Microsoft will no longer invest in facial-recognition technologies
At a time when many tech companies are pouring money into facial-recognition research, Microsoft is selling off its investments into the technology. The company has announced it is divesting its shares in AnyVision, an Israeli facial-recognition company alleged to be contributing to mass surveillance in the West Bank.
A recent audit found that AnyVision’s technology was not used in a mass surveillance program, but Microsoft has chosen to pull its investment from the company anyway. “After careful consideration, Microsoft and AnyVision have agreed that it is in the best interest of both enterprises for Microsoft to divest its shareholding in AnyVision,” the companies said in a joint statement. “For Microsoft, the audit process reinforced the challenges of being a minority investor in a company that sells sensitive technology, since such investments do not generally allow for the level of oversight or control that Microsoft exercises over the use of its own technology.”
Microsoft has previously called on Congress to regulate facial-recognition technology more closely. In a 2018 blog post, company president Brad Smith argued that “the more powerful the tool, the greater the benefit or damage it can cause.” He called on the government to introduce regulation to prevent abuse of the technology and to protect human rights, and compared the need for regulation in the facial-recognition industry to the 20th-century regulation of seat belts, air safety, and food and pharmaceutical products.
Now, Microsoft is putting its money where its mouth is by pulling investment from AnyVision and also announcing it would no longer make minority investments in any other companies that sell facial-recognition technology. Microsoft said it made this decision based on a lack of oversight it has as an investor in smaller companies.
Microsoft’s stance against unchecked use of facial recognition is notable as other tech companies like Facebook and Amazon are investing heavily in facial-recognition technologies. Facebook recently had to pay a $550 million settlement in a lawsuit alleging it violated biometric privacy laws in Illinois by failing to obtain permission before using biometric data and for not being transparent about how that data was stored and used.
==================================================================
The use of the PIN and TPM for authentication in Wave VSC 2.0 could be a simpler and more effective method than using facial recognition, of which Microsoft is a strong proponent in Windows Hello. The facial recognition seems to complicate things for organizations when it comes to potential investments in facial recognition by Microsoft, and releasing the investments may not necessarily make it better.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
=================================================================
https://www.wavesys.com/
Evasive malware increasing, evading signature-based antivirus solutions
https://www.helpnetsecurity.com/2020/03/26/evasive-malware-increasing/
Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions.
This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception. Companies of all sizes need to deploy advanced anti-malware solutions that can detect and block these attacks.
In addition, widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017 have been detected. This ‘dropper’ exploit was number seven on WatchGuard’s top ten malware list and heavily targeted the UK, Germany and New Zealand. It downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was used in phishing attacks in February 2020 that preyed on early fears of the coronavirus outbreak.
Businesses of all sizes need to invest in multiple layers of security
“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, CTO at WatchGuard.
“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”
Other key findings from the Q4 2019 report include:
• Mac adware jumps in popularity in Q4 – One of the top compromised websites detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a MalwareBytes report from February 2020 that showed a rise in Mac malware, particularly adware.
• SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.
• Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Fireboxes in a single country, suggesting attackers are automating their attacks more frequently.
==================================================================
https://www.wavesys.com/malware-protection
Excerpts:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected before the rest of the world can benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
=================================================================
Wave Endpoint Monitor would make a GREAT DEFENSIVE LAYER to STOP malware that evades signature-based antivirus products. More people should know about WEM as it could SAVE organizations from the headaches and LOST MONEY of sneaky malware!!!!
==================================================================
https://www.wavesys.com/
#Privacy: Self-Encrypting Drives are the answer to data protection concerns now and in the future
https://gdpr.report/news/2020/01/07/privacy-self-encrypting-drives-are-the-answer-to-data-protection-concerns-now-and-in-the-future/
The data protection landscape is rapidly changing in scope, breadth and depth. With changes to data protection laws in recent years, organisations today must keep up with all that is happening in the world of data protection.
Data protection no longer solely applies to risk management such as business continuity and disaster recovery, but also governance and compliance.
The protection of electronically stored information – in all its different expressions – should be at the forefront of any business. The permanent physical loss of key information, such as customer account information or the loss of confidentiality of sensitive information, could have a severe negative impact on a business and bring with it huge penalties and legal costs.
The loss of confidentiality of information through a data breach can carry high security threats and put businesses of all sizes at risk.
As data and business processes evolve with technological advances, enterprises are actively examining how to improve the data protection function from the perspectives of people, processes and technology. The key to choosing the data protection technologies is to understand the overall data protection infrastructure portfolio into which individual data protection technologies should fit.
The strength is in the hardware
As a solution, data encryption has received strong endorsement from the enactment of state, federal and international data protection legislation. Over the years, the disadvantages of software-based encryption have become increasingly recognised in the industry.
After all, software encryption is only as secure as the rest of the computer or smartphone. In software encryption, there are more possible attacks vectors that can lead, among others, to the ability for a hacker to crack the password. Software encryption tools also share the processing of your computer, which can cause the whole machine to slow down as data is encrypted/decrypted.
Unfortunately, some users remain unaware of the potential to solve these problems with hardware-based encryption. Through an industry-wide, open specification for hardware-based Self Encrypting Drives (SEDs), e.g., Opal Family Specifications, developed by Trusted Computing Group (TCG), the issues caused by software-based encryption are being addressed and the reasons for using a SED continue to grow.
SEDs are storage media that perform on-board encryption/decryption, as well as pre-boot authentication, maintain hashed passwords and offer on-the-fly erasure. In a SED, the entire drive, including the Master Boot Record (MBR) is encrypted and write protected at rest. As a result, the master boot record cannot be corrupted.
Compared to software-based encryption, hardware-based encryption built into a drive offers simplified management, interoperability among drives from different vendors and most importantly no performance impact. In fact, using a SED is much more cost-effective than buying higher performance main laptop processors when software Full-Disk Encryption (FDE) is used. SEDs integrate to systems and image the same as non-encrypting drives, with no initial encryption necessary, nor re-encryption when drives are re-imaged.
SEDs and TPMs – the perfect match for data protection
In order to ensure better security, strong user authentication is needed. With a SED, access to the platform is based on secure authorisation performed by the SED and not by the less-secure software that can be spoofed into allowing unauthorised access to data. Combining hardware-based encryption with Trusted Platform Modules (TPMs) can provide even stronger security benefits in personal computers and can be used in a multitude of ways.
The TPM is designed as a root of trust for the computing platform. It can measure components such as the Basic Input/Output System (BIOS) to determine if the system has been hacked or an unauthorised change has been made. The SED has areas of protected storage that can be used in conjunction with the TPM. One use of these protected storage areas would be to keep a copy of sensitive software such as the system BIOS or MBR. If the TPM detects that the BIOS or MBR has been hacked, a new, unaltered copy of the software can be loaded before the system boots, resulting in a self-healing system.
The combination of SEDs and TPMs can also assure strong authentication. In this instance, the SED would store an alternative operating system in a read-only area of the drive. When the locked SED is powered up, a ‘shadow’ MBR is used to load this pre-boot Operating System (OS).
The purpose of the pre-boot OS is to allow the user to enter their authentication credentials such as passwords, fingerprints, smart cards, or other tokens which are used to unlock the SED so that the normal MBR and OS can be loaded. Even though the SED protects the pre-boot OS from being altered, the TPM can be used to provide another layer of security by measuring the pre-boot OS each time it is loaded to assure that it has not been altered in an unauthorised way.
Some enterprises want to assure that a SED can only be unlocked by authorised users and in an authorised platform. The TPM can be used to store authentication credentials which are required in order to unlock the SED. At power up time, not only must the user enter their authentication credentials, but the TPM must be used in conjunction with the user authentication credential in order to produce the authentication credential which can unlock the SED.
Through combining hardware-based technologies like SEDs with TPMs, enterprises add another layer of security to their systems, ensuring the possibility of any loss of data is drastically reduced.
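The measured-boot and SED-unlock flow described above, and the boot-value comparison the Wave Endpoint Monitor excerpt earlier on this page describes, as an added toy model in Python (this is illustrative code, not Wave's software and not code from the article). It assumes a single PCR-style register extended over BIOS, MBR and pre-boot OS in that order, a TPM that releases a platform secret only when that register matches the sealed value, and an SED credential derived from the user's PIN plus that secret; every component image, secret and PIN below is a constructed sample.

```python
"""
Toy model of TPM measured boot protecting a self-encrypting drive (SED).

Assumptions (all constructed for this illustration):
  * One PCR-style register, extended as PCR = SHA-256(PCR || SHA-256(image))
    for each boot component, in the order BIOS -> MBR -> pre-boot OS.
  * The TPM "seals" a platform secret to the expected PCR value and releases
    it only when the measured value matches.
  * The SED unlock credential is derived from the user's PIN *and* that
    platform secret, so a stolen PIN alone, or the drive moved to another
    machine, does not unlock it ("authorised user in an authorised platform").
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

BOOT_ORDER: List[str] = ["bios", "mbr", "preboot_os"]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measure_boot(components: Dict[str, bytes]) -> Tuple[bytes, List[bytes]]:
    """Extend the register over each component in boot order.

    Returns the final value and the value after each stage, so a monitor can
    report which stage first diverged from the last known-good boot.
    """
    pcr = bytes(32)  # PCRs start as all zeros on reset
    per_stage: List[bytes] = []
    for name in BOOT_ORDER:
        pcr = sha256(pcr + sha256(components[name]))  # the PCR "extend" step
        per_stage.append(pcr)
    return pcr, per_stage


def first_deviation(baseline: List[bytes], current: List[bytes]) -> Optional[str]:
    """Endpoint-monitor style check: name the first boot component whose
    measurement differs from the baseline, or None if the boot is unchanged."""
    for name, expected, seen in zip(BOOT_ORDER, baseline, current):
        if not hmac.compare_digest(expected, seen):
            return name
    return None


class ToyTPM:
    """Holds a platform secret sealed to one expected PCR value."""

    def __init__(self, platform_secret: bytes, sealed_to_pcr: bytes):
        self._secret = platform_secret
        self._policy_pcr = sealed_to_pcr

    def unseal(self, current_pcr: bytes) -> Optional[bytes]:
        # Release the secret only if the boot chain measured as expected.
        if hmac.compare_digest(current_pcr, self._policy_pcr):
            return self._secret
        return None


def derive_sed_credential(pin: str, platform_secret: bytes) -> bytes:
    """Combine the user factor (PIN) with the platform factor (TPM secret)."""
    return hmac.new(platform_secret, pin.encode(), hashlib.sha256).digest()


class ToySED:
    """Drive that unlocks only for the exact credential it was provisioned with."""

    def __init__(self, credential: bytes):
        self._credential = credential

    def unlock(self, credential: bytes) -> bool:
        return hmac.compare_digest(credential, self._credential)


def attempt_unlock(tpm: ToyTPM, sed: ToySED, pin: str, components: Dict[str, bytes]) -> bool:
    """Full pre-boot flow: measure the boot chain, unseal, derive, unlock."""
    pcr, _ = measure_boot(components)
    secret = tpm.unseal(pcr)
    if secret is None:
        return False  # platform is not in the authorised state
    return sed.unlock(derive_sed_credential(pin, secret))


# Constructed sample platform (hypothetical images, secret and PIN).
GOOD_BOOT = {"bios": b"vendor-bios-v1.2", "mbr": b"shadow-mbr-ok", "preboot_os": b"preboot-auth-os"}
PLATFORM_SECRET = b"\x11" * 32  # a real TPM generates and guards this
USER_PIN = "4821"

GOOD_PCR, GOOD_STAGES = measure_boot(GOOD_BOOT)
TPM = ToyTPM(PLATFORM_SECRET, GOOD_PCR)
SED = ToySED(derive_sed_credential(USER_PIN, PLATFORM_SECRET))

if __name__ == "__main__":
    altered = dict(GOOD_BOOT, mbr=b"altered-mbr")  # constructed deviation
    print("clean boot unlocks:", attempt_unlock(TPM, SED, USER_PIN, GOOD_BOOT))
    print("wrong PIN unlocks:", attempt_unlock(TPM, SED, "0000", GOOD_BOOT))
    print("altered MBR unlocks:", attempt_unlock(TPM, SED, USER_PIN, altered))
    print("first deviation:", first_deviation(GOOD_STAGES, measure_boot(altered)[1]))
```

Because each stage's value chains on the previous one, a change in the BIOS also changes every later measurement, which is why the monitor reports the earliest differing stage rather than all of them.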
Protection against future security threats
Hardware-based encryption like that found in SEDs bring a lot of advantages including compliance, stronger security, integrated authentication and low total cost of ownership with an additional benefit of rapid data destruction or crypto-erase. While these convincing reasons remain valid, additional security scenarios provide even more compelling justification for organisations.
Corporations are reinitiating their spending and investments in technology for the future, with information security proving to be a key area to benefit from increased spending. With new approaches such as SEDs, corporations can obtain improved data security without the shortcomings of software-based encryption. Once potential users correctly and completely understand the capabilities of SEDs and the misconceptions are corrected as well, the increasing availability of SED options will provide the solution to cope with data security threats both now and long into the future.
==================================================================
This article was posted in Trusted Computing Twitter.
This article should be REQUIRED READING for any individual interested in GREAT SECURITY!!!! Along with reading Wave's website individuals could have a GREAT UNDERSTANDING of what BETTER SECURITY is all about!!!! Please pass this knowledge to interested individuals and/or organizations.
==================================================================
https://www.wavesys.com/
200M Records of US Citizens Leaked in Unprotected Database
https://www.darkreading.com/cloud/200m-records-of-us-citizens-leaked-in-unprotected-database/d/d-id/1337377
Researchers have not determined who owns the database, which was one of several large exposed instances disclosed this week.
Researchers discovered an unprotected database holding 800GB of personal user information, including 200 million detailed user records. The entirety of the database was wiped on March 3.
User records inside the database held what appeared to be profiles of US users, according to researchers with Lithuanian research group CyberNews. The exposed data included individuals' full names and titles, email addresses, phone numbers, birthdates, credit ratings, home and mortgage real estate addresses, demographics, mortgage and tax records, information about personal interests and investments, and political, charitable, and religious donations.
"We were shocked by the sheer scale of the data exposed: The combination of personal, demographic and real estate asset data was an absolute goldmine for cybercriminals," the CyberNews team says.
It seems much of the data in this "main folder" may have originated in the United States Census Bureau, researchers report. When they found the database on Shodan.io in late January, they reached out to the US Census Bureau as a potential owner and have not heard a response. They watched the database for a couple of months, they say, but assume it was exposed for longer.
Finding the database was "not that difficult," the researchers say, but attackers would need some basic technical knowledge to understand what they were looking for. While someone could have accessed the database by mistake, the chances of this happening would be low.
In addition to the main folder of unsecured data, the database contained two more folders seemingly unrelated to the trove of personal records held in the main folder. These folders held the emergency call logs of a US-based fire department, as well as a list of some 74 bike stations that formerly belonged to a bike-share program. The bike-share stations are owned by Lyft.
While the two smaller folders did not hold personal data, the fire department call logs did have dates, time, locations, and other metadata dating back to 2010. "The presence of the folders that contained bike-sharing and fire department service call data was what confused us the most," they say. It's possible the data in these two folders may have been stolen or was used by several parties at the same time, the researchers hypothesize. They were unable to confirm this.
"The structure of the data led us to believe that the database belonged to a data marketing firm, or a credit or real estate company," the team says. For example, categories and sections were marked as codes in a fashion similar to the dictionaries used by data marketers. The codes themselves, they explain, were specific to the US Census Bureau or used in its classifications.
Information in this database, if accessed, could be "incredibly useful" to phishers, scammers, and other cybercriminals who could use the personal details within it to launch sophisticated phishing campaigns, spam attacks, and social engineering attempts.
This wasn't the only large misconfigured database found exposing sensitive information this week. Just yesterday, a misconfigured Elasticsearch database exposed more than 5 billion records related to data breaches between 2012 and 2019. A UK research firm collected detailed information on the breaches, including domain, source, contact email address, and password.
Earlier this week, vpnMentor researchers discovered an unprotected AWS S3 bucket holding 425GB of data, representing some 500,000 files related to MCA Wizard, a mobile app that acts as a tool for a Merchant Cash Advance. Data in the documents included credit reports, bank statements, contracts, legal documents, purchase orders, tax returns, and Social Security data.
==================================================================
538 Million Weibo Users' Info for Sale on Dark Web
https://www.darkreading.com/attacks-breaches/538-million-weibo-users-info-for-sale-on-dark-web/d/d-id/1337386
The user data, which does not include passwords, purportedly comes from a mid-2019 breach.
Hackers have placed the personal information of more than 538 million Weibo users for sale online. The hacker claims to have breached the Chinese social network in mid-2019.
According to the ad offering the database for sale, the information includes names, Weibo usernames, gender, location, and, in some cases, phone numbers. The breach does not include passwords or payment information.
The data is being offered for $250 in its entirety, an amount likely kept low by the lack of passwords.
==================================================================
It's AMAZING that the two organizations in these articles were apparently unaware that a company named Wave Systems had two solutions, Scrambls and Wave VSC 2.0, that could have PROTECTED their data!!! THIS KEEPS HAPPENING OVER AND OVER when Wave has solutions that could PROTECT these organizations!!! Passing this information along could make organizations AWARE that there is a much better outcome WITH WAVE!!!
==================================================================
https://www.wavesys.com/
VPNs: Not a cybersecurity slam dunk for telecommuters in the age of COVID-19
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/vpns-not-a-cybersecurity-slam-dunk-for-telecommuters-in-the-age-of-covid-19/
CISOs and cybersecurity teams around the world are watching their threat surface multiply as millions of staffers find themselves working from home for the first time in order to help constrain the spread of Coronavirus.
Removing these people from the safe, controlled working environment of their offices and tossing them into the wild, so to speak, means a greater dependence on VPNs. That may prove problematic, as most large enterprises are not prepared to host the majority of their workforce online, and smaller companies may not be set up for this type of access at all.
Then there is the additional threat posed by workers operating outside the direct oversight of IT and security teams possibly making catastrophic decisions that could endanger the entire organization.
Stan Lowe, global CISO for Zscaler, noted that most businesses have enough VPN hardware to generally handle between 20 percent and 30 percent of their workforce working remotely. However, now that entire corporations have been forced to send their employees home with their laptops this is proving not to be anywhere near enough.
It is also neither a simple nor an inexpensive matter to go out and purchase additional equipment, at least of the type needed by larger firms that require a high degree of security, Lowe said. Zscaler is a provider of cloud-based remote access software.
“If you need more equipment, it takes time—you have to buy it, wait for it to ship and arrive then deploy it, update the hardware and keep it updated. And that’s just the VPN stack. Trying to scale VPNs and other legacy remote access technology, adding tens of thousands of users, can take months and break a corporate network,” he said, adding three to five months is a good guesstimate for such an upgrade.
For those companies that cannot increase their VPN capacity it might become necessary to put their workers onto shifts so the VPN capability that is on hand is spread out, Lowe said.
Even companies well-equipped to handle an influx in VPN usage face the daunting task of bringing those who normally occupy office space up to speed on how to use their VPN and make sure their home network can handle the added bandwidth.
“IT must be sure to educate their users, so they are aware of the impact on everyone and to limit their bandwidth-heavy activity, like Netflix streaming, to outside of office hours. This will ensure that productivity doesn’t drop and that users don’t try to forgo the VPN altogether, which could have dire consequences for the security of the business,” said Justin Jett, director of audit and compliance for Plixer.
Another unique situation that needs to be addressed, Jett said, is that not only are employees at home, but so is the rest of their family. A person attempting to do work at the kitchen table is competing with their spouse who is working from the den and their kids who may be gaming or streaming video in another room. All of these demands need to be balanced so work can get done, perhaps requiring the kiddies to limit themselves to board games during the day and streaming when office hours are over.
Then there is the cybersecurity aspect of this new reality. Using a VPN does not by itself make working from home more secure. Lowe pointed out that with people linking in from all over the world, possibly through an insecure router, a company’s attack surface is vastly increased. Even those with a safe connection can cause problems as cybercriminals are working overtime right now to come up with new phishing lures designed to grab login credentials from all the individuals who are now telecommuting full time.
“A VPN only secures the communication channel between the employee’s workstation and the corporate network. However, as a massive amount of home workers now start to use their personal workstations to access corporate assets, it’s only a matter of time until we see a soaring number of cyberattacks that originate from these personal devices that can be easily breached,” said Tal Zamir, co-founder and CTO of Hysolate.
If just one person makes a mistake a malicious actor could gain the information needed to access a corporate network. Placing even more pressure on the individual is the fact that there is nobody from the company’s IT department or security team within earshot to ask if an email is malicious or legit.
“If devices are infected with malware, even workers who use a VPN client cannot evade attackers who can ride their VPN connection to raise havoc in enterprise networks. The more users are working from home, the greater the risk. Organizations should instruct employees to use trusted dedicated workstations to access sensitive corporate assets and avoid using their multi-purpose personal devices,” Zamir said.
A VPN breach is about as bad as it gets; the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy, said Aaron Zander, Head of IT at HackerOne.
Companies able to add VPN capacity are not automatically safe, but must take several extra measures to ensure errors are not made in their haste to deploy the new hardware.
“Triple check all of your network configurations, ACLs, firewall rules, etc. Without a doubt in 9 months from now, we’ll be looking at news stories about two impacts resulting from COVID-19 — all the babies being born, and all the breaches that have happened because of negligent infrastructure,” Zander said.
=================================================================
There is NO NEED TO BUY extra security hardware; it is already BUILT IN to most business PCs (TPM)!!!!
You need multi-factor authentication. Fast. You need Wave Virtual Smart Card!!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/
Russian hackers using stolen corporate email accounts to mask their phishing attempts
https://www.cyberscoop.com/fancy-bear-phishing-email-trend-micro-apt-28/
Hackers working for Russian military intelligence have long relied on zero-days and malware to target their victims, but in the last year they’ve kept it simple — using previously hacked email accounts to send a wide array of phishing attempts, according to new research from security firm Trend Micro.
Since at least May of last year, the group known as Fancy Bear, APT28, or Pawn Storm, has used hacked email accounts belonging to high-profile personnel working at defense firms in the Middle East to carry out the operation, according to Feike Hacquebord, a senior threat researcher at Trend Micro.
“The actor connects to a dedicated server using the OpenVPN option of a commercial VPN provider and then uses compromised email credentials to send out credential spam via a commercial email service provider,” Hacquebord writes in the research.
The group, which the U.S. Department of Justice linked with Russia’s Main Intelligence Directorate of the Russian General Staff (GRU) two years after its 2016 intrusion at the Democratic National Committee, has long been focused on conducting espionage against defense ministries and military entities for Moscow’s political and economic gain.
But Fancy Bear has also been firing off phishing attempts using hacked email addresses from the government, financial, utilities, and transportation sectors in the United Arab Emirates, India, Pakistan, Jordan, and the U.S., according to Trend Micro, suggesting the group has plenty of previously successful compromises.
It isn’t clear why the Russian hacking group, which has been active since 2004, is willing to risk revealing some of their successful crusades in order to run these campaigns, Hacquebord said.
“Pawn Storm could be attempting to evade filtering at the cost of making some of their successful compromises known to security companies,” Hacquebord said. “However, we did not notice a significant change in successful inbox deliveries of the group’s spam campaigns, making it difficult to understand the rationale behind the change in methodology.”
Hacquebord said he suspects Trend Micro’s new findings suggest that Fancy Bear may rely on targeting techniques that don’t rely on malware, which may reveal how the GRU carries out its plans.
Fancy Bear has not necessarily abandoned its use of malware to target its victims — the group was using malware last summer to target Central Asian nations, diplomatic entities, and foreign affairs organizations, as CyberScoop first reported. The group has also in recent months targeted sports-related organizations, particularly Olympics-linked entities in advance of the planned Tokyo Olympics in 2020, and may have used malware to do so, according to Microsoft research.
Please see link above for the rest of the article.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
=================================================================
https://www.wavesys.com/
=================================================================
ANOTHER IMPORTANT reason to use Wave VSC 2.0!!!
BETTER SECURITY AT LESS THAN HALF THE COST!!!
Over 60% of the Fortune 1000 had at least one public breach over the last decade
https://www.helpnetsecurity.com/2020/03/18/fortune-1000-breach/
Over 60% of the Fortune 1000 had at least one public breach over the last decade, according to Cyentia Institute research. On an annual basis, it is estimated that one in four Fortune 1000 firms will suffer a cyber loss event. That ratio approaches 50% for the Fortune 250.
Moving beyond mega-corporations, the probability of cyber incidents drops substantially. SMBs have breach rates below 2% and are orders of magnitude less likely to suffer 10 or more in a year.
Estimating breach losses
The likelihood of breaches also varies by industry. Government agencies, information services, financial firms, and educational institutions have the highest rates. Construction, agriculture, and mining occupy the lower end of the frequency spectrum.
The traditional method of estimating breach losses—using a flat cost per record—is flat-out harmful. It results in $1.7 trillion of error due to overestimating losses compared to actual recorded values. We demonstrate a better method for more accurate cyber risk assessments.
We can use the number of exposed records to estimate breach losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, a massive breach of 100M records has a better than 50% chance of racking up at least $10M in losses.
The financial impact
Financial losses following a cyber event typically run about $200K, but 10% of breaches exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).
Typical and extreme losses differ substantially among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.
Cyber events show harsh economies of scale. A $100B enterprise that experiences a typical cyber event ($292K) should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings ($24K) or more.
=================================================================
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (i.e. EBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
=================================================================
Teleworking?? Why take chances by not using Wave VSC 2.0 and Wave solutions??
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
DOD networks, under ‘unprecedented’ strain, are more vulnerable to attacks, official says
https://www.fedscoop.com/dod-telework-youtube-strain-cyberattacks/
As more non-“mission-critical” civilian, military and contractor employees login remotely to do their Department of Defense jobs, U.S. adversaries are ramping up attacks, an IT official said during a virtual town hall event Monday.
The DOD’s network is under “unprecedented” demand as the federal government goes to maximum telework capacity, Essye Miller, principal deputy to the DOD’s CIO, said during the event. Much of that strain is coming from remote workers streaming music and videos, prompting the department to suspend access to YouTube and encouraging everyone to avoid streaming music.
“With the increase in telework capability comes an increase in attack surface for our adversaries,” Miller said. “They are already taking advantage of the situation.”
The DOD and military services either declined to comment or did not respond to questions about how many nonessential DOD employees are teleworking.
The CIO’s office has three tiers of need for teleworkers: those who need access just to their DOD emails; those that need access to their files; and those that need full “office-like experience” to carry on their job. Currently, the CIO’s office is working with IT managers across the department to triage network access, Miller said. Many officials whose work is related to classified information or national security cannot telework.
“The Pentagon today seems a little more empty than usual, that is because we are stress-testing teleworking arrangements,” Lisa Hershman, DOD’s chief management officer, said at the virtual event.
The CIO’s office is working to create a “dos and don’ts” list and will offer remote workers a list of best practices to limit the vulnerabilities created from remote access. The Cybersecurity and Infrastructure Security Agency (CISA) put out an alert Friday reminding those who will use virtual private networks (VPNs) to patch and stay updated on security breaches.
Miller asked those who are working remotely not to “resort to more creative means” of chatting online with colleagues. The Defense Information Systems Agency (DISA) is working to create a DOD-approved chat platform, she said. Using non-DOD-approved chatrooms “will ultimately create holes and establish unnecessary security postures for us,” Miller said.
The fallout from the novel coronavirus pandemic is unprecedented for the DOD, which has faced sequestration and furlough before. But for those past events, workers had to stop their work instead of working from home.
Daniel Walsh, acting director of the Pentagon Force Protection Agency, asked all to “follow personal hygiene against the coronavirus, but also cyber-hygiene.”
=================================================================
With Bill Solms and/or Steven Sprague and other employees, Wave could be very helpful to the situation with the DOD in this article!!! Below is a FREE TRIAL in the Wave VSC 2.0 link for BETTER SECURITY AT LESS THAN HALF THE COST!!!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/
Beyond Burnout: What Is Cybersecurity Doing to Us?
https://www.darkreading.com/edge/theedge/beyond-burnout-what-is-cybersecurity-doing-to-us/b/d-id/1337310
Infosec professionals may feel not only fatigued, but isolated, unwell, and unsafe. And the problem may hurt both them and the businesses they aim to protect.
"Sometimes I feel like I'm just yelling into the chasm."
"I began to question everything that I believed to be true about myself."
"They see stuff that makes them wish they had bleach for their brains."
You can hear it gurgling through every conversation at a cybersecurity conference, from the expo floor to the press room to the neighborhood bar – that telltale combination of giddy fascination, wry gallows humor, and weary frustration. The field often attracts clever and creative individuals who want to help people. However, over time, curious minds crackling with ideas for how to fix the world's cybercrime problems may fizzle out.
The industry is beginning now to talk openly about "burnout" – but beyond leaving infosec professionals feeling frustrated and tired, the job can leave some feeling isolated, unwell, and unsafe.
And that's a problem not just for the professionals in the industry – it's an issue that reverberates into their families, their world views, and the cybersecurity of the businesses and systems they aim to protect.
Cybersecurity professionals are trying to save everyone. Does someone need to save them?
The Impact: 'The Only Ones to Feel Any Pain'
Over 400 CISOs and 400 C-suite executives revealed some sobering truths in a survey recently conducted by Vanson Bourne on behalf of Nominet. The "CISO Stress Report" found:
• 21% of CISOs said they have taken a leave of absence because of job-related stress. Some CISOs took this significant step even though many reported being afraid to take sick days (41%) and neglecting to take all of their allotted time off (35%).
• 48% of CISOs said their work stress has impacted their mental health, and 35% said it has impacted their physical health.
• 40% of CISOs said their work stress has impacted their relationships with their families or children, 32% said it has impacted their relationships with spouses or romantic partners, and 32% said it has impacted their relationships with friends.
• 23% said they are using medication or alcohol to manage stress.
• 94% of American CISOs and 95% of UK CISOs reported working more than their contracted hours – on average, 10 hours per week more. In addition, 83% of American C-suite execs and 73% of UK execs confirmed they do, indeed, expect security teams to work longer hours.
Curtis Simpson, now CISO of Armis says he's begun to find some balance and even pick up hobbies, but it took him a long time "in the salt mines" before he reached this point.
"I personally spent my daughter's entire high school graduation ceremony having to quarterback the global response to an attack – an attack that would have been easily prevented if any of the specific guidance we had been sharing with the business was followed," says Simpson. "None of the guidance was followed, but the security team was, as is common, the only ones to feel any pain."
Simpson's experience is not uncommon; 45% of respondents to the Nominet survey stated their work as a CISO had caused them to miss a family milestone or activity.
However, long hours are something that workers in many fields suffer. So what makes infosec people special?
'Bleach for Their Brain'
Observing the habits of cybercriminals day in and day out can leave its mark – particularly on threat researchers and forensic investigators.
"You do see the darker side of humanity," says Adam Kujawa, director of Malwarebytes Labs.
He speaks specifically about stalkerware and of ransomware that extorts victims by threatening to dox them with false evidence that they viewed child pornography.
"That kind of stuff just breaks my heart," he says.
And as Marcus Carey (who has worn many security hats, from Navy cryptographer, to entrepreneur, to his current status as Reliaquest enterprise architect) points out, digital forensics specialists don’t just face the fraudulent threats of child pornography, but the reality of it. Because psychologists have already determined that researchers who investigate child sexual abuse material may have responses similar to post-traumatic stress disorder, and even one individual investigation may deal with terabytes of data, technologists are beginning to search for ways to better automate this process.
In reference to the digital forensic investigators who conduct these cases and many other kinds of cybercrimes, Carey says, "They see stuff that makes them want to bleach their brain."
'Always on a Swivel'
"I actually draw several parallels between [the cybersecurity profession] and the homeless population," says Dr. Ryan Louie, MD, Ph.D., a San Francisco-based board-certified psychiatrist who has worked with the homeless population and specializes in the mental health impacts of entrepreneurship and technology. He presented a session at the RSA Conference (RSAC) last month.
Louie explains that both infosec pros and homeless individuals are always looking to see who might hurt them. "[The homeless are] out in the open," he says. "They don't have the shelter at nighttime. They always have to look out if someone's going to take their belongings, if anyone's going to harm them, where are they going to get help."
It's a constant, 24/7 effort to address threats and an inability to "turn off," he says, and he has seen it in both groups of people.
Carey says he's rather amazed at the accuracy of this comparison. "Wow. You just blew my mind," he says. "My head is always on a swivel. It drives my wife crazy."
In a recent poll on Dark Reading's The Edge, 83.1% of respondents indicated that working in infosec had made them a "less trusting person," 59% said they were grateful for their increased caution, 4.9% said they wished they were more trusting, and 19.2% said that while they valued their caution, sometimes they wished they were more trusting.
When the need for safety or the fear of being harmed again becomes too great, it can become an illness, Louie says.
This matter of safety was also discussed by NSA senior researcher Dr. Celeste Paul in her recent RSAC keynote session about the "fundamental needs of security professionals." She referenced that a century ago, famed physician and educator Maria Montessori laid out the fundamental needs of humans, one of which was safety.
But cybersecurity professionals have a complicated relationship with safety.
The infosec job is largely to keep people (organizations, systems, individuals) safe. But because so many cyberattacks exploit the end user, infosec pros rarely try to make anyone feel safe – quite the contrary.
==================================================================
If CEOs, CISOs, BODs and SHAREHOLDERS were made aware of Wave's solutions and used them, stress levels would be much BETTER and the organizational efficiency would go UP in a BIG WAY!! BETTER SECURITY AT LESS THAN HALF THE COST!!!! Please see the site below for a company that has been ahead of its time!!!
==================================================================
https://www.wavesys.com/
Hackers find new target as Americans work from home during outbreak
https://thehill.com/policy/cybersecurity/487542-hackers-find-new-target-as-americans-work-from-home-during-outbreak
==================================================================
Here is a BIG OPPORTUNITY for the PROTECTION of organizations!!! BETTER SECURITY AT LESS THAN HALF THE COST!!! Please see the information and FREE TRIAL on the Wave VSC 2.0 web page below!!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Five reasons why COVID-19 will bolster the cyber-security industry
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/five-reasons-why-covid-19-will-bolster-the-cyber-security-industry/
Excerpt:
At the end of the day, more people will become even more dependent on the Internet and will unquestionably require safety of their data, privacy and a sense of control over their digital ecosystem. In light of the multidimensional digitalisation, cybersecurity companies now have a boundless opportunity to embody their innovations and leverage creativity for a sustainable benefit of the modern society.
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
==================================================================
See all the other features of Wave VSC 2.0 below. Wave can save corporations/organizations in many ways!!! Please pass along information that may be helpful to others.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
J.Crew says year-old breach exposed customer account info
https://www.scmagazine.com/home/security-news/j-crew-says-year-old-breach-exposed-customer-account-info/
J.Crew notified a group of customers that an unauthorized third-party accessed their accounts nearly a year ago using their login credentials and obtained personal information, including the last four digits of payment card numbers, expiration dates, card types and billing addresses as well as order numbers, shipping confirmation numbers and shipment status.
In a filing with the California Attorney General’s Office, J.Crew said it had disabled affected accounts and directed customers to contact the J. Crew Customer Care Center to reset their passwords. “We do not have reason to believe that the unauthorized party gained access to any additional information within your account,” the company said in the notification.
“For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned,” said Jonathan Knudsen, senior security strategist at Synopsys, calling for users to practice good cyber hygiene, including changing the password on other sites.
Because J.Crew didn’t reveal the attack publicly until almost a year after it occurred, Knudsen said hackers may have already used the information in other attacks.
“Businesses face an even higher risk when employee data appears as part of a credential dump or account sale, particularly if employees have used corporate addresses to sign up for personal services,” Emily Wilson, vice president of research at Terbium Labs, maintained. “Corporate contact details stand out starkly against consumer details in a big credential leak, putting that organization at an increased risk for phishing or direct account takeover, especially if employees are re-using passwords between corporate and professional accounts.”
She explained that “a set of corporate credentials in a third-party breach is an open invitation to walk straight into an employee account – and a corporate network by extension.” Businesses, she said, “need to know if and when their information appears online, regardless of the original source of the leak. Even if it’s not your breach, it’s still definitely going to be your problem.”
==================================================================
The third-party would need the computer (device-TPM) to access an employee's information and corporate network with Wave VSC 2.0!!!
ANOTHER situation where a company (J.Crew) COULD HAVE BENEFITED IN A BIG WAY BY USING Wave VSC 2.0!!!
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Ex-DHS inspector general indicted for allegedly stealing government software
https://www.cyberscoop.com/fomer-inspector-general-indicted-charles-edwards/
Federal prosecutors on Friday announced charges against the former acting inspector general of the Department of Homeland Security for allegedly stealing proprietary software from the watchdog and trying to profit from it.
Charles K. Edwards, who served as acting DHS inspector general from 2011 to 2013, and his former associate Murali Yamazula Venkata, are accused of aggravated identity theft, wire fraud, and conspiring to steal government property to defraud the United States.
The alleged scheme took place from 2014 to 2017, after Edwards had already left DHS’s inspector general (IG) office. But the head-turning indictment accuses Edwards of coordinating with Venkata, who still worked at the IG’s office, to steal the IG’s software. Edwards and Venkata also allegedly took “sensitive government databases” containing the personally identifiable information of DHS and U.S. Postal Service employees.
Edwards then allegedly used the stolen code to improve software made by his company, Delta Business Solutions, and tried to sell it to the Department of Agriculture’s inspector general office.
Edwards needed some IT support to finish the operation, prosecutors said. Venkata and other unnamed individuals allegedly helped Edwards reconfigure his laptop so he could upload the stolen software and databases. The IT hands built a test server at Edwards’ residence that contained the stolen PII, and Edwards enlisted software developers in India to help him commercialize the software, according to the indictment.
Neither Edwards, Venkata nor Delta Business Solutions could be immediately reached for comment Friday. The DHS’s IG office did not immediately respond to a request for comment.
An inspector general is supposed to be an independent check on federal waste and abuse. But a 2014 Senate investigation found that, as acting inspector general, Edwards had delayed and altered investigations at the behest of senior Obama administration officials.
==================================================================
https://www.wavesys.com/data-protection
Excerpts:
Security = data protection
When we talk about security, what we really mean is protecting data from theft and misuse. Proprietary information, R&D, corporate strategy, customer names and phone numbers, social security numbers, passwords … All have potential monetary value, and all are targets. Data theft is a growth industry. As an example, tens of thousands of new malware strains pop up daily. With online tools, even a non-technical person can create one in minutes.
The IT perimeter has vanished
Data protection is easy enough when your data is sitting in secure servers. But today, it’s not. The workforce is increasingly mobile. More than 60 percent of corporate data lives not on servers but on laptops, tablets, and other devices (and more and more of those devices are owned by employees). Data is dispersed, constantly moving, and constantly exposed to the Internet and all the malware, viruses, and hackers lurking there.
Wave’s solution: start with the device
The Wave approach to this challenge is to make the IT perimeter irrelevant. Wave turns on and manages the self-encrypting drives (SEDs) and trusted platform modules (TPMs), or security chips, that are already embedded in many of your devices. The upshot is that each and every device is equipped with its own data protection system—while being centrally managed. This gives you unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks.
We cost less too. Wave works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on 600 million–plus laptops and is now working its way onto mobile devices. Our software is all you need to reach a whole new level of data protection. It’s one of the big reasons why total cost of ownership can be almost half that of a traditional software-based system that doesn’t even work very well.
One in five SMBs use no endpoint security at all
https://www.helpnetsecurity.com/2020/02/27/smbs-breach-prepared/
An alarming number of SMBs (small to medium businesses) in the US and UK are not prepared for a potential cyber attack or breach, BullGuard warns.
One-third of companies with 50 or fewer employees report using free, consumer-grade cybersecurity, and one in five companies use no endpoint security whatsoever.
SMBs are not prepared for a breach
Additionally, and worrisomely, the BullGuard study found 43% of SMB owners have no cybersecurity defense plan in place at all – leaving their most sensitive financial, customer and business data, and ultimately their companies, at significant risk.
“Small businesses are not immune to cyber attacks and data breaches, and are often targeted specifically because they often fail to prioritize security,” said Paul Lipman, CEO of BullGuard.
“Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”
SMB owners overly confident in the safety of their company and customer data
The study also revealed some glaring discrepancies between what SMB owners believe versus what is actually occurring in the market. Nearly 60% of SMB owners believe their business is unlikely to be targeted by cyber criminals, however the results revealed that 18.5% of SMB owners have suffered from a cyber attack or data breach within the past year.
Unfortunately, while securing data can be simple, remediation is not. Companies that fall victim to a cyber attack often experience significant downtime that seriously impacts productivity, data privacy, and even revenue.
Once breached, 25% of SMB owners stated they had to spend $10,000 or more to resolve the attack, which could be devastating for a small company. As for time lost, 50% of SMB owners said it took 24 hours or longer to recover from a breach or cyber attack, while 25% reported they lost business as a result, and almost 40% stated they lost crucial data.
Despite these numbers, many SMB owners are overly confident in the safety of their company and customer data. One in five SMB owners surveyed stated their organization has zero vulnerabilities, however 50% of SMB owners stated their employees do not receive any cybersecurity training.
A significant number, 65%, of SMB owners report managing their cybersecurity in-house, but less than 10% say they have a dedicated IT staff member. The right solution makes it simple and extremely cost-effective for SMBs to manage their own cybersecurity, ensuring their business is secure and protected.
=================================================================
Imagine if SMBs knew that only known and approved devices were accessing their networks!!!
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/
https://www.wavesys.com/contact-information
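The device-bound second factor that the "TPM + ERAS" excerpt above and the earlier "Wave alternative" excerpt describe (and that the J.Crew comment relies on), as an added example that is not Wave's code: a Go simulation of a challenge-response login where the password is one factor and a signature from a per-device key is the other, so a password leaked in a third-party breach is not enough on its own. The TPM-held key is assumed here to be a software ECDSA key, and the user, password and device IDs are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models an enrolled endpoint. Its ECDSA key is a software stand-in (an
// assumption here) for a key a real TPM generates internally and never exports.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Sign answers a server challenge; only the signature, never the key, leaves the device.
func (dev *Device) Sign(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, dev.priv, h[:])
}

// Directory is the server side: password hashes, approved device keys per user, outstanding nonces.
type Directory struct {
	passHash map[string][32]byte
	devices  map[string]map[string]*ecdsa.PublicKey // user -> device ID -> key
	pending  map[string]bool                        // hex(nonce) -> issued, unused
}

func NewDirectory() *Directory {
	return &Directory{passHash: map[string][32]byte{},
		devices: map[string]map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Enroll binds a password hash (SHA-256 stands in for a real KDF such as argon2) and a device key.
func (d *Directory) Enroll(user, password string, dev *Device) {
	d.passHash[user] = sha256.Sum256([]byte(password))
	if d.devices[user] == nil {
		d.devices[user] = map[string]*ecdsa.PublicKey{}
	}
	d.devices[user][dev.ID] = &dev.priv.PublicKey
}

// NewChallenge issues a fresh nonce accepted exactly once, so a captured signature cannot be replayed.
func (d *Directory) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Authenticate checks both factors: the password (what the user knows) and a signature over
// an outstanding nonce by a device key approved for that user (what the user has).
func (d *Directory) Authenticate(user, password, deviceID string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !d.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(d.pending, key) // consumed whether or not the attempt succeeds
	want, ok := d.passHash[user]
	if !ok {
		return errors.New("unknown user")
	}
	if got := sha256.Sum256([]byte(password)); subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return errors.New("wrong password")
	}
	pub, ok := d.devices[user][deviceID]
	if !ok {
		return errors.New("device not approved for this user")
	}
	if h := sha256.Sum256(nonce); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("device signature invalid")
	}
	return nil
}

func main() {
	dir := NewDirectory()
	laptop, _ := NewDevice("laptop-1") // constructed device; user and password below are constructed too
	dir.Enroll("alice", "correct horse", laptop)
	nonce, _ := dir.NewChallenge()
	sig, _ := laptop.Sign(nonce)
	fmt.Println("approved device:", dir.Authenticate("alice", "correct horse", "laptop-1", nonce, sig))
	nonce, _ = dir.NewChallenge() // credential stuffing: right password, no device key
	fmt.Println("stolen password only:", dir.Authenticate("alice", "correct horse", "laptop-1", nonce, nil))
}
```

The same check also rejects a replayed nonce and a device not on the user's approved list, which is the "only known and approved devices" property the excerpt claims.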
Transmit Security, Authentication Company Used by Banks, Hacked
https://www.vice.com/en_us/article/wxepb4/transmit-security-authentication-banks-hacked
The breach impacted email addresses, passwords, phone numbers, and other sensitive information, according to a researcher mentioned in a breach notification obtained by Motherboard.
This week a cybersecurity company called Transmit Security, that focuses on providing corporate clients with tools to securely log users into different services, notified customers of a data breach at the firm. The breach impacted over a thousand email addresses, passwords, phone numbers, and other sensitive information, according to a researcher mentioned in Transmit Security's breach notification message. Transmit Security denied passwords were impacted in a follow-up email.
Transmit Security works with a number of large banks, including TD Bank and the First International Bank of Israel.
Please see link for the rest of the article
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Lee, MA - December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
==================================================================
Wave VSC 2.0, better security at less than half the cost!!!
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
One in four Americans won’t do business with data-breached companies
https://www.zdnet.com/article/one-in-four-americans-wont-do-business-with-data-breached-companies/
With so many large-scale data breaches at major companies, is it possible for brands to regain consumer confidence again?
If you had an account with businesses such as Marriott, Under Armour, Panera Bread, T-Mobile, or Facebook, amongst others, there is a chance that you could be among the millions of people whose email addresses, passwords, passport number, credit card numbers, and billing address were exposed unlawfully.
In 2018, roughly five billion people had their information and sensitive data exposed due to hacks. But what do customers do when they've had their private information exposed by a corporation that's been breached via cyber attack?
Security company Security.org surveyed over 1,000 people in the US including over 300 data breach victims to learn more about their awareness of major data breaches.
This study included data breaches that occurred from Jan. 1, 2018, to Dec. 31, 2018, regardless of the public reporting date. Only breaches leaking over 500,000 consumer records that affected consumers on a national scale were included.
It found that most people were only loosely familiar with the total number of corporate breaches that occurred in 2018. Though the majority of people admitted to losing trust in corporations that experienced data breaches, most were unwilling to cut ties with these companies.
To counter this, most people made their account passwords harder to guess and were more selective with whom they gave their financial information after learning of a breach, even though one in three people who experienced a data breach ultimately weren't sure which information was targeted.
The findings showed that almost one in four Americans stop doing business with companies who have been hacked, and more than two in three people trust a company less after a data breach.
Almost all respondents (92%) agree that companies are financially liable to their customers after a breach, and over one in five people are unwilling to give their financial information to a company that has been hacked.
Breaches normally expose email addresses (49.5%) or full names (47.8%), but 13.8% of breaches expose credit card information and 11.8% of breaches expose debit card information.
Over two in five learned that they had been breached from the media, or from the breached company itself. Over one in 10 (12.7%) discovered after noticing a financial discrepancy on their records.
After learning of a data breach, almost three out of five (59.1%) made their passwords more difficult to guess, and almost half (44.6%) became more reluctant to enter financial information online. Almost one in six (13.6%) did nothing.
Fewer than one in 10 people (8.5%) will give a company their financial information within a month after they've been breached and over one in five (21.6%) would be unwilling to give any information to a company that has experienced a data breach.
Being in control of who has access to our information is important to us -- so why are we giving away this access with a simple click each day? Securing our accounts with unique passwords will help to minimize the breach, and being cautious when accessing accounts from public Wi-Fi, too.
Being ultra-cautious will help to keep you -- and your family -- safe online.
==================================================================
Wave VSC 2.0 could help with the problem in the above article. If marketing was done through the social media channels mentioning the transparency of logging into websites with Wave VSC 2.0, corporate users wouldn't have password problems. And also, with Wave ERAS preventing breaches by only using known and approved devices on the network, organizations could keep the bad guys from accessing sensitive data and these breaches would stop. Companies wouldn't then lose a quarter of their customers.
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/contact-information
Android malware can steal Google Authenticator 2FA codes
https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/?ftag=COS-05-10aaa0g&taid=5e585f34f3794d0001183984&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.
Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.
Google launched the Authenticator mobile app in 2010. The app works by generating six- to eight-digit unique codes that users must enter in login forms while trying to access online accounts.
Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user's smartphone and never travel through insecure mobile networks, online accounts that use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.
Cerberus gets Authenticator OTP-stealing capabilities
In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.
"Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application," the ThreatFabric team said.
"When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server," they added.
ThreatFabric said this new feature is not yet live in the Cerberus version advertised and sold on hacking forums.
"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.
Feature developed for bypassing 2FA on banking accounts
All in all, the ThreatFabric team points out that current versions of the Cerberus banking trojan are very advanced. They say Cerberus now includes the same breadth of features usually found in remote access trojans (RATs), a superior class of malware.
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account -- if present.
ThreatFabric researchers believe the Cerberus trojan will most likely use this feature to bypass Authenticator-based 2FA protections on online banking accounts; however, there's nothing stopping hackers from bypassing Authenticator-based 2FA on other types of accounts. This includes email inboxes, coding repositories, social media accounts, intranets, and others.
Historically, very few hacker groups and even fewer malware strains [1, 2] have ever had the ability to bypass multi-factor (MFA) authentication solutions.
If this feature works as intended and ships with Cerberus, it will put the banking trojan in an elite category of malware strains.
The new Cerberus capabilities are detailed in a ThreatFabric report that summarizes all the recent remote access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.
==================================================================
One has to wonder whether any other 2FA products on smartphones that use One Time Passwords (OTP) like Google Authenticator are susceptible to malware?? Below is a multi-factor authentication solution that is based on hardware that is an international standard!! Customers among which Wave VSC 2.0 has been successfully tested are the U.S. government, a global financial services company and others. Better security at less than half the cost!!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/
Samsung cops to data breach after unsolicited '1/1' Find my Mobile push notification
https://www.theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/
Tight-lipped chaebol still won't talk about the dodgy app, though
Samsung has admitted that what it calls a "small number" of users could indeed read other people's personal data following last week's unexplained Find my Mobile notification.
Several Register readers wrote in to tell us that, after last Thursday's mystery push notification, they found strangers' personal data displayed to them.
Many readers, assuming Samsung had been hacked, logged into its website to change their passwords. Now the company has admitted that a data breach did occur.
A spokeswoman told The Register: "A technical error resulted in a small number of users being able to access the details of another user. As soon as we became aware of the incident, we removed the ability to log in to the store on our website until the issue was fixed."
She added: "We will be contacting those affected by the issue with further details."
From the not-insignificant number of emails El Reg received about the website snafu, it remains to be seen whether Samsung's definition of "small number" is the same as that of the rest of the world.
Of potentially greater concern is the mystery 1/1 push notification from Find my Mobile, a baked-in app on stock Samsung Android distributions. Although the firm brushed off the worldwide notification as something to do with unspecified internal testing, many of those who wrote to El Reg said they had disabled the app. Stock apps cannot be uninstalled unless one effectively wipes the phone and installs a new operating system – unlocking the bootloader and reformatting with a new third-party, customised ROM.
Samsung did not answer our questions as to how a "disabled" app was able to receive and display push notifications. Nor did it say what other functions this "disabled" app was capable of executing. ®
==================================================================
Wave Systems Signs 15-year License Agreement with Samsung
https://www.wavesys.com/buzz/news/wave-systems-signs-15-year-license-agreement-samsung
Author:
Mike Lennon
Security Week -
Wednesday, May 30, 2012 -
Wave Systems has signed a 15-year software license and distribution agreement with Samsung, enabling Samsung to bundle Wave’s EMBASSY Security Center (ESC) and TCG Software Stack (TSS) technology with devices that include a Trusted Platform Module (TPM), an industry standard security chip embedded in the motherboard of a computer or other electronic device.
In an SEC filing, Wave said it would receive a per-unit royalty based on Samsung’s sales of products that include its technology, but did not provide estimates in terms of expected revenue derived as a result.
Security Week has full article.
==================================================================
Samsung could prevent breaches from occurring by using the technology from its partner Wave Systems!!!! The TPM/TEE could be used as a secure container for sensitive information, and the TPM could be managed by Wave's software!! Just a reminder for those at Wave and Samsung that may be able to use information for a problem that showed itself.
MITRE Engenuity to Evaluate Cybersecurity Products Based on Carbanak and FIN7 Groups
https://www.businesswire.com/news/home/20200220005985/en/MITRE-Engenuity-Evaluate-Cybersecurity-Products-Based-Carbanak
==================================================================
Wave Integrating MITRE’s Attestation Technique into its Endpoint Monitor for Remediating Advanced Malware
MITRE Details Technique at Black Hat 2013
https://www.wavesys.com/buzz/pr/wave-integrating-mitre%E2%80%99s-attestation-technique-its-endpoint-monitor-remediating-advanced-mal
Lee, MA -
July 31, 2013 -
Wave Systems Corp. (NASDAQ:WAVX), the Trusted Computing Company, announced plans to integrate The MITRE Corporation’s new timing-based attestation technique into Wave Endpoint Monitor (WEM), the industry’s first solution to leverage industry standard hardware to detect and remediate malware that can surreptitiously mount attacks before the operating system loads. MITRE is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government.
With this enhancement, Wave will integrate MITRE’s technique that doubly verifies that the core BIOS hasn’t been corrupted. The BIOS is the first software run by the PC when powered-on and is responsible for initializing hardware and getting the operating system running. It also contains the “core root of trust measurement” (CRTM) software, the first software in the boot trust chain that ends in the assurance that the computer booted safely.
“MITRE has made a significant contribution to the body of research by identifying a scenario in which malicious code could be introduced to the BIOS that would cause it to provide a false reading and allow the malicious BIOS to indicate the system had not been corrupted,” said Dr. Robert Thibadeau, Wave’s Chief Scientist. “MITRE’s technique offers a second control for determining the CRTM does not lie about itself and any of the rest of the trust chain.”
Dr. Thibadeau added, “While BIOS attacks are still fairly rare today—less than one percent by many accounts—they represent a new and dangerous attack vector, and we’re bound to see more in future years as the more popular preboot targets are secured by our existing WEM technology.”
The management of CRTM detection will be incorporated in a module for WEM, which Wave expects will be production-ready in early 2014 to meet the expected increase of these attacks. Wave Endpoint Monitor captures verifiable PC health and security by utilizing information stored within the TPM. If anomalies are detected, the attack is controlled, and IT is alerted immediately with real-time analytics.
MITRE research presented at Black Hat 2013
MITRE researchers John Butterworth, Corey Kallenberg, and Xeno Kovah presented their research on this vulnerability and technique, “BIOS Chronomancy: Fixing the Core Root of Trust for Measurement,” at Black Hat 2013.
The team’s research highlights a vulnerability in which a firmware rootkit tricks an endpoint’s Trusted Platform Module (TPM) chip into reporting a clean BIOS firmware, when in fact it has been compromised. MITRE’s research shows the importance of using timing-based attestation systems, which can defend against attackers who obtain the same privilege levels as the defender. John Butterworth, a Senior Infosec Engineer at MITRE, adds, “additional complexities are imposed on an attacker who tries to conceal a rootkit in the presence of timing-based attestation; even concealing the modification of a single byte will trigger a measurable change.”
The team’s findings come as vendors work to implement BIOS protection specifications as outlined by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011.
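The article describes the boot trust chain (CRTM measures the BIOS, which measures the next stage, and so on, with the results extended into the TPM) and why a dishonest CRTM defeats plain hash comparison. The following is an added example, not Wave's or MITRE's code, that simulates that chain in software: a SHA-256 PCR extend, an event log, and a verifier that checks the log against the reported PCR and a golden value. Stage images and the golden chain are constructed placeholders; no real firmware is involved.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank, as in TPM 2.0


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: the register can only move to H(old || new), so no later
    stage can overwrite what an earlier stage recorded, only append to it."""
    return digest(pcr + measurement)


def measured_boot(stages):
    """Simulate the boot trust chain. `stages` is a list of (name, image_bytes)
    beginning with the CRTM. Each image is hashed, the hash is written to an
    event log and extended into the PCR. Returns (pcr, log)."""
    pcr = bytes(PCR_SIZE)  # PCRs start at zero on power-on
    log = []
    for name, image in stages:
        m = digest(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """Recompute, from the event log alone, the PCR value a verifier expects."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Verifier (the role Wave Endpoint Monitor plays in the article):
    the log must replay to the PCR the TPM reports, and that PCR must match
    the known-good value recorded at enrolment. Both checks are required."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


def tamper(stages, name, flip_byte=0):
    """Return a copy of the chain with one byte of the named stage image flipped,
    to show that even a single-byte change is visible in the PCR."""
    out = []
    for n, image in stages:
        if n == name:
            b = bytearray(image)
            b[flip_byte] ^= 0x01
            image = bytes(b)
        out.append((n, image))
    return out


# Constructed stand-ins for firmware images (real ones are megabytes).
GOOD_CHAIN = [
    ("CRTM", b"crtm: measures the rest of the BIOS"),
    ("BIOS", b"bios image v1.00"),
    ("bootloader", b"boot loader image"),
    ("kernel", b"kernel image"),
]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_CHAIN)

if __name__ == "__main__":
    print("clean boot attests:", attest(GOLDEN_PCR, GOLDEN_LOG, GOLDEN_PCR))
    pcr, log = measured_boot(tamper(GOOD_CHAIN, "bootloader"))
    print("one flipped byte attests:", attest(pcr, log, GOLDEN_PCR))
    print("doctored log with real PCR attests:", attest(pcr, GOLDEN_LOG, GOLDEN_PCR))
```

Every check above assumes the first measurement was taken honestly: if the CRTM itself is replaced, it can feed the golden hashes into the TPM and this verifier has no way to tell, which is exactly the scenario Dr. Thibadeau describes. That is the gap the timing-based second control addresses, by measuring how long the self-check takes rather than trusting only what it reports.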
=================================================================
Wave worked with MITRE six years ago, and now companies are working with MITRE on malware testing. Results (of these tests) will be announced in early 2021. Why wait until 2021, go with a company (Wave) that could protect your company now with technology that has proven itself, and already has MITRE incorporated into it!!!
==================================================================
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/
Fox Kitten APT campaign exploits VPN flaws hours after public disclosure
https://www.scmagazine.com/home/security-news/cybercrime/fox-kitten-apt-campaign-exploits-vpn-flaws-hours-after-public-disclosure/
Iranian APT actors have engaged in a long-running cyber espionage and data theft campaign that has victimized dozens of companies around the world, typically compromising them via virtual private network and Remote Desktop Protocol services, according to a new research report.
Vulnerable VPNs have been such a favorite attack vector of choice among these actors that they have become adept at exploiting VPN flaws within mere hours to weeks after they have been publicly disclosed, says the report, from ClearSky. This is too quick for most organizations to respond with patches.
The three-year-old campaign, dubbed Fox Kitten, has targeted companies and organizations operating in the IT, telecommunication, oil and gas, aviation, government, and security sectors, the report notes. IT service providers have been a particularly alluring target for the actors because through them they can get to thousands more potential victims.
VPNs exploited by the adversaries include Pulse Secure Connect, Global Protect by Palo Alto Networks, and Fortinet FortiOS, although ClearSky believes Citrix could eventually emerge as a candidate for exploit as well. In late 2019 and early 2020, VPNs have notably been exploited in a number of prominent ransomware attacks, and it is believed that Iranian state actors recently abused VPNs to execute attacks using the ZeroCleare and Dustman disk wipers against energy and industrial sector organizations.
“VPNs play an essential role in providing employees and especially third parties remote access to the network. Their two main functions are to create a data tunnel between the third party and the corporate network – and to protect it. The latter is mainly achieved through encryption. Critical security breaches in VPN equipment from leading vendors are, therefore, something that organizations must understand and take action on,” said Noam Shany, product manager at CyberArk, in reaction to the report. “In the last 12 months especially, flaws in how VPNs operate have led to many organizations examining other ways to provide remote vendors access to the most sensitive parts of the corporate network.”
But infiltrating companies through VPNs is just one stage of a rather complex APT attack. After penetrating the network, the attackers attempt to establish a more permanent foothold through the installation of multiple backdoors.
“…[T]he attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report states. “At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination, and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”
The attackers’ tool set includes several of their proprietary creations, including POWSSHNET a backdoor malware program that opens RDP links over SSH tunneling, and STSRCheck, a database and open port mapping tool. They have combined these weapons with a series of customized open source and seemingly legitimate tools for the purposes of privilege escalation, persistence, command-and-control communications and data exfiltration.
Based on the adversaries, tools, techniques and overall infrastructure, ClearSky believes there is a “medium-high probability” that Fox Kitten is linked to the reputed Iranian APT group APT34 (aka OilRig and Helix Kitten) and a “medium” probability the campaign is linked to two additional APT groups widely believed to be sponsored by Iran, APT 33 (aka Elfin) and APT39 (aka Chafer).
ClearSky credited the industrial controls system security firm Dragos for initially reporting on aspects of this campaign in a separate report last month. In its report, Dragos called the campaign Parisite.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
==================================================================
It sounds like there are dozens of organizations and many more that could use Wave VSC 2.0 and Wave Endpoint Monitor for added protection for situations like in the article above!!!
Better security at less than half the cost!!!
https://www.wavesys.com/
Booz Allen Awarded $113m SEC Contract
https://www.infosecurity-magazine.com/news/booz-allen-awarded-113m-sec?utm_source=twitterfeed&utm_medium=twitter
Consulting firm Booz Allen Hamilton has been awarded a new $113m contract to deliver modernized cyber-defense operations to the United States Securities and Exchange Commission (SEC).
With this new 10-year contract, the Virginia-based firm will become the SEC's leading provider of cybersecurity services. The contract was awarded on December 12, 2019, but was kept under wraps until yesterday.
According to a statement released February 20 on Booz Allen's website, the SEC picked the 106-year-old company for the job after being impressed by its ability to comprehend the commission's standing and aims.
The statement read: "Booz Allen was selected for its clear understanding of the agency’s mission and the firm’s reputation for building and operating modernized cyber defenses for federal and commercial clients that deliver rapid, durable improvements to security program maturity and effectiveness while generating cost savings."
Booz Allen pledged to employ the same tools, techniques, and mindsets as today’s most advanced threat actors to defend the SEC. The company said one element of its strategy would be to discover unknown vulnerabilities before they can be used for malicious purposes.
"Our team will provide the SEC with leading-edge, threat-centric, proactive cyber defense with the ability to detect and proactively address unknown threats, keep up with the rapid pace of change in the cyber industry and provide advanced cyber capabilities at scale," said Booz Allen's senior vice president, Mark Gamis.
Booz Allen is the largest provider of cybersecurity professional services in North America and the only company to hold all three of the federal government’s elite cybersecurity accreditations: NSA’s Cyber Incident Response Assistance (CIRA) accreditation, NSA’s Vulnerability Assessment Service (VAS) accreditation, and GSA’s Highly Adaptive Cybersecurity Services schedule.
Gamis said the company would draw on its existing knowledge and experience to protect the SEC from bad actors.
"The SEC is essential to the strong functioning of the U.S. and world economy, so we are proud the agency is entrusting Booz Allen to deliver cyber defense operations to protect its data and other critical assets from increasingly aggressive and destructive cyber-attacks," said Gamis.
"We will leverage our deep expertise and experience delivering cyber tradecraft across US Government and commercial clients and deploying groundbreaking cyber capabilities to protect mission-essential services and high-value assets."
==================================================================
It's interesting that Booz Allen is owned by PwC. And PwC used Wave's 2FA for protecting their network. I don't know if this was a complete success, but there appears to have been no complaints with Wave's technology. Shouldn't this experience and Wave's award with Wave VSC 2.0 be a great reason why the SEC should be using Wave solutions? Wave SED management, I believe, was part of the Wave/PwC experience. These two solutions, which already previously did their job for a 200,000 employee company (PwC), could help the SEC and Booz Allen for years to come on their mission!!!
MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer
https://threatpost.com/mgm-grand-breach-leaked-details-of-10-6-million-guests-last-summer/153054/
This week a hacking forum posted data from the breach—which included personal and contact details for celebrities, tech CEOs, government officials and employees at large tech companies.
A hacking forum this week published details of more than 10.6 million guests who stayed at MGM Resorts, the result of a breach due to unauthorized access to a cloud server that occurred at the famous Las Vegas hotel and casino last summer.
The incident—revealed in a published report on ZDNet Wednesday–once again highlights the importance of securing data stored on the cloud as well as the ripple effect breaches can have for companies and victims even long after they’ve occurred.
Personal details found on the forum included full names, home addresses, phone numbers, emails and dates of birth for 10,683,188 guests who had previously stayed at the MGM Resorts, according to the report. Those guests included celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.
ZDNet worked with a security researcher at Under the Breach, a soon-to-be-launched data-breach monitoring service, to confirm the authenticity of the data on the forum, and then reached out to MGM Resorts and some of the people affected by the breach for further confirmation.
MGM almost immediately confirmed the breach to ZDNet, linking it to a security incident that happened last summer, according to the report. Following the breach, the company conducted an internal investigation using two cybersecurity forensics firms, officials said.
“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM said, according to the report. “We are confident that no financial, payment card or password data was involved in this matter.”
MGM alerted all guests who were affected at the time, something that also appeared to be true in a comment made in August on a site called VegasMessageBoard by a community member who said he’d been notified that his data had been stolen at MGM Resorts in July.
Though the breach happened last summer, the guest details—which included personal info for celebrities as diverse as Twitter CEO Jack Dorsey and pop music star Justin Bieber — were mostly out of date, MGM officials said.
Those researching the breach said they also were able to confirm this is likely true by contacting some of those affected—including international business travelers, reporters attending tech conferences, CEOs attending business meetings, and government officials–who said they had not stayed at the hotel since at least 2017, according to the report.
The breach is no surprise to security experts, who noted that it’s easy for organizations who lack proper security expertise to make simple mistakes when deploying cloud-based solutions that can cost them later when the data is exposed by the cyberthieves who stole it.
These types of breaches are all too common. In October, a cloud misconfiguration allowed hackers to steal an AWS administrative API key housed in a compute instance left exposed to the public internet, one of the many ways cloud deployments can go wrong from a security perspective, one expert noted.
“Configuration errors, malicious insiders, server hacks and client-side threats can cause data breaches,” Gad Bornstein, security evangelist with PerimeterX said in an email to Threatpost. “Data from breaches invariably make it to the dark web. Data from multiple breaches help bad actors execute bot-driven account takeover attacks with better success.”
Indeed, the fear with this type of breach is that threat actors will use the data to launch these or other types of attacks—such as phishing or email-based scams—long after a breach occurs, when the company affected and the victims think they are out of harm’s way.
“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time,” Adam Laub, CMO at STEALTHbits Technologies, said in an email to Threatpost. “It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots.”
=================================================================
Pentagon's tech agency reveals potential breach involving personal data
https://www.cyberscoop.com/disa-breach-pii/
The agency that secures the U.S. military’s IT infrastructure across the globe says sensitive personal data, including Social Security numbers, hosted on its network may have been compromised in a breach between May and July 2019.
The Defense Information Systems Agency notified potential victims of the breach in a letter this month, saying it had tightened protocols for protecting personally identifiable information (PII) because of the incident.
“We take this potential data compromise very seriously,” DISA Chief Information Officer Roger Greenwell said in the letter seen by CyberScoop.
There is no evidence that compromised PII has been used maliciously, he said, adding that potential victims will have access to free credit monitoring. Personal data about U.S. government personnel and contractors could be valuable to foreign intelligence agencies and financially-motivated criminals alike.
“DISA has conducted a thorough investigation of this incident and taken appropriate measures to secure the network,” an agency spokesperson said in a statement.
There have been multiple publicly reported breaches of Pentagon contractors in the last year. Miracle Systems, which provides IT services to the U.S. Air Force and Army, had one of its internal servers breached. In a separate incident revealed in October, a travel records system at the Department of Defense was breached in an incident that reportedly affected tens of thousands of department personnel.
Reuters was first to report on the DISA security incident.
==================================================================
It's startling to see the MGM breach and the Pentagon 'incident', and that breaches continue to happen with the regularity that they do. Why is it that they still keep happening? Unfortunately, there are many organizations that don't know about Wave's better security at less than half the cost!!! If these organizations knew the capability of Wave's solutions, breaches like MGM's and the Pentagon's wouldn't have happened!!!
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
https://www.wavesys.com/
Dell Technologies sells RSA to Symphony Technology Group consortium for $2.075 billion
https://www.zdnet.com/article/dell-technologies-sells-rsa-to-symphony-technology-group-consortium-for-2-075-billion/?ftag=COS-05-10aaa0g&taid=5e4c62026e49630001bab5a4&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
The move simplifies Dell's portfolio of companies and allows RSA to focus on its core security mission.
Dell Technologies said it will sell RSA to a consortium led by Symphony Technology Group for $2.075 billion in a move to simplify its portfolio of businesses.
RSA provides security technologies for threat detection and response, identity and access management as well as fraud prevention. RSA has more than 12,500 customers.
According to Dell, the all-cash deal includes RSA Archer, RSA NetWitness Platform, RSA SecurID, RSA Fraud and Risk Intelligence, and the RSA Conference.
The Symphony Technology Group consortium includes the Ontario Teachers' Pension Plan Board (Ontario Teachers') and AlpInvest Partners (AlpInvest).
Dell's deal to sell RSA comes as Broadcom acquired Symantec Enterprise Security business for $10.7 billion and Symantec's consumer unit became NortonLifelock. McAfee, formerly part of Intel, is now independent with a new CEO.
Both RSA and Dell said the sharper focus will help their respective companies and customers. Jeff Clarke, chief operating officer of Dell, said the transaction "will further simplify our business and product portfolio." RSA, for its part, can draw on private-equity backing to grow its business.
=================================================================
Dell selling RSA should be a great opportunity for Wave!!! Below is a link to Wave's white paper on Wave Virtual Smart Card. Outlined in it are some of the advantages that Wave VSC 2.0 has over RSA SecurID!!!
=================================================================
https://www.wavesys.com/
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
$645 Billion Cyber Risk Could Trigger Liquidity Crisis, ECB’s Lagarde Warns
https://www.forbes.com/sites/daveywinder/2020/02/08/645-billion-cyber-risk-could-trigger-liquidity-crisis-ecbs-lagarde-warns/#5cd5c0287ca8
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
==================================================================
Wave solutions could be the 'secret sauce' for a critical segment of the EU!!! There is too much at stake to not use better security (Wave)!!!!
https://www.wavesys.com/
IRS warns: Tax data thefts are spiking, so use 2FA
https://www.zdnet.com/article/irs-warns-tax-data-thefts-are-spiking-so-use-2fa/
US taxation agency urges professionals and the public to use multi-factor authentication for tax software.
As the US tax season kicks off, the Internal Revenue Service (IRS) has warned accountants and taxpayers to enable two-factor authentication (2FA) features available in tax-preparation software products.
Scammers know that the US tax season is ripe with opportunity, so the IRS has issued information-security advice to protect taxpayers and accountants from the theft of tax information. Scammers obtain tax data through phishing email and malware-laden attachments and use it to file fraudulent tax returns.
The IRS says it has received nearly two dozen reports from accountants of data theft in the past two months. It is therefore encouraging the use of multi-factor authentication as a "free and easy way" to protect clients and practitioners' offices from data theft, and it points out that tax software providers offer free multi-factor options.
Multi-factor authentication limits the damage when a credential is compromised: the person accessing an account must not only type in a username and password, but also possess a second factor, such as a hardware token or a smartphone that generates or receives a one-time security code.
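The one-time code that the smartphone factor produces is a small, fully specified algorithm (RFC 4226 HOTP under RFC 6238 TOTP). The Go program below is an added example written for this page; it is not code from the IRS, ZDNet or any tax-software vendor. It derives the code the way an authenticator app does and verifies it the way a server should, with a one-step drift window, a constant-time comparison and refusal to accept a step that was already used. The secret is the RFC 6238 reference secret so the output can be checked against the RFC's published vectors; a real enrolment secret is random and per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// demoSecret is the RFC 6238 reference secret, used here only so the output can
// be checked against the RFC's published test vectors. A real enrolment secret
// is random, generated per user, and shown once (usually as a QR code).
var demoSecret = []byte("12345678901234567890")

const stepSeconds = 30

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, "dynamic
// truncation" to a 31-bit integer, then the low six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp implements RFC 6238 on top of hotp: the counter is the number of
// 30-second steps since the Unix epoch.
func totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/stepSeconds))
}

// verifyTOTP is the server side. It accepts the code for the current step or one
// step either side (phone clock drift), compares in constant time, and refuses any
// step at or before lastUsedStep so a code that was already accepted (or captured
// by malware on the endpoint) cannot be replayed. It returns the step that matched,
// which the caller must persist as the new lastUsedStep.
func verifyTOTP(secret []byte, submitted string, unix int64, lastUsedStep int64) (bool, int64) {
	current := unix / stepSeconds
	for delta := int64(-1); delta <= 1; delta++ {
		step := current + delta
		if step <= lastUsedStep {
			continue
		}
		expected := hotp(secret, uint64(step))
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true, step
		}
	}
	return false, lastUsedStep
}

func main() {
	now := time.Now().Unix()
	code := totp(demoSecret, now)
	ok, step := verifyTOTP(demoSecret, code, now, -1)
	fmt.Printf("code %s for step %d accepted: %v\n", code, step, ok)
	ok, _ = verifyTOTP(demoSecret, code, now, step) // same code presented again
	fmt.Printf("replay of the same code accepted: %v\n", ok)
}
```

Two points the article does not spell out: the server must compare in constant time, and it must remember the last accepted step. Without the second, a code phished or keylogged from the practitioner's machine can still be replayed by the attacker within its 30-second window.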
The IRS issued the call for multi-factor authentication together with its Security Summit partners, which include state tax agencies, tax preparation firms, software developers, payroll processors and banks.
The IRS Security Summit partners have been collaborating since 2015 to combat tax fraud with a focus on authentication, combating criminals' access to bank accounts, and raising awareness of cybersecurity issues.
"The IRS, state tax agencies and the private-sector tax industry have worked together as the Security Summit to make sure the multi-factor authentication feature is available to practitioners and taxpayers alike," said Kenneth Corbin, commissioner of the IRS wage and investment division.
"The multi-factor authentication feature is simple to set up and easy to use. Using it may just save you from the financial pain and frustration of identity theft."
Industry partners include Thomson Reuters, which offers multi-factor authentication for users of its CS Professional Suite accounts.
The IRS urges taxpayers and tax practitioners to always enable multi-factor authentication when it is available, for example on Gmail or Outlook accounts, but says consumers should especially enable it for tax software products given the sensitivity of the information held in the software or online accounts.
The agency also reminded tax software professionals to be cautious of phishing email, warning that scammers may claim to be a potential client, a cloud storage provider, a tax software provider or the IRS.
The main goal of tax-fraud scammers is tricking the tax professional into downloading attachments or opening links that lead to malware that can exfiltrate sensitive client data to a remote server.
=================================================================
The recommendation by the IRS should give a big lift to Wave VSC 2.0 for tax preparers and other industries!! Better security, easy to use, at less than half the cost. You need multi-factor authentication. Fast. You need Wave Virtual Smart Card!!! Other Wave solutions could help out tremendously here too!!
=================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
What is Trusted Platform Module?
https://www.embedded-computing.com/home-page/what-is-trusted-platform-module-2#
Great article...
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/contact-information
==================================================================
If BODs, CEOs, CISOs and organizations read this article and the information on Wave's website and bought Wave solutions, the costs of cybercrime to the world economy would go down dramatically, and these organizations would know they were protected with better security!!!!
FBI: $3.5B Lost in 2019 to Known Cyberscams, Ransomware
https://threatpost.com/fbi-3-5b-lost-in-2019-to-known-cyberscams-ransomware/152815/
Cybercriminals double down on successful internet scams, with a focus on phishing, BEC and other defrauding schemes that have proven to work.
Cybercriminals are focusing on previously successful internet scams to defraud businesses and individuals in the United States out of more money than ever before, according to the FBI’s annual report on cybercrime. Meanwhile, ransomware continues to take a big financial toll on victims.
Businesses and individuals lost $3.5 billion to cybercriminals last year while reporting more incidents of internet crime to the FBI than in any previous year, according to the bureau's Internet Crime Complaint Center (IC3) 2019 Internet Crime Report, released on Tuesday.
The results demonstrate that cybercrime is flourishing despite increased awareness of cyber-scams and improved security products. People reported 467,361 complaints of cybercrime to the FBI in 2019—an average of nearly 1,300 incidents every day, and more than 100,000 more than the year prior, according to the report.
The success of cybercriminals in 2019 may be the result of doubling down on scams that have already proven successful rather than inventing new ones, said Donna Gregory, the chief of IC3, in a press statement. Phishing and similar ploys, non-payment/non-delivery scams and extortion were the top crime complaints reported to the FBI in 2019.
Rather than seeing new types of fraud, she said, the FBI saw cybercriminals honing their skills with scams they know work, improving their approaches to make the crime harder for victims to detect or defend against.
“Criminals are getting so sophisticated,” she said. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”
Indeed, just last week a new phishing scam surfaced that can deliver sophisticated malware called Anubis to Android mobile devices to steal user credentials, install a keylogger and even hold a device’s data for ransom.
However, the attacks that proved most costly to victims differed from those most often reported to the FBI last year, although these scams are also widely reported and proven effective. The 2019 report found that business email compromise (BEC), romance or confidence fraud, and spoofing (mimicking the account of someone known to the victim to gather personal or financial information) are the crimes that defraud people and businesses of the most money.
BEC or email account compromise alone cost victims $1.7 billion in 2019, according to the report. The FBI received 23,775 reports of these scams, in which cybercriminals use social engineering or computer intrusion to transfer money from legitimate accounts to ones they control. Security researchers have also reported a steady increase in the number of these attacks over the last several years.
Meanwhile, cybercriminals are continuing their raids on companies and government agencies with ransomware. The FBI's Internet Crime Report notes that while the number of reported ransomware attacks decreased last year, the losses increased, and ransomware activity is now spiking back up.
“It’s interesting to see this trend gaining momentum regardless of the ever-increasing investment in cybersecurity solutions that should have stopped ransomware from infecting user devices and causing damage,” said Tal Zamir, Founder and CTO of Hysolate, via email. “Typical anti-ransomware solutions use endpoint security agents that are embedded in the operating system and try to protect it from malicious software. However, this approach is bound to fail as the underlying operating systems are bloated monolithic operating systems written decades ago and have hundreds of millions of potentially vulnerable lines of code. The current cat-and-mouse approach to fighting ransomware will not solve the problem — enterprises and individuals seeking to protect themselves against ransomware should consider fully segregating/isolating their sensitive resources, both local files and access to sensitive cloud resources.”
The FBI’s IC3 began reporting on cybercrime complaints in 2015, and there has been an uptick every year in the number of crimes reported—part of which could be attributed to more awareness over the years that the reporting program exists.
Losses, too, have steadily increased over the five years covered by the report. In 2018, $2.7 billion in losses were reported to the FBI, a sharp increase over the prior year, when people reported $1.4 billion in cybercrime losses. Since reporting began in 2015, more than 1.7 million complaints have been logged by the bureau, representing $10.2 billion in losses.
While both companies and individuals get caught up in internet crime, companies that conduct their businesses online take the biggest hit for online scams — because they have to pay twice, noted one internet fraud expert.
“When stolen payment card info or login credentials are used to make purchases, e-tailers are left ‘holding the bag’ and are left responsible for not only refunding defrauded customers, but also for paying chargeback fees from the payment provider,” Kevin Lee, trust and safety architect at Sift, said in an email to Threatpost.
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/contact-information
==================================================================
Just think what the statistics since 2015 (when the FBI started recording them) would have been like if all of these businesses were using Wave solutions. Since Wave offers better security, these statistics could have been much improved!!! Continuing with the status quo could increase the billions in losses!!! This doesn't include what is not reported to the FBI!!! Better security at less than half the cost!!!
Phishing Campaign Targets Mobile Banking Users
https://www.darkreading.com/mobile/phishing-campaign-targets-mobile-banking-users/d/d-id/1337066
Consumers in dozens of countries were targeted, Lookout says.
A recent phishing campaign involving the use of SMS messages to lure potential victims into disclosing their bank-account access credentials is the latest evidence of growing attacker interest in users of mobile apps.
Lookout, which tracked the threat, described it on Friday as impacting mobile users in dozens of countries, including the US. Among those targeted were customers of Chase, HSBC, TD, Scotiabank and CIBC. The campaign appears to have started in June 2019 and is currently offline.
The mobile security vendor said it detected at least 4,000 unique IP addresses belonging to mobile users who appear to have fallen for the scam. Lookout said it is not sure how the victims were impacted financially because of a lack of visibility into how the attackers might have actually used the compromised credentials.
But campaigns like these are a clear warning for mobile users, says Apurva Kumar, staff security intelligence engineer at Lookout. "Mobile phishing is on the rise," Kumar says. "The attack was entirely mobile-focused, from delivering messages via SMS to rendering the phishing sites as mobile banking logins."
For bad actors, mobile phishing is an attractive attack vector because it is often easier to obfuscate details of a scam on the mobile form factor, she says. With the increased use of multifactor authentication for signing into many apps, consumers have grown accustomed to banks communicating with them via SMS and therefore are less likely to scrutinize the messages as carefully as they should.
Mobile devices are also attractive targets because of the amount of sensitive data they hold, Kumar says. "Many end users are still unaware that mobile phishing exists or is even a risk, even though they may be wary of email phishing attacks," she says.
Malicious mobile apps posing as legitimate apps are another growing problem for consumers, especially those using Android devices. In a recent report, Upstream said it had identified some 98,000 malicious Android apps and some 43 million infected Android smartphones and tablets in 2019. In most cases, the malicious apps were being used to perpetrate ad fraud on a massive, global scale. Troublingly, Upstream found that 32% of the most active malicious apps it blocked last year were available through Google's official app store.
Spray-and-Pray Attack
According to Lookout, the SMS messages used in the campaign linked to pages that spoofed the login pages of various banks, in an effort to capture credentials and other sensitive information, such as the answers to the security questions used to verify the user's identity.
The threat actors used an automated off-the-shelf SMS tool to create unique phishing messages for customers of different banks and then sent the message out in mass volume. Lookout said it identified over 200 phishing pages imitating bank login pages that were used in the campaign.
"This is a phishing-by-the-numbers attack, blasting out as many messages as possible in an effort to get even a 1% response," Kumar says. It was a mass sending of untargeted text messages to mobile users with hopes of convincing a small percent of the recipients to enter their credentials, she notes.
Lookout hasn't been able to identify the threat actor behind the campaign, but there's nothing to suggest it was necessarily a sophisticated group considering it was launched from an off-the-shelf phishing kit. "It could be literally anyone, anywhere, which represents the risk from these kits being sold on the web," Kumar says.
=================================================================
Please read the article below for more information on Wave Knowd.
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
=================================================================
Wave did testing under NSTIC with Broadridge Financial!!! Wave Knowd could protect the banks' customers and banks in the article above and for other banks as well!!
Organizations struggling to find skilled security staff, leaving 82% of security teams understaffed
https://www.helpnetsecurity.com/2020/02/11/find-skilled-security-staff/
83% of IT security professionals feel more overworked going into 2020 than they were at the beginning of 2019, and 82% said their teams were understaffed, according to a Tripwire survey.
Hard to find skilled security staff
The strain on cybersecurity teams is exacerbated by the inability to find experienced staff, and 85% acknowledged it has become more difficult over the past few years to hire skilled security professionals.
“It’s getting harder and harder for organizations to fill open positions on their security teams,” said Tim Erlin, vice president of product management and strategy at Tripwire.
“Larger organizations, which you might assume have more resources, are experiencing the skills gap issue even more acutely than smaller organizations. It’s a challenge to hire the right skill sets – they keep changing along with security, which is always evolving.
“Nearly all of those we surveyed said the skills required to be a great security professional have changed over the past few years.”
In recent years, cybersecurity conferences and online communities have been emphasizing the need to manage work stress and increase focus on mental health. While 93% expressed interest in understanding wellness issues, only 19% of companies provide resources for managing the stress associated with the specific issues of IT security.
Addressing the skills gap
In assessing the various ways organizations address the skills gap and strain on their teams, the survey found the following:
• A large majority (85%) believe managed services are a good option for addressing security skills gaps.
• Nearly half (46%) said they plan to use more managed services in 2020.
• Half (50%) said they will invest more heavily in training existing staff.
CISO involvement
The survey also explored views on chief information security officer (CISO) involvement. Of the 85% that said they have CISOs in their organizations, 40% said their CISOs are not involved enough in day-to-day operations, while 10% believed their CISOs are already too involved.
Erlin added: “CISOs should be focusing on high-level strategy, but because their teams are understaffed and have an overwhelming volume of work on their desks, they may have to get involved in daily operations, if they haven’t already. To solve the problems caused by skills gap issues, training and managed services are both good approaches.
“By partnering with providers, organizations can free themselves from operational work and gain insights that will help inform decisions. And because recruiting and training isn’t always possible, managed services provide businesses a way to augment their teams.”
==================================================================
I post the Wave Alternative below since it can explain why Wave solutions would help the cybersecurity resource situation as mentioned in the above article!!! And with Wave's better security, CISOs and cybersecurity teams could function at a much higher level with less stress and greater efficiency!!!
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
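The ERAS excerpt earlier on this page and the device-authentication paragraph above describe the same mechanism: each machine holds a key that never leaves its TPM, and the server admits only machines whose public key IT has enrolled. The Go program below is an added illustration of that challenge-response, written for this page; it is not Wave's code and not the ERAS protocol. The device key is an ordinary in-memory P-256 key standing in for a TPM-resident one, and the device IDs ("laptop-0001", "laptop-9999") and user names are made up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Registry is the management server's view: one enrolled public key per device
// and at most one outstanding challenge per device. Device IDs are hypothetical.
type Registry struct {
	keys   map[string]*ecdsa.PublicKey
	nonces map[string][]byte // outstanding challenge per device, consumed on use
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string][]byte{}}
}

// Enroll is the "approve this device" step: the server records the public half of
// the device key. With a TPM the private half is generated in the chip and cannot
// be exported, which is what ties the identity to that physical machine.
func (r *Registry) Enroll(deviceID string, pub *ecdsa.PublicKey) {
	r.keys[deviceID] = pub
}

// Challenge issues a fresh random nonce; a device that was never enrolled gets
// nothing to sign.
func (r *Registry) Challenge(deviceID string) ([]byte, error) {
	if _, ok := r.keys[deviceID]; !ok {
		return nil, errors.New("device not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.nonces[deviceID] = nonce
	return nonce, nil
}

// challengeDigest binds the nonce to the user signing in, so a signature proves
// "this user, on this device, right now" rather than merely "this device exists".
func challengeDigest(nonce []byte, userID string) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), []byte(userID)...))
	return d[:]
}

// Verify checks the signature against the enrolled key and consumes the nonce,
// so a response captured on the wire cannot be replayed for a second sign-in.
func (r *Registry) Verify(deviceID, userID string, nonce, sig []byte) bool {
	pub, enrolled := r.keys[deviceID]
	issued, pending := r.nonces[deviceID]
	if !enrolled || !pending || !bytes.Equal(issued, nonce) {
		return false
	}
	delete(r.nonces, deviceID)
	return ecdsa.VerifyASN1(pub, challengeDigest(nonce, userID), sig)
}

// respond is the device side. Here the key is an in-memory P-256 key; on real
// hardware this call would be a TPM sign operation on a non-exportable key.
func respond(deviceKey *ecdsa.PrivateKey, userID string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, deviceKey, challengeDigest(nonce, userID))
}

func main() {
	deviceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Enroll("laptop-0001", &deviceKey.PublicKey)

	nonce, _ := reg.Challenge("laptop-0001")
	sig, _ := respond(deviceKey, "bob", nonce)
	fmt.Println("enrolled device, correct user:", reg.Verify("laptop-0001", "bob", nonce, sig))
	fmt.Println("same response replayed:       ", reg.Verify("laptop-0001", "bob", nonce, sig))

	// A machine that was never approved can produce a perfectly valid signature
	// with its own key and is still refused, because its key is not enrolled.
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nonce, _ = reg.Challenge("laptop-0001")
	sig, _ = respond(stranger, "bob", nonce)
	fmt.Println("unapproved key, known ID:     ", reg.Verify("laptop-0001", "bob", nonce, sig))
	_, err = reg.Challenge("laptop-9999")
	fmt.Println("unknown device ID:            ", err)
}
```

Verify binds user and device together and consumes each nonce, which is the property that makes "known and approved devices only" enforceable at the server. What the software stand-in cannot provide is the TPM's guarantee that the private key was never exported from the machine; that is the part the hardware adds.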
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
Beauty and the Breach: Estée Lauder Exposes 440 Million Records in Unprotected Database
https://www.securityweek.com/beauty-and-breach-est%C3%A9e-lauder-exposes-440-million-records-unprotected-database
Cosmetic company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says.
Headquartered in New York, Estée Lauder sells products in more than 135 countries and territories. The Estée Lauder Companies owns multiple internationally renowned brands.
The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database.
In total, 440,336,852 records were inadvertently exposed to the Internet, including audit logs containing a large number of email addresses in each document.
The exposed data, Fowler says, included user email addresses in plain text. Internal email addresses from the @estee.com domain were also present in the database.
Additionally, there were production, audit, error, CMS, and middleware logs left widely accessible to anyone with an Internet connection. References to reports and other internal documents were also found in the database.
Details such as IP addresses, ports, pathways, and storage details were exposed as well, potentially providing cybercriminals with access deeper into the company’s network.
The security researcher notes that the database contained “millions of records pertaining to middleware” that Estée Lauder is using.
Middleware, software that provides services and capabilities beyond what the operating system offers, commonly handles data management, application services, messaging, authentication and API management, Fowler explains.
“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” the researcher says.
Fowler, who says that the database was secured before he could investigate further, believes that no payment data or sensitive employee information was stored in the database.
What the researcher could not determine was the number of user email addresses exposed in the database and for how long the data was exposed to the Internet. It’s also unclear whether the data was accessed by threat actors or not.
SecurityWeek has contacted Estée Lauder for additional information on the exposure and will update the article when a response arrives.
==================================================================
Protect Content in the Cloud with Scrambls for Files
Scrambls Brings Privacy & Control to Social File Sharing with Instant Encryption
https://www.wavesys.com/buzz/pr/protect-content-cloud-scrambls-files
==================================================================
Estée Lauder is just one example of many where threat actors could expose sensitive information, and this keeps happening over and over. Scrambls and Wave VSC 2.0 could help prevent problems such as the one in the above article!!!
==================================================================
https://www.wavesys.com/
Discrepancies between data sanitization policy creation and execution put data at risk
https://www.helpnetsecurity.com/2020/02/07/data-sanitization-policy/
Although 96 percent of the 1,850 senior leaders surveyed at large organizations say their organization has a data sanitization policy in place, 31 percent have yet to communicate it across the business, according to a Blancco survey.
Twenty percent of respondents also don’t believe their organization’s policies are finished being defined. Overall, over half of organizations (56 percent) do not have a data sanitization policy in place that’s being effectively communicated across the full company on a regular basis. This is increasing the risks of potential data breaches.
Not taking direct responsibility for IT asset erasure
22 percent of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22 percent place this responsibility with their line manager.
If data sanitization policies haven’t been communicated to either party effectively, the chances of sensitive information being leaked as a consequence of insufficient erasure increase dramatically.
Leaving equipment languishing in storage areas
87 percent of global enterprises admitted not sanitizing assets as soon as they reach end-of-life, while 31 percent reported taking more than a month to sanitize these devices. This puts companies at risk of equipment loss, theft, and data breaches.
Performing offsite erasure
34 percent of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life. Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks, particularly if organizations don’t have complete visibility into the chain of custody for their IT assets and have no way to prove that the data on their assets wasn’t compromised during the transportation process.
Any external contractor needs to provide detailed audit trails for the entire chain of custody and certified erasure at end-of-life for these assets.
Lacking clear ownership of data sanitization policies
Although 68 percent of respondents felt that ownership of data sanitization policies is clearly communicated within their organization, when asked who was responsible for their implementation, 18 percent of enterprises stated the DPO, 18 percent the Head of Operations, 17 percent the Head of IT Operations and 11 percent the CISO.
This lack of clear ownership could suggest enterprises consider data sanitization to be a “checkmark” exercise that must be done to satisfy compliance or operational requirements and that they are not taking data risks seriously.
“The lack of robust data sanitization policies across global enterprises is alarming,” said Fredrik Forslund, Vice President, Enterprise and Cloud Erasure Solutions at Blancco.
“If they fail to formulate and communicate these policies effectively, at every stage of the data lifecycle, they risk putting significant amounts of potentially sensitive data at risk. It is vital they put processes in place, with clear ownership, and auditability for control, assigned to their senior leadership team to mitigate these risks.”
Flexible workers least likely to comply with data sanitization policies
A third of the enterprises surveyed also felt that flexible workers were the least likely to comply with data sanitization policies, while 40 percent believed contractors or freelancers were the least likely to understand or comply with their data sanitization policy.
There is not only a lack of clear ownership around the implementation of data sanitization policies but also a lack of accountability regarding how enterprises are complying with them.
The responsibility is spread across different job roles including the Head of Compliance (30 percent), Head of IT Operations (15 percent), Head of Operations (14 percent), Head of Legal (11 percent) and DPO (9 percent), leaving enterprises open to compliance breakdown and fines.
Key U.S. and Canada findings
Thirty-three percent of respondents in the U.S. and Canada also believe that flexible workers, who work at home or remotely, are the least likely to comply with data sanitization policies – implying that they may pose a security risk.
Thirty-two percent of employees in enterprises in the U.S. and Canada are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Nineteen percent place this responsibility with their line manager.
More than a third (32 percent) of enterprises in the U.S. and Canada also stated that they are placing their Head of Compliance in charge of complying with their data sanitization policies which is encouraging. However, only nine percent are giving this responsibility to their DPO.
Key U.K. findings
Despite 97 percent of U.K. companies having a data sanitization policy in place, more than a third (37 percent) have yet to communicate it across the business. Overall, nearly half of companies (42 percent) do not have a data sanitization policy in place that’s being effectively and regularly communicated across the organization.
20 percent of employees in U.K. companies are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. 35 percent place this responsibility with their line manager.
Worryingly, 58 percent of U.K. enterprises also reported not being aware of when their organization’s IT security policy was last updated and 56 percent aren’t clear about what it contains, the highest percentages of all the countries surveyed.
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
==================================================================
Crypto erase remotely could help with the sanitization needs for an organization, and make them easier and more efficient when using Wave SED management when computers reach their end of life!! Knowing that an organization's data at rest is protected, this is another Wave solution that could ease the level of stress for organizations and organizations' CISOs!!
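The crypto-erase mentioned above sanitizes a drive by destroying the drive's data encryption key rather than overwriting the media. The following simulation is an added example, not Wave's or any drive vendor's code: it models a self-encrypting drive in Python with a standard-library stand-in cipher (a SHA-256 keystream plus an HMAC tag, where real SEDs use hardware AES) and shows that a passphrase-locked drive cannot be read without the passphrase, and that after crypto-erase the untouched media can no longer be decrypted. The passphrase and ledger text are constructed sample values.

```python
"""Teaching model of a self-encrypting drive (SED) and crypto-erase.

The "drive" holds only ciphertext, the data encryption key (DEK) never
leaves the drive, and crypto-erase sanitizes the whole drive by replacing
the DEK instead of overwriting every sector. The cipher is a constructed
stand-in so the example runs on the standard library: a SHA-256 keystream
plus an HMAC tag. Do not reuse it for real storage; rewriting a sector
under the same key would reuse keystream (real SEDs use AES-XTS in hardware).
"""
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512
KDF_ROUNDS = 100_000


class DriveLocked(Exception):
    """Read or write attempted while the drive is locked."""


class Unreadable(Exception):
    """A sector's tag does not verify under the current DEK."""


def _keystream(dek: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream: concatenated SHA-256(dek || sector || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(dek + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


class SimulatedSED:
    def __init__(self, sectors: int = 8) -> None:
        self.media = [None] * sectors        # physically stored: (ciphertext, tag) per sector
        self._dek = secrets.token_bytes(32)  # generated inside the drive at manufacture
        self._wrapped = None                 # (salt, wrapped DEK, verifier) once an owner is set
        self._unlocked = True                # a drive with no owner passphrase is open

    # --- drive locking / user management --------------------------------------
    def set_owner(self, passphrase: str) -> None:
        """Wrap the DEK under a passphrase-derived key; the drive now locks on power loss."""
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, 32)
        wrapped = bytes(a ^ b for a, b in zip(self._dek, kek))
        verifier = hmac.new(kek, b"sed-unlock-check", "sha256").digest()
        self._wrapped = (salt, wrapped, verifier)

    def power_cycle(self) -> None:
        """Loss of power: an owned drive forgets the plaintext DEK and locks."""
        if self._wrapped is not None:
            self._dek, self._unlocked = None, False

    def unlock(self, passphrase: str) -> bool:
        """Recover the DEK from its wrapped form; wrong passphrases leave the drive locked."""
        if self._wrapped is None:
            return True
        salt, wrapped, verifier = self._wrapped
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, 32)
        if not hmac.compare_digest(hmac.new(kek, b"sed-unlock-check", "sha256").digest(), verifier):
            return False
        self._dek = bytes(a ^ b for a, b in zip(wrapped, kek))
        self._unlocked = True
        return True

    # --- data path: the host sees plaintext in and out, never the DEK ----------
    def write(self, sector: int, data: bytes) -> None:
        if not self._unlocked:
            raise DriveLocked("unlock the drive before writing")
        if len(data) > SECTOR_SIZE:
            raise ValueError("sector overflow")
        ct = bytes(p ^ k for p, k in zip(data, _keystream(self._dek, sector, len(data))))
        tag = hmac.new(self._dek, sector.to_bytes(8, "big") + ct, "sha256").digest()
        self.media[sector] = (ct, tag)

    def read(self, sector: int) -> bytes:
        if not self._unlocked:
            raise DriveLocked("unlock the drive before reading")
        if self.media[sector] is None:
            return b""
        ct, tag = self.media[sector]
        expected = hmac.new(self._dek, sector.to_bytes(8, "big") + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise Unreadable(f"sector {sector} was written under a different DEK")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self._dek, sector, len(ct))))

    # --- sanitization -----------------------------------------------------------
    def crypto_erase(self) -> None:
        """Replace the DEK: O(1) regardless of capacity, media untouched, all old sectors
        unrecoverable. A real drive requires an admin credential or the printed PSID here."""
        self._dek = secrets.token_bytes(32)
        self._wrapped, self._unlocked = None, True


def demo() -> dict:
    """Provision, use, lock, unlock and crypto-erase a drive; returns observations to check."""
    drive = SimulatedSED()
    drive.set_owner("correct horse battery staple")  # constructed passphrase
    drive.write(0, b"customer ledger Q4 (constructed sample data)")
    imaged = drive.media[0]  # what someone imaging the bare media would obtain
    drive.power_cycle()
    try:
        drive.read(0)
        locked_read_blocked = False
    except DriveLocked:
        locked_read_blocked = True
    wrong = drive.unlock("password1")
    right = drive.unlock("correct horse battery staple")
    plaintext = drive.read(0)
    drive.crypto_erase()
    try:
        drive.read(0)
        readable_after_erase = True
    except Unreadable:
        readable_after_erase = False
    return {
        "ciphertext_hides_plaintext": b"ledger" not in imaged[0],
        "locked_read_blocked": locked_read_blocked,
        "wrong_passphrase_unlocks": wrong,
        "right_passphrase_unlocks": right,
        "plaintext_readback": plaintext,
        "media_unchanged_after_erase": drive.media[0] == imaged,
        "readable_after_erase": readable_after_erase,
    }
```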
Impact of Stress and Burnout Worsens for CISOs
https://www.infosecurity-magazine.com/news-features/impacts-stress-burnout-cisos?utm_source=twitterfeed&utm_medium=twitter
The role of the CISO is one rife with challenges. Ultimately responsible for protecting an organization’s data, they must overcome issues such as an ever-evolving threat landscape, a widening attack surface, resources management and business alignment. It goes without saying that, whilst a CISO’s job can prove exciting and rewarding, it can come with high levels of stress and feelings of burnout.
Evidence of high stress levels in CISO/security leadership roles has been plentiful. In April 2019, research from Symantec revealed that 82% of IT security leaders across Europe were suffering from mental and physical burnout, with nearly two-thirds thinking about leaving their job (64%) or quitting the industry altogether (63%) as a result.
Earlier in the year, a report from Nominet discovered that 27% of CISOs felt stress was impacting their mental or physical health, with 23% saying the role was damaging their personal relationships. What’s more, 17% admitted they had turned to medication or alcohol to deal with workplace stress.
In fact, Infosecurity explored the issue of dealing with stress in information security job roles as far back as 2015.
What’s clear is that stress and burnout within security leadership occupations has been prevalent for some time, but new research from Nominet has revealed that the problem is continuing to intensify.
The firm surveyed 400 CISOs and 400 C-suite executives in the UK and US on the challenges of the CISO role and compiled its findings into The CISO Stress Report: Life Inside the Perimeter, One Year On. This research expanded on Nominet’s report from a year earlier and looked deeper into the causes and impact of stress on CISOs.
The research found that the vast majority of CISOs (88%) remain moderately or tremendously stressed, and although this marked a slight decrease from 91% in 2019, stress appears to be taking a greater toll on CISOs’ lives.
For example, 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year, whilst 31% reported that stress had impacted their physical health. What’s more, 40% of CISOs admitted that stress levels had affected their relationships with their families, with just under a third (32%) stating it had repercussions on their marriage, romantic relationships and personal friendships (up from 23%). In terms of coping mechanisms, the number of CISOs turning to medication or alcohol as a result of stress has increased to 23%.
Almost three-quarters (71%) of CISOs said their work-life balance was heavily weighted towards work, with 95% working more than their weekly contracted hours (something that 87% of CISOs felt compelled to do by their organization). As many as 83% of CISOs admitted to spending half their evenings and weekends thinking about work, with just 2% always able to switch off from work outside of the office. Interestingly, almost all surveyed CISOs (90%) would opt for a pay cut if it improved their work-life balance.
However, it’s not just CISOs themselves suffering more from stress. Nominet’s report also discovered that 31% of CISOs (a 2% increase on last year) feel the impact of stress has affected their ability to do their job. This could be having negative impacts on organizations as a whole, not to mention exacerbating the fact that the average tenure of a CISO is just over two years.
Speaking to Infosecurity, Stuart Reed, VP of cyber at Nominet, said that there are inescapable elements of a CISO’s job that, by nature, make it a high-pressured role.
“In many cases, the pressures of the CISO role are being exacerbated into stress by internal organizational factors. On top of their day-to-day job, CISOs are facing poor work-life balances, they are missing family events and milestones, they fear losing their jobs and, in almost 100% of cases, the board is expecting them to deliver more. While the remit of the CISO will remain a constant, these factors could be controlled better.”
Dr Dimitrios Tsivrikos, lecturer in Consumer and Business Psychology, University College London, concurred: “While there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed. We do anticipate that stress levels will continue to rise until we address the issue of stress, mental health and wellbeing at work.”
So what must be done to do exactly that? For Reed, the responsibility for and ability to reduce the stress load on CISOs lies largely with the board.
“One of the key findings of the report was that, while boards were cognizant of the stress faced by their security teams, they were doing little to address the issue. If boards want their organization to be effectively protected, they need to reduce the stress being placed on the CISO – otherwise they risk it leading to burnout. Urgent red flag issues that need to be addressed are CISOs being expected to work overtime, CISOs feeling like their job is on the line in the case of a security breach and, most importantly, a lack of support for mental health problems. The board can address all of these areas. Doing so will significantly reduce the internal pressures on the CISO and foster a healthier working environment.”
Reed also told Infosecurity that, to help CISOs recognize and gauge their stress levels, Nominet has (today) launched the CISO Stress Calculator, or ‘Stressulator.’
“We created the CISO Stressulator off the back of the dedicated research report,” he explained. “We used the key findings from the report to identify areas where CISOs felt particularly stressed. While it is not a scientific assessment of how stressed a CISO might be, it should give an indication as to where they sit on the scale. Our aim with the CISO Stressulator is to generate awareness around the issue of CISO stress.”
By raising the issue of CISO stress, Reed concluded, “we hope that wellbeing will be taken more seriously.”
Infosecurity will be exploring strategies for combatting burnout and stress in security leadership roles in a live session as part of its next Online Summit, taking place on March 25 and 26 2020. Find out more and register for the event here.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
=================================================================
If CISOs read the data in the two links above, they could have a much better stress level to deal with in the future if they then used Wave solutions!!! Wave solutions could also dramatically impact organizations' stress levels for the better!!!
500,000 victims pummeled in multi-stage BitBucket malware scheme
https://www.cyberscoop.com/bitbucket-multi-stage-malware-campaign-cybereason/
An ongoing campaign from an unidentified threat actor has been deploying seven different kinds of malware — including ransomware — at once against an estimated 500,000 targets over the past couple of months to steal as much money as possible, according to new research from Cybereason.
The different kinds of malware deployed from just this one actor — which allow them to steal sensitive browser data, cookies, system information, two-factor authentication token information to bypass 2FA, and cryptocurrency from digital wallets — is “unprecedented,” according to Lior Rochberger, a security analyst at Cybereason, and Assaf Dahan, the head of threat research at Cybereason. The two released their findings on Wednesday.
“The combination of so many different types of malware exfiltrating so many different types of data can leave organizations unworkable,” Rochberger and Dahan write. “This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.”
The attackers make their scheme work by exploiting code repository platform BitBucket to store and disperse the malware, according to Cybereason.
“[It’s] an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive, and BitBucket to distribute commodity malware,” Rochberger and Dahan write in the blog post.
The campaign is relatively new — it popped up on Cybereason’s telemetry in December of last year, Dahan told CyberScoop. But the ultimate goal of the effort appears to be for money.
“The attackers aren’t satisfied with one payload, they want to use multiple to maximize their revenue,” the researchers write.
The attackers are running their scheme by targeting people scouring the internet for free commercial products, such as Adobe Photoshop. The threat actors will package them with multiple strains of malware, such as Azorult, which steals information and deletes its binary to erase traces of an infection.
“Legitimate applications are an easy, trusted way for attackers to gain entry and spread malware within an organization,” the researchers write.
Shortly after Azorult starts pilfering information, Predator the Thief malware steals passwords from browsers, takes pictures and screenshots of the victims’ machines, and steals cryptocurrency out of digital wallets. The Thief malware can then connect with BitBucket to download more payloads, including STOP Ransomware, a Monero miner, and Vidar, which can steal web browser history, digital wallets, two-factor authentication tokens, and screenshots.
And although the researchers have ascertained what malware the attackers are using, Dahan told CyberScoop it’s not entirely clear who is behind the thievery.
“It’s hard to estimate who is the threat actor behind this campaign, because all the malware observed in the campaign fall under what we call ‘commodity’ malware. That means that almost anyone can buy them in the underground communities,” Dahan said.
=================================================================
This article reveals quite astoundingly that organizations should be using Wave solutions such as Wave VSC 2.0 and Wave Endpoint Monitor in a very beneficial way rather than ineffectively using 2FA tokens and antivirus software!!!
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
Reading what is in these links can help one see the great advantages in owning these solutions!!! The White Paper for Wave VSC 2.0 is also quite interesting!!!
=================================================================
https://www.wavesys.com/contact-information
GSA Wants More Ideas To Stop Fake Commenters From Flooding Rulemaking Process
https://www.nextgov.com/it-modernization/2020/01/gsa-wants-more-ideas-stop-fake-commenters-flooding-rulemaking-process/162786/
The General Services Administration took over management of the eRulemaking portal last year with a mandate to crack down on fraudulent commenting.
Federal agencies—particularly regulatory agencies—want and are often required to solicit feedback from the public when issuing new rules. Most often, these comments are submitted through a web portal such as the General Services Administration-run eRulemaking site.
However, with technology often comes unforeseen consequences. When it comes to commenting on rules, the ease of commenting through a website has led to a rise in fake comments posted by trolls, bots and other insincere operators.
GSA took over management in October of the eRulemaking program from the Environmental Protection Agency, which had run the website since 2002. With the change in agency management, GSA established the eRulemaking Program Management Office and began steps to upgrade the commenting portal. As they do so, the agency wants to hear some of the best ideas for preventing the flood of fake comments.
For example, in 2017, the Federal Communications Commission asked for public feedback on its Net Neutrality regulation. The call received some 22 million comments, though half of those were later determined to be fraudulent.
“What’s the big deal about fraudulent comments? Why should anyone care about these to begin with, given that we have a gating mechanism downstream from our agencies, they can resolve it?” Sanith Wijesinghe, an innovation area lead at the federally-funded MITRE group, asked during a public meeting Thursday held by GSA. “These identities were stolen from citizens at large, high-profile senators, celebrities. Elvis was supposed to be commenting on a couple of those. You now have, on the public record, a statement attributed to someone without their consent. It takes quite a lot of effort to correct that. And not everyone has the resources to do that.”
Wijesinghe noted this follows similar patterns to identity theft in other criminal activities, including the use of deceased individuals.
“Their next of kin are on the hook to try to resolve those issues,” he said.
There is a cost for federal agencies, as well, he added.
“Given that we now have the Evidence-Based Policymaking Act, the overhead associated with tracking down all of the assertions made in these comments is a non-trivial effort,” he said. “We really need to make sure our policies are truly evidence-based and not fake-evidence based.”
One potential solution is the use of CAPTCHA widgets, which ask the user to perform a task ill-suited to bots, such as identifying pictures with certain features or copying a string of characters that is blurred or otherwise obscured.
“Some of the ideas out there right now, including things like CAPTCHA, raise the bar in terms of taking out some of those … not-so-smart kind of bots. But it’s only going to get worse,” Wijesinghe said, expressing concern over an impending arms race in this space.
He suggested restructuring the commenting process through eRulemaking to be more structured and less of a “free for all.”
“A more directed comment process where you can actually map comments to particular provisions” is one option he offered. While bots could still attack such a process, “It does increase the cost and potentially streamline the process downstream for our agencies.”
Michael Fitzpatrick, head of global regulatory affairs at Google, echoed Wijesinghe’s suggestion to use CAPTCHA technology, though the traditional use of that technology has its own problems.
“That adds a lot of friction to the process,” he noted. “That is the great balance for agencies and for the rulemaking process: We want to protect against bad actors but we don’t want to add a level of friction that deters democratic participation in the process.”
However, newer versions of the CAPTCHA technology can be made invisible to the user.
“The enterprise will undertake to screen every single interaction with the website using an individual token for that particular interaction,” Fitzpatrick explained. “Everybody is treated as a first-time user. There are sophisticated collections of data—not personal data—data around how the submission is being made. Click speeds, click patterns, the nature of the comment that is actually being filed. Using machine learning, you can draw a risk score between one and 10 that is predictive of whether or not that is a suspect, bot-driven submission.”
Once that algorithm is in place, agencies can then set a threshold for allowing comments, with scores that fall below that level flagged for further review.
“That can be two-factor authentication, it can be a phone call, it could be the dreaded reCAPTCHA widget,” he said. “That will substantially shut down the bot activity and will have very little to no disruption for legitimate users.”
Thursday’s public meeting also dealt with mass comments, in which a large number of respondents comment with the exact same content. While there are issues associated with this trend as well, mass comments are not illegitimate comments, according to several panelists, though at times agencies might want a larger number of individual, substantive comments.
Tobias Schroeder, director of GSA’s eRulemaking Program Management Office, said the agency does not have a specific timeline on changes or new technology upgrades, but said his office plans to move as quickly as possible.
A second public meeting is set for March 25 to get additional public comments, and GSA has a standing docket open for public comments until April 30.
Editor's Note: This story has been updated to correct the timeline for GSA taking over management of the eRulemaking program.
=================================================================
Requiring a TPM that is turned on could serve as an identifier to those devices/users who want to make public comments. That way any TPMs or unidentified devices that are there for nefarious purposes could be kicked off the network. And since TPMs are ubiquitous, most business users have them in their devices. This would be more simple and secure than CAPTCHAs!!! There are over 1 billion TPMs in existence. Using them for this and many other instances makes a lot of sense!!
=================================================================
https://www.wavesys.com/
CERN drops Facebook’s Slack competitor, citing privacy issues and low usage
https://www.cnbc.com/2020/01/31/cern-cuts-workplace-by-facebook-blasts-privacy-issues-low-usage.html
CERN, the European Organization for Nuclear Research, on Friday ended its use of Workplace by Facebook, the company’s communications tool for companies.
The organization disclosed its decision to stop using the enterprise Facebook tool in a press release on Tuesday, citing a lack of usage by CERN members and concerns about data privacy.
“Many people preferred not to use a tool from a company that they did not trust in terms of data privacy,” CERN said in its release. “To date, about 1000 members of the CERN community have created a Workplace account and there are roughly 150 active users of the platform per week.”
Please see the link above for the rest of the article.
==================================================================
Just think what Wave could do for Facebook by providing both Scrambls and Knowd for Facebook Workplace!!!
==================================================================
Protect Corporate Use of Social Media and Cloud Services with Scrambls for Enterprise
Encrypt Postings and Shared Files to Ensure Privacy and Compliance
https://www.wavesys.com/buzz/pr/protect-corporate-use-social-media-and-cloud-services-scrambls-enterprise
==================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
SEC Urges Better Cybersecurity Practices at Financial Firms
https://www.wsj.com/articles/sec-urges-better-cybersecurity-practices-at-financial-firms-11580207402
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wins competitive evaluation against market leader in two-factor authentication tokens
Lee, MA - December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
=================================================================
If the SEC is going to urge practices like multi-factor authentication, organizations should help prevent breaches with better security by using Wave VSC 2.0!!! 160,000 breaches in the last 18 months show how well existing 2FA enterprise products are helping prevent breaches.
==================================================================
The first link below has Wave's solutions which could make a huge positive impact in the cybersecurity market!! The second link has more great details about Wave VSC 2.0 that aren't covered in the article above. The third link contains very interesting information in the Wave VSC 2.0 White Paper!
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Government tightens law around IoT cyber security
https://www.computerweekly.com/news/252477375/Government-tightens-law-around-IoT-cyber-security
Excerpt:
It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.
==================================================================
It sounds like the new law should also have an activated TPM as law in corporate cybersecurity. With 160,000 breaches in the last 18 months, activated TPMs turned on with Wave software could transform these breach statistics for the better!!! Unknown devices (bad guys) would be kept off the network, and having TPMs in the network would only allow the good guys on the network. Use the built in protection in corporate devices (TPMs) to help organizations actually take advantage of much better cybersecurity!! Software only is not working as well as hardware (TPM) and software!!!
==================================================================
https://www.wavesys.com/
Wyden calls on NSA to examine White House cybersecurity following Bezos hack
https://thehill.com/policy/cybersecurity/479797-wyden-pressures-nsa-to-examine-white-house-cybersecurity-following-bezos
==================================================================
This could end up being a really interesting article!!
==================================================================
Wave can be very, very helpful in so many cybersecurity (Trusted Computing) ways!!
https://www.wavesys.com/
Mitsubishi Electric Blames Anti-Virus Bug for Data Breach
https://www.bankinfosecurity.com/mitsubishi-electric-blames-antivirus-bug-for-data-breach-a-13628
Hackers Exploited AV Software Zero-Day Vulnerability Before Vendor Patched Flaw
Mitsubishi Electric says hackers exploited a zero-day vulnerability in its anti-virus software, prior to the vendor patching the flaw, and potentially stole trade secrets and employee data.
The Japanese multinational firm's Monday announcement arrives more than six months after the company says it first detected the breach on June 28, 2019.
"We have confirmed that trade secrets may have been leaked to the outside," Mitsubishi Electric says in a statement. "To date, no damage or impact related to this case has been confirmed."
There's irony, of course, in a company falling victim to a data breach because attackers exploited its security software. But security researchers have continually warned that security software is like any other software, in that it can contain unknown vulnerabilities that hackers can sometimes exploit to their own advantage (see: Devastating Flaw Found in Microsoft's AV Engine).
Mitsubishi Electric is one of Japan's largest companies, making a broad range of products, including turbines and nuclear power and satellite equipment. It also has a considerable consumer product line, including air conditioners and LCD televisions.
Hackers Erased Log Files
The Japanese firm says that after it detected unauthorized access, it restricted external access to its systems. But the resulting investigation was hampered by a lack of log files, which the company says "were erased by the hackers."
Mitsubishi Electric says data it believes was exposed during the attack includes records belonging to 1,987 job applicants, employee data for 4,566 new graduate recruitment applicants, information on 1,569 retired employees, as well as corporate-confidential technical and sales materials.
The company says it started notifying breach victims via email and postal mail on Monday.
Left unanswered by Mitsubishi Electric is the question of what anti-virus software the company uses, the timeline of the attack, or how long it took the company to detect the intrusion after it happened. Mitsubishi Electric didn't respond to a query from Information Security Media Group.
But a case study from 2015 published by Trend Micro says that Mitsubishi Electric Information Systems Corp., which oversees IT for Mitsubishi Electric Group, used some of its products. Trend Micro didn't respond to a request for comment.
As with every type of software, flaws sometimes crop up in Trend Micro products that require patching. In January 2016, for example, the company patched a flaw in one of its consumer products that it said attackers could have exploited to run any code on a user's machine (see: Yes Virginia, Even Security Software Has Flaws).
Mitsubishi Electric Has Used Trend Micro
According to the 2015 case study, products used by Mitsubishi Electric Information Systems Corp. included OfficeScan, which is endpoint detection software that uses multiple techniques - including machine learning, reputation analysis and behavioral analysis - to detect malware. The company also used Trend's Deep Discovery Email Inspector, which aims to detect targeted attacks, including those using malicious compressed files.
The case study describes Mitsubishi Electric's problem before using Trend Micro's software as having "difficulty defending against sophisticated email attacks disguised zero-day malware as legitimate traffic from customers and suppliers."
The age of the case study, however, means that Mitsubishi Electric may have long moved on from using Trend Micro's products. Also, large companies tend to use a variety of security products, so the problem could lie elsewhere.
Japanese national newspaper Asahi Shimbun reports that Mitsubishi Electric believes that the gang behind the attack is affiliated with a Chinese advanced persistent threat group called "Tick."
In November 2019, Trend Micro published a detailed report on Tick, aka Bronze Butler or RedBaldKnight. The report describes a campaign that Trend Micro dubbed Endtrade, which ran throughout last year.
"Tick targets companies in defense, aerospace and satellite industries, specifically those with head offices in Japan and subsidiaries in China," Trend writes.
The group regularly practices spear phishing, meaning it often steals email account credentials and then uses the compromised accounts to send malware. Trend Micro notes that the group's emails are often written in correct Japanese, and also that the attackers have developed "new malware families capable of detection evasion for initial intrusion."
In addition, Tick appears to have devoted time and resources to finding ways to bypass Trend Micro software defenses. "They have also incorporated techniques and mechanisms for detecting specific cybersecurity products and processes, as well as attempt to terminate a Trend Micro product's process," according to the security firm's report.
Not a Timely Breach Notification
Mitsubishi Electric's data breach notification arrives more than six months after the company says it detected the intrusion.
Legally, however, it appears to be in the clear. Law firm DLA Piper says Japanese organizations aren't required to report data breaches to the country's Personal Information Protection Commission or to victims. But the PPC does recommend that organizations do so, and DLA Piper writes that it is standard market practice to do so.
In April 2018, furthermore, Mitsubishi Electric pledged to follow "timely and appropriate information disclosure" in regards to data breaches.
"In the unlikely event that valuable information or confidential corporate information entrusted to us by others were to leak, this would not only cost the trust and confidence invested in the company," it says. "The improper use of this information could also threaten national, societal and individual security."
At some point, Mitsubishi Electric did inform the Japanese government about the breach, Japan Times reports. According to the publication, Chief Cabinet Secretary Yoshihide Suga said the company has "confirmed there is no leak of sensitive information regarding defense equipment and electricity."
Mitsubishi Electric has made recent moves to strengthen its information security practices. In April 2019, the company created a Product Security Incident Response Team, which handles security issues with its products and services, according to its Information Security Report, which was published in July 2019. The company's PSIRT also runs a 24/7 security operations center.
==================================================================
Well-renowned organizations have successfully used Wave solutions. Those solutions could have protected Mitsubishi Electric and many other organizations (160,000 in the last 18 months)!! Why continue with the stress and large loss of money? Buy better security at less than half the cost!!!
==================================================================
https://www.wavesys.com/
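Two of the anti-forensic behaviours in the article above, the erased log files and Tick's attempts to terminate a security product's process, are both things a central log collector can alert on, provided the endpoint forwards its events before they are destroyed. The following is an added example, not code from the article, from Mitsubishi Electric, from Trend Micro or from Wave: the `Event`, `Alert` and `detect` names are mine, the event records are constructed rather than taken from the incident, and the process names `av_agent` and `av_listener` are placeholders for whatever endpoint agent is actually deployed.

```python
"""Collector-side detection for two behaviours from the Mitsubishi Electric
write-up: Windows event logs being cleared, and a command that tries to stop
an endpoint-protection agent.  Run this where forwarded events land, not on
the endpoint: an attacker who can erase the local log can also tamper with
local detection state.  All sample events below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Real Windows event IDs:
#   Security 1102 - "The audit log was cleared"
#   System   104  - an event log file was cleared (source: Eventlog)
#   Security 4688 - process creation; the CommandLine field is present only
#                   when "Include command line in process creation events"
#                   is enabled in audit policy.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Placeholder names (an assumption, not Trend Micro's real process or service
# names); substitute the deployed product's process and service names here,
# without the ".exe" suffix so that service names can be matched as well.
PROTECTED_NAMES = {"av_agent", "av_listener"}

# Command-line shapes that stop a process or service.  Each captures the
# target in the named group "target".
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<target>\S+)", re.I),
    re.compile(r"\bstop-process\b.*?-name\s+\"?(?P<target>[^\s\"]+)", re.I),
    re.compile(r"\bnet(?:\.exe)?\"?\s+stop\s+\"?(?P<target>[^\s\"]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\"?\s+stop\s+(?P<target>\S+)", re.I),
]


@dataclass(frozen=True)
class Event:
    time: str
    host: str
    channel: str            # "Security", "System", ...
    event_id: int
    user: str
    command_line: str = ""  # populated only for 4688


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    rule: str
    detail: str


def _stem(name: str) -> str:
    """Normalise 'AV_Agent.exe' or '"av_agent"' to 'av_agent'."""
    name = name.strip('"').lower()
    return name[:-4] if name.endswith(".exe") else name


def tamper_target(command_line: str) -> Optional[str]:
    """Return the protected name a command tries to stop, or None."""
    for pat in KILL_PATTERNS:
        m = pat.search(command_line)
        if m:
            target = _stem(m.group("target"))
            return target if target in PROTECTED_NAMES else None
    return None


def detect(events: Iterable[Event]) -> List[Alert]:
    """Scan a forwarded event stream and return alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        if (ev.channel, ev.event_id) in LOG_CLEARED:
            alerts.append(Alert(ev.time, ev.host, "log_cleared",
                                f"{ev.channel} log cleared by {ev.user}"))
        elif ev.channel == "Security" and ev.event_id == 4688:
            target = tamper_target(ev.command_line)
            if target:
                alerts.append(Alert(ev.time, ev.host, "security_tool_tamper",
                                    f"{ev.user} tried to stop {target}: {ev.command_line}"))
    return alerts


# Constructed sample stream (not data from the real incident).
SAMPLE_EVENTS = [
    Event("2019-06-28T01:12:03Z", "WS-0042", "Security", 4688, "CORP\\jdoe",
          r'"C:\Windows\System32\taskkill.exe" /F /IM AV_Agent.exe'),
    Event("2019-06-28T01:12:09Z", "WS-0042", "Security", 4688, "CORP\\jdoe",
          r'"C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt'),
    Event("2019-06-28T01:40:51Z", "WS-0042", "Security", 1102, "CORP\\jdoe"),
    Event("2019-06-28T01:40:52Z", "WS-0042", "System", 104, "CORP\\jdoe"),
    Event("2019-06-28T02:00:00Z", "WS-0017", "Security", 4688, "CORP\\admin",
          r'"C:\Windows\System32\net.exe" stop spooler'),  # benign: not a protected name
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.time} {a.host} [{a.rule}] {a.detail}")
```

The point of running this on the collector rather than the endpoint is the one the article makes by omission: event 1102 is the last thing written before the local Security log is emptied, so it only survives if it has already been forwarded (Windows Event Forwarding or an agent). Process-stop detection via 4688 needs the command-line audit setting mentioned in the comments; without it the CommandLine field is empty and the second rule never fires.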
LastPass is in the midst of a major outage
LastPass issue appears to impact users with accounts dating back to 2014 and earlier.
https://www.zdnet.com/article/lastpass-is-in-the-midst-of-a-major-outage/?ftag=COS-05-10aaa0g&taid=5e25a4920a3ab60001228d28&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
Password management service LastPass is currently going through a major outage as users are reporting being unable to log into their accounts and autofill passwords, with some users reporting issues going back for days.
User reports about login issues have been flooding Twitter, but also the company's forum, Reddit, and DownDetector. Users are reporting receiving the following error when trying to log in: "An error has occurred while contacting the LastPass server. Please try again later." Both home and enterprise users are impacted.
According to reports, LastPass' support staff has been either non-responsive, or denying reports of any technical issue happening at all. Despite issues being reported as far back as three days ago, the company has not updated its status page to reflect the incident, nor has it provided any type of explanation or useful help to its userbase.
"The fact that LastPass is denying on twitter that there is any outage when multiple people are reporting auth server issues and are locked out with no support response means that I have to walk," said one user on Reddit. "The worst part is not the outage itself but their (lack of) response. You gotta be able to trust your password manager and now I can't."
@LastPassHelp I can't login, I have these errors:
On your site: "An error has occurred while contacting the LastPass server. Please try again later."
On the chrome extension, no error but I can't log in.
On Windows, see the screenshot pic.twitter.com/UtXOguANx0
— Fako (@Fakochair) January 19, 2020
Please see more at the link above.
==================================================================
Can users afford outages like this? Changing to a more reliable and secure solution like Wave VSC 2.0 could save a lot of unnecessary stress and lost productivity on the part of LastPass business users.
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
==================================================================
For all of Wave's great solutions and articles, please visit the link below:
https://www.wavesys.com/