Wednesday, July 31, 2013

The Biggest Threat To Enterprise Is The Thumb Drive

How did Iranian nuclear facilities was destroyed? With a thumb drive. And how did Snowden allegedly smuggle out the blueprints to the NSA? With a thumb drive.

No, it wasn't by some ultra secretive means of super-complex cyber code writing and cloud encryption by which good ol' Eddy breached America's security in arguably the most secure compound on the planet — nope — he simply walked in with a thumb drive, downloaded the NSA, and walked out.

Carl Weinschenk of IT Business Times breaks down how bad a threat flash drives can be:
The U.S. Department of Homeland Security ran a test in which staffers dropped flash drives in the parking lot of government and contractor buildings. Sixty percent of folks who picked them up simply plugged them into networked computers. That percentage jumped to 90 percent if the drive had an official logo.
The Washington Times breaks down the threat further by reminding everyone that a "number of commercially available programs can switch off the USB port of every computer on the network."

NSA officials “were laying down on their job if they didn’t disable the USB port,” an unnamed government IT the specialist told the Washington Times, referring to the small socket on the side of a computer where thumb drives are plugged in.

Organizations, whether they're public or private, have had difficulty enforcing Bring Your Own Device security measures now for a number of years. Certainly there are places in government buildings where there are NO recording devices or storage devices allowed under ANY circumstances.

Regardless, Snowden managed to get one in and get one out.

Monday, July 29, 2013

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloudsponsored by WatchDox, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

  • Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  • Only 19% said their organization knew how much regulated data was on mobile devices.
  • Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  • 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  • Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  • In the past two years, the average organization had almost 5 data breaches involving the loss of theft of a mobile device with regulated data on it.

What are the risks?

  1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
  2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
  3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
  4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
  5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

  1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
  2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
  3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
  4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Friday, July 26, 2013

Beware of Gumtree Scam: Scammer Targeted More Than 300 People on the Gumtree

Reports have emerged of series of scams, affecting people across Australia with similar scams on Gumtree

A male scam artist searches the wanted advertisements on site and then contacts the poster to say he has the item they are seeking.

The man then asks where the buyer lives and states he also lives nearby, but is working interstate so is unable to drop the goods off in person. Once the money is transferred to his account he ceases contact.

The scams have involved the attempted purchase of goods including mobile phones, iPads, electronic tablets and gift cards from stores including Coles, Myer and JB Hifi.

Reports of online scams can be made to the Australian Competition and Consumer Commission via www.scamwatch.gov.au or your specific country scamwatch website.

Monday, July 22, 2013

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, to anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (i.e. the financial sector), others are severely lacking and only just starting to implement measures (i.e. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Saturday, July 20, 2013

Cyber Threats: Trends in Phishing and Spear Phishing

Phishing is a global problem for businesses as well as individuals, targeting 37.3 billion people globally in the past year

Most of us have wisened up to basic scams and know better than to accept a Nigerian prince's offer of money, or a miraculous win on a Spanish lottery that you can't quite remember entering. But cyber criminals are raising their game and have evolved their tactics to target the more cyber-aware for greater returns.

Sophisticated 'spear phishing' attacks can be hard to spot by the experts; even the largest of organisations is not immune. What chance does this provide the average company or employee, let alone those who use computers infrequently?

Spear phishing is not random – cyber criminals identify employees within a target organisation and use social engineering tactics to construct a legitimate looking email. The FBI have warned business to be more aware of spear phishing tactics, as hackers target employees with administrative rights or access to critical systems.

91% of APTs (advanced persistent threats) start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks. Clicking a link doesn't mean that you are immediately compromised; phishing is part of a larger attack.

Hackers need to expose a system vulnerability and be able to install software quickly and quietly. However, cyber criminals use advanced tactics to disguise malicious attachments and sites to trick users into further action.

This infographic by Via Resource highlights trends and targets in phishing attacks.



Thursday, July 18, 2013

Forecast on Top Trends in Data Breach, Privacy and Security

12 trends in privacy and security

First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. Data breaches have evolved from credit card fraud with financial consequences to medical identity theft with life-threatening implications.

According to leading experts, the frequency, severity, and impact of data breaches are expected to escalate. Industry experts :

1. Global criminals: Criminals are now globally connected and increasingly part of organized crime rings.

2. Advanced persistent threat (APT): APT is the biggest threat to organizations, whereby hackers gain access to a network and remain there undetected for a long period of time.

3. Malicious attackers: Hacktivists and national states have an advantage over today’s defenders of corporate data and IT infrastructure.

4. Breaches affect everyone and everything: Breaches affect large and small businesses of all kinds, regardless of sophistication, and high- and low-tech information.

5. Information can be infinitely distributed, causing limitless damage: The electronic health information privacy breach epidemic is an unanticipated “game changer” in that health information can be stolen from anywhere in the world, distributed to an infinite number of locations for an infinite period of time and can cause limitless damage.

6. Increased enforcement risk: Regulators at both the federal and state levels in many foreign countries have become, and will continue to be, increasingly aggressive in investigating security breaches and obtaining substantial monetary settlements or penalties from responsible organizations.

7. Identity theft will not go away, until the issue of identity is solved: "Identity-proofing" consumers involves verifying and authenticating with numerous technologies, and the flexibility of consumers to recognize a slight trade-off of privacy for security.

8. Real-time prevention: The rate of exposure for personally identifiable information is now so great, we must concede that the data itself is no longer able to be protected. Our defensive strategy must now shift to real-time prevention of the abuse of this sensitive information by criminal elements.

9. More digital devices and technologies, to digitize personal data: Drones, utility smart meters, automated license plate readers, and more powerful facial recognition software - all used to collect and digitize consumers' sensitive personal data - will provide more opportunities for government to resell consumer data, forcing consumers to demand better privacy protections and read/approve/decline company privacy statements.

10. Many data breaches are avoidable if commonsense security practices are in place: In recent cases where companies experienced data breaches, the companies' security practices did not protect against even readily foreseeable threats. Companies need to use “reasonable and appropriate security measures” for handling consumers’ personal information.

11. Long-term monitoring: Data obtained by hacking, theft or unauthorized access, isn't always used immediately by the perpetrators. Organizations need to develop a tactical plan for incident response that includes persistent, long-term diligence and monitoring, due to the possibility of lag time that can occur between the time of the breach and the fraudulent use of consumer information.

12. Continued business naiveté: Corporations continue their delusional belief that data security and cyber privacy are a byproduct of purchasing better technology. It helps, but it's the human beings using the technology correctly (or not, in the case of most breaches) that actually delivers results. Forward-thinking companies will focus assets on training the stewards of their valuable data.

Sunday, July 14, 2013

Five Ways To Plump Your Security Program Without Going Broke

Some are quick, cheap and often free! Others require a little more time and critical thinking

Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization. Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach.

It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve. Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff. 

The hard stuff is in the next 30 percent." Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

Security experts offer five tips for enhancing security that don't cost a lot of cash — and sometimes no money at all — so companies can spend their security dollars on the hard stuff.

1. Patch security holes and identify vulnerabilities

Three of the top 10 botnets reported in February 2013 were more than 8 years old, according to Fortiguard Labs, the threat-researching arm of network security firm Fortinet Inc. in Sunnyvale, Calif. In the most successful attacks, the majority of those threats had been identified and fixed by vendors years earlier, said Derek Manky, global security strategist.

Companies need to keep patches up to date.

2. Install your free firewall and antivirus upgrades

A lot of people don't realize their basic support contracts with most vendors for support, firewalls and antivirus include free upgrades. If you don't have a strategy to revisit what the available technology is that you've already paid for, then you're missing out on a lot of new features and enhancements" that could prevent a security breach. 

Call your vendor and revisit our firewall and antivirus solution contracts.

3. Keep up with BYOD

Personal devices in the business environment are here to stay. Yet 79 percent of businesses had a mobile security incident in the past year, ranging from malicious apps downloaded to a mobile device to unsecure Wi-Fi connections to lack of security patches from services providers, according to a June mobile security report by Check Point Software Technologies.

These mobile security incidents cost companies between $100,000 and $500,000 in staff time, legal fees and resolution processes.

Organizations can improve mobile device security through BYOD agreements with users to ensure they take security precautions. The checklist should include installing available upgrades and patches; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed, according to the Computer Security Division of the National Institute of Standards and Technology.

4. Define a enterprise-wide security strategy

Nine out of 10 big companies lacked defined security strategy and security plans, or they re not tied with business goals and business objectives. There's no way to know if you're supporting business objectives unless you take the time to develop the security strategy and make they're sure they're doing the most important things for overall risk reduction. 

5. Educate Employees

Successful attacks are usually ones that exploit the human mind. Humans are always the weakest link in the chain.

Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.

Tuesday, July 9, 2013

10 Principles To Guide Companies in Creating and Implementing Incident Response Plans

It's common that many companies have response plans but don't truly operationalize them!

With cyber criminals successfully targeting organizations of all sizes across all industry sectors, organizations need to be prepared to respond to the inevitable data breach.

A response should be guided by a response plan that aims to manage a cyber security incident in such a way as to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs.

Here are 10 principles to guide companies in creating and implementing incident-response plans:
  1. Assign an executive to take on responsibility for the plan and for integrating incident-response efforts across business units and geographies.
  2. Develop a taxonomy of risks, threats, and potential failure modes. Refresh them continually on the basis of changes in the threat environment.
  3. Develop easily accessible quick-response guides for likely scenarios.
  4. Establish processes for making major decisions, such as when to isolate compromised areas of the network.
  5. Maintain relationships with key external stakeholders, such as law enforcement.
  6. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
  7. Ensure that documentation of response plans is available to the entire organization and is routinely refreshed.
  8. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
  9. Identify the individuals who are critical to incident response and ensure redundancy.
  10. Train, practice, and run simulated breaches to develop response "muscle memory." The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers' awareness and fine-tuning their response capabilities.

An effective incident response plan ultimately relies on executive sponsorship. Given the impact of recent breaches, we expect incident response to move higher on the executive agenda. Putting the development of a robust plan on the fast track is imperative for companies.

When a successful cyber attack occurs and the scale and impact of the breach comes to light, the first question customers, shareholders, and regulators will ask is, "What did this institution do to prepare?"

Sunday, July 7, 2013

Hackers can control almost all Android phones

NINETY-nine per cent of all Android devices are vulnerable to hacking or being completely taken over remotely by cyber criminals

This is the claim of a study by BlueBox security, a mobile security company which claims it has discovered a flaw in the operating system of almost all Google phones and tablets (which runs on the operating system Android) that allows hackers to modify its code in a way that "turns any legitimate application into a malicious Trojan" virus.

The company claims this vulnerability exists on any Android phone or tablet released over the last four years, affecting approximately 900 million devices.

According to the researchers the issue is central to Google's open source operating system and so far only one device has been patched.

The way it works:

Rather than creating a malicious app, cyber criminals wait for legitimate apps to be approved for sale and then go in and modify the code after and create an exploit that allows them to take over people's phones via the app.

This flaw would allow hackers to access your passwords, credit card information, emails, any information you store on your phone.

So what can I do about this?

  • Do not allow apps from unkown sources. To do this go to Settings, Security and untick "allow unknown sources".
  • It's recommended that users update their operating system to the latest version.
  • if you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately.
  • Remove any personal information from your phone (do you have your credit card pin stored in your notes?

Friday, July 5, 2013

Why Security Teams Fail PCI Audits?

5 Key Challenges in the way of successful auditing!

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standards (PCI DSS) compliance - which offers comprehensive standards to enhance payment card data security - is an absolute must.

But for most, ensuring continuous compliance (the ongoing monitoring of rules rather than waiting for audits to show non-compliance) with the vast and ever changing set of rules can be a real drain on resources. 

The 5 'C's

Undoubtedly one or all of the following challenges are getting in the way of successful auditing…the five 'C's:

Complexity- enterprises have hundreds of firewalls, routers and switches, all with their own complex configurations and thousands of access rules. All have to be tracked and catalogued which makes it almost impossible to comply with all the PCI DSS rules.

  • Change - hundreds of changes every week amounts to thousands of changes to track from one audit to the next. The combination of rapid change and time pressures mean mistakes happen which can leave businesses wide open.
  • Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can compromise cardholder data, which can leave businesses compromised until their next audit.
  • Compliance - audits are time intensive and usually changes are unchecked between audits making the process even more laborious. Yet businesses cannot afford to fail an audit.
  • Communication - poor communication and a siloed culture of app owners and IT security can mean a comprehensive compliance check between audits is extremely complicated and difficult to manage.

PCI DSS auditing doesn't always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process - by slashing time spent on repetitive, manual work so that security teams can focus on strategic tasks such as security architecture, research and education.

Thursday, July 4, 2013

New Targets for Hackers - Plane Cockpit/Voice Hijacking?

Criminal hackers can generally be divided into two groups - thieves and showboats

They breach secure systems either to steal or simply to demonstrate that it can be done. A few recent hacking incidents indicate the showboat sector may be picking up steam.

Smartphone used to hack into a plane cockpit

The power and rapid evolution of technology is exposed by a security researcher armed with an Android.

"By using a Samsung Galaxy handset, Teso demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates. He was able to insert code into a virtual aircraft's Flight Management System, and by passing the code between the aircraft's computer unit and the pilot's display, Teso was able to take total control of what the aircrew would see in the cockpit.

Scientist's voice hijacked during high-profile presentation

Hackers accessed the computer synthesizer controlling Stephen Hawking's voice during a public speak he was making to a large audience, overriding his control and forcing him to make statements against his will.

"It wasn't until hours later when the Syrian Electronic Army - a group of hackers working in support of Bashar al-Assad - claimed responsibility for the attack, breaking into Stephen Hawking's voicebox one last time to announce "the Syrian Electronic Army was here" just as the scientist was leaving the stage."

Tuesday, July 2, 2013

Privacy: Did You Know?

Here's a quick round-up of some of the technologies and products collecting your information.