At times, the quest to stay on top of web application security can seem futile. It seems as though the adversaries are always a step ahead, and all we can do is try our best to contain the breaches.

In this blog, we’ll look at the root causes of concern for today’s CISO and share some practical strategies to deter cybercriminals.

Web apps, the big attack opportunity for cybercriminals

The CISO role can be an unenviable one. With ongoing reports of new application vulnerabilities and threats on an upward trajectory, the race to safeguard your organization’s digital assets is unending.

And as a CISO, you have the ongoing struggle of understanding the scope of the issue yet managing the finite and appropriate resources to secure web applications. The most obvious cybersecurity strategy is to take a people-centric approach, with a 70-80% focus on staff awareness. This works as a stop gap measure, however, in the meantime cybercriminals are actively working to expand their attack methods to target weaknesses in web applications.  

We are living in a software-defined world, and the vulnerability of web apps is a growing problem. Unfortunately, web app vulnerabilities can remain unremediated for an extended period of time – and cybercriminals know this.

Protecting your web apps in the real-world

Actively monitoring key web applications is difficult but necessary. While comprehending where you are vulnerable is critical, so is the requirement to act within real-world constraints without endangering your larger perimeter. So it’s understandable that, at times, the challenges may seem insurmountable.

Application defects require priority alignment with development teams, and protection tools must comply with customer experience (CX) and governance requirements. Additionally, cybersecurity skills are in high demand, and budgets are tight.

While it may be of little comfort – you are not alone – it’s equally difficult for other businesses to compete with the hugely successful and profitable business of cybercrime.

You may decide to pick your battles and only protect the sites connected to sensitive data, while ignoring the security of third-party hosted or brochureware sites. But the reality is that even brochureware sites offer rich assets for cybercriminals keen to harvest user passwords and credentials.

Is the cyber deck stacked against today’s CISO?

At first glance, it appears that the odds are against you being able to protect your web apps, let alone the entire perimeter. So let’s look at those odds and see why they are so daunting.

The asymmetry of task. Cybercriminals just need to find one way in, but you need to either eliminate or contain all of the ways in. While the traditional approach is only to protect what matters, those untended brochureware and third-party sites can become a real security problem.
The asymmetry of knowledge: Cybercriminals use a community approach to executing attacks, whereas you’re stuck in a stance of independent defense. There’s little communication or sharing of expertise from company to company; knowledge is siloed.
The asymmetry of resources: It’s hard to fight cybercrime on an uneven playing field. While the cybercriminals use stolen resources and criminal economics, you must battle for resources in a competitive job market and buy expensive, legitimate tools.
The asymmetry of incentive: Cybercriminals have a massive financial incentive to ‘win’. Whereas only disapprobation awaits you and your team should you fail to secure your entire perimeter.
The asymmetry of timing and target: Cybercriminals get to choose when and where they attack. But it’s unlikely that your internal expert cybersecurity team is equally ready and waiting to counterstrike at 2 a.m.  over a long holiday weekend.

Even with all your organization’s resources and focus made available to you, the incredibly tough and constantly evolving external environment means the odds are clearly not stacked in your favor.

If you own the risks, who owns the elimination?

Now that we have established the difficulties in the external environment, let’s discuss your freedom to address these problems in a typical company.

As CISO, you are usually accountable for the security of the application fleet. For example, you own the governance, risk, and compliance (GRC) process, commission the application security testing, and own the risk register. But how much control do you have to directly address the identified risks?

The responsibility for eliminating risk through fixing or replacing apps sits with the product team. To align priorities, you must advocate with the product and development team. However, it’s not uncommon for product teams to assign a bug or a mistake in their code as a vulnerability and hand it back to your security operations team with a request to contain the threat. Passing the parcel from team to team is an exercise in frustration, wasted time, and distracted resources.

Balancing business with security

While the emphasis must be on attempting to eliminate all cyberthreats, that containment can’t interfere with the normal functioning of your applications. Although numerous security tools can detect suspicious activity through signatures and heuristics, you still need to decide what to block or allow and consider the impact (financial or otherwise) on the customer experience.

Should your security tool block a legitimate customer transaction, the response from the business revenue owner (or even higher in the organization) to ‘sort your security stuff out or it’s going to be removed!’ is usually swift.

As CISO, you are required to implement a method that both minimizes CX mistakes and rapidly addresses them. This requires extensive testing with your application (not just a generic tool) and the services of a 24x7x365 end-user facing expert response team – available at even 2 a.m. over a long holiday weekend.

So, where do you find these people, how do you afford them, and how long unitl they are executing with CMMI 3.0+ maturity?

Given that security flaws, published threats and application changes are continual, the requirement to mitigate them is incessant. You may be up to date today, but tomorrow, another 50 vulnerabilities are going to be released, and you need to start all over again.

Control your own destiny, or someone else will

Then, there’s the question as to whether changes to security tools settings are subject to change management. Does fine tuning your environment for new threats and making modifications to containment configurations comply with your GRC policy? Is turning things on or off at will a sound policy?

What about risk management? If you tune something out, is the risk measured, identified, reported, and audited in line with the changing threat landscape? And are the impacts of those changes assessed for incremental risks?

The risk to CX introduces a significant pressure on the CISO to incrementally remove security controls. It’s only by proving the financial benefit of any introduced tools that the business and security get an equal vote. The necessary proof of value, however, only comes with an audit, and these tend to be well spaced throughout the year, and only focussed on specific apps. Namely, those connected to sensitive data, and not to brochureware.

Enough despair. There are practical strategies to help you hold cybercriminals at bay.

If you measure it, you can improve (and prove) it

By applying the same rigorous tests to your security operations models as you do to software design, you get a head start. Proven approaches include operational programs that apply a military style to defining functional requirements, i.e. observe, orient, decide and act. In short:

Observe the problems so you can determine what they are
Find, orient, and prioritize your issues on a weekly cadence
Decide how you will fix them
Act by allocating development time and security operations time

And audit. It’s one thing to present a threat chart, but only a cost and benefit analysis holds real sway when it comes to security reporting.

Build a compelling business case for an adequate security budget

Now we have established the costs to build what is required. What is the value to the business of this investment?

Considering the key value being reduction in expected breach loss, industry reports from the likes of IBM/Ponemon provide benchmarks by reporting average impact and likelihood of breach across industry, location and organization size.

If you consider an organization of US Healthcare company with 7,500 employees:

the average loss of a breach is $16M ($600 per employee). This scales up and down by industry (166% up for healthcare) and location (eg 220% up for US)
the likelihood of breach sits at 30% over two years
therefore expected loss is $5.3M

As this is all loss from breaches the web application component should be prorated. VDBR states that approximately 40% of breaches can be attributed to web application incursion, therefore the web application contribution is $2M over 2 years or $1M per year

So, with an annual budget which anticipates a loss of $1 million, what should you spend on avoiding it? 

Economic researchers from the University of Maryland, Gordon-Loeb, have famously published research that concludes that 37% of expect losses from cyber events should be spent on avoidance.

This leads to a web application security program budget of $400k per annum and final reason to despair:

If a 7,500 person US Healthcare company has more than 5 web applications to protect, the business case is woefully underfunded.

Share the burden of elimination

Development costs are a major consideration for any CISO, so it’s small wonder that so many focus on only a few business-critical apps and don’t address the perimeter. And, the good news is – there are some game-changing strategies to be aware of:

You can stop waiting for developers, and turn to edge compute

Empower your security team to write code objects that manipulate the behavior of applications and eliminate threats and risks.

Edge compute introduces a range of benefits, including:

The ability to modify app behavior without touching it directly
Resolving vulnerabilities in hard-to-access legacy or third-party apps
Addressing apps under strict compliance without requiring recertification
Focused regression testing

The use of edge compute can divide your costs by 30. And if you look at the price of your threat protection, you can divide that by 10. So, we’re talking orders of magnitude change.

Enlist independent services to redress the balance

If outsourcing is acceptable to the business, contract a 24X7X365 specialist team of skilled security developers to build and deploy security controls and address development flaws outside of the cost base.

For a given scope, time, and price you’ll get committed time/cost outcomes. As well as running always-on teams of developers, these organizations have libraries of fixes, and utilize machine learning, automation, and edge compute deployment and operational experience to enhance outcomes. They have a community of knowledge, are aware of other defenses and attackers, and introduce cross-company knowledge to promote a community effect. And that’s before they even start to rely on tools.

So, what asymmetry problems does this approach solve for you?

Asymmetry of task: Cybercriminals just need to find one way in, but the economics of a third-party team allow you to cost-effectively eliminate or contain all threats to your entire perimeter.
Asymmetry of knowledge: Fight fire with fire. Cybercriminals use a community of attack, but the power of enhanced cross-company knowledge levels up the playing field.
Asymmetry of resources: While cybercriminals use stolen resources and criminal economics, your investment in shared resources narrows the competitive advantage.
Asymmetry of incentive: Cybercrime pays big time. But the specialist organization that fights cybercrime stands to benefit financially and reputation-wise from doing it well.
Asymmetry of timing and target: Cybercriminals never sleep, and neither does the always-on specialist security team that becomes an extension of your own team.

Summary:

By applying existing techniques that are proven and effective in other parts of the business, and in other industries, to cybersecurity, the cause is hopeful.

However, there are specific challenges that you need to address including the external asymmetry which favors the cybercriminal. It’s also important to take a real-world approach to internal constraints; consider and address them and build them into a program where they are solved (before you deploy any security tools).

It’s also critical to align priority and budget. Manage the customer experience risks and ensure that auditing produces an equal vote in terms of giving security a proper seat at the table.

And seriously consider the value of edge compute. At a time where tools on their own are not enough, it provides a genuine alternative to advocating with the development manager. Consider outsourcing to specialist teams, or even augmenting your own team with AI (which can be built internally or purchased) and apply it to the tasks of risk elimination and threat containment.

It’s a tough environment out there and understanding your capabilities and limitations to secure the business is just part of the journey.

AT&T Cybersecurity Consulting with the help of RedShield can start you on the path to managing risk in your application portfolio.

Read More

The internet has opened up wonderful new possibilities in our world, making life easier on many levels. You can pay your bills, schedule your next family vacation, and order groceries with the click of a button. While the internet offers many positive benefits, it also has some negatives. Although not entirely used for illicit purposes, the dark web is one part of the internet that can be used by criminals for illegal purposes, like selling stolen personal information.

But just what is the dark web? Basically, it’s a part of the internet that isn’t indexed by search engines. As an average internet user, you won’t come across the dark web since you need a special browser to access it. It’s certainly not something you need to stress about in your day-to-day browsing, and you shouldn’t let it scare you off the internet. Unless you actively seek it out, you’ll likely never have any contact with the dark web in your lifetime.

A better understanding of what the dark web is and the possible threats it contains can help you protect yourself, though. This guide provides the essential information you need, explaining the different levels of the web and revealing how you can stay safe. With this knowledge, you can continue to browse online with confidence. Find out more below.

What is the dark web?

The “dark web” refers to websites that aren’t indexed by search engines like Google and Bing. This might seem strange since most people want their websites to be found through specific searches. Practices like search engine optimization (SEO) are specifically implemented to help websites perform well and rank higher in search engine results.

So, why would someone not want their website to be picked up by a search engine? The primary purpose is to preserve privacy and anonymity. The individuals and organizations on the dark web often engage in illegal activities and want to keep their identities hidden — something that is difficult to do with an indexed website.

It’s important to note that the dark web should not be confused with the deep web, which is a part of the internet individuals access regularly. Although the terms are sometimes used interchangeably, they actually refer to different things. Deep web content — which isn’t picked up by search engines, either — includes pages that typically require additional credentials to access. Your online banking accounts and email accounts, for instance, are examples of deep web content.

Different levels of the web

The internet is home to billions of websites — an estimated 1.7 billion to be exact, although that number changes every day as new sites are made and others are deleted. Your daily internet activity likely falls within the publicly available and readily accessible portion of the internet (otherwise known as the surface web). However, there are additional “levels” of the internet beyond that top level. Read on to learn more.

Surface web

The internet you use to search for more information is referred to as the surface web or open web. This is the readily visible part of the internet anyone can access with an internet connection and a normal web browser like Safari, Mozilla Firefox, or Google Chrome. Other terms for the surface web include the visible web, lightnet, or indexed web.

Examples of content you’ll find on the surface web include:

Open media websites and news sites like those affiliated with blogs, newspapers, magazines, and other publications. An example would be the home page of a newspaper like The New York Times or a media company like BuzzFeed.
Business websites for everything from major corporations to smaller local businesses. An example could be the website for a huge corporation like Bank of America or one for a smaller business like a local bakery.
Mainstream social media platforms like Facebook, Instagram, LinkedIn, and Twitter. Although you likely use these tools via an app, they all have dedicated websites.
E-commerce sites used for buying goods and services, like Amazon, Walmart, Target, apparel retailers, and beyond. Any company that sells products online can be considered an e-commerce site.

Basically, the sites you use daily — from your favorite news site to a local restaurant — are part of the surface web. What makes these websites part of the surface web is that they can be located via search queries and have recognizable endings like .com, .edu, .gov, or .org. You are able to find websites on the surface web because they are marked as “indexable,” meaning search engines can index and rank them. The sites are readily available on the search engine results pages (SERPs).

Interestingly, the surface web only makes up around 4% of the total internet, meaning the internet is a lot more than what you see on the surface. Think of it as an ocean — there’s the top layer of water you can see and then there’s the vast world beneath. The remainder of the internet is what’s below the surface.

Deep web

The deep web refers to any page on the internet that isn’t indexed by search engines as described above. The deep web is the first level beneath the “surface” of the visible web — and it’s significantly larger than the surface web, accounting for an estimated 96% to 99% of the entire internet.

It’s important to note that just because this type of content isn’t on the surface doesn’t mean it’s nefarious or has ill intent. A lot of the time, this content isn’t indexed because it includes pages that are meant to be hidden to protect consumer privacy, such as those that require login credentials.

Here are some examples of content on the deep web:

Fee-based content like news articles that are behind a paywall or membership-only content requiring login credentials are considered part of the deep web. For example, if you pay to access members-only content in a content creator’s fan club, you are using fee-based content.
Databases containing protected files that aren’t connected to other areas of the internet. These could be public or private files, like those from government entities or private educational institutions.
Intranets for educational institutions, corporate enterprises, and governments are used for exchanging and organizing internal information. Some of it is sensitive and not meant for public dissemination. Intranets usually require a login and are part of the deep web.
Secure storage platforms like Dropbox or Google Drive also require you to log in to upload and download files and photos. There are also proprietary data storage solutions used by companies that frequently handle sensitive data, such as law firms, financial institutions, and health care providers. An example might be a patient portal via a hospital or doctor’s office, where you can access your personal medical records.

Essentially, any webpage that requires a login is part of the deep web. That said, deep web content doesn’t necessarily have to fall into any of these categories. Any page that is non-indexable is technically also considered part of the deep web. It doesn’t have to require a login or contain sensitive data. Website creators and managers can mark pages as non-indexable if desired.

It’s worth noting that sometimes a single organization’s website will include elements of both the surface web and the deep web. Take a college or university website, for example. Most schools have a comprehensive website providing information about the school’s history, campus location, student body, available programs of study, extracurricular activities, and more.

However, many schools also have an intranet — sometimes linked from the main university page — that’s accessible only for students or staff. This is where students might sign up for classes and access their school email, for example. Since this is sensitive information and requires a unique login, it doesn’t need to be made publicly available via search engines.

In fact, it’s better in the interest of privacy that these pages aren’t readily visible. It helps to protect the user’s data. From this example, you can see that the “deep web” doesn’t have to be scary, illicit, or illegal. It serves a legitimate and useful purpose. You shouldn’t be afraid of the deep web. It’s further important to distinguish the deep web from the dark web — as the next section explains.

Dark web

As mentioned, the deep web and the dark web sometimes get confused. However, they are distinct. Technically, the dark web is a niche or subsection within the deep web. It consists of websites that aren’t indexable and can’t be readily found online via web search engines. However, the dark web is a carefully concealed portion of the deep web that people go out of their way to keep hidden.

What makes the dark web distinct from the broader deep web is the fact that dark web content can only be accessed via a special browser. The Tor network is often used to access the dark web.

Additionally, the dark web has a unique registry operator and uses security tools like encryption and firewalls, further making it inaccessible via traditional web browsers. Plus, the dark web relies on randomized network infrastructure, creating virtual traffic tunnels. All of these technical details serve to promote anonymity and protect dark web users’ privacy.

Is it illegal to browse the dark web?

The short answer is no, it’s not illegal to browse the dark web. In fact, there are instances where individuals can use it for good. Whistleblowers, for instance, can find the anonymity available through the dark web valuable when working with the FBI or another law enforcement organization.

That said, while it’s not illegal to browse the dark web, it’s also not completely void of criminal activity. Putting yourself in close proximity with illegal activities is rarely a good idea and could heighten your risk of being targeted by a criminal yourself. It’s often best to leave that part of the deep web alone.

There are also many technological threats on the dark web. Malicious software, also known as malware, is a critical concern and can affect unsuspecting users. Even simply browsing the dark web out of curiosity can expose you to such threats, like phishing malware or keyloggers. While an endpoint security program can identify such threats if they end up on your computer, it’s ideal to avoid them altogether.

Further, if you try to buy something on the dark web — even if it’s not illegal — there’s a chance you’ll be scammed. Dark web criminals use a variety of tricks to con people. For example, they may hold money in escrow but then shut down the e-commerce website and take off with the money. Due to the anonymous nature of the dark web, it’s very difficult for law enforcement to find such perpetrators.

How do criminals use the dark web?

Given its anonymous nature, the dark web clearly has an obvious appeal for cybercriminals. But just what do they use it for? The most obvious type of internet activity is the buying and selling of black market goods and services, from illegal drugs to illegal content. Cybercriminals may also run scams when selling such items, for example by taking a person’s money and not delivering the required product.

There are dark websites dedicated to the purchase and sale of illegal products or services (usually using untraceable cryptocurrencies like bitcoin) including:

Financial information like cloned credit cards with PIN, credit card details, online bank account logins, and more. People can then use these details to make legitimate purchases, negatively impacting your financial status and ruining your credit score in the process.
Account details for hacked accounts like email accounts, eBay accounts, social media accounts, streaming services, and more. For example, a person may buy a reputable eBay seller’s login details and then use their real account to make fake sales, pocketing the money and ruining the seller’s reputation in the process.
Personal data that can be used to steal someone’s identity, such as their name, address, Social Security number, and more. Identity theft is a serious problem that can negatively impact everything from your credit score to your private medical data.
Illegal services like people claiming to be able to fix credit scores for a fee. Many of these “services” are scams. They may also be law enforcement masquerading as criminals in an attempt to catch people who are up to no good.
Illegal goods like unregistered firearms and drugs. Law enforcement is increasingly cracking down on cybercriminals and the dark web.

Browsers like Tor, an open-source and free software, allow people to access dark websites where these goods are available, like a digital marketplace. These websites may look similar to any other surface or deep website you’d encounter. However, they differ in their domain suffix, ending in “.onion” instead of more obvious options like “.com” (Tor is actually short for The Onion Router, which is also where the term “onion routing” comes from — referring to anonymous communication on the dark web).

Onion sites often use scrambled names that make their URLs difficult to remember, minimizing the odds of being reported to authorities. It’s possible to search the dark web using specialized dark web search engines like Grams or link lists like The Hidden Wiki. However, these sources tend to be slow and unreliable, just like the dark web itself.

Some of this information can be extremely valuable on darknet forums. For example, while a Social Security number might go for $2, email credentials could sell for as much as $120,000. Hackers can make a lot of money and do so with less worry that they might get caught. Thanks to the Tor browser’s layers of encryption and IP scrambling, it’s difficult to track people down on this part of the web.

How to protect yourself online

Again, although the dark web isn’t inherently bad, you should still be proactive in preventing your personal information from falling into the wrong hands. Here are a few ways you can help keep you and your family safe online:

Protect your devices with passwords and antivirus software: One of the first lines of defense is to protect your devices. With passwords, ensure they’re unique and strong across accounts and keep them in one place, like a password manager. It’s also important to have antivirus software installed on your browsing devices to protect them from malware and other threats (you can even take this a step further by using a virtual private network or VPN).
Think before oversharing on social: Social media keeps us connected with our family and friends, but before you click “share,” make sure you’re not revealing any personal information like your home address or something else that could be compromising.
Sign up for a monitoring service: Whether it’s reviewing your credit report or an identity protection plan with 24/7 monitoring, additional trusted eyes on your accounts will help them stay protected.

Get a personalized protection plan today

The dark web might sound scary. The fact is, an everyday internet user like yourself likely won’t have any contact with this level of the internet. That said, it’s still important to take as many precautions as you can to keep your family and your technology safe.

McAfee provides everyday internet users with the tools they need to surf safely and confidently. Our award-winning antivirus software protects against threats like phishing, malware, and ransomware, and we also offer identity protection plans that come with a personalized Protection Score to check the health of your online information. Start browsing with confidence by using McAfee.

The post The Dark Web: A Definitive Guide appeared first on McAfee Blogs.

Read More

We live online these days, sharing everything from vacation pictures to what we eat for breakfast on the internet. The internet is also useful for daily activities, like buying groceries or paying bills.

While it’s convenient to connect with people and complete tasks online, cybercriminals are eager to use the internet to steal financial or personal data for their personal gain — otherwise known as identity theft. This is a criminal act and can affect your credit score in a negative way and cost money to fix. It can also affect employment opportunities since some employers conduct a credit check on top of drug testing and a criminal history check. Identity theft victims may even experience an impact to their mental health as they work to resolve their case.

The good news is that being able to recognize the signs of identity theft means you can act quickly to intervene and minimize any effects in case it happens to you. You can also protect yourself by using preventive measures and engaging in smart online behavior. This article provides essential information about identity theft, giving you the tools you need to become an empowered internet user and live your best life online.

5 steps to take if your identity has been stolen

The internet is a great place to be, but identity thieves hope to catch you off-guard and seek access to your personal information for their benefit. This could include private details like your birth date, bank account information, Social Security number, home address, and more. With data like this, an individual can adopt your identity (or even create a fake identity using pieces of your personal profile) and apply for loans, credit cards, debit cards, and more.

You don’t have to be kept in the dark, though. There are several signs that your identity has been stolen, from a change in your credit score to receiving unfamiliar bills and debt collectors calling about unfamiliar new accounts. If you suspect that you’ve been affected by identity fraud, you can act fast to minimize what happens. Here’s what to do.

File a police report

Start by contacting law enforcement to file a report. Your local police department can issue a formal report, which you may need to get your bank or other financial institution to reverse fraudulent charges. An official report assures the bank that you have been affected by identity fraud and it’s not a scam.

Before going to the police, gather all the relevant information about what happened. This could include the dates and times of fraudulent activity and any account numbers affected. Bringing copies of your bank statements can be useful. Also, make note of any suspicious activity that could be related. For example, was your debit card recently lost or your email hacked? The police will want to know.

Notify the company where the fraud occurred

You should also notify any businesses linked to your identity theft case. Depending on the type of identity theft, this could include banks, credit card companies, medical offices, health insurers, e-commerce stores, and more. For example, if someone used your credit card to make purchases on Amazon, alert the retailer.

Medical identity theft is another good example. In this case, a fraudster may assume your identity to gain access to health care services, such as medical checkups, prescription drugs, or pricey medical devices like wheelchairs. If someone uses your health insurance to get prescription drugs from a pharmacy, for instance, make sure to alert the pharmacy and your insurer.

File a report with the Federal Trade Commission

The Federal Trade Commission (FTC) is a government body that protects consumer interests. You can report identity theft via their portal, IdentityTheft.gov. They’ll then use the details you provide to create a free recovery plan you can use to address the effects of identity theft, like contacting the major credit bureaus or alerting the Internal Revenue Service (IRS) fraud department. You can report your case online or by calling 1-877-438-4338.

Ask credit reporting agencies to issue a fraud alert

A common consequence of identity theft is a dip in the victim’s credit score. For example, a cybercriminal may take out new lines of credit in the victim’s name, accrue credit card debt, and then not pay the balance. For this reason, contacting the credit monitoring bureaus is one of the most important steps to take in identity theft cases.

There are three main agencies: TransUnion, Equifax, and Experian. You can get a free credit report from each agency every 12 months via AnnualCreditReport.com. Check the report and note all fraudulent activity or false information and flag it with the relevant bureau’s fraud department. You should also initiate a fraud alert with each agency.

A fraud alert requires any creditors to verify your identity before opening a new line of credit. This adds an extra layer of security. An initial fraud alert lasts for 90 days. Once this expires, you can prolong your protection via an extended fraud alert, which will remain valid for seven years. You can notify one of the big three bureaus to set it up. They are then required to notify the other two bureaus.

A credit freeze is another smart move, which you can do through each of the three major credit bureaus. You can either call them or start the process online. This prevents people from accessing your credit report. Lenders, creditors, retailers, landlords, and others may want to see your credit as proof of financial stability. For example, if someone tries to open a phone contract under your name, the retailer may check the credit report. If there is a credit freeze in place, they won’t be able to view it and won’t issue the contract. If you need to allow someone access to your credit report, you can temporarily lift the freeze.

Change passwords to all of your accounts

Identity theft is often linked with leaked or hacked passwords. Even if you aren’t sure whether your passwords have been compromised, it’s best to play it safe. Change passwords to any affected accounts. Make sure to use strong passwords with a mix of numbers, letters, and symbols. Further, if there’s a chance to activate two-factor authentication on your accounts, this can provide added protection going forward.

Is it possible to prevent identity theft?

Ideally, you’ll never become the victim of identity theft, but things can happen. Cybercriminals work hard, but you can stay one step ahead by taking a few preventative measures. These include:

Learn how to recognize common scams. ID theft comes in many forms, from email phishing scams to social media snooping, device hacking, and data breaches. Learn the signs of a scam. For example, phishing emails are often poorly written and frequently follow certain formats, like claiming that an account of yours has been suspended.
Activate fraud alerts. Most financial institutions provide alerts about suspected fraudulent transactions, sending you a notification via phone call, text, or email if they notice suspicious activity on your account. The bank may also freeze an account automatically until any potentially unauthorized charges are clarified and confirmed by the account owner.
Protect your devices with strong passwords. Your devices, including your phone, tablet, and laptop, should all be password-protected. In case one of your tech tools is stolen, it will be harder for fraudsters to gain access to your personal data. Set strong passwords with a mix of letters, numbers, and symbols. Make sure they don’t include information a person could figure out easily, like your home address or birthday.
Use different passwords for different accounts. Any online accounts you use, from your banking app to your email, should be password-protected. Follow the same rules for setting strong passwords, but don’t duplicate passwords. If a hacker cracks the code for one account, they can easily guess their way into your other accounts. A password manager can help you stay on top of your passwords by encrypting them and storing them safely for easy tracking. McAfee Identity Protection includes a password manager that can secure your account credentials across devices.
Protect your documents. Protect hard copies of sensitive documents, like your Social Security card and birth certificate, by keeping them locked away. Also, dispose of documents with personal data by shredding them. This ensures that dumpster divers can’t access your information. Documents to shred might include invoices, bank statements, medical records, canceled checks, and junk mail with your name, phone number, and address.
Don’t overshare on social media. Social media is a great way to connect with friends and family, but it can also be a goldmine for identity thieves. Avoid sharing details like your kids’ or pets’ names, which are often used in passwords. Sensitive information, like a home address or birthday, can also be used to build a fake identity. You may want to set your social media accounts to private in addition to limiting what you share.
Review your credit report. You have the right to one free copy of your credit report every 12 months, which you can request via AnnualCreditReport.com. This provides you with a report from each of the three major credit bureaus. Review the report, verifying personal information, account details, and public records (like bankruptcies or liens) to ensure there isn’t anything suspicious.
Follow the news. When major corporations are targeted by hackers, they’re required to alert affected consumers. These breaches are also often reported in the media. To take a more proactive approach, though, check out the McAfee blog, which reports on breaches. If a business you use has been affected, change your passwords.

You can further protect yourself with antivirus software like McAfee’s Total Protection plan. This can help protect your devices against spyware and viruses. You can also enhance your network security with a firewall and virtual private network (VPN). A firewall controls traffic on your internet network based on predefined security parameters, while a VPN hides your IP address and other personal data.

Sign up for a protection plan today

Don’t let concerns about identity fraud keep you from enjoying all the conveniences and perks the internet offers. McAfee’s identity theft protection services can help you stay connected while keeping you safe. Tailor your package to your household’s needs to get the safeguards you want, like ID theft coverage, VPN, and 24/7 monitoring. Our Total Protection plan also comes with $1 million in identity theft coverage to cover qualifying losses and hands-on support to help you reclaim your identity.

With McAfee by your side, you can stay online confidently.

The post What to Do If Your Identity Has Been Stolen appeared first on McAfee Blogs.

Read More

Some European cell phone carriers, and now T-Mobile, are blocking Apple’s Private Relay anonymous browsing feature.

This could be an interesting battle to watch.

Slashdot thread.

Read More

Patchwork, an Indian hacking group also known by such bizarre names as Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, has proven the old adage that to err is human, but to really cock things up you need to be a cybercriminal.

Read More

Enterprises know they need defenses integrated into each aspect of their network while not being an inhibitor to innovation. Digital transformation realized through new 5G-enabled IoT, Operational Technologies (OT) and IT use cases are no exception. Therefore, security teams need to take a closer look at the best technology to support this innovation. Next-generation firewalls from Palo Alto Networks with AT&T Multi-Access Edge Computing (MEC) solutions are designed to help protect enterprises while optimizing security performance for these new use cases.

Prime time for innovation

AT&T MEC in combination with 5G/4G LTE create a private network solution that enables businesses to localize cellular data to improve their operations. The solution supports edge computing by routing application-specific traffic in a highly effective way. Built on a software-defined network, AT&T MEC enables direct access to cellular data for highly reliable local processing. This technology helps create new outcomes and capabilities by allowing applications to process data right where it’s needed. In addition, MEC enables customers to control their traffic flow, restrict devices and select application access for local business content, all while enabling macro cellular access when desired.

This means that businesses can locally process and transfer data-intensive files in near-real time, scale robotic operations, and offer highly immersive customer experiences. Some on-premises use cases for this include video AI, synchronous media collaboration and industrial manufacturing. These are just a few examples of how businesses are being transformed through edge computing technologies. And these use cases can span many industries – manufacturing, public sector, healthcare, education, stadiums, retail and more. AT&T MEC is leading the way in the rapidly evolving private cellular space driving the right innovation today and tomorrow. CRN has named AT&T to its 2021 Edge Computing 100 list – with recognition as one of those driving innovation in the IoT and 5G Edge Services Category.  The AT&T Multi-Access Edge Computing offering ties together cellular network architecture for real-time high bandwidth, low-latency access to latency-sensitive mobile applications. This is great news.  AT&T is helping businesses connect – harnessing LTE and 5G at the network edge.

Protection at every layer 

AT&T MEC not only helps to enable these business use cases but also provides additional privacy and control beyond the inherent security of AT&T’s 5G/4G LTE cellular network. With AT&T MEC your data is in your control so you can determine the location, cloud, local data center or somewhere else to route it. Data you consider sensitive or proprietary can be kept locally within your internal network, significantly mitigating the risk of it being illegally accessed or stolen. This helps give enterprise control and privacy of their data.

In addition to these privacy measures, security teams must also consider mobile devices that could inadvertently introduce threats. For example, a user accidentally downloads malicious software. Or, an IoT device becomes subject to a supply chain attack. In any environment, but especially in edge environments built for business-critical applications, businesses need to respond to these security events as fast as possible, identify malicious events, and act in real time. Therefore, defenses are needed to inspect the application flows to protect mobile devices and business-critical data in transit and at rest within your network. Adding this layer of security allows consistently enforced policies across all network environments, including private cellular networks like MEC network.

Proven, reliable technology and services

To protect against these advanced threats, AT&T now offers a managed next-generation premises-based firewall optimized to work with AT&T MEC. It starts with proven, reliable technology utilizing Palo Alto Networks ML-Powered Next-Generation Firewall platform based on a scalable, modular design that enables you to increase performance as your needs increase. This state-of-the-art firewall technology brings advanced capabilities to prevent known and unknown threats such as vulnerability exploits, ransomware, malware, phishing and data theft. It also includes unique technology from Palo Alto Networks called WildFire® which automatically detects and helps prevent unknown malware and taps into crowdsourced intelligence from more than 43,000 customers. Palo Alto Networks has been recognized by NSS Labs for having high security effectiveness and by Forrester Consulting for strong Return on Investment . Savings are possible  across many categories, but key areas are  in efficiency gains for IT and security and the reduced risk of a data breach.

Furthermore, this next-generation firewall is managed by AT&T’s state-of-the-art Security Network Operations Center (S/NOC) 24/7. The S/NOC team of security professionals use this highly secure, fully redundant site and its advanced intrusion detection capabilities to further analyze and respond to threats. They also help reduce complexity by assisting the customer with ongoing configuration changes to their firewall policies. 

Visibility and control

This next-generation firewall offering provides fully managed, end-to-end firewall protection for your mobile network data traffic including traffic routed through AT&T MEC. The firewall provides visibility of applications and mobile services including those using AT&T MEC Local Content Offload connectivity. In addition, it provides application layer protection by enabling application centric policies that could be used to block as many or all malicious applications or only certain types of malicious activities.

This offering can further help prevent malicious activity that could be concealed in encrypted traffic. Already without decrypting, it provides visibility into TLS traffic, such as the amount of encrypted traffic, TLS/SSL versions, cipher suites, and more. If an instance warrants decryption, the business has the flexibility to gain that additional insight for forensics, historical purposes, or data loss prevention (DLP) needs.

Conclusion

AT&T helps make it safer for you to innovate with leading edge technologies and the security elements to help protect this dynamic environment. Gain fully managed, end-to-end firewall protection for your private cellular network including traffic routed through AT&T MEC with next-generation firewalls provided by Palo Alto Networks.  To learn more- visit us at AT&T Cybersecurity Advanced 5G security solutions | AT&T Cybersecurity (att.com).

Read More

If there’s a particularly clear picture that’s developed over the past couple of years, it’s that our privacy and our personal identities are worth looking out for. We have your back. And here’s why. 

In the U.S., reported cases of identity theft continue to rise. Comparing the first three quarters of 2020 to the first three quarters of 2021, we can see that the number of identity theft cases reported to the U.S. Federal Trade Commission (FTC)are up. Moreover, fraud connected with government documents and benefits has jumped by nearly 100,000 reported cases. Likewise, bank fraud saw a jump as well with a solid 30% increase. 

Figure-1-2021-FTC-Fraud-Reports-Q1-Q3

 

Figure 2- 2020 Fraud Reports, Q1-Q3

Likewise, compare 2021 to the same period in 2019 and the contrast is yet more striking: well over double the number of reports of identity theft. Also note the massive bump in fraud across the board as well—notably in government documents and benefits, which went from nearly 18,000 reported cases to more than a quarter-million cases. 

Figure 3- 2019 Fraud Reports, Q1-Q3

And that’s just what’s been reported in the U.S. Far more crime goes unreported, and it is estimated that the cost of identity theft and fraud goes well into the billions of dollars.

Yet behind each stat is a person, a family, and a household that dealt with anything from a financial headache to a major life event no thanks to identity theft and fraud. Accordingly, we’re seeing to it that each and every person has the tools to prevent this from happening to them.

Here’s a little bit about our approach. We looked at some of the key areas where people’s private information can be vulnerable and designed a tool that offers easy-to-use, intelligent protection for Windows, Android, and iOS devices, with a consistent feel on whichever device you’re using it.

Connect safely a VPN

Unsecured networks can leave us vulnerable, like when we use public Wi-Fi. What’s at issue is that a cybercriminal can potentially capture your login credentials and other personal information as you use a public network in a hotel, airport, coffee shop, library, and so forth.

So, we made sure to include a Virtual Private Network (VPN) to keep your information protected from prying eyes. It does this easily by detecting when you’re on a public network and automatically turning on on your VPN. The VPN then scrambles or encrypts, your data as it flows over the network. Unlike some VPNs that require advanced settings to shield your data, our app offers seamless security.

Dark Web Monitoring

Given that data breaches large and small continue to occur with more regularity than any of us would like, always-on monitoring of your private information is key.

Whether one of your personal accounts is hacked–or worse–another website somehow gets ahold of your data and subsequently gets breached, your data may end up on the dark web. This is where cybercriminals buy and sell information.

To detect these dangerous leaks, we included dark web monitoring, which alerts you if your log-in credentials have been exposed. It can even provide you with a link to the site that uses those credentials when the information is available. This allows you to swiftly reset your passwords, mitigating the risk.

Identity theft insurance and recovery support

Should the unfortunate happen to you, we have your back. In several ways.

Recovering from identity fraud or theft can be expensive. We’ll help relieve the burden with $1M coverage for lawyer fees, travel expenses, lost wages, and more. If money was stolen directly from a bank account, we’ll also reimburse up to $10,000 stolen funds.

No question about it, recovery can be time-consuming, confusing, and even frustrating. With that, we offer licensed recovery experts who can work with you any time, around the clock, all year long. These pros can use a limited power of attorney to do the heavy lifting for identity recovery, taking all necessary steps to repair identity and credit.

In all, we protect your time and your money as part of protecting your identity too.

New: Identity Protection Score

Knowing your safe and staying that way just got far simpler. With a colorful view, you can see exactly what your Identity Protection Score is at a glance, which compiles your overall levels of security, privacy, and identity theft protection. Better yet, if it spots gaps in your protection, it guides you through straightforward fixes that can make you safer than before.

It’s an industry first, and something we all deserve—the ability to clearly see exactly how secure you are and to quickly shore up your protection whenever it’s needed.

Ease of Use

Also on our list, we wanted to make personal protection easy to use and available across all your compatible devices. So, whether you’re out with just your phone, or at home working at your PC, you have access to your protection, and can even pick up where you left off on a different device.

It’s about enjoying the internet

Ultimately, that’s what any of us want—to enjoy the internet with confidence, knowing that whatever it is we’re doing online is secure.

The way we use the internet continues to evolve. After all, it wasn’t long ago that the idea of using a phone to see who’s at the front door may have seemed a bit odd. Let alone having a little chat with the speaker on your kitchen counter. Yet that’s where we are today. And as the internet evolves, so will we. The protection we offer will cover your increasingly connected life in whatever shape that takes.

No question about it. We’re committed to protecting you, your privacy, identity, and certainly your devices too—and making all of it simple.

Here’s to a happy and secure year!

 

The post Protecting Your Privacy This Year appeared first on McAfee Blogs.

Read More

Graham Cluley Security News is sponsored this week by the folks at HYPR. Thanks to the great team there for their support! A new guide by the analysts at The Cyber Hut looks at how Zero Trust increases business agility and provides practical guidance for eliminating passwords to accelerate your Zero Trust strategy. Passwordless MFA … Continue reading “Free guide: “A Journey to Zero Trust With Zero Passwords””

Read More