Vulnerability Scanning


Vulnerability scanning is the systematic identification, analysis and reporting of technical security vulnerabilities that unauthorized parties may exploit to threaten the confidentiality, integrity and availability of business and technical data. External vulnerability scanning specifically examines an organization’s security profile from the perspective of an outsider, someone who has no access to the systems and networks behind the organization’s external security perimeter. Your external IPs can be scanned once a year, once a quarter or monthly.


Mobile Application Scanning


Mobile platforms by default make certain promises about their environment. Development teams should not rely on these promises to protect critical data and code. The architecture review and threat modeling process includes assessing and documenting security risks in the context of the use cases, services, roles and functions unique to your application. The threat modeling is performed in collaboration with your business, engineering, operations and corporate security teams to understand and define the system’s security objectives, threat profile, attacks, vulnerabilities and countermeasures from design to deployment.


Darkweb Credential Monitoring


We provide the best approach to eliminating the biggest cause of massive data breaches: the weak and/or stolen password. We continuously monitor the dark web for stolen databases and identities, and maintain the encrypted data in our proprietary database. When integrated with an IAM solution, we can provide superior visibility into user-centric risk and the ability to automate appropriate corrective actions, preventing the abuse of compromised credentials.


Are you protecting your WordPress website from attacks?

With the popularity of WordPress, and the support it gets from the development team, it’s easy to think that your installation of WordPress is secure. Since you didn’t code it from scratch, you might assume that it is hardened and you don’t have to do any further tinkering with security. Well, you may just want to put some effort into locking down your WordPress installation. As with any website, you need an IT Security Policy and should walk through an IT Security Checklist.

There are several methods that are generally used in an attack on a website. First you have misconfigurations. This can mean everything from leaving the ‘wp-config’ file readable to the world, to allowing any kind of file to be uploaded through a form, to weak password security. The second type of access can usually be gained through bad coding techniques. If you add a plugin or write your own code to add to the WordPress installation, this can possibly allow an attacker to take advantage of bad code to break into your site. And lastly you can lump other attacks into infrastructure attacks. Maybe you don’t have a firewall running, or an intrusion prevention service running to stop attacks. Or you are hosting your website on a shared service like Godaddy or Hostgator and someone else’s website is vulnerable, leading to a compromise of the whole hosted server.

For now, let’s address some easy things you can do to reduce configuration weaknesses that could lead to a hacked website.

1) Password – no matter how many times you say it, people still use weak passwords that can be guessed or broken with brute force attacks. There are several free and paid login protection plugins you can use.

2) File Permissions – this is a bit trickier if you do not know how file permissions work. You can get an easy primer from the WordPress help file, which also provides lots of details for the more technically savvy.

3) Monitoring – you should know what is going on with access attempts or changes in the files and configuration of your WordPress site. There are a number of tools you can search for to monitor and log activity. It’s especially important to monitor for healthcare IT security.

4) Security Testing – even if you have installed security plugins and have configured your website correctly, you should still periodically test the security for vulnerabilities. You can pay third party companies to do penetration testing or you can try some of the plugins on your own. Testing is important to risk management and assessment.

There are lots of different tools you can use to secure your site. The first step is to know that it will not stay secure without you actively implementing security measures.
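A small permission audit for the configuration weaknesses listed above (a world-readable wp-config, loose file permissions, and an uploads directory that accepts anything), written as an added example here and not part of the original post. It assumes the standard WordPress directory layout and builds its own throwaway fixture tree; nothing in it touches a live site.

```shell
#!/bin/sh
# Added example: audit a WordPress install directory for the configuration
# mistakes described in the post (standard layout assumed; POSIX find only).
# Audit one install directory. Prints one line per finding and leaves the
# total in WP_AUDIT_FINDINGS so a caller can act on it.
audit_wp_perms() {
    dir=$1
    WP_AUDIT_FINDINGS=0
    # 1. wp-config.php holds the DB password and auth salts: never world-readable.
    if [ -f "$dir/wp-config.php" ] && [ -n "$(find "$dir/wp-config.php" -perm -004)" ]; then
        echo "WARN: $dir/wp-config.php is world-readable (chmod 600 or 640)"
        WP_AUDIT_FINDINGS=$((WP_AUDIT_FINDINGS + 1))
    fi
    # 2. World-writable paths let any local account (a neighbour on shared
    #    hosting, for instance) alter the site's code or content.
    ww=$(find "$dir" -perm -002)
    if [ -n "$ww" ]; then
        printf 'WARN: world-writable path(s):\n%s\n' "$ww"
        WP_AUDIT_FINDINGS=$((WP_AUDIT_FINDINGS + $(printf '%s\n' "$ww" | wc -l)))
    fi
    # 3. The uploads tree should hold media only; PHP or executable files there
    #    suggest an upload form that accepts any file type.
    if [ -d "$dir/wp-content/uploads" ]; then
        code=$(find "$dir/wp-content/uploads" -type f \( -name '*.php' -o -perm -001 \))
        if [ -n "$code" ]; then
            printf 'WARN: code in uploads:\n%s\n' "$code"
            WP_AUDIT_FINDINGS=$((WP_AUDIT_FINDINGS + $(printf '%s\n' "$code" | wc -l)))
        fi
    fi
    if [ "$WP_AUDIT_FINDINGS" -eq 0 ]; then echo "OK: $dir has no permission weaknesses"; fi
    return 0
}
# Constructed fixture: a throwaway tree containing three of the mistakes above.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
    printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$d/wp-config.php"
    touch "$d/wp-content/plugins/ok.php" "$d/wp-content/uploads/photo.jpg" \
          "$d/wp-content/uploads/stray.php"
    chmod 644 "$d/wp-config.php" "$d/wp-content/plugins/ok.php" \
          "$d/wp-content/uploads/photo.jpg" "$d/wp-content/uploads/stray.php"
    chmod 755 "$d/wp-content" "$d/wp-content/plugins"
    chmod 777 "$d/wp-content/uploads"   # mistake: world-writable upload directory
    printf '%s\n' "$d"
}
demo=$(make_demo_tree)
audit_wp_perms "$demo"   # reports 3 findings on the fixture
rm -rf "$demo"
```

Run it against the document root of a real install (as the web server’s owner, not root) and fix each finding with chmod or by removing the stray file; re-run until it prints OK.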

What are the Top 5 Internet Security Trends for 2013?

As the Internet and technology advance at increasing speed, the concerns over security are keeping pace. New threats to security emerge every day; check out the National Vulnerability Database. With access to the Internet expanding to devices other than the laptop or desktop, there are more opportunities for attacks. With the ever increasing connectedness of our society, it is important to look at the Internet security trends for 2013 and be prepared.

Each time you access the Internet, you are putting yourself and your technology at risk by exposing it to the security risks, known and unknown. The security trends for the coming year are looking to focus around a variety of threats including cyber conflict, ransomware, madware, social software and cloud-based cyber attacks. Like it or not, these concerns aren’t going away any time soon, so it is best to gain a baseline understanding of them so that you’ll be able to protect yourself in the coming year.

1. Cyber Conflict

Increasingly, cyber conflict is becoming a serious threat between states, organizations and individuals. While the threats at the state and organizational level may not be of immediate concern, cyber conflict can become very serious when you’re dealing with others sitting behind a computer screen. People are less considerate and often more bold when sitting at a keyboard. Threats and aggression come quickly as discussions online become heated. You can protect yourself and your family from cyber conflict by becoming more aware of how you interact on the Internet. Bullying and aggression are of great concern for families with children. Be sure to educate your children and monitor their Internet usage closely.

2. Ransomware

It’s actually just what it sounds like – virtual ransom demands from criminals. This is a growing threat due to the increasing sophistication of cyber-criminals. Be aware and protect yourself online by consulting with an Internet security firm if you are in a position where you feel exposed to the threat of cyber-criminals. Fast incident response is key when dealing with Ransomware.

3. Madware

Mobile adware, or madware, is a growing concern as more and more people are using mobile devices to connect to the Internet. Madware can easily cause a HIPAA security violation if you lose patient data to an attack, as well as posing a problem for the functionality of your mobile devices. Often mobile apps expose mobile device users to various forms of madware. Consult your mobile device dealer or an Internet security firm in order to protect yourself from madware. See this good illustration of madware from

4. Social Software

Social media security is a growing concern as more and more people and social media platforms emerge. The social media reputation risk is high when people use social media platforms carelessly or are uneducated about the multitude of privacy and security risks that come from social media.

5. Cloud-based Cyber Attacks

Cyber attackers are turning to the cloud as more people and companies are using it as a way to store the massive amounts of data they accumulate through their desktops, laptops, tablets and mobile devices. This can be a great concern for people who are relying on these cloud-based services to store their valuable documents, entertainment collections and pictures. The recent news article of Wired technology journalist Mat Honan getting hacked through Amazon and Apple cloud services, “Apple account hack raises concern about cloud storage”  illustrates the damage.

As you can see, each of the Internet security trends of 2013 poses a real threat to your security online. Now is the time to take serious steps to protect yourself from these emerging trends so that you will be able to start the new year off right. It may seem like these things will never happen to you, but usually these attacks come when you least expect them. Just like a home invasion, if you’re an easy target, you’re more likely to get hit by any one of these threats. The best defense is a good offense and in this case. For help in cloud, network and social media security, contact us at KRAA Security.


Data Breach Problems on BYOD

In today’s world, more and more employees are using their own devices to access company websites and work screens. iPhones and iPads are two devices that are very popular now and are being used as the all-in-one device for many people. They don’t realize that these devices may not be that secure and that, for a company, they can lead to very costly data breach situations. Healthcare companies are especially susceptible to the implications of HIPAA patient data loss. If you lose data that is federally protected, then you open yourself up to legal repercussions and lawsuits from individuals as well as potential monetary penalties.

Many companies have adopted bring your own device (BYOD) policies because a lot of employees would just as soon use their own equipment. After all, they already have it and they are quite used to using it in most aspects of their lives. While this may seem like a perfectly reasonable solution, it may not be wise unless companies have truly looked at the issues with their risk management team. Fines as high as $1.5 million have already been assessed in at least one situation, in a teaching hospital that lost data on a mobile device that was unencrypted.

Companies are now required to perform a risk assessment and implement a data breach protection program, including for mobile devices. Those without a plan in place can be on the receiving end of some pretty hefty fines. Some important numbers that companies should be aware of are:

- 84% of employees use their smart phone for everything, including work and personal use

- 47% of all people don’t use password protection on their mobile devices

- 51% of companies have no ability to erase data from a lost or stolen device

- 49% of employees have received no training at all on mobile device security from their company

These issues are going to need to be addressed by all companies if they truly wish to remain out of hot water and avoid HIPAA protected data loss. A BYOD policy may save money by not having to supply equipment to employees, but it also may leave you open to lawsuits and big fines. Deciding which route to take should rely heavily on a risk assessment.

Data needs to remain safe at all times and this needs to be addressed by technology companies as well. Being able to erase information from a lost device, over the air and remotely is a technology that is a must for these sorts of companies who handle sensitive materials. Companies should really explore all options in protecting and destroying data if they follow a BYOD policy.


The Dangers of Employee Social Media Usage

Employers are hearing constantly of social media this and social media that. When your employees go on break or eat lunch, they are always on their cell phones talking. But, now there are also applications on phones like Facebook, Twitter, FourSquare and others where an employee can actually send photo uploads while being mobile and even post to Facebook automatically. Are employees using social media securely?

Does your company have anything in place for protecting confidentiality through social media usage? Do you have a Social Media Security Policy? Employees sign agreements when joining the company but did the business cover disclosing things like pictures or private conversations and even meeting information via Google Buzz or Facebook? What about brand new products being developed that are trade secrets?

If your employees are online working to do their job and Facebook, MySpace, or gaming sites like Pogo are not blocked, how do you know they are doing their work 100% of the time? Just because their production numbers look great, doesn’t mean they are not slacking. Have you done a Social Media Security Assessment?

It is becoming an epidemic in the work force with employees breaking rules and ultimately being fired every day. If security monitoring technologies are in place you could possibly sue the former employee but your trade secrets are gone and so might be your reputation. If an employee is bad-mouthing your company and tells everyone to not buy or shop with you, there goes your business immediately.

You can make a legal policy for employees to sign when they start their job that they will not talk, disclose, or say anything bad about the company on social media sites. If businesses do not step up soon and do something it can be a total free for all!

Here are a few interesting facts to consider. One out of every ten employees admitted overriding their job’s security system so they could access restricted sites. In 2009, 24% of eight hundred employers surveyed said they had to discipline an employee for using social media sites. Another study showed 8% of employees were terminated for accessing Facebook out of two hundred businesses polled. Twenty eight thousand people were polled in the United Kingdom at the beginning of 2010 and a whopping 87% said they can do what they want; it is their right to do so. There is a whole category of companies geared towards your social media reputation such as   There are options out there if companies are willing to explore.

It is now believed that social networking will replace email by 2014 as the main way to communicate for 20% of all business owners or users. Is your company prepared for Secure Social Media?

Email Security Tips for General Petraeus (even if a bit late)

Could General Petraeus Have Kept His Emails Secure?

The terms Email and Security generally do not go together. Email is inherently insecure, not because of the communications vehicle itself, but because of how it is used. The moment data leaves your possession, you have lost control. What the other party does with it afterwards leaves you out of the loop in keeping it secure. Email security will be a problem for the foreseeable future. But there are some steps General Petraeus could have taken to get more of a warm and fuzzy feeling about what he was sending.

1) Don’t Email. That’s a good first step in securing Email. Even if you share an account with someone and keep drafts of the email in a folder rather than actually sending the email, it is still sitting on someone else’s server, beyond your control. The government has been successful in subpoenaing Email service providers for logs and old data. If you don’t really have to email your shady doings, that’s a good step.

2) Encrypt Email. Say you are forced to Email. Encryption has been around for a long time. PGP is a past master at email encryption. As long as neither you nor the other party shares your secret keys, no one is really going to get past PGP encryption.

3) Email Antivirus. It should go without saying these days that anti-malware and anti-virus should be checking all inbound and outbound emails. If you were using PGP encryption but accepted an attachment carrying a virus, your encryption would be useless.

4) Secure Passwords. So this is Internet Security 101. If you have a weak password on your encrypted email, then your encryption protection is again useless. People still use easy to guess passwords, things you can probably find on their Facebook page such as a pet’s name, kid’s name, college etc. This is your first line of defense. The Huffington Post just had a great article on weak passwords, “The Top 25 Worst Passwords Of 2011: See What To Avoid”. I particularly like “trustno1” as a password. Here are the top ones:

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

5) Encrypt Login. When you are accessing your emails, make sure it’s over an encrypted login. If you don’t see “https” in the URL, you are not encrypted, so someone on the same network as you could potentially capture your password. It is a simple security measure but one most people do not really think about.

So there are several things General Petraeus could have done to protect himself further; the best would probably have been no online communications for the shady activities.
