Vietnam's Tien Phong Bank came forward claiming to be the second bank that was attacked with a fake message sent through The Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system.
Might be cash under the mattress time, or should I use an old coffee can and bury it out back? Do they still sell coffee in cans?
According to CNBC, Tien Phong said in a statement Sunday it had identified and stopped a suspicious request made through SWIFT to transfer $1.1 million. The bank said the transfer request came through a third-party vendor it uses to connect to the SWIFT system. While the vendor was not named, Tien Phong said it has switched to another company.
SWIFT announced last week that a second bank had been targeted, but did not identify the institution. In February hackers breached The Bangladesh Central Bank, stealing credentials needed to authorize payment transfers via the SWIFT messaging system from the country's monetary reserves in the Federal Reserve Bank of New York to fraudulent accounts based in the Philippines and Sri Lanka. (from SC Magazine)
Tuesday, May 17, 2016
Money Money Money Money
More banking goodness. The first (that we know of) exploit of SWIFT was on the Bank of Bangladesh, and supposedly involved 3 separate exploits, according to SANS. This one is newish and just as disturbing.
Friday, May 06, 2016
Are you down with ransomware?
The third largest utility in Michigan, Lansing BWL, was hit by ransomware and their corporate systems have been down for a week. Not their facility controls, thank you, just their central business and outage reporting system.
If only there was some sort of warning! It's not like this has been in the media or federal organizations have been warning us:
https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise
http://www.cbsnews.com/news/warning-issued-over-new-strain-of-ransomware/
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
So down for a week is insane. They should have had regular backups on their corporate systems. Let me repeat that in all caps. THEY SHOULD HAVE HAD REGULAR BACKUPS ON THEIR CORPORATE SYSTEMS.
Here is an article from Naked Security, "8 tips for preventing ransomware". Notice tip #1:
If you do get infected with ransomware, unless you’ve got back-ups, or the crooks made some kind of cryptographic mistake, you’re left with either paying or losing your locked up files forever.
Prevention is far better than a cure. So here are 8 tips to protect yourself against ransomware.
1. Back up your files regularly and keep a recent backup off-site. The only backup you’ll ever regret is one you left for “another day.” Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed up data so only you can restore it.
Like the hospital in California that was down for a week, there is no way that they were in any way compliant with any standards, as every security standard from HIPAA to FERPA requires regular backup.
Wednesday, May 04, 2016
Fake Ransom Ware?
The latest from the “are there no depths” crowd: fake ransom ware.
Another thing to be aware of.
“There are a number of examples where true encryption doesn’t occur. Instead, cyber criminals rely on the social engineering edge of the attack to convince people to pay,” warns Grayson Milbourne, director of security intelligence at Webroot.
So yet another reason to hate these guys.
Is it real or fake?
It takes only a few seconds to confirm whether it’s a real infection or a social engineering scam.
If the ransom demand includes the name of the ransomware, then there’s no mystery, and you're in trouble. Ransomware families that identify themselves include Linux.Encoder -- the first Linux-based ransomware -- which clearly says “Encrypted by Linux.Encoder.” CoinVault identifies itself by listing the support email address. TeslaCrypt and CTB-Locker are also among the well-known ransomware families that tell you who is holding your files hostage."
The only solution is to train yourself and your people so that they are not caught by real or fake ransom ware demands.
I think that finally there is something that would suck more than paying the ransom to get your files decrypted: paying the ransom to get your files decrypted when they were never encrypted at all.
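The "is it real or fake?" question above can also be settled from the files themselves rather than from the wording of the note. The following added example (not code from the original post or the article it quotes) checks whether files a ransom note claims to have encrypted still carry a valid format header, and how random their bytes look; the sample directory, file names and the 7.5 bits/byte threshold are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Well-known magic bytes for a few common document and image formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "legacy office (OLE)",
}
ENCRYPTED_ENTROPY = 7.5  # bits/byte; ciphertext and compressed data sit near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(head: bytes):
    """Name the format if the first bytes match a known header, else None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def assess_file(path: str, sample_size: int = 4096) -> dict:
    """Verdict for one file: 'intact', 'likely_encrypted' or 'unknown'.

    A valid header means the content was not encrypted, whatever the note or
    the new extension says.  No header plus near-random bytes looks like real
    ciphertext.  Plain text and unrecognised formats land in 'unknown' and
    need a manual look.
    """
    with open(path, "rb") as f:
        head = f.read(sample_size)
    fmt = identify(head)
    ent = shannon_entropy(head)
    if fmt is not None:
        verdict = "intact"
    elif ent > ENCRYPTED_ENTROPY:
        verdict = "likely_encrypted"
    else:
        verdict = "unknown"
    return {"name": os.path.basename(path), "format": fmt,
            "entropy": round(ent, 2), "verdict": verdict}


def assess_directory(root: str) -> dict:
    """Assess every file under root and say whether the ransom claim holds up."""
    results = [assess_file(os.path.join(d, n))
               for d, _, files in os.walk(root) for n in sorted(files)]
    summary = Counter(r["verdict"] for r in results)
    return {"files": results, "summary": dict(summary),
            "ransom_note_credible": summary["likely_encrypted"] > 0}


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not a real incident): a PDF that a 'fake'
    locker merely renamed, a genuinely scrambled file, and the note itself."""
    pdf = b"%PDF-1.4\n% constructed sample, not a real document\n" + b"0" * 200
    with open(os.path.join(root, "report.pdf.locked"), "wb") as f:
        f.write(pdf)
    # Deterministic stand-in for ciphertext: a chain of SHA-256 digests.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(root, "budget.xlsx.locked"), "wb") as f:
        f.write(blob)
    with open(os.path.join(root, "README_FOR_DECRYPT.txt"), "w") as f:
        f.write("All your files are encrypted. Pay to get them back.\n")


def demo() -> dict:
    """Run the check over the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return assess_directory(root)


if __name__ == "__main__":
    report = demo()
    for r in report["files"]:
        print(f'{r["name"]:26} {str(r["format"]):22} {r["entropy"]:5.2f}  {r["verdict"]}')
    print("summary:", report["summary"], "| note credible:", report["ransom_note_credible"])
```

The renamed PDF is reported as intact even though the note calls it encrypted, which is exactly the case where paying would buy nothing.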
Monday, May 02, 2016
Preventing Cybercrime
In the cyber crime world, there is no such thing as a bullet-proof defense. However, the risk of data-loss, unauthorized access, or other undesirable intrusions can be reduced or nearly eliminated by taking some basic precautions. Among them:
1. Ensure that all accounts have unique passwords. All passwords should be difficult to guess. A strong policy is like having a good lock on the front door. Passwords should not be a word found in the dictionary or a given name. Instead, passwords should be made of random upper- and lower-case letters, numbers and symbols. Each password should contain at least 3 of the four, and should be no shorter than eight characters. Passwords should be changed every three months, or if there is any reason to believe that a password has been compromised.
2. Update the network configuration as soon as vulnerabilities become known. Leaving a known vulnerability open is very foolish. Any incorrect or compromised network configuration needs to be corrected immediately, and care taken that new ones don’t arise. Proper change management procedures can mitigate this.
3. Apply upgrades and patches promptly. Applications and operating systems may contain hundreds of thousands, even millions of lines of code. Vulnerabilities are discovered all the time. Even a mature, stable, tested and well-written application like QuickBooks 2010 had 13 revisions after its release. Operating systems may be released with hundreds of vulnerabilities that are not discovered until after release. Upgrades and patches must be applied as soon as the vulnerability is discovered and a patch for it released.
4. Check log files regularly to detect and trace intruders. Log files are useful for finding and patching holes, as well as detecting intrusion attempts and unauthorized use escalation. They can be used for mapping problems between account names and security IDs, finding incorrect permissions for performing tasks, problems with trust relationship between the primary domain and trusted domains and errors that may be caused by a number of different problems.
5. Train all employees to identify and avoid cyber crime attacks. Train all users to report any suspected phishing attempts or potential security breaches. Proper training in cyber crime prevention can help users to counter viruses, phishing attacks and computer-based identity theft. Nearly all fraud and identity theft happens at the user level. Proper training makes users aware and prepared.
Training, awareness and preparation can make an enormous difference in avoiding and preventing cyber crime.
Friday, April 29, 2016
Jesus is on the Mainline
Earlier this year, the Fed let us know that it had misplaced 81 million dollars. This was the bad news. The good news is that, due to a misspelled bank transfer document, they had averted a loss of nearly a billion. Dollars. Billion with a "b".
Now for more bad news (from Reuters):
The disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cyber theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank. SWIFT has acknowledged that the scheme involved altering SWIFT software on Bangladesh Bank's computers to hide evidence of fraudulent transfers.
At the time, I told an associate that they would find that access was gained through social engineering. This does nothing to lessen this suspicion:
BAE's evidence suggested that hackers manipulated SWIFT's Alliance Access server software, which banks use to interface with SWIFT's messaging platform, to cover their tracks.
BAE said it could not explain how the fraudulent orders were created and pushed through the system. But SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar. It said that the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.
Yes, there are entirely technical means to accomplish this, but why pick the lock when you can kick down the door?
"Whaling"
Last month the IRS issued a warning that CEOs were being either targeted or spoofed to obtain employee information. This isn't exactly new, but the more focused phishing attacks (known as "whaling") show the increasing sophistication of this new generation of social engineers. Of course your CEO, CFO, or COO is going to be a juicier target because, as Willie Sutton put it, "That's where the money is."
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
This follows the trend of more closely targeted phishing attempts, where a few minutes of Googling can produce an "in" that is much less risky than traditional social engineering ploys.
Remind your C level people that they are targets too. They need the training you are no doubt providing to the rest of the company just as much or more than the intern who is right now propping up the water cooler.
Wednesday, April 27, 2016
Pay Me
There is a lot of news lately about a specific form of malware called "ransom ware". Some experts say that it may have replaced credit card heisting as the popular way to earn an illicit buck on the web. Since 2014, when figures were first compiled, it has risen from a paltry 30 million dollar a year enterprise to such a level that one magazine has called 2016 the Year of Ransom Ware. I'm guessing that means considerably more than 30 million bucks this year.
The problem is that as far as I know there are only two ways to combat this. One is white listing, which interferes with the malware being able to phone home to the Command and Control server (usually some unwitting third party's less than secured server) and therefore start the insidious process that eventually leads to a pleasant message like "Say, nice data you got dere. Shame if somtin' was to happen to it. Send me Bitcoin and nobody gets hurt." But white listing is going to be extremely unpopular with your users, as well as a giant pain in the butt to administer. I, for one, am unwilling to be put in the position of In-House Internet Hall Monitor.
The other is regular backup. This is the thermonuclear option, as you end up losing the data that was generated post ransom ware, but hey, at least you aren't paying off the pirates that have hijacked your Excel files.
There are some precautions. You can lock down your systems to make it difficult for .exes to run. This is probably the strongest protective measure. Unfortunately you pretty much have to exclude your admins from this, and admins are just as human as the rest of us, all evidence to the contrary. Someone in a hurry, or distracted will click on the "Are you sure?" button eventually, and you will be cursing Russian cyber mobsters just the same as in the old days.
Kaspersky and a few others have some of the signatures to some versions of Cryptoyouarescrewed et al., but of course this beast is polymorphic, so they can't fully protect you.
As always, the best defense is education. Almost all of these ransom wares propagate through email attachments or "watering holes", so keeping your users up to date on the latest ways of reaching them and reinforcing training like a knowledge jackhammer is your main option. I suggest monthly 15 minute training sessions, reinforced by posters, screen savers and emails.
Or I guess you could just pay up.
Wednesday, April 13, 2016
Blue Suit, Red Cape and Red Boots
No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you; your customers are letting you know, as well as your screaming bottom line.
At the same time your work day and productivity is being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?
The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.
Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go-to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.
New and even more stringent regulations are on the way. How you keep your clients' data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.
Tuesday, April 12, 2016
There's a Kind of Hush
I just received, from a major training company, an offer for their latest product: a computer-based training on security for end users. It seems reasonably priced, at a little less than 50 bucks per user, which is much more than most companies are willing to spend on something like this, reasonable or not, at least until they have a major expensive data breach and then the perspective changes. But the money phrase was hidden in the little clip below:
Business owners and IT departments beware: your users are the weakest link of your computer and information security plan. Show all your users this training, plus make it a part of new user orientation, and you'll see benefits and cost savings across the board...
...Every company with a computer needs this series. These 6 hours of training videos can be invaluable in strengthening your security's weakest link.
Six hours? I can hardly get users to sit still for 15 minutes, once a quarter, and I am a pretty dynamic speaker. The whole point of training is to cause the trainee to, you know... learn something. Six butt-numbing hours of computer-based training for users who resent anything concerning that blinking box that interferes with their actual job is somehow a good idea?
Wow. Just wow.
Thursday, April 07, 2016
3 I's
The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years, but fewer than a dozen prosecutions. In fact, according to the Inspector General of HHS, the Center for Medicare and Medicaid, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."
Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.
So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now haven't really felt all that much pressure? For many it means changing the view they have had about compliance. Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.
Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. No matter what systems, programs, rules or processes we come up with, if they are not designed to impact the end user as little as possible, then they will be bypassed. History has shown us that as little as one extra step in a work sequence will cause end-users to find ways to bypass or ignore it, unless the user perceives the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA related, are seen by many as timewasters and barriers to providing care to patients. If the end user experience is not included in compliance planning, then whatever solutions are chosen will inevitably fail.
Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked on compliance solution will be resource wasting, time wasting, and ultimately ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end-users to judge which of two parallel systems to use leads to frustration at best. Systems should be chosen to maximize ease of integration with what already is in use.
Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't. You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users and make certain that what you do is what they should be doing, too.
Three I's: invisibility, integration, and integrity. Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.
Wednesday, April 06, 2016
Back to the Basics
There has been a rash of reporting of data theft lately that has a very strange effect of causing many to become complacent about their data protection measures because, after all, their system is working.
The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night goggles, and makes off with a Botticelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing because nothing is actually missing.
So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.
*First posted several years ago, but danggg! All that was old is new and biting us on the tender side.
Tuesday, April 05, 2016
A Blast from the Past
From 2005....
Outstanding article from TechWorld on the conflict between IT security and regulatory compliance:
Regulations, by their nature, are static, while IT security is dynamic, reacting to new threats, anticipating future attacks, working to shore up previous weaknesses and new vulnerabilities. HIPAA tried to address this dichotomy by making the regulations non-technology specific, and to some extent it worked. But there is still that dynamic tension between the 97 pound weakling of your IT budget and the bully who is kicking regulatory sand in his face.
This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.
No matter how much things change, they stay the same.
You Really Got Me
Late last week, in an almost unprecedented joint warning by the US and Canadian Governments, we were treated to an almost apocalyptic notice about the latest scourge of the internet, ransomware.
You know what? It is about time. The threat of someone holding your data encrypted and only giving it back if you send them money is thuggery at its lowest. "Nice data youse got there. It would be a shame it sometin' was to happen to it, eh?"
The simple truth is that the entire vector of this particularly venal form of malware is through social engineering, better known as the junction between poor training and simple human error. Nearly every reported instance of ransomware has been invited in by someone clicking on an email attachment. Every one.
Here's the recommendation from the very smart guys at US-CERT:
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
What this leaves out is that very important protection: user training. It is vitally important that your personnel be trained regularly in security awareness and the many, many methods of social engineering. Once a year, to check off some compliance form, is not enough. To be truly effective, there needs to be at least quarterly, interesting, and really scary training that keeps the importance of constant vigilance at the forefront of your users' attention. Supplement this with reminders like calendars, screen savers and posters. Make it a part of the fabric of everyday work flow. Have everyone repeating the mantra that Security is Everyone's Responsibility. Because it is, and it is past time that we stop relying on technical controls and blaming the poor security guy (if we even have one!) when things go seriously south, and some Romanian asshat has locked us out of our system and wants $6000.00 to free us from our own stupidity.
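The US-CERT item about macros in email attachments can be enforced at the mail gateway instead of left to the user. What follows is an added example, not code from this blog or from US-CERT: a small attachment screener that opens modern Office files (which are zip containers) and looks for the vbaProject.bin part that holds VBA macros, flags legacy binary Office files for review because their macro content cannot be checked this cheaply, and quarantines executable attachment types. The sample attachments at the bottom are constructed in memory so the script runs offline; the verdict names and the helper function names are my own choices.

```python
"""
Gateway-side attachment screening for the "avoid enabling macros" recommendation.

Added example (not from the blog or US-CERT). Design notes:
  * OOXML files (.docx/.xlsx/.pptx and the macro-enabled .docm/.xlsm/.pptm)
    are zip containers; a VBA project is stored as a part named vbaProject.bin.
    We inspect the container rather than trusting the file extension.
  * Legacy binary Office files (.doc/.xls/.ppt) start with the OLE2 magic bytes
    D0 CF 11 E0 A1 B1 1A E1; telling whether they carry macros needs a full
    OLE parser, so they are routed to human review instead.
  * Executable script/binary types are quarantined outright, which also covers
    "double extensions" such as statement.pdf.exe.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
EXEC_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "vbe", "bat", "cmd",
                   "ps1", "hta", "wsf", "jar", "com", "pif"}
LEGACY_OFFICE = {"doc", "xls", "ppt", "dot", "xlt", "pot"}
SEVERITY = {"allow": 0, "review": 1, "quarantine": 2}


def _extensions(filename):
    """All extensions of the base name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return base.split(".")[1:]


def has_vba_project(data):
    """True if `data` is a zip (OOXML) container that carries a VBA project part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Looks like a zip but is not one: nothing to inspect, other checks decide.
        return False


def screen_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'quarantine'."""
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXEC_EXTENSIONS:
        return "quarantine", f"executable attachment type .{last}"
    if has_vba_project(data):
        # Decided on content, so a macro file renamed to .docx is still caught.
        return "quarantine", "Office document contains a VBA project (macros)"
    if data.startswith(OLE2_MAGIC) or last in LEGACY_OFFICE:
        return "review", "legacy binary Office format; macro presence not verifiable here"
    return "allow", "no macro or executable indicators"


def screen_message(attachments):
    """Screen every (filename, bytes) attachment; the message gets the worst verdict."""
    details = [(name, *screen_attachment(name, data)) for name, data in attachments]
    worst = max((d[1] for d in details), key=SEVERITY.__getitem__, default="allow")
    return worst, details


def make_ooxml(with_macros):
    """Constructed stand-in for a Word OOXML file (minimal parts, built in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample message: one clean document, one macro file disguised
    # as .docx, one legacy .doc and one double-extension executable.
    samples = [
        ("memo.docx", make_ooxml(False)),
        ("invoice.docx", make_ooxml(True)),
        ("old_report.doc", OLE2_MAGIC + b"\x00" * 8),
        ("statement.pdf.exe", b"MZ\x90\x00"),
    ]
    verdict, details = screen_message(samples)
    for name, v, why in details:
        print(f"{v:10} {name}: {why}")
    print("message verdict:", verdict)
```

The key design point is that the macro decision is made on the container's contents, not the file name, so renaming a .docm to .docx does not get it past the check. Legacy .doc/.xls files cannot be cleared this cheaply, which is why they are routed to review rather than silently allowed.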
Tuesday, March 29, 2016
Risky Business
So to kick this off, what do you suppose is the weakest link in any security system? If you said anything other than you, you are sadly mistaken. Estimates of the percentage of successful hacks perpetrated by simple social engineering are as high as 80%!
So what is social engineering? Simply put, it is attacking using the tool of human frailty. A guy with a clipboard is 5 times more dangerous to your security than any thug with a ski mask.
Check this out:
We all know the basics—strong passwords, two-factor authentication, and so on. However, the most recent security and privacy breaches have had less to do with bad passwords and more to do with social engineering. Let's look at what that is, why it can happen without you knowing, and how you can protect yourself.
At its heart, social engineering is an essential form of hacking—it works around or outside existing systems to obtain a desired result. And just as it can be used for innocent fun, it can also be used to steal identities, violate people's privacy, and cause serious harm. Just ask Mat Honan, who had his identity stolen a few years ago thanks to a little clever social engineering of support reps at Apple and Amazon. Now, we're seeing it again, no thanks to the celebrity photos leaked and lurking around the internet, obtained by social engineering, not brute force cracking or sloppy security. In this case, the intruders likely used known information to defeat security prompts, reset passwords, and obtain access to otherwise secured information. And the most interesting (and scariest) part is that this kind of social engineering is relatively easy given a little research into your target.
From the always excellent Lifehacker.
If you are going to keep any form of security or compliance, you need to have an aggressive policy and training program, because, in the immortal words of Pogo, "We have met the enemy and it is us."