Our Credit Application (Pdf: Fill & Download for Free

Top 10 Cyber Security breaches of 2015[Image Credit: Logic Works]Data breaches have become a status quo considering how attackers keep finding paths to infiltrate networks and steal confidential information. Last year, we have seen big industry breaches such as Sony, JP Morgan Chase, Target, eBay etc. This year hasn’t changed much. The security industry has seen not just targeted attacks at these organizations but also there is this theme around the nation-state-sponsored hackers because they are generally resourced the best, and their collective motivations run across the spectrum. While the security breach barrage on one end continues, investments are pouring into security technologies on the other end and it’s clearly not enough.Here are the top 10 cyber security breaches of 2015 categorized from least to most compromised records.10. SlackWhen it happened: March 2015No of records compromised: 500,000 email addresses and other personal account data (phone number, Skype ID, etc)Slack’s blog confirmed that Slack’s hashing function is bcrypt with a randomly generated salt per-password. We have seen so many unauthorized database incidents before. Haven’t we? Think about HipChat and Twitch. It was not too long before they experienced similar breach.Lesson Learned: For companies that are still relying on passwords, it’s a blow. Do not just use salting. Invest in technologies and people to prevent hackers getting access to your database in the first place. Overcome the post-breach mindset.9. Hacking TeamWhen it happened: July 2015No of records compromised: 1 million emailsThe Hacking Team develops spy tools for government agencies, including those that can go around traditional anti-virus solutions.This breach published more than 1 million emails from the Italian surveillance company, revealing its involvement with oppressive governments as well as multiple Flash zero-day vulnerabilities and Adobe exploits. As a cyber security professional, this is definitely frightening. A full list of Hacking Team's customers were leaked in the 2015 breach that included mostly military, police, federal and provincial governments.Lesson Learned: Patch your systems and applications. Inventory your systems and applications. This has been extensively covered as part of NIST SP-800-137, SANS CSC and ASD.8. KasperskyWhen it happened: June 2015No of records compromised: Affected multiple customersKaspersky blog reported that “We’ve found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran’s nuclear program and in the 70th anniversary event of the liberation of Auschwitz”.If you don’t know about Duqu, it’s sometimes referred to as the stepbrother of Stuxnet. One of the most notable features of Duqu 2.0 was its lack of persistence, leaving almost no traces in the system. The malware made no changes to the disk or system settings: the malware platform was designed in such a way that it survives almost exclusively in the memory of infected systems. The technical details about this are published here.Kaspersky’s breach just proves that some of the security-conscious organizations can fall victim to determined hackers.Lessons Learned: Security teams have to adopt this as part of continuous monitoring strategy. Know your network. Train your teams to alert for any suspicious activity on the network. Do not just monitor inbound communications. Be watchful of all the security updates as a general best practice.7. CareFirst BlueCross BlueShieldWhen it happened: May 2015No of records compromised: 1.1 million records1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.CareFirst discovered the breach as part of a Mandiant-led security review that found hackers had gained access to a database that members use to get access to the company's website and servicesLesson Learned: Enable DNS query logging to detect hostname lookup for known malicious C2 domains. Detect random string entropy - unknown certificates, file names etc. Disclose and communicate data breaches in a timely manner.6. LastPassWhen it happened: July 2015No of records compromised: 7 million usersThe password management company LastPass revealed that it had been the victim of a cyberattack, compromising email addresses, password reminders, server per user salts and authentication hashes. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed”, the company said.Salts are really not useful for preventing dictionary attacks or brute force attacks. One of the drawbacks of the hashing algorithm PBKDF2-SHA256 employed by LastPass is that it was not designed to protect passwords.Lesson Learned: For end users, make sure you rotate master passwords periodically. Also ensure that you have password reminders/recovery questions different for every critical application.5. Premera BlueCross BlueShieldWhen it happened: March 2015No of records compromised: 11.2 million recordsPremera BlueCross BlueShield said in March that it had discovered a breach in January that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. The breach compromised subscriber data, which includes names, birth dates, Social Security numbers, bank account information, addresses and other information. There were suits filed against Premera for waiting roughly six weeks to tell victims that their data might have been exposed. Pile of lawsuits filed against Premera— for being negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.ThreatConnect blog indicates that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the “m” with two “n” characters within the faux domain.It definitely looks like suspicious domain, prennera.com which is likely a spoof of Premera, and a malicious payload signed with the same digital certificate as malware from the Anthem hack.Lesson Learned: Enable DNS query logging to detect hostname lookup for known malicious C2 domains. Detect random string entropy - unknown certificates, file names etc. Monitor for overly short certificates, certificates with missing information, etc. Disclose and communicate data breaches in a timely manner.4. Experian/T-MobileWhen it happened: October 2015No of records compromised: 15 million people’s recordsT-Mobile uses Experian to process its credit applications. Experian Plc (EXPN.L), the world's biggest consumer credit monitoring firm disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc.Experian explained the details on its Web site:The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.Brian Krebs reported in his blog that the Experian’s Decision Analysis credit information support portal allowed anyone to upload arbitrary file attachments of virtually any file type. Those experts said such file upload capabilities are notoriously easy for attackers to use to inject malicious files into databases and other computing environments, and that having such capability out in the open without at least first requiring users to supply valid username and password credentials is asking for trouble. Experian’s insecurity has dragged T-Mobile into its privacy scandal.Lesson Learned: Bake security assessment as part of acquisition strategy. Also, do not open systems exposed to internet without any form of authentication.3. Office of Personnel ManagementWhen it happened: June 2015No of records compromised: 21-25 million federal workers records (including both breaches)On Sep23, OPM Press Secretary Sam Schumach stated that “Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million”.These kind of breaches involving biometric data like fingerprints are unique and particularly concerning because you cannot rotate these unlike passwords. These are permanent identity of those people.A report (PDF) by OPM’s Office of the Inspector General on the agency’s compliance with FISMA finds “significant” deficiencies in the department’s IT security. The report found OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program. The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to access OPM systems. “We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program,” the report concluded.Lesson Learned: Implement multi-factor authentication for admins accessing sensitive systems, implement continous monitoring strategy. It is important to constantly fine-tune your logs and baseline your environment.2. Ashley MadisonWhen it happened: July 2015No of records compromised: 37 million clientele recordsAshley Madison made headline after a hacking group, the Impact team penetrated its servers and published the information of all 37 million users online.The hackers leaked maps of sensitive information - including internal company servers, employee network account information, company bank account data and salary information. According to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials.In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only.” Aside from hardcoded credentials, Szathmari also noted that the website didn't employ form or email validation to help screen out bots.Lesson learned: Never ever store clear-text sensitive data in your source code, rotate your API tokens and service credentials. Educate software developers about secure coding practices1. AnthemWhen it happened: Feb 2015No of records compromised: 80 million patient and employee recordsThe breach was revealed in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. The attack would not have been possible if Anthem had ensured that data at rest was securely encrypted and as a result, millions of peoples’ confidential information would not be in the hands of the hackers.Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT as part of Anthem breach.ThreatConnect blog indicates that the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. They also confirmed that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.Lesson learned: Do not just rely on perimeter security. Use a threat intelligence platform to be able to recognize potential malware activity from multiple threat intelligence sources and act upon. Encrypt data-at rest and ensure that the encryption keys, network access control and identity management all work together to ensure data is secure.In 2016, attacks are only going to get worse and we need to step up our game rather than just relying on tools. More security vendors will be targeted, drones hacked, ERP platforms continuing to be used as conduits to cause real-world physical damage by attacking industrial control systems, more darknets and blackmarkets surge and more nation-sponsored attacks to come.

A2A: As other have said, an accepted paper in a recognized journal counts as real publication, so you should definitely list this publication in your PhD applications. It’s good evidence that you are beginning to function as a real researcher. If this is your best piece of work, you may also want to give a quick summary of the project in your Statement of Purpose.It will be more persuasive if your faculty advisor or faculty co-author (if any) is able to write a recommendation letter that says good things about this project and that clearly indicates what your role was in the work. Extra credit if this person is someone who is on the faculty of a good research school, so that we know they understand what good-quality graduate-level research looks like.If you are allowed to put the paper (or a preprint version) online in some place like arXiv, that will make it easy for us to look at the content if we want to. Otherwise, offer to make the paper available to us upon request — mailing a PDF file if there’s no better way. It’s unlikely that we will have time to read a journal-length paper in any case, but someone on our faculty might want to see what it’s really about in order to determine whether you might fit into their research group.

Yes, it will. A higher price for something will reduce the demand for it.Applications for 2012 are 15% down on 2011. That overstates the impact of fees: some of the reflects people applying early to avoid the increase, some of it reflects people not applying, however there will be fewer people attending. [1]According to the OECD the UK already had amongst the highest prices for university attendance [2] - and that was before they were increased.The UK has the third highest university fees in the developed world, according to analysis by the Organisation for Economic Co-operation and Development.The annual Education At A Glance study (pdf)– conducted before fees almost treble next year to a maximum of £9,000 – shows the UK is the most expensive after the United States and Korea.According the UK Government (Department of Business Innovation & Skills) report from Sept 2010 [3], before the tripling of fees:Our results indicate that a £1,000 increase in fees results in a 4.4ppt decrease in university participationThanks to JP Spencer for his expaining his point. He is correct: no-one will be ''prevented'' in the sense of denied access for lack of funds upfront (there is no credit test on the loan, for example).However the higher price will reduce demand and being unaffordable is another way of preventing access.UPDATE Nov 2012Latest Ucas stats show applications for 2013 down 8.4% on last year, and that was after a 12.9% drop from Nov 2011 to Nov 2012.[1]http://www.guardian.co.uk/education/2011/nov/28/university-applications-uk-students-fees[2]http://www.guardian.co.uk/education/2011/sep/13/uk-young-people-education-oecd[3]http://www.bis.gov.uk/assets/biscore/corporate/docs/i/10-1188-impact-finance-on-university-participation.pdf