Investigating the Security is Hard Mantra

Security is hard. Ask any of the many companies that have been in the news recently. Every developer has heard this many times, and many have taken it to heart with little question. But with the recent versions of the .NET Framework, many of these security tasks have become rather trivial to code. It's important to share new insights and changes that will allow you to be more productive in the .NET world.

Security Is Hard 101

For example, securely hashing a password with PBKDF2 takes only a handful of lines:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    public string HashPassword(string password, string salt)
    {
        // Work factor: the PBKDF2 iteration count.
        const int PASSWORD_HASHING_ITERATIONS = 10000;

        // Rfc2898DeriveBytes is .NET's PBKDF2 (HMAC-SHA1 on this overload); the salt arrives Base64-encoded.
        using (var pbkdf2 = new Rfc2898DeriveBytes(Encoding.UTF8.GetBytes(password),
                                                   Convert.FromBase64String(salt),
                                                   PASSWORD_HASHING_ITERATIONS))
        {
            var key = pbkdf2.GetBytes(24); // 24-byte derived key
            return Convert.ToBase64String(key);
        }
    }

With these kinds of libraries and frameworks at our disposal, is security still something that's hard? After all, with those ten lines of code we have the beginnings of a login system.

Security STILL is Hard

Unfortunately, the answer is a resounding yes, as Ashley Madison has recently found out. After being hacked and...

Ransomware Background and Protection

Ransomware is malicious software that is covertly installed on a victim's computer. The intent is to hold your computer and files for ransom, rendering them unusable until you pay a ransom fee. We understand how to identify where the vulnerabilities are and the approaches that keep you from having to pay money to get your stuff back!

In The Beginning

The first known ransomware was called "AIDS", released in 1989. It used symmetric cryptography to encrypt the names of files on the victim's hard drive and demanded $189 be paid to the PC Cyborg Corporation to receive a repair tool. The flaw with symmetric cryptography is that the key could be extracted from the ransomware code.

In 1996, the idea of using public key (asymmetric) cryptography in ransomware was introduced by Adam Young and Moti Yung. In essence, the ransomware only contains the encryption key, so only the attacker can decipher it and then provide the symmetric decryption key to the...

Amateurs Hack Systems. Professionals Hack People.

Social Engineering

2015 marked an important year in the world of network security. For the first time, social engineering attacks outnumbered attacks on software vulnerabilities and exploits. This is a serious problem. Since January 2015, the number of victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion. The message to network security professionals is clear: hackers are targeting the weakest link in any security perimeter ... the end user.

What is Social Engineering?

For companies to stay productive, they need employees to be able to work from anywhere on any device, often collaborating with people around the world. This mobility drives not only the need for secure file sharing and email accounts but also a fundamental shift in our approach to computer security.

Social engineering happens when someone uses manipulation, influence or deception to get another person to release information or to perform some sort of action that benefits a hacker. Hackers will often take advantage of genuine...

Top Cybersecurity Threat Tactics You Need to Know About

Cybersecurity threat tactics are changing all the time. Protecting your information is the single greatest challenge in information management. It seems every week we hear about another attack on a large company. The hackers are getting smarter. Protection is critical. Everyone and every company is vulnerable.

Cybersecurity Threat Tactics | Our Insights

Tactic Number One: Spear Phishing

Spear phishing is a targeted email attack in which a hacker uses email to masquerade as someone the target knows and trusts. This is often as simple as copying the name of a CEO from a company website and then sending an email under that name to anyone on the company's corporate domain.

Spear phishing is the single most common (and effective) social engineering tactic. You've likely seen subject lines like these before and hopefully hit "delete" right away:

"Notice of pending layoff: Click here to register for severance pay."
"In an effort to cut costs, we're sending this year's W-2s electronically."

This may seem rudimentary, but hackers are getting...

Office 365 | Modernized Security Controls

Let's talk about advanced cybersecurity controls with Office 365. We call it modernized security. Who is ready? Here we go!

Identity is the new security boundary. For many decades, boundaries were dictated by traditional firewalls or routers. That was a simple life. Today, proper identity management is key to securing any environment. It used to be that we controlled what identities came into our networks and applications; it was our directory space. That's no longer true in today's multi-cloud, multiple-identity world.

Identity & the Dark Web

Most people associate the "dark web" with a murky underworld where users buy and sell illegal items, such as drugs, counterfeit passports, or weaponry. It has also proven to be a popular destination for users to traffic in stolen identity data, including banking information and online streaming credentials. As a result, the extent to which our private and financial data is readily available to anyone willing to pay for it is downright scary.

"In the not-so-distant...

Protecting Your Company With Cybersecurity

Ready for your cybersecurity assessment? In today's economy, businesses cannot afford to operate without an online presence. On the other hand, the moment you expand your reach into "the cloud," even if you limit your digital activity to email and a simple website, your private data becomes a target for cybercriminals.

Put Your Cybersecurity In An Expert's Hands

According to a report published by the Identity Theft Resource Center (ITRC) and CyberScout in January 2017, the number of reported data breaches in the United States rose from 780 in 2015 to a record high of 1,093 in 2016. In IBM's 11th annual Cost of Data Breach Study, the average consolidated total cost of a data breach in 2016 came to $4 million.

Underestimating the importance of cybersecurity can be financially devastating. Consequences can include lawsuits, server and website repair costs, increased public relations expenses, and loss of future business due to reduced confidence in your brand. Fortunately, there are some simple, internal measures you...

How To Avoid Phishing Attacks In Outlook and O365

Brandon Vigliarolo and TechRepublic, a leading technology publication, provide a compelling overview of how to avoid phishing attacks. Cyber-criminals are attacking the simplest forms of internet usage: your email and O365 software applications.

Avoiding Phishing Attacks

Cyber-criminals have turned to phishing. It's easy, you can hit lots of people at once, and even one response in a thousand could net a huge return. And they are hammering on your email and Office 365 software environments.

Option 1: Rely on Microsoft's junk mail filter

Outlook's junk mail filter is reportedly able to distinguish between spam, phishing, and legitimate emails and filter them accordingly, even disabling hyperlinks and the ability to reply to a message. While this is a great feature in both the 2013 and 2016 versions of Outlook, it still has its holes, just like any automated filter. The best way to make it effective is to specify junk mail criteria at the Exchange server level and push those...