World Backup Day: Six ways to backup your data

Today is World Backup Day, and it goes without saying that backing up data is a thoroughly sensible habit to get into.

Not only does it make sense in case your laptop is stolen, or your hard disk fails, but it also makes sense should your computer become infected with ransomware. This is a particularly nasty strain of malware that encrypts your files and threatens to delete them if you don’t pay a ransom within a certain time period. ESET doesn’t recommend giving in to ransomware demands for many reasons both ethical and practical (not least because you mark yourself as a possible target for future attacks), but if your files are all safely backed up, you won’t even feel tempted to negotiate with them in the first place.

There are plenty of options available for people looking to back up their data, all with their own pros and cons. Here are some of your options, but remember: it’s best to have more than one backup to be safe.

1. USB stick

Small, cheap and convenient, USB sticks are everywhere, and their portability means that they’re easy to store safely, but also pretty easy to lose. There are questions about the number of read/write cycles they can take, so they should be considered alongside other backup methods.

Pros:

+ Extremely portable

+ Very cheap

+ Can easily transfer data to other sources

Cons:

– Portability means they’re small and easy to lose

– Questions over read/write cycle longevity

2. External hard drive

External hard drives are just what they sound like – hard drives that live outside your computer, meaning they can be plugged in to other sources. If using them for backup, it’s best not to use them as an ‘extra every day hard drive’.

Pros:

+ Relatively cheap

+ Plenty of storage space for larger files

Cons:

– Potentially open to the same problems that lost the files in the first place (a power surge or malware)

3. Time Machine

For the Mac users out there, Time Machine is an option that backs up to external hard drives automatically. Apple sells its own brand of dedicated wireless Time Capsules, but you can use any hard disk for it. Using this method, you’ll automatically keep backups hourly for the last 24 hours, daily for the last month and then weekly backups until the machine is full.

Pros:

+ Automated, meaning you shouldn’t forget to stay up to date

+ Frequency of backups means you should never be too out of date

+ Backs up whole drive, not just the key files

Cons:

– Dedicated wireless machine is expensive

– Mac only

4. Network Attached Storage

Businesses tend to back up their files to network attached storage, but with more and more homes having multiple computers, the idea has a certain appeal, especially for those looking to save files from more than one source. With prices coming down, a dedicated wireless storage solution is a convenient option which requires less thought.

Pros:

+ Automatic backups mean you don’t risk forgetting

+ Wireless solutions also work with phones and tablets

Cons:

– Can be expensive

– Can be awkward to set up and maintain

5. Cloud Storage

While network attached storage is essentially your own Cloud Server, there are plenty of third party cloud storage options around: free, paid, or free with paid extras. iCloud, Dropbox, Google Drive and OneDrive are big names, but others are available.

Pros:

+ Can be done automatically

+ A certain amount of space is usually free

+ Device agnostic

Cons:

– Requires an internet connection to work

– You can’t account for their security breaches

– Companies aren’t obliged to keep these services around forever

6. Printing

At first glance, this might sound like a facetious inclusion. But while considerably less technically advanced, printing offers you a hard copy of your most important documents that will survive power outages, and is easy to store and access even if your computer is out of action for a few days. Of course it’s hard to keep documents up to date this way, and it won’t work for video or audio files, but for that novel you’d be devastated to lose, it’s certainly worth considering.

Pros:

+ A backup that won’t be affected by hardware outages or tech headaches

+ Impossible for hackers to access

Cons:

– Impossible for certain file types

– Awkward to manage

– Less practical for longer documents

– Not great for the environment

However you choose to back up your data (and it’s smart to consider using more than one solution, at least for your life-or-death files), make sure that you do it. Often people don’t think about what would happen if their valuable files were lost until it’s too late. Don’t make that mistake, and use World Backup Day to make sure your files are all safe and accounted for.

by Alan Martin, ESET

Ireland being hacked by ISIS? Experts sceptical

Security experts at ESET Ireland have been following some big news headlines recently, about the Irish Freedom of Information website and Dublin Rape Crisis centre website “hacked” by ISIS, but have serious doubts this has anything to do with the terrorist group.

This week we saw media reporting the Freedom of Information website was hacked by a pro-Palestinian group, suggesting that attack might be somehow related to the attack a while back on the Dublin Rape Crisis centre website which mentioned ISIS in the defacement message.

Well, first of all, proper hacking and website defacement, also known as “electronic graffiti”, are two different things. Hacking into some organisation’s database and stealing their data is a feat that requires a lot more skill than just defacing a website and posting “Hacked by HolaKo” and “We are the best of the rest. Free Palestine #SaveGaza” as was the case with the Freedom of Information website.

Secondly, most of these recent defacements happened to organisations that were hosted on WordPress (apart from the ones in Ireland, also the Sequoia Park Zoo in California, the MERS Goodwill charity in St Louis and the Moerlein Lager House in Cincinnati, USA), which could indicate a security flaw in the WordPress server itself, attracting the unwanted attention of hackers.

And thirdly, all sorts of websites have already been targets of “electronic graffiti”, from religious sites to governmental ones. And while a media headline “FBI hacked” may sound impressive, the organisation’s actual servers and databases are usually left intact. While it is commonly assumed that these attacks come from a group opposed to that particular website’s agenda, they can just as easily be the work of provocateurs or ambitious young hackers trying to gain some notoriety and attract media attention by using known names such as ISIS or Anonymous. Even though the FBI is investigating such attacks, there is no real indication of any connection between these defacements and the known terrorist group.

Irish government’s Freedom of Information website hacked

The Irish government’s Freedom of Information (FOI) website has been targeted by hackers posting a pro-Palestinian message that some connect to ISIS, reports the Irish Mirror, but investigators are sceptical.

The website was attacked yesterday (March 24th) and is currently inaccessible, with the usual design replaced by a white screen bearing the message: “Hacked by HolaKo.” As music plays in the background, the message goes on to say, “We are the best of the rest. Free Palestine #Save Gaza.”

Ireland’s FOI website usually serves to provide information on the Freedom of Information Act, giving people the chance to ask questions and obtain information held by the Irish government.

As noted by the Irish Times, the incident is the latest in a string of similar hacks to WordPress sites in the past few months, while another recent attack targeted the Dublin Rape Crisis centre website. The organization’s website, http://www.drcc.ie, was replaced with a banner image on March 8th that linked to a Facebook page that has since been taken down. The message on the banner read: “Hacked by Islamic State (ISIS). We are everywhere ;).”

Other WordPress victims this month include The Sequoia Park Zoo in California, the MERS Goodwill charity in St Louis and the Moerlein Lager House in Cincinnati.

As reported by We Live Security, the FBI is said to be investigating recent hacks of this kind, but law enforcement and security analysts are sceptical that the attacks have any genuine links to ISIS.

“There are no indications that the individuals behind these latest hacks have any real connection to ISIS,” said Evan Kohlmann of Flashpoint Intelligence. “These defacements have taken place amid a spate of recent attacks where ordinary hackers have cynically used far-fetched references to ISIS as a means of attracting media attention.”

by Kyle Ellison, ESET

Security in healthcare: Mobile devices

 

In a time when smartphones seem ubiquitous, the pressure for businesses to allow their employees to access work resources with their personal mobile devices may be overwhelming. This presents a variety of potential problems that are especially troubling in the shadow of the Anthem data breach. What can healthcare IT and Security staff do to balance these opposing forces, to allow better access without giving criminals the keys to the castle? The answer to this question may be an important part of decreasing the trend of increasing medical breaches.

What are criminals seeking?

Many medical practices have a fundamental misunderstanding of what criminals are after. While some criminals may be after blackmail-worthy details of health problems, in the majority of data breaches the miscreant’s goal is to obtain a large quantity of saleable data to be used for medical or financial fraud. This list of valuable data comprises much of what was lost in the Premera and Anthem breaches, as well as other notable recent healthcare breaches:

  • Names of patients and employees
  • Physical and email addresses
  • Medical ID numbers
  • Social Security numbers
  • Payment card data

This information can be sold in bulk, with more complete record sets fetching a higher price, as they enable more lucrative fraud without the need for phishing for additional information from the victim. Medical ID and Social Security numbers are especially valuable for criminals, as payment card fraud is typically identified and blocked much more quickly; most banks have robust fraud-detection programs, and customers check payment cards more regularly and thoroughly than they do credit reports or medical reports.

While sometimes criminals may seek to access databases directly, they can just as easily find other ways into the network. Attackers often try to break into machines they view as less sensitive, which may have less stringent security, and work their way across the network to the more lucrative targets. Or they may phish login credentials from staff members, so that attackers can appear to be someone who is authorized to access the necessary resources to get to the database. This can potentially negate the beneficial effects of encrypting sensitive data, if the criminal gains the necessary permissions to access the unencrypted information.

In light of this, healthcare organizations should be implementing layered defenses so that even if a criminal gains access to a machine or user credentials that get them into the network, these attacks can still be stopped by other means. And this means businesses need to have a certain amount of control over the computing environment of their users. But how do you do this when users bring their own devices, especially mobile devices, which involve a significantly higher risk of loss or theft?

There are a variety of things healthcare IT and security staff can do to decrease the risks inherent in letting users bring their own device (commonly called “BYOD” for short).

Choosing the mobile device

When employees are in charge of updating and upgrading their devices – as well as choosing which software to install – support costs can increase as problems may be more complicated to resolve. And if those users are the ones deciding what security settings to enable or disable, this may potentially open businesses to greater security risk if that device is lost, stolen or breached. It may be more cost effective to offer employees mobile devices that have mobile device management software installed, as this can standardize software and settings throughout the company.

Making restrictions clear

The decision to allow employees to access corporate resources with mobile devices is a delicate balancing act between the employee’s rights and the business’s legal obligation to protect data. This is particularly true for healthcare businesses, when HIPAA requirements come into play. This excellent fact sheet from the Privacy Rights Clearinghouse discusses these legal issues in greater detail.

In a time where text or instant messaging, and cloud services are every bit as prevalent as the mobile devices they’re often used with, it is important to make it clear to employees that it is not acceptable to circumvent security protocols when storing or transmitting patient data. Employers may choose to provide approved, secured messaging and cloud services, to make conformance easier for employees.

Mitigating the risk of lost or stolen devices

There is no such thing as perfect security. The best thing to hope for is decreasing risk, and mitigating the damage if a security incident does occur. The primary aspect businesses must consider when a device is lost or stolen is what data the device contained, and what company resources the device allows access to.

The two most obvious solutions to both are to require a passcode to access the device, and to wipe the device as soon as it is reported stolen. Many businesses choose to implement a policy that requires IT to have device access so that these steps can be implemented. One way to limit the value of stolen data is to encrypt as much as possible, both in transit and in storage, remotely and on the device itself. If a thief gains access to a device, but the data on it are scrambled, the data loses any value to an attacker. Keep in mind that if the thief gets the device and the user’s login credentials, he may still be able to view the data in its unencrypted form.

Offering other methods for securing connections

One important way to protect data that does not need to be viewed by more than one person, such as passwords, is to salt and hash the data. When this is done the password is not stored, and cannot be stolen, and it decreases the possibility of it being reverse-engineered. And it is safer to simply reset passwords and require the user to change it upon first login. This Crack Station post goes into the intricacies of effective salting and hashing.

Limiting the number of incorrect login attempts can help against brute force attacks, and employee security training may help decrease the effectiveness of social engineering. Another way to limit damage in the event of a lost password is to restrict users’ access to only what they absolutely need to be able to perform their regular tasks. Likewise, requiring users to log in to resources periodically – rather than logging them in indefinitely – can limit the amount of damage that an attacker can do.
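One way to implement the salting, hashing and login-attempt limiting described in the two paragraphs above, as an added example that is not from the original article: the PBKDF2 work factor, the lockout threshold and the AccountStore class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch (the article does not specify any).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class AccountStore:
    """Hypothetical in-memory user table: holds salt and digest, never the password."""

    def __init__(self):
        self._records = {}   # username -> (salt, digest)
        self._failures = {}  # username -> consecutive failed attempts

    def set_password(self, username, password):
        # Also used for a reset: a new salt is drawn and the lockout is cleared.
        self._records[username] = hash_password(password)
        self._failures[username] = 0

    def stored_record(self, username):
        return self._records[username]

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if username not in self._records:
            return "denied"
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # refuse before doing any password check
        salt, expected = self._records[username]
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, expected):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("alice", "constructed sample password")
    print(store.login("alice", "wrong guess"))
    print(store.login("alice", "constructed sample password"))
```

Because only the salt and digest are kept, a forgotten password cannot be looked up and has to be reset, which matches the article's advice.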

Requiring employees to use a Virtual Private Network (VPN) to remotely access network resources can greatly decrease the risk of eavesdropping attacks, especially if employees use public Wi-Fi to access work resources. Depending on the operating system of the user’s device, it may also be advantageous to provide employees with mobile anti-malware products that scan for malicious links and files.

Keeping BYOD as a benefit

While these steps to secure access via mobile devices may all appear to be potentially costly and complicated, it may be worth the effort in terms of the increase in staff productivity and responsiveness. Both employees and customers may view this as a benefit that may improve care outcomes due to improved patient engagement. And as more and more healthcare organizations fall victim to large-scale breaches, this attention to details could change the safety of data and the future of healthcare security.

by Lysa Myers, ESET

Healthcare businesses in the crosshairs

Medical and healthcare data breaches on the rise – 27.5% increase, medical records fetch good coin on the black market.

In light of the recent Premera and Anthem breaches, a spotlight is now shining on healthcare businesses, regarding their ability to defend patients’ sensitive information. Security wonks have been warning for years that healthcare businesses are in a lot of trouble, security-wise. Criminals are targeting medical records because of their value, and as a result, medical breaches are the fastest growing type of breach. What can businesses do to get themselves out of the crosshairs?

According to the Identity Theft Resource Center, there were 783 medical breaches in 2014, compared with 614 breaches on the 2013 ITRC Breach List, a dramatic increase of 27.5 percent year over year. This has put healthcare industry breaches in first place for the largest number of breaches, for the last several years running, with over 40% of the total number of breaches. This is no surprise: medical records are worth more on the black market than payment card data.

So what can healthcare businesses do to help reverse this trend?

It is important to understand that there is no such thing as perfect security if you have a sufficiently determined adversary, but this does not mean we should not try to decrease risk and try to mitigate the damage if a security incident does occur. The biggest part of being successful at risk mitigation is decreasing the value of any one piece of the security puzzle, if it is successfully stolen. For instance, if an employee’s username and password are phished, they are of limited use if another factor of authentication is required to log into the user’s accounts.

Here are five things businesses should be doing to help decrease risk and mitigate damage in case of a breach:

  • Update promptly
    Regularly and promptly updating all software is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into machines. And vendors often provide updates at no cost. When you get a notice from your vendor, be sure to go directly to the vendor’s website to get the update as soon as possible. This can be particularly problematic for medical machines, as older devices may still be running a version of Windows XP. This should either motivate businesses to upgrade those machines as soon as possible, or to at least put additional protection in place around the more vulnerable machines.
  • Passwords are not enough
    If you are protecting lots of patient data, a password alone is not enough. Consider two-factor authentication. This can be a biometric like a fingerprint or a one-time passcode that is provided to you, via a small digital key card or fob, or even an app on your smartphone.
  • Principle of Least Privilege
    The Principle of Least Privilege simply means that no person, machine, or system should have access to things they do not strictly need. For instance: Financial data should be in a different part of the network, and completely cut off from people who do not need to access it. And very few people, if any, should have Administrator-level access rights on their own machine. Any time you can restrict access without disrupting people’s ability to do their job, you should.
  • Encrypt everywhere
    When we have something that is valuable, we lock it up when it is not in use. It is the same with data; if you have valuable data, it should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should be through an encrypted connection. Having encryption from end to end minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defences.
  • Redundant defences
    Do not expect one security product to protect you against every possible threat. Make sure you have an anti-malware suite on all devices that access your network (do not forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). You should also have a firewall at the gateway to your network and on all your individual machines.
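The one-time passcode mentioned under “Passwords are not enough”, worked through as an added example that is not from the original article. It assumes the app or fob uses the time-based one-time password scheme (TOTP, RFC 6238), which the article does not specify; the drift window and replay check are likewise assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant: the counter is the number of 30-second steps."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6,
                window=1, last_used_counter=None):
    """Return the matching counter, or None if the code is rejected.

    Codes from `window` steps either side are accepted to tolerate clock
    drift; a counter at or below last_used_counter is refused so that a
    code an attacker has observed cannot be replayed.
    """
    if at is None:
        at = time.time()
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


# Test secret published in RFC 6238, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "287082", at=59))
```

The server stores the counter returned by a successful verification and passes it back as last_used_counter on the next attempt.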

Medical records are likely to remain a tempting target as long as there is a sufficient return on criminals’ investment of time and effort. It is important for healthcare practitioners and businesses to take extra care of their patients’ data, as well as their health. By increasing security, you can decrease the return on investment for criminals, and they may pass your organisation by.

by Lysa Myers, ESET

9-year-old cybersecurity expert hacks Android smartphone in minutes

Wondering how secure your Android smartphone is? Well, a 9-year-old cybersecurity expert has demonstrated how hackers could steal contacts, call logs and messages within just 15 minutes.

Speaking at the Security B-sides Conference last week, Harmony School of Science third-grader Reuben Paul took to the stage to promote safer smartphone security. His keynote speech stressed the importance of being extra careful when downloading apps, showing how even seemingly safe software can be used by cybercriminals to access sensitive data and snoop on your location.

According to Fox, the 9-year-old Paul completed the hack within a quarter of an hour, claiming that it can happen anywhere, to anyone and at any time.

“If a child can do it then a regular hacker can do it… so I just want everybody to be aware [and to] be more careful when you download games and stuff like that,” he said.

Paul is a rising star of the computer security industry, speaking at a number of other conferences as well as acting as CEO of Prudent Games, a company which attempts to teach people about threats through educational apps. The company’s games include Cracker Proof, which teaches good password practice, and Crack Me If you Can, which teaches all about brute force attacks.

Paul’s speech at the Security B-sides Conference again highlighted how important it is to be cautious when downloading apps and games. For more advice on avoiding ‘bad’ apps, remember the advice from our video below.

https://www.youtube.com/watch?v=-2lJQeZZGgI

Photo: YouTube screen grab from video uploaded by ISC2TV

by Kyle Ellison, ESET

Rebuild Iraq fraud email targeting Irish business

ESET Ireland warns Irish businesses not to fall for this variation of a fraud email, pretending to come from Iraqi-Asian Chamber of Commerce & Industry, inviting their company to join in the rebuilding of war-torn Iraq after years of US occupation.

The full message, targeting Irish business email addresses, reads as follows:

[Image of the email message]

The interesting addition to the email is the article from The Independent, highlighting profits of companies doing business in Iraq, although they’re mainly oil and security ones, which is supposed to convince the reader this email offers great opportunities for profit.

It is, of course, just another scam along the lines of African princes leaving you millions, winning the Spanish lottery, and other advance fee frauds, that are aimed at extracting money from the gullible.
