Category: Threats

August 15, 2019

The link between GDPR and the Dark Web

Over a year after its widely anticipated debut on May 25th, 2018, the General Data Protection Regulation (GDPR) is still a point of confusion for many SMBs. Although our European partners have been keeping a pulse on developments for quite some time, privacy regulations are quickly pervading into the global security landscape across the US, Canada, Australia, and New Zealand with cascading consequences and implications. In order to prepare MSPs and business owners for upcoming change, the ID Agent Team will unravel how the Dark Web and GDPR are inextricably connected. But first, let’s refresh on the basics: A GDPR Crash Course Designed to protect the data security and privacy of EU citizens, the GDPR was introduced as a replacement to the Data Protection Directive of 1995. As an overview, the regulations empower consumers with greater ownership over their personal information; highlights including the “right to be forgotten”, a fortified consent process, and more stringent breach notification protocol requirements. Aside from expanding the definition of “data processing” to include collection, retention, deletion, breaches, and disclosures of personal data, the penalties associated with infractions are no laughing matter. Since its implementation, multinational corporations have seen fines amounting to $23M. Or even worse, 4% of global revenue. Dark Web + GDPR So where does the Dark Web fit into this? Just this past week, we covered a recent report by the Federation of Small Businesses (FSB) proclaiming that UK-based SMBs were suffering nearly 10,000 cyber attacks per day. Although the majority of these are serious security breaches, some are slipping through the cracks as “leaks” that go unnoticed. These manifest themselves as vulnerabilities caused by password recycling, lost devices, accidental website updates/ emails, and even rogue employee behavior. Unlike more overt incidents, data compromises are much more difficult to detect, especially for small businesses with minimal security measures in place. Therefore, sensitive information collected from such leaks ultimately finds a home on the Dark Web, without anyone being the wiser. As we know, cybercriminals will exchange valuable credentials for cryptocurrency, and then leverage leaked information to orchestrate crippling fraud tactics. In the past, companies were able to sidestep any ties back to them due to loose privacy regulations and limited feedback loops. However, those days are soon coming to an end. The GDPR mandates that companies of all shapes and sizes must disclose consumer data breaches, and will also be held liable for such accidental leaks. For example, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) of the UK has published specific guidance for risk management, data protection, detection, and minimization of impact. The Solution The global standards for data protection may be rising, but so have the solution sets for SMBs. By partnering up with MSPs who have enlisted in proactive Dark Web monitoring solutions (like Dark Web ID!), you can future-proof your company from facing GDPR fines or dealing with business process interruptions. Case dismissed. Need more proof? See what Ryan Markel, President of Take Ctrl, LLC, has to say about working with our team: “My clients are so grateful that they are not aware when their passwords are compromised that they are telling their colleagues at other companies they have to work with us”. Sources: https://www.parkersoftware.com/blog/gdpr-dark-web https://www.law.com/legaltechnews/2019/01/23/could-the-gdpr-right-to-access-make-personal-data-more-vulnerable/?slreturn=20190712111548 https://cybersecuritysummit.co.uk/wp-content/uploads/sites/29/2017/10/White-Paper-GDPR-Data-Breaches-the-Dark-Web-June-2017.pdf https://www.swknetworkservices.com/dark-web-breaches-compliance-gdpr/ https://gdpr.report/news/2017/07/03/growing-threat-dark-web/ http://www.securityeurope.info/the-eus-gdpr-and-crime-throwing-some-light-on-the-dark-net/ https://mashable.com/article/how-gdpr-changed-internet-2018/ https://lmgsecurity.com/should-your-data-breach-response-plan-include-dark-web-scanning/ https://cyansolutions.co.uk/monitor-dark-web-stop-security-breaches-fast/ Cybersecurity and GDPR: https://www.ncsc.gov.uk/information/GDPR UK’s Cyber Essentials certification: https://www.cyberessentials.ncsc.gov.uk/advice/

June 27, 2019

How to Spot a Phishing Attempt

Phishing is one of the most common, yet dangerous methods of cybercrime. Despite cybersecurity experts’ warnings over the years, it seems that internet users still consistently fall prey to these simple but effective attacks.

April 18, 2019

The Wipro Breach: A Demonstration of Third-party and Supply Chain Risk

Advanced phishing and supply chain vulnerabilities – these seem to be the successful attack vectors that hackers have used to compromise Wipro, an Indian multinational corporation that provides information technology, consulting and business process services. Notable security researcher, Brian Krebs, reports confirmation that a nation-state actor had been inside the company’s systems for months, identifying opportunities to attack its vast customer base – currently, at least a dozen of the firm’s clients have been targeted as a direct result of this breach. Additional sources have claimed that Wipro’s corporate e-mail system had also been compromised for some time, forcing the company to build out a new private system. Who’s the Bad Guy? While the attack has not been attributed to a specific group, security researchers note that it bears a resemblance to those launched by the Chinese hacking group APT10 – almost always beginning with a phishing campaign targeted against a third-party partner. The group has a demonstrated history of attacking Managed Service Providers in order to gain access to a larger swath of targets. Last year, the Australian Cyber Security Center blamed APT10 for attacks on at least nine global service providers, and the UK’s National Cyber Security Centre said it is aware of malicious activity currently affecting UK organizations across a broad range of sectors. Takeaways The Wipro breach seems to be a textbook case of exactly how not to handle a breach. Refusal to acknowledge and inconsistencies in what they will acknowledge have done nothing but increase not only confusion in reporting on the incident, but also mistrust in the company. Additionally, it highlights how critical it is that organizations properly protect their assets and address the vulnerabilities inherent to human error. Companies must extend beyond robust network security and incorporate systematic employee training, supply chain security assessment and ongoing monitoring, and third-party security, among other methods of defense. Last October, the FBI warned Managed Service Providers about the increasing occurrence of Chinese hacking groups targeting them specifically. MSPs have unparalleled access to their clients’ networks, so compromising an MSP can give these groups direct access into dozens, hundreds, or even thousands of businesses and their client data. The number one way attackers penetrate networks is with stolen credentials, according to the alert. ID Agent provides a robust suite of services to address the risks highlighted in the Wipro breach. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used to infiltrate Wipro’s systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.

September 28, 2018

Update: Facebook Breach Information is Now For Sale on the Dark Web

Update, October 4, 2018: Our cybersecurity division has confirmed that the individual account information associated with the Facebook breach is now being sold on popular Dark Web markets for $3 to $12. In comparison, a database of 2 million users is typically sold on the Dark Web for about $30. This means the infamous hackers could see an unusual payday of $150 to $600 million.

April 26, 2018

A New Wave of Brute Force Attacks: Here’s What You Should Know

Last month, the United States Department of Justice indicted nine Iranian hackers for a wave of brute force attacks. These attacks resulted in the digital theft of more than 31 terabytes in information worth $3 billion in intellectual property.

April 12, 2018

Zappos Lawsuit Drives Home Need for Ongoing Credential Monitoring

Pay attention to this one! 6+ years later, Federal appeals court rules that data breach resulting in the theft of PII, even though the PII had not yet been used in any illegal activity, was harm enough to allow lawsuits to proceed against the company whose systems were compromised!

February 19, 2018

Why You Should Add Dark Web Monitoring to Your Service Offering

A large-scale data breach has the power to cripple any organization, including your customers’ companies. Unfortunately, these data breaches usually start with compromised credentials sold to the highest bidder on the dark web. Right now, all that stands in the way of your customers and a massive, costly breach is a few passwords — unless you’re offering dark web monitoring as a service.

November 30, 2017

I Now Have Everything I Need to Exploit You.

MSPs should read this, then enroll themselves and every customer in SpotLight ID NOW Chances are, you’ve come across cleverly-crafted ads on sites like CNN.com, Facebook, Yahoo and others that say something like, “Use this site to find out anything… about anyone.” If you are like most good citizens, you probably passed up on the opportunity to use one of these sites to dox, or to search for and publish private or identifying information about an individual on the Internet, typically with malicious intent. Good for you!

November 20, 2017

Pa$$w0rds, the Dark Web, and a job I love.

Coming up with a strong password gives me a headache. About 3 years ago, I came up with the most (in my mind) brilliant password EV3R. You see, I used an 8 in the first part of the password to make the word Gr8 – great. Great! I could remember that, because it made me grin at my own cleverness every time I typed it. “You sneaky SOBs will never crack my code!”

November 15, 2017

Identity Theft’s Reality

ID Agent is excited to offer this guest blog post from Megan Wells. Megan is a data journalist and content strategist at InvestmentZen who has written content on how data theft impacts Americans, technological interventions for personal and commercial finance and content for IBM and NASDAQ. With her examination of costs and the impact of Data Breaches, she shares how detrimental identity theft can be for MSP customers and their employees. Be sure to download her useful Infographic at the link below!

Please fill in the form below to subscribe to our blog

Country