Employees Are the Weakest Link in Computer Security

by Tom Krazit | @tomkrazit | June 20, 2016, 12:26 PM EDT

Even the best technology can’t offset weak employee passwords and carelessness.

If your company is like most, you’re spending an awful lot of your information technology budget on security: security products to protect your organization, security consultants to help you understand where your weaknesses lie, and lawyers to sort out the inevitable mess when something goes wrong. That approach can work, but it fails to consider the weakest link in your security fence: your employees.

We’ve come a long way since the days of the Blaster and Zapper worms in the early 2000s, malware that infected computer systems and caused pure chaos in corporate networks for people not yet hardened enough to question the links and attachments that arrived in their inboxes. Yet as we’ve put together the agenda for Structure Security, a conference focused on information security to be held on Sept. 27 and 28 in San Francisco, it’s a topic that has come up again and again: How the best-laid plans designed by security experts can still be derailed by users with sloppy passwords or a tendency to leave smartphones or laptops in cabs.

If you’re a large company, you can invest in protecting your users from themselves. You can require smartphone users who want to access your network to let your operations people remotely erase sensitive data in the event of a theft or loss. Or you can insist users change their passwords every 30 days and require a 16-character password with letters, numbers, symbols, and doodles. For a lot of small to medium-size companies, however, cultural resistance to security overreach and a lack of resources to enforce even high-minded policies can result in significant loss of proprietary information, money, or both.

It doesn’t have to be this way. This September at Structure Security, we plan to showcase a number of individuals and companies who are working on ways to help everyone—from overworked chief information security officers to lower-level employees with basic information security literacy—stop problems before they happen.

Some of these approaches include:

  • Breaking through the information-sharing resistance among corporate information security professionals, which could help prevent newly discovered threats from spreading faster than they can react.

  • Using artificial intelligence and machine learning to better predict user behavior and hacking tactics, featuring startups such as Area1 Security, which is working on ways to detect and prevent attackers from targeting specific employees with sophisticated scams.

  • Finding problems in your products and internal apps as quickly as possible by crowdsourcing “bug bounties,” a fast-growing information security practice that we’ll discuss with Casey Ellis, founder and CEO of Bugcrowd, and Maarten Mickos, CEO of HackerOne.

  • Designing your products or internal applications in a way that assumes your users are themselves overworked and frustrated by the growing complexity of password requirements, two-factor authentication, and security images. This requires product-development teams and security engineers to work much more closely together than is the norm in this industry, according to our board of advisors.

Information security in 2016 is a tricky balance. The threat has never been more pronounced, as anything not yet connected to the Internet is probably in development by a hot startup, and as third-party cloud providers control an increasing amount of critical infrastructure. But the people in the trenches who are responsible for security discipline need more help from the people whose software they are required to use simply to do their actual jobs.

Organizations that don’t prioritize helping their users secure themselves can spend all the money they want on the security products that the $75 billion information security industry is quite happy to sell them; yet after all that effort, they still might be leaving their house keys in the front-door lock.

Homeland Security Issues Ransomware Alert for Networked Systems

DHS issued a ransomware alert in conjunction with the Canadian Cyber Incident Response Centre to warn individuals and organizations.

The US Department of Homeland Security issued a ransomware alert through the US Computer Emergency Readiness Team (US-CERT) to organizations that use networked systems, warning them of the potential dangers stemming from this type of malware.

In conjunction with the Canadian Cyber Incident Response Centre (CCIRC), DHS explained that the alert is designed “to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”

“Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading,” the alert states. “Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.”

US-CERT adds that ransomware attacks can target individuals or businesses. Moreover, paying the requested ransom “does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information.”

If data was encrypted through the ransomware, paying the ransom to decrypt the data also does not guarantee that the malware itself was actually removed.

Along with phishing attacks, ransomware can infiltrate a system through vulnerable Web servers, according to the alert. A weakened entry point can be exploited, giving attackers a way to gain access to an organization’s system.

Not only can ransomware attacks create temporary or permanent loss of critical data, they can also disrupt regular business operations and create financial losses. This could happen when it comes time to restore system files.

Finally, an organization’s reputation could be severely damaged through such attacks, and through the recovery process.

However, US-CERT did recommend several steps for ensuring an easier recovery should a ransomware attack take place. For example, organizations should ensure that they have a data backup and recovery plan for all critical information.

Additionally, application whitelisting can help prevent malicious software and unapproved programs from running. By only allowing specific programs to run, it could help block malware.

The following recommendations were also listed:

  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
  • Do not follow unsolicited Web links in emails.
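As an added example, not part of the US-CERT alert or this article, the following Python script applies two of the recommendations above at a mail gateway: it classifies attachments by file type (macro-enabled Office formats and executables are blocked, legacy binary Office formats that can also embed macros are held for review) and flags messages that push the reader to follow a link when the sender's domain is not on a trusted list. The extension lists, the trusted-domain set, and the sample message are all constructed for illustration and are assumptions, not an official policy.

```python
"""Mail-gateway policy check for inbound messages.

Added example, not part of the US-CERT alert or this article. It applies
two of the alert's recommendations to one message: attachments that can
carry macros or executable code are blocked, legacy binary Office formats
(which can also embed macros) are held for review, and messages that push
the reader to follow a link are flagged unless the sender's domain is on
a trusted list. All file-type lists, the trusted-domain set and the
sample message below are constructed for illustration (assumptions).
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Constructed lists (assumptions for this example; tune to your environment).
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Lower-cased final extension of a filename, or '' when it has none."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for an attachment filename."""
    ext = extension_of(filename)
    if ext in MACRO_ENABLED or ext in EXECUTABLE:
        return "block"
    if ext in LEGACY_OFFICE:
        return "review"
    return "allow"


def check_message(raw: bytes, trusted_domains: set[str]) -> dict:
    """Apply the policy to one raw RFC 5322 message and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    from_trusted = sender_domain in trusted_domains

    attachments: dict[str, str] = {}
    urls: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachments[filename] = classify_attachment(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))

    verdicts = set(attachments.values())
    if "block" in verdicts:
        action = "quarantine"   # macro-enabled or executable content
    elif "review" in verdicts and not from_trusted:
        action = "quarantine"   # legacy Office file from an unknown sender
    elif urls and not from_trusted:
        action = "warn"         # unsolicited link: warn the reader before delivery
    else:
        action = "deliver"

    return {"from_trusted": from_trusted, "attachments": attachments,
            "urls": urls, "action": action}


# Constructed sample message (not a real phishing sample); domains use .test/.example.
SAMPLE_MESSAGE = b"""From: "Accounts" <billing@invoices-example.test>
To: user@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it online at http://invoices-example.test/view

--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, trusted_domains={"corp.example"}))
```

The sample message is quarantined because of the macro-enabled attachment; the same message with a plain `.pdf` attachment would only be marked `warn` for its unsolicited link, and a legacy `.xls` from an untrusted sender is held for review rather than silently delivered.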

A final key takeaway in the alert is that organizations are discouraged from paying the ransom. As previously mentioned, this does not guarantee that the files will be released, according to US-CERT.

By Elizabeth Snell

Preparing Healthcare Data Security for Hackers in 2016

Healthcare data security measures must be stronger than ever as more hackers are looking for ways to infiltrate covered entities’ networks.

The healthcare industry is undergoing a digital revolution. For the most part, this means positive developments in the speed, efficiency, and effectiveness with which the industry can treat patients and prevent diseases.

Unfortunately, it’s also a boon for hackers.

In fact, the healthcare industry was the most targeted sector for cyberattacks in 2015, with over 100 million medical records compromised. Last year, two of the largest known cyberattacks targeted healthcare organizations. The hack on health insurance giant Anthem’s network was responsible for 70% of all compromised records that year.

Given the increased digitization of health records and the growing reliance of medical procedures, monitoring, and life-saving devices on digital technology, this growing wave of cyberattacks is cause for great concern – and the healthcare industry’s vulnerability to targeting by cyber-criminals will only increase. Here’s why:

Personal Data

The growing use of Electronic Health Records (EHRs) in the healthcare industry has created a plethora of online data, offering hackers a tantalizing trove of financial and informational plunder. These records hold the most sensitive data imaginable, from medical histories, psychological profiles, and family connections to billing data and addresses.

These same records can be used by threat actors to conduct insurance fraud, perform identity theft, and even extort victims. What’s more, unlike stealing financial data like credit card details, once medical information has been stolen, it doesn’t expire and cannot be cancelled with a phone call – and therefore can be reused over and over again by the perpetrators. As such, healthcare data is extremely valuable on the black market. Health records for individuals can sell for around $60 each, nearly 20 times the black market value of a stolen credit card number.

Intellectual Property

Beyond deceptive acts against individuals, there is also the threat of corporate cyber-espionage. This is particularly acute in the pharmaceutical industry, with its long-term R&D processes and wealth of valuable intellectual property.

In short, the high resell value of both corporate and individual data helps make healthcare organizations extremely desirable targets.

Lack of Awareness

The healthcare industry is undergoing a massive technology transition – from migrating health records to digital, to using new storage and processing techniques to analyze patient data. The rush to digitally revolutionize the industry is in full force, but it’s coming at the expense of securing the data of these systems, which has lagged behind. Other industries with a more mature approach to securing data have already established policies and procedures in case of attacks, including sharing security strategies and tactics.

Healthcare still needs to catch up.

Lack of Knowhow & Human Resources

Additionally, there is a woeful lack of security professionals in the healthcare industry, and many of those working in the field have admitted to feeling inadequately prepared to defend their organization against a cyberattack.

New Attack Vectors

Critical medical devices such as insulin pumps or digital pacemakers can also be potentially compromised by threat actors. A few years ago, a security researcher presented ways to remotely modify the dosage rates of an insulin pump. In another case, researchers showed how easy it was to manipulate baby monitors. As these devices become increasingly connected, they also offer dangerous opportunities for threat actors.

Healing Healthcare Security

One important bill impacting the future of healthcare cybersecurity is the Cybersecurity Act of 2015. The bill requires the Department of Health and Human Services (HHS) to assess the healthcare industry’s capability to respond to cyberattacks, and includes a taskforce to determine how information security tactics from other industries can be integrated into the healthcare sector.

Under HIPAA as well, healthcare and related organizations are mandated to secure EHRs or face possible fines. These regulations are forcing the sector to take full responsibility for managing the threats.

While regulation tries to provide standards, it does not provide a security panacea. Because healthcare is such a valuable target, threat actors will eventually find a way to penetrate organizations. And, as the latest attacks have demonstrated, existing methods of detecting threat actors before they cause damage have proven ineffective.

The goal of a cyberattack is not to enter a foreign network just so the attackers can say they did, but to seize valuable data from the network. That’s why there needs to be a paradigm shift in the approach to cybersecurity. The healthcare sector needs to shift focus from preventing infiltration to preventing information from being tampered with or stolen. Hackers always seem to find a way into a network, and healthcare organizations, so critical to so many people’s lives, must find a way to carry on with business as usual while they are combatting the threat.

Cyber-crime is a growing industry and is not going away anytime soon. However, the healthcare data security threat can be significantly reduced if emphasis is put not on keeping the hackers out, but rather, on rendering the attacks themselves harmless.

By Roy Katmor of enSilo

The Inconvenient Truth About SEO

Do you own a website? Do you want to be number one on Google? Whatever you do, don’t spend money on aggressive search engine optimization (SEO).

I know that sounds like an extreme position to take. However, a lot of website owners see search engine optimization as the answer to their search ranking woes, when things are considerably more complex.

The inconvenient truth is that the best person to improve your ranking is you. Unfortunately, that is going to take time and commitment on your part. The answer doesn’t lie in hiring an SEO company to boost your website ranking for Google. The problem starts with the term “search engine optimization” and the misconceptions surrounding it.


What SEO Isn’t

Most website owners perceive SEO as a dark art, shrouded in mystery. They have heard phrases like “gateway pages” and “keyword density” or have been bamboozled by technobabble about the way websites should be built. All of this has left them feeling that SEO is the purview of experts. This is a misconception reinforced by certain segments of the SEO community.

The problem is that these kinds of complex techniques do work, to a point. It is possible to improve placement through a manipulation of the system. However, although it can have short term benefits, it will not last without continual investment. This is because the objective is wrong. SEO shouldn’t be about getting to the top of Google for particular phrases. In fact, we shouldn’t be optimizing for search engines at all. We should be optimizing for people. After all, that is what Google is trying to do.


Why You Shouldn’t Be Optimizing For Search Engines

Google’s aim is simple: connect its searchers with the most relevant content. If you are more worried about a good ranking than providing relevant content, then you are going to be fighting a losing battle.

If you hire an SEO company to improve your placement and you measure their worth on the basis of how high they get you in the rankings, then you are out of line with what Google is trying to achieve. Your primary objective should be better content, not higher rankings.

[Image: Valuable original content. Image credit: Search Engine People Blog.]

The SEO company can use every trick in the book to get you better rankings, but over the long term they will lose, because Google is constantly changing how it rates websites so it can provide more accurate results.

Remember, you shouldn’t be optimizing for ranking in search engines, you should be optimizing for users.


A Better Way

Google does not make a secret of how to gain a high ranking. It states clearly in its webmaster guidelines:

“Make pages primarily for users, not for search engines.”

So how do you actually do that? Again Google provides the answer:

“Create a useful, information-rich website, and write pages that clearly and accurately describe your content.”

In short, write useful content. This could include (but is not limited to):

  • Publishing white papers
  • Writing a blog
  • Sharing research findings
  • Producing detailed case studies
  • Encouraging user-generated content
  • Creating useful applications or tools
  • Running a Q&A section
  • Posting interviews

The list could go on. The key is to produce content people find useful and want to share.

Yes, there are some technical considerations when it comes to search engines. However, any reasonably well-built website will be accessible to Google. You don’t need an expert SEO company for that (at least not if the Web designer does their job right).

As an aside, it is worth noting that if you take accessibility seriously for users with disabilities (such as those with visual impairments), then you will also make a website accessible to Google.

However, setting those technical issues aside, it all comes down to content. If you create great content, people will link to it, and Google will improve your placement. It really is that simple.

The question then becomes, how do you create great content?


The Inconvenient Truth

This is the point where we come to the inconvenient truth. It is hard for an outside contractor to produce the great content that will keep users coming back and encourage them to share. In my experience, this is much better done internally within the organization. The problem is that this doesn’t sit well with most organizations. It’s easier to outsource the problem to an SEO company than to tackle an unfamiliar area internally.

Admittedly, a good SEO company will have copywriters on board who can write content for you. However, their knowledge will be limited, as will their ability to really get to know your business. Yes, they can write a few keyword-heavy blog posts that Google will like the look of. However, this won’t fool users, and so the number of links to that content will be low.

The truth is that if you are serious about improving your placement on search engines, it has to be done internally.

This truth is all the more painful, as most organizations are not configured to do this properly.


Organizational Change Required

The more I work with organizations on their digital strategy, the more I realize how few are structured to do business in a digital world. The issue of SEO is an ideal example of the problem.

Responsibility for the website normally lies with the marketing department. Although marketing is well experienced in producing and writing marketing copy that outlines the products and services the organization provides, it is not best equipped to write content that will be heavily linked to.

It is not surprising that if you search on a term like “call to action,” the top results are almost exclusively informational articles, rather than companies helping with services in this area.

The problem is that marketeers are experts in the product or service being sold, not necessarily the surrounding subject matter. For example, the marketing department of a company selling healthy meals will know everything about the benefits of their product, but will have a limited knowledge of nutrition. Unfortunately, people are more likely to link to a post on healthy eating tips than they are to link to some marketing copy on a particular health product.

What you really need is the nutritional expert who designed the meal to be posting regularly to a blog, talking about what makes a healthy diet. A blog like this would include lots of linkable content, would be able to build a regular readership and would produce keyword-rich copy.

The problem is that this is not how organizations are set up. It is not the nutritional expert’s job to write blog posts; that responsibility belongs in marketing.


The Long-Term Solution

Ultimately, organizations need to change so that online marketing is a more distributed role, with everybody taking responsibility for aspects of it. I am not suggesting that the central marketing function has no role in digital, but rather recognizing that they cannot do it alone. Others will need to have some marketing responsibilities as part of their role.

For example, a company selling healthy meals should allocate one afternoon each week for their nutritional experts and chefs to share their expertise online. It would become the marketing department’s responsibility to support these bloggers by providing training, editorial support, and technical advice.

Unfortunately, these experts are often the most valuable resource within a business, and so their time is incredibly valuable. The idea of “distracting” them from their core role is too much for many companies to swallow.

However, in the short term there is still much that can be done.


A Short-Term Solution

As we wait for companies to wake up and change the way they are organized, there are ways of working within the system.

If you haven’t already, consider hiring an employee dedicated to creating content for your website. You can partially finance it with the money you save by getting rid of your SEO company.

If that is beyond your budget, consider hiring a short-term contractor or a part-time staff member. You could even use an existing member of your staff as long as they have time set aside to prevent the Web being pushed down the priority list. Although this person won’t have the knowledge to write all the content themselves, by being situated inside of the business it will be much easier for them to get access to those within the organization who do.

Arrange meetings with these experts and talk to them about their role. Identify various subjects based on their knowledge and then either record a video interview or write up a blog post based on what they share. Also ask these experts what news sources they read or which people within the industry they follow. Monitor these sources and ask your expert to comment on what is shared. These comments can be turned into posts that add to the wealth of content on your website.

Finally, you may find that the experts within the business are already producing a wealth of content that can act as source material for content that users will find interesting.

For example, our fictional nutritional expert probably already has documentation on the health benefits of certain food types or how certain conditions can be helped through healthy eating. Admittedly this kind of material might be too dry or academic, but with some editing and rewriting it would probably make great online content.

The content you post does not have to be long, it just has to be link-worthy. The key is to share the opinion of your expert and provide content of value to your audience.

As that audience grows, start asking questions. Maybe even get some of your readers to share their experiences or knowledge. Over time you will discover that not only will your readers want to contribute, so will your experts. As they see the value in posting content regularly to the website, they will start blogging themselves. All you will have to do is suggest topics and edit their output.

I know what you are thinking: it just isn’t that simple.


No More Excuses

I realize this is a big cultural shift for many organizations. Marketing teams will feel they are losing control, the person responsible for blogging will feel out of their depth and the experts may resent being asked lots of questions. However, what is the alternative?

For better or worse, Google demands good content in return for high rankings. Pretending that SEO companies can magically find a shortcut that allows you to avoid this trade-off just isn’t going to cut it.

If you care about how you rank, it is time to take responsibility for your website’s content. Once you overcome the initial hurdle, you will find that producing quality content on an ongoing basis becomes second nature.


My message can be boiled down to the following points:

  • Website owners are unhealthily obsessed with their rankings on Google.
  • We should be creating primarily for people and not search engines.
  • The best way to improve your ranking is to produce great content that people link to.
  • That great content is better produced in-house, rather than being outsourced to an agency.
  • A good web designer can take you a long way in making your site accessible to search engines.
  • Before you spend money on an SEO company, make sure you have the basics in place first.

SEO Companies Do Have A Role

I think it is important to stress that I do believe SEO companies have a role. The problem is they are often brought in when there is still much work that could be done internally within the organization.

To me it’s about return on investment. Why spend money improving your search engine rankings when you could spend the same money improving rankings and producing more engaging content? Or why not spend money on improving your rankings and building a more accessible website?

That is what I am proposing. I am saying that content and solid design should be first. Once that is in place then, sure, hire an SEO company.

There are two exceptions to that general rule of thumb.


First, the SEO industry is changing. They are increasingly helping clients with content and that is great. However, if that is the role they are going to take then they need to stop saying they are about “search engine optimisation.” Creating great content is not primarily an SEO job. They have a branding issue there.

Also, although I am happy for an SEO company to help educate clients about content, they shouldn’t be writing copy for them week in and week out. Take the approach of a content strategist who trains up the client, provides them a strategy, and then encourages them to take on the role themselves. Isn’t that better for the client?


Cleaning up after bad web designers

The second exception is where the web designer has built an inaccessible website. Unfortunately, it falls to the SEO company to clean up the mess.

However, I wouldn’t expect a web developer to provide all of the technical subtleties of an SEO company. That is probably too specialized for most web designers to do.

I don’t doubt that these subtleties are important and do make a difference to rankings. However, once again it is important that we have the basics in place first:

  • Great content.
  • A solidly built website.

Setting The Right Priorities

Hopefully that helps clarify my position slightly. I am not for a minute trying to destroy the SEO sector (as I was accused of repeatedly). What I am trying to do is set priorities straight.

I guess, in short, it is the phrase “search engine optimization” I have a problem with. It implies we should be accommodating the idiosyncrasies of search engines above the needs of users.

That is something I will never compromise over, and I am sure something the vast majority of SEO companies would agree with.
