Inflight Wi-Fi Not as Secure as You Think

Posted by Ross Moir on Mar 18, 2016 1:36:46 PM

Image courtesy of satit_srihin at FreeDigitalPhotos.net

Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like GoGo Wireless and Global Eagle Entertainment offer passengers Wi-Fi service for a fee. While customers may think their communications and activities are secure, think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight – a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen. But what can be done about it?

 

First, Wi-Fi on an airplane operates similarly to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done, the user is granted access to the web. There is no password protection on the connection, which means the traffic carried on the Wi-Fi network is transmitted in the clear. This means anyone listening can grab the data that passes through the access point.

 


Topics: Security, Wireless Security, cybersecurity, policy

3 Reasons a Security Policy Improves Information Security

Posted by Eric Noonan on Mar 2, 2016 10:30:43 AM
Product vendors' marketing focuses on advanced persistent threats - Stuxnet, China and all of the other fear, uncertainty and doubt (FUD) - that are almost completely out of your control. So take a step back from the overwhelming advertisements that leave you feeling insecure and spend some time on something that you can actually control: your organization's information security policy. Exciting, right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.
 

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security

 

1: Corporations Take a Policy Seriously

Corporations tend to take a policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the "why" behind a reduction in administrative rights, you now have something tangible to refer to rather than trying to educate one engineer at a time.
 

Topics: cybersecurity, policy

Healthcare Cybersecurity Spend Rises: 4 Steps to a Wisely Spent Budget

Posted by Eric Noonan on Feb 29, 2016 3:52:38 PM

Predictably, cyber/data security continues to be a rising concern within the healthcare industry, according to Modern Healthcare's 26th annual Survey of Executive Opinions on Key Information Technology Issues. That being said, the percentage of total IT spend devoted to security is still woefully inadequate if the survey numbers are to be believed. You simply can't be secure on the spend levels highlighted in this survey.

I'm always skeptical of survey numbers because you can't qualify the data or responses and there is no right answer as to how much to spend on security. However, there are best practices and industry standards that will ensure your organization is spending the money you have wisely.

4 Steps to Ensure a Wisely Spent Cybersecurity Budget


1: Make Security a Line Item in the Budget, Separate from IT

There is no right metric for security spend, but you should at least be able to articulate what you are spending annually. With a defined security budget you can slice and dice it any way you want: as a percentage of IT spend, cost per employee, as a percentage of revenue, etc.


Topics: Security Assessment, cybersecurity

Digital Hostage Taking: Ransomware's Impact on the Healthcare Industry

Posted by Casey Lang on Feb 26, 2016 11:17:36 AM

Recently, Hollywood Presbyterian Medical Center paid attackers for the decryption key after the hospital’s systems and data were held hostage. While this style of attack is not new, increased attacks have businesses on edge. Ransomware is malicious software that blocks access to a network or system until a ransom is paid. In many cases, the data is encrypted and there is no economical way to retrieve the data until the decryption key is given to the victim. Usually this only occurs when a ransom is paid. In the case of Hollywood Presbyterian, the hospital decided to pay the ransom of about 40 bitcoins, worth approximately $17,000.

Security consultants who have assessed healthcare practices have likely interviewed medical staff and gotten the strong sense (if not been directly told) that their work was diverting attention away from patient care. This mentality is one of the reasons why the healthcare industry is facing challenges when it comes to information security. The culture of providing healthcare over all else, the justification for neglecting information security, has finally hit an impasse - patient health and safety were jeopardized by a cyber security incident. The attitude toward information security - the time it takes, the costs - has to change. It’s unfortunate, but it seems to have taken an incident like the one seen at Hollywood Presbyterian to highlight how information security actually aligns with the healthcare industry's health-first ideals.


Topics: cybersecurity, ransomware

Four Presidential Priorities for Cybersecurity

Posted by Eric Noonan on Feb 24, 2016 11:37:34 AM

In a recent Wall Street Journal article, President Obama announced a new "Cybersecurity National Action Plan" which would increase federal cybersecurity funding north of $19 billion. However, it is unclear whether any of this spending will actually be funded, as House Budget Committee Chairman Tom Price (R-GA) and Senate Budget Committee Chairman Mike Enzi (R-WY) have already declared that both committees will not hold a hearing to review the president’s FY 2017 Budget. Politics aside, it's encouraging to see a dialogue happening at the highest levels of our government on such an important topic.

The Four Major Priorities that are Being Proposed

1: $3 Billion Fund to Kick-start an Overhaul of Federal Computer Systems

First, the President is proposing a $3 billion fund to kick-start an overhaul of federal computer systems. Going forward, agencies will be required to increase protections for their most valued information and make it easier for them to update their networks. Additionally, he's proposed creating a new federal position, Chief Information Security Officer, a position he notes that most major companies have already established. Of course, the devil is in the details as to how the money is spent, but in general the government, like most corporations, needs to invest more in cybersecurity. In our experience, the investment should prioritize people and process rather than the short-sighted rush to procure more tools supported by an already overworked staff following undocumented processes.

 

Topics: cybersecurity