If your company uses, collects, stores or relies on first-party data (and what successful company these days doesn’t?), you face all kinds of security-related risks.

f you cringe every time you see a headline about a massive data breach, fasten your seatbelt. It’s going to get much worse before it gets better. For most companies, it’s a question of when not if they’re going to have a data breach. The bigger question is how big the blast radius is going to be and what can you do preemptively to avert or contain it.

The facts are sobering: The average annual cost of a data-security breach for a company that misuses or loses data is $4.24 million, according to a recent IBM security survey, nearly 10% higher than it was before the pandemic. And that’s just the initial price tag. The real cost of a data breach cuts much deeper and can be existential: 60% of small- and medium-size businesses go bust within six months of a massive data breach.

Sadly, despite these statistics, most companies still don’t view data security as a top priority. If your company uses, collects, stores or relies on first-party data (and what successful company these days doesn’t?), you face all kinds of security-related risks that can make that $4.24 million seem like a bargain.

1. Someone misuses the data you collect

Here’s a shocker: One in four data breaches is caused by employees rather than outside attackers. That’s important because your company is not just on the hook for securing data you collect; you also need to secure how it’s used. Thanks to the EU’s GDPR and California’s CCPA privacy laws, if someone in your company (or one of your partners) misuses your data, you face steep fines. And if you are fined 4% of the topline for simple data misuse, it could bankrupt your whole company.

2. Your data breach gets media attention

A data snafu at scale is a PR disaster. It erodes consumer trust in your brand and customers’ trust in your relationship. A recent PwC report found that 69% of consumers believe that the companies they use are vulnerable to being hacked, and 87% of consumers are even willing to walk away if a data breach occurs. And that doesn’t even factor in the pricey marketing costs of rebuilding a damaged reputation.

3. Data mishandling exposes you to regulatory action

That’s right, misusing data can open you up to a whole new universe of penalties, fines, sanctions and legal costs, which can be enormous and go on for years. You could easily spend a billion dollars addressing your case — just ask Facebook about that one.

4. A data breach costs you deals

This one hits you directly in the wallet. Once you have a security situation, current business customers can shut off deals. At the very least, you’ll spend countless hours documenting your processes and reassuring partners their data and reputation are safe. And if a data-security issue leads to a court action or some regulatory action, all your business customers now have reasonable cause to back out too. Which leads to this next one …

5. Or it can cost you your entire business model

If the world decides that it just can’t afford to do things the way you’re doing them, you’ll have to change your whole model (we’re looking at you, Ashley Madison). The pivot can be an expensive and existential threat.

6. Lax security locks you out of the deal flow

Once you’re caught in a security disaster, you can be labeled as a business risk in an ecosystem. And that basically cuts you out of a marketplace.

7. Security snafus are a massive time suck

All the time and suffering a security problem demands, especially the attention of key people in the organization, can be a massive operational setback. Plus, who wants to work for a company with a bad rap? Suddenly you can’t attract or retain the most mobile and valuable talent.

8. Data breaches devalue your business

If you can’t secure your data, you won’t be able to do all the good things that can be done today with the secure application of data. And that’s the risk of not doing the right thing for the business — and not realizing your company’s full potential and upside. And that might be the biggest risk of all.

Managing all this risk isn’t easy, and there are lots of stakeholders to wrangle. But nobody’s got their eye on all the data — and all the ways data breaches could bite your company.

But there is one way to mitigate all these risks: Deploy technology that prevents risk from even being created, rather than just tools to clean up better after a breach or violation.

You want technology that does three things well:

• Enables the creation and enforcement of a digital version of the sharing agreement or contract.
• Allows the data to be processed inside a shared enclave.
• Documents every transaction and communicates to the relevant parties, so only agreed-upon recipients receive the insights from processing.

You’ll save money on legal fees and improve productivity since only the most necessary approvals will be required by expensive attorneys. And since you can now trust your data-sharing partnerships, your insights will soar along with accompanying revenues from such projects. You owe it to yourself to have a fully automated security solution that’s got your back.

Your company’s survival depends on it. source

The ‘Mother of All Breaches’ Just Happened — Here’s the Security Implications for Businesses

At the beginning of the year, Security Discovery and Cybernews researchers uncovered a dataset of 26 billion(!) leaked entries associated with LinkedIn, Twitter.com, Tencent, Dropbox, Adobe, Canva, Telegram and other platforms. Government agencies in the U.S., Brazil, Germany, the Philippines, and Turkey are also among the organizations hit by the “mother of all breaches” (MOAB).

As the investigation team reported, a significant share of information in the dataset was compromised during past data breaches. However, the stash also contains new data.

Aftermath for businesses

Simply put, this 12-terabyte behemoth will send shockwaves through the business community, posing a continual threat to personal information and corporate security.

But this is not just a breach; it’s a comprehensive toolkit for threat actors to orchestrate an endless number of cyberattacks, including identity theft. Criminals can maliciously exploit the stolen personal data from the MOAB dataset. It is a powerful weapon capable of wreaking havoc on a global scale.

So, in the coming weeks, it’s time to move to a proactive stance. Here are some signals businesses should listen to when monitoring their infrastructure:

1. Uncommon access scenarios. In light of a data breach like this, keeping a close eye on access logs for any unusual activity is critical. A sudden surge in requests or unfamiliar IP addresses could indicate unauthorized entry. Logins during non-standard hours, especially outside of ordinary business hours, may be considered malicious activity as well.
2. Suspicious account activity. In an attempt to take over the compromised account, scammers may reveal themselves through unexpected adjustments in user privileges or alterations to account roles. Frequent changes in login locations, irregular login times, and spikes in data access are also red flags.
3. Surge in phishing attempts. Massive breaches often provide fertile ground for cybercriminals to launch phishing attacks targeting employees or customers related to affected brands. Unscheduled phishing training or educational campaigns may help your staff and clients recognize phishing scams at early stages.
4. Abnormal network traffic. Another alert of malicious activity is unexplained spikes in outbound traffic and unusual communication patterns between internal systems.
5. Boost in helpdesk requests. A growing volume of user requests to the support team can also indicate a problem, especially when there is a sudden surge in inquiries related to compromised accounts or suspicious activities.
6. Customer feedback. An influx of complaints about unauthorized access, account compromises, or suspicious transactions should trigger an immediate investigation.

A new security paradigm

Unfortunately, the MOAB is just a single event in the never-ending war between cybercriminals and corporations. In an age of the constant growth of security threats, companies must develop a refined sense of foresight. Recognizing patterns and anomalies within their data is not just a skill; it’s a necessity. The MOAB underscores the importance of proactive monitoring, urging companies to invest in robust systems that swiftly detect irregularities.

Importantly, entering this new reality means that user security is again becoming more crucial than user experience. Some companies have a hard time accepting that fact. However, in the long run, it’s worth the gamble.

It doesn’t imply building a kind of imposing wall with menacing guards around your infrastructure that makes users avoid your service. The security measures you deploy can be easy to use for customers. The latest identity verification options — such as self-check-in at airports — prove the concept while staying user-friendly and secure.

Guide to the transformation

Effective information security management powered by global standards such as ISO/IEC 27001 and ISO/IEC 27002 is at the core of the process. By adhering to the standards, an organization guarantees that it has established an Information Security Management System for addressing security risks associated with data owned or managed by the company. Despite certification often being associated with enterprise-level organizations, middle-sized companies, especially those from industries where data safety matters, such as FinTech, should not skip this step. Moreover, unlike ISO 27001, you don’t need certification to prove compliance with ISO 27002, which, being more informative than regulatory, details the controls required.

Enhancing authentication policies may be the next step to take. Unfortunately, you can’t rely on your customers to be prudent while setting logins and passwords. Nevertheless, nudging them to select more advanced options is under your control.

More companies across different sectors now implement multi-factor authentication involving users’ biometrics like fingerprint scans or face recognition. With the idea of a passwordless future pushed by tech giants like Google, this approach is gradually becoming an industry best practice. On the one hand, setting a “Privacy Screen” to secure Google Drive on iOS mobile devices through Touch ID or Face ID requires additional action on the user’s end. On the other, once the feature is enabled, user satisfaction soars as well.

Finally, the adoption of liveness detection technology — both for IDs and selfies — in identity verification procedures is crucial. It helps determine whether the source of a biometric sample is a live individual, and provides evidence that a user-submitted document photo is a genuine passport or other document. Additionally, this step can be made mandatory, not only during registration for a service but also at the purchase stage. Neural networks under the hood of the liveness detection process are constantly improving, showing high accuracy rates. That also contributes to data processing speed, making it possible to perform a liveness check in seconds.

Final thoughts

The MOAB incident serves as a call to action for businesses worldwide. Unfortunately, the brand names on the MOAB list prove that there is room for improvement for all the companies, including enterprise-level. It’s more critical than ever to bolster defenses, sharpen our cyber instincts, and fortify our systems against the impending storm.

Still, there is no need to turn the sign-in or payment processes into a math quiz with a bunch of problems to be solved on the customer’s part. UX still matters, especially for companies from B2C sectors whose success is measured by the number of active users. For this reason, a mobile banking app is always more secure than an e-book subscription service. source

8 Ways a Data Breach Could Take Out Your Company Tomorrow

By Lawrence Williams source

Wireless networks are accessible to anyone within the router’s transmission radius. This makes them vulnerable to attacks. Hotspots are available in public places such as airports, restaurants, parks, etc.

In this tutorial, we will introduce you to common techniques used to exploit weaknesses in wireless network security implementations. We will also look at some of the countermeasures you can put in place to protect against such attacks.

Topics covered in this How to Hack WiFi Tutorial

• What is a wireless network?
• How to access a wireless network?
• Wireless Network Authentication WEP & WPA
• How to Crack WiFI (Wireless) Networks
• How to Secure wireless networks
• How to Hack WiFi Password

What is a wireless network?

A wireless network is a network that uses radio waves to link computers and other devices together. The implementation is done at the Layer 1 (physical layer) of the OSI model.

How to access a wireless network?

Wireless Network Authentication

Since the network is easily accessible to everyone with a wireless network enabled device, most networks are password protected. Let’s look at some of the most commonly used authentication techniques.

WEP

WEP is the acronym for Wired Equivalent Privacy. It was developed for IEEE 802.11 WLAN standards. Its goal was to provide the privacy equivalent to that provided by wired networks. WEP works by encrypting the data been transmitted over the network to keep it safe from eavesdropping.

WEP Authentication

Open System Authentication (OSA) – this methods grants access to station authentication requested based on the configured access policy.

Shared Key Authentication (SKA) – This method sends to an encrypted challenge to the station requesting access. The station encrypts the challenge with its key then responds. If the encrypted challenge matches the AP value, then access is granted.

WEP Weakness

WEP has significant design flaws and vulnerabilities.

• The integrity of the packets is checked using Cyclic Redundancy Check (CRC32). CRC32 integrity check can be compromised by capturing at least two packets. The bits in the encrypted stream and the checksum can be modified by the attacker so that the packet is accepted by the authentication system. This leads to unauthorized access to the network.
• WEP uses the RC4 encryption algorithm to create stream ciphers. The stream cipher input is made up of an initial value (IV) and a secret key. The length of the initial value (IV) is 24 bits long while the secret key can either be 40 bits or 104 bits long. The total length of both the initial value and secret can either be 64 bits or 128 bits long.The lower possible value of the secret key makes it easy to crack it.
• Weak Initial values combinations do not encrypt sufficiently. This makes them vulnerable to attacks.
• WEP is based on passwords; this makes it vulnerable to dictionary attacks.
• Keys management is poorly implemented. Changing keys especially on large networks is challenging. WEP does not provide a centralized key management system.
• The Initial values can be reused

Because of these security flaws, WEP has been deprecated in favor of WPA

WPA

WPA is the acronym for Wi-Fi Protected Access. It is a security protocol developed by the Wi-Fi Alliance in response to the weaknesses found in WEP. It is used to encrypt data on 802.11 WLANs. It uses higher Initial Values 48 bits instead of the 24 bits that WEP uses. It uses temporal keys to encrypt packets.

WPA Weaknesses

• The collision avoidance implementation can be broken
• It is vulnerable to denial of service attacks
• Pre-shares keys use passphrases. Weak passphrases are vulnerable to dictionary attacks.

How to Crack WiFI (Wireless) Networks

WEP cracking

Cracking is the process of exploiting security weaknesses in wireless networks and gaining unauthorized access. WEP cracking refers to exploits on networks that use WEP to implement security controls. There are basically two types of cracks namely;

• Passive cracking– this type of cracking has no effect on the network traffic until the WEP security has been cracked. It is difficult to detect.
• Active cracking– this type of attack has an increased load effect on the network traffic. It is easy to detect compared to passive cracking. It is more effective compared to passive cracking.

WiFi Password Hacker (WEP Cracking) Tools

• Aircrack– network sniffer and WEP cracker. This WiFi password hacker tool can be downloaded from http://www.aircrack-ng.org/
• WEPCrack– this is an open source Wi-Fi hacker program for breaking 802.11 WEP secret keys. This WiFi hacker app for PC is an implementation of the FMS attack. http://wepcrack.sourceforge.net/
• Kismet– this WiFi password hacker online detects wireless networks both visible and hidden, sniffer packets and detect intrusions. https://www.kismetwireless.net/
• WebDecrypt– this WiFi password hack tool uses active dictionary attacks to crack the WEP keys. It has its own key generator and implements packet filters for hacking WiFi password. http://wepdecrypt.sourceforge.net/

WPA Cracking

WPA uses a 256 pre-shared key or passphrase for authentications. Short passphrases are vulnerable to dictionary attacks and other attacks that can be used to crack passwords. The following WiFi hacker online tools can be used to crack WPA keys.

• CowPatty– this WiFi password cracker tool is used to crack pre-shared keys (PSK) using brute force attack. http://wirelessdefence.org/Contents/coWPAttyMain.htm
• Cain & Abel– this WiFi hacker for PC tool can be used to decode capture files from other sniffing programs such as Wireshark. The capture files may contain WEP or WPA-PSK encoded frames. https://www.softpedia.com/get/Security/Decrypting-Decoding/Cain-and-Abel.shtml

General Attack types

• Sniffing– this involves intercepting packets as they are transmitted over a network. The captured data can then be decoded using tools such as Cain & Abel.
• Man in the Middle (MITM) Attack– this involves eavesdropping on a network and capturing sensitive information.
• Denial of Service Attack– the main intent of this attack is to deny legitimate users network resources. FataJack can be used to perform this type of attack. More on this in article

Cracking Wireless network WEP/WPA keys

It is possible to crack the WEP/WPA keys used to gain access to a wireless network. Doing so requires software and hardware resources, and patience. The success of such WiFi password hacking attacks can also depend on how active and inactive the users of the target network are.

We will provide you with basic information that can help you get started. Backtrack is a Linux-based security operating system. It is developed on top of Ubuntu. Backtrack comes with a number of security tools. Backtrack can be used to gather information, assess vulnerabilities and perform exploits among other things.

Some of the popular tools that backtrack has includes;

• Metasploit
• Wireshark
• Aircrack-ng
• NMap
• Ophcrack

Cracking wireless network keys requires patience and resources mentioned above. At a minimum, you will need the following tools

A wireless network adapter with the capability to inject packets (Hardware)

• Kali Operating System. You can download it from here https://www.kali.org/downloads/
• Be within the target network’s radius. If the users of the target network are actively using and connecting to it, then your chances of cracking it will be significantly improved.
• Sufficient knowledge of Linux based operating systems and working knowledge of Aircrack and its various scripts.
• Patience, cracking the keys may take a bit of sometime depending on a number of factors some of which may be beyond your control. Factors beyond your control include users of the target network using it actively as you sniff data packets.

How to Secure wireless networks

In minimizing wireless network attacks; an organization can adopt the following policies

• Changing default passwords that come with the hardware
• Enabling the authentication mechanism
• Access to the network can be restricted by allowing only registered MAC addresses.
• Use of strong WEP and WPA-PSK keys, a combination of symbols, number and characters reduce the chance of the keys been cracking using dictionary and brute force attacks.
• Firewall Software can also help reduce unauthorized access.

How to Hack WiFi Password

In this practical scenario, we are going to learn how to crack WiFi password. We will use Cain and Abel to decode the stored wireless network passwords in Windows. We will also provide useful information that can be used to crack the WEP and WPA keys of wireless networks.

Decoding Wireless network passwords stored in Windows

Step 1) Download the Cain and Abel tool

• Download Cain & Abel from the link provided above.
• Open Cain and Abel

Step 2) Select the Decoders tab and choose Wireless passwords

• Ensure that the Decoders tab is selected then click on Wireless Passwords from the navigation menu on the left-hand side
• Click on the button with a plus sign

Step 3) The passwords will be shown

• Assuming you have connected to a secured wireless network before, you will get results similar to the ones shown below

Step 4) Get the passwords along with encryption type and SSID

• The decoder will show you the encryption type, SSID and the password that was used.

Summary

• Wireless network transmission waves can be seen by outsiders, this possesses many security risks.
• WEP is the acronym for Wired Equivalent Privacy. It has security flaws which make it easier to break compared to other security implementations.
• WPA is the acronym for Wi-Fi Protected Access. It has security compared to WEP
• Intrusion Detection Systems can help detect unauthorized access
• A good security policy can help protect a network.