Google data shows value of penetration testing and regular security audits

Alongside penetration testing and regular security audits, ensuring safe online browsing practices can be one of the best ways to ensure your business remains protected from external threats.

A new blog post published June 19, from Google principal software engineer Niels Provos, has confirmed just how many malicious websites are out there and posing a danger to internet users.

“We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users,” writes Provos.

“We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing.”

The new information has been released to mark the five-year anniversary of Google’s Safe Browsing effort, an initiative aimed at keeping users safe while they use the internet.

Malicious websites are often used to spread information-stealing malware, which can allow cybercriminals to access private information remotely, disrupt computer operations or track user activity online.

Google suggests that users who want to protect themselves from online threats pay attention to any official warning messages that pop up.

Furthermore, by selecting the check box that appears on the red warning page, people can assist Google by submitting information on potentially dangerous or unscrupulous websites.

Businesses concerned about the danger of online malware and viruses spreading onto company servers will want to ensure they are running up-to-date anti-virus software and regularly reviewing vulnerability management reports.

“The threat landscape changes rapidly. Our adversaries are highly motivated by making money from unsuspecting victims, and at great cost to everyone involved,” writes Provos.

However, Google has moved to reassure people that it will continue to invest in safe browsing and in maintaining internet security in order to deal with evolving cybercrime technology.

Lawsuit argues LinkedIn failed to meet vulnerability management obligations

Security breaches like the one that affected professional social networking site LinkedIn on June 6 can be costly, both financially and in terms of lost consumer confidence.

Penetration testing can often prevent such instances and help ensure your company is storing user information securely.

LinkedIn is now facing a class action lawsuit over the aforementioned incident, which saw cyber criminals hack its information database and release 6.5 million user passwords onto a Russian internet forum.

The lawsuit, filed in Canada, asserts that LinkedIn did not meet its obligations of vulnerability management, as it did not salt its passwords – a practice commonly considered standard industry protocol.

"Despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilise basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format," reads the lawsuit.

LinkedIn responded by arguing that no member accounts were breached and that no user has suffered any undue injury relating to the incident.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation," said LinkedIn.

LinkedIn could potentially find itself liable for $5 million in damages if the lawsuit is successful.

Security audit for commercial sites

A recent online security report notes that malicious programmers have begun targeting specific social websites for drive-by infections.

While in the past scammers would set up their own pages and attempt to drive traffic to them to gain control over a victim’s machine or network, there has been a shift in recent years towards compromising legitimate URLs.

According to the Malicious Code Trends section in Symantec’s Internet Security Threat Report 2011 – published back in April 2012 – approximately 61 per cent of all sites listed as containing shadowy programs are “actually regular web sites that have been compromised and infected with malicious code”.

The top five sites for these kinds of attacks are blogs, personal sites, business or economics pages, online shopping venues and educational references.

It could be that the largest of these – the blogs and personal communications sector at 19.8 per cent – are the least well defended because they tend to be utilised by their owners as a communications platform and journal rather than a money-making enterprise.

This theory seems to be backed up by the fact that the second-largest proportion of legitimate sites infected with malware is personal hosting services on 15.6 per cent – a result that seems to follow a noticeable trend.

It could be that the activities the pages are meant to support have a direct effect on the amount of effort that is put into ensuring their safety for visitors.

People who are in charge of commercial sites and sales channels – ten per cent and seven per cent respectively – are more experienced with controlling how their back end is accessed and how to defend against malicious activities.

The difference is that – while it is in everyone’s best interests to protect repeat visitors to online venues – commercial concerns simply have more to lose by allowing their customers and clients to suffer from their lack of in-depth vulnerability management schedules.

That being said, the fact is that 17 per cent of legitimate sites infected with malware belong to enterprises that either trade goods and services or relay economic and financial information to their customers.

This means that every incident of infection has the potential to disrupt their flow of income – be it from advertising revenue or customer transactions.

LinkedIn reassures users that their information is secure

Professional social networking site LinkedIn has moved to assure users that their information is secure, following a highly-publicised security breach earlier this month.

“By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorised website,” wrote LinkedIn director Vicente Silveira, in a blog post dated June 9.

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime.”

Silveira pointed out that no usernames were paired with the leaked passwords, and said that he had received no reports of accounts being breached as yet.

He also claimed that LinkedIn recently upgraded its security protocols. Stored passwords are now hashed and salted in order to provide an extra layer of protection, a commonly recognised best practice in the security industry.
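As an added illustration (not LinkedIn’s code or any code from the original post), the following shows why the unsalted SHA-1 storage described in the lawsuit is weak and what "hashed and salted" changes: with no salt, every user who picked the same password shares one hash, so a single precomputed table matches all of them at once. The post only says "hashed and salted"; the choice of PBKDF2-HMAC-SHA1 with a random 16-byte per-user salt and a fixed iteration count is this example’s own assumption, and the user table is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user table; two users happen to share a password.
USERS = {"alice": "password", "bob": "password", "carol": "correct horse battery"}


def unsalted_sha1(password: str) -> str:
    """The scheme the lawsuit describes: plain SHA-1 of the password.

    Equal passwords give equal hashes, so one precomputed table of common
    passwords matches every user who chose one of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Salted scheme. The post only says "hashed and salted"; PBKDF2-HMAC-SHA1
# with a 16-byte random salt and this iteration count is an assumption of
# this example, chosen because PBKDF2 also slows down offline guessing.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha1${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha1":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_unsalted(users: dict) -> int:
    """How many different hashes an unsalted table holds for these users."""
    return len({unsalted_sha1(p) for p in users.values()})


def distinct_salted(users: dict) -> int:
    """With per-user salts every record differs, even for equal passwords."""
    return len({make_record(p) for p in users.values()})


if __name__ == "__main__":
    print("unsalted distinct:", distinct_unsalted(USERS))  # 2 for 3 users
    print("salted distinct:  ", distinct_salted(USERS))    # 3 for 3 users
    rec = make_record("password")
    print(verify("password", rec), verify("Password", rec))  # True False
```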

Following the breach, many experts criticised the LinkedIn team for not taking more care in guarding user information.

LinkedIn has responded by pointing out that all compromised passwords were deactivated immediately and that all users whose information was put at risk have been contacted.

However, Andrew Conway, from security website CloudMark, is reporting that four per cent of affected LinkedIn users incorrectly marked that email as spam and did not follow the instructions it contained.

Even minor security breaches can have a major impact on a business’s reputation. Customers expect complete security when operating in the online environment and it is the responsibility of the company to ensure its private information is safe.

Penetration testing is often a good way to fully evaluate the security protocols that your business has in place, by finding any potential backdoors and access points before they are exploited by cyber criminals.

Blogger Vincenzo Cosenza recently released his world map of social network popularity, and found LinkedIn to be the second most popular online networking option in Australia, behind only Facebook.

Many people still don’t understand the importance of internet security

Recent security breaches at major websites like LinkedIn, eHarmony and LastFM have given us a timely reminder of the importance of having strong internet security practices in place.

Despite this, many people still show an alarming apathy for internet security and will often choose convenience over safety when it comes to securing their private information.

Last year, IT security consultant Mark Burnett set out to find the worst (AKA most common) passwords in the world by comparing 6,000,000 publicly available username/password combinations.

The word ‘Password’ was ranked first, while QWERTY took fourth place. Embarrassingly, the remaining entries in the top six were all ascending sequences of digits starting with one.

According to Burnett’s study, 91 per cent of users have a password that appears in his list of the top 1000.

This is concerning because the more commonly used a password is, the easier it is to guess. Essentially, anyone seeking access to private information can get into the majority of accounts simply by trying usernames in combination with those 1000 passwords.

Burnett recently posted a blog entry confirming that 93 per cent of the LinkedIn passwords leaked earlier this month were present in his top 1000 list.

This is despite the fact that many security firms have encouraged people to select secure and unpredictable passwords in order to prevent hackers gaining unauthorised access.

While there are unlikely to be many businesses out there with the password ‘123456’, the findings are still an indication of a lack of public awareness for the importance of good security protocols.

Anyone concerned that their procedures may not be up to scratch should consider a due diligence assessment in order to stay on top of the latest technological developments.

By undertaking a due diligence assessment, businesses receive a thorough evaluation of the strengths and vulnerabilities in their online security systems and can make any necessary adjustments required to reduce the risk of unwanted access.

Data breach highlights security risks

Data breaches can have devastating consequences – and one recent incident overseas has illustrated the extent of the damage this type of negligence can cause.

A security breach at one UK health trust has highlighted the importance of keeping data protected – and underscored the risks that enterprises of all types can face when they fail to do so.

The UK Information Commissioner’s Office (ICO) reported this week that one publicly-funded healthcare organisation inadvertently leaked the details of 59 palliative care patients to an external source over a three-month period.

This sensitive information, intended for St John’s Hospice, included details about the individuals’ family lives, their medical treatment and their instructions for resuscitation.

In March 2011, Central London Community Healthcare NHS Trust began faxing these details to the wrong recipient – with a total of 45 faxes sent over a three-month period.

In June last year, the recipient informed the healthcare provider that it had been receiving – and destroying – this sensitive data.

Checks carried out by the ICO revealed that there were insufficient measures in place to ensure that information was being correctly delivered to the right people, and as such, the healthcare body was fined a total of GBP90,000 (approximately $144,635) for the data breach.

Having the right security processes in place, according to the ICO’s head of enforcement, is essential – especially when it comes to protecting sensitive data such as medical records.

Stephen Eckersley said: “The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

While this incident occurred overseas, it serves as an important reminder of the consequences of data breaches – both from a financial standpoint as well as the damage to an organisation’s reputation.

Enterprises that deal with sensitive information – whether this is in the form of medical details, financial records or other personal information – may wish to have their security processes assessed through penetration testing.

This can help to expose vulnerabilities in your system before they are discovered by malicious parties, who can cause significant embarrassment, reputation damage and financial losses to your organisation.

If your business is also evaluating new technologies, you might want to arrange for a security due diligence assessment to be carried out. This can identify any compliance gaps and allow your decision-makers to make an informed choice about how best to proceed.

Patching routines examined by penetration testing services

Fake software updates have been identified as being pushed through free Wi-Fi in cafes and hotels – prompting security professionals to warn travellers to keep their software up to date before they head abroad.

An alert issued by the Internet Crime Complaint Center on May 5 said that recent intelligence operations by the Federal Bureau of Investigation (FBI) have uncovered malicious applications being spread through wireless connections in a range of hospitality venues.

According to the report, travellers attempting to access these Wi-Fi points have encountered a pop-up window that seems to be guiding them to update “a widely used software product”.

“The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” said the report.

On clicking the button to accept this ‘upgrade’, malicious programs would be downloaded and installed that could compromise the device’s integrity.

The report states: “The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.”

While regular audits and upgrades can help to make a difference in defending digital assets from outside intrusion, a penetration testing service can provide organisations with the insight and training they need to instil security-conscious behaviour in all travelling staff members.

Cyber attacks can have devastating healthcare consequences

An increased uptake in wireless technology has left some medical facilities – and their patients – exposed to new security vulnerabilities.

A new US report prepared by the National Cybersecurity and Communications Integration Center reveals that wireless medical devices (MDs) – which are connected to information technology (IT) networks – are creating new opportunities in this field, but are not without their risks.

Healthcare and public health organisations have much to gain from emerging wireless technology that allows for remote access – benefiting from enhanced operations, improved ease of use and rapid computing speed.

However, the report asserted, “the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern”.

Vulnerabilities in such wireless systems could have a number of dangerous consequences – ranging from vandalism and device reprogramming to the loss or theft of sensitive medical information, which can compromise patients’ personal privacy and result in identity theft.

Often, according to the report, these vulnerabilities can arise through poor security practices, misconfigured networks or errors made during the implementation or deployment of new technologies.

These can also occur through the increasing uptake of mobile devices and wireless networks.

Sometimes these technologies are so new that IT departments do not know how to secure them adequately or keep up with changing trends. Others fail to install the necessary updates to these systems, which can open them up to further risks later down the line.

Penetration testing is one strategy that can be used to identify these risks and can help businesses of all types – including healthcare organisations – stay on top of any potential operational weaknesses.

This type of testing can not only alert you to any potential security issues that could affect your business, but also the consequences – both operational and financial – of a malicious attack.

Penetration testing and ethical hacking change security culture

The protection of a firm’s information assets is not entirely the responsibility of a single individual or department – rather the onus is on the enterprise as a whole.

While the information technology officers certainly play a key role in ensuring that sensitive data is kept safe from misappropriation, a number of other factors come into play that can impact on their effectiveness.

This is because even the best infrastructure controls can be bested by an experienced group of hackers – all it takes is one weak link for them to get their hands on the details they need.

The fact is that without access to a weak password, unprotected database or open portal, most attacks are stopped before they can truly begin to gain momentum.

This makes the people hired by an organisation – as well as some of the more frequently-active stakeholders – the weak link in the chain, as it is their habits and activities that can potentially allow malicious parties to gain access to a network.

In a business where there is a weak sense of security consciousness, many employees may be unaware of how their actions can actively assist hackers in their attempts to uncover sensitive details.

On the same note, workers are also likely to be unfamiliar with the steps they can follow to inhibit unauthorised access beyond the obvious ones – such as not telling people their passwords.

To get the ball rolling towards creating a more security-conscious work environment, IT managers may want to look beyond the basics of repeated emails and the occasional lecture to a real-world demonstration.

Ethical hacking services can be directed to concentrate their attentions on particular departments or defences that may be flagged as potential targets.

Alternatively, a penetration testing team can be given free rein to use whichever methods they feel are effective to capture dummy data – or even the details of a particular office’s activities – in order to drive the message home to the people responsible.

Not only do these activities help to deliver a sound lesson on the kinds of measures that staff members need to take to protect their information from malicious activities, the reports generated by these teams can also go a long way towards shoring up any weak sections of the organisation’s internal defences.

In this way, IT executives can gain valuable insights into how their internal structures can be strengthened, while at the same time educating their colleagues on the importance of data safety.

Well informed staff members assist vulnerability management

Forward-thinking employers take the security of information assets as seriously as they do the protection of their commercial property and their staff members.

This is because – like other more tangible resources – the data collected and stored by a firm offers a range of value-adding opportunities that are unique to the business concerned.

Understandably this makes the collection and analysis of information from a range of sources a sound investment in future development – allowing managers to gain insight into market patterns and buyer behaviour that might otherwise slip by unnoticed.

Anonymous trend data in itself can seem fairly innocuous – after all, there are no names attached and the details used will be of little use to anyone outside the industry.

However, the proprietary nature of this information – or rather the planning resources it can provide – means that it can be a target for malicious parties looking to disrupt the organisation’s developmental capacities.

When these resources are combined with client details, account numbers or contact channels, the threat posed by the loss or misappropriation of these data stores grows even more.

This is because such attacks hurt not only the planning activities normally undertaken by managers but also have the power to damage the company’s hard-won reputation.

Moreover, should the details be made freely available there is a very real chance that valued customers and clients could become the unwilling targets of endless spam campaigns and social engineering attempts.

This is why it is a good idea for managers to ensure that staff members are well informed of the role they play in actively enforcing vulnerability management.

Professional security audits can go a long way towards ensuring that employees are aware of how their behaviour and routines can be tightened to ensure that breaches are less likely to occur.

In addition these professional teams are able to offer sound advice on measures that can be used to restrict unauthorised access should a gap in the defences become known – reducing the potential for damage to brand image.

When combined with other strategic moves – such as training sessions and proactive feedback initiatives – businesses are able to keep staff members informed of the role they play in managing data security while also allowing workers to contribute to the safety of proprietary information.

This engagement is perhaps the greatest measure of employee commitment – as they feel like a valuable part of a team that is working together, rather than viewing due diligence as a chore to be avoided.