Posts tagged security
It’s safe to say that your API keys represent the keys to your cloud kingdom. Anyone in possession of these API keys can access your applications, hardware, and other software in a given cloud environment.
API keys, or access keys as they are sometimes known, are necessary in today’s computing environments. They provide the means to pass credentials between a cloud provider and an enterprise.
Potential for Harm When Access Keys are Stolen
Access keys are created when an organization is first setting up its cloud management services, and a great deal of damage can be done if they fall into the wrong hands. This is not just a possibility; this scenario has happened several times in the past. A cyber attacker breached OneLogin’s databases after gaining access to a set of Amazon Web Services (AWS) API keys.
There is a definite need for collaboration between organizations and cloud providers. The benefits offered in such arrangements are powerful business enablers and can help keep enterprises afloat in a very competitive landscape. That being the case, there needs to be a very solid approach to securing API keys, so that they can’t be stolen and used in criminal ways.
Some companies have learned that hard-coding API keys into their applications is a big mistake, because these can easily be intercepted. Access keys can be coded directly into applications and scripts and then forgotten about. Then they are left sitting in the applications, available to the first clever cyber attacker.
Securing Your Company’s API Keys
Here are some of the best ways to secure your company’s access keys against criminal attack:
- Identify and list all keys – there are some very good discovery tools available, which can scan your entire cloud environment for any and all API keys that may have been left unprotected. After enumerating all these access keys, you should then check for any infrastructure weaknesses which may exist, and gather together all audit information related to key usage.
- Eliminate embedded access keys – after having found all hard-coded access keys stored in your executable scripts and software applications, remove them so no one can freely access them. It’s a good idea to also cut all direct access from your own employees.
- Make your API keys secure – protect your access keys by storing them in a secure data vault with strong access controls, so that only authenticated users and authenticated applications can gain access.
- Rotate API keys – change your access keys every so often so they don’t remain static for a long period of time.
- Apply least privilege principle – use the principles of least privilege in granting access to your secure API keys. Grant access only to those entities that need them to carry out their normal functions. Also, cut any redundant permissions which were set up for the account role associated with the API key.
- Automate securing your credentials – to avoid direct access by employees, make sure that all API key access to your digital vault is automated by whatever tools and scripts are necessary to carry the process out securely. Guarantee that API access to applications is secure by using application authentication and machine IDs where appropriate.
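The discovery, removal and rotation steps above can be sketched as a small check. This is an added example, not code from the original post: the file contents, the key inventory and the 90-day rotation threshold are constructed assumptions, and the key pattern relies on AWS access key IDs beginning with AKIA or ASIA.

```python
import re
from datetime import date

# Access key IDs issued by AWS start with AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Generic "name = 'long literal'" assignments that look like embedded secrets.
ASSIGNED_SECRET = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")


def redact(value):
    """Keep only enough of a key to identify it in a report."""
    return value[:4] + "*" * (len(value) - 4)


def find_embedded_keys(files):
    """Return (path, line_no, kind, redacted) for each suspected hard-coded key."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for m in AWS_KEY_ID.finditer(line):
                findings.append((path, no, "aws-access-key-id", redact(m.group())))
            for m in ASSIGNED_SECRET.finditer(line):
                if not AWS_KEY_ID.search(m.group(1)):
                    findings.append((path, no, "assigned-secret", redact(m.group(1))))
    return findings


def keys_due_for_rotation(inventory, today, max_age_days=90):
    """Return names of keys whose creation date is older than max_age_days."""
    return sorted(name for name, created in inventory.items()
                  if (today - created).days > max_age_days)


# Constructed sample input: placeholder values, not real credentials.
SAMPLE_FILES = {
    "deploy.sh": 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\naws s3 ls\n',
    "settings.py": 'DEBUG = False\nAPI_KEY = "0123456789abcdef0123456789abcdef"\n',
    "vault_client.py": 'import os\napi_key = os.environ["API_KEY"]\n',
}
SAMPLE_INVENTORY = {
    "ci-deployer": date(2024, 1, 10),
    "backup-job": date(2024, 5, 20),
}

if __name__ == "__main__":
    for finding in find_embedded_keys(SAMPLE_FILES):
        print(finding)
    print(keys_due_for_rotation(SAMPLE_INVENTORY, today=date(2024, 6, 1)))
```

The third sample file reads its key from the environment at run time, which is the pattern the scan leaves alone; findings are redacted so the report itself does not become another copy of the key.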
API Keys are Necessary, but Keep Them Secure
Securing access keys may seem like a hassle, but it should be remembered that there are enormous benefits to cloud computing. It should also be kept in mind that by establishing that kind of setup with a cloud provider, a greater attack surface is made available to criminal-minded individuals on the Internet, and great care must be taken to deter their efforts.
If a cyber attacker were to gain control of your company’s access keys, they could control your entire cloud infrastructure. That would allow this person to disable any security controls and steal any sensitive company data or customer data.
Your company can avoid this doom-and-gloom scenario by following the steps listed above. When access keys are properly managed and kept as secure as possible, you can have peace of mind about the threat of cyber attackers, and can focus on leading your business to sustained growth and success.
The government’s stance on the future of the internet has forced several states to take action. In preparation for a possible roll back on the Obama administration’s standing rules, states are making laws of their own. Nevada’s Senate takes the side of those who are for the protection of internet users by introducing Senate Bill 538. This bill hopes to protect the online privacy of Internet users by requiring websites to notify users when they are collecting personal data.
What Is the Bill Trying to Prevent?
The Republican-led government recently voted to roll back the FCC’s privacy regulations. These rules made it mandatory for internet service providers (ISPs) to get your permission before selling your personal data. The House of Representatives’ new bill would allow ISPs to collect and sell information about your browsing history and present users with unwanted advertisements. President Trump has made it known that he is in support of the resolution and plans to sign it.
Nevada’s Bill to Protect Internet Users
The state of Nevada hopes to keep the old rules alive by implementing their variation of the law. Nevada is not the only state either. Other states like Seattle are creating similar bills to protect online privacy, an act that shows their opposition to the current government landscape.
Senate bill 538 states that it is “AN ACT relating to Internet privacy; requiring the operator of an Internet website or online service which collects certain information from residents of this State to provide notice of certain provisions relating to the privacy of the information collected by the operator; and providing other matters properly relating thereto.” The bill also lists several rules that lay out what ISPs can and cannot do.
What Measures Are Consumers Taking?
Nevada’s new bill can potentially prevent ISPs from taking advantage of internet users. On the other hand, these rules don’t apply to the rest of the country. Informed consumers are taking matters into their own hands by investing in a VPN. A VPN is a way of hiding your activity from ISPs by encrypting your internet connection. Essentially, the only information that your ISP will see is you visiting the VPN, not your internet activity.
The problem with VPNs is that a good one is hard to find. Most VPNs are not as secure as one thinks. Some of these services have even been caught selling the very information that they are responsible for protecting. It is best to do extensive research before purchasing to find out about the company’s background.
The Future of Online Privacy
The FCC’s new Chairman, Ajit Pai, still seeks to move online privacy regulations to the FTC. Without ISP rules, the FCC is hoping that the providers will act in good faith, without betraying the trust of their customers. However, users believe that these service providers will take advantage of an unregulated internet. With many in disagreement with the Trump administration, we may see more and more states making their rules to protect online users.
Credit and debit cards are our most valued possessions. These tools give us access to our credit and bank accounts from anywhere, so it’s understandable that people want to keep them secure. When payment cards are stolen, thieves can gain the opportunity to take your money or increase your debt.
Card companies know the risk of fraud and people taking your private and personal information. That’s why they are always finding new ways to update the technology built in these cards. MasterCard unveiled its latest developments with the new fingerprint sensor-enabled payment cards.
Developments to Payment Cards
Payment cards have evolved over time. In the 1970s, financial institutions introduced the magnetic stripe, allowing us to use ATMs and process sales transactions without cash. The magnetic stripe is still used today, making purchasing items easier. More recently, card companies introduced the chip, which is the standard among Europay, MasterCard, and Visa.
While thieves and scammers can copy the magnetic stripe, they cannot copy the chip. Since the chip’s implementation, it’s become harder for scammers to steal and use payment card information.
Many people are already familiar with how to use a payment card. You swipe your card, and as an extra layer of security, you have to type your unique pin number. This pin prevents anyone other than yourself from using your card. Every method adds another layer of security so that only you can access your money.
New Fingerprint Sensors
Biometrics are the newest method of security for technology items. The most well-known adopters are phone makers. The newest smartphones use select fingerprints to provide quicker and more secure access to our phones. Now MasterCard is ready to introduce the technology into their payment card.
The new cards will still keep the magnetic stripe and chip. However, they will add a digital fingerprint scanner. Before issuing your card, your bank or credit card institution will store an encrypted digital template of your fingerprint on the chip. You have the ability to add two separate prints to the card; however, they can only be yours.
Engadget recently had a chance to demo the chip and noticed positive results. You simply insert your card, put your finger on the scanner, and your purchase is complete. Editors at Engadget report that the process was fast and efficient. The card is also no different in size and shape from the general credit or debit card that you carry in your wallet.
The cards are currently available in South Africa for now. MasterCard plans to have the card debut across the world by the end of this year. As a result, we will most likely see banks and other financial institutions implement and distribute these cards to their customers soon after. In the end, the updated technology makes customer financial information safer. The new cards will also save these institutions money they would otherwise lose trying to solve fraud incidents. Hopefully, we will see the cards soon.
Focus on software and cloud-based technology is important, but hardware security is still the strongest line of defense against a cyber-attack. Software tools such as antivirus are not as effective as hardware-based security. Altering hardware is more difficult. The physical component, therefore, eliminates the possibility of malware being installed. The use of processors is what keeps things secure.
There are reasons to find alternatives, but doing so could prove to be costly, because the first step to preventing a cyber-attack is strong hardware.
Software Security Vs. Hardware Security
Software encryption programs are more cost effective and easy to use. But the security that software provides is only as good as the operating system. A lapse there can easily compromise the security provided by the encryption code. Hardware security is what keeps sensitive data the safest.
Companies Investing in Hardware
Many leading developers have noticed a growing need for hardware because of its effectiveness. IBM recently unveiled their z13s mainframe and have called it the most sophisticated computer system ever built. They assure users that the z13s is able to encrypt data twice as fast as previous generations without compromising performance.
Developing stalwarts of encryption will help in a myriad of ways. Several other companies have been looking to stop cyber threats with hardware, on both a big and small scale. For example, CyberInc’s Isla looks to eliminate all browser-borne malware, while IronKey intends to deliver secure USB storage solutions.
The Need for User Awareness
User awareness is arguably as important as anything else mentioned in this article. If someone doesn’t know how to properly handle the hardware or software they’re using, this could lead to a big problem. Users who are more aware of what’s out there behave more responsibly and take fewer risks with valuable company data.
Cybersecurity continues to be a concern. But hardware security is revolutionizing how viruses and malware are combated. Paying attention to this sector will pay dividends for users everywhere.
Photo apps are the social media platform most vulnerable to attack. By nature, they tend to have the most sensitive material. Worry grows among Snapchat and Instagram users because of this. As shown over the years, when a hacker is able to gain access to such sensitive material, it proves to be very damaging.
Users of photo apps would be wise to take as many preventative measures as possible. Storage location, the rise of location-specific information, and changes in an app’s terms of service do not help security. Developers need to do more. As it stands, too many users are vulnerable.
Security Flaws Made by Developers of Photo Apps
Neither Instagram nor Snapchat has end-to-end encryption. Both apps communicate primarily through pictures. Making sure the sender and recipient are the only ones able to see the messages should be a priority. Not having end-to-end is a problem.
Snapchat has also changed its terms of service recently. These changes now allow them to store and share information with third parties and their affiliates. Considering how the initial appeal of Snapchat was that all messages and photos vanished after a brief period of time, this upset users.
Security Measures for All Users
It’s highly suggested to take advantage of the phone software and security apps protecting a user’s photo access. With iOS 8, Apple made it possible to hide pictures on iOS devices. This is achieved by simply putting them in a designated folder. Additionally, apps such as HiFolder allow users to store private images locally in its password-protected vault.
Those measures only work for a phone’s internal storage of photos, however. For photo apps, users must take matters into their own hands. Linking an account to another social media platform like Facebook or Twitter is a big risk. As is using anything in the app that requests location. Being aware of which followers can be trusted is also necessary.
Most social media apps could stand to beef up their security as it stands. Because of their history of getting hacked, security for photo apps is especially important. More preventative measures by both developers and users must be in place.
Designed to provide free Wi-Fi for an entire city, Municipal Wireless Networks span further than an ordinary public hotspot provided by a local business. These networks are intended to help a wide variety of people stay connected, especially if they otherwise do not have the means to do so. Roughly 80 cities in the United States already have citywide Wi-Fi programs in place.
Advocates for Municipal Wireless Networks cite the need for available internet access for all citizens. However, there are many who worry about the lax security that comes with any public Wi-Fi. Unreliability among hotspots offered at local stores is common knowledge at this point. The lack of security leaves users susceptible. Most hackers prefer working remotely, which does somewhat limit the risk. But users have also learned which sites to use and not use when on public networks.
Municipal Wireless Networks allow access citywide, though. The reach afforded to a hacker here is sprawling. Is this something that could put you at risk?
Precautions in Place for Municipal Wireless Networks
Infosec institutions warn users of the fragile nature of Municipal Wireless Networks. They also give a list of measures that need to come standard with each of them: firewalls, intrusion prevention systems, and intrusion detection systems are all necessities.
For newer citywide wireless networks, like the kiosks in New York City, a private option is being made available. The private network is more secure but has requirements that are mostly only available to the latest iPhones and iPads. New York City plans for these kiosks to be as widespread as payphones once were, with more than 7,500 across all 5 boroughs. Based on the available security options, that could do more harm than good.
Municipal Wireless Networks are well-intentioned services that come with a great risk. If your city has one, proceed with caution and only use them for casual browsing.
Is Your Educational Institution Protected from Cyber Terrorism?
When we think about major hacks and cyber terrorism, usually places like banks and governments jump out. For example, in one recent incident, a foreign nation possibly spied on the US, and the FBI doesn’t know what information may or may not have been accessed. Of course, any time money is involved, a hack becomes a big deal, which is why we think about banks. But one of the most affected sectors seems to get the least attention.
Statistically, what four sectors are most frequently breached?
• Financial (insurance, investments, real estate, etc.)
Did you notice government and banks are not on the list, but educational institutions are? So what’s the big deal when schools get hacked? Isn’t it just kids stealing test scores or changing grades? Maybe this is true in the movies.
In real life, educational facilities are the number 5 location for lost data, which leads to fraud and identity theft. School cyber terrorism is fast becoming an issue.
Schools get hacked for the same reason other industries are targeted. Schools keep personally identifiable information (PII) on students, and private schools, like universities, may also have financial information. Statistics show that while only 3 out of 10 educational facility hacks are after school records, 8 out of 10 result in the theft of PII.
Why Are Schools an Easy Target?
Most hackers are opportunists, and actually, schools remain fairly easy to hack. Why? Most schools are online now because it has become a major part of teaching. Records are also readily accessible online. However, schools often do not have the experienced IT department of major banks or the government. Malware, easily downloaded accidentally by students or teachers, remains one of the main ways in for hackers.
How Can Your Educational Facility Protect Itself?
It is time to develop a strategy for warding off cyber-attacks. At some point, it may become necessary to outsource network protection. Some of the important keys are:
• Monitoring tools designed to help identify problems
• Minimizing the number of logins with full access to records
• Regular updates and patches
• Education for teachers and students to reduce malware, spyware, and trojan downloads
• Anti-malware programs for auto-detection and protection
• Strong passwords
• A network firewall