Posts tagged with "cybersecurity"

Graph via BeyondTrust.com for Atlas VPN for use by 360 Magazine

In 2020 Number of Vulnerabilities in Microsoft Products Exceeded 1,000 for the First Time

Microsoft products are used by billions of people worldwide. Historically, however, they are known to have many vulnerabilities that pose security risks to users of the software.

According to data presented by the Atlas VPN team, the total number of vulnerabilities in Microsoft products reached 1,268 in 2020—an increase of 181% in five years. Windows was the most vulnerability-ridden Microsoft product. It had a total of 907 issues, of which 132 were critical. However, Windows Server had the largest number of critical issues. In 2020, 902 vulnerabilities were detected in Windows Server, of which 138 were critical.

Issues were also found in other Microsoft products, such as Microsoft Edge and Internet Explorer. Together, these browsers had 92 vulnerabilities in 2020, and 61 of them, or 66%, were rated critical. Meanwhile, Microsoft Office had 79 vulnerabilities, 5 of which were critical.

Ruth Cizynski, cybersecurity researcher and author at Atlas VPN, shares her thoughts on the situation:

“These numbers are a massive problem because every Microsoft product has millions of users. Therefore, it is important that consumers update their software applications on time. Software updates can include security patches that can fix vulnerabilities and save users from getting hacked.”

Elevation of privilege is the most common Microsoft vulnerability

A wide range of vulnerabilities was discovered in various Microsoft products last year. However, some types of vulnerabilities were more common than others. Elevation of privilege was the most frequently detected issue in Microsoft products. It was discovered 559 times and made up 44% of all Microsoft vulnerabilities in 2020.

Next up is remote code execution. In total, 345 such vulnerabilities were found last year, putting it in second place on the list. Remote code execution accounted for 27% of the total number of Microsoft vulnerabilities in 2020.

Information disclosure occupies the third spot on the list. There were 179 such issues discovered in 2020. Together, they made up 14% of all Microsoft vulnerabilities that year.


Cybersecurity illustration by Heather Skovlund for 360 Magazine

Amazon × MGM Studios Merger

Amazon announced that it will acquire MGM Studios for $8.45 billion in an effort to bolster its already growing Amazon Studios. The deal is the second-largest acquisition in Amazon’s history, following its $13.7 billion purchase of Whole Foods in 2017.

According to cybersecurity expert Mark Stamford, CEO of OccamSec, a deal of this scale will require a complete review of the combined cybersecurity infrastructure, as the process of fully merging such entities is rarely completed in the expected timescale.

Mark continues:

  • The standard “merger” due-diligence template goes into great detail looking at financial & legal status issues, but rarely seems to consider the potential liability associated with linking into an organization with a seriously compromised infrastructure.
  • Trying to coherently map risks or produce an enterprise security plan for this type of environment is incredibly challenging when multiple systems are coming together.
  • With such notable deals, most attackers reside within the organization’s network for over 100 days before discovery, so there is a very real risk of starting work on merging infrastructure whilst being observed by an interested resident attacker, who will be keenly looking out for an opportunity to vector into the core organization’s networks.

Mark says, “Exercising strategic due diligence during a merger or acquisition is the most effective way for any organization, like Amazon, to protect itself from cyber threats.”

We had the opportunity to ask Mark Stamford some questions about the merger and to get his expert opinion:

Q: What changes can be expected with a merger like the Amazon/MGM Studio merger?

MS: The merging of two different cultures always prompts a lot of changes. In this case, MGM is going to become more like Amazon than the other way round.

Q: Do the benefits outweigh the risks with this type of merger?

MS: Yes, I assume so. From a cyber perspective, the main risk is joining two networks together that have different structures, and probably issues. So, for example, I was called in to help with some M&A work once; the new network was plugged in… and brought a heap of malware with it, which quickly spread into the acquirer’s network. It later transpired that some of the IP, which was the very reason for the merger, had been stolen.

Q: What challenges is Amazon, an online retailer, facing when merging with MGM Studio?

MS: Both operate in different ways. The majority of movie-making companies seem to follow the “if it ain’t broke, don’t fix it” mantra. So, technology tends to be a hodgepodge, along with processes, etc. Amazon, meanwhile, is a tech company, and while primarily known as a retailer, it has a considerable presence in the cloud (with AWS), so it has a lot of cutting-edge technology at its disposal.

Q: What are some ways to help the process move along with ease?

MS: Again, from a cyber perspective, there needs to be due diligence done on the MGM environment. At the same time, since both organizations probably have a range of security tools, seeing who has the best tool for the job can save money in the long term.

Also, not to be discounted is the human element in cyber security – any merger results in layoffs. So, the potential for a “disgruntled insider” increases. The way to help with that is communication – not more monitoring.

Q: How can Amazon prevent cyber-attacks during the process of the merger?

MS: MGM makes a nice target right now, since at some point their technology will be integrated into Amazon, and if I was a bad guy, I would assume they are the softer target of the two. Amazon should work with MGM to ensure their security is at a “good” level, and work on the integration aspects – two distinct cyber security teams need to become one, quickly.

Q: In your opinion, does Amazon face cyber risks from vendors or third parties with the onset of the merger?

MS: I think Amazon always faces this risk, as does everyone. Since the organization is increasing in size, the “attack surface increases,” so yes, they do face risks.

Q: What are the biggest cybersecurity threats at the moment?

MS: Motivated attackers, be that nation states, criminal groups, hacktivists, or others. Ransomware is getting a lot of press right now. However, I think the biggest threat is the endless cost spiral companies are trapped in trying to deal with this.

Q: What are some ways to ensure that the infrastructure is not compromised?

MS: Defense in depth continues to be the key. Layers of security, which work together, and consider the context of the organization (how it makes money or delivers its service) in order to support that mission. I assume Amazon will expand their cyber security program across MGM fairly quickly, which checks a number of boxes and provides a good starting point.

One issue may be that a movie studio faces different kinds of attackers than Amazon. Movie studios are primarily about their IP; everything else always seemed to be secondary to that. Stealing a movie is a different attack than ransomware, which we have seen borne out in practice (various insider attacks to steal content, for example).

Q: What are your certifications in the cybersecurity field?

MS: I have been involved in cybersecurity since I was 11. I was a senior penetration tester for a global consulting company, ran a security program at a global investment bank, and have been running a security company for 10 years.

Q: What does effective cybersecurity look like to you?

MS: Cost effective, business aware, and layered.

Graph via Sophos for Atlas VPN for use by 360 Magazine

India, Austria, and US Most Hit with Ransomware

Ransomware attacks are one of the leading cyber threats that organizations have to face.

According to the data presented by the Atlas VPN team, organizations in India, Austria, and the United States are among the most hit with ransomware attacks. To compare, more than 50% of companies in the mentioned countries experienced such attacks in the past year, while the global average is 37%.

Out of 300 interviewees from India, 68% suffered from a ransomware attack. At the same time, 57 out of 100 respondents from Austria experienced a ransomware attack in the last year. Next up, in the United States, 51% of participants, out of 500 questioned, reported that they were hit with a ransomware attack.

Retail and Education Sectors Suffer the Most Ransomware Attacks

Some organizations in specific sectors are more susceptible to hacker attacks due to their lower security levels or valuable data. However, cybercriminals do not shy away from attacking even the biggest companies or government administrations.

Out of 435 respondents in the retail industry, 44% were hit with a ransomware attack last year. Hackers strike retailers when it could hurt them the most, for example, during Black Friday or the Christmas season.

Retailers share first place with education organizations: out of 499 education interviewees, 44% experienced such malicious attacks. Cybercriminals usually deploy ransomware attacks at the start of a school year to cause maximum disruption.

The business and professional services industry suffered the third most ransomware attacks, with 42% of 361 respondents stating they experienced a ransomware attack in the past year. Companies in this industry are usually smaller with fewer staff, meaning they might not have a dedicated person to ensure security. Out of 117 participants in the central government and non-departmental public body (NDPB) sector, 40% reported being attacked with ransomware in the last year.

Conclusion

Anton Petrov, cybersecurity writer and researcher at Atlas VPN, shares his advice on how to protect your organization against ransomware attacks.

“Prepare a plan in case you… get hacked. Always have a backup of your data so you don’t have to pay a ransom. Investing in cybersecurity will cost you less than having to deal with the aftermath of a ransomware attack.”

As with everything else, there’s a way to protect your data in order to make sure hackers don’t get to it and cause serious financial damage.

Purdue × Abu Dhabi work on cybersecurity of drones

By Jim Bush

Abu Dhabi has intentions of making the city a leading hub for technology and innovation in the Middle East.

Part of that evolution is utilizing unmanned aerial vehicles (UAVs), or drones, to assist with as many tasks as possible, from delivering packages to aiding in police operations to helping investigate crashes on highways to delivering high-value transports, like organs for transplant.

With autonomy, though, comes risks of hackers and complications between interacting agents.

A group of Purdue University researchers has been tasked with making sure drones and their systems can operate securely, safely and efficiently in the United Arab Emirates capital. Inseok Hwang, a professor in the School of Aeronautics and Astronautics, is principal investigator on a three-year, $2.3-million grant from the Technology Innovation Institute in Abu Dhabi to study the application of secure drone swarms in urban environments.

The project requires expertise in autonomous vehicles, control, sensing, virtual reality and security. James Goppert, a visiting assistant professor in the School of Aeronautics and Astronautics and managing director of the UAS Research and Test Facility, and Dongyan Xu, the Samuel D. Conte Professor of Computer Science and director of CERIAS (Center for Education and Research in Information Assurance and Security), Purdue’s cybersecurity research and education center, are co-principal investigators on the project.

“We will address this problem in a highly integrated, interdisciplinary way,” Hwang said. “We will consider it from the program level to the high-level network of systems, so we accomplish the hierarchic way from the very detailed lower level, the software and hardware level, to the large network of vehicles and from the single vehicle to multivehicle. So it’s multidimensional. That’s one of the unique pieces of this project.”

The project will utilize one of Purdue’s unrivaled assets, the UAS Research and Test Facility. The 20,000-square-foot, 35-foot-high facility, located at Hangar 4 of the Purdue University Airport, features the largest indoor motion capture system in the world and offers unique capabilities for novel research.

Goppert will build a mixed reality environment, combining a virtual reality urban environment with a scaled physical model of the city. The drones will fly and navigate the city, and the environment can be programmed to simulate a wide range of settings, including weather, traffic and urban development, to test the drones’ applicability and agility. The testing will be done with single vehicles as well as swarms, which could include 10 drones.

Hwang said he hasn’t seen any research done using mixed reality to this scale. Neither has Goppert.

“Our unique capability is that we have such a large environment to do it,” Goppert said. “Just running so many vehicles at once is going to be a challenge. In the past, several vehicles have been used. But if we’re going to be running swarms where each vehicle needs a rendered virtual mixed reality image, that’s going to be really computationally challenging. That’s what we’re pushing forward.

“We thought we could try to bring it as close to real-life as possible to get as many of the bugs worked out before they actually deploy such a system. We can do it all in software, but there’s an added advantage in bringing it closer to reality by making some of it actual robots.”

Hwang and Xu will have a multitiered approach from the cybersecurity and robustness standpoint. Xu will investigate from the cyber perspective of security, encryption, authentication and peer-to-peer communications. Hwang will develop a mathematical model and use the control theoretical solution approach, assessing potential cyberattacks on the systems and working to design a controller in such a way that the system becomes more resilient to attacks.

“This project reflects exciting synergies between two areas of technical excellence at Purdue: aeronautics and astronautics, and cybersecurity,” Xu said.

Ultimately, all of the research will be integrated and pieced together around the state-of-the-art test bed, which could happen toward the end of the second year of the three-year grant.

With a variety of drones tasked with different assignments, “how do we make sure they play well together?” Goppert said. “We’re trying to simulate that within our facility.”

About Purdue University

Purdue University is a top public research institution developing practical solutions to today’s toughest challenges. Ranked the No. 5 Most Innovative University in the United States by U.S. News & World Report, Purdue delivers world-changing research and out-of-this-world discovery. Committed to hands-on and online, real-world learning, Purdue offers a transformative education to all. Committed to affordability and accessibility, Purdue has frozen tuition and most fees at 2012-13 levels, enabling more students than ever to graduate debt-free. See how Purdue never stops in the persistent pursuit of the next giant leap at https://purdue.edu/.

Rita Azar Illustrates an Eyewear Article for 360 MAGAZINE

Luxottica Hacked

By Justin Lyons

According to Italian press sources, Luxottica was the victim of a cyberattack Saturday.

Luxottica owns eyewear brands like Oakley, Ray-Ban, Coach, Chanel and Versace as well as retail brands like LensCrafters, Sunglass Hut and Target Optical. It is the largest eyewear company in the world with more than 80,000 employees.

SecurityOpenLab, an Italian cybersecurity site, said its sources confirmed Luxottica offices suffered a complete system failure due to ransomware attacks, shutting down operations in Italy and China.

SecurityOpenLab also said union sources confirmed that workers received an SMS message saying the second shift on Sept. 21 had been suspended.

Users began reporting an inability to reach sites for LensCrafters, Sunglass Hut, Ray-Ban and other Luxottica brands on Saturday. It was also reported that One Luxottica, a user portal for the company, was down, but it appears to be up again at the time of writing.

BleepingComputer spoke to Bad Packets, a cybersecurity firm, which told them Luxottica used a Citrix ADC controller device vulnerable to CVE-2019-19781, a flaw in Citrix devices.

This flaw is exploited by ransomware actors because it provides network access and credentials that are then used to infiltrate a network more deeply.

Luxottica took the servers for its eyewear brand websites offline. While websites for Oakley, Ray-Ban, Coach and more are accessible now, a manager at a LensCrafters storefront told 360 MAGAZINE that the Ciao operating system crashed Saturday and that they still have little to no ability to process insurance or complete transactions.

Though Luxottica has not made a public statement, the same source told 360 MAGAZINE that IT support was unavailable while systems were down. LensCrafters is currently logging orders for a later date when systems are back up.

360 was also told that LensCrafters will offer 50% off frames and lenses for the inconvenience to customers.

Highest Cybercrime Risk Countries

Although developed countries are better prepared to tackle statewide cybersecurity challenges and have better IT education, that has little impact on cyber threats on an individual level. According to the new global Cyber Risk Index, cybercriminals tend to target people who have higher incomes and spend more time online.

According to the Cyber Risk Index, if you live in one of these countries, you are a more attractive target for cybercriminals:

1. Iceland
2. Sweden
3. United Arab Emirates
4. Norway
5. The United States
6. Singapore
7. Ireland
8. New Zealand
9. Denmark
10. The United Kingdom

NordVPN lists ten countries whose residents are the most enticing targets for cybercriminals according to the Cyber Risk Index, which covers 50 countries.


IAITAM: Cybersecurity Risks for Companies

IAITAM: TOO MANY COMPANIES, AGENCIES WITH VULNERABILITIES “WIDE OPEN TO ATTACK” FROM BREACHES DURING COVID-19 STAY-AT-HOME SHUTDOWNS

After Issuing Repeated Warnings, IAITAM Highlights 4 Biggest Problems Happening Now.

Today, the International Association of IT Asset Managers (IAITAM) is warning that breaches of corporate and government data appear to be running at a level even higher than experts had feared going into stay-at-home orders due to COVID-19.

Last month, IAITAM repeatedly warned of “nightmare data risks” for unprepared government agencies and companies, especially as end-of-month billing procedures were being carried out remotely.

IAITAM President and CEO Dr. Barbara Rembiesa said: “We anticipated that things would get bad. Companies and agencies may be hoping and praying they are safe, but the work-from-home environment has created a multitude of opportunities for leaks. Too many organizations have left themselves wide open for attack. Understanding the pathways for access within a company’s data network is a valuable lens for businesses and agencies to avert leaking their own assets.”

Based on its preliminary analysis of early published reports, IAITAM is breaking down the biggest problems into four categories:

1. Assets left insecure – An intentional decision to make devices less secure to allow for work-from-home (WFH) use. One example would involve removing admin permissions so that employees can complete tasks without administrator oversight. Another would be allowing the use of “unpatched” business computers, which let hackers load malicious files with admin privileges. In some cases, companies with high-end virtual private networks (VPNs) pre-loaded on business computers are allowing people to work from home on personal devices, either with no VPN or with a lower-end VPN that may be less hacker-resistant.

2. “New” assets created – More and more reports are emerging of companies purchasing new devices or technology to accommodate employees working from home. In one case reported directly to IAITAM, a national health care company ordered 9,000 new laptop computers from a major online company and gave its IT department less than a week to prep the new machines and deliver them to users, who had little or no time for training and other security-related instruction. The concern: the more corporate assets you have, the higher the risk of intrusion. Each asset becomes a doorway or entry point for a breach, particularly when it (or its user) is underprepared. IT Asset Managers help with this by providing the data necessary for corporate security teams to know what exists, where it exists, and what is on the device.

3. Assets now insecure in at-home environments – Many company devices were deployed into a WFH situation quickly, leaving little time to ensure that they would be secured via a virtual private network (VPN) or other means. Just last week, school districts in Oakland and Berkeley, California, unwittingly became accomplices in their own data breach by accidentally making Google Classroom documents public; the documents contained access codes and passwords for Zoom meetings, as well as students’ names and comments.

4. Employees unwittingly inviting in the intrusion – Human error allows for mistakes and creates vulnerabilities (e.g., clicking on phishing emails or downloading malware). Google reported last week that it is stopping 18 million coronavirus scam-related emails every day, many of them targeting cash-strapped businesses looking for loans or other capital. An internal memo from NASA on April 6 revealed that increased cybersecurity attacks had been directed at its employees working remotely. These phishing attempts were disguised as appeals for help, disinformation campaigns or new information about COVID-19, to gain login credentials or install malicious software. This is a prime example of how an employee could unwittingly invite in an intrusion. IT Asset Managers are at the forefront of education and communication campaigns within organizations to help teach end users what they should and should not be doing.

Even companies that do not make a mistake themselves could still find themselves the victim of a coronavirus-related breach. Earlier this month, the Small Business Administration experienced a glitch with a coronavirus loan relief fund platform that publicly leaked the personally identifiable information of business owners across the nation.

The good news is that most or all of these issues can be mitigated with proper IT asset management (ITAM). Professionals in the ITAM industry facilitate corporate asset protection. Uncovering the vulnerabilities now, and then putting an action plan into place will save companies money in the end. If companies and businesses act now, they can turn today’s crisis into tomorrow’s opportunity.

IAITAM President and CEO Dr. Barbara Rembiesa recently went on camera to share more about what companies and government agencies should be doing.

ABOUT IAITAM

The International Association of Information Technology Asset Managers, Inc. is the professional association for individuals and organizations involved in any aspect of IT Asset Management, Software Asset Management (SAM), Hardware Asset Management, Mobile Asset Management, IT Asset Disposition and the lifecycle processes supporting IT Asset Management in organizations and industry across the globe. IAITAM certifications are the only IT Asset Management certifications that are recognized worldwide. For more information, visit www.iaitam.org.


The (Predictable) Rise of Internet Crimes During the Coronavirus Lockdown

Everyone be careful! Don’t let the boredom of home-sheltering entice you to commit a fatal mistake. Don’t use your computing device (computer, tablet, phone, etc.) to engage in criminal activity. Don’t access your spouse’s phone or email without permission, don’t let frustration or anger cause you to send harassing or threatening messages to others, don’t think online sports betting is legal, and most certainly, let the draconian penalties of incarceration for accessing child pornography sites or illegally infringing copyrighted materials be strident warnings to steer clear.

We are speaking about Internet crimes today with renowned federal criminal defense attorney Dr. Nick Oberheiden. Attorney Oberheiden represents clients who are facing investigations for alleged Internet crimes conducted by the Federal Bureau of Investigation (FBI), the U.S. Justice Department (DOJ), the U.S. Department of Homeland Security (DHS) and other federal agencies in cases across the United States.

Q. Dr. Oberheiden, just to start easy, what exactly are Internet crimes?

A. The concept of online crimes (or Internet crimes) has changed over time. Originally, Internet offenses were considered those that could only be committed with the help of a computer, such as hacking someone else’s computer system. Today, the general definition of online crimes has broadened to include any offense that was committed with the help of a computer, irrespective of whether a computing device was essential or not. Drug trafficking and prostitution are two such examples. Technically, in order to sell drugs or to agree to illegal prostitution, you don’t necessarily need a computer. People have dealt drugs and engaged in prostitution forever, face-to-face on the street. However, nowadays an increasing number of these types of offenses and transactions also include the utilization of cell phones and computing devices when it comes to organizing deals and selecting people for criminal conspiracies, which can add more severe penalties at sentencing. When computing devices are a platform to commit a crime, you can consider the underlying offense an Internet crime.

Q. So, under this definition, blackmailing and extortion or electronic harassment would also count as Internet crimes?

A. Yes, that’s correct. Anytime someone uses a computer to do something illegally, that’s considered an online offense. To be clear, with regard to these verbal attack offenses, we all enjoy the freedom of speech under the First Amendment; however, the First Amendment does not protect any and all types of speech. Hate speech, intentional harassment, and using speech for extortion or blackmailing do not enjoy constitutional protection and can be prosecuted as felonies. So, for example, if you write an email or post something on the Internet that has the potential to be interpreted as a threat towards someone else, announce or insinuate violence, request money or anything else of value if one of your conditions is not met, or call a person names, your behavior may quickly fall within the scope of unlawful conduct. So, when emotions are boiling, don’t use the Internet to express your anger and don’t attack the dignity or safety of another person in any electronic (or non-electronic) format.

Q. Is there a heightened risk of committing Internet offenses during this Covid-19 pandemic when we are sheltered at home?

A. I think so. When in-person interactions vanish, online offenses will rise. Keep in mind that many Internet crimes occur in the context of social tensions like divorces and family unrest. Spouses sometimes think that accessing their husband’s or wife’s computer or phone to take a quick peek to see if they can find evidence of an affair or hidden financial details is legitimate detective work. It is not! The fact that you are married makes no difference, because being married does not include an implicit or explicit permission to invade your partner’s privacy. Similarly, some people may feel tempted to turn a blind eye to legal boundaries because they think that Internet crimes are “invisible” and thus not detectable. Almost every convicted child pornography offender started with that mindset. The truth is, the FBI has specialized task forces that can trace pretty much any of your visits to any website, no matter what codename you use and no matter where you are. Just recently, to give you an example, I represented a client in a huge international bitcoin fraud case spanning virtually every state within the United States as well as offshore islands. Admittedly, it took law enforcement months to link all the pieces and actors, but, in the end, the case resulted in a dozen arrests and a plethora of criminal charges. Don’t put yourself into such a position. Don’t be naïve. I always tell clients: whether online or offline, assume that an FBI agent and your parents are watching what you are up to—so, act accordingly.

Q. In addition, what are some of the most common Internet crimes you see the FBI and the Department of Justice are prosecuting?

A. The chief focus of federal authorities is two types of Internet crimes: crimes committed for commercial gain or to cause corporate harm, and, in a category of its own, child pornography. To give you an example in the first category: I recently represented an individual who, out of frustration at being fired, accessed his former employer’s data system and literally erased the entire company network’s files—from his living room. Federal prosecutors don’t like it when someone uses access information or technology skills to cause harm. Whether it is hacking, phishing, spoofing or wagering on sports events over the Internet, I know from countless criminal defense cases that the Justice Department is very determined to take you down, especially when there are real victims, as in the case of defrauding and obtaining money through false or fraudulent pretenses. If you use the Internet to defraud seniors or create some form of a crime scheme, the FBI might very well knock at your door in the near future. This is particularly true when it comes to protecting minors. Federal prosecutors and federal agents are absolutely relentless when it comes to child pornography and prostitution involving minors. In fact, child pornography cases represent approximately twenty percent of all federal prosecutions. If you stand convicted of inducing, let alone coercing, a juvenile to engage in sexual conduct, don’t expect mercy.

Q. What are the penalties for Internet crimes?

A. Unlike some other countries, U.S. penal codes do not recognize “one” online crime. The penalties depend on the alleged offense someone commits. So, for example, if you access your wife’s cell phone without or against her permission, you could be charged as a felon under 18 U.S.C. 1030. The exact outcome would depend on many factors, such as the frequency, how you would use the accessed information, your criminal background and much more. Even if you escape imprisonment, you should ask yourself whether it is worth risking being a “felon” for acting stupidly in this one hot moment. Contrast this with, for instance, child pornography. The most lenient outcome you can expect in child pornography cases, that is, any form of child sexual exploitation, is five years in federal prison, with sentencing outcomes routinely reaching twenty years and more of incarceration.

Q. Despite these extreme penalties, why do Internet offenses continue to rise?

A. I think it is the idea that because you act in seemingly protected anonymity, not in public but in a private area without any witnesses, no one can find or identify you. Of course, that’s only partially true. It is correct that Internet offenses typically don’t have any witnesses, especially when compared to, let’s say, a bank robbery or other offenses that are predicated on human visibility. However, every time you use the Internet, whether you are searching for something or visiting a website, you leave traces. Specialized detectives and computer crime experts from the FBI absolutely have the ability to identify you—perhaps not always right away, but if you are in the United States and the FBI is pursuing your case, chances are high that you will get caught eventually.

Even though each of the 50 U.S. states has some version of online crimes in its penal code, almost all prosecutions involving Internet crimes and computer offenses are federal in nature. That means the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice are leading the prosecutions, often in connection with investigators from the U.S. Department of Homeland Security and other agencies. In general, penalties for federal felony violations are not just more severe, but also, if you are convicted, you don’t have the option of parole. In other words, if a federal judge sentences you to 10 years in federal prison, you can’t expect to be released after half or two-thirds of the time; parole does not exist under federal law. Typically, in the federal justice system, ten years means serving ten years.


IAITAM v MICROSOFT

Association of IT Asset Managers (IAITAM) CEO Dr. Barbara Rembiesa issued the following statement today:
 
“Microsoft’s announcement that it will let end-users buy some of their own apps and licenses through Office 365 should be regarded with great concern by business owners, financial officers, and IT Asset Management (ITAM) program heads.”
 
“This is the road to chaos and monumental waste, particularly if other software makers follow suit.  By basically bypassing all controls on licensing and purchases within companies, it will be incredibly difficult to know what has been purchased, who has purchased it, when it needs to be renewed, what needs to be ‘patched’ and which software is no longer being protected against hackers.  The result will be a rat’s nest of confusion, bad records and huge fines.”
 
“For years now, I have emphasized that you cannot manage what you do not know you have. For that reason, IAITAM developed a centralized ITAM model that incorporates 12 Key Process Areas (KPAs) and a set of best practices that assists IT Asset Managers with executing those processes. These identified best practices allow the ITAM program to be centralized, while the people they manage have appropriate empowerment and decentralized control.”
 
“For the model to work, the ITAM Program Manager has to be able to set up a program that tracks and stores information about specific IT assets with a centralized view of those assets as needed and required for future planning and compliance purposes. This includes being able to identify what software is in the environment and ensure that the software is licensed properly. The program begins with Acquisition Management and ends with Disposal Management. During that lifecycle, a Software Asset Manager needs to know that what the organization has in its environment remains compliant.”
 
“However, Microsoft’s announcement will change all of that.”
 
“Microsoft has said that on Nov. 19, 2019, it will begin allowing end-users to purchase Office 365 Power Platform low-code services, PowerApps, PowerBI and Flow. The user would be responsible for paying for the transaction and the applications themselves would be licensed to the user. The specific services are meant for business users, not for IT administrators or developers. The way most prior and existing licenses have worked, users would have to get permission from their administrators (to include the IT Asset Manager) to add those services.”
 
“Under the new way of doing things, if an organization receives an audit letter from Microsoft, the software publisher will have information on what is installed or supposed to be installed in the environment as an outgrowth of the business-driven transactions. Because the end-user would be in control of the license, the IT Asset Manager would have no way to prove what licenses are in the IT environment. This could lead to huge fines, as well as a security issue. If Microsoft finds that the organization or its end-users cannot prove software license compliance, the publisher could receive millions of dollars in penalties because the organization would be out of compliance.”
 
“The job of an IT Asset Manager is to protect an organization from losing control over its IT assets. Remaining in compliance with software license terms is a major money-saving aspect of a mature ITAM program. Without being able to prove compliance, the program’s core competency would collapse, and its value would become severely diminished.”
 
Following ITAM best practices is a roadmap for organizations to protect and get the most out of their IT assets. IAITAM offers courses and training opportunities throughout the year for agencies and businesses seeking to strengthen their cybersecurity and IT management.

ABOUT IAITAM
The International Association of Information Technology Asset Managers, Inc., is the professional association for individuals and organizations involved in any aspect of IT Asset Management, Software Asset Management (SAM), Hardware Asset Management, Mobile Asset Management, IT Asset Disposition and the lifecycle processes supporting IT Asset Management in organizations and industry across the globe. IAITAM certifications are the only IT Asset Management certifications that are recognized worldwide. For more information, visit www.iaitam.org.

Energias de Portugal and Sepio Systems

EDP, One of Europe’s Major Electricity Operators, Completes a Strategic Investment in the Cybersecurity Company Sepio Systems

Energias de Portugal (EDP), which ranks among Europe’s major electricity operators and is one of Portugal’s largest business groups, has completed a strategic investment in the Israel- and US-based cybersecurity company Sepio Systems. EDP is a vertically integrated utility company with electricity, gas and renewable energy operations in 16 countries, and EDP Renewables is the fourth-largest wind power operator worldwide.

EDP is expanding its cybersecurity partnerships to further strengthen the connectivity and resilience that are vital to its infrastructure and to advance new business opportunities. Over the last couple of years, attacks on critical infrastructure have surged, and the potential repercussions are significant. A loss of data is concerning, but a loss of electricity is catastrophic to both businesses and society.

“Sepio’s approach to protecting enterprises against attacks arising from rogue devices is very creative and a well-executed idea in the cybersecurity space, and we were even more impressed after experiencing it firsthand,” said Luis Manuel, Board Member at EDP Ventures. “The software provides granular visibility into our assets and, best of all, allows us to define and enforce a security policy for hardware devices. We believe Sepio is well-positioned to protect assets in both the IT and OT domains and we look forward to supporting Sepio Systems to help them grow further.”

Also participating in the investment are Mindset Ventures, an international venture capital firm that supports the growth and development of innovative companies providing solutions to the relevant markets in Latin America, and the existing investors Pico Venture Partners and Founders Group.

The partnership with EDP will help Sepio Systems accelerate the development and deployment of Sepio’s Rogue Device Mitigation solution among utilities, financial institutes, and large enterprises in Europe.

Sepio Prime is the world’s first end-to-end solution that offers comprehensive mitigation of hardware-based attacks, including rogue peripherals, invisible network devices, and manipulated firmware. Sepio Prime has been successfully deployed in over 20 mid-sized to large banks, insurers, and telecom companies in the U.S., Singapore, Brazil, and Israel. The current install base secures over 600,000 workstations and network ports.

“The massive cyber-attacks and data breaches we see lately are due not just to the rise of cybercrime but also to the ease of getting hold of attack tools that were accessible only to governments and intelligence organizations until a few years ago,” said Iftah Bratspiess, CEO of Sepio Systems. “We founded Sepio to help organizations address the rapidly growing threat of malicious hardware devices. By applying deep intelligence and hardware fingerprinting technology we can instantly and accurately detect and identify manipulated peripherals and network devices.”

Mr. Bratspiess added, “Having a top global vertically integrated utility such as EDP invest directly in Sepio is not only a vote of confidence in the company, but a testament to the significant risk organizations see in the uncontrolled use of hardware devices. In addition, the support and network of Mindset Ventures provides a huge leap forward in successfully engaging with top tier companies in Brazil. The new funding will fuel our technology roadmap as well as the expansion into new verticals and territories.”

About EDP Ventures

EDP Ventures is the corporate venture arm of the EDP group, an early-stage venture capital fund focused mainly on Seed and Series A rounds, aiming to support and stimulate the open innovation process in the energy sector. Currently managing over €70M, EDP Ventures looks for disruptive technologies and business models focusing on renewable power technology, smart grids, energy efficiency, electric mobility, energy storage, AI and ML, cybersecurity, and digital and predictive analytics. It is located in Lisbon and São Paulo. For more information visit www.edpventures.vc

About Mindset Ventures

Mindset Ventures is an international venture capital firm with an investment focus primarily on the United States and Israel. We support the growth and development of groundbreaking companies by providing them with access to advisors and potential clients, especially in Latin America. For more information visit http://mindset.ventures/

About Sepio Systems

Sepio is disrupting the cyber-security industry by uncovering hidden hardware attacks.

Sepio Prime provides security teams with full visibility into their hardware assets and their behavior in real time. A comprehensive policy enforcement module allows administrators to easily define granular device usage rules and continuously monitor and protect their infrastructure. Leveraging a combination of physical fingerprinting technology and device behavior analytics, Sepio’s software-only solution offers instant detection and response to any threat or breach attempt that comes from a manipulated or infected element.

For more information visit http://sepio.systems
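The "granular device usage rules" the Sepio section above describes are, in practice, an allowlist of approved hardware identities plus checks on what each device actually exposes to the host. The script below is an added illustration of that idea, not Sepio's code and not a description of how Sepio Prime works internally. It assumes a hypothetical inventory model in which each enumerated USB device carries a vendor id, product id, serial string, product name and the set of USB interface class codes it presents; the vendor/product ids and the inventory itself are constructed for the example.

```python
"""Added example (not Sepio's code): evaluate a constructed USB device inventory
against an allowlist-style hardware usage policy.

Hypothetical data model: every enumerated device carries its USB vendor id,
product id, serial string, product name and the USB interface class codes it
exposes. Vendor/product ids used below are made up and do not map to real vendors.
"""
from collections import Counter
from dataclasses import dataclass, field

# USB interface class codes (USB-IF class code table)
CDC_CONTROL, HID, MASS_STORAGE, HUB, CDC_DATA = 0x02, 0x03, 0x08, 0x09, 0x0A


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    product: str
    interface_classes: frozenset   # class codes the device enumerates on the host


@dataclass
class Policy:
    # (vid, pid) -> interface classes that model of device is allowed to expose
    approved: dict
    # (vid, pid) -> serials known to the organisation; any other serial is rejected
    pinned_serials: dict = field(default_factory=dict)
    # classes no workstation peripheral may expose, approved model or not: a
    # "keyboard" that also brings up a CDC network adapter is a classic rogue pattern
    blocked_classes: frozenset = frozenset({CDC_CONTROL, CDC_DATA})


def evaluate(devices, policy):
    """Return [(device, verdict, reasons)] where verdict is 'allow' or 'block'."""
    # identity = vid:pid:serial; the same identity appearing twice on one host
    # suggests a cloned or spoofed device. Cheap peripherals that ship with a
    # blank or shared serial trigger this too, so tune it before enforcing.
    identity_counts = Counter((d.vid, d.pid, d.serial) for d in devices)
    findings = []
    for d in devices:
        key = (d.vid, d.pid)
        reasons = []
        blocked = d.interface_classes & policy.blocked_classes
        if blocked:
            reasons.append("exposes blocked class(es) " + _fmt(blocked))
        if key not in policy.approved:
            reasons.append("vendor/product %04x:%04x not on allowlist" % key)
        else:
            unexpected = d.interface_classes - policy.approved[key]
            if unexpected:
                reasons.append("approved %s exposes unexpected class(es) %s"
                               % (d.product, _fmt(unexpected)))
            pinned = policy.pinned_serials.get(key)
            if pinned is not None and d.serial not in pinned:
                reasons.append("serial %r not among pinned serials" % d.serial)
        if identity_counts[(d.vid, d.pid, d.serial)] > 1:
            reasons.append("identity duplicated on host; possible cloned device")
        findings.append((d, "block" if reasons else "allow", reasons))
    return findings


def _fmt(classes):
    return ", ".join("0x%02x" % c for c in sorted(classes))


def blocked_serials(findings):
    """Serials of every device the policy would block (for reporting)."""
    return sorted(d.serial for d, verdict, _ in findings if verdict == "block")


# ---- constructed sample data (made-up ids; not real vendors or products) ----
KEYBOARD, TOKEN, HUB_DOCK = (0x1111, 0x0001), (0x2222, 0x0002), (0x3333, 0x0003)

SAMPLE_POLICY = Policy(
    approved={
        KEYBOARD: frozenset({HID}),
        TOKEN: frozenset({HID}),
        HUB_DOCK: frozenset({HUB}),
    },
    pinned_serials={TOKEN: frozenset({"TOK-0001", "TOK-0002"})},
)

SAMPLE_INVENTORY = [
    Device(*KEYBOARD, "KB-100", "Corp Keyboard", frozenset({HID})),
    # same vendor/product identity as the corporate keyboard, but it also
    # enumerates a CDC network adapter: a BadUSB-style rogue device
    Device(*KEYBOARD, "KB-101", "Corp Keyboard", frozenset({HID, CDC_CONTROL, CDC_DATA})),
    Device(*TOKEN, "TOK-0001", "Corp Token", frozenset({HID})),
    Device(*TOKEN, "TOK-0999", "Corp Token", frozenset({HID})),        # serial not pinned
    Device(0x4444, 0x0004, "USB-STICK", "Thumb Drive", frozenset({MASS_STORAGE})),
    Device(*HUB_DOCK, "000000", "Dock", frozenset({HUB})),
    Device(*HUB_DOCK, "000000", "Dock", frozenset({HUB})),             # duplicate identity
]

if __name__ == "__main__":
    for dev, verdict, reasons in evaluate(SAMPLE_INVENTORY, SAMPLE_POLICY):
        print("%-5s %04x:%04x %-9s %s" % (verdict, dev.vid, dev.pid, dev.serial,
                                          "; ".join(reasons)))
```

Two of the checks matter more than the allowlist itself: an approved model exposing an interface class it never should (the keyboard that also becomes a network adapter), and a duplicated or unknown serial on an otherwise approved model, which is what a cloned or re-flashed peripheral looks like to the host. The serial-duplication rule is deliberately flagged as noisy in the comments; real inventories contain many low-cost devices with identical serials, so it should be run in monitor mode before it is allowed to block.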