Compliance is Impossible Without a Clear PAM Strategy
Complying with industry and government regulations is tough, and keeping up with the latest requirements is even tougher.
But One Identity privileged access management solutions can help you not only meet today’s compliance needs but also prepare for tomorrow’s. One Identity has published a series of compliance technical briefs to help guide your developing compliance strategy.
Why PCI DSS Compliance is Impossible without Privileged Management
PCI compliance and data security are not issues you can afford to ignore. Compliance with data security standards doesn’t seem to be getting easier. However, you can get ahead of the game by getting an auditor’s take on IT security compliance for the Payment Card Industry Data Security Standard (PCI DSS) when you read this tech brief.
While PCI DSS represents only a portion of data security compliance obligations you might be facing, it’s one of the most significant. When you read this brief, you’ll discover how having the proper processes and internal controls in place for accessing privileged accounts can protect your organization.
You’ll also learn best practices that can help you secure access to sensitive customer data while minimizing the risk of fraud and data breach.
After reading this brief, you’ll be able to:
- Understand the necessary IT-related controls that need to be in place to comply with PCI DSS
- Select the proper solution(s) to satisfy your key control and compliance objectives
- Achieve and demonstrate compliance while automating key tasks
Why ISO/IEC 27001 Compliance is Impossible without Privileged Management
Although ISO/IEC 27001 represents only a portion of the total scope of compliance obligations faced by most organizations, it is a critical piece of the compliance challenge, and the solutions recommended here for ISO/IEC 27001 compliance will help your organization achieve and prove compliance with other security mandates as well.
Article Source: oneidentity.com
WhatsApp: Mobile Phishing’s Newest Attack Target
In 2018, mobile communication platforms such as WhatsApp, Skype, and SMS have far less protection against app-based phishing than email.
Mobile phishing is a topic that just won’t go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds. Yet, within mobile phishing there are many different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.
Furthermore, the many millions of apps that people use for communication on mobile devices make in-app defense against phishing next to impossible, so attackers can target users in places where they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.
Unlike in email, where the message is flagged as risky, this new phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded to display the snippet of the website, complete with logo and page title — all signifiers to the victim that this may be a legitimate domain.
Researchers at Wandera have observed a new trend that’s been growing in popularity among cybercriminals: dozens of new attacks are detected every day, and many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features, most notably centering on WhatsApp, the popular messaging application.
We’ve observed an increase in phishing attacks that center on WhatsApp — not just for the initial method of delivery but also to subversively reach many more targets after each success.
While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. For one thing, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less-mature communication platforms such as Skype, WhatsApp, and SMS have far less protection in place. Put simply, email phishing is far less effective than app-based phishing in 2018.
Image Source: Wandera
When the user clicks on one of these links within WhatsApp, he or she is taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown to instill a sense of urgency in the target.
These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.
Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address, and phone number, to even more dangerous forms of personally identifiable information, such as credit card information.
These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding about this technology remains low. Most mobile browsers display a “secure” marker near the address bar of sites that have successfully made use of an SSL certificate, which attackers have used to convince users that their phishing domain is secure in a more general sense. Many users mistake this information as validation by Google or Apple that the site itself is authentic.
Organizations such as Let’s Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.
The more novel part of this campaign is how victims of the attack are exploited to share the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign “virality” is much more effective than more primitive efforts, which explains why these attacks are increasing in frequency.
Depending on the specific campaign, either before or after the target completes the form on these malicious pages, they cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, with each successful phish, attackers are able to reach yet more victims — directly within the application that the campaign is designed to exploit.
Image Source: Wandera
A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.
There has been notable growth in this kind of WhatsApp phishing campaign in 2018, all making use of a number of familiar features to successfully extract data from WhatsApp users. Quantifying it is difficult because each attack is slightly different and attackers are constantly tweaking different elements of the campaign as they learn more about what works and what doesn’t. In an age of GDPR and increased scrutiny on data breaches and privacy concerns, it is essential that mobile users learn to identify phishing in all its forms.
Article Source: https://www.darkreading.com/
Hackers and Malware: 5 Tips to Protect Your PC
Malicious software, or malware, is a program that is harmful to your computer. It includes viruses, Trojan horses, spyware, and worms. Hackers can use malware to perform a variety of functions, such as stealing, deleting or encrypting your sensitive data, monitoring your computer, and gathering sensitive information about your online activities.
Cyber threats are ever increasing, hence the need for the average computer user to be security conscious. How, then, can you protect yourself from hackers and malware? Below are tips that can help you protect your PC against hackers and malware.
Install Antivirus Software
Installing antivirus software is an obvious step to protect yourself against malware. Many people do not bother to install antivirus on their PC. There are a lot of options available today when it comes to antivirus software, such as Webroot and Kaspersky. Microsoft also offers its own free protection in the Windows Defender Security Centre. It is important to regularly update your antivirus software’s database and run system scans monthly if possible.
Image source: pcmag.com
Beware of Phishing Emails
Phishing emails are designed and sent by scammers to your inbox in an attempt to trick you into giving out personal information, such as your passwords or credit card number. The scammer pretends to be from a legitimate company, for example a bank, and asks you to provide or confirm your details in order to verify your records due to a technical error. That is just one example. Phishing emails are designed to look genuine, and often copy the format used by the organization the scammer is pretending to represent.
Granted, these emails are usually caught by your email application’s filter, but some do slip through, and you might unknowingly click on the links they provide. An up-to-date web browser should detect and block the link or the site it takes you to. So it is important to update your web browser whenever new updates are available.
Image source: palmbeachschools.com
Turn on Windows Firewall
Windows has an inbuilt firewall, enabled by default, that serves to protect your PC from malicious attack via the internet. To check if your firewall is active, go to Control Panel > System and Security and click on Windows Firewall, or type “check firewall status” in the search bar. You will see three green tick marks showing the firewall is working properly. If you do not see those tick marks, select each one to turn on the firewall.
Keep Your Windows Up-to-Date
Microsoft regularly issues small operating system updates weekly (Tuesdays) and larger updates once or twice a year. This is because hackers often find new ways to bypass Windows’ built-in security features. These updates are downloaded automatically to your machine if it is properly configured. While Windows Update can be switched off in other Windows OS versions (but not in Windows 10), you can check for new updates by typing “windows update” in the search bar from the Start menu and clicking “Check for updates”.
Image source: cocosenor.com
Regular Update of Web Browser
Web browsers are important applications for every PC user. Like other categories of software, they can contain bugs. These bugs or loopholes are what hackers capitalize on to create bogus websites with data or scripts designed to exploit them. Hackers can monitor everything you do once your web browser is compromised. They can collect sensitive information including passwords, credit card numbers, etc. That’s why it is important to use the latest version of your web browser. Check for updates to your favourite web browser on its official page or through the browser’s menus.
In the Chrome browser, at the top right, click More > Update Google Chrome. If you don’t see this button, you’re on the latest version. Otherwise, click Relaunch.
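The checks described in the tips above can be scripted. The following PowerShell function is an added example and is not part of the original article: run from an elevated PowerShell prompt on Windows 10, it reports Windows Defender status and signature age, the state of each firewall profile, the most recently installed hotfix, and the installed Chrome version. It assumes the Defender and NetSecurity modules that ship with Windows 10, and the Chrome path and the seven-day signature-age threshold are assumptions, not values from the article.

```powershell
# Added example: read-only security health check for the tips in this article.
# Assumes Windows 10 with the built-in Defender and NetSecurity modules.
function Get-PcSecurityStatus {
    $report = [ordered]@{}

    # Tip 1: antivirus. Real-time protection and how old the signature database is.
    $mp = Get-MpComputerStatus
    $report['DefenderRealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    $report['DefenderSignatureAgeDays'] = $sigAgeDays
    $report['DefenderSignaturesStale']  = ($sigAgeDays -gt 7)   # 7-day threshold is an assumption

    # Tip 3: firewall. One entry per profile (Domain, Private, Public), like the three tick marks.
    $profiles = Get-NetFirewallProfile
    $allOn = $true
    foreach ($p in $profiles) {
        $enabled = ("$($p.Enabled)" -eq 'True')
        $report["Firewall_$($p.Name)_Enabled"] = $enabled
        if (-not $enabled) { $allOn = $false }
    }
    $report['FirewallAllProfilesOn'] = $allOn

    # Tip 4: Windows Update. Date of the most recently installed hotfix.
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report['LastHotfixId']   = $lastFix.HotFixID
    $report['LastHotfixDate'] = $lastFix.InstalledOn

    # Tip 5: browser version. Chrome's default install location (assumption; may be
    # under ${env:ProgramFiles(x86)} on some machines).
    $chrome = Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'
    if (Test-Path $chrome) {
        $report['ChromeVersion'] = (Get-Item $chrome).VersionInfo.ProductVersion
    } else {
        $report['ChromeVersion'] = 'not found at default path'
    }

    [pscustomobject]$report
}

# Remediation for the firewall and antivirus tips. Changes system state, so it is
# not invoked automatically; call it after reviewing the report.
function Repair-PcSecurityBasics {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}

Get-PcSecurityStatus | Format-List
```

The report lists each firewall profile separately because the Control Panel view the article describes shows one tick mark per profile; a single profile left off is enough to expose the PC on that network type. Compare the Chrome version printed against the current release on Google’s site, since the script only reads the installed version and does not query for updates.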
Sometimes, malware and hackers may bypass all the security layers that we put in place to protect your PC. If you suspect that malware has slipped through your PC’s security, you should take the following steps to remove it:
Download and install the Windows Malicious Software Removal Tool from the Windows Download Centre. This piece of software can detect and remove specific types of malware and is very simple to use.
Some malware hides in Windows and makes itself difficult for antivirus and the Windows Malicious Software Removal Tool to detect and remove. In that case, you will need to download an anti-malware tool and burn it to a bootable CD/DVD.