Cyber Oregon https://cyberoregon.com Keeping Oregon Safe Online Tue, 13 Aug 2019 07:03:18 +0000 en-US hourly 1 https://wordpress.org/?v=5.2.2 DEF CON 27 Was Hacking Airplanes, Voting Machines, Cameras, Schools https://cyberoregon.com/2019/08/13/def-con-27-was-hacking-airplanes-voting-machines-cameras-schools/ Tue, 13 Aug 2019 15:00:15 +0000 https://cyberoregon.com/?p=5747 After a full week invading Las Vegas, top security conferences Black Hat USA 2019 and DEF CON 27 have come to an end…or is just the beginning? What a week it was! The conferences proved that nearly everything is hackable: Airplanes. This year marked the first-ever aviation village at DEF CON. According to an article…

The post DEF CON 27 Was Hacking Airplanes, Voting Machines, Cameras, Schools appeared first on Cyber Oregon.

]]>
After a full week invading Las Vegas, top security conferences Black Hat USA 2019 and DEF CON 27 have come to an end…or is just the beginning? What a week it was! The conferences proved that nearly everything is hackable:

  • Airplanes. This year marked the first-ever aviation village at DEF CON. According to an article in Cyber Scoop, “when it comes to cybersecurity, the mission is never-ending for the military.” Recently, government audits found flaws in weapons systems. Shannon Vavra writes that the Department of Homeland Security issued an alert that a vulnerability in small airplanes could allow hackers to alter flight data, such as engine readings, altitude, or airspeed.
  • Voting machines. The Washington Post article is saying, ‘Please break things’: Hackers lay siege to voting systems to spot weaknesses in security. Sen. Ron Wyden (D-Ore.) toured the Voting Village to see hackers working to expose weaknesses that could be exploited by attackers trying to interfere with elections. Most machines that are still used in elections across the country have well-known vulnerabilities.
  • DSLR cameras. Multiple vulnerabilities in Canon’s DSLR camera firmware could allow an attacker to plant malware on devices and ransom images from users, according to a ThreatPost recap
  • High schools. Eighteen-year-old hacker, Bill Demirkapi, presented his findings from his after-school hacking. Over the years, he has found serious bugs that would allow a hacker to gain deep access to student data, according to a Wired article.
  • Wi-Fi. We know Wi-Fi networks can be hacked, but security researcher, Mike Spicer, has been actively collecting and monitoring network traffic and web activity onsite at DEF CON for the last three years. He roams the halls with “Wi-Fi Cactus” hardware strapped to his backpack, made up of 25 Hak5 Pineapples, devices made to monitor, intercept, and manipulate network traffic. A complete write up is in C/NET’s article. It’s no wonder attendees tend to bring burner phones and leave their laptops in their hotel rooms!
  • Microsoft Azure? Microsoft is pushing for enhanced security for the Azure cloud computing service with the launch of increased bug bounty rewards, according to a ZDNet article. Financial rewards of up to $300,000 are available for Azure security challenges offered by Microsoft. In fact, Microsoft has awarded over $4.4 million in bug bounty rewards over the past 12 months. In other news, Apple has a huge bug bounty program, that will include rewards of up to $1 Million for a zero-click, full-chain kernel-code-execution attack. According to an InfoSecurity Magazine article, some security experts are concerned that these types of bounty programs could produce new exploits. Luta Security CEO Katie Moussouris says, “There is a logical limit which defensive prices cannot exceed because if you exceed them you start to see perverse incentives emerge. I think the offense market, also known as the black market, will very quickly adjust.”
It was a flurry of activity at Black Hat USA 2019.

Cyber Oregon supporters infiltrated Black Hat and DEF CON

Cyber Oregon supporters — including Crowdstrike, Eclypsium, Fidelis Cybersecurity, Fortinet, McAfee, Palo Alto Networks, PKI Solutions, Splunk, Symantec — had a strong presence at this year’s Black Hat USA, including several featured speakers and sessions, booths, and surprises. Eclypsium, Fidelis Cybersecurity, PKI Solutions, and Symantec, also had a big presence at this year’s DEF CON 27, including presentations and live-hacking demos.

Cyber Oregon sponsor, Eclypsium, saw lots of booth traffic at Black Hat USA 2019.

Cyber Oregon supporter, PKI Solutions enjoyed a lively presence onsite. Mark B. Cooper, president and founder of the company, spoke to a large crowd at DEF CON 27’s Crypto & Privacy Village, “How PKI and SHAKEN/STIR Will Fix the Global Robocall Problem.” In an effort to put an end to the robocall problem, the Federal Communications Commission (FCC) and major telecommunications companies including Comcast, AT&T, and T-Mobile are behind a new global standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using ToKENs and Secure Telephony Identity Revisited) to combat robocalls and caller ID spoofing. Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed.

Mark B. Cooper of PKI Solutions (left) with a fellow attendee wear #hiptoencrypt sunglasses, a fun giveaway by PKI Solutions.

Beyond hacks: the new culture of cybersecurity

Exploiting vulnerabilities, discussions around the latest threats, and hacking everything were core themes, security transformation in organizations was also a hot and important topic, as outlined by Square’s head of security, Dino Dai Zovi’s DEF CON 27 keynote, “Every Security Team is a Software Team Now.” According to an article in Security Boulevard, the new culture of cybersecurity can be put into practice in these three ways:

1. Work Backward from the Job

This involves identifying the actual job that Dev or Ops (or whoever) is trying to do, and finding out how Security can align itself. It involves listening, cooperation, and integration, and as such it makes security an enabler that can collaborate with other groups on the achievement of shared goals.

2. Seek and Apply Leverage

Zovi’s next principle directly addresses two powerful techniques for making security work:

  • Leveraging Automation: In a world where security talent is scarce and where rapid delivery and release are priority #1, leveraging automation builds in speed, standardization, and the ability to scale securely.
  • Leveraging Feedback Loops: Using feedback loops proactively builds in observability and enables continuous, incremental improvements. Reliability is important, but without observability, its value is greatly diminished. Securing your environments without continuous monitoring is counterintuitive and counterproductive.

3. Understand That Culture > Strategy > Tactics 

Dai Zovi’s third principle emphasizes that “Culture is way more powerful than strategy, which is way more powerful than tactics.” If organizations get the culture part right, productive strategies and tactics will almost naturally follow suit. Dai Zovi advocates for a culture where security is pervasive and is distributed throughout the organization. This way risk and responsibility are owned by everyone in the organization and are not just the purview of security. If you give your people responsibility, you empower them to make a full commitment to security and quality. You’re also taking advantage of a major opportunity to create teamwork among everyone in the organization and to create a reality where everyone is working towards shared goals. 

Cyber Oregon partner blog of interest:

The post DEF CON 27 Was Hacking Airplanes, Voting Machines, Cameras, Schools appeared first on Cyber Oregon.

]]>
Cyber News Roundup: What to Expect at Black Hat and DEF CON https://cyberoregon.com/2019/08/02/cyber-news-roundup-what-to-expect-at-black-hat-and-def-con/ Fri, 02 Aug 2019 18:52:08 +0000 https://cyberoregon.com/?p=5721 Your phone is leaking your personally identifiable information (PII). Learn how to break modern encryption and hack into a car. Explore ways to hack physical security, including disabling alarm systems and cameras. Hear lessons learned from running a national penetration testing competition. These are just some of many topics that will be explored – and…

The post Cyber News Roundup: What to Expect at Black Hat and DEF CON appeared first on Cyber Oregon.

]]>
Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

Your phone is leaking your personally identifiable information (PII). Learn how to break modern encryption and hack into a car. Explore ways to hack physical security, including disabling alarm systems and cameras. Hear lessons learned from running a national penetration testing competition. These are just some of many topics that will be explored – and exploited – next week. As Las Vegas sizzles at 100 degrees plus, hot security technologies and cybersecurity findings will also be sizzling at this year’s Black Hat USA 2019 and DEF Con 27 conferences. Black Hat USA, one of the world’s leading information security events, paired with DEF CON, the world’s largest hacking conference, bring together top cybersecurity professionals who will discuss top trends, top threats, vulnerabilities, research – and the latest reverse engineering, attacks, and hacks. Welcome to Vegas, Baby!

Hot topics this year include:

  • New attack surfaces
  • Wireless 
  • Mobile
  • Auto and aircraft hacking
  • Social media manipulation driven by malware
  • Artificial intelligence
  • Biohacking

What are the biggest cybersecurity concerns?

A recent poll reveals that Black Hat attendees are most concerned about vulnerability management, ransomware, container security, and compliance. In his article, Black Hat 2019 Braving the Heat and Chaos in Search of Peace of Mind, Tony Bradley states that what businesses and cybersecurity professionals really want is peace of mind and less stress in their lives. With two back-to-back conferences exposing the dark side of security, there’s a lot to be worried about – and a lot to learn. Do you want to learn how to exploit rare technologies? Do you want a deep dive into the world of Linux containers? How about how to perform how to efficiently assess internal networks? Or how to attack and defend the Microsoft Cloud? Black Hat USA will offer ample technical trainings including cryptography, forensics, IoT, malware, social engineering, and pen testing.

The keynote at Black Hat, “Every Security Team is a Software Team Now,” sums everything up: how security teams are becoming increasingly focused on the software side of things, and how everything has to be secure by design from the start. According to an article in ThreatPost, does every software team have to have a security component? Security and how it fits into everything is the new normal.

The folks at McAfee weigh in on what attendees should keep an eye out for at this year’s Black Hat, offering perspectives on topics and the latest cyber concerns. Read the Q&A here.

Cyber Oregon Supporters Flood Vegas

Cyber Oregon supporters will have a big presence at this year’s Black Hat USA, including several featured speakers and sessions, booths, and surprises:

Following Black Hat USA 2019: DEF CON 27

DEF CON 27 won’t disappoint. Whether it’s exploiting Windows, embedded hacking, hacking a small aircraft, or breaking Google Home, speakers will share their latest thoughts and research and attendees will get the chance to live hack.

What does ThreatPost anticipate at DEF CON? In a podcast, editor Tom Springs outlines, “Your sort of bread and butter hardware hacking sessions, software hacking, cloud hacking stuff…stuff that you would definitely anticipate really looking forward to. And they’ve got a lot of good stuff on breaking Google Home and…doing a lot of really interesting things with a lot of the Windows cloud configurations…some really fun quirky stuff.” Quirky stuff including hacking a Roomba. Tara Seals of ThreatPost says that a hacked Roomba could use that data to map out the floor plan, to plan a physical robbery. #scary

Firmware vulnerability issues continue to be an issue. Eclypsium, enterprise firmware security company and Cyber Oregon supporter, recently issued a baseboard management controllers (BMC) vulnerabilities report finding critical vulnerabilities and weaknesses in the firmware of popular computer servers, according to a Cyberscoop article. The data has forced manufacturers to take action and mitigate the security flaws.

“Most hardware vendors do not write their own firmware and instead rely on their supply chain partners,” Eclypsium said in recently-published research. “Firmware is quite commonly licensed from a third party and used with little modification, allowing vulnerabilities to extend to many different brands and products.”

Cyber Oregon supporters will penetrate DEF CON 27 with presentations with subject matter experts and live-hacking demos:

On Friday, August 9 a DEF CON 27, cybersecurity expert Mark Cooper, president and founder of PKI Solutions and Cyber Oregon supporter, will present “How PKI and SHAKEN/STIR Will Fix the Global Robocall Problem.” More than 48 billion robocalls were placed in 2018 and the Federal Communications Commission (FCC) estimates robocalls will constitute more than half of all phone calls placed in the U.S. this year. In an effort to put an end to this, the FCC and major telecommunications companies including Comcast, AT&T, and T-Mobile are behind a new global standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using ToKENs and Secure Telephony Identity Revisited) to combat robocalls and caller ID spoofing. Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed.

Cyber Oregon partner blog of interest

The post Cyber News Roundup: What to Expect at Black Hat and DEF CON appeared first on Cyber Oregon.

]]>
Oregon Cybersecurity Leader Charlie Kawasaki Featured on KGW https://cyberoregon.com/2019/07/14/oregon-cybersecurity-leader-charlie-kawasaki-featured-on-kgw/ Mon, 15 Jul 2019 05:16:40 +0000 https://cyberoregon.com/?p=5640 While many people understand the need to build a larger cybersecurity workforce with trained cybersecurity experts, it takes dedicated cybersecurity leaders to push this initiative forward. One standout in this effort is Charlie Kawasaki, vice chair of the Oregon Cybersecurity Advisory Council (OCAC), CTO of PacStar, and co-founder of NW Cyber Camp – which kicks…

The post Oregon Cybersecurity Leader Charlie Kawasaki Featured on KGW appeared first on Cyber Oregon.

]]>
While many people understand the need to build a larger cybersecurity workforce with trained cybersecurity experts, it takes dedicated cybersecurity leaders to push this initiative forward. One standout in this effort is Charlie Kawasaki, vice chair of the Oregon Cybersecurity Advisory Council (OCAC), CTO of PacStar, and co-founder of NW Cyber Camp – which kicks off today and goes through the week.

Last Thursday, Kawasaki was featured on KGW-TV’s 6:00 p.m. newscast in a nearly 10-minute interview for the segment “Those Who Serve: Struggle and Success.” Reporter Pat Dooris details Kawasaki’s good work with Cyber Oregon, OCAC, NW Cyber Camp, PacStar, the Technology Association of Oregon, and Oregon State University, among other organizations. Kawasaki’s family had struggles while he was growing up, which is a foundational element for his commitment to give back to the next generation. He now spends hundreds of hours volunteering – it is his passion. With his work with NW Cyber Camp, Kawasaki says, “It’s the geek Dad equivalent of coaching your daughter’s soccer team but also inventing the league and running the league all at the same time.”

If you didn’t catch the segment, you can watch it and read about it here.

KGW’s Pat Dooris interviews Charlie Kawasaki.

“I’ve worked with Charlie for many years and he is incredibly inspirational. The Cyber Oregon team and the Oregon Cybersecurity Advisory Council have known for a long time just how energetic and impactful Charlie has been for making important initiatives happen and now even more people will know just what a force of nature and great guy that he is thanks to this well-reported story on KGW-TV,” said Megan McKenzie, founder and CEO of McKenzie Worldwide and OCAC secretary. 

In the interview with Dooris, Kawasaki says he gives back because he understands through experience how much a helping hand can make a difference.

NW Cyber Camp 2019 takes place July 15 through July 19, 2019.

NW Cyber Camp 2019

NW Cyber Camp 2019 kicks off this week – July 15 through July 19, 2019 – in three locations throughout Oregon (Wilsonville, Gresham, Corvallis). It’s a week-long intensive summer camp for high school students that offers hands-on cybersecurity training. Students will learn how to defend computer systems and networks from cyberattacks, breaches, and malware.

On Thursday, July 18, local cybersecurity experts will present at the Cyber Oregon Cybersecurity Summit: The Cyber Workforce, taking place at Mentor Graphics, 8005 Boeckman Rd, Wilsonville, OR 97070, from 3:00 p.m. to 5:00 p.m.

The post Oregon Cybersecurity Leader Charlie Kawasaki Featured on KGW appeared first on Cyber Oregon.

]]>
Cyber News Roundup: Cybersecurity is the Biggest Threat to the Global Economy https://cyberoregon.com/2019/07/12/cyber-news-roundup-cybersecurity-is-the-biggest-threat-to-the-global-economy/ Fri, 12 Jul 2019 15:00:33 +0000 https://cyberoregon.com/?p=5618 “CEOs see cybersecurity as the number one threat to the global economy over the next five to 10 years,” according to the latest EY report, the 2019 CEO Imperative Study, that surveyed global CEOs among Forbes Global 2000 and Forbes Largest Private Companies. Top global concerns among CEOs are climate change, geopolitical instability and conflict,…

The post Cyber News Roundup: Cybersecurity is the Biggest Threat to the Global Economy appeared first on Cyber Oregon.

]]>
Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

“CEOs see cybersecurity as the number one threat to the global economy over the next five to 10 years,” according to the latest EY report, the 2019 CEO Imperative Study, that surveyed global CEOs among Forbes Global 2000 and Forbes Largest Private Companies. Top global concerns among CEOs are climate change, geopolitical instability and conflict, youth unemployment, lack of education, digitalization, and inequality, according to the report. Yet, despite these big issues, cybersecurity is the biggest threat to the global economy.

“Future corporate growth depends on trust, whether between corporations and customers, people and technology, or management and employees. The increasing risk of cyberattacks and the failure to find the right balance of digital and human in the workplace damages trust in all these critical dimensions,” explains Gil Forer, EY Global Markets’ digital and business disruption lead partner.

Cyber Incidents at All Levels

Whether you’re facing a business email compromise (BEC) or you’re using a photo editing app on your Android phone, cyber incidents occur at all levels with criminals constantly finding new ways to infiltrate your data. More than two million cyber incidents occurred in 2018, resulting in over $45 billion in losses, according to the Internet Society’s Online Trust Alliance’s (OTA) 2018 Cyber Incident & Breach Trends Report. The report finds that the financial impact of ransomware rose by 60%, while losses from BEC attacks doubled. Meanwhile, cryptojacking attacks more than tripled over the past year. According to a TechRepublic article, the actual financial impact of cyberattacks is likely higher than $45 billion, as many incidents go unreported. 

OTA believes that a whopping 95% of these breaches could have been avoided through simple approaches. OTA offers these 12 actions for organizations to improve their cybersecurity practices:

  1. Complete risk assessments for executive review, operational process and third-party vendors
  2. Review security best practices and validate your organization’s adoption or rationale for not adopting
  3. Audit your data and review your data stewardship practices, including data lifecycle management
  4. Complete a review of insurance needs including exclusions and pre-approval of coverage for any third-party services (such as cyber forensics, remediation provider, PR firm, etc.)
  5. Establish and regularly test an end-to-end incident response plan including empowering 24/7 first responders
  6. Establish/confirm relationships with data protection authorities, law enforcement and incident service providers
  7. Review and establish forensic capabilities, procedures and resources (internal and third-party providers)
  8. Develop communication strategies and tactics tailored by audience (e.g., messages to employees vs. messaging to media vs. notifications to customers)
  9. Review remediation programs, alternatives and service providers
  10. Implement ongoing employee training for incident response
  11. Establish employee data security awareness and ongoing education on privacy, incident avoidance (password practices, how to recognize social engineering, etc.) and incident response
  12. Understand the regulatory requirements, including relevant international requirements

Latest malware to hit Android

Have you heard of “Agent Smith” malware? If you’re one of the 25 million people with an infected device, you have. It’s a new string of Android malware that replaces portions of applications with its own code. The malware is called Agent Smith — named by the researchers at Check Point who discovered it – because of the methods it uses to attack a device and avoid detection. The way it works, according to an article in The Verge, is it hacks apps and forces them to display more ads so the malware’s operator can profit from the fraudulent views. According to Check Point, the malware has made its way to the U.S., where more than 300,000 devices have been affected. Article author Jacob Kastrenakes writes that the “malware would be hidden inside ‘barely functioning photo utility, games, or sex-related apps.”

Oregon Taking Action

Next week, two events are taking place that are a step forward in building the cybersecurity workforce. NW Cyber Camp 2019 kicks off Monday, July 15 through Friday, July 19, 2019 in three locations throughout Oregon (Wilsonville, Gresham, Corvallis). NW Cyber Camp is a week-long intensive summer camp for high school students that offers hands-on cybersecurity training. Students will learn how to defend computer systems and networks from cyberattacks, breaches, and malware.

In addition, the Cyber Oregon Cybersecurity Summit: The Cyber Workforce, takes place on Thursday, July 18, from 3:00 p.m. to 5:00 p.m., focusing on how to train the next generation workforce. Local cybersecurity experts will present, including:

Teresa Hess, Senior Director, Global Benefits & People First Office, McAfee

  • Teresa Hess, Senior Director, Global Benefits & People First Office, McAfee
  • Luke Goble, Chief Innovation Officer, sourceU
  • John Jacobs, Vice President, Systems Engineering, Fortinet

Cyber Oregon partner blog of interest

The post Cyber News Roundup: Cybersecurity is the Biggest Threat to the Global Economy appeared first on Cyber Oregon.

]]>
Training Tomorrow’s Cybersecurity Experts is Top Priority https://cyberoregon.com/2019/06/17/training-tomorrows-cybersecurity-experts-is-top-priority/ Mon, 17 Jun 2019 15:00:47 +0000 https://cyberoregon.com/?p=5566 Developing a strong workforce of skilled cybersecurity professionals is a top priority for the Oregon Cybersecurity Advisory Council (OCAC) to help protect the digital lives of all Oregonians. NW Cyber Camp, a hands-on immersive cybersecurity summer camp co-founded four years ago by OCAC Vice Chair Charlie Kawasaki, is a great program focused on training tomorrow’s…

The post Training Tomorrow’s Cybersecurity Experts is Top Priority appeared first on Cyber Oregon.

]]>
Developing a strong workforce of skilled cybersecurity professionals is a top priority for the Oregon Cybersecurity Advisory Council (OCAC) to help protect the digital lives of all Oregonians.

NW Cyber Camp, a hands-on immersive cybersecurity summer camp co-founded four years ago by OCAC Vice Chair Charlie Kawasaki, is a great program focused on training tomorrow’s cybersecurity experts. During the camp, high school students throughout Oregon will be introduced to cybersecurity and encourage to pursue one of today’s fastest growing careers given the significant increase in cyber attacks and data breaches across the country.  

Currently, Oregon has 2,911 cybersecurity job openings, according to CyberSeek.  “Given the extreme need for more cybersecurity professionals in the workforce, it’s imperative that we start training the next generation of cybersecurity experts by providing the kind of hands-on, immersive learning experiences that will get students excited about technology,” said Steve Parker, president of EnergySec, the new organizer of the camp.

NW Cyber Camp 2019, to be held July 15 through July 19, will provide valuable cybersecurity training to students and teach them how to defend computer systems and networks from cyber attacks, breaches, and malware. A new Advanced Cybersecurity Camp will be held July 22 through July 26 for students who want to continue their cybersecurity training after attending NW Cyber Camp. For more information about the camps and to apply, please visit: https://www.nwcyber.camp/

NW Cyber Camp 2019 Details

  • Co-Ed, Center for Advanced Learning, 1484 NW Civic Drive., Gresham, OR 97030
  • Co-Ed, Mentor Graphics, 8005 Boeckman Road, Wilsonville, OR 97070
  • Co-Ed, Oregon State University, Corvallis, OR 97330
  • Girls Camp, Oregon State University – Portland location, 621 SW 5th Ave, Portland, OR 97204
  • Advanced Camp, Co-Ed, Center for Advanced Learning, 1484 NW Civic Drive., Gresham, OR 97030

NW Cyber Camp and its supporters, including title sponsor PacStar, are making an impact on our youth. NW Cyber Camp, will feature leading industry professionals and cybersecurity educators who will share cybersecurity techniques to help students gain confidence, learn valuable skills, and prepare them for a future career in technology. Industry experts from Aruba, Facebook, Galois, Iovation, McAfee,  PacStar, PKI Solutions, Splunk, and other companies will be speaking at the camp. The girls-only camp session will feature women instructors and guest speakers. Register now at https://www.nwcyber.camp/register/

$21,250 in Scholarships Offered to Students for Public Key Infrastructure Training

PKI Solutions Inc., a sponsor of NW Cyber Camp again this year, will award five scholarships for an online in-depth Public Key Infrastructure (PKI) training course (each course valued at $4,250), to students selected from this year’s NW Cyber Camp. The scholarships will pay for motivated students to attend an intensive Microsoft PKI online training course, provided by Mark B. Cooper, known as “The PKI Guy,” a leading expert in this field. The course has a strong emphasis on security, best practices, and hands-on skills labs. “These awards will allow motivated students to learn more about PKI and the best ways to make computer systems more secure,” said Mark B. Cooper, president and founder of PKI Solutions. “It’s an exciting time for these student as they are on the cusp of determining their possible future careers. Cybersecurity is one of the hottest and most in-demand career paths right now.”

NW Cyber Camp 2019 is made possible by several leading companies including Title Sponsor PacStar. Platinum Plus Sponsors include Aruba, Facebook, HPE, and McAfee. Platinum Sponsors include FireEye, Galois, IBM, Iovation, ISACA, Mentor Graphics, PKI Solutions, and Umpqua Bank. Gold Sponsors are Fidelis Cybersecurity, and Splunk. In-kind sponsors include EnergySec, HP, Oregon State University, and the Technology Association of Oregon.

The post Training Tomorrow’s Cybersecurity Experts is Top Priority appeared first on Cyber Oregon.

]]>
Cyber News Roundup: Foreign VPNs and Botnets…the Latest Threats https://cyberoregon.com/2019/06/07/cyber-news-roundup-foreign-vpns-and-botnetsthe-latest-threats-2/ Fri, 07 Jun 2019 23:28:10 +0000 https://cyberoregon.com/?p=5535 Editor’s Note: This is your weekly cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including…

The post Cyber News Roundup: Foreign VPNs and Botnets…the Latest Threats appeared first on Cyber Oregon.

]]>
Editor’s Note: This is your weekly cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive weekly updates here.

This week in local cyber news, Cyber Oregon sponsor Palo Alto Networks acquired Portland-based Twistlock for $410 million, according to an article in Portland Business Journal. Malia Spencer writes that Palo Alto Networks will add Twistlock’s technology, which is focused on securing IT infrastructure tools such as containers and serverless functions, to its Prisma cloud security product. 

Be leery of foreign VPNs, urges Senator Wyden

In other news, you may have heard of virtual private networks (VPNs), which allow you to create a secure connection to another network over the internet. Yet, a new cybersecurity concern about VPNs has surfaced from the Department of Homeland Security (DHS), cautioning that foreign VPNs are a threat to data security and national security. The head of the DHS’s cybersecurity division says that VPNs, particularly ones made in authoritarian countries, are a big concern outlined in a letter responding to Senator Ron Wyden, who had expressed concern about VPN security. 

According to the Cyberscoop article, “Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes,” says Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA). “Even with the implementation of technical solutions, if a U.S. government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely. This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application.” 

Says Wyden, “DHS has confirmed my fears: that using Chinese or Russian VPN services is essentially just taking your private data, wrapping it in a bow and then sending it directly to foreign spies in Beijing or Moscow. U.S government employees should not be using these apps, and I hope that DHS will take steps to prohibit their use on government-issued smartphones.”

The Emotet botnet is behind malicious URLs

You know what a VPN is, but what about a botnet? According to Norton, a botnet is a string of connected computers coordinated together to perform a task. Botnets can maintain a chatroom or taking control of your computer. There are illegal and malicious botnets that can gain access to your computer through some piece of malicious coding. The latest botnet attack is the Emotet botnet, which drove 61% of malicious payloads in the first half of this year. In a Proofpoint report, covered in the TechRepublic article, cybercriminals are increasingly trading malicious attachments for malicious URLs as an attack vector. The report found that malicious URLs in emails outnumbered malicious attachments by five to one – because of the Emotet botnet. “It is critical that organizations implement a people-centric security approach that defends and educates its most targeted users and provides protection against socially-engineered attacks across email, social media, and the web,” says Sherrod DeGrippo, senior director of Threat Research and Detection for Proofpoint.

Proofpoint offers these tips to keep your organization secure:

1. Assume users will click

Social engineering is one of the most popular ways for cybercriminals to launch email attacks, the report noted. Train employees and seek out solutions that can identify these types of threats, which seek to exploit the human factor. 

2. Build a robust email fraud defense

Business email compromise (BEC) attacks are on the rise, and are often difficult to detect. Make sure any solutions you use have classification capabilities and blocking policies. 

3. Protect your brand reputation and customers

Make sure you are fighting attacks over all mediums, including social media, email, and mobile—particularly those that attempt to harm your brand. 

4. Train users to spot and report malicious email

Regular user training and simulated attacks can teach employees to identify attacks, and can help organizations identify who might be the most vulnerable, the report noted.

Centralizing cybersecurity, time for a federal cybersecurity agency?

Should we have a federal cybersecurity agency? An article in CSO Online outlines all the reasons why this makes sense. Sam Bocetta writes how the U.S. is vulnerable to cyberattack because the government lacks central leadership on defense mechanisms and strategies. Currently, there are cybersecurity divisions within various agencies, including the Federal Bureau of Investigation, the Department of Defense, the Department of Homeland Security, and various intelligence groups such as the CIA and the NSA. Bocetta says that as governments try to tackle the breadth of cybersecurity, the question becomes how best to manage threats and organize defenses. 

“Cybersecurity has become a center of focus across the globe for both governments, private companies, and individual citizens.” Bocetta believes that spreading out the cybersecurity responsibility is not an efficient strategy, especially because it is hard to keep groups organized and focused on emerging threats. 

Cyber Oregon partner blog of interest

The post Cyber News Roundup: Foreign VPNs and Botnets…the Latest Threats appeared first on Cyber Oregon.

]]>
Wi-Fi Passwords Hacked at Local Coffee Shop; Cybersecurity Expert Offers Tips https://cyberoregon.com/2019/05/23/wi-fi-passwords-hacked-at-local-coffee-shop-cybersecurity-expert-offers-tips/ Thu, 23 May 2019 23:32:34 +0000 https://cyberoregon.com/?p=5538 Seventy percent of hacking incidents occur when users connect to unsecured Wi-Fi networks such as restaurants, airports, and coffee shops, according to Norton’s Wi-Fi Risk Report. While a free Wi-Fi connection in a public space seems fine for users on the go, people can make themselves an easy target for hackers and put their information…

The post Wi-Fi Passwords Hacked at Local Coffee Shop; Cybersecurity Expert Offers Tips appeared first on Cyber Oregon.

]]>
Seventy percent of hacking incidents occur when users connect to unsecured Wi-Fi networks such as restaurants, airports, and coffee shops, according to Norton’s Wi-Fi Risk Report. While a free Wi-Fi connection in a public space seems fine for users on the go, people can make themselves an easy target for hackers and put their information at risk.

Free or public Wi-Fis are hotspots (pun intended) for hackers and data snoopers who want to steal your private data, passwords, or financial information. Such was the case recently in Portland, at Floyd’s Coffee Shop, a staple in Old Town Chinatown, which recently had its Wi-Fi network hacked. Fox 12 Oregon’s KPTV covered this news story and interviewed local cybersecurity expert Mark Cooper, president and founder of PKI Solutions, to offer tips for companies and users. PKI Solutions, a cybersecurity firm based in Portland and supporter of Cyber Oregon, provides public key infrastructure (PKI) consultancy and training.

Source: Fox 12 Oregon’s KPTV

Floyd’s Coffee Shop learned that the hacker changed passwords, including ones for their surveillance cameras, and gained access to users who were logged onto the shop’s Wi-Fi network at the time. Since this incident, Floyd’s has taken additional security measures to protect the business and the privacy of its customers, according to the news report.

“One of the easiest things that a coffee shop in this case could probably do is to actually have two different Wi-Fi networks,” Cooper said. “And one of those scenarios is what we would call a guest Wi-Fi, and that connection would only have access to the Internet, wouldn’t have the ability to get access to cameras or the point of sales system.”

When you rely too much on the Wi-Fi security at coffee shops, you fall into the traps that hackers have laid out for you. According to PureVPN, here are some of the many things that hackers can learn about you:

  • All the historical data from your device
  • The name of all the places you last visited
  • About your personality or traits through the social apps you use 
  • The documents you send or upload to the cloud

Cooper recommends these security tips for customers to protect themselves and their data:

  • Really think about what you’re doing online in a public setting
  • Make sure the website you’re on in a public setting is encrypted. You can tell if it has a lock symbol in the URL.
  • Start using a virtual private network (VPN). This will launch an encrypted network that prevents anyone from seeing your activity even while you’re logged in on public Wi-Fi.
  • Turn off automatic Wi-Fi connection so that your device doesn’t join any network without your permission.
  • Look into two-factor authentication to access your accounts. See Stay Safer Online with Two-Factor Authentication for more information.  

As a result of this incident, Floyd’s is taking action. It is separating its Wi-Fi networks now, and established a time limit for how long customers can use it. The shop is also looking into a service that monitors Internet activity.

To watch the Fox 12 Oregon report: https://www.kptv.com/news/wifi-passwords-hacked-at-local-coffee-shop-security-compromised/article_88e645ae-7c49-11e9-9aae-5386cbe68e0b.html

For more information about cybersecurity resources for small businesses, please visit https://cyberoregon.com/small-business/#resources

The post Wi-Fi Passwords Hacked at Local Coffee Shop; Cybersecurity Expert Offers Tips appeared first on Cyber Oregon.

]]>
Cyber News Roundup: Five Billion Cybersecurity Threats a Month, WhatsApp, Windows Hack, Intel Vulnerabilities https://cyberoregon.com/2019/05/17/five-billion-cybersecurity-threats-a-month-whatsapp-windows-hack-intel-vulnerabilities/ Fri, 17 May 2019 15:00:00 +0000 https://cyberoregon.com/?p=5440 Is it possible for hackers to remotely hack into your mobile phone and steal your personal information just by calling your phone number? Unfortunately, the answer to that alarming question is yes for the 1.5 billion users who use the WhatsApp messaging application. Wired reports that the notorious Israeli spy firm NSO Group developed a…

The post Cyber News Roundup: Five Billion Cybersecurity Threats a Month, WhatsApp, Windows Hack, Intel Vulnerabilities appeared first on Cyber Oregon.

]]>
Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

Is it possible for hackers to remotely hack into your mobile phone and steal your personal information just by calling your phone number? Unfortunately, the answer to that alarming question is yes for the 1.5 billion users who use the WhatsApp messaging application. Wired reports that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones – and steal data from them – simply by calling them. 

According to a BBC article, WhatsApp hack: Is any app or computer truly secure, messages sent using WhatsApp are end-to-encrypted, meaning they are scrambled when they leave the sender’s device. However, messages can be read before they are encrypted or after they are decrypted. Spyware dropped on the phone by an attacker could read the messages.

Wired’s Lily Hay Newman writes that these zero-day bugs, in which attackers find a vulnerability before the company can patch it, happen on every platform. It’s part and parcel of software development. “Still, a hack that requires nothing but an incoming phone call seems uniquely challenging — if not impossible — to defend against,” she writes. This latest hack is another indicator that encryption and other such security measures offer protection and makes it much harder for attackers to read messages, but “cybersecurity is often a game of cat and mouse,” according to the BBC article. It states that any app could contain a security vulnerability that leaves a phone open to attackers.

This begs the question: is any device ever safe? It’s important for users to take action and install software updates for applications and operating systems, as they often contain software patches and fixes. Here are other preventative steps:

  • Install app and operating system security updates
  • Use a different password for every app or service
  • Where possible, enable two-step authentication to stop attackers logging in to accounts
  • Be careful about what apps you download
  • Do not click links in emails or messages you are not expecting

Speaking of patches, this week Microsoft warned of a Windows bug that could lead to another WannaCry-size attack. The company has taken steps of patching Windows 2003 and XP.7, Server 2008, and 2008 R2. In Dan Goodin’s article in ArsTechnica, he writes that Microsoft warns that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the steps of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“This vulnerability is pre-authentication and requires no user interaction,” Simon Pope, director of incident response at the Microsoft Security Response Center writes. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Rounding out this week’s vulnerability news, Intel shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling. Zack Whittaker, in his TechCrunch article, writes that this secret-spilling flaw affects almost every Intel chip since 2011. These vulnerabilities, if exploited, can be used to steal sensitive information directly from the processor.

What could happen is hackers could exploit design flaws rather than injecting malicious code. Says Whittaker, “As more findings come to light, the data-stealing attacks have the potential to become easier to exploit and more streamlined.” Intel has released microcode to patch vulnerable processors. This article recaps the latest patches: https://techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/

Five billion cybersecurity threats to devices each month

In other news, Microsoft has launched a new Microsoft Threat Protection website, where it is showcasing its Automated Incident response capabilities for SecOps teams, Azure Sentinel, and its human-powered Microsoft Threat Experts service. Microsoft reports that it detected five billion cybersecurity threats on devices a month.

According to a ZDNet article by Liam Tung, Microsoft is trying to connect the dots between various signals to develop threat alerts and provide organizations with a clearer picture of attacks that are underway, such as a phishing attack that could be targeting devices, email accounts or which could come via the web. Over the course of 2018, Microsoft analyzed 300,000 phishing campaigns and eight million business email compromise attempts, according to data from Office 365 security analysts.  

Microsoft can see billions of threats and assess 6.5 trillion signals daily. Source: Microsoft

How to stay ahead of the cybersecurity game

Susan Rebner, CEO of Cyleron, makes these recommendations for organizations to make cybersecurity and risk management a priority throughout the organization. In her Forbes article, she writes that cybersecurity is not just an IT issue — it extends to the entirety of the organization:

  • Regularly communicate with your customers on your cybersecurity plans and how they will protect their data. Being fully transparent allows you to build trust.
  • Do more than just the minimum antivirus software. Use multiple layers of protection. Go above and beyond to protect your customer data.
  • Prioritize the data that needs protection and protect your organization’s crown jewels, such as customer payment details or private information. Understand where your greatest assets are located and take action to protect those assets in particular.
  • Ensure that vulnerability testing is a common practice in your organization, not just penetration testing. Don’t wait to deal with threats until they occur; anticipate threats. Test, test, test and then test again.
  • Educate your employees on cybersecurity best practices to create awareness and build a multilayer defense.

Additional cybersecurity resources available

Two new whitepapers are available to download from the Cyber Oregon website: https://cyberoregon.com/resources/#cyberpro

Center for Cybersecurity Policy and Law: To address concerns about security gaps across a growing number of connected devices, the Center for Cybersecurity Policy and Law has published a white paper designed to help hardware vendors minimize risks for end users.

The BSA Framework for Secure Software: BSA/The Software Alliance has developed The BSA Framework for Secure Software to provide a consolidated framework that brings together best practices in a detailed, holistic manner that can guide software security regardless of the development environment or the purpose of the software.

Cyber Oregon partner blog of interest

The post Cyber News Roundup: Five Billion Cybersecurity Threats a Month, WhatsApp, Windows Hack, Intel Vulnerabilities appeared first on Cyber Oregon.

]]>
Oregon Cybersecurity Advisory Council Drives Mission to Improve Digital Security for all Oregonians https://cyberoregon.com/2019/05/07/oregon-cybersecurity-advisory-council-drives-mission-to-improve-digital-security-for-all-oregonians/ Tue, 07 May 2019 20:27:39 +0000 https://cyberoregon.com/?p=5381 The Oregon Cybersecurity Advisory Council (OCAC) has been busy. If I had to put one word on the past 18 months, I would say, “relationships.” From our initial meeting in September of 2017 though today, the OCAC has met with cybersecurity companies, industry experts, higher education institutions, and high school students interested in cybersecurity. Our…

The post Oregon Cybersecurity Advisory Council Drives Mission to Improve Digital Security for all Oregonians appeared first on Cyber Oregon.

]]>
The Oregon Cybersecurity Advisory Council (OCAC) has been busy. If I had to put one word on the past 18 months, I would say, “relationships.” From our initial meeting in September of 2017 though today, the OCAC has met with cybersecurity companies, industry experts, higher education institutions, and high school students interested in cybersecurity.

Our foundational meetings in late 2017 led to the establishment of our mission and vision statements:

Our mission: To build tangible solutions to protect the digital lives of all Oregonians.

Our Vision: We believe cybersecurity is a shared responsibility and must be accessible to all.

The OCAC is not simply about cybersecurity for big business. We are for small business, nonprofits, educational institutions, and the individual Oregonian. Each one conducts business as well as their lives online. We believe every Oregonian’s information is valuable and should be protected. Every Oregonian should be informed and educated about how to protect their digital information online.

The Cybersecurity Advisory Council was established through Senate Bill 90 (SB 90) and signed into law in the summer of 2017 by Governor Kate Brown. The OCAC members were appointed by the Oregon State Chief Information Security Officer (OSCIO) and began meeting in September of 2017. The OCAC was established with five primary purposes.

  1. Serve as the statewide advisory body to the State Chief Information Officer on cybersecurity.
  2. Provide a statewide forum for discussing and resolving cybersecurity issues.
  3. Provide information and recommend best practices concerning cybersecurity and resilience measures to public and private entities.
  4. Coordinate cybersecurity information sharing and promote shared and real-time situational awareness between the public and private sectors in this state.
  5. Encourage the development of the cybersecurity work­force through measures including, but not limited to, competitions aimed at building workforce skills, dissemi­nating best practices, facilitating cybersecurity research and encouraging industry investment and partnership with post-secondary institutions of education and other career readiness programs.

Additionally, the acting OSCIO in September of 2017, requested that the OCAC develop an establishment plan for the Cybersecurity Center of Excellence (CCoE) as mandated by SB 90.

The CCoE Establishment Plan was built from a foundational Oregon Cybersecurity Needs Assessment conducted by the Portland State University Center for Public Service which voiced the needs and concerns of many Oregonians from small business owners in rural Oregon to IT professionals in highly regulated industry in Portland. The survey and small focus groups were developed to understand the needs of a variety of groups in Oregon from across a variety of areas within the state. In March, the OCAC presented the CCoE establishment plan to the Joint Legislative Committee on Information Management and Technology.

The OCAC has embraced all five of the mandates by SB90 and has begun to build on these requirements. While the OCAC spent most of the year building relationships and establishing a foundation to work from, we did accomplish many tasks and delivered a CCoE Establishment Plan on time. As you review the OCAC Annual Report, you will find three pages of names, organizations, and privately held companies who have contributed in many ways to the vision and direction of the OCAC.

So, where do we go from here? That is a big question, and a very important one as the OCAC begins to grow and build up on our foundation. First, OCAC will continue to grow in our relationship with the OSCIO and our support in being an advisory body to the State of Oregon. The council is not simply nine voting members, but a compilation of many non-voting members and many more extended workgroup members with a variety of skills as cybersecurity practitioners.

Second, we believe that workforce development is THE key to the future. The research from the Needs Assessment performed by the PSU CPS team indicates a significant workforce shortage in experts and workers in the cybersecurity field. This is not simply an issue in Oregon but a nationwide issue. Partnering with K-12 education, secondary education, and retraining programs is a critical component to developing a strong cybersecurity workforce for the future. This is accomplished through programs such as NW Cyber Camp and partnering with secondary educational institutions such as OSU and Mt. Hood Community College and their cybersecurity education programs.

Finally, we believe that continuing to develop a Cybersecurity Center of Excellence in the state of Oregon is beneficial for ALL Oregonians. Providing a central place for small business and individual Oregonians move towards is highly beneficial for all. CyberOregon.com is a great resource, but what if we also had a central location for the needs of those who did not know where to turn for hands-on help with cybersecurity issues? Our goal is never to compete with private industry, but to provide hub where private industry can work with public service to meet the needs of those most vulnerable in Oregon.

If you find yourself interested in how you can support the council, I encourage you to reach out. There are three ways you can be involved:

  1. Sponsorships: You can become a sponsor of the Oregon Cybersecurity Advisory Council (OCAC), CyberOregon, and the Cyber Oregon Summits.
  2. Join the Conversation: You can attend the Cyber Oregon Summits and other cybersecurity events in the state.  
  3. Legislative: You can contact your state representative and senators to voice your interest in seeing the CCoE plan develop and move forward with additional legislative funding and action on cybersecurity for the state of Oregon.

The post Oregon Cybersecurity Advisory Council Drives Mission to Improve Digital Security for all Oregonians appeared first on Cyber Oregon.

]]>
Cyber News Roundup: Power, Passwords, PII…What Trips Us Up in Cybersecurity https://cyberoregon.com/2019/05/03/cyber-news-roundup-power-passwords-piiwhat-trips-us-up-in-cybersecurity/ Fri, 03 May 2019 15:00:30 +0000 https://cyberoregon.com/?p=5357 One of the biggest concerns for the energy sector is a grand scale cyberattack shutting down our power grids and our cities. Power networks, considered critical infrastructure by the U.S. Government, have long been a target for hackers, but successful attacks are rare, according to Zack Whittaker in his TechCrunch article. The Department of Energy…

The post Cyber News Roundup: Power, Passwords, PII…What Trips Us Up in Cybersecurity appeared first on Cyber Oregon.

]]>
Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

One of the biggest concerns for the energy sector is a grand scale cyberattack shutting down our power grids and our cities. Power networks, considered critical infrastructure by the U.S. Government, have long been a target for hackers, but successful attacks are rare, according to Zack Whittaker in his TechCrunch article. The Department of Energy confirmed that a cyber event took place in March, involving an energy company that provides service to Los Angeles, California, Salt Lake County in Utah, and Converse County in Wyoming. A denial-of-service (DDoS) attack was launched, which involves overwhelming computer systems with information in a bid to take them down.

While this incident did not impact power generation or outages, it brings to light the fact that the energy sector continues to be a big target for attacks. According to a CNBC article, “The fact that such an easily preventable attack succeeded against a system serving such a large electrical distribution area is cause for concern, especially because energy is one of the U.S. government’s most important ‘critical infrastructure’ sectors, making these utilities subject to the strongest protections.”

Are we doing enough to secure PII?

Another security fundamental in question is if companies are doing enough to secure personally identifiable information (PII). According to an interview with Frank Abagnale, the renowned security expert behind Catch Me If You Can, “There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose. User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.” In its blog, IBM recommends the following password best practices for enterprises:

  • Ensure all passwords contain at least 12 characters.
  • Randomly generate all passwords (a password manager can be a big help here).
  • Require all passwords to be secret and unique between sites and applications.
  • Update passwords on a regular basis.
  • Consider an external password audit to uncover and strengthen weak passwords.

Passwords: Yea or Nay?

May 2, 2019 marked World Password day. According to his Forbes article, author Tony Bradley writes, “The prevailing logic when it comes to password security is that everyone needs to have passwords that are complex—long jumbles of random characters that don’t even attempt to emulate an actual word—and that every password for every account must be unique. That is a very high bar to ask people to meet.” Shahrokh Shahidzadeh, CEO at Acceptto, points out that there’s a good chance your passwords are already compromised and users should operate under that assumption. “Acknowledging that all credentials have already been compromised, even those that have not yet been created, combined with the weakness of existing user identity and access controls in place, will drive a transformative shift in cybersecurity,” says Shahidzadeh. Regarding alternatives to passwords, Mark B. Cooper, president and founder of PKI Solutions states, “We are set to see an explosion of two-factor authentication technologies. Devices from Tesla (Drive PIN) to banking systems are incorporating two-factor solutions that are streamlined for their users and customers.”

In an interview with Microsoft’s top cybersecurity executive, Brett Arsenault, CNBC’s Kate Fazzini writes that email-based and password-based hacking underlie everything from the simplest frauds to the most complex, multi-faceted hacking campaigns. “We all sort of declared years ago that identity would be our new perimeter. People are very focused on taking advantage of identity, it’s become a classic: hackers don’t break in, they log in. I see that as a huge, huge thing for us to work on,” states Arsenault.

Microsoft is one of the few companies looking to eliminate passwords entirely. Instead of passwords, Microsoft employees use a variety of other options, including Windows Hello and the Authenticator app, which provide other alternatives for logging in, like facial recognition and fingerprints.

Human error is still a top cybersecurity concern

Less headline grabbing, but equally troublesome for potential cyberattacks and data breaches are humans, and human error. Writes Alison DeNisco Rayonne in her TechRepublic article, human error remains the top cybersecurity concern for both C-suite executives and policymakers according to the newest report from Oracle. The report states that professionals must invest more in employees — via training and hiring — than in security-advancing technologies, such as new software, infrastructure, artificial intelligence (AI), and machine learning (ML), even though these technologies have the ability to significantly minimize or eliminate human error entirely.

Cyber Oregon partner blog of interest

The post Cyber News Roundup: Power, Passwords, PII…What Trips Us Up in Cybersecurity appeared first on Cyber Oregon.

]]>