Small Businesses Lose $80K on Average to Cybercrime Annually, Better Business Bureau Says

The growth of cybercrime will cost the global economy more than $2 trillion by 2019, according to the Better Business Bureau’s 2017 State of Cybersecurity Among Small Businesses in North America report.

Cost of a Cyber Attack

When it comes to small businesses, the report said the overall annual loss was estimated at almost $80K or $79,841 on average. And as more small businesses become equal parts digital and brick-and-mortar, securing both aspects of their company is more important than ever.

The risks small business owners face in the digital world has increased their awareness of the dangers of this ecosystem. A survey conducted by GetApp in 2017 revealed security concerns ranked second as the challenges small businesses were facing.

In its report GetApp says, small businesses have to implement a multipronged approach with defense mechanism designed to “Ward off attacks from different fronts.”

However, the company doesn’t forget to address the challenges small business owners face when it comes to tackling cybersecurity with limited budgets and IT expertise while at the same time running their business.

Adopting a Small Business Cybersecurity Strategy

Why is adopting a cybersecurity strategy important for small businesses? Because according to eMarketer, in 2017 retail e-commerce sales globally reached $2.304 trillion, which was a 24.8% increase over the previous year.





Of this total, mCommerce accounted for 58.9% of digital sales and overall eCommerce made up 10.2% of total retail sales worldwide in 2017, an increase of 8.6% for the year.

What this means for small businesses is they can’t afford not to be part of this growing trend in digital commerce. They have to ensure the digital platform they have protects their organization and customers whether they are on a desktop, laptop or mobile device.

Have Clear Goals and Objectives

When it comes to cybersecurity, having clear goals and objectives will greatly determine the success of the tools, processes, and governance you put in place to combat cybercriminals.

According to GetApp, with the right cybersecurity solution in place, your small business will be able to detect and prevent a cyber-attack before it takes place.

It is important to note, there is no such thing as 100% security, whether it is in the digital or physical world. Given enough time and resources, bad actors may be able to find a vulnerability in any system. The data breaches at some of the largest organizations in the world are proof of this fact.

As a small business, your goal is to make it as difficult as possible for these bad actors to penetrate the security protocols you have in place.

Don’t Rely on a Single Solution

The GetApp report says small businesses have to fortify their organization against different threats emerging from multiple fronts.

The company says there is no single cybersecurity solution which offers complete defense against all the different types of threats that are out there. At any given time a small business can be under attack from a distributed denial of service or DDoS attack, ransomware attacks, cryptojacking, and others.

To address these challenges, GetApp recommends small businesses to implement a cybersecurity strategy with investments which include a combination of antivirus, firewall, spam filter, data encryption, data backup, and password management applications.

Last but not least, even if you have the best system in place, you have to stay vigilant at all times. Cybercriminals rely on complacency.

Source: https://smallbiztrends.com/2018/12/cost-of-a-cyber-attack-small-business.html

Council on Foreign Relations encourages global initiative to combat botnets

A global initiative of public and private organizations is needed to eliminate computer-effecting botnets, according to a new paper from the Council on Foreign Relations (CFR).

The report was written by Robert Knake, senior fellow for cyber policy at CFR and senior research scientist at Northeastern University’s Global Resilience Institute, and Jason Healey, senior research scholar in the Faculty of International and Public Affairs at Columbia University.

Criminals use botnets, or groups of computers infected with malicious software, to propagate spam, send phishing emails, guess passwords, impersonate users, and break the encryption, the report stated. Botnets are also used to carry out distributed denial of service (DDoS) attacks. DDoS attacks result in individual computers that make up the botnet to send internet traffic to a target, thereby blocking legitimate traffic.

As much as 30 percent of all internet traffic may be attributable to botnets, the report said. Many DDoS attacks are used by companies to take down their competitors’ websites or servers. China, Russia, and Iran, however, have all harnessed botnets for geopolitical purposes, according to the report.

Knake and Healey contend that government must partner with the private sector to fight this threat. As Knake explained in a recent blog post, a public-private partnership to combat botnets doesn’t have to be initiated by government agencies. Private companies may be better suited to place pressure on the actors that enable botnets to persist, he wrote.

Knake noted that most botnet takedowns had been led by private companies, such as Microsoft, which has pursued more than a dozen. Financial services firms are particularly vulnerable to them, getting hit on a daily basis with botnet-enabled fraud, Knake wrote.

A relatively small effort would help significantly reduce botnet infections, according to Knake’s post. The formation of a new organization to coordinate takedown activities would be a good place to start. A new anti-botnet organization could be used to pressure device makers, website registrars, cloud computing providers, and internet service providers (ISPs) to improve cyber hygiene.

“I can guarantee that it would only take the slightest amount of pressure from its largest customers to get Amazon to figure out a way to keep its on-demand computing platform from being botmasters’ preferred platform,” Knake wrote in his blog post on the CFR website.

The organization could also pressure device makers to prevent initial infections and make cleanup of infected devices easier.

Source: https://homelandprepnews.com/stories/31499-council-on-foreign-relations-encourages-global-initiative-to-combat-botnets/

IoT & Cybersecurity: Where we are and what needs to change

Threats are now emerging beyond home and medical devices towards IoT control systems connected to national infrastructures. It is no exaggeration to say that IoT vulnerabilities are a threat to our national and personal security – dangers brought into sharp relief by the growing weaponisation of cybersecurity on the world stage

Cybersecurity agenda

Over the last decade, the scale of cyber attacks have increased dramatically and there has been a huge increase in the scale of cyber attacks against global IT infrastructures. The increase in the number of attack vectors enabled by the internet, the level of sophistication of the attacks, the ‘staying power’ of the cyber gangs, are all markers of how cybersecurity has become the subject of major international conflict.

The rewards of cyber crime over the last decade have been lavish and can be measured in trillions of dollars. And the size of this cyber treasure chest will only increase exponentially over the next decade.

The cyber war is an asymmetric battle. According to Carbon Black, cyber criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and businesses, while the same organisations and businesses are spending a mere $96 billion per year to defend themselves against these attacks.

But it’s not always the case that these threats are created by what people in the West would call ‘rogue’ states or actors.

Militarisation of cyber attacks

The biggest single factor that has emerged in the cybersecurity landscape over the last decade is the brazen and overt participation of nation states in the battle. The size of a state’s cyber capability has now become the biggest statement of its national power and global influence.

So loud are the noises around cybersecurity that cyber-aggression appears to have bumped the threat of nuclear and biowarfare down the security agenda.

In the mid-noughties there appears to have been a joint US/Israeli project to attack Iran’s nuclear programme. A virus was created which attacked the SCADA infrastructure around this programme and thus the centrifuges which were being used to enrich uranium.

Stuxnet surfaced once activated in 2010 when it preyed upon Siemens PLCs to the extent that around a third of Iran’s centrifuges were taken out of action. This might be termed a ‘successful’ attack upon the process control layer of a large utility project.

To say that cyber warfare is preferable to weapons of mass destruction might appear an understatement. However one should at the same time be mindful of the huge impacts cyber attacks could have on energy and utility companies, upon hospitals, and upon the military apparatus and democratic institutions we take for granted. Lives can be placed at risk.

Internet of Things

The massive increase in the number of devices connected to the internet continues unabated. This year there will be in the region of 23bn connected devices. This number is projected by IHS to rise to 75bn by 2025. This huge growth presents an ever increasing ‘attack surface’ for the cyber gangs to attack.

The traditional target area for IoT cyber attacks has its origins very much in the home device front. A prime example would be the 2016 Mirai botnet attack which infected around 600,000 IoT devices. The devices affected in the main were internet routers, but connected cameras were also compromised.

Mirai wreaked havoc by launching a distributed denial of service (DDoS) attack and overwhelming the devices’ networks.

By 2018 the hackers had switched their focus to the wireless protocols which exist for smart home devices, specifically the Z-Wave wireless protocol. This year, a vulnerability was discovered which affected up to 100 million smart home devices. Burglar alarms, security cameras, and door locks could be disabled, for example, allowing thieves to enter unchecked.

Another major area of vulnerability is that of accessing an individual’s home banking systems via the ‘voice hacking’ of smart speakers.

The recent news about FreeRTOS – a real-time operating system ported to around 35 microcontroller platforms – being an easy target for hackers has further eroded confidence in the security of IoT home devices.

As well as connected domestic appliances there is growing concern about the threats to healthcare devices. There are around 100m such devices installed worldwide. From insulin pumps, to diagnostic equipment, to remote patient monitoring, the areas for potential attack are huge and life-threatening.

Industrial IoT

Cybersecurity firm Carbon Black issued its Quarterly Incident Response Threat Report in November. The report represents an analysis of the latest attack trends seen by the world’s top incident response (IR) firms.

The report found that a growing number of attacks are now taking advantage of IoT vulnerabilities. An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organisations’ primary networks, allowing island hopping (whereby attackers target organisations with the intention of accessing an affiliate’s network).

This latter point underscores the continuing trend of exploiting IoT devices in the enterprise domain to attack business and to move from there into other ‘supply chain’ networks in order to disrupt additional enterprise operations.

The threats emerging away from these home and medical devices towards IoT control systems connected to national infrastructures are increasing in number and truly terrifying.

Process control devices in the industrial world present vulnerabilities in our oil and gas industries, and in our water purification and power plants. A nation’s vital utility infrastructure could potentially be brought to its knees by cyber attacks against the IoT device layer.

This threat isn’t new, although comparatively rare in the past. The Industroyer (Crashoverride) malware framework took out approximately one fifth of Kiev’s power for one hour in December 2015. A number of other different malware attacks targeted against industrial control systems in energy plants have also been discovered in the last few years.

It is now well understood that nation states such as Russia, China and North Korea have been probing other nations’ power generation facilities with a view to potential future hacks. The dangers are well understood by many governments but as of yet these vital infrastructure areas are still massively vulnerable to attack.

Understanding the risks

Only recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (the NCSC) gave an apocalyptic warning about cyber threats to the UK. Martin said that Britain will be hit by a life-threatening ‘category 1’ cyber emergency in the near future.

Similar warnings have been coming out of the US recently, and President Trump’s National Cyber Strategy outlined the same types of threats against US infrastructure. Trump has constantly talked about the threats to US Power Grids – primarily again via the IoT layer – and it’s an area of deep concern for the Federal Government.

In the last month, Trump has been offering to share cyber attack and defence capabilities with NATO allies at the same time as UN calls for an ‘amnesty’ in the use of cyber attacks against critical infrastructures.

But at the business level the understanding of cyber risks is patchy. British business is predominantly uneducated and complacent when it comes to the risks posed by cyber threats and the vulnerability of IoT devices wherever they might be on their network.

Who is responsible?

In the IoT domain for both home and enterprise devices we need secure device design and manufacture, secure deployment, and secure onward protection.

It is the device manufacturer’s responsibility that IoT devices are delivered uninfected with malware, or rogue components. They have a responsibility to ensure that default passwords cannot be implemented in a live environment and to ensure that system software is able to be patched and updated going forward as new threats are understood.

But there is a dual responsibility between device supplier and the end user. Users of these devices in public sector organisations and business enterprises also have a responsibility to ensure that this layer of their IT infrastructure is of itself secure and that it cannot be compromised by weaknesses in other layers of their own cyber defence, or by malware which might be passed on through their supply chain, i.e. ‘island hopping.’

The role of businesses

Starting with the boardroom, businesses must enact a top-down approach to avoid backlash from the market. All companies should be aware that their cybersecurity will be subject to considerable public scrutiny when things go wrong. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

News published in early November told us that Facebook had lost 1m users in Europe in the last couple of months after its highly publicised breaches, and we can expect them to lose more user share going forward.

In the home IoT market, consumer confidence is key. If any particular brand of fridge, TV, baby alarm, speaker, or burglar alarm was exposed as being the source of attacks, consumers will vote with their wallets.

A recent survey conducted by Opinium in the UK showed that businesses which were breached or caused other businesses to be breached would experience repercussions from other businesses.

One in five businesses would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.

The survey also showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime. Just over a quarter said they would avoid using a company that had been publicly associated with a major cybersecurity breach.

Shareholders tend to react when market share is impacted, when the brand of a company is trashed in the market, or when a CEO’s position is undermined by high profile incidents.

CEOs and senior executives have been put on notice that the buck stops with the boardroom. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

Regulatory headwinds

Although only guidelines, the UK has made an admirable headstart towards IoT regulation with its recently released ‘secure by design’ guidelines.

The code – which the government claims is a ‘world first’ – has 13 guidelines, to ensure connected items are ‘secure by design’. It is long overdue and needs to be replicated by other countries.

The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; the secure storage of credentials and security-sensitive data; encrypted in transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.

The code of practice is designed with the home device market in mind. However, the guidelines can have a strong influence on the move towards industrial IoT regulatory requirements too.

In this latter scenario, primary responsibility would pass more towards the implementer or the end user of the industrial control technology.

It’s remarkable that these guidelines took so long to surface given the UK’s long history of consumer protection.

Similarly, the EU has a history of tackling technology giants who impinge on the privacy of individuals (GDPR being the latest culmination), so it’s surprising that a similar code of practice hasn’t emerged from Brussels yet. We can only assume that regulations are ‘in the pipeline.’

As for the IoT layer in the enterprise domain, the IIoT, expect a lot of focus to be driven by governments anxious to protect core businesses and infrastructure. Oil, gas, power generation, aviation and water industries are all highly dependent on IoT to run their businesses effectively.

These are obviously all vulnerable right now. It’s clear that notice has been given by aggressor states that these infrastructures are eminently hackable. It seems to me that the only thing stopping significant disruption is fear of reprisals.

Take The Sunday Times report in October that claimed British military forces had practised a cyber attack that would ‘plunge Moscow into darkness.’ This attack would be an immediate response if Putin’s forces were to move against the West.

Britain no longer possesses small battlefield nuclear weapons – in the eyes of the UK government and many others, cyberweapons have become the most effective military deterrent.

Source: https://thestack.com/iot/2018/11/22/iot-cybersecurity-where-we-are-and-what-needs-to-change/

Bots on a plane? Bad bots cause unique cybersecurity issues for airlines

While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s Threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which comprise 43.9 percent of traffic on airlines websites, mobile apps, and APIs, which is more than double the average bad bot traffic across all industries in which only make up an average of 21.8 percent.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrates loyalty programs they can potentially shake customer confidence to the point where they no longer use the airlines.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

Researchers also learned that of the nearly 30 percent of the domains they reviewed, bad bots encompassed more than half of all traffic with 48.87 of bad bots reportedly using Chrome as their users’ agent.

Not all bots are evil however, some of the bots are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information or even competitive Airlines looking to gather up-to-the-minute market intelligence but even these can hassles.

Some of these unauthorized (OTAs) however may use bots to scrape prices and flight information seeking to gather ‘free’ information from the airline rather than pay for any associated fees by entering into any commercial arrangement requiring a service level agreement, researchers said in the report.

To combat the bad bots, researchers recommend airlines block or CAPTCHA outdated user agents/browsers, block known hosting providers and proxy servers which host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/

Man Ordered to Pay $8.6 Million for Launching DDoS Attacks against Rutgers University

A New Jersey man received a court order to pay $8.6 million for launching a series of distributed denial-of-service (DDoS) attacks against Rutgers University.

On October 26, the U.S. Attorney’s Office for the District of New Jersey announced the sentence handed down by U.S. District Judge Michael Shipp to Paras Jha, 22, of Fanwood, New Jersey.

According to court documents, Jha targeted Rutgers University with a series of DDoS attacks between November 2014 and September 2016. The attacks took down the education institution’s central authentication server that maintains the gateway portal used by staff, faculty and students. In so doing, the DDoS campaigns disrupted students’ and faculty members’ ability to exchange assignments and assessments.

The FBI assisted Rutgers in its investigation of the attacks. In August 2015, the university also hired three security firms to test its network for vulnerabilities.

Jha’s criminal efforts online didn’t stop at Rutgers. In the summer and fall of 2016, Jha created the Mirai botnet with Josiah White, 21, of Washington, Pennsylvania and Dalton Norman, 22, of Metairie, Louisiana. The trio spent the next few months infecting more than 100,000 web-connected devices. They then abused that botnet to commit advertising fraud.

In December 2017, the three individuals pleaded guilty in the District of Alaska for conspiring to violate the Computer Fraud & Abuse Act by operating the Mirai botnet. It was less than a year later that a federal court in Alaska ordered the men to serve five-year probation periods, complete 2,500 hours of community service, pay restitution in the amount of $127,000 and voluntarily relinquish cryptocurrency seized by law enforcement during an investigation of their crimes.

Judge Shipp passed down his sentence to Jha within a Trenton federal court. As part of that decision, Jha must serve six months of home incarceration, complete five years of supervised release and perform 2,500 hours of community service for violating the Computer Fraud & Abuse Act.

Source: https://www.tripwire.com/state-of-security/security-data-protection/man-ordered-to-pay-8-6-million-for-launching-ddos-attacks-against-rutgers-university/

How to secure your online business from cyber threats?

Ecommerce revenue worldwide amounts to more than 1.7 trillion US dollars, in the year 2018 alone. And the growth is expected to increase furthermore.

However, with growth comes new challenges. One such problem is cybersecurity. In 2017, there were more than 88 million attacks on eCommerce businesses. And a significant portion includes small businesses.

Moreover, online businesses take a lot of days to recover from the attacks. Some businesses completely shut down due to the aftermath of the security breaches.

So, if you are a small business, it is essential to ensure the safety and security of your eCommerce site. Else, the risks pose a potential threat to your online business.

Here we discuss some basics to ensure proper security to your eCommerce site.

Add an SSL certificate

An SSL Certificate ensures that the browser displays a green padlock or in a way shows to the site visitors that they are safe; and that their data is protected with encryption during the transmission.

To enable or enforce an SSL certificate on your site, you should enable HTTPS—secured version of HyperText Transfer Protocol (HTTP)—across your website.

In general, HTTP is the protocol web browsers use to display web pages.

So, HTTPS and SSL certificates work hand in hand. Moreover, one is useless without the other.

However, you have to buy an SSL certificate that suits your needs. Buying a wrong SSL certificate would do no good for you.

Several types of SSL certificates are available based on the functionality, validation type, and features.

Some common SSL certificates based on the type of verification required are:

  1. Domain Validation SSL Certificate: This SSL certificate is issued after validating the ownership of the domain name.
  2. Organization Validation SSL Certificate: This SSL certificate additionally requires you to verify your business organization. The added benefit is it gives the site visitors or users some more confidence. Moreover, small online businesses should ideally opt for this type of SSL certificate.
  3. Extended Validation SSL Certificate: Well, this type of SSL certificate requires you to undergo more rigorous checks. But when someone visits your website, the address bar in the browser displays your brand name. It indicates users that you’re thoroughly vetted and highly trustworthy.

Here are some SSL certificate types based on the features and functionality.

  1. Single Domain SSL Certificate: This SSL certificate can be used with one and only one domain name.
  2. Wildcard SSL Certificate: This SSL certificate covers the primary and all the associated subdomains.
    Every subdomain along with the primary domain example.com will be covered under a single wildcard SSL certificate.
  3. Multi-Domain SSL Certificate: One single SSL certificate can cover multiple primary domains. The maximum number of domains covered depends on the SSL certificate vendor your purchase the certificate from. Typically, a Multi-Domain SSL Certificate can support up to 200 domain names.

Nowadays, making your business site secure with SSL certificate is a must. Otherwise, Google will punish you. Yes, Google ranks sites with HTTPS better than sites using no security.

However, if you are processing online payments on your site, then SSL security is essential. Otherwise, bad actors will misuse your customer information such as credit card details, eventually leading to identity theft and fraudulent activities.

Use a firewall

In general, a firewall monitors incoming and outgoing traffic on your servers, and it helps you to block certain types of traffic—which may pose a threat—from interacting or compromising your website servers.

Firewalls are available in both virtual and physical variants. And it depends on the type of environment you have in order to go with a specific firewall type.

Many eCommerce sites use something called a Web Application Firewall (WAF).

On top of a typical network firewall, a WAF gives more security to a business site. And it can safeguard your website from various types of known security attacks.

So, putting up a basic firewall is essential. Moreover, using a Web Application Firewall (WAF) is really up to the complexity of the website or application you have put up.

Protect your site from DDoS attacks

A type of attack used to bring your site down by sending huge amounts of traffic is nothing but denial-of-service-attack. In this attack, your site will be bombarded with spam requests in a volume that your website can’t handle. And the site eventually goes down, putting a service disruption to the normal/legitimate users.

However, it is easy to identify a denial-of-service-request, because too many requests come from only one source. And by blocking that source using a Firewall, you can defend your business site.

However, hackers have become smart and highly intelligent. They usually compromise various servers or user computers across the globe. And using those compromised sources, hackers will send massive amounts of requests. This type of advanced denial-of-service attack is known as distributed-denial-of-service-attack. Or simply put a DDoS attack.

When your site is attacked using DDoS, a common Firewall is not enough; because a firewall can only defend you from bad or malicious requests. But in DDoS, all requests can be good by the definition of the Firewall, but they overwhelm your website servers.

Some advanced Web Application Firewalls (WAF) can help you mitigate the risks of DDoS attacks.

Also, Internet Service Providers (ISPs) can detect them and stop the attacks from hitting your website servers. So, contact your ISP and get help from them on how they can protect your site from DDoS attacks.

If you need a fast and straightforward way to secure your website from distributed-denial-of-service attacks, services like Cloud Secure from Webscale Networks is a great option.

In the end, it is better to have strategies in place to mitigate DDoS attacks. Otherwise, your business site may go down and can damage your reputation—which is quite crucial in the eCommerce world.

Get malware protection

A Malware is a computer program that can infect your website and can do malicious activities on your servers.

If your site is affected by Malware, there are a number of dangers your site can run into. Or, the user data stored on your servers might get compromised.

So, scanning your website regularly for malware detection is essential. Symantec Corporation provides malware scanning and removal tools. These tools can help your site stay safe from various kinds of malware.

Encrypt data

If you are storing any user or business related data, it is best to store the data in encrypted form, on your servers.

If the data is not encrypted, and when there is a data breach, a hacker can easily use the data—which may include confidential information like credit card details, social security number, etc. But when the data is encrypted, it is much hard to misuse as the hacker needs to gain access to the decryption key.

However, you can use a tokenization system. In which, the sensitive information is replaced with a non-sensitive data called token.

When tokenization implemented, it renders the stolen data useless. Because the hacker cannot access the Tokenization system, which is the only component that can give access to sensitive information. Anyhow, your tokenization system should be implemented and isolated properly.

Use strong passwords

Use strong passwords that are at least 15 character length for your sites’ admin logins. And when you are remotely accessing your servers, use SSH key-based logins wherever possible. SSH key-based logins are proven to be more secure than password-based logins.

Not only you, urge your site users and customers to use strong password combinations. Moreover, remind them to change their password frequently. Plus, notify them about any phishing scams happening on your online business name.

For example, bad actors might send emails to your customers giving lucrative offers. And when a user clicks on the email, he will be redirected to a site that looks like yours, but it is a phishing site. And when payment details are entered, the bad actor takes advantage and commits fraudulent activities with the stolen payment info.

So, it is important to notify your user base about phishing scams and make your customers knowledgeable about cybersecurity.

Avoid public Wi-Fi networks

When you are working on your business site or logging into your servers, avoid public wifi networks. Often, these networks are poorly maintained on the security front. And they can become potential holes for password leaks.

However, public wifi networks can be speedy. So, when you cannot avoid using a public wifi network, use VPN services like ProtonVPN, CyberGhost VPN, TunnelBear VPN, etc, to mitigate the potential risks.

Keep your software update

To run an online business, you have to use various software components, from server OS to application middleware and frameworks.

Ensure that all these components are kept up to date timely and apply the patches as soon as they are available. Often these patches include performance improvements and security updates.

Some business owners might feel that this is a tedious process. But remember, one successful cyber attack has the potential to push you out of business for several days, if not entirely.

Conclusion

In this 21st century, web technology is growing and changing rapidly. So do the hackers from the IT underworld.

The steps mentioned above are necessary. But we cannot guarantee that they are sufficient. Moreover, each business case is different. You always have to keep yourself up to date. And it would help if you took care of your online business security from time to time. Failing which can make your business site a victim of cyber attacks.

Source: https://londonlovesbusiness.com/how-to-secure-your-online-business-from-cyber-threats/

Travel staff are the weakest link in cybersecurity, says expert

Travel industry staff are the “weakest link” in the fight against cybercrime, a security expert has warned.

Cyber consultant Bruce Wynn said cybercrime attacks risked bringing down entire businesses.

He was speaking at the launch of anti-fraud group Profit’s Secure Our Systems campaign, backed by Travel Weekly.

Wynn, who has 40 years’ cybersecurity experience and is one of several experts supporting the seven-week campaign, which aims to give the industry the tools to fight cybercrime, said: “The weakest link in any cybersecurity chain is the thing that fills the space between the keyboard and the floor.”

There was a 92% rise in the number of cyberattack reports made to Action Fraud between January 2016 and September 2018, from 1,140 to 2,190, according to The City of London Police’s National Fraud Intelligence Bureau. Reports of hacking, in which fraudsters gain unauthorised access to data, saw the biggest increase, up 110%.

Wynn believes all travel firms will have experienced cyberattacks but some may not know it.

“You need to have planned well ahead for what you will do when you do discover you’ve been attacked, including how to recover from some of the damage that will have been caused,” he said.

He said a ransomware attack, for example, could be “catastrophic” as a company could lose all data without an adequate data recovery plan. It could also face a GDPR fine.

“It will cost you big time if criminals get into your system and even just corrupt your information to the point you can no longer do business confidently,” he warned.

Other threats include cloned websites, impersonating chief executives and insider fraud, with criminals using techniques such as phishing and hacking to get into companies’ computer systems to steal money or information.

Wynn said one of the most productive attacks is spear phishing, which targets an individual for sensitive or confidential information and often relies on the vulnerability of the person involved.

“The bad guys are going to get in and they will do damage,” he said. “Who are your staff going to call? Your troops need to know how to detect something suspicious, and what to do.

“Computer technicians can try to ‘backstop’ some of it, but staff need to be educated and trained and get a professional to assess how their business can best manage its risk in terms of cybercrime as part of its wider risk assessments.”

At the very minimum all companies should have up-to-date systems in place with anti-virus and anti-fraud software and back-up programs that are regularly tested to ensure any data lost can be recovered.

Wynn believes 80% of attacks can be mitigated at “almost zero cost” to businesses. “Thirty minutes now [on planning] could save lots of money, embarrassment, legal costs and even your business, later on,” he said.

Wynn recommended free resource Cyber Essentials, at cyberessentials.ncsc.gov.uk. The government-backed scheme offers guidelines on self-assessment and access to professional advice on cyber security.

What are the cyber threats?

Here are some common terms for malicious technology and fraudulent activity.

DDoS attack – a distributed denial-of-service attack is where multiple computers flood a server, website or network with unwanted traffic to make it unavailable to its intended users temporarily or indefinitely.

Ransomware – a type of malicious software (malware), usually deployed through spam or phishing, designed to block access to a computer system, typically by encryption, until a sum of money is paid. It can be spread through email attachments, infected software apps, compromised websites and infected external storage devices. Famous examples include the WannaCry attack last year.

Rootkits – a set of software tools that enable an unauthorised user to take over a computer system without detection.

Trojan – type of malicious software often disguised as a legitimate app, image, or program. Typically users are tricked into loading and putting Trojans on their systems.

Viruses – a piece of computer code capable of copying itself, normally deployed through a spam or phishing attack that typically has a detrimental effect, such as corrupting the system, stealing, or destroying data.

Worms – self-replicating malware that duplicates itself to spread to uninfected computers.

CEO fraud – a senior executive in a company is impersonated to divert payments for products and services to a fraudulent bank account. Typically the fraud will target the company’s finance department via email or over the telephone.

Account takeover fraud – a form of identity theft in which the fraudster accesses the victim’s bank or credit card accounts through a data breach, malware or phishing, to make unauthorized transactions.

Insider fraud – when an employee uses his or her position in an organization to steal money or information to threaten security

Cloned websites – when a fraudster copies or modifies an existing website design or script to create a new site in order to steal money.

Phishing – when emails purport to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.

Spearphishing – email scam targeted to one specific individual, organisation or business often to steal sensitive information for malicious purposes. These purport to be from someone you know and use your name.

SMiShing (or SMS phishing) – type of phishing attack where mobile phone users receive text messages with a website hyperlink which, if clicked on, will download a Trojan horse (malicious software) to the phone.

Hacking – unauthorised intrusion into a computer or network.

Bot– a computer infected with software that allows it to be controlled by a remote attacker. This term is also used to refer to the malware itself.

Exploit kit – code used to take advantage of vulnerabilities in software code and configuration, usually to install malware. This is why software must be kept updated.

Keylogger – a program that logs user input from the keyboard, usually without the user’s knowledge or permission, often using memory sticks on laptop ports.

Man-in-the-Middle Attack – similar to eavesdropping, this is where criminals use software to intercept communication between you and another person you are emailing, for example when you are using third-party wi-fi in a café or on a train.

Source: http://www.travelweekly.co.uk/articles/314616/travel-staff-are-the-weakest-link-in-cybersecurity-says-expert

Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident.

Of the larger companies, 23 percent suffered from failure of business processes due to the outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were most common, for all sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise from both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or from the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems.

The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report them to one or more authorities, including police, the Dutch Data Protection Authority AP, a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these ICT incidents most frequently to the AP, complying with law. After that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures. This goes to 98 percent for larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

The FBI Is Investigating More Cyberattacks in a California Congressional Race

The hacks — first reported by Rolling Stone — targeted a Democratic candidate in one of the country’s most competitive primary races

WASHINGTON — The FBI has opened an investigation into cyberattacks that targeted a Democratic candidate in a highly competitive congressional primary in southern California.

As Rolling Stone first reported in September, Democrat Bryan Caforio was the victim of what cybersecurity experts believe were distributed denial of service, or DDoS, attacks. The hacks crashed his campaign website on four separate occasions over a five-week span, including several hours before the biggest debate of the primary race and a week before the election itself, according to emails and other forensic data reviewed by Rolling Stone. They were the first reported instances of DDoS attacks on a congressional candidate in 2018.
Caforio was running in the 25th congressional district represented by Republican Rep. Steve Knight, a vulnerable incumbent and a top target of the Democratic Party. Caforio ultimately finished third in the June primary, failing to move on to the general election by several thousand votes.

“I’m glad the FBI has now launched an investigation into the hack,” Caforio tells Rolling Stone in a statement. “These attacks put our democracy at risk, and they’ll keep happening until we take them seriously and start to punish those responsible.”

It was unclear from the campaign’s data who launched the attacks. But in early October, a few weeks after Rolling Stone’s report, Caforio says an FBI special agent based in southern California contacted one of his former campaign staffers about the DDoS attacks. The FBI has since spoken with several people who worked on the campaign, requested forensic data in connection with the attacks and tasked several specialists with investigating what happened, according to a source close to the campaign.

According to the source, the FBI has expressed interest in several details of the DDoS attacks. The bureau asked about data showing that servers run by Amazon Web Services, the tech arm of the online retail giant, appear to have been used to carry out the attacks. The FBI employees also seemed to focus on the last of the four attacks on Caforio’s website, the one that came a week before the primary election.

An FBI spokeswoman declined to comment for this story.

A DDoS attack occurs when a flood of online traffic coming from multiple sources intentionally overwhelms a website and cripples it. The cybersecurity company Cloudflare compares DDoS to “a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.” Such attacks are becoming more common in American elections and civic life, according to experts who monitor and study cyberattacks. “DDoS attacks are being used to silence political speech and voters’ access to the information they need,” George Conard, a product manager at Jigsaw, a Google spin-off organization, wrote in May. “Political parties, campaigns and organizations are a growing target.”

Matthew Prince, the CEO of Cloudflare, told Rolling Stone last month that his company had noticed an increase in such attacks after 2016 and the successful Russian operations on U.S. soil.

“Our thesis is that, prior to 2016, U.S.-style democracy was seen as the shining city on the hill. The same things you could do to undermine a developing democracy wouldn’t work here,” Prince says. “But after 2016, the bloom’s off the rose.”

The FBI has since created a foreign influence task force to combat future efforts to interfere and disrupt U.S. elections.

Southern California, in particular, has seen multiple cyberattacks on Democratic congressional candidates during the 2018 midterms. Rolling Stone reported that Hans Keirstead, a Democratic candidate who had challenged Rep. Dana Rohrabacher (R-CA), widely seen as the most pro-Russia and pro-Putin member of Congress, had been the victim of multiple hacking efforts, including a successful spear-phishing attempt on his private email account that resembled the 2016 hack of John Podesta, Hillary Clinton’s campaign chairman. Hackers also reportedly broke into the campaign computer of Dave Min, another Democratic challenger in a different southern California district, prompting the FBI to open an investigation.

On Friday, the nation’s four top law enforcement and national security agencies — the FBI, Justice Department, Department of Homeland Security and the Office of the Director of National Intelligence — released a joint statement saying there were “ongoing campaigns by Russia, China and other foreign actors, including Iran” that include interference in the 2018 and 2020 elections. Cybersecurity experts and political consultants say there are many reports of hacking attempts on 2018 campaigns that have not been publicized. But the proximity of the attacks is significant because Democrats have a greater chance of taking back the House of Representatives if they can flip multiple seats in Southern California.

Source: https://www.rollingstone.com/politics/politics-news/california-congressional-race-hack-745519/

Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said.

Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates risks for small business and consumers that could be avoided.

The report also found that the Dutch are more often victims of cybercrime than other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, already 11 percent of businesses incurred costs due to a hacking attempt.

The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half the most important banks in the world use the same DDoS protection service.

According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider.

The CPB report also found that the often reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries.

Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818