How a Hacker can Attack a Mobile Application
Cyber Warnings E-Magazine – January 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide

CYBER WARNINGS CONTENTS

Welcome to Blackhat 2014! ... 3
How a Hacker can Attack a Mobile Application ... 5
The Many Faces of Insider Threats ... 8
Heartbleed vulnerability, 600 products, 100 vendors ... 12
As Cyber Threats Increase, Good Hygiene Can Help ... 18
Customer Concerns about Mobile Payment Security ... 21
Context-Based Authentication for the Enterprise ... 24
Protecting Files, Government Style ... 28
Cognitive Biometrics: The Final Frontier of Authentication ... 32
Dynamic Cryptography and Why it Matters? ... 34
Why is password creation so hard? (Part 3) ... 37
Secure your code with analysis and scanning ... 43
Email Threats: A thing of the past? ... 46
Dodging disaster: Cybersecurity and business continuity ... 49
Consumers Need to Know About Corporate Data Breaches in a Timely Fashion ... 52
Improve Your Computer’s Security in 5 Simple Steps ... 56
Combat Advanced Cyberattacks with Shared Security Intelligence ... 59
Phishing Attacks aren’t a Passing Threat ... 62
Why Security Incidents are different — and more dangerous — than IT Incidents ... 68
The cinch of Hacking: Social Engineering ... 71
Enterprise Security and the Machine Data Tsunami ... 76
Top 5 breaches in the financial sector ... 78
Is It Time to Outsource Your Security Education? ... 81

Published monthly by Cyber Defense Magazine and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT: Stevin Victor, [email protected]
EDITOR: PierLuigi Paganini, CEH, [email protected]
ADVERTISING: Jessica Quinn, [email protected]
KEY WRITERS AND CONTRIBUTORS: Pierluigi Paganini, Patrick Kehoe, Tom Cross, Bob Dix, John Dancu, Reed Taussig, Paul Brubaker, Oren Kedem, Milica Djekic, Josephine Rosenburgh, Art Dahnert, Fred Touchette, Stephen Cobb, Tom Feige, Mike James, V Bala, Joe Ferrara, Ivo Wiens, Hitansh Kataria, Joan Pepin, Dan Virgillito and many more…
Interested in writing for us: [email protected]
CONTACT US: Toll Free: +1-800-518-5248; Fax: +1-702-703-5505; SKYPE: cyber.defense; Magazine: http://www.cyberdefensemagazine.com

Cyber Defense Magazine Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC, 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-188465, DUNS# 078358935. All rights reserved worldwide. [email protected]
Executive Producer: Gary S. Miliefsky, CISSP®

Cyber Warnings E-Magazine – July 2014 Edition

Welcome to Blackhat 2014!

As the summer starts to come to a close, Black Hat returns to Las Vegas for its 17th year running to bring together some of the brightest, most innovative minds in the IT Security universe. With more than 150 of the industry’s top solution providers and start-ups displaying their latest technologies, services, and tools, it helps the information technology world we know thrive.
The six-day conference will include four days of IT Security training followed by two days of IT security briefings. Join Cyber Defense Magazine as we take a trip to Las Vegas to educate ourselves in the essential skills and knowledge to defend ourselves against today’s threats.

With over 1 billion smartphones being shipped in 2014, hackers have a playground set for deploying their tools for cybercrime, fraud and spying. The number of automated and free tools for hacking has risen significantly, thereby only increasing the chances of such incidents. Read on in this edition about commonly used exploits and loopholes in the mobile devices ecosystem.

Other vast areas where much focus should be laid are enterprise security and insider threats. Disgruntled or negligent employees can cause much harm to an organization’s data, including its trade secrets. In this age, where corporate espionage is rampant, security systems should be hardened to shut down all classes of insider threats.

Heartbleed continues to be present in the news due to the fact that more than 590 different products from 100 different vendors have so far been recorded as vulnerable. Device manufacturers and vendors are sifting through code to identify OpenSSL versions and are also working on patches.

We hope you enjoy this month’s edition of Cyber Warnings e-Magazine as we cover these and other exciting topics, as well as a trip report by our Executive Producer from the Black Hat USA conference.

To our faithful readers, Enjoy

Pierluigi Paganini
Pierluigi Paganini, Editor-in-Chief, [email protected]

P.S. Congrats Dave Schippers (USA) – this month’s contest winner!
How a Hacker can Attack a Mobile Application
by Patrick Kehoe, Chief Marketing Officer, Arxan Technologies

We live in a mobile, personal world -- in 2014, IDC and TechCrunch estimate that ~1.9B mobile phones will be shipped, with nearly 1B being smartphones. Businesses that are most efficiently adapting to today’s “App Economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world. However, where business opportunities abound, opportunities for “blackhats” to conduct illicit and malicious activity abound as well. Application hacking is becoming easier and faster than ever before. Let’s explore why:

It’s Fast
Recent research found that in 84% of cases, the initial compromise took hours or less to complete.

It’s Relatively Easy
There are automated tools readily available in the market to support hacking, and many of them are available for free!

Mobile Apps are “Low-Hanging Fruit”
In contrast to centralized web environments, mobile apps live “in the wild”, on a distributed, fragmented and unregulated mobile device ecosystem. Unprotected binary code in mobile applications can be directly accessed, examined, modified and exploited by attackers – especially specialists from the new “black market economy” who realize greater efficiencies and scale in app hacking.

Hackers are increasingly aiming at binary code targets to launch attacks on high-value mobile applications, across all platforms. For those of you who may not be familiar, binary code is the code that machines read to execute an application – it’s what you download when you access mobile applications from an app store like Google Play.
Well-equipped hackers seek to exploit two categories of binary-based vulnerabilities to compromise apps:

Exploitable Binary-based Vulnerabilities

Code Modification or Code Injection – This is the first category of binary-based vulnerability exploits, whereby hackers conduct unauthorized code modifications or insert malicious code into an application’s binaries. Code modification or code injection threat scenarios can include:
• A hacker or hostile user modifying the binary to change its behavior – for example, disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the app – and potentially distributing it as a patch, crack or even as a new application.
• A hacker injecting malicious code into the binary, and then either repackaging the application and publishing it as a new (supposedly legitimate) app, distributed under the guise of a patch or a crack, or surreptitiously (re)installing it on an unsuspecting user’s device.
• A rogue application performing a drive-by attack (for example, via the run-time method known as swizzling, or function/API hooking) to compromise the target application (in order to lift credentials, expose personal and/or corporate data, redirect traffic, etc.)

Reverse Engineering or Code Analysis – This is the second category of exploitable binary vulnerabilities, whereby application binaries can be analyzed statically and dynamically. Using intelligence gathered from code analysis tools and activities, the binaries can be reverse-engineered, and valuable code (including source code), sensitive data or proprietary IP can be lifted out of the application and re-used or re-packaged.
Reverse engineering or code analysis threat scenarios can include:
• A hacker analyzing or reverse-engineering the binary, and identifying or exposing sensitive information (keys, credentials, data) or vulnerabilities/flaws for broader exploitation
• A hacker lifting or exposing proprietary intellectual property out of the application binary to develop counterfeit applications
• A hacker reusing and “copy-catting” an application, and submitting it to an app store under his/her own branding (as a nearly identical copy of the legitimate application)

A summary of binary exploits is provided in the graphic.

Graphic: Ways That Apps Are Being Hacked Via Binary Exploits

With so much of your organizational productivity riding on the reliable execution of your apps, and such a small barrier for hackers to overcome superficial protection schemes, Application Hardening and Run-Time Protection are mission-critical security capabilities that are required to proactively defend, detect, and react to attempted application compromises. Hardening and Run-Time Protection can be achieved with no impact to source code, via an automated insertion of “guards” into the binary code. When implemented properly, layers of guards are deployed so that both the application and the guards are protected, and there’s no single point of failure. Arxan enables developers and security engineers to protect applications with such guards.
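The layered-guard idea above (guards that protect the application and also protect each other, so there is no single point of failure) can be shown with a small checksum guard. The program below is an added example written for this transcription; it is not Arxan’s code or any product’s implementation. It hashes a constructed stand-in for a code region, and a second guard hashes the first guard’s own record, so an attacker who patches the code and then rewrites the first guard’s expected value is still caught by the second layer. The FNV-1a hash, the sample bytes, and every function and constant name are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FNV-1a (32-bit): cheap integrity hash for tamper detection.
 * It is not a MAC; a real guard would also hide or derive the expected value. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* One guard record: a region of the image and the hash it must have. */
typedef struct {
    const uint8_t *start;
    size_t len;
    uint32_t expected;
} guard_t;

/* Constructed stand-in for a protected code/resource region of the binary
 * (in a real app this would be the bytes of a function or a bundled asset). */
uint8_t app_code[32] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    0x89, 0x7d, 0xfc, 0x8b, 0x45, 0xfc, 0x83, 0xc0,
    0x01, 0xc9, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

enum { GUARD_CODE = 0, GUARD_OF_GUARD = 1, NGUARDS = 2 };
guard_t guards[NGUARDS];   /* global, so zero-initialised and padding is deterministic */

/* "Build time": guard 0 covers app_code; guard 1 covers guard 0's own record.
 * Tampering with the code trips guard 0; tampering with guard 0 trips guard 1. */
void seal_guards(void)
{
    guards[GUARD_CODE].start = app_code;
    guards[GUARD_CODE].len = sizeof app_code;
    guards[GUARD_CODE].expected =
        fnv1a32(guards[GUARD_CODE].start, guards[GUARD_CODE].len);

    guards[GUARD_OF_GUARD].start = (const uint8_t *)&guards[GUARD_CODE];
    guards[GUARD_OF_GUARD].len = sizeof guards[GUARD_CODE];
    guards[GUARD_OF_GUARD].expected =
        fnv1a32(guards[GUARD_OF_GUARD].start, guards[GUARD_OF_GUARD].len);
}

/* "Run time": re-hash every region. Returns the index of the first guard
 * that fails, or -1 when the image is intact. */
int verify_guards(void)
{
    for (int i = 0; i < NGUARDS; i++) {
        if (fnv1a32(guards[i].start, guards[i].len) != guards[i].expected)
            return i;
    }
    return -1;
}

/* Custom-response hook: here only a message; a product would alert,
 * self-repair, or degrade functionality. */
const char *guard_response(int failed_guard)
{
    switch (failed_guard) {
    case -1:             return "intact";
    case GUARD_CODE:     return "code region modified";
    case GUARD_OF_GUARD: return "guard record modified";
    default:             return "unknown guard";
    }
}

int main(void)
{
    seal_guards();
    printf("fresh image: %s\n", guard_response(verify_guards()));

    app_code[10] ^= 0xff;   /* simulate one patched instruction byte */
    printf("patched code: %s\n", guard_response(verify_guards()));

    /* Simulate an attacker who also rewrites guard 0's expected hash so the
     * patched code "passes": the second layer still reports the change. */
    guards[GUARD_CODE].expected = fnv1a32(app_code, sizeof app_code);
    printf("patched code + patched guard: %s\n", guard_response(verify_guards()));
    return 0;
}
```

The second guard hashes the first guard’s record rather than the code again, which is what makes the layering useful: defeating the scheme requires finding and neutralising every guard consistently, not just the one that covers the function of interest. In a shipped binary the expected values would not sit in plain global memory as they do here.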
Arxan’s unique patented guarding technology:
• Defends applications against compromise via a range of techniques including: Code Obfuscation, Pre-Damage, Encryption, String Encryption, Symbol Stripping and Renaming
• Detects attacks through Jailbreak or Root Detection, Resource Verification, Checksum, Debugger Detection, Swizzling/Hook Detection, and other means
• Reacts to ward off attacks with Self-Repair, Custom Responses, and Alerts

Arxan’s approach is unique and scalable, requiring no changes to source code and making it easy to integrate into existing applications. Arxan also works with all major computing platforms, with the ability to standardize on application security process and tools. This reduces the need to leverage multiple security providers and integrate application protection solutions.

Recent history shows that despite our best efforts, the “plumbing” of servers, networks, and end-points that run our apps can easily be breached, so it is high time to focus on the application layer!

About the Author
Patrick Kehoe is the Chief Marketing Officer of Arxan Technologies. He and the team at Arxan are in the business of understanding application security vulnerabilities and deploying approaches to protect applications - building on over 10 years of research and intellectual capital on this topic. Patrick brings over twenty years of experience working with software, hardware, and service providers in the High Tech industry. He holds a degree in Computer Science from Vanderbilt University and an MBA from the Darden Graduate School of Business at the University of Virginia. In his spare time, he enjoys triathlons and traveling with his family. Patrick can be reached at (301) 968-4290 and at the Arxan website http://www.arxan.com

The Many Faces of Insider Threats
By Tom Cross, Director of Security Research, Lancope, Inc.
The WikiLeaks disclosures and other news events have caused the insider threat to recently become a more prominent topic. According to a survey conducted by Lancope, concerns over the insider threat are rising, with 40 percent of respondents citing it as a top risk to their organization. It is important to understand that there are several types of insider threat, and that each type requires a different approach from a cybersecurity standpoint.

Who Is the Insider Threat?

At Lancope, we view the insider threat as three distinct categories of threat actor:
• Negligent Insiders - Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane
• Malicious Insiders - Insiders who intentionally steal data or destroy systems – such as a disgruntled employee who deletes some records on his last day of work
• Compromised Insiders - Insiders whose access credentials or computers have been compromised by an outside attacker

When people talk about the insider threat, they are often referring to negligent insiders who accidentally harm systems or leak data due to carelessness. However, the other categories of insider threat also represent significant challenges for organizations. It is important to understand what impact each category of insider threat has for your organization so that you can implement the right responses. A program focused on one of these types of threats won’t necessarily protect the organization against the others. What steps can you take to protect your organization against each type of insider threat?

Negligent Insiders

Negligent insiders don’t mean to do anything wrong – they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and “data breaches” fit this description.
Various measures can be used to deter negligent activity and “keep honest people honest.” Access controls can prevent people from obtaining sensitive data that they do not need in order to do their jobs. Encryption of data at rest can also help prevent data loss by negligent insiders in the event that they lose their laptops or other equipment.

User education also matters here. Anything you can do to get employees to be more conscientious with company data can have a positive impact – for example, providing dummy datasets to developers so that they don’t work with real PII on development systems. You want the path of least resistance for people to get their jobs done to also be a path that protects sensitive data.

Malicious Insiders

Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems. In most cases, malicious insiders were once happy employees – cases of malicious attacks on computer systems by employees often result from a breakdown in the relationship between the employee and the company, which can happen for a variety of different reasons.
Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding hundreds of real-world cases of attack by malicious insiders has shown that most incidents fit into one of three categories:
• IT Sabotage - Someone destroys data or systems on the network
• Fraud - Someone is stealing confidential data from the network for financial gain
• Theft of Intellectual Property - Someone is stealing intellectual property for competitive advantage or business gain

The motivations that turn insiders against their organizations are diverse, and can include:
• Job/Career Dissatisfaction – When someone is extremely dissatisfied with their current work or career situation, they may attempt to harm their employer by destroying or stealing data.
• Monetary Gain – When exposed to valuable data that could make them money on the black market, some employees will be unable to resist the temptation to steal and sell it.
• Espionage – Both nations and corporations have been known to plant insiders within organizations for the sole purpose of stealing trade secrets and intellectual property for espionage.
• Activism – Activists are associated with a particular ideological movement, and can use the theft and exposure of confidential data to bring attention to their cause.

Good access controls can help prevent damage done by malicious insiders. Checks and balances are also extremely important in this arena, especially as it pertains to financial data. It is critical to have multiple people keeping an eye on sensitive transactions so that no one person can single-handedly circumvent company policy.

Cases of insider malice are often identified and investigated through the use of logs. It is important to collect logs from endpoint systems and network devices. Different kinds of logs might be relevant to different kinds of incidents.
For example, a case of financial fraud might be detected by examining database logs from a credit card processing system, whereas a case of data theft might be noticed through monitoring of network traffic. Proactively monitoring network and system transactions can serve as a deterrent in discouraging malicious insiders from sabotaging or stealing data, since they know that their activities might be discovered.

Compromised Insiders

A compromised insider is really an outsider – it is someone who has access to your network as an authorized user, but they aren’t who they are supposed to be. Compromised insiders are a much more challenging type of insider threat to combat since the real attacker is on the outside, with a much lower risk of being identified. Typically, no amount of deterrence will discourage them from carrying out their attack. Furthermore, traditional security solutions that focus on catching malware and exploits cannot identify unauthorized use of legitimate accounts. In this case, closely monitoring network activity is really the only way to uncover and shut down this type of threat.

Leveraging Network and Security Monitoring

Monitoring activity through various logs is really the key to successfully identifying and shutting down all of these classes of insider threat. By leveraging network activity logs from various technologies such as firewalls, IPS systems, SIEMs, packet capture and NetFlow, organizations can more easily be aware of and subvert insider attack attempts. All of these technologies have their strengths and weaknesses in terms of expense, level of network visibility provided, and privacy concerns, but should all be evaluated as part of an effective insider security strategy. By collecting and analyzing metadata from throughout the entire network, NetFlow in particular provides a wide breadth of visibility at a reasonable cost and without the privacy concerns associated with full packet capture.
NetFlow can be leveraged for both real-time threat detection, as well as to create a network audit trail of previous transactions for use in forensic investigations. Some NetFlow-based monitoring solutions such as Lancope’s StealthWatch System also enable the integration of identity data so that organizations can see exactly who is responsible for causing specific issues.

Being aware of the various insider threat profiles can help organizations use network logs to zero in on certain behaviors on their network that could be indicative of an attack, such as unusually large file transfers or attempts to access restricted areas. For example, excessive amounts of traffic from one user’s computer to the printer could signify an attempted theft of intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address in another country, it could indicate that the user’s computer is compromised.

It Takes More Than Technology

It is also important to recognize that technology alone cannot prevent insider threats. It has to be a cross-organizational effort that also involves HR, Management and Legal. For example, if HR alerts IT about a disgruntled employee, their network activity can be monitored so that anomalous behaviors such as logging on at unusual hours of the day can be swiftly investigated. And without the involvement of other groups within the company, malicious behaviors discovered by IT cannot be properly addressed.

In a recent survey conducted by The Ponemon Institute, 54 percent of respondents said that they did not have a multi-disciplinary insider threat program in their organization. An additional 17 percent of respondents said that they did have a defined insider threat program, but that the participants were limited to just the IT department.
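The behaviors named above (a large volume pushed from one user’s machine to a single destination such as a printer, repeated contact with an unfamiliar address in another country, and activity at unusual hours) are simple enough to check against flow metadata once identity has been joined to it. The program below is an added example for this transcription, not Lancope’s or StealthWatch’s code: it scores a handful of constructed NetFlow-style records per user and raises one alert flag per behavior. The field names, thresholds, the home country, and the list of sanctioned external services are all assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One flow record after identity has been joined to it: metadata only, no payload. */
typedef struct {
    const char *user;     /* user associated with the source host */
    const char *dst;      /* destination address */
    const char *dst_cc;   /* destination country code */
    uint64_t bytes;       /* bytes sent by the user's host in this flow */
    int hour;             /* local hour of day (0-23) when the flow started */
} flow_t;

/* Constructed sample flows (not real traffic). */
const flow_t flows[] = {
    { "alice", "10.0.5.20",     "US", 12000,                10 }, /* file server, normal */
    { "alice", "10.0.9.9",      "US", 300ULL * 1024 * 1024, 11 }, /* printer, large job */
    { "alice", "10.0.9.9",      "US", 300ULL * 1024 * 1024, 14 }, /* printer again */
    { "bob",   "203.0.113.7",   "XX", 4000,                  3 }, /* unfamiliar foreign host, 3 am */
    { "bob",   "203.0.113.7",   "XX", 4200,                  4 },
    { "carol", "198.51.100.10", "DE", 50000,                 9 }, /* sanctioned SaaS provider */
};
const size_t nflows = sizeof flows / sizeof flows[0];

/* Tunables: assumptions for the example, to be set from a site baseline in practice. */
#define LARGE_XFER_BYTES (500ULL * 1024 * 1024)   /* per user, per destination */
#define HOME_CC "US"
#define OFF_HOURS(h) ((h) < 6 || (h) > 22)

enum { ALERT_LARGE_XFER = 1, ALERT_FOREIGN_DST = 2, ALERT_OFF_HOURS = 4 };

/* External services that are expected to sit outside the home country. */
static const char *known_external[] = { "198.51.100.10", NULL };

static int is_known_external(const char *dst)
{
    for (const char **p = known_external; *p; p++)
        if (strcmp(*p, dst) == 0) return 1;
    return 0;
}

/* Bytes one user sent to one destination across all flows. */
uint64_t bytes_to_dst(const char *user, const char *dst, const flow_t *f, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(f[i].user, user) == 0 && strcmp(f[i].dst, dst) == 0)
            total += f[i].bytes;
    return total;
}

/* Returns a bitmask of ALERT_* flags raised by the user's flows. */
int score_user(const char *user, const flow_t *f, size_t n)
{
    int flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(f[i].user, user) != 0) continue;
        if (bytes_to_dst(user, f[i].dst, f, n) > LARGE_XFER_BYTES)
            flags |= ALERT_LARGE_XFER;
        if (strcmp(f[i].dst_cc, HOME_CC) != 0 && !is_known_external(f[i].dst))
            flags |= ALERT_FOREIGN_DST;
        if (OFF_HOURS(f[i].hour))
            flags |= ALERT_OFF_HOURS;
    }
    return flags;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol" };
    for (size_t u = 0; u < 3; u++) {
        int flags = score_user(users[u], flows, nflows);
        printf("%-6s flags=%d%s%s%s\n", users[u], flags,
               (flags & ALERT_LARGE_XFER)  ? " large-transfer" : "",
               (flags & ALERT_FOREIGN_DST) ? " unfamiliar-foreign-dst" : "",
               (flags & ALERT_OFF_HOURS)   ? " off-hours" : "");
    }
    return 0;
}
```

Each flag maps to one of the profiles in the article: the large-transfer flag to a possible theft of intellectual property, the unfamiliar-foreign-destination flag to a possibly compromised host, and the off-hours flag to the kind of anomaly HR-driven monitoring would escalate. Aggregating by user and destination rather than per flow is what lets the printer case surface, since no single print job exceeds the threshold on its own.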
While it has begun to garner some attention recently, the insider threat definitely requires more of a focus moving forward. In order to be truly effective, insider threat management programs need to involve a broad understanding of the various types of attackers and motivations attached to insider threats, as well as include the right mix of tools and individuals necessary to effectively detect and thwart attack attempts.

About the author
Tom Cross is Director of Security Research at Lancope. He has over a decade of experience as a security researcher and thought leader. He is credited with discovering a number of critical security vulnerabilities in enterprise-class software, and frequently speaks on security issues at conferences around the world.

Heartbleed vulnerability, 600 products, 100 vendors
2 months later, and they are still patching!
by Kasper Lindgaard, Director of Research and Security, Secunia

590 different products from 100 different vendors have so far been recorded as having been made vulnerable by the Heartbleed vulnerability, which was publicly disclosed on April 7th, after an untidy disclosure process – a process which caused Heartbleed to send the IT community reeling, and triggered much more commotion than the vulnerability’s actual criticality warranted.

When the news about Heartbleed broke, software vendors around the world scrambled to identify which of their products and services were affected by the vulnerability. The sense of urgency stemmed from the fact that 1) Heartbleed was exploited immediately after disclosure (and may have been exploited before), and 2) from the disclosure process, which had caused rumors and information about Heartbleed to swirl around various online forums for a week prior to the public disclosure.
Additionally, some of the big providers had a head start and were able to patch their servers prior to disclosure – confirmed are Facebook, Akamai, CloudFlare and of course Google, whose researcher Neel Mehta originally discovered Heartbleed. This semi-publicity effectively meant that all hackers great and small would have had ample opportunity to develop and use exploits, targeting any product relying on a vulnerable version of OpenSSL – and thereby any organization using one of those products within their IT infrastructure, as well as private users using one of these products.

The underlying drama was that because of the nature of Heartbleed, you couldn’t actually tell if you had been hacked. You were essentially fighting flimsy ghosts that could quickly turn into corporeal monsters.

The vendors: Identification and fixing

For the software vendors, time was of the essence – development teams, product teams and internal IT teams everywhere went through code to identify which products had which versions of OpenSSL installed. Once identified, the vulnerable programs needed to be patched, the impact applicable to their set-up analyzed, and then customers had to be informed of the issue(s) and of the fix, which could include a reset of passwords.

In the ensuing weeks, the internet abounded with stories about servers and routers being vulnerable and how the risk of erroneous updates was making matters worse. Experts were advising businesses and end-users on what actions to take to protect themselves, and everybody’s pulse was kept up, which from a security awareness perspective is a positive effect that hopefully has some residual effect.
Their customers: Assessing and protecting

Once the vendors had mapped the consequences and developed patches for those of their products that were affected by Heartbleed, their customers were able to act: IT security and operations teams in organizations everywhere were hard at work assessing risk and putting together a prioritized patch strategy for dealing with all eventualities, while of course focusing on protecting the most business critical data first.

For many organizations - vendors and customers alike – dealing with Heartbleed was a test of their policy for handling security incidents. For some, it was a grim lesson in why such a policy is a basic necessity of modern day business life. It would also be reasonable to assume that the vast majority of organizations have revisited their security policies in the aftermath of Heartbleed and given some additional thought to how they protect their data.

What is an acceptable time to patch?

Many vendors, especially the smaller ones with only a few affected products and services in their portfolio, reacted quickly to Heartbleed. But for the big vendors like Cisco, IBM and HP, with huge portfolios, mapping and fixing was – and still is – a huge task. Some are still, two and a half months later, issuing patches for vulnerable products.

Two and a half months is a long time for a vendor to take to fix a vulnerability that is being exploited just after disclosure. It also begs the question: If a vendor has e.g. 50 products, what is an acceptable time to take to issue patches?
On June 5th, the question of time-to-patch became even more pertinent: OpenSSL released a new set of patches, which fixed 5 vulnerabilities, including one within the handling of DTLS fragments, which can be exploited (but has not been, at this stage) to cause a buffer overflow and potentially execute arbitrary code on servers running a vulnerable version of OpenSSL. While the original vulnerability, disclosed on April 7th, was only rated “Moderately Critical” by Secunia Research - because it only enables information retrieval, not code execution - with this new series of vulnerabilities, the stakes were raised for everyone to get their house in order.

In Secunia’s annual Vulnerability Review we see how patches are released within the first 24 hours of disclosure for 79% of all publicly known vulnerabilities. All in all, that answers the question about patch time: two and a half months is too long!

Coordination!

So what lessons does Heartbleed teach us? First and foremost that communication, coordination and patience are key ingredients to successful disclosure: There is a reason why we in the security industry must insist on a proper process for vulnerability coordination and disclosure. We know that premature disclosure increases the risk of exploits being made, because a patch will not be available, and this puts users at risk. Successful disclosure involves a lot of people – security researchers, coordinators, developers and vendors. Their efforts need to be timed and aligned, and that requires a lot of communication - and patience! And it is not just the researchers that need a disclosure policy: Companies must also have a policy for handling security incidents and how to fix and coordinate them.
More information about Heartbleed: secunia.com/heartbleed
Secunia Advisories on Heartbleed

About The Author
Kasper Lindgaard is the Director of Research and Security of Secunia. He originally joined Secunia as Security Specialist in February 2011, and became Head of Research in September 2012. Kasper Lindgaard is in charge of developing and managing Secunia’s Research Team, and is responsible for the quality and reliability of Secunia Research, including the Secunia Advisories. Secunia’s Research Team is respected throughout the security industry as provider of verified vulnerability intelligence of the highest caliber. Kasper Lindgaard works closely with software vendors and the security community to ensure that Secunia Research is able to deliver the timely and accurate vulnerability intelligence that is the core of Secunia’s business. As a Secunia spokesperson, Kasper Lindgaard offers insights into vulnerability intelligence and trends in the security community. Prior to joining Secunia, Kasper Lindgaard worked with development and code auditing. Kasper Lindgaard can be reached online via email and at our company website http://www.secunia.com/

As Cyber Threats Increase, Good Hygiene Can Help
By Bob Dix

With data breach stories constantly showing up in the news and on the television, it’s a great time to think long and hard about what each of us can do to improve cybersecurity. None of us can do everything, but ALL OF US can do something.
In fact, Juniper Networks has released an infographic that highlights the threats facing critical infrastructure and how individuals can use the NIST Cybersecurity Framework as a toolbox to identify proven best practices to better protect themselves.

An often-overlooked area of cybersecurity is hygiene. Cybersecurity has had top billing with media and policy makers for so long now that many people have begun blindly nodding their heads in agreement without fully understanding the topic. When attacks do occur, or vulnerabilities are exposed, they express outrage and alarm, but cannot wrap their heads around what really occurred or why, and—perhaps most importantly—how to respond, or better, what might have prevented the event in the first place.

This should not be the case. A cohesive, comprehensive and sustained national awareness campaign will help the public understand how to more effectively protect themselves, thereby alleviating many immediate threats. The United States has had success creating a number of national education and awareness campaigns that have provoked change in people’s behaviors. Forest fire prevention and H1N1 protection awareness succeeded because the public was briefed on the topics, including the threat, and a widespread campaign was organized. A comprehensive campaign to improve the cyber health of American citizens and businesses should be a top priority. Areas of public awareness must include:
• Never opening email links or attachments unless the sender is known and trusted
• Periodically changing passwords
• Installing and regularly updating proper anti-virus and anti-spyware software
• Regularly installing operating system software updates
• Enabling firewall security

As the U.S. GAO[1] has noted, threats from external sources are up 782 percent from 2006 to 2012. Declines in threats are not on the horizon.
Therefore, the imperative lies on each of us to help inform and protect the information systems critical to our everyday lives. Basic issues, such as those noted above and more, produce roughly 80 percent of exploitable vulnerabilities that contribute to cyber-events. More than ever, now is the time for government and its industry partners to help the public better understand the nature of cybersecurity and what steps they can take to improve and ensure their safety. • Start by raising more awareness in K-12 school communities • Provide tips and expertise to small businesses (through social media, pamphlets?) • Use traditional and non-traditional communications channels to drive local decision makers to update cybersecurity information and make resources available Operationalizing the effort These actions and activities have been long discussed and may seem simple enough, many people even may consider them common sense. However, it is true that threats, 19 Cyber Warnings E-Magazine – July 2014 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide vulnerabilities and their fallout remain a serious challenge. How can we activate this type of campaign? • Engage a consortium of leaders from government, industry, academia, and nonprofits, as well as the wide array of associations National Governor’s Association, National Association of State CIO’s, National League of Cities, National Association of Counties, U. S. Chamber of Commerce, National Retail Federation and others, building on current efforts such as the National Cyber Security Alliance and the DHS Stop, Think, & Connect campaign. • Leverage the government agencies with regular contact with citizens, like the Small Business Administration, Internal Revenue Service, U.S. Postal Service, Federal Trade Commission, and others, to distribute materials offering insights or pointing to a website where they can get information about how to protect themselves. 
• Similar efforts should be made with state, local, tribal, and territorial constituents. Our elected officials can and should lead by example. Each of them should include links and information on their constituent home pages pointing to information about basic cyber security hygiene and how to better protect themselves from an infection in cyberspace. Better conveying cybersecurity’s impact on the daily lives of Americans and making it relatable is crucial to broadening awareness. Building a common sense approach to cybersecurity will help empower individuals and demonstrate how to positively contribute to the health of our cyber-ecosystem. This approach will not solve all of the cybersecurity risk management challenge. However, addressing the 80 percent hygiene challenge will make a significant positive impact on raising our overall security profile and disrupting the efforts of the bad guys. None of us can do everything, but all of us can do something. Let’s get going. [1] http://www.gao.gov/highrisk/protecting_the_federal_government_information_systems/wh y_did_study#t=1 About the author Bob Dix is the Vice President of Government Affairs and Critical Infrastructure Protection for Juniper Networks. Dix has enjoyed a distinguished career in both the public and private sector, and is widely recognized across industry and government as a subject matter expert and a leading policy expert in furthering government/industry partnerships to protect U.S. critical infrastructure. 20 Cyber Warnings E-Magazine – July 2014 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide Customer Concerns about Mobile Payment Security As we continue to delve deeper into the Digital Age, new products and services are introduced that strive to push the envelope further. Social media, online banking and electronic health profiles are just a few of the advancements that have had an impact on the way people are managing their lifestyles online. 
While more and more consumers maneuver their lives in this customer-not-present environment, ensuring information privacy and shielding customers’ identities from misuse becomes a defining factor in what makes a business successful. According to IDology’s 2013 Fraud Report, 66% of surveyed organizations experienced suspected fraud attempts in the last 12 months, and 36% of respondents noted that these fraud attempts had increased. Because of this, protecting customers’ identities has become the number one priority for organizations as identity theft and fraud continue to rise.

Fairly recently, organizations have begun offering their products and/or services on mobile devices – for example, there has been a more widespread implementation of mobile payment services. However, the mobile environment brings a whole new set of challenges in relation to security. On the one hand, mobile payment users spend nearly twice as much through digital channels overall as people not buying on mobile devices. On the other hand, concerns over security, privacy and convenience keep 80% of consumers from changing their payment behavior and using mobile payments.

With people becoming more comfortable sharing personal and financial information online and on their mobile devices, it is more important than ever for both consumers and businesses to work together on security and the protection of consumers’ identities through innovative technology solutions that enable robust identity verification and fraud prevention.

Vulnerability of Information

Fraudsters continue to search for and find new ways to gain access to personal data. Emails, social media profiles and banking sites are vulnerable to cyber attack and raise concerns among consumers. Fraudsters can also simply purchase a legitimate identity from the black market. If a financial account is accessed by a criminal it can lead to negative effects that extend far beyond one website. Users may recycle passwords for multiple accounts online, and one security breach can result in a domino effect that leaves a trail of headaches in its wake.

When it comes to mobile phones, the risk seems to amplify. NQ Mobile, a smartphone security software provider, reported 65,000 new malware threats released worldwide in 2012 – up from 24,000 in 2011 – and that number is only rising. Fraudsters have been able to take advantage of security holes within mobile apps as well as the lack of technology standardization to steal legitimate customer information from mobile devices and use it to defraud businesses of all shapes and sizes.

Mobile Payments and Restricted Access

One of the major security concerns related to mobile payments is that apps are often left in the “on” position by consumers. This means that even when an app is not open and active, consumers choose to be logged in automatically with their usernames and passwords to be able to quickly access information and make payments. Problems instantly arise when a phone is lost, stolen or misplaced because the finder has the ability to begin purchasing items without restriction. Also, fraudsters have been able to exploit phony Wi-Fi networks and other methods that monitor consumers’ online activity in order to steal valuable personal information. However, with the proper security checks in place, businesses that accept mobile payments from customers can ensure that the customer is who they say they are and that their identity is protected from misuse.

Methods to Eliminate Concerns

While companies may focus on fraud prevention for customer-not-present transactions over the Internet, it is also necessary to have a system in place to stop fraudulent activity when it comes to mobile payments. End-to-end identity verification platforms that go a step further and incorporate a robust fraud prevention solution give companies the tools they need to ensure the customer is legitimate while securely processing more customer transactions without unnecessary friction, no matter how they pay for their goods/services.

As identity theft becomes more and more pervasive, pure identity verification is no longer enough. It becomes crucial for businesses to gain more insight into what attributes make up a customer identity – so they can quickly pinpoint suspicious behavior and manage risk in real time. In particular, it is very important to be able to dynamically flag various indicators of fraud, such as identity-, activity-, location- and device-based fraud, and then quickly and easily make decisions on how transactions will proceed. Whether someone is ordering from his or her phone, online or through a call center, security measures can be put in place to authenticate customers before a purchase is made. Educating customers about the security features of phones, such as passcodes, and requiring proof of identity adds protection to the process in a day and age where consumers are concerned about the safety of private information.

About IDology, Inc.

IDology, Inc. provides real-time technology solutions that verify an individual’s identity and age for anyone conducting business in a consumer-not-present environment to help drive revenue, decrease costs, prevent fraud and meet compliance regulations. Founded in 2003, IDology offers a solution-driven approach to identity verification and fraud prevention that ultimately helps increase customer acquisition and improve customer experience. IDology has developed an innovative and on-demand technology platform that allows customers to control the entire proofing process and provides the flexibility to make configuration changes that are deployed automatically – without having to rely on internal IT resources or IDology’s customer service – so customers can stay ahead of the fraud landscape while maintaining compliance. For more information, visit http://www.IDology.com or call 866-520-1234.

About the author

John Dancu has served as President and CEO of IDology since 2005 and is recognized for his leading-edge innovations in both the identity and fraud spaces. John has a widespread track record in advising customers, including many Fortune 500 companies, and pioneering industry collaboration initiatives. With John’s leadership, IDology has evolved into a recognized leader across multiple industries including mobile payments, financial services, government and e-commerce for innovation and has become a leading voice coordinating the fight against fraud. John’s reputation as an innovator has been driven by continual advancements to identity verification and fraud detection methodologies, so much so that corporations and government agencies seek out his advice on current trends. The fraud landscape is continually evolving, and through IDology solutions John has helped businesses reduce losses, improve processes and collaborate across industries with solutions that attack identity, location and activity-based fraud.

Context-Based Authentication for the Enterprise

By Reed Taussig, CEO, ThreatMetrix

Today’s enterprise employees use their own devices on the job more than ever before, leading to a consumerization of enterprise IT.
As the workforce connects onsite and remotely to critical enterprise applications using personal devices, sophisticated security measures are needed now more than ever before. Bring-your-own-device (BYOD) is now a business reality, leaving corporate IT with little visibility or control over the devices that employees and contractors use to access both critical and non-critical applications. In this fast-changing IT environment, traditional access security controls – such as password verification and cumbersome two-factor authentication – are becoming increasingly obsolete. Today’s employees accessing mission-critical applications look like consumers on business websites and must be treated as such. Enterprise security practitioners must find new approaches for securing access to corporate data to address this major source of risk exposure.

To overcome archaic security measures and efficiently secure today’s workforce, enterprises must implement a comprehensive security solution that includes context-based authentication, which establishes trust for each account login based on fully anonymous user identity, device usage, geo-location, behavior and other factors without compromising consumer identity or workforce efficiency. In fact, Gartner estimates that by the end of 2016, more than 30 percent of enterprises will rely on contextual authentication for remote workforce access. [Source: Gartner Magic Quadrant for User Authentication, 2013]

Enterprise Challenges with BYOD

Remote workforce logins are open to the same types of misuse and abuse as consumer-based applications, with potentially far greater business risk. A cybercriminal or internal threat logging into an employee’s account using stolen credentials can do far greater damage to a company than a customer using a stolen credit card. Enterprise security professionals must walk a fine line when it comes to securing workforce access to applications. Cost-effectively mitigating the risks of data breaches must be a top priority – no company wants to end up in the news headlines because of a data breach. Conversely, security must be balanced with the user experience so as not to create friction or negatively impact workforce efficiency. Time-consuming authentication techniques will erode overall productivity. Worse, the more inconvenient the security system, the more motivated the workforce will be to find ways around it.

Key Components of Context-Based Authentication

As an alternative to traditional workforce authentication models, context-based authentication offers a comprehensive solution that includes the following:

Remote workforce access protects sensitive data from illegitimate access by ensuring that it is legitimate remote employees, contractors and partners who are accessing your internal applications rather than potential cybercriminals.

Frictionless two-factor authentication offers real-time, passive assessment of user logins and enables businesses to streamline access for known and trusted combinations of accounts and devices – reducing effort and inconvenience for the workforce by not requiring additional one-time passwords for each login.

Single sign-on systems enable enterprises to deliver secure, frictionless access to their business applications for all authentic users. Context-based authentication secures single sign-on systems through a combination of device analytics, identity analytics and behavioral analytics to evaluate the entire login’s context and determine whether or not to establish trust for the login. Using this process, businesses can detect anomalies and keep cybercriminals out while streamlining legitimate workforce connections. It can also detect anomalous behavior that might indicate an insider threat, such as unauthorized password sharing.
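To make the "known and trusted combinations of accounts and devices" idea concrete, here is an added example (written for this page, not ThreatMetrix's code) of a login-context check: a known account/device pair with a plausible location passes without a one-time password, a device not seen before is stepped up, and impossible travel or a second device far away within minutes (the password-sharing pattern mentioned above) is denied. Every account name, device id, coordinate and threshold is a constructed assumption.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class Login:
    account: str
    device_id: str    # opaque device fingerprint id (constructed)
    lat: float
    lon: float
    ts: int           # seconds since the epoch


@dataclass
class AccountContext:
    """What the service remembers about an account between logins."""
    trusted_devices: Set[str] = field(default_factory=set)
    last_login: Optional[Login] = None


# Policy thresholds: assumed values for this example, not from the article.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner between two logins: impossible travel
SHARING_WINDOW_S = 15 * 60   # two different devices far apart inside this window...
SHARING_MIN_KM = 100.0       # ...suggest more than one person holds the password


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(login: Login, ctx: AccountContext) -> Tuple[str, List[str]]:
    """Decide how to treat a login from its context.
    'allow'   : known account/device pair and plausible context, no OTP needed
    'step_up' : ask for a one-time password (e.g. a device not seen before)
    'deny'    : the context contradicts a single legitimate user"""
    reasons: List[str] = []
    if login.device_id not in ctx.trusted_devices:
        reasons.append("device not previously trusted for this account")
    prev = ctx.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
        hours = max((login.ts - prev.ts) / 3600.0, 1.0 / 3600.0)
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
        if (prev.device_id != login.device_id
                and login.ts - prev.ts < SHARING_WINDOW_S
                and km > SHARING_MIN_KM):
            reasons.append("second device far away within minutes: possible password sharing")
    if not reasons:
        return "allow", reasons
    if any(r.startswith(("impossible travel", "second device")) for r in reasons):
        return "deny", reasons
    return "step_up", reasons


def record_success(login: Login, ctx: AccountContext) -> None:
    """Once a login succeeds (directly or after step-up), trust the device and
    keep the context for the next comparison."""
    ctx.trusted_devices.add(login.device_id)
    ctx.last_login = login


def run_scenario() -> List[str]:
    """Constructed login sequence for one account; returns the decisions."""
    ctx = AccountContext()
    t0 = 1_400_000_000
    sf = (37.77, -122.42)           # San Francisco
    sacramento = (38.58, -121.49)   # about 120 km from sf
    london = (51.51, -0.13)
    events = [
        Login("alice", "dev-laptop", *sf, t0),                     # first ever login
        Login("alice", "dev-laptop", *sf, t0 + 86_400),            # same laptop, next day
        Login("alice", "dev-phone", 37.78, -122.41, t0 + 90_000),  # new phone, same city
        Login("alice", "dev-laptop", *sacramento, t0 + 90_600),    # 10 min later, 120 km away
        Login("alice", "dev-laptop", *london, t0 + 91_200),        # 20 min after the phone login
    ]
    decisions = []
    for login in events:
        decision, _ = evaluate(login, ctx)
        decisions.append(decision)
        if decision != "deny":       # assume the user completed any step-up
            record_success(login, ctx)
    return decisions


if __name__ == "__main__":
    print(run_scenario())   # ['step_up', 'allow', 'step_up', 'deny', 'deny']
```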
Benefiting from a Shared Global Network

Context-based authentication is most effective when paired with a global trust intelligence network. For businesses looking to reduce the threat of data breaches and other risks from unauthorized application access, combining context-based authentication with a global trust intelligence network is the most flexible and cost-effective way to increase security while reducing the cost and friction for workforce access.

Cybercriminals targeting enterprises today are rapidly growing in size and sophistication. Until a few years ago most data breach attempts came from targeted phishing emails and opportunistic, individual hackers. Today’s online threat environment consists of well-organized and well-financed cyber-terrorist rings and crowd-sourced malware and botnets. The only viable defense against these global forces is a global network. By sharing information across business boundaries through context-based authentication and a global trust intelligence network, enterprises and businesses across industries can have the most accurate contextual information on users and devices accessing mission-critical applications.

About the author

Reed Taussig has more than 30 years of experience in the computer hardware and software fields. Prior to ThreatMetrix™, Mr. Taussig was president and CEO of Vormetric, Inc., a leader in data privacy and protection. Under his leadership, Vormetric established itself as a leading provider of encryption solutions for the Payment Card Industry Data Security Standards industry. Mr. Taussig also served as president and CEO of Callidus Software (NASDAQ: CALD), the leading provider of enterprise incentive compensation management application systems. As founding CEO and the fifth employee, Mr. Taussig led the growth of the company to more than $70 million in revenues and over 350 employees.
Prior to Callidus, Mr. Taussig was the president and CEO of inquiry.com, a pioneer in the B2B Internet space, as well as senior vice president of operations for Gupta Technologies, the leader in PC client-server software development tools and databases. Mr. Taussig holds a bachelor of arts degree in economics from the University of Arizona.

Protecting Files, Government Style

Enable Safe, Secure Content Sharing for Government Agencies

by Paul Brubaker, director of government solutions, AirWatch® by VMware®

Mobility is changing the way we do business around the world. With an increased adoption of smart devices for personal and work use, almost every industry has been rapidly embracing the digital frontier. One major shift since the adoption of mobility in the enterprise is the rapid increase in content sharing. Employees are now creating, editing and sharing content directly from their devices, enabling productivity and communication on an unprecedented scale. Documents can be maintained on the fly from a smartphone or tablet and sent to a recipient with a few taps of the finger.

Government organizations are also exploring new ways to share documents securely. Mobile devices are enabling government agencies to increase collaboration away from the office and reduce the need for employees to stay in touch face-to-face to pass along confidential information. However, mobility brings new challenges to the security landscape, especially with the incredibly sensitive data government agencies must share to do their jobs. So how can governments create, edit and share information confidently without risking exposure to unauthorized sources?

Simple passcodes and device locks are standard fare for keeping information protected on mobile devices.
But government agencies need even more protection. With national security at risk, governments can use three effective strategies to ramp up their protection to prevent sensitive data leakage.

Use encryption for end-to-end containerization of data

Encryption is one of the most important components of government mobility security. Encryption protects information by encoding it in a way that only authorized persons can see it. This can be used to protect the contents of documents, email attachments and more. Devices and applications can be configured to encrypt information automatically until an authorized user verifies their identity. With government-level containerization solutions available on the market today, encryption should be standard fare to store, edit and share content, whether it’s on a device, in transit to another device or being edited.

Content containerization also offers the benefit of protecting information automatically. Information is encrypted and decrypted as it is needed, enabling employees to make changes to documents and save them without going through an extra step. This ensures encryption is always functioning, whether employees realize it or not.

Verify employee identity with multi-factor authentication

As with most businesses, the importance of knowing who is trying to access information cannot be overstated. This is why many companies use name badges, unique computer logins and even license plate number tracking for parking spaces. But most employees say the same thing about passwords on their mobile devices: it’s just too difficult to remember a complex password and too cumbersome to input it multiple times a day (imagine having to enter a 12-digit passcode on an iPhone just to make a phone call).

Instead of relying solely on employee passwords for security, agencies can use multi-factor authentication to increase protection. In conjunction with passwords, employees can be verified by directory services, such as AD/LDAP. By integrating security with directory services, IT ensures that users must know the device passcode in addition to being a recognized user in the corporate directory.

Another form of validation is the use of tokens. These are one-time-use codes used to verify employee identity for a single active session. For example, many webmail providers use two-factor authentication where users must enter their regular password along with a unique code sent to their mobile device. Because tokens can be used only once, would-be attackers cannot gain access by knowing just the tokens. The added benefit is that these codes can require the user to have an additional device independent of their computer, such as their cell phone, on which to receive the token, adding another element of identity verification.

Set advanced device restrictions to limit functionality

Encryption and multi-factor authentication can keep unauthorized users out of protected document stores. However, once a user is inside, what is keeping them from forwarding the information to a personal email account or sending documents to the office printer? Although employees can be authenticated, this does not prevent them from making mistakes or jeopardizing security on their own, whether accidentally or intentionally.

A proven way to prevent data leakage of sensitive content is by using device and application restrictions. Common restrictions include limiting access to the camera, preventing screenshots within certain applications and stopping connections to unsecure Wi-Fi networks. With respect to content, government agencies can prevent copying/pasting, sharing, email forwarding and printing while employees are within the content application. These features can even be assigned to different users based on their AD/LDAP permissions, enabling certain users to print or share files while disabling these features for others. Customizing the experience for different users establishes levels of trust to protect information from leakage while promoting/encouraging employee productivity throughout the workday.

Despite these efforts, content can still be leaked if employees aren’t aware of how to proactively secure information. Establishing safe device usage habits, smart password policies and, most importantly, meaningful reasons to follow the rules ensures that employees act with care when using sensitive information. Encryption, multi-factor authentication and device restrictions, in conjunction with conscious security measures, will keep government documents safe and in the right hands.

About The Author

Paul Brubaker, Director of Federal Government Solutions, AirWatch® by VMware®

Paul Brubaker is the director of federal government solutions at AirWatch by VMware, the leading enterprise mobility management (EMM) provider. In this role, Brubaker oversees all federal government activities, including sales, marketing, events and strategy. Brubaker, a two-time presidential appointee, has held a number of leadership positions in government and the private sector. Most recently, he served as director at the United States Department of Defense, where he was responsible for planning and performance management activities for the Office of the Secretary of Defense. A former GAO evaluator, he served as the Republican staff director of the Senate Subcommittee on Oversight of Government Management, where he led the passage of the Clinger-Cohen Act for then-Sen. William S. Cohen (R-ME). Brubaker was the deputy CIO of the Defense Department under President Bill Clinton, and in 2007 he was confirmed by the U.S. Senate to become the research and technology administrator at the Transportation Department under President Bush.

In the private sector, Brubaker served as CEO, president, CMO and at the executive level of several successful small and mid-sized technology-focused companies, including Silver Lining, Synteractive and Procentrix. Additionally, he was the general manager for the North American Public Sector Internet Business Solutions Group (IBSG) at Cisco Systems, developing innovative applications and creating market expansion opportunities across the enterprise. He received the Department of Transportation Secretary’s Gold Medal in 2009 and the Department of Defense Medal for Distinguished Public Service in 2001. He was also recognized with numerous awards for his contributions to public service and his collaborative work with the public sector and private industry. Brubaker earned a bachelor’s degree in political science from Youngstown State University and a master’s degree in public administration from Kent State University.

Paul Brubaker can be reached at [email protected] and at our company website http://www.air-watch.com

Cognitive Biometrics: The Final Frontier of Authentication

Reducing fraud, eliminating friction and enabling more functionality are just a few of the benefits awaiting companies that make the switch

By Oren Kedem, VP Product Management, BioCatch

Most companies that enable users to perform Web transactions (e.g. banks and eCommerce sites) have implemented security controls to address online and mobile fraud.
These controls fall into two main categories: transaction-focused intelligence, which looks for anomalous actions, and device-focused intelligence, which looks for a new device, unusual IP geo-location, or signs that the device is infected with financial malware. With a growing number of reports of major hacks into companies like Bank of America, LinkedIn, Groupon, and Target, these authentication methods continue to be thrust into the spotlight as unreliable for catching all fraud.

Passwords, the most popular form of authentication, are easy to steal, with 90% of user-generated passwords in existence subject to malicious activity. Other types of authentication mechanisms are equally ineffective, as more than 20% of genuine users fail. Security questions are often so “secure” that the real user doesn’t know (or remember) the answer. Questions can be subjective with multiple possible correct answers, and some answers change over time. SMS one-time-code verification requires the end user to have a cellphone on them.

The simple truth is that “traditional” authentication is taking a toll on banks, eCommerce sites and companies protecting data. Each time an online banking user fails to authenticate, for example, it can cost a bank upwards of $10 to resolve the issue over the phone or at the local branch, without even factoring in the customer frustration that negatively impacts their willingness to continue doing business with the bank.

As the technology continues to advance, cognitive biometrics is a solution that provides an effective alternative to standard authentication measures. It requires no user enrollment or involvement, while running “behind the scenes” comparing a user’s active behavioral parameters with those exhibited in previous sessions. It records the general behavioral patterns of an online user while they interact with a website or mobile application. This includes hundreds of metrics, such as the speed with which somebody types and clicks, how the device is held, how the cursor is moved, etc.

Cognitive biometrics offers an additional security measure with invisible challenges that are inserted to test how a user responds to them. These test alterations are so slight that users do not consciously register them. For example, the system will add a slight sideways motion to the mouse movement when the user moves towards the "Submit" button. The user spontaneously reacts, adjusting his/her movement and offsetting the alteration. Each user has a slightly different way in which he/she subconsciously responds to this challenge. Invisible challenges measure multiple response attributes, including the pressure applied to the smartphone, which hand is used, response time, correction path, correction patterns, and speed and trajectory of the mouse or finger movements.

In addition to authentication, cognitive biometrics is also used to detect behavior consistent with known threats and fraudsters. The concept is the same. First, the known threat behavior is profiled. Then, each user session is compared against a list of known criminal behaviors, such as Automated Scripts, Malware/Bot/Man-in-the-Browser attacks and Remote Access Attacks (RATs).

Since cognitive biometrics doesn’t depend on user responses like traditional authentication measures, each person has a distinct biometric signature which cannot be matched by anyone else or by an automated process, and it is nearly impossible to duplicate. While no individual cognitive response can identify a user alone, when piled together they create a unique user profile.

Beyond improving end-user experience and the obvious monetary savings, using this type of authentication can help banks achieve a much greater goal – expand business and drive revenue.
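As an added illustration of the two comparisons described above (a live session against the account owner's earlier sessions, and against a known-threat profile for automated scripts), here is example code written for this page, not BioCatch's product. The five metric names, the invisible-challenge reaction measures, every session value and the z-score thresholds are constructed assumptions; a real system tracks hundreds of metrics.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# A session is a small set of behavioural measurements taken while the user
# interacts with the site. Metric names and all values are constructed.
Session = Dict[str, float]

METRICS = (
    "key_interval_ms",      # mean time between keystrokes
    "key_interval_jitter",  # spread of those intervals (humans are never constant)
    "mouse_curvature",      # how far pointer paths bend away from a straight line
    "challenge_react_ms",   # time to start correcting the injected sideways drift
    "challenge_overshoot",  # how far the correction overshoots before settling
)

Profile = Dict[str, Tuple[float, float]]   # metric -> (mean, standard deviation)


def build_profile(sessions: List[Session]) -> Profile:
    """Summarise a user's earlier sessions as a per-metric mean and deviation.
    A floor on the deviation keeps a very stable metric from dividing by zero."""
    profile: Profile = {}
    for m in METRICS:
        values = [s[m] for s in sessions]
        mu = mean(values)
        sd = max(pstdev(values), 0.001 * abs(mu) + 1e-6)
        profile[m] = (mu, sd)
    return profile


def z_scores(session: Session, profile: Profile) -> Dict[str, float]:
    """How many deviations each metric of the live session sits from the profile."""
    return {m: abs(session[m] - mu) / sd for m, (mu, sd) in profile.items()}


def looks_automated(session: Session) -> bool:
    """Known-threat profile for scripts/bots: near-constant key timing, a
    near-straight pointer path, and no reaction to the invisible challenge
    (a script never perceives the injected drift, so it never corrects it)."""
    return (session["key_interval_jitter"] < 1.0
            and session["mouse_curvature"] < 0.01
            and session["challenge_overshoot"] == 0.0)


def score_session(session: Session, profile: Profile,
                  z_limit: float = 3.0) -> Tuple[str, float]:
    """Classify a live session. Returns (label, mean z-score):
    'automation' for bot-like input, 'mismatch' when any metric is beyond
    z_limit or the average is beyond half of it, otherwise 'match'."""
    if looks_automated(session):
        return "automation", float("inf")
    z = list(z_scores(session, profile).values())
    avg = mean(z)
    if max(z) > z_limit or avg > z_limit / 2:
        return "mismatch", avg
    return "match", avg


# Constructed history for one account owner (five earlier sessions).
PAST_SESSIONS: List[Session] = [
    dict(zip(METRICS, (180.0, 36.0, 0.18, 220.0, 0.12))),
    dict(zip(METRICS, (190.0, 40.0, 0.21, 240.0, 0.15))),
    dict(zip(METRICS, (170.0, 32.0, 0.15, 200.0, 0.09))),
    dict(zip(METRICS, (185.0, 38.0, 0.19, 230.0, 0.13))),
    dict(zip(METRICS, (175.0, 34.0, 0.17, 210.0, 0.11))),
]

# Three constructed live sessions: the owner again, a different person who
# knows the password, and an automated script replaying the form.
OWNER_AGAIN: Session = dict(zip(METRICS, (182.0, 37.0, 0.19, 225.0, 0.13)))
OTHER_HUMAN: Session = dict(zip(METRICS, (110.0, 20.0, 0.30, 350.0, 0.30)))
SCRIPT: Session = dict(zip(METRICS, (150.0, 0.5, 0.005, 0.0, 0.0)))


def run_demo() -> Dict[str, str]:
    """Score the three live sessions against the owner's profile."""
    profile = build_profile(PAST_SESSIONS)
    return {name: score_session(s, profile)[0]
            for name, s in (("owner", OWNER_AGAIN),
                            ("other_human", OTHER_HUMAN),
                            ("script", SCRIPT))}


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name}: {label}")
```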
To maintain a competitive edge, banks and eCommerce sites need to continually introduce new products and services, in particular in their Web and mobile applications. However, adding new services and functionality (e.g. mobile wallets, peer-to-peer payments) to the online channels exposes the organization to new risks that cannot be mitigated with existing security controls without significant impact on user experience. By layering cognitive biometric analysis on top of existing security controls, organizations can generate more business without accepting more risk.

As the inefficiencies of traditional authentication methods continue to be highlighted with major breaches and continued friction for end-users, costing businesses millions of dollars a year, we are seeing a significant shift towards cognitive biometrics, which better protects companies online and offers a more user-friendly experience for customers.

About the Author

Oren Kedem is the VP of Product Management at BioCatch. He brings over 15 years of experience in product management in the areas of Web Fraud Detection and Enterprise Security. Prior to joining BioCatch, Oren served as Director of Product Marketing at Trusteer (now part of IBM) and led the Anti-fraud eCommerce solution at RSA (now part of EMC). He also served in various product marketing and management positions at BMC covering the Identity and Access Management and Systems Management solutions.

Oren can be reached online at [email protected] and at our company website www.biocatch.com.

Dynamic Cryptography and Why it Matters?

Milica Djekic, an Online Marketing Coordinator at Dejan SEO and the Editor-in-Chief at Australian Science Magazine

As it is known, we live in a very dynamic and constantly changing world, where new information and ideas are coming and going at a really fast pace.
Indeed, we should notice that data protection and critical information security play a crucial role in maintaining our everyday lives. For that reason, invoking the technique of dynamic encryption could be strategically important in this digital era. In this article we attempt to answer the following question: why does the concept of dynamic encryption matter? Well, let's begin.

Introduction

With the widespread use of different network services and applications, security becomes a major concern. From a security perspective, data integrity and confidentiality are vital problems for information systems. Confidentiality is concerned with resources being accessed only by authorized users, while integrity refers to protection against unauthorized modification. Integrity and confidentiality are often related to authentication, authorization and cryptography. In fact, authentication relies on strong cryptographic systems in order to secure itself. In other words, cryptography plays a crucial part in any security system.

There are two basic techniques in cryptography: symmetric and asymmetric cryptography. In symmetric cryptography, the encryption and decryption keys are the same. In contrast, cryptography in which the encryption key differs from the decryption key is called asymmetric cryptography. Each of them has its pluses and minuses. Because of its characteristics, asymmetric cryptography is more secure than symmetric cryptography in key distribution and exchange. However, symmetric cryptography is significantly faster than asymmetric cryptography. In security systems, based on their respective advantages, symmetric and asymmetric cryptography are often combined to protect information systems.

By capturing communication messages, an adversary might be able to detect patterns in the encrypted messages to crack the ciphers. The compromise of one session key exposes all communication data in the session. Furthermore, key exchange protocols rely on permanent asymmetric keys.
The more asymmetric keys are reused to create sessions, the more vulnerable cryptographic systems become to cryptanalytic attacks. When these keys are compromised, the whole security system becomes vulnerable to adversaries.

Dynamic Cryptography

Imagine a typical hacker's attack on some valuable communication lines or an information system. Suppose that a cryptanalyst or an attacker is trying to identify a function transferred through a certain communication channel by using a table of corresponding pairs of input and output. For special functions, for example linear functions, this problem may be solved efficiently. On the other hand, that cannot be the case for general functions, because then we deal with much more complex mathematical functions and operations. It is clear that no finite number of experiments will suffice for the cryptanalyst to separate the given functions from each other, as the arbitrary number may have been set to any value. That's why we must invoke the following theorem:

Theorem: There cannot exist an algorithm that can identify a general computational process based upon the input/output relation.

We conclude that if we use a cipher that includes a general computational process, and keep all construction parameters of that process secret, the cryptanalyst will face a problem which he will be unable to solve. We must, however, carefully consider the inconvenience that occurs if the system falls into the hands of the enemy. We see specifically that simply using an optimal encryption algorithm that is kept secret will not be a solution. For that reason, we invoke the concept of the specific universal machine.

The specific universal machine that we will make use of here must have a few specific properties. It should be designed to accept any binary string as valid input, i.e.
no input string shall be rejected as having wrong syntax. This requirement is equivalent to saying that the set of operations of the universal machine is devised such that an operation will be selected in response to any possible input information stream. This modification is of no difficulty, and can be implemented without restricting the set of possible computations. The input stream must further be kept secret, as knowledge of it would essentially be equivalent to knowing the key of the system. This choice will not pose any difficulties, as the universal machine may use any binary string as input. We see that the secret input stream and the internal memory of the universal machine may easily be protected during encryption or decryption, and can be erased afterwards.

Why Dynamic Encryption Matters?

The modern world is a very dynamic place. We are going very digital and information is becoming a normal part of our lives. Everything changes very fast and sometimes it's quite challenging to follow all those changes. If our world is going dynamic, the logical question should be as follows: "Do we need protection that will go dynamic as well?" The answer is simple: yes. What do we use to secure our so valuable information? Encryption, indeed. So, what we need at this stage is a dynamic form of encryption.

It is well-known that modern encryption systems are based on very strong mathematics and can appear in the form of both hardware and software. What is typical for many dynamic cryptographic systems is that they are based not only on logical circuits, but include memory elements as well. Digital science classifies these systems as sequential. The characteristic of sequential circuits is that they go from one logical state to another. Basically, they make a cycle. Imagine how these could be useful in terms of binary information permutation.
For example, the logical part of the circuit does the information transformation and a memory element is responsible for the information permutation. It is obvious that, in such a case, we are getting a constantly changing and quite smart system that can offer us dynamic protection. In programming, this could be realized using an adaptive algorithm. At this stage, that is all regarding dynamic cryptography.

Conclusion

At the end, we could simply ask the following question: "Is the future of our digital reality so dynamic, indeed, or do we need to concentrate on somewhat brighter solutions?" Well, since our environment is so dynamic and constantly changing, it appears we should try to adapt to those changes somehow. At the moment, dynamic encryption seems a quite good choice. But what we would like to mention here most is that special attention should be paid to solutions that can assure perfect secrecy. Why is that important? Well, as is known, the key-based options are not that reliable, because there are always ways for a cryptanalyst to get information about the cryptosystem's key and easily break into such a communication. There are a dozen very attractive cryptographic software packages available on the web and they are all normally key-based. From our perspective, these are quite risky and concerning problems. So, that's how we should think in the future... Yes. We are dynamic and we need dynamic protection! But, is that all?

About The Author

Milica Djekic is a graduate of Control Engineering and the current Editor-in-Chief of Australian Science Magazine, where she writes about her explorations in the world of cryptography, online security, and wireless systems. Currently based in Serbia, she works as an Online Marketing Coordinator for Dejan SEO.
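The "Dynamic Cryptography" article above describes a sequential circuit (a logical part plus a memory element cycling from state to state) and warns, in its Dynamic Cryptography section, that a linear function can be identified efficiently from input/output pairs. The following C program is an added illustration of both points and is not part of the article or of any product: a 16-bit linear feedback shift register (the register is the memory element, the XOR of the tapped bits is the logic). The tap polynomial, the seed 0xACE1 and all function names are my own choices. It shows the state cycle of 65535 steps, the all-zero lock-up state a designer must avoid, and why linearity is the defect: an observer who sees 16 output bits recovers the whole register and predicts every later bit without any search.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 16-bit Fibonacci LFSR with taps x^16 + x^14 + x^13 + x^11 + 1, which
 * visits all 65535 non-zero states before repeating.  *state is the
 * memory element; the XOR below is the combinational "logical part". */
uint8_t lfsr_step(uint16_t *state) {
    uint16_t s = *state;
    uint8_t out = (uint8_t)(s & 1u);                          /* emitted bit */
    uint16_t fb = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    *state = (uint16_t)((s >> 1) | (fb << 15));
    return out;
}

/* Length of the state cycle that starts at seed (the article's "cycle").
 * The all-zero register is a fixed point: the circuit locks up there and
 * emits zeros forever, so a real design must never load that state. */
uint32_t lfsr_period(uint16_t seed) {
    uint16_t s = seed;
    uint32_t n = 0;
    do {
        lfsr_step(&s);
        n++;
    } while (s != seed && n < 0x20000u);
    return n;
}

/* Why a linear circuit fails the article's test: for this register the
 * first 16 output bits are exactly the initial state, low bit first, so
 * 16 observed bits reconstruct the register completely. */
uint16_t lfsr_recover_state(const uint8_t observed[16]) {
    uint16_t s = 0;
    for (int k = 0; k < 16; k++)
        s |= (uint16_t)((observed[k] & 1u) << k);
    return s;
}

/* Generate n output bits from seed into out[]. */
void lfsr_bits(uint16_t seed, uint8_t *out, size_t n) {
    uint16_t s = seed;
    for (size_t i = 0; i < n; i++)
        out[i] = lfsr_step(&s);
}

/* Self-check: produce 16 + n bits, hand only the first 16 to the
 * "observer", and compare its prediction of the next n bits with the
 * real generator.  Returns 1 when the prediction is exact. */
int lfsr_prediction_matches(uint16_t seed, size_t n) {
    uint8_t actual[16 + 64];
    if (n > 64)
        n = 64;
    lfsr_bits(seed, actual, 16 + n);

    uint16_t guess = lfsr_recover_state(actual);
    for (int k = 0; k < 16; k++)
        lfsr_step(&guess);                 /* consume the observed bits */
    for (size_t i = 0; i < n; i++)
        if (lfsr_step(&guess) != actual[16 + i])
            return 0;
    return 1;
}

int main(void) {
    printf("period from 0xACE1: %u\n", (unsigned)lfsr_period(0xACE1u));
    printf("period from 0x0000: %u (lock-up state)\n",
           (unsigned)lfsr_period(0x0000u));
    printf("observer predicts next 64 bits from 16 seen: %s\n",
           lfsr_prediction_matches(0xACE1u, 64) ? "yes" : "no");
    return 0;
}
```

The prediction succeeds for every non-zero seed, which is the practical content of the article's remark: a state machine whose next-state and output functions are linear keeps no secret once a few outputs are observed, however long its cycle is. A filter or feedback function that is not linear in the state bits is what removes this shortcut, and even then the register must be seeded from a proper key and never from the zero state.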
Why is password creation so hard? (Part 3)

by Josephine Rosenburgh

If you're trying to create a 256-bit encryption algorithm you need to ensure that there is absolutely no chance of anyone ever cracking it, not just a small chance or a very small chance. No chance. You cannot afford to make a single mistake anywhere in the design, which is why you need it at the correct efficiency. Do you want the world's top cryptographers to run out of ideas in the middle of a 256-bit encryption algorithm? They're expecting you to use their algorithms. Therefore, you have every right to question them.

The great problem is an algorithm which is too inefficiently slow or too inefficiently fast. It is no good being nearly good enough. I do not think it is safe to run out of ideas when you're in the middle of creating a 256-bit encryption algorithm. That's 10^77 permutations, which you're trying to protect. (And one day there will be that computer that will be powerful enough to crack Eternity 2. Even if you cannot program it there are plenty of mathematicians at Cambridge University, or any other university, who can.)

I think the world owes a big amount of gratitude to the Twofish people. They were the only team who correctly assessed how efficient an algorithm is supposed to be, given that there are no clues in the universe. They correctly realized they would have to create those clues literally out of thin air, which is just what I did. You create, request, the clues yourself rather than expect the universe to do it all for you. The Twofish team mentioned that it is easy to create an algorithm which is secure but totally ignores the amount of time taken. It is also easy to create an algorithm which is very quick but isn't secure at all. The hard part is getting both of them together.
The Twofish team did try to crack Rijndael (which is set at 14 rounds of encryption). They knew what it lacked but still could not crack it in the time they had. Others have attempted too without success but that doesn't mean anything. No one can predict if or when it will successfully occur. I will say that an algorithm can only be secure if every one of the 2^256 combinations is fully protected. What if 999 of those are exposed? Those 999 are always hidden from the cryptographer(s) that created it. Its creators may not see them but someone else easily could. With 2^256 combinations every single one is being tested all the time, not just part of the time but all of the time. A competent algorithm creator can see all of them and they should all flow beautifully, exactly as the inventor intended. (I will take the word "cryptographer" as meaning someone who studies algorithms whereas an algorithm creator is someone who creates them.)

When I formed my infinite algorithm and my password encryption algorithm I was constantly doing calculations. I had to know exactly how efficient something was. For Rijndael to reach Twofish's level of security the Twofish team calculated that 24 rounds would be needed, which makes it less efficient than Twofish. When you pick an algorithm do you choose one from someone who is in the top 10 of the world's best or someone only in the top 20 to 30? Certain people did take Twofish to be the correct algorithm. The Twofish team still felt uneasy about Rijndael (set at 14 rounds) and recommended 18 rounds to increase its level of security. This advice was ignored.

If you don't know how efficient an algorithm is supposed to be then you will not know how efficient your algorithm is and, therefore, you will not know how secure it is. You will think it's more secure than it actually is.
As a result your algorithm could have too few calculations and, BANGGGGGg, your algorithm could be blown wide open and you wouldn't even know it. If, however, there had been too many calculations then that would just be by pure, pure, pure luck. Fourteen teams failed, one succeeded. If you're programming a computer to perform a super, super, super, super complex algorithm then you really, really need to make sure that you know exactly what is going on at all times. You cannot afford any mistakes.

Here's how it works: the better the algorithm creator, the better they will be at understanding where they went wrong and, obviously, the worse the algorithm creator, the worse they will be at understanding where they went wrong. I constantly recognised where I went wrong and I'm sure the Twofish team will have done the same. The best algorithm creators will make mistakes but will correct them very quickly so that they make the correct progress. It won't happen as often for other algorithm creators and that's exactly what you will have seen in the AES contest.

If you're staring a giant 256-bit encryption algorithm in the face how many of those permutations would you expect to be protected? 2^254? 2^248 perhaps? Or maybe maybe maybe 2^230? Which of the 15 algorithms would you have picked? The one with the most technical-sounding name perhaps? Have you ever heard of the Teknotranic 256-bit encryption algorithm before? Or maybe you could opt for the Compucell-Ramdac? It could have been that all 15 teams failed to produce a correct 256-bit encryption algorithm, in which case we would never have known. That is as much as I can say on the subject (since I don't specialize in those types of algorithms).
So there must be connections between standard cryptographers (algorithm creators) and specialist cryptographers (algorithm creators) and either one could succeed or fail. NIST can pick whatever algorithms they want. That's their choice. I'm not here to change their mind. I just compared algorithm efficiencies so that others will learn something from it. The algorithms are all available for everyone to use. You pick whichever one you think is best for you. Besides, we can all have our own opinions about the five that made it to stage 2. When NIST set up the challenge they asked for an algorithm that no five people on the planet were capable of meeting. They assumed it was going to be very easy.

What is encryption? What actually is it? I will use an analogy. Imagine you have been buried in the desert. You have a limited amount of time to escape. To escape you have to guess the number of sand particles in the desert. The total number is not random but is derived from an algorithm. You have to guess, exactly, what the algorithm is before your time runs out. The algorithm is a very, very efficient one. It is unbelievably efficient. And you're wondering why 14 teams failed?

When an encryption algorithm is introduced it is always being tested, every day. It is tested by nature, the universe, which is why it has to be perfectly secure and correctly efficient. If the algorithm isn't correctly efficient and there aren't enough steps then it's just a numbers game as to when it will break. Does it matter whether it is 23, 33, 43 or 53 years' time? What if a dam has a very slight crack? The water is testing the dam every day. How can you say when it will break? It doesn't matter when. The water appears not to be moving but it can only be that way if the dam was perfect in the first place.
You have to be solving all of the problems at a faster rate than nature is putting them there. Once the dam has been built then it is too late to do anything about it. Only the best algorithm creators will know exactly where the correct efficiency levels are. There are cryptographers who spend all day testing the weaknesses of algorithms.

Why is it so hard to create an encryption algorithm? Because it is so deceptive and no one knows what such a thing would ever be. You are being asked to create something when you don't even know what the end result is supposed to be. It is constantly like that throughout the whole process and yet you are always led to thinking the opposite. It is virtually impossible for an algorithm creator to know when they have reached the final formula successfully. What in the universe will tell that algorithm creator when they have got there? There is literally nothing. It is the worst jigsaw puzzle in the universe and no one even knows of its existence. The people who created Twofish wouldn't be able to answer the question and I'm sure that none of them would ever say that encryption is easy. Can you guess what other encryption algorithms I have yet to create? I can't even do that. I would never say it was easy. And now you know why password creation (and password encryption) is so so so hard.

I also want to say something to computer programmers who incorporate encryption algorithms within their software. I know exactly what you were thinking: "I'll just use whatever algorithm NIST chose. They must know more than me. They're the experts." Obviously, you have absolutely no idea about the creation of advanced encryption systems. It is clear to everyone that you didn't even bother reading any of the reports about the algorithms, or you did but you still couldn't understand anything written in them.
Have you ever thought about joining NIST? Perhaps you could make a change to your choice of algorithm and kindly offer your clients a free upgrade to the new version of your software? Who knows what someone will be able to do in 20 or 50 years' time?

"What about software which creates, encrypts and saves all your passwords?" Do you need a password to use such software? Why should you know how to create all of your own passwords? Some word processors encrypt your files but only if you provide a password. Trying to get away from using passwords is impossible. Encryption always involves passwords somewhere. And what if someone loses their laptop or tablet? What is such software doing? It is treating passwords like known data (which it is not) and encrypting it. Will the people who create such software provide a password encryption system for everyone to use? Are they going to show the world's best cryptographers and mathematicians how to encrypt all their passwords? Whilst they're programming their computers are they using the very algorithms that were submitted for AES? Surely, the people who submitted AES algorithms are all perfectly capable of programming their own computers with their own algorithms to encrypt all of their own passwords? We all know that computers are far faster than people at performing numerical calculations.

I have now highlighted Twofish as being the most efficient of all the algorithms. Can you guess what I'm going to ask next? How does Twofish compare with my infinite encryption algorithm? Which is more efficient? That's what the average football supporter is asking. My efficient infinite algorithm is going to have to be more efficient for an average human to use than Twofish is for a computer to use. Did I do everything absolutely correctly? Twofish has 2^256 permutations. Mine has infinitely many. Which is more efficient? And guess what?
My password encryption algorithm is going to have to be more efficient than my infinite encryption algorithm. That's how difficult it is to do. What does this mean? My password encryption algorithm is going to have to be the most efficient encryption algorithm in the world as it will have to comfortably protect all of your passwords.

The password encryption algorithm has to be perfect in every way, with absolutely no flaws in encryption. An infinite encryption algorithm, however, does not have to be so perfect, but it has to be reasonably close so that it is easy to find the password encryption algorithm as a result of finding the efficient infinite algorithm. Of course, there are an infinite number of efficient infinite algorithms, but which ones are close enough to being perfect? I could have found a reasonably efficient one which wasn't quite efficient enough. However, to get there a totally flawless efficient infinite algorithm is required. And cryptographers have never even heard of a password encryption algorithm until now. You have seen flowers before. So what? Everyone has seen flowers before. It was harder for me to write this article than it was to find the password encryption algorithm.

So here we have it: on my left are the world's leading cryptographers. On my right are the world's leading mathematicians and physicists. I quickly turned and faced the right direction to walk to the one correct door which led to the world's most succinct, efficient encryption algorithm. Opening it and looking in was like seeing a golden new world. I saw several flowers out of an infinite number hidden in the unlit background. The only flowers in there come from an infinite number of permutations and they are all designed by supreme cryptographers. Whatever is designing these flowers is far better at cryptography than I am.
Whichever direction you look in, you will see amazing flowers. The next amazing algorithm will be even harder to find. Expect people without basic maths skills to purchase the book and complain that the author is a liar. I now know that my mathematics skills are better than those who cannot do basic maths. (As a matter of fact, try and avoid telling those with below average intelligence about this article.)

There is one more calculation that I should show you. If I don't then someone else probably will, so I might as well show it. What is the consequence of finding these two special super-efficient algorithms? I've said countless times that my infinite algorithm is super, super efficient. What does that mean in the real world? How big is 10^77 or 10^38? Let me give you some kind of a physical perspective. I now want to talk about cruise ships. What on Earth do cruise ships have to do with cryptography, you ask? Good question. Let me continue. The world's largest cruise ship is the "Oasis of the Seas" (along with the "Allure of the Seas"). Its (gross tonnage) volume is 225,000 tons. Its weight (displacement) is 100,000 tons. Suppose that someone wishes to steal all those 100 billion (10^11) booklets. They can't run very quickly so everyone in Germany has agreed that all of the booklets will be thrown into a container. After completion everyone is now standing around waiting for something to happen. Minus the weight of the container, the approximate weight of the whole thing is 2 million tons. This is equivalent to 20 "Oasis of the Seas" ships. Never mind UFOs landing in your street.

You have now read this article. I will finish with one last message. I remember one man (who works for a very very famous software company) complaining about the number of passwords he had to use. The answer is simple: use a search engine. Type in "password tips".
I tried it and got 2,500,000 results. My advice to him: stick to your current method rather than view all of the results. Which result came top? The one from his employer.

About The Author

From California, this young author spends most of her time working in a computer store. An avid fanatic of sudoku and crosswords, reading several articles on cryptography led her to the inspiration she needed for her first ebook. Married to her husband, John, a sales rep, she also spends her spare time writing and dancing. Prior to the launch of her first ebook she was unsuccessful in her attempts to get another book into print and still continues to pursue this objective. Josephine's book can be found at https://www.smashwords.com/books/view/429052 She can be reached online at https://twitter.com/jrosenburgh

Secure your code with analysis and scanning

by Art Dahnert, Security Product Manager, Klocwork, a Rogue Wave Company

More and more development teams are standardizing on static code analysis and open source scanning to reduce their risk of encountering security breaches in the field. These tools find the vulnerabilities for you, so you don't have to spend time, money, and skill sets worrying about them. It boils down to three things: knowing where your risks are, checking in more secure code, and reducing the probability of attack.

What does static code analysis do?

Static code analysis (SCA) is the automated identification of programmatic, semantic, and security errors in code. There are simple analysis tools out there, no more than glorified compilers, but more sophisticated tools take into account all the control and data flow interactions within the application and check for compliance against common industry standards. Consider a function that dereferences a pointer set by another function.
Manual unit testing of either function in isolation may not reveal that the pointer being dereferenced could be NULL. Static code analysis, on the other hand, would find the problem. Going further, consider the same situation but with the two functions developed by two different teams. The chances of the NULL pointer dereference reaching the customer become higher if the test coverage isn't there. It's not surprising, then, that Capers Jones of Namcook Analytics found that, without tools and processes like static code analysis, developers are less than 50 percent efficient at finding bugs in their own software.

What does open source scanning do?

Developers have nearly limitless options when it comes to finding and downloading open source code, and they often include this code in any number of ways and amounts. Understanding and tracking open source use isn't usually a priority for developers when their primary focus is on delivering features. Scanning tools offer an automated and repeatable method for understanding the scope and depth of open source use within a company. Not only do they free up time to focus on other development efforts, they also remove any element of human error. Given that open source packages can contain other open source packages and that even just a few lines of reused code can contain risks, scanning tools are the only reliable choice to know exactly what's going on within your code base. Sophisticated open source scanning also comes with open source support, to help you understand the software packages better.

How do these tools reduce security risks?

Static analysis helps developers deal with well-known but hard to understand security vulnerabilities. Take a buffer overflow as an example: when a buffer of insufficient or untrusted size is used to copy into memory, the application is potentially vulnerable.
Buffer overflows cover so many different forms of exploits (such as the well-known Heartbleed flaw) that they are almost impossible to quantify. The issue isn't necessarily that developers don't understand what a buffer overflow is; rather, it's the size and complexity of the code base that makes it extremely difficult to find. SCA, on the other hand, uses a detailed model of the code base to identify and explain these issues in a way that helps developers fix them early in the development process. The power of SCA isn't limited to finding code vulnerabilities; it's also an effective method for determining how compliant your code is with common security standards, like CWE or OWASP.

Open source software is used by over 50 percent of enterprise organizations today (from the 2014 Future of Open Source survey), yet it's not surprising that most of them don't know the extent of where and how open source is used. If open source isn't tested to the same technical and performance requirements as the rest of your software, including security vulnerabilities, any product or service that includes it is potentially compromised (this issue is now number 9 on OWASP's list of Top 10 Application Security Concerns). Open source scanning and support does two things:

- It gives you a comprehensive picture of where open source is used throughout the organization, giving you the information you need to plan and execute security testing.
- It provides up-to-date reports on known security vulnerabilities, patch levels, and versions.

Armed with the knowledge provided by open source scanning, your team is better positioned to combat security threats.

The perfect combination

Static code analysis finds flaws before check-in and open source scanning finds flaws in code that you're bringing in from the outside.
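The two defects the article uses to motivate static analysis, the NULL pointer set by one function and dereferenced by another, and the copy into a buffer of insufficient size, written out in C as an added example that is not from the article or from Klocwork. The user table, the NAME_BUF size and the function names are constructed for this illustration. Each defect appears beside a hardened form; the unsafe functions are left in so the contrast is visible, but the self-check only calls the checked versions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not from any real project): a tiny user table
 * that a lookup can miss. */
struct user {
    const char *name;
    int id;
};

static const struct user USERS[] = { { "alice", 1 }, { "bob", 2 } };

/* Function A: returns a pointer into the table, or NULL when no user
 * matches.  Tested on its own this function is entirely correct. */
const struct user *find_user(const char *name) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return &USERS[i];
    return NULL;
}

/* Function B, the defect the article describes: it dereferences whatever
 * A returned.  A unit test that only feeds known names never sees the
 * NULL; an analyser that follows find_user()'s return value across the
 * call boundary reports the possible NULL dereference. */
size_t name_length_unchecked(const char *name) {
    const struct user *u = find_user(name);
    return strlen(u->name);   /* crashes, or worse, when name is unknown */
}

/* Hardened form: the NULL case becomes an explicit, testable error path. */
int name_length_checked(const char *name, size_t *out) {
    const struct user *u = find_user(name);
    if (u == NULL)
        return -1;
    *out = strlen(u->name);
    return 0;
}

/* The article's second example: copying input of untrusted length into a
 * fixed-size buffer.  strcpy() knows nothing about the size of dst, so a
 * source longer than NAME_BUF - 1 bytes writes past the end of it. */
#define NAME_BUF 8

void copy_name_unbounded(char *dst, const char *src) {
    strcpy(dst, src);         /* flagged by SCA: unbounded copy into dst */
}

/* Hardened form: compare the length with the destination size and reject
 * oversized input rather than silently truncating it. */
int copy_name_bounded(char dst[NAME_BUF], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_BUF)
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 also copies the terminating NUL */
    return 0;
}

/* Small wrappers so the results can be checked as plain return values. */
long checked_length(const char *name) {
    size_t len = 0;
    return name_length_checked(name, &len) == 0 ? (long)len : -1L;
}

int bounded_copy_fits(const char *src) {
    char buf[NAME_BUF];
    return copy_name_bounded(buf, src) == 0;
}

int main(void) {
    printf("alice -> %ld\n", checked_length("alice"));
    printf("mallory -> %ld (unknown user, no dereference)\n",
           checked_length("mallory"));
    printf("\"bob\" fits: %d\n", bounded_copy_fits("bob"));
    printf("13-byte name fits: %d (rejected)\n",
           bounded_copy_fits("averylongname"));
    return 0;
}
```

A compiler accepts name_length_unchecked() and copy_name_unbounded() without complaint, which is the article's point: both bugs only show up when someone, or a tool, reasons about the values that flow between functions and about the size of the destination, not about either function on its own.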
Put the two together and you'll not only have a complete picture of the potential weaknesses in your code, you'll also be able to fix flaws earlier and faster than if you tried to do it manually.

About The Author

Art Dahnert is the Security Product Manager of Klocwork, a Rogue Wave Company. He is a distinguished software security engineer with over 17 years of security experience within the development process. Before joining Klocwork, Art performed numerous application security assessments while working at Trustwave SpiderLabs, Symantec, Overwatch, Schlumberger, and BMC Software.

Email Threats: A thing of the past?

By Fred Touchette, AppRiver

There is no doubt cyber criminals continue to use personal and rented botnets to pump the Internet full of unwanted advertisements for fake or knock-off products, but the effectiveness of that spam as a money-making device is dwindling. Now, in the cyber underbelly, email has turned from mischievous to outright malicious: campaigns that once relied on trickery to fool recipients into spending money now simply take it.

Delivery Methods

Today's cyber criminals employ many email methods to steal money. And since so many people maintain and rely on email accounts, what better place for cyber criminals to target? Email-borne attacks come in the form of phishing, spear-phishing, Trojans, malicious attachments, and hidden scripts. Attack techniques are ever-evolving and adapt with technology in an effort to stay ahead of security professionals. This constant game of "cat and mouse" has driven malware authors to become very good at what they do, and has resulted in some very sophisticated code.
In the beginning, cyber criminals wishing to lure victims to a malicious site would first manually set up the site and then attract enough people to that site before it was shut down. Later, cybercriminals sent Trojan horse viruses that pretended to be something of interest to the receiving party. It was often the attacker's job to write the malicious code, send out emails, and maintain compromised sites. While the Trojan approach still lives on, there is no longer any need for one person to maintain the prerequisite skill set and personal resources, thanks to underground outsourcing. Today, just about anyone with the desire and wherewithal can assemble an entire cybercrime team and be ready to go within days.

Threat Variants

We have seen millions of variants of email-borne malware, including "Melissa" from 1999. Melissa was named after the author's love affair with, you guessed it, a woman named Melissa. Purporting to be a Microsoft Word document, Melissa was actually a worm that spread so quickly it caused a massive shutdown, the largest the world had ever seen up until that point. Fast forward a few years and a massive surge of email-delivered viruses ran rampant with help from Blaster Worm, Sasser, Slammer, and an even more destructive and hardy strain named Storm Worm, which had a team of people maintaining its code and its subsequent botnet. Storm Worm's code was so strong that it became one of the most prevalent threats from 2007 to 2010. In recent years, SpyEye, Zeus and the mega botnet Cutwail have also wreaked serious havoc. The point is that the landscape is constantly changing in order to meet the needs of the attackers as well as respond to the obstacles the security pros put in their way.

Introducing the Malware Kit

A decade ago, personal gratification may have been realized when spammers successfully executed a mass email attack.
But today's objective is much more sinister and involves money: your money. Unfortunately, today's cyber attackers need little training to launch malicious campaigns. Once upon a time, technical knowledge was required to create and run malware operations. Today, malware toolkits ("kits") are easy to find and use on underground forums. Malware authors build kits to make money, selling them to people who have the desire to commit cybercrime but lack the ability. Most kits are affordable: a new kit may hit the black market for a few thousand dollars and then drop to a couple of hundred once the novelty of that particular brand fades. Some kits even come with a support feature that grants the purchaser access to the kit's author, so that questions about the kit and its proper operation are answered in a timely manner. Some authors also sell upgraded versions so that the payloads attached to email campaigns stay undetected by even the most current anti-virus solution, guaranteed. Kits are made with novice users in mind. The user enters data such as the victims' email addresses, composes a generic email body, and gives the kit a destination to report back to. After clicking "Go", the kit does the rest, including compromising vulnerable third-party websites to host the malicious code and to store the newly stolen personal information.

Enter the Breach

Attacks on individual users like the ones discussed above have become almost passé to cyber criminals who are anxious for a quick score of private personal information in one fell swoop. Some of the most sought-after targets today are those that hold millions of records in one place.
Such targets include large department stores, ecommerce warehouses or any large entity that stores credit card numbers, passwords or other data on servers that may lack proper storage security procedures. The general public is quickly learning the importance of data security. Still, many organizations fail to take heed and find themselves in the middle of a media blitz when consumers discover that their data has been handled in less than savory ways. Such breaches cost far more in disaster recovery than proper security would have cost in the first place.

Vigilance is Key

Spam may be on the decline, but email and the Internet itself have not become less dangerous because of it. As defenses improve, cyber criminals get more creative with advanced techniques and unleash greater threats. That is why education and awareness of cyber dangers are needed. After all, the complacent individual will often find themselves the next victim.

About the Author

Fred Touchette, CCNA, GSEC, GREM, GPEN, Security+, is a Senior Security Analyst at AppRiver. Touchette is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications.

Dodging disaster: Cybersecurity and business continuity

By Stephen Cobb, senior security researcher at ESET

You know your company runs on data, and you've installed firewalls and antivirus to protect your systems, but could your business keep going if the power went out? Or your Internet connection went down for a day?
Or your office was inaccessible due to flooding or some other disruptive incident? For many organizations the honest answer is: that would depend on the exact nature of the "incident" and how long it lasted. Some companies do go out of business when they are hit with a disaster for which they have not adequately prepared, which is unfortunate because the path to preparedness is well-documented. Any company of any size can improve its chances of coming through a disruptive event in one piece, with its brand intact and its revenue undiminished, by following some tried and trusted strategies collectively known as Business Continuity Management (BCM).

What is business continuity?

Business continuity is the ability of an organization to continue to deliver its products and services at acceptable predefined levels after disruptive incidents have occurred.

Identify and rank the threats

• List the potentially disruptive incidents most likely to threaten your business. For example, in San Diego, where ESET is based, there is a relatively high level of earthquake and wildfire awareness. But what about a data breach or IT outage? What if a toxic chemical spill puts your premises off limits for several days?
• A good technique at this stage is to include people from all departments in a brainstorming session. The goal is a list of scenarios ranked by probability of occurrence and potential for negative impact.

Perform a business impact analysis

You need to figure out which parts of your business are most critical to its survival.

• Begin by detailing the functions, processes, personnel, places and systems that are critical to the functioning of your organization. The BCM project leader can do this by interviewing employees in each department and laying the results out in a table that lists each function with its key person(s) and alternate person(s).
• You then determine the number of Survival Days for each function.
How long can your business endure without that function before the impact becomes serious?
• Next you rank the impact of that function not being available. For example, disaster recovery expert Michael Miora suggests a scale of 1 to 4, where 1 = critical operational impact or fiscal loss, and 4 = no short-term impact.
• If you then multiply Impact x Survival Days and sort the table by the product, smallest first, you can see which functions are most critical. Top of the table will be functions with critical impact (1) and just one survival day.

Create the response and recovery plan

This is where you catalog key data about the assets involved in performing critical functions, including IT systems, personnel, facilities, suppliers, and customers.

• Catalog equipment serial numbers, licensing agreements, leases, warranties, and contact details.
• Determine "who to call" for each category of incident and create a calling tree so the right calls get made, in the right order.
• Create a "who can say what" list to control interaction with the media during an incident.
• Document any arrangements you have in place for transitioning to temporary locations and IT facilities.
• Don't forget to document an "all-hands" notification process and a customer advisory procedure.
• Lay out the steps to recover key operations in a sequence that accounts for functional inter-dependencies.
• When the plan is ready, train managers and their reports on the details relevant to each department and on the importance of the plan to surviving an incident.

Test the plan and refine the analysis

• Test your plan at least once a year, with exercises, walk-throughs or simulations.
• If a company-wide test seems too daunting, consider beginning with a few departments, or one office if you have several.
• Apply what you learn more broadly across the company as you progress through the tests.
• Avoid thinking bad things won't happen, because they do. Being prepared with a plan is a step in the right direction.

About The Author

Stephen Cobb is a senior security researcher at ESET. Cobb has been researching information assurance and data privacy for more than 20 years, advising government agencies and some of the world's largest companies on information security strategy. Cobb also co-founded two successful IT security firms that were acquired by publicly-traded companies and is the author of several books and hundreds of articles on information assurance. He has been a Certified Information Systems Security Professional (CISSP) since 1996 and is based in San Diego as part of the ESET global research team. Cobb can be reached on Twitter @zcobb. For more information about business continuity management, please visit www.eset.com/bcm.

Consumers Need to Know About Corporate Data Breaches in a Timely Fashion

Breach notification laws & regulations are necessary

By Tom Feige, CEO of idRADAR

Consumers everywhere strongly expect that their personal data will be valued and protected no matter where the merchant is located. Unfortunately, this is often not the case, given the recent rash of so-called "mega" breaches that are besieging our area, the country and the world, like the eBay breach just a few weeks ago. Consistent laws and regulations on data security need to be formulated and followed nationwide.
idRADAR's own research indicates that nearly 80 percent of people who have had personal data exposed ignore the threat, while companies that have been breached often mask the theft by making announcements only in the two states that require immediate public notice. Without a national breach notification law, millions of Americans do not know that their personal information has been exposed, nor can they protect themselves appropriately. Corporate data breaches and personal identity theft are now global phenomena that imperil the financial integrity of our entire society and culture.

Believe you're safe? Think again. No one is 100 percent safe from the best efforts of the best hackers representing some of the world's worst criminal organizations. The truth is that many leading corporations, retailers and government organizations are only now beginning to understand the depth of these threats and the unwavering commitment of the perpetrators to gaining wealth through the theft of your most intimate personal information and financial records.

Another complication is the crazy quilt of data breach notification procedures that lack definitive federal standards and amount to a mishmash of varying state laws and US territorial regulations. In addition to making it tough for consumers to learn that their data has been compromised, this landscape presents a massive challenge to companies and organizations as they attempt to understand their legal obligations. This creates complication and delay even for organizations with the best intentions of alerting customers immediately after identifying threats and their potential damaging effects.

Then again, there are the actions of retailers such as Michaels Stores that make the case for stiffer, mandated regulatory practices when breaches occur. Michaels announced it might have a problem on January 25, 2014, but did not confirm the details until April 17, 2014, a 12-week delay.
In fact, the company only announced that an investigation was under way after news of the problem leaked to the media. In all, three million payment cards were compromised, some of them a full year earlier. In comparison, Target Corp. took four days to go from first suspicions to initial disclosure. In the days immediately following its pre-Christmas announcement, Target stumbled and struggled with everything from overwhelmed hotlines and glitches in its credit monitoring sign-up to its testimony before Congress. While most corporations would choose the Michaels route of carefully crafting a response plan down to the smallest detail to ensure smooth implementation, the truth is that customers are rarely served by such tactics. Even when law enforcement investigators ask a merchant to hold off on public disclosure, they are not usually anticipating several months of delay. For customers, such lengthy timeframes can create compounding damage, especially if the payments were made with debit cards. Take the case of the Raley's grocery chain breach disclosed last June. Even though the banks promised to absorb the fraudulent charges, shoppers suffered in other ways. One idRADAR customer spelled out how his life was turned upside down when the hackers emptied his bank account. "I was given a refund by the bank but only after two weeks, and being late on bills and running out of money to put gas in my car, and then another week before I even had another debit card to use. Shameful, the way they make it sound like it is no big deal!" wrote the individual.

Customers who have the foresight to put comprehensive identity monitoring services in place before a breach, with daily checks of the three credit bureau files, criminal court records, the dark web (a.k.a. the Internet black market) and other public records, are in a far better position to detect the theft of card numbers before their sale to criminals, protect their bank accounts and put safeguards in place well before companies like Michaels publicly own up to the problem. Yet few individuals have this level of protection. For the average Michaels Stores, Target or Raley's shopper, speed of disclosure is essential to limiting the damage. Realistically, a two-week window should be ample for hacked companies to line up a strong response, provided their risk management plans and strategies are in place long before the breach. Asking customers to wait any longer pushes the boundaries of reason. Delays are even less acceptable when Social Security numbers have been compromised. Not all companies will comply with such a timeline (some will still try to avoid any sort of breach announcement), but a federal enforcement agency could levy fines for longer delays judged to be unreasonable. While all the details may not be clear within 14 days, a federal law should also require companies to disclose the exact types of data lost and the total number of victims. Recent reports in The Washington Post put the data breach at Harbor Freight Tools at close to 200 million compromised cards, which, if accurate, would make it even larger than the Target or Adobe Systems breaches. However, Harbor Freight has steadfastly refused to disclose numbers.

How and when breaches are disclosed can no longer be governed by our current puzzle of state laws. The strength or weakness of a state statute should not determine how much residents of that state learn about the loss of their own personal data. It's time to remove the blinders so that America can see this problem in its full size and impact, and not just the slices that are revealed piecemeal, state by state. Perhaps if the country realizes the true magnitude of the problem, we can finally shift the focus from breach reaction to where it should have been all along: proactive breach prevention.

About the author

Tom Feige co-founded Denver-based idRADAR (www.idradar.com) to provide security solutions for individuals and corporations that protect and monitor identity data, credit information, Internet use, and digital communications. For more information please call 888-949-4245.

Improve Your Computer's Security in 5 Simple Steps

Whether you have a laptop, a netbook or a high-end PC, it is very likely that you do more than just check your email on it. With online shopping and even online banking now commonplace, it is incredibly important that you ensure the safety and security of your computer. And if you have a business PC and store any client files in your documents, it is important to ensure that these are secure: a breach of client privacy is a huge issue for any business. Because of the anonymity the Internet gives hackers, it has become more dangerous to share information online, and even offline on your PC. That is why it is important to have the right security measures in place to stop potential hackers or data thieves in their tracks.
There are a number of precautions you can take to reduce the risk of becoming a victim of hacking. As with any security measure, these are not fail-safe, so it is important to keep updating your security in line with your privacy needs and budget.

1. Password Protection and Changing Passwords

Password protection is essential at any level of security. Whether you have a PC or a tablet, even if you only use it at home, at least set a password on the login screen. Although it does not provide a huge level of protection, it is one extra barrier for a thief to cross. Every online account requires a username and password, and it is strongly recommended that you use a different password for each account rather than a single password everywhere. If you have trouble remembering passwords, don't write them down in a document on the computer! That is a rookie mistake. Try writing it on a piece of paper kept in your wallet or diary, but don't make it obvious that it is a password. People often keep nonsensical notes in their diaries and wallets, and you will recognise yours when you see it.

Setting up password policies within a business is also essential if you handle sensitive client information. A password policy is a set of requirements a password must meet before it is accepted: for example, a minimum of 8 characters, at least one numeric character and at least one capital letter. You can also require that passwords be changed every 30 days to reduce the window in which a stolen password can be used for nefarious purposes. It may seem annoying, but it is a good security measure. Some companies even state that a new password cannot be the same as any of the previous 24. Imagine having to think up 24 passwords that meet the requirements! But it greatly improves security.
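As an added example (not code from this article or its author), the Python below enforces the policy just described: at least 8 characters, at least one digit and one capital letter, and no reuse of the previous 24 passwords. The history is kept as salted PBKDF2 hashes rather than plaintext, so the reuse check re-hashes the candidate with each stored salt; the PBKDF2/SHA-256 choice and the iteration count are assumptions for the demo. One caveat worth knowing: NIST SP 800-63B (2017) no longer recommends forced periodic rotation without evidence of compromise, so the 30-day rule is the article's advice rather than current best practice; the length, complexity and history checks are the parts most policy engines still implement.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Added example, not part of the original article.
# Policy parameters taken from the text: minimum 8 characters, at least one
# digit and one capital letter, and no reuse of the last 24 passwords.
MIN_LENGTH = 8
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 100_000  # assumption: a modest work factor for a demo

# A history entry is (salt, digest); plaintext passwords are never stored.
HistoryEntry = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_errors(password: str) -> List[str]:
    """Return the policy rules the candidate fails (empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        errors.append("no numeric character")
    if not re.search(r"[A-Z]", password):
        errors.append("no capital letter")
    return errors


def reused_recently(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes.
    Each entry has its own salt, so the candidate is re-hashed per entry and
    compared in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def change_password(new_password: str, history: List[HistoryEntry]) -> List[str]:
    """Validate a candidate against the complexity and history rules.
    On success the new hash is appended to history and [] is returned;
    otherwise the list of violations is returned and history is untouched."""
    errors = complexity_errors(new_password)
    # Only pay for the hashing when the cheap checks have passed.
    if not errors and reused_recently(new_password, history):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    history.append(hash_password(new_password))
    return []


if __name__ == "__main__":
    # Constructed demo run: a user's password history starts empty.
    history: List[HistoryEntry] = []
    for candidate in ["short1A", "Winter2014", "Winter2014", "winter2014", "Spring2014"]:
        result = change_password(candidate, history)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```

In a real deployment the history would live in the directory or identity store next to the account, and the work factor would be tuned to the authentication server's capacity; the structure of the check stays the same.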
2. Consider an Alternative Browser

If you are less than savvy about IT and the internet in general, the chances are that the browser you're using is Internet Explorer. It is generally recommended to change to Firefox or Google Chrome, as these browsers have add-ons you can install to increase security while browsing online. Changing your browser is not the end of the world! There will be a few noticeable differences, but both Firefox and Chrome are easy to use once you've got used to them, and add-ons such as Adblock and pop-up blockers are incredibly useful because they filter out some of the junk you come across when browsing normally. Adblock works wonders: most websites run adverts in the background or alongside the main content to generate revenue. In most cases these adverts are harmless if you don't click on them. However, the occasional advert will pop up or start playing automatically, and these can be both dangerous and annoying. Adblock disables these adverts so that you simply don't see them.

3. Use ONE Reputable Antivirus Program

"I can't choose one antivirus program? Isn't it better if I just install them all?" While in theory that might work a treat, in reality antivirus programs interfere with each other. Two real-time scanners compete for the same file-system and kernel hooks, slow the machine down, and can flag each other's signature or quarantine files as threats, since some malware disguises itself as an antivirus program (the perfect disguise). If you install two or more antivirus programs, they will spend so much time fighting and quarantining each other that your computer is left more vulnerable than before. Read reviews, look at statistics and do your research before choosing an antivirus program.
Surprisingly, some of the best programs out there are free, so make sure you're not getting ripped off before choosing!

4. Data Backup

In the case of a complete system failure where lost data cannot be recovered, having a backup disk or memory stick with all your files duplicated onto it is incredibly useful. It is essential to back up your system regularly so that after a PC wipe you can quickly restore it to working order with minimal effort, and without spending hundreds of pounds on an IT technician who would otherwise have to find and restore all the files. Keep your backup in a safe place and back up your files at least once every few months, more often if you feel the need. It could save you a lot in the long run!

5. Stay Cautious and Stay Smart!

A major part of increasing computer security is learning to be e-streetwise. Don't click on suspicious-looking links, don't open emails whose sender you don't know or recognise, and try to visit only registered and trustworthy websites. If you are using a shared computer, never leave yourself logged into any accounts, and always close all browser sessions after logging out. Think of a PC as your wallet and personal ID: keep it close and in a safe place when you're not using it. By using these five techniques you can significantly reduce the chances of your personal details, or those of your clients if you run a business, coming under attack. Remember to stay vigilant, to regularly update both your passwords and your antivirus program, and to keep backing up those files!

About the author

Mike James is a tech geek and gaming addict based in Sussex, UK.
He takes an interest in new MMORPGs and often writes about this and new tech findings for Technology Means Business, an IT support provider with offices in Hampshire, Essex and Kent.

Combat Advanced Cyberattacks with Shared Security Intelligence

By V Bala, Marketing Manager, ManageEngine

In this information age, even the mightiest enterprises and governments across the globe are worried about cyberattacks. Not a single day passes without a story about a hack, a compromise or an identity theft involving data on a large number of users. Cybersecurity is becoming increasingly complex, and cyberattacks have truly emerged as a global crisis. An analysis of some of the recent high-profile breaches reveals that the threat landscape is rapidly evolving into more dangerous ground, with highly targeted attacks and advanced persistent threats (APTs) leading the way. Traditionally, enterprises have depended primarily on perimeter security software and traffic analysis solutions, which help only against traditional attack vectors. But attackers today are highly creative, and traditional defenses are not effective against advanced threats. Combating modern cyberattacks demands a multi-pronged strategy incorporating a complex set of activities: deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing patches, tracking changes, meeting compliance regulations, monitoring traffic and more. But even all these measures are proving insufficient to tackle sophisticated APTs and targeted attacks. Organizations need to turn toward advanced analytics, which means analyzing all the data that enters the network, all the time.
Though the market is flooded with IT security analytics solutions, the harsh reality is that no single solution offers effective protection against all emerging threats. Despite a sound security arsenal, organizations suffer embarrassing breaches because cybercriminals often stay a step ahead of every defense. Organizations need not only to analyze internal data but also to gain threat intelligence from external sources to obtain real-time visibility. The battle against evolving cybercrime calls for close coordination and collaboration among security solution vendors, industry groups, government agencies, and security analysts. The need for sharing security data and intelligence is pressing and clear. Already, a good number of public and private collaborative communities and information sharing groups are playing a pioneering role in creating and disseminating threat intelligence. The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), the Anti-Phishing Working Group (APWG), Emerging Threats, Malware Domain List, SANS ISC, and the Spam and Open Relay Blocking System (SORBS) are some of the popular communities. Other communities, like the Information Sharing and Analysis Centers (ISACs), specialize in verticals such as IT, financial services, healthcare or banking, and offer highly focused feeds relevant to those verticals. However, vendors in the information security space, especially those in the log management and SIEM domains, are not liberal in exposing their data to third-party applications and threat intelligence tools. Of course, SIEM solutions have long offered provisions to import data from varied sources, including threat intelligence solutions. But such integrations are fraught with limitations.
Without proper correlation and data processing, feeding terabytes of data into a SIEM will not offer the required protection. And even when the SIEM proves powerful enough to analyze and correlate big data from internal and external sources, most organizations cannot afford a huge investment in big data analytics. SIEM and log management solutions like ManageEngine's EventLog Analyzer address these limitations by opening up their database for integration with any third-party application. The solution's API lets security administrators feed normalized log data into any third-party application, including crowd-sourced threat intelligence solutions, vulnerability assessment platforms, business intelligence tools or custom applications, for advanced security intelligence and threat protection. The solution's database can serve as the centralized warehouse of security-sensitive data, and a Thrift IDL-based API lets administrators pull the data they need. Security administrators can leverage this integration to bolster their security framework in use cases such as:

Advanced threat mitigation – The normalized data from the SIEM can be fed into crowd-sourced threat intelligence services, sandbox solutions or vulnerability assessment platforms. These tools can correlate the SIEM's security data with the information they already possess and help mitigate emerging attacks, botnets, zero-day threats, phishing, malware and APTs.

Location-based threat analysis – Integration with geolocation services gives enterprises geographic context for any event, which in turn helps pinpoint the country of origin and physical location of a host involved in an event. If the origin matches a country commonly associated with APTs, the suspicious traffic can be isolated for deeper analysis.
Customized security views – Security managers can create their own web applications and dashboards by extracting the data critical to their needs.

Application performance tuning – Normalized data from the SIEM can be fed into modern business intelligence tools, helping organizations understand the evolving threat landscape, assess risks, and prepare mitigation strategies and an emergency response plan in the event of attack. The same data can help drill down into overall application performance issues and assess product usability and quality.

The SIEM collects, normalizes, analyzes, correlates and stores voluminous logs from heterogeneous sources. Now the API can turn that store into actionable intelligence and help security admins trace, thwart and combat evolving threats. It is high time information security vendors came together and worked toward shared intelligence. By opening up the normalized log database to third-party applications, ManageEngine has taken a first modest step in that direction.

About the author

V Bala is marketing manager with ManageEngine, a division of Zoho Corp. During the past 13 years with Zoho, he has performed a variety of technical, marketing and product management roles. He is now focusing on marketing ManageEngine's IT security solutions, including Privileged Identity and Access Management, Network Configuration Management, and Vulnerability Management. He completed his studies in Mechanical Engineering before pursuing a PG certificate in Marketing from the Indian Institute of Management, Calcutta. Bala has published many white papers and articles on IT security, compliance and automation in leading IT magazines. He can be reached at [email protected] and via LinkedIn and Twitter.
Phishing Attacks aren't a Passing Threat

In 2013 there were nearly 450,000 phishing attacks and record estimated losses of over USD $5.9 billion. Phishing remains an ominous threat to consumers and businesses around the world.

The costs of phishing

According to the Ponemon Institute, US companies have the second most costly data breaches at $188 per record (Germany comes first at $199 per record), with a total cost per US company of $5.4 million [3]. These costs were calculated using both direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customers lost through turnover or diminished acquisition rates. The risk of data breaches, and the financial damage associated with them, is significant for companies of all sizes. Smaller organizations may believe that they are not a target, but they are at risk precisely because they do not prioritize defending themselves: 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year earlier). While 57% may seem high, the same study found that 84% of large organizations had staff-related breaches.

What is the best way to combat phishing attacks?

According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as an average or high vulnerability [4]. There is a good reason for this rating. Security technology, the first line of defense for a corporate IT infrastructure, is not effective against social engineering or phishing attacks.
It takes a human to identify that “something doesn’t seem quite right about this” to avoid an attack and report it. Of course, employees can only do this if they have the right knowledge to spot an attack in progress and practice safe behaviors to avoid opening themselves or their employer to attacks. Sadly, even with the profound statistics listed above regarding the percentage of companies that have had staff-related breaches, 42% of organizations don’t provide any ongoing security awareness training to their staff. According to a PWC survey, organizations with a security awareness program in place were 50% less likely to have staff-related security breaches.

Enabling the Phishers

What many people don’t realize is that consumers are giving cybercriminals everything they need to launch very successful and sophisticated attacks. Uneducated consumer use of social networking sites is feeding the phishing problem. Here are some examples of risky behaviors that enable phishers to create increasingly effective attacks.

First and foremost, everyone is oversharing information. This gives new meaning to the phrase “TMI” (too much information). We are sharing too much information on social networking sites, everything from our birthday and anniversary to our kids’ names, our friends’ names, our employer and co-workers and their names. All of this information can be used to create very targeted and believable phishing attacks.

In addition to the oversharing, there are other risky behaviors in social media:

39% of users don’t log out after each session
25% share their passwords
31% connect with people they don’t know

As a result, 15% of social media users have had their profile hacked and impersonated. [8] On the surface, 15% of social media users being compromised doesn’t seem like many. But consider that right now there are 1.4 billion people on Facebook alone.
That equates to 210 million people who have had their profile hacked and impersonated, and who have given phishers great information to form targeted attacks on a large percentage of the population. Here are some of the more sophisticated attacks that phishers have been using successfully.

Recent Sophisticated Attacks

Recent phishing attacks are not the “easy-to-spot Nigerian Prince” attacks. These attacks are well disguised and require an educated computer user to identify them. What both of the following phishing attacks have in common is that they use common tools, Google Docs and text messages, to catch “victims” by surprise.

A Google Docs phishing attack used an email with the subject line “Documents” and content urging the recipient to open a document via an embedded URL. The link looks fairly legitimate because it points to a Google page hosted on Google servers. Unfortunately the login form, shown here, was a fake Google login and enabled the criminals to collect the Google credentials of every person who attempted to log in to access the document.

Another recent attack utilized another common communication tactic: a text message from your mobile phone provider. The bait of the message was an account credit or a discount on the recipient’s next bill. Following the link in the text message took the victim to a mobile landing page and then a data entry page that requested the last four digits of their social security number, their User ID and their Password. Here’s the tricky part about this attack: users could only visit the fraudulent web page via mobile phone. Going to the same page from a PC caused a 404 error. This made it harder to detect the fraudulent site and take it down. In both of these cases the “victims” should not have responded to communications they were not expecting to receive.
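The mobile-only behaviour described above is something an analyst reviewing a reported URL can test for directly. The following is an added example, not code from the original article: it fetches a suspected page once with a desktop User-Agent and once with a mobile one and reports whether the page hides from PCs; the target is a constructed local stand-in that reproduces the described behaviour, so nothing here contacts the internet.

```python
"""Added example, not from the original article: a user-agent cloaking check
for a suspected phishing URL. The fraudulent page in the article answered
only to mobile browsers and returned 404 to PCs; fetching the same URL with
two different User-Agent headers and comparing the results exposes that
trick. The target here is a constructed local stand-in that reproduces the
behaviour, so the script runs entirely offline."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings for a desktop and a mobile browser.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) "
             "AppleWebKit/537.51.2 (KHTML, like Gecko) Mobile/11D201")

# Substrings the stand-in site uses to decide a visitor is on a phone.
MOBILE_MARKERS = ("iphone", "android", "mobile", "blackberry", "windows phone")


class CloakedPhishHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the fraudulent page: a credential form for
    mobile browsers, a plain 404 for everyone else."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        if any(marker in ua for marker in MOBILE_MARKERS):
            status = 200
            body = (b"<html><body><form method='post'>"
                    b"Last 4 of SSN <input name='ssn4'>"
                    b"User ID <input name='userid'>"
                    b"Password <input name='password' type='password'>"
                    b"</form></body></html>")
        else:
            status = 404
            body = b"<html><body>Not Found</body></html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_stand_in_site():
    """Serve the stand-in on a free loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), CloakedPhishHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/claim-credit" % server.server_port


def fetch(url, user_agent, timeout=5):
    """Return (status, body) for url with the given User-Agent.
    HTTP error statuses are returned as data rather than raised, and
    proxies are disabled so the loopback request goes out directly."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def asks_for_credentials(html):
    """Crude indicator: a password field anywhere in the page."""
    lowered = html.lower()
    return "type='password'" in lowered or 'type="password"' in lowered


def check_cloaking(url):
    """Fetch as desktop and as mobile and summarise the difference."""
    desktop_status, desktop_body = fetch(url, DESKTOP_UA)
    mobile_status, mobile_body = fetch(url, MOBILE_UA)
    return {
        "desktop_status": desktop_status,
        "mobile_status": mobile_status,
        # The article's pattern: hidden from PCs, live for phones.
        "mobile_only": desktop_status != 200 and mobile_status == 200,
        "mobile_asks_for_credentials": asks_for_credentials(mobile_body),
        "desktop_asks_for_credentials": asks_for_credentials(desktop_body),
    }


if __name__ == "__main__":
    server, url = start_stand_in_site()
    try:
        for key, value in check_cloaking(url).items():
            print("%-28s %s" % (key, value))
    finally:
        server.shutdown()
```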
Fake login pages can be especially dangerous because sharing credentials can make it easy for cyber criminals to access these accounts, and potentially other accounts if users don’t vary their passwords from web app to web app. These are risky behaviors that can be changed with the right educational approach.

How should you teach your employees to avoid phishing attacks?

In order for security education programs to be effective they need to be continuous, because the threats are continuous and ever changing, as evidenced by the examples earlier in this article. Research and industry results have shown that the current methods of classroom and video training once a year are not effective in the battle against cyber-attack. To be most effective, cyber security awareness and training must be ongoing to maximize learning and lengthen retention of the learned topics. The methodology outlined below should be approached as an evolving program that strives towards continuous improvement. A continuous cycle of assessment, education, and evaluation has been proven to reduce vulnerability, and it ensures that users retain the training content delivered.

There are 3 simple steps to effectively educate your users to recognize and avoid phishing attacks.

Step 1 – Assess knowledge and motivate learning and behavior change through mock attacks

Mock attacks enable organizations to assess organizational vulnerability to attack and motivate employees to complete training. Because trainees who fall for mock attacks are humbled and aware of their risky behaviors, they are more likely to complete training. Training completion rates following mock attacks can be over 90%.

Step 2 – Assign in-depth training for topics of greatest weakness

This in-depth training doesn’t have to be long to be effective.
In fact, brief training (10 minutes or less) that enables trainees to practice what they’re learning during the training session lengthens their retention of learned concepts.

Step 3 – Analyze Results

Review detailed reports about who fell for attacks and who completed training to determine which simulated phishing attack to send next and in what topics users need more training. This anti-phishing training cycle can be completed every other month to maintain trainee vigilance in their defense against real attacks.

A Phishing Education Success Story

The employees at a Fortune 50 company were over 80% less susceptible to phishing attacks after combining education modules and mock phishing attacks. The Company sent a “your package has been delivered” phishing email. Those that fell for the attack were automatically assigned to complete interactive training modules that taught end users how to spot traps in emails and how to identify fraudulent URLs. Then the Company sent another phishing email to the same group of employees. Almost 35% of the recipients fell for the first mock phishing attack but less than 6% fell for the second, which shows an 84% decrease in susceptibility in less than 60 days.

Summary

Phishing attacks aren’t going away any time soon. The mindset that eventually someone will find a technology that prevents these attacks is too passive for the increasingly sophisticated threats at hand. Information security officers have a responsibility to their organizations and to the general public to effectively teach people how to recognize and avoid these attacks both at work and at home. The right approach to changing user behavior is not difficult to implement.
About the author

Joe Ferrara is CEO of Wombat Security Technologies, a provider of information security awareness and training software to help organizations teach their employees secure behavior. Joe Ferrara has recently been named “CEO of the Year” by the CEO Awards and is an EY Entrepreneur Of The Year™ 2014 Award finalist in Western Pennsylvania and West Virginia.

Why Security Incidents are different — and more dangerous — than IT Incidents

by Ivo Wiens, Seccuris Inc.

Imagine that, for some odd reason, you decide to build a house in an area that gets slammed by tornados on a regular basis. The smart thing to do is design and build your home to withstand the onslaught of a tornado’s force. That way, you, your family, and your valuable belongings are protected. You’ll also devise an emergency response plan, like an underground shelter, just in case the tornado manages to find a weakness in the structure around you.

Now imagine your house is your organization’s network system, and the land that surrounds it is the internet. That land is fraught with tornados in the guise of malware, viruses, hackers, criminals, and other formidable threats trying to penetrate your structure. Like a house in tornado alley, it makes sense to fortify your network so it shields your valuable data and information from unknown dangers, right? You’d also have an emergency response plan just in case something pierces your defenses. Right? Yet, there are still organizations that don’t do either. According to The Online Trust Alliance (OTA), data breaches spiked to record levels in 2013. The OTA states that over 740 million online records were exposed.
Most of those breaches were avoidable, but many organizations, including major retailers, didn't have the right security controls in place.

Offense is always the best defense. Developing and implementing an integrated security program is the most effective way to avoid security incidents. But even the most comprehensive security isn’t 100%. Incidents may still occur. And if they do, you must have a security response team and plan ready to react at a moment’s notice. Your team must be able to recognize a security incident, evaluate the associated risks, and determine the most effective approach before, during, and after an attack.

One of the key factors of recognizing a security incident is being able to differentiate between it and other IT incidents. While the two may share common problems, their potential levels of threats and consequences are vastly different. Knowing the difference can protect your organization and customers from a loss of critical information, stolen revenue, and even legal actions.

Basically, an IT incident is usually a technical issue that, in many cases, can be handled within a short period. On the other hand, security incidents risk a higher likelihood of long-lasting collateral damage. Your e-commerce site crashing is an example of an IT incident, while a security incident would be a hacker breaching your network and stealing credit card numbers. Your e-commerce site going down can disrupt your business, but it will rarely have long-term consequences. But losing credit card data can result in potentially disastrous financial ramifications and legal actions that affect not only your company and reputation, but also your customers.

The following are other factors to help you determine how security incidents are different — and potentially more dangerous — than IT incidents.
Threat Agents: Security incidents always have a threat agent. Threats can be non-target specific like viruses, worms, and Trojans, or even acts of nature. They can also be intentional attacks from hackers, terrorists, or insiders; international and domestic criminals; other corporations or foreign governments seeking to steal competitive company, product or financial information; and unauthorized acts by employees that may expose or threaten critical data. Basically, it’s anything and everything that affects the state of your entire organization’s security. These events should be treated as if they are being performed by an enemy, even if that enemy is just lines of code.

Containment: When an IT incident occurs, immediate response can be important, but not always essential. With a security incident, instant reaction is critical in order to shut down the attack and contain further potential loss and damage. Also, unlike most IT staffs, security incidents don’t work on an eight-hour schedule. They can happen at any time, and the longer it takes you to react, the more damage your company may suffer. So you need a response team and plan ready to go 24 hours a day.

Impact Not Readily Known: When you suffer an IT problem, like a computer crashing or losing an internet connection, you know right away. But with so much information contained in a complex IT infrastructure, detecting whether a security incident has occurred can sometimes be challenging. With copious amounts of processing power and memory, malware can exist in a system for the duration of its lifespan without a user noticing any impact at all — until it’s too late. You could continue to lose data that won’t be missed until an internal audit weeks later, or even worse, when your own customers notify you that someone has stolen private information they trusted you to protect.

Communication: An IT incident response will normally involve the IT staff and the department or departments the issue affects.
A problem occurs, someone contacts IT, a staff member repairs it, and life is back to normal. But since it may threaten multiple departments, including IT, or even the entire company, a security incident must involve communication with key stakeholders, management, and affected parties throughout your organization. How quickly and effectively people share information determines how swiftly they can take the appropriate course of action to neutralize the threat and curtail widespread harm.

What is the most effective way to detect security incidents? Technology, people and processes. Design and implement a system that will warn you the moment an incident occurs. Build a team of IT and security people who understand your technology and systems, but also the criticality of your business. The right approach to security incident response enables you to position your organization a step ahead of any incident. Aligning with this methodology and enabling the appropriate team and procedures demonstrates due care and a comprehensive framework for dealing with and recovering from incidents.

You must have a security incident handling methodology, even if you have to go outside your company to get it. If you’re one of the many organizations that lacks the staff or budget to develop an in-house security response team, consider seeking the help of a Managed Security Services Provider. Outsourcing your incident handling and other security needs not only allows your IT staff to concentrate on other activities, it also helps you avoid the cost and time of hiring and training security personnel. But most of all, it provides an effective and efficient means of dealing with the situation in a manner that reduces the potential far-reaching impact to your organization.
About the Author

Ivo Wiens (CISSP, SCF, VCP) has several years in IT Information Security with a focus on security service delivery. Ivo’s knowledge, experience and business-driven approach to the information security and operational assurance fields allow him to understand and address the issues facing both security analysts and executives today. Currently, Ivo is the Manager of Security Engineering for Seccuris, a leading security consulting, risk management, and managed security services firm. Contact him through LinkedIn at http://linkd.in/1mWWV0i or at the Seccuris website: www.seccuris.com.

The cinch of Hacking: Social Engineering

By Hitansh Kataria, Co-Founder & CEO, H2K Cyber Experts and CreativeTabs

Cybercrime, just like all other crime, appears in a variety of forms, such as Cross Site Scripting, Cookie Stealing, Session Hijacking and many more... but Social Engineering remains the easiest and most prominent way of hacking every time. From the 1980’s until today, Social Engineering attacks have been the most frequent and the most worthwhile, simply because there is no patch for human stupidity. In the context of information security, Social Engineering is a technique for manipulating people into blabbing their confidential data to the hacker. A hacker gains the trust of the victim and grabs all the confidential information, viz. bank account information, credit card details, etc. The Internet is a fertile ground for social engineers looking to harvest passwords. It is a perfect blend of science, psychology and art. Hackers usually adopt this method to get into someone’s network because it is easier to exploit the natural inclination to trust.
Among all other cyber attacks, Social Engineering has the highest success rate, and it is also listed as one of the most crucial and perilous attacks, because many security professionals assert that the weakest link in the security chain is the human. According to a survey conducted in 2003, 90% of the employees of an IT company gave away their secret passwords in exchange for cheap pens or chocolates. Often bank accounts and social network accounts are compromised by Social Engineering alone. As the Cyber Security landscape is constantly evolving, social engineering techniques provide ample opportunities for hackers to steal information. With the increasing number of internet users, and notably social networking users (viz. Facebook, Twitter, LinkedIn, etc.), social engineering is sure to become an even more favoured attack among hackers. For this obvious reason, internet fraud is in the news daily.

In reality, hackers use various techniques to deploy their social engineering attack on a victim, and victims take the bait and usually reveal their confidential data to the attacker. The following methods are broadly used for this attack:

1. Phishing Attack

This approach is generally used for getting passwords for online banking and social networking sites. Commonly, the attacker sends a fake mail to the victim asking for verification and providing a so-called authentic web link (URL), made to look so authentic that the victim believes it actually comes from the real source. The link redirects the victim to a web page that has been developed as a replica of the real website. As the victim logs in, the hacker gets the username and password without the victim even knowing that he/she has been hacked.
According to the latest report in 2014, 27 websites in Hong Kong were reported to be bogus, with phishing scripts planted on them. Therefore, whenever we log in to our online banking account, we are always greeted by a webpage showing “Beware of Phishing”, because 72% of bank account compromises are due to Phishing or Social Engineering.

2. Vishing Attack

The name combines the words “Voice” and “Phishing”. In this attack the hacker gains access to the victim’s data just by having a telephone conversation, claiming to be calling on behalf of a trustworthy person; due to human biases, the victim relies on him and shares all their confidential data with the hacker. This attack only needs two things: confidence and a soft-spoken personality. Mostly, hackers spoof their caller ID to match the authentic one, using VoIP or IVR, so that the call seems to come from a legitimate source and their work is a bit easier. A case in New Delhi, India is the most prominent: a person called 57 people in the local region who held bank accounts at the same branch, obtained their net-banking passwords by posing as a caller from the bank, and got away with approx. 49 crore rupees.

3. SmiShing

This term combines SMS and Phishing. The attacker spoofs an SMS sender ID and sends a message to the victim in order to obtain passwords, ATM PINs and more. Usually attackers send a message such as “Your Net Banking account has been used from an unknown location and Rs. 1,00,000/- has been transacted, for details call #2222221118888*** (any number) immediately.” These attacks are a bit rare, but they have the highest success rate: 9 out of 10 SMS phishing attacks are successful. In 2012, Walmart also issued a Fraud Alert after someone used the bait of $1000 gifts.

4. Baiting Attack

This attack has a high success rate for one reason, i.e.
human greed. A baiting attack is when a hacker uses some physical medium, dangling something the target wants in order to entice them. We all have a nature that if something seems alluring to us, we just need to have it, and that is where the attacker actually strikes. Usually, attackers bind their malware, viruses and trojans with some important files, or implant them on USB sticks or CDs, and as the victim inserts it into a PC the malware gets installed automatically in the background, unknown to the victim, and they get hacked without their knowledge. All the data available on the PC, such as data on the hard disk, browsing history and saved passwords, is compromised to the attacker within minutes.

5. On-Line Attack

This attack involves spamming emails to thousands of people with malicious code inside the attachment; as the user opens the mail, the attachment runs and gets installed on the victim’s PC without any knowledge, and reports back to the attacker on a regular basis. These attachments can be keyloggers, viruses, malware, worms, etc. Sometimes the attacker sends a registration form inviting the user to create an account, and as most users have the same or similar passwords for almost every account, the attacker tries the same password to get access elsewhere.

If there are Cyber Criminals who attack and make the web insecure, then to counter them there are Cyber Security Experts who work as an army to secure everything. Ethical Hackers are working day and night to cope with cyber crime, but against Social Engineering they are also helpless, as this attack doesn’t breach any technical security; it rifts the human mind and takes advantage of human nature. In order to cope with this most dangerous attack, Social Engineering, there is a need to learn what the countermeasures for this attack are.
Countermeasures for Social Engineering Attacks

I. Everyone should know the basics of social engineering and should be aware of its effects.
II. Every company should have training sessions by Cyber Security Experts on the aftermath of social engineering.
III. Employees need to properly authenticate others before handing over any confidential data.
IV. In case of any doubt, employees should be trained or prepared to politely refuse to share data.
V. Proper security protocols, policies and procedures should be in place in every company.
VI. Individuals should never reply to mails, SMSs or phone calls which ask for personal information or bank passwords; instead, always contact your branch head in this regard.
VII. Always be aware of URLs or web links while working on the internet; make sure it is not a phishing page.
VIII. Never access your confidential data at any Cyber Cafe or on a public network; there can be data sniffers or keyloggers.
IX. Install and always maintain anti-virus, anti-malware, anti-spyware and firewall software.
X. Never use the same password for different accounts. Always choose different passwords for all accounts, and they should be a combination of letters (uppercase as well as lowercase), numerals and special characters.
XI. And most importantly, never be fooled by anyone; you never know who he is, otherwise you are at risk...

Always remember: be smart and secure, and keep in touch with the latest information and security issues if you want to work safely on the Internet, otherwise you never know when you could be hacked and lose everything within seconds.

About the Author

Hitansh Kataria is the Co-Founder & CEO of H2K Cyber Experts and CreativeTabs. Both companies deal with IT solutions and Cyber Security Auditing. Producing a number of products, as well as securing the web, is the major concern for both.
Hitansh is responsible for the company’s vision and product security. He has gained a reputation as a prominent speaker on various verticals of Cyber Security and Entrepreneurship. He has also been engaged by many companies as a Cyber Security Consultant. Contact him at [email protected] or www.hitanshkataria.com

Enterprise Security and the Machine Data Tsunami

The changing landscape of security data in an age of decentralized computing

by Joan Pepin, VP of Security and CISO, Sumo Logic

As the proliferation of devices and hardware continues, machine data volumes are now a tsunami. A few years ago, the cost of maintaining PCI (Payment Card Industry) compliance was put at around $200,000. As the mass quantities of data to be monitored as part of maintaining this and other compliance standards grow, enterprises are not only facing fines for letting compliance lapse, but the real risk of a malicious threat is rising in this era of the “mega-breach.” Recently the Ponemon Institute pegged the average cost to a company as a result of a security breach at $3.5 million. The estimated annual cost of cybercrime as reported by the Center for Strategic and International Studies has hit over $400 billion. Put those two numbers together and that equates to a lot of high-priced security breaches.

Let’s try to add some context around this problem. The source of machine data is much more complex than it was 10 years ago. BYOD, cloud computing, and de-centralized IT infrastructures are increasing the source and quantity of devices and data traversing the network. But with more devices accessing the network, the storage and analysis of this Big Data is growing even more critical for enterprises to understand and evaluate their security posture.
Cisco predicts that Internet of Things-related devices will balloon to between 15 and 25 billion by 2015. More devices equals more machine data. And the effect is non-linear. More devices, running more applications, each interacting with more services (cloud storage, cloud authentication, and cloud-based exception tracking are often all used by a single application) equals an exponential increase in interfaces. Industry analyst firm IDC quantifies what we can expect: the volume of machine data will grow 15 times by 2020. For an enterprise looking for the needle in the haystack – the alert or warning that a malicious threat might be in play – this is a significant obstacle, as neither IT budgets nor staffing will match this rate of growth.

Consider how an enterprise that shifted from on-premise to cloud-based services and software might view their compliance landscape. When most, if not all, software and systems resided on-premise, the IT organization could specifically monitor the performance of their onsite infrastructure – hardware, software, networks and storage. Once some of this storage and compute capacity is transitioned to the cloud, an organization must negotiate SLAs (service level agreements) with the cloud provider to ensure data is available when it’s needed and all security protocols promised to their customers remain in place. Multiply that process across dozens of software and solution providers that also leverage the cloud, and you can see how the picture gets complicated quickly.

As the quantity and severity of security breaches continue, maintaining compliance is a key first step in ensuring that customer and business-critical data is properly managed. As lives become increasingly digitized – though it’s difficult to imagine them more than they are now – the stakes grow even higher.
From medical health records to identity and credit information, the risk of negative impact to customers should data fall into the wrong hands is real. Cyber crime has become a large business, and cyber criminals have become better and better at monetizing the data they exfiltrate. Javelin Strategy & Research has found that the likelihood that a victim of a security breach will also become the victim of fraud has grown from a one in nine chance in 2010 to a one in three chance as of 2013.

So although meeting HIPAA, PCI or other compliance standards and SLAs is critical to keeping your organization out of risk for fines, just maintaining compliance will not protect you from all malicious threats. Exceeding compliance standards and building confidence, both internally and externally, in your security posture requires consistent, proactive monitoring of your end-to-end IT infrastructure. With the availability of mass quantities of machine data comes responsibility for organizations to actually utilize it. But it won’t be your IT or security organization alone that can handle it. CISOs must remain vigilant, identifying the consistent patterns of threats and adjusting their team and the skillsets available to ensure that they are prepared and able to address the issues your company faces. The increasing use of machine learning to analyze and distill petabytes of data into actionable alerts and insights will assist in the process, but no amount of data can replace a security team’s holistic understanding of the enterprise infrastructure.

If the rising tide of cybercrime continues, we might see organizations become more transparent and share information about consistent threats and challenges with each other. Until then, CISOs must realize that with fundamental changes to the network come fundamental changes to the way they must address compliance and enterprise-wide security.
In a world increasingly driven by data, the enterprises that successfully integrate and evolve analytics, processes and strategy will be in the best position to maintain a strong security posture.

About The Author

Joan Pepin is VP of Security and CISO at Sumo Logic, the next generation machine data intelligence company. Joan has more than 15 years’ experience in information security in a variety of industries, including healthcare, manufacturing, defense, ISPs and MSSPs. Her experience spans the technical, operational and management levels of security, allowing her to bring highly technical research expertise to her role in security management, marketing and strategy. A recognized expert in security policy and lifecycle management, Joan is the inventor of SecureWorks’ Anomaly Detection Engine and Event Linking technologies. Joan can be reached online at [email protected] and at our company website http://www.sumologic.com/.

Top 5 breaches in the financial sector

WHAT WE CAN LEARN FROM THE TOP TARGET OF CYBER ATTACKS

by Dan Virgillito, Director of Media & Communications, Massive

Let’s not pussyfoot around it: security breaches are a serious issue. Just ask any bank that has been a victim of a data breach. In addition to customer churn, negative headlines, and regulatory penalties associated with data breaches, the financial loss can add up quickly. Despite attackers focusing on other industries, the financial sector continues to be a top target for sophisticated attacks, caused by malicious insiders, hacks, card scams, and loss of portable devices containing sensitive data. The recent state of data breaches illustrates the pinch felt by banks, hedge funds, insurers and credit unions from the recent growth in cybercriminal activity.
The US CBA (Consumer Bankers Association) revealed that the cost of replacing credit cards after the data breach at Target was over $200 million. That total combines the CBA's own $172 million figure with an additional $30.6 million quoted by the CUNA (Credit Union National Association). Smaller financial institutions are feeling the effects even more. According to the ICBA (Independent Bankers of America), which represents local banks and smaller financial institutions, its members have had to shell out $40 million to replace 4 million cards since the recent retail breaches, including those at Neiman Marcus and Target.

Apart from outside breaches affecting the financial sector, the Insider Threat study reports that malicious insiders are also a cause of data breaches at financial services organizations. The report also cited cloud computing technology as a big concern, with several financial organizations linking malicious insider activity to their increasing use of the cloud.

The details of these data breaches are downright ingenious, but the financial sector has more to worry about. Here are the top 5 security breaches in the sector, and what we can learn from them:

1. DDoS attacks

In 2012, an increasing number of financial institutions had to face sophisticated DDoS attacks from politically motivated groups. These attacks increased in sophistication and caused slow response times on banking websites, preventing customers from accessing their accounts and adversely affecting back-office operations. DDoS continues to spell danger, for the banking industry and the world in general.

Key lesson: Traditional DDoS protection, including firewalls and internal intrusion detection, proved ineffective in repelling the attacks. When systems got socked with abnormal HTTP traffic, firewalls may have fought to a point but turned into bottlenecks.
Enormous amounts of bad DNS traffic killed the game. External cyber monitoring platforms may offer a better chance of success against such attacks.

2. Spear phishing

BAE Systems director of product Paul Henninger revealed how a spear phishing technique was used to steal sensitive data from an unnamed hedge fund in the US. Speaking to CNBC, he explained that there was a slight lag between the issuance and execution of trades, which may have given another firm a competitive advantage in trading. The unnamed victim lost millions of dollars.

Key lesson: The loophole here was the lack of employee training against spear phishing attacks. Financial institutions should make employees wary of unsolicited emails and messages on social networks. Internal security teams can only go so far in locating threats, so financial firms should provide adequate employee training against these kinds of cyber threats.

3. Insider threats

A prime example of this attack is the Bank of America employee who leaked customer data to an identity theft group. The hackers obtained Social Security Numbers, driver's license numbers, bank account numbers, addresses, phone numbers, and customer names; the financial loss was more than $10 million. The group of thieves used the information to modify customer account information while hiding the fake accounts they were creating under the names of victims.

Key lesson: Bank of America didn't have technology in place to detect the losses over a long period of time, or processes to identify malicious insiders. Financial institutions should watch for concerning behaviors to prevent insider threats. Warning signs could include the resignation and termination of staff members, as malicious insiders often strike shortly before departing from the firm.

4. Cyber eavesdropping

Not all data breaches involve massive quantities of customer information stored by financial institutions.
Notably, hackers used a web monitoring tool to eavesdrop on Directors Desk, a Nasdaq platform for facilitating communications among 10,000 company directors and executives. By eavesdropping, attackers may have gained access to inside information, which could have been sold on the black market.

Key lesson: Nasdaq's security was criticized for running outdated security software and improperly configured firewalls. They could have been better off with cyber security solutions that allow them to trace the root source of attacks – malicious monitoring in this case.

5. Identity theft

Citibank and JP Morgan Chase disclosed that a New York resident had obtained the personal information of their customers back in 2011, reveals privacyrights.org. The woman used the information to steal $30,000 from Citibank and $300,000 from Chase. Forged driver's licenses were used to make fraudulent withdrawals.

Key lesson: The security systems in place failed to protect customer data, and there was no forensic analysis after the identity theft. Banks should be backed by an incident response team that is able to use widely utilized forensic tools for the preservation and collection of digital evidence, for analysis and future theft prevention. Forensic analysis helps to establish what information led to the compromise and how the breach occurred, as well as how to repair the damage.

It's a long, hard slog for financial institutions when it comes to mitigating and preventing cyber threats, but the lessons point the route towards better security practices.

About The Author

Dan Virgillito is a freelance content strategist and the Director of Media & Communications at Massive, a cyber intelligence firm specialising in early threat prevention.

Is It Time to Outsource Your Security Education?
It has happened again. Although Jean has led half-day training sessions and sent repeated emails about how her colleagues can better protect themselves and their company from cyber attacks, another employee just clicked on a link in an email and triggered a phishing attack.

What's wrong with Jean's approach to security training? After all, as her company's chief information security officer (CISO), she's already doing her part to educate employees about their vulnerability to attacks such as phishing and malware. But is she providing the right content with the right message to the right employees in the right format? Probably not, and that's where many internal security training initiatives fall short.

She has the right idea: Companies must have security training programs that teach their employees to protect themselves from all types of threats, both cyber and physical. Jean's problem, however, is that the imperative for training at her company is greater than her resources, and because of that, she's treating security education as a one-size-fits-all process.

The solution: Outsource the training program to a third-party security education partner to take advantage of industry expertise, on-target and cutting-edge training tools, and methodologies that measure and deliver results.

Many companies like to keep security education in-house, to maintain control over training. After all, businesses struggle to understand how outsourcing companies could possibly be a better fit than an internal team that knows the company and its employees inside and out. Yet oftentimes programs developed in-house don't engage employees in a way that changes their dangerous behavior. A different approach is needed.

Outsourcing Benefits are Huge

The global risk of cyber attacks is a real and growing threat, and could carry a whopping price tag in the future, according to a report from McKinsey and Co.
The cost—the material effect of slowing the pace of technology and innovation due to a lack of cyber resiliency—could be as high as $3 trillion by 2020. These figures prove that companies need security education—and quickly. For most businesses, outsourcing security education makes a lot of sense. Here's why:

Expertise is Key

In an outsourced security training program, content is developed by security experts who are trained educators. Internal teams, on the other hand, may make mistakes, such as inadvertently using examples of real-life attacks on the company, potentially embarrassing the affected employees. Your IT team may be up to date on the latest issues, but not always able to relate this information back to employees in a way they can easily comprehend—and retain—with the end goal always being a change in behavior.

External Resources are Used

Your staff's valuable time is freed from developing and maintaining comprehensive training materials. New types of security threats emerge every day. While your IT and security teams are likely aware of many threats, do they have time to constantly review and update training materials to make sure employees are protected against new types of attacks? Outsourcing is an opportunity cost—that is, what else could your IT and security teams be doing if this responsibility were assigned to another source? Outsourced programs address existing threats as well as those that are emerging, such as clicking on a link in a text message on a smartphone.

Content and Context are Both Considered

Security training done in-house is usually conducted in a classroom setting using a series of PowerPoint slides or videos. As you may remember from personal experience with the platform, while inexpensive, PowerPoint might not be the best way to engage users or change behavior.
For starters, the trainer has no idea whether every employee is giving the presentation their full attention, and only learns that the training is failing when another attack against the company occurs. Because it's a classroom setting that involves their peers, employees may be afraid to ask questions or contribute to the discussion. Informative mass emails and PDFs are also relatively inexpensive and easy to produce, but again fail to engage the user or change behavior. They are too easy to ignore, and there's no way to know if the employee did anything except open the email.

When training is outsourced to a trusted provider, it is not a one-off event but rather a series of interrelated exercises and lessons that can be completed at an employee's desktop. Awareness is tested frequently, and follow-up sessions can be scheduled with employees who do not seem to be grasping the training concepts. When you outsource training, sessions are short, interactive and engaging. Employees are not pulled away from their desks for hour-long, half-day or even full-day sessions. Security training is best addressed in short bursts for maximum retention and, ultimately, behavioral change.

Results are Measurable

Even the best internal programs stumble in one key area: measurement. If you can't accurately measure and analyze results, you have no way of knowing:

• How the company is improving overall in its security awareness
• How individuals are changing their behaviors
• Which employees are still the weakest link from a security perspective and need to be enrolled in follow-up training programs
• Where the company is still most vulnerable in terms of type of attack (email, bad URLs, smartphones, physical security, etc.)
Reporting capabilities from an outsourced partner provide both aggregate and individual data to gauge effectiveness, guide follow-up training programs and show improved results over time. Each day you put off implementing a security education program is a day when your company is vulnerable to all types of cyber attacks. Training programs available from a trusted partner can be rolled out companywide immediately, so as new threats become known, training is available.

Effective Training is Outsourced Training

To be effective, security training needs to be more than a simple PowerPoint that warns people of the dangers facing them, or an email blast with the same message that goes unopened. A comprehensive security education program includes:

• Broad assessments, which provide baseline information about employee knowledge on several cyber security threat vectors and help the security officer prioritize the training rollout.
• Mock attacks, which allow companies to assess employees' initial susceptibility to schemes such as phishing and malware, and provide motivation for employees to complete training. Mock attacks can lead to training completion rates as high as 90 percent.
• Short, interactive training modules that cover a variety of cyber threats, designed to show employees what the threats are and how best to avoid different types of attacks, with an opportunity to practice what they've been taught. This can help to ensure the right employee behavior when they are faced with real attacks.
• Awareness materials such as posters, screen savers and digital sign boards that remind users about the importance of staying alert and that reinforce methods used in training.

Whether you decide to keep things internal or partner with a security training expert, it's time to act.
Managers need to find or create a program they can roll out immediately, rather than leave employees uninformed while potential attackers home in on security weaknesses in your infrastructure.

About the author

Joe Ferrara is CEO of Wombat Security Technologies, a provider of information security awareness and training software that helps organizations teach their employees secure behavior. Joe Ferrara has recently been named "CEO of the Year" by the CEO Awards and is an EY Entrepreneur Of The Year™ 2014 Award finalist in Western Pennsylvania and West Virginia.

Top 3 Myths About Antivirus Software
by AntivirusTruth.org

NSA Spying Concerns? Learn Counterveillance
Free Online Course Replay at www.snoopwall.com/free

"NSA Spying Concerns? Learn Counterveillance" is a 60-minute recorded online instructor-led course for beginners who will learn how easily we are all being spied upon - not just by the NSA but by cyber criminals, malicious insiders and even online predators who watch our children; then you will learn the basics in the art of Counterveillance and how you can use new tools and techniques to defend against this next generation threat of data theft and data leakage.

The course has been developed for IT and IT security professionals including Network Administrators, Data Security Analysts, System and Network Security Administrators, Network Security Engineers and Security Professionals.

After you take the class, you'll have newfound knowledge and understanding of:
1. How you are being spied upon.
2. Why Counterveillance is so important.
3. What you can do to protect private information.

Course Overview:
How long has the NSA been spying on you?
What tools and techniques have they been using?
Who else has been spying on you?
What tools and techniques have they been using?
What is Counterveillance?
Why is Counterveillance the most important missing piece of your security posture?
How hard is Counterveillance?
What are the best tools and techniques for Counterveillance?

Your Enrollment includes:
1. A certificate for one free personal usage copy of the Preview Release of SnoopWall for Android
2. A worksheet listing the best open and commercial tools for Counterveillance
3. Email access to the industry leading Counterveillance expert, Gary S. Miliefsky, our educator.
4. A certificate of achievement for passing the Concise-Courses Counterveillance 101 course.

Visit this course online, sponsored by Concise-Courses.com and SnoopWall.com, at http://www.snoopwall.com/free

Top Twenty INFOSEC Open Sources
Our Editor Picks His Favorite Open Sources You Can Put to Work Today

There are so many projects at sourceforge it's hard to keep up with them. However, that's not where we are going to find our growing list of the top twenty infosec open sources. Some of them have been around for a long time and continue to evolve, others are fairly new. These are the Editor's favorites that you can use at work, and some at home, to increase your security posture, reduce your risk and harden your systems. While there are many great free tools out there, these are open sources, which means they comply with a GPL license of some sort that you should read and feel comfortable with before deploying. For example, typically, if you improve the code in any of these open sources, you are required to share your tweaks with the entire community – nothing proprietary here. Here they are:

1. TrueCrypt.org – The Best Open Encryption Suite Available
2. OpenSSL.org – The Industry Standard for Web Encryption
3. OpenVAS.org – The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org – The World's Most Powerful Network Fingerprint Engine
5. WireShark.org – The World's Foremost Network Protocol Analyser
6. Metasploit.org – The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org – The Leading Open Source Certificate and PKI Management
8. Stunnel.org – The First Open Source SSL VPN Tunneling Project
9. NetFilter.org – The First Open Source Firewall Based Upon IPTables
10. ClamAV – The Industry Standard Open Source Antivirus Scanner
11. PFSense.org – The Very Powerful Open Source Firewall and Router
12. OSSIM – Open Source Security Information Event Management (SIEM)
13. OpenSwan.org – The Open Source IPSEC VPN for Linux
14. DansGuardian.org – The Award Winning Open Source Content Filter
15. OSSTMM.org – Open Source Security Test Methodology
16. CVE.MITRE.org – The World's Most Open Vulnerability Definitions
17. OVAL.MITRE.org – The World's Standard for Host-based Vulnerabilities
18. WiKiD Community Edition – The Best Open Two Factor Authentication
19. Suricata – Next Generation Open Source IDS/IPS Technology
20. CryptoCat – The Open Source Encrypted Instant Messaging Platform

Please do enjoy and share your comments with us – if you know of others you think should make our list of the Top Twenty Open Sources for Information Security, do let us know at [email protected]. (Source: CDM)

National Information Security Group Offers FREE Techtips
Have a tough INFOSEC Question – Ask for an answer and 'YE Shall Receive

Here's a wonderful non-profit organization. You can join for free, start your own local chapter and so much more. The best service of NAISG is their free Techtips. It works like this: you join the Techtips mailing list.
Then of course you'll start to see a stream of emails with questions and ideas about any area of INFOSEC. Let's say you just bought an application layer firewall and can't figure out a best-practices model for 'firewall log storage'; you could ask thousands of INFOSEC experts in a single email by posting your question to the Techtips newsgroup. Next thing you know, a discussion ensues and you'll have more than one great answer. It's NAISG.org's best kept secret. So use it by going here: http://www.naisg.org/techtips.asp

SOURCES: CDM and NAISG.ORG

SIDENOTE: Don't forget to tell your friends to register for Cyber Defense Magazine at http://register.cyberdefensemagazine.com, where they (like you) will be entered into a monthly drawing for the Award winning Lavasoft Ad-Aware Pro, Emsisoft Anti-malware and our new favorite system 'cleaner' from East-Tec called Eraser 2013.

Free Monthly Cyber Warnings Via Email

Enjoy our monthly electronic editions of our Magazines for FREE. This magazine is by and for ethical information security professionals, with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Warnings e-Magazines will also keep you up to speed on what's happening in the cyber crime and cyber warfare arena, plus we'll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions.
Cyber Warnings Newsflash for July 2014
Highlights of CYBER CRIME and CYBER WARFARE Global News Clippings

Get ready to read on and click the titles below to read the full stories – this has been one of the busiest months in Cyber Crime and Cyber Warfare that we've tracked so far. Even though these titles are in BLACK, they are active hyperlinks to the stories, so find those of interest to you and read on through your favorite web browser…

POS Vendor Warns of Restaurant Breach - BankInfoSecurity
07/01/2014 09:22 (Bankinfosecurity) – ...remote access credentials were somehow compromised, possibly through a phishing attack.
Since learning of the breach, which LogMeIn discovered,

Cybercrooks are Zeroing in on "Candy Stores" - Affluent Consumers and Their Advisors
07/01/2014 09:05 (Morningstar)

NSA Director: Snowden Leaks 'Manageable'
07/01/2014 08:42 (The Takeaway) – ...is falling." Sanger joins to discuss the new director's views on Snowden, the phone-data surveillance program, cyber security, and much more.

Prepare yourself for high-stakes cyber ransom
07/01/2014 06:09 (Security - InfoWorld) – ...cloud | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert...

Energy sector faces attacks from hackers in Russia
07/01/2014 03:11 (CNBC) – ...Moscow working hours. A report released Monday by Symantec, a computer security company based in Mountain View, Calif., detailed similar conclusions...

Female Cyber Sleuths Hack Into Silicon Valley's Boys Club
07/01/2014 00:40 (Bloomberg) – said Rad, who speaks regularly at security events and has worked for top cyber-security firms. Now I meet many more women doing the same. Over...

NCA charges 17-year-old London man for role in massive Spamhaus DDoS attack
06/30/2014 15:39 (SC Magazine) – ...16-year-old attacker was taken into custody secretly by the National Cyber Crime Unit, but reports on the arrest did not start coming out until...

Google Glass privacy – hack lets attackers 'see through victim's eyes'
06/30/2014 13:29 (We Live Security) – ...headset but works so quickly that researchers at Deloitte's computer security division and Dutch security company Masc told newspaper Volkskrant,

Could NSA gain more access to private information under new cyber bill?
06/30/2014 09:26 (BizBeat - Washington Business Journal) – The National Security Agency could gain access to even more private data...
New malware program targets banking data
06/30/2014 08:57 (Computerworld) – ...information is much harder to detect by users than those involving phishing or rogue form fields injected into pages, the Trend Micro researchers...

No perfect way to protect data, NSA chief says
06/30/2014 06:36 (PilotOnline.com) – ...contractor, can't be stolen again. But the Defense Department, of which the security agency and Cyber Command are a part, made the same vow in 2010, after...

Bug in WordPress plugin allows unauthorized file upload
07/02/2014 07:29 (Help Net Security) – ...website." The bug can be exploited to use vulnerable websites for phishing lures, sending spam, host malware, infecting other customers (on a...

The 5 Biggest Cybersecurity Myths, Debunked
07/02/2014 06:47 (Wired) – ...still fictionalized dangers on the cyber side. Myth #4: The Best (Cyber) Defense Is a Good (Cyber) Offense Senior Pentagon leaders talk about how...

US privacy board says NSA Internet spying program is effective but worrying
07/02/2014 06:27 (Bangor Daily News) – ...collection program has been an effective tool to enhance the country's security but some elements of the cyber-spying raises privacy concerns,

Hackers Find Open Back Door to Power Grid With Renewables: Tech
07/02/2014 05:23 (Washington Post - Bloomberg) – ...distribution system opens additional portals through which hackers can attack the grid, according to computer security experts advising governments...
Legitimate No-IP users still affected by Microsoft's domain takeover
07/02/2014 05:13 (Help Net Security) – ...by dynamic DNS service No-IP on Monday, it disrupted malware networks used by cybercriminals to infect victims with NJrat and NJw0rm backdoors,

Hackers hit more businesses through remote access accounts
07/02/2014 03:48 (Computerworld) – LogMeIn username and password, but surmised it might have been via a phishing attack. Prior to the intrusion, ISS used a common password to access...

Hacked Companies Face SEC Scrutiny Over Disclosure
07/02/2014 00:20 (Bloomberg) – ...shares. In guidance issued three years ago, the SEC said a cyber-attack could be material if it causes a company to significantly increase what...

Data Breaches: Not Learning from History
07/01/2014 18:19 (Isssource.com) – ...to security. It is great that recent breaches have increased cyber security awareness and internal dialogue, said Dwayne Melancon, chief technology...

Big data security analytics mantra: Collect and analyze everything
07/01/2014 08:18 (Network World) – ...security professionals to identify the most important type of data for use in malware detection and analysis (note: I am an employee of ESG).

New Apple patent will let iPhone 'feel safe' based on location and unlock itself
07/07/2014 08:36 (Tech Times) – ...its patent application. "It can be desirable to have decreased security requirements when the mobile device is at a secure location. Conversely,

Students Who Push Tech Boundaries Should Be Encouraged, Not Punished
07/07/2014 06:50 (Wired) – ...and subject to serious prosecution under existing federal and state level computer crime laws.
Armed with the Computer Fraud and Abuse Act (CFAA)

MiniDuke hackers attack governments, hunt drug dealers
07/07/2014 03:55 (Tech Times) – With cyber criminals looming large, security in the World Wide Web is becoming a growing...

Computer forensics key in hot car child death case
07/07/2014 03:30 (Wusa9) – COBB COUNTY, Ga. Attention has shifted to the mother of a 22-month-old child who died after...

Australian teen accepts police caution to avoid hacking charge
07/07/2014 01:40 (Network World) – ...that period. Rogers' case illustrates the fine line that computer security researchers tread when hunting for software vulnerabilities on public...

Encrypted instant messaging project seeks to obscure metadata
07/06/2014 21:35 (ComputerWorld) – ...aims to allow people to have online chats but leave little digital forensic evidence. Security researchers have a working prototype of an instant...

North Korea has doubled number of elite cyber warriors and established overseas bases for hacking
07/06/2014 04:15 (The Raw Story) – ...established overseas bases for hacking attacks, a report said Sunday. The North's cyber war unit now has 5,900 personnel, compared with 3,000 two...

NSA dragnet ensnares mostly ordinary users
07/06/2014 00:09 (The Boston Globe) – ...legally targeted foreigners in the communications intercepted by the National Security Agency from US digital networks, according to a four-month...

The Ex-Google Hacker Taking on the World's Spy Agencies
07/08/2014 06:51 (Wired) – ...as Morgan Mayhem spent his nights and weekends hunting down the malware used to spy on vulnerable targets like human rights activists and political...
Cyber spying, maritime disputes loom large in U.S.-China talks
07/08/2014 06:33 (Yahoo! News) – ...the School of International Studies at Peking University who has advised the government on diplomatic issues. "I don't foresee many tangible...

Studies show a car's computer system vulnerable to hacking Special
07/08/2014 04:07 (Digital Journal)

Banks Dreading Computer Hacks Call for Cyber War Council
07/08/2014 00:21 (Bloomberg) – Wall Street's biggest trade group has proposed a government-industry cyber war council...

Chinese Attackers Targeting U.S. Think Tanks, Researchers Say
07/07/2014 18:30 (Dark Reading) – ...national security policy research organizations, CrowdStrike says. The Chinese cyber attack group Deep Panda late last month compromised "several"

Advanced attack group Deep Panda uses PowerShell to breach think tanks
07/07/2014 17:46 (SC Magazine) – Less skilled or funded attackers have made use of PowerShell to spread malware to unsuspecting victims. Last month, a new variant of ransomware...

Senate should demand electric grid reliability and security
07/07/2014 16:00 (The Hill - Blogs) – ...Northeast Blackout. In November 2013, FERC approved an NERC-drafted cyber security standard. In its ruling, FERC called out deficiencies in the...

Google Glass Lets You Figure Out Passwords From User Keystrokes
07/07/2014 15:40 (ValueWalk) – ...looking over your shoulder. It was announced today that computer forensics experts at the University of Massachusetts in Lowell have discovered...

Payment Card Data Isn't The Only Lucrative Loot In A Data Breach
07/07/2014 14:29 (Forbes.com) – ...extortion. For example, the primary function of the Zeus malware family is to steal bank credentials.
Criminals surreptitiously install the malware... Data Breach Bulletin: Brazilian Banks Lose $3.75 Billion Because Of Boleto Malware 07/07/2014 12:46 (Forbes.com) ...May 2014. The investigation is still ongoing through third-party computer forensics experts, but the school has determined that names, birth... Android bug lets apps make rogue phone calls 07/07/2014 08:25 (Network World) ...Key) several times. The new vulnerability might be exploited by malware for some time to come, especially since the patching rate of Android... Senate intelligence committee approves cyber security bill 07/09/2014 08:47 (1070 WINA) Senate intelligence committee approves cyber security bill (Reuters) The U.S. Senate Intelligence Committee approved a bill on Tuesday to encourage... Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee 07/09/2014 06:55 (Forbes.com) ...establishment of a portal managed by the Department of Homeland Security through which electronic cyber information will enter the government and... Anonymous Norway claim massive cyber-attack on Norwegian banks 07/09/2014 06:39 (Digital Journal) How the Target Breach Has Affected Small Business Data Security 07/09/2014 04:10 (Network World) ...puzzle." Hackers used credentials from Target's HVAC company to upload malware into the security and payment's system. Target's malware detection... 98 Cyber Warnings E-Magazine – July 2014 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide China, U.S. say committed to managing differences 07/09/2014 01:28 (Yahoo! News) would definitely be a disaster," he told the opening ceremony at a government guesthouse in the west of the city. "We should mutually respect and... US nabs alleged Russian hacker – and Kremlin cries foul 07/08/2014 20:42 (Yahoo! News) ...in the face, say psychologists. Why hedge funds are under attack by cyber-criminals Ukraine election narrowly avoided 'wanton destruction' from... 
E-ZPass Warns Of Phishing Scam E-Mails About Unpaid Tolls (07/08/2014 19:43, CBS New York): NEW YORK (CBSNewYork) The Port Authority of New York and New Jersey is cautioning the...
Nude pics, other data, recovered from 'wiped' Android phones purchased on eBay (07/08/2014 16:36, SC Magazine): No business data or company information was recovered, Jaromír Hořejší, malware analyst with AVAST, told SCMagazine.com in a Tuesday email correspondence.
Facebook Helps Cripple Greek Botnet (07/08/2014 16:25, Dark Reading): ...this one, which hails from Greece, working with Greece's Cyber Crime Division. Disrupting a botnet's infrastructure is typically a temporary...
Security Firm Says Chinese Hackers Targeting U.S. Experts on Iraq (07/08/2014 15:28, Nextgov): A private cyber security firm has discovered evidence that a suspected Chinese government hacker group...
Air Force base finalist for agency relocation (07/08/2014 15:16, AdVantage News): ...facility. Scott is the ideal location for NGA, Enyart said. Scott's cyber-security work combined with the NGA's natural fit with our military make the...
Rogers: Cybersecurity is the 'ultimate team sport' (07/08/2014 14:58, Federal Times): ...importance to us as a nation: this idea of how do we maintain security in a cyber arena in a world where cyber continues to grow in importance...
Electronic Frontier Foundation Sues NSA, Director of National Intelligence (07/08/2014 14:22, Dark Reading): ...Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management,
Gameover Zeus Trojan Returns (07/11/2014 09:06, GovInfoSecurity): ...give up because of the Gameover Zeus takedown," says independent computer security analyst Graham Cluley. "With their criminal income disrupted,
DSC Cyber Camp impresses teens (07/11/2014 06:10, Hometown News): ...computer security techniques, involving digital forensics, browser security, malware handling and virtualization. The consortium's goal is to...
Norway's massive cyber-attack the work of one lone teenager (07/11/2014 05:32, Digital Journal)
CryptoLocker is temporarily disabled, users still at risk (07/11/2014 05:06, Help Net Security): Adobe Reader or Flash should be deployed as soon as they become available. The use of an anti-malware solution would also be highly recommended.
Shipping companies' computers compromised by malware-infected Chinese scanners (07/11/2014 05:00, Network World): ...go into critical systems. [DOJ throws down the gauntlet with cyber crime charges against Chinese military] While steps can be taken to reduce...
Exploring the BYOD security dynamic (07/11/2014 03:41, Help Net Security): ...devices. Over 60% of employers indicated they seek employee input on mobile device security policies, but over 60% also said employee preference has...
Germany demands the expulsion of top U.S. intelligence official (07/11/2014 00:00, Pittsburgh Post-Gazette): ...since last summer, when it was reported that the National Security Agency had been monitoring the digital communications of millions of Germans.
No likely data breach from reported Chinese hacking: US (07/10/2014 21:35, Yahoo! News): ...US government workers was not compromised in a recently reported cyber attack, officials said Thursday amid fresh allegations that Chinese hackers...
Study: Most Critical Infrastructure Firms Have Been Breached (07/10/2014 17:15, Dark Reading): ...companies have been hit by security breaches in the last year, but cyber security programs are still a low priority. A new Ponemon Institute study...
Hacking Gets Physical: Utilities At Risk For Cyber Attacks (07/10/2014 15:22, Forbes.com): ...in the real world. The most well-known example of a cyber attack on a physical infrastructure is the Stuxnet malware, which was allegedly built...
Global action targeting Shylock malware (07/14/2014 07:03, Help Net Security): On 8 and 9 July 2014, an alliance of law enforcement and industry undertook measures against the Internet...
US signs off US$1m for electric grid security study (07/14/2014 06:48, Metering.com): and make the electric sector more efficient overall. Threat of grid cyber attack The study will look at ways to make the grid more resilient...
Cyberwar council plan offered (07/14/2014 03:00, The Journal Gazette): ...the electric grid, which is also vulnerable to physical and cyber attack. The systemic consequences could well be devastating for the economy...
How to promote data security in the workplace? A roundtable report (07/14/2014 02:31, The Guardian): ...acknowledge that they are vulnerable to attack. According to Charlie McMurdie, senior cyber crime adviser at PwC and former head of the e-crime unit at...
FBI cyber expert is ex-discount furniture salesman (07/14/2014 00:50, Yahoo! News): ...replacing all the cards he stole. "This was all just really organized crime with a computer," Mularski said. "It's traditional sleuthing but...
To be secure, AWS users must mind their keys and cues (07/13/2014 11:00, GigaOM): ...and can see them logging into accounts, Prendergast said. If that phishing victim has admin rights, then well, yikes. Read the best practices...
Chinese man accused of nicking data on C-17 U.S. military cargo plane (07/13/2014 00:13, Nextgov): ...appreciate that the government brought its concerns about a potential compromise of our protected computer systems to our attention, Boeing officials...
Scott Air Force Base poised for military cybersecurity boom (07/12/2014 12:16, Belleville News Democrat): ...just don't understand," said Charles Tendell, the CEO of Azorian Cyber Security, of Colorado Springs, Colo. The nature of this war came to light...
The Gameover Trojan program is back, with some modifications (07/11/2014 08:05, Network World): ...by law enforcement agencies at the beginning of June. The Gameover Zeus malware is designed to steal log-in credentials, as well as personal...
Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackers (07/15/2014 06:31, Wired): ...that's meant to limit an application's access to the rest of the computer. On certain attack surfaces, we're optimistic we can fix the bugs faster...
Say goodbye to desktop phones (07/15/2014 03:00, Network World): ...to AirWave. Aruba's ClearPass handles network access control, security, guest access and other authentication services. For mobile device management,
CyberCamp reaches out to girls (07/15/2014 00:40, Denton Record Chronicle (AP)): ...cybersecurity, and throughout the week they will work in computer simulations of networks with security breaches and weaknesses that they must...
Air Force will cut 3,500 over five years (07/14/2014 18:36, Quad-Cities Online): NORFOLK, Va. (AP) The Air Force said Monday it will eliminate nearly 3,500 positions over the next five...
Snowden and NSA: A Boon to the Privacy Business (07/14/2014 17:45, Yahoo! News): ...of the market, Michela Menting, ABI Research's senior analyst in cyber security, said in a statement. Companies have been quickly rolling out...
Cryptolocker neutralized, says Justice Department (07/14/2014 17:05, SC Magazine): ...existence, can no longer communicate with the infrastructure used to control the malware, according to a Friday release. As a result, Cryptolocker is...
Washington Post: Cyber security (07/14/2014 14:58, The Salt Lake Tribune): The internet security company Symantec revealed recently that a group of hackers known as Dragonfly infiltrated...
Capitol Hill joins business leaders in cybersecurity progress (07/14/2014 14:00, The Hill - Blogs): ...consumers all over the world, and if they or any corporation were to suffer a cyber-attack, the repercussions would be far-reaching, as we've seen in...
WANTED - Special Agents: CID launches online application portal (07/14/2014 13:50, Fort Lee Traveller): ...master's degree in Forensic Science or a master's degree in Digital Forensics from George Mason University. A unique aspect of these programs for CID...
New banking malware 'Kronos' advertised on underground forums (07/14/2014 11:50, Network World): ...said. It remains to be seen how popular Kronos will be within the cyber crime community, he said. The premium price suggests that Kronos is aimed...
Agencies reset after missing the mark on cybersecurity goals (07/14/2014 10:52, FederalNewsRadio.com): ...information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to...
ATM Cash-Out Strikes Red Cross Accounts (07/16/2014 08:44, GovInfoSecurity): ...victims. After the hackers penetrated the payment processor's computer network and compromised the Red Cross prepaid card accounts, they allegedly...
Why The World Needs Google Project Zero To Be More Than A 'Marketing Ploy' (07/16/2014 06:38, Forbes.com): ...campaign from Google corporation, nothing new under the sun from a cyber security perspective. What Google did not understand is that killing a...
65 challenges that cloud computing poses to forensics investigators (07/16/2014 03:29, Help Net Security): ...cloud computing environments. Even if they seize a tablet or laptop computer at a crime scene, digital crime fighters could come up empty handed...
‘Smart’ technology could make utilities more vulnerable to hackers (07/16/2014 02:31, The Raw Story): ...IT security company, said. Fortunately for residents, Lindner's cyber attack on its energy utility, Stadtwerke Ettlingen, was simulated. But...
Why password managers are not as secure as you think (07/16/2014 01:27, Computerworld Malaysia): ...user's credentials with a bogus account, while others made users of some of the password managers vulnerable to phishing attacks. Antone Gonsalves
Feds: We beat down Cryptolocker malware, but creator remains at large (07/15/2014 19:28, Tech Times): The Department of Justice reports that the Cryptolocker ransomware virus...
Massive Malware Campaign Steals Everybody's Passwords (07/15/2014 12:58, Yahoo! News): NightHunter's preferred method of infecting target computers appears to be via phishing emails, Navaraj says. These emails are sent to personnel in the...
U.S. malware share rising, Amazon service No.1 in hosting it (07/15/2014 12:11, Network World): Solutionary's Top 10 list also includes Google and Akamai. In its quarterly report...
Fake Flash Player steals credit card information (07/18/2014 09:47, Help Net Security): ...targeting Android users, warn antivirus experts from Dr. Web. The malware is currently targeting Russian users, but it can easily be modified to...
Are endpoints the most vulnerable part of the network? (07/18/2014 03:43, Help Net Security): ...protections in place even though 74% consider endpoints to be most vulnerable to a cyber-attack, and 76% say the number of endpoints is rising. Only...
Russian espionage malware adapted for ransomware scams (07/17/2014 16:57, SC Magazine): ...that researchers saw the malware being spread via drive-by download and phishing schemes. The firm has yet to link the malware to a specific...
Civil service reform: Start with IT/cyber (07/17/2014 16:56, Federal Times): ...to NSA, it leaves their Central Maryland neighbors, DISA and the Defense Cyber Crimes Center, on the outside looking in. That's problematic.
Government-Grade Stealth Malware In Hands Of Criminals (07/17/2014 16:52, Dark Reading): ...Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management,
Edward Snowden urges professionals to encrypt client communications (07/17/2014 10:00, The Guardian): ...revealing interview with the Guardian in Moscow. The former National Security Agency and CIA computer specialist, wanted by the US under the...
NIST Review Report: NSA Has 'Undeniable Incentive' to Defeat Security of NIST Standards; NIST 'Negligent' in Security of Cryptographic Standard (07/17/2014 08:57, Technology News): ...software and technology products, in order to protect our privacy and cyber security. NIST's Visiting Committee on Advanced Technology (VCAT)
Botnets gain 18 infected systems per second (07/17/2014 08:03, Help Net Security): ...holistic look at the entire cyber underground ecosystem and all facilitators of a computer intrusion," he shared. "Just last month, the FBI Cyber...
Google bug-hunting Project Zero could face software developer troubles (07/17/2014 04:29, Network World): ...bugs. But if the initiative is handled right, it could help. [Phishing attack uses data URI to target Google accounts] "What they may do is shine...
Ground commanders with cyber skills (07/16/2014 17:38, Army Times): ...opposition throws a wide range of threats at the brigade, including phishing scams that install network-crashing malware. The red team's goal...
Artist mails NSA ‘uncrackable’ mixtape (07/16/2014 14:23, We Live Security): ...to highlight the fact that while government organizations can compromise computer systems and devices, the actual cryptography connecting those...
No money, no problem: Building a security awareness program on a shoestring budget (07/16/2014 12:35, Computerworld): ...cost of the awareness program. So for example, as every successful phishing attack has a cost associated with it, if you are reducing phishing...
Can New York’s BitLicense Prevent Another Mt. Gox Catastrophe? (07/21/2014 09:35, BayPay Members Blogs): ...outlines: Each Licensee shall establish and maintain an effective cyber security program to ensure the availability and functionality of the...
Significant Deficiencies Found in Treasury’s Computer Security (07/21/2014 09:13, Nextgov): Weaknesses in Treasury Department computer systems that track federal debt are...
Funny Facebook video scam leaves unamusing Trojan (07/21/2014 07:29, Help Net Security): ...wake on users' computers, according to research by Bitdefender. The malware, believed to originate from Albania, can access a large amount of...
Wanted: hackers to help the EFF make Wi-Fi routers more secure (07/21/2014 07:03, The Guardian): ...firewall is switched on as this will prevent users visiting any untrusted, dangerous websites. How to protect yourself from phishing Tom Brewster
News: The dangers of social media (07/20/2014 21:18, DVIDS): ...want their information (made public), said Cureton, the cyber security chief for Marine Corps Installations Pacific-Marine Corps Base Camp Butler.
Identifying cyber-criminals is No. 1 challenge, high-profile lawyer says (07/19/2014 21:00, Tribune-Review (AP)): 27, of Odessa, Ukraine, who is charged with providing the computer servers for a crime ring that stole 160 million credit card numbers from retailers...
German NSA Inquiry Chief Proposes Ultimate Cybersecurity Move... Use A Typewriter (07/19/2014 07:04, Forbes.com): ...Germany. In what could be considered one of the more surprising cyber security admissions of recent times, Patrick Sensburg said on German television...
Overcoming the Cloud Forensic Challenge (07/22/2014 08:18, GovInfoSecurity): ...face in the cloud is detecting a malicious act. A typical computer attack occurs through sequences of incremental steps where each step in an...
Modern electric grid fighting cyber vulnerabilities (07/22/2014 08:00, Pittsburgh - Post-Gazette): ...the grid vulnerable. Utility companies are spending millions annually in cyber security costs, and the trend will continue with investments in...
We must end cyber warfare: RSA's Arthur Coviello (07/22/2014 02:43, Computer World Australia): ...offensive," he told delegates. "The Chinese complain about the National Security Agency [NSA's] digital intelligence gathering. The US complains about...
Your iPhone May Be Rigged to Spy on You (07/21/2014 18:39, Yahoo! News): ...device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship...
Researcher: Cryptolocker Not Dead Yet (07/21/2014 17:21, GovInfoSecurity): ...May 30 disruption it launched against the Gameover Zeus Trojan malware and Cryptolocker ransomware campaigns continued to be successful. "The...
Security researcher: iOS security has been intentionally compromised by Apple (07/21/2014 16:33, Yahoo! News): ...obvious reasons), he says. In addition to revealing that invisible malware installation is possible in iOS 7, Zdziarski revealed a way of at...
DHS 'dos and don'ts' on cybersecurity (07/21/2014 16:00, The Hill - Blogs): Is a cyber-attack on America's electric grid imminent?
Malware Analysis | Part 1 (07/21/2014 11:53, Linux): ...remote systems memory using dc3dd which was developed by Jesse Kornblum at the DoD Cyber Crime Center. Dc3dd is similar to dd but allows us to...
9/11 Commission's New Cyberthreat Focus (07/23/2014 09:21, Blogs - HealthcareInfoSecurity): ...10th anniversary report, cautions Americans and the U.S. government to treat cyberthreats more seriously than they did terrorist threats in the...
Hackers steal data from 1,000 StubHub accounts (07/23/2014 09:20, CNBC): ...at other websites and retailers or from key-loggers or other malware on the customers' computers. Bank hackers go phishing The company detected...
iOS 'backdoor' entry is real, says Jonathan Zdziarski. Not for NSA, says Apple (07/23/2014 07:55, Tech Times): ...connected to a computer via USB. The iOS device and the computer swap security certificates with each other to establish a secure relationship,
Dianne Feinstein: Cybersecurity Information Sharing Act Will Help Protect Us (07/23/2014 07:34, Technology News): issued the following op-ed: Every week, millions of computer networks come under attack by hackers, cyber criminals and hostile foreign nations.
Preparing for cyber warfare (07/23/2014 05:36, The Wickenburg Sun): the question is being raised is America prepped to handle a contemporary cyber war? While there may be no definitive answer to that question...
Facebook scams now lead to exploit kits (07/23/2014 04:36, Help Net Security): ...the following links or they may be shared automatically if the victim's computer has been compromised," the researchers noted. If a scam such...
Online fingerprinting: The next privacy battle (07/23/2014 04:31, GlobeAdvisor.com)
The psychology of phishing (07/23/2014 03:19, Help Net Security): ...three years there has been a dramatic increase in the volume of targeted spear-phishing and long-lining fake emails, which are so sophisticated...
Hackers inside Chinese military steal U.S. corporate trade secrets (07/23/2014 00:17, Computerworld Malaysia): ...release. After much preparation, the attackers launched very specially tailored spear phishing email attacks. CSOs, CISOs, and IT and security...
Hacking experts build device to protect cars from cyber attacks (07/22/2014 21:18, Yahoo! News): ...identify and mitigate potential cybersecurity risks over the past few years. Cyber security is a global concern and it is a growing threat for...
DHS cyber executive to retire (07/22/2014 11:26, FederalNewsRadio.com): ...the private sector. In 2013, DHS launched the Enhanced Cybersecurity Services initiative to increase classified information sharing. DHS recently...
Wounded special-ops veterans take on new enemy: child porn (07/25/2014 07:02, News.Gnom.es): ...which has Zepeda setting his sights on a new enemy, and using computer forensics in the battle against child pornography. From my first case,
Hackers only need to get it right once, we need to get it right every time (07/25/2014 03:31, SC Magazine): ...of the law. This certainly holds true in the world of cyber security, where the criminals are faceless and motivated by large financial rewards.
New type of ransomware bucks established trends (07/25/2014 03:25, Help Net Security): ...recently spotted a new ransomware family they detect as "Onion." The malware itself is called CTB-Locker, and analysis of its code revealed that,
Hackers exploiting Internet Explorer to expose security flaws on a huge scale (07/24/2014 21:00, The Guardian): ...the techniques, told the Guardian. That way they will only attack a computer they know is vulnerable and avoid alerting security companies to...
Cyber Command tests gov't collaboration in wake of attacks (07/24/2014 17:46, SC Magazine): ...U.S. Cyber Command (USCYBERCOM) recently oversaw a two-week exercise in attack readiness called Cyber Guard 14-1. The U.S. Cyber Command (USCYBERCOM)
Hackers steal user data from the European Central Bank website, ask for money (07/24/2014 05:50, Network World): The affected individuals could be at a higher risk of fraud and phishing attacks following this security breach, said Jon French, a security...
Global Survey: NSA, Retail Breaches Influenced Corporate Security Strategies the Most (07/28/2014 09:39, Fort Mill Times): Many organizations face daily perimeter-oriented attacks, such as phishing, designed to give attackers a foothold to steal the privileged credentials...
'Masquerading': New Wire Fraud Scheme - BankInfoSecurity (07/28/2014 09:05, Bankinfosecurity): ...bank's commercial customers, not the bank itself. And they differ from spear-phishing attacks in that they don't just target specific employees,
The Top 5 Most Brutal Cyber Attacks Of 2014 So Far (07/28/2014 08:33, Forbes.com): and the extent of the damage done, still unclear. The state government said that it is notifying 1.3 million people including current and former...
Collateral damage of Snowden leaks being felt in cyber, public trust (07/28/2014 00:49, FederalNewsRadio.com): The National Security Agency's top lawyer said the disclosures from former...
A new cyber exercise: Test your security team's incident response capabilities (07/27/2014 09:10, Lohrmann On Cybersecurity - Government Technology): The Michigan's Cyber Civilian Corps, state and local government...
NSA director: Cyber attacks need international norms (07/27/2014 06:09, Aspen Daily News Online): ...NSA has seen dozens of terrorists use published information to change their cyber attack tactics, Ledgett said. When people say there are no...
Toddler dad case hinges on digital sleuthing (07/25/2014 20:35, AJC.com): showing the stakes of getting it right or wrong. And only on myajc.com, delve into the world of digital forensics by clicking here. By Ariel Hart
New backdoor 'Baccamun' spreads through ActiveX exploit (07/25/2014 15:45, SC Magazine): ...newly discovered backdoor program, called Baccamun, are spreading the malware via an ActiveX exploit, researchers revealed. Attackers using a...
Canadian spy agency says Chinese hacked into NRC computers, network shut down (07/29/2014 09:29, The Guardian)
Banks as Cybercrime Fighters? - BankInfoSecurity (07/29/2014 09:20, Bankinfosecurity): ...comment about reports that SIFMA is pushing for the formation of a cyber war council, which would bring together a committee of financial industry...
Android 'Fake ID' flaw could leave millions open to attack (07/29/2014 08:00, The Guardian): ...them run malicious code on the device and infect the Android phone with malware. They could do the same using the signature of the Android Near...
Personal Privacy Is Only One of the Costs of NSA Surveillance (07/29/2014 06:46, Wired): ...Obama administration's stated goal of securing the internet and critical infrastructure and undermine global trust in the internet and the safety...
NRC Hack Attack Forces It To Shut Down Computers; Could Take A Year To Recover (07/29/2014 04:40, Huffington Post Canada)
AV engines are riddled with exploitable bugs (07/29/2014 04:02, Help Net Security): ...could lead to man-in-the-middle attacks that deliver malware instead of updates. "Exploiting AV engines is not different to exploiting other...
Georgia Tech launches early warning system for cyberthreats (07/29/2014 03:43, Network World): ...called BlackForest, which will complement the institute's malware and spear-phishing intelligence systems. [Georgia Tech warns of emerging threats...
Mystery 'Onion/Critroni' ransom Trojan evolves to use more sophisticated encryption (07/29/2014 03:24, Computerworld Malaysia): ...with the program that kicked off the peak of the ransom malware age now largely neutered thanks to police intervention, the criminals have already...
Chinese hackers steal Israel’s Iron Dome missile data (07/29/2014 02:05, The Guardian): ...occurred between 10 October 2011 and 13 August 2012, according to security firm Cyber Engineering Services (CES), talking to independent security...
The CIA Fears the Internet of Things (07/28/2014 14:16, Nextgov): ...Agency's directorate of science and technology, said today's concerns about cyber war don't address the looming geosecurity threats posed by the...
CyberPatriot Having Big Impact on STEM Education and Career Choices, Data Shows (07/30/2014 09:26, KAIT ABC-8): ...or comments about this page please contact [email protected]. SOURCE Air Force Association ARLINGTON, Va., July 30, 2014 /PRNewswire-USNewswire/
UAB students help fight hackers in new 'Facebook suite' (07/30/2014 08:37, MyFoxAL.com): ...next big computer hack. UAB has actually had a reputation for its cyber security expertise for a number of years. One of the bigger examples...
This Is Why Ex-NSA Chief Keith Alexander Can Charge $1 Million A Month For Cyber-Security (07/30/2014 00:16, Yahoo! News): Former U.S. Cyber Command and National Security Agency head Gen.
Report: Hackers stole data from Israeli defense firms (07/29/2014 17:37, SC Magazine): ...(UAVs) and ballistic rockets. Columbia, Md.-based security firm Cyber Engineering Services shared the details of the breach with Krebs, telling...
Scan Shows Possible Heartbleed Fix Failures (07/29/2014 17:07, Dark Reading): ...failing to revoke the old cert, an attacker could use it in phishing attacks, according to the July 2014 status report by Venafi. "Heartbleed...
Keylogger Malware in Hotel Business Centers (07/29/2014 16:53, US-CERT): Overview The United States Secret Service (USSS) has investigated incidents where malicious actors...
IG scolds NOAA on security deficiencies, recommends fixes (07/29/2014 16:23, SC Magazine): ...implementation of mobile device protections boosted the probability of malware infection, primarily because unauthorized devices had been connected...
Homeland Security wants corporate board of directors more involved in cyber-security (07/29/2014 16:06, Computer World Australia): Setting corporate cybersecurity policy and taking actions...
House passes DHS cyber bills (07/29/2014 15:39, Federal Times): ...procedures to DHS in order to gain liability protections in the event of an attack. RELATED For cyber-defense, automation alone is not enough DHS eyes...
Canada blames China for cyber intrusion at National Research Council (07/29/2014 11:43, ComputerWorld): ...carried out by highly sophisticated state-sponsored hackers, the government of Canada said. The IT infrastructure of the National Research Council...

Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC. 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected]

Cyber Warnings is published by Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC. Cyber Defense Magazine, CDM, Cyber Warnings, Cyber Defense Test Labs and CDTL are Registered Trademarks of STEVEN G. SAMUELS LLC. All rights reserved worldwide. Copyright © 2014, Cyber Defense Magazine. All rights reserved.

No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

www.cyberdefensemagazine.com
Cyber Defense Magazine - Cyber Warnings rev. date: 07/30/2014