Developing Secure IT Products to Defend against Cybersecurity Threats

According to the website StaySafeOnline.org, “building security into information technology products is key to enhanced cybersecurity. Security is an essential element of software design, development, testing and maintenance. The software we use every day on our phones, tablets, and computers may have vulnerabilities that can compromise our personal information and privacy.” (About, 2014) With a technological environment changing as quickly as it does today to accommodate the needs of an ever-increasing number of savvy users pushing everything from social security numbers to personal medical information, the need to develop secure software is paramount.

And safety considerations don’t begin and end with the finished product alone. As a recent article on IEEEXplore points out, security risks might also include attacks against “product code during development, any supplier or original equipment manufacturer (OEM) involved in developing the product’s software components, or (even) the product distribution channels.” (Baize, 2012)

So how does a software developer address these issues during development and distribution? And how can an organization know that the software they’ve purchased is safe? Typically, software vendors use a secure software development life cycle, which includes considerations such as “protection of the overall product development environment, focusing on not only avoiding source code leakage but also preventing unauthorized source code modification; integrity of the source code supply chain…for open source software being embedded in products; and embedding controls for product code integrity and authenticity verification, during both delivery and execution of the products.” (Baize, 2012)

Another development in the defense against malicious cyber attacks is the design of products that are not only attack-proof, but are also capable of detecting and defending against these attacks – in other words, products that are “attack-aware”. “Software security practitioners have made great progress incorporating into software the techniques that stop attacks targeting the most common security flaws…Most modern software can distinguish legitimate input from input containing (malicious code). If secure software can detect and stop malicious strings, it can and should also log and report incidents that are being prevented. This will provide the intelligence that security products need to better monitor activity and ensure quick attention, which can lead to prevention of data breaches.” (Baize, 2012)
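The “attack-aware” idea described above, sketched as an added example (not code from the cited article): a validator that rejects input outside an allowlist and also reports each rejection as a structured event, escalating when one source keeps sending bad input. The field name, logger name, threshold and sample requests are all constructed for illustration.

```python
import json
import logging
import re
from collections import defaultdict

log = logging.getLogger("security.events")  # hypothetical logger name

# Allowlist for a hypothetical "username" field: anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


class AttackAwareValidator:
    """Rejects bad input AND reports each rejection as a security event."""

    def __init__(self, alert_threshold=3):
        self.alert_threshold = alert_threshold
        self.rejections = defaultdict(int)  # rejected inputs per source
        self.events = []                    # copy of what was reported

    def check_username(self, source, value):
        if USERNAME_RE.fullmatch(value):
            return True
        self.rejections[source] += 1
        count = self.rejections[source]
        event = {
            "event": "input_rejected",
            "source": source,
            "field": "username",
            "value_len": len(value),
            # Truncated preview; json.dumps escapes CR/LF so the value
            # cannot forge extra log lines.
            "value_preview": value[:40],
            "rejections_from_source": count,
            # Repeated rejections from one source are escalated.
            "severity": "alert" if count >= self.alert_threshold else "info",
        }
        self.events.append(event)
        log.warning(json.dumps(event))
        return False


def run_sample():
    """Feed constructed requests (source, username) through the validator."""
    sample = [
        ("198.51.100.7", "alice"),
        ("198.51.100.7", "admin'--"),
        ("198.51.100.7", "<b>x</b>"),
        ("198.51.100.7", "name\nforged entry"),
        ("203.0.113.9", "bob.smith"),
    ]
    validator = AttackAwareValidator()
    results = [validator.check_username(src, val) for src, val in sample]
    return results, validator.events
```

The events a monitoring product consumes are the ones with `severity` set to `alert`; single rejections stay at `info` so ordinary typos do not page anyone.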

While this all sounds great in theory, the truth of the matter is that cyberattacks can and do occur. Here’s a list of things to look out for which may indicate that your computer has been attacked:

• You have standard programs and files that won’t open or work.
• Files that you didn’t delete…have disappeared, have been placed in the (delete) bin, or have been deleted.
• You cannot access programs using your usual password. You find that your passwords have been changed within your computer.
• There is one or more programs on your computer that you didn’t put there.
• When you’re not using the computer, it is connecting itself to the internet frequently.
• File contents have been changed and you didn’t (make) the changes.
• Your printer may behave strangely. It may not print no matter what you do or it will print different pages that you did not command it to. (wikiHow, 2014)

We encourage you to contact the TSC immediately at X2920 or by e-mail at techhelp@sju.edu if you notice any of these symptoms or if you have any other reason to believe that your computer has been compromised.

Resources

About. (2014). Retrieved from StaySafeOnline.org: http://www.staysafeonline.org/ncsam/about
Baize, E. (2012). Building Security In. Retrieved from IEEEXplore: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6226545
wikiHow. (2014). How to know if You’ve Been Hacked. Retrieved from wikiHow: http://www.wikihow.com/Know-if-You%27ve-Been-Hacked

NCSAM: Celebrating 11 Years of Cybersecurity Awareness

This October marks the 11th anniversary of National Cybersecurity Awareness Month (NCSAM). Sponsored by the Department of Homeland Security and the National Cyber Security Alliance, NCSAM has helped to educate online consumers and businesses about cybersecurity issues and the best practices for avoiding them.

As a growing number of consumers turn to online shopping as their primary means of doing business, the number of cybercrimes – and the financial impact of those crimes – continues to rise; and the numbers are staggering.

According to the website Statista, the number of digital shoppers in the United States rose to 191.1 million with another 5.5 million joining their ranks by the close of 2014.

Another article on the same site stated that as of 2012, internet sales generated an estimated 593.16 billion dollars of revenue.

The US Government, in its 2013 IC3 Report, cites 262,813 complaints of cybercrime, with total combined financial losses of over 781 million dollars.

Clearly, the Internet commerce financial pie is a large one; and everyone seems to be looking for a piece of it.

As technology continues to advance, so do the tactics of those seeking to gain your personal information. The National Cyber Security Alliance, on its StaySafeOnline.org website, suggests observing the following practices in order to ensure your personal – and financial – safety while online:

• Keep a Clean Machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
• When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
• Protect all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
• Plug & scan: “USBs” and other external devices can be infected by viruses and malware. Use your security software to scan them. (Tips and Advice)

Those wishing to know more about NCSAM and suggested best practices can check out StaySafeOnline.org for further details.
If you have any questions, or believe that your computer has been compromised, please contact the TSC at x2920 or by e-mail at techhelp@sju.edu.

Resources:
Federal Bureau of Investigation Internet Crime Complaint Center. (2013). Retrieved from 2013 Internet Crime Report: http://www.ic3.gov/media/annualreport/2013_ic3report.pdf
Number of US Internet Shoppers Since 2009. (2014). Retrieved from Statista: http://www.statista.com/statistics/183755/number-of-us-internet-shoppers-since-2009/
Tips and Advice. (n.d.). Retrieved from StaySafeOnline.org: http://www.staysafeonline.org/stop-think-connect/tips-and-advice
US-b2c-e-commerce-volume-since-2006. (2014). Retrieved from Statista: http://www.statista.com/statistics/239372/us-b2c-e-commerce-volume-since-2006/

Happy Data Privacy Day!

Happy Data Privacy Day! This is a day for respecting #privacy, safeguarding #data & enabling trust #DPD14

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

Data flows freely in today’s online world. Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day is an effort to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives.

Data Privacy Day is led by the National Cyber Security Alliance, a nonprofit, public-private partnership dedicated to cybersecurity education and awareness, and advised by a distinguished advisory committee of privacy professionals.

To begin taking a proactive approach to your online privacy and security, follow these steps from STOP. THINK. CONNECT., the national cyber-security awareness campaign. 

STOP. THINK. CONNECT.

  • Secure your devices. Keep your devices from prying eyes. Set passcodes or pass phrases (long passwords) to be sure only you can access your smartphone, tablet or PC.
  • Secure your accounts. Passwords are no longer the only protection from would-be hackers. Enable two-factor authentication to add another layer of security.
  • Make passwords long, strong and unique. Passwords should be different for each account, have as many characters as allowed and include numbers, symbols and letters, capital and lowercase.
  • Think before you app. Before downloading a mobile app, understand what information (your location, access to social networks, etc.) the app accesses to function.
  • Back it up. Store digital copies of your valuable work, music, photos and other information on an external hard drive or online cloud.

– See more at: http://staysafeonline.org/data-privacy-day/privacy-tips/

Windows Service Center Scam

Fresh off the heels of last week’s Crypto Locker issue comes a new threat to cyber security: the MS Windows Service Center Scam.

More involved than just an e-mail hoax, this scam involves users receiving a phone call from someone claiming to be a customer service representative. “The main pitch is that there have been complaints from the user’s internet service provider stating the existence of a severe problem with the computer with respect to viruses. The how’s and why’s of the contact between the service provider and the service center is usually left to the victim’s imagination, which in most cases gets slowed down upon hearing the two terms “Microsoft” and “virus”.” (Internetcleaner, 2013) During the course of the phone call, the unsuspecting user will be referred to a website where they can download a program which they are told will remove the virus from their computer.  What actually happens, however, is that “. . .a malware gets installed on to the victim’s machine, which apart from showing that there are a huge number of viruses on the machine, also makes sure to collect all of the user’s personal data from the computer. The malware is also quite apt at concealing its true purpose as it is supposed to cling on to the machine and record all of the victim’s future online correspondences and data entries.

Apart from that what’s stated above, the other side of the card is not uncommonly, money. If someone provides a service, they are sure to charge for it as well. The repair fee is definitely quite exorbitant considering the irony of the word “repair” and to add to the woes of the victims. . .” (Internetcleaner, 2013)

Another particularly malicious aspect of this scam is that the so-called customer service representative will offer to take control of the user’s computer remotely.  If the user allows this, the individual on the other end of the line can access the user’s private information while installing malware designed to capture passwords, banking account numbers, e-mail account details, and other useful information.

Remember, companies like Microsoft do not contact their users to inform them that they may have a virus on their computer. They also do not solicit banking or credit card information for the purposes of charging a fee for the removal of viruses. If you receive a call like this, it’s best to hang up and scan your computer for viruses. If you find that your machine has been compromised, please contact the Technology Service Center immediately at X2920 for assistance.

Resources:

Internetcleaner. (2013, June 3). Clean Internet Charity The Official Blog of the Clean Internet Charity Foundation. Retrieved from Clean Internet Charity: http://cleaninternetcharity.com/2013/06/03/the-microsoft-windows-service-center-scam/