  • Change your passwords a few times a year, and especially after being notified of a breach.
  • Implement two-factor authentication for sites whenever possible.

For more on this topic, listen to our latest podcast here or download our white paper, “Mitigating the Risk of Poor Password Practices,” here.

June 8th, 2016 | Uncategorized

Why is cyber crime everywhere nowadays?

Cyber crime is no longer a cottage industry like it once was. You don’t need thousands of pounds to afford malware software. You don’t need specialist knowledge. You don’t need to be part of a massive criminal organisation.

Cyber crime has hit the mainstream and is now one of the biggest risks to businesses and individuals. The rise in commercial cyber security businesses and packages is a very visible sign of this.

The Financial Fraud Action group UK estimates that financial fraud cost the UK nearly £755 million in 2015, which is an increase of 26% on the previous year. The fraud prevention organisation Cifas state that 125,000 individuals were affected in 2014.

But why are we seeing this increase?

It’s simple. In the same way that music or film piracy has become mainstream, so has the software needed to carry out fraud attacks on your data. The malware software used to cost thousands of pounds but can now be found for free. Forums and YouTube videos are easily accessible with instructions on how to carry out attacks. It has become easy to access software and information for anyone whether you are seven years old or 70.

The news is littered with new breaches on a daily basis. One of the biggest breaches in the past 12 months was TalkTalk. We saw TalkTalk compromised last year by one individual who accessed the data of thousands of UK consumers. This attack was allegedly carried out by someone with limited cyber fraud knowledge or experience.

Medium-sized businesses have become targets of a new type of attack called ransomware. This is a type of malware software that is installed onto a computer without the user’s knowledge. It then infects the system and restricts access, demanding a ransom from the user before the restrictions are lifted. It is a lucrative business, and it is surprisingly accessible and easy to use.

Smaller businesses also experience this risk as they struggle to afford the security infrastructure that larger organisations like the banks can. Lots of these smaller businesses do not think that they carry interesting enough information for attackers, but these attackers are not fussy. They treat every hack as a win. It is a game and one we need to start getting better at winning.

Find out more on our podcast here.

What is the ‘Industrialisation of Cyber Crime’?

Cyber crime was once a cottage industry of career criminals who had the specialist knowledge, time, money and bespoke software to carry out attacks. However, it has recently developed into a growing industry that anyone who wants to can join very simply.

Here at CSID we have called this growth the ‘industrialisation of the cyber threat’ as it moves from the darker hideouts of the web to the more mainstream places.

Alongside this growth, we have also seen the regulatory environment of cyber security develop as businesses and individuals become more aware of the risk of this industrialisation.

Over the next couple of months, we will investigate the reasons behind this growth and what risks it poses to both individuals and businesses on the blog. We will also be discussing how we can protect ourselves and what the future may hold.

You can hear CSID’s Managing Director Andy Thomas and myself discuss cyber security changes over the past ten years on the first of our two-part podcast on the industrialisation of cyber crime here. Looking forward to sharing more of our thoughts with you soon!

2016: Mobile, IoT Threats on the Horizon

Last week we recapped the big happenings of 2015 for CSID. This week, we’re switching gears to look ahead to 2016 and the trends we expect to dominate in the year to come.

All eyes on mobile
The rise of mobile payments (and recent participation from major players like Apple, Android and financial institutions like Chase), has made mobile a more attractive target than ever for cyber criminals. We expect that fragmentation, especially within the Android ecosystem, will exacerbate the problem, as different manufacturers are running multiple versions with no agreed-upon update system. This is an increasing problem particularly in the developing world where consumers are using older devices that are no longer supported by the manufacturer and as a result, no longer receive the critical patches and updates to address security flaws.

Additionally, as we look to the future, mobile attacks will be simpler than ever to implement. Just one example of this that we saw in 2015: the iOS text crash, where victims were infected just by opening a multimedia message (MMS). In 2016, we’ll see a rise in these simply orchestrated, yet impactful attacks on mobile devices.

Macs no longer immune to attack
While once seemingly impossible to penetrate, Macs will become the victim of increased focus from cyber criminals as they continue to gain popularity.

A recent report from Bit9 and Carbon Black states that 2015 was the most “prolific year for Mac malware in history.” Specifically, the report suggests that the OSX malware during this past year was a staggering five times more prevalent than the past five years combined.

It’s clear that Mac OSX is now a platform that we need to be concerned about. We’re no longer living in days where we can opt out of OSX updates and not worry about the materials we download. We’ll need to exercise increased caution across all of our devices in 2016.

The dark web as marketplace of ideas will exacerbate attack reach and impact
More than ever, we’ll see cyber criminals using the dark web to share tips and tricks amongst each other, making advanced threats and attacks more accessible to general users. With this, we’ll also see a rise in younger, less experienced, and non-traditional cyber criminals orchestrating attacks. The National Crime Agency recently reported that the average age of a cyber criminal has dropped to just 17 years old.

Malvertising and drive-by downloads will increasingly deceive users
We’ll see a rise in malvertising on legitimate, credible sites – like Forbes, BBC, and other top tier sites – that are sourced by external adware networks.

Malvertising, which takes the shape of seemingly innocuous ads on the internet, will infect users’ devices if clicked. What’s more, drive-by-downloads, which require a user to just visit a website to infect their device, will grow in popularity and be spread through MMS.

Internet of Things players will need to prioritize security
We’re seeing the Internet of Things (IoT) continue to gain momentum as more and more connected devices are brought to market. In 2016, developers will need to make security a priority. Even seemingly benign devices (like your connected refrigerator or thermostat) can serve as a pathway into your most sensitive information.

Vulnerabilities in in-car entertainment systems earlier this year demonstrated how hackers could, somewhat easily, take control of the car’s steering, brakes, and other vital features. In 2016, we’ll see an increasing focus on the security of the IoT, which may cause a shift in priorities at the product development level.

Keep an eye out for these trends in our “click-to-reveal” series on Twitter and stay up to date with the latest CSID news by following us on Facebook and LinkedIn.

December 21st, 2015 | Industry News

Understanding the IoT Convenience/Security Tradeoff

If you’ve been to a music festival recently, you may have noticed something convenient about your wristband. Sure, it serves its main purpose of getting you into the event, but with recent technology, it now has the capability to do quite a bit more.

Take for instance Austin City Limits music festival, which took place last weekend and will run again this coming weekend here in Austin. Festival-goers have the opportunity to load their credit card information onto their wristband either online or via the mobile app to alleviate digging around in their bag or wallet in the middle of a busy crowd. Simply hold the chip in your wristband up to the POS reader on the vendor’s iPad and voila! You’ve paid for your drink, snack, or souvenir.

Sounds convenient, right? But consider this: As you exit the festival, there are people lined up, eager to buy your wristband from you. Sell it, and it won’t take much for the person to gain access to the personal information associated with the wristband and your credit card info. It would just be a matter of cracking the four-digit PIN that you set up when registering your wristband.

This is just one case to consider, which opens up a broader discussion around what we may be sacrificing from a security perspective in the era of wearables and the Internet of Things.

Wearables, particularly fitness bands, have taken off in the past few years. PwC recently reported that more than 20 percent of U.S. adults already own at least one wearable, and that there will be as many as 50 billion new connected devices by 2020. What users may not realize is that wearable tech creates a new opportunity for a massive quantity of private data to be collected – with or without the user’s knowledge.

Symantec threat researcher Candid Wueest recently shared with Wired that it’s not so much about the level of danger people put themselves in wearing wearable devices, but more about the fact that at this point, developers are not prioritizing security and privacy. From his research, Wueest found that some devices sent data to a staggering 14 IP addresses. During his demonstration at Black Hat, Wueest identified six Jawbone and Fitbit users in the audience, showing how easy it was to find users’ locations, and specific details down to the time they left or entered the room.

But is it the wearable itself that poses the actual security threat? Gary Davis of Intel has explained (and we agree), that the weakest link is actually a user’s mobile phone, not the wearable itself. Most wearables link to your mobile phone, which, in comparison to the wearable device, hosts an exponentially greater amount of data, making it an irresistible target for hackers.

Before you cancel your order on that new fancy fitness tracker, keep this in mind: There are a number of simple, common sense steps you can take in order to protect your data. Consider buying a wearable that comes equipped with remote-lock capabilities, so that you can lock or erase its data if it is stolen. Also, as always, use a password to protect your device, use biometric authentication whenever possible, and keep an eye on user reviews online.

Stay tuned to the blog for more cybersecurity news throughout National Cyber Security Awareness Month. Share your thoughts with us on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

October 8th, 2015 | Identity Protection, Industry News

Industry News Recap: Connected Automobile Security

Two weeks ago we published a blog on security in the Internet of Things, part of which addressed recently uncovered vulnerabilities in automobile software. Since that time, concerns about cars and cybersecurity have remained in the news.

Hacked cars have made headlines before, but the issue was recently thrust back into the spotlight when white hat hackers Charlie Miller and Chris Valasek revealed a flaw in Chrysler’s Uconnect system. The flaw allowed them to steer the vehicle, change its speed, disable the brakes and shut off the engine as it sped down a highway – all from the comfort of their couch. The two described the hack as “fairly easy” and “a weekend project.”

An article in Wired covered this demonstration in detail and included the fear-inspiring conclusion that if this flaw is not fixed, “the result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.” Days later, Tesla Motors was featured in a similar story, a sign that the auto industry’s connected cars are just as vulnerable to breach as our other Internet-connected devices.

There has been an evolving conversation around car security. As a result of Miller and Valasek’s research, Chrysler issued a recall on more than a million vehicles. Meanwhile, according to Dark Reading, “the automobile industry at large began to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features.” Dark Reading also published a list of the world’s most hackable cars, while security influencers began weighing in on the best ways to reduce car hacking threats.

As of September, the ongoing conversation has yielded some promising progress. Miller and Valasek announced that they are joining Uber’s Advanced Technologies Center “to continue building out a world-class safety and security program at Uber.” Intel, a company with plenty of clout in the auto industry, also recently published a “Best Practices” white paper, providing recommendations for automakers to outfit their vehicles for privacy and cybersecurity “in the era of the next-generation car.”

The bonus of all the attention on car security? IoT security as a whole has been given more attention. Cars have not only pushed the Internet of Things forward, they have also reminded the world that as soon as anything is connected to the Internet, it becomes vulnerable to external parties.

Let us know what you think about security and the IoT on Twitter and Facebook. Be sure to check out our Tumblr for the latest industry news stories.

September 30th, 2015 | Industry News

Why CSID is One of the Six Breach Notification and Response Services that Matter Most

In Forrester Wave’s latest report, CSID was identified as one of the top breach notification and response service providers in the market. In the report, six companies were rated on a variety of skills and services, including strategy, offerings, and market presence.

CSID was announced as a strong performer in the space. We are proud to be a recognized leader of global identity protection and fraud detection technologies, tailored for businesses, employees, and consumers. Our products are designed to help safeguard individuals and enterprises, and range from credit monitoring and identity theft insurance provided under policies issued to CSID, to full-service restoration and proactive breach mitigation.

The market is constantly growing and fluctuating with each new breach, malware release, and privacy legislation debate. To remain ahead of changing trends and digital threats, CSID provides unique services to help companies and consumers mitigate their risk.

Identity Management Center
Our fully hosted and managed white label identity protection portal is a welcomed feature for companies. The IMC can be easily tailored to a company’s brand and style needs, and allows the company to have an unrivaled suite of identity protections services to market to their consumers. The management center is seamlessly connected to CSID’s technology suite, and includes enrollment, billing, product selection and migration, and alert and report generation.

CyberAgent
Another service that CSID provides is CyberAgent, our proprietary technology that is designed to proactively detect sensitive stolen information and compromised data online. This feature is the only identity monitoring solution designed on an international level to help keep individuals and companies alert to all malicious global activity. CyberAgent provides consumers the ability to react quickly, and take added precautions to protect themselves if needed.

Social Media Monitoring
This fall we debuted CSID’s Social Media Monitoring, a new service that alerts social media users of privacy and reputational risks on any of the four major social networks – Facebook, Twitter, LinkedIn, and Instagram.

The service alerts a user of instances where they are sharing personal information via their social networks which may expose PII and put them at risk for identity theft. It can also alert users of content found within their social network profiles that may damage their reputation, like foul language, sexual content, and drug and alcohol references.

These are just a few of the unique services that position CSID as a leader in the breach notification industry. To learn more about all our services and capabilities, please visit: csid.com.

September 23rd, 2015 | Company News

Securing All the Things: IoT Myths and Realities

The Internet of Things isn’t a new concept – but it’s certainly one that has gained momentum, particularly within the last year. Recently, we’ve seen more and more connected devices come to market. While connecting our world may bring added convenience to our everyday lives, it’s important to question what we may be sacrificing from a security perspective.

Back in April, news broke around a software glitch that enabled hackers to take control of a Jeep Cherokee while on the road. Cybersecurity experts Charlie Miller and Chris Valasek, working from laptop computers at home, were able to break into the Jeep’s electronics through the entertainment system. The experts were then able to change the speed of the vehicle, alter its braking capability, and manipulate both the radio and windshield wipers. The two described the hack as “fairly easy” and “a weekend project.”

It was recently discovered that not even Tesla Motors is immune to being hacked. This, again, was an attack orchestrated through the car’s entertainment system, though it took closer to a year to pull off. Researchers were able to apply the emergency hand brake, remotely lock and unlock the car, and control the touch screen displays. There is good news – Tesla has already developed a fix, which has been sent to all of the affected vehicles.

Something rarely discussed that warrants consideration from both security professionals and consumers alike is the danger brought on by seemingly innocuous connected products (think: “smart fridge” or “connected toaster”). While the thought of a hacker gaining control of a refrigerator is perhaps less daunting than the idea of them taking control of your steering wheel while on the highway, the reality that these products may serve as a gateway to more sensitive information is something that cannot be ignored.

Just a few weeks ago, a team of hackers uncovered a man-in-the-middle vulnerability in a Samsung smart refrigerator that showed it could be exploited to steal Gmail users’ login credentials. What’s most concerning about this is that hackers were able to access a sensitive network, containing users’ personally identifiable information, through hacking into the refrigerator.

There has been a lot of fear around smart medical devices – but this is one area that may be considered more IoT “myth” than “reality.” Most medical devices don’t currently appear to be connected to the Internet, but rather through Bluetooth. Additionally, because most medical appliances are smaller scale, it’s virtually impossible to integrate a mobile phone connection into devices of this size. Consumer fears around having cellular waves inside the human body have also kept these devices from operating on a mobile phone connection.

Fears around connected smart watches may also be considered an IoT “myth,” at least at this stage, as most are not directly connected to the Internet. That being said, last month HP did discover some major areas for concern, finding that most smart watches did not have two-factor authentication, were vulnerable to man-in-the-middle attacks, and had poor firmware updates.

It’s an interesting debate – and one that will undoubtedly continue as more companies introduce products to compete in this space. What do you think about security risks with the Internet of Things? Weigh in with us on Twitter and Facebook. Be sure to check out our Tumblr for the latest industry news stories.

September 4th, 2015 | Uncategorized