Will Emphasising App Security Lead to More App Installs?

The app industry is incredibly competitive. There are millions of apps available today, with many more being released all of the time. As a developer, making a fantastic app is one thing; ensuring it gets lots of downloads is another.

There are a number of ways in which developers can boost their app’s download numbers. Some choose to buy app installs; others focus on implementing an effective marketing strategy. One important factor that is crucial for boosting download numbers is app security. Let’s find out more.


What are the Threats?

Our modern lives are increasingly dependent on mobile apps. We use them for everything from socialising to financial management, and as a result, apps often hold personal and sensitive information about users. Cybercriminals are well aware of this and have devised various methods to compromise the security of apps and access this data.

Much of a mobile app’s functionality is executed by a backend server operated by the developer. These servers are a frequent target for cybercriminals, who can exploit weaknesses in the server’s code or configuration to access sensitive information. Poor data handling and storage is another way in which user information can be targeted, and mistakes of this kind often come with serious legal and regulatory ramifications for the developer. How can developers protect their apps and users against threats posed by scammers and hackers? Find out below.

How are Apps Secured?

Protecting the server is a fundamental part of proper app security. The server code should be regularly reviewed and maintained by a dedicated team, allowing for the rapid identification of emerging issues that can be addressed before they develop any further.

All user data must be stored properly and encrypted, and all regulatory rules regarding data storage must be strictly adhered to. Keeping data in the app’s private internal storage, rather than on shared external storage where other apps can read it, is an effective way of protecting it from external threats.

Your overall security strategy must be regularly reviewed and updated. Cybercriminals are constantly finding new ways to target apps, so you need to be prepared to overhaul your security systems to adapt to new threats.

Why is Security Important?

Why is app security so important? Your users will often divulge incredibly sensitive information when using your app, including things like contact details and financial information. If they feel like their data is not safe and that they could be at risk of identity theft or fraud, they are far less likely to download and use your app. What’s more, unsafe apps can result in bad reviews, which will push your app down the app store charts and seriously impact download figures.


Emphasising your app’s security will almost certainly lead to more installs. Safety is a top priority for many app users. They will not want to use any app that they feel could pose a potential security risk. Make security the number one priority in the development process and watch installs increase and your app rise in the charts. 

The post Will Emphasising App Security Lead to More App Installs? appeared first on IT Security Guru.

Lupovis eliminates false positive security alerts for security analysts and MSSPs

Strathclyde University’s cyber spin-out Lupovis has launched a new service designed to help security analysts and Managed Security Service Providers (MSSPs) identify false positive security alerts from genuine threats.

False positives are alerts raised by security products that classify innocent activity as a malicious attack, and security analysts often spend a significant proportion of their day investigating them. This drains resources and overwhelms often understaffed security teams.

Through Lupovis’s new platform features, which are dubbed Prowl, MSSPs and security analysts can send an IP address to Lupovis using a dedicated API, which will then automatically confirm whether the IP address is coming from a bot, or a human attacker.

Utilising data from Lupovis’s cyber decoys, the API also provides intelligence on the location of an attacker and on their Tactics, Techniques and Procedures (TTPs), enabling security teams to take appropriate action to prevent further attacks. The company says this saves time and lets analysts focus on investigating and remediating real threats, while eliminating bot noise.

“While the volume of attacks organisations face continues to rise, the number of unfilled cybersecurity jobs also grows, so security teams cannot afford to waste their time investigating false positives, they simply do not have the resources. Through our new platform feature, security teams and MSSPs can overcome this burden and easily check IP addresses to identify if the traffic are bots, or if there are any indicators of intelligence, which would reveal it is a human adversary they are facing. This saves time, improves efficiency, and means time and money is going towards security issues that matter to businesses, not ones that should be ignored,” said Xavier Bellekens, CEO of Lupovis.

The post Lupovis eliminates false positive security alerts for security analysts and MSSPs appeared first on IT Security Guru.

Keeper Security Cybersecurity Census Report: Cyberattacks rife on public sector organisations

According to new research by Keeper Security, the public sector’s digital infrastructure is a key target for cyberattackers in an age of global political turmoil and increasing macroeconomic instability, particularly as digital infrastructure underpins nearly every essential public sector function from emergency services to government authorities.


The Government and Public Sector Cybersecurity Census Report revealed that, on average, organisations in the public sector experience 44 cyberattacks each year—more than three every month—and more than a third (35%) experience over 250 attacks annually. In short, the company says, cyberattacks are becoming a weekly and, in some cases, daily threat to public sector organisations. Given their crucial role powering critical infrastructure, these attacks present not just a threat to individual organisations, but to the nation as a whole.


Cyberattacks can also damage public trust. In fact, over a third (39%) of respondents report they experienced reputational damage due to a successful cyberattack and 35 percent experienced disruption to their daily operations from an attack, over a quarter (29%) experienced theft of information and 25 percent had money stolen. With budgets under pressure, the sector can’t afford such losses—particularly when the 27 percent of those who had money stolen report the figure taken was between £500,000 and £999,999.


According to IT leaders, this onslaught of cyberattacks on the public sector is only expected to grow. The vast majority (88%) expect the total number of attacks to increase and, within that, 56 percent expect the number of successful attacks to increase as well.


Identifying and protecting against the threat


Despite the data showing that cyber threats and breaches are poised to increase, just 29 percent of public sector organisations believe they are ‘very well prepared’ to defend against cyberattacks:


  • Only 27 percent believe they are very well equipped to deal with employees leaving the organisation with credentials that give them access to data
  • Only 19 percent stated they have in place a highly sophisticated framework for visibility and control of identity security
  • 38 percent said they leave it to employees to set their own passwords and access is often shared between employees


The need for change is therefore urgent. More than two-thirds (69%) say that the time taken to identify and respond to a cyberattack has increased in the past 12 months. However, the majority (75%) believe they currently have the right skills and solutions in place. This apparent contradiction could be due to a need for improving how skill sets and solutions are deployed to make the most of them, as well as a need for cultural changes in how cybersecurity is approached.


Building and investing in the right security culture


Cybersecurity is recognised as essential by leadership in the public sector, with nearly two-thirds (65%) of respondents stating it was of significant importance to their C-suite and they dedicate resources to it. This commitment from leadership appears to be having a positive effect on the appetite for change in cybersecurity approaches in the public sector, with 83 percent of organisations having invested in cybersecurity personnel in the past 12 months.


Beyond hires, more than half (58%) of IT leaders increased spend on cybersecurity software, 53 percent increased cybersecurity training and 50 percent invested in new technology such as privileged credentials technology. However, more work needs to be done to increase knowledge of key security concepts in the sector: only 60 percent of respondents said that they, and the rest of their organisation, fully understand the concepts of zero trust and zero knowledge as they relate to cybersecurity.


“While the public sector is taking key steps toward building a culture of security, such as regular threat assessments, significant vulnerabilities remain. In particular, the sector must put security at the heart of transformation efforts while credential management needs to be stepped-up to plug gaps that could be exploited by bad actors,” said Darren Guccione, Keeper Security Co-founder and CEO. “IT leaders must remain vigilant in demonstrating the value of security to their organisations. The sector must recognise that cuts to cybersecurity budgets only expose organisations to greater threats—both financial and reputational. Stronger defences, on the other hand, offer a long term return on investment by protecting against theft.”

The post Keeper Security Cybersecurity Census Report: Cyberattacks rife on public sector organisations appeared first on IT Security Guru.

Identity Thieves Bypassed Experian Security to View Credit Reports

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report”, and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.
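The class of flaw described above, where reaching a URL is treated as proof that the preceding verification step was completed, as an added example that is not Experian’s code. The three paths are the ones named in the article; the session fields, the sample report, the KBA question and its answer are assumptions constructed for this example.

```python
"""Forced browsing past a verification step.

Added example, not Experian's code. The paths (/acr/oow/, /acr/OcwError,
/acr/report) are taken from the article; the session fields, the sample
report and the KBA question/answer are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data standing in for a consumer's credit file.
SAMPLE_REPORT = {"name": "Jane Doe", "tradelines": ["mortgage", "credit card"]}

# Constructed KBA question and expected answer (assumption).
KBA_QUESTION = "Which of the following addresses have you lived at?"
KBA_ANSWER = "12 Example Street"


@dataclass
class Session:
    """Server-side session state. The client never controls these flags."""
    pii_submitted: bool = False   # name/address/DOB/SSN accepted
    kba_required: bool = False    # questions were generated for this consumer
    kba_passed: bool = False      # questions were answered correctly
    kba_failed: bool = False      # questions could not be generated, or were failed


def submit_pii(session: Session, have_enough_history: bool) -> str:
    """Step 1: accept identity data and decide which page comes next."""
    session.pii_submitted = True
    if have_enough_history:
        session.kba_required = True
        return "/acr/oow/"        # question page
    session.kba_failed = True
    return "/acr/OcwError"        # "not enough information to validate"


def answer_kba(session: Session, answer: str) -> str:
    """Step 2: grade the knowledge-based authentication answer."""
    if not session.kba_required or session.kba_failed:
        return "/acr/OcwError"
    if answer == KBA_ANSWER:
        session.kba_passed = True
        return "/acr/report"
    session.kba_failed = True
    return "/acr/OcwError"


def vulnerable_report(session: Session) -> tuple[int, dict | None]:
    """Handler for /acr/report that trusts page order instead of state.

    It only checks that the flow was started, so a client that edits the
    URL after /acr/oow/ or /acr/OcwError gets the report without ever
    answering a question. This mirrors the bypass in the article.
    """
    if not session.pii_submitted:
        return 403, None
    return 200, SAMPLE_REPORT


def hardened_report(session: Session) -> tuple[int, dict | None]:
    """Handler that gates on the server-side record of KBA success."""
    if not (session.pii_submitted and session.kba_passed and not session.kba_failed):
        return 403, None
    return 200, SAMPLE_REPORT


def walk_through() -> dict:
    """Replay the article's two scenarios against both handlers."""
    results = {}
    # Scenario A: questions shown, client edits the URL instead of answering.
    s = Session()
    submit_pii(s, have_enough_history=True)
    results["skip_questions_vulnerable"] = vulnerable_report(s)[0]
    results["skip_questions_hardened"] = hardened_report(s)[0]
    # Scenario B: site could not even generate questions (OcwError page).
    s = Session()
    submit_pii(s, have_enough_history=False)
    results["error_page_vulnerable"] = vulnerable_report(s)[0]
    results["error_page_hardened"] = hardened_report(s)[0]
    # Legitimate path: questions answered correctly.
    s = Session()
    submit_pii(s, have_enough_history=True)
    answer_kba(s, KBA_ANSWER)
    results["answered_hardened"] = hardened_report(s)[0]
    return results


if __name__ == "__main__":
    for name, status in walk_through().items():
        print(f"{name}: {status}")
```

The point of the hardened handler is that the decision is made from state the server wrote itself when the questions were graded, not from which page the browser happened to request last. Any multi-step verification flow needs the same check on its final step, and the test for it is exactly what Kushnir described: complete step one, then request the final URL directly and confirm you are refused.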

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse at the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.


It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

The state of Identity Security: Widespread attacks, wasted investment and identity sprawl

Identity management is in dire straits, according to a recently conducted survey by identity security firm One Identity. Surveying over 1,000 IT security professionals, the results showed that 96 percent of companies report using multiple identity management tools, with 41 percent deploying at least 25 different systems to manage access rights. However, 70 percent of companies reported they’re paying for identity tools they’re not actively using. This investment in multiple disparate identity tools is having a direct impact on their overall security posture.

Companies have acquired multiple identity tools to deal with the surge in digital identities (the digital profiles that access enterprise data and applications), creating identity sprawl that weakens their security posture. More than half of companies (52%) manage more than 10,000 identities, covering access rights given to employees, devices, machines, digital identities and customers. Over half of UK respondents said the number of identities they manage has more than doubled over the past two years.

“Legacy approaches to identity and access management have caused organizations to adopt multiple identity solutions, and the lack of interoperability between these tools has a direct business and security impact,” said Mark Logan, CEO of One Identity. “Our research shows that organizations see the negative impact that multiple, fragmented identity tools have on their business. By shifting security professionals’ mindset from a disparate, tool-based approach to a platform approach, businesses can improve their identity security defenses to protect against the modern threat landscape.” 

Elsewhere, other key findings from the survey include:

The need for shoring up identity-based defenses is significant. Nine in 10 organizations were hit by an identity-based attack in the last year, with almost 70 percent of companies experiencing a phishing attack. According to 80 percent of respondents, better identity management tools could have prevented the impact of many such attacks.

Essentially all companies (99 percent) report that identity tool inefficiencies have a direct cost on their business. In fact, 42 percent of businesses report that those inefficiencies are costing them over $100,000 per year. That loss comes on top of what is spent on the tools themselves, which 61% of UK respondents placed at between £50 and £50,000.

The deployment of multiple identity management tools impacts security posture and drains productivity. Consider that for those with multiple tools:

  • 44% reported increased risk due to potential gaps in coverage
  • 46% reported IT admins are spending too much time managing redundancies
  • 46% reported IT admins are managing too many tools to gain in-depth expertise in any of them
  • 41% report that IT team’s productivity is lower because they have to learn similar tasks across multiple systems

The good news is that companies are looking to improve their identity security, with an overwhelming 90 percent of companies surveyed planning to consolidate their security or identity management tools. Of that 90 percent, more than half plan to do so in the next year. More than half (54%) of respondents also believe that a unified identity platform for access and identity management would benefit their organization’s identity management strategy.

A free executive summary and key findings of the survey results announced today is available online here.

The post The state of Identity Security: Widespread attacks, wasted investment and identity sprawl appeared first on IT Security Guru.

Hack The Box launches its annual University CTF to inspire the next generation of security professionals to take the fight against cybercriminals

As the cyber skills gap widens to record new levels, disruptive cybersecurity training and upskilling platform, Hack The Box (HTB), has announced its annual global University ‘Capture the Flag’ (CTF) competition that will take place from 2nd – 4th December 2022 


This year’s event, which is open to students and academics at higher education institutions worldwide, is designed to inspire and prepare a new generation of security professionals to join the fight against cybercrime, at a time when they are most needed, with the global talent shortage standing at 3.4 million [1].


With attacks spiking 28% in the third quarter of 2022 alone [2], and cybercrime predicted to cost the global economy $10.5 trillion by 2025 [3], students taking part will learn the latest practical hacking skills needed to combat the ever-growing and evolving volume of sophisticated threats. Higher education professionals will also be introduced to innovative and effective new methods of gamified and hands-on teaching.


HTB’s University CTF will see students across the globe face over 20 sophisticated cyber challenges, testing their skills in Cloud, Crypto, Pwn, Web, Forensics and more. This year’s challenges replicate the latest attack scenarios and cybercriminal techniques, helping to ensure students of all levels are prepared for a career in modern day cybersecurity.  


This year’s CTF aims to shine a light on cyberbullying and create an inclusive space where students all over the world can gain access to the latest skills and networks, but also learn in an interactive, enjoyable and safe environment. Titled ‘Supernatural Hacks’, this year’s CTF focuses on helping students to interact safely online and build their digital citizenship, all whilst teams work together in a fictional wizarding world to defeat cyber’s darkest villains. Proceeds from the competition are being donated to Cybersmile, a multi-award-winning nonprofit organisation committed to digital wellbeing and tackling all forms of abuse and bullying online.


Haris Pylarinos, CEO and co-founder of Hack The Box, says: “Universities are the breeding ground for the next generation of cyber professionals, and it’s critical students have experience tackling real world threats. The massive rise in the volume and sophistication of cyberattacks means demand for new skills is booming and the old ways are no longer working.”


“CTFs are a highly effective way to learn hands-on cyber skills through fun, gamified content. We’re seeing students join to not only sharpen their skills but also network with like-minded peers looking to enter a career in cyber. The competition is also an opportunity for academics and universities to learn new teaching methods that promote a ‘hacking mindset’ approach, needed to match the current threat landscape.” 


Haris continues: “The game has changed in cyber. Arbitrary degree and qualification hiring criteria need to be phased out and businesses must prioritise practical-based skills and training experience. This will help cut the red tape holding back an untapped pool of highly skilled cyber talent waiting in the wings.


Meanwhile, for younger generations increasingly looking for professions with purpose, hacking presents not only lucrative career prospects but an opportunity to do meaningful work stopping cybercriminals online, protecting businesses, governments, hospitals, schools and individuals from dangerous real-life threats. We’re excited to continue preparing the hackers of the future.”


Last year’s University CTF winners included players from some of the biggest universities and schools in the world, including the University of Warwick, Hasso Plattner Institute and 42 Paris. With more students looking to upskill than ever, HTB University CTF saw a 191% year-on-year increase in participation in 2021, and 2022 is set to see record levels of participants.


Teams of 1 to 20 players can enter the CTF from anywhere. All skill levels are welcome, with challenge categories ranging from ‘Beginner’ to ‘Hard’. The CTF style will be Jeopardy and FullPwn. Cash and swag prizes, as well as certificates of attendance, can be earned for taking part.


Hack The Box’s University CTF is sponsored by EY.  

Registration closes on 30th November, sign up here. 

  1. (ISC)2 Cyber Security Workforce Study
  2. Check Point Research: Third quarter of 2022 reveals increase in cyberattacks
  3. Cyber Security Ventures: Cybercrime To Cost The World $10.5 Trillion Annually By 2025

The post Hack The Box launches its annual University CTF to inspire the next generation of security professionals to take the fight against cybercriminals appeared first on IT Security Guru.

Microsoft Email Security Bypasses Instagram Credential Phishing Attacks

It has been reported that a credential phishing attack targeted 22,000 students at national educational institutions through a campaign where hackers impersonated Instagram.

The attack was described by security experts at Armorblox in an advisory released on 17th November 2022.

The advisory says: “The subject of this email encouraged victims to open the message… The goal of this subject was to induce a sense of urgency in the victims, making it seem an action needed to be taken in order to prevent future harm.”

The email appeared to come from Instagram support: the sender’s display name was Instagram, although the sending domain, instagramsupport.net, was not Instagram’s own.

“This targeted email attack was socially engineered, containing information specific to the recipient – like his or her Instagram user handle – in order to instill a level of trust that this email was a legitimate email communication from Instagram.”

Once users clicked on a link in the email, they were taken to a fake landing page. There was a ‘This Wasn’t Me’ option which, when clicked, directed users to a second faux landing page specifically designed to obtain user credentials, including sensitive information.

The Armorblox advisory added: “The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks.”

Sami Elhini, biometrics specialist at Cerberus Sentinel, explained: “In this case, an email from instagramsupport.net should be viewed as suspicious as Instagram’s domain is instagram.com. Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take.”

He also added that verifying the origin of an email is a good start, however further scrutiny is required concerning which domain the email originated from.
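The point made above is that passing SPF and DMARC only proves the mail came from the domain it names, so the domain itself still has to be scrutinised. The following check, an added example that is not part of the article, accepts the authentication verdicts but still flags a sender whose display name claims a brand while its domain is not one the brand uses; the brand allowlist, the two sample messages and the function names are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains each brand really sends from: a constructed allowlist for this
# example, not Instagram's actual sending domains.
BRAND_DOMAINS = {"instagram": {"instagram.com", "mail.instagram.com"}}


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def assess_brand_impersonation(raw_message):
    """Flag a sender that claims a brand whose domains it does not use."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # A brand is "claimed" when its name appears in the display name or domain.
    claimed = next((b for b in BRAND_DOMAINS
                    if b in display_name.lower() or b in sender_domain), None)
    auth = auth_verdicts(msg)
    # Passing SPF/DMARC only proves the mail came from the domain it names.
    auth_passed = auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    impersonation = claimed is not None and sender_domain not in BRAND_DOMAINS[claimed]
    return {"sender_domain": sender_domain, "claimed_brand": claimed,
            "auth_passed": auth_passed, "brand_impersonation": impersonation}


# Constructed sample: attacker-controlled lookalike domain with valid SPF/DMARC.
PHISH = """From: Instagram <support@instagramsupport.net>
Subject: Unusual login attempt on your account
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=instagramsupport.net; dmarc=pass header.from=instagramsupport.net

We noticed a login from a new device. If this wasn't you, review it now.
"""

# Constructed sample: same display name, domain on the brand's allowlist.
LEGIT = """From: Instagram <security@mail.instagram.com>
Subject: Security tips for your account
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=mail.instagram.com; dmarc=pass header.from=mail.instagram.com

Here are some tips to keep your account safe.
"""
```

Both samples pass authentication; only the first is flagged, because the brand check is independent of the SPF/DMARC verdict.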

Erich Kron, security awareness advocate at KnowBe4, added that being comfortable with user interfaces and being able to navigate technologies does not mean individuals fully understand the risks.

“In our modern digital world, it is very important to stay educated on how to spot these sorts of social engineering attacks.”

This comes after warnings of increased phishing attacks across the web.


3 Ways Software Licensing Eliminates Vulnerabilities to Enhance Security


In the digital era, various software is widely used to accomplish personal and enterprise tasks. Most software requires the user’s consent to access its full functionality. While you may entertain the idea of using free tools, unlicensed software can expose your organization to various security and financial risks. To enhance security and efficiency, software licensing is vital in today’s business landscape. Here are various ways licensing ensures better security.

1. Legal and Security Compliance

Using unlicensed software makes your organization vulnerable to existing and new risks. The practice is also typically considered piracy: the unlawful duplication, use, and distribution of software without consent from the owner. The copyright owner may take legal action against your company, leading to fines and penalties depending on the severity of your violation.

Typically, companies running unlicensed software on their network are at a greater risk of experiencing devastating malware attacks. Software licensing lowers your overall risk surface. Every organization should have a continuous inventory of authorized and unauthorized hardware or software running on their network at any time. The practice makes it easy to identify inactive licenses to ensure legal and security compliance.

2. Reliable Protection Layer Against Cyberthreats

Installing unlicensed software increases your exposure to risks like malware by about 30%. Businesses that use unauthorized software face more cybersecurity incidents than companies that run licensed and updated software. That’s because malicious entities can embed malware in the pirated software and use it as an entry point to sabotage your network and data.

Licensed software has a built-in mechanism that can detect excessive user privileges. For instance, an audit may reveal unauthorized applications on your business computers. Since your company doesn’t sanction the application, it’s likely the end-user made the installation. Most systems are designed to resist end-user tampering, so an unsanctioned installation indicates that the end-user holds excess privileges that let them circumvent that control. This serious security issue may go unnoticed when using unlicensed software, exposing your organization to security risks that can hurt your business.

3. Versatile Software Tracking For Modern Use

Software licensing has experienced significant advancements over the last decade. Previously, monitoring software on Windows computers was the core focus for most organizations. And while some workers were using their personal devices for work-related tasks, companies were less concerned with the software running on them.

On the contrary, modern companies rarely work from one operating system. Working from multiple operating systems is the norm in the hybrid work model. As more organizations embrace the BYOD policy, employees are at liberty to choose their favorite device to boost productivity.

While the approach minimizes your capital expenditure, it increases the threat landscape in most organizations. However, software security tracking has become a critical tool for mitigating cyber threats in a complex work model.

While many organizations look for free software and tools to cut costs, this may not be a good strategy considering the inherent risks and potential financial implications. It’s prudent to implement a software licensing policy in your business to avoid security issues and ensure business continuity.


Closed Door Security joins the Cyber Scheme

Closed Door Security, a leading provider of attack-driven cybersecurity services, today announced it has joined the Cyber Scheme, reinforcing its position as one of the UK’s leading and most widely accredited penetration testers.

The Cyber Scheme provides the highest standard of government approved examinations and is essential for technical consultants wishing to gain the NCSC CHECK status, to allow them to carry out penetration testing on public sector and critical national infrastructure networks.

As a member of the Cyber Scheme, Closed Door Security will be supporting red teaming projects, improving penetration testing standards, helping assess examinations, while also raising cybersecurity awareness and educating more organisations on threats. Closed Door Security is one of the only Scottish companies to join the scheme, which already boasts some of the UK’s most established penetration testing organisations.

“We are delighted to join the Cyber Scheme and be rubbing shoulders with some of the UK’s pen-testing giants. We are now one of the most highly-accredited cybersecurity companies in Scotland, and joining the Cyber Scheme supports us on our journey to become NCSC CHECK certified. Cybersecurity continues to shatter organisations every day, and we, as defenders, need to make it harder for criminals to exploit our infrastructure. Penetration testing helps unearth weaknesses in systems that often go unnoticed, so with every weakness we find, and every company we educate, we firmly close a door on attackers,” said William Wright, CEO of Closed Door Security.

Closed Door Security is the only cybersecurity company based in the Outer Hebrides, and it was recently accredited by the internationally-recognised professional certification board CREST as a trusted and expert provider of penetration testing. The company experienced significant growth over the last year, taking on eight new employees and expanding into the United States market with Closed Door Security (US) LLC.


Salt Security API Protection Platform Now Available in the Microsoft Azure Marketplace

Salt Security, the API security company, has announced that it has achieved Microsoft Azure IP Co-sell Ready status, which means that the Salt Security API Protection Platform can be sold and marketed by Microsoft sellers globally. By earning this status, Salt said it can provide its customers with a more streamlined deployment and management process for taking advantage of the productive and trusted Azure cloud platform. In addition, the Salt Security API Protection Platform will gain greater visibility both within the Microsoft Azure Marketplace and among Microsoft sales teams and partners worldwide. 


According to the Q3 2022 State of API Security Report, malicious API traffic grew 117% over the past year, now accounting for 2.1% of all API traffic. Customers tap the Salt platform to discover their APIs, protect them during runtime, and improve their API security posture. The Salt Security API Protection Platform correlates user behaviour over time to pinpoint and stop attackers, using its rich context about all API usage to identify the reconnaissance activities of bad actors. The platform consolidates all pertinent information into a single attacker timeline generating a single alert, which allows incident response teams to quickly take action.


“Salt empowers organisations to drive digital transformation and business innovation initiatives with the confidence that their critical data and services are protected with the industry-leading API security platform,” said Gilad Barzilay, head of business development at Salt Security. “Microsoft Azure IP Co-sell Ready status further validates our integration with the Azure cloud platform and strengthens our commitment to our joint customers.”


The Microsoft IP Co-Sell Program enables Microsoft and partners to provide comprehensive solutions in a collaborative selling model to drive joint sales, revenue, and mutual customer success. 


“Through Microsoft Azure Marketplace, customers around the world can easily find, buy, and deploy partner solutions they can trust, all certified and optimised to run on Azure,” said Jake Zborowski, general manager, Microsoft Azure Platform at Microsoft Corp. “We’re happy to welcome Salt Security to the growing Azure Marketplace ecosystem.”


Salt Security applies cloud-scale big data, with the industry’s most time-tested AI and ML algorithms, to provide the insights needed for API security. Through its patented API Context Engine (ACE) architecture, the platform can identify the early indicators of an attack, stop attackers from advancing, and turn attackers into penetration testers, leading to valuable feedback for development teams to eliminate API vulnerabilities.
