Posts

Showing posts from July, 2016

Spearphishing

The most frequent way that malicious software and other threats get into computers and networks is via malicious "phishing" emails designed to entice users into opening documents or clicking on web links that will result in the compromise of their computer. Spearphishing is a more focused type of phishing, where the "lure" is customized to the target organization or individual. Whereas broadly-targeted phishing emails may be relatively easy to detect, spearphishing emails can be very convincing and difficult to detect. Some tips to avoid being compromised by spearphishing messages: Implement a good email security device or service. This will filter out the majority of phishing and spearphishing attempts. Check closely the "from" and "reply-to" addresses of suspicious emails. These won't always match for legitimate emails, but often in the case of spearphishing one or the other is an obviously inappropriate address. Check web links t

The Implications of Encrypted Web Traffic for Security

When it comes to security, it would seem like encryption is a good thing, right? Encryption is a good tool for protecting the confidentiality of your information, but (as the trend of ransomware has shown us) it has a down side. Secrecy can work for the good guys and the bad guys both. Securing your network requires being aware of what is going on and what communications take place, and encryption can make that difficult. Just a few years ago, encryption on the web was used primarily just for logins and for sensitive parts of a session, such as payments. However, that began to change in 2010 when Google changed Gmail to use HTTPS by default. That was followed by Facebook and Google search going to HTTPS by default in 2011 (Google completed the switch in 2012), Twitter in 2012, YouTube in 2014, and Wikipedia in 2015. Netflix has announced their intention to move entirely to HTTPS, but currently most of their actual streaming is still unencrypted. Currently, most networks see more

Security Basics: Malware Protection

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. When most people think of technical controls for information security, the first one they tend to think of is anti-virus software. After it was first widely commercialized in the late 1980s, antivirus software became known as the thing you needed to have to deal with the security of your computer. And by the mid-90s, when connecting, communicating, and downloading over the Internet became more and more the reason for using a computer, antivirus software came to be seen as an essential accessory to modern computing life. The traditional approach of anti-virus software was to check digital files against a set of “signatures” of known virus (or, more broadly, malicious software or malware) files, in order to delete or quarantine dangerous files found stored on the computer. This technique has been refined and enhanc

Small Business Becomes Big Target

Do you believe your organization has an effective and comprehensive cyber security plan? Don’t bet on it. Eight in 10 small businesses with fewer than 250 workers don’t have a basic cyber-attack incident response plan, even though a majority was hit by cyber crimes. With today’s technology making information highly convenient and accessible, smart organizations are taking a big picture approach to their cyber security and preparing for a multitude of worst-case scenarios so they are able to quickly detect and mitigate a breach when it occurs. Many small companies don’t think that they are a target for a cyber breach, as they feel that they do not have the sensitive information a hacker would be interested in. What they fail to realize is they have become an easy target for cyber hackers. http://www.foxbusiness.com/features/2016/04/27/cyber-attacks-on-small-businesses-on-rise.html https://www.entrepreneur.com/article/252138

How Can You Possibly Staff Your Cyber Security Needs?

The attention on information security over the past several years has made hiring qualified personnel for security positions extremely difficult. The availability of talent is low, and salaries are sky high. So how can an organization find and hire personnel to meet their security requirements? In a recent survey of large and midsize organizations, only 29% of IT pros said they had a qualified cybersecurity expert in their IT department. 23% said they had access to a contracted or 3rd-party expert. The rest? Apparently they are on their own, and while most IT pros have at least a basic understanding of security, this is generally not adequate to meet all of an organization's needs. And if this is true of even large organizations, what are smaller organizations to do? One answer is to outsource your IT security needs to a trusted partner. Most organizations use outside providers for various security needs, such as providing assessments or security software. But operating i

Why does this keep happening?! Cyber breaches are preventable.

Cyber breaches and hacks are, for the most part, preventable today. Most of what is happening to the average user or corporation could have been prevented with a solid cyber strategy, a quality cyber program and quality tools. The problem is that users and corporations are inundated with solutions and ideas to "fix" the problem. So many conversations we have around security are started through users exploring the next "thing" available, promising to fix it all. Things are great, but may not effectively manage your cyber risk, especially if you have never evaluated what risks there actually are in your environment. This shouldn't be done at a basic level either. For the very same reason you shouldn't get the opinion of a "doctor" in an alley for a nickel, you shouldn't invest in a security assessment that isn't comprehensive or performed by experts. Cyber security is not IT and is best evaluated by expert consultants which each having over

Three Critical Drupal Updates, Install ASAP

Drupal pre-announced major updates yesterday in three different modules to fix some very critical vulnerabilities that have been discovered. These vulnerabilities may allow for remote code execution on vulnerable servers, so installing these updates should be at the top of the priority list for anyone running a Drupal website. The updates themselves were released just this afternoon (Wednesday the 13th). Drupal is a very popular web-based content management system (CMS), implemented in PHP, that is used by organizations large and small, from the White House and CNN to small businesses. https://www.drupal.org/psa-2016-001 https://www.drupal.org/security/contrib