Digital security and the generations

The notion that only young people use the internet is long gone. The fact is that the online world has consumed all of us. We may not like it, but by all of us, we mean toddlers to seniors. And therefore, we should all consider ourselves the “digital generation.” But that does not mean we all perceive and use technology the same way. There are certainly tangible differences in how we interact with technology.

The younger a generation is, the sooner they were likely to have been introduced to technology. On the other hand, older generations may have become familiar with technology later in life, but combined with their life experiences, they might have approached their technology use more responsibly. The approaches different generations take certainly differ; some are earlier adopters of innovations, but one does not lag behind the other.

The Pew Research Center conducted research in 2021, where they measured generations’ use of the digital world. For example, 99% of Gen Z and Millennials claim they use the internet. Gen X has a slightly lower usage, which still comes to 96%, compared to the Baby Boomers, where only 75% claim they use the internet. The interesting finding of the study is that since the year 2000, the gap between the oldest and the youngest internet users has gotten smaller, from 56 to 44 percentage points.

The data doesn’t lie, and proves that in fact all generations are part of the digital world. The difference is their involvement, perception and use. Generations look at technology and innovation based on their own background and knowledge. And that differs among virtually all of them. Many of them came into a world that was already full of technology, and others had to adapt to it at a more mature age.

And the same goes for digital security. Contrary to popular belief, growing up with technology does not automatically make you more conscious of digital privacy and security. Industry leader NTT’s study shows that people over 30 are more likely to adopt better security practices than the younger generation, Generation Z. Gen Z, even though they grew up surrounded by technology and the risks it poses, are much more laid back and less responsible. They value flexibility and productivity over caution and responsibility. Furthermore, the study found that almost 40% of Millennials would opt to pay a ransom or already have paid one in the past.

To support that, let us present one more study. This time, LastPass studied people’s online behaviors regarding passwords. It revealed that from Baby Boomers to Gen Z, people approach their digital safety and security differently. They found that despite being exposed to technology at an early age, Gen Z is least concerned with their security. On the contrary, Millennials and Baby Boomers are most concerned about their online safety and take extra measures to ensure their digital security.

Not only are the various generations’ use of technology and approaches to digital security different, the threats awaiting them in the digital world also differ. Since they all act in a distinct fashion, they are vulnerable to different types of online safety threats. For example, for teenagers and young adults, currently Gen Z and Alpha, one of the biggest threats is cyberbullying. Older generations face financial abuse, identity theft and other security attacks. Their knowledge on the topic also varies, making them more or less vulnerable to digital threats.

Kids from the age of 3 use devices to watch videos, while our elders use them to stay connected to their families. And for everyone in between, whether it be a Millennial or a Baby Boomer, online behaviors are different, and it is evident that there are different digital security approaches. However, whether you are a security expert or a basic user, without the proper protection and education, you may fall prey to malicious actors on the internet at any time.

It becomes evident that there is no one approach to digital security that fits all. Whether it is one’s personal security, privacy and safety, or an approach taken by a business, the solution is not set. Personalized protection, however, is not always possible. Everyone’s needs are different, and to cater to all would be virtually impossible. Some people and businesses prefer to have somewhat greater or less control over their protection, while others prefer to not be disturbed by it at all. Perhaps the easiest solution in situations like that is to have protection that you don’t have to think about at all. A silent knight protecting your digital world at all times.

One way for customers to procure that is when their Telco or ISP takes direct care of their protection, so they don’t even have to think about it. A solution like this can be incorporated into an ISP or Telco product offering, for example, ESET NetProtect. This security approach can give customers peace of mind, knowing their provider is taking care of their digital security on their behalf.

ESET NetProtect is not only easy to integrate, but also a great addition to a sales plan. Its reputation builds on its easy integration into existing Telco or ISP service offerings, while delivering full-service protection against malware, loss of privacy and phishing on all personal devices. NetProtect makes safe and secure browsing a matter of course. This offering keeps devices safe and online browsing safe from suspicious domains and websites. It also has a filter that allows you to blacklist domains and content categories based on user preference.

And above all, this product runs on your device, without you having to worry about it. Its user-friendly management with a range of settings ensures your overall satisfaction.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

SSL Certificates: What You Need to Know

According to the International Telecommunications Union (ITU) report published at the end of 2021, about 4.9 billion people used the Internet that year. This represents a jump of 800 million more people than before the pandemic.

This means that every day, an immeasurable amount of data is made available on the web, including sensitive information such as names, addresses, document numbers, and bank details.

Therefore, malicious agents have a large space to act, breaking into websites and stealing passwords and financial information, among other data that may be useful for their criminal practices.

Key ways to hack into a website include:

  • Software vulnerability or poor server or network configuration;
  • Vulnerability of the website itself;
  • Weak passwords;
  • Attacks on those responsible for the websites.

One of the ways to protect your website is by deploying SSL certificates. They protect the communication between the server and the user. In addition, they are required for websites that receive payments and allow their customers to feel secure knowing who they are interacting with.

For these reasons, we prepared special content about SSL certificates, explaining their concept, importance, and operation, among other information. To facilitate your reading, we divided our text into topics. They are:

  1. What Are SSL Certificates
  2. What Is The Importance of SSL Certificates
  3. Types of SSL Certificates
  4. Subdomains
  5. How They Work
  6. How to Tell if a Website Has the Certificate
  7. How to Install SSL Certificate on a Website
  8. Are SSL Certificates Enough to Ensure the Security of a Website?
  9. What Are SSL and TLS
  10. What Are the Differences Between SSL and TLS
  11. Best Practices for the Security of Your Website
  12. History of SSL Certificates
  13. Digital Certificates: Learn about Their Characteristics
  14. Digital Certificates in the World
  15. Different Uses of Digital Certificates
  16. About senhasegura
  17. Conclusion

    Follow our text to the end!

What Are SSL Certificates

SSL certificates consist of data files hosted on the source server of a website, which make the website more secure by allowing it to move from HTTP to HTTPS.

Their function is to authenticate the identity of the website and allow the encryption of the connection, as they contain the identity of the website and the public key, plus other information.

Therefore, when establishing communication between a device and the source server, SSL certificates are used to give access to the public key and confirm the identity of that server. Meanwhile, the private key remains secret.

What Is The Importance of SSL Certificates

Using SSL certificates provides several benefits, such as:

Data Protection
Their main purpose is to protect communication between the client and the server. For this reason, all bits of information are encrypted with the installation of SSL certificates. In practice, this information is blocked so that only the browser or server has the key to unlock it. With this, SSL technology allows the administration of sensitive data such as passwords, credit card numbers, and IDs without causing vulnerabilities when there are malicious agents.

They Enable Identity Verification
SSL certificates also make it possible to perform identity verification, providing security for those who use the Internet. This is because the digital environment is a fertile space for many types of scams, but this tool allows people to confirm who they are talking to before passing their data to fake websites.

When installing an SSL certificate, the user goes through a process called Validation Authority, which can validate their identity and their company’s, in addition to allowing them to receive reliable indicators.

It works like a verified Twitter account, but this is done on your website so that no cybercriminals create another one pretending to be yours, a practice known as spoofing.

They Are Critical to Receiving Payouts
If you have a business and receive payments through your website, you need to invest in SSL certificates. This is because they are among the 12 criteria required by the payment card industry (PCI). In other words, it is a fundamental resource for their transactions.

They Contribute to Optimizing Website Ranking in Search Engines
When you enable your website for HTTPS, it achieves higher rankings in search engines like Google, which since 2014 has favored this type of website. That’s what SEO experts around the world say, based on studies like the one by Brian Dean, founder of Backlinko.com.

Nowadays, when customers carry out most of their research on the Internet, this represents a great competitive advantage.

Detailed Traffic Data
If your website does not use HTTPS, you are missing information about the visits it receives. This is because when a secure browsing website uses referral links to an unsecured website, it appears as direct access, since HTTP websites do not receive referral data from HTTPS websites.

On the other hand, if you invest in SSL certificates, you will have access to your website’s traffic data in detail, regardless of its source.

SSL Certificates Favor Client Confidence
SSL certificates are important to ensure client confidence. This is because they let you know your data is protected. In addition, by installing an OV or EV SSL, it is possible to show your company in detail, ensuring it is a legitimate organization and enabling your business.

Free Installation
Supported by companies such as Facebook, Cisco, and Mozilla, a movement called Let’s Encrypt has democratized the use of SSL certificates, promoting their free and integrated installation to the control panel, even in the case of shared hosting.

Today, this solution is affordable. Even WordPress users can activate it through a special plan and generate more results for their business.

Types of SSL Certificates

There are three types of SSL certificates. They are: Extended Validation SSL (EV SSL), Organization Validation (OV SSL), and Domain Validation (DV SSL). Below, we explain each one in detail:

Extended Validation SSL Certificate (EV SSL)
With an Extended Validation SSL Certificate (EV SSL), the Certificate Authority verifies that the applicant can use the chosen domain name, in addition to performing a company verification.

To issue an EV SSL certificate, it is necessary to follow the EV standards approved in 2007 by the CA/Browser Forum, going through the following stages:

  • Confirmation of the operational, physical, and legal existence of the organization;
  • Validation of the official records of the entity;
  • Verification that it has an exclusive right to use the chosen domain; and
  • Confirmation that there is adequate authorization for the issuance of the EV SSL certificate.

All types of organizations can benefit from EV SSL, but must comply with EV audit guidelines and undergo audits every year.

Organization Validation Certificates (OV SSL)
In this type of certificate, it is also checked whether the applicant can use a certain domain name, in addition to the institution’s validations. One of its greatest advantages is the trust provided to the user, since by clicking on the seal of the Secure Website, customers receive information, which increases their visibility about who is behind the website.

Domain Validation Certificates (DV SSL)
This is another case in which the CA verifies whether the applicant can use a given domain name. However, here, data related to the company’s identity is not validated or displayed; the certificate provides only encryption.

In this way, the user knows their data is encrypted, but cannot know who receives this information. The great advantage of this type of certificate is its almost immediate issuance, without sending the entity’s documentation. In addition, DV SSL still has an affordable cost.

Subdomains

Another way to differentiate SSL certificates is by taking into account the number of subdomains they have. Thus, they are divided into three: single-domain SSL, multi-domain SSL, and wildcard SSL. Check out their characteristics below:

Single-Domain SSL
As its name suggests, this SSL provides certificates for a single domain. When the entity needs other certificates, it needs to re-hire the service, which makes the domain types below more advantageous options.

Multi-domain SSL
One can use these SSL certificates in all categories (SSL EV, SSL OV, and SSL DV) and validate more than one domain with the same certificate. However, this service is limited, so we recommend you review the number of domains and subdomains covered by the certificate before opting for multi-domain SSL.

Wildcard SSL
Perfect for websites that need encryption security and have many domains, as it covers an unlimited number of domains. It includes DV SSL and OV SSL domain certificates.
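The validation level and the domain coverage described in the two sections above can be read from a certificate's subject and subjectAltName fields. The following is an added example, not code from the original article: it works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificate is constructed, the OV/EV split is a heuristic, and the matcher applies the standard rule that a wildcard entry matches exactly one label.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "example.com"),),
    ),
    "issuer": ((("organizationName", "Example CA"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (needs network; chain and hostname are verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Heuristic: DV subjects carry no organization; EV subjects also carry
    businessCategory. The authoritative marker is the certificate policy OID,
    which getpeercert() does not expose."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    return "EV" if "businessCategory" in subject else "OV"


def dns_names(cert):
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def coverage_type(cert):
    """Approximate the product type from the list of DNS names."""
    names = dns_names(cert)
    if any(name.startswith("*.") for name in names):
        return "wildcard"
    return "multi-domain" if len(names) > 1 else "single-domain"


def name_matches(pattern, host):
    """Match one SAN entry against a hostname. A wildcard is honoured only as
    the whole leftmost label, and it stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject "*.com"-style patterns and empty leftmost host labels.
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(cert, host):
    return any(name_matches(pattern, host) for pattern in dns_names(cert))


def expiry_epoch(cert):
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate expired."""
    now = time.time() if now is None else now
    return int((expiry_epoch(cert) - now) // 86400)


def summarize(cert, host, now=None):
    return {
        "validation": validation_level(cert),
        "coverage": coverage_type(cert),
        "covers_host": covers(cert, host),
        "days_left": days_until_expiry(cert, now),
    }


if __name__ == "__main__":
    for host in ("example.com", "shop.example.com", "a.b.example.com"):
        print(host, summarize(SAMPLE_CERT, host))
```

For a live site, pass the result of `fetch_cert("your.domain")` to `summarize` in place of the constructed sample.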

How Do They Work?

When you enter sensitive data on a website that has SSL certificates, it is automatically encrypted and accessed only by the applicant.

With the protection of the encryption key, if there is a hacker attack and your information is intercepted, the malicious agent will not be able to view your data.

What’s more: SSL certificates also have the function of assuring the user they are accessing a legitimate website and not a page used for scams.

Through the lock symbol next to the URL, you can feel secure accessing a website and performing operations within it, which is positive for those who use your page for business.

How to Tell if a Website Has the Certificate

Websites that have SSL certificates display the symbol of a lock on the browser bar before HTTPS, as mentioned in the previous topic. This detail points out that entering your data on the website is a secure procedure, without risks related to hackers.

In this sense, all pages must have SSL certificates, especially those where credit card or username and password data are entered. Therefore, it is essential to verify that the HTTPS actually appears in the address.

Another important purpose of SSL certificates is to ensure the legitimacy of the website, providing security to its users.

How to Install SSL Certificate on a Website

To obtain an SSL certificate, you will need a Certificate Authority (CA), which consists of a trusted organization capable of signing the certificate with its keys, certifying its validity. This service may be charged, but there are also free alternatives.

Then, your certificate must be installed on the website’s server, which can be facilitated with a quality host and a provider that takes responsibility for this task.

Once you have enabled the SSL certificate, you will be able to load your website over HTTPS and secure its encryption.

Are SSL Certificates Enough to Ensure the Security of a Website?

Information propagated around SSL certificates suggests that their implementation would be enough to ensure the security of a website. This is because when you adhere to this solution, the lock icon appears next to the URL, suggesting protection.

However, despite being effective, SSL certificates are not enough to combat the action of cybercriminals, since the interception of the information exchanged between the user and the website is not their only means of action.

Moreover, if SSL deployment does not occur properly, not everything on the website will be protected by encryption. In these cases, the browser will still indicate a protected connection, which can generate a false sense of security.

Other exploits that can make the exchange of information risky include cross-site scripting (XSS), MIME mismatches, and clickjacking.

These practices are widely used by malicious agents to obtain information exchanged between websites and users.
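A site owner can check for the gaps named in this section on their own pages: sub-resources still loaded over plain HTTP on an HTTPS page, and missing response headers that limit clickjacking, MIME sniffing, and script injection. The following is an added example, not code from the original article; the HTML page, the header sets, and all host names are constructed samples.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a resource or submit data.
# Plain <a href> links are navigation, not mixed content, so they are excluded.
FETCHING_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("link", "href"), ("form", "action"),
}

# Constructed sample page, assumed to be served from https://shop.example/.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://shop.example/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<a href="http://partner.example/">partner</a>
<img src="http://img.example/logo.png">
<form action="https://shop.example/pay" method="post"></form>
</body></html>
"""

# Constructed response headers: a bare deployment and a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


class MixedContentFinder(HTMLParser):
    """Collect sub-resources that an HTTPS page would load over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        # Only stylesheet links are fetched and applied to the page.
        if tag == "link" and "stylesheet" not in attr.get("rel", "").lower().split():
            return
        for name in ("src", "href", "action"):
            url = attr.get(name, "").strip()
            if (tag, name) in FETCHING_ATTRS and url.lower().startswith("http://"):
                self.insecure.append((tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure


def audit_headers(headers):
    """Return findings for the header-based protections missing from a response."""
    h = {name.lower(): value for name, value in headers.items()}
    csp = h.get("content-security-policy", "").lower()
    findings = []
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options is not 'nosniff'")
    if not csp:
        findings.append("xss: no Content-Security-Policy")
    return findings


def audit(html, headers):
    mixed = find_mixed_content(html)
    findings = audit_headers(headers)
    return {"mixed_content": mixed, "header_findings": findings,
            "ok": not mixed and not findings}


if __name__ == "__main__":
    report = audit(SAMPLE_HTML, WEAK_HEADERS)
    for tag, url in report["mixed_content"]:
        print(f"mixed content: <{tag}> loads {url}")
    for finding in report["header_findings"]:
        print(finding)
```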

What Are SSL and TLS?

Transport Layer Security (TLS) is an encrypted protocol that provides security when navigating HTTP pages, accessing an email (SMTP), or transferring data in some other way.

The Secure Sockets Layer (SSL) Protocol came later and also guarantees security for website access. Through this feature, one can encrypt sensitive data so that it is not used by malicious actors.

TLS, in turn, represents a more current and efficient version of SSL, used to configure emails and provide security in information exchanges.

What Are the Differences Between SSL and TLS?

TLS works on different ports and uses more efficient encryption algorithms, including the Keyed-Hashing for Message Authentication Code (HMAC), while the algorithm used by SSL is the Message Authentication Code (MAC).

These features provide protection in Internet communication protocols (TCP/IP), making it possible to view HTTP and HTTPS terminations.

In the case of HTTP, data travels freely, while HTTPS allows you to encrypt the data through SSL/TLS. To do this, the user needs to set up a secure connection.

Best Practices for the Security of Your Website

In addition to the implementation of SSL certificates, other practices are required to ensure the security of your website. Among them, we can highlight:

Employee Training and Awareness
Information security should be a constant concern in your company, so in addition to investing in technology, it is extremely important to make your employees aware of the risks involved in online interactions and train them to deal with these threats.

Use Plugins Focused on the Security of Your Website
One of the great advantages of using WordPress is the availability of plugins specifically designed to ensure the security of your website. Among the options, we highlight: VaultPress, WordFence, Sucuri, and Defender.

Choose a Good Host
Check the host options available in the market and choose the one that addresses all the demands of your company, including the security of your website users and your business strategy.

History of SSL Certificates
In 1990, the HTTP protocol emerged as a form of communication and became indispensable because of its practicality. However, this protocol did not provide protection for connections and for people who needed to enter their data on web pages.

Three years later, they tried to make this interaction more secure through the S-HTTP protocol, without great success.
The following year, Netscape produced the first version of SSL in order to provide security in communication between servers and clients that took place on the Internet.

Due to its numerous flaws, this version was never officially released, but in 1995, it would be replaced by a second version and, in 1996, by a third improved version.

In 1999, TLS 1.0, an upgrade of SSL V3, emerged, with little difference. Seven years later, in 2006, it was time to release TLS 1.1, which was already very different from its first version.

The changes that came in 2008 with TLS 1.2 were even more pronounced, and made it impossible to downgrade to versions before SSL V3.

In 2015, an outline of what TLS 1.3 would be, designed from the version that preceded it, began.

Digital Certificates: Learn about Their Characteristics

The provisional measure 2020-1 of 2001 enabled the creation of the Brazilian Public Key Infrastructure (ICP Brazil), which operates through the National Institute of Information Technology, an agency linked to the Civil House of the Presidency of the Republic.

From then on, it became possible to issue digital certificates, electronic documents that provide legal validity to operations carried out remotely.

In Brazil, the public key infrastructure is used, which we also call a single-root certificate. In practice, the management committee of ICP-Brasil approves technical and operational standards that must be performed by each Root Certificate Authority.

There are also Certificate Authorities (CAs) in Brazil, which are institutions that issue, distribute, renew, revoke, and manage digital certificates. Another purpose of these entities is to make sure the user has the private key corresponding to the public one, through a process called asymmetric encryption.

It works like this: each person or entity holding a digital certificate has access to two codes: a private certificate, which must be kept confidential, and a public certificate, which can be shared.

This means that whenever a document is encoded with the public key, it can only be decoded using the private key.
Another body associated with the Certificate Units is the Registration Authority (RA), which facilitates the interaction between the Certificate Units and the users, and the Time Certificate Authority, responsible for verifying the timing of the interaction and carrying out legal validation.

Several types of digital certificates differ according to the level of security they provide and their applications. These are:

Type A Certificate: This is a digital certificate used to sign any type of document. It is widely used by self-employed professionals, private organizations, and public agencies that need to save time and financial resources, with quick validations for several documents.

Type S Certificate: It consists of a certificate whose decoding can only be performed by those who have authorization. Therefore, if you work with sensitive documents, which include data such as monetary values and personal information, this is your best alternative.

Type T Certificate: This certificate must be used with the other models. This is because it records the date and time of digital transactions, ensuring this information remains in the files without changing.

Type A, S, or T1 Security: All certificates are secure, but type 1 is the one that provides the least security. This certificate is accessible due to the way keys are generated, with a process done by a program on the computer. It is valid for one year, as it can be accessed using a username and password.

Type A, S, or T3 Security: Type 3 digital certificates are generated and stored in a token or smart card. Therefore, only authorized people can access them, making the operation more secure and with a longer expiration time: three years.

Type A, S, or T4 Security: Here we are talking about ICP-Brasil’s most secure digital certificate model. Your private key is generated and stored within the Encryption Security Module and only allows copying to HSM. It is an inviolable model, which erases data if an invasion occurs. So, it is also known as a digital vault.

Digital certificates are increasingly useful for companies that manage a large number of files and sensitive data. After all, they allow files to be sent over the Internet without being misplaced or corrupted.

In addition, since 2018, there is the NF-e 4.0 version, which makes it possible to issue tax documents without using paper. However, those who want to adopt this electronic model to issue tax receipts need to rely on a digital certificate, because it enables the interaction between the servers of the Federal Revenue Service and the computers of the organization.

Digital Certificates in the World

Digital certificates are not a mechanism used only in Brazil. Other nations have also adhered to this resource in their daily lives.

To begin with, the National Identification Document (DIN), which is being implemented in Brazil, is similar to the models used by other countries, in order to bring agility, ease, and security to citizens.

In DIN, the user identification data is gathered in a chipped device, where professional documents and digital certificates can also be included.

Among the countries that have already joined the electronic signature to authenticate documents, the following stand out:

  • The United States;
  • Mexico;
  • Indonesia;
  • China;
  • Turkey;
  • Switzerland; and
  • Member states of the European Union.

With the mandatory digital identification system for all citizens, Estonia is an example of the efficiency of digital certificates to reduce bureaucracy. There, the process of selling and transferring a vehicle is completed in 15 minutes.

In addition, Estonians can use the same documentation for healthcare, access to bank accounts, distance voting, and identification when traveling in the European Union.

In Spain, people have a single document called DNI, which is integrated into the digital certificate and groups user information.

This documentation includes data on biometrics and can be used to drive a vehicle, travel, and report income tax via the Internet.

Currently, regulations related to digital identification are not shared between countries and each nation has its own mechanisms, security practices, and an ICP of its own.

However, with the need to sign documents online, international agreements may soon be made to allow the use of certificates beyond this barrier.

Different Uses of Digital Certificates

Here’s how the different types of digital certificates are used:
As we have already mentioned in this article, digital certificates are used by websites, providing trust and security to their users.

Another widely used mode is in emails, to identify users, or to enable the digital signature of documents.
They are also used in credit and debit cards via chips that connect banks to commercial establishments in order to enable secure banking transactions.

They are also useful to digital payment companies that need to authenticate kiosks, ATMs, and vending equipment through their data center.

To counter cyber threats and protect intellectual property, a large number of organizations are inserting digital certificates into the IoT devices they operate.

People who develop computer programs also use digital certificates to prevent device cloning and theft of broadband services.

About senhasegura

Senhasegura is part of the MT4 Tecnologia group, which was founded in 2001, focusing on information security.
Present in 54 countries, the company aims to provide cybersecurity to its clients, who now have control over actions and privileged data.

With this, organizations can avoid disruptions related to the performance of malicious actors and information leaks.
The work of senhasegura assumes that digital sovereignty is a right of all and that applied technology is the only way to achieve this goal.

Therefore, it follows the life cycle of privileged access management, before, during, and after access, relying on machine automation, since managing privileged access manually is not enough. Among its commitments, the following stand out:

  • Provide more efficiency and productivity to companies, while avoiding interruptions due to expiration;
  • Perform automatic audits on the use of privileges;
  • Automatically audit privileged changes to detect abuses;
  • Ensure client satisfaction through successful deployments;
  • Provide advanced PAM capabilities;
  • Reduce risks quickly;
  • Bring companies into compliance with audit criteria and standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.

Conclusion

By reading this article, you saw that:

  • SSL certificates are data files hosted on the source server of a website, which make it more secure by allowing them to move from HTTP to HTTPS;
  • Their main function is to provide security to the communication between the client and the server;
  • Their technology makes it possible to manage sensitive data such as passwords, credit card numbers, and IDs without causing vulnerabilities;
  • SSL certificates make it possible to perform identity validation, as with Twitter accounts, but on websites;
  • They are essential to receive payments through a website;
  • When you enable your website for HTTPS, it achieves higher rankings in search engines like Google;
  • Whoever invests in SSL certificates has access to detailed data about their website visits, regardless of their origin;
  • SSL certificates ensure the legitimacy of your company, leaving your customers assured that their data is protected;
  • One can install an SSL certificate for free;
  • There are three types of certificates: Extended Validation SSL Certificate (EV SSL), Organization Validation Certificates (OV SSL), and Domain Validation Certificates (DV SSL);
  • They can also be classified according to the number of subdomains they present, such as single-domain SSL, multi-domain SSL, and wildcard SSL;
  • Websites that have SSL certificates can be identified by the lock symbol, which is in the browser bar, before https;
  • To install this feature on a website, you must have a certification authority (CA);
  • Although effective, SSL certificates are not enough to combat the action of malicious agents;
  • SSL and TLS provide protection in Internet communication protocols (TCP/IP);
  • You have also learned about best practices for your website security and the history of SSL certificates;
  • Another topic shared in this article was the creation of ICP Brasil, which allows issuing digital certificates, providing legal validity to operations carried out remotely;
  • There are different types of digital certificates, which can be used for the most diverse purposes.

    Was our text on SSL certificates helpful to you? Then share it with someone who might benefit from this content.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Senhasegura
Senhasegura strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Presenting The SCADAfence Cloud

A SCADAfence New Feature Report

SCADAfence now offers new advanced services via our cloud. We use the cloud to deliver continuous OT security updates, software upgrades and OT health monitoring.


Cutting Through the Hype of Securing the Zero Trust Edge

What is Zero Trust?

Zero trust is a strategic approach requiring all network users to be authenticated, authorized, and regularly validated. The framework covers the internal and external users of an organization’s network.  

As a cybersecurity concept, it requires full awareness of security policy based on established contexts rather than assumptions. A well-defined zero trust architecture results in simpler network infrastructure, improved defense mechanisms, and a better user experience.  

How Does Zero Trust Work?

Zero trust assumes there is no traditional network edge, whether the network is local, in the cloud, or hybrid. Its maxim is to always verify and to trust no user or device.

The core philosophy of zero trust security is to presume that every user or device is hostile by default. As a model, it responds to the fact that the perimeter security approach isn’t 100% secure. The ability of cyber criminals to breach data even with corporate firewalls is enough proof. Users also access networks from different devices and locations, making it harder to clearly define perimeters while increasing the risk of security breaches.

The approach zero trust uses is to treat all traffic as hostile. For instance, workloads get validated by a set of attributes before they can communicate. It also involves using fingerprint or identity-based validation policies to attain stronger security.   

Zero trust draws on technologies, calls on governance policies, and uses push notifications for effective security. Since protection is environment-agnostic, zero trust secures applications. Moreover, it securely connects devices and users via business policies over any network. That way, it can enable a safe digital transformation.
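The attribute validation described in this section, as an added example that is not part of the original article: a small default-deny decision function in which a connection is allowed only when both workloads have a verified identity and an explicit rule matches their attributes. The workload names, attribute labels, port numbers and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    attributes: FrozenSet[str]   # labels such as "app:web", "env:prod" (constructed)
    identity_verified: bool      # outcome of fingerprint/identity validation


@dataclass(frozen=True)
class AllowRule:
    name: str
    src_attrs: FrozenSet[str]    # attributes the caller must carry
    dst_attrs: FrozenSet[str]    # attributes the callee must carry
    port: int


def decide(rules: Iterable[AllowRule], src: Workload, dst: Workload,
           port: int) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # No request is trusted because of where it comes from: both ends must
    # have passed identity validation before any rule is even consulted.
    for workload in (src, dst):
        if not workload.identity_verified:
            return False, f"deny: identity of {workload.name} not verified"

    for rule in rules:
        # A rule with an empty attribute set would match every workload and
        # silently turn default-deny into allow-all, so it is ignored.
        if not rule.src_attrs or not rule.dst_attrs:
            continue
        if (rule.port == port
                and rule.src_attrs <= src.attributes
                and rule.dst_attrs <= dst.attributes):
            return True, f"allow: {rule.name}"

    # Treat all remaining traffic as hostile.
    return False, "deny: no rule matches (default)"


# Constructed sample policy and workloads.
RULES = [
    AllowRule("web-to-api",
              frozenset({"app:web", "env:prod"}),
              frozenset({"app:api", "env:prod"}),
              8443),
]
WEB = Workload("web-1", frozenset({"app:web", "env:prod", "zone:dmz"}), True)
API = Workload("api-1", frozenset({"app:api", "env:prod"}), True)
WEB_STAGING = Workload("web-stg", frozenset({"app:web", "env:staging"}), True)
WEB_UNVERIFIED = Workload("web-x", frozenset({"app:web", "env:prod"}), False)

if __name__ == "__main__":
    cases = [(WEB, 8443), (WEB, 22), (WEB_STAGING, 8443), (WEB_UNVERIFIED, 8443)]
    for src, port in cases:
        allowed, reason = decide(RULES, src, API, port)
        print(f"{src.name} -> {API.name}:{port}  {reason}")
```

The reason string returned with each decision is what an audit log would record, so denied attempts stay visible for later review.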

Why is Zero Trust Important?

The primary reason for introducing zero trust is to reduce risks. However, it also helps to manage risks associated with remote work, insider threats, and third-party and cloud security.

Zero trust protects organizations in various ways, including:

  • Giving visibility to potential threats while improving proactive remediation and response.
  • Preventing cyber threats like malware from gaining network access. 
  • Simplifying the management of security operations centers through enhanced automation. 

The Benefits of a Zero Trust Edge

The cloud environment is a highly attractive opportunity for cyber actors to steal troves of sensitive data, financial information, and intellectual property.  

While no security strategy offers a perfect solution to data breaches, zero trust helps reduce the attack surface and the severity of cybercrimes. This includes the reduced cost and time spent responding to breaches.

The approach of not trusting any connection without the necessary verification is a crucial factor. Furthermore, companies deal with multiple clouds, data sprawl, and many endpoints, making it only logical to adopt a system that guarantees security.

Other highlighted benefits include:  

  • Reducing the reliance on point solutions designed to detect and stop threat activity. 
  • Limiting possible avenues for data exfiltration. 
  • Enhancing the authority and use of authentication.
  • Reducing the lateral movement of attackers within an organization.
  • Providing visibility into all user activity.
  • Improving both on-premises and cloud-based security posture.

Cutting Through the Zero Trust Hype

There’s no doubt that zero trust architecture gives a new face to trusted network-defining perimeters. However, it remains a theoretical concept in practice for many establishments. 

The challenge for these organizations becomes looking beyond the buzzwords of vendors. They need to put the possible outcomes of any security technology into consideration. One major point to note is that the designs of security solutions follow core principles. The zero trust edge security model also has principles that need evaluation before its adoption. 

According to Forrester’s research, the Zero Trust concept focuses on the integrated, dynamic ecosystem of security capabilities and technologies. Simply put, the principles highlight three areas: access denial to applications and data by default; threat prevention by granting access to networks utilizing continuous and contextual organization policy; and risk-based verification across users and their associated devices.

Any establishment wishing to integrate the zero trust model must consider certain parameters such as:

Internal Applications

An application that lacks micro-perimeter compatibility or Application Programming Interface (API) support for automation makes zero trust implementation impossible. Also, adding new security parameters to existing applications to make them zero trust-aware may not work. Furthermore, it may lead to an existing application’s inability to accommodate a zero-trust model.

What becomes obtainable is a good level of reliance on custom applications, while determining the effort and potential cost required.

Transformation in the Digital Sphere

Adopting the zero trust edge security model could be challenging for organizations using Cloud, DevOps, IoT, and IIoT. These applications do not inherently support the zero trust model. One reason is that they require additional technology to enforce or segment the model. In addition, a straight migration of a raised floor to the cloud discourages zero trust integration. Nonetheless, to bypass this challenge, organizations must develop new cloud applications as a service. That way, they will embrace the zero trust architecture.

Legacy Infrastructure

Some legacy infrastructure and network devices lack authentication models for modifications to contextual usage. It is the very reason they can’t be zero trust edge aware. In addition, all zero trust implementations require a layered approach to enable systems. 

Organizations must weigh their options carefully before venturing into a zero-trust architecture. Monitoring behavior within a non-compatible application comes with limitations. They only get to monitor external interactions of the legacy device. On the flip side, having an accurate infrastructure inventory comes with benefits. Zero trust expects that administrators have a handle on all corporate infrastructures, from users to devices, data, applications, and services. It also requires knowing where these resources reside. With all these in place, center administrators possess the power to detect and respond to cybersecurity threats promptly.

The best way to approach the zero trust architecture is to conduct a thorough investigation. IT and security teams need to ensure that the network technologies of the organizations comply with the architecture. Trust models work strictly on keys or passwords with no dynamic models for authentication modifications.  

Security teams also need to navigate through the aggressive claims of vendors, extensively testing against its use cases, and ensuring product verification is top-notch for integration without creating vulnerabilities. 


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

KIDS BACK AT SCHOOL. CHECK. DEVICES PROTECTED. CHECK.

For many, a new school year symbolizes a new beginning. For kids it’s as much a celebration as New Year’s Eve for adults. New beginnings, a clean slate and starting over. No wonder we want to prepare for it as best we can, to set ourselves, and our children, up for success.
The preparation should not only include the purchase of school supplies and books; today, a very important part is digital security and privacy. We may omit this at times, but unfortunately the back-to-school season offers a great opening for phishing, ransomware and other scams to deceive both us and our children.


Set yourself up for success

There are several threats to look out for, for example the aforementioned phishing scams or ransomware attacks. Make sure you watch out for the most common back-to-school scams, such as scholarship scams, tech support scams and others. However, using these tips you can prevent them from happening and have a cybersafe start to the new school year.

What to do?

  • Do not click unknown links or open suspicious emails
  • Avoid sharing personal information
  • Keep your operating system (OS) up to date
  • Never use unknown portable devices: USB sticks, other people’s smartphones
  • Watch out for bad grammar/generic openings
  • Use a strong password and don’t leave your device unlocked or unattended
  • Back up your data regularly
  • Ask your school or university about their privacy and security policy
  • If you are a parent, invest in efficient Parental Control

Secure your mobile device

Whether you are a parent, a teacher or a child, your phone is a powerful tool. It is certainly a great tool to keep in contact, stay on top of assignments and other school activities. But it is also a tool for malicious actors to invade your privacy and security. Keeping it safe is therefore one of the key things in ensuring a smooth and safe back to school transition.  

A great way to start is with ESET Mobile Security on your Android mobile devices. It is a solution that ensures security against a multitude of mobile threats while securing users’ data.  

ESET Mobile Security aims to provide a safe environment by leveraging its Anti-Phishing feature. The feature integrates with the most common web browsers (Chrome and many others) available on Android devices to provide protection to any and all online activities you want to carry out.  

We recommend you keep Anti-Phishing enabled at all times. All malicious websites, listed in the ESET malware and phishing database, will be blocked and a warning notification will be displayed informing you of the attempted attack. 

Other features of ESET Mobile Security include:  

  • Anti-Smishing – protects you from SMS and App notifications containing malicious links
  • Antivirus – protection against malware: intercepts threats and cleans them from your device   
  • Payment protection – lets you shop and bank safely online   
  • App lock – requires extra authentication to access sensitive apps; protects content when you’re sharing a device   
  • Anti-Theft – a powerful feature to help protect your phone and find it if it goes missing  
  • Network inspector – scans your network and all connected devices to identify security gaps   
  • Call filter – blocks calls from specified numbers, contacts and unknown numbers   
  • Adware detector – identifies and removes apps that display ads unexpectedly 
  • Real-time scanning – scans all files and apps for malware   
  • Scheduled scans – checks your device every time you charge it, or whenever you want   
  • Security audit – checks an app’s permissions   
  • Security report – provides an overview of how secure your device is   
  • USB on-the-go scanner – checks any connected USB device for threats   
  • Up to 5 devices – pay once, protect 5 devices associated with the same Google account  

ESET Mobile Security makes your Android phones and devices easy to find and harder to steal, and it helps to protect your valuable data. 

If you want to protect your phone with ESET Mobile Security, you’re in luck! From August 25 to September 7, the premium version of ESET Mobile Security will be 50% off. No need for a promotional code; the discount will automatically be added to your checkout! It couldn’t be easier.    

The most powerful tool

Your most powerful tool when trying to keep your children safe in the digital world is educating yourself and talking to them about healthy use of digital technology and the threats they may encounter. Have regular conversations with your children about privacy, security and proper online behavior. Make sure they feel safe to talk to you about anything that might make them feel uncomfortable in the digital world.

To better educate yourself and your children, visit saferkidsonline.eset.com.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Research jointly presents Industroyer2 at Black Hat USA with Ukrainian government representative

  • ESET researchers Robert Lipovský and Anton Cherepanov recently presented their research on Industroyer2 at the Black Hat USA 2022 conference.
  • Joining the presentation was Deputy Director of Ukraine’s State Service of Special Communications and Information Protection Victor Zhora.
  • This is the first time that a Ukrainian governmental representative has taken part in such a high-profile cybersecurity conference.
  • ESET researchers pledged to continue working with CERT-UA to support its cyberdefenses.


BRATISLAVA, LAS VEGAS — ESET researchers Robert Lipovský and Anton Cherepanov recently presented breakthrough research into Industroyer2 during a Black Hat conference in Las Vegas, along with Victor Zhora, the Deputy Director of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP). This is the first time that a Ukrainian governmental cybersecurity expert has participated in one of the most prestigious cybersecurity research conferences in the world.

The “surprising” appearance of Zhora during ESET’s presentation was an additional opportunity for research, expert, and media audiences alike to gain in-depth information on Ukraine’s capability to resist the cyber warfare waged by the Russian aggressor.

“The Industroyer2 attack was thwarted thanks to the swift response of Ukrainian defenders and CERT-UA. We provided the Ukrainian side with crucial analysis of this threat, which could have become the most substantial cyberattack since the beginning of the invasion had it succeeded. Our researchers are ready to continue to work with CERT-UA to support its cyber defenses,” says Lipovský, ESET’s Principal Malware Researcher, who presented the Industroyer2 research at Black Hat with Cherepanov.

Earlier this year, ESET researchers responded to a cyber-incident affecting an energy provider in Ukraine. ESET worked closely with the Computer Emergency Response Team of Ukraine (CERT-UA) in order to remediate and protect this critical infrastructure network.

The collaboration resulted in the discovery of a new variant of Industroyer malware that ESET Research together with CERT-UA named Industroyer2. Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine. In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families. These consisted of disk wipers for the Windows, Linux, and Solaris operating systems.

“Since the end of World War II, humankind has never faced such grave challenges as today, when Russia invaded Ukraine. However, the parallel war in cyberspace is an absolutely new challenge. The knowledge we have gained by this research should be part of a universal common knowledge that helps defend the civilized world from such threats. I’d like to express my gratitude to all our partners who keep supporting us in this unprecedented war and in our struggle for life,” added Zhora.

The State Service of Special Communications and Information Protection of Ukraine is a specialized executive authority whose key functions include provisioning secure government communications, the government courier service, information protection, and cyber defense.

For more technical information about Industroyer2, check out the blogpost Industroyer2: Industroyer reloaded, and for more about the Black Hat presentation, check out Black Hat 2022 – Cyberdefense in a global threats era on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


Ethics and Morally Ambiguous Security Pursuits

Most cybersecurity professionals understand moral ambiguity. Just ask Marcus Hutchins, the “accidental hero” who stopped the WannaCry ransomware attack in its tracks.

Hutchins was working as a security researcher when he discovered a critical flaw in the malware — its kill switch. Not long after, he was indicted on federal charges related to his previous work as a malware developer on HackForums – a bustling collective of young hackers.

Thankfully, Hutchins was eventually cleared of all charges. But his story highlights the murky ethical landscape that many security researchers operate in.

On one hand, companies and individuals are better off when security researchers find and disclose vulnerabilities. On the other hand, some researchers find – or develop – exploits to sell on the dark web. For budding cybersecurity researchers, it’s not always clear where the line is.

After reading Hutchins’ story, I thought a lot about the nature of communities. Communities in the Internet age, specifically, and how they can lead us to the best things the Internet has to offer, or to the worst corners of others’ minds.

Take YouTube, for instance – its algorithm is designed to serve content that pushes users deeper into a specific topic, often toward morally questionable content. The same is true of TikTok, Facebook, and a slew of others. This subconscious manipulation is one of many reasons why it’s so difficult to find a like-minded community where you can collaborate and learn.

Hutchins didn’t need an algorithm to push him into the dark side. He found it while poking around a young hacking forum. Pretty soon, he would go from admiring malware to building his own, with increasingly dark results. Eventually, Hutchins built his own community, amassed followers on the order of tens of thousands, and attracted the attention of Kryptos Logic. And thus began his white-hat path toward neutering WannaCry.

“There’s [a] misconception that to be a security expert you must dabble in the dark side,” said Hutchins. “It’s not true. You can learn everything you need to know legally. Stick to the good side.”

I can only wonder how much more good Hutchins could have done had he found the “good side” long ago. Or, how much good current black-hat hackers could accomplish with encouragement from the right community.

The Modern Security Researcher’s Tribe

In the early days of hacking, only a handful of people could exploit vulnerabilities and gain unauthorized access to systems. These individuals were self-taught, like Hutchins, and their skills were not widely known or understood. As the Internet grew, more and more people became interested in hacking culture, sharing their knowledge and developing new techniques.

It’s a constantly evolving field.

Researchers used to be seen as “lone wolf” operators, working in isolation to scratch an intellectual itch. But the cybersecurity profession has undergone a dramatic transformation in recent years. Today’s security researcher is less likely to be a lone wolf and more likely to be part of a team, working together to uncover critical vulnerabilities and exploits (CVEs) and develop solutions. They are also more likely to use sophisticated tools and techniques to find vulnerabilities in systems. And thanks to the power of the Internet, they can reach a global audience with their findings.

This shift has been driven by the increasing complexity of attacks, which require greater levels of expertise to defend against. Security research is now an essential part of the modern IT landscape, and it is only going to become more important in the years to come.

One thing is certain, though: The work of security researchers has a profound impact on society. They are the ones who find the vulnerabilities that can be exploited to cause massive damage – like WannaCry. But the vulnerabilities they find could just as easily end up in the hands of bad actors who are intent on ripping off people and/or harming critical infrastructure.

The job is a delicate balancing act, one that requires a great deal of responsibility.

It’s important to remember that security researchers are not immune to the same biases and motivations that affect everyone else. They need support, and people to hold them accountable when they come across that ethically dubious line.

There’s no question that security research is a vital part of keeping our online world safe. But where do these researchers thrive? In what types of environments do they do their best work?

For many security researchers, it’s all about the community. It’s here where groups of like-minded individuals share information and ideas. And there are numerous online forums and newsletters where they can share ideas, debate techniques, and collaborate. In addition, there are conferences and in-person meetups to discuss the latest trends and challenges.  

By working together, they can pool their knowledge and resources, making it easier to identify and neutralize threats. In addition, the security research community provides a supportive environment for new researchers, helping them to develop the skills and knowledge that they need to be successful.

Today, the security research community is vast and diverse. It includes individuals from all walks of life, with varying levels of expertise. Some security researchers are full-time professionals, while others are hobbyists or students. But regardless of their background or experience, they all share one common goal: to find and report CVEs. That’s why we developed vsociety – for security researchers to share CVEs and gain communal support.

Of course, not all security researchers need or want to be part of a community. Some prefer to work independently, researching new vulnerabilities and developing innovative new solutions to exploits. For these researchers, the lack of community involvement can actually be a benefit, as it allows them to focus entirely on their work as they see fit. And, for that matter, not every community offers consistent, genuine support.

Take Twitter, where many security researchers gravitate due to a lack of good online communities. Twitter can be a great source of support, but it can also be a breeding ground for new threats. In recent years, we’ve seen several cases of hackers on Twitter developing and releasing malware that caused real-world damage.

Yes, social media intelligence can be a valuable asset for gathering insights on threats or contextualizing current research. But the information found on Twitter needs a thorough scrubbing for veracity and reliability.

Why? Because Twitter is rife with fake news and content disguised to harm organizations or people. The proliferation of misinformation requires security researchers on Twitter to always use keen judgment. But some activities on social media can fall in a gray area, meaning they may be illegal in certain jurisdictions but do not violate Twitter’s terms of service. If a security researcher runs with such information, they could be compromised.

Indeed, it’s more important than ever to find a cybersecurity community that nurtures “good faith” vulnerability hunting. After all, we’re on the verge of the new age in security research…

A New Catalyst for Good Emerges

Security researchers work tirelessly to find vulnerabilities in software and systems, and they report these bugs to the appropriate parties so they can be patched. Many of these researchers also participate in bug bounty programs, which offer rewards for finding and reporting security vulnerabilities. In other words, they get paid to hack systems and find weaknesses. Without security researchers, we would be living in a much less safe and secure world.

While bug bounties can be a great way to crowdsource security testing and build goodwill with the bug-hunting community, they can also be great for adding a misdemeanor (or worse) to your record. The good news is that the U.S. Justice Department recently directed prosecutors not to go after hackers under the Computer Fraud and Abuse Act (CFAA), but only if their reasons for hacking are ethical. Ethical reasons include bug hunting, disclosing CVEs responsibly, and above-board penetration testing.

This is huge news.

While some believe the new policy doesn’t go far enough to protect individual bug hunters, it does provide more freedom for security researchers to find and report CVEs without the fear of legal repercussions. Still, individual security researchers must mind the ethical gap. If they unwittingly cross a muddled line (made even more indecipherable by the policy’s bureaucratic speak), they could be met with legal consequences—making it all the more important for security researchers to learn how to apply caution and ethics in their bug hunting.

A Tribe Called Home

“In my career I’ve found few people are truly evil, most are just too far disconnected from the effects of their actions,” wrote Marcus Hutchins. “Until someone reconnects them.”

A good community – if it does its job well – can reconnect even the most ethically disconnected individuals. But it’s essential for everyone – from individuals to companies to government agencies – to do their part to improve cybersecurity. Whether it’s investing in better security tools or simply being more careful about what information is shared online, we all have a role to play. Our role is in building a community that security researchers may turn to for education, collaboration, and thought leadership.

As technology advances, so must the methods used to protect our data. Cybersecurity professionals are constantly working to stay ahead of hackers by developing new security measures and techniques. At the same time, security researchers are working just as hard to identify potential vulnerabilities in these systems so that they can be addressed before they can be exploited. As security professionals, we are constantly trying to stay ahead of the latest threats and vulnerabilities. We need to be able to quickly identify attacks, respond to them, and prevent them from happening again. To do this, we rely on security researchers who help us understand how attackers operate and what new techniques they are using. It is a never-ending race, but it is one that is essential to the safety of our digital world. And in today’s digital landscape, community plays a pivotal role in driving security researchers toward “good faith” vulnerability hunting.

There will be plenty more people like Marcus Hutchins. Some will discover the “dark side” and transition over to the “good side.” Others will discover the “dark side” and remain. With positive support from the right community, we can better steer the Marcus Hutchinses of this world over to the good side of security research.

#security #community #ethics #hacking #hackers

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Blockchain Security – The New Threat. Part 2.

The Blockchain Threat

This is the conclusion of a two-part series. Read part one here.

One of blockchain technology’s claims to fame is that it enables trustless interactions between parties. For the most part, this is a true statement.

Corrupt technology and fallible human actors can cause unwanted outcomes. But for better or worse, the truth of the matter is that we’ll never be able to do away with the need for trust. Humans must remain in the equation in some way or another.

Blockchains simply alter who we need to trust.

For example, when sending money to someone, banks normally function as the trusted intermediary. They take the money you want to send, and then they pass it on to your friend.

Thanks to “trustless” blockchains, folks can send money to a far-off friend without the need for a trustworthy bank.

And despite there being no direct middlemen involved, trust is still involved in the process.

We’re not required to trust a bank in this case, but we are still required to trust. We must place our trust in the developers of blockchains, smart contracts, wallets, and the like.

It isn’t a bank handling our money — it’s thousands (and thousands) of lines of code.

But what if that code contains mistakes, or is compromised in some way?

How Blockchains Can Be Compromised

Blockchains are vulnerable in four main ways:

  • Phishing.
  • Sybil attacks.
  • Routing.
  • 51% attacks.

Phishing: Phishing in the blockchain world is accomplished by targeting wallet key owners. A bad actor may send an official-looking email that prompts the reader to enter their wallet key credentials.

Sybil: In a Sybil attack, one bad actor tries to take over a network by creating multiple nodes on a blockchain network. They then crash the network by flooding it with false network identities.

Routing: As the blockchain passes data back and forth via large, real-time data transfers, bad actors can intercept said data before it gets to the ISP. Once they’ve intercepted the data, these hackers can steal your data and/or money, all without ever setting off an alarm.

51% Attacks: In order to exert control over a blockchain ledger, a participant must own more than 50% of the network. This is theoretically possible if a group of blockchain miners band their computing power together to attain more than half of the mining power on the network. From there, these bad actors could edit the ledger as they see fit.

Being able to prevent hacks from happening is the best-case scenario.

But clearly, this doesn’t work — more than $1.2 billion has been stolen so far this year… and that’s only money taken from decentralized finance (DeFi) platforms.

Since hackers often move faster than these platforms, it can seem futile to try and keep pace with them.

But keeping pace with the threat is exactly what several blockchain-based cybersecurity firms are doing.

The Cryptos Tackling Blockchain Security

Take CertiK, a blockchain cybersecurity firm that provides a variety of security solutions for the crypto world. CertiK performs audits of crypto projects, aiming to reveal any issues that could be exploited by bad actors. After first letting project developers fix their code, CertiK publishes these reports online to remain transparent in its ratings. And it keeps an updated “Web3 Security Leaderboard” on its website for all to see.

Obviously, not everyone has the time, energy, and expertise to manually dig through code to find potential flaws.

And that’s one reason CertiK exists — to manage the technical side of research for investors and end users.

CertiK also offers on-chain smart contract monitoring via its Skynet platform.

Skynet is powerful. It monitors on-chain activity in real time, which enables teams to not only detect unintended network usage but also monitor growth metrics.

SkyTrace is another of its monitoring tools. It’s like Skynet but is specifically designed to track wallets. SkyTrace detects suspicious activity and fraud, and it can also verify that wallets comply with certain regulations before being interacted with. And this feature is free for public use.

CertiK also offers penetration testing for wallets, exchanges, and decentralized applications (dApps) to help discover bugs and exploits before they’re taken advantage of.

Then there’s Lossless, which got its start when one of its founders was affected by a DeFi hack.

Wanting to take matters of security into their own hands, they worked diligently to find ways to mitigate risk to their own personal assets.

And somewhere along the way, they realized the significant impact their idea could have within the entire DeFi space. Lossless was born – the first and only DeFi hack mitigation tool.

Rather than attempting to prevent hacks from happening, Lossless aims to stop malicious actors as quickly and effectively as possible.

When most hacks happen, the affected projects are quite hopeless. It’s entirely up to the hacker to return any stolen assets. Hopefully, there’s some way to prevent further damage, but this isn’t always the case.

With Lossless, hacking scenarios play out differently.

Here’s how it’s typically used:

  1. A project integrates Lossless’ code into its own, which enables certain functions like token freezing.
  2. When a bad actor attempts to steal funds in some way, finders — who have access to the Lossless SDK to build hack detection tools — can stake LSS tokens to temporarily freeze the affected ones. Other parties can add to this stake if they believe the finder to be correct in their assumption.
  3. Members from the Lossless team, the project team, and other Lossless committee members then meet to determine whether the hack is legitimate.
  4. If there is a hack, the bulk of the money that was frozen is returned to the project. As a reward for preventing a potentially crippling hack, a percentage of the recovered funds goes to the finder and others that staked to them, as well as to the Lossless team. This incentivizes finders to develop cutting-edge threat detection, and it provides funding for the crypto’s team.
  5. If there is no hack, the money is unfrozen, and the finder’s stake is confiscated. This ensures only threats that appear legitimate are reported and the ability to freeze transactions is not abused.
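The five-step flow above, modelled as a small state machine to show how the freeze, the stake, and the verdict interact. This is an added example, not Lossless' SDK or contract code: the class and method names are hypothetical, and the reward percentages are assumed because the article gives none.

```python
from dataclasses import dataclass, field

# Assumed reward split in basis points; the article gives no percentages.
FINDER_POOL_BPS = 500  # finder and co-stakers, shared pro rata by stake
TEAM_BPS = 200         # the mitigation tool's own team


@dataclass
class Report:
    frozen_amount: int                          # balance locked at report time
    stakes: dict = field(default_factory=dict)  # staker -> LSS staked
    is_open: bool = True


class FreezableToken:
    """Toy ledger for a token that integrated freeze support (step 1)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.reports = {}  # suspect address -> Report

    def is_frozen(self, address):
        report = self.reports.get(address)
        return report is not None and report.is_open

    def transfer(self, sender, recipient, amount):
        if self.is_frozen(sender):
            raise PermissionError(f"{sender} is frozen pending review")
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid amount or insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def report(self, finder, suspect, stake):
        """Step 2: a finder stakes LSS to freeze the suspect's balance."""
        if stake <= 0:
            raise ValueError("a report must be backed by a stake")
        if self.is_frozen(suspect):
            raise ValueError("suspect is already under review")
        self.reports[suspect] = Report(self.balances.get(suspect, 0),
                                       {finder: stake})

    def co_stake(self, backer, suspect, stake):
        """Step 2, continued: others add to the finder's stake."""
        if not self.is_frozen(suspect) or stake <= 0:
            raise ValueError("no open report or invalid stake")
        stakes = self.reports[suspect].stakes
        stakes[backer] = stakes.get(backer, 0) + stake

    def resolve(self, suspect, is_hack, project, team):
        """Steps 3-5: apply the committee's verdict and settle."""
        if not self.is_frozen(suspect):
            raise ValueError("no open report for this address")
        report = self.reports[suspect]
        report.is_open = False  # the address is unfrozen either way
        if not is_hack:
            # Step 5: funds stay put and the stake is forfeited (assumed
            # to cover co-stakers too; the article names only the finder).
            return {"confiscated_stake": sum(report.stakes.values())}
        # Step 4: pull back the frozen amount and split it.
        amount = report.frozen_amount
        self.balances[suspect] = self.balances.get(suspect, 0) - amount
        pool = amount * FINDER_POOL_BPS // 10_000
        total_stake = sum(report.stakes.values())
        payouts = {who: pool * stake // total_stake
                   for who, stake in report.stakes.items()}
        payouts[team] = amount * TEAM_BPS // 10_000
        # The bulk, plus any rounding dust, returns to the project.
        payouts[project] = amount - sum(payouts.values())
        for who, value in payouts.items():
            self.balances[who] = self.balances.get(who, 0) + value
        return payouts


def demo():
    """Constructed scenario: 1,000,000 tokens drained to 'attacker'."""
    token = FreezableToken({"attacker": 1_000_000})
    token.report("finder", "attacker", stake=300)
    token.co_stake("backer", "attacker", stake=100)
    try:
        token.transfer("attacker", "elsewhere", 1_000_000)
        moved = True
    except PermissionError:
        moved = False  # the freeze held while the committee deliberated
    payouts = token.resolve("attacker", True, "project", "tool_team")
    return moved, payouts, token.balances


if __name__ == "__main__":
    print(demo())
```

The false-alarm path matters as much as the payout: a rejected report unfreezes the address and costs the reporter the stake, which is what keeps the freeze power from being abused.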

Freezing assets might sound antithetical to crypto’s decentralized principles, but many would see the financial damage done through hacked funds as far outweighing any inconveniences.

And perhaps the committee that determines whether a hack has occurred may someday be replaced with a more decentralized body of individuals. The sky is the limit in the future. But for most projects, some amount of centralization is necessary at the start.

And most likely, unless you’re moving vast amounts of money or completing bizarre transactions, you’ll never be affected by it.

For many with money invested in DeFi protocols, the peace of mind a Lossless integration allows far outweighs any cons.

#vicarius_blog #blockchain

‘Security in the Cloud: The SaaS Backup Gap Challenge – and Solution.’

Though businesses have been gradually migrating to the cloud for the better part of the past decade, cloud security has only recently become a hot topic due to the drastic shift to remote work.

When the COVID-19 crisis hit, many organizations had to scramble to enable their employees to work remotely. As a result, the adoption of SaaS applications spiked. For all of the benefits of migrating to the cloud, this frenzied adoption of SaaS apps has brought challenges that are becoming increasingly clear.

For many businesses, the pace at which they migrated to the cloud was necessary for their business to survive – but it sometimes meant sacrificing security in order to get employees up and running as quickly as possible. 

Current cloud data security trends 

In many instances, organizations adopted applications and tools that were never intended for use in the cloud, often euphemistically calling them “bolt-on” solutions.

As a result, these tools are not robust enough to meet the security demands of a cloud environment and are vulnerable to data leaks – and there are statistics that back this up:

A recent cloud computing study found that 46% of companies use cloud-based applications built for the cloud – while just over half (54%) moved applications used on-premises to a cloud environment.

And over the last year and a half, 79% of organizations have been the victim of at least one cloud information breach. Even more strikingly, 43% of companies have reported ten or more violations in the past year and a half.

Addressing the assumption: SaaS vendor responsibility 

So, what makes SaaS data particularly susceptible to data loss – either as a result of human error or malicious intent? The answer: neglecting to back up SaaS data automatically! Only if you proactively choose to back up your SaaS application data will you be able to recover your cloud data in the event of system outages, deletions, and breaches.

Many organizations make the dangerous assumption that their SaaS vendor is protecting their data and is compliant with regulations. But in fact, most have no (or very limited) data protection capabilities. Some offer data protection, but many fall short of meeting the range of cloud security challenges organizations face. The vendors only protect the applications (not the data being processed) – let alone the metadata.

Consequently, as businesses integrate and move their work into the cloud, they encounter a fundamental challenge: The security protocols they’ve put in place on site aren’t at all what they’ll need in the cloud, where everything is software native and sophisticatedly integrated. The technology built to back up on-prem products is not geared to back up cloud products. It’s a bit like sending a text message to an old landline phone. 

How can you protect your company’s data? 

According to a 2021 study by Enterprise Strategy Group (ESG), only 13% of companies take in-house responsibility for protecting all of their SaaS app data. Meanwhile, the study found that 35% rely solely on SaaS vendors to protect data, while 51% depend on both their SaaS vendor and an independent third-party solution to store backup outside of the production area.

For many companies, their SaaS application data is a mission-critical resource at the core of their operations – and as such, these companies require the highest levels of security. So how should they protect this cloud SaaS data? The best solution is to turn to a true third-party backup and recovery provider to ensure your cloud data is safe and secure, regardless of what your SaaS vendor offers.

Want to know more about Keepit’s security? Read our SaaS data security guide.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on 20+ years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.