Login
Pledging to follow healthier habits is consistently the most popular new year’s resolution. That January 1st promise looks different to everyone: snacking less often, going to the gym more often, drinking more water, drinking less soda, etc. This year, instead of a juice cleanse subscription, opt for a healthier habit that’s not an unappetizing shade of green: follow this digital detox, instead! In three easy steps, you can make great strides in improving your digital wellness.
There are various aspects of your digital habits that you should consider updating for a more private and safer online life. For starters, update your passwords. Do you reuse the same password for multiple online accounts? Doing so puts your personally identifiable information (PII) at great risk. For example, if a business with which you have an online shopping account is breached by a cybercriminal, your login and password combination could make it on the dark web, through no fault of your own. Then, through a brute force attack, a criminal could use that same password and username combo to walk into your banking or tax filing accounts.
Remembering unique, complicated passwords and passphrases for your dozens of online accounts would be impossible. Luckily, there’s software that remembers them for you! It’s called a password manager, which acts as a vault for all your login information. Just remember one master password, and you can be confident in the security of your accounts and never have to deal with the hassle of forgetting passwords.
Another aspect of updating you should adopt in 2023 is making an effort to always upgrade to the latest software updates on all your devices. The easiest way to do this is to turn on automatic updates. From there, you don’t need to take any further action! Apps and operating systems (like Apple, Android, and Windows) often release updates to patch security vulnerabilities. When you run outdated software, there’s a chance a cybercriminal could take advantage of that security gap.
Finally, make sure that you keep updated on the latest security headlines. Consider setting up news alerts to notify you when a breach occurs at a company that you frequent or have an account with. Speed is often key in making sure that your information remains safe, so it’s best practice to have your finger on the pulse on the security news of the day.
A new year digital detox can be a whole family affair. Connect with your family, anyone connected to your home network, and your elderly relatives to get everyone on the same page with security best practices. Here are some common online security snags people of all ages encounter:
Everyone has an oversharer on their newsfeed. Alert your family members of the dangers of posting too much about their personal life. When someone takes those “get to know you” quizzes and posts their answers, cybercriminals can use that post to take educated guesses at your passwords. Additionally, social engineers can tailor social media scams to specific people in order to increase the chances of tricking someone into sending money or sharing valuable personal or banking details.
While spam filters catch a lot of phishing emails, phishers are getting smarter by the day and are making their attempts more and more believable. Connect with your loved ones and make sure they know how to recognize phishing emails, texts, and social media direct messages. Telltale signs of a phishing message include:
If you’re ever unsure if a message is a phishing attempt, the best course of action is to just delete it. If the “sender” is a well-known institution, follow up with a phone call using the official customer service number listed on their website. The phisher may also claim to be someone you know personally. In that case, give the loved one in question a phone call. It’s a good excuse to reconnect and have a nice conversation!
In the quest for free streams of the latest new show or movie, people often encounter unsafe sites that hide malware, spyware or other types malicious links and programs. Some types of malware can jump from one device to others connected to the same home Wi-Fi network. That’s why it’s important to make sure everyone under your roof practices excellent digital security habits. One wrong click could sink an entire household. Consider signing up your family for a safe browsing extension that can notify you when you stray onto a risky site. So, instead of putting your device at risk during movie night, connect with your friends or loved ones over one copy of a safely and officially purchased version.
As with any new health regimen, immediately zooming from zero to a hundred will likely be overwhelming and result in failure. The same goes for adopting new digital safety habits. If you try to do too much at once, all the security measures you put in place will likely get in the way of your daily online activities. The more inconvenient it is, the more likely you may be to cut corners; thus, negating all the progress you’ve made.
Being cybersafe doesn’t mean you can’t still enjoy your connected devices to the fullest. It just means that you may need to act with more intention and slow down before volunteering personal details online or clicking on links.
To supplement your digital detox, consider signing up for McAfee+ Ultimate to make 2023 the year for a safer online you. McAfee+ Ultimate includes all the tools you need to live your best online life safely and privately, including a password manager, web protection, unlimited VPN and antivirus, and $1 million in identity theft coverage and restoration for peace of mind.
Cheers to a digitally smart 2023!
The post Start the New Year Right With This 3-Step Digital Detox appeared first on McAfee Blog.
Have you ever been browsing online and clicked a link or search result that took you to a site that triggers a “your connection is not private” or “your connection is not secure” error code? If you’re not too interested in that particular result, you may simply move on to another result option. But if you’re tempted to visit the site anyway, you should be sure you understand what the warning means, what the risks are, and how to bypass the error if you need to.
A “your connection is not private” error means that your browser cannot determine with certainty that a website has safe encryption protocols in place to protect your device and data. You can bump into this error on any device connected to the internet — computer, smartphone, or tablet.
So, what exactly is going on when you see the “this connection is not private” error?
For starters, it’s important to know that seeing the error is just a warning, and it does not mean any of your private information is compromised. A “your connection is not private” error means the website you were trying to visit does not have an up-to-date SSL (secure sockets layer) security certificate.
Website owners must maintain the licensing regularly to ensure the site encryption capabilities are up to date. If the website’s SSL certificate is outdated, it means the site owners have not kept their encryption licensing current, but it doesn’t necessarily mean they are up to no good. Even major websites like LinkedIn have had momentary lapses that would throw the error. LinkedIn mistakenly let their subdomain SSL certificates lapse.
In late 2021, a significant provider of SSL certificates, Let’s Encrypt, went out of business. When their root domain officially lapsed, it created issues for many domain names and SSL certificates owned by legitimate companies. The privacy error created problems for unwitting businesses, as many of their website visitors were rightfully concerned about site security.
While it does not always mean a website is unsafe to browse, it should not be ignored. A secure internet connection is critical to protecting yourself online. Many nefarious websites are dangerous to visit, and this SSL certificate error will protect you from walking into them unaware.
SSL certification standards have helped make the web a safer place to transact. It helps ensure online activities like paying bills online, ordering products, connecting to online banking, or keeping your private email accounts safe and secure. Online security continues to improve with a new Transport Layer Security (TLS) standard, which promises to be the successor protocol to SSL.
So be careful whenever visiting sites that trigger the “connection is not private” error, as those sites can potentially make your personal data less secure and make your devices vulnerable to viruses and malware.
Note: The “your connection is not private” error is Google Chrome‘s phrasing. Microsoft Edge or Mozilla Firefox users will instead see a “your connection is not secure” error as the warning message.
If you feel confident that a website or page is safe, despite the warning from your web browser, there are a few things you can do to troubleshoot the error.
Remember, you are taking your chances anytime you ignore an error. As we mentioned, you could leave yourself vulnerable to hackers after your passwords, personal information, and other risks.
Your data and private information are valuable to hackers, so they will continue to find new ways to try and procure it. Here are some ways to protect yourself and your data when browsing online.
As we continue to do more critical business online, we must also do our best to address the risks of the internet’s many conveniences.
A comprehensive cybersecurity tool like McAfee+ Ultimate can help protect you from online scams, identity theft, and phishing attempts, and ensure you always have a secure connection. McAfee helps keep your sensitive information out of the hands of hackers and can help you keep your digital data footprints lighter with personal data cleanup.
With McAfee’s experts on your side, you can enjoy everything the web offers with the confidence of total protection.
The post “This Connection Is Not Private” – What it Means and How to Protect Your Privacy appeared first on McAfee Blog.
Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.
Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher.
Smishing, or phishing over SMS, is a tactic where cybercriminals impersonate reputable organizations or people and trick people into handing over their PII or financial details. Sometimes they can seem very credible with the information they have, and you may have even been expecting a correspondence of a similar nature.
So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe?
Like email phishing and social media phishing,
SMS text phishing often tries to use a strong emotion – like fear, anger, guilt, or excitement – to get you to respond immediately and without thinking through the request completely.
In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details – like old addresses and Social Security Numbers – to convince people that they were legitimate bank employees.1 But since when does a bank try to prove itself to the customer? Usually, it’s the other way around, where they’ll ask you to confirm your identity. Be wary of anyone who texts or calls you and has your PII. If you’re ever suspicious of a caller or texter claiming they’re a financial official, contact your bank through verified channels (chat, email, or phone) you find on the bank’s website to make sure.
Smishers often keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.2 However, Rogers credited customers directly to their Rogers accounts.
If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text.
Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels.
If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional, typo-free, and will try to put you at ease, not make you panic.
Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage.
Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. If you have McAfee Safe Browsing on your mobile, it can be your backup if you accidentally open a malicious link.
Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam.
A great absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.
To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life.
1PC Mag, “Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says”
2Daily Hive, “Rogers scam alert: Texts offering credit after outage are fake”
The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.
Have you ever said something you wish you could take back? Maybe it was a comment muttered in the heat of the moment that hurt someone’s feelings. Or maybe you just had a night out full of silly antics that you wouldn’t want your boss or grandma to see.
These are completely normal occurrences that happen all the time. We’re human! We make mistakes and letting loose every now and again is good for us. When these scenarios happen in person, we’re able to apologize or explain ourselves; however, the social media age complicates things. High-def cameras and video recorders are in everyone’s pocket, meaning that in-person slip-ups or lapses in judgement can come back to haunt you in a cyberscheme known as doxing.
Doxing can be harmful to one’s reputation and can cost someone their job, their friends, or their privacy. Here are five things you should know about doxing, plus some tips on how to prevent it from happening to you.
The term doxing originated from the phrase “dropping documents/docs.” It refers to a situation where an enemy or a rival seeks to tarnish the reputation of someone else by releasing documents (aka dropping docs) about them. These documents often contain personally identifiable information (PII) – like full names, birthdates, addresses, employment details, financial information, phone numbers, email addresses – and private correspondences or embarrassing videos or photos. The doxer – or the person dropping the documents – will publish these private details online, whether that’s on a forum, on social media, or a blog.
Doxing is considered cyberbullying because it is a form of online harassment. The doxer often does so with the intent of drumming up widespread hate about the victim and having the release of these private details negatively affect the victim’s life, such as getting them fired from their job or breaking up a relationship.
Doxing happens most frequently to public figures, such as celebrities, politicians, streamers, and journalists. It is also a prevalent practice in the hacking community, where hackers reveal the identities of the real people behind forum usernames. However, anyone is susceptible to having their PII or sensitive photos or videos widely released on the internet for the sake of reputation sabotage. All it takes is for one scorned partner, a disgruntled coworker, or a disagreement to set a doxer on a warpath.
When the saboteur doesn’t have to dig into your past via the dark web or through hacking a personal device, doxing isn’t illegal. It’s malicious and can be emotionally damaging, but there is no law stopping a doxer from publishing the private details of someone else. Doxing crosses the line into a crime when it is accompanied by threats.
So, if a doxer didn’t hack a personal device or buy the PII off the dark web, where did they find these details? Oftentimes, people incriminate themselves with their social media footprint. What seems like ancient history in your social media timeline is again front and center after just a few minutes of scrolling.
Check out these tips that can lessen the chances of doxing happening to you:
In addition to the above tips, McAfee can help you fill in the gaps in your defense. McAfee Total Protection is an all-in-one privacy and identity protection service that includes all the tools you need to secure your PII and help you recover if identity theft occurs after a doxing incident. Personal Data Cleanup scans 40 risky data broker sites for your information. If you appear on any of those sites, McAfee will help you remove it to keep your PII out of a doxer’s hands.
The post 5 Things About Doxing You Should Know appeared first on McAfee Blog.
Our personal and professional lives are becoming increasingly intertwined with the online world. Regular internet usage has made us all prone to cyber-security risks. You leave a digital footprint every time you use the internet, which is a trace of all your online activities.
When you create new accounts or subscribe to different websites, you give them explicit (or implicit, through their family of apps or subsidiary websites) access to your personal and credit card information. In other cases, websites might track basic information without your knowledge, such as your location and search history.
There is an industry of data brokers specifically dedicated to keeping track of user data, packaging it, and supplying it to tech companies who use it to run targeted ads and enhance on-platform user experience. Given the widespread use of the internet and exponential improvements in technology, data has become a valuable commodity — creating a need for the sale and purchase of user data.
This article discusses how data brokers sell your personal information and how you can minimize risk.
Data brokers are companies that aggregate user information from various sources on the internet. They collect, collate, package, and sometimes even analyze this data to create a holistic and coherent version of you online. This data is then supplied to tech companies to fuel their third-party advertising-centered business models.
Companies interested in buying data include but are not limited to:
These companies and social media platforms use your data to better understand target demographics and the content with which they interact. While the practice isn’t unethical in and of itself (personalizing user experiences and creating more convenient UIs are usually cited as the primary reasons for it), it does make your data vulnerable to malicious attacks targeted toward big-tech servers.
Most of your online activities are related. Devices like your phone, laptop, tablets, and even fitness watches are linked to each other. Moreover, you might use one email ID for various accounts and subscriptions. This online interconnectedness makes it easier for data brokers to create a cohesive user profile.
Mobile phone apps are the most common way for data brokerage firms to collect your data. You might have countless apps for various purposes, such as financial transactions, health and fitness, or social media.
A number of these apps usually fall under the umbrella of the same or subsidiary family of apps, all of which work toward collecting and supplying data to big tech platforms. Programs like Google’s AdSense make it easier for developers to monetize their apps in exchange for the user information they collect.
Data brokers also collect data points like your home address, full name, Social Security number, phone number, and date of birth. They have automated scraping tools to quickly collect relevant information from public profiles.[Text Wrapping Break]
Lastly, data brokers can gather data from other third parties that track your cookies or even place trackers or cookies on your browsers. Cookies are small data files that track your online activities when visiting different websites. They track your IP address and browsing history, which third parties can exploit. Cookies are also the reason you see personalized ads and products.
Data brokers collate your private information into one package and sell it to “people search” websites like Spokeo or TruePeopleSearch. You or a tech business can use these websites to search for people and get extensive consumer data. People search sites also contain public records like voter registration information, marriage records, and birth certificates. This data is used for consumer research and large-scale data analysis.
Next, marketing and sales firms are some of data brokers’ biggest clients. These companies purchase massive data sets from data brokers to research your data profile. They have advanced algorithms to segregate users into various consumer groups and target you specifically. Their predictive algorithms can suggest personalized ads and products to generate higher lead generation and conversation percentages for their clients.
We tend to accept the terms and conditions that various apps ask us to accept without thinking twice or reading the fine print. You probably cannot proceed without letting the app track certain data or giving your personal information. To a certain extent, we trade some of our privacy for convenience. This becomes public information, and apps and data brokers collect, track, and use our data however they please while still complying with the law.
There is no comprehensive privacy law in the U.S. on a federal level. This allows data brokers to collect personal information and condense it into marketing insights. While not all methods of gathering private data are legal, it is difficult to track the activities of data brokers online (especially on the dark web). As technology advances, there are also easier ways to harvest and exploit data.
Vermont and California have already enacted laws to regulate the data brokerage industry. In 2018, Vermont passed the country’s first data broker legislation. This requires data brokers to register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and data breaches.
California has passed similar laws to make data brokering a more transparent industry. For risk mitigation of data brokerage, the Federal Trade Commission (FTC) has published reports and provided recommendations to Congress to reduce the engagement of data broker firms. Giving individuals the right to opt-out of the sale of their personal data is a step toward a more rigorous law regarding data privacy.
Some data brokers let you remove your information from their websites. There are also extensive guides available online that list the method by which you can opt-out of some of the biggest data brokering firms. For example, a guide by Griffin Boyce, the systems administrator at Harvard University’s Berkman Klein Center for Internet and Society, provides detailed information on how to opt-out of a long list of data broker companies.
Acxiom, LLC is one of the largest data brokering firms and has collected data for approximately 68% of people who have an online presence. You can opt-out of their data collection either through their website or by calling them directly.
Epsilon Data Management is another big player in the data broker industry that operates as a marketing service and marketing analytics company. You can opt-out of their website through various methods such as by email, phone, and mail. Credit rating agencies like Experian and Equifax are also notorious for collecting your data. Similarly, you can opt-out through their websites or by calling them.
McAfee is a pioneer in providing online and offline data protection to its customers. We offer numerous cybersecurity services for keeping your information private and secure.
With regard to data brokers, we enable users to do a personal data clean-up. Cleaning up your personal data online may be a difficult task, as it requires you to reach out to multiple data brokers and opt out. Instead, sign up for McAfee’s Personal Data Cleanup feature to do a convenient and thorough personal data clean-up. We will search for traces of your personal data and assist in getting it removed.
The post How Data Brokers Sell Your Identity appeared first on McAfee Blog.
Sextortion is something no parent wants to think could happen to their child, nor a topic most of us would ever imagine we’d need to discuss in our homes. However, according to the latest FBI reports, sextortion is a digital threat to children that, woefully, is on the rise.
According to the FBI, there has been a considerable increase lately in sextortion cases involving children and teens being coerced by adults online.
A sextortion scenario can emerge in several ways. Most often, it occurs when an adult (posing as a peer) engages in casual conversation with an underage child, gains their trust through online conversation, then pressures or threatens the child into sharing sexual photos or videos of themselves.
In some cases, the initial contact with the criminal will be a threat. The person may claim to already have a revealing picture or video of a child that they threaten to share if the victim does not send more pictures.
According to the FBI, this crime more often starts when young people believe they are communicating with someone their age who is interested in a relationship or with someone who is offering something of value. This catfish (false profile) relationship usually involves the predator using gifts, money, flattery, lies, or other methods to get a young person to produce an image.
These dangerous conversations can be initiated through text, a social or chat app, a gaming site, or any number of digital connection points.
After a criminal successfully obtains a photo or video from their victim, the threats can escalate to promises to publish the content or even hurt the child if they don’t send more. This emotionally harrowing situation can ignite shame, fear, and confusion in children who may be too embarrassed to ask for help or report the abuse.
While these criminals rarely request to meet their victims face-to-face, the emotional and physical impact of sextortion can be devastating to a child. According to the FBI, some victims report abusers who become vicious with non-stop harassment and threats. Victims can feel scared, alone, embarrassed, and increasingly desperate. Sadly, as reported in the news, this type of crime can leave some children feeling like they have no way out of the situation.
If you are a parent or caregiver, explain to your child how sextortion can happen to anyone online and why it’s important to only connect with known friends and family. Parents: Consider boosting your device security with parental controls that filter content, report your child’s online activity, and reveal potential problems.
Some essential safety protocols kids should follow online are worthy of repeating. They are:
1) Make social accounts private, don’t share personal information, and only connect with known friends
2) Ignore and block messages from strangers
3) Keep your guard up. People can pretend to be anyone online, and photos can be altered
4) Be suspect if anyone asks you to message or text with them privately
5) Never share risky photos with anyone online—even a trusted friend
6) Tell someone immediately if someone is threatening you online.
With your child, go through their apps, social networks, chats, gaming communities, and friend groups and do some editing, defriending, and blocking. Make sure both you and your child know and trust all their online connections. Remember: Open communication and an honest relationship with your child are the most powerful tools you have to keep your child safe online.
A sextortion situation for a child can be incredibly confusing and cause them to isolate and avoid telling anyone about it. Remind and be clear with your child that they would never be in trouble for coming to you with any problem. Let them know that sextortion is a crime for the perpetrator and that they have not broken any laws by sending photos (despite what an abuser might have told them).
Victims of sextortion should go to a parent or trusted adult and tell them they need help. While doing this can feel terrifying, it’s crucial for victims to know people understand and want to help. For parents and caregivers, contact the FBI at 1-800-CALL-FBI or report the crime online at tips.fbi.gov.
While the bad actors online are out to exploit and ruin our digital spaces, it’s important to maintain a healthy perspective rather than responding with fear. Remind your kids that there’s an army of people even more dedicated than the criminals; people like the FBI who are out to stop online crime and keep the internet safe for families. Additionally, as a parent or caregiver, your commitment to helping your family stay informed, equipped, and empowered online is how we all win.
The post Sextortion: What Your Kids Need to Know appeared first on McAfee Blog.
This month, McAfee celebrates three years of maintaining pay parity. Compensating employees equally for their contributions, regardless of gender or ethnicity, is one of the many ways we create a culture where all can belong and an environment where everyone is valued.
But equal pay sounds like a given, right?
It absolutely should be. However, unconscious bias and a slew of contributing factors, such as differences in how men and women negotiate pay raises and starting salaries, means inequality can slowly creep in across a business and become pervasive unless actively monitored. This means maintaining pay parity requires constant work and attention.
As the first cybersecurity company to achieve pay parity, we know first-hand the commitment involved in such an undertaking. We also know the overall impact for our employees, including greater trust, engagement, and loyalty. More than this, we believe simply, that pay parity is the right thing to do.
Today, I’m sharing more about our journey, our process, and our work to maintain pay parity.
How we began
Our pay parity journey began in 2018. Few companies had achieved pay parity at the time, but we realized it was an essential part of ‘walking the walk.’ It’s well documented that diverse teams perform higher, and when employees feel seen and valued for their contributions, they are more productive and increasingly innovative.
We developed a framework and conducted our first annual audit in late 2018. At the time, McAfee had experienced various changes. We had been a public company, then acquired by a $70 billion hardware company, and later sold to private equity. The result of all this change and being a newly private company creating a new identity and standing up new programs, had led to inconsistencies. The results revealed pay disparities across nine of our 45 countries. With our Board’s full support, we were unwavering in our commitment to resolve swiftly and invest in adjusting salaries immediately to ensure full pay parity in that year. Once we dissected the data, we couldn’t wait to reach parity over time, it had to be immediate. We also had full commitment to put measures in place to maintain any pay parity ‘drift’.
Our process
In its simplest form, we adhere to the following framework for achieving and maintaining pay parity:
Staying the course
Maintaining pay parity is a year-long exercise and is now part of our culture. At McAfee, we run quarterly audits and use a third-party vendor to help remove the notion of any perceived bias and subjectivity. If discrepancies are identified, we address them immediately. It’s important to note that pay parity can change daily based on new hires coming in and market changes. So, it can’t be a once-a-year review, you have to stay on top of it to ensure your organization is at parity.
We also work hard to keep pay parity front of mind for people leaders and hiring managers. Through regular training on diversity topics, we remind people leaders of the science behind unconscious bias and how to overcome it. To further remove any bias, we overlay promotions, awards, and relevant employee programs with a Diversity Impact Analysis to ensure allocation of awards is statistically aligned to the diverse population of that team or organization.
It’s the combination of these efforts that resulted in an exciting milestone: our latest independent audit revealed no disparity. This tells us our commitment to equality permeates our culture. The absence of any discrepancies did not happen by accident – it’s the result of intentional focus from our leaders, recruitment team, and hiring managers.
What the future holds
Since we began our journey three years ago, the world has experienced tremendous change and challenging times – some may feel more divided than united. This makes our commitment to pay parity and building an inclusive culture even more important.
We will continue to maintain parity, ask what we can do better, and share the best practices we continue to follow, as well as learnings along the way.
Ready to join a company that stands for equality? Search our openings at Careers.McAfee.com.
The post Three Years of Pay Parity: Lessons in Maintaining Equality appeared first on McAfee Blog.
Who loves tax season besides accountants? Scammers.
Emotions can run high during tax time. Even if you’re pretty sure you did everything right, you may still have a few doubts kicking around. Did I file correctly? Did I claim the right deductions? Will I get audited? As it turns out, these are the very same anxieties that criminals use as the cornerstone of their attacks.
So yes, crooks indeed love tax season. Particularly online. And they’ll bait your digital world with several proven types of scams in an effort to cash in on what can be a somewhat uncertain time.
The good news is that you have plenty of ways to protect yourself from these scams. Let’s look at what scammers typically have in store, along with some practical advice to protect yourself as you file your taxes—things you can do to keep crooks out of your business this tax season. Don’t delay, download McAfee’s tax season security guide to avoid the latest tax scams.
First, know that you’re probably doing a good job with your taxes. Less than 2% of returns get audited and most discrepancies or adjustments can get handled easily if you address them promptly.
Still, the wariness of the IRS and intricate tax laws makes for ripe pickings when it comes to hackers, who prey on people’s fear of audits and penalties. Common scams include fake emails, phone calls from crooks posing as IRS agents, and even robocalls that threaten jail time.
What are crooks looking to do with their scams? Several things:
As if we didn’t have enough to worry about at tax time without crooks in the mix.
Investigating the landscape even more closely, we can turn to the authority itself, as the IRS has published its most recent top 12 tax season scams, a broad list that includes:
|
|
For a comprehensive look at each one of these scams, and for ways, you can steer clear of them, check our Guide to IRS & Tax Season Scams. However, there are some common threads to many of these scams.
For starters, plenty of tax scams involve crooks posing as an IRS employee, perhaps via a phone call or email, to glean personal information from you, or to demand payment—sometimes under the threat of penalties or even jail time. Crooks won’t hesitate to use strong-arm tactics like these and play on your fears. The good news is that such tactics are typically a sign that the contact isn’t legitimate. In fact, a quick way to spot a scam is to know what the IRS won’t do when they contact you. From the IRS.gov website, the IRS will not:
What will the IRS do? Usually, the IRS will first mail a notification to any taxpayer who owes taxes. IRS collection employees might call on the phone or make an unannounced visit to your home or business. If they require payment, the payment will always be to the U.S. Treasury. Read about other ways to know what the IRS won’t do when they contact you.
Scammers won’t limit themselves to posing as the IRS. They’ll act as an imposter in several other ways as well. For example, they may pose as a popular do-it-yourself tax brand, a tax preparer, or even as a phony charitable organization that promises any donations you make are tax-deductible.
Here, they may send you phony emails or direct messages or even ring you up with bogus telemarketing or robocalls designed to steal personal information.
In the cases where the scammers reach you online, the emails and messages they send will vary in their tone and polish—in other words, how authentic they appear. Some will look nearly legitimate and cause even the most hardened of digital skeptics to click on a phony link or download a sketchy attachment. Others, well, will look clearly like spam, complete with spelling and grammatical errors, along with clumsy use of logos, layouts, and design.
Taken together, both are ways that scammers get people to visit sites designed to compromise personal information … or to download malware like keyloggers that skim account passwords and ransomware that encrypt a victim’s files hold them hostage for a price.
Social media attacks also made the IRS Dirty Dozen. In a social media attack, scammers harvest information from social media profiles and turn it against their victims. Per the IRS, because “social media enables anyone to share information with anyone else on the Internet, scammers use that information as ammunition for a wide variety of scams. These include emails where scammers impersonate someone’s family, friends, or co-workers.”
With those personal details gleaned from social media, scammers will send phony links to scam sites, promote bogus charities, or flat-out ask for money or gift cards to “help them out” at tax time.
No question that bogus emails, messages, and phone calls remain a popular way for scammers to steal personal and financial information. Spam emails, messages, and the malicious links associated with them abound this time of year as well. It’s always to keep a critical eye open for these, and it’s particularly true during tax season.
View all emails with attachments and links with suspicion, even if they appear to come from a person, business, or brand you know. Confirm attachments with the people you know before opening. And if you receive a message or alert about an account of yours, visit that company or organization’s website directly to enquire into the status of your account rather than taking a chance by clicking on a link that could send you to a phony website.
One way to protect yourself from an identity thief from claiming a return in your name is to file yours before they do. In fact, many victims of identity theft find out they’ve been scammed when they receive an IRS notification that their tax claim has already been filed. Simply put, file early.
Here’s another tool that can help you fight identity theft. And get this: it’s not only helpful, but it’s also free. Through the Federal Trade Commission, you are entitled to a free copy of your credit report from each of the three major credit reporting companies once every 12 months. In this report, you can find inaccuracies in your credit or evidence of all-out identity theft.
Keep in mind that you get one report from each of the reporting companies each year. That works out to three reports total in one year. Consider this: if you request one report from one credit reporting company every four months, you can spread your free credit report coverage across the whole year.
As with much of the guidance we offer around social media, one of the best ways to prevent such social media tax attacks is to make your profiles private so that only friends and family can see them. That way, scammers will have a far more difficult time reaching you. Moreover, consider paring back the information you share in your social media profiles, like your alma maters, birthday, mother’s maiden name, pet names—any personal information that a scammer may use to compromise your accounts or the security questions associated with them.
Protecting your devices with comprehensive online protection software can help block the phishing emails and suspicious links that make up many of these tax attacks. Likewise, it can further protect you from ransomware attacks like mentioned above. Additionally, our online Protection Score looks for weak spots in your protection and helps you shore them up, such as if discovers that your info was compromised or part of a data breach. From there, it guides you through the steps to correct the problem.
Further, consider online protection software that offers identity theft protection as well. A strong identity theft protection package offers cyber monitoring that scans the dark web to detect misuse of your personal info. With our identity protection service, we help relieve the burden of identity theft if the unfortunate happens to you with $1M coverage for lawyer fees, travel expenses, lost wages, and more.
The IRS offers steps you can take in the event you suspect fraud or theft. Their current resources include:
As mentioned above, you can get even more up to speed on the different tricks hackers are using by downloading our Guide to IRS & Tax Season Scams. It’s free, and it offers more ways you can protect your identity and information this tax season and year ‘round.
The post The IRS “Dirty Dozen” – Top Tax Season Scams to Steer Clear of This Year appeared first on McAfee Blog.
Have you ever been online and replied to a comment or post? Maybe it was on Reddit or on an influencer’s Instagram. Did other people reply to you, and were any of them unexpectedly hostile? When you’re online, a little hostility is sadly par for the course, but most people brush it off and move on to enjoy other aspects of life online. But what would you do if that unpleasant interaction went much farther than was reasonable? What if one day you discovered the most important parts of your identity had been maliciously and intentionally revealed online? Let’s talk about doxxing – what it is and how you can avoid becoming a victim of this kind of harassment.
Doxxing, derived from the hacker term “dropping docs”, is internet slang for revealing someone’s identity online for the purposes of harassing them. It usually goes way beyond simply revealing someone’s email address or name and may involve personal information like a home address or workplace, SSN, financial information, phone number, pictures, texts, IP address, and other important details. The tricky thing about doxxing is that aspects of it may not be a crime, depending on what you’ve made publicly available online. However, the context in which doxxing occurs is crucial. Often it’s the first step taken to incite more severe harassment. For instance, the doxxer may not plan on taking action against their target but instead hope that someone else does. When put up against a recent Pew Research report showing that 41% of U.S. web users experience harassment in some form, it’s clear that Doxxing is a dangerous trend online.
Doxxing is a problem that’s grown in scope simply because there’s so much more data about us being kept online. Third-party services, called data brokers, capture our account info, the sites we visit, how long we spent on them, and other kinds of metadata to create profiles they then resell to advertisers. If someone gets access to these troves of data, they can reveal extremely damaging information about an individual, or data that allows a person to be damaged. For instance, with a phone number and a current address, some criminals were able to call in SWAT teams on innocent individuals. Political dissidents are often doxxed by the governments their protesting against. And on a lighter note, the adult website Ashley Madison, which promotes extramarital affairs, had their members’ data leaked online, to the embarrassment of a few public figures.
The response should be very similar to the one you’d take if your wallet was stolen. Move fast, stem the loss, and begin remediation as soon as possible. Here are some broad steps that can be taken.
Of course, not being doxxed in the first place is the ultimate goal of a proactive online protection plan. Here’s what we recommend:
Identity theft protection services help protect your data, monitor your online accounts like emails, SSNs, and more. In addition to online monitoring, they should also offer insurance and even theft remediation if the worst should occur.
Before you tag your location, friends, or workplace in a photo think about who has access to this information. What’s gained or lost by sharing all that info? Also, security questions for your accounts should not use the name of your pet or your first-born child if you have posted those on Facebook.
Public Wi-Fi networks at coffee shops and airports may not be secure against hackers and snooping. That’s why we recommend using a VPN whenever you’re connected online. This powerful tool hides your activity and location whenever you’re online on an unsecured network.
Googling yourself is a great way to see if anyone is using your online identity in bad ways.
Social networks allow you to control who can see your data. Usually, with a few clicks, you can restrict what you show online to a great degree. For instance, makes your payments viewable to other users as a default, but can easily be changed to hide them from the public.
Using long, complex, unique passwords for every account is convenient and maybe the best way to prevent your information from being stolen. Yes, we said convenient because with a password manager you only need to remember one key to create and manage much longer ones for all your most important accounts.
The reality is that the more we live online, the more our identities will too. This does not mean we need to live a restricted life online. In fact, using comprehensive online protection, which features most of the tools above, we can remain free to enjoy life on our terms. Doxxing is something to be aware of, but with great protection, it’s far from anything we need to be worried about as we make the most of our lives online.
The post Doxxing, The Internet, and How You Can Lock Down Your Data appeared first on McAfee Blog.
With the holidays on the horizon, spirits are high—and it’s those same high spirits that hackers want to exploit. ‘Tis the season for clever social engineering attacks that play on your emotions, designed to trick you into giving up personal info or access to your accounts.
Social engineering attacks unfold much like a confidence scam. A crook takes advantage of someone’s trust, applies a little human psychology to further fool the victim, and then pulls off a theft. Online, a social engineering attack will likely involve a theft attempt of personal or account information that the crook can then use to make purchases, drain accounts, and so forth.
Not at all in the holiday spirit, right? Let’s take a look at some of their top tricks so that you can spot and avoid them.
As said, spirits can get high this time of year. There’s looking forward to gatherings with family and friends, the fun that comes along with hunting for that perfect gift, and the excitement of the holidays overall. And that’s what hackers count on—people getting caught up in the rush of the holidays, to the point where they may not look at emails, offers, shipping notices, and such with a critical eye. That’s how the scammers get their foot in the door.
Some of their favored tricks can look a little like this:
What are the holidays without that trendy “must-get” gift item, the one that’s seemingly out of stock no matter where you look? Scammers are keen on these items as well and will prop up phony ads and storefronts that pretend to sell those items but really don’t. Instead, they’re just a shady way for them to steal your debit or credit card information—or to lift a few bucks out of your pocket in return for nothing.
One way to keep from getting burned by one of these scams is to follow the old adage, “If it looks too good to be true, it probably is.” In this case, crooks are using feelings of scarcity and urgency to get you to bite. Here’s where you can take a moment before you click to do some research.
Answers to these questions can separate the good businesses from the bogus ones.
Like the above, crooks will create a sense of urgency about a hot holiday item or limited time offer. The twist comes when they request payment via a gift card rather than by credit or debit card or other legitimate online payment methods. This request is highly deliberate because gift cards are much like cash. Once the money on the card is spent, it’s gone, and these cards do not offer the same protections that come with other payment methods.
You can avoid this one easily. If anyone asks you to use a gift card as payment, it’s a scam. Gift cards are for gifts, not payment, says the Federal Trade Commission (FTC). If you come across such a scam, you can report it to the FTC as well.
Donating to a charity in someone else’s name is often a popular gift. Much the same, giving a donation to a worthy cause feels particularly good this time of year. Once again, scammers will take advantage of these good intentions by propping up phony charities designed to do nothing more than dupe you out of your money. Whether that’s a flat-out phony charity or one of the many other scam charities that have been known to pocket 90 cents of every dollar donated, this is the time of year to be on the lookout for both.
The advice here is much the same as the advice for avoiding phony businesses and retailers. Do your homework. The Better Business Bureau maintains a listing of charities that can help you make good donation choices. Also, your state government’s charity officials can help you separate good charities from bad—and even file a report if you suspect a scam is at play.
And once again, if a charity is asking for donations in the form of cash, gift cards, or wire transfer, just say no. That’s a surefire sign of a scam.
Scammers know you have packages in transit this holiday season, loaded with gifts that you’re eagerly tracking. Enter another classic scam—the phony shipping notice. The idea is that you already have so many packages on their way that you won’t think twice about opening an email with a “shipping notice” that comes in the form of an attachment. Of course, that attachment is a fake. And it’s loaded with malware.
Too bad for scammers, though. This is another one you can steer clear of rather easily. Don’t open such attachments. Shipping companies will almost certainly send along notices and invoices in the body of an email, not as an attachment. If you have a question, you can always visit the shipper’s website and look up your tracking info there. Likewise, follow up with the customer service department of the company that you purchased the item from in the first place.
While the holidays are a special time for scammers too, there are several things you can do to up the level of your protection now and year ‘round. A quick list includes:
No doubt, the holidays have a feel all to themselves, one which hackers and crooks want to take advantage of. They’ll craft their tricks accordingly and try to twist the good times that roll around at the end of the year into scams that capitalize on your good intentions. As you can see, it’s not too tough to spot them for what they are if you pause and take a moment to scrutinize those emails, offers, and sales. And that’s the thing with the holidays. We can all feel pinched for time at some point or other during this stretch. Look out for their pressure tactics and seemingly clever ways of using social engineering to rip you off. That way, you can spend the holidays focusing on what’s important—your friends and family.
The post Social Engineering: Tis the Season for Tricky Hackers appeared first on McAfee Blog.
If you pick up your teen’s phone on any given day, chances are the next stop you make will be Google. That’s because, if you’re like most parents, you’re beyond baffled by texting language kids use.
It’s okay, you are not alone if you feel out of the loop. As parents, we’re not invited to the party—and that’s okay. Slag belongs to the generation that coined it. And few of us are aching to use words like “sus” and “simp,” right? The goal of these updates isn’t to decode or invade. It’s digital parenting 101. The more we know about what’s going on in our child’s world, the better we can parent. It’s our job to know.
So once a year we do our best to decipher some of the more common terms you may hear or see your kids use. Keep in mind: Slang isn’t universal. It changes from city to city and culture to culture. Terms and meanings may vary. Many of the words are fun and harmless, while others are specifically meant to mask risky behavior. Remember, McAfee frees you to live your connected life safe from threats like viruses, malware, phishing, and more. Download award-winning antivirus that protects your data and devices today.
A real one. A person who is being authentic, genuine, trusted.
And I oop. A phrase used after a funny mistake or accident.
Awks. Short for awkward.
Baddie. Name for an independent female who is tough and beautiful.
Bands. Refers to bands around cash or a wealthy person. No doubt, the dude’s got bands.
Bet. A willingness to do something; means “yes” or “okay.”
Big yikes. When you see something, that is a huge embarrassment.
Booed up. To be in a romantic relationship.
Bop. A really good song. That song is such a bop!
Bread or Cheddar. Terms that refer to money.
Breadcrumbing. Sending flirtatious text messages to another person to get their attention but remain non-committal.
Bussin. Something is awesome. Her new hair color is bussin’.
Cake. When someone’s body looks good. The girl in my science class has cake.
Cancel. Reject or stop supporting a group or idea.
Cap. A term that means “lie” or “false.” He said we were a couple. Cap!
No cap. A phrase that means “no lie” or “for real” emphasizes telling the truth. I just saw him eat a bug. No cap!
CEO. A term used to describe something that you’re very good at, making you the CEO of it. I’m the CEO of being late to class.
Cheug. This term describes a person, idea, or situation that is outdated or inauthentic.
Clout. A term that relates to a person’s follower count, fame, or influencer status. Sometimes an expression for an extravagant way of living.
Chasing Clout. A term that describes a person who does and says things for the sole purpose of becoming more popular.
Curve. To reject someone romantically.
Cuffing. Wanting to date or cuff yourself to someone temporarily—at least until summer break.
Do it for the gram. A phrase that describes someone doing something for the sole purpose of posting online.
Drip. A term that describes someone’s style as sexy or cool. Zayne has some serious drip.
Facts. When you agree with someone.
Finsta. A second Instagram account used for sharing with a smaller circle of friends and followers.
Fish. Fishing for compliments.
Fit. Short for outfit.
Flex. To show off or show something off.
Get after it. Start with something with intensity.
Ghost. Suddenly stop all contact with someone online and in person.
Hundo P. Being 100% certain.
Hypebeast. A term that describes someone who cares too much about popular things rather than being self-aware and genuine.
I’m dead. Describes how you feel when something is hilarious.
I’m weak. Like, dead, describes how you feel when something is hilarious.
I can’t even. An expression used when you’ve had enough of someone or a situation.
Keep it 100. Stay true to yourself and stick to your values.
Lewk. Look.
Left on read. When someone does not respond to your text. He left me on read!
Lit. Cool or awesome.
Mood. A term used to express a relatable feeling or experience. Seeing that kid by himself kicking a can is such a mood.
Mutuals. People who follow and support one another on social media.
Oof. An expression used when something bad happens, and you don’t know how to respond.
Periodt. A term used to emphasize what you just said.
Purr. Expressing approval. I’ve got nothing but purr for my friends.
Receipts. Evidence to prove someone is either lying. Often in the form of screenshots, videos, or images.
Savage. A cool person or someone overly direct or candid.
Sketch. A sketchy or ominous situation, place, or person.
Skrrt. To leave quickly or get away from someone (the sound a car makes).
Ship. Short for relationship.
Simp. Used to describe a guy who is seen as being too attentive and submissive to a girl.
Sheesh. A term used to compliment someone when they look good or do something good.
Suh. A combination of “sup” and “huh” used as a greeting.
Sus. Short for suspect describing a situation, a person, or a claim. That guy is sus. Let’s get out of here.
Shawty. An attractive female. Sometimes a short, attractive female.
Sheee. An expression of disappointment, annoyance, or surprise.
Slaps. A term used when something is awesome. The DJ slaps.
Snatched. Describing a person or a thing that looks great. I’m jealous her makeup is so snatched.
Stan. A combination of “stalker” and “fan” refers to an overly obsessed fan of a celebrity.
Straight Fire or Fire. Describes something amazing. His new truck is straight fire.
Thumpin’. Word to describe someone going very. I didn’t even see him leave. He was thumpin’.
Vaguebooking. The act of posting vague Facebook or other social status updates for attention or as a cry for help. Wondering what the point of it all is anyway.
Whip. A word that means car. Have you seen his new whip?
Wig. When something has you so excited, your wig might come off; mind-blowing. The new Adele song!! WIIIIGGG!
Yeet. Throwing something out of rage. Also used as an exclamation for being excited.
NGL. Not Gonna Lie.
NMH. Nodding My Head; an expression of agreement.
NSA. No Strings Attached.
HWU. Hey, what’s up?
IYKWIM. If You Know What I Mean.
RLY. Really?
OG.Short for Original Gangster;a compliment for someone who is exceptional or authentic.
ORLY. Oh really?
SMH. Shaking My Head.
TFW. That Feeling When
TT2T. Too Tired to Talk.
L. Short for loose or loss.
V. Short for very.
W. Short for win. Their loss is our w.
WYA. Where are you at?
WYD. What are you doing?
YK. You’re Kidding.
YKTS. You Know the Score.
YKTV. You know the vibe.
Addy/Study Buddy. Terms used in place of the medication Adderal.
Break Green. A term that means to share marijuana with others.
Crashy. Combo of “crazy” and “trashy.”
Daddy. An attractive man, usually older, who conveys a sense of power and dominance.
Faded/Cooked. Terms used to describe being high on drugs.
Lit/Turnt Up. It can mean party or get drunk.
MOS/POS. Mom Over Shoulder; Parent Over Shoulder.
Kush/Flower/Gas. Terms used in place of marijuana.
Smash. To hook up for casual sex. Is he a smash or a pass?
Thirsty. Adjective for a person desperate for attention or sex.
Xan/Xans. Terms short for Xanax, a sedative used to treat anxiety. Also called xanny, beans, bars, and footballs.
ASL. Age/sex/location.
CD9. Can’t talk parents are here.
CU46. See You For Sex.
GALMA. Go Away Leave Me Alone.
GOMB. Get Off My Back.
GSW. Get Some Weed.
LMIRL. Let’s meet in Real Life.
KMS/KYS. Kill myself, Kill Yourself.
ONG. On God; a term that implies a person is serious enough to swear “on god.”
ONS. One Night Stand.
Spice or K2. Code for synthetic marijuana, which can be more harmful than actual cannabis.
URAL. You’re A Loser.
WWTP. Want to Trade Pics?
X or E. Letters that stand for ecstasy, otherwise known as “molly” or MDMA.
Zaddy. A well-dressed, attractive man of any age.
Zerg. A term that originated in the gaming community for gamers using the many against one strategy to win a game. A Zerg is a person who employs the same bullying tactics in real life. Stay away from him. He’s such a Zerg! Or Stay off that site. There’s too much zerging.
Protect your connected life today with McAfee Total Protection
*Content collected from various sources, including NetLingo.com, slangit.com, cyberdefinitions.com, UrbanDictionary.com, webopedia.com, and conversations on TikTok, Reddit, and YouTube.
The post Teen Slang and Texting Acronyms Parents Should Know appeared first on McAfee Blog.
Picture this: you open your MacBook and see an email claiming to be from your favorite online store. In the email, there is an attachment with “important information regarding your recent purchase.” Out of curiosity, you open the attachment without checking the recipient’s email address. The next thing you know, your device is riddled with malware.
Unfortunately, this story is not far from reality. Contrary to popular belief, Apple computers can get viruses, and XLoader has Mac users in their sights.
Let’s break down XLoader’s ‘s origins and how this malware works.
Where Did XLoader Come From?
XLoader originated from FormBook, which has been active for at least five years and is among the most common types of malware. Designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes, and more, FormBook allowed criminals to spread online misfortune on a budget. Its developer, referred to as ng-Coder, charged $49, a relatively cheap price to use the malware, making it easily accessible to cybercriminals.
Although ng-Coder stopped selling FormBook in 2018, this did not stop cybercriminals from using it. Those who had bought the malware to host on their own servers continued to use it, and in turn, quickly noticed that FormBook had untapped potential. In February 2020, FormBook rebranded to XLoader. XLoader can now target Windows systems and macOS devices.
Typically, XLoader is spread via fraudulent emails that trick recipients into downloading a malicious file, such as a Microsoft Office document. Once the malware is on the person’s device, an attacker can eavesdrop on the user’s keystrokes and monitors. Once a criminal has collected enough valuable data, they can make fake accounts in the victim’s name, hack their online profiles, and even access their financial information.
According to recent data, Apple sold 20 million Mac and MacBook devices in 2020. With macOS’s growing popularity, it is no surprise that cybercriminals have set their sights on targeting Mac users. Check out these tips to safeguard your devices and online data from XLoader and similar hacks:
Hackers often use phishing emails or text messages to distribute and disguise their malicious code. Do not open suspicious or irrelevant messages, as this can result in malware infection. If the message claims to be from a business or someone you know, reach out to the source directly instead of responding to the message to confirm the sender’s legitimacy.
Hackers tend to hide malicious code behind the guise of fake websites. Before clicking on an unfamiliar hyperlink, hover over it with your cursor. This will show a preview of the web address. If something seems off (there are strange characters, misspellings, grammatical errors, etc.) do not click the link.
Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor — a tool that identifies malicious websites.
Regardless of whether you use a PC or a Mac, it is important to realize that both systems are susceptible to cyberthreats that are constantly changing. Do your research on prevalent threats and software bugs to put you in a great position to protect your online safety.
XLoader is just the latest example of how the gap between the prevalence of PC versus macOS malware is steadily closing. To better anticipate what threats could be around the corner and how to best combat them, stay updated on all of the latest online safety trends and practice great security habits. This will not only help protect your devices and online accounts but also bring you greater peace of mind.
The post 3 Tips to Protect Yourself From XLoader Malware appeared first on McAfee Blogs.
We all like to think we’d know what to do if an emergency should occur. In split seconds, we try to recall the ratio of chest compressions to breaths of air learned in bygone health classes or that summer spent lifeguarding. We recognize the importance of a “to go” bag those final few days of pregnant pauses and false alarms before a baby arrives. We have seen enough television shows and cooking competitions to know Gordon Ramsey or Guy Fieri will be the first to scold us if we try to put out an erupted kitchen grease fire with anything other than salt and smothering.
We pick up a fair amount of knowledge and traits along the way to employ should disaster strike – and we absolutely take necessary precautions if we are knowingly in harm’s way. For example, those that live within a fault line’s reach are apt to prefer housing with stronger foundations and reinforced windowpanes. If you choose to live close to the warm waters of the Atlantic Ocean’s “hurricane alley,” you most likely know the fastest route to a causeway. An underground storm shelter to escape a tornado’s wily path can certainly come in handy.
We are taught that “hindsight is 20/20,” and that harboring regret is top on the list of feelings to avoid most throughout life. We obey the mantra many scouts learn in youth – being prepared – to the best of our ability. While earth’s natural disasters may never be preventable, it is clear preparation and readiness to face the inevitable can be a key differentiator when it comes to damage that can be incurred.
So far in 2021, we have witnessed major infrastructure impairments, interrupted supply chains, and havoc wreaked on local and federal economies.
This did not happen due to volcanic eruptions, tsunamis, nor mudslides, but rather through security breaches and attacks. And despite headlines shouting and nearly every security vendor urging enterprises the world over that cyberattacks are posed to continue to increase both in frequency and sophistication, especially ransomware threats, organizations have more often than not found themselves on the receiving end of hindsight and regret when it comes to these man-made, modern-day disasters.
So, the question begs to be asked, if the damages mentioned above could have been lessened or avoided through preparation and readiness, why is it still so difficult for CISOs to convince the c-suite that it’s better to be prepared for cyber-disaster, than sorry?
Staying safe and secure is the main goal in any disaster or emergency, but another less-talked-about goal is obviously to avoid what could have been prevented. The phrase, “I told you so,” will never land softly or kindly, especially when you are left surveying the ravaged ruins of what is left in the aftermath.
Many CISOs and SOC workers have encountered this situation recently, mentally kicking themselves or expressing frustration analyzing and evaluating breaches or attacks after they have occurred. Of course, the vulnerabilities are crystal clear when security experts look back on what happened, but muddy and missed when they play out in real time.
Scientists will inform us when a volcanic eruption may be imminent; a tornado will be prefaced with a loud siren meant to be heard throughout the county or immediate area; we often see tropical storms gain momentum and destructive qualities far before they transition to hurricanes and make landfall. This is to say, when it comes to natural disasters, they’re going to happen regardless, but damage prevention is dependent on prediction and experience.
Carefully measured and monitored gaseous pressure under the earth’s surface will indicate when a volcano may be imminent. Because of this, volcanologists can attempt to forewarn residents to vacate an area before disaster hits. This outcome is expected, and systems and processes are in place to thwart damage as much as possible. I imagine along with scientists; we’d be quite surprised if a volcano suddenly started spewing mass quantities of water instead of magma and ash.
We rely on patterns from previous incidents when it comes to geological acts of nature, but in the cybersecurity industry, disasters are man-made, and progressively more dangerous – created with motive, intent, and intelligence.
With cybercriminals, attacks have been unpredictable and indiscriminate. They are infiltrating via multiple attack vectors; sitting unknowingly across networks and systems, leeching data from an organization; and altering entire courses of business as resources are used to bring systems back online, determine causes, and quickly implement solutions. In short, cybercriminals are serving up water when we expect magma nearly every single time and enterprises are struggling to keep up.
The rulebook of what can be planned for and prevented has narrowed. Enterprises need to adopt an updated mindset, knowing that like a natural disaster, damage prevention from a cyber-disaster is dependent on prediction and experience.
We are going to continue to get water when we expect magma, flames when we’re on the lookout for floods, and harsh winds when we anticipate rumbles. Powered by human intelligence, cybercriminals will continue to evolve threats, it will just be a matter of who can stay one step ahead – the good guys or the bad guys. The only constant isn’t a matter of if an attack will happen, but when.
A movement toward proactivity instead of reactivity when addressing a breach or attack after it occurs is crucial against today’s cybercriminals. Organizations must recognize that no industry is immune to cybercriminals and get a better handle on SOC functions and processes, and control over where data travels and lies.
This can mean a massive overhaul of a security stack to streamline solutions and expose manual or siloed processes that can lead to hidden vulnerabilities, evaluating security staff and talent to create better efficiencies, or embracing AI-guided tactics to automate activities and provide quick, actionable next steps should a breach occur.
Early adopters of extended detection and response (XDR) technology are already seeing the benefits this proactivity can hold. The simple, unified visualization XDR provides is a strong vantage point for enterprises seeking greater situational awareness, enhanced insights, and faster time to remediate threats across all vectors from endpoint, network, and the cloud.
Today, the warning siren that disaster is forthcoming has been sounding for a while. Enterprises need to take heed of the alarm to thwart as much damage as possible, as like natural disasters, a cyber-disaster can lead to massive destruction and upheaval.
Want to learn more about McAfee’s XDR technology? Check out McAfee MVISION XDR.
The post Time to Batten the Cyber-Hatches appeared first on McAfee Blogs.
If you have a tween or teen, you’ve likely heard a lot of excited chatter about Roblox. With a reported 150 million users, there’s a good chance your child has the Roblox site on their phone, tablet, PC, or Xbox. In fact, in 2020, Roblox estimated that over half of kids in the U.S. under 16 had used the forum. However, as with all digital destinations, the fun of Roblox is not without some safety concerns.
Roblox is an online gaming forum (not an app or game as one might assume) where users can create and share games or just play games. Kids can play Roblox games with friends they know or join games with unknown players. Roblox hosts an infinite number of games (about 20 million), which makes it a fun place to build and share creations, chat, and make friends. Game creators can also make significant money if their games take off.
A huge component of Roblox is its social network element that allows users to chat and have meetups. During quarantine, Roblox added its own private space for users to host virtual private birthday parties and social gatherings.
Like any site or app, Roblox is safe if you take the time to optimize parental controls (both in-forum and personal software), monitor your child’s use, and taking basic precautions you’re your child starts using the forum. Especially with kids drawn to gaming communities, it’s important to monitor conversations they can be having with anyone, anywhere.
Roblox security tip: Adjust settings to prohibit strangers’ from friending an account. Consider watching your child play a few games and how he or she interacts or wanders through the app. Pay close attention to the chat feature. Keep the conversation open, so your child feels comfortable sharing online concerns with you.
If you have your child’s login information, you can easily view their activity history in a few vulnerable areas including private and group chats, friends list, games played, games created, and items purchased. It’s also a good idea to make sure their birthdate is correct since Roblox automatically filters chats and game content for users under 13. Roblox has a separate login for parents of younger kids that allows you to go in and view all activities.
As always, the best way to keep your child safe on Roblox or any other site or app is to take every opportunity for open, honest conversation about personal choices and potential risks online. Oh, and sitting down to play their favorite games with them — is always the best seat in the house.
The post What is Roblox and is It Safe for Kids? appeared first on McAfee Blogs.
Digital sovereignty and strategic autonomy are phrases that are used almost daily in EU policy circles, loosely framed around the EU’s ability to carve out its own future in the digital sphere, rather than having its terms dictated from abroad. To achieve digital sovereignty in practice, having access to as broad a range of suppliers is key, not unnecessarily restricting the market.
Our ability to self-determine Europe’s digital future is at risk when we become reliant on one source, that much is clear, and has been demonstrated recently in the global supply shortage of microchips. All measures that reduce this dependency will benefit digital sovereignty, which in practice means expanding competition in the market to as many players as possible.
The means to get there are varied, and Europe is rightly seeking to build infrastructure, expand the pool of skilled experts and facilitate market entry. The EU and member states are also putting in place measures to eliminate obvious security risks in supply chains that demand an extra layer of vigilance, such as critical infrastructure, which is in the interest of national security.
But the notion that homegrown European solutions are automatically better than non-European ones – sometimes backed by measures that give European vendors and suppliers undue advantage, or which place additional hurdles for companies that handle customer data outside the EU – is misguided.
In the cybersecurity domain, in particular, limiting interoperability and vendor choice will only reduce Europe’s resilience against cyberattacks, which is a crucial element to ensuring Europe’s digital sovereignty and strategic autonomy. This is as true now as it always has been, in a sector innovating at break neck speed to meet the challenges set by our adversaries.
In this competitive market, best-in-class providers at the cutting edge of security are the ones that will make Europe more cyber-secure, irrespective of where they happen to have their headquarters or data centers. Irrational decisions guided by protectionism should have no place in this debate. Indeed policies or practices requiring forced data localisation can often limit the benefits generated by scale and global reach, and negatively impact cyber security’s operational effectiveness.
A recent seminar organised by ECIS, the European Committee for Interoperable Systems, set out some clear principles that should guide Europe’s quest for digital sovereignty. Ensuring that the market operates as effectively as possible, supplier choice is as broad as possible, and interoperability and ability to switch suppliers is safeguarded, on the basis of clear standards, will be paramount.
That is not to say that all measures being considered are misguided. An industrial policy that improves Europe’s digital infrastructures will boost Europe’s supply of home-grown digital services and products. Countries also have legitimate reasons to safeguard their national security and are well within their rights to set criteria to this end. The real danger lies in confusing protectionism with digital sovereignty.
The post Restricting Supplier Choice Isn’t an Option to Enhance Digital Sovereignty appeared first on McAfee Blogs.
What does ‘good customer service’ mean to you in 2021? A friendly greeting when you enter a shop? Quickly fixing any issues with deliveries? Or, perhaps the company you entrust with your data maintaining strong security and privacy practices?
It’s been a long time since digital technology was a special interest topic. Product launches, business deals, and new innovations were once reported on only in industry magazines – now, you’d be hard pressed to find a mainstream newspaper that doesn’t have some kind of technology section. We’ve quickly become used to the fact that when the tech giants talk, everybody listens.
More recently, however, it’s become clear that the internet has taken another step towards the centre of the public conversation. While new devices and technological advancements are still (mostly) kept in separate sections of the media or tagged on to the end of the TV news, problems with technology often land straight on the front page.
Outside observers have spent decades treating hacks and attacks as something arcane, as a distant problem that only the technologists can understand and only they have to deal with. Consumers, meanwhile, were left to hope that any issue would soon be fixed – whether that’s waiting for access to their files to be restored or trying again the next day to get into a website.
A few recent stories have underlined that those days are, or should be, behind us. In just the last two months, ransomware attacks have interrupted the operations of pipelines, food producers and the health sector. For many, this has been followed as a story about the international nature of cybercrime and claims that cryptocurrencies are enabling new types of attack.
For those communities reliant on the targeted organisations, however, these cyber-attacks can mean higher costs when fueling their cars to get to work, or product shortages in their weekly shop. We know that there’s a lot of technical interest in analysing ransomware such as DarkSide, or the many other groups attacking sectors like manufacturing, oil and gas, and healthcare. We always need to remember, however, that the focus is not just how these attacks work, but how we can prevent the real-world impacts they have on people’s daily lives.
These are extreme examples: they are incredibly high-value targets, which criminal groups will go to extraordinary lengths in order to disrupt, and which have national consequences when they are affected. Services like online retail and customer support can be disrupted in just the same way. From the perspective of the people who use these services, however, the fact that these were ransomware attacks doesn’t matter. Whether it’s due to attacks, accidents, or mismanagement, what matters is the betrayal of trust and the knock-on effects of service loss.
Examples like this are why I believe that we should see cybersecurity as a much wider foundation than we do, underpinning not just a business’s IT infrastructure, but its reputation, its revenue and, yes, its customer experience.
In crowded markets, customer experience is often the key differentiator between competing businesses. A lot of the disruption that we’ve seen in many sectors thanks to the growth of digital and online approaches has come down to a better, more premium customer experience. Whole industries have arisen around easier ways to order taxis, listen to music, and buy food.
As consumers continue to seek better, simpler experiences, they will (and, I think, should) also start paying close attention to how businesses respond to such incidents and maximise service levels. Key things that shoppers might want to look for when weighing up their choices include:
Businesses, meanwhile, should be looking at how the efforts they take around cybersecurity can form part of the way they build customer confidence. By communicating clearly about the defensive measures we take – and, vitally, framing them in terms of the outcomes they have on people’s lives, not just the technical details – we can all help to make the public savvier about how they can make sure they truly rely on the services they rely on.
The post Why Security is Now the Foundation of Good Customer Experience appeared first on McAfee Blogs.
In Part 1 of our Through Your Mind’s Eye series, we explored how our brains don’t give each decision we make equal attention, and we take mental shortcuts known as biases. These biases allow us to react quickly, but they can also lead to mistakes and oversights. Because we all have biases that shape who we are, our decisions in and out of cybersecurity can be impacted in both good and bad ways.
Safety bias is focusing on shortcomings so as not to take a risk. Many studies have shown that we as humans would prefer not to lose money even more than we’d prefer to gain money. You may have heard about studies where people are offered a lower amount of money now or higher amount in two years. Most participants took the sure thing of money now rather than wait for more. However, this changes when people are faced with a loss decision. For instance, when asked if they would rather definitely lose $100 or take a 50% chance of losing $1000, most say they would take the option to risk losing $1000. Because of safety biases, progress in decision making is slowed and healthy forms of risk taking are held back.
Safety bias is seen in security development operations, risk assessment, policies and procedures, decision making, and identity and access management. For the area of security development operations, is your dev ops team applying traditional network controls to the cloud or are they looking at how they can refactor to help take their organization to the next level? Are they stuck in the past or moving to the future?
When was the last time you reviewed your security products and their capabilities for risk assessment? Are you keeping what you have because you already purchased those solutions, or are you reviewing them to ensure they’re the best at keeping your organization safe? For example, does your current solution have a vulnerability scanner that can identify advanced vulnerabilities? Would you upgrade if it didn’t? If you aren’t evaluating your security products against emerging threats on a regular basis, your risks can be impacted without realizing it.
There are also parallels with our example above where participants took the immediate sure thing. The same thinking causes companies to invest in solutions that may be overkill to address overly specific and high impact/low probability risk factors. They are solving for something with a low probability of happening and, as a result, may be spending much more on policies and procedures than necessary.
When there is an ambiguity in decision making, system owners may be reluctant to upgrade or apply the latest patches. There may also be an unwillingness of end-users to configure security features, and a lack of interest from developers to add new security features to an existing application. As a result, these system owners err on the side of caution so as to not break or change something since they see this as more of a risk than installing the latest patches. Likewise, developers may opt for cost savings rather than add in security features.
As you move from on-prem to cloud solutions, have you considered what software applications need to be retooled for optimization in the cloud for your identity and access management requirements? What new identity analytics solutions need to be put in place to be prepared for the future? Or are you keeping things “as is” because that is the safe thing to do?
Some social scientists lump the ostrich effect with safety bias. The ostrich effect is based on a myth that ostriches bury their head in the sand when they sense danger. Is your team “burying their heads in the sand” when they need to make a risky decision?
To overcome safety bias, get some distance between you and the decision being made. Imagine a past self already having made the choice successfully in order to weaken the perception that there will be loss. Another idea, if you feel this is something happening in your environment, is to balance out your team with both risk-taking and risk adverse team members.
Framing Effect – The framing effect also influences safety bias and relates to how something is “framed” or described. For instance, if something is worded in a negative way to emphasize the potential for loss, the receiver may be afraid to take a risk. You may have seen commercials for cyber services that say, “1 in 5 companies lost their data while using another service”. Instead of focusing on the 4 that did not lose their data, they focused on the 1 that did lose so you’ll think about them protecting you instead of their competition. Another example that drives home the point is related to health. Let’s say you needed an operation. How would you feel if the doctor told you that you had an 80% chance of recovery? Now what if the doctor said you had a 20% chance of death by having this same operation? Would you think differently how you approached the operation? Pay attention to how statements are phrased to overcome gut reactions when deciding.
Affinity Bias – Affinity bias is gravitating to what we know or are comfortable with as opposed to the unknown. For example, when you see a stranger wearing your college alma mater sweatshirt in another city you instantly feel a connection to them even though you have never met. This creates an “in-group” bias. This can manifest in cyber as an aversion to new product offerings. Are you still using the same solutions you’ve been using for the last 20 years because they are familiar and comfortable to you or are you using an XDR solution now? You may also feel your direct team alone has all the right answers and no one else knows how to secure the environment or application better than your team. Is that because it’s true or because you are most comfortable with them?
Similarity Bias – Similarity bias occurs because we as humans are highly motivated to see ourselves and those who are similar to us in a favorable light. We unconsciously create “ingroups” and “outgroups”. These could be related to the city or country where we grew up or live today, where we went to school, areas of interest, etc. Are you hiring people who are similar to who you currently have on the team or are you looking for skills and individuals that bring diverse perspectives or meet your needs in the next 1-2 years?
Loss Aversion – An example of loss aversion can be observed when companies have already invested in their traditional IT infrastructure so why move to the cloud? Moving to the cloud takes time and resources. Instead of modernizing, they keep buying new servers and storage to keep the environment running as it had been for decades.
Distance Bias – Distance bias is prioritizing what is nearby whether it is in physical space, time, or other domains. Prior to the pandemic when we were in conference rooms having conversations, how many times did you observe people in the meeting room failing to gather inputs from their remote colleagues on the phone? Or have you decided based on what you needed to do sooner in time instead of considering the long-term effects of what was best for the company?
As you saw in each of the biases featured in both of our articles, they are not mutually exclusive. There are many overlaps between the different types of cognitive biases. How do we address these?
Awareness of the cognitive biases at play for you and your teams is one of the first steps to ensuring your company is not at risk. After you have acknowledged the possibility of biases and flaws in your environment, examine where you may have biases influencing your cybersecurity posture. This requires personal insight and empathy by all involved.
Begin to educate others on where and how biases could be impacting your cybersecurity posture. Once that is done, have a thorough review of your current cybersecurity posture and adjust as necessary. Over the next few months, work on building habits across the team to ensure you are consciously removing biases that could be influencing your cybersecurity posture.
Our adversaries understand human biases and actively try to exploit them. Removing these biases as much as possible can help you and your team improve your security posture and defend your organization across all levels.
The post Through Your Mind’s Eye: How to Address Biases in Cybersecurity – Part 2 appeared first on McAfee Blogs.
Imagine this scenario: a CEO, CIO, CTO, CISO walk into a bar…
The CTO has heard about cocktails that go beyond the “pour and shake,” and asks the bartender what they know about molecular gastronomy to take their drink to the next level. The CIO considers the CTO’s choice, weighing the risk versus reward of trying something new. The CEO orders a Long Island iced tea – a bold, ambitious, and challenging choice that incorporates a bit of everything, but they know in their gut it is the right decision and direction. The CISO orders a water.
Why? Because somebody always must be the designated driver, taking the responsibility to protect the integrity of the entire team and organization. They are the eyes and ears, proactively anticipating what may happen, knowing the onus is also on them to respond reactively to anything that may occur.
While in a bar this may mean things getting a bit rowdy, in the security operations center (SOC) it means an entire business can be compromised, creating a catastrophic spiral of events that can have massive impact and implications for customers, not to mention severe cost to the business.
Needless to say, the consequences are more extreme than a hangover. They remain always-on in the mind of the CISO – and this isn’t the only challenge the role faces. It is no secret in the security industry that elevating the role of the CISO to carry equal weight and footing as the rest of the executive or c-suite has been an uphill battle. While progress has certainly been made, there is always more work to be done to thwart and combat the seemingly never-ending barrage of threats that continue to emerge.
Nearly every industry has been impacted in some manner by the events of 2020 and so far, across 2021. Attacks have increased and promise to become even more plentiful, more sophisticated. Enterprises and organizations have struggled against unforeseen challenges, yet at the same time have faced increased pressure and demand to modernize, digitize, and transform.
We’ve seen that with today’s distributed workforce, cloud usage has increased, and enterprises are tasked with maintaining efficiency across even more endpoints – and keeping those endpoints safe. This has presented a tremendous opportunity for CISOs to maximize their full power and impact by proving to be the clear connection and catalyst merging technology and business.
This means today’s CISOs may need to do more with less, convincing fellow c-suite members that integration is more important than introducing new toolsets, applications, or solutions at a time when enterprises may be more vulnerable or susceptible to risk due to staffing constraints or conflicting priorities across the business. With the amount of change rapidly occurring across enterprises, CISOs have an increased impetus, responsibility, and opportunity to show enhanced value to the organization. They must continue to shift the perception that security can be a barrier to business efficiency and success and instead show that security is more than a compliance function, but a true business enabler.
In order for CISOs to be successful, they must stay steadfast in aligning with the CIO, CTO, CEO, and all the way up to the board. They can do this by showing up with data to demonstrate the impact (both past and potential) made to business, including proof points related to vendor sprawl and legacy technologies (and any associated cost or complexity) as well as insight into threats that were prevented and the damage they could have caused.
CISOs will also need to continue the shift on their end, adapting their role and approach from waiting for a compromise to happen to understanding threat actors, their common techniques, and how to get ahead. In short, they need to become what they fight against – proactive threat management means you need to think like a threat actor. Ideally, the CISO should not only be able to articulate business risks and impacts – they also need to show foresight and maturity to suggest controls or process improvements that can improve business efficiencies because security is built in to protect and enable this agility.
Once CISOs truly understand the business side of an organization and can not only relate but prove this value to the rest of the c-suite, they can be viewed as more of a strategic partner. With this line of thinking, the SOC can move from being viewed as a cost center to being a more deliberate and proactive part of the enterprise facilitating business success.
The post Give CISOs a Shot – They Deserve It appeared first on McAfee Blogs.
Cybersecurity and biases are not topics typically discussed together. However, we all have biases that shape who we are and, as a result, impact our decisions in and out of security. Adversaries understand humans have these weaknesses and try to exploit them. What can you do to remove biases as much as possible and improve your cybersecurity posture across all levels of your organization?
Cybersecurity personnel have many things to address and decisions to make every day — from what alerts to investigate, to what systems to patch for the latest vulnerabilities, to what to tell the board of directors. However, our brains don’t give each decision equal attention—we take mental shortcuts. These mental shortcuts are known as biases and they allow us to react quickly.
In this two-part blog series, we’ll explore the types of cognitive biases that could be affecting your company’s security posture and give you tips on how to address these biases.
Do you feel you are biased? We all are to some extent. What do you see when you look at this picture below? Faces or a vase? Some people may see one or the other and some see both. This is representative of what happens in real life. Many of us are at the same meeting together but leave with different perspectives about the discussion. This is our cognitive biases influencing us.
A cognitive bias is a result of our brain’s attempt to simplify processing of information. The formal definition says it is “a systematic pattern of deviation from norms in judgment”. We as individuals create our own “subjective reality” from the perception of the inputs. Our construction of reality, not the input, may dictate how we behave.
Availability bias is a mental shortcut that our brains use based on past examples relating to information that is “available” to us around a specific topic, event, or decision. This information could come from things we saw on the news, heard from a friend, read, or experienced. When we hear information frequently, we can recall it quickly, and our brains feel it is important as a result. With all the urgent interrupts and overall volume of decisions needing to be made by CISOs and other cyber executives, it is very easy to get caught up in decision making based on past or recent information.
Availability bias impacts security in many ways. We often see the impact in the areas of risk assessment, preparedness, decision making and incident response. In the area of risk assessment, availability bias may arise when the company board of directors looks for an updated risk assessment. Rather than focusing on the entire company, data could be presented with respect to an area for which another company had a breach. For example, we have seen SolarWinds in the news a lot throughout the first quarter of this year, and our inclination might be to assess our risk in the context of that incident. However, the assessments should look at all aspects of the business in depth and not just focus on the supply chain risks. Are there issues that require more attention than what is trending in the news?
We also see availability bias in preparedness when organizations prepare for high impact, low probability events instead of preparing for high probability events. What we should worry about doesn’t always align with what we do worry about. Events that have a high impact but low probability of occurring, such as an airplane crash, a shark attack, or volcano eruption, often receive much attention but are less likely to occur. We remember these much more than we remember higher probability events like falling off a ladder or automobile accidents. For instance, can you name the last phishing campaign you heard about or the last time someone’s PII was stolen? Probably not, but these are examples of the high probability events your organization most likely needs to prepare for.
In the area of decision making, your CISO or the cybersecurity analysts may make decisions in favor of hot topics in the news. These topics may overshadow other information they know or is so mundane that it becomes background noise. As a result, decisions made are not well rounded. For example, if there was a recent IoT related issue like Dyn in 2016, your analysts may over focus on IoT related security decisions and neglect things like investing in new security controls for your mobile devices.
Availability bias also surfaces during critical incidents when emotions are typically running high and the focus is on quickly addressing the issue at hand. Focusing on securing the specific area where the incident occurred may leave us blind to another issue waiting in the wings. Let’s pretend someone broke into your home through a window, your first thought may be to secure all the windows quickly; however, if you didn’t look at all your security risks, you may forget that you can shake your garage door lock, and it’ll pop open.
Our analysts are typically exploring data thoroughly though executives may not always see the in-depth information. If you are at the executive level, I would recommend you review all the facts and consciously look beyond what is available quickly so you get the full picture of the incident, how prepared you are, risks, etc. If you are an analyst or in a position of influence, I would recommend summarizing the facts in way that accurately reflects the probability of those events occurring as well as considering all possible events.
Another bias that appears in cybersecurity is confirmation bias. This is when you look for things to “confirm” your own beliefs or you remember things that only conform to your beliefs (similar to availability bias). For example, your news feed may be full of things related to your political beliefs based on what articles you clicked on, shared, or liked. Chances are it’s not filled with things that oppose your beliefs. A few areas where confirmation bias is seen in cybersecurity is in decision making, security hygiene, risk assessment, preparedness, and penetration testing.
When you are making decisions, are you considering different points of view or just looking to your close group of trusted advisors who may think like you? Are you willing to push and challenge your own beliefs to ensure you are making the best decisions for the company?
When was the last time you reviewed your company’s security hygiene? Are you diligent about updating systems or do you believe it won’t happen to you because nothing has happened in the past? Are you using an XDR solution in your environment or do you feel you don’t need it because all your current systems are serving your needs just fine? Do you feel you are more secure when you are in the cloud vs on-prem despite human error affecting both?
How do you approach cybersecurity preparedness? Are you passive, reactive, or progressive? Similar to hygiene, do you feel an incident won’t happen to you so you look for data to confirm that? Or are you the opposite and feel you may repeat incidents if you don’t do everything possible to look for data to confirm those beliefs? If you are an executive, are you reviewing the facts and evidence for all your cyber processes or just those that you personally know well from early on in your career? I’ve seen some analysts ignore some of their alerts because they weren’t quite sure how to deal with them. As a result, they fall back on what they know or information that is readily available.
Sometimes organizations may hire third party companies or employ penetration testing performed on their environments. When you define the scope of work, are you looking for all the gaps or holes or just focusing on the weaknesses and strengths? When the results come in, do you address everything that is recommended or only focus on the items you believe will impact you?
It is hard to look beyond what we believe because in our eyes it is ground truth. It is important in making security decisions that we look beyond what we want to hear or see to ensure we are getting what we need to hear and see.
Unconscious or implicit biases are social stereotypes about certain groups of people that we form outside of our own conscious awareness. Just as you see in the picture, our mind is like an iceberg where the conscious mind is what we can recall quickly and are aware of. The subconscious mind stores our beliefs, previous experiences, memories, etc. When you have an idea, emotion, or memory from the past, it’s recalled from our subconscious by our conscious mind. The third layer – our unconscious mind – is deep inside our brain.
Everyone holds unconscious beliefs about various social groups, and these biases stem from our tendency to organize social worlds by categorizing them quickly. We often think about unconscious bias in the context of negative biases, but there are also positive unconscious biases, for example feeling a connection to someone from your hometown or college alma mater. Unconscious bias impacts security in the areas of decision making, risk assessment, incident response, cyber security policies and procedures, and identity and access management.
In the area of decision making, I’ve seen executives blindly trust the IT team because they are perceived as being the “experts”. While this may be true, they are wrestling with the same unconscious biases and skills shortages many of us are. Just as it’s important to seek out additional information and facts when making your own decisions, it’s equally important to review the data and provide feedback and alternate opinions to others. Often, it’s easy to go with the majority and not rock the boat. If you feel that something needs to change or be addressed differently, don’t be afraid to go against the flow. Mark Twain is quoted, “Whenever you find yourself on the side of the majority, it’s time to pause and reflect.” When was the last time you went against the majority?
Another unconscious bias that sometimes arises is related to age. Some people feel older workers are a greater risk to a company than younger workers because they perceive older workers as not being “up to date” on newer technologies. Conversely, some feel younger people engage in risky behavior like visiting potentially suspect websites or sharing too much information on social media. As a result, security analysts may focus on the wrong areas as the source of a security risk or issue based on their biases.
If you had an incident, how would you respond? Would you blame an unsecure IT environment, incompetent end users or would you look at the facts and evidence in and outside of your beliefs to determine what happened? How would you and your team respond to the incident? If your security operations team felt that IT had not done their part prior to the incident, you may be looking in the wrong area for the source of the incident. You may have heard the acronym PEBKAC. For those that don’t know what it means, it stands for “problem exists between the keyboard and chair”. Are you sure the problem is PEBKAC or does it lie somewhere in your environment?
Implicit trust is another form of unconscious bias. When was the last time your cybersecurity policies and procedures were thoroughly reviewed? Let’s say you feel your SOC analyst is amazing, and you trust everything they say. Because of this implicit trust, you don’t think to dive into the details. As a result, you could have a firewall running without any defined rules but wouldn’t know because you’ve never checked. This doesn’t mean your SOC analyst isn’t trustworthy, just that you shouldn’t allow your unconscious bias to overrule the necessary checks and balances.
We can sometimes also be led to overconfidence by unconscious bias. For example, when writing a paper or an article, we can be certain that there are no mistakes or typos, but often it’s because we’ve read or reviewed it so many times that our unconscious mind reads it as it should be and not what it actually is. Similarly, in the area of identity and access management, security analysts and software developers may blame users for issues and fail to look at the internal infrastructure or their own code because they have a false confidence that leads them to believe they couldn’t possibly be the problem.
To overcome unconscious and implicit bias, ensure you are sticking to the facts and asking all stakeholders, including those you may disagree with for inputs. Also look in the mirror. Did you make a mistake or are you excusing your behavior instead of facing it? Also, don’t be afraid to follow the words of Mark Twain and pause and reflect to ensure you are making the correct decision, addressing the incident in the correct way, or hiring the right person.
Because we all have biases and take mental shortcuts, we need to make a conscious effort to address them. Look beyond what you want to hear or see and what shows up in your news feeds to address availability and confirmation bias. Ensure you are sticking to the facts and asking all stakeholders, including those you disagree with, for inputs to overcome unconscious and implicit bias. You don’t want to be the next company in the news because your biases got in the way.
The post Through Your Mind’s Eye: What Biases Are Impacting Your Security Posture? appeared first on McAfee Blogs.
Cybercriminals are currently enjoying a golden age, with the volume and severity of attacks growing constantly, and an ability to commit hostile acts with impunity. The EU, in its overhaul of cybersecurity laws dubbed NIS2, is committed to ensuring that what’s illegal offline should also be illegal online. For that to happen, cybersecurity researchers need to have access to all the tools possible to detect, trace and prevent crime online, including access to the Internet’s yellow pages, also known as the WHOIS search.
Cyberthreat research is both an arts and science discipline. Our experts and software detection analysis in the ATR group sift through an enormous amount of data, from a broad range of sources, to detect the signs of a past, ongoing or future cyberattack. Each source of data that is out of reach is one tool less with which to keep up with cybercriminals. Access to the full set of WHOIS data, or lack thereof, is not going to make or break the future of cyber threat research. But it would give criminals an advantage, which is at odds with the core objective of the EU’s cybersecurity review.
The WHOIS search originally contained all the data of a person registering a website, including the contact details of the person responsible for the website. This information is crucial in the event a legitimate website comes under attack from malicious actors
But by continually scanning the registration data, cyber researchers can also pick up patterns that are indicative of malicious activity, such as preparing a botnet or priming a large number of websites ahead of a denial-of-service (DDOS) attack.
Using WHOIS data is particularly useful in preventing future cyber-incidents. Looking at data that indicates that a website or collection of websites are being rigged for a cyberattack can help stop the attack in its cradle. This data can also help cybersecurity researchers minimise the risk of false positives, where the contact data is consistent with a legitimate user, which will minimise the potential disruption for companies and people that have done nothing wrong but whose websites may have been flagged as suspicious.
This data was put out of reach after the EU’s GDPR law came into force, with the unfortunate and clearly unintended consequence of depriving cybersecurity researchers, law enforcement agencies and others from an important pool of data used to fight and prevent cybercrime.
With the review of the EU’s cybersecurity law, NIS2, we have a chance to set things right, by providing a legal basis to access personal data such as the contact details in the WHOIS, for the purpose of fighting crime online, without undermining the important privacy protections introduced in the GDPR. It is now up to lawmakers to ensure that this provision remains intact, as they consider whether to introduce amendments to the cybersecurity legislation text.
The post Defending Cybersecurity Can’t Be Done Blindfolded–The EU’s NIS2 Review Can Set This Right appeared first on McAfee Blogs.
Music is lovely, isn’t it?
It has the ability to brighten days with upbeat bars or provide a comfortable place of solace and reflection via gentle, soothing notes. Whether you typically opt for Black Sabbath, Shakira, or Bob Marley, music meets our ears in many different ways – and harmony is not always one-size-fits-all. We recognize this when a friend, sibling, partner, or stranger earnestly (yet tonelessly) attempts to mimic Mariah Carey’s five-octave range, resulting in room-clearing screeches that can only be found in a nature documentary.
While I’m not a Grammy-winning artist myself, my point is that harmony is relatable and relevant across any industry, method, measure, or format – even security. Trends and messaging have increasingly pointed to the consolidation of everything across Security Operations Centers (SOC) so they can act in a harmonious manner, not missing a beat to provide protection across the entire enterprise. We’ve seen this as conversations shift from endpoint detection and response (EDR) to extended detection and response (XDR), with the latter promising lower total cost of ownership as well as improved protection and productivity. Who wouldn’t want this!
But the truth is, it isn’t lack of desire for full protection in the most cost-effective and efficient manner, but lack of knowledge or perceived roadblocks. Enterprises across the world have been affected by the global pandemic, uprooting familiar processes. Companies were forced to introduce quick, sometimes temporary solutions for larger systemic issues all without 100 percent certainty where endpoints may lie and what damage this vulnerability presents, especially as bad actors extort the chaos created by COVID-19 to double down on attacks.
This upheaval has started to settle down and enterprises now have more time and energy to audit their businesses and processes with fresh eyes. It isn’t a matter of the pandemic, with hope, nearing its end, to just re-plug in an existing solution stack – but rather looking at how the business has changed and adapting to these changes for now and into the future. This includes changes across staff, solutions, shifting skillsets to manage increased workloads, and yes – increased, and perhaps hasty, consolidation attempts.
According to Enterprise Strategy Group, more than 80 percent of organizations are singing the tune of change with plans to increase spending on threat detection and response. They are hearing the melodious mandate to meet the needs of today’s “new-normal-digitally transformed-modern” enterprise. For many, this means an investment in extended detection and response (XDR) technology.
Enterprises are already feeling the pressure. They have their bottom lines trapped on repeat, looping in their minds. They are seeking counsel, support, and direction – not to be chastised by their choices – but rather guided to create and implement strategies that best fit their business.
That being said, the potential for XDR is tremendous. But you have to crawl before you can walk. I’m sure many of us may feel silly, or even stupid, thinking back to when we carried Walkman and Discmans, clunkily fumbling for them in our pockets or purses, forever tethered to the device if you wanted to listen to music. But at the same time, we recognize the progression from Walkman to iPod to iPhone to Bluetooth and voice-activated technology, and more. The Discman and Walkman crawled so digitized music could walk.
This natural progression is no different in the security industry, and the onus is on vendors to make this connection. Enterprises, after all, are not still storing floppy disks locked in a filing cabinet as a security measure. While XDR is the latest technology, the journey to XDR includes the fundamental need of endpoint detection and response (EDR) capabilities. EDR is a foundational piece in getting XDR right – or put another way, XDR is an efficient evolution of EDR platforms. EDR crawled so XDR could walk. XDR will walk so the next technology can fly.
This is what true innovation is, the constant desire to advance processes, products, and experiences. It is what XDR promises, to improve and streamline processes across enterprise SOCs, providing meaningful context, actionable intelligence, and the visibility and control necessary to connect solutions that orchestrate together in symphonic harmony.
In fact, from a philharmonic standpoint, symphonies by definition are made up of different types of instruments (endpoints) generating music (data) where each requires incredibly specific methods of tuning and expertise by musicians (SOC analysts) in order to ensure they can be harmonious with the group. Musicians are not born with their skillset, but rather they test and learn – and fail – trying to see which instrument is the best fit for them, which notes they can hit, and which notes are best suited for another instrument or musician to manage.
We must be the conductor and connecting point here to show the true benefits and value of XDR. While the journey is different for every enterprise (and vendor), the end goal is a protected society where good prevails over bad. It is our job to guide these choices and take responsibility regardless of where an enterprise is at in their journey – to show how innovation builds on itself, always striving to better experiences and outcomes.
Where are you in the journey to XDR? Check out the on-demand webinar below and start asking questions.
The post Stupid Is as Stupid Does: XDR Is About the Journey, Not the Destination appeared first on McAfee Blogs.
Since ransomware’s introduction in 1989 in the form of the AIDS Trojan, also known as PS Cyborg, distributed on diskettes, ransomware has continually increased and evolved into a heinous threat to our national security, public safety, and to our economic and public health. With ransoms paid in 2020 reaching more than $300+ million, it has become a disruptive economic leach on the resources of its victims. Local governments, educational organizations, hospitals, critical infrastructure services, businesses and organizations of all sizes have had to decide what to do when presented with a ransomware demand. These activities are highly disruptive, causing far more costs to the victims than just the cost of the ransom.
Ransomware is highly profitable. Today malicious actors are organized and coordinate their operations. We are seeing Ransomware as a Service (RaaS) businesses making it easy for those without the skills or infrastructure to threaten us as well. The scourge of ransomware must be addressed.
The Institute for Security and Technology (IST) stood up and initiated the Ransomware Task Force (RTF) late last year to address ransomware in a more wholistic fashion. In partnership with a broad coalition of 60+ experts from cybersecurity vendors, financial services, governments, law enforcement, non-profits, and international organizations, the RTF developed and released Combating Ransomware: A Comprehensive Framework for Action.
As you might expect, there were some very tough conversations during the development of the recommendations. For example, prohibiting / outlawing ransomware payments was one area of contention. There are valid reasons to want to prohibit payments. No one wants their corporate funds or governmental tax dollars going to pay for other forms of cybercrime or elicit nation state activities. Sadly, the state of cybersecurity maturity, in the U.S. alone, is not ready for such a step. Consensus was reached that we are really not ready to play that game of chicken.
Ransomware is a global problem and while many of the recommendations in the framework for action are directed at specific U.S. government bodies, it is important our international partners map the recommendations onto their specific governmental structures. Throughout the report it is clear the recommendations are global in nature and that coordinated, international diplomatic and law enforcement efforts are critical. There are 48 recommendations as a part of the report. Most of the recommendations are not technical but rather legal, economic, and diplomatic tools.
It is heartening to see the level of activity focused on addressing ransomware in the new administration. The Department of Justice is standing up a new task force dedicated to dealing with ransomware. The Department of Homeland Security (DHS) recently formed a ransomware task force and launched a 60-day sprint. Participating in the RTF Launch event, DHS Secretary Alejandro Mayorkas said the IST RTF report will help guide a whole-of-government approach to the problem. He also stated the White House is developing a plan to combat ransomware.
While all these efforts are welcomed, my hope is that the great work of the IST RTF described in Combating Ransomware: A Comprehensive Framework for Action is used as a foundation to feed these and future efforts so we can see real progress in the actionable outcomes we all desire.
I’d like to thank IST CEO Philip Reiner and his outstanding team for allowing me to participate as a member of the RTF. To all my fellow RTF members, I hope to work with each of you again.
The post Ransomware Task Force Releases its Comprehensive Framework for Action appeared first on McAfee Blogs.
In the working world, there’s a chance you’ve come across your fair share of team-building exercises and workshops. There’s one exercise that comes to mind that often results in worried, and uneasy faces during these seminars: The Trust Fall. This is where you fall backward with the expectation that your colleague will catch you before you hit the ground.
Whether you have been with an organization for many years or just started, the same “pit in stomach” feeling reverberates across bellies as people exchange nervous glances and weigh their odds against whomever they may be paired up with when The Trust Fall is announced. That feeling is doubt, and it isn’t fun. And the problem is, once doubt is introduced, it tends to stealthily expand in its always-on, silent, and transparent ways, either serving as an incessant top-of-mind presence or staying at bay only to rear its troubling head at an unexpected moment until it is addressed.
“I saw Chris drop his stapler once, will he drop me?” “I know Betsy is the Godmother to my children, but what if she sneezes as I’m falling?” “I just started at this company yesterday, I don’t trust anybody I don’t know!”
If you’re wondering what Trust Falls have to do with cybersecurity, we just need to take a deeper look at the concept of trust in its simplest definition. Trust is a concrete concept: it is either there or it is not. Trusting your colleagues is based on multiple parameters; will they be strong enough to catch me, do they look mature enough to take this seriously, how did they behave when the game was announced – trust is not easily won and can also be quickly lost.
This is a necessity in today’s enterprises as computing has moved from private data centers to most everything consumed as a service. There are endless choices to compare, contrast, and comprise a technology stack, but when organizations start leveraging outside infrastructure, tools, and solutions – the sense of trust in these solutions weakens, since integrity can be promised, but should never be assumed.
Examples of this are abundant. As we see organizations explore the concept of trust more and attempt to align practices with the reality of today’s security circumstances, we are seeing an increasing number of trust models being exploited via poor management. Intent and implementation are not enough against today’s threats.
So, my question to security operation center (SOC) staff, IT leaders, and the c-suite is: Do you have complete trust in your current security infrastructure?
In all honesty, can you with no doubt in your mind, say your organization’s data and computing are secure? Is there any area you are unsure about?
If you hesitated when responding, even if for just a moment, keep reading.
Putting guards up, constantly looking over your shoulder, always expecting the worst or for the other shoe to drop – these are not desirable feelings. As a security professional, these are the feelings that cause them to stock up on antacids, with them knowing they are the front-line defense keeping an organization secure and in turn, revenue flowing. For the CIO and CISO, the onus is daunting as they face the challenge to piece together fragmented and disparate infrastructure from a strategic standpoint to best serve the business in an efficient, transparent manner all while simultaneously maintaining compliance and data integrity.
While we want to believe that trust is an intrinsic trait – that we’re born bright-eyed and bushy-tailed ready to spout only the truth – we also unfortunately know the reality is not everybody has good intentions. We constantly see this unfold across the security industry where a company is breached, recognizing the flaw(s) that allowed the breach to occur, to then implement a solution to fix the issue. This break-fix cycle can result in always looking backwards and rushing around to fix yesterday’s problem to quickly get business functions up and running without looking at underlying problems or issues.
And no industry is immune. Hackers are coming after everything from Happy Hours and breakfast routines to our more personal and high-stakes data across the financial services and healthcare industries. They’re more strategic too, and we can only expect them to continue to evolve. Adversaries today are looking for “low-hanging fruit” targets to take advantage of trust models and move laterally within an organization – first finding an avenue to exploit and enter to later gain access to higher-value targets, data, and assets.
The rush to get business–as–usual back on track is made doubly difficult as business momentum doesn’t stop. Organizations are introducing new SaaS services, development teams are writing new code, and even software that you have already reviewed has new features rolled out. The wealth of personal and corporate cloud apps can lead to hasty decisions; increased sprawl of an organization’s tech stack as new tools and solutions are introduced; as well as new policies, updates, and procedures for staff to learn and execute. This can all compound into more time spent addressing and fixing the past with blinders on to the future and other vulnerabilities that may exist.
If this past pandemic-filled year has taught us anything, it is that plans do not always go according to plan.
Organizations that have traditionally leveraged a more piecemeal and solutions-based approach to security were blindsided as the work from home era was thrust upon them. From companies updating or adopting collaboration tools, sharing more data digitally, and opening access to external users to create greater efficiencies – the rule book was thrown out the window and malicious actors started looking at all the data being produced and shared like kids in a candy store.
The impact of these plans gone awry isn’t pretty and perhaps risk could have been mitigated by using a least or earned trust model as a strategic framework to ensure sound security posture. The ‘Zero Trust’ concept coined more than a decade ago outlining a model of restricting access and control across an organization’s infrastructure is only now getting increased attention.
The harsh reality is, cybercrime is up 300% since the pandemic began, according to the FBI’s Internet Crime Complaint Center (IC3). At a time when bottom lines are more important than ever as businesses bounce back, our Hidden Cost of Cybercrime report adds that 35% of those surveyed said security incidents resulting in system downtime cost them between $100,000 and $500,000.
The correlation of a pandemic occurring and malicious actors taking advantage of weaknesses caused by it is crystal clear, leading to increased awareness. In its Responding to COVID-19: What We are Hearing From Legal and Compliance Leaders report, Gartner states that 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-191. Knowing that the increased number of remote workers and their mobile (and potentially unmanaged) endpoints are leading to more breaches and that these breaches are increasingly costly, organizations need to get a handle on their existing architecture and shift from awareness to action, eliminating assumptions of who is safe or allowed access.
A Zero Trust mentality allows organizations to restrict and compartmentalize access and data manipulation while still maintaining optimal user experience and productivity levels. Guidelines such as those from the National Institute of Standards & Technology (NIST) can provide a practical framework to explore and implement Zero Trust.
With hackers getting more sophisticated to impersonate and infiltrate networks via verified users, it is time to go back to the drawing board – starting at zero and assuming everything is a threat until proven otherwise. This is a mindset shift and strategy, not another tool or solution to plug in. It involves a recognition of the importance of context and control over security posture, which can only be attained with continuous assessment. It is also about acknowledging trust is about risk – and that while risk is sometimes necessary for growth, it cannot outweigh the reward, so must be strategically managed. This line of thinking must be carefully navigated as more and more enterprises seek to define and assign accountability and responsibility across infrastructure.
While the journey to Zero Trust isn’t the same for every organization, the imperative to adopt Zero Trust is, given our collective experiences throughout the last year and cybercrime poised to keep increasing. It is time to stop looking over shoulders and anticipating the worst, acting only in a reactive manner, and instead feel empowered to erase doubt when maintaining security and compliance across an organization.
To learn more and start the journey toward implementing a Zero Trust strategy, I encourage you explore McAfee’ Zero Trust Security hub.
Source: 1 Gartner Press Release, Gartner Says 52% of Legal & Compliance Leaders Are Concerned About Third-Party Cybersecurity Risk Since COVID-19, April 24, 2020. https://www.gartner.com/en/newsroom/press-releases/2020-04-24-gartner-says-52-percent-of-legal-and-compliance-leaders-are-concerned-about-third-party-cybersecurity-risk-rince-covid-19 (URL can be added as a hyperlink in source title)
The post Trust Nobody, Not Even Yourself: Time to Take Zero Trust Seriously appeared first on McAfee Blogs.
In a year where people relied on their digital lives more than ever before and a dramatic uptick in attacks quickly followed, McAfee’s protection stood strong.
We’re proud to announce several awards from independent third-party labs, which recognized our products, protection, and the people behind them over the course of last year.
The Cybersecurity Excellence Awards is an annual competition honoring individuals and companies that demonstrate excellence, innovation, and leadership in information security. We were honored with four awards:
Further recognition came by way of three independent labs known for their testing and evaluation of security products. Once more, this garnered several honors:
As the threat landscape continues to evolve, our products do as well. We’re continually updating them with new features and enhancements, which our subscribers receive as part of automatic product updates. So, if you bought your product one or two years ago, know that you’re still getting the latest award-winning protection with your subscription.
We’d like to acknowledge your part in these awards as well. None of this is possible without the trust you place in us and our products. With the changes in our work, lifestyles, and learning that beset millions of us this past year, your protection and your feeling of security remain our top priority.
With that, as always, thank you for selecting us.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post McAfee Awarded “Cybersecurity Excellence Awards” appeared first on McAfee Blogs.
“It’s alive! It’s alive!”
Even if you haven’t seen the 1931 film Frankenstein, you are more than likely familiar with the story of the “monster” created by Victor Frankenstein. You may associate this cry from its titular character with the image of what Victor conjured finally opening its eyes and slowly lurching off the table.
While amusing and entertaining, this ongoing trope has a flaw that has tainted most of our memories. The fact is, in Mary Shelley’s classic 1818 novel of the same name, Victor does not excitedly exclaim when that first forward lurch occurs – but rather runs away and hides.
That’s right – fear was the first instinct met when a human, Victor, created and powered a non-human entity. While a work of fiction, was this our first brush with the concept of Artificial Intelligence (AI)? We don’t necessarily align the year 1818 in our minds as a technologically booming era. We have certainly come a long way from shipbuilding patents equaling the heights of technology to the technology that empowers life and business today.
So why are so many of us still fearful like Victor when it comes to AI? Especially since, in its earnest efforts, most AI technology today is designed to better processes, outcomes, and experiences – not to mention ensure greater security and control. We constantly see doom-and-gloom headlines asking whether AI will replace human jobs or touting added expenses associated with implementation. There’s even an entire Wikipedia page devoted to the notion of an “AI Takeover.”
But the truth is, AI – and machine learning – technology has gotten to the point today where it is more of an anomaly if a company or business does not implement it in some form. It is so commonplace that many of us don’t even know it is there. From smart assistants to progressing the healthcare industry at a time where it needs all the efficiencies it can afford, AI is everywhere and the security industry is no stranger when it comes to benefitting from its advances as well.
Our company looks at AI as an enhancement not a replacement. We know AI can improve experiences, create greater efficiencies, and solve complex problems – but at the same time are realistic. We know that humans alone cannot possibly address and respond to the sheer amount of threats businesses face today. But we also know that machines and technology do not currently have the creativity, wit, and wisdom that humans possess.
This is an important factor in the cybersecurity industry. This realism and notion that AI is an enhancement aligns with the concepts and origins of AI itself.
Most AI we see today can be categorized as strong AI, or AGI – artificial general intelligence, and weak AI. The latter means that humans are involved in some facet of programming the technology, whereas with strong AI, technology is able to use algorithms to process, inform, and make decisions independent of human interaction. What we don’t talk about as much is artificial superintelligence (ASI), where technology gains advanced cognitive abilities that can match – or even surpass – a human.
ASI can be ideal for many industries, but we’re not quite there yet. Since most AI today is still in the strong AI stage, AKA the enhancement phase where humans are still needed to process and define what technology currently cannot: emotion. Machines cannot currently replace thinking like a threat actor – imagining scenarios that only humans experience, intuition, motive, and brain power can conjure.
Therefore, we need humans and machines working together as a team. Machines are able to keep pace with the number of emerging threats and help security operation center analysts manage a tremendous amount of data and convert it into actionable intelligence. But human skill is needed to prioritize threats based on context, insight, and consciousness that machines don’t have.
It is increasingly important to remember this as we see adversarial AI on the rise and threat actors use AI to infiltrate AI-powered solutions. With this increase, speed of response is crucial, which is where we see AI have the most impact across the cybersecurity industry when coupled with human strategy to reduce potential damage done to an organization.
We are far from the point where AI needs to invoke fear, but we have a responsibility to know the shortcomings of current AI alongside its benefits.
This open-minded outlook is critical as AI in its truest form is about intelligence – and we can always add to and grow intelligence. The concept of always-on learning levels the playing field for both humans and machines. We’re the same in this aspect in that the possibilities are endless based on what we both can conjure and create based on education, learning, and knowledge.
The post AI Is Alive! But Not Without Our Help appeared first on McAfee Blogs.
The connection between cybersecurity and poet Ralph Waldo Emerson is not directly evident, however he once said, “money often costs too much.”
This statement rings true across the financial services industry, as money is a key driver for cybercriminals acting with malicious intent. The always-on eye of Sauron on the financial services industry means there are greater implications to keep this industry safe as a top target – and to keep money where it belongs.
IT teams across these organizations have historically invested heavily in technology stacks to combat fraud and decrease the likelihood of an attack or breach, but attacks keep getting more sophisticated and frequent. This Sisyphean task of keeping up with modern-day breaches is complex, and protecting the money is costly, as Ralph’s quote woefully reminds us.
McAfee’s “Hidden Costs of Cybercrime” report supports this current state of the financial services industry, indicating that these organizations spend up to $3,000 per employee on cybersecurity. Another survey from the Financial Services Information Sharing and Analysis Center (FS-ISAC) found that, depending on company size, financial institutions spend between 6% and 14% of IT budgets for defense.
This spending shows no sign of stopping as organizations will always have the onus to protect data, employees, and their own bottom lines. As long as cybercriminals exist, the need for cybersecurity will be omnipresent. However, there is a major change the financial services industry can implement to manage threats faster with higher efficacy and become more proactive instead of reactive: Extended Detection and Response (XDR).
It’s been less than 10 years since JPMorgan Chase & Co. fell victim to the largest known cyberattack at the time – one that occurred two months after it had vowed to spend a quarter-billion dollars a year on cybersecurity. Due to the breach, they increased the planned spend to half a billion dollars, per Forbes. Similarly, Capital One Financial Corp. more recently agreed to pay an $80 million dollar fine, pledging also to increase its cybersecurity efforts as a result of a breach that disclosed more than 100 million customer records.
Both of these financial institutions present examples where XDR could have provided a benefit and perhaps thwarted these major breaches. With its ability to coordinate systems and processes as well as automatically aggregate threat analysis and remove manual hunting and analysis, XDR acts as a modern-day catalyst for security operations center (SOC) success. This combination of prevention, detection, analysis, and response across the SOC and enterprise allows for better decisions that are made faster.
Taking a closer look at the JPMorgan breach, it was only uncovered due to a routine and typical scan conducted by the SOC team. Hackers were able to infiltrate using custom malware and a previously unknown flaw, entering via a website owned by JPMorgan to then stealthily extract data over the course of months – all without being caught by SOC teams. This is not uncommon, as recent Ernst & Young research cited that only 26% of the SOCs polled identified a threat event.
XDR’s ability to control access across an organization’s entire infrastructure from a unified and coordinated interface, coupled with more interconnected visualization across the SOC, provides the context needed to look at cybersecurity in a holistic manner. This is critical given the erratic lateral movements of advanced threats. This means all vectors are protected together, from endpoint, network, and the cloud; therefore, providing better context and overall awareness of security posture across an entire organization.
This gift of proactivity empowering the SOC to act quicker cannot come at a better time as threat actors are still leveraging the upheaval COVID-19 wrought to take advantage of vulnerabilities created due to the pandemic. Not to mention, companies and employees are not clamoring to return to the office where endpoints are easier to track and manage.
The National Association for Business Economics found that only about 1 in 10 companies expect all employees to return to their pre-pandemic work arrangements. With employees apt to use personal devices, causing an ever-increasing endpoint explosion, hackers may again have an easy entry point to conduct crime. All industries are vulnerable, but the financial services industry remains forever-lucrative due to the monetary gains that could be achieved.
With an increase in virtual transactions and use of personal devices to conduct business, the industry is ripe for phishing attempts, malware, and ransomware attacks. Hackers are taking advantage of these surges, with McAfee and IC3 data indicating that business email compromise (BEC) scams have been increasing. This means, it may not take a zero-day approach or strategy from hackers to infiltrate if existing systems and solutions already prove insecure.
Cost is often a barrier to entry for many industries, but the financial services industry has shown it is committed to investing in cybersecurity, knowing it has the most to lose. There has been success across the industry due to this guarantee, but the breaches that do get thwarted do not make the headlines. Nonetheless, undetected breaches – and the reputation-damaging headlines that appear alongside them – lead to more information and data loss and disruption to business. For financial institutions seeking to eliminate the losses associated with cybercrime, XDR is worth exploring.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR and schedule a check-up for your SOC.
The post More Money, Less Problems: XDR Investment Can Protect the Financial Services Industry appeared first on McAfee Blogs.
Imagine you’re driving down a highway to get to work. There are other cars on the road, but by and large everyone is moving smoothly at a crisp, legal speed limit. Then, as you approach an entry ramp, more cars join. And then more, and more, and more until all of the sudden traffic has slowed to a crawl. This illustrates a DDoS attack.
DDoS stands for Distributed Denial of Service, and it’s a method where cybercriminals flood a network with so much malicious traffic that it cannot operate or communicate as it normally would. This causes the site’s normal traffic, also known as legitimate packets, to come to a halt. DDoS is a simple, effective and powerful technique that’s fueled by insecure devices and poor digital habits. Luckily, with a few easy tweaks to your everyday habits, you can safeguard your personal devices against DDoS attacks.
The expansion of 5G, proliferation of IoT and smart devices, and shift of more industries moving their operations online have presented new opportunities for DDoS attacks. Cybercriminals are taking advantage, and 2020 saw two of the largest DDoS offensives ever recorded. In 2020, ambitious attacks were launched on Amazon and Google. There is no target too big for cybercriminals.
DDoS attacks are one of the more troubling areas in cybersecurity, because they’re incredibly difficult to prevent and mitigate.. Preventing these attacks is particularly difficult because malicious traffic isn’t coming from a single source. There are an estimated 12.5 million devices that are vulnerable to being recruited by a DDoS attacker.
DDoS attacks are fairly simple to create. All it takes are two devices that coordinate to send fake traffic to a server or website. That’s it. Your laptop and your phone, for example, could be programmed to form their own DDoS network (sometimes referred to as a botnet, more below). However, even if two devices dedicate all of their processing power in an attack, it still isn’t enough to take down a website or server. Hundreds and thousands of coordinated devices are required to take down an entire service provider.
To amass a network of that size, cybercriminals create what’s known as a “botnet,” a network of compromised devices that coordinate to achieve a particular task. Botnets don’t always have to be used in a DDoS attack, nor does a DDoS have to have a botnet to work, but more often than not they go together like Bonnie and Clyde. Cybercriminals create botnets through fairly typical means: tricking people into downloading malicious files and spreading malware.
But malware isn’t the only means of recruiting devices. Because a good deal of companies and consumers practice poor password habits, malicious actors can scan the internet for connected devices with known factory credentials or easy-to-guess passwords (“password,” for example). Once logged in, cybercriminals can easily infect and recruit the device into their cyber army.
These recruited cyber armies can lie dormant until they’re given orders. This is where a specialized server called a command and control server (typically abbreviated as a “C2”) comes into play. When instructed, cybercriminals will order a C2 server to issue instructions to compromised devices. Those devices will then use a portion of their processing power to send fake traffic to a targeted server or website and, voila! That’s how a DDoS attack is launched.
DDoS attacks are usually successful because of their distributed nature, and the difficulty in discerning between legitimate users and fake traffic. They do not, however, constitute a breach. This is because DDoS attacks overwhelm a target to knock it offline — not to steal from it. Usually DDoS attacks will be deployed as a means of retaliation against a company or service, often for political reasons. Sometimes, however, cybercriminals will use DDoS attacks as a smokescreen for more serious compromises that may eventually lead to a full-blown breach.
DDoS attacks are only possible because devices can be easily compromised. Here are three ways you can prevent your devices from participating in a DDoS attack:
Now that you know what a DDoS attack is and how to protect against it, you’re better equipped to keep your personal devices and safe and secure.
Stay Updated
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post What Is a DDoS Attack and How to Stay Safe from Malicious Traffic Schemes appeared first on McAfee Blogs.
Tax return preparation might be a little more complicated this year than usual for many Canadians with millions receiving Canada Emergency Response Benefit (CERB) payments and about 40% of the Canadian labor force turned to self-employment options to help them financially weather the pandemic storm.
Where there’s money and uncertainty, you’re likely to find scammers. After all, scammers tend to capitalize on uncertainty and use it as the entry point for their attacks. Whether it’s through a phishing email with a phony notice of reassessment, a text message threatening arrest, or a fake phone call from the Canada Revenue Agency (CRA), hackers often employ elements of fear in their attacks. McAfee’s 2021 Consumer Security Mindset study revealed that roughly 2 out of 3 Canadians (65%) plan to do their taxes online in 2021, with 12% of them doing so for the first time. With the increase in activities online, consumers are potentially exposed to more digital risks and threats, and knowing how these hackers tend to work doesn’t mean you have to live in fear. To help you identify and avoid potential threats, let’s take a look at some of the most common scams that hackers use during tax season.
Phone scams take one of two primary forms:
Some sophisticated scammers will weave stolen personal or financial data that they purchased on the dark web into their calls, such as bank or social insurance information. They intend to make their phony claims sound legitimate, hoping that an unsuspecting user will hand over their data or make a fraudulent payment.
So, what does a real call from the CRA entail? The CRA clearly outlines the reasons they’d be calling on their 2020 Tax Tips page and ways that you can follow up with the CRA to determine if a call is legitimate.
There are two instances where the CRA may contact you by email. One is during a telephone call or meeting with a legitimate CRA agent. The second is to send you a notification that you have a message or document for your review on a secure CRA site such as My Account, My Business Account, or Represent a Client. Anything else is likely a scam.
The one time where the CRA will send you an email containing links is if you have a call or meeting with an agent, as outlined above. Otherwise, you can be confident that an email with links is a scam.
This one is relatively straightforward: the CRA will never contact you via text, instant messaging, Facebook, WhatsApp, or any similar messaging service. If you receive such a message, delete it, and don’t click on any links embedded within it.
In many cases, hackers will aim to separate you from your money by demanding immediate payment in some form or other. They may request payment in pre-loaded debit cards, gift cards, e-transfer, or even bitcoin. Know that the CRA will never request payment in any of those forms.
When in doubt, ask yourself why this email or phone caller is demanding that you act immediately. Have you filed on time? Have you received written notice from the CRA already? Do you owe an installment payment? If the person contacting you leaves you unsure, you can confirm that the contact was legitimate by calling the CRA.
While recognizing the signs of tax-related fraud can help ease the burdens associated with these schemes, there are multiple steps you can take to prevent becoming a victim of tax scams in the first place. Follow these tips to stay on top of your tax return while securing your digital life:
Devices benefit from physical security. This is as simple as locking your smartphones, tablets, and computers with a PIN or password. Should one of those devices get lost or stolen, a lock provides a barrier for those who might try to access your personal and financial information on them.
Protecting your devices with comprehensive security software can help block the phishing emails and suspicious links that make up many of these tax attacks. Likewise, it can further protect you from ransomware attacks, another type of tax scam on the rise, where crooks hold your data hostage for a price. All in all, security software is always a smart move—tax time or any time.
Consider what’s on your old computer hard drive or stored away on your phone. Old devices tend to contain loads of precious personal and financial information. Look into the e-waste disposal options in your community that will recycle your old technology and do so securely.
While so many of our finances are handled electronically today (taxes included), we’d be remiss if we didn’t talk about physical security as well. Mail and porch theft still occur, which is one more way a thief can steal your personal and financial information to use in a scam. A locking mailbox is a purchase you may want to consider if you don’t have one already.
Recognizing the signs of tax-related fraud could allow you to take action and significantly suppress the repercussions. If you suspect you’ve fallen victim to fraud or believe that you’ve been tricked into giving away personal information as part of a scam, contact your local police service and make a report.
By staying proactive and vigilant, you’ll be in a better position to protect your identity and your data—and live your digital life with safety at the forefront.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Tax Season is Here: Avoid These Common Scams Targeting Canadians appeared first on McAfee Blogs.
Elder scams cost seniors in the U.S. some $3 billion annually. And tax season adds a healthy sum to that appalling figure.
What makes seniors such a prime target for tax scams? The Federal Bureau of Investigation (FBI) states several factors. For one, elders are typically trusting and polite. Additionally, many own their own home, have some manner of savings, and enjoy the benefits of good credit—all of which make for an ideal victim profile.
Also according to the FBI, elders may be less able or willing to report being scammed because they may not know the exact way in which they were scammed, or they may feel a sense of shame over it, or even some combination of the two. Moreover, being scammed may instill fear that family members will lose confidence in their ability to look after their own affairs.
If there’s one thing that we can do for our elders, it’s help them raise their critical hackles so they can spot these scams and stop them in their tracks, particularly around tax time. With that, let’s see how crooks target elders, what those scams look and feel like, along with the things we can do to keep ourselves and our loved ones from getting stung.
The phone rings, and an assertive voice admonishes an elder for non-payment of taxes. The readout on the caller ID shows “Internal Revenue Service” or “IRS,” the person cites an IRS badge number, and the victim is told to pay now via a wire transfer or prepaid gift card. The caller even knows the last four digits of their Social Security Number (SSN). This is a scam.
The caller, and the claim of non-payment, are 100 percent bogus. Even with those last four digits of the SSN attempting to add credibility, it’s still bogus. (Chances are, those last four digits were compromised elsewhere and ended up in the hands of the thieves by way of the black market or dark web so that they could use them in scams just like these.)
Some IRS imposter scams take it a step further. Fraudsters will threaten victims with arrest, deportation, or other legal action, like a lien on funds or the suspension of a driver’s license. They’ll make repeated calls as well, sometimes with additional imposters posing as law enforcement as a means of intimidating elders into payment.
The IRS will never threaten you or someone you know in such a way.
In fact, the IRS will never call you to demand payment. Nor will the IRS ever ask you to wire funds or pay with a gift card or prepaid debit card. And if the IRS claims you do owe funds, you will be notified of your rights as a taxpayer and be given the opportunity to make an appeal. If there’s any question about making payments to the IRS, the IRS has specific guidelines as to how to make a payment properly and safely on their official website.
It’s also helpful to know what the IRS will do in the event you owe taxes. In fact, they have an entire page that spells out how to know it’s really the IRS calling or knocking at your door. It’s a quick read and a worthwhile one at that.
In all, the IRS will contact you by mail or in person. Should you get one of these calls, hang up. Then, report it. I’ll include a list of ways you can file a report at the end of the article.
Whether it’s a disembodied voice generated by a computer or a scripted message that’s been recorded by a person, robocalls provide scammers with another favorite avenue of attack. The approach is often quite like the phone scam outlined above, albeit less personalized because the attack is a canned robocall. However, robocalls allow crooks to cast a much larger net in the hopes of illegally wresting money away from victims. In effect, they can spam hundreds or thousands of people with one message in the hopes of landing a bite.
While perhaps not as personalized as other imposter scams, they can still create that innate sense of unease of being contacted by the IRS and harangue a victim into dialing a phony call center where they are further pressured into paying by wire or with a prepaid card, just like in other imposter scams. As above, your course of action here is to simply hang up and report it.
Here’s another popular attack. An elder gets an unsolicited email from what appears to be the IRS, yet isn’t. The phony email asks them to update or verify their personal or financial information for a payment or refund. The email may also contain an attachment which they are instructed to click and open. Again, all of these are scams.
Going back to what we talked about earlier, that’s not how the IRS will contact you. These are phishing attacks aimed at grifting prized personal and financial information that scammers can use to commit acts of theft or embezzlement. In the case of the attachment, it very well may contain malware that can do further harm to their device, finances, or personal information.
If you receive one of these emails, don’t open it. And certainly don’t open any attachments—which holds true for any unsolicited email you receive with an attachment.
Beyond simply knowing how to spot a possible attack, you can do several things to prevent one from happening in the first place.
First let’s start with some good, old-fashioned physical security. You may also want to look into purchasing a locking mailbox. Mail and porch theft are still prevalent, and it’s not uncommon for thieves to harvest personal and financial information by simply lifting it from your mailbox.
Another cornerstone of physical security is shredding paper correspondence that contains personal or financial information, such as bills, medical documents, bank statements and so forth. I suggest investing a few dollars on an actual paper shredder, which are typically inexpensive if you look for a home model. If you have sensitive paper documents in bulk, such as old tax records that you no longer need to save, consider calling upon a professional service that can drive up to your home and do that high volume of shredding for you.
Likewise, consider the physical security of your digital devices. Make sure you lock your smartphones, tablets, and computers with a PIN or password. Losing a device is a terrible strain enough, let alone knowing that the personal and financial information on them could end up in the hands of a crook. Also see if tracking is available on your device. That way, enabling device tracking can help you locate a lost or stolen item.
There are plenty of things you can do to protect yourself on the digital front too. Step one is installing comprehensive security software on your devices. This will safeguard you in several ways, such as email filters that will protect you from phishing attacks, features that will warn you of sketchy links and downloads, plus further protection for your identity and privacy—in addition to overall protection from viruses, malware, and other cyberattacks.
Additional features in comprehensive security software that can protect you from tax scams include:
And here’s one item that certainly bears mentioning: dispose of your old technology securely. What’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Look into the e-waste disposal options in your community. There are services that will dispose of and recycle old technology while doing it in a secure manner so the data and info on your device doesn’t see the light of day again.
As said earlier, don’t let a bad deed go unreported. The IRS offers the following avenues of communication to report scams.
In all, learning to recognize the scams that crooks aim at elders and putting some strong security measures in place can help prevent these crimes from happening to you or a loved one. Take a moment to act. It’s vital, because your personal information has a hefty price tag associated with it—both at tax time and any time.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Spot, and Prevent, the Tax Scams That Target Elders appeared first on McAfee Blogs.
It’s tax time in the United States, and even if you’re pretty sure you did everything right, you’re worried. Did I file correctly? Did I claim the right deductions? Will I get audited? Unfortunately, tax season brings out scammers eager to take advantage of your anxiety.
First, know that you’re probably doing a good job with your taxes. Less than 2% of returns get audited and most discrepancies or adjustments can get handled easily if you address them promptly.
Still, wariness of the IRS and intricate tax laws makes for ripe pickings when it comes to hackers, who prey on people’s fear of audits and penalties. Common scams include fake emails, phone calls from crooks posing as IRS agents, and even robocalls that threaten jail time. With the information they get from you, hackers can take things a step further by stealing your identity and filing tax claims in your name.
As if we didn’t have enough to worry about at tax time.
The good news is that you have plenty of ways to protect yourself from hackers. Check out these tips to stay safe this tax season.
Straight from the authority itself, the IRS has published its top 12 tax season scams with new warnings brought on by the events of 2020.
For example, new to this year are scams associated with stimulus checks sent out by the government. The IRS says they have seen “… a tremendous increase in phishing schemes utilizing emails, letters, texts and links. These phishing schemes are using keywords such as “coronavirus,” “COVID-19” and “Stimulus” in various ways.”
This is very important: The IRS does not use email. If you get an email from someone saying they are the IRS and they want to talk with you about a problem, it is a scam.
Here’s what the IRS has to say:
The IRS will never initiate contact with taxpayers via email about a tax bill, refund, or Economic Impact Payments. Don’t click on links claiming to be from the IRS. Be wary of emails and websites − they may be nothing more than scams to steal personal information.
Social media attacks also made the IRS Dirty Dozen. In a social media attack, scammers harvest information from social media profiles. Hackers use the information to gain access to your online accounts in social media and beyond, like your bank account. Make it hard for them. Make your social media profiles private so that only friends and family can see them. Also consider so you can be safer from these kinds of crimes.
When a hacker poses as an IRS agent, they try to get personal information from you, like your social security number. They might demand payment, sometimes under the threat of penalties or even jail time. These strong-arm tactics are a dead giveaway that the email or phone call is fake.
What will the IRS do? Usually, the IRS will first mail a bill to any taxpayer who owes taxes. IRS collection employees might call on the phone or make an unannounced visit to your home or business. If they require a payment, the payment will always be to the U.S. Treasury. Read about other ways to know what the IRS won’t do when they contact you.
And remember: the IRS does not use email to contact you about tax problems.
A good defense is a good offense. File early. Protect yourself by filing your claim before they have a chance to file one as you. You don’t want to be one of those identity theft victims who finds out you’ve been scammed when you file your taxes only to get a notice in the mail saying your tax claim has already been filed.
Here’s other tool that can help you fight identity theft. And get this: it’s not only helpful, it’s free. Through the Federal Trade Commission, you are entitled to a free copy of your credit report from each of the three major credit reporting companies once every 12 months. In this report, you can find inaccuracies in your credit or evidence of all-out identity theft.
Keep in mind that you get one report from each of the reporting companies each year. That works out to three reports total in one year. Consider this: if you request one report from one credit reporting company every four months, you can spread you free credit report coverage across the whole year.
The idea is that, just like with your physical wellness, there are lots of steps you can take to protect your digital wellness. We’ve covered some of those steps in this blog. Consider one more: protect your digital life with a holistic security solution like McAfee Total Protection so you can enjoy life online knowing your precious data is protected. Tax time or otherwise, security software is always a smart move.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Who loves tax season besides accountants? Hackers appeared first on McAfee Blogs.
Tax season is always a high time for scams that put our money and information at risk. But this year securing your data may be more important than ever, due to a spike in unemployment fraud.
Millions of Americans have lost their jobs over the course of the pandemic, and states have seen a surge in unemployment applications, including fake claims using stolen information. In California, authorities report that between $10 billion and $30 billion was recently paid in fraudulent unemployment claims, while in New York authorities identified $5.5 billion in fake jobless claims since March of 2020.
ictims don’t even know that their information was used for a fraudulent claim until they receive an unemployment letter from their state, or a tax form from the IRS. Whether you’re concerned about your personal data, or just want to safely file your IRS return and hopefully get a tax refund, let’s take some steps to protect your private information for this tax season, and beyond.
The first thing to know is that there are a that we see evolving each year – according to the IRS, Criminal Investigation identified $2.3 billion in tax fraud schemes just last year. So, it’s always a good idea to take caution and be skeptical whenever you see something that seems too good to be true, like a free tax filing service you’ve never heard of before.
But recently, with so many people out of work, bad actors have decided to focus their attention on filing fraudulent jobless claims using stolen information from people who were actually employed.
If you’ve received a notice about unemployment benefits that you never applied for, contact your state unemployment agency and submit a claim. Then follow up with the Federal Trade Commission since they can help you by placing a fraud alert on your credit. This lets lenders know that you may be a victim of fraud, prompting them to take extra steps to verify your identity. The good news is that in the U.S. you only have to notify one of the three national credit bureaus and they will transmit your request to the other two.
My colleague Judy has shared some easy ways you can check your credit report and even freeze your credit in a blog post here. Starting 2021, you can also register for a six-digit Identity Protection PIN (IP PIN) with the IRS to add another layer of verification to protect yourself from tax-related identity theft.
Of course, tax season isn’t the only time your data can fall into the wrong hands. Keep your personal information safe by adopting these best practices and robust tools.
• Use comprehensive security software—For protection against the growing range of threats, choose holistic security software that goes beyond traditional antivirus products, by protecting your identity and privacy wherever and however you connect.
Stay Updated
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Don’t Let Tax Fraud Ruin Your IRS Refund appeared first on McAfee Blogs.
It is near-certain the need for security across the enterprise will never cease – only increase if year-over-year trends are any indication. We constantly see headlines with repetitive buzzwords and phrases calling attention to the complexity of today’s security operations center (SOC) with calls to action to reimagine and modernize the SOC. We’re no different here at McAfee in believing this to be true.
In order for this to happen, however, we need to update our thinking when it comes to the SOC.
Today’s SOC truly serves as an organization’s cybersecurity brain. Breaking it down, the brain and SOC are both the ultimate central nervous system and are extremely complex. While the brain fires neurons, connects synapses, and constantly communicates in order for the body to function, the SOC similarly works as a centralized system where people, processes, and technology must be in-sync to function. The unfortunate reality is though, SOC analysts and staff do not feel empowered to act in this manner. According to the 2021 SANS Cyber Threat Intelligence Report, respondents cited several reasons for not being able to implement cybersecurity holistically across their organization, including lack of trained staff, time, funding, management buy-in, technical capabilities, and more.
The technology that has the power to enable this synchronicity and further modernize enterprise security by taking SOC functionality to the next level is already here – Extended Detection and Response (XDR). It has the ability to provide prevention, detection, analysis, and response in a purposefully orchestrated and cooperative way, with its components operating as a whole. Think of it this way: XDR mimics the brain’s seamlessness in operation, with every element working toward the same goal of maintaining sound security posture across an entire organization.
Put another way, the human brain has approximately 100 trillion synapses, synchronizing and directing to make it possible to walk and chew bubble gum at the very same time with seemingly no effort on the human’s end. However, if one synapse misfires or becomes compromised due to an unknown element – you might end up on the ground.
Similarly, we’re already seeing many enterprises falter, trip, and fall. According to Ernst & Young, 59% of companies experienced a significant breach in the last twelve months – and only 26% of respondents say the SOC identified that event. These statistics show the case for XDR is clear – and that it is time to learn and reap the benefits of taking a proactive approach.
Organizations are still vulnerable to malicious actors attempting to take advantage of disparate remote workforces – and we’re seeing them get craftier, acting faster and more frequently. This is where XDR offers a pivotal differentiator by providing actionable intelligence and integrated functionality across control vectors, resulting in more proactive investigation cycles.
When it comes to analysis, data can quickly become overwhelming, introducing an opportunity to miss critical threats or malicious intent with more manual or siloed processes. Meaningful context is crucial and no industry is exempt from needing it.
This is where McAfee is providing the advantage with MVISION XDR powered MVISION Insights. The ability to know likely and prioritized threat campaigns based on geographical and industry prevalence – and have them correlated and assessed across your local environment – provides the situational awareness and analysis that can allow SOC teams to act before threats occur. Additionally, as endpoints only promise to increase, MVISION XDR works in conjunction with McAfee’s endpoint protection platform (EPP), increasing effectiveness with added safeguards including antivirus, encryption, data loss prevention technologies and more at the endpoint.
Think of the impact and damage that can happen without this crucial and context MVISION Insights can provide. The consequences can be dire when looking at industries that have faced extreme upheaval.
For example, in keeping with our theme, we know the importance of essential healthcare workers and cannot be grateful enough for their contributions. But as the industry faces extreme challenges and an increase in both patient load and data, we also need to be paying close attention to how this data is being managed, who has privilege to it, and what threats exist as even this typical in-person industry shifts virtual due to our updated circumstances. Having meaningful context on potential threats will help this industry avoid added challenges so focus can remain steadfast on creating impact and positive results.
Outside of the tremendous advantage of being less vulnerable to threats and breaches due to proactivity, incredible efficiencies can be gained by freeing cybersecurity staff from those previously manual tasks and management of multiple silos of solutions. The time is definitely now too – according to (ISC)², 65% of organizations already report a shortage of cybersecurity staff.
Coupled with staff shortages and lack of skilled workers, an IBM report also found that the average time to detect and contain a data breach is 280 days. Going back to the view that the SOC serves as an organization’s cybersecurity brain – 280 days can cause massive amounts of damage if an anomaly in the brain were to occur unnoticed or unaddressed.
For the SOC, the longer a breach goes undetected, the more information and data becomes vulnerable or leaked – leading not only to a disruption in business, but ultimately financial losses as well.
XDR is the future of the SOC. We know that simplified, cohesive visualization and control across the entire infrastructure leads the SOC to better situational awareness – the catalyst for faster time to remediation. The improved, holistic viewpoint XDR provides across all vectors from endpoint, network, and cloud helps to eliminate mistakes and isolated endeavors across an organization’s entire IT framework.
With AI-guided investigation, analysts have an automatic exchange of data and information to move faster from validation to decision when it comes to threats. This is promising as organizations not only tackle a shortage in cybersecurity staff, but skilled workers as well. According to the same (ISC)² survey as above, 36% of those polled cite lack of skilled or experienced staff being a top concern.
Knowing the power of data and information, we can confidently assume that malicious actors will never stop their quest to infiltrate and extort enterprises. True to the well-known anecdote, this knowledge brings about great responsibility. Enterprises will face challenges as threats increase while talent and staff decrease – all while dealing with vendor sprawl and choice-overload across the market.
SOC Assessment Tool
Time to schedule a check-up for your SOC. It may not be as healthy as you think and true to both the medical and security industries, proactivity and prevention can lead to optimized functionality.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR.
The post SOC Health Check: Prescribing XDR for Enterprises appeared first on McAfee Blogs.
Albert Einstein once said, “We cannot solve our problems with the same thinking we used when we created them”.
Security vendors have spent the last two decades providing more of the same orchestration, detection, and response capabilities, while promising different results. And as the old adage goes, doing the same thing over and over again whilst expecting different results is…? I’ll let you fill in the blank yourself.
SIEM! SOAR! Next Generation SIEM! The names changed, while the same fundamental challenges remained: they all required heavy lifting and ongoing manual maintenance. As noted by ESG Research, SIEM – being a baseline capability within SOC environments – continues to present challenges to organisations by being either too costly, exceedingly resource intensive, requiring far too much expertise, and various other concerns. A common example of this is how SOC teams still must create manual correlation rules to find the “bad” connections between logs from different products, applications and networks. Too often, these rules flooded analysts with information and false alerts and render the product too noisy to effective.
The expanding attack surface, which now spans Web, Cloud, Data, Network and more, has also added a layer of complexity. The security industry cannot only rely on its customers’ analysts to properly configure a security solution with such a wide scope. Implementing only the correct configurations, fine-tuning hundreds of custom log parsers and interpreters, defining very specific correlation rules, developing necessary remediation workflows, and so much more – it’s all a bit too much.
Detections now bubble up from many siloed tools, too, including Intrusion Prevention Systems (IPS) for network protection, Endpoint Protection Platforms (EPP) deployed across managed systems, and Cloud Application Security Broker (CASB) solutions for your SaaS applications. Correlating those detections to paint a complete picture is now an even bigger challenge.
There is also no ‘R’ in SIEM – that is, there is no inherent response built into SIEM. You can almost liken it to a fire alarm that isn’t connected to the sprinklers.
SIEMs have been the foundation of security operations for decades, and that should be acknowledged. Thankfully, they’re now being used more appropriately, i.e. for logging, aggregation, and archiving.
Now, Endpoint Detection and Response (EDR) solutions are absolutely on the right track – enabling analysts to sharpen their skills through guided investigations and streamline remediation efforts – but it ultimately suffers from a network blind spot. Similarly, network security solutions don’t offer the necessary telemetry and visibility across your endpoint assets.
Of Gartner’s Top 9 Security and Risk Trends for 2020, “Extended detection and response capabilities emerge to improve accuracy and productivity” ranked as their #1 trend. They noted, “Extended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability…The primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity.”
That sounds awfully similar to SIEM, so how is an XDR any different from all the previous security orchestration, detection, and response solutions?
The answer is: An XDR is a converged platform leveraging a common ontology and unifying language. An effective XDR must bring together numerous heterogeneous signals, and return a homogenous visual and analytical representation.. XDR must clearly show the potential security correlations (or in other words, “attack stories”) that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require exceeding amounts of manual work; allowing SOC analysts to stop serving as an army of “translators” and focus on the real work – leading investigations and mitigating attacks. This normalized presentation of data would be aware of context and content, be advanced technologically, but simple for analysts to understand and act upon.
SIEMs are data-driven, meaning they need data definitions, custom parsing rules and pre-baked content packs to retrospectively provide context. In contrast, XDR is hypothesis driven, harnessing the power of Machine Learning and Artificial Intelligence engines to analyse high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.
The MITRE ATT&CK framework is effective at highlighting “how bad guys do what they do, and how they do it.” While traditional prevention measures are great at “spot it and stop it” protections, MITRE ATT&CK demonstrates there are many steps taking place in the attack lifecycle that aren’t obvious. These actions don’t trigger sufficient alerting to generate the confidence required to support a reaction.
XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
The ideal XDR solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritise and predict threats that matter BEFORE the attack and prescribe necessary countermeasures allowing the organisation to proactively harden their environment.
McAfee’s MVISION XDR solution does just that, by empowering the SOC to do more with unified visibility and control across endpoints, network, and cloud. McAfee XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
What if you could find out if you’re in the crosshairs of a top threat campaign, by using global telemetry from over 1 billion sensors that automatically tracks new campaigns according to geography and industry vertical? Wouldn’t that be insightful?
“Many firms want to be more proactive but do not have the resources or talent to execute. McAfee can help bridge this gap by offering organisations a global outlook across the entire threat landscape with local context to respond appropriately. In this way, McAfee can support a CISO-level strategy that combines risk and threat operations.”
– Jon Oltsik, ESG Senior Principal Analyst and Fellow
But, hang on… Is this all just another ‘platform’ play?
Take a moment to consider how ‘platform’ offerings have evolved over the years. Initially designed to compensate for the heterogeneity and volume of internal data sources and external threat intelligence feeds, the core objective has predominantly been to manifest data centrally from across a range of vectors in order to streamline security operations efforts. We then saw the introduction of case management capabilities.
Over the past decade, the security industry proposed solving many of the challenges presented in SOC contexts through integrations. You would buy products from a few different vendors, who promised it would all work together through API integration, and basically give you some form of pseudo-XDR outcomes we’re exploring here.
Frankly, there are significant limitations in that approach. There is no data persistence; you basically make requests to the lowest API denominator on a one-to-one basis. The information sharing model was a one-way ‘question and answer’ leveraging a scheduled push-pull methodology. The other big issue was the inability to pull information in whatever form – you were limited to the API available between the participating parties, with the result ultimately only as good as the ‘dumbest’ API.
And what about the lack of any shared ontology, meaning little to no common objects or attributes? There were no shared components, such as UI/UX, incident management, logging, dashboards, policy definitions, user authentication, etc.
What’s desperately been needed is an open underlying platform – essentially like a universal API gateway scaled across the cloud that leverages messaging fabrics like DXL that facilitate easy bi-lateral exchange between many security functions – where vendors and partner technologies create tight integrations and synergies to support specific use cases benefitting SOC ecosystems.
Is XDR, then, a solution or product to be procured? Or just a security strategy to be adopted? Potentially, it’s both. Some vendors are releasing XDR solutions that complement their portfolio strengths, and others are just flaunting XDR-like capabilities.
SIEMs still deliver specific outcomes to organisations and SOCs, which cannot be replaced by XDR. In fact, with XDR, a SIEM can be even more valuable.
For most organisations, XDR will be a journey, not a destination. Their ability to become more effective through XDR will depend on their maturity and readiness to embrace all the required processes. In terms of cybersecurity maturity, if you’d rate your organisation at a medium to high level, the question becomes how and when.
Most organisations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace XDR’s capabilities. They are already investigating and resolving endpoint threats and they’re ready to expand this effort to understand how their adversaries move across their infrastructure, too.
If you’d like to know more about how McAfee addresses these challenges with MVISION XDR, feel free to reach out!
The post XDR – Please Explain? appeared first on McAfee Blogs.
Quantum computing is the next frontier in computer science. It can bring untold benefits, allowing the development of new materials, tackling pandemics and making the world a greener, safer place. But it also threatens to break the encryption that keeps our data safe from prying eyes. France’s recent announcement to invest €1.8b into Europe’s quantum computing effort – on top of Germany’s two billion euros and the EU’s one billion euro quantum strategy – will help ensure Europe doesn’t miss the boat on what is set to become the cornerstone of innovation in the coming decades.
In short, quantum computing is an entirely new paradigm for making calculations on computers. Today, all computing relies on sequences of ones and zeroes to make increasingly complex calculations, culminating in the smartphones, cloud services and the supercomputers that exist today.
Quantum computing uses peculiar characteristics of physics to allow machines to perform complex algebra calculations in one fell swoop: “It would take ten thousand years to factor something on the fastest computer today, that could be minutes or seconds given a sufficiently powerful quantum computer,” said McAfee’s chief technology officer Steve Grobman on a recent podcast. “Think about it more as waves than binary,” added John King, a McAfee research fellow also on the podcast. “You reinforce the ones that you want, and dampen the ones that you don’t want,” he said.
To achieve these quirks of physics requires machines operating at temperatures colder than outer space, so it is unlikely that every person will have a quantum computer in their basement anytime soon. However, with the Internet and cloud computing, we will have the ability to harness the power of quantum computing remotely, just like data centres can be used from hundreds of kilometers away at the tap of a few buttons in a web browser today.
Nor is quantum computing always going to be superior to the well-developed binary technologies in place today, which are handsomely suited to making precise calculations. “Quantum computing is not well suited for general purpose computing, but for solving very specific math problems that are well suited to the quantum model,” said Grobman.
But the pattern-recognising abilities of quantum algorithms are uniquely well suited to complex problem. Think how to best distribute COVID-19 vaccines across populations, or even the world, or optimising global shipping networks leading to lower emissions from boats and planes.
On the flipside quantum is also, unfortunately, much better at breaking encryption algorithms than tradiditional computing power . Data that is considered secure today could be rendered public knowledge in the coming decade’s advances in quantum technology, with massive implications for company secrets and national security.
In the US and China, private and public actors are already pouring huge investments into quantum, and without considerable efforts, Europe exposes itself to gaping security holes, and missing out on harnessing the power of quantum to solve pressing problems such as climate change.
This is why France’s recent announcement is not just timely, but necessary, for Europe to continue charting a path of global success in the future. Today, the theory of quantum computers is way ahead of their actual capability. But in 10 years, it will be a different story, and given the scale of the challenge, acting now is of essence.
Making the most of quantum is not just about building the computers themselves. The entire paradigm of computer science is being upended. Europe is already facing a shortage of computer scientists, and its future computer science graduates must have the tools and knowledge needed to harness this new technology. This is why France is right to focusing funding not only on research and equipment, but also talent and skills to power this computer science revolution.
For McAfee, making the digital world safe is a top priority, and naturally our attention gravitates toward the opportunities and threats quantum computing poses to keeping data secure and safe.
But making the world a safer place isn’t just about preventing cyberattacks and encrypting valuable data. It’s equally about making the world greener and using the power of technology to solve our pressing societal and economic challenges. Quantum computing will play a key role in all these goals, provided the technology is in the right hands. Bad actors see the same opportunities in quantum to disrupt and bring chaos as we see in making the world a better place, and the only way to stymie their efforts is ensuring that Europe, along with the US and others determined to make the world a better place, stay one step ahead.
The post Europe’s Quantum Story is Accelerating, and the World Will be Better for it appeared first on McAfee Blogs.
On December 13, 2020, FireEye announced that threat actors had compromised SolarWinds’s Orion IT monitoring and management software and used it to distribute a software backdoor to dozens of that company’s customers, including several high profile U.S. government agencies.
This campaign is the first major supply chain attack of its kind at scale and represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage. Just as the use of nuclear weapons at the end of WWII changed military strategy for the next 75 years, the use of a supply chain attack will change the way we need to consider defense against cyber-attacks.
This supply chain attack operated at the scale of a worm such as WannaCry in 2017, combined with the precision and lethality of the 2014 Sony Pictures or 2015 U.S. Office of Personnel Management (OPM) attacks.
The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. In the past, cyber-attacks such as WannaCry relied on vulnerabilities, exploiting organizations that failed to install critical patches. In the case of SolarWinds-SUNBURST, any organization that simply updated its software could be vulnerable to attack, which is why we saw the impact across multiple agencies in the federal government and private sector. Furthermore, the backdoor used stealth tactics to monitor if it was being analyzed by looking for the presence of debuggers and network monitors and suppressing communications and alerts of other malicious behavior in those scenarios.
From a U.S. national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets. Attackers can, in turn, leverage this information to influence or impact U.S. policy through malicious leaks.
The attack impacted private companies as well. Unlike government networks which isolate classified information both from the internet and non-classified material, private organizations often have critical intellectual property on the same internet-facing network they store non sensitive information. Exactly what corporate intellectual property or private data on employees has been stolen will be difficult to determine, and the full extent of theft may never be fully known.
These cyber supply chain attacks are a concern for consumers as well. In today’s highly interconnected homes, a breach of consumer electronics companies can result in attackers using their access to smart appliances such as TVs, virtual assistants, and smart phones to steal their information or act as a gateway to attack businesses while users are working remotely from home.
What makes this campaign so insidious is that the attackers used trusted SolarWinds software to infiltrate victim organizations with the SUNBURST backdoor, which then enabled the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that could result in kinetic damage, or simply implanting additional malicious content throughout the organization to stay in control and maintain access even after the initial threat appears to have passed.
Such an attack is particularly challenging in that it raises concerns around best practices cybersecurity professionals have been trying to communicate for years. For decades, we have been saying that it is critical to patch and keep software updated. In this case, however, it was patching and bringing new software into an environment that opened organizations up to attack.
Organizations must not read into these SolarWinds-SUNBURST revelations that they should not prioritize keeping their environments up to date. Doing so would certainly open them up to a variety of other attacks.
How do we reconcile these two conflicting security viewpoints? Organizations and cybersecurity practitioners must be vigilant in their review and understanding of the software being brought into their environments. Additionally, they must identify their most critical information and data and apply the principles of least privilege to these items, ensuring that sensitive information such as national secrets and intellectual property are protected.
One additional area of concern is when software vendors are impacted. In this scenario, it is possible for there to be a daisy chain effect. The adversary could modify either source code or a development toolchain within a victim’s environment to plant additional backdoors that are then distributed to their customers.
The SolarWinds-SUNBURST campaign is like a “smart bomb” on a crowded landscape of “dumb bomb” cyber threats. WannaCry was a dumb bomb in that it was fully autonomous and indiscriminate in what it attacked. Whereas this SolarWinds-SUNBURST attack is a “precision guided” smart cyber weapon that is being used to target specific organizations in very specific ways. Every organization that is of interest to the attacker might be targeted slightly differently.
McAfee has incorporated technical indicators gleaned from the FireEye and SolarWinds incidents into our cyber defenses and solutions portfolio to protect our environment and customers. The details of these supplemental protections can be found in McAfee’s knowledge base (KB) articles KB89830 and KB93861.
Please also see the following analysis blogs focused on SolarWinds-SUNBURST:
The post Why SolarWinds-SUNBURST is a Wake up Call appeared first on McAfee Blogs.
Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.
But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.
And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.
The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.
MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.
Organizations across the country – from the private sector to the federal government – have become more digital, especially following the shift to remote work this year. It’s no surprise that cybercriminals around the world have taken notice. According to a new report by McAfee and the Center for Strategic and International Studies (CSIS), cybercrime is now a nearly trillion-dollar industry, and the government sector is not immune.
Across the board, the issue continues to rise – increasing the cost of cybercrime by nearly 50% since our last report in 2018. The threats to the government from cybercriminals are even greater, leading to potential national security risks as dark actors look to steal U.S. secrets and intellectual property.
All levels of government – from state and local to the federal government here in Washington – are taking steps to mitigate the issues, but they must do so differently than their private sector counterparts. Government respondents to the survey reported the highest number of malicious attacks, highlighting the high-stakes environment in which governments operate.
Unfortunately, the report also found that while government organizations face more attacks than their private-sector counterparts, they also take longer to remediate them, leaving our government services, infrastructure, and other critical aspects of society at risk for longer than they need.
Earlier this week, McAfee’s CTO Steve Grobman joined CSIS for a conversation on the report and how we can continue to prepare for and mitigate the risk of cybercrime and its hidden costs with CSIS’ Jim Lewis and Zhanna Malekos Smith, former Federal CISO Grant Schneider and the FBI’s Jonathan Holmes.
Kicking off the discussion, Schneider highlighted the importance of the workforce and the need to take care of them so organizations can quickly rebound from an incident. Schneider noted that if an office were robbed, no one would blame the team, but with cybercrime, victims are often seen as the issue – leading to reduced employee morale and more issues later down the line.
Instead, Schneider argued on the importance of preparing the workforce and that preparation can take several forms, including risk management through NIST’s risk management framework. He also called for organizations to develop a recovery plan, engaging different departments, leadership and the public to be ready for when an incident occurs.
In his discussion of the report’s findings, McAfee CTO Steve Grobman noted they weren’t shocking. Grobman said that as we adopt new technologies, adversaries will continue to find new attack vectors.
This year was particularly notable as much of the federal government transitioned to a remote work environment overnight. As the workforce went remote – critical government information was accessed from home internet routers that lacked the same level of security as government office networks, increasing adversaries’ ability to successfully launch attacks.
Luckily, as Grobman noted, there are ways lawmakers can mitigate the threat of ransomware against government and the private sector.
Across the country, governments are facing ransomware attacks at an alarming rate, and every one of them – at every level – needs to have a plan in place. There needs to be a data-based discussion with leadership to decide how to balance the daily blocking and tackling of threats with limited complication to the continuation of operations and preparation for big intrusions like we’ve seen happen this year.
There are also policy solutions – many of these criminal groups operate in countries that allow them to do so. When negotiating trade deals with countries, the level of cybercrime and the government’s cooperation with or against those groups must be considered.
The cost of cybercrime is now nearly 1% of the global GDP, and it will only continue to rise, impacting companies and governments around the world unless we come together to stop it through basic cyber hygiene, preparation and policy solutions.
The post The Hidden Costs of Cybercrime on Government appeared first on McAfee Blogs.
Even the best psychics, science fiction and horror writers could not have predicted or written 2020.
It’s been quite the year. I am thankful that it’s almost over.
The COVID-19 Coronavirus started a global lockdown that sent millions of people to work from home, or wherever they could shelter in place. Personally, working at home didn’t seem like a bad option at the time. But after 8 months, sheltering in place, working from home, and sharing your Internet bandwidth with three others who also need real-time audio and video can be exhausting.
Professionally, it’s another story. It’s hard to understate the magnitude of the change. It was as if someone flipped a switch. One day, most of McAfee’s 7,000+ employees could be found working in McAfee offices. The next day, we had 7,000 “offices” of one person each. They were now voices heard on a phone, logging in from remote locations.
Whereas previously just 2% of workers were remote full time globally, by April 2020, 42% of the workforce was remote according to Stanford University economics professor Nicholas Bloom. By late August, the number of workers at home dropped to 35%. That said, once the pandemic ends, about 55% of employers surveyed by PWC said they expected staff to work from home at least one day a week. And more than 80% of employees said they supported that idea. In fact, Facebook, Microsoft and Twitter have all said remote work would be a permanent option.
Most organizations have found a way to make do with existing infrastructure. Since we’re apparently in it for the long-haul, it’s time to go back and verify that all appropriate security protections are in place. Because – let’s face it – in many organizations, security during this transition had to be prioritized behind keeping the business running. Cyber hygiene had to wait while organizations worldwide raced to the cloud in order to get their teams online and productive again.
Cybercriminals know home networks are often less secure and have leaped at the opportunity to find new and easier ways to access data and systems. In fact, McAfee’s Advanced Threat Research team observed a 630% increase in external attacks on cloud accounts with the greatest concentration on collaboration services (CARR). And, during Q2 of 2020, McAfee’s global network of more than a billion sensors registered a 605% increase in total COVID-19-themed threat detections.
For a security company like McAfee, the pandemic is an opportunity to share some lessons to help protect your people and data without getting in your teams’ way. It will not surprise you to learn we primarily run our own products and relied on them heavily for our WFH transition. I will be touting some of the benefits of our products in this article.
1. Maximize Visibility and Control
For many companies, the rapid transition resulted in less visibility and control than when everyone was in the office behind a web gateway. With WFH, visibility and control across the entire organization – cloud, web as well as both managed and unmanaged devices is imperative.
McAfee MVISION Complete, part of our new Device-to-Cloud suites, provides this visibility and control across endpoint, web and cloud. The solution unifies MVISION Insights, Endpoint, cloud access security broker (CASB), data loss prevention (DLP), cloud-based Secure Web Gateway (SWG) and (soon) remote browser isolation technologies to deliver comprehensive device-to-cloud protection. It enables us to:
2. Run an Effective Threat Management Program
Threat Intelligence programs are designed to answer questions such as:
Questions like these are called Intelligence Requirements, and some threat management programs flounder because they focus on answering the first two questions. Others struggle because they don’t have the resources to answer the last two in a good way. It takes substantial time to walk through indicators of compromise (IOCs) and determine whether you have coverage on your endpoints, your IPS, your Web Gateway, etc. It can take longer to update coverage. Having 95% coverage can sound like a lot, but advanced actors always seem to be able to locate the unprotected 5%.
3. Plan for Increased Threats to Home Workers
WFH has put a premium on making sure employees can depend on the same level of security they received in the office. In a post-pandemic future where WFH continues to be prevalent, cyber adversaries will focus their innovation on WFH users. To get ahead of this trend, we must find ways to increase our protections for WFH users.
4. Future-Proof … with the Right Protections
Enterprise security teams should plan for the likelihood that some of their employees working from home are going to get breached. It may be a compromised computer. It may be a connected IOT device. People will do the wrong thing, so it is important here to mitigate risk.
The technical measures listed earlier are a good start. In addition, you’ll need to make sure WFH users are patched as aggressively as they were when on-site. And, that you have a process for following up with the last 5% who are out of office during patch installation, or who power down their laptop during installation. You’ll also need vulnerability scanning agents installed on user workstations.
Finally, I see a renewed move back to centralizing the data to limit the endpoint exposure.
5. Education Never Ends
There’s no getting around it. People are both a company’s biggest asset … and also a company’s biggest security liability. Many employees are still prone to making silly security mistakes by ignoring best practices. So, any WFH security approach ought to feature a big education component. Spend more time with employees to educate and inform how to improve their security practices. What’s practical guidance for employees? There’s no one-size-fits all but the best advice I can offer is to be realistic. Don’t send out a detailed, 20-page paper on wireless security and expect miracles. The message needs to be brief, clear and simple.
I’d love to hear what you’re doing to secure your distributed teams… leave comments below.
The post Finding the Success Among the Pandemonium that is 2020 appeared first on McAfee Blogs.
For more than 20 years, the cybersecurity industry has been focused on enterprises, not on a larger national integrated security environment – and certainly not on comprehensive home security. Smart devices that make home life more convenient have been growing in acceptance and adoption, but by and large, the industry continues to concentrate on enterprise security. Even from a standards perspective, the National Institute of Standards and Technology (NIST) has focused on enterprises and the federal government, not the home.
The NIST Cybersecurity Framework, for example, a highly regarded security framework, is intended for enterprises, not homes. Yet today, the devices and connectivity in many homes outnumber those in small businesses of 20 years ago. Homes are following along the same path as small businesses, and like them, need more focused attention and protection.
COVID-19 forced organizational change in the blink of an eye, forcing an overnight transition from mostly centralized work environments to a highly distributed work-from-home infrastructure. This rapid shift to working from unsecured and unmanaged environments (IT, IoT, mobile, cloud, etc.), has greatly complicated organizational cybersecurity exposure challenges while creating a massive expansion of the digital attack surface. With many employees having to use personal devices for business purposes, enterprises now need to consider adopting policies that provide them greater management and control over these personal devices. The security challenge once focused on BYOD (bring your own device) has now morphed into BYEH — “Bring Your Enterprise Home.” We need new security standards and practices to address this shift.
While my company and others had the policies, management processes, controls, equipment and software in place to protect this new corporate ecosystem, they did so with the understanding the home is a very inhospitable security environment at present.
In my own home, for instance, there are many different systems of devices (wireless lighting, smart locks, multiple smart TVs, multiple streaming devices, smart plugs, wireless security system, digital assistants, wireless speakers, cameras, thermostats, and other home management connected devices. And this is before we add in the computers, laptops, iPads and smart phones for all its residents. An ever-growing number of IoT devices are helping people to transform their houses into smart homes, but homeowners often don’t know how to secure these devices. Additionally, many of the products don’t communicate or integrate with each other, exacerbating the discovery of security weaknesses.
Today, a bad actor can break into a home and steal things of value – bank account, credentials, sanity (by turning smart lights on and off at 3 am and blasting music from connected speakers) – without even physically walking through the door. This is a major problem for individuals, but it’s an even greater problem for enterprises and governments turning to remote work to continue operations during the COVID-19 pandemic.
Take all of the devices in each home, smart or otherwise, multiplied by all of the federal government employees alone, and you’ll have a vision for how large a threat vector we’ve just created by asking employees to work from home. Then add in government contractors, who may or may not have access to the same level of security as permanent employees. Then realize this is not just a government problem but a whole-of-nation problem, where businesses and other organizations need to assure their staffs’ remote access to their corporate properties are protected and secure.
Cybersecurity is not the only area we need to address. For example, ISPs often give priority to supporting enterprise customers when there are outages. Timelines from reporting-to-fix for enterprises is measured in hours, while timelines for correcting consumer outages is quite often measured in days. Now, however, the lines between what is a remote critical connection and what is not are highly blurred. How does an organization indicate to an ISP that a specific connection needs a critical designation and a priority response? How do we extend the concept of “home-points” being a component in an individual enterprise’s infrastructure?
Relatedly, broadband access and network connection speeds are now more important than ever. It may be time for the Federal Communications Commission to rethink its designation of broadband, as 25/3 Mbps is not really suitable for a family with multiple children engaged in remote learning while Mom and Dad work from home.
The waves of change that COVID-19 has set in motion have turned homes into workspaces, making every connected device in a home a risk to each person’s employer. Now the home isn’t just a smart home; it’s a remote office, as well as a schoolroom, a doctor’s office and the front door to malls and grocery stores.
As we work to adapt our economy and country in the wake of the pandemic, it’s critical that we also rethink the security of our homes to ensure there are standards for protection in place. Our homes are now part of an enterprise environment. It’s time that we as a nation considered the home as such and adopted policies and security practices to meet the new BYEH reality.
The post Home-Point Cybersecurity: Bring Your Enterprise Home appeared first on McAfee Blogs.
If you are someone who works for a cloud service provider in the business of federal contracting, you probably already have a good understanding of FedRAMP. It is also likely that our regular blog readers know the ins and outs of this program.
For those who are not involved in these areas, however, this acronym may be more unfamiliar. Perhaps you have only heard of it in passing conversation with a few of your expert cybersecurity colleagues, or you are just curious to learn what all of the hype is about. If you fall into this category – read on! This blog is for you.
At first glance, FedRAMP may seem like a type of onramp to an interstate headed for the federal government – and in a way, it is.
FedRAMP stands for the Federal Risk and Authorization Management Program, which provides a standard security assessment, authorization and continuous monitoring for cloud products and services to be used by federal agencies. The program’s overall mission is to protect the data of U.S. citizens in the cloud and promote the adoption of secure cloud services across the government with a standardized approach.
Once a cloud service has successfully made it onto the interstate – or achieved FedRAMP authorization – it’s allowed to be used by an agency and listed in the FedRAMP Marketplace. The FedRAMP Marketplace is a one-stop-shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements.
In the fourth year of the program, FedRAMP had 20 authorized cloud service offerings. Now, eight years into the program, FedRAMP has over 200 authorized offerings, reflecting its commitment to help the government shift to the cloud and leverage new technologies.
Any cloud service provider that has a contract with a federal agency or wants to work with an agency in the future must have FedRAMP authorization. Compliance with FedRAMP can also benefit providers who don’t have plans to partner with government, as it signals to the private sector they are committed to cloud security.
Using a cloud service that complies with FedRAMP standards is mandatory for federal agencies. It has also become popular with organizations in the private industry, which are more often looking to FedRAMP standards as a security benchmark for the cloud services they use.
There are two ways for a cloud service to obtain FedRAMP authorization. One is with a Joint Authorization Board (JAB) provisional authorization (P-ATO) and the other is through an individual agency Authority to Operate (ATO).
A P-ATO is an initial approval of the cloud service provider by the JAB, which is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS) and General Services Administration (GSA). This designation means that the JAB has provided a provisional approval for agencies to leverage when granting an ATO to a cloud system.
The head of an agency grants an ATO as part of the agency authorization process. An ATO may be granted after an agency sponsor reviews the cloud service offering and completes a security assessment.
Achieving FedRAMP authorization for a cloud service is a very long and rigorous process, but it has received high praise from security officials and industry experts alike for its standardized approach to evaluate whether a cloud service offering meets some of the strongest cybersecurity requirements.
There are several benefits for cloud providers who authorize their service with FedRAMP. The program allows an authorized cloud service to be reused continuously across the federal government – saving time, money and effort for both cloud service providers and agencies. Authorization of a cloud service also gives service providers increased visibility of their product across government with a listing in the FedRAMP Marketplace.
By electing to comply with FedRAMP, cloud providers can demonstrate dedication to the highest data security standards. Though the process for achieving FedRAMP approval is complex, it is worthwhile for providers, as it signals a commitment to security to government and non-government customers.
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards. We are proud that McAfee’s MVISION Cloud is the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB).
Currently, MVISION Cloud is in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
MVISION Cloud allows federal organizations to have total visibility and control of their infrastructure to protect their data and applications in the cloud. The FedRAMP High JAB P-ATO designation is the highest compliance level available under FedRAMP, meaning that MVISION Cloud is authorized to manage highly sensitive government data.
We look forward to continuing to work closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post FedRAMP – What’s the Big Deal? appeared first on McAfee Blogs.
In January 2020, McAfee released the results of a survey establishing the extent of the use of .GOV validation and HTTPS encryption among county government websites in 13 states projected to be critical in the 2020 U.S. Presidential Election. The research was a result of my concern that the lack of .GOV and HTTPS among county government websites and election-specific websites could allow foreign or domestic malicious actors to potentially create fake websites and use them to spread disinformation in the final weeks and days leading up to Election Day 2020.
Subsequently, reports emerged in August that the U.S. Federal Bureau of Investigations, between March and June, had identified dozens of suspicious websites made to look like official U.S. state and federal election domains, some of them referencing voting in states like Pennsylvania, Georgia, Tennessee, Florida and others.
Just last week, the FBI and Department of Homeland Security released another warning about fake websites taking advantage of the lack of .GOV on election websites.
These revelations compelled us to conduct a follow-up survey of county election websites in all 50 U.S. states.
Using a .GOV web domain reinforces the legitimacy of the site. Government entities that purchase .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.
An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times. In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.
The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, providing greater confidence in the entity with which they are sharing that information. Websites lacking the combination of .GOV and HTTPS cannot provide 100% assurance that voters seeking election information are visiting legitimate county and county election websites. This leaves an opening for malicious actors to steal information or set up disinformation schemes.
I recently demonstrated how such a fake website would be created by mimicking a genuine county election website and then inserting misleading information that could influence voter behavior. This was done in an isolated lab environment that was not accessible to the internet as to not create any confusion for legitimate voters.
In many cases, election websites have been set up to provide a strong user experience versus a focus on mitigating concerns that they could be spoofed to exploit the communities they serve. Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.
McAfee’s September survey of county election administration websites in all 50 U.S. states (3089 counties) found that 80.2% of election administration websites or webpages lack the .GOV validation that confirms they are the websites they claim to be.
Nearly 45% of election administration websites or webpages lack the necessary HTTPS encryption to prevent third-parties from re-directing voters to fake websites or stealing voter’s personal information.
Only 16.4% of U.S. county election websites implement U.S. government .GOV validation and HTTPS encryption.
| States | # Counties | # .GOV | % .GOV | # HTTPS | % HTTPS | # BOTH | %BOTH |
| Alabama | 67 | 8 | 11.9% | 26 | 38.8% | 6 | 9.0% |
| Alaska | 18 | 1 | 5.6% | 12 | 66.7% | 1 | 5.6% |
| Arizona | 15 | 11 | 73.3% | 14 | 93.3% | 11 | 73.3% |
| Arkansas | 75 | 18 | 24.0% | 30 | 40.0% | 17 | 22.7% |
| California | 58 | 8 | 13.8% | 45 | 77.6% | 6 | 10.3% |
| Colorado | 64 | 21 | 32.8% | 49 | 76.6% | 20 | 31.3% |
| Connecticut | 8 | 1 | 12.5% | 2 | 25.0% | 1 | 12.5% |
| Delaware | 3 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Florida | 67 | 4 | 6.0% | 64 | 95.5% | 4 | 6.0% |
| Georgia | 159 | 40 | 25.2% | 107 | 67.3% | 35 | 22.0% |
| Hawaii | 5 | 4 | 80.0% | 4 | 80.0% | 4 | 80.0% |
| Idaho | 44 | 6 | 13.6% | 28 | 63.6% | 5 | 11.4% |
| Illinois | 102 | 14 | 13.7% | 60 | 58.8% | 12 | 11.8% |
| Indiana | 92 | 28 | 30.4% | 41 | 44.6% | 16 | 17.4% |
| Iowa | 99 | 27 | 27.3% | 80 | 80.8% | 25 | 25.3% |
| Kansas | 105 | 8 | 7.6% | 46 | 43.8% | 2 | 1.9% |
| Kentucky | 120 | 19 | 15.8% | 28 | 23.3% | 15 | 12.5% |
| Louisiana | 64 | 5 | 7.8% | 12 | 18.8% | 2 | 3.1% |
| Maine | 16 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Maryland | 23 | 9 | 39.1% | 22 | 95.7% | 8 | 34.8% |
| Massachusetts | 14 | 3 | 21.4% | 5 | 35.7% | 2 | 14.3% |
| Michigan | 83 | 9 | 10.8% | 63 | 75.9% | 9 | 10.8% |
| Minnesota | 87 | 5 | 5.7% | 59 | 67.8% | 5 | 5.7% |
| Mississippi | 82 | 8 | 9.8% | 30 | 36.6% | 5 | 6.1% |
| Missouri | 114 | 8 | 7.0% | 49 | 43.0% | 7 | 6.1% |
| Montana | 56 | 15 | 26.8% | 21 | 37.5% | 8 | 14.3% |
| Nebraska | 93 | 35 | 37.6% | 73 | 78.5% | 32 | 34.4% |
| Nevada | 16 | 3 | 18.8% | 13 | 81.3% | 2 | 12.5% |
| New Hampshire | 10 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| New Jersey | 21 | 3 | 14.3% | 11 | 52.4% | 2 | 9.5% |
| New Mexico | 33 | 7 | 21.2% | 20 | 60.6% | 6 | 18.2% |
| New York | 62 | 15 | 24.2% | 48 | 77.4% | 14 | 22.6% |
| North Carolina | 100 | 37 | 37.0% | 69 | 69.0% | 29 | 29.0% |
| North Dakota | 53 | 3 | 5.7% | 19 | 35.8% | 2 | 3.8% |
| Ohio | 88 | 77 | 87.5% | 88 | 100.0% | 77 | 87.5% |
| Oklahoma | 77 | 1 | 1.3% | 24 | 31.2% | 1 | 1.3% |
| Oregon | 36 | 1 | 2.8% | 22 | 61.1% | 0 | 0.0% |
| Pennsylvania | 67 | 11 | 16.4% | 40 | 59.7% | 7 | 10.4% |
| Rhode Island | 5 | 2 | 40.0% | 3 | 60.0% | 0 | 0.0% |
| South Carolina | 46 | 15 | 32.6% | 33 | 71.7% | 13 | 28.3% |
| South Dakota | 66 | 2 | 3.0% | 14 | 21.2% | 1 | 1.5% |
| Tennessee | 95 | 23 | 24.2% | 38 | 40.0% | 12 | 12.6% |
| Texas | 254 | 10 | 3.9% | 86 | 33.9% | 6 | 2.4% |
| Utah | 29 | 8 | 27.6% | 16 | 55.2% | 7 | 24.1% |
| Vermont | 14 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Virginia | 95 | 33 | 34.7% | 61 | 64.2% | 35 | 36.8% |
| Washington | 39 | 7 | 17.9% | 26 | 66.7% | 6 | 15.4% |
| West Virginia | 55 | 18 | 32.7% | 33 | 60.0% | 16 | 29.1% |
| Wisconsin | 72 | 16 | 22.2% | 61 | 84.7% | 11 | 15.3% |
| Wyoming | 23 | 4 | 17.4% | 15 | 65.2% | 2 | 8.7% |
| Total | 3089 | 611 | 19.8% | 1710 | 55.4% | 507 | 16.4% |
We found that the battleground states were largely in a bad position when it came to .GOV and HTTPS.
Only 29% of election websites used both .GOV and HTTPS in North Carolina, 22% in Georgia, 15.3% in Wisconsin, 10.8% in Michigan, 10.4% in Pennsylvania, and 2.4% in Texas.
While 95.5% of Florida’s county election websites and webpages use HTTPS encryption, only 6% percent validate their authenticity with .GOV.
During the January 2020 survey, only 11 Iowa counties protected their election administration pages and domains with .GOV validation and HTTPS encryption. By September 2020, that number rose to 25 as 14 counties added .GOV validation. But 72.7% of the state’s county election sites and pages still lack official U.S. government validation of their authenticity.
Alternatively, Ohio led the survey pool with 87.5% of election webpages and domains validated by .GOV and protected by HTTPS encryption. Four of Five (80%) Hawaii counties protect their main county and election webpages with both .GOV validation and encryption and 73.3% of Arizona county election websites do the same.
Separate Election Sites. As many as 166 counties set up websites that were completely separate from their main county web domain. Separate election sites may have easy-to-remember, user-friendly domain names to make them more accessible for the broadest possible audience of citizens. Examples include my own county’s www.votedenton.com as well as www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.
The problem with these election-specific domains is that while 89.1% of these sites have HTTPS, 92.2% lack .GOV validation to guarantee that they belong to the county governments they claim. Furthermore, only 7.2% of these domains have both .GOV and HTTPS implemented. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.
Not on OUR website. Some smaller counties with few resources often reason that they can inform and protect voters simply by linking from their county websites to their states’ official election sites. Other smaller counties have suggested that social media platforms such as Facebook are preferable to election websites to reach Internet-savvy voters.
Unfortunately, neither of these approaches prevents malicious actors from spoofing their county government web properties. Such actors could still set up fake websites regardless of whether the genuine websites link to a .GOV validated state election website or whether counties set up amazing Facebook election pages.
For that matter, Facebook is not a government entity focused on validating that organizational or group pages are owned by the entities they claim to be. The platform could just as easily be used by malicious parties to create fake pages spreading disinformation about where and how to vote during elections.
It’s not OUR job. McAfee found that some states’ voters could be susceptible to fake county election websites even though their counties have little if any role at all in administering elections. States such as Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Rhode Island and Vermont administer their elections through their local governments, meaning that any election information is only available at the states’ websites and those websites belonging to major cities and towns. While this arrangement makes county-level website comparisons with other states difficult for the purpose of our survey, it doesn’t make voters in these states any less susceptible to fake versions of their county website.
There should be one recipe for the security and integrity of government websites such as election websites and that recipe should be .GOV and HTTPS.
Ohio’s leadership position in our survey appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. Ohio’s Secretary of State used “the stick” approach by demanding by official order that counties implement .GOV and HTTPS on their election web properties. If counties couldn’t move their existing websites to .GOV, he offered “the carrot” of allowing them to leverage the state’s domain.
A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain.
Examples:
While Ohio’s main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.
Ultimately, the end goal success should be that we are able to tell voters that if they don’t see .GOV and HTTPS, they shouldn’t believe that a website is legitimate or safe. What we tell voters must be that simple, because the general public lacks a technical background to determine real sites from fake sites.
For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html
The post US County Election Websites (Still) Fail to Fulfill Basic Security Measures appeared first on McAfee Blogs.
It’s hard to believe, right, parents? In just a blink or two, you went from being the teenager dropping cool phrases like “rad” and “gnarly” to monitoring a teenager texting words like “lowkey,” “IRL” and “CD9” into her smartphone non-stop.*
For generations, teens have been crafting terms to differentiate themselves from other age groups. The difference today is that smartphone texting has multiplied the scope of that code to include words, emojis, numbers, and hashtags.
The times have changed, fo’ sho.’
You don’t have to speak your child’s language (please don’t). However, with new terms and risks emerging online each day, it’s a good idea to at least understand what they are saying.
Since kids have been spending more time online due to the pandemic, we thought we might discover a few new and interesting terms. We were right. We found stories of teens referring to the Coronavirus as “Miss Rona” and “Rona,” and abbreviating quarantine to “Quar.” A “Corona Bae” is the person you would only plan to date during a lockdown.
Much of the coded language kids use is meant to be funny, sarcastic, or a quick abbreviation. However, there are times when a text exchange can slip into risky territory. Seemingly harmless, text exchanges can spark consequences such as bullying, sextortion, privacy violations, and emotional or physical harm.
To help kids avoid dangerous digital situations, we recommend three things: 1) Talk early and often with your kids about digital risk and behavior expectations, 2) Explore and use parental monitoring software, and 3) Know your child’s friends and communities online and in real life.
Note: Context is everything. Many of these terms are used in jest or as casual banter. Be sure to understand the context in which a word is used.
Flex. This term means showing off. For example, “Look at her trying to flex with her new car.”
Crashy. Description of a person who is thought to be both crazy and trashy.
Clap back. A comeback filled with attitude.
Cringey. Another word for embarrassing.
Hop off. Mind your own business.
Spill tea or Kiki. Dishing gossip.
Sip tea. Listening to gossip.
Salty. Mad, angry, jealous, bitter, upset, or irritated.
“She gave me a salty look in class.”
Extra. Over the top or unnecessarily dramatic.
Left on read. Not replying to someone’s message.
Ghosting. Ending a friendship or relationship online with no explanation.
Neglext. Abandon someone in the middle of a text conversation.
Ok, Boomer. Dismissing someone who is not up to date enough.
(Throw) shade. Insult or trash talk discreetly.
Receipts. Getting digital proof, usually in the form of screenshots.
THOT. Acronym for That H__ Over There.
Thirsty. A term describing a person as desperate or needy. “Look at her staring at him — she’s so thirsty.”
Thirst trap. A sexy photograph or message posted on social media.
Dis. Short for showing blatant disrespect.
Preeing. A word that describes stalking or being stalked on Facebook.
Basic. Referring to a person as mainstream, nothing special. Usually used in a negative connotation.
Chasing Clout. A negative term describing someone trying too hard to get followers on social media.
9, CD9, or Code9, PAW, POS. Parents are around, over the shoulder.
99. All clear, the parents are gone. Safe to resume texting or planning.
KPC. Keeping parents clueless.
Cheddar, Cheese, or Bread. These are all terms that mean money.
Cap. Means to lie as in “she’s capping.” Sending the baseball cap emoji expresses the same feeling. No capping means “I’m not lying.”
Hundo P. Term that is short for “hundred percent;” absolutely, for sure.
Woke. Aware of and outspoken on current on political and social issues.
And I oop. Lighthearted term to describe a silly mistake.
Big oof. A slightly bigger mistake.
Yeet. An expression of excitement. For example, “He kissed me. Yeeeet!”
Retweet. Instead of saying, “yes, I agree,” you say, “retweet.”
Canceled. Absurd or foolish behavior is “canceled.” For example, “He was too negative on our date, so I canceled him.”
Slap or Snatched. Terms that mean fashionable or on point. For instance, “Those shoes are slap” or “You look snatched.”
And just for fun, here’s a laugh out loud video from comedian Seth Meyer’s on teen Coronavirus slang you’ll enjoy on YouTube.
* lowkey (a feeling you want to keep secret), IRL (In Real Life), CD9 also Code9 (Adult Alert used to hide secretive activity). ** Terms collected from various sources, including NetLingo.com, UrbanDictionary.com, webopedia.com, and from tweets and posts from teens online.
The post Can You Decode Your Teen’s Texting Language? appeared first on McAfee Blogs.
As Congress prepares to return to Washington in the coming weeks, finalizing the FY2021 National Defense Authorization Act (NDAA) will be a top priority. The massive defense bill features several important cybersecurity provisions, from strengthening CISA and promoting interoperability to creating a National Cyber Director position in the White House and codifying FedRAMP.
These are vital components of the legislation that conferees should work together to include in the final version of the bill, including:
One of the main recommendations of the Cyberspace Solarium Commission’s report this spring was to further strengthen CISA, an agency that has already made great strides in protecting our country from cyberattacks. An amendment to the House version of the NDAA would do just that, by giving CISA additional authority it needs to effectively hunt for threats and vulnerabilities on the federal network.
Bad actors, criminal organizations and even nation-states are continually looking to launch opportunistic attacks. Giving CISA additional tools, resources and funding needed to secure the nation’s digital infrastructure and secure our intelligence and information is a no-brainer and Congress should ensure the agency gets the resources it needs in the final version of the NDAA.
Perhaps now more than ever before, interoperability is key to a robust security program. As telework among the federal workforce continues and expands, an increased variety of communication tools, devices and networks put federal networks at risk. Security tools that work together and are interoperable better provide a full range of protection across these environments.
The House version of the NDAA includes several provisions to promote interoperability within the National Guard, military and across the Federal government. The Senate NDAA likewise includes language that requires the DoD craft regulations to facilitate DoD’s access to and utilization of system, major subsystem, and major component software-defined interfaces to advance DoD’s efforts to generate diverse and effective kill chains. The regulations and guidance would also apply to purely software systems, including business systems and cybersecurity systems. These regulations would also require acquisition plans and solicitations to incorporate mandates for the delivery of system, major subsystem, and major component software defined interfaces.
For too long, agencies have leveraged a grab bag of tools that each served a specific purpose, but didn’t offer broad, effective coverage. Congress has a valuable opportunity to change that and encourage more interoperable solutions that provide the security needed in today’s constantly evolving threat landscape.
The House version of the NDAA would establish a Senate-confirmed National Cyber Director within the White House, in charge of overseeing digital operations across the federal government. This role, a recommendation of the Cyberspace Solarium Commission, would give the federal government a single point person for all things cyber.
As former Rep. Mike Rodgers argued in an op-ed published in The Hill last month, “the cyber challenge that we face as a country is daunting and complex.” We face new threats every day. Coordinating cyber strategy across the federal government, rather than the agency by agency approach we have today, is critical to ensuring we stay on top of threats and effectively protect the nation’s critical infrastructure, intellectual property and data from an attack.
The FedRAMP Authorization Act, included in the House version of the NDAA, would codify the FedRAMP program and give it a formal standing for Congressional review, a critical step towards making the program more efficient and useful for agencies across the government. Providing this program more oversight will further validate the FedRAMP approved products from across the industry as safe and secure for federal use. The FedRAMP authorization bill also includes language that will help focus the Administration’s attention on the need to secure the vulnerable spaces between and among cloud services and applications. Agencies need to focus on securing these vulnerabilities between and among clouds since sophisticated hackers target these seams that too often are left unprotected.
Additionally, the Pentagon has already committed to FedRAMP reciprocity. FedRAMP works – and codifying it to bring the rest of the Federal government into the program would offer an excellent opportunity for wide-scale cloud adoption, something the federal government would benefit greatly from.
We hope that NDAA conferees will consider these important cyber provisions and include them in the final version of the bill and look forward to continuing our work with government partners on important cyber issues like these.
The post NDAA Conference: Opportunity to Improve the Nation’s Cybersecurity Posture appeared first on McAfee Blogs.
FreshRSS 