02 May 2018
Security 101

Security 101: A 2018 Thesaurus for InfoSec

There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.

Slava Ivanov, Distinguished Software Engineer at Echoworx, with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles, is committed to developing a 2018 Thesaurus for information security.

 

MAY

Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?

A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. Bluejacking is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy – with an attacker connecting to an early-Bluetooth device, without the owner’s knowledge, and downloading their phonebook, calendar and more. Bluebugging goes further – with complete virtual takeover of the device. Once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, without your knowledge.

Q: SAML OR OAUTH?

A: SAML (Security Assertion Markup Language) is usually used when a solution requires centralized identity management, involves SSO with at least one enterprise participant, or provides access to an application. OAuth (Open Authorization) is usually used when a solution provides access to resources, such as accounts, files, etc., or involves mobile devices. Both technologies can be used at the same time. For example: use SAML for authentication; once the SAML token is processed, use it as the OAuth bearer token to access protected resources over HTTP.

Q: WHAT ARE THE TYPES OF BIOMETRICS?

A: There are two main types of biometrics. Physiological biometrics relate to what we are, including specific measurements, dimensions, and characteristics of our body; your face, eyes, vein pattern or fingerprint are examples of physiological biometric data. Behavioral biometrics relate to what we do, our personal habits and unique movements; your voice, gestures, walking style, and handwritten signature are the simplest examples of this type.

Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?

A: It’s almost impossible to completely prevent identity theft; however, it is possible to reduce the risk by following some simple tips:

  1. Be aware of your privacy settings on social media.
  2. Use strong and different passwords when creating online accounts.
  3. Do not open suspicious emails, which may be phishing for data.
  4. Do not provide any information to websites which are not using an SSL connection.
  5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.

 

APRIL

Q: WHY USE SAML?

A: The Security Assertion Markup Language (SAML) is an open standard that defines an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for separate passwords for multiple applications and services by enabling a token-based authentication exchange. It solves this key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security through centralized control over authentication and access.

Q: WHAT IS PCI COMPLIANCE?

A: PCI stands for the Payment Card Industry and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council, some of which are: maintain an information security policy; monitor and maintain a secure network; implement strong access controls; protect sensitive information. Customers of such businesses should feel safe and confident that their data will be protected.

Q: WHAT IS IDENTITY THEFT?

A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.

Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?

A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES works on 128-bit blocks, using keys sized at 128, 192, and 256 bits. In the Rijndael design itself, the key size is unlimited, whereas the maximum block size is 256 bits. AES is more secure and enables faster encryption than its predecessors DES and 3DES. Overall, AES has proven to be a reliable cipher over time.

 

MARCH

Q: BLUETOOTH: CONVENIENCE WITH A PRICE?

A: We use Bluetooth technology every day to connect our headphones, fitness trackers, the car’s hands-free system, etc. It’s important to know about the security issues associated with the technology. Bluetooth sends data wirelessly, where it can be intercepted by the wrong people. To protect your information, consider setting your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.

Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?

A: Phishing scams mimic reputable entities like banks, online resources, and legitimate and authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called phishing due to the long-standing hacker tradition of using “PH” instead of “F”. Be careful not to fall for the tricks set up by those Phishermen, and prevent yourself from getting caught in the Phish net.

Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?

A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle. It’s named after two cryptographers, Whitfield Diffie and Martin Hellman. DH allows two parties to securely establish cryptographic keys over a public channel without having anything shared beforehand. The established shared secret key can then be used to encrypt subsequent communications. The DH exchange itself doesn’t provide authentication of the parties and could be vulnerable to a man-in-the-middle attack. Variants of DH with authentication should be considered.
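An added example, not from the original page: the exchange in Python over a toy group (assumption: p = 2^127 - 1, g = 5; real deployments use standardized groups of at least 2048 bits), with an optional pre-shared-key MAC as the simplest authenticated variant, showing why the plain exchange cannot tell a direct peer from an in-path relay and how the authenticated form rejects it.

```python
import hashlib
import hmac
import secrets

# Toy group chosen for readability (an assumption of this example): p is the Mersenne prime
# 2^127 - 1 and g = 5. Real deployments use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 5


class Party:
    """One side of the exchange. With a pre-shared key (psk) the party also MACs its public
    value, which turns plain DH into the simplest authenticated variant."""

    def __init__(self, name, psk=None):
        self.name = name
        self.psk = psk
        self.priv = secrets.randbelow(P - 3) + 2   # private exponent in [2, p-2], never sent
        self.pub = pow(G, self.priv, P)            # g^priv mod p, safe to send in the clear

    def _tag(self, name, pub):
        return hmac.new(self.psk, f"{name}:{pub}".encode(), hashlib.sha256).digest()

    def message(self):
        tag = self._tag(self.name, self.pub) if self.psk else b""
        return {"from": self.name, "pub": self.pub, "tag": tag}

    def derive(self, msg):
        """Check the peer's tag (when authenticating) and derive the session key."""
        if self.psk and not hmac.compare_digest(self._tag(msg["from"], msg["pub"]), msg["tag"]):
            raise ValueError("peer's public value failed authentication")
        shared = pow(msg["pub"], self.priv, P)     # (g^b)^a == (g^a)^b == g^ab mod p
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()   # key derivation step


def honest_exchange(psk=None):
    """Alice and Bob talk directly; True when both derive the same key."""
    alice, bob = Party("alice", psk), Party("bob", psk)
    return alice.derive(bob.message()) == bob.derive(alice.message())


def relayed_exchange(psk=None):
    """An in-path relay (the man in the middle the text warns about) replaces each public
    value with its own. Returns 'rejected' when authentication catches this, otherwise
    'same_key' or 'different_keys' describing what Alice and Bob actually end up with."""
    alice, bob = Party("alice", psk), Party("bob", psk)
    relay = Party("relay")                         # knows the group, does not know the PSK
    to_alice = {"from": "bob", "pub": relay.pub, "tag": b"not a valid tag"}
    to_bob = {"from": "alice", "pub": relay.pub, "tag": b"not a valid tag"}
    try:
        key_alice, key_bob = alice.derive(to_alice), bob.derive(to_bob)
    except ValueError:
        return "rejected"
    # Unauthenticated: each side now shares a key with the relay, not with each other.
    return "same_key" if key_alice == key_bob else "different_keys"


if __name__ == "__main__":
    print("direct, no auth:", honest_exchange())
    print("relayed, no auth:", relayed_exchange())
    print("relayed, PSK auth:", relayed_exchange(b"example-psk"))
```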

Q: WHAT IS SSL HANDSHAKE?

A: An SSL/TLS connection between a client and a server starts with a “handshake.” This includes a few steps, starting with validating the identity of the other party and concluding with the generation of a common session key. In the RSA key-exchange form of the handshake, the server first sends a public key to the client to be used for encryption; the client generates a symmetric key, encrypts it and sends it back; then the server decrypts this session key using its private key. Now the server and the client are ready to use this symmetric key to encrypt and decrypt the transfer of data.

 

FEBRUARY

Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?

A: Face recognition technology is already helping in many areas of our lives, such as airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Let’s explore how the technology can be used to personalize marketing. It can, for example, replace a store loyalty card. When you walk into the store, the staff would know what you bought last time, provide you with personal offers, and redeem your points. The store itself may tailor its offerings by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.

Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?

A: Both. TLS uses an asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a public key to encrypt data and the receiver needs a private key to decrypt it. Bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over the established secure session. For symmetric encryption, both sender and receiver share a single symmetric key to encrypt and decrypt data.

Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?

A: Voice-enabled assistants, like Google Home, Amazon Echo, etc., can answer your questions, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. The assistant is always listening: consider using the “mic mute” button to turn it off when not needed. Anyone can control your device: consider not connecting some IoT appliances, like smart door locks, and disable payment options that are not being used. Enjoy your digital home assistant, but don’t make it the host.

Q: WHAT IS OBFUSCATION?

A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often used on the computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding. It can be reversed by using the same technique or simply as a manual process that just takes time.

Q: WHAT ARE THE FACTORS OF AUTHENTICATION?

A: There are three main categories of authentication factors:

  • Knowledge is something you know, for example a simple user name and password;
  • Possession is something you have, such as your access card or key fob;
  • Inherence is something you are, a biometric characteristic like a fingerprint.

Sometimes your location is considered a 4th factor. Multifactor authentication significantly increases security but will obviously impact user experience.

 

JANUARY

Q: WHAT IS DATA ENCODING?

A: In computer technology, encoding transforms original data into another format so it can be transferred to and consumed by different systems. For example, binary-to-text Base64 encoding is used to send binary files over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it’s safely and properly consumed.

Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?

A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, eye iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise-grade products are opting out to ensure maximum information security. The main authentication factor is knowledge, such as a password or PIN. Biometric data was never designed to be a secret. Can you imagine yourself wearing gloves all the time?

Q: IS FACE ID MORE SECURE THAN TOUCH ID?

A: Apple claims there is a 1 in a million chance that someone can unlock your device using Face ID, compared to a 1 in 50,000 chance of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device, so it’s best to make it a strong one.

Q: WHAT THE “HEX”?

A: Hexadecimal numbers (hex, or base-16) are widely used in computing and math as a representation of binary values. Each hexadecimal digit represents four bits, or half a byte. 16 unique symbols, 0-9 and A-F, are used to represent a value.

This purple color has the HTML hex number #7334A4:

  • 73 (hex) is (7×16) + (3×1) = 115 (decimal) of red
  • 34 (hex) is (3×16) + (4×1) = 52 (decimal) of green
  • A4 (hex) is (10×16) + (4×1) = 164 (decimal) of blue

In RGB space our color will be rgb(115, 52, 164).

This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.


17 Apr 2018

Echoworx Adds Secure Bulk Document Delivery, Streamlining Sensitive Business Processes

RSA CONFERENCE – SAN FRANCISCO, CALIFORNIA – Companies and institutions across the globe are embracing Echoworx’s OneWorld encryption platform to ensure their important data is protected. And now by enabling the Secure Bulk Mail (SBM) feature within OneWorld, organizations can streamline their business operations while knowing that their communications are secure.

Echoworx President and CEO Michael Ginsberg says encryption has become part of the normal business process to prevent against data breaches and cyber-attacks and using it to automate processes has been a natural evolution. OneWorld provides organizations around the world with a single, flexible, easy-to-use encryption solution that can be integrated into their existing infrastructure.

“Over the last five years, encryption has gone mainstream, and because of its expanded usage, it’s moving from being an individual, manual process to being part of everyday business processes,” says Ginsberg. “We now have the tools to enable an institution or company to automate the secure bulk delivery of documents by generating personalized emails and then leveraging OneWorld’s multitude of encryption methods and reporting features, taking a heavy load off the institution.”

Organizations using Echoworx advanced encryption platform reap the benefits of being able to communicate with customers and partners quickly and securely. The platform offers large institutions, such as those in the financial sector, new and improved ways to engage customers and increase market share by offering secured services like e-statements. Documents such as financial statements and health records used to be mailed or faxed, but OneWorld’s SBM feature facilitates a paperless system, eliminating the cost and handling of paper transactions and enhancing customer experience.

“The change from paper mail to email is easy for any institution to adopt,” says Ginsberg. “Most consumers would prefer to receive statements by email, but sensitive information has to be kept private, so you need encryption. We added a secure bulk mailer feature at the request of our clients, who asked us to take it a step farther and address the delivery of bulk documents as well.”

While other services limit how encrypted documents are sent, organizations using SBM from Echoworx get all the options and benefits of the OneWorld encryption platform such as multiple encryption methods to ensure seamless communications to a variety of recipients, including TLS, S/MIME or PGP encryption, Secure PDF (full message), Secure PDF with secure Zip files, and Encrypted Web Portal.

Utilizing cloud services, Echoworx is not restricted by physical resources or IT intensive infrastructure maintenance. Their industry-leading encryption platform can be up and running in a jurisdiction within a short time, at an economical cost. To learn how Echoworx is emerging as a global leader in email security, stop by Booth 2019 at the RSA Conference from April 16-20 at the Moscone Center in San Francisco, California.

----

About Echoworx

Echoworx is a trusted path to secure communications. As a pure-play encryption solutions provider, Echoworx works with finance, government, healthcare, legal, and compliance professionals to tailor secure communication solutions that don’t impede customer experience. Our scalable encryption platform, OneWorld, can address multiple uses across an organization. Our encryption experts take pride in transforming chaos into order for leading multi-national enterprises using our SaaS encryption platform.


Media Contact

Lorena Magee, VP Marketing
media@echoworx.com
416 226-8600

 

14 Apr 2018

Working in the Cloud: How to Secure Large File Exchange

Exchanging files – it sounds so easy. But if you look at the multitude of file exchange activities in a typical organization today you’ll begin to understand the challenge.

First, there’s size.

Typical email configurations restrict attachment sizes to 20 MB or less, which does not reflect the actual size of files being sent today. In the past, exchanging a 20 MB file was uncommon; today our clients share files well over 100 MB on a regular basis, with recipients around the globe.

This leads to yet another issue – performance.  Email was never designed to handle extremely large files, so when it does it often leads to delivery and network performance problems. We’ve all experienced it. You send a message with a large attachment only to get an undelivered message hours, maybe even days later. Today most corporate policies stop you from even attaching files over a certain size at the point of sending.

Leading us to security.

Sharing files using FTP is too ‘technical’ and difficult to use for most customers, and in B2C scenarios it is not usable at all; it is also a manual process.

Any request to enable an FTP account requires setting up firewall rules to allow file uploads and downloads, as well as a security review and approval.

In addition, FTP services lack automated processes like verification notices. Ask operations to open just a few ports, like FTP, to allow file transfers, and see how many get approved quickly.

A recent report from Verizon cited that 58% of healthcare PHI data breaches were caused by insiders, with 29.5% coming from misuse.

Which drives users to, yes, unsupported file sharing services. These solutions have made their way into companies of all sizes. Make no mistake: your users will always follow the path of least resistance. It’s a classic dilemma: an employee without file sharing options, or with failed emails, turns to outside solutions somewhere so they can ‘efficiently’ share files.

But the tipping point for most – audits. Evolving global regulations – such as GDPR, Dodd-Frank Act – require financial institutions to maintain reports on who accessed what files and when this was done.

By leveraging our encryption platform’s large file portal capabilities, businesses have full control over the large files they need to communicate.

Employees simply log in to the secure webmail portal, where they attach one or more large files along with a note. The files are then encrypted in the portal, and a notification message goes on to the recipient with a link to the portal, with full audit and recall functionality, allowing users to easily share within corporate governance and company policies.

You can see an example of how this works by watching this short video demonstration.

By Christian Peel, ‎VP Customer Engineering, Echoworx

10 Apr 2018

Quiet before the storm: CLOUD Act

Recent developments in the court case between the US Government and Microsoft have impacts on companies offering services globally. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) aims to simplify the way enforcement groups obtain personal data stored by U.S.-based technology companies.

What Has Happened:

In December 2013, a United States Magistrate Judge issued a warrant under the authority of the Stored Communications Act (SCA) to Microsoft for production of data that was hosted at a Microsoft data centre in Ireland. Microsoft refused to comply with the parts of the order that required production from their Ireland data centre, on the basis that the warrant violated European law.

Microsoft appealed the decision to the US Second Circuit court, which received submissions in support of Microsoft from various parties. The Irish Government submitted a brief stating that the warrant violated the European Union’s Data Protection Directive and Ireland’s own privacy laws, and that the US Government should have used the longstanding Mutual Legal Assistance Treaty between the US and Ireland, which allows for the collection of data supported by local warrants. The US Second Circuit found in favour of Microsoft, and the US Department of Justice appealed to the Supreme Court.

Oral arguments on the case were heard on Feb 27th. However, in March, the US Congress passed, and the President signed, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This law amended the SCA to require that US-based service providers turn over data that is in their possession regardless of where in the world the data is located. Based on this development, the US Department of Justice asked the Supreme Court to dismiss the case as moot, and Microsoft did not oppose.

Even prior to this decision, significant questions had been raised with respect to US Government access to data on citizens in other countries. The Article 29 Working Group had released a report calling into question whether the US was adhering to the requirements of the US/EU Privacy Shield agreements. In the report they recommended that new negotiations between the US and EU begin to develop a plan to close a few identified gaps. The Working Group warned that if action was not taken, they would take the issue to court to have the Privacy Shield agreement invalidated.

Impact on Market:

This is all happening in the context of the coming into force of the EU General Data Protection Regulation, which has strict requirements on companies who deal with the data of EU residents. Specifically, Article 48 of the EU General Data Protection Regulation states that:

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

This directly contradicts the requirements of the CLOUD Act, which override the need to use the MLAT approach.

Naturally, this leaves many questions as to whose laws are more relevant, the status of previously agreed treaties and agreements, and a few other questions. It is also likely to have a significant impact on US companies as subscribers move to cloud service providers in their local jurisdictions, or at least to those in jurisdictions that do not have such legal entanglements.

Echoworx is a Canadian-based company, and current Canadian law requires the use of Mutual Legal Assistance Treaties (MLATs) when data is stored in a foreign country. Echoworx is also committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centres around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centres in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By David Broad CISSP, Information Security and Audit Lead, Echoworx

21 Mar 2018

Echoworx Expands Encryption Business to Underserved Asia-Pacific Region

Cloud Security Expo, London (UK) – Email encryption provider Echoworx continues to expand its operations around the globe, with the Asia-Pacific countries (APAC) the latest region to benefit from Echoworx’s OneWorld secure communication platform.

With data centres in Mexico, the UK, Canada, the United States and Ireland, and Australia coming this spring, OneWorld offers organizations around the world a single, flexible, easy-to-use encryption solution that can be integrated into their existing infrastructure. To learn how Echoworx is emerging as a global leader in email security, stop by Booth S2715 at the Cloud Security Expo from March 21-22 at the ExCel Centre in London, England.

There is an urgent need for data security solutions in APAC. A new study from Marsh & McLennan Companies found that the Asia-Pacific region has the worst cyber security in the world. Most breaches are never made public, and discovery time on average was 520 days; the global average is just 146 days.

Echoworx President and CEO Michael Ginsberg says companies in more countries are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches, and APAC is an underserved market.

“We moved into Mexico to serve Latin America and are one of the few encryption companies in that market,” says Ginsberg. “We have a first-mover advantage there and would like to parlay that stance in APAC, starting in Australia.”

Organizations using Echoworx advanced solutions reap the benefits of being able to communicate with customers and partners quickly and securely. Large institutions, such as those in the financial sector, have new and improved ways to engage customers and increase market share by offering secured services like e-statements.

Echoworx can address another growing concern among clients in various parts of the world: that their data is stored in their jurisdiction and not in another country or region.

“Different areas have different maturities and different concerns, such as where is their data being housed,” says Ginsberg. “Jurisdictional awareness is a big security purchasing decision when it comes to countries’ data.”

Ginsberg says Australia will be the launching point for Echoworx’s operations in APAC, with plans to have a data centre operating by mid-May, with Indonesia or Japan next on the agenda.

“With the advent of Cloud management, we have the capability to be up in a jurisdiction in a very short time and in an economical fashion,” says Ginsberg. “By utilizing Cloud services, we are no longer restricted by physical resources or IT intensive infrastructure maintenance, enabling us to be 100 per cent focused on how we can help our customers communicate better with the outside world in a secure fashion.”

The European Union (EU) is another area that will benefit from Echoworx’s OneWorld platform. Encryption is a logical solution for companies in the EU, and while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. To learn how your organization can better protect its important data from attacks, stop by booth #S2715, grab a latte, and sit in on one of our presentations.

Don’t miss the Echoworx session, 10 Ways to Leverage Encryption by Taking a Customer-First Approach, in the Get GDPR Ready! Risk, Compliance Theatre on March 21, 2019 from 13:20 to 13:45 with Steve Davis, Solutions Architect.

With many areas around the world needing to step up information security as more organizations are realizing the importance of protecting their data, Echoworx intends to leverage its expertise in communication security.

“For our company, these types of opportunities will allow us to be truly global,” says Ginsberg.


07 Mar 2018

Encryption, helping address GDPR compliance

As of May 25, 2018, all companies dealing with personal data in the European Union (EU) must be employing a high level of security to safeguard EU citizens’ information. Under the General Data Protection Regulation (GDPR), companies that aren’t taking adequate measures in protecting the data of those residing in the 28 EU countries (prior to Brexit) face fines of up to 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue. Regulatory authorities will have greater powers to act against businesses that don’t comply.

GDPR sets the baseline
David Broad, Information Security and Audit Lead for Echoworx, says the GDPR sets the baseline for how companies must protect their own information and that of their clients. The baseline security practices must also be consistent with any third party service the company uses (such as Amazon), even if the company is located outside the EU. Regulations across the EU “used to be a fairly wide patchwork,” says Broad, and the GDPR will harmonize those rules. The EU has always had stringent regulations, but there were significant problems if a company was doing business in multiple countries, as rules could differ in each.

“It was seen by many as a disadvantage, and an impediment to business,” says Broad. “Now, there will be one standard everyone understands and knows.”

A logical solution
Encryption is a logical solution for these companies and while it’s not mandatory or the only solution, the GDPR encourages its use as a best practice to protect sensitive information from breaches. Increasingly, encryption is viewed as the go-to method to protect communications in transit and to safeguard stored information, according to Jacob Ginsberg, Senior Director with Echoworx.

Ginsberg says companies are recognizing the importance of encryption and security in thwarting cyberattacks and data breaches and utilizing it. The GDPR encourages the idea of security and privacy by design from the early stages of development, he says. Those two aspects – privacy and security – were not always working in conjunction with each other and the GDPR will help to align them. Encryption can play a role in aligning these aspects.

The importance of encryption
Protecting information in transit – whether through email or large file exchange – can be a challenge for some organizations, as they may not control the network or the email server, and the server may not even be in the EU, says Broad.

“You can’t just send customer data over a network you don’t have control of,” he says. An organization may use some form of encryption for data in transit, or opt not to send encrypted data by email. Instead, it could send a benign message to a client telling the client to log in to the company portal to retrieve the pertinent information.

Not every company wants to build a portal due to the heavy investment in technology required, or because they may not need it all the time. For example, some companies may only need a portal for a short time each year – such as to receive annual tax documents.

Just as Amazon provides e-commerce solutions for sellers who don’t want to deal with logistics, payments, hardware and data storage, encryption providers such as Echoworx can help companies comply with the GDPR by providing encryption solutions and services to help customers protect important data.

Let’s connect
My colleagues will be at the IdentityNorth Annual Summit at the Mattamy Athletic Centre in Toronto, Canada this June. If you plan to be in town, come meet the Echoworx team. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Register today, join us for a chat!

By Christian Peel, ‎VP Customer Engineering, Echoworx

26 Feb 2018

Is there a certainty to security?

The choice between Protection + Prevention vs Detection + Response is an illusion. As security practitioners, we all learnt that defence in depth was key. Yet we focused too much on defence as just a wall or line that would protect us. This type of thinking has been proven to be insufficient time and time again.

First, we put up firewalls and thought we were safe. Then we realized we need IDSes and eventually IPSes. SIEMs and other tools were next. These fulfil parts of the equation, but not all of them.  Once your defences are static and do not evolve based on feedback of what is actually happening, then they can be worked around. Aligning to only one of Protection + Prevention or Detection + Response will leave gaps.

If modern threats have taught us anything it is that no one solution is going to solve all the problems.  We need blended approaches that implement tools to protect our perimeters, but also other tools and systems that can detect anomalous traffic and tune networks on the fly to respond.

No significant Information Security standard – be it ISO 27001, the NIST Cyber Security Framework, Webtrust, or others – stops at simply doing one aspect of security. The key is to keep them balanced and all fed with tools, resources and funding to enhance capabilities across the board.

Many companies think that once they have a few tools deployed to control their perimeter they are done.  But how effective are these tools that they have deployed?  Just because the tools don’t detect anything doesn’t mean that there is nothing there.   For each tool that is deployed, businesses should think of how they will measure its effectiveness.

  • What did traffic look like before it was deployed?
  • What does it look like after?
  • What would it look like if it wasn’t working?
  • What could it be missing?
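
A concrete way to turn those four questions into something you can run on a schedule, as an added example that is not code from the original post: the "tool" under test is a deliberately simple signature filter written for this example, and every request, canary and alert count below is constructed. The same harness works against a real control by swapping tool_verdict for a call to that control (send the canary, then query for the alert).

```python
# Added example, not code from the original post: a small harness that turns
# the four questions above into checks you can run against a deployed tool.
# The "tool" under test is a deliberately simple signature filter written
# for this example, and every request and alert count below is constructed.
import re
import statistics
from urllib.parse import unquote

# Stand-in for the deployed tool: flags requests that match a signature.
SIGNATURES = {
    "exe-download": re.compile(r"\.exe\b", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def tool_verdict(request):
    """Return the name of the first matching signature, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(request):
            return name
    return None


def normalized_verdict(request):
    """Same tool, fed URL-decoded input: one way to close the gap found below."""
    return tool_verdict(unquote(request))


# Canaries: inputs with a known expected verdict. Sending them through the
# tool on a schedule answers "what would it look like if it wasn't working?"
# (the plain ones stop alerting) and "what could it be missing?" (the
# evasion variants never alerted in the first place).
CANARIES = [
    ("GET /downloads/tool.exe", "exe-download", "plain"),
    ("GET /login?user=a' or 1=1--", "sqli-tautology", "plain"),
    ("GET /downloads/tool%2Eexe", "exe-download", "evasion: url-encoded dot"),
    ("GET /login?user=a'%20or%201=1", "sqli-tautology", "evasion: url-encoded spaces"),
    ("GET /index.html", None, "benign"),
]


def run_canaries(verdict_fn=tool_verdict):
    """Compare each canary's actual verdict with the expected one."""
    report = {"ok": 0, "missed": [], "false_positive": []}
    for request, expected, kind in CANARIES:
        got = verdict_fn(request)
        if got == expected:
            report["ok"] += 1
        elif expected is None:
            report["false_positive"].append(request)
        else:
            report["missed"].append((request, kind))
    return report


def silence_check(history, current, floor_ratio=0.25):
    """'What did traffic look like before/after?' applied to the tool's own
    output: compare today's alert count with the median of recent days.
    A sudden drop far below the baseline is a reason to verify the tool is
    still receiving traffic, not a reason to celebrate."""
    baseline = statistics.median(history)
    return current < baseline * floor_ratio


if __name__ == "__main__":
    print("as deployed:       ", run_canaries())
    print("with normalization:", run_canaries(normalized_verdict))
    # Constructed alert counts for the last five days, then a suspiciously quiet day.
    print("suspiciously quiet:", silence_check([40, 35, 52, 44, 38], 3))
```

Run as deployed, the two URL-encoded canaries come back as missed, which is the "what could it be missing?" answer for this tool; the normalized variant shows the fix, and the silence check is the kind of number that belongs on the dashboard next to the alert count itself. The 25 percent floor and the five-day window are assumptions to tune per tool.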

Understanding the limitations of tools that are deployed is key to understanding what else you should be monitoring for and being able to feed this into your Risk Management processes to forecast the next tools that you should be deploying. Reacting after an attack is too late. The damage is done.

It’s not a question of Protection + Prevention or Detection + Response, it’s more of a question of Protection + Prevention + Detection + Response. The hope would be that if you are monitoring your current tools, then you will detect gaps before they are an issue and the Response will then be a planned upgrade or deployment as opposed to an incident investigation.

By David Broad, Information Security and Audit Lead, Echoworx

25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side: businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors, largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The occurrence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all targeting factors. Criminal groups, clearly capable, besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key weaknesses observed in Mexico’s cyber landscape are the lack of a cybersecurity culture, outdated system configurations, and obsolete versions of software applications. The right to privacy, along with protection of personal information for both individuals and corporations, is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, its new infrastructure must adapt effectively to changes in the way information is transmitted around the world, and it must comply not just with national and regional directives but with international information-protection practices.

The question arises

Is your business at a crossroads? Either shoulder the cost of stronger defences, or become increasingly susceptible to attack.

The sound choice is to move to a proactive model that builds security checkpoints into the business, rather than a reactive one. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely in conjunction with private firms. The benefits of furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

Let’s connect
Our team will be at InfoSecurity Mexico at the Centro Citibanamex in Mexico this May. If you plan to be in town, you’ll find the Echoworx team in booth #209. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by, join us for a chat!

By Christian Peel, ‎VP Customer Engineering, Echoworx

23 Jan 2018

Echoworx forges partnership with Moneta Technologies

Fortifying relations in Mexico

TORONTO, ONTARIO — It’s a New Year and with it comes new opportunities. Echoworx is delighted to announce its new strategic partnership in Mexico with Moneta Technologies. It was only last year that email encryption provider Echoworx opened a local data center near Mexico City, catering to Mexico’s demand for in-country data security, offering its advanced encryption platform OneWorld.

Moneta Technologies is a technology solutions company with expertise in electronic payments, focused on technology infrastructure development for banking and financial services, retail, and telecommunications.

Commenting on the partnership with Echoworx, Juan Pablo González, Managing Director at Moneta Technologies said, “These are very interesting times in Mexico’s vibrant economy and this alliance will help us serve as a trusted partner to our clients by providing best in class information and communication technologies that enable their growth and economic progress. Echoworx’s encryption solutions will help our clients to safeguard their customers’ sensitive information against theft and other data privacy attacks that favor targeting email.”

“Mexico ranks as the second country in Latin America with the most cyberattacks, behind Brazil, with many large organizations suffering from outdated and incompatible encryption capabilities. Stricter data security regulations continue to be put in place, such as the EU’s General Data Protection Regulation and Mexico’s General Law for the Protection of Personal Data, that will further impact organizations’ data protection and information practices. Our timing in engaging with Mexico could not be better,” echoed Randy Lenaghan, VP Sales at Echoworx. “Our email encryption platform is designed to address the diverse information and communication requirements within the banking and financial services industry and to effectively adapt to the changes.”

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern it is pertinent that a sustainable infrastructure is in place to safeguard every customer’s interest. This partnership reaffirms Echoworx’s commitment to Mexico and its focus in strengthening cybersecurity by collaborating to safeguard sensitive information.

About Echoworx

Echoworx brings simplicity and scalability to encryption. OneWorld, our flagship solution, is the first smart messaging encryption platform that makes secure messaging easy and cost effective – designed to adapt to any environment and all forms of encryption. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the utmost importance. Visit us at https://www.echoworx.com/

About Moneta Technologies

Moneta Technologies is an expert company in electronic payment methods, dedicated to developing technological infrastructure projects for financial institutions, retailers, and telecommunications operators, among others, so that they can accept and process electronic payments safely and without setbacks.

Media Contact:

Lorena Magee
VP Marketing
416-226-8600
magee@echoworx.com

05 Jan 2018

Spectre and Meltdown attacks, think the sky is falling?

Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors.  We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you on the steps that Echoworx is taking to address them.

What are these attacks?

Spectre is actually two different vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and Meltdown is one (CVE-2017-5754).  All three abuse a feature of ‘modern’ microprocessors called ‘speculative execution’: the processor guesses which instructions will be needed next and executes them ahead of time, throwing the results away if the guess turns out to be wrong.   The discarded work still leaves traces in the CPU cache, and an attacker who cannot read the data directly can infer it by timing memory accesses (a cache side channel).   That is how both attacks leak data that the attacking process should never have been allowed to see.

The Meltdown attack is the worse of the two in that it breaks the isolation between user programs and the operating system: an unprivileged process can read kernel memory, and through it potentially all of the computer’s memory, not just a few bits and pieces of it.  Meltdown is also easier to exploit.  Fortunately Meltdown is also easier to patch against, because the operating system can fix it on its own by separating kernel and user page tables (KPTI).  Spectre on the other hand breaks the isolation between applications; it is harder to exploit and reveals less, but is harder to address through patches, because it relies on processor behaviour that is working as designed.  There are patches out for specific known exploits, for example in the browsers.

What is affected by these attacks?

“Modern” isn’t so modern… at least not in computer terms.   Basically any Intel processor built since about 1995 is affected by Meltdown (Itanium and pre-2013 Atom are the known exceptions).  Spectre is broader: Intel, AMD and ARM processors, and others, are impacted to varying extents.  There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear whether this has been proven, or whether the exploit simply hasn’t been accomplished yet. It would be best to err on the side of caution.

What should you as an individual do on your personal devices?

You should always keep up to date with patches, and this case is no different.   There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications.  Applying these will help to protect you.

You should also make sure that your Anti-Virus/Internet Security software is up to date.   Microsoft has announced that their fixes might have compatibility issues with some anti-virus software.   The patch for windows will not install if you have an outdated AV or one that is incompatible.  I would update the AV software first, and then apply the MS patch.

Be aware that some of the fixes to this issue could cause a performance impact.  There are some pretty wild estimates of how bad of an impact there could be, but the vendors I have seen have so far reported minimal impacts.  For example, Apple reports a maximum of 2.5% against 1 benchmark for these fixes.
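
Installing the patch and having the mitigation active are two different things, so here is an added check (not code from the original post) for Linux hosts. Since kernel 4.15 Linux exports one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, with more added in later kernels); each file reads “Not affected”, “Mitigation: …” or “Vulnerable”, optionally with detail. The sample directory in the script is constructed, and the bucket names are this example’s own.

```python
# Added example, not code from the original post: report whether the Linux
# kernel's Spectre/Meltdown mitigations are actually active on this host.
# Since Linux 4.15 the kernel exports one file per issue under
# /sys/devices/system/cpu/vulnerabilities/; each holds "Not affected",
# "Mitigation: ..." or "Vulnerable" (optionally with detail).
# The sample directory below is constructed and not real data.
import pathlib
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status):
    """Reduce the kernel's free-text status to one of four buckets."""
    status = status.strip()
    if status.startswith("Not affected"):
        return "not-affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(directory=SYSFS_DIR):
    """Map issue name -> (bucket, raw kernel text).
    Returns {} when the directory is missing: not Linux, or a kernel older
    than 4.15, which itself means the host has no Meltdown fix."""
    path = pathlib.Path(directory)
    if not path.is_dir():
        return {}
    status = {}
    for entry in sorted(path.iterdir()):
        if entry.is_file():
            raw = entry.read_text().strip()
            status[entry.name] = (classify(raw), raw)
    return status


def needs_attention(status):
    """Issues that are vulnerable, or whose text this script cannot interpret."""
    return sorted(name for name, (bucket, _) in status.items()
                  if bucket in ("vulnerable", "unknown"))


def make_sample_dir():
    """Constructed snapshot of a host that got the Meltdown fix (PTI) but is
    still exposed to Spectre variant 2. Not real data."""
    sample = {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    }
    directory = tempfile.mkdtemp(prefix="cpu-vuln-sample-")
    for name, text in sample.items():
        pathlib.Path(directory, name).write_text(text + "\n")
    return directory


if __name__ == "__main__":
    target = SYSFS_DIR if pathlib.Path(SYSFS_DIR).is_dir() else make_sample_dir()
    status = read_status(target)
    for name, (bucket, raw) in status.items():
        print(f"{name:<24} {bucket:<13} {raw}")
    print("needs attention:", needs_attention(status) or "nothing")
```

A patched kernel booted with `nopti` or `mitigations=off` reports “Vulnerable” here even though the package is installed, which is exactly the case the check is for. On Windows the equivalent is Microsoft’s SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports whether the OS and microcode protections are present and enabled.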

By David Broad CISSP, Information Security and Audit Lead, Echoworx

23 Nov 2017

Trust Me: Be the Good Bank

Hey banks, millennials have trust issues. Yup, these sophisticated, well-travelled, highly educated people have conflicted relationships with personal information.

A new OnePoll survey commissioned by Echoworx revealed that millennials are more careful with romantic partners than they are with financial institutions. Almost 50 percent of respondents age 18 to 35 would not give a partner their home address until after at least five dates. Yet, 56 percent had shared sensitive information by email with their bankers and brokers, not realizing that email can be easily hacked and sifted to steal identities and key information. And not to put too fine a point on it, but less than 60 percent of the surveyed millennials could accurately define “encryption.”

All of your customers expect you to treat them well, so your ability to make them trust you lies in how well you do it. And a big part of that is having strong cybersecurity so they don’t have to worry about having their data lost or stolen.

Information culture shift

Millennials’ contradictions around personal information make sense when you think about how human interactions have changed. Today, dating isn’t only about meeting someone through hobbies, work or friends – you can do it through apps, too. But with apps, the community relationships aren’t there, so millennials are naturally careful about revealing their home addresses. On the other hand, they’re so used to the continued refinement of tech, especially in business, that they trust it to work for them.

People born in the 1980s and ‘90s grew up as handheld devices morphed into the multimedia portals that they are now. They take digital convenience for granted in the same way they take their own hands and feet for granted, and because of that, they don’t have their parents’ suspicion of devices and software. But they also don’t have the media-savviness of the generation following them, who started learning about privacy and internet safety as early as grade school.

The good, the bad and the non-committal

Millennials expect financial institutions to integrate their processes seamlessly into mobile, and that’s created a classic battle between good and evil.

On the evil side, there are people doing whatever they can to steal information. On the good side are businesses who use the highest security protocols in all their communications. But between good and evil, you’ll find others who are simply hoping they won’t get burned when things go wrong.

Millennials are now your primary workforce and client base, and the bad side will exploit every opportunity you leave open. All workplace communications are targets, so strong encryption is critical for front-lines, back-end and all internal media tools.

Business relationships, like romantic relationships, thrive on trust, and it’s much harder to rebuild than it is to behave responsibly from the get-go. Be the good side: secure communications, encrypt everything at the highest level, and don’t ever ask for info through unsecured email or apps.

15 Nov 2017

Indecent Exposure and Robotic Hacking

Would you send a naked selfie by email? A lot of us would say ‘no’, because we’re well aware of what could go wrong. What if the person you send the message to accidentally (or deliberately) shares it with someone else? What if your email account or theirs gets hacked? We’ve seen too many public figures humiliated when their private emails have been exposed.

But even if we won’t share certain photos, many of us will ignore 21st-century common sense and share other extremely personal information by email, just because a bank, broker or other service provider asks us to. Darn it, if they tell us to do this, it must be okay – right?

People, your gut fears are correct.

In a new OnePoll survey commissioned by Echoworx, 45 percent of millennials had been asked to send sensitive information by email to their banks, and 85 percent of millennials reported that they’d been specifically asked for their social security numbers by email. Almost 60 percent questioned whether using email to send this info was a good idea, and 55 percent have either had their personal information stolen, or suspected that it had been.

Yet they still shared these personal details by unsecured email. And by the way, less than 60 percent could accurately define the word, “encryption”, which is the process of converting information into code so the wrong people don’t see it.

Robotic hackers are real.

More than five million personal records are lost or stolen every day because they are not properly stored or encrypted. And when you’re transferring info from your wallet to your bank, you could increase the likelihood that you become a victim, especially if you use email.

Most email services can be easily hacked. This isn’t because some evil genius is after you, specifically; it’s because any number of bottom-dwellers are creating bots (robot software with malicious code) that go after everyone simultaneously. Those bots have databases behind them that include every password that has ever leaked in a breach, plus dictionaries and languages and other sources of text that people might use for passwords and logins. The bots spin rapidly through combinations of logins and passwords until they break into your account (credential stuffing when the pairs come from earlier breaches, brute forcing when they come from dictionaries), and then they sift it for personal information.

Really, it’s almost that easy.
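
From the defender’s side, the bot behaviour described above leaves a recognizable trace in the login log: one source address failing against many different accounts in a short time, sometimes followed by a success. The following is an added example, not code from the original post; the log format, the thresholds and every sample line are constructed for it, so adapt LINE_RE to whatever your mail or webmail server actually writes.

```python
# Added example, not code from the original post: spot the bot pattern
# described above (one source cycling through many logins and password
# guesses) in a login log. The log format, thresholds and all sample lines
# are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn matching log lines into dicts with a datetime; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), fail_threshold=10, user_threshold=5):
    """Per source address, keep the failures inside a sliding time window.
    Many failures spread over many users is the bot pattern (credential
    stuffing / password spraying); many failures against one user is classic
    brute force; a success right after a burst of failures is a likely
    takeover that needs a human look."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        recent = []          # failures inside the window ending at the current event
        flagged = False
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if e["result"] == "fail":
                recent.append(e)
                if not flagged and len(recent) >= fail_threshold:
                    users = {f["user"] for f in recent}
                    kind = "credential-stuffing" if len(users) >= user_threshold else "brute-force"
                    findings.append({"src": src, "kind": kind,
                                     "failures": len(recent), "users": len(users)})
                    flagged = True
            elif len(recent) >= fail_threshold:
                findings.append({"src": src, "kind": "possible-takeover", "user": e["user"]})
    return findings


def _line(seconds, result, user, src, base=datetime(2017, 11, 15, 10, 0, 0)):
    ts = (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} login result={result} user={user} src={src}"


def sample_log():
    """Constructed traffic: a bot spraying twelve accounts and then getting in,
    a single-account brute force, and one legitimate user who mistyped once."""
    lines = [_line(i * 3, "fail", f"user{i:02d}", "203.0.113.7") for i in range(12)]
    lines.append(_line(40, "ok", "carol", "203.0.113.7"))
    lines += [_line(i * 7, "fail", "dave", "198.51.100.3") for i in range(12)]
    lines += [_line(5, "fail", "alice", "192.0.2.10"), _line(20, "ok", "alice", "192.0.2.10")]
    lines.append("2017-11-15T10:01:00Z some unrelated log line")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in detect(parse_log(sample_log())):
        print(finding)
```

The thresholds (ten failures in five minutes, five distinct users) are assumptions to tune against your own baseline; what matters is that the detector keys on the source address and the spread of usernames, because a bot cycling through a leaked password list rarely hits any one account hard enough to trip a per-account lockout.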

How to play safely

While financial companies can’t control your email, they can control their own processes, interfaces, servers and encryption. In fact, there are a slew of regulations throughout the world telling companies they must do it or face consequences. For example, a regulation known as the GDPR applies to everyone doing business in Europe (e.g., most of the big US financial companies), with fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, for not protecting customer data. Yet it seems that some of our trusted institutions would rather risk the fallout than proactively create secure interfaces, so we could still send and receive personal information by email.

So, what can you do to protect yourself? Start by refusing to exchange private info by unsecured email. Ask what your institution does to protect your sensitive email communications, and think twice about the ones that don’t have clear policies and practices in place. And visit our Getting Personal portal to learn more about the risks and opportunities of sharing sensitive information.

By Alex Loo, VP Operations, Echoworx

05 Oct 2017

People More Willing to Share Data Online Than with New Dating Partners

New study from the information encryption experts at Echoworx

TORONTO, ONTARIO – People are more willing to divulge their personal data in an email than they are to share that same information with potential dating partners, according to a new study from the information encryption experts at Echoworx.

The study, commissioned by Echoworx and conducted by market research company OnePoll in August 2017, surveyed 2,000 adults from across the United States. It found that while most people won’t reveal personal details, including their full names, to a potential partner until after an average of two and a half dates, they will readily provide sensitive information online.

“It’s interesting that those surveyed were more willing to send personal information across the web than to divulge facts to a person they are getting to know. It reveals that people are not aware of the risks they are taking in case of a breach,” says Sam Elsharif, VP Software at Echoworx.

Most Americans take just 20 seconds to decide whether an email in their inbox is safe, 28 seconds to determine if it’s safe to enter personal data into an online form and 31 seconds to decide whether a website is safe to make a credit card purchase from, the study found. Yet when it comes to dating, most aren’t comfortable disclosing their home address until after an average of four dates and it takes six and a half dates before they’ll discuss salary. One in three say they wouldn’t feel comfortable about talking salary after any amount of dates.

They don’t have the same hesitation when it comes to divulging personal details of their lives online. Three-quarters of survey respondents admitted they have shared sensitive or personal data electronically and on average, they share three pieces of personal information by email each week. Thirty-eight per cent have sent information online to a healthcare provider, 35 per cent to a bank and 25 per cent to a government official.

Even though they may regularly share personal data online, most survey respondents question if it’s safe to do so and more than a quarter of them are unsure what encryption is, despite it being an important security measure.

“When it comes to sensitive personal data, like your social security number and banking details being shared online, it’s important to be cautious and verify the privacy policies, real needs, and legitimacy of the companies requiring it,” says Sam Elsharif of Echoworx.

Surprisingly, five per cent of survey participants say they feel comfortable disclosing their social security number with a possible partner after just one date – unfortunately encryption can’t help with that type of personal disclosure.

###

About Echoworx
Echoworx is a trusted path to secure communications. OneWorld, our flagship solution, is the first smart messaging encryption platform that makes secure messaging easy and cost effective – designed to adapt to any environment and all forms of encryption. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the utmost importance. Visit us at www.echoworx.com

Media Contact:

Lorena Magee
VP Marketing
416-226-8600
magee@echoworx.com

04 Oct 2017

Is Your Company Practicing Safe … Relationships?

Thank you to all the media who helped us spread the important message of practicing safe communications! They didn’t have to. They had a choice of hundreds to cover but they chose our story. When Trust Matters – Security is Critical.

Getting Personal: In the News

Media Post | Oct 5, 2017 |
People Are More Likely To Share Info In Emails Than On Dates: Study

LittleThings | Oct 3, 2017 |
Study Shows That Americans Trust Computers With Personal Information More Than New People

MensHealth | Sept 28, 2017 |
You Probably Trust Your Computer Way More Than You Trust Your Girlfriend

EBL News | Sept 28, 2017 |
We trust the internet more than new lovers

Yahoo News | Sept 27, 2017 |
We Reveal More On Social Media Than On A Date

USA Today | Sept 27, 2017 |
We trust the internet more than new lovers

New York Post | Sept 26, 2017 |
Americans trust the internet more than new lovers

MSN | Sept 26, 2017 |
Americans trust the internet more than new lovers

InfoSecurity | Nov 28, 2016 |
What Role Does Privacy Play in Your Digital Transformation Strategy?

04 Oct 2017

Getting Personal: Trust, New Lovers and the Internet

You’re a single woman on your first date with a new guy. The conversation is flowing, he’s laughing at your jokes – but you don’t feel comfortable sharing your full name yet or revealing exactly where you live.

Yet you may have readily shared personal information in an online form or in an email, with a cyberspace entity you don’t know.

A new survey, commissioned by Echoworx and conducted by market research company OnePoll, found that while most people won’t reveal personal details to a potential partner until after an average of two and a half dates, they are much more willing to provide sensitive information online. The study, conducted in August 2017, surveyed 2,000 adults from across the United States.

Does this surprise you to learn many people are more willing to provide personal details online than with someone they are getting to know?

If you’re like most of the Americans in the survey, you take just 20 seconds to decide whether an email in your inbox is safe. You take 28 seconds to determine if it’s safe to enter your personal data into an online form. If an item on an online shopping site catches your interest, you take 31 seconds to decide whether the website is safe to make a credit card purchase from. Yet you likely won’t give your home address to a potential dating partner until after an average of four dates and you won’t discuss your salary until after six and a half dates. You might be among the one in three who doesn’t feel comfortable talking about your pay cheque after any amount of dates.

Have you shared sensitive or personal data while filling out an online form or in an email?
You’re not alone. Three-quarters of survey respondents admitted they have shared personal info while filling in an online form and on average they share three pieces of personal information by email each week.

You may have sent information online to a healthcare provider, to a bank or to a government official. But if you’re like most people, you say an online shopping purchase – perhaps those fabulous Manolo Blahniks – was the main reason you shared your data online. Other reasons include applying for a job or applying for a mortgage or insurance.

If you have shared your info online, you may have questioned how safe it was. Thirty per cent of the survey respondents feel uneasy about giving out information online. Have you sent an email you later regretted sending? So have 40 per cent of those surveyed.

You may have had your personal information stolen (24 per cent say so) or suspect it has been (22 per cent) or had your computer hacked, like one in five Americans. You may not know what encryption means, even though it’s a powerful tool for protecting your sensitive data.

Now back to that first date. If the romance continues, you’ll share your address, birth date, medical history and other personal details with this potential partner but you’ll be cautious and take your time.

When it comes to info such as your social security number and banking details, maybe it’s best to exercise the same caution before divulging your data online.

Before you leave, make sure to visit our Getting Personal portal to learn more about the risks and opportunities associated with sharing sensitive information.
