Wednesday, March 26, 2014

Unravelling Cybersecurity Myths

Hello AnythingCyber community,

Today I'd like to discuss a few of the major myths regarding Cybersecurity. Myths are what keep many people and companies from taking Cybersecurity seriously, which leads to not having the appropriate level of defense to protect computer systems and networks from external and internal Cyber threats.

A prevalent myth is that top management is not involved in Cybersecurity. However, if buy-in is not achieved by top management, who will allocate the funds to pay for Cybersecurity defense? As well, top management should not only preach proper Cybersecurity but also practice it. If the CEO is allowing administrative assistants and others in their circle to log on to their account on their behalf unattended, lower-level employees will follow suit and allow the same Cyber insecurity at their level.

The next myth is that investing in Cybersecurity yields no return on investment (ROI). The recent Target data breach cost impacted financial institutions over $200 million. It has also cost tens of millions of dollars and a significant drop in profits for Target. Having a sound Cybersecurity architecture in place that could quickly react and mitigate a security breach would have cost Target a small fraction of the losses incurred. ROI is definitely there for those who take Cybersecurity seriously and implement a sound multi-layer defense.

Last, many view Cybersecurity as a one-time project like upgrading a kitchen. While it may take years or decades for an updated kitchen to become dated, a Cybersecurity defense can become a trivial annoyance to a Cyber criminal in days if the defense is not maintained and updated frequently. The maintenance of a Cybersecurity defense does require ongoing funds, but remember myth two and it should be a much smoother conversation with the C-level when it comes time to fund Cybersecurity.

Jimmie Walker, CISSP-ISSMP


Reference:

Kosutic, Dejan; 6 greatest cybersecurity myths and why you should not trust them; Defense Systems; March 17, 2014

d'Innocenzio, Anne; Cost of Target data breach for banks tops $200M; http://finance.yahoo.com/news/cost-target-data-breach-banks-212848285.html

Monday, February 24, 2014

Federal Cyber hiring unfrozen

After months, and in some cases years, of hiring freezes, the federal government is now hiring again, including for Cyber security positions. With recent Cyber breaches at major retailers such as Target and Neiman Marcus, it is clear that more emphasis needs to be placed on Cyber security in both the board rooms and government. Lip service is not enough. Action and allocation of funds are necessary to mitigate the Cyber criminal threat. The hiring of Cyber security professionals within the government can only help with the daunting task of fortifying the defenses against Cyber attacks originating both domestically and abroad.


Monday, January 20, 2014

Attribution is key to deterring Cyber attacks

Hi Anything Cyber community,

Since today is a special day in which I reflect on all of the blessings in my life, I would also like to thank the late Dr. Martin Luther King Jr. for playing a critical role in advancing civil rights for all. With his diligent efforts to fight inequality at every turn, opportunities were made available for me that would not have been without the Civil Rights movement.

Now for the topic of discussion: attribution. During my first course in Cyber security I was asked to discuss the concept of attribution with regard to Cyber attacks. To start, I had to find out what was meant by the term attribution. With regard to Cyber attacks, attribution can be defined as determining which individual, group, or nation-state is responsible for the attack. Unfortunately, this is not an easy task. Advanced hackers use the following techniques to remain anonymous and avoid attribution: route their attacks through victim systems in various countries so that the attacker's IP address cannot be determined; use sophisticated technologies such as Tor to randomly route traffic through three random systems prior to the malicious traffic landing on the victim system or network; and modify the log files on a victim computer to erase their digital fingerprints.

Although the United States has very sophisticated Cyber exploits that can be used in retaliation for a Cyber attack directed at U.S. critical infrastructure and corporations, without a sound and reliable means to attribute the attack to the perpetrator(s) a response will not be warranted. That's why federal agencies such as the FBI have shifted their strategy to focus on Cyber attack attribution. If Cyber perpetrators do not fear being caught or paying a price for their actions, there's little reason for them not to continue to commit Cyber attacks.

Reference

The Attribution Problem in Cyber Attacks, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks

Tuesday, December 24, 2013

40 million credit card accounts is right on TARGET for Hackers

In my last post, I discussed how big targets attract big hacker interest. The recent cyber breach of 40 million credit accounts at Target was a prime example. While some may react to the attack by temporarily suspending business with Target, paying with cash or credit virtually eliminates the risk. If a credit card is used, the cardholder has 100% fraud protection, meaning the bank issuing the card assumes the financial liability for fraud. Since it took over 2 weeks for Target to discover the attack, I question whether or not payment card industry data security standards (PCI DSS) were followed.

The key tenets of PCI DSS version 3 are: build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control standards; regularly monitor and test networks; and maintain an Information Security Policy. Target most likely needs improvement on multiple PCI DSS tenets such as protection of cardholder data, vulnerability management, strong access control standards, and monitoring networks regularly.

Since investigations by the Secret Service and potentially the Justice Department are ongoing, one can only predict the root cause of the cyber breach. However, over two weeks to detect an ongoing cyber breach is not sufficient on the surface. In reality, 2 weeks to detect is actually pretty responsive based on earlier reports by Mandiant that cyber breaches typically take months to detect and in many cases are detected by third parties.

AnythingCyber community, don't lose faith in Target due to this recent Cyber breach. A breach can occur at any corporation and 100% fraud protection removes the financial risk from the consumer.

Jimmie Walker, CISSP-ISSMP

Reference:
PCI DSS V 3.0 Requirements and Security Assessment Procedures, November 2013

Saturday, November 16, 2013

Big Targets Equal Big Hacker Interest

Hi Anything Cyber community,

As a follow-up to my last blog post, I came across an article a few days ago detailing how the Department of Homeland Security (DHS) reported at least 16 recent cyber attack attempts against the healthcare.gov website. Although it was reported that none of the attacks were successful, sophisticated hackers are very adept at hiding their actions, so there is always the possibility that one of the attacks could have been successful but not detected.

When a site such as healthcare.gov goes public, it is crucial to incorporate and consider cyber security measures from the start of the web development effort. Waiting to tack on security once the site is fully operational is both costly and much less effective. Since healthcare.gov had the potential to attract millions of users, cyber criminals definitely have the website on their radar due to the potential to steal a wealth of sensitive information belonging to website users.

The article mentioned that one of the attacks was a denial of service (DoS) attempt. A DoS attack against the website opens up the possibility of politically motivated cyber disruption. For example, someone or a group of people who oppose the Affordable Care Act (ACA) could buy or develop distributed denial of service (DDoS) malware that could be distributed to fellow ACA opponents and used to overwhelm healthcare.gov servers so that legitimate users are unable to sign up for healthcare.

Those legitimate users unable to sign up would voice their difficulties, which would make it to the media. The media would in turn report that the healthcare.gov site is continuing to malfunction since users are unable to sign up. Politicians and political parties who oppose ACA will use the fact that healthcare.gov is not accessible as ammunition to denounce ACA and champion immediate repeal or revision.

Jimmie Walker

Reference:

"HealthCare.gov targeted 'about 16 times' by cyberattacks, DHS official says", Michael Isikoff, 13 November 2013. 
 

Thursday, October 31, 2013

The contractors working to fix Healthcare.gov need to ensure Cybersecurity is addressed

Hi Anything Cyber followers,

Keeping track of the back and forth rhetoric of how healthcare.gov has been a failure thus far, the one thing that concerns me the most is the security of PII data submitted by U.S. citizens on healthcare.gov. I read an article recently regarding how it was fairly easy to obtain a registered user's email address by performing some low-tech hacking. Once the email address was obtained, a perpetrator could use that information to scour social media sites looking for answers to the secret questions required to reset the password of a registered user.

For the contractors that have been recently hired such as Verizon and potentially Microsoft, while priority one might be to make sure the healthcare.gov website is available virtually 24/7 to register U.S. citizens for healthcare, a close second priority is to ensure that the website provides the appropriate level of security for registered user data. Just imagine the severe impact to users and the embarrassment of the White House if the healthcare.gov website is hacked on the level that the Sony PlayStation store was hacked a few years ago. The government would have to compensate the impacted users with free credit report monitoring at a minimum. All expenses incurred by a massive security breach of healthcare.gov would be the burden of the taxpayer.

Let me know your thoughts regarding this topic which keeps me up at night.

Jimmie Walker

Wednesday, September 25, 2013

The trials and tribulations of landing a Cyber Warrior position

Hi Anything Cyber community,

Please let me take this opportunity to vent. While I currently work as a federal government data security specialist, I would like to expand my horizons and work as a Cyber Security professional and be on the front lines of bringing those to justice who commit computer and network intrusions against United States critical infrastructure and corporations. In order to pursue my goals in the public sector, many hurdles must be crossed.

Although I already possess a clearance due to my current position, to serve as a Cyber Warrior I need to obtain the top level of clearance to have access to ultra-sensitive data that could cause grave damage to national security if leaked to unauthorized individuals. To gain a top clearance, you must: complete a long form asking for your life story and any illegal doings in your past; consent to an interrogation via a polygraph session; complete an interview to be considered for the position; obtain final approval that you're qualified for a top level clearance; and wait at least 9-12 months for a start date. Ok, so security clearance achieved and now is the time to start performing Cyber Warrior work. Not so fast. This thing called a government "hiring freeze" is preventing people qualified for Cyber Warrior positions like myself from getting a start date. Of course, an exemption request can be submitted so that a government agency can hire despite the hiring freeze but of course that can take months to get approved or disapproved.

When you sum it all up, getting a Cyber Warrior position with the government can easily consume a year or more of your life from submitting your application to starting the new position. That's a year of your family members, your current employer, and all the people who are interviewed (to vouch for whether or not you can be trusted) asking when you will start your new position. The Cyber Warrior position better be worth it!

Regards,

Jimmie