Tuesday, 6 June 2017

Are you safeguarded against Ransomware?


Friday, May 12, 2017 saw one of the largest global ransomware attacks in internet history. In two days, the attack had left over 125,000 computers across 104 countries useless. Public utilities in Spain and England’s National Health Service (NHS) had to shut down operations. Ransomware, which is often transmitted by email or web pop-ups, involves locking up people’s data and threatening to destroy it if a ransom is not paid. In a classic ransomware tactic, users of affected computers were asked to pay $3000 in bitcoin by the culprit strain, known as WannaCry. Its majestic scale was eclipsed by poor execution and low ransom fees, certain signs of an amateurish attack.
According to Kaspersky Lab, the WannaCry ransomware is based on a vulnerability that was identified in the Windows Server Message Block (SMB) protocol and was patched in Microsoft’s March 2017 Patch Tuesday security updates. “On May 12, 2017 we detected a new Ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed,” Microsoft’s summary of the attack began. “While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the malware, known as WannaCrypt, appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install MS17-010 if they have not already done so.”
Vulnerabilities exploited by the Attack
This attack not only impacted computers and businesses but also innocent patients who were kept waiting before receiving care. A lot of organizations are responsible for this attack. Security experts believe the malware may have initially asked people to download it through email in the form of a phishing attack. After that, the malicious code traveled to a broader network of computers that were linked together through the Windows file-sharing system. Organizations across the globe put a lot of effort into stopping phishing; however, most took the “bait” in this case. Another aspect that helped WannaCry conduct the attack successfully was users’ complete neglect of OS updates. There are still millions of computers using Windows XP, and without custom support, they’re all vulnerable, not just to this latest ransomware, but to dozens of other vulnerabilities unearthed in the last three years. The vulnerability targeted last week doesn’t exist in systems released since Windows 8 (which introduced SMBv3), so the main targets were Windows 7 and Windows XP. Windows 7 users are still receiving patches, but XP has been unsupported since April 2014. As organizations handling tons of information, we must understand and accept that the most crippling wars of the future will be in cyberspace, with no bloodletting. To stay prepared, we must build robust counter-intelligence, including a highly capable cyber-expert who is proactive rather than reactive.
Preventing Cyber-attacks
Organizations need to play smart to prevent ransomware attacks. While it is important to have firewalls and staff training around cyber-security, it is equally important to have the most up-to-date software and the right hardware installation. Most computers impacted by WannaCry were on Windows XP, which was stopped way back in 2008, and organizations like the NHS had until 2014 to switch over. However, most of the networks hit on Friday had complex embedded systems that could barely survive a patch.
Installing antivirus software and being wary of suspicious emails or pop-ups is a comprehensive strategy against ransomware attacks and should be a part of your business security plan. Creating regular backups of your data will go a long way in your preparedness for tackling cyber-attacks.
We hope WannaCry makes people more aware of the loopholes that exist in their systems.
For any requirements of SSL certificates kindly visit HTTPS.IN

Monday, 29 May 2017

Why is Ransomware a dangerous form of cyber threat?

Ransomware Trojans are a type of malware that is designed to extort money from a victim. Often, ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim’s computer. These changes can include:
1. Encrypting data that is stored on the victim’s disk, so the victim can no longer access the information
2. Blocking normal access to the victim’s system
How ransomware gets onto a computer
The most common ways in which ransomware Trojans are installed are:
  • Via phishing emails
  • As a result of visiting a website that contains a malicious program
After the Trojan has been installed, it will either encrypt information that’s stored on the victim’s computer or block the computer from running normally, while also leaving a ransom message that demands the payment of a fee in order to decrypt the files or restore the system. In most cases, the ransom message will appear when the user restarts their computer after the infection has taken effect.


Ransomware methods around the world
Across the world, ransomware is increasing in popularity. However, the ransom messages and methods of extorting money may differ across different regions. For example:
Fake messages about unlicensed applications.
In some countries, the Trojans often claim to have identified unlicensed software that is running on the victim’s computer. The message then asks for payment.
False claims about illegal content.

In nations where software piracy is less common, this approach is not as successful for the cybercriminal. Instead, the ransomware popup message may pretend to be from a law enforcement agency and will claim to have found child pornography or other illegal content on the computer. The message will be accompanied by a demand to pay a fine.
What makes ransomware so effective?

One reason: fear. Just like any traditional extortion op, ransomware operations succeed because they capitalize on fear, which ultimately forces victims to do something irrational such as paying cybercriminals. Fear of losing your job because you lost important documents to ransomware can be crippling. Getting locked out of your system or never being able to open your files again is a scary thought. Possibly being indicted for potentially embarrassing browsing habits (such as watching adult or inappropriate videos) or unwanted public exposure can compel you to pay. And from what we’ve seen so far, fear-mongering works, as proven by the US$325 million paid by individuals and businesses worldwide to a single ransomware variant called CryptoWall in 2015.

The number of large enterprises being targeted by ransomware is growing. Typically, the attackers specifically research and target a victim (similar to whale phishing or spear phishing, and these may in fact be the techniques used to gain access to the network). Sensitive files are encrypted, and a large sum of money is demanded to restore them. In general, the attacker has a list of file extensions or folder locations that the ransomware will target for encryption.
Because the files are encrypted, it can be practically impossible to reverse the encryption or “crack” the files without the original encryption key, which only the attackers have access to.

The best advice for prevention is to ensure that company confidential, sensitive, or important files are securely backed up in a remote, unconnected backup or storage facility.

SSL CERTIFICATE IS A MUST FOR WEBSITES


Website owners and people involved in the web often ask why an SSL certificate is necessary for them. The best way to answer this question is to consider making a purchase online, where caution needs to be exercised. It is easy to insert your credit card into an automated teller machine (ATM), but one becomes very thoughtful about transacting business over the internet with that same credit card. The idea is that if you notice anything funny after a transaction at the ATM, you can at least walk into the bank and make a complaint. However, someone in China who wants to buy from a website in the US would want to be very sure that their credit card details would not be made public.


A consumer needs every possible assurance that his security when performing a transaction is guaranteed; hence he has to be cautious when deciding on the SSL certificate provider.
What is SSL? SSL is an acronym for Secure Sockets Layer. It is a standard security technology that is used to establish an encrypted link between a web browser and a web server. An SSL certificate is a necessity for a website that collects information such as credit card details and other personal data from customers.

You can also view cyber security through the SSL certificate in terms of a landlord and his tenant. You would agree with me that if no organisation were set up to check the activities of landlords, some landlords would secretly exploit their tenants. Therefore, in most cases, before a landlord can make a lease he must first register as an authorised landowner so that he can be checked. Despite these organisations, some still carry out business without legitimacy, so one must ensure that the SSL certificate is purchased. Tenants are aware of this, and customers regard a website owner without an SSL certificate as illegitimate.

The organisations that manage SSL certification issue SSL certificates to website owners through their hosts. Organisations like Symantec SSL, GeoTrust SSL, Thawte SSL and RapidSSL are renowned brands in the market from which to source an SSL certificate. When a website is issued a security certificate, it gives the site a sense of legitimacy. What then are the benefits of having an SSL certificate?

First of all, if a customer walks into a bank and notices that there are no security personnel at the gate, what would that customer’s perception be? The customer would fear for his own safety, let alone the security of his funds. The same thing happens when a potential customer visits a website and notices a lot of security certificate issues. If you have used version 42 of Google’s Chrome browser, you should be familiar with this image:

The three different scenarios in the picture show three security levels of a given website. Google has recommended that website owners have an SSL certificate. The following are the major benefits of having an SSL certificate.

Encrypts Information
With an SSL certificate on your website, all information that is relayed to your website will only be available to authorized parties; by authorized parties, I mean those who are supposed to see this information. The SSL certificate converts this information to codes that cannot be easily understood by any third parties in the case where the system is hacked.
Google, as one of the primary internet decision makers, has information about consumer behavior and has noticed that most customers would not want to shop on sites that do not have a secure encrypted layer in place.

To help you choose a suitable SSL certificate, visit HTTPS.IN and avail of our technical support.

Tuesday, 23 May 2017

CYBER-SECURITY RISKS ARE HIGHER IN BANKING INDUSTRY

The rise of the information society has given organizations an abundance of opportunities to enhance services to customers through new channels. These have saved time, money and effort from an operational perspective. However, on the opposite end, cyber-criminals are finding new ways to exploit weaknesses and trying to develop ever more sophisticated methods of attack, or finding creative rehashes of old tricks. The cost to consumers, and to society in general, is growing, while a lack of global cooperation allows the trend to continue.
Let us face the fact that online security is a major hurdle for all organizations, including banks; consider the recently hacked ATMs.

Higher Cyber-Security risks in Banking Industry
 
A large portion of these threats are basic. Simple spam or phishing messages, which urge users to share information about themselves, continue to be a significant problem across industries. However, the threat landscape is also becoming increasingly complex. There is a convergence of offline fraud and online crime, especially in financial services organizations: consider the recent attacks in which international hackers steal data that is then used by local criminals to fraudulently withdraw money at banks. Cyber-criminals also look for the weakest links in the information supply chain, which means institutions can come under indirect attack even when their own systems are secure. Third-party suppliers and other actors hold large amounts of data about consumers, making them targets as well.

Although cyber-crime transcends industry borders, financial institutions such as banks often lead the way in encountering new threats and improving their cyber-security defenses. Based on a survey of 250 banking executives, along with in-depth expert interviews, this report looks at cyber security challenges and opportunities specifically as they relate to banks. Among the key findings are:

Both technologies and threats are evolving.
Using new channels of communication is essential to better serve customers, but keeping pace with evolving technologies, and their associated risks, is also a key challenge. Mobile phones and apps are prime examples of the balance between greater efficiency and new kinds of cyber risk. Some financial institutions struggle here, while others find ways to combine usability and security. According to this report’s risk radar (see page 7 for details), which is based on our survey findings, phishing, botnets and mobile malware were rated among the most likely threats faced, and also among the ones with the greatest impact.

Awareness remains low.
Improved knowledge of threats is often cited as essential to enhancing cyber-security. Banks are trying to educate their customers, in part through new channels of communication such as Twitter and YouTube, in addition to more conventional website updates. About one in three (30 percent) of those surveyed rate limited customer awareness as a key challenge, making it one of the top four issues faced. However, the problem is not exclusively external: careless employees are often cited as a particular concern, for example. In addition, lack of knowledge sometimes reaches right to the very top of organizations: nearly one in ten respondents (eight percent) cited a lack of C-suite understanding of the issue as a key challenge.

Preparedness for cyber security risks remains uneven.
Only one in five of the executives surveyed for this study regards their organization’s overall preparedness for cyber-security risks as “high.” When reviewed in greater detail, the technology-related aspects of their preparedness perform best, yet only about half of respondents rate their banks as highly prepared. In other key factors, such as internal and external cooperation and broader legal support, preparedness is considerably weaker. Most strikingly, fewer than one in four banks believe their internal resources are highly prepared, perhaps the easiest aspect of preparedness to resolve. However, this reflects the fact that banks are currently only willing to spend just enough to ensure customers remain trusting. As such, there appears to be a disconnect between the availability of resources and information and the willingness to use them in fighting cyber crime.

Trust trumps financial losses.
Despite rising losses and the perception that they will continue to increase, banks are spending only just enough on cyber-security to make customers trust them. Indeed, when asked how significant the impact of cyber-security attacks has been, nearly twice as many executives pointed to customer trust as those who cited financial losses (39 percent versus 23 percent, respectively). Indicative of this, a majority of banks say budgets rise in line with perceived threats, while a lack of internal resources is cited as one of the key hurdles on the path toward better cyber security.
Cyber tech is a brilliant advancement in human technology, as a result of the cutting-edge reform it has brought to various sectors of industry at large. Unfortunately, every form of invention has its peril, and here the banking sector has been a major victim of cyber risks.

It is advisable to organize cyber security drills regularly to keep everyone in the organization alert to the threats looming in cyberspace.


Saturday, 20 May 2017

How will GST Impact IT Industry


Let us begin by looking at how the GST impact on the IT industry will roll out, going through the process from the beginning.

Ever since the Constitution Amendment 101st Bill was passed in the parliament (on 8 August 2016), businesses and consumers have been talking about the ramifications of the Goods and Services Tax (GST). GST is a refurbishment of the existing tax system to make it simpler.


The existing system of levying an excise duty, value-added tax, and central sales tax has been “taxing” to the consumer and to businesses. GST abolishes all these various taxes and levies only one tax rate across the nation. More importantly, the point of levy is supply. Supply or sale of goods and services includes transfer, barter, rental, lease, etc. For example, GST will replace a lot of direct and indirect taxes such as Central Excise Duty, Service Tax, Countervailing Duty, Special Countervailing Duty, Value Added Tax (VAT), Central Sales Tax (CST), Octroi, Entertainment Tax, Entry Tax, Purchase Tax, Luxury Tax, Advertisement taxes, and taxes applicable on lotteries. Under GST, goods and services are divided into four tax slabs of 5%, 12%, 18%, and 28%, with lower rates for essential items and the highest for luxury and de-merit goods, which would also attract an additional tax percentage.

GST will also allow easy compliance with the already complicated income tax system in the country. Since it brings uniformity in tax rates, businesses need not worry about setting up stalls in a tax-friendly area, bringing more competitiveness to the trade industry and boosting Indian exports. GST will also remove hidden costs of doing business, since it removes cascading taxes.

Even though GST is expected to provide economic growth, the GST council is yet to determine the rules regarding tax refund, registration, invoice debit and credit, the framework on input-tax credit, and valuation. The proposed sales tax under GST will also serve to reduce the current costs of production and boost the manufacturing sector. It is expected that most goods may become cheaper after the implementation of GST; however, quite a few services will become more expensive after the tax comes into effect. To name a few, services like Telecom, Insurance, Banking, Healthcare, Education and Transportation are set to become more expensive. Surprisingly, the greatest sources of revenue for the government, petroleum and alcohol for personal consumption, are kept out of the GST ambit.

GST Impact on the IT Industry

IT services have been taxed under the “services” category at 15%; with the onset of GST, IT services will be taxed in the 17-18% category, thus increasing the cost of IT services. This is how GST will impact the IT industry for end-customers who do not claim tax input credit.
It certainly gets tricky with Annual Maintenance Service Contracts, or AMCs: traders, under GST, will be eligible to avail the credit of services. Currently, IT service providers can’t claim credits of quality including the assessment or deal charge spent on setting up the IT infrastructure. Also, services charged by an IT service provider to a client who is a broker are an expense incurred for the IT service provider. Under GST, both IT service providers and their clients will be eligible to claim full credit of GST. This is expected to eliminate the cascading effects of the present tax structure. In the eCommerce space, the cascading tax will most certainly get stuck with the platform providers if they do not update the platform. For eCommerce traders, GST is expected to increase administrative costs.

Also, since e-tailers have hundreds of sellers on their platforms, it significantly increases the compliance burden. Small sellers will face cash-flow issues and will claim refunds on the tax paid on inputs, which the eCommerce platform may not support. The tax collection at source (TCS) guideline under GST will increase the administration and documentation workload for eCommerce firms.
The implementation, which will trigger financial transformations across all major industries, is just a couple of months away. If you are a business, it is time to get in touch with experts and see if you need to enroll for GST. The accounting will certainly change; more importantly, this may also be an opportunity to look for new business ideas.
For your requirements or information on HTTPS certificates, please visit HTTPS.IN.


Wednesday, 17 May 2017

SSL certificates validity period has changed.

3-year SSL Certificates lifetime reduced and here is the guide for you

Recently the CAB Forum reduced the maximum duration of SSL certificates from 3 years to 2 years+ (27 months), keeping in mind the inherent security and logistics issues.
Let us consider the new scenario for each type of certificate. If your practices or equipment require that certificates be replaced as infrequently as possible, you will want to use 3-year certificates for as long as possible. Bear in mind that CAs have chosen to stop issuing products prior to the industry-mandated deadlines. This may mean that some CAs choose to discontinue issuing 3-year SSL certificates before or by March 2018. If you have an existing 3-year certificate, you will need to revalidate if you reissue in the last year of its lifetime.
From March 1st, 2018, all new SSL certificates will be restricted to a maximum of 825 days (2 years + 3 months renewal buffer). This affects DV (Domain Validation) and OV (Organization Validation) certificates.
Given that this will impact how certificates are deployed and managed, we wanted to put together a quick summary of how this will impact those who use 3-year SSL certificates.
If you have an existing OV certificate:
If you have an existing 3-year SSL certificate, it will continue for 3 years. However, the new mandate will apply if the certificate is reissued during its existing validity period.
The change took effect very quickly and has caused a large amount of existing validation information to suddenly expire, which affects both new and existing certificates.
Validation is the process of proving the existence of your legally registered company. When your existing validation information expires, you will be required to redo this process, which will then be valid for the next 825 days.
The impact can be gauged from the date on which validation was performed, which may not be apparent to you because it is not necessarily the same as the start date of your certificate. This could affect a 1- or 2-year OV certificate as well. From a technical perspective, reissuing a certificate is the same as issuing a new certificate. This means that after March 2018, ALL newly issued certificates (including reissues) must have a maximum validity of 825 days.
If you have a DV certificate:
Starting March 2018, DV certificates will be limited to 825 days. Earlier you could continue to get a 3-year certificate. When you reissue a DV certificate, it is already common practice to revalidate domain ownership. This is a simple practice, which can be performed in a few minutes by setting up a DNS record, uploading a file to your server via FTP, or confirming an email.
If you have an EV certificate:
EV certificates are not affected by either of these changes. Since they meet the highest standards for identity, EV certificates are already limited to a maximum of 27 months, and validation information can only be reused for a maximum of 13 months.
This is as per the latest information received from CAB forum. Subscribe to our blog for latest information and updates.
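
A check for the 825-day rule described above, as an added example that is not from the original post or from the CAB Forum: it parses the date lines printed by `openssl x509 -noout -dates`, classifies a certificate against the cap, and shows how much lifetime a reissue would lose. The function names, status labels and the three sample certificates are constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_VALIDITY = timedelta(days=825)   # cap stated in the post
CUTOFF = datetime(2018, 3, 1)        # cap applies to certificates issued from this date


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`.

    Times are printed in GMT; the suffix is dropped and naive datetimes are returned.
    Month abbreviations are parsed with %b, so an English/C locale is assumed.
    """
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # ignore anything that is not key=value
        value = value.strip()
        if value.endswith(" GMT"):
            value = value[:-4]
        fields[key.strip()] = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return fields["notBefore"], fields["notAfter"]


def assess(not_before, not_after, reissue_on):
    """Classify a certificate against the 825-day cap and model a reissue.

    status:
      within-cap     lifetime is 825 days or less
      grandfathered  longer than 825 days but issued before the cutoff
      exceeds-cap    longer than 825 days and issued on/after the cutoff
    A reissue counts as a new issuance, so if it happens on/after the cutoff
    the reissued certificate cannot expire later than reissue_on + 825 days.
    """
    lifetime = not_after - not_before
    report = {
        "lifetime_days": lifetime.days,
        "reissue_not_after": not_after,
        "days_lost_on_reissue": 0,
    }
    if lifetime <= MAX_VALIDITY:
        report["status"] = "within-cap"
    elif not_before >= CUTOFF:
        report["status"] = "exceeds-cap"
    else:
        report["status"] = "grandfathered"

    if reissue_on >= CUTOFF:
        latest_expiry = reissue_on + MAX_VALIDITY
        if not_after > latest_expiry:
            report["reissue_not_after"] = latest_expiry
            report["days_lost_on_reissue"] = (not_after - latest_expiry).days
    return report


# Constructed sample outputs of `openssl x509 -noout -dates` (not real certificates).
SAMPLE_3YR_BEFORE_CUTOFF = """notBefore=Feb 15 00:00:00 2018 GMT
notAfter=Feb 14 23:59:59 2021 GMT"""
SAMPLE_3YR_AFTER_CUTOFF = """notBefore=Apr  2 00:00:00 2018 GMT
notAfter=Apr  1 23:59:59 2021 GMT"""
SAMPLE_2YR_AFTER_CUTOFF = """notBefore=May  1 00:00:00 2018 GMT
notAfter=Apr 30 23:59:59 2020 GMT"""

if __name__ == "__main__":
    reissue_date = datetime(2018, 4, 1)   # hypothetical reissue date
    for name, sample in [
        ("3-year, issued before cutoff", SAMPLE_3YR_BEFORE_CUTOFF),
        ("3-year, issued after cutoff", SAMPLE_3YR_AFTER_CUTOFF),
        ("2-year, issued after cutoff", SAMPLE_2YR_AFTER_CUTOFF),
    ]:
        nb, na = parse_openssl_dates(sample)
        print(name, assess(nb, na, max(reissue_date, nb)))
```

The first sample shows the practical consequence of the rule: a 3-year certificate issued just before the cutoff stays valid, but reissuing it after March 1st, 2018 shortens its remaining lifetime.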