Tuesday, June 24, 2014

Social Engineering as relevant as ever!

Anything Cyber Community,

Although I've studied social engineering on many occasions during my career in Cyber security, I did not realize how much damage a good social engineer can cause a victim company. Mandiant a few months ago reported that over 90% of attacks involve spear-phishing e-mails. Based on what I see on a day-to-day basis, spear-phishing has matured significantly since a few years ago, when the bogus emails were laden with broken English and misspelled words. Now social engineers use a combination of phone calls and well-crafted emails to influence personnel with access to the corporate bank account to transfer large sums of money. The story is that the transfer is needed to complete a big deal. In reality, the only deal being completed is the one making the Cyber criminals rich.

While a company may have above-average network and data security in place, it is important not to take the human element for granted. Annual security awareness training is a must for all personnel. So that the training has a chance to be absorbed, make it interesting and interactive enough to hold employees' attention; don't allow them to simply plow through it without absorbing anything. Make sure employees know not to click on links from unknown or untrusted email senders. Last, make sure employees with access to the corporate bank account have well-documented and visible protocols for the approval of bank transfers or wires. No one person, not even the owner of the company, should have sole authority to transfer sums over a corporate-defined threshold.

And remember, if you receive an email or any other offer that insists you must act today and cannot tell anyone else, 99.9% of the time it's a scam. Don't buy it.
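As an added illustration of the red flags in this post (urgency, secrecy, money-movement language, and mail from an untrusted sender), here is a small scorer that applies them to raw e-mail messages. It is example code written for this page, not code from the original post; the phrase lists, the trusted-domain parameter, the verdict threshold and the two sample messages are constructed for illustration, and the Reply-To mismatch check is an extension that goes beyond what the post describes.

```python
"""Red-flag scorer for business e-mail compromise (BEC) style messages.

Added example for this page. Phrase lists, thresholds and the two sample
messages below are constructed for illustration and are not from the post.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Signal phrases; matched case-insensitively. Deliberately short lists.
URGENCY_PATTERNS = [
    r"\btoday\b", r"\bimmediately\b", r"\bright away\b", r"\burgent(?:ly)?\b",
    r"\bbefore (?:close of business|end of (?:the )?day|cob|eod)\b",
]
SECRECY_PATTERNS = [
    r"\bdo not (?:tell|discuss|mention|share)\b",
    r"\bdon'?t (?:tell|discuss|mention|share)\b",
    r"\bkeep (?:this|it) (?:confidential|quiet|between us)\b",
    r"\bstrictly confidential\b",
]
MONEY_PATTERNS = [
    r"\bwire(?: transfer)?\b", r"\btransfer\b", r"\bbank account\b",
    r"\bpayment\b", r"\bfunds\b", r"\binvoice\b",
]


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _matches(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def score_message(raw: str, trusted_domains=frozenset()) -> dict:
    """Parse one RFC 5322 message and return its red flags and a verdict.

    Verdict rule follows the post: urgency plus secrecy is treated as a scam
    outright; otherwise three or more flags. The Reply-To check is an
    extension not discussed in the post.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"

    flags = []
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if trusted_domains and from_domain not in trusted_domains:
        flags.append("sender domain not trusted")
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")

    urgency = _matches(URGENCY_PATTERNS, text)
    secrecy = _matches(SECRECY_PATTERNS, text)
    money = _matches(MONEY_PATTERNS, text)
    if urgency:
        flags.append("urgency language")
    if secrecy:
        flags.append("secrecy language")
    if money:
        flags.append("money-movement language")

    likely_scam = bool(urgency and secrecy) or len(flags) >= 3
    return {"from_domain": from_domain, "flags": flags, "likely_scam": likely_scam}


# Constructed sample: a CEO-impersonation wire request (look-alike domain).
BEC_SAMPLE = """\
From: "Pat Chen, CEO" <pat.chen@examp1e-corp.com>
Reply-To: pat.chen@mail-examp1e.net
To: finance@example-corp.com
Subject: Urgent wire needed today

Jordan,
I need you to wire $48,500 to the account below before close of business today
for the acquisition. This is strictly confidential, do not discuss it with
anyone until the deal is announced.
Pat
"""

# Constructed sample: a routine internal message from the real domain.
BENIGN_SAMPLE = """\
From: Pat Chen <pat.chen@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review

Jordan,
Can we set up 30 minutes next week to walk through the Q3 numbers?
Pat
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, BENIGN_SAMPLE):
        print(score_message(sample, trusted_domains={"example-corp.com"}))
```

The scorer is a triage aid, not a filter: it is meant to surface the message to a human who then follows the transfer-approval protocol, and the phrase lists would need tuning against an organization's own mail before anything acts on the verdict automatically.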

Jimmie Walker, CISSP-ISSMP

Tuesday, April 29, 2014

The importance of Pen Tests

Hi Anything Cyber community,

Since I just finished a week-long course in Penetration Testing (Pen Testing) hosted by SANS, I was inspired to discuss the importance of having a professional Pen Test performed periodically on corporate networks and computers. During the course, I was exposed to and practiced many techniques used by hackers to crack passwords and gain access to sensitive data (e.g., PII). Companies cannot say with confidence that they have performed due diligence with regard to network security unless a professional Pen Test is performed periodically against their network. The Pen Test will reveal the vulnerabilities of a network and also produce recommendations that strengthen the corporation's defenses and reduce the likelihood of a sensitive data compromise.

While performing a Pen Test is great, the corporation must take the resulting Pen Test report and apply the Pen Testers' recommendations. It's hard to say which is worse: not having a Pen Test, or having one and doing nothing to remedy the findings.

Jimmie Walker

Wednesday, March 26, 2014

Unravelling Cybersecurity Myths

Hello AnythingCyber community,

Today I'd like to discuss a few of the major myths regarding Cybersecurity. Myths are what keep many people and companies from taking Cybersecurity seriously, which leads to not having the appropriate level of defense to protect computer systems and networks from external and internal Cyber threats.

A prevalent myth is that top management does not need to be involved in Cybersecurity. However, if buy-in is not achieved from top management, who will allocate the funds to pay for Cybersecurity defense? As well, top management should not only preach proper Cybersecurity but also practice it. If the CEO allows administrative assistants and others in their circle to log on to the CEO's account on their behalf, unattended, lower-level employees will follow suit and allow the same Cyber insecurity at their level.

The next myth is that investing in Cybersecurity yields no return on investment (ROI). The recent Target data breach cost the impacted financial institutions over $200 million. It has also cost Target tens of millions of dollars and a significant drop in profits. A sound Cybersecurity architecture that could quickly react to and mitigate a security breach would have cost Target a small fraction of the losses incurred. The ROI is definitely there for those who take Cybersecurity seriously and implement a sound multi-layer defense.

Last, many view Cybersecurity as a one-time project, like upgrading a kitchen. While it may take years or decades for an updated kitchen to become dated, a Cybersecurity defense can become a trivial annoyance to a Cyber criminal in days if it is not maintained and updated frequently. Maintaining a Cybersecurity defense does require ongoing funds, but remember myth two, and the conversation with the C-level should be much smoother when it comes time to fund it.

Jimmie Walker, CISSP-ISSMP


Reference:

Kosutic, Dejan. "6 greatest cybersecurity myths and why you should not trust them." Defense Systems, March 17, 2014.

d'Innocenzio, Anne. "Cost of Target data breach for banks tops $200M." http://finance.yahoo.com/news/cost-target-data-breach-banks-212848285.html

Monday, February 24, 2014

Federal Cyber hiring unfrozen

After months, and in some cases years, of hiring freezes, the federal government is hiring again, including for Cyber security positions. With recent Cyber breaches at major retailers such as Target and Neiman Marcus, it is clear that more emphasis needs to be placed on Cyber security in both the board room and government. Lip service is not enough. Action and allocation of funds are necessary to mitigate the Cyber criminal threat. The hiring of Cyber security professionals within the government can only help in the daunting task of fortifying defenses against Cyber attacks originating both at home and abroad.


Monday, January 20, 2014

Attribution is key to deterring Cyber attacks

Hi Anything Cyber community,

Since today is a special day in which I reflect on all of the blessings in my life, I would also like to thank the late Dr. Martin Luther King Jr. for playing a critical role in advancing civil rights for all. With his diligent efforts to fight inequality at every turn, opportunities were made available for me that would not have been without the Civil Rights movement.

Now for the topic of discussion: attribution. During my first course in Cyber security I was asked to discuss the concept of attribution with regard to Cyber attacks. To start, I had to find out what was meant by the term. In the context of Cyber attacks, attribution can be defined as determining which individual, group, or nation-state is responsible for an attack. Unfortunately, this is not an easy task. Advanced hackers use the following techniques to remain anonymous and avoid attribution: routing their attacks through compromised intermediary systems in various countries so that the attacker's own IP address cannot be determined; using anonymity networks such as Tor, which routes traffic through a circuit of three randomly chosen relays before it reaches the victim system or network; and modifying the log files on a victim computer to erase their digital fingerprints.

Although the United States has very sophisticated Cyber exploits that could be used in retaliation for a Cyber attack directed at U.S. critical infrastructure and corporations, without a sound and reliable means of attributing the attack to the perpetrator(s), a response cannot be justified. That's why federal agencies such as the FBI have shifted their strategy to focus on Cyber attack attribution. If Cyber perpetrators do not fear being caught or paying a price for their actions, there is little reason for them not to keep committing Cyber attacks.

Reference:

"The Attribution Problem in Cyber Attacks." http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks

Tuesday, December 24, 2013

40 million credit card accounts is right on TARGET for Hackers

In my last post, I discussed how big targets attract big hacker interest. The recent cyber breach of 40 million payment card accounts at Target is a prime example. While some may react by temporarily suspending business with Target, paying with cash or credit virtually eliminates the consumer's risk. If a credit card is used, the cardholder has 100% fraud protection, meaning the bank that issued the card assumes the financial liability for fraud. Since it took over two weeks for Target to discover the attack, I question whether the Payment Card Industry Data Security Standard (PCI DSS) was followed.

The six high-level control objectives of PCI DSS version 3.0 are: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Target most likely needs improvement in several of these areas, such as protection of cardholder data, vulnerability management, strong access control measures, and regular network monitoring.

Since investigations by the Secret Service and potentially the Justice Department are ongoing, one can only speculate about the root cause of the breach. On the surface, however, taking over two weeks to detect an ongoing breach is not good enough. In reality, two weeks to detection is fairly responsive given earlier reporting by Mandiant that breaches typically take months to detect and in many cases are discovered by third parties.

AnythingCyber community, don't lose faith in Target because of this recent Cyber breach. A breach can occur at any corporation, and 100% fraud protection removes the financial risk from the consumer.

Jimmie Walker, CISSP-ISSMP

Reference:
PCI DSS V 3.0 Requirements and Security Assessment Procedures, November 2013

Saturday, November 16, 2013

Big Targets Equal Big Hacker Interest

Hi Anything Cyber community,

As a follow-up to my last blog post, I came across an article a few days ago detailing how the Department of Homeland Security (DHS) reported at least 16 recent cyber attack attempts against the healthcare.gov website. Although it was reported that none of the attacks were successful, sophisticated hackers are very adept at hiding their actions, so there is always the possibility that one of the attacks succeeded but was not detected.

When a site such as healthcare.gov goes public, it is crucial to consider and incorporate cyber security measures from the start of the web development effort. Waiting to tack on security once the site is fully operational is both costly and much less effective. Since healthcare.gov had the potential to attract millions of users, cyber criminals definitely have the website on their radar because of the wealth of sensitive information belonging to those users that could be stolen.

The article mentioned that one of the attacks was a denial of service (DoS) attempt. A DoS attack against the website opens up the possibility of politically motivated cyber disruption. For example, a person or group opposed to the Affordable Care Act (ACA) could buy or develop distributed denial of service (DDoS) tools, distribute them to fellow ACA opponents, and use them to overwhelm the healthcare.gov servers so that legitimate users are unable to sign up for healthcare.

Those legitimate users would voice their difficulties, which would make it to the media. The media would in turn report that the healthcare.gov site is continuing to malfunction because users are unable to sign up. Politicians and political parties who oppose the ACA would use the site's inaccessibility as ammunition to denounce the ACA and champion immediate repeal or revision.

Jimmie Walker

Reference:

Isikoff, Michael. "HealthCare.gov targeted 'about 16 times' by cyberattacks, DHS official says." 13 November 2013.