Cybersecurity Stress-Testing: Don’t Stress About Your Company’s Safety

The rates at which cyber crimes have been growing in the past year are astronomical. Ransomware cases more than doubled in the last half of 2016 alone, over 29 million personal records were stolen in data breaches, and half of all phishing scams were targeted at stealing people’s personal financial information; the persistence with which cyber criminals are trying to attack the public is most definitely not in question any longer.

With these hackers trying to get to your information on a daily, if not hourly, basis, it is important to implement strong cybersecurity defenses. But it isn’t enough to simply install some type of security and not test its strength. How do you know just how strong those defenses are anyway? You can’t know what you don’t know, and because of this, conducting a cybersecurity stress test can make your company far more secure.

Why conduct a stress test?

Before discussing some of the things to test for within these stress tests, there is the question of why you should conduct this test in the first place, as it is something that will cost your business time and money to complete. First off, the cost of recovering from an attack is far greater than the costs that go into preventing one. Not only are there the monetary costs involved, but the hit to your public image can take a drastic toll on your customer base as well. Yahoo, for example, has disclosed multiple, separate data breaches within the past six months totaling more than 1.5 billion users whose accounts were left exposed to hackers because of the company’s lack of cybersecurity.

In addition to the monetary and secondary costs of cleaning up the security mess of undergoing a cyber attack, whether it is apparent to you or not, your company has sensitive data that is valuable to hackers. When a company is hit by some cyber attack, as with the Yahoo breaches, there are negative repercussions that can affect the customers of that entity. Many victims of data breaches find that their identities have been stolen as a result of their data being exposed in a breach. When the costs expand outside of your company’s wallet, it can seriously damage others in drastic ways.

How to conduct a cyber stress test

Now that we know a couple of reasons as to why it is important to stress test, it is important to discuss how to stress test your company. There is no set-in-stone, mapped-out way of completing this process; however, there are a few basics which most companies adhere to when conducting such a test, as well as some tips to keep you secure.

  1. Teach and test your employees — Taking the time to teach your employees about cyber threats, such as phishing, which can only affect a company if an employee makes an error, is incredibly important if you want your test to be successful, and should be your first step. Employees are both your strongest asset and your greatest weakness when it comes to cybersecurity, depending on their awareness of cyber threats. As with sports or learning a musical instrument, once you learn the basics, practice makes perfect. J.P. Morgan is just one of the many companies that partakes in cybersecurity stress testing, and they do this by sending their employees fake phishing emails — they were even able to dupe 20% of their staff into falling for the scam. This highlights a very important part of stress testing: be sure to follow up and make sure your cyber defenses are working.
  2. Seek out expertise — For small businesses especially, cybersecurity can be an overwhelming, yet necessary, hoop to jump through when it comes to protecting your business. Oftentimes companies who do not have a very large staff on hand are not able to afford to keep an IT employee on the payroll, however, it can be much more economical for these businesses to reach out to someone outside of their business who specializes in cybersecurity. Stress tests don’t have to be stressful, especially when you don’t have to go it alone.
  3. Know your goal — The obvious overall goal of a stress test is to determine where vulnerabilities in your defenses lie and plug them before bad guys can get into your company’s network; however, it is also to minimize the impact of a potential cyber event, as cybersecurity professionals believe it is not a matter of if, but when, a company will be the next target. An important aspect of this step involves identifying the key people and functions that are mission critical to the business, and prioritizing the order in which they are addressed during incident response.
  4. Act on the findings — None of this work is worth it if you do not do something about it. If a stress test’s results tell you that your store-bought firewall is not getting the job done as far as protecting you from attack, research further on things like managed firewalls and other defenses which you can implement in order to be more secure.

The point of a cybersecurity stress test is to find weaknesses and room for improvement in your company’s cyber defenses so that they can be repaired. This is such a prevalent issue that the European Union is planning on stress testing all of its banks in the near future, as they believe that cyber attacks pose the greatest threat to their operations. If you are in need of assistance or have further questions about stress testing your company, contact Axiom Cyber Solutions at 800-519-5070 or email us at info@axiomcyber.com.

Hailey R. Carlson | Axiom Cyber Solutions | 03/07/2017


The Dangers of Internet Connected Toys

Smart toys are pretty cool but they also come with some inherent cybersecurity vulnerabilities that could lead to your or your child’s sensitive information being exposed or even worse, a hacker interacting with your child. Internet connected (IoT or smart) toys like CloudPets, Hello Barbie, and Cayla have recently hit the news for all the wrong reasons; they’ve been hacked.

An unsecured MongoDB led to the exposure of voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and due to poor password security requirements, over 800,000 accounts reportedly were vulnerable to being hacked. So far, following the disclosure of the vulnerabilities by a cybersecurity researcher, the maker Spiral Toys has downplayed the severity of the incident but reportedly as of 2/28/17 has filed a breach notification with the California Attorney General.

In mid-February, Germany banned a doll called “My Friend Cayla” and urged parents to destroy the doll due to hacking concerns. The connected doll was classified as an “illegal spying device” because interactions with the doll were recorded and transmitted to a voice recognition company. It is believed that the Bluetooth connection on the dolls was insecurely implemented, which could allow hackers to interact with children.

These are just two of the recent examples but they are not at all isolated. The Hello Barbie doll allegedly could have been turned into a surveillance device due to security vulnerabilities. A Fisher Price stuffed animal teddy bear also was found to be vulnerable to leaking sensitive information. And what parent could forget about the 2015 VTech data breach that exposed the data of 5 million parents and children?

And it is not just smart toys that are being hacked and affecting children. There have been numerous stories of parents being woken in the middle of the night by strange voices talking to their children, or even of strangers watching them through hacked baby monitors. The stories of hacked baby monitors are not new, but what is worrisome is that many parents still do not take basic precautions like researching whether the systems are vulnerable to hacking before purchase, or even changing the username/password.

So enough with the doom and gloom, what can parents do to allow their children to still have the latest and coolest toys without sacrificing security? It is important that parents do not ignore the dangers of internet connected toys simply because they are toys. IoT devices are continually being hacked to attack (5000 IoT devices attack university) or collect information on their owners (spy agencies plan to use IoT vulnerabilities to spy).

Here are a few things that parents can do to help secure their family and smart toys against hackers:

  • Immediately change the username and password of the device, if possible.
  • Review what personal information you share about your family. The less the better. Share only what is required.
  • Use privacy settings to adjust who has access to data.
  • Turn off location tracking or restrict it as much as possible.
  • See if there is a way to disable two-way communication.
  • Tell your children to inform you of any unusual interactions with their toys. Talk to your children about sharing personal information, even with their toys.
  • Use strong passwords. Don’t trade ease of use for security.

Potential Security Threats to Wearable Technology

The first computer, known as Electronic Numerical Integrator and Computer (ENIAC), was made over the course of three years, took up over 1,800 square feet, and weighed nearly 50 tons. Since then, computers have gotten smaller and more innovative, first to fit our desks, then our laps, our pockets, and now, we can wear computing devices on our bodies.

These devices, known as wearable technology, can be divided into five major categories: smart headgear, smart watches, fitness trackers, wearable medical devices, and smart clothing/accessories. As you can tell by the categories, these devices range from vanity gadgets, like Google Glass, to health-related devices, such as the ZIO wireless patch (which wirelessly tracks cardiac arrhythmia) and fitness trackers like Fitbit which help you manage your health.

The market for wearable technology is expected to grow to be worth over $34 billion with 411 million smart wearable devices sold by 2020, with the majority of the devices being comprised of smart watches and fitness trackers. With such a high amount of anticipated growth, there are also many factors that need to be considered, primarily the potential vulnerabilities that these devices can pose to their users.

Potential Vulnerabilities

Insecure Wireless Connections

Wearable devices often offer the ability to connect us even further by linking to our smartphones, laptops, and tablets via Bluetooth, Wi-Fi, and other connections. While this allows us to do things like track our food intake in tandem with exercise on fitness trackers and related tracking apps, it also creates another potential point of entry for hackers to gain access to our information.

Lack of Encryption

Like other Internet of Things (IoT) devices, wearable technology relies heavily on cloud-based computing. While ‘the cloud’ has become a buzz word, it is not a very secure space. Data being stored on manufacturer’s or service provider’s cloud servers is highly vulnerable because of a lack of encryption by service providers. This lack of security allows for hackers to have easier access to sensitive data stored in these devices’ clouds. Some third-party apps, which connect to these wearable devices, neglect basic security standards and hold onto information that is not encrypted. The kind of data that’s automatically being collected and stored by wearable devices is very valuable to hackers trying to steal sensitive information.

Nonexistent Regulations

Manufacturers will have to address the many security issues surrounding wearable devices — whether they choose to self-regulate or be bound by government regulations, a decision needs to be made in order to protect individuals and businesses from attack. These IoT devices need to be secured before being brought into businesses in order to protect the company’s network. Regulations could potentially shift the responsibility for any subsequent breaches or attacks that occur from the manufacturers of these devices to the companies that fail to secure their networks.

Sensitive Data Exposure

Devices like fitness trackers, smart watches, and VR headsets contain a plethora of information about their users. On a smart watch, for example, users have the ability to receive text and email alerts, and even conduct online banking activity as well. When users use these devices, which are lacking in regulations and lacking in encryption, they could potentially be exposing any of the sensitive data accessed on these devices, including login credentials, banking information, Social Security numbers, and much more. Because of the potential severity of a malicious actor accessing this data, it is important for individuals and businesses alike to look at how they can secure these devices.

Secure your Devices

We can now all pretend to be David Hasselhoff in Knight Rider with spy-like smart watches, or submerse ourselves in virtual worlds with VR headsets, and while these are great technological advancements, it is essential that these devices are protected. Fitness bands or smart watches that monitor and capture information about things such as your movement using GPS or your personal information like logins and passwords can provide a malicious actor with details about our daily routines and current location or allow them access to your private accounts. While this can be a scary thought, there are steps that can be taken in order to protect you from these, and other, vulnerabilities.

  • Remote erase feature– If your business allows wearable technology, employees should be encouraged to enable the ability to remotely erase data from and/or disable their device if it is ever lost or stolen. This is similar to the ‘Find my iPhone’ feature on Apple smartphones, and it is a feature that wearable device manufacturers should really consider implementing in the future production of devices in order to protect their users.
  • Increased regulation– As mentioned before, whether it is among the manufacturers or by government intervention, regulations are necessary in order to keep a certain high-quality standard for these devices’ integral cybersecurity upon their creation.
  • Custom security levels– By allowing users the ability to choose their own level of security, this gives them responsibility over their own safeness. Users seldom consider security when wearing their devices, so defaulting to the least secure settings opens a vulnerability for hackers to exploit; however, if users are prompted to look directly at their own level of cybersecurity for the massive amounts of data stored on these devices, they are likely to decide to better protect themselves.
  • Encryption of data– If a hacker was tricky enough to actually gain access to your wearable technology device, having that data encrypted makes it that much harder for him/her to gain access to the sensitive information stored on it. Though there is currently a lack of encryption when it comes to these devices, Bluetooth encrypting and the encryption of valuable data will aid users in enhancing their overall cybersecurity.
  • Physical protection of devices– A small Apple watch is much easier for someone to steal from you while you walk down the street than it would have ever been to steal ENIAC back in the ’40s. Like many IoT devices today, a major concern is that a passerby might grab your device out of your pocket when you’re not looking. By storing your devices in safe places and passcode locking them, you can make it harder for physical criminals to take your data or access it if they do. As mentioned above, if this were to occur, newer wearable technology oftentimes comes with a remote erase feature in order to save your data.

Hailey R. Carlson | Axiom Cyber Solutions | 02/20/2017

Power Grid Cybersecurity– Keeping America’s Lights On

The Energy Department’s Warning

The U.S. Energy Department has released its Quadrennial Energy Review, in which it warned of U.S. electrical power grids being in ‘imminent danger’ of cyber attack. The Department also stated that a widespread power outage caused by a cyber attack could mean the undermining of “critical defense infrastructure” and much of the economy, as well as place the health and safety of millions of citizens in jeopardy. As attacks of this nature are becoming more frequent and sophisticated, the U.S. Department of Homeland Security has gone as far as to say that an attack on a U.S. power grid by a foreign enemy is one of their top concerns because such an attack could be one of the quickest ways to destroy the U.S. economy.

The issue of power grid security has become a concern for the Energy Department after allegations of Russian hacking on the U.S. election last year, as well as a supposed Russian attack on a Vermont electric utility at the start of the new year; however, whether or not these alleged Russian hacker scares are true, attacks of this nature have actually happened in the past quite frequently, and it is important to learn from these previous attacks on grids across the globe in order to properly secure these sources of energy from further attack.

Cyber Attacks on Energy Systems Across the Globe

Idaho, United States

In 2007, researchers for the Department of Energy conducted a vulnerability test on the power plant system at their Idaho lab. The staged attack, dubbed ‘Aurora,’ was launched by researchers to see where vulnerabilities might be hiding, and it ultimately resulted in the self-destruction of a generator. Though these were not malicious actors hacking into the system, this experimental cyber attack highlighted just how easy it would have been for a hacker to break in and cause harm. This was a bit of a wake-up call for the federal government and electrical industry, as it made them think about what might happen if such an attack were carried out on a larger scale and by someone looking to cause harm to the American people.

Thankfully, by researching the vulnerabilities of the power grid in Idaho, the Energy Department has learned how to strengthen the cybersecurity defenses on these devices more so than ever before; though this is good news, acting undersecretary of DHS’s National Protection and Programs Directorate, Robert Jamison, said that vulnerabilities of this type cannot be easily eliminated, rather they need constant monitoring and updates that tests like these can aid in.

Kiev, Ukraine

Though the cyber attack on the Idaho power plant was a staged event and not malicious in its nature, some grid attacks do not pan out so nicely. Just last month, an alleged Russian cyber attack was launched on a Ukrainian power grid in the country’s capital. This was the second year in a row where a holiday-timed cyber attack hit the Kiev grid. Vsevolod Kovalchuk, acting chief director of Ukrenergo, stated that a power distribution station near Kiev unexpectedly switched off early on a Sunday morning, leaving the northern part of the capital without electricity, adding that the outage amounted to 200 megawatts of capacity, which is equivalent to about a fifth of the capital’s energy consumption at night. He said there were only two possible explanations for the accident: a hardware failure or external interference; either way, regardless of which of these was the actual cause, it comes down to an inherent cybersecurity flaw.

Grid Vulnerabilities in the Modern Age

In the continental United States, there isn’t a single national grid; instead there are three major grids, (1) the Eastern Interconnect, (2) the Western Interconnect, and (3) the Texas Interconnect (in addition to the grids covering Alaska and Hawaii). As these electric grids come into the 21st Century through things like smart grids, which automate operations and ensure that components of the grid can communicate with each other as needed, cybersecurity needs to be even stronger in order to properly protect these grids. There are four major vulnerability areas in 21st Century electric grids (detailed below), and it is important for the U.S. to take note in order to properly prepare for future cyber attacks on power grids.

  1. Platform Configuration– This vulnerability comes from improper OS and application security patches maintenance, inadequate access controls, and unenforced password policies.
  2. Platform Software– This security flaw is similar to what businesses and individuals face daily, with cyber attacks such as DDoS, lack of intrusion detection and prevention, and malware/ransomware threats as well.
  3. Network Configuration– A grid experiences Network Configuration Vulnerability if network configurations or connections are not protected by something, specifically a hardware firewall. If there is nothing between the hackers and the network to protect it, it falls into this category. Also under this category are Network Perimeter Vulnerabilities which include any network leaks or insecure Internet connections.
  4. Network Communication– This vulnerability occurs when communication between people via devices connected on the network are compromised. This, like Network Configuration Vulnerabilities, is primarily caused by a leak in network security.

In their Quadrennial Energy Review, the Energy Department also stressed the importance of incorporating cybersecurity in these grids because of their impact on the Internet of Things.

Grid control systems now handle, sense, and control endpoints numbered in the thousands. Widespread DER/DR penetration implies that future grid control systems may have to coordinate millions of end point control devices to support grid functions. These devices vary in type, from digital sensors and smart boards built into transformers, to mobile devices used by field operators and grid control managers… Grid control systems must evolve from being centralized to a hybrid of central and distributed control platforms… grid security and reliability assurance concerns mean that Federal authorities must be included in designing 21st-century grid control systems.

Hailey R. Carlson | Axiom Cyber Solutions | 01/25/2016


Are you Vulnerable When it comes to Cybersecurity?

In the cyber world, we often hear about how everyone today is vulnerable to attack–be it businesses, individuals, or even nations–no one is safe from the cyber threats that run rampant today. Though we know generally what the term means, it is important for us to define what it means to be vulnerable in the context of cybersecurity.

So, what is cybersecurity vulnerability? Vulnerability is a term that refers to a flaw in a company’s system which leaves it exposed to and defenseless against the attacks of cyber criminals. A company is considered vulnerable when there are little-to-no protections between its data and malicious actors who want to steal that information. It’s like protecting your car from being broken into–if you leave it unlocked, it is much easier for criminals to get inside; by locking the vehicle, however, you make it that much harder for people to break in, and they will likely skip over your car to get into one that is easier to attack. Hackers often do the same thing when it comes to secure and vulnerable entities.

There are numerous flaws within a company that can leave it vulnerable, and among some of the most dangerous of these cybersecurity vulnerabilities are access control issues, buffer overflows, and social engineering.

Access Control Issues

Access controls are a major factor for any business’ operations in that they determine who is allowed to do what. This authorization is referred to as privileges (or permissions) which are access rights granted by the operating system. This can mean figuring out who is allowed into a company’s server room or determining who has access to private files that include sensitive client data.

If used properly, access controls can keep your business safe by not allowing certain information or locations to be easily accessed by everyone, even some employees within the company who simply do not need access to that information. If these controls are misused or not used at all, however, it can put your company data at risk by having control out of your hands.

Buffer Overflows

Buffer overflow is a very common cybersecurity vulnerability that is, unfortunately, also very hard to detect. A buffer is a reserved memory space; in a buffer overflow attack, an application that writes more data into a buffer than the space reserved for it is exploited into overwriting adjacent memory addresses, which the criminal can then use for his or her own purposes. Overwriting those adjacent addresses can corrupt the data stored there, damage it, and sometimes delete it as well. Thankfully this vulnerability is as hard for the hackers to carry out as it is for systems to detect.

Social Engineering

Social engineering is a focused attack which tries to trick users into divulging confidential information, such as organization secrets, or granting them access to private company computers without the victim’s knowledge. It is easier for cyber criminals to trick humans than to hack into your company through intricate code, so this is a common attack method for these malicious actors. There are multiple scams included in social engineering, but the most prevalent of this type of vulnerability appears in the form of phishing emails.

The best way to protect against a phishing email is to educate your employees on what to look for, including (1) an urgent request/deadline, (2) an embedded link within the email, (3) poor grammar or spelling throughout, and (4) the email appears to be coming from an unknown sender. Social engineering is different from other cybersecurity vulnerabilities in that it preys on the weaknesses and lack of knowledge in the human operators of computers, rather than entering the business through a flaw in the technology itself.
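The four indicators above can be turned into a simple screen that an awareness team can run over reported messages. This is an added example, not code from the post or from Axiom; the urgency terms, the misspelling list, the trusted-domain allowlist and both sample emails are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Added example (not from the post): a heuristic screen for the four phishing
# indicators listed above. Every term list, the trusted-domain allowlist and
# both sample messages are constructed for illustration.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "act now",
                 "will be suspended", "deadline")
COMMON_MISSPELLINGS = ("recieve", "verfy", "acount", "securty", "infomation")
TRUSTED_SENDER_DOMAINS = {"example.com"}  # constructed allowlist of known senders

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# The real href target and the text the recipient actually sees, for mismatch checks.
ANCHOR_RE = re.compile(r'href\s*=\s*["\'](https?://[^"\']+)["\'][^>]*>([^<]*)<',
                       re.IGNORECASE)


def _parse(raw_email):
    """Return (sender domain, raw body, lower-cased subject + body)."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    return domain, body, text


def mismatched_links(raw_email):
    """Anchors whose visible URL names a different host than the real href."""
    _, body, _ = _parse(raw_email)
    pairs = []
    for href, shown in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        if shown_host and shown_host != href_host:
            pairs.append((href_host, shown_host))
    return pairs


def phishing_indicators(raw_email):
    """Flag each of the four indicators from the post and count how many fired."""
    domain, body, text = _parse(raw_email)
    flags = {
        "urgent_request": any(term in text for term in URGENCY_TERMS),
        "embedded_link": bool(URL_RE.search(body)) or bool(mismatched_links(raw_email)),
        "poor_spelling": any(re.search(r"\b%s\b" % re.escape(w), text)
                             for w in COMMON_MISSPELLINGS),
        "unknown_sender": domain not in TRUSTED_SENDER_DOMAINS,
    }
    flags["score"] = sum(flags.values())
    return flags


def is_suspicious(raw_email, threshold=2):
    """Two or more indicators is enough to route the mail to the security team."""
    return phishing_indicators(raw_email)["score"] >= threshold


# Constructed sample: a lure that shows all four indicators.
SAMPLE_PHISH = """\
From: Security Team <alerts@bank-example-login.net>
To: employee@example.com
Subject: Urgent: verfy your acount

Dear customer,
Your acount will be suspended within 24 hours unless you verfy it now.
Click here: <a href="http://bank-example-login.net/verfy">https://bank-example.com/login</a>
"""

# Constructed sample: an ordinary internal notice that shows none of them.
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: employee@example.com
Subject: Monthly maintenance window

Hello,
The file server will be offline on Saturday from 02:00 to 04:00 for patching.
No action is needed on your part.
"""

if __name__ == "__main__":
    for name, mail in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(mail), mismatched_links(mail))
```

A screen like this only catches the crude lures the post describes; it is a teaching aid for the indicators, not a substitute for mail filtering.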

How to Reduce Your Company’s Vulnerabilities

Vulnerabilities are what cybersecurity companies like Axiom seek to reduce in businesses everywhere. As with anything in the cyber world, there is no silver bullet solution to keeping your company safe from its own network flaws; however, there are a few things you can do in order to reduce your company’s vulnerabilities:

  1. Educate your Employees– Employees can be your weakest link in regards to cybersecurity if they are not knowledgeable about looming threats and vulnerabilities–educate these employees, however, and you’ve got your greatest asset in the fight to stay secure. Not only should IT employees be well-versed in current cybersecurity vulnerabilities, but for all employees, from the highest level executives to the newest interns, cybersecurity education needs to be a company-wide mission. If an employee authorizes something that they are not aware is malicious, no firewall can say that it is not allowed; employees are the first line of defense in protecting your data.
  2. Run a vulnerability analysis– By running such an assessment, you can spot security holes and flaws that leave you vulnerable to attack. Generally this process first defines flaws, identifies them if they are present, and then classifies them into their proper categories. Once these existing threats are known to your company, you can take the necessary steps to secure your business in these areas. Knowing where you stand currently in regards to cybersecurity vulnerability can give you an idea as to whether or not your security defenses are where they need to be to give you the peace of mind that you are properly protected.
  3. Keep software security patches updated– These patches can remedy flaws or security holes that were found in your vulnerability analysis. For those who can be forgetful in keeping anti-virus and anti-malware software up-to-date, you can set up automatic updates to stay ahead of this security flaw.
  4. Back up and encrypt your sensitive data– Locate where your important data, such as names, social security numbers, bank account information, passwords, and other personally identifiable information (PII), is stored and make it as secure as you possibly can. By having backed-up copies of this sensitive information and then encrypting these files, hackers won’t even be able to use this data if they are sneaky enough to steal it.
  5. Talk to a professional– Taking on the task of securing your business can be a challenge, but you don’t have to go it alone. Many companies, particularly smaller businesses who lack an in-depth IT department, reach out to professionals to manage their cybersecurity defenses. Axiom Cyber Solutions is proud to be helping businesses of all sizes across the country to get and stay secure from those flaws that leave them vulnerable with our SecureAmerica Automated Threat Defense Platform.

All companies are vulnerable to attack–in fact IT professionals say it’s not a matter of if an entity will experience a data breach, but rather when. That being said, by implementing these steps above, you can make it harder for hackers to get to your private information and make yourself and your company less vulnerable to attack.

Hailey R. Carlson | Axiom Cyber Solutions | 1/17/2017

Cyber-Aware Employees: A Company’s Greatest Asset

Cyber security professionals often harp on the importance of businesses adopting the latest technologies–Next-Generation Firewalls, cloud-connected-everything, two-factor authentication, and much, much more– to protect their enterprises from attack; however, none of these defenses are effective in the least if their operators are not aware of the vulnerabilities and threats that face them. Who are these operators? Your employees–and they need to know how to protect themselves and your company from attack.

Employee error was cited as the number one cause of data breaches in 2015, and though a small portion of these might have been caused intentionally by malicious employees, IT pros believe that nearly 80% of breaches they deal with are caused by employee negligence and lack of cyber security knowledge. As Sir Francis Bacon and the characters on Schoolhouse Rock have taught us all, knowledge is power. It’s the kind of power that, when spread to others, makes us all stronger as a unit–and this applies to companies as well. You can strengthen your company’s overall cyber security defenses by educating your employees with these helpful tips:

Implementation of Password Best Practices

Almost every one of us could fill a Rolodex with the number of websites we subscribe to which require some sort of password to access the specific account, so it seems obvious that password security is a key issue when it comes to protecting yourself while online; however, in a world where ‘123456’ and ‘password’ still top the list as the most popular passwords, it is worth reviewing with your employees some of the ‘password best practices.’

  • Create unique, strong passwords for each account– Employees should create passwords that are longer than 8 characters, contain a combination of letters, numbers, and symbols, and do not contain “guessable” words and phrases, such as the employee’s username or the company name.
  • Change passwords often– Of those surveyed, 76% of employees are prompted by IT to change passwords on work accounts every 1-3 months. This not only allows current employees to protect their active accounts, but it gives the IT department the ability to detect dormant accounts, which are often the gateways that leave a company vulnerable to attack.
  • Require multi-factor authentication– In addition to passwords, many companies require their employees to enter another identifier in order to prove their identity. These include things such as a time-sensitive code, facial recognition, fingerprints, and even retina scans.
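The length, character-mix, “guessable word” and rotation rules in the list above are easy to enforce in code. This is an added example, not code from the post or from Axiom; the common-password blocklist holds the two passwords the post names plus constructed entries, and the username and company name it is run against are constructed.

```python
import string
from datetime import date

# Added example (not from the post): a checker for the password practices
# listed above. MIN_LENGTH follows the "longer than 8 characters" rule; the
# blocklist is the two passwords the post names plus constructed entries;
# MAX_AGE_DAYS follows the reported 1-3 month rotation window.
MIN_LENGTH = 9
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}
MAX_AGE_DAYS = 90


def _guessable_terms(username, company_name):
    """The username plus each word of the company name long enough to matter."""
    terms = []
    if username:
        terms.append(("username", username.lower()))
    for word in company_name.split():
        if len(word) >= 4:
            terms.append(("company name", word.lower()))
    return terms


def password_violations(password, username="", company_name=""):
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    lower = password.lower()
    if lower in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for label, term in _guessable_terms(username, company_name):
        if term in lower:
            problems.append("contains the " + label)
            break  # one guessable-term report is enough
    return problems


def password_is_stale(last_changed_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation window (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # Constructed username and company name for the demonstration.
    for pw in ("password", "Axiom2017!", "jdoe!2024x", "Tr0ub4dor&3"):
        print(pw, password_violations(pw, "jdoe", "Axiom Cyber Solutions"))
    print("stale:", password_is_stale("2017-01-01", "2017-04-15"))
```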

Training of All Employees

  • Have a cyber security plan–All companies should have a strong cyber security plan in order to protect their business. Many people think that the IT department of a company is the only place where people need to be well-versed in all that is cyber security, including knowledge of the company’s cyber security plans; however, the reality is that protecting a company on the cyber front is the responsibility of all employees. Pat Toth, a Supervisory Computer Scientist at NIST, said, “You can’t just rely on one person in a 10-person company; everyone needs to have a good understanding of cybersecurity and what the risks are for the organization.”
  • Educate everyone–Toth’s sentiment does not apply only to lower-level employees, or even solely to mid-level employees and below–everyone from the CEO on down to the newest employee should be knowledgeable, not only about the corporation’s cyber security plan, but also about current cyber threats and how to identify them.
  • Threat awareness & testing–Ransomware and DDoS have plagued companies more than ever in 2016, and the primary way attackers have gained access to private information has been through phishing schemes. Phishing occurs when impostors pose as reliable entities, such as banks, universities, or other well-known companies, via electronic communication, to solicit personal information which they can then use to steal people’s identities or infect their computers with malware. Employees receive emails with a suspicious link, and when they click on it, their computer is infected with malware that can either leak data from their own machine or give the hacker unauthorized access to vital information. It is important for corporations to train their employees to be able to spot such threats. Companies like J.P. Morgan have taken a different approach to training employees on this: they sent out fake phishing emails to employees shortly after training them on the scheme, and were able to trick 20% of their employees–a scary thought when factoring in the massive size of the company.
  • Secure handling of sensitive data–Employees need to know how to handle your company’s sensitive data. Be it digital encryption or hard-copy paper shredding, employees need to take every precaution when it comes to protecting your data. Though it is important for employees to do things such as back up information to an external hard drive, they are also responsible for making sure that the drive is not stored in an easily accessible place.

Promotion of Open Communication Among All Employees

If an employee finds a suspicious email in their inbox, they should feel comfortable verifying its validity with others. It is important for employees to be able to ask questions when they are in doubt, as this shows that they have paid attention during training sessions and don’t want to do something that would put the entire company in jeopardy. Promoting open communication about cyber security best practices among all employees will help them to learn from and teach each other, making every member of the company cyber-aware.

Educated employees are able to recognize threats, and they continually take simple steps that allow them to practice strong cyber security defenses–if you fail to teach your employees how to defend against attack in the first place, it is you, not they, who have failed the company. By making your employees cyber-aware, you can protect your business better than with any other piece of machinery. Employees don’t have to be tech savvy to be technologically responsible and aware of their impact on the company’s overall cyber security.

For more tips on how to keep your employees educated on the latest cyber security threats, read Employees: The Greatest Risk and Defense In Cyber Crime, written by Axiom Cyber Solutions President, Shannon Wilkinson.

Hailey R. Carlson | Axiom Cyber Solutions | 12/22/2016

Women in IT: Empowering Innovation

Throughout history, women have been fighting for the ability to pursue their dreams, and a major part of this pursuit has been the fight to be able to participate in the workforce. Women started heavily joining the workforce during 1954-1980; currently, 57% of adult women are a part of the labor force, and that number continues to grow. While this shows great progress for women determined to have careers, the mathematical and technical industries are still heavily male-dominated.

One industry where this gender gap is widely recognized is IT, with women making up a mere 26% of the available positions. This statistic is surprising because the cyber-world itself is struggling to fill positions with qualified individuals. By 2020, it is predicted that there will be 1.4 million jobs available in computing-related fields; however, U.S. graduates are on track to fill only 29% of those jobs, with women filling just 3%. Though this may seem disheartening, major companies like Apple, Google, and Microsoft are actively working to promote increased diversity in companies, as they recognize that the majority of workers in technology are white males. Studies show that hiring women in IT roles is beneficial to businesses, as tech companies with women in leadership positions have a 34% higher return on investment than their counterparts. This, coupled with the fact that 35% of young people interested in STEM (Science, Technology, Engineering, and Math) careers are girls, a number that grows each year, shows that there is hope for more women being a part of the future of technology.

Axiom Cyber Solutions President, Shannon Wilkinson, is featured on the cover of the latest issue of Las Vegas Woman Magazine as a woman of importance in the Las Vegas community, as a business owner, a woman in IT, and an example of a successful woman (read the full cover story here). In honor of her being both featured on the cover of Las Vegas Woman and an influential woman in IT, we decided to delve a little deeper into her experience in the technology world, what has aided in her success, and what she has to say to women with a similar career goal in mind.

How did you get into the IT field?

“The first time I used a computer was when I was in 5th grade and it was the beginning of my attraction to technology. My classroom received a donation of a computer and we were allowed to skip recess to use the computer and I spent many an afternoon waiting my turn to use the computer. Later in life, in college as I started to think about what I wanted to do as a career when I graduated, I realized that my idea of being a lawyer probably was not right for me and I should do something that I’ve always loved because I am a firm believer in the phrase “if you find a job you love, you’ll never work another day in your life” and the rest is history!”


What motivates you?

“I like to solve problems through the use of technology. America’s businesses are under constant attack by cybercriminals but for many, cybersecurity is a difficult and expensive endeavor. Through Axiom’s automated, intelligent, and innovative Threat Protection Platform that sits behind our firewalls, we are able to extend cybersecurity protection to all businesses that is easy to use and affordable.”

Do you find that you are treated the same as men in the industry?

“I personally have never felt any difference from being a female in the technology field. I’ve never accepted the idea that I couldn’t be successful in the technology field because I was female. I didn’t let the fact that I struggle with math due to numlexia (dyslexia of numbers) stop me from pursuing a university degree that required advanced mathematics because that meant giving up on myself and my dreams.”

What woman/women inspire(s) you?

“Both my mom and step-mom (who I just call Mom as well) both have inspired me throughout my childhood and adult life. By watching them dedicate their lives to their careers, I gained a respect for hard-work and witnessed the power of confidence in self. It is through seeing them be successful in life that I learned that there is nothing that can hold me back except myself. I had to believe in me before anyone else would.

If I had to pick a historical figure, I would pick Eleanor Roosevelt as one of my favorite quotes comes from her. “No one can make you feel inferior without your permission.” Again, that speaks to me about having confidence and trust in yourself.”

What is your favorite part about your job?

“I enjoy trying to find new ways to solve old problems so in short, the innovation. Our ransomware algorithm arose out of a company discussion about how to help stop the rising flood of ransomware attacks that were crippling businesses. We knew that there had to be a better way to stop ransomware and it took about two days but we came up with a way to stop ransomware from activating through an algorithm that lives in each of our devices.”

What advice do you have to young women considering a career in an IT-related field?

“Don’t play into the nay-sayers that will tell you that your gender will somehow prevent you from being wildly successful. Believe in yourself and your abilities. If something is hard, work at it harder. Never give up on yourself.”

As you can see, Shannon Wilkinson and women such as herself can do anything they set their minds to, both within the IT world and beyond. Though statistics on women in technology may be intimidating, it is clear that with the right attitude, determination, and perseverance, neither your gender nor any other factor will stand in the way of your success. If you’re interested in learning more about cybersecurity and what it takes to be in the field, please visit https://axiomcyber.com/.

Hailey R. Carlson | Axiom Cyber Solutions | 11/18/2016

The 2016 Presidential Candidates & Their Views on Cybersecurity

No matter which side you might fall on, we all can agree that this has been by far one of the most interesting political seasons to say the least.

As chaotic and controversial as this election has been, it all comes to an end next Tuesday, November 8th, when we will finally find out who will be our next President of the United States. This election is one of the most important yet, and it will surely go down in history as one that has been the basis for many discussions and disputes in the homes of Americans. Among the many issues discussed, cybersecurity has been a major talking point at many of this year’s debates and campaign rallies. Millennials have even weighed in, saying that a candidate’s position on cybersecurity is an important issue to them.

Being a technology-related topic, this is one of the newer issues that candidates must weigh in on that has not been involved in many previous elections. Because of this, many people may have questions surrounding this topic. To help answer some of these questions, below is more information on each of the candidates’ views on cybersecurity as well as their plans of attack, should they be elected.

Hillary Clinton


Former Secretary of State and 2016 Democratic Presidential candidate, Hillary Rodham Clinton, folds her cybersecurity plan into her broader national security goals. Clinton focuses her plan on combating what she claims to be foreign threats from countries including China and Russia, though she recognizes that there are domestic threats as well. She sees that cybersecurity will be of great importance if she were to be elected, saying, “[Cybersecurity is] one of the most important challenges the next president is going to face…” Clinton promises to stay ahead of cyber-threats, saying, “Our country will outpace this rapidly changing threat, maintain strong protections against unwarranted government or corporate surveillance, and ensure American companies are the most competitive in the world.” Clinton has outlined a few preliminary steps that would be crucial to her cybersecurity plans, and consequently, her overall national security plan as well:


  1. Promote cybersecurity by building upon the U.S. Cybersecurity National Action Plan and upgrading government-wide cybersecurity.
  2. Safeguard the free flow of information across borders to find alignment in national data privacy laws and protect data flows between countries.
  3. Protect online privacy and security through bringing together cybersecurity and public safety communities to work together on solutions that address law enforcement needs while preserving individual privacy and security.


Donald Trump


Well-known businessman and former television producer/host turned politician, Donald J. Trump, is the 2016 Republican Presidential nominee. Similar to his Democratic rival, he believes that the cybersecurity threat is not only real, but needs to be dealt with swiftly and with extreme precision. His overall view on the issue is well summarized when he says, “The scope of our cybersecurity problem is enormous. Our government, our businesses, our trade secrets and our citizens’ most sensitive information are all facing constant cyber-attacks.” During a campaign event in early October, Trump said that if he did become President, “…improving cybersecurity will be an immediate and top priority for my administration.” Though the candidates both agree that cybersecurity is a major threat, like most things, Donald Trump has a different view on how to handle it than Hillary Clinton:


  1. Order an immediate review of all U.S. cyber defenses and vulnerabilities by a Cyber Review Team of individuals from the military, law enforcement, and the private sector and have this Review Team provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats.
  2. Establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on various cyber-attacks.
  3. Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  4. Develop the offensive cyber capabilities needed to deter attacks by state and non-state actors and, if necessary, to respond appropriately to attack.

Third-Party Candidates

The third-party candidates also competing to become POTUS this year include Libertarian candidate Gary Johnson and Green Party candidate Jill Stein. Though the two have not participated in the televised Presidential debates, they each have a stance on cybersecurity. Johnson claims that he would keep federal government control of the Internet to a minimum, having “criticized the Patriot Act and cybersecurity legislation for allowing the government access into the lives of private citizens.” Jill Stein says that were she elected, she would plan to negotiate an international treaty banning cyberwarfare with the nation’s overall security in mind.

Go Vote!


Regardless of your stance in this political race, make sure that you exercise your right to vote! No matter which issues matter most to you, Americans throughout history have fought for us all to have the freedom to participate in this political process, and it is extremely important for each individual to go out and vote in this election in order to have his or her voice heard!

As Franklin D. Roosevelt once said, “Nobody will ever deprive the American people of the right to vote except the American people themselves and the only way they could do this is by not voting.”


Hailey R. Carlson | Axiom Cyber Solutions | 11/03/2016

Image source (pre-edit)

Password Security: The Most Basic and Essential Cybersecurity Defense

National Cyber Security Awareness Month (NCSAM) is being recognized for the thirteenth year in a row this October, and with this anniversary comes the reminder that enhanced cybersecurity defenses are necessary for everyone from large, multinational corporations all the way down to families and individuals. The overall theme of the month is that cybersecurity is our shared responsibility–meaning that it is not just the duty of IT professionals or CEOs to be cyber aware, but it is our collective obligation to act as a cohesive unit in the fight against cyber crime.

Many people become overwhelmed with the amount of information they are supposed to remember surrounding cybersecurity–“don’t click on this type of link,” “watch out for this sign of malware,” and so many more–but these issues cannot even begin to be addressed until we refine the most basic and essential cybersecurity measure of them all: strong password security. 

At this point in our technological age, everyone is well aware of passwords being of significant importance when it comes to safety and security on the Internet; though most may agree with this sentiment in theory, many are not implementing this idea in practice, despite being well-aware of the consequences.

The Myspace data breach from earlier this year left 360 million accounts’ passwords exposed on the Internet. Despite this massive amount of personal information now out there in the open, many people did not feel the same way about this breach as they might a breach of another website, primarily due to the fact that they had not visited the site since the prominence of Facebook and Twitter came about. Though many people may not have accessed that site in quite some time, some still use their Myspace password or one similar to it as passwords for other websites. Consequently, these dormant accounts with poorly secured passwords have left people vulnerable to a plethora of other attacks. Password security is an area of cybersecurity that needs to be taken much more seriously in order to avoid these types of threats.

Secure Password Tips

The average person today has a whopping 22 passwords just for their professional data, and that does not even include personal accounts like social media and private email. ‘Password hygiene’ is the active implementation of password security best practices, and some tips to keep your password hygiene squeaky clean include:

  • Do not use the same password for different accounts–Three-quarters of consumers use ‘repeat passwords’ across multiple platforms. When they do this, if one account is compromised, they leave all other accounts protected by the same password exposed to further attack.
  • Change your passwords often–By leaving passwords stagnant rather than changing them regularly, you make it that much easier for hackers and other cyber criminals to guess your password and gain access to your personal information. Forty-seven percent of people are securing their financial accounts online with passwords that have not been changed in five years, and this is extremely dangerous. In addition to changing your own passwords often for both professional and personal accounts, it is important for employers to avoid using default passwords when setting up accounts for new employees. Default passwords give criminals an open, unsecured door into your entire enterprise.
  • Never give out your password to anyone–When you share your password with even one other person, you are exposing your accounts that much further to cyber criminals. By being solely responsible for your own data, you can contribute to the NCSAM philosophy of security being our shared responsibility by being personally accountable for your own data.
  • Do not use easy to guess words or phrases in your password–Though you may sincerely love your dog or favorite band, it is important to be aware of what information people know about you that they can use to guess your password. Though you should not blatantly use ‘dictionary words,’ this idea can be a good jumping off point for coming up with more complex passwords. One way to do this is by being liberal about character substitutions, such as replacing “o” with “0,” “e” with “3,” or “i” with “!.”
  • When possible, utilize sites’ multi-factor authentication–Most websites now offer two-factor authentication, where your account is protected not only by a password but also by a one-time code you enter to verify your identity. This simple step takes a few minutes at most and can make a huge difference in your personal cybersecurity defense.
  • Use a password manager to make remembering passwords simple–A big complaint by most of us is that there are just so many passwords to remember across the different areas of our lives, and it can be very difficult to remember all of these when they are also meant to be intricate and hard for hackers to guess. One way to ease this burden is by utilizing a password manager. A password manager is generally a free database that you can download to your computer (often coupled with a smartphone application option) where you can store all of your passwords. When this is used, you only have to remember one complex password rather than your entire catalog of password information.

One of the biggest fallacies people believe surrounding cyber crime is “It won’t happen to me,” when in reality, it is likely that this will not be the case. A major philosophy of many cyber experts is that it is not a matter of if we will all be attacked online, but when. While this is a rather daunting thought, there are ways which we can lessen these chances, the most basic of which being securing our passwords. By coming together and taking this small step, we can be more accountable for our presence online as a whole, sharing the struggle of cybersecurity as our shared responsibility.

Hailey R. Carlson | Axiom Cyber Solutions | 10/21/2016

Image Source

Cybersecurity Fatigue: Overwhelmed by Online Security Issues

No matter what side of the political fence you fall on, you are probably exhausted by now with the constant 24-hour-a-day news cycle bombarding us all with ads for politicians on both the local and national scale. While this is a fairly common occurrence, as we experience this feeling every few years, many people are feeling a similar weariness, not seen before, when it comes to cybersecurity.

A new study published by the National Institute of Standards and Technology in partnership with the Institute of Electrical and Electronics Engineers has found that over 94% of people between 20 and 60 years old feel “overwhelmed and bombarded, and tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.” This exhaustion leads many people to flat out ignore security warnings, while others grow worn out by security updates and the ever-expanding grocery list of passwords which they must remember. These high levels of fatigue, coupled with many respondents’ claims of not knowing anyone who has been attacked and being skeptical that they themselves will be attacked, lead people to throw security and safety measures out the window, putting themselves and the companies they work for in danger of attack.

What websites can do to ease security fatigue

While users are often told to do something to combat security issues and cyber-crimes, this is exactly what is leading to their fatigue. Because of this, the study says websites and online services need to do a better job of coordinating how they approach security to lighten the load on users. A few ways they can achieve this are by:

  1. Limiting the number of security decisions users need to make
  2. Making it simple for users to choose the right security action
  3. Designing for consistent decision making whenever possible

These are some of the best ways we can combat security fatigue at the source, but one of the biggest issues raised from the study not resolved by these steps is that of password security.

Password security fatigue, solved

Many people in the study claimed that not only was having different, intricate, and long passwords for each site stressful, but trying to remember them all actually made them resort to the poor practice of using the same one for all sites. The average number of passwords per person today is 22, compared to just one not that many years ago, so it is easy to see how people can get overwhelmed when it comes to password security. The study says, however, that you are not supposed to remember all of your passwords; rather, you should use a computer password manager, which can store everything for you and even generate new, complex passwords, saving you even more time. With this, you only need to remember one password and then you have access to all others. KeePass is just one of the many password managers out there that is free, easy to install, and gets the job done. By simplifying password security, we can ease the stress put on ourselves by security fatigue.

What companies can do to ease security fatigue

In addition to websites and users, companies have a significant role when it comes to easing user security fatigue. There will continuously be a new variant of ransomware, a more intricate phishing scam, or some other threat posed to companies and their employees. With all of these threats imposing themselves on employees constantly, companies need to have clear, specific guidelines to show users what to do in the event they become exhausted by implementing cybersecurity best practices. By clearly going over what to do in various situations with set ‘plans of attack’, companies can prepare their employees by instilling good cybersecurity habits in them. “If safe behavior becomes habitual, then when we feel swamped by the craziness of the online world we will at least fall back into habits that have been designed to protect us, rather than put us at greater risk,” says the report’s co-author Mary Theofanos.

Security fatigue in America is a real thing, and it is a major threat to the future of cybersecurity. With websites, companies, and users coming together to ease this process, hopefully we can make the online world a little safer and a little less overwhelming.

Hailey R. Carlson | Axiom Cyber Solutions | 10/14/2016

Image Source