Le baromètre de la cybersécurité: l’étude démontre l'impact de la cybercriminalité sur la vie privée et la sécurité

Septante pourcent des américains interrogés par ESET s'inquiètent de l'utilisation abusive des informations personnelles fournies aux sites Web lors de leurs transactions bancaires ou de leurs achats en ligne. Aujourd’hui, une écrasante majorité d'américains considèrent la cybercriminalité comme une menace pour leur pays, et cette menace ne fait que croître. Il ne s’agit que de quelques-unes des principales conclusions du baromètre de la cybersécurité d’ESET, une enquête faite auprès de 3.500 adultes en Amérique du Nord (2.500 aux États-Unis et 1.000 au Canada).

En tant que chercheur qui, depuis des années, analyse les enquêtes concernant la cybersécurité, Stephen Cobb , chercheur senior chez ESET, ai constaté la préoccupation croissante du public pour la cybercriminalité. Cependant, il a été choqué de voir les résultats : neuf sur dix des américains interrogés déclarent que la cybercriminalité constitue "un défi majeur pour la sécurité intérieure des États-Unis".

En tant que criminologue, il a été tout aussi choqué de constater que les personnes interrogées considéraient la cybercriminalité comme un défi plus important que le trafic de drogue ou le blanchiment d'argent. Constater que moins de la moitié des participants pensent que le gouvernement et les forces de l'ordre en font assez pour lutter contre la cybercriminalité, a été tout aussi inquiétant.

De quel type de baromètre s’agit-il ?

Le baromètre de la cybersécurité d’ESET est une enquête qui évalue les attitudes et les expériences du public en matière de cybercriminalité, de cybersécurité et de confidentialité des données. Ce qui fait la différence avec d’autres enquêtes – comme celles des entreprises qui vendent des produits et services de sécurité – c’est que ce baromètre a été conçu par des décideurs gouvernementaux. L'enquête se compose d’une série de questions similaires à celles utilisées pour des études menées dans l'UE pour la Commission européenne. Le but est de récolter des données qui peuvent être utilisées en confiance par les responsables politiques et les décideurs. Les résultats obtenus doivent résister à d’éventuelles accusations de partialité lors de la conception de cette enquête et permettre les comparaisons.

Ce lien permet de télécharger un PDF du rapport ESET Cybersecurity Barometer USA report 

Le rapport concernant le Canada se trouve sur: ESET Cybersecurity Barometer Canada.

Quelles sont les spécificités de l’enquête ?

Dans cette enquête, ce qui frappe, ce sont les préoccupations exprimées par les personnes interrogées au sujet des menaces causées par la cybercriminalité ainsi que le manque de confiance dans la possibilité d’une amélioration rapide. Près de 87% des participants s’attendent à ce que le risque d’être une victime de la cybercriminalité augmente.

D’autres éléments importants sont la manière dont les Américains réagissent à la cybercriminalité, y compris un pourcentage inquiétant de personnes interrogées qui affirment être moins enclins à faire des achats ou des opérations bancaires en ligne à cause des problèmes de sécurité et de confidentialité (respectivement 19 et 20%).  Ces résultats démontrent clairement les opportunités manquées par la distribution et le secteur bancaire. Les spécialistes du marketing numérique doivent tenir compte que pour 44% des participants, les problèmes de sécurité et de confidentialité ont eu comme résultat qu’ils fournissent moins d’informations personnelles sur les sites. Le rapport souligne aussi la relation entre les préoccupations au sujet de la cybercriminalité et le taux de récidive. Près de 70% des américains adultes interrogés signalent avoir reçu des mails ou coups de fil frauduleux leur demandant leurs données personnelles. Le même pourcentage a exprimé ses préoccupations à ce sujet.

Un nombre bien plus important (86%) est préoccupé par le fait qu’ils pourraient être la victime d’un vol d’identité alors que seulement 30% - donc moins de la moitié - avait fait une déclaration de vol. C’est donc particulièrement choquant de voir que trois américains sur dix ont déjà été victime d’un tel vol. Mais, comme le rapport le mentionne, ce niveau élevé de préoccupation nous permet d’apprendre beaucoup de choses très intéressantes.

Pourquoi une telle enquête ?

Comme les lecteurs réguliers de WeLiveSecurity.com le savent, Cobb a déjà expliqué pourquoi il faut évaluer l’opinion publique en matière de cybersécurité et de protection. Cela se trouve dans: Why ask the public about cybercrime and cybersecurity?

D’après lui, les gens choisissent leur gouvernement et aident ainsi à déterminer la politique en matière de cybercriminalité. Par leurs impôts les citoyens payent une grande partie des efforts gouvernementaux visant à réduire la cybercriminalité.  Dès lors, savoir ce que pense le public de la cybercriminalité, de la cybersécurité et de la confidentialité des données est essentiel pour le développement réussi d’une politique contre la cybercriminalité et d’importance capitale en ce qui concerne les efforts de la société dans le domaine de la cybersécurité.

Les résultats de cette enquête constituent jusqu’à présent la plus forte indication de la rapidité avec laquelle les systèmes et les données sont utilisés abusivement. Ainsi, la confiance du public dans la technologie sera encore affaiblie, à moins que la cybersécurité et la dissuasion de la cybercriminalité ne soient traitées avec une plus haute priorité par les gouvernements et les entreprises. Comme indiqué dans le rapport, maintenir et développer cette confiance est d’une importance capitale pour le bien-être économique de l’Amérique, maintenant et à l’avenir.

A propos d’ESET

Depuis 30 ans, ESET® développe des logiciels et des services de sécurité IT de pointe destinés aux entreprises et aux consommateurs, partout dans le monde. Avec des solutions allant de la sécurité des terminaux et des mobiles jusqu’à des solutions de chiffrement et d’authentification à deux facteurs, les produits conviviaux et hautement performants d’ESET confère aux consommateurs et aux entreprises la tranquillité d’esprit nécessaire pour pleinement tirer parti des potentiels de leurs technologies. ESET assure une protection et une surveillance discrète 24 h sur 24, mettant les solutions de protection à jour en temps réel afin de garantir la sécurité des utilisateurs et les activités des entreprises, sans la moindre interruption. Les menaces en constante évolution requièrent une société spécialisée en sécurité IT qui soit elle-même évolutive. S’appuyant sur ses divers centres R&D de par le monde, ESET est la première société de sécurité IT à avoir décroché 100 récompenses Virus Bulletin VB100 et ayant identifié, sans exception, tous les malwares en circulation et ce, sans interruption depuis 2003. Pour toute information complémentaire, consultez le site www.eset.com ou suivez-nous sur LinkedIn, Facebook et Twitter.

Can you spot the phish? Take Google’s test

Tomáš Foltýn

Everybody loves quizzes. So why not take this one and hone your phish-spotting prowess?

Google’s technology incubator Jigsaw has revealed a quiz that tests users’ abilities to identify phishing attacks. In asking you to distinguish legitimate emails from phishing scams, the test reveals some of the most common scenarios that fraudsters use with a view to stealing your finances, data or identity. It comes complete with to-the-point explanations as to why this or that message is, or is not, a phishing attack.

According to Jigsaw’s blog post, the test is based on the company’s security trainings with “nearly 10,000 journalists, activists, and political leaders around the world from Ukraine to Syria to Ecuador”.

All eight scenarios draw on real-life techniques deployed by scammers. The examples vary and include files shared via Google Drive, email security alerts, Dropbox notifications and, of course, attachments that ask for your immediate attention but are, instead, intended to download information-stealing malware onto your machine.

Phishing remains the most pervasive of online cons and has for long been a highly effective method for fraudsters to steal people’s sensitive data. “One percent of emails sent today are phishing attempts,” according to Jigsaw’s figures.

Indeed, many security incidents begin with a user simply clicking on a malicious link or opening a dangerous attachment that is most commonly delivered via email or social media. Even though email filters do a good job of winnowing out many such scam attempts, some fraudulent emails will still slip through. Which is where phish-spotting skills can be critical, as can anti-phishing protection that is commonly part of reputable security software.

And, as Jigsaw itself recommends, you should enable two-factor authentication (2FA) wherever possible, if you haven’t done so already. The extra factor offers a valuable additional layer of protection in return for very little effort. It is best implemented via a dedicated hardware device or delivered through an authenticator app, rather than via text messages (although SMS is still better than nothing). The availability of various 2FA methods on various online services can be checked on this site.

Back to the testing, however: If you got all the answers right, congratulations! That said, it’s probably better not to be lulled into a sense of complacency. Many scams can be even more devious and are, indeed, “difficult to spot even for a trained eye”.

Did you fall for any of the eight examples? There’s no need to feel ashamed. At least you should have a better understanding of the threat, making you better equipped to protect yourself from actual phishing attacks.

If you’re up for some more testing, you may also want to head over to this questionnaire devised by researchers at the Universities of Cambridge and Helsinki. The test, which we wrote about last year, will gauge your susceptibility to falling for online scams and other types of internet crime.

The complete article on:

https://www.welivesecurity.com/2019/01/24/spot-phish-take-googles-test/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Email Security does not end with your password

Email is a crucial part of most people’s daily lives, but few people consider how it’s secured, apart from entering a password to access our accounts. What options are available or even advisable to use for securing email?

What is email security?

For the purposes of this post, I’ll define email security as pertaining to both the content of messages, as well as the accounts people use to access their emails.

Email security does not end with authentication for accessing our accounts: message content can be validated and secured, sender identity can be authenticated, authorization of email senders can be maintained, and the integrity and functionality of the email app itself can be better secured. 

If you’re the administrator of your email account, you’ll naturally have a different subset of options than if your account is being administered by someone else. Depending on your threat model, which options are needed may vary somewhat, but most of us could benefit from adding more methods to our repertoires.

Securing message content

Few people seem to be aware that sending an email can be as open to eavesdropping as sending a message on a postcard. Fortunately, there are a variety of ways to add layers of security to the process of sending a message. One method is akin to putting a message in an envelope; people can still see where the message came from, and where it was sent to, as well as the content of the message if an eavesdropper is able to intercept it at some point in the process (especially after the envelope is opened). This type of protection is considered “transport-level”, as it helps protect the message in transit across the internet.

It’s also possible to secure the message from “end to end”, meaning the message is encrypted at the source before it ever hits the network, and then decrypted by the recipient. This shortens the time that a message might be read even by an eavesdropper, as it can’t be read when it’s in transit or until its contents are decrypted. The eavesdropper would also need to have the decryption key as well as the email to access the data within an intercepted message.

Administrators often choose to implement transport-level protection, as it’s the type that’s most transparent to users and because it usually doesn’t require their direct interaction. If end-to-end encryption is needed, it’s a good idea to choose technologies that make this process simple, and to create policies that dictate when this type of encryption must be used.

Ensuring valid, appropriate content

It’s a fact of modern life that much of what arrives in our inbox is not anything we want to receive. When you add up the amount of spam, scams, phishing and malware that’s being sent, there’s a lot of traffic that is wholly unwelcome. Most organizations and email service providers have some manner of filtering for this sort of detritus in place already, to help stem the flow. Depending on our own levels of risk tolerance, there are a variety of ways that this can be done.

Most email providers operate a simple blacklist of known spam, phishing and malware to decrease the amount of unwanted and malicious email that reaches their customers. But many organizations would be wise to be more proactive with their filtering. You could also limit messages by attachment type; either allowing only those files from an approved list of safer or more common file types or excluding unusual or more-risky file types.

Keep in mind that while many popular file types may seem safer, they can still include powerful macro code or malicious, embedded files. No file type should be considered completely safe. It may be more helpful to view file types less in terms of their potential danger, and more in terms of their level of risk versus potential impact on workflow. While many people send things like documents, spreadsheets, or presentations, very few people have valid work-appropriate reasons to send or receive executable file types via email, so these can be excluded in most organizations with a minimum of hassle.

Some organizations also choose to screen emails before they’re sent out from their network too, for malware and/or confidential company data. Most companies maintain some sort of sensitive files or information such as payment or ID card details, healthcare information, or confidential company data and would do well to log its whereabouts. It can be useful to set gateway anti-malware scanners to more “paranoid” settings, as a potentially slower scan of files going through email will be less noticeable or disruptive.

Email authorization and authentication

Spoofing email is trivially easy for miscreants, and while there are ways to limit this, the available options are not yet widely used. These techniques help authenticate message content, indicate which users and accounts are authorized to send from your domain, and can help verify that email headers are internally consistent.

Because these authorization and authentication techniques are not commonly implemented, the best-use case for most companies is to deploy these methods to help protect your brand integrity or prevent certain types of Business Email Compromise (BEC). You can also use them to log emails that fail to authenticate properly, for forensic purposes.

Use of email authentication and authorization should be considered part of good administration hygiene, like promptly removing (or at least changing the passwords of) accounts that are no longer in use (such as those formerly belonging to employees who are no longer with the company).

Account protection

Most of us are aware of authentication for our email accounts, as this is the type of email security most of us have. Several of the other types of email security we’ve discussed in the previous paragraphs exist in part to help mitigate the damage caused by stolen login credentials, which is to say it’s a huge problem that causes a cascade of other woes. But multi-factor authentication is another very effective level of protection for access to our email accounts.

Rather than just providing a username and password, which is one single “factor” of verifying that you are who you say you are, multi-factor authentication combines these credentials with another method. The most common example of a second method is a one-time key – often sent by email or SMS, or created by an app or dongle – that is input after you’ve successfully entered your username and password. Multi-factor authentication can either be tied directly to the login process for an email app, or to a network login process, depending on your specific needs and threats.

Software protection

Last but not least, it’s also important to protect your email by regularly updating the software you use, including your operating system and the app or browser you use to access email. This will help address vulnerabilities that could allow attackers to access your emails. You may wish to do this with automatic update capabilities in the software itself or in your operating system, or by going directly to the vendor’s website for downloads.

Final Thoughts

Whatever methods you choose to incorporate – be it for email or computer security in general – it’s important that they be things people in your organization can and will use. This means observing the workflow of the people who will be using these technologies, choosing options that are either applied automatically or are easy to use, and then training users about how and when to use protection methods.

CES: Smart cities and the challenge of securing the neighborhood

Cameron Camp

In our final report from CES we take a look at smart city initiatives

This year at CES there was an entire section devoted to smart city initiatives municipalities are rolling out in many cities around the world, or planning to. As we noted in our look at automotive security and IoT security previously, the technologies surrounding transportation are converging; so too are the technologies that make cities work. From automated street lights that change color to alert you of a hazard, to centrally-planned dynamic traffic flows and car-to-car communication, cities will change rapidly. But how they will manage these changes is another story.

Stage one is the deployment of sensors that passively assess traffic flows, pedestrian traffic and potential hazards. Shortly thereafter, cities will deploy more active measures, such as controlling traffic lights and entire systems based on holistic input from the swarms of sensors.

One of the hotspots (literally) will be city lamp posts, especially if they are connected electrically. This will be the focus of considerable attention, as they are a perfect platform for Wi-Fi, temperature and other ambient condition sensors, and hence, potential hosts for super-high-speed, ubiquitous, wireless connectivity. Want to get a feel for what’s happening across the whole landscape? Fire up a mesh of a bazillion sensors on the lamp posts and start getting a better picture. All this without significant development and acquisition of land.

Next will be law enforcement, or more specifically, rolling out these new rafts of collected data (after being sifted and enriched) to provide real-time data as they drive, walk, or ride around the city.

So the swarms of sensors will feed the central offices, which will then feed data back out to the swarms of consumers . . . after being digested and enriched.

The problem is that cities are extremely ill-prepared to staff and manage all the complexity, let alone secure it all. If, for example, attackers are able to gain access to one part of the sensor network, it becomes potentially easier to use as a potential onramp to escalate to more privileged access and hop back to the critical data stores and exploit them as well.

This dynamic would be much easier to manage if cities had vast budgets to hire the best cybersavvy technicians and specialists, but it is important as it is paradoxically rare. Here, “fire and forget” just doesn’t work well. We’ve seen breach after breach where organizations had the right technology deployed, but failed on implementation or triage and escalation of potential breach incidents.

For cities that try to outsource their needs, concerns such as data leakage and misuse come to the fore. In light of the raft of legislation for protecting personally identifying data, the potential blowback from leaking security information for example, would make for some rough public relations for the mayor of a city, who’s staff might not be digital experts at all.

Most cities are primarily concerned with keeping the lights on, the water flowing, the streets open, the trains running and so on. The politicians and critical infrastructure managers are far more concerned with high availability than high security – or indeed, any security at all. Year after year at the Black Hat conferences we see examples of city systems trivially exploited. Yet, with the increasing interconnectivity of their systems, smart cities will soon be saddled with understanding and implementing cybersecurity well.

Oh, and without significant budget increases!

https://www.welivesecurity.com/2019/01/14/ces-smart-cities-securing-neighborhood/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

InterSystems Iris Data Platform™ nu gecertificeerd op Amazone Web Services Marketplace, Google en Microsoft Azure

InterSystems, wereldwijd marktleider in informatietechnologieplatforms voor gezondheids-, bedrijfs- en overheidsapplicaties, heeft aangekondigd dat zijn IRIS Data Platform™ beschikbaar is sinds 15 januari op Amazon Web Services Marketplace. Het platform is nu verkrijgbaar bij de drie grootste cloud computing-providers: AWS, Google Cloud en Microsoft Azure. 

InterSystems IRIS Data Platform™ is een technologische basis die alle functies van gegevensbeheer binnen één enkel platform biedt: opslag, interoperabiliteit en analyse van real-time gegevens. Het platform laat de ontwikkeling toe van applicaties die de besluitvorming vergemakkelijken alsook een vlotte gebruikerservaring voor alle kanalen van een organisatie garanderen, ongeacht de sector, van openbare diensten tot gezondheidszorg, financiële dienstverlening en logistiek. Het is beschikbaar in twee versies "Free Community" en BYOL - "Bring Your Own License".

Met één muisklik kunnen klanten en ontwikkelaars het platform nu ontvangen. Ontwikkelaars kunnen zo  eenvoudig verschillende modules uitproberen:

• "Quick Start" die de ontwikkeling versnelt  door het gebruik van de multi-modelarchitectuur

•  Ontwikkeling op IRS van InterSystem met Java en .NET

•  Optimalisatie van SQL-prestaties en big data datamining, inclusief de Apache Spark-connector geïntegreerd in het platform.

Met AWS Marketplace kunnen klanten van InterSystems onmiddellijk het IRS Data Platform ™ aanschaffen, migreren en gebruiken. AWS zorgt voor alle facturatie, betalingen en productondersteuning. Zo wordt het dagelijks leven van de financiële en IT-afdelingen veel eenvoudiger. Bedrijven kunnen het verenigde gegevensplatform snel implementeren in een krachtige en zeer beschikbare cloudomgeving. Ze kunnen ook nieuwe innoverende toepassingen ontwikkelen en deze beschikbaar stellen terwijl tegelijkertijd de time-to-market korter wordt.

"De certificering door AWS Marketplace is de derde in de afgelopen zes maanden op een belangrijke marktplaats, " aldus Carlos Nogueira, Verantwoordelijk Data Platforms bij InterSystems.. "De hedendaagse bedrijven hebben nood aan flexibiliteit om te kiezen hoe hun applicaties kunnen ingezet worden om de vraag van de markt voor te zijn. InterSystems streeft naar een cloud-first benadering waarmee zijn partners en klanten snel datagedreven toepassingen kunnen ontwikkelen, die klantervaring en operationele efficiëntie op alle niveaus van het bedrijf verbeteren en ook in sommige sectoren levens redden. "

 

Over InterSystems

InterSystems is de drijvende kracht achter wat belangrijk is: de machine achter   relevante applicaties in de medische sector, de financiële wereld, de overheid en bij andere organisaties waar de zorg voor menselijk leven en levensonderhoud een rol speelt. InterSystems is een leverancier van strategische technologie sedert 1978. Het bedrijf is in private handen. Het hoofdkantoor staat in Cambridge Massachusetts, terwijl er wereldwijd diverse bijkantoren zijn voor verkoop en technische  ondersteuning. De softwareproducten worden dagelijks gebruikt door miljoenen  mensen in meer dan

80 landen.

Meer informatie is te vinden op www.intersystemsbenelux.com