Thursday, August 7, 2014

Possible relief from CryptoLocker

Hi Anything Cyber community,

For those of you familiar with CryptoLocker (ransomware that encrypts a victim's hard drive and requests hundreds of dollars to decrypt), you might have heard in early June that the FBI shut down the CryptoLocker operation headed by a Russian hacker called Slavik. At that time, victims of CryptoLocker who had not paid the ransom to get their files decrypted had no avenue for reclaiming their files. Since the CryptoLocker servers had been taken offline by the FBI, there was no way to pay the ransom.

For those of you who still have files encrypted by CryptoLocker, there's hope. You can go to https://decryptcryptolocker.com and enter one encrypted file. FireEye and Fox IT have teamed up to determine the master decryption key based on the one file you submit. The master decryption key can be used to decrypt all other files on the CryptoLocker-infected hard drive. Since a unique master decryption key exists for each infected system, you'll have to submit an encrypted file for each system. When choosing a file to submit, do not submit a file containing sensitive information, since FireEye and Fox IT will have access to the file contents once decrypted.

Hopefully a service like this will come about for variants of CryptoLocker such as CryptoWall, which is currently causing havoc and encrypting victim hard drives. The typical attack vector for CryptoLocker, CryptoWall, and other malware is spear-phishing e-mails. Be very wary of e-mails from people you don't know, especially if the e-mail contains a link or attachment. Also scrutinize e-mails from people you do know if the content of the e-mail seems out of character. Perpetrators are also using e-mail addresses that look very similar to the address of a person you know and trust, except that one or two characters of the address are different.
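The "one or two characters different" trick described above can be checked mechanically on the receiving side. The following is an added example written for this post, not code from the blog or from any vendor: it compares a sender address against a constructed list of trusted contacts using edit (Levenshtein) distance and flags addresses that are close to, but not identical with, a trusted one. The contact list, the sample addresses and the distance threshold of 2 are assumptions for illustration.

```python
"""Flag look-alike sender addresses before a spear-phishing mail reaches a user.

Added example (not from the blog). Everything below is constructed:
a small trusted-contact list, a few sample senders and a threshold of
2 edits, matching the "1 or 2 characters different" pattern in the post.
"""

# Constructed address book of people the recipient knows and trusts.
TRUSTED_CONTACTS = {
    "cfo@example-corp.com",
    "jane.doe@example-corp.com",
}


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(
                previous[j] + 1,        # delete ca
                current[j - 1] + 1,     # insert cb
                previous[j - 1] + cost, # substitute ca -> cb
            ))
        previous = current
    return previous[-1]


def classify_sender(sender: str, trusted=TRUSTED_CONTACTS, max_distance: int = 2):
    """Return ("trusted" | "lookalike" | "unknown", closest trusted address or None).

    A look-alike is an address within max_distance edits of a trusted contact
    that is not an exact (case-insensitive) match, e.g. 'o' swapped for '0'
    or 'm' written as 'rn'.
    """
    normalized = sender.strip().lower()
    if normalized in trusted:
        return ("trusted", normalized)
    closest = min(trusted, key=lambda t: levenshtein(normalized, t))
    if levenshtein(normalized, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


def triage(sender: str, has_link_or_attachment: bool, trusted=TRUSTED_CONTACTS) -> str:
    """Apply the post's advice: look-alikes are quarantined, unknown senders
    carrying a link or attachment are held for a human look, the rest flow."""
    verdict, _ = classify_sender(sender, trusted)
    if verdict == "lookalike":
        return "quarantine"
    if verdict == "unknown" and has_link_or_attachment:
        return "hold-for-review"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample senders: exact match, two look-alikes, one stranger.
    for addr, attach in [
        ("cfo@example-corp.com", True),
        ("cfo@exarnple-corp.com", True),       # 'm' -> 'rn'
        ("jane.doe@example-c0rp.com", False),  # 'o' -> '0'
        ("newsletter@some-vendor.net", True),
    ]:
        print(addr, classify_sender(addr), triage(addr, attach))
```

The threshold is the tuning knob: 2 edits catches the substitutions the post describes, while a larger value starts matching unrelated short addresses, so in practice the comparison is usually run separately on the domain part, where the spoofing almost always lives.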

Stay safe in the digital world!

Jimmie Walker

Tuesday, July 29, 2014

GPEN Certified!!!

Hi Anything Cyber community,

Although I'm usually modest, I have to brag a little today. Months of studying paid off when I passed the GIAC Penetration Tester exam earlier this month to earn the GPEN credential. To pass the exam, I had to become proficient in numerous ethical hacking and penetration testing topics such as password cracking, pass-the-hash techniques, wireless hacking, SQL injection, XSS attacks, Metasploit, Wireshark, tcpdump, user enumeration, Nmap, etc. Prior to the months of study, I completed a week-long SANS 560 course to gain hands-on experience identifying computer vulnerabilities and exploiting them to gain unauthorized access.

While I already had the CISSP and ISSMP credentials, the GPEN credential was very hands-on versus just reading a book and completing practice exams. I now have an arsenal of software tools and the know-how to perform penetration testing. The GPEN certification furthered my computer security knowledge and I highly recommend learning the concepts taught in SANS 560.

Jimmie Walker

Tuesday, June 24, 2014

Social Engineering as relevant as ever!

Anything Cyber Community,

Although I've studied social engineering on plenty of occasions during my career in Cyber security, I did not realize how much damage can be caused by a good social engineer on a victim company. Mandiant a few months ago reported that over 90% of attacks involve spear-phishing e-mails. Based on what I see on a day-to-day basis, spear-phishing has matured significantly since a few years ago, when the bogus e-mails were laden with broken English and misspelled words. Now social engineers use a combination of phone calls and well-crafted e-mails to influence personnel at companies with access to the corporate bank account to transfer large sums of money. The transfers are presented as necessary for a big deal to be completed. Yet, in reality, the big deal is making the Cyber criminals rich.

While a company may have above-average network and data security in place, it is important not to take the human element for granted. Annual security awareness training is a must for all personnel. Also, so that the training has a chance to be absorbed, make it interesting and interactive to keep the attention of employees. Don't allow employees to simply plow through the training without absorbing anything. Also, make sure employees are fully aware not to click on links from unknown or untrusted e-mail senders. Last, make sure employees with access to the corporate bank account have well-documented and visible protocols for the approval of bank transfers or wires. No one person, not even the owner of the company, should have sole authority to transfer sums of money over a corporate-defined threshold.

And remember, if you receive an email or any other offer that emphasizes you must act today and you cannot tell anyone else, 99.9% of the time it's a scam. Don't buy it.

Jimmie Walker, CISSP-ISSMP

Tuesday, April 29, 2014

The importance of Pen Tests

Hi Anything Cyber community,

Since I just finished a week-long course in Penetration Testing (Pen Testing) hosted by SANS, I was inspired to discuss the importance of having a professional Pen Test performed periodically on corporate networks and computers. During the course, I was exposed to and practiced many techniques used by hackers to crack passwords and gain access to sensitive data (e.g., PII). Companies cannot say with confidence that they have performed due diligence in regards to network security unless a professional Pen Test is performed periodically against their network. The Pen Test will reveal the vulnerabilities of a network and also make recommendations to the corporation that will strengthen its defenses and mitigate the likelihood of sensitive data compromise.

While performing a Pen Test is great, the corporation must take the resulting Pen Test report and apply the recommendations of the Pen Testers. It's hard to say which is worse: not having a Pen Test, or having one and not doing anything to remedy the findings.

Jimmie Walker

Wednesday, March 26, 2014

Unravelling Cybersecurity Myths

Hello AnythingCyber community,

Today I'd like to discuss a few of the major myths regarding Cybersecurity. Myths are what keep many people and companies from taking Cybersecurity seriously, which leads to not having the appropriate level of defense to protect computer systems and networks from external and internal Cyber threats.

A prevalent myth is that top management is not involved in Cybersecurity. However, if buy-in is not achieved from top management, who will allocate the funds to pay for Cybersecurity defense? As well, top management should not only preach proper Cybersecurity but also practice it. If the CEO is allowing administrative assistants and others in their circle to log on to their account on their behalf unattended, lower-level employees will follow suit and allow the same Cyber insecurity at their level.

The next myth is that investing in Cybersecurity yields no return on investment (ROI). The recent Target data breach cost impacted financial institutions over $200 million. It has also cost Target tens of millions of dollars and a significant drop in profits. Having a sound Cybersecurity architecture in place that could quickly react to and mitigate a security breach would have cost Target a small fraction of the losses incurred. ROI is definitely there for those who take Cybersecurity seriously and implement a sound multi-layer defense.

Last, many view Cybersecurity as a one-time project, like upgrading a kitchen. While it may take years or decades for an updated kitchen to become dated, a Cybersecurity defense can become a trivial annoyance to a Cyber criminal in days if the defense is not maintained and updated frequently. The maintenance of a Cybersecurity defense does require ongoing funds, but remember myth two and it should be a much smoother conversation with the C-level when it comes time to fund Cybersecurity.

Jimmie Walker, CISSP-ISSMP


References:

Kosutic, Dejan; "6 greatest cybersecurity myths and why you should not trust them"; Defense Systems; March 17, 2014.

d'Innocenzio, Anne; "Cost of Target data breach for banks tops $200M"; http://finance.yahoo.com/news/cost-target-data-breach-banks-212848285.html

Monday, February 24, 2014

Federal Cyber hiring unfrozen

After months, and in some cases years, of hiring freezes, the federal government is now hiring again, including for Cyber security positions. With recent Cyber breaches at major retailers such as Target and Neiman Marcus, it is clear that more emphasis needs to be placed on Cyber security in both the board rooms and government. Lip service is not enough. Action and allocation of funds are necessary to mitigate the Cyber criminal threat. The hiring of Cyber security professionals within the government can only help in combating the daunting task of fortifying the defenses against Cyber attacks originating both domestically and abroad.


Monday, January 20, 2014

Attribution is key to deterring Cyber attacks

Hi Anything Cyber community,

Since today is a special day in which I reflect on all of the blessings in my life, I would also like to thank the late Dr. Martin Luther King Jr. for playing a critical role in advancing civil rights for all. With his diligent efforts to fight inequality at every turn, opportunities were made available for me that would not have been without the Civil Rights movement.

Now for the topic of discussion: attribution. During my first course in Cyber security I was asked to discuss the concept of attribution in regards to Cyber attacks. To start, I had to find out what was meant by the term attribution. In regards to Cyber attacks, attribution can be defined as determining which individual, group, or nation-state is responsible for the attack. Unfortunately, this is not an easy task. Advanced hackers use the following techniques to remain anonymous and avoid attribution: routing their attacks through victim systems in various countries so that the attacker's IP address cannot be determined; using sophisticated technologies such as Tor to route traffic through three random systems before the malicious traffic lands on the victim system or network; and modifying the log files on a victim computer to erase their digital fingerprints.

Although the United States has very sophisticated Cyber exploits that can be used in retaliation for a Cyber attack directed at U.S. critical infrastructure and corporations, without a sound and reliable means to attribute the attack to the perpetrator(s) a response will not be warranted. That's why federal agencies such as the FBI have shifted their strategy to focus on Cyber attack attribution. If Cyber perpetrators do not fear being caught or paying a price for their actions, there's little reason for them not to continue to commit Cyber attacks.

Reference:

The Attribution Problem in Cyber Attacks, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks