RSA Conference: Where the World Talks Security

Moscone Center, San Francisco, USA

Booth #3008

FEB 13th – 17th 2017

Going to RSA This year?

We are!

As leaders in data security software, we are committed to helping organisations find and secure sensitive information BEFORE a breach.

We make it part of our business practice to keep up to date with developments in security across the globe, and there is no better way to keep a finger on the pulse than meeting people face to face.

Visit our booth #3008 in the North Hall for a product demo and see for yourself how Ground Labs can find and secure sensitive data, so that your organisation’s sensitive data is protected from cyberattacks.

We also enjoy some friendly competition and lots of prizes! Show off your golf skills on our putting green at booth #3008, and you could win a prize!

Still not signed up? Use our code: XE7GRNDLABS and register here to get a FREE expo pass

Emoji Passwords Coming Soon? That, And Other Password Changes On The Horizon

A “secure password”: many data security experts would argue the phrase is an oxymoron.

Passwords have long been considered a weak and easily cracked form of authentication, even before you take into account that the most popular password in the world is still ‘123456’.

Over the last couple of decades, users have been forced to set increasingly complex passwords. To log in to an Adobe account, for example, your password must:

1) Be at least 8 characters long

2) Include at least one alphanumeric character

3) Include at least one symbol

4) Include a mix of upper and lower case characters

Which is just ridiculous, and probably not very helpful: we’re willing to bet that P@ssword123 sits somewhere near the top of their most-used passwords list. Composition rules like these push everyone towards the same predictable substitutions, which the wordlists crackers use already include.

But the biggest problem with passwords like that? They are easy to forget and not much harder to crack, as the XKCD comic strip “Password Strength” puts it:

[XKCD comic: “Password Strength”]

The good news is that the days of struggling with passwords may soon be over, thanks to a new set of guidelines from the United States National Institute of Standards and Technology (NIST): the draft of Special Publication 800-63B, the digital identity guideline that covers passwords.

NIST has put together a set of requirements for how passwords are chosen, stored and verified. They apply to US federal systems, and in practice tend to be adopted well beyond them.

Here are some of the more interesting changes:

8-character minimum, and room for at least 64

A longer password is a safer password. Pretty straightforward. Verifiers must accept passwords of at least 8 characters, and the 64 is not a cap but a floor on the cap: a site must let you type at least that many, and must hash all of it rather than silently truncating.

The average user probably won’t want a password almost half the maximum length of a tweet, but the key thing to bear in mind is that, if they want to, they can.

Ban all the common passwords

NIST wants verifiers to check each new password against a list of values known to be commonly used, expected or compromised, and to reject any match. The list being discussed is about 100,000 entries.

One problem they are aware of, though, is that users will try to cheat the list. If iloveyou is banned, a user may simply try iloveyou1 to get around it, so a sensible verifier normalises the candidate (lower-cases it, strips the digits and symbols tacked on at the ends) before comparing.

🙂 (-_-) ^____^

Today many sites restrict passwords to a set of roughly 90 characters: letters, digits and a handful of symbols. NIST wants verifiers to accept every printable ASCII character (there are 95, counting the space) and Unicode as well, which takes in emoji. That also means counting length in characters rather than bytes, since one emoji is four bytes in UTF-8.

Sometime soon, your password might consist of kissy faces and cool guys in sunglasses. The dream.
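
As an added example (not from the original post), here is a password check written the way NIST’s guidance reads: length measured in characters, no composition rules, and a blocklist check that also catches the obvious cheats like iloveyou1 or P@ssword123. The six-entry blocklist is a constructed stand-in for the real list of roughly 100,000 common passwords, and the normalisation rules (strip padding, undo leetspeak) are my own assumptions about which variants are worth catching.

```python
import unicodedata

# Constructed stand-in for the real blocklist of commonly used and breached
# passwords (assumption: entries are stored already casefolded).
COMMON_PASSWORDS = {
    "123456", "password", "iloveyou", "qwerty", "letmein", "football",
}

MIN_LEN = 8
MAX_LEN = 64   # the verifier must accept *at least* this many characters

# Assumed variant rules: strip the digits/symbols people bolt on to get past
# a blocklist, and undo the usual leetspeak substitutions.
PADDING = "0123456789!@#$%^&*._-"
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalise(pw):
    """Canonical form used only for the blocklist comparison."""
    pw = unicodedata.normalize("NFKC", pw).casefold()
    pw = pw.rstrip(PADDING).lstrip("!@#$%^&*._-")
    return pw.translate(LEET)


def check_password(pw):
    """Return (accepted, reason). Only length and the blocklist are enforced:
    no mandatory symbols, digits or mixed case."""
    pw = unicodedata.normalize("NFKC", pw)   # normalise before measuring or hashing
    n = len(pw)                              # code points: an emoji counts as one
    if n < MIN_LEN:
        return False, "too short (%d < %d)" % (n, MIN_LEN)
    if n > MAX_LEN:
        return False, "too long (%d > %d)" % (n, MAX_LEN)
    if pw.casefold() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    if normalise(pw) in COMMON_PASSWORDS:
        return False, "trivial variant of a common password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "iloveyou1", "P@ssword123", "pa55w0rd",
                      "correct horse battery staple", "🙂(-_-)^____^"]:
        print(repr(candidate), check_password(candidate))
```

The emoji password passes because length is counted in code points rather than bytes; note that some emoji (skin-tone or flag sequences) are several code points, so a verifier that counts this way should say so in its UI rather than surprise the user.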

Hints & Knowledge-based authentication (KBA)

So you’ve picked the most difficult password in the world, and then forgotten it. That’s not a problem, as long as you know your mother’s maiden name, or the answer to whatever question you set when you registered the account. It also won’t be a problem for anyone else who happens to know the answer, can dig it out of your social media, or makes a lucky guess. That is why NIST’s guidance drops password hints and knowledge-based questions altogether.

Brian Krebs reported recently that United Airlines employs this form of authentication, to horrible effect: the “secret” answers are picked from short drop-down lists, which turns guessing into a matter of a few tries. It’s a great article if you want to learn more about why KBA doesn’t work, or to hear how mashed potatoes are apparently a pizza topping.

Conclusion: It’s All About The Users

Every change being made follows a few simple guiding principles, all about making passwords user friendly. Forcing users through arbitrary hoops only invites them to cheat the system. Instead, NIST is aiming to put the burden on the verifier rather than the user wherever possible: screening against the blocklist, hashing properly, and throttling guesses, rather than demanding that users memorise line noise.

Passwords are not the most secure safeguard, not by a long shot. But until we come up with a better solution, they are all we’ve got, and it’s imperative we learn to make them work.

If You Get Hacked Customers Will Say Sayonara

The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) reports that concerns about online privacy and security are leading households to do less online.

Among households that have experienced a data breach, 40% refrained from conducting online transactions, while 35% avoided buying goods and services online.

The numbers are striking, almost to the point of being hard to believe.

But there is a growing body of evidence that once you get hacked, a good share of your customers never come back.

NTIA Results on online activities avoided due to privacy or security concerns, percent of households (HHs)

We Assure You, Consumers Do Care About Their Privacy

A Reddit discussion about the NTIA survey results attracted more than 3,300 upvotes, with many users sharing their own concerns about the ongoing assault on their privacy.

The top-rated comment was one calling for better privacy. “So is the U.S. Department of Commerce going to do anything about this? Or help others work towards more privacy?”

Another riled-up consumer wrote: “I know Target and a couple companies that will never, ever, ever get my bank/cc shit again. They will use my prepaid AMEX and like it. And just to rock the boat, my prepaid is an AMEX, so I know they pay for me to use it.”

Target: Case In Point

Target’s huge data breach in 2013 is the textbook example of how a breach has a direct and negative impact on sales.

The now infamous Target REDcard

The epically disastrous hack saw 40 million credit and debit card numbers, and 70 million records of customers’ personal information, stolen by data thieves. Target’s profit for the quarter in which the breach was disclosed dropped 46% compared with the same quarter the year before.

Post-hack, 35% of Target customers surveyed said that the breach reduced the frequency at which they shop at Target, with 13% saying that they have stopped shopping at the retail giant altogether.

British telecoms company TalkTalk also reported losing more than 100,000 customers and £60 million as a direct result of its data breach.

Customers are not short of places to shop. We live in a world where there can be five different convenience stores within a few blocks. If you fail your customers, they’ll walk.

The Finer Details

And in case you forgot, on top of a dip in your sales, lawsuits and the cost of dealing with the breach itself, you can also face penalties. For cardholder data they come from the card brands and your acquiring bank under PCI DSS (the PCI Security Standards Council writes the standard but does not itself levy fines), and for the personal data of EU residents from the national data protection authorities that enforce the GDPR.

With data security standards like the PCI DSS and the EU’s GDPR in force, you should think twice if you’re still taking data security lightly. Under the GDPR, which takes effect on 25 May 2018, fines can reach €20 million or 4% of your business’ global annual turnover, whichever is higher.

Bridging the Gap

The less customer data you store, the less hackers can take from you if you get hacked.

Your company will lose approximately $154 for every record exposed in a data breach (the Ponemon Institute’s 2015 global average). Think of it this way: every record you don’t need to keep is $154 you’ve just saved.

You’ll never know when you will be the next target of a major data breach, so there’s no better time than now to get started on locking down your business’ sensitive data.

With Ground Labs’ Enterprise Recon software, taking charge of your business’ data becomes easy and efficient.

Key features like real-time scanning, role delegation and scan scheduling help you take control of your data, and ensure that no sensitive data goes undiscovered.

It’s an efficient and effective way to ensure that even if hackers break into your network, there is as little as possible for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how you can keep your customers loyal with strengthened data security.

Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that the security these sites have in place is out of all proportion to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?

In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard was running out-of-date forum software with publicly known vulnerabilities, making it easy pickings for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched and up to date, so that the versions you run have no known flaws. A known, unpatched vulnerability in an internet-facing application is the cheapest way in an attacker can hope for.

In addition to running an out-of-date forum system, Rosebuttboard also stored its users’ passwords with an archaic, easily cracked hashing scheme.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords had been saved in plain text.

Using an outdated hashing or encryption method (or none at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Protect stored data according to what it is. Passwords should never be stored in a recoverable form at all: hash them with a slow, salted algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, so that a stolen table cannot be turned back into passwords at any useful speed. Encrypt the rest of your sensitive data at rest, with the keys kept somewhere other than the database that holds the data. That way, even if hackers find their way into your network and steal what you store, they are left with the equivalent of a safe they don’t know the combination to.
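
Added example, not code from the original post or from any of the sites it mentions: what password storage should look like, with the weak scheme alongside for contrast. It uses PBKDF2-HMAC-SHA256 from Python’s standard library because that needs no extra packages; bcrypt, scrypt or Argon2 are equally good choices. The 600,000-iteration work factor and the verifier string format are my assumptions, not anything the page specifies.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def hash_password(password):
    """Return a self-describing verifier string: algorithm$iterations$salt$hash.
    A fresh random salt per user means identical passwords give different
    verifiers, so one cracked hash says nothing about the others."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown verifier format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


# --- the legacy scheme, for contrast (do not use) ---------------------------

def legacy_md5(password):
    """Fast, unsalted MD5: the same password always yields the same digest,
    so a precomputed table or a wordlist cracks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(target_hex, wordlist):
    """One MD5 per guess and no salt to vary: a wordlist attack is trivial."""
    for guess in wordlist:
        if legacy_md5(guess) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Tr0ub4dor&3", stored))                    # False
    # Constructed wordlist: the legacy hash of a common password falls instantly.
    leaked = legacy_md5("iloveyou")
    print(crack_unsalted(leaked, ["123456", "password", "iloveyou"]))  # iloveyou
```

Storing the algorithm and iteration count inside the verifier is what lets you raise the work factor later: old records keep verifying with their own parameters and can be rehashed the next time the user logs in.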

 

Adult dating site Fling.com has also suffered a data breach, with information such as sexual preferences, email addresses and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found among the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of some 32 million accounts, and has been linked to multiple suicides.

Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting a $567 million lawsuit.

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet, from the data leaked, even sensitive information from those that had paid for this service was found.

What you should do: If you don’t need it, fling it! Keep only the data you have a current business reason to hold, delete it for real when that reason ends or the user asks, and verify that the deletion actually happened. Preventing data build-up ensures there is less for hackers to steal.
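
Added example (mine, not Ashley Madison’s or the page’s code): what a “Full Delete” has to do to actually be full, on a constructed sqlite schema that mimics a dating site: an account row plus profile preferences, messages and payment records that all reference it. The soft-delete function is the failure mode the Fling and Ashley Madison stories describe, the full-delete function is the fix, and residue() is the check that should run before a user is told their data is gone. Table and column names are assumptions.

```python
import sqlite3

# Constructed schema standing in for a dating site's database.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE profiles (user_id INTEGER, preferences TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER,
                       recipient_id INTEGER, body TEXT);
CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER, card_last4 TEXT);
"""


def seed():
    """In-memory database with two users and some constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, 0)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.execute("INSERT INTO profiles VALUES (1, 'constructed sample preferences')")
    conn.executemany("INSERT INTO messages (sender_id, recipient_id, body) VALUES (?, ?, ?)",
                     [(1, 2, "hi"), (2, 1, "hello")])
    conn.execute("INSERT INTO payments (user_id, card_last4) VALUES (1, '4242')")
    conn.commit()
    return conn


def soft_delete(conn, uid):
    """The 'Full Delete' that isn't: flips a flag and leaves everything in place."""
    with conn:
        conn.execute("UPDATE users SET deleted = 1 WHERE id = ?", (uid,))


def full_delete(conn, uid):
    """Remove every row that identifies the user, in one transaction so a
    failure half-way cannot leave a partially deleted account."""
    with conn:
        conn.execute("DELETE FROM payments WHERE user_id = ?", (uid,))
        conn.execute("DELETE FROM profiles WHERE user_id = ?", (uid,))
        conn.execute("DELETE FROM messages WHERE sender_id = ?", (uid,))
        # Messages the user received belong to the sender too: keep the text,
        # drop the link back to the deleted account.
        conn.execute("UPDATE messages SET recipient_id = NULL WHERE recipient_id = ?", (uid,))
        conn.execute("DELETE FROM users WHERE id = ?", (uid,))


def residue(conn, uid):
    """Rows anywhere in the schema that still point at the user. Run this
    before confirming deletion; zero is the only acceptable answer."""
    checks = [
        ("SELECT COUNT(*) FROM users    WHERE id = ?", (uid,)),
        ("SELECT COUNT(*) FROM profiles WHERE user_id = ?", (uid,)),
        ("SELECT COUNT(*) FROM messages WHERE sender_id = ? OR recipient_id = ?", (uid, uid)),
        ("SELECT COUNT(*) FROM payments WHERE user_id = ?", (uid,)),
    ]
    return sum(conn.execute(sql, params).fetchone()[0] for sql, params in checks)


if __name__ == "__main__":
    db = seed()
    soft_delete(db, 1)
    print("after soft delete, rows still referencing user 1:", residue(db, 1))   # 5
    db = seed()
    full_delete(db, 1)
    print("after full delete, rows still referencing user 1:", residue(db, 1))   # 0
```

The database is only the first place to look: backups, log files, search indexes and analytics exports hold copies too, and a deletion promise has to cover those or say plainly that it doesn’t.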

 

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling: these features make it easy for any business to take control of its data and ensure that no sensitive data goes undiscovered. It’s one of the simplest ways to ensure that even if hackers break into your network, there is as little as possible for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

65% of Large UK Businesses Were Breached Last Year. Were You One of Them?

If statistics are anything to go by, UK businesses are as well equipped to fight back against hackers as a toddler is against a pack of wolves.

More than 65% of large UK businesses detected at least one cyber security breach or attack in the past 12 months, according to the recently released Cyber Security Breaches Survey 2016.

Such poor data security practices have led to devastating financial repercussions. In the costliest single case reported, more than £3 million was lost.

Read more

Two-Factor To Multi-Factor- Why This PCI DSS 3.2 Naming Change Is A Big Deal

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard to concern yourself with, if you’re running a business dealing with credit cards.

Like most security standards, the PCI DSS is an evolving one: it adds new safeguards and retires things found to be weak, such as SSL and early TLS.

But as I was reading a blog post from the PCI Council’s official blog, titled ‘Preparing for PCI DSS 3.2: Summary of Changes’, they listed the naming convention change from ‘two-factor authentication’ to ‘multi-factor authentication’ as being, and I quote: “one of the biggest changes coming in PCI 3.2”.

Why is that?

The Difference Between Two-Factor Authentication and Multi-Factor Authentication

To understand why this is a big deal, we have to understand what two-factor authentication (2FA) and multi-factor authentication (MFA) are, and how they differ.

2FA adds a second, independent check to your login. Logging in to your Gmail account typically only requires your password: one round of authentication, or 1FA. That is generally considered unsafe, because anyone who gets hold of your password (through phishing, a keylogger, or a password you reused on a site that got breached) has full access to your account.

With 2FA on, logging in requires your password and a second proof, typically a one-time code delivered to your phone or generated by an authenticator app. A hacker now needs your password and your phone. (A code sent by SMS is the weakest version of this, since the message can be intercepted or your number ported to the attacker’s SIM; an authenticator app or a hardware token is better.)

MFA differs from 2FA only in that “multi” means two or more factors rather than exactly two. The factors are also meant to be of different kinds: something you know (a password or PIN), something you have (a phone, token or smart card), and something you are (a fingerprint). Two passwords, or a password plus a security question, are two instances of the same factor, not two factors.

 

Why Is This Name Change A Big Deal?

At first glance, it doesn’t look like a big change for many: since MFA requires the use of two or more factors, many companies will simply keep the bare minimum of two they have been using under past versions of the PCI DSS.

Even the official blog post, which lists the change as being “one of the biggest in PCI DSS 3.2,” doesn’t really go into why it is a big deal; if anything, this extract seemingly implies the opposite:

“Previously in the PCI DSS, we required any untrusted, remote access into cardholder data environment to use “two-factor authentication” which is the equivalent of multi-factor authentication.  Changing the naming convention simply provides consistency that it must be at least two credentials at a minimum.”

Surely, by looking at the equivalence being drawn between 2FA and MFA, you would think the name change is no big deal. However, the reason this change actually means something is said in the use of the word ‘minimum’.

Using the term 2FA implies that companies should stop at two factors of authentication, when in reality they should be aiming for more, or at least for stronger ones.

Minimal? In Data Security?

The thing about security standards is that they focus on providing a benchmark for security, which is usually right on the line of the minimum you need to avoid, or mitigate, the risk of getting hacked. Because proposing the maximum level of security would be asking us all to work out of cardboard boxes in secure underground bunkers, using abacuses to count and paper cups connected by string to communicate.

The PCI DSS, and other security standards, make it easy for organizations to understand what they need to do to lay a solid foundation for data security. So if they say you should be authenticating two credentials at minimum, what they actually mean is: two is great, but getting more would be most excellent.

It’s a good bit of clarification for anyone aiming for more than just a certification of compliance, which should really be everyone.

Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon Enterprise Solutions, the very unit that does that breach-response work, had itself suffered a data breach, with information on 1.5 million of its customers offered for sale. Read more

Auditing the Auditors: Why Is The FTC Going After QSAs?

When it comes to PCI assessments there are three main parties involved: the business, the QSAs, and the PCI Council. The audited, the auditors, and the standard setters.

And while there has been a lot of focus on companies failing to protect sensitive data, and also media attention focused on the PCI standard and its effectiveness, the FTC is now going after the third member of the data security trinity, ordering nine QSAs to provide details on their PCI DSS auditing processes.

In their press release, the FTC stated that they are “seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.”

It’s not surprising to see the FTC taking action on this front, given the importance of privacy and data security today. It’s no exaggeration to say that our right to privacy is one of the critical pillars of society.

Imagine a world where consumers are afraid to swipe their credit cards or enter their passwords online. If businesses can’t protect our private data, all trust will be lost.

Who’s to Blame For a Breach?

As mentioned above, for a long time the spotlight has been on businesses and the PCI standard. Organisations are expected to look after our data — after all, they are the ones storing it. When a data breach goes down, all the blame is assigned to the company. Some companies have attempted to sue their QSAs in the past, but none have succeeded.

The PCI Council has also been questioned numerous times, with people asking what good the PCI standard is if companies are still getting hacked and losing data.

What they fail to understand is that the PCI DSS is just that — a standard. It’s something you are meant to aspire to attain, and sustain. There is a big difference between aiming to be compliant and aiming to be secure, and sadly the distinction is lost on a lot of companies.

Which brings us back to the issue on QSAs, and their role in helping companies comply with the PCI DSS. It is their duty to uphold the standard, and to ensure that the companies they audit are meeting the standard effectively. They are essentially the driving instructors ensuring that poor drivers do not get the license to drive our roads and compromise our safety.

In the interest of fairness, it is also key that they do not use the audit process as a lever to sell their own PCI software tools, or withhold sign-off from a business that does not buy their wares. Returning to the car analogy, it would be akin to a driving instructor refusing to pass a student who doesn’t buy the instructor’s brand of windscreen wipers.

Which isn’t to say that they aren’t allowed to sell their PCI software solutions to clients, just that they can’t make a purchase a prerequisite for passing the assessment. The PCI Council’s rules for QSAs also require that, when a QSA recommends tools, the client be presented with a choice of at least three different products to perform the required task.

Good For Consumers

Overall, this move by the FTC is an encouraging one, because it tells us that the FTC is truly interested in protecting the private information of consumers. To be clear, it does not mean that the QSAs are guilty of any form of misdemeanor — just that if there is, the FTC wants to know.

Ransomware Attacks On The Rise: What Are You Doing To Protect Your Business?

“We do not negotiate with terrorists”. Except, most of us have, or would.

A breed of malware dubbed “ransomware” is holding computer systems hostage, encrypting their files and demanding payment for the key that releases them.

What’s surprising is that these underhanded tactics often see a payout for cybercriminals — according to one study, about 50% of ransomware victims paid their extortionists, and another 40% of people said that they would pay the ransom too if it happened to them.

It’s estimated that at least $5 million is extorted from ransomware victims each year.

Cybersecurity experts are encouraging ransomware victims not to pay the extortionists for two reasons: firstly, there’s no guarantee you’ll get your data back, and secondly, because it only further encourages cybercriminals to continue running ransomware attacks.

That, of course, includes return visits to an environment they already know is both easy to get into and likely to cave to their demands.

It’s a non-issue as long as no ransomware makes its way onto your systems, but the odds of that actually happening are ever increasing.

As far as we know, there are currently more than 4 million samples of ransomware in existence, where there were only 1.5 million samples in 2013. Hackers can’t get enough of the stuff.

Hackers are also finding new ways to bring ransomware to a system near you. It has been reported that a disproportionately large number of websites that run on the WordPress CMS are being hacked to deliver ransomware to end users.

All you need to do to catch it is visit one of these booby-trapped websites with an out-of-date version of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer, and you may be looking at a ransom of $500 (or a few bitcoins) in exchange for your computer back.

Beating Ransomware

There are basically two lines of defence against ransomware: making sure you don’t get infected in the first place, and limiting the damage if you do.

User and staff education is a key data security practice. Making sure that you and your staff are well aware of possible online hazards like phishing emails or insecure websites goes a long way into making sure ransomware never reaches your systems.

Patching your systems and making sure that all your applications are up-to-date is also textbook good practice. Ransomware can find its way into your systems through vulnerabilities, so make sure that your network has no holes for cyberattacks to slip through.

Additionally, running mail filtering that detects malicious links and attachments will go a long way towards ensuring that nobody in your business opens an “uh-oh” link.

Hit me. Whatever. I’m over it.

Perhaps you won’t be nearly that stoic, but the best way to beat ransomware is to take away their leverage. This means making sure that there is no data on your systems that would be of value to hackers.

This works for two reasons. One, an attacker who gets in and finds little of value has less leverage to demand a high price (be aware, though, that commodity ransomware encrypts whatever it can reach without looking first, so minimisation mainly limits what an attacker who also steals your data walks away with). Two, should they still hold your network hostage, restoring from backup or starting over is a significantly cheaper endeavour than paying the ransom, which doesn’t guarantee you will get anything back.

There are two basic ways to go about this. The first is simple: back up your data, and keep at least one copy disconnected from the systems it came from. Ransomware encrypts mapped network shares and attached USB disks as readily as the local drive, so a removable disk that is unplugged after each backup and rotated is a cheap, effective solution for a small business, and a sure way of not keeping all your eggs in one basket. Test the restore periodically; a backup you have never restored from is a hope, not a plan.

The second way is simply removing sensitive data from your systems. Many companies store large amounts of sensitive data, like credit card numbers, healthcare information and personal information, without any real business justified reason to do so. Often, they are not even savvy to the fact that they are storing all that data that hackers are after.

Keeping your systems clean is a form of risk mitigation. It ensures that even if you do get hit by ransomware, you will be in a good position to recover from the attack as quickly and painlessly as possible.
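
Added example, mine rather than Ground Labs’ code, for the point just made and for the Enterprise Recon feature descriptions earlier on the page: the core of what a data discovery scan does when it looks for card numbers in files a business has forgotten about. It pulls every run of 13 to 19 digits out of text (allowing the spaces and dashes people type), keeps only the ones that pass the Luhn check every card number satisfies, and reports them masked so the scanner’s own output does not become another copy of the data. The candidate pattern, the sample text and the directory-walking helper are constructed; the card numbers in the sample are the well-known public test PANs, not real cards.

```python
import os
import re

# A run of 13-19 digits, each optionally followed by a space or dash,
# not glued to other digits on either side (assumed pattern).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from any result above 9, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, the most PCI DSS allows to be
    displayed; everything in between is replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked card numbers found in `text`, in order of appearance."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(set(digits)) == 1:        # 0000... passes Luhn but is not a card
            continue
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_tree(root):
    """Walk a directory and report files containing likely card numbers.
    Files are read as text with undecodable bytes dropped, so binaries
    and odd encodings do not abort the scan."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = find_pans(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: a log line, an export with separators, and the sort of
# 13-14 digit numbers (order IDs, timestamps) that look like cards but aren't.
SAMPLE = """\
2017-02-13 10:15:00 order=1234567890123 card=4111 1111 1111 1111 exp=12/19
customer,bob,5500-0000-0000-0004,ok
amex 378282246310005 ts=20170213101500 phone=555-0100
"""


if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(hit)
```

Luhn filtering is what keeps the false-positive rate bearable: the order number and the timestamp in the sample are both the right length and both fail the checksum, while the three test cards pass. A production scanner adds issuer prefix checks and looks inside archives, databases and mailboxes rather than only flat files.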

Removing sensitive data from your systems is easier than you think, using Ground Labs’ line of data discovery software. Regardless of the number of systems on your network, Ground Labs has a solution tailored to help you find and lock down your sensitive data. Visit our website to find out more, and sign up for a free trial today!