Technology has for a long time been out of the laboratories and has held, in its own right, a position in the companies’ executive committees. The transformation that ‘digital technology’ is injecting into all types of organizations requires that the top-level executives understand the basis of this new era.  According to Gartner’s report “2014 Gartner Financial Executives International Technology CFO Study”, CFOs must be prepared for this trend as they have an increasingly important role in IT decision-making. It also stated that 30 percent of the CFOs interviewed (almost 40 percent if we talk about SMBs) claimed they took these decisions, compared with 24 percent in 2013.  If there is an area where they should pay special attention, this is without doubt that of information security.

No, cybersecurity is no longer the sole responsibility of IT managers. Nor is it that of the security managers, who often report to the former. CFOs also play a key role in defining the organization’s strategy regarding this subject.  Until now their only duty in the ICT area was to control the department’s budget and assess, together with the CIO, in which security solution they should invest and whether they should increase this in one sense or another. And above all, they must know how to act to protect their organization against the ever increasing risks appearing in the market, ranging from an infection caused by one of the multiple existing malwares, now operating in any platform, to an advanced persistent threat, amongst others. For this reason it is essential that the CFO works closely with the CIO on the development of a security plan which integrates perfectly into the company’s business model and its operations, as well as into its relationship with its employees and shareholders, and that it safeguards the brand and the corporate reputation.

From cost controller to evangelist

How should the XXI Century CFO act?  Experts recommend someone capable of analyzing along with the CIO, the value and vulnerabilities which come with the use of IT and who knows how the company should act when attacked, because it is now practically impossible to prevent ever more sophisticated security incidents. What one needs to know is how to minimize their impact.

On the other hand, the Chief Financial Officer must realize that these types of attacks directly impact on the company’s business and its market value.  This is pointed out in the report “The Value Killers Revisited: A risk management study” by Deloitte, which states that the issues that ‘kill’ this value are not only limited to factors such as the recent credit and euro crisis experienced by the market or M&A transactions, but also include others like cyberattacks, which nowadays are unfortunately very common, as has been seen with recent notorious cases (the Sony Pictures case is only one of many).

Therefore the inclusion of cybersecurity with the issues to be addressed in the risk committees and audits in which they participate is an obligation for CFO’s today, and they should bear in mind which of the company’s assets need the greatest protection in order to guarantee the continuity of the business.  Additionally they must participate in the development of a contingency plan for a possible cybersecurity incident and be certain that they know what to do, as should the CIO and the other members of the Executive Committee.  It is advisable that companies organize simulated attacks to ensure that everyone responsible is prepared should a high range cyberattack really occur.

The Chief Financial Officer should also explain to the managers the risks implicit within the new digital scenario pointing out the most dangerous players, and also assess which methods, technology and human resources are the  most appropriate to combat them. According to experts, one area on which they should concentrate is to have monitoring systems which facilitate the rapid identification of attacks in real time in order to respond with greater agility. It is necessary to anticipate these situations as much as possible. Today, for instance, it is unthinkable that customers are the ones who have to report a possible fraud related to the services offered by the company. The company must act as quickly as possible and be proactive rather than reactive if a security breach occurs, and have their communication and performance strategy already prepared for customers and third parties who may be affected.

Obviously all the above does not mean that from now on the CFO has to lead exclusively the cybersecurity initiatives in his organization. But he does have to start participating more actively and evangelizing about the importance of data security and about the policies to protect them within the Executive Committee. In short, companies (and also society) are now so digital that is simply impossible for its top executives, including the CFO, to ignore the risks and threats which the new scenario entails and which steps are the most appropriate to solve the problem.

The post The Chief Financial Officer as the new guarantor of corporate cybersecurity appeared first on MediaCenter Panda Security.

The boom in information technology has led to a transformation which has been increasing in recent years due to the widespread adoption of Internet and mobile devices. Individuals and companies are all are imbued with ‘digital life’, which now defines the way we act, buy, work… the way we live. This reality has also marked a before and after in another sector:  that of information security which is becoming more complex every day.

According to IDC, companies are becoming increasingly aware of the risks in the market – from an infection caused by one of the many existing malwares, now spread to any platform and device, to a persistent advanced threat – and almost 50 percent of the companies in Europe (45 percent to be exact) increased their security budgets in 2014. In fact, Spain is the third country in Europe where more companies have increased their investment in this area, just behind the United Kingdom and Germany. Moreover, according to Gartner, another major IT consultant, the fear of suffering targeted cyber-attacks is what is encouraging 40 percent of the largest companies to make far-reaching plans for 2018 to defend themselves against these risks. Plans which they currently lack and which go far beyond preventive controls such as firewalls, traditional antivirus and vulnerability management, and which follow a more global and integrated control of all security areas.

In this context, the way of buying and selling security has also changed radically. According to independent analysts in the ICT sector, companies no longer sell only security, which is just the necessary lever to sell anything related to technology: cloud, big data, Internet of Things, mobility… Let’s say security has become a ‘building block’ for almost every aspect. In fact, these macrotrends carry the most sophisticated formulas for information security. For example, big data and analytics allow behaviors to be modeled in order to prevent attacks.

More sophisticated and intelligent solutions offered as a service

In general, the market trend is to offer as a service the most sophisticated and intelligent security solutions.  Advanced security services, managed and based on the cloud system, are on the rise. As it is no longer possible to put up walls as in the past, we now have to protect companies from below, from the processor itself to the highest levels. In this new approach security must be seen as a more global concept which includes more aspects from communications to storage, passing through many more elements. The key to this more complex world is, on the one hand, that security is immersed in a complete cloud solution, and on the other, that it includes different capacities in order to provide a more comprehensive service.

The price of being safe

 With this more complex scenario with “the ‘baddies’ becoming increasingly ‘badder’ and smarter”, with the proliferation of more sophisticated attacks with different formats making them more difficult to stop, will companies have to invest more money to be safe? The answer is ‘no’. In fact prices have dropped in recent years, especially since the boom of the cloud based system. What happens is that now companies have to protect themselves against more threats. There is a new range of risks and this is why investments in security are becoming increasingly higher.

Obviously, the investment made by large corporations is still higher than that made by the smaller companies.  But at least, it seems that they are all starting to be aware that an attack can cost them a lot of money and can damage their image.  How they deal with it is another matter, but the awareness is there, and also at the highest level within the companies. Moreover, news about security is one of the few subjects in the IT world which makes the headlines in newspapers around the world. Still, as we said, SMB’s are the most vulnerable.  Unfortunately they are generally the least prepared and the main victims of many attacks.

With the Internet of Things the risks can be limitless

Another major risk looming on the horizon in this new digital scenario derives from the so-called ‘Internet of Things’. Given the growing proliferation of all kinds of sensors and gadgets such as the popular wearables, devices which we will all wear in the near future like watches or smart glasses  (many people already do this), and the unstoppable advance of the smartphone, the risks will constantly increase. The Internet of Things means bringing the digital into the physical world, and this will lead to endless security risks. Undoubtedly, with this trend there are many challenges ahead to overcome, not only with regard to safety, but also privacy, complying with the regulations, etc. Therefore, the Internet of Things makes the current situation even more complex, opening up at the same time interesting business opportunities which we should all exploit to the full.

The post Security challenges in the digital era appeared first on MediaCenter Panda Security.

We daily capture them on our phones. We have dozens of them stored on our computers. We share them on social networks and we love to see those of others. We are talking about the images in JPEG format, the most used one because when compressed the pictures don’t lose much quality. Indispensables, and yet, could be the tool used by a cybercriminal to access any corporate or institution network.

This was proven by security expert Marcus Murray, who researched a new way a cyber-attacker could exploit a malicious JPEG to compromise Windows servers and access any company’s sensitive information.

The researcher demonstrated how someone could performed this attack during the RSA Conference in San Francisco, an event that gathers dozens of experts in computer security every year. Murray implemented a ‘demo’ to compromise a similar security network to any US government agency network.

Murray changed the attributes or metadata that any JPEG file stores including in it a malicious code. Then he got this image to infect the corporate network. How did he do it? By a form that allowed users to upload a profile picture to the alleged government agency web page. Once inside, the file became a gateway for the attacker.

Thanks to the malicious JPEG, the cyber-criminal’s administration permissions over the network grew more and more, reaching a point at which he could steal sensitive information or even take control over the network.

The rest of the process is simpler: the criminal only has to exploit his advantage to install malicious software that infects the computers to spy the corporation or steal confidential information. According to Murray, this attack can be performed in “even mixed environments” with Windows and Linux.

On the conference in San Francisco, he showed how to introduce a remotely accessed Trojan he created using Metasploit, the popular open source project that allows trying different kinds of attacks as part of a ‘pentest’ (penetration test).

That’s how he prove that only with a picture you can access any company’s network and steal their confidential information, without the employees realizing the damage a file so seemingly harmless could make.

The post A JPEG may jeopardize your company’s network appeared first on MediaCenter Panda Security.

When you visit a webpage, your computer actually accesses the server where the files displayed on your screen are located. If you enter a password on this site, it will also go to the server, where it will be stored. Companies use secure protocols, like the popular OpenSSL, which encrypt communications of computers connected to the network.

So when in April 2014 a serious vulnerability in the software package of OpenSSL was published, companies all around the world held their breath. Since 2012, the open source SSL protocol version was not complying with its protection duty.

The ultimate responsible for the finding was Google’s engineer Neel Mehta, who found it after thoroughly reviewing the tool’s open source code. Mehta along with team members of Codenomicon gave CVE-2014-0160 a simplest name: Heartbleed. With a logo of a bleeding heart to expose the severity of the fault.

The vulnerability allowed cybercriminals to access users information (passwords, bank accounts, and other sensitive information) stored on the Internet servers using OpenSSL.

The news kept on edge thousands of companies that used this system to encrypt communications in their webpages or between internal servers. Even ‘routers’ use the SSL system. One of the affected organizations was the Community Health System (CHS) in the United States: compromising the data of 4.5 million patients until the authorities fixed the error.

Fortunately, as with any other security breach, a fix was found. OpenSSL team developed a software update which made it disappear. Professionals had only to follow a few steps to safeguard their communications again.

However, a recent report carried out by a group of security experts revealed that 74% of the largest companies in the world are still at risk. The reason being that those companies have not yet gotten rid of the malware. In addition to installing the new version (1.0.1g or higher) they had to cancel and change the encryption keys and the library certificates. This process requires some computer skills and, in many cases, contact with the digital certificates’ suppliers. Something many of them left half done.

Although some experts doubted the test results, the fact is that Heartbleed is not a regular ‘bug’. When vulnerabilities affect only one program they can be quickly fixed but during its two years of life the OpenSSL breach infected 66% of the active pages on the Internet, according to Netcraft. Even Yahoo! or Flickr were affected and had to fix the problem.

The cryptographic library is one of the companies most used software, from an online shop to a simple user identification on a corporate platform. OpenSSL is often used to protect mail servers, chats and virtual private networks.

Internet users couldn’t do anything about it, just trust that the people responsible for their most visited websites had solved the security breach. Companies did have homework to do in order to solve the problem. We just hope that, at least, the report results make the stragglers get down to work.

 More | Heartbleed, how bad was it?

The post Heartbleed. Why do the vast majority of companies remain vulnerable? appeared first on MediaCenter Panda Security.

Passwords are the unfinished business of Internet users. We have all had the same problem. After carefully picking the perfect password with capital letters, numbers, special characters and which is finally long enough, we have to sing up for another service. Whether it is to open bank account, a new profile on Instagram or to access our telephone bills via the Web we have to remember yet another password.

Although some platforms help us with this task by sending us a password to enable us to enter the account and which can be modified later, we end up learning it by heart instead of changing it.

That email with our password is then forgotten and ends up at the bottom of our inbox.

We already warned you when more than five million Gmail passwords were leaked on a file and security experts have demonstrated with various safety studies that this is an upward trend. If we look back to that forgotten email among other hundreds, you can figure out that its very existence poses a risk, because its content is at the mercy of the cybercriminals who are always ready to steal the information.

If you, like most people, suffer from ‘digital Diogenes syndrome’ it will be difficult to rescue all those emails with sensitive information and to prevent their theft. And to remember all the online services you have signed up for and for which you have kept the original password.

Whatever the case we recommend a useful and simple option called Scan Inbox. A tool which detects forgotten private information in your inbox and deletes it permanently. You don’t even have to download the service. It is available ‘online’.

The program works in Gmail, Hotmail, Yahoo or AOL and searches for and locates sensitive information such as automated emails with passwords or bank account numbers which you think are secure.

To use this tool you only have to indicate your mail server and it will automatically access and scan your email.  Dashlane, the company owning the service, ensures that this intrusion is temporary and no personal information is stored.

Once the analysis is executed and completed, Inbox Scan gives you a full report on the inbox’s ‘health’ with regard to security. The report includes details like the number of passwords and the number of new accounts created, those which might have been affected by a security breach and which passwords have been reused.

All the information is presented in a visual way: a lower bar indicates the time and above it a series of bubbles arranged chronologically. Each of these represents one of the accounts you have created. The bigger the bubble the more important it is, and the color red indicates whether this tool has found a password associated with the account in question.

If the display is not enough for you and you wish to study the report in depth you can download it in PDF. From there on, you just have to change the compromised passwords and delete all the sensitive emails.

An alternative for you to store your passwords safely

If you wish to have all your passwords stored in one place, you can use the password manager of our antivirus software Panda Global Protection.

If you use this you will only have to remember one master password to access all your Web services. In this way, you will never forget another password again!

The post InboxScan: the service that checks if you have saved your passwords in your email appeared first on MediaCenter Panda Security.