To this day, LinkedIn is still, by far, the most useful professional social network. Though there have been many concerns about members being targeted by salespeople, the issue is inevitable. As someone who makes purchasing recommendations and decisions for multiple companies, even before LinkedIn was founded and became popular, I was getting at least 3 calls a day from the sales forces of various organizations.
Today I wanted to recommend my top 3 cybersecurity companies to follow on LinkedIn. All 3 are hand-picked for a variety of reasons. Following any of those listed will most likely help you develop a better understanding of information and cybersecurity related issues. I've listed them in no particular order, as I believe all 3 truly deserve to be followed.
According to their LinkedIn profile, Imperva® (NYSE:IMPV) is a leading provider of cyber security solutions that protect business-critical data and applications in the cloud as well as on-premises. The company's SecureSphere, CounterBreach, Incapsula and Skyfence product lines enable enterprises to discover assets and risks and protect valuable information (such as intellectual property, business plans, trade secrets, customer and employee information, and the day-to-day data that drives your business). They also offer services that enable your business to comply with the myriad increasingly stringent data protection regulations and mandates, as well as enforce policies, entitlements and audit controls.
Having worked with Imperva for over 10 years, I can attest to the fact that their staff is a great bunch of dedicated, diverse and highly skilled folks. Their customer service and support line is truly one of the most efficient in the industry, with nearly instant response. They never hide behind an email wall, and are always there, in person, when you need them most. If you are interested in web application protection (and you should be), including DDoS protection and website acceleration, you should follow Imperva.
The Herjavec Group
I happen to recall the time when Robert Herjavec founded the company. In fact, I believe I was one of the first customers of The Herjavec Group; they had assisted March of Dimes Canada by implementing an email security appliance. Since that day, I have been virtually following Robert and his company. As the company grew, many things changed, including product and service offerings, people and offices. The one thing that has not changed is their sense of pride, their core people and their quality of service.
In addition to timely updates that the company provides on LinkedIn and other social networks, if you haven’t already, you should also consider following Robert, as he often shares the stories and wisdom that made him into a Canadian success story.
No longer a startup, this Israeli success story does not cease to amaze. In the early days, they identified a problem: automated code security software was cumbersome and unaffordable for SMBs. They created something that did not rely on heavy and complex deployment requirements and was truly affordable for virtually any size of organization. Like every other startup, as the company matured it began attracting major talent, allowing them to close large deals while winning against seasoned enterprise players such as HP and IBM. More often than not, they deliver high quality content on LinkedIn in an attempt to raise awareness, ensuring top executives understand the importance of software code security.
Why do we fall victim to email phishing attacks?
Cyber criminals are crafty when it comes to email phishing attacks. Judging by the results of the most recent phishing campaign against Gmail users, they are succeeding. Cyber criminals are smart, knowledgeable and will use any means to achieve their goal, which is to acquire your personal information and use it against you and the people on your contact list.
Almost daily, people receive fake emails asking for their personal information, such as user IDs and passwords. These phishing emails can be disguised as if they came from your bank, your email provider, a government agency or even your employer. Cyber crime gangs often prey on our own cybersecurity illiteracy and laziness.
Let me ask you a few questions:
Since cybersecurity illiteracy is what cybercriminals use as an advantage, cybersecurity literacy and awareness would be a good antidote.
The easiest way to spot a phishing email
Many fake emails can be spotted by simply looking at the "from" email address, not just the display name. An email from a fake sender would look something like this: Google Support <[email protected]>. This is definitely a fake. It might not be obvious, but an email from Google would most certainly come from [email protected]. One caveat: the visible from address can itself be forged unless the receiving mail system enforces sender authentication (SPF, DKIM and DMARC), so treat the address as a first check, not a guarantee.
In any event, here is the easiest way to spot a phishing scam. Please remember it, print it out and share with others:
If you receive an email whereby someone is asking for your personal information, including your user ID and / or passwords with a sense of urgency, most likely it’s a phishing scam.
Why? Because your bank, your email provider, or your employer WILL NEVER ASK FOR YOUR PERSONAL INFORMATION VIA EMAIL.
For example, you received an email that appears to be from your bank, and it looks something like this:
"This is to inform you that due to suspicious activity, your savings account has been locked. Please click here to change your password immediately to re-gain access to your account.
Customer Service Manager"
While it appears legitimate, your bank will never ask you to provide any personal information via email. In most cases, they will call you and ask you to go to the nearest branch to address any account security related issues.
Even when someone calls you and introduces him or herself as a banking specialist asking for your personal information, you don't have to provide it. Hang up, call your bank using the number on the back of your bank card, tell them that you were contacted, and ask whether there are any issues they can help you address. The same goes for calls from any government agency, including the IRS.
A Sophisticated Phishing Attack
As reported by several cyber security researchers, and the mainstream media, cyber criminals unleashed a new, sophisticated phishing campaign targeting both individuals and corporate Gmail users. In fact, it’s so sophisticated, that even savvy users are being tricked by it.
An email arrives with a link, and when clicked, it asks for your Gmail user credentials. The trick is that the page looks exactly like the original Gmail sign-on page. When you enter your user ID and password, the attackers automatically log into your Gmail account. Once they are in, they immediately begin gathering additional information to support further attacks. It appears that they look for the attachments you've previously shared with others and gather email addresses from your contacts.
The contacts they gather, inevitably become new targets. Now rogue emails are coming from someone the victim knows.
It's very hard to notice foul play since the URL in the email is disguised very well. In most cases, victims won't even look at the address bar at the top to validate the website's authenticity.
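The two tells described above, the from address not matching the brand in the display name and a link whose visible text points at one domain while its target is another, can be checked mechanically before a user ever clicks. The following is an added example, not code from the original post or from any vendor named on this page; the sample message is constructed for the demonstration, and the brand-to-domain table, the data:/javascript: scheme check and the two-label domain heuristic are assumptions of the example rather than anything the post states.

```python
"""Flag two phishing tells in a raw email: a display name that invokes a brand
whose domain does not match the sender address, and anchors whose visible text
shows one host while the href goes to another."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing message) for the demonstration.
SAMPLE_EML = b"""From: "Google Support" <support@mail-google-verify.example>
To: victim@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please verify now:</p>
<a href="http://accounts-google.example/login">https://accounts.google.com/signin</a>
<a href="https://support.google.com/accounts">Help Center</a>
</body></html>
"""

# Hypothetical allow-list: brands this check knows and the domains they send
# from. A real deployment would load this from policy, not hard-code it.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"^(?:https?://|www\.)", re.I)


def check_from_header(from_value):
    """Findings when the display name names a brand but the address domain is
    neither that brand's domain nor a subdomain of it."""
    findings = []
    display, addr = parseaddr(from_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
            domain == d or domain.endswith("." + d) for d in allowed
        ):
            findings.append(
                f"display name claims {brand!r} but address domain is {domain!r}"
            )
    return findings


def check_links(html):
    """Findings for anchors whose shown URL and real target disagree, or that
    use a data:/javascript: scheme (an assumption of this example, not a rule
    from the post: a login link has no business using either)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        target = urlparse(href)
        if target.scheme.lower() in ("data", "javascript"):
            findings.append(f"link uses {target.scheme}: scheme instead of http(s)")
            continue
        if URL_LIKE_RE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            real = (target.hostname or "").lower()
            if shown.lower() != real:
                findings.append(f"link text shows {shown!r} but href goes to {real!r}")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return all findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = check_from_header(str(msg["From"]))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("suspicious:", finding)
```

Run against the constructed message, the check reports the mismatched sender domain and the first anchor (its text shows accounts.google.com while the href resolves to a different host); the "Help Center" link passes because its text is not a URL. Neither check replaces SPF/DKIM/DMARC enforcement on the mail gateway, which is what stops a forged header from arriving in the first place.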
How to protect yourself against phishing attacks?
Fortunately, you can protect your account almost instantly by enabling 2-step verification for your Gmail account. Even if you don’t use Gmail, and use another Cloud email service, we recommend that you enable a 2-step verification without delay.
When 2-step verification is enabled, a stolen password alone is not enough to sign in: the attacker also needs the one-time code from your smartphone. That stops the attack described above in its tracks, with one caveat. A phishing page that relays your code to Google in real time, or an attacker who has taken over your phone number, can still get in when the second factor is an SMS or app-generated code, so where the option exists, a hardware security key (which only answers to the genuine site) is the stronger choice.
Instructions on enabling 2-step verification for Gmail (personal use):
Instructions on enabling 2-step verification for Gmail (corporate accounts). Note that for corporate accounts, you need to share these instructions with your IT department, and Gmail administrator will be able to add the extra security centrally:
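To show why the second factor defeats a phished password, here is the time-based one-time password scheme (RFC 6238 TOTP, the kind an authenticator app generates) carried through in code, together with a server-side login check that requires both factors. This is an added example written for this page, not Google's implementation or any code from the original post; the user record, the pbkdf2 password hashing, the one-step verification window and the demonstration secret (the RFC 6238 test secret) are assumptions of the example.

```python
"""RFC 6238 TOTP: server and phone share a secret; each 30-second code is an
HMAC of the time step, so a phished password without the phone does not
complete the login."""
import base64
import hashlib
import hmac
import os
import struct
import time

# Demonstration secret from the RFC 6238 test vectors, NOT for real use.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, window=1, step=30, digits=6):
    """Accept the current step plus `window` steps either side for clock drift,
    comparing in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step, digits), code):
            return True
    return False


def provisioning_secret(secret):
    """Base32 form of the secret, which is what an authenticator app is given."""
    return base64.b32encode(secret).decode()


def make_user(password, secret):
    """Assumed user record: salted pbkdf2 password hash plus the TOTP secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return {"salt": salt, "pw_hash": digest, "totp_secret": secret}


def login(users, username, password, code, now=None):
    """Check the password first, then the second factor. Returns 'ok',
    'bad-password' or 'bad-code' so the demo can show which factor failed."""
    now = time.time() if now is None else now
    user = users.get(username)
    if user is None:
        return "bad-password"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 50_000)
    if not hmac.compare_digest(digest, user["pw_hash"]):
        return "bad-password"
    if not verify_totp(user["totp_secret"], code, now):
        return "bad-code"
    return "ok"


if __name__ == "__main__":
    users = {"alice": make_user("correct horse battery staple", SECRET)}
    stolen = "correct horse battery staple"  # what the phishing page captured
    print("attacker, password only :", login(users, "alice", stolen, "000000"))
    print("alice, password + phone :", login(users, "alice", stolen, totp(SECRET, time.time())))
    print("authenticator enrolment :", provisioning_secret(SECRET))
```

The attacker path returns bad-code: the captured password clears the first check and fails the second, which is the whole point of the recommendation above. The same code also illustrates the caveat: because the code is only an HMAC of the current time step, a phishing page that forwards it to the real site within the 30-second window would pass `verify_totp`, which is why a hardware key bound to the site's origin is stronger still.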
Have questions? Please contact us and we will be more than happy to assist.
30% of Business Have Sound DDoS Protection: Does Yours?
A DDoS attack is more than an inconvenience - it's devastation. Only a third of websites have the DDoS protection they need. Is yours one of them?
Distributed Denial of Service (DDoS) attacks have been around for years. So why do only 30% of companies have solid DDoS protection?
It may be because not every DDoS attack makes the nightly news.
The majority of past DDoS attacks are small. The news of these small attacks doesn't travel beyond the company and those in the internet security industry.
But make no mistake. DDoS attacks are on the rise, and the stakes are growing higher each year.
A single DDoS attack can cause severe and long-term damage to your company's profitability and reputation.
What is a DDoS Attack?
DDoS attacks can take several different forms: volumetric floods that saturate bandwidth, protocol attacks that exhaust connection tables on servers and firewalls, and application-layer attacks that overload the web application itself with seemingly ordinary requests.
In general, a DDoS uses many compromised computers or other internet-connected devices to flood a single target with traffic. Once the target's network or servers are overwhelmed, legitimate requests can no longer be served.
Legitimate customers or users can't access your website or perform tasks using your network. Business comes to a halt.
A DDoS attack may also be used to distract your IT security team, allowing hackers time to dig deeper into your company's infrastructure and systems.
What Can You Expect in 2017?
Robin Birtstone of The Register warns that in 2017, we can expect to see more 100Gbps mega-attacks launched by more devious hackers. An influx of networked appliances and home accessories will increase the risk level, as these Internet of Things devices can be hijacked to bombard websites with DDoS traffic.
In fact, Robin predicts that extortion using DDoS will become the new ransomware. Eighty percent of European IT professionals surveyed in 2016 expected their companies to be subjected to DDoS extortion attacks within 12 months.
How Can You Provide Your Business with DDoS Protection?
The best way to protect your business from a DDoS attack is to be prepared.
DDoS protection includes a solid plan to recognize the early signs of an attack and take definitive action to stop it. Of course, having this kind of preparedness takes the right knowledge and technology.
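One concrete early sign is visible in the web server's own access log: requests per window jumping far above the recent baseline while most of them arrive from addresses the site has never seen. The following is an added example of that detection logic, not code from the original post or from any vendor named on this page; the log lines are constructed in Common Log Format inside the script, and the window size, learning period, multiplier and minimum request count are assumed thresholds to be tuned against real traffic.

```python
"""Detect the onset of a request flood from access-log lines: per-window
request counts compared against a baseline learned from the first few windows,
plus the share of sources not seen during that baseline."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def sample_log():
    """Constructed log: 30 s of quiet traffic from three clients, then a 10 s
    burst of 20 requests per second from 40 previously unseen addresses."""
    lines = []
    stamp = "10/Jan/2018:12:00:%02d +0000"
    regulars = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
    for sec in range(30):
        ip = regulars[sec % 3]
        lines.append(f'{ip} - - [{stamp % sec}] "GET /index.html HTTP/1.1" 200 512')
    for sec in range(30, 40):
        for n in range(20):
            ip = f"192.0.2.{(sec * 20 + n) % 40 + 1}"
            lines.append(f'{ip} - - [{stamp % sec}] "GET /search?q=x HTTP/1.1" 200 2048')
    return lines


def parse_line(line):
    """Return (epoch_seconds, source_ip) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("ip")


def bucket(lines, size=10):
    """Group requests into fixed windows relative to the first request.
    Returns {window_index: Counter(source_ip)} in time order."""
    parsed = [p for p in map(parse_line, lines) if p]
    if not parsed:
        return {}
    start = min(ts for ts, _ in parsed)
    windows = defaultdict(Counter)
    for ts, ip in parsed:
        windows[int((ts - start) // size)][ip] += 1
    return dict(sorted(windows.items()))


def detect(lines, size=10, learn=3, factor=5.0, min_requests=50):
    """Alert on any window after the learning period whose request count is at
    least `factor` times the learned average and at least `min_requests`.
    Each alert carries the numbers an on-call engineer would want first."""
    windows = bucket(lines, size)
    items = list(windows.items())
    if len(items) <= learn:
        return []
    baseline_counts = [sum(c.values()) for _, c in items[:learn]]
    baseline = sum(baseline_counts) / learn
    known_sources = set().union(*(c.keys() for _, c in items[:learn]))
    alerts = []
    for idx, counter in items[learn:]:
        total = sum(counter.values())
        if total >= min_requests and total >= factor * baseline:
            sources = set(counter)
            new = len(sources - known_sources) / len(sources)
            alerts.append({
                "window": idx,
                "requests": total,
                "baseline": baseline,
                "sources": len(sources),
                "new_source_share": round(new, 3),
                "top_source": counter.most_common(1)[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print("possible flood:", alert)
```

On the constructed log the quiet windows average 10 requests each, so the burst window (200 requests from 40 sources, all of them new) trips the alert; a burst from a single address would show up in `top_source` instead and is the simpler case to rate-limit. A threshold this crude is a trigger for investigation and for engaging an upstream mitigation service, not a mitigation by itself, since a genuine volumetric attack can saturate the link before the web server logs anything.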
According to a 2015 report by Forrester Research, most companies are better served by outsourcing their DDoS protection rather than trying to craft on-site solutions. Choosing a leading DDoS security partner means your company will be prepared for whatever 2017's hackers bring.
The Driz Group has chosen to partner with leading cyber security firm Imperva. Working with their state of the art Incapsula system, we provide our clients with a comprehensive solution for DDoS protection.
The Driz Group offers a full range of cyber security services from risk assessment to 24/7 monitoring and protection.
Our team of professionals will work with your security team to ensure an integrated approach to your cyber security needs, including DDoS protection designed to keep service interruptions to a minimum. We provide the hardware, software, maintenance and monitoring to keep your network secure and operational.
Forward Thinking Saves Time and Money
Some companies have recognized the growing threat that lies ahead. Are you one of those companies? Don't wait for your website to crash and your customers to call demanding to know why their transaction can't be completed.
Take action today to secure your website. Protect your business today and every day with comprehensive DDoS protection.
Web Application Security Checklist for 2018
Chances are, your web app isn't as secure as it needs to be. That's why we're sharing this 2018 web application security checklist. Have you hit all the marks?
With a great sigh of relief, we welcome 2018. This new year brings us all new possibilities and opportunities. This is also a great time to assess your business operations. From paperwork to threat assessments, now is your chance to start the year off right.
Unfortunately, it isn't just legitimate businesses that are hoping to have a great new year. The hackers of years past haven't gone anywhere. This year like any other, hackers will be looking to exploit your company's internet vulnerabilities. Let us help you prepare.
Make Sure Your User-Friendly Apps Are Hacker-Hostile
Web applications make it easy and efficient for clients, customers, contractors and employees to access your company's network.
But, these web apps can also open the door to unwanted visitors. Coding errors, weak passwords, and other mistakes can leave you vulnerable to attack.
But you aren't alone.
The Driz Group stands ready to help you defend your network against whatever this year brings.
Start 2018 with this Web Application Security Checklist
To help you assess your web applications strengths and weaknesses, we've put together this web application security checklist. Use this list to ensure that your web apps are secure and ready for market.
1. Assess and Review. This step involves a comprehensive review of the application. Test each step of the program for vulnerabilities. In fact, we will provide you with a complete vulnerability assessment checklist to make the assessment as simple and transparent as possible.
Ensure that users cannot bypass steps or gain access to unauthorized areas of the network through the app.
Can a user enter a new ID and receive a password without authorization? How many password attempts can be made before a lock-out?
2. Plan and Challenge. Next, you'll want to conduct test attacks to assess your app's weaknesses.
From password challenges to brute force attacks, you'll want to determine what your app can withstand.
You'll also want to make sure sensitive information isn't revealed in cookies or other easily accessed code.
3. Re-assess and Report. Once you have made your initial challenges, re-assess the app's areas of vulnerability. Conduct usability testing, perform functional testing and assess the error messages (they should not reveal stack traces, internal paths, or whether a given user name exists).
Did quick fixes solve the problem or is there more work to be done? In your report, you'll want to indicate which problems should be given highest priority for remediation.
Also, make note of any institutional errors that may threaten other web applications.
4. Remediate and Test. In this step, you'll use the report prepared in step 3 to make changes to the app.
Remove security threats, repair coding errors and re-educate users to ensure your website's security.
Once you've implemented these steps, test the web application's security again.
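Two of the questions in the checklist, how many password attempts are allowed before a lock-out and whether sensitive information is exposed in cookies, can be answered with code rather than by inspection. The following is an added example written for this page, not code from the original post or from The Driz Group; the login handler, its pbkdf2 hashing, the five-attempt/15-minute lock-out, the brute-force driver and the cookie attribute audit are assumptions of the example, with the thresholds chosen for illustration.

```python
"""A login handler with per-account failure counting and lock-out, a small
brute-force driver that shows the lock-out engaging, and an audit of
Set-Cookie headers for sensitive names and missing protective flags."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # kept low for the demo; raise for production use


class LoginGuard:
    """Tracks failed attempts per account and refuses logins while locked."""

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.failures = {}   # username -> [failed_count, locked_until]
        # Dummy record so unknown users cost the same time as real ones.
        self._dummy = self._hash("not-a-real-password", os.urandom(16))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def attempt(self, username, password, now):
        """Return 'locked', 'ok' or 'denied'. `now` is epoch seconds, passed
        in so the behaviour is testable without sleeping."""
        state = self.failures.setdefault(username, [0, 0.0])
        if state[1] > now:
            return "locked"
        if state[1]:                       # lock has expired: start fresh
            state[0], state[1] = 0, 0.0
        record = self.users.get(username)
        salt, stored = record if record else (b"\0" * 16, self._dummy)
        candidate = self._hash(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        state[0] += 1
        if state[0] >= self.max_attempts:
            state[1] = now + self.lockout_seconds
        return "denied"


def brute_force(guard, username, candidates, now=0.0):
    """Try candidates in order; stop when the guard says anything but 'denied'.
    Returns (outcome, attempts_made) so a test can show where lock-out bit."""
    tried = 0
    for password in candidates:
        tried += 1
        outcome = guard.attempt(username, password, now)
        if outcome != "denied":
            return outcome, tried
    return "exhausted", tried


SENSITIVE_COOKIE_NAMES = ("password", "passwd", "ssn", "card", "secret")


def audit_set_cookie(header):
    """Findings for a Set-Cookie header value: sensitive-looking name, and
    missing Secure, HttpOnly or SameSite attributes."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name = name_value.partition("=")[0].strip()
    present = {a.partition("=")[0].strip().lower() for a in attrs}
    findings = []
    if any(k in name.lower() for k in SENSITIVE_COOKIE_NAMES):
        findings.append(f"cookie {name!r} looks like it stores sensitive data client-side")
    for flag in ("secure", "httponly", "samesite"):
        if flag not in present:
            findings.append(f"cookie {name!r} is missing the {flag} attribute")
    return findings


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("alice", "correct horse battery staple")
    guesses = ["123456", "password", "qwerty", "letmein", "alice1", "correct horse battery staple"]
    print("brute force:", brute_force(guard, "alice", guesses))
    print("cookie audit:", audit_set_cookie("password=hunter2; Path=/"))
```

With the defaults, the brute-force driver is locked out on its sixth attempt even though the correct password is in the list, which is the answer to the checklist's lock-out question; note that the counter is keyed on the account, so a distributed attacker spreading guesses across many accounts also needs a per-source limit, which this example does not implement. The cookie audit reports a session cookie carrying Secure, HttpOnly and SameSite as clean and flags one that stores a password or lacks those attributes.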
This four-step web application security checklist summarizes the path you'll need to take to ensure your web application doesn't leave you vulnerable.
But, as with all good things, the implementation isn't always easy. The Driz Group employs a team of experts dedicated to identifying and addressing your website's vulnerabilities.
We can prepare a comprehensive web application security checklist designed specifically for your network and web applications. Just give us a call or send us an email to get started.
In the meantime, have a great and secure 2018!
Steve E. Driz, I.S.P., ITCP