Category: cyber security

Cyber Security Checklist

https://www.itgovernance.co.uk/blog/5-essential-controls-to-include-in-your-cyber-security-checklist

IT Governance is a leading global provider of cyber risk and privacy management solutions, with a special focus on cyber resilience, data protection, PCI DSS, ISO 27001 and cyber security.

  1. Staff awareness training

Human error is the leading cause of data breaches, so you need to equip staff with the knowledge to deal with the threats they face.

Staff awareness training will show staff how security threats affect them and help them apply best-practice advice to real-world situations.

  2. Application security

Web application vulnerabilities are a common point of intrusion for cyber criminals.

As applications play an increasingly critical role in business, it is vital to focus on web application security.

  3. Network security

Network security is the process of protecting the usability and integrity of your network and data. This is achieved by conducting a network penetration test, which scans your network for vulnerabilities and security issues.

  4. Leadership commitment

Leadership commitment is the key to cyber resilience. Without it, it is very difficult to establish or enforce effective processes. Top management must be prepared to invest in appropriate cyber security resources, such as awareness training.

  5. Password management

You should implement a password management policy that provides guidance to ensure staff create strong passwords and keep them secure.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

What is Cyber Security

Cyber Security (also known as Information Technology Security) is the protection of computer systems and networks from interruption of their service and from theft of or damage to their software, hardware or data.

Cyber attacks can cost organisations huge sums of money (including fines) but also cause damage to their business and loss of confidence by their customers and partners. There can also be loss of sensitive data relating to their business or customers and that can spread damage very widely.

The EU GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018 require organisations to implement appropriate technical and organisational security measures to protect personal data – or risk substantial fines.

Cyber security covers:

  • Network security
  • Application security
  • Information security
  • Operational security
  • Disaster recovery and business continuity
  • User training

The technology is always changing and all organisations need to ensure they have the correct technology for the job and that it is kept up to date and protected against all threats.


Protection Against Data Breaches

Company data breaches can cause a lot of damage, financial and otherwise, to customers and to the reputation of the business. Some companies never recover from a large-scale data breach, so it is vitally important to protect your business against the possibility.

Data breaches happen through targeted attacks, theft, or even by accident.

Typically, a hacker gains access to an organisation’s private network and then can steal information on staff, customers and suppliers or research in progress, product data etc.

These attacks can be quick or can take a lot of preparation. They may take months or even longer to detect, and in some cases they are never detected.

How to Protect Against Data Breaches

  • Take all necessary cyber security steps, preferably with a qualified expert in charge.
  • Insist on strong passwords across the organisation, as weak passwords are the easiest way for hackers to gain entry to your systems.
  • Train staff. Everyone who uses the computers needs to know how to recognise phishing attempts by email and by phone.
  • Robust security procedures reduce the likelihood of human error or oversight.
  • Keep security systems up to date and apply updates promptly; unpatched software leaves an open door to hackers.
  • Hackers sometimes gain access to larger companies by first targeting the smaller companies that supply them, so take precautions with supplier connections and access too.
  • Frequent reviews of all security processes and systems are essential, as new flaws turn up every day.


How to Protect Your Domain Name

Your Internet domain name e.g. mybusiness.co.uk can be very valuable and a key part of your business. You may think it’s impossible for someone to take your domain name but it does happen and the scammers are clever in how they do it, leaving you with the difficult task of proving you are the rightful owner.

For a hacker to take your domain name, there are two basic methods:

  1. They change your DNS configuration, to redirect traffic from your site to their site
  2. They modify your registration contact information, which gives them full control over your domain.

There is a database called WHOIS that keeps track of the owner’s details and contact person for every domain name as well as the name server data.

A hacker can also change the registration data in the WHOIS database. This then makes it difficult for you to prove that you, not the hacker, are the rightful owner. The hacker may also move the domain registration to another registrar, which makes it more difficult to get your domain name back.

Domain Locking

The best protection for your domain name is to have it locked. This is a service provided by the domain registrars and it stops unauthorized transfer of your domain name to another registrar.

Once your domain is locked, it will be almost impossible for the thieves to redirect your nameservers or transfer your domain name.

Only with authorization from you will your registrar unlock the domain when you need to make changes, after which it can be returned to locked status.
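Registrar locks show up in a domain's public registration record as EPP status codes (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited). The script below is an added example, not code from the original post: it reads an RDAP domain record (the JSON successor to WHOIS, where RFC 8056 spells those codes as lowercase words such as "client transfer prohibited") and reports which locks are missing. The two records are constructed samples with made-up names; a real one would be fetched from your registry's RDAP server.

```python
import json

# RDAP spells EPP status codes as lowercase words (RFC 8056 mapping); the
# dict maps each RDAP value to the familiar EPP name for reporting.
LOCK_STATUSES = {
    "client transfer prohibited": "clientTransferProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "client delete prohibited": "clientDeleteProhibited",
}

# Constructed sample RDAP responses (not real domains or registrars).
SAMPLE_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-locked.test",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited", "active"],
})
SAMPLE_UNLOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-unlocked.test",
    "status": ["active", "pending transfer"],
})


def lock_report(rdap_json):
    """Return which registrar locks are present or missing, plus warnings."""
    record = json.loads(rdap_json)
    present = set(record.get("status", []))
    missing = [epp for rdap, epp in LOCK_STATUSES.items() if rdap not in present]
    warnings = []
    # A registry-side lock blocks transfers even without the client-side one.
    transfer_blocked = ("client transfer prohibited" in present
                        or "server transfer prohibited" in present)
    if not transfer_blocked:
        warnings.append("domain can be transferred to another registrar")
    if "pending transfer" in present:
        warnings.append("a transfer is already in progress; confirm you requested it")
    if "client update prohibited" not in present:
        warnings.append("nameservers and contacts can be changed without unlocking")
    return {
        "domain": record.get("ldhName"),
        "missing": missing,
        "transfer_blocked": transfer_blocked,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_UNLOCKED):
        print(json.dumps(lock_report(sample), indent=2))
```

Running this periodically against your own domains (and alerting on any non-empty `missing` list) catches a lock that was removed and never restored.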

WHOIS Data Entry Protection

Every domain registrar must maintain a publicly viewable “WHOIS” database. For every registered domain, the database must contain personal contact information, including each domain owner’s street address, telephone number, and email address.

Most registrars offer a security feature called WHOIS protection (or WHOIS privacy), which replaces your contact details in the public record with those of the registrar. This keeps your personal details private and gives a scammer less to work with.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.


Dublin’s Tram System Website Ransomed

The website for Dublin’s tram system (Luas) was hacked and the attacker demanded a ransom of just one bitcoin (worth about $4000).

The attacker wasn’t after money but to teach the authorities a lesson for ignoring her advice after warnings about weaknesses in their security.

“You are hacked,” the message read. “Some time ago I wrote that you have serious security holes. You didn’t reply. The next time someone talks to you, press the reply button. You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.”

It then listed an address to send the bitcoin. The message was subsequently removed.

The company tweeted: “The Luas website was compromised this morning, and a malicious message was put on the home page. The website has been taken down by the IT company who manage it, and their technicians are working on it.

“We apologise to all Luas customers for the inconvenience,” Luas added on Twitter.

Luas carried 37.6 million people in 2017 and transports 100,000 passengers on average daily.

A ransomware attacker with a soul. Let’s hope the authorities take notice of the security weaknesses and don’t get caught out again.

Do you have an opinion on this matter? Please comment in the box below.


Google and Google+

Google has said that it found a software glitch in its Google+ social network in March 2018 that could have exposed the personal data of as many as half a million users, but decided not to tell the public until months later.

Google found the flaw in March during an extensive privacy and security review according to Ben Smith, Google vice president of engineering. An internal committee decided not to disclose the potential breach of Google+ because there wasn’t evidence of any misuse of the exposed data, which included names, email addresses, ages and occupations. The bug was immediately fixed at the time, he said.

The US Federal Trade Commission, as the nation’s chief privacy watchdog, has the authority to investigate data breaches. The FTC can fine companies when they violate the terms of a consent decree.

Google has said it plans to shut down Google+ for consumers (but leave it running for businesses) and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.

Google+ was never anywhere near as successful as Facebook and the other social media networks. Even so, many users still have a profile holding personal information. Google will shut it down for consumers over the coming months, but keep the version built for businesses open and operating.

The other changes Google is making include requiring apps to ask separately for each type of information they want from a user, such as access to calendars or address books. On Gmail, Google’s ubiquitous email service, only apps that improve email functionality will be allowed to request access.
