
Equifax will be first of many victims of Apache Struts vulnerability, says cyber specialist

PATCHING PROBLEMS

Equifax is probably just the first known victim of a software vulnerability that could take years to remedy, a top cyber expert has warned. Credit monitoring company Equifax recently revealed that hackers gained access to names, social security numbers, dates of birth, addresses and driver's license numbers of 143 million Americans between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Traced to a vulnerability in a web app framework called Apache Struts (CVE-2017-5638), the Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed the personal data of 80 million people. While it isn't the biggest data breach in history (Yahoo claims that mantle), it could be the most damaging, because the data stolen is routinely used to verify people's identity by banks and other institutions. A patch for Apache Struts, a commonly used open source component used by companies to absorb and process data, was apparently available at the time of the breach.

Unpatched systems

According to Flexera's Vulnerability Review 2017, patches were available at the time of disclosure for 81% of the vulnerabilities in 2016. The WannaCry attacks in May also exploited unpatched systems, which hackers can do faster than organisations can patch them up. "Equifax is probably just the first known victim," said Jeff Luszcz, vice president of product management at Flexera, which provides tracking for open source components, vulnerability intelligence and tools to simplify remediation. "Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months and potentially years to come, as we still see attacks targeting Heartbleed, a vulnerability more than three years old."

Offering tips on how organisations can protect themselves, Kasper Lindgaard, senior director of Secunia Research at Flexera, said: "Patching this type of vulnerability is certainly not as simple as patching a desktop application. When it comes to vulnerabilities affecting the software supply chain, it's important to align software design and engineering, operational and security requirements. This isn't an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7, up to two months before the first reported unauthorised access at Equifax, and the further delay of the actual detection of the breach on July 29 currently indicate that the vulnerability was not handled with the priority that it should have. This is a common issue across industries that business leaders need to address sooner rather than later."


Three data breaches that should alarm the healthcare industry

Recent data breaches from the past several years seem to be following a trend. More and more target health service providers, and it's little wonder why. Few industries regularly hold as much sensitive data as the health industry.

Everyone, including researchers, insurance providers and doctors, keeps not only sensitive health information, but also billing data and unique identifiers, such as social security numbers. While plenty of legislation aims to provide extra protections for patient data, the fact is that anywhere there are humans, there will be errors. What happens in the doctor's office may not be as confidential as we all hope. Here are three of the most recent data breaches in the health industry.

Anthem Blue Cross Blue Shield

This disaster was one of the biggest data breaches of 2016. The health insurance company is one of the top Medicare providers and partners, and in July it announced a breach of Medicare members' data. Over 18,000 Medicare recipients received notification that their data was no longer secure. Retirees and the elderly have always been a favourite target for spammers and fraudsters. This breach increases their risk significantly.

According to Anthem, the attack came through one of their vendors, LaunchPoint Ventures.

Indiana Medicaid

Due to an oversight, Indiana's Health Coverage Program left an active hyperlink open that gave direct access to Medicaid recipients' information. This data breach revealed full names, addresses, Medicaid ID numbers, doctor information, patient numbers and more. The state of Indiana had over one million people enrolled in its Medicaid programme this April, and the information was available starting in February of this year. The hyperlink was available to the public, so it's difficult to say who had access to the information. Fortunately, Indiana's Health Coverage Program believes the breach has caused no damage to patients. They have offered all notified individuals a free year of credit protection, however, just to be safe.

Washington State University

This April, Washington State University discovered that a hard drive containing sensitive information concerning survey participants had been stolen. The hard drive was kept in a locked safe, but the safe itself was stolen from storage and has not been found.

Approximately one million individuals may be compromised by this breach. Most survey participants provided names and social security numbers, which are a valuable prize for identity fraudsters. Some participants' health data may also be jeopardised. Although there is no sign of the stolen hard drive or its protective safe, WSU has notified all parties put at risk by the breach. Like Indiana's Medicaid programme, WSU has offered a year of free credit monitoring for every notified individual. The university is also taking measures to upgrade and strengthen security procedures to ensure this kind of incident does not happen again. Unfortunately, these three examples are only the tip of the iceberg. New reports and notifications keep hitting the news. Even doctors aren't safe from ransomware.

Ultimately, there is little patients can do to protect themselves, and the burden of responsibility falls heavily on the healthcare industry itself.


Equifax hack exposes limitations of authentication based on personal information

Cybersecurity

Credit monitoring company Equifax has revealed that the personal data of around 143 million Americans has been stolen. The files, which included names, social security numbers, dates of birth, addresses and driver's license numbers, were accessed by criminals between mid-May and July of this year. Credit card numbers for about 209,000 US consumers were also accessed.

Three senior executives sold shares in the company worth almost $1.8m after discovering the breach but before making it public. Inevitably, the share price has tumbled following the announcement. Ines Gutzmer, head of corporate communications for Equifax, insisted that chief financial officer John Gamble, president of US information solutions Joseph Loughran and president of workforce solutions Rodolfo Ploder had no knowledge that an intrusion had occurred at the time they sold their shares. The Equifax breach is the biggest-ever theft of social security numbers, eclipsing the 2015 hack at health insurer Anthem Inc that exposed personal data of 80 million people. The latest hack exposes 143 million Americans to the risk of identity theft and fraudulent transactions carried out in their name. While it isn't the biggest data breach in history (that honour goes to Yahoo), it could be the most damaging, because the data obtained is routinely used to verify people's identity by banks and other institutions. "On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do." Two of Equifax's competitors, Experian and TransUnion, will be affected too, since they hold virtually the same data held by Equifax.

Ridiculous

Ryan Kalember, from cybersecurity company Proofpoint, told the Guardian that the breach has "really called into question the entire model of how we authenticate ourselves to financial institutions".

"The fact that we still use things like mother's maiden name, social security number and date of birth is ridiculous." Richard Smith, Equifax's chairman and CEO, said: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations." Senator Mark Warner, vice-chairman of the senate intelligence committee, has urged Congress to reframe data protection policies in such a way that businesses have "fewer incentives to collect large, centralised sets of highly sensitive data". Equifax also reported fraudulent and unauthorised access to the financial files of four high-profile individuals in 2013, with Paris Hilton, Michelle Obama, former FBI director Robert Mueller and former US attorney general Eric Holder rumoured to be involved. Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: "Now cybercriminals have a great wealth of opportunities to conduct spear phishing, fraud, identity theft, impersonation and social engineering attacks against the victims of the breach. We should be prepared for a skyrocketing number of attacks targeting not only the victims, but their relatives, employers and partners. The breached database will likely be shared among various cyber gangs, exacerbating the damage. It's a very colourful, albeit very sad, example of how a vulnerability in a web application can lead to disastrous consequences for an entire company, its customer base and far beyond.

"Today, almost any critical data is handled and processed by web applications, but cybersecurity teams still seriously underestimate the risks related to application security. Most companies don't even have an up-to-date application inventory. Without knowing your assets, you won't be able to protect them. Many global companies still rely on obsolete automated solutions and tools for their application security, while cybercriminals are already using machine learning in their attacks, when targeting and profiling the victims for example. Last but not least, such a delayed public disclosure of the breach is quite dubious. Probably the disclosure was reasonably postponed in the interests of investigation, but it still could endanger the victims. Most important now is to make sure that we do not underestimate the scale of the breach, and have properly identified every victim and the integrity of data that was stolen." Equifax says it discovered the hack on 29 July. The Atlanta-based company has set up a website where people can check to see if their personal information may have been stolen.

Consumers can also call 866-447-7559 for more information. Equifax is offering customers free credit monitoring using its own breached service.


Online security threats you need to protect your business from

Cyber criminals are continually coming up with newer, more sophisticated ways of attacking businesses, which can make it hard to stay protected from the latest threats. The role of the web in running a business is also increasing, giving criminals more potential targets. According to 2017's Cyber Security Breaches survey, 85% of businesses now have websites, 59% have social media pages and 61% hold personal customer data electronically.

The survey found that nearly half of all UK businesses were hit by a cyber attack in the past year. The consequences of such attacks ranged from websites being taken down and software being corrupted, to loss of access to third party systems the businesses relied on. The data held by retailers is making them a prime target for hackers, and the number reporting data breaches has doubled in the past year. While there are numerous types of online attacks, the following are some of the most common ones your business needs to be protected from.

Ransomware

The cyber attack on the NHS in May brought ransomware to the attention of many people who may previously never have heard of it. Such attacks either completely lock users out of their computers, or encrypt their information, and demand payment in order to restore access. For the attackers to gain access to your system, someone usually needs to download an infected attachment, or click on a link.

How to protect yourself

To begin with, employees need to be taught to be wary about emails from senders they don't recognise. It's impossible to guarantee you'll never fall victim to such an attack, so you also need to back up your data.

This means you won't have to experience significant downtime, which can affect your business operations.

Phishing

Phishing attacks send out emails designed to trick the recipient into revealing sensitive information, such as passwords or personal details. Criminals then use these details for further crimes, like identity theft. Fraudulent emails are the most common type of attack experienced by businesses in the UK.

How to protect yourself

Employees need to be educated about the risk of sharing sensitive information online. Rather than calling the phone number given in such emails, or clicking the web address, it is best to find out such information yourself to ensure it is legitimate.

CEO fraud/whaling

Unlike other attacks which target users en masse, whaling or CEO fraud is designed to hit specific companies. The attackers spend time researching their victim and gathering information they can easily find online. They use the information to impersonate senior executives at companies and send out emails in their name.

They'll then ask for large sums of money, or sensitive information.

How to protect yourself

Intelligent email security can be used to check if emails are from a genuine source. Employees also need to learn to look out for telltale signs an email may not be genuine, such as a slight alteration in the format of the email address. Hackers sometimes simply add an extra symbol or letter to the real email address. Sensitive requests should also be verified via another channel before they are authorised. Simply calling the email's sender to confirm the request is enough to identify such attacks and prevent huge losses to your business.

Malware

Malware is an umbrella term for several types of attacks including viruses, worms and trojans. Viruses can be sent via emails, or automatically downloaded when you visit an unsecure website. They replicate themselves and spread through computer networks where they cause damage to files, or even allow criminals to access your computer.

Worms exploit security vulnerabilities in operating systems and can give attackers the ability to remotely control your computer. They can do this to several computers, which they then use to create a network to carry out further attacks like distributed denial-of-service attacks. DDoS attacks are used to overwhelm websites and cause them to crash. You may not know you've been infected with a worm or virus until your computer begins to slow down or programs start to crash repeatedly. You can also be unwittingly infected by trojans, which infect your computer by getting you to download software which appears to be legitimate.

How to protect yourself

Installing security updates and patches to operating systems and software is crucial to remaining protected from such attacks. Firewalls and anti-virus software can also be used to prevent criminals from infecting your computer. If you're unsure about a website, look for the HTTPS letters at the start of the URL, which indicates it meets certain security standards.

Password attacks

Guessing passwords is another incredibly common way attackers can gain access to your business.

Password cracking software can be used to go through all the words in the dictionary and any common combinations. It can run through thousands of combinations in seconds, which means even if you only disclose partial information you'll make their job easier.

How to protect yourself

Strong passwords need to make use of a combination of letters, numbers and symbols which don't make up a word or use an obvious date like a birthday. A good way to set a strong password you'll remember is to use the first letter of each word in a phrase. Always change the default password you get for any system, and limit the number of unsuccessful login attempts someone can make.

Security essentials

Antiviral software, firewalls and backing up data are just some of the fundamental security measures you need in place. It's best to have several layers of cybersecurity, which use a number of methods to protect your business. In many cases, humans are the weakest link, so you can achieve a lot by training staff in cybersecurity. The Cyber Essentials scheme addresses the most common online threats, which use widely available tools and require little skill.

The government-endorsed scheme focuses on ways to protect yourself from hacking, phishing and password guessing, and is a good way to ensure you have the essential security controls in place.
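The lookalike-address check described in the CEO fraud/whaling section above, as an added example that is not from the article: it flags senders whose domain is within a couple of edits of the company's own domain (an extra letter or symbol, a swapped character) and external senders whose display name claims to be an executive, so the message can be verified over another channel before anyone acts on it. The trusted domain, executive names and sample messages are all constructed.

```python
"""Lookalike-sender check for CEO fraud / whaling mail.

Added example, not from the article. The trusted domain, executive names
and the sample messages are all constructed for illustration.
"""

# Constructed: the organisation's own mail domain(s) and the executives whose
# names fraudsters would most likely borrow for a display name.
TRUSTED_DOMAINS = {"example-corp.com"}
INSIDER_NAMES = {"Jane Doe", "John Roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain names, so the
    O(len(a) * len(b)) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased so a capital I standing in for l
    is compared as the lookalike it is."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """'trusted' for the company's own domain, 'lookalike' for a domain within
    max_edits of it, otherwise 'external'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) <= max_edits for t in trusted):
        return "lookalike"
    return "external"


def flag_messages(messages, trusted=TRUSTED_DOMAINS, insiders=INSIDER_NAMES):
    """Return (subject, from, reason) for every message that should be verified
    over a second channel: lookalike sender domains, and external senders whose
    display name claims to be an insider."""
    flagged = []
    for msg in messages:
        verdict = classify_sender(msg["from"], trusted)
        reason = None
        if verdict == "lookalike":
            reason = "sender domain is a lookalike of a trusted domain"
        elif verdict == "external" and msg.get("display_name") in insiders:
            reason = "display name claims an insider but domain is external"
        if reason:
            flagged.append((msg["subject"], msg["from"], reason))
    return flagged


# Constructed sample messages: one genuine, two lookalike domains, one
# free-mail account using an executive's name, one ordinary supplier.
SAMPLE_MESSAGES = [
    {"display_name": "Jane Doe", "from": "jane.doe@example-corp.com",
     "subject": "Board pack for Thursday"},
    {"display_name": "Jane Doe", "from": "jane.doe@example-corps.com",
     "subject": "Urgent wire transfer"},
    {"display_name": "Jane Doe", "from": "jane.doe@exampIe-corp.com",
     "subject": "Need payroll data today"},
    {"display_name": "Jane Doe", "from": "jane.doe@webmail.example",
     "subject": "Are you at your desk?"},
    {"display_name": "Acme Supplies", "from": "billing@vendor.example",
     "subject": "Invoice 1042"},
]

if __name__ == "__main__":
    for subject, sender, reason in flag_messages(SAMPLE_MESSAGES):
        print(f"VERIFY: {subject!r} from {sender}: {reason}")
```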


Virgin Trains had legitimate interest in publishing Corbyn images, rules ICO

data protection

Virgin Trains did not breach data protection laws by publishing CCTV images of Jeremy Corbyn as he searched the company's train carriages in search of a seat, the Information Commissioner's Office has ruled. Such an action would ordinarily be in breach of the law, said the ICO, but Virgin had a legitimate interest in releasing the footage to rebut news reports that the Labour leader had been unable to find a seat. Richard Branson, founder of the rail operator, had tweeted out the footage, which was captured on one of his trains on 11 August 2016, to prove that spare seats were in fact available, contradicting the Labour leader's assertion that the train was "ram-packed".

Photo: Virgin Trains under CC3.0 licence

Corbyn was sat on the floor of the train when he made the comment, which was captured by a filmmaker accompanying him during his campaign to retain the Labour leadership. Countering Branson's tweet, Corbyn said he had been unable to sit with his wife, and that he was only able to sit later because train staff had upgraded another family to first class. Virgin Trains did not entirely escape censure. The ICO found that the rail operator did breach the data protection rights of several passengers whose faces it had failed to pixellate.

Misleading

In a statement, ICO head of enforcement Steve Eckersley said: "In this case, the ICO's view was that Virgin had a legitimate interest, namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests. It would not have been possible to achieve Virgin's legitimate interests without publishing Mr Corbyn's image. Virgin could only show that there were empty seats on Mr Corbyn's journey if they showed Mr Corbyn on that journey." The Labour leader's celebrity was also a relevant factor, said Eckersley, as he would have different expectations than other passengers as to his privacy. This was especially the case given the video of the trip he himself had published, and that he "should reasonably expect Virgin to respond in kind".

By contrast, however, the other passengers whose faces were not pixellated were "simply minding their own business" and Virgin Trains had "infringed on their privacy". Nevertheless, the ICO is taking no action against the company as only three people in the footage were recognisable, none of whom had contacted the ICO to complain. Shortly after the incident, Chris Brogan of B&G Associates wrote on IFSEC Global: "The sixth condition of schedule 2 of the Data Protection Act addresses the use of personal data for the legitimate interests of the data controller as long as it does not prejudice the rights and freedoms or legitimate interests of the data subject. Virgin have a legitimate interest in protecting its brand. Jeremy made the issue public and Virgin has defended its rights. This is a balancing act and I suggest that the information tribunal/court would find in favour of Virgin. I cannot see under the circumstances how Jeremy would win the argument that the publication of his images by Virgin prejudiced his rights."


Businesses have been hacked whether they realise it or not, expert warns

"There are two types of businesses: those who know they've been hacked and those who don't know they've been hacked," a leading security expert has said. Stuart Rawling, director of business development at Pelco Schneider Electric, made the stark warning at the event's opening panel, "Current trends and future of the industry". Rawling said businesses must have a solid security plan in place which brings together both human and cyber elements.

"There is a risk of getting an antivirus solution and hoping that will solve everything," said Rawling. "An antivirus won't help you against a zero-day attack; by its very definition it's unknown." The theme that rapidly-advancing security technology cannot be expected to tackle threats without a human element and robust planning was a key element of the session. Professor Martin Gill of Perpetuity Research, and director of the industry awards the OSPAs, warned that "leaving it to technology and hoping it will all be ok" is a dangerous path for the industry. "We should be holding on to the human element. I speak to a lot of offenders, and one said to me recently 'technology doesn't jump off a wall and arrest you'. I just interviewed 12 heads of retail and 12 loss prevention directors. And when asked what their best security system is they all agree: their staff." Rawling agreed, saying he doesn't see a day coming soon where a physical security guard is not deployed.

"Ultimately there still needs to be a human decision made on what to do," he said. "A response plan still requires a human response. What do you do when something happens? That's where security fails most often: the operating procedure, not the technology." Fellow panellist Tony Weeks, head of technical services at NSI, said that technology cannot be implemented without human expertise. "No matter how advanced the technology, you will still need people to configure and look after the systems," he said. The most important consideration is an outstanding security policy which addresses all aspects, the panel agreed. "When I speak to offenders about why they chose their target the answer is always the same: because it was easy," said Gill. "That hasn't changed over 30 years."


Aurora debuts long range facial recognition sensor at IFSEC 2017

IFSEC 2017 launch

Facial recognition technology developer Aurora has unveiled at IFSEC 2017 a long range sensor that extends near infrared capabilities to a wider range of distances, making it suitable for more applications. Queue management, surveillance and VIP identification are possible applications with the technological advance. Aurora's specialist biometric imaging and illumination technology is designed to work with the latest versions of the company's deep learning-based facial recognition engines.

With its near-IR-based facial recognition, Aurora has logged millions of successful events in applications including time and attendance, airport passenger management and access control. Now the company's core technology, FaceSentinel LR, uses high speed global shutter technology and a high brightness near-IR ceramic flash to deliver HDR still frames to Aurora's facial recognition engine. Aurora's head of sales and marketing Gary James says FaceSentinel LR addresses issues common in the operation of facial recognition with visible light CCTV images, which can hinder accuracy in situations where the subject's face is not directly looking at the camera. James says: "The sensor is highly compact, with very low power consumption, despite its powerful output and processing ability. This extends the operational range of our IR face recognition capability fivefold, opening up many new applications such as queue monitoring and covert identification." At IFSEC Aurora is also showcasing its FaceSentinel sensor integrated with the Fastlane Glassgate 300 turnstile, operating in both token-free Identification mode, which allows registered users access simply by looking at the sensor, and Verification mode, which adds a biometric layer to the functionality of any access control system. FaceSentinel uses artificial and infrared light to achieve unparalleled facial recognition speed, accuracy and reliability. Aurora's facial recognition technology is used throughout Heathrow Airport for boarding pass verification as well as within British Airways' domestic self-boarding gates.

Integrated Design Limited (IDL) is the designer and manufacturer of Fastlane Turnstiles and Door Detective anti-tailgating products, and has over 30 years of experience and a worldwide installation network. At IFSEC International 2017, FaceSentinel and FaceSentinel LR are running on Integrated Design Limited's stand E1550.

IFSEC International runs between 20-22 June 2017 at London ExCeL.


Kitemark standard would be a progressive step towards strengthening IoT security

Symantec Internet Security Threat Report

The recent Internet Security Threat Report from Symantec highlights that last year cyber attackers were fishing for gold in all areas and frequently finding success, as seen by the sheer regularity of breach reports in 2016. While malicious emails and ransomware continued to wreak havoc on businesses and consumers alike, the study again highlighted new threats coming into the spotlight thanks to the increase in usage of connected devices. In an era where data is becoming the new currency, all personal and professional data needs to be properly protected, especially with GDPR regulations fast approaching.

As more businesses take advantage of the benefits the internet of things (IoT) can bring to their business, they also need to utilise technologies available to them, such as machine learning, to help analyse and detect weaknesses in a network and spot abnormal activity when it occurs. As we continue to see the exponential growth of connected devices, we will continue to see security issues that we hadn't even considered before, such as the Mirai botnet of 2016. Lessons will clearly be learned, such as avoiding hard-coded IP addresses and the use of default passwords, while many of the protocols designed for smart connected devices will have their own potential flaws and vulnerabilities which organisations will have to tackle.

Online Trust Alliance (OTA)

To help make securing internet-connected devices easier for businesses, the Online Trust Alliance (OTA) has produced a framework in IoT security, offering guidance on how to secure embedded devices. This introduction of a kitemark standard for IoT devices is a progressive step towards ensuring safe practice is followed and that these types of hacks on such devices are stopped at source. In short, we can expect various forms of attacks to continue to increase. With this knowledge there is no excuse not to be prepared.

Cybercriminals are entrepreneurial, well-resourced and motivated, and Symantec's report once again demonstrates that the threat of attack is a growing problem. Organisations and consumers need to be wary of attacks, as the damage could be far greater than just financial and reputational. Organisations must now realise that they can no longer afford for cybersecurity not to be their number one priority.

Click here to register your place now to join us at London ExCeL on 20-22 June 2017.

One in five UK firms hacked in 2016

Cybersecurity

Large firms are most at risk from cybercrime, with British businesses lacking even the most basic security measures to keep confidential information secure, finds a survey by the British Chambers of Commerce (BCC). According to the survey of more than 1,200 businesses, one in five British businesses were hacked last year, and only a quarter of businesses said they had security in place to guard against hacking. The survey also found that it is larger companies, with at least 100 staff, that are more susceptible to cyber attacks.

Around 42% of large businesses reported cyber attacks, compared with 18% of small companies. High-profile attacks on company databases have hit companies including Yahoo and the telecoms firm TalkTalk. Hackers who broke into Yahoo's database accessed a wealth of personal data, including email addresses, dates of birth, passwords, and even encrypted or unencrypted security questions and answers, from more than a billion user accounts in August 2013. In a Guardian article, Adam Marshall, BCC director-general, said: "Cyber-attacks risk companies' finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity. While firms of all sizes, from major corporations to one-man operations, fall prey to attacks, our evidence shows that large companies are more likely to experience them." Most businesses surveyed are reliant on IT providers to resolve issues after an attack, while banks and financial institutions, as well as police and law enforcement agencies, tend to have in-house expertise. The extension to data protection regulation coming into force in 2017 means firms will need to increase their responsibilities and requirements to protect personal data, or prepare to face penalties for not complying. TalkTalk had to pay a £400,000 fine in 2016 for security failings that led to it being hacked in 2015. The Information Commissioner's Office, which levied the fine, said the attack could have been prevented if TalkTalk had taken "basic steps to protect customers' information".

Marshall added: "More guidance from government and police about where and how to report attacks would provide businesses with a clear path to follow in the event of a cybersecurity breach and increase clarity around the response options available to victims, which would help minimise the occurrence of cybercrime."

Why did it take Yahoo nearly four years to discover the biggest hack in history?

Yahoo's reputation has plumbed new depths after it admitted on Wednesday that it had fallen victim to the biggest hack in history. It's the second damaging revelation in a few months: the company revealed in September that it had suffered an attack that was not only huge in scale (500,000 accounts were compromised) but had taken two years to even notice. Users scrambling to change passwords therefore did so knowing that criminals had already had since 2014 to exploit their data.

That incident has now been surpassed on two counts, with the other hack affecting a staggering one billion accounts and occurring not two but three years ago, in 2013. Users are being urged to change passwords and security questions, but once again the words 'horse', 'stable', 'door' and 'bolted' seem pertinent. Some experts have advised users to go further still and close their accounts. Yahoo, which has for years been losing email market share to Gmail and Hotmail, can expect to see that trend accelerate. The company, whose shares tumbled 6% following the revelations and whose $4.8bn sale to Verizon is now in doubt, has been ticked off by Germany's cyber security authority for failing to adopt modern encryption techniques to protect users' personal data. Below, several cyber security experts share their verdicts on the latest hack, and their punches are very much non-pulled.

"Any breach that involves personally identifiable information (PII) like names, addresses, and user credentials can haunt its victims for months or years."

J Paul Haynes, CEO, eSentire

"Any breach that involves personally identifiable information (PII) like names, addresses, and user credentials can haunt its victims for months or years. This information usually ends up on the dark web, where it's cycled through buyers who can use that information to commit various forms of fraud. Hackers can also use PII to access other systems, particularly if the victim used similar username and password combinations for other accounts."

"The frequency of large-scale hacks may be contributing to security fatigue, leaving people feeling helpless in the face of multiple incidents."

Joe Siegrist, CEO, LastPass

"The frequency of the large-scale hacks we're hearing about may be contributing to security fatigue, leaving people feeling helpless in the face of multiple incidents. Take back control of personal security by not using and reusing weak passwords across your accounts. Creating unique, long, complex passwords with a password management tool is a simple way to do this. It's also advisable to do this instead of storing passwords in browsers, as this could make them vulnerable to malware attacks."

"M&A and IPO activities are on the rise, so there is a good chance we will see breaches or hacks uncovered as companies carry out due diligence before deals are finalised."

Andersen Cheng, CEO, Post-Quantum

"The latest Yahoo breach is catastrophic in numbers, easily the biggest data breach we have seen to date. Even more worrying is why this took so long to be disclosed, with the incident taking place nearly four years ago. It looks like these kinds of deals between companies will disclose even more of these historical incidents as we move forward. M&A and IPO activities are on the rise, and they will continue to gather pace in 2017, such is the sheer volume of, and demand to invest in, the next tech 'unicorn'. With this uptick in activity, there is a good chance that we will see data issues such as breaches or hacks uncovered as companies carry out their due diligence before deals are finalised.

I expect there will be a few more unpleasant surprises uncovered next year."

"Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected."

Ilia Kolochenko, CEO, High-Tech Bridge

"Announcing such a massive breach three years after it has occurred is a very serious, and hopefully well-thought-out, step taken by Yahoo. As we don't have any clear technical details around what has actually happened, it's difficult to make any conclusions on who or what was at the origins of the breach. However, I am pretty sure that this news has the potential to negatively impact the deal with Verizon. Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline just before the buyout, may provide a valid reason for Yahoo's shareholders to sue Yahoo's top management if the deal fails or brings less money than expected. I don't think the breach will impact Yahoo's customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers. The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes. If they haven't done so already after September's disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense."

"The magnitude of this breach drives home how critical two-factor authentication is when it comes to account security."

Eldon Sprickerhoff, founder and chief security strategist, eSentire

"The magnitude of this breach doesn't just impact Yahoo account holders; it extends to anyone using web mail services and drives home how critical two-factor authentication is when it comes to account security. We all have a role to play in the security of our own data. The same fate could be a reality for anyone not using two-factor authentication to secure their accounts. In Yahoo's case, account passwords were hashed. Think of it as a one-way encryption that can't be decrypted. But, if you take every possible alphanumeric and punctuation combination, mix it with every possible seed, and feed it through the hash function, you end up with all possible hashed passwords. You can then do a reverse lookup and find the actual password. What this means is that with standard password technology in place (like the kind used by Yahoo), hackers can easily identify user passwords. Two-factor authentication takes security one step further, eliminating the need for hashes, and the risks associated with hashes.

It's a feature that's enabled by adding another form of identity verification to the account sign-in process, like a phone number. It's a simple step that provides significantly more protection to account holders. The greater risk with this particular breach is the countless other email accounts that could be impacted. Many Internet Service Providers (ISPs), like Rogers in Canada or Sky UK in the UK, use white-label Yahoo mail for their account holders. So, if you have a Rogers or Sky UK web mail account, you actually have a Yahoo email account. Regardless, the safest route for all users is to update all passwords and ensure two-factor authentication is enabled, immediately."

"Whether an external actor broke in, or the breach was through a trusted third party, once the attacker has gained a foothold they effectively become an 'insider', able to traverse and access systems with impunity."

Jamie Graves, CEO, ZoneFox

"We've known for a few months now that Yahoo suffered a big breach back in 2013, but what wasn't clear was the sheer scale of the information taken. These latest figures are seismic. While this hack is getting a lot of attention given the detrimental impact it is likely to have on Yahoo's purchase by Verizon, it is vital that businesses everywhere take note and learn a lesson from what could be the biggest cyber-security breach in history.

Whether the breach occurred due to an external actor breaking in, or through a trusted third party, once the attacker has gained a foothold they effectively become an 'insider', able to traverse and access systems with impunity. As with any insider or trusted partner, if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning. In order to identify and remedy the situation as fast as possible, businesses, no matter how large or small, must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately."
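Eldon Sprickerhoff's point above about reverse lookups against hashed passwords is worth seeing concretely. The following is an added illustration, not code from any of the quoted companies or from Yahoo: it precomputes a lookup table for a fast, unsalted hash and recovers every stored password that the table covers, then shows why a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here) leaves the same table useless. The wordlist and user records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: stands in for the exhaustive candidate set an
# attacker would enumerate when precomputing hashes for a reverse lookup.
CANDIDATES = ["password", "letmein", "yahoo2013", "sunshine", "qwerty"]
# Constructed sample users; two of them reuse the same password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "correct-horse-9"}


def unsalted_hash(password: str) -> str:
    """Fast one-way hash, no per-user salt: the weak scheme the quote describes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; the table then applies to every user."""
    return {unsalted_hash(p): p for p in candidates}


def reverse_unsalted(table, stored):
    """Reverse-lookup each stored unsalted hash: user -> recovered password."""
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users):
    """Register users the hardened way: a fresh 16-byte random salt per record."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so verification itself leaks nothing."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def reverse_salted(table, records):
    """The same precomputed table is useless against salted records: the salts
    did not exist when the table was built, so no stored digest can appear in it."""
    return {u: table[d.hex()] for u, (_s, d) in records.items() if d.hex() in table}


def distinct_digests(records):
    """Salting also hides password reuse: same password, different digests."""
    return len({d for _s, d in records.values()})
```

Against the unsalted store the table recovers both users who chose "sunshine" (and shows they share a password); against the salted store it recovers nothing, and reversing would mean recomputing the whole candidate set per user at the KDF's cost.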