Covid-19 prevents people from coming to work and operating the on-premise security systems that controls large amounts of assets. Hub security enables to do that remotely with the same security standard
EY announced in early March the launch of its Baseline protocol project. The new initiative is a an open-sourced paackage of blockchain tools that will allow enterprises to build and deploy blockchain-based products securely and privately on the public Ethereum blockchain. The project is part of a joint effort between EY, ConsenSys and Microsoft.
The Baseline protocol leverages several technologies, including zero knowledge proofs, off-chain storage and distributed identity management so that enterprises can define and synchronize processes and agreements using common standards, with full privacy, and without storing sensitive business information on the blockchain itself.
“This initiative builds on that groundwork and starts filling in gaps such as enterprise directories and private business logic so enterprises will be able to run end-to-end processes like procurement with strong privacy,” said Paul Brody, EY Global Blockchain Leader.
The Baseline protocol will also support smart contracts and industry-wide tokenization standards. In doing so, they will enable an ecosystem of interoperable business services. Key process outputs like purchase orders and receivables are tokenized and integrated into the decentralized finance (DeFi) ecosystem.
The initial release of the Baseline protocol includes the process design and key components to enable volume purchase agreements and lays the groundwork for blockchain applications that link supply chain traceability with commerce and financial services.
“With the Baseline protocol, we are developing enterprise processes that are ecosystem ready because they are being built in a truly blockchain-native manner. When delivered on the public Ethereum network, this will drive adoption and the whole ecosystem,” said Yorke Rhodes, Principal Program Manager of Blockchain at Microsoft.
By supporting smart contracts and tokenization, as well as integrating into a DeFi ecosystem, enterprises will have access to an extensive toolbox of resources with which to research and develop blockchain solutions. The protocol enables confidential and complex collaboration between companies and enterprises without leaving sensitive data on-chain.
While the World Health Organization (WHO) hasn’t declared the novel coronavirus a global pandemic yet, the infectious disease continues to spread at a rapid pace, affecting both the global economy and global health. The virus has been detected inover 85 countries as of Money and data from Johns Hopkins University confirms more than 110,000 cases of the virus attributed to the COVID-19 disease.
In an attempt to control the spread of the virus, we’ve seen an increase in restrictions on travel. Last week the US announced that travelers coming into the US on direct flights from Italy and South Korea will be screened for symptoms, while travelers from China are already being screened. One sector of the tech economy already feeling the immediate impact of the changing policies is industry events. From travel bans to bans of large gatherings, officials are canceling industry conferences left and right; leaving conference organizers, attendees, exhibitors, and sponsors scrambling to make new plans.
But now, due to the coronavirus outbreak and an increase in travel restrictions, the way we work may be undergoing a radical shift. Now more remote workers are working from home than ever as the global workforce shifts to mitigate the spread of COVID-19. Soon the cohorts working from home will grow into armies as the Chinese Lunar New Year comes to an end and Chinese companies begin restarting operations. Now because of the heightened pace of coronavirus’s spread, the return to work is likely to usher in the world’s largest work-from-home experiment. In 2020, working from home is no longer a privilege –– it’s a necessity.
While we won’t know the coronavirus’s effects on the overall nature of work for some time, we do know that working from home lends serious questions to the heightened cybersecurity risk for many InfoSec and IT security employees. Unlike working from the office, working from home often means working in an unsecured environment. This shift’s effect on many working specifically in banking and cloud enterprise should cause alarm. Employees with high-access management permissions should be on high alert as they self-quarantine, especially if they are responsible for accessing highly sensitive financial, business or consumer data without proper endpoint security measures in place.
In another risk, outlined in a December 2019 weekly tech advice column, the FBI’s Portland office released an ominous warning to US homeowners, “Your fridge and your laptop should not be on the same network.” That’s because your most vulnerable IoT devices –– think wireless cameras, baby monitors, smart thermostats and smart locks, all hold unique vulnerabilities that can be easily exploited. It’s no secret in the cybersecurity world that today’s hackers specifically target home IoT devices to gain entry to your home’s wireless network.
The FBI’s best advice for keeping your devices secure and safe? “Keep your most private, sensitive data on a separate system from your other IoT devices.” According to the FBI’s recommendation, you should have two routers at home: one for your IoT devices and another one for your more private devices.
Whatever the future of work may look like, the cybersecurity implications of a home-based workforce cannot be denied. Companies and cybersecurity professionals must mobilize to provide their organization’s workforce with proper cybersec and threat prevention training. In order to mitigate the cyber risks of a home workforce, heightened education and training is needed for the cyber risks associated with the post-corona economy.
Learn more about Hub Security’s miniHSm device and military-grade key management solutions and how they can help you stay secure and protected –– no matter where you’re working from.
With the blockchain industry’s value estimated to hit $23B by 2023, it’s hard to keep track of the amount of blockchain-based solutions launching each month. As the industry grows though, so does its risks. While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT technology is subject to a number of issues that centralized databases are not.
The growing list of blockchain technology providers who have become victims of malicious hacks and attacks is starting to make many wonder if blockchain is really as secure as it’s made out to be. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data –– especially on the cloud.
As more governmental, industrial, and commercial sectors adopt the use of blockchain and DLT-based technology, there’s a growing need for discussion. Below are some points to consider which also serve as a means to raise awareness of the risks still associated with the use of blockchain and Distributed Ledger Technology.
One of the most common points of vulnerability with DLT technology is actually outside of the blockchain. Endpoint vulnerabilities are critical because of where they take place: at the time and place humans and blockchains meet. Simply put, an endpoint could be anywhere an individual is using to access sensitive data such as the computer of a bank employee.
Since most hackers know there’s no use in attempting to guess a user’s keys, they spend a lot of time trying to steal them. The best chance of obtaining keys is to attack the weakest point in the entire system, a personal computer or mobile device.
The process of accessing the blockchain in order to receive that data is what makes endpoints so vulnerable. Endpoints provide malicious attackers the opportunity they need to get nasty code in or out. Once a device is exploited, hackers can piggyback off the credentials of high-access users in order to do the most amount of damage.
As DLT adoption continues to grow, many look to new solutions to provide them with the security and protection DLT technology promises. But while many new products continue to grow, it also creates another security vertical of great concern: vendor risks. Often, companies looking to deploy 3rd-party blockchain apps and platforms are not aware of the security risks associated with faulty and exposed vendors.
It’s not uncommon for vendor solutions to have limited focus on security measures with weak security controls on their own systems, flawed code, and even personnel vulnerabilities that can easily expose their clients’ blockchain credentials to unauthorized users. This threat is especially relevant when discussing products that involve the use of smart contracts. Since an organization’s entire operation and policies can be housed as a smart contract on a blockchain, a vulnerability of this magnitude has the potential to be catastrophic.
While Bitcoin has been around awhile, blockchain technology is still considered highly experimental. While we still don’t know the full scale of what’s possible ––– security experts can agree on one thing: every new blockchain product that leverages DLT technology must undergo vigorous testing before being released to the public. While some DLT projects are tempted to launch their half-heartedly tested code on live blockchains, the cyber risks can be damaging and long-lasting.
As new technologies enter the market, developers are incentivized to be first or early with the release of applications, often at the risk of deploying insufficiently tested code on live blockchains. Given the decentralized model of many blockchain solutions, the risks are often greater due to the irreversibility of the technology.
The on-ramp of digital assets is one of the most critically exposed points in the development of a blockchain-based solution. More specifically, how are the assets and information securely signed on to a blockchain? This all comes down to the private keys used to sign and encrypt blockchain transactions. If someone gets ahold of the keys, the entire downstream blockchain-based solution is corrupted.
Not only is protecting these keys critical but also ensuring they’re used safely, e.g. not exposed by software when used to sign a transaction. Additionally, the process of approval for using the keys must be protected –– otherwise, someone can hack or impersonate an approver and sign a malicious transaction. And of course, this element of your blockchain solution needs to be considered from the start, or else it will likely prevent or slow down a successful transition into production.
Adopting new technologies always comes with the fear of the unknown. While blockchain-based solutions continue to provide customers with high levels of security and transparency, the onus falls on product designers to begin considering security from day one. From design to development, every step in the product development cycle is crucial to ensuring products are safe, reliable and secure for consumer use.
With the explosion of distributed ledger technology (DLT) as a safe and secure solution for transparently handling and sharing information across organizations, many businesses are jumping on the DLT bandwagon. Proponents of the distributed ledger technology known as blockchain consider it to be one of the best ways to secure transactions.
But while blockchains have many desirable features, such as transaction efficiency, there are still other conditions and requirements to consider when leveraging blockchain technology for business. The publication of DTCC’s most recent paper on the matter outlines key risks associated with the use of the nascent technology and an acknowledgment of the many security risks still associated with its use for both small businesses and enterprises alike.
“With the adoption of DLT across the financial services ecosystem likely to continue to increase in the coming years, we need to be certain that all DLT-related security risks are identified and addressed to maintain the safety and stability of the markets,” said Stephen Scharf, Chief Security Officer at DTCC.
With hundreds of new blockchain-based products released each year, many of today’s development teams don’t consider the security risks associated with the use of DLT early enough on in the project development cycle. Infosec usually isn’t on every founder’s mind when they start projects, especially when it comes to pilots. Once things are in the air, often they are forced to take a few steps back once they realize they hadn’t considered security performance and infrastructure from the get-go. Interestingly, the same is often true for blockchain vendors who are in a rush to get their products deployed.
The fact of the matter is, most don’t consider the fact that all blockchains aren’t created equal. It’s important for businesses to be aware of this fact when evaluating whether the technology they’ve chosen will have the proper security measures they require –– both internal and regulatory.
For fintech solutions looking to meet security regulation standards, opting for a simple cloud-based solution often can do more harm than good. Trusting cloud providers can be risky business –– or better yet, a major risk for your business. However you choose to look at it, while many cloud providers promise to keep highly sensitive data secure many also fail to do so as the recent WSJ’s Cloud Hopper investigation revealed.
When establishing a private blockchain, businesses must consider the best platform for deployment. While blockchain has inherent properties that provide security, known vulnerabilities in any infrastructure can be manipulated by those looking to get their hands on yours or your customer’s data.
Ideally, you should have an infrastructure with integrated security that can:
Considering these capabilities before developing your DLT-based solution will ensure your blockchain network has the added protection it needs to prevent attacks from both within and without.
Encryption requires high levels of cryptography and secrecy. Often encryption aids in the transfer of data from one point to another, safeguarding the data lest it is intercepted or falls into the wrong hands.
Encryption is most commonly used on documents and messages before they’re transmitted, but if the recipient of the information cannot verify its source or the identity of the sender, the authenticity of the information may not be trustworthy.
This is the primary reason for the use of keys when decrypting data. Keys are shared between the sender and receiver of encrypted communications and verified by digital certificates in order to establish the integrity of any incoming information.
In the world of data encryption and decryption, there are typically two kinds of keys, private keys, and public keys. Private keys are when both the sender and recipient of the information have an identical key that allows for the translation of the incoming data. In cases of private keys, both parties must make efforts to keep the key secret and safeguarded –– which can become challenging when more than two keys are involved.
That’s where public keys come in useful. Used more often today, public keys can be used to encode information and a private key is required to decrypt it. A good example of this would be credit card usage. While a credit card company may provide an authorization device with a key that is readily available, customers must input a pin that allows the machine to decrypt their information, making the sharing of sensitive financial data more regulated and secure.
Public keys are the basis for a Public Key Infrastructure when decrypting highly-sensitive data. PKIs enable the use of digital signatures and encryption across large user sets. The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public-keys.
Often they help establish the identity of people and devices, enabling controlled access to systems and resources, protecting data and authenticating transactions. Many of today’s emerging technologies, especially within the fintech space, are becoming more and more reliant on PKI technology to guarantee security and protection of sensitive data.
A hardware security module (HSM) is a dedicated cryptographic processor designed to protect highly critical and sensitive keys and assets. HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world. This piece of hardware may look small, but is mighty powerful. It has the ability to securely manage, process, and store cryptographic keys inside its hardened, tamper-resistant shell.
Hub Security is proud to announce its partnership with Seagate as part of its new initiative to explore ways to create safe and secure data management solutions.
The Spanish telecommunications giant Telefonica recently reported it will launch a new partnership with the local Association of Science and Technology Parks (APTE) to grant 8,000 Spanish firms access to its blockchain.
With all the cyber threats that exist today, banks are more vulnerable than ever to becoming the next victim of a malicious cyberattack. With the growing list of fintech solutions offered in banking and the most recent Cloud Hopper investigation released by WSJ, 2019 was an early indicator of cyberthreats still to come in the year ahead.
According to a new report released by the Federal Reserve Bank of New York, just a single cyberattack targeting one of the largest U.S. banks would likely have a major ripple effect on the global financial system. Even today, with a growing awareness of the cyber-risks involved in a banking sector driven by technology, there’s a greater risk facing banks than ever before.
With all this in mind, here are the top five cyber risks every financial institution should be prepared to defend against in 2020.
Credential stuffing is a type of cyberattack that usually targets the personal data of banking customers. Using stolen account credentials, hackers can gain unauthorized access to user accounts using automated large-scale login requests. The stolen information can then be used to bombard websites and servers in order to try to gain access to critical IT infrastructure. This practice is known as credential stuffing.
List of keys and logins are often obtained via the dark web and allows hackers to save lots of time by avoiding the need to play the password guessing game.
“There is an automated process where the hacker can log thousands to millions of breached passwords and usernames using standard web automation tools,” says Brian Brannon, VP of security product strategy for Safe Systems, an IT security firm that works with community and small banks.
Credential stuffing differs from a brute force attack because in credential stuffing operations attackers are often using usernames and passwords that are known to have been good at some point or another. For banks, credential stuffing is an emerging and credible threat that will only get worse as the number of data breaches increases.
Cloud services come in very useful by helping banks offset IT expenses, boost system uptime and ensure their data is being stored safely. But the promises of the cloud have come with a few hard-earned lessons when it comes to customer data and security.
With so much information stored on the cloud, particularly for the use of public services, cloud providers have become easy targets for malicious attackers looking to gain access to financial institutions. To get a clearer picture of the problem, consider that over 1.4 billion records were lost to data breaches in March 2017 alone –– many of which involved cloud servers.
With the Wall Street Journal’s recent release of their investigation into the global hacking campaign known only as ‘Cloud Hopper,’ the true depth of the risks associated with compromised cloud data couldn’t be more evident, or alarming.
For the Cloud Hopper attack, hackers known as APT10 gained access to cloud service providers, where companies believed their data was being safely stored and protected. Once in, the hackers freely and anonymously hopped from client to client, evading investigator’s attempts to eliminate them for years.
According to WSJ, the attack went far beyond the 14 companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group Inc., Tieto Oyj, and International Business Machines Corp.
To make things worse, investigators said many major cloud companies stonewalled clients as to what was happening inside their networks. Contrary to what many bank executives might think, the sole responsibility for protecting corporate data in the cloud lies with the cloud customer, not the service provider. Hence, no cloud provider is legally or contractually obligated to ensure the safety of customer data –– as much as they may promise to do so.
Phishing is a common type of cyberattack that’s often used to steal user data, including login credentials and credit card numbers. But lately, there’s been an increase in phishing attacks targeting bank employees. Phishing occurs when an attacker tricks an unsuspecting victim into opening a malicious link, leading to an installation of malware which then freezes the system as part of a ransomware attack.
An attack can have devastating results on a business –– especially a financial institution like a bank. Phishing can be used to gain a foothold in a network as a part of a larger attack like an advanced persistent threat (APT) event. In this scenario, an employee is compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
With access to an employee’s email account, cybercriminals can read a bank’s sensitive information, send emails on the bank’s behalf, hack into the employee’s bank accounts, and gain access to internal documents and customer financial information. This can result in millions of dollars worth of damage in both financial and reputational risks for the institution and its employees.
Ransomware is a type of malware that encrypts data, making it impossible for the owners of that data to access it unless they pay a hefty fee. In March 2017, the WannaCry virus spread independently through the networks of unpatched Microsoft Windows devices, leaving thousands of computers infected and making off with a total of 327 payments totaling $130,700.
Although ransomware has costs businesses more than $75 billion per year in damages (Datto), ransomware still remains one of the most common forms of cyberattack. Banks remain top targets for ransomware attacks, as cybercriminals follow the money for big payoffs. According to a Kapersky Labs report, cybersecurity statistics show attacks were launched from within more than 190 countries, with financial services the second most targeted industry after healthcare.
Successful ransomware attacks, especially on smaller banks, are the result of a lack of IT resources, outdated security tech and protocols, and inadequate endpoint cyber-protection. To help protect themselves against ransomware, financial institutions should place many uniquely-tailored protection layers throughout their networks –– each one acting as an obstacle to block malicious software attacks.
While a majority of exploitation attempts stem from software vulnerabilities, they can just as easily begin from vulnerable pieces of hardware. Anything from an employee device to a router connected to an unsecured network can put an entire organization’s digital infrastructure at risk.
For many CISOs, this may sound like preaching to the choir –– but unbeknownst to many is how easily exploitable their IoT devices are since they’re often not required to have the same level of security scrutiny as computers. Unsecured IoT devices, such as, home routers, printers, and IP cameras are all vulnerable to attack.
As institutions continue to connect more gadgetry to the internet, the number of potential security weaknesses on their networks are also more likely to increase. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Once they have an entryway from an IoT device, they have full access to the entire network, including all customer data.
Today’s hackers also have the unfavorable ability to easily exploit a bank’s API system since many legacy APIs weren’t designed with the cloud in mind. This leaves many systems vulnerable from the get-go –– and open banking has just been making the problem worse.
If after reading this article, you’re starting to doubt the security of your organization’s IT structure, know you’re not alone. Here are just a few methods you can adopt in order to create a more safe and secure digital landscape and defend against potential cyberthreats.
Regularly review your cloud infrastructure to ensure it’s up to date. Assess your cloud security’s current state compared to security benchmarks, best practices and compliance standards.
Use a vulnerability management tool to help you automate threat detection and protect against potential threats before they become a problem.
By only providing access permissions to employees who require it, you’re ensuring your organization is well-protected from within –– especially if you employ contractors or part-time workers.
Having a plan in place helps you avoid data loss and allows your to minimize downtime after a disruption. This only works if you backup your data regularly and often.
Encrypting your data cryptographically, and protecting the cryptographic keys to that kingdom, ensures your most sensitive digital assets are always protected –– even if your IT structure is critically compromised.
Learn more on HUB Security for banking and digital asset protection
Keep up with cyber security news!