Category Archive: Uncategorized

How to dictate text and speak commands in Windows 10

Need an alternative way to work in Windows 10 beyond your keyboard and mouse? Try your voice.

Using your voice to control Windows can be a helpful option if you physically can’t or don’t want to use your mouse and keyboard. You can dictate text to create emails, documents, and more.

Windows has long provided its own Speech Recognition tool to set up and use voice dictation. Windows 10 adds to the mix with its own speech settings. The trick is to get Windows to understand you clearly enough so the process is worth the effort. Learn the best way to set up and use voice recognition in Windows.

In any supported version of Windows, including Windows 10, you can set up voice dictation in Windows through Control Panel. To do this, open Control Panel in icon view and click the icon for Speech Recognition. At the Speech Recognition screen, click the link to Start Speech Recognition (Figure A).


Figure A


Choose the type of microphone you’re using, and then dictate the displayed words to teach Windows your voice. After you’re finished, the Speech Recognition bar pops up at the top of the screen. You can immediately begin dictating text.

Open a document, email, or other file in which you want to dictate. Click the microphone icon on the Speech Recognition bar to start listening mode. Dictate your text. You can dictate punctuation, symbols, and other parts of speech as well as specific actions such as “new line” and “new paragraph.” To find out what you can say, right-click the Speech Recognition bar and select Open Speech Reference Card. When you’re finished, click the microphone icon again to turn off listening mode (Figure B).

Figure B


If Windows is having trouble understanding your words, right-click the Speech Recognition bar, move to Configuration, and select Improve Voice Recognition. Windows takes you through a lengthy series of screens where you dictate certain sentences to help it better pick up your speech (Figure C).

Figure C


You can also view and modify certain settings for speech recognition. From the Speech Recognition Control Panel window, click the link for Advanced Speech Options. From here, you can opt to create a new voice profile, take the training for your current profile, opt to run Speech Recognition each time Windows starts, give Windows permission to review your documents and emails to better understand the words you use, and configure your microphone (Figure D).

Figure D


The Control Panel applet is an effective way to set up speech recognition, but it is time consuming. In Windows 10, you can also get started by accessing the relevant options in the Settings app. Open Settings. Go to Ease Of Access and click the setting for Speech. Scroll down the page and enable the switch to Turn On Speech Recognition. That action displays the Speech Recognition bar (Figure E).

Figure E


As an alternative to activating the Speech Recognition bar, you can use the speech recognition built into Windows 10. At the Speech setting in Ease Of Access, click the link to Get More Info About Dictation—a Microsoft support page explains how to use dictation and what commands you can say in Windows 10. In Settings, go to Privacy and select Speech, Inking & Typing. If this option is turned off, the button will say Turn On Speech Services And Typing Suggestions—click that button to turn on this service (Figure F).

Figure F


To use the Windows 10 speech recognition, open a document, email, or other file into which you want to dictate. Hold down the Windows key and press H to trigger the dictation toolbar. You can now dictate your text. When you’re done, press Win key + H to turn off the dictation toolbar (Figure G).

Figure G




via:  techrepublic


How to Cultivate Security Champions at the Workplace

Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?

The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help.

The Human Factor

Everyone at a company affects, for good and bad, the security of the company for which they work. Clicking on phishing emails. Posting a file to a public Dropbox so you can work from home. Coding in that backdoor to make debugging an application easier. Putting convenience above security. These are just a few examples of how anyone can adversely affect the overall security of a company.

The worst part is that many times the person is not trying to be malicious. Their intentions can be good, but their lack of focus could breed horrible consequences.

On Security Champions and Why We Need Them

What if, as the security team, you could have people throughout your organization that positively affect the overall security? We’ll call them security champions. (Full disclosure: I stole the security champions term from somewhere but do not remember where.)

Security champions (my definition) are non-security professionals that promote and practice good security. These people help educate others to identify phishing emails. They do not belittle others for asking what might be considered simple security questions. They bake security into their development process and try to get others to do so. They think about security versus convenience. All without the security team having to tell them to do so.

Think of the time this could save you, a member of the security team. Heck, just a few less clicks on phishing emails would be worth it. Wouldn’t it be great to have your business partners, even just a couple, bring up security-related issues without prompting? How about having developers push for good secure coding practices without you having to beg them?

Yes, you will probably end up with a few security champions that actually create more work for you. But in the end, the more people you have thinking about, practicing and implementing good security, the more time you will save the security team. Not to mention the people who might be willing, and maybe even eager, to help when you have questions or are looking into a possible event.

Security champions are not meant to replace security engineers, or whatever title you use, but to augment them.

Best Practices for Cultivating Security Champions

How, you ask? Well, that depends on your organization.

Start small with the people you work with every day. Find out which of them have a security mindset and cultivate that. Send them articles that they might find interesting and see if they take the bait and run with it. If they do, make sure they and their management know the value they are providing. Leverage your existing security awareness and education program. Present security topics. Presenting what a firewall does might motivate some, but I am guessing those are rare.

How about demonstrating how the last penetration tester you had (You are having regular penetration tests, correct?) got your crown jewels? How about something as simple as getting a Meterpreter shell on a box and showing what can be done, like taking control of the camera and installing key loggers. Keep it simple and light but accurate. Keep in mind, not everyone has your level of knowledge.

Some things you consider simple are things that can make a big impact on people. Think even smaller, visiting with people one-on-one as time and events present themselves. One last note: there is no better time than an incident debrief to educate users one-on-one or in a group.

The point is to get people’s attention. Show them why security is important. Show how easy it really can be for malicious actors to wreak havoc in your environment. Show how they can have a direct impact in helping to prevent that. A few people will take it to heart and develop a security mindset.

Many people in information security are problem solvers. Approach it that way. Demonstrate to them how a malicious actor could easily attack your AD / Kerberos infrastructure. (Kerberoasting, anyone?) See how many ask what can be done to mitigate it. Instead of answering, ask them what they would do, what they can think of. Make it a problem for them to solve. Just keep your audience in mind. What will entice one audience, say demonstrating the intricacies of Kerberoasting to your server administrators, will be lost on business partners.

This will take work. It is not a one-and-done effort. You will have to be an evangelist. Like most things, it requires ongoing care and feeding. Overdoing it can backfire. People will tune out. Put thought not only into your message but also into the audience. In the end, the time savings, not to mention the intangibles, are well worth it.


via:   tripwire


The Role of Incident Response in ICS Security Compliance

The data-driven nature of IR can satisfy many of the reporting requirements governing industrial control system safety, finance, consumer privacy, and notifications.

Regulatory compliance in industrial environments poses unique challenges not found in traditional IT settings. A leading source of this complexity stems from the pre-Internet, largely proprietary nature of industrial control system (ICS) networks, specifically their lack of open computing standards, which are taken for granted in IT networks. These closed ICS networks are extremely hard to update, and even harder to maintain in compliance with state, federal, and industry regulations.

In addition, most ICS networks lack built-in security components, notably automated asset management, proactive security monitoring, and real-time threat analysis and prevention. Plus, most of the applicable regulations and guidelines apply specifically to verticals such as healthcare and energy, and cover ICS only either indirectly or at a very high level. Consequently, the responsibility for security and incident response (IR) falls primarily on those who implement and utilize ICS, namely operational technology personnel, not the security team.

5 Core Elements of ICS Compliance
Although specific regulations and standards vary, there are five key elements to consider when developing an ICS compliance program:

Asset management: Identifying and classifying ICS assets and the data they contain.

Identity and access management: Using role-based access control (RBAC) and authentication, authorization, and accounting (AAA) to manage ICS assets.

Risk assessments, vulnerability management, and change management: All of these functions involve identifying risks and vulnerabilities, and patching ICS assets, which can be challenging because different vendors provide varying levels of support and maintenance.

Security controls: Isolating the ICS network from the rest of the organization’s networks. The key tool is encryption — of data at rest and in transit — to ensure the integrity of applications as well as data. Other important tools are monitoring and logging network activity.

Physical security: Mostly, this means restricting physical access to the ICS devices. Because internal security capabilities of most ICS devices are often very limited, organizations must ensure that proper external controls are in place to fill gaps.

ICS Compliance Frameworks
US ICS-CERT has some of the most detailed recommendations for security and compliance specific to ICS, specifically, Recommended Practice: Creating Cyber Forensics Plans for Control Systems (2008) and Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (2009).

Another good source of information for all organizations is the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems. It provides recommendations and best practices.

Most verticals have specific guidelines for what organizations should do in incident response. Generally, organizations should familiarize themselves with all existing frameworks, laws, and regulatory and compliance standards so they can use them to create effective plans, policies, and procedures.

Incident Response & ICS Compliance
Because meeting ICS regulatory compliance requirements involves documenting processes and procedures, the data-driven nature of IR provides many of the reporting elements to comply with the strictest regulations regarding finance, safety, consumer privacy, customer notifications, and so on.

For example, the foundation of ICS compliance is built on auditing of assets. Without proper auditing, an organization is forced to assume the worst when a breach or attack occurs — that everything has been infected.

Detection, also a central element of IR, is tightly aligned with compliance. Being able to detect and respond to a breach when it occurs, instead of weeks or months later, enables organizations to limit or avoid regulatory sanctions, as well as public relations nightmares.

IR investigation and threat hunting, meanwhile, provide the audit trail for satisfying compliance mandates. If an organization suffers a breach it must be able to quickly determine when it happened, what damage was caused, and whether it has been remediated or not.

Finally, IR’s ability to document workflows and findings can play a central role in complying with disclosure requirements and help meet the short deadlines for notifying all internal and external stakeholders.


via:  darkreading


In a Few Days, Credit Freezes Will Be Fee-Free

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.

KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.

The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.

Via numerous front-end Web sites, each of these mini credit bureaus serves thousands or tens of thousands of people who work in the above-mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.

In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).


The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.

KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].

Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.

“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.

With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.

“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”

I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.

Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.

It costs $35 worth of bitcoin through this cybercrime service to pull someone’s credit file from the three major credit bureaus. There are many services just like this one, which almost certainly abuse hacked accounts from various industries that have “legitimate” access to consumer credit reports.


According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.

The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.

Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess. As such, I would highly recommend that readers who have children or dependents take full advantage of this offering once it’s available for free nationwide.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.

A key unanswered question about these changes is whether the new dedicated credit bureau freeze sites will work any more reliably than the current freeze sites operated by the big three bureaus. The Web and social media are littered with consumer complaints — particularly over the past year — about the various freeze sites freezing up and returning endless error messages, or simply discouraging consumers from filing a freeze thanks to insecure Web site components.

It will be interesting to see whether these new freeze sites will try to steer consumers away from freezes and toward other in-house offerings, such as paid credit reports, credit monitoring, or “credit lock” services. All three big bureaus tout their credit lock services as an easier and faster alternative to freezes.

According to a recent post by, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).

TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.

Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

If you’d like to go ahead with freezing your credit files now, this Q&A post from the Equifax breach explains the basics, and includes some other useful tips for staying ahead of identity thieves. Otherwise, check back here later this month for more details on the new free freeze sites.


People should also remember that there are services to help them keep up with their credit report.

Credit Karma and Quizzle are a couple.


via:  krebsonsecurity


How to retrofit the cloud for security: 2 essential steps

You should build security into every enterprise-to-cloud migration. But if you didn’t do that, here’s how to reduce the risk after the fact.


At the majority of enterprises that migrate applications to the cloud, security is an afterthought. This doesn’t mean it’s not important, but that they look to address security requirements after the workloads and data have already settled in the cloud.

I do not recommend this approach. But the reality is that some enterprises take this approach by default and don’t realize their miscalculation until after the fact. If this happened with your cloud migration, here are two steps to at least reduce your risk.

First, encrypt your data

Although it goes without saying that encryption is the foundation of cloud security, you must figure out a way to integrate encryption in workloads and data. Most cloud encryption surrounds data, both in flight and at rest.

The easiest way to encrypt data is in the database. This provides an abstraction from the physical data and the application. So, it’s often possible to turn on encryption without having to update the applications.

Second, use identities

Identity and access management (IAM) can be retrofitted after a cloud migration without a lot of effort. While it depends on the IAM system you use, the native IAM systems found in clouds such as Amazon Web Services and Microsoft Azure are typically both the better and the quicker choice. At the end of the day, of course, it’s your particular requirements that will determine your choice of IAM.

Keep in mind that IAM systems depend on directory services to maintain identity and to provide the proper authorization to those identities. You must deploy one of those systems if you don’t already have one. Also, keep in mind that IAM is only of value if all applications and data are included in the system, both in the cloud and on-premises.

I’m not a fan of shortcuts when it comes to cloud computing security. However, reality sometimes makes these shortcuts a necessary evil. The result is not as good as if security were integrated from the start. However, if security was not implemented, most data and applications are at risk of compromise. So securing them after the fact is better than not securing them at all.

This after-the-fact approach is similar to forgetting to install proper locks when a house is built and then boarding up the doors afterward. The doors are now ugly and inconvenient, but at least no one can just walk in.



via:  infoworld


Will Google’s Titan security keys revolutionize account security?

Google wants its Titan security keys to be the new standard in two-factor authentication. Find out how to get and use Titan security keys.

Google’s Titan security keys are now available in the Google Store for businesses and individuals. If Google gets its way, the Titan keys will be the new standard in two-factor account protection.

The tiny Titan keys, which come in USB and Bluetooth form factors, were designed by Google to give users “a complete solution option from Google itself,” said Google’s Sam Srinivas.

Authentication keys are nothing new, nor is the FIDO authentication framework that Google has built Titan around. What is new is a company as big as Google marketing and selling its own hardware key. With as large a market as Google has, the Titan could be the hardware key that finally replaces vulnerable two-factor authentication (2FA) methods.

Second factors: Still vulnerable

Phishing attacks are growing in sophistication, and that growth comes with new methods for subverting two-factor authentication methods. One-time passwords are increasingly phished, websites that masquerade as legitimate login portals can steal 2FA keys, and some methods simply avoid triggering second login factors altogether.

With 41.6% of all account breaches attributable to phishing, password theft, and pretexting, Google thought it was evident that typical second authentication factors weren’t doing their jobs.

Hardware security keys, on the other hand, require a user to physically have a device linked to their account that is present at the time of login; this eliminates the need to transmit data at all, significantly improving security. In fact, Google Cloud product manager Christiaan Brand said that Google hasn’t had any “reported or confirmed account takeovers due to password phishing since we began requiring security keys.”

How Titan security keys work, and why the keys are a good solution for businesses

Titan security keys use the FIDO Universal Second Factor (U2F) protocol, which relies on public key cryptography. Adding a Titan device to an account registers a public key with that account; during login the Titan device signs a challenge with the matching private key, and the service verifies that signature against the stored public key.

Titan keys also protect against phishing attacks from fake login portals—even with a compromised password a Titan-enabled account is still protected. When a user logs in to a fake portal, Google said, the key will know that it isn’t a legitimate website and will stop the login process immediately.
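To make the two preceding paragraphs concrete, here is an added example (not Google’s or Titan’s own code, and not from the original article) of the U2F-style exchange in Go, using only the standard library. It models a security key that signs, over a per-login challenge, a message that includes the hash of the origin the browser reports, and a relying party that verifies that signature against the public key stored at registration and against its own appID. The origins `accounts.example.com` and `accounts.examp1e.com` are constructed for the demonstration, the message layout is simplified from the real U2F specification (no key handle or attestation certificate), and the counter check that rejects replays and cloned keys is shown alongside the phishing case:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// signedData is the U2F-style message the key signs: SHA-256 of the origin the
// browser reported, a user-presence byte, a big-endian counter, SHA-256(challenge).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	appParam, chalParam := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	msg := append([]byte{}, appParam[:]...)
	msg = append(msg, 0x01) // user presence confirmed (the key was touched)
	msg = binary.BigEndian.AppendUint32(msg, counter)
	return append(msg, chalParam[:]...)
}

// Authenticator models the key: a private key that never leaves the device
// and a signature counter that only ever increases.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Sign answers a challenge. The origin is supplied by the browser, not by the
// page, so a look-alike site can only obtain a signature over its own origin.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, uint32, error) {
	a.counter++
	digest := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return sig, a.counter, err
}

// RelyingParty models the web site: its appID, the public key stored at
// registration, and the highest counter accepted so far.
type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify rebuilds the signed message from the site's OWN appID, never from a
// client-supplied origin, and rejects responses whose counter did not grow.
func (rp *RelyingParty) Verify(challenge, sig []byte, counter uint32) error {
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase: replayed response or cloned key")
	}
	digest := sha256.Sum256(signedData(rp.appID, counter, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("bad signature: unknown key or origin mismatch")
	}
	rp.lastCounter = counter
	return nil
}

func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return c
}

// RunScenario plays three logins and reports whether each was accepted: a
// genuine login, one relayed through a look-alike origin, and a replay.
func RunScenario() (genuineOK, phishedOK, replayOK bool) {
	const realSite = "https://accounts.example.com" // assumed relying-party origin
	const fakeSite = "https://accounts.examp1e.com" // constructed look-alike origin
	token, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{appID: realSite, pub: &token.priv.PublicKey}

	ch1 := newChallenge()
	sig1, ctr1, _ := token.Sign(realSite, ch1)
	genuineOK = rp.Verify(ch1, sig1, ctr1) == nil

	// The fake site relays a fresh challenge, but the browser hands the key the
	// fake origin, so the application parameter no longer matches the real site.
	ch2 := newChallenge()
	sig2, ctr2, _ := token.Sign(fakeSite, ch2)
	phishedOK = rp.Verify(ch2, sig2, ctr2) == nil

	replayOK = rp.Verify(ch1, sig1, ctr1) == nil // stale counter: rejected
	return
}

func main() {
	g, p, r := RunScenario()
	fmt.Println("genuine accepted:", g, "phished accepted:", p, "replay accepted:", r)
}
```

The design point worth noticing is in `Verify`: the relying party never trusts an origin the client sends; it hashes its own appID into the message it checks, so a signature produced for a look-alike domain can never validate, no matter how convincing the page was. The private key never leaves the `Authenticator`, and the strictly increasing counter gives the server a cheap signal that a response is being replayed or that a second copy of the key exists.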

Don’t assume that Titan keys are only usable with Google accounts—the FIDO protocol is a popular one that works with a multitude of websites and applications. Any website that supports U2F will work with a Titan key.

Titan hardware is also built to be secure—Google designed the devices around a secure element hardware chip that contains all the necessary firmware for it to function, and all of that information is sealed in during the manufacturing process, as opposed to being installed afterward. Thus, Google said, “the trust in the security key hardware is anchored in the sealed chip as opposed to any other later step which takes place during manufacturing.”

Additionally, Titan keys contain no personally identifying information and, Brand said, “don’t know who their owner is.” If a key is found, it’s useless to the person who picked it up, unless they know the owner’s account names and passwords.

How to get and use a Titan security key

The retail kits available to the public, which are now on sale in the Google Store, are priced at $50 and contain two keys: A USB key for plugging in to a computer, and a low-energy Bluetooth key designed to be used with mobile devices or Bluetooth-capable computers. When testing the Titan key, I found both incredibly easy to use—all you need to do to add them (and be sure you register both) is to browse to and follow the instructions. You’ll log in to your Google account’s 2FA page, select the option to add a security key, and follow the onscreen prompts.

Android users can log in to an existing or new device by opening the Settings app, logging in on the Account page, and then following the options to use the Bluetooth-enabled key to sign in wirelessly.

iOS users will need to download the Google Smart Lock app to enable the Titan Bluetooth key on their devices. After the app is installed, follow the prompts to log in using your Titan key.

Once you’ve verified your identity on a particular device, you won’t have to log in with your Titan key again—it’s only necessary on new devices or browsers.

Enterprises interested in deploying Titan keys in their organization can contact their Google Cloud representative for pricing and ordering information, or purchase the keys through Google partner Insight.


Will Google’s Titan security keys revolutionize 2FA?

Whether Titan security keys will truly change the 2FA game remains to be seen. Google said that 2FA users consider most methods inconvenient, but the addition of a piece of hardware may not be perceived as simpler than waiting for a text or tapping a button on a smartphone.

Most of us already have an iOS or Android device in our pockets, and adding another fob to our keychains might not be the solution. With account security as poor as it currently is, something needs to give, and Titan keys may be the start.

The big takeaways for tech leaders:

  • Google’s Titan security keys are now available for businesses and consumers. Titan keys use the FIDO U2F protocol, so they can secure Google accounts and any other service that supports U2F.
  • Titan keys don’t contain any personal information, so a lost or found key is not a security risk on its own and businesses shouldn’t worry about that scenario.


via:  techrepublic


T-Mobile suffers data breach affecting 2.2 million customers

The third most popular mobile network in the US, T-Mobile, has suffered a data breach that affected more than two million of its customers.

According to the company’s website, on 20 August 2018, T-Mobile’s in-house security team noticed unusual activity that was immediately “shut down.”

Data potentially compromised before the shutdown included subscribers’ names, billing zip codes, phone numbers, email addresses, account numbers and account types (e.g. pre-paid or billed).

Apparently, no social security numbers (SSNs), financial data or account passwords were accessed during the attack.

The alert doesn’t mention the number of subscribers involved, but Motherboard reports it as just shy of 3% of the customer base, or around 2.26 million accounts.

Users caught up in the breach would be contacted with further instructions, T-Mobile said, though the company didn’t say how or when that would happen. (Motherboard quoted a spokesperson as saying that affected customers would be told by text message.)

If there’s good news in this incident, it’s that the breach seems to have been noticed quickly by T-Mobile’s in-house security team, and the company told its customers within a matter of days.

In plenty of other breach incidents, companies have realized what happened only after they were contacted by a third-party researcher, by the attackers themselves, or, in the worst-case scenario, by customers reporting fraud attempts.

This is often weeks or months – sometimes even years – after the event, by which time a lot of damage has been done.

According to the Privacy Rights Clearinghouse, so far in 2018 (to early August) 513 disclosed data breaches covering 819 million records have been recorded. For comparison, the whole of 2017 saw 831 breaches covering just over two billion records.


via:  sophos


How to set up a rule in Microsoft Exchange to send an alert of a phishing attack

Empowering your employees to easily notify IT security personnel of a phishing attack requires an Exchange rule. This tutorial explains how to set one up.

In general, IT cybersecurity experts agree that when it comes to enterprise phishing emails, the most effective defense, and the only one that reliably stops such attacks, is a well-trained and educated workforce. While technologies like artificial intelligence and machine learning may stop many phishing emails from reaching user inboxes, those solutions cannot undo the careless click on a malicious link by one of your employees when the technology fails.

As we have mentioned before, a 2018 report shows that about 50% of an enterprise’s computer-using employees will click on a link sent via email from an unknown user without first thinking about the potential consequences. To overcome this lack of urgency so prevalent amongst users, IT professionals should task the entire workforce with the responsibility of immediately reporting phishing emails when they are uncovered.

The Office 365 add-in, Report Message, allows Outlook users to report a phishing or other suspicious email with the click of a single icon on the standard Office Ribbon interface. However, by adding a new rule to Microsoft Exchange, admins can also receive a copy of the report—with no additional effort on the employee’s part.

This how-to article explains how to set up a rule in Exchange that will piggyback on Report Message to notify the proper IT security team in your organization that a phishing email has been reported.

Set up the Rule

Creating or modifying rules using the following technique requires signing in with an Exchange Online administrator account. This tutorial also assumes you have installed and enabled the Report Message add-in for Outlook. (Check out the previous article for details.)

Open the online portal to Office 365 and log on with administrator credentials. Navigate to the Admin Center and then open the Exchange Admin Center submenu. Click the Mail Flow link in the left navigation bar. You should see something similar to Figure A. (Note that the example has no rules yet.)


Figure A

Click on the Plus button to create a new rule. Name your new rule (Phishing Submission) and then open the Apply this rule if dropdown box. Choose the entry: The recipient address includes. Add these two email addresses to the list as shown in Figure B.



Figure B


In the Do the following box, choose the Bcc the message to entry and add the appropriate security administrator or team as designated by your intrusion detection policy. Set Audit this rule with severity level to Medium, as shown in Figure C, and click Save.


Figure C

Once this rule is established, whenever an employee reports an email using the Report Message add-in, the appropriate security personnel will receive a copy of the message automatically. This will allow your security teams to act swiftly and decisively to mitigate and counteract phishing attacks in accordance with your enterprise’s policies.
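The same rule can be created from Exchange Online PowerShell instead of the Exchange Admin Center, which is handy when you manage several tenants or want the configuration in a script. The block below is an added example and not part of the original article: the two report-destination addresses (the ones shown in Figure B) and the security team mailbox are placeholders to replace with your own, and the admin account name is assumed.

```powershell
# Added example (not from the article): the "Phishing Submission" mail flow rule
# created with Exchange Online PowerShell rather than the Exchange Admin Center.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder admin account

# Placeholders: the two addresses the Report Message add-in sends submissions to
# (see Figure B) and the mailbox your intrusion detection policy designates.
$reportAddresses = @('report-address-1@example.com', 'report-address-2@example.com')
$securityTeam    = 'secops@example.com'

# Condition: recipient address includes either report address.
# Action:    Bcc the message to the security team.
# Audit:     log the rule hit with Medium severity, as in the GUI walkthrough.
New-TransportRule -Name 'Phishing Submission' `
    -RecipientAddressContainsWords $reportAddresses `
    -BlindCopyTo $securityTeam `
    -SetAuditSeverity Medium `
    -Comments 'Bcc the security team on every message submitted via the Report Message add-in'

# Check: confirm the rule exists, is enabled and carries the expected condition and action.
Get-TransportRule -Identity 'Phishing Submission' |
    Format-List Name, State, Priority, RecipientAddressContainsWords, BlindCopyTo, SetAuditSeverity
```

Two practical points: the Bcc copy carries the reported email itself, so treat the security mailbox as a place where suspicious content lands and keep automatic link previews and attachment handling locked down there; and because the match is on the recipient address, run a test submission through the add-in after creating the rule and confirm the copy arrives before relying on it.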


via:   techrepublic


Do Something, Know Something, Learn Something – A 3-Step Guide to Keeping Your InfoSec Career Exciting

If you are like most infosec professionals, each day brings new and interesting challenges.

However, like most jobs, there are valleys that we fall into along the course of our professional development. How long can you stare at your SIEM tool before you start to experience some mild tunnel vision, or worse, severe burnout? Neither of these is a productive path for you or your employer.

When I find myself heading down that path of waning motivation, I exercise a 3-step plan to get back on track. I call it the Do Something, Know Something, Learn Something plan.

Here is how it works:

Set three recurring calendar events, each lasting an hour with a 30-minute break in between each task. For the first task, assign some of your daily activities that need your attention.

This may be writing up a report, updating your monitoring logs, or performing triage on the security events under your responsibility. This is the “Do Something” phase. It is the most important one, as it is probably the bulk of what your job requires. This task will not only recur daily but should be set to recur multiple times throughout the day.

The next task that should be on your calendar is the “Know Something” task. This is the task where knowledge is the goal.

If you maintain any certifications, this is where a continuing professional education (CPE) credit-eligible webcast can fill the task requirement. This task time-slot can also be used to familiarize yourself with a new regulation or perhaps to just catch up on some of the infosec news of the day.

The purpose here is to increase your knowledge about infosec topics that may come up during a lunch conversation, or perhaps an impromptu conversation with a senior executive in your office. This type of knowledge adds credibility to your role, which is a valuable asset both personally and professionally.

The third task is the “Learn Something” task. This is different from simply knowing, as it is where you use the time to actively research a new skill or learn a new tool.

If your employer is receptive and flexible, the learning can be tangentially related to infosec. For example, knowing the pin-out patterns of various cables may not be directly related to your particular job, yet it is valuable information that can improve your infosec skills in immeasurable ways.

I find that running this three-step pattern over the course of a month does wonders for breathing new life into my job routine. It also brings more value to your employer. Above all, be sure not to let your daily responsibilities slip. This is why the “Do Something” task needs to recur throughout the day.

I understand that you may not have a job that allows the daily attention to each task that I have described here; however, I am certain that there is a way to spread this plan out so that you can implement it to keep you from becoming numbed by the same tasks every day.

After all, we are working in one of the most exciting fields that doesn’t require any physical danger. I hope my three-step approach helps you to keep excitement alive while improving your skills and your value.


via:  tripwire


Guide to Securing Your Mobile App against Cyber Attacks

Thanks to the advent of technology, the number of mobile phone users is increasing day by day. You’ll be shocked to hear that by 2019, this number will cross the 5 billion mark! While mobile phones may have made our life easier, they have also opened up opportunities for many cybercriminals, who are adapting and using new methods to profit from this rapidly growing number of potential victims.

What’s more, apps account for nearly 90% of usage on mobile phones and tablets, making them the number one target for cyber attacks. People are using apps to access everything from online banking to shopping and even controlling home devices.

User data is like a goldmine for cybercriminals, as they can access anything from credit card details to email passwords and user contact lists. Users have also been scammed into downloading malicious adware, and at times, they unknowingly subscribe to fraud paid services.

This is why a lapse in any mobile app’s security is a daunting scenario for app owners and developers. According to a study, more than 60% of companies reported that an insecure mobile app caused a data breach, and 44% out of them did not take any immediate action to secure their app against further potential cyber attacks.

So, if you are an app owner or developer, start working towards certain frameworks and tools that provide ease and security to your users. Think about the ways you can avoid the mentioned security challenges and protect your app from cybercriminals.

To make your tasks easier, I have listed some of the mobile app security best practices that will benefit you as an owner and also provide your users with a safe and secure online experience.

1. Security by design

The first step towards securing any mobile app is to design a threat model from the very beginning. Think like an attacker and identify every shortfall in your app’s design. Only then will it be possible to implement effective security strategies. You can also hire a professional security team to play the bad guys. It is a great way to test the security of your app, as they probe it for different vulnerabilities.

Furthermore, if you are a growing eCommerce business and want to develop an online shopping app that processes sensitive information such as financial transactions and credit card credentials, consider the consequences of a security breach. Ask yourself: in what ways can user privacy be compromised, and how can you prevent that from happening?

Keeping safety as a number one concern from the very beginning will give you ample motivation regarding security measures for your app.

2. Mobile device management

Online security starts with the device that the consumer is using to access your app. Each mobile operating system requires a different approach for its security, whether it is an iOS or an Android system. Developers must understand that the data stored on any device can drive potential security threats.

This is why you should consider encryption methods like 256-bit Advanced Encryption Standard to keep data safe in the form of files, databases, and other data sources. Also, when you are formulating the mobile app security strategy, keep the encryption key management in mind.

In the case of Apple, it has strict policy enforcement practices. Being an app owner, you can restrict any user from installing your app if you feel that the security of the user device seems compromised.

One of the most effective ways to manage iOS devices is to use a mobile device management (MDM) or enterprise mobility management (EMM) product. There are many vendors, such as MobileIron, MaaS360, and Good Technology, that offer services in this area. Apart from this, you can use the Microsoft Exchange ActiveSync protocol as a policy management tool if you are looking for a cheaper and easier-to-use option.

Android phones, on the other hand, are a bit trickier to manage. Since they are relatively cheap compared to iOS devices, they often become the source of a security breach. You should only be using Android for Work (A4W) in the enterprise. This version of Android encrypts the device and separates personal and professional apps into two categories.

With the combination of the right devices, updated mobile operating systems and MDM, you can provide first level security for your mobile app.
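The cheaper option the section mentions, Exchange ActiveSync as a policy tool, looks like this in practice. The block below is an added example and not from the article: it uses Exchange Online PowerShell to push a baseline device policy (device encryption, a real passcode, auto-lock, wipe after repeated bad PINs) to every phone that syncs mail, quarantines unknown devices until someone reviews them, and then checks the result. The policy name, the admin account and the security mailbox address are placeholders.

```powershell
# Added example (not from the article): Exchange ActiveSync (EAS) as a low-cost device
# policy tool. Runs in Exchange Online PowerShell (ExchangeOnlineManagement module)
# with an Exchange administrator account. Names and addresses below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder admin account

# 1. Baseline device hygiene for every device that syncs mail via EAS.
#    Devices that cannot enforce these settings (non-provisionable) are refused,
#    which is the EAS equivalent of the article's "restrict a compromised device" advice.
New-MobileDeviceMailboxPolicy -Name 'Corporate Baseline' `
    -RequireDeviceEncryption $true `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MaxInactivityTimeLock '00:05:00' `
    -MaxPasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Unknown devices are quarantined on first contact instead of syncing straight away;
#    the security mailbox (placeholder) is notified so each new device gets a review.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'secops@example.com'

# 3. Checks: list devices that are not currently allowed, and confirm the policy values.
Get-MobileDevice | Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Format-Table FriendlyName, DeviceOS, DeviceAccessState, DeviceAccessStateReason

Get-MobileDeviceMailboxPolicy -Identity 'Corporate Baseline' |
    Format-List Name, IsDefault, RequireDeviceEncryption, PasswordEnabled, MinPasswordLength, MaxInactivityTimeLock
```

The caveat that fits the article’s “cheaper and easier” framing: EAS policies only govern the mail sync relationship, so a device that never syncs corporate mail is untouched, and the settings a phone actually honours depend on its mail client. That is why the section pairs this approach with a proper MDM for anything beyond first-level control.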

3. App wrapping

App wrapping is a term that is used to define a methodology that segments your app from the rest of the device by capturing it in a secure environment. You will automatically get this option if you are taking help from an MDM provider. Just set a few parameters, and you can segment your apps without any coding required.

4. Strong user authentication

One of the most crucial components of mobile app security is strong user authentication and authorization. You never know who is accessing your app. A seemingly simple question, “Who are you?”, can help secure your app against malware and attackers.

User authentication must cover all aspects of user privacy, identity and session management, and device security features. Try to enforce 2FA (two-factor authentication) or MFA (multi-factor authentication). Technologies such as the OpenID Connect protocol or the OAuth 2.0 authorization framework can help.

5. Hardening the OS

Another way to secure mobile apps is by hardening the operating system. There is a wide variety of methods in which you can do it. From day one, Apple has done a great job in enforcing security within its operating system. You can use these tools for iOS security:

6. Apply security to APIs

Make sure that you use APIs to manage all app data and business logic. APIs are very useful tools in the mobile world, and they are the crown jewels of any enterprise. All data, whether in transit or at rest, should be secured.

For data in transit, you can use TLS (still commonly called SSL) with 256-bit encryption. For data at rest, you should secure the origin of the data as well as the device itself.

Remember, each API should have app-level authentication. Make sure you validate who is using the service, and keep sensitive data in memory only, where it can easily be wiped.


When it comes to addressing your mobile application’s security, assume that every mobile device accessing the app is insecure and that attackers can capture the data flowing to and from your app. That doesn’t mean you’re being overly paranoid.

These assumptions will help you stay on top of your security game, and you will always look out for new ways to harden the security of your mobile app against the most common security failures.

There are many other practices with which you can toughen up the security of your app, but these 6 tips will give you a basic framework that can be applied to any business, irrespective of its size. Which strategies do you use to protect your mobile app against cyber attacks?


via:  tripwire
