Does Bringing an ‘Ethical Hacker’ In House Pay Off?

A study last year estimated that the global losses from cybercrime ranged from $375 to $575 billion – for just 2014 alone. This figure is only expected to get higher with each passing year as cybercriminals become more sophisticated, and their ranks grow with more opportunistic hackers looking to cash in on an increasingly lucrative trend. Given that, it’s easy to see how and why panic among both enterprises and SMBs might start to set in. What’s most troubling about the cybercrime phenomenon is not only the amount of money or information that could be stolen, but how much businesses need to spend just to protect themselves. Adequate cybersecurity protocols aren’t free, and even when a company has put expensive measures into place, there is no guarantee that they will catch every single potential threat – all it takes is just one malicious email, or one spear-phishing attempt, to make it through, after all. One innovative method that businesses have explored is employing an in-house “ethical hacker” to identify potential security risks and patch them ahead of time. Essentially, these personnel are former hackers who may have used their skill sets for illicit means – stealing bank account information, breaking into corporate databases, committing identity fraud – but are now being turned legitimate by companies looking to take advantage of their skills for more beneficial purposes. Instead of hacking into the enterprise’s systems to steal something, these ethical hackers hack into the company’s systems to expose specific cybersecurity vulnerabilities, essentially attempting to beat the bad guys to the punch. Once they have identified a company’s major security flaws,...

The Lessons of Cybersecurity Awareness Month and What to Expect in the Year Ahead

For 11 years now, the U.S. government has recognized October as Cybersecurity Awareness Month. While the original goal may have been to acknowledge the growing risks that cyberthreats pose to national security, it has – unfortunately – become all too clear in recent years that cybersecurity is an issue that affects not just government agencies, but anyone and everyone, regardless of industry. Consider how, in the last few years, claims of identity theft and tax fraud have skyrocketed, targeted data breaches at major companies – from big banks to retailers to healthcare providers – are compromising millions of records containing personally identifiable information (PII), and the IT departments responsible for safeguarding against these risks seem virtually powerless. And with businesses progressively moving their operations online – shifting email, files and other data into single-vendor cloud platforms like Microsoft Office 365 or Google Apps – these risks and their ripple effects will only continue to grow. As our lives become increasingly digital and interconnected, implementing proper cybersecurity and staying one step ahead of new threats will only become more important. To that end, and as Cybersecurity Awareness Month winds down, here are a few cyber risks you should put on your radar to protect yourself and your data in 2016:

1. BYOD Workplace Policies

Bring Your Own Device (BYOD) policies may allow employees the freedom to use their own familiar phones, tablets or laptops for work purposes. But it also presents a glaring security flaw when you consider that 43 percent of smartphone users in the U.S. don’t use any kind of password, PIN or pattern lock protection – let...

How One Challenging Gig with My Band Prepared Me for a Career in Cybersecurity

Sometimes, connections between work and play appear when they’re least expected. You wouldn’t expect, for example, a guitar-shredding metal-head to carry over much from his time on stage to his career in cybersecurity, but that’s exactly what happened to Julian Weinberger, CISSP and Director of Systems Engineering for NCP engineering. Julian isn’t performing in the U.S. anymore, but during his time in Germany, one gig in particular brought so many challenges that he still thinks about it today. We sat down with Julian to discuss what happened that night.

What specific event involving your band has taught you the most about working in security and business continuity?

A few years ago, after hustling to line up free gigs, I landed my first paid performance. Unfortunately, I ran into myriad unanticipated issues: a string on my first guitar broke, my backup guitar didn’t work, my cable made weird noises, and, as if that wasn’t enough, my in-ear system stopped working. Although none of these issues were my fault, they wreaked havoc on the gig – and when you’re hired to entertain, you risk not being paid if you’re unable to deliver, regardless of the circumstances. It’s similar with enterprise network security. If things break – and they will – you need to be prepared with a plan to fix it.

So how did you respond on stage? And what did that teach you about security?

When performing on stage, technical difficulties must be fixed within seconds, and it’s the same case with security. For instance, if your microphone cuts out – or worse, your organization is faced with security issues...

OPM Breach Shows Need for ‘Nimble’ Government Network Security

No matter how you look at it, the Office of Personnel Management (OPM) is on the hook for revealing the records of millions of Americans. The only question is how many millions. If you believe the agency’s own report, then it’s 4 million. Four million current, former and prospective government employees whose personal information became public following a cyberattack conducted throughout the early part of this year. The numbers are even worse if the reports from the Associated Press, Bloomberg and other prominent news sources are accurate. They claim the number of victims is closer to 14 million. Although the OPM investigation is still ongoing, the federal government has already begun the task of investigating and explaining the attack. As White House Press Secretary Josh Earnest told reporters last week: “Protecting the computer networks of the federal government is a daunting challenge. It does require the federal government to be nimble, something that’s difficult when you’re talking about an organization that’s this large.” Earnest is right. When you’re talking about the federal government as one body, it’s difficult to imagine it being fleet-of-foot and responding effectively to new and emerging cyberthreats. On a smaller scale, though, there are plenty of government agencies, at all levels, that are getting the job done locally, and taking proactive steps that should prevent them from becoming the next OPM. Let’s look at one government agency in Iowa that’s upgraded its remote access and, in the process, is protecting its network.

Lessons from the Heartland

Iowa Vocational Rehabilitation Services (IVRS) is a state agency, headquartered in Des Moines, that partners with...

IT Security? “Yes Please,” says Uncle Sam – But Offers No Tangible Help

When it comes to IT security, government agencies around the world are aware of the challenges and risks small and medium-sized enterprises (SMEs) face. So it only figures that they offer help, in the form of initiatives aimed specifically at SMEs. Germany has one of the most active administrations in this respect, as it finances or supports a whopping 21 initiatives. And while the U.S. government would do well to follow Germany’s lead and further IT security by offering numerous assistance programs to SMEs, unfortunately, a recent study from management consultancy Detecon International shows that most U.S. initiatives are focused on admonitory finger-wagging rather than hands-on help with implementation. Yet hands-on help is exactly the type of assistance that would have the biggest impact on raising the security level of SMEs. Most German public initiatives prioritize awareness of the issue at the upper management level. However, only a small part of the surveyed initiatives – 35 percent – can be mapped to concrete measures within the Federal Office for Information Security (BSI) IT baseline protection catalogs. Furthermore, 36 of 56 assistance programs analyzed lack a concrete goal with achievable benchmarks for success. Instead, they focus on information security as a whole and therefore try to pursue many targets at once, with a scattershot, light-touch effect. Naturally, IT security has to be approached holistically. There is no use securing remote access for employees with a VPN when a company’s Wi-Fi network is open and therefore accessible from outside the enterprise. But because SMEs usually have only limited resources at their disposal, it is important to prioritize and focus on the...

Mobile World Congress: E.ON Achieves Secure Remote Access with Samsung, NCP

Last month, Samsung hosted one of the largest, most-visited booths at Mobile World Congress in Barcelona – and rightfully so. The company chose the world’s largest mobile industry trade show to launch its newest phones, the Galaxy S6 and S6 Edge, to the 93,000 industry influencers in attendance. Samsung also hosted an Enterprise Mobility Showcase, where guests could “hear [Samsung’s] business strategy with key strategic partners, and meet the industry opinion leaders who are working with them.” NCP engineering is proud to have been one of those featured partners. As part of that presentation, Samsung revealed a case study exploring how it developed a secure smartphone – the KNOX – that could be used by officials from E.ON, a German electric utility. NCP’s role involved outfitting the phone with one of its most important elements – secure remote access capabilities. Because of the sensitive nature of the information passing through those devices, and the fact E.ON supplies critical infrastructure to Germany, Samsung and NCP had to follow stringent requirements laid out by the Federal Office for Information Security (BSI), the German national security agency. The BSI lists several factors for secure mobile communication, all of which Samsung and NCP had to abide by, including:

- Secure digital identity certificates issued by a trust center per system/user
- All security operations in the device based on this digital identity
- Secure two-factor authentication
- Encryption of all stored local data
- Secure data communication between the mobile device and the related server
- Secure boot process
- Controlled process for installing additional software (digital signature)

The Samsung KNOX meets these requirements through integrations with etaSuite, which provides...