Friday, April 29, 2016

Jesus is on the Mainline

Earlier this year, the Fed let us know that it had misplaced 81 million dollars. This was the bad news. The good news is, that due to a misspelled bank transfer document, they had adverted a loss of nearly a billion. Dollars. Billion with a "b".
Now for more bad news (from Reuters):
The disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cyber theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank. SWIFT has acknowledged that the scheme involved altering SWIFT software on Bangladesh Bank's computers to hide evidence of fraudulent transfers.
 At the time, I told an associate that they would find that access was gained through social engineering. This does nothing to lessen this suspicion:

BAE's evidence suggested that hackers manipulated SWIFT's Alliance Access server software, which banks use to interface with SWIFT's messaging platform, to cover their tracks.BAE said it could not explain how the fraudulent orders were created and pushed through the system. Bit SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar. It said that the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.
Yes there are entirely technical means to accomplish this, but why pick the lock when you can kick down the door?


Last month the IRS issued a warning that CEO's were being either targeted or spoofed to obtain employee information. This isn't exactly new, but the more focused phishing attacks (known as "Whaling") show the increasing sophistication of this new generation of social engineers. Of course your CEO, CFO, or COO is going to be a juicier target because, as Willie Sutton put it, "That's were the money is."
This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
This follows the trend of more closely targeted phishing attempts, where a few minutes of Googling can produce an "in" that is much less risky than traditional social engineering ploys.

Remind your C level people that they are targets too. They need the training you are no doubt providing to the rest of the company just as much or more than the intern who is right now propping up the water cooler.

Wednesday, April 27, 2016

Pay Me

There is a lot of news lately about a specific form of malware called "ransom ware". Some experts say that it may have replaced credit card heisting as the popular way to earn an elicit buck on the web. Since 2014, when figures were first compiled, it has risen from a paltry 30 million dollar a year enterprise to such a level that one magazine has called 2016 the Year of Ransom Ware. I'm guessing that means considerably more than 30 million bucks this year.
The problem is that as far as I know there is only two ways to combat this. One is white listing, which interferes with the malware being able to phone home to the Command and Control server (usually some unwitting third party's less than secured server) and therefore start the insidious process that eventually leads to a pleasant message like "Say, nice data you got dere. Shame if somtin' was to happen to it. Send me Bitcoin and nosbody gets hurt." But white listing is going to be extremely unpopular with your users, as well as a giant pain in the butt to administer. I, for one, am unwilling to be put in the position of In-House Internet Hall Monitor.
The other is regular backup. This is the thermonuclear option, as you end up losing the data that was generated post ransom ware, but hey, at least you aren't paying off the pirates that have hijacked your excel files.
There are some precautions. You can lock down your systems to make it difficult for .exes to run. This is probably the strongest protective measure. Unfortunately you pretty much have to exclude your admins from this, and admins are just as human as the rest of us, all evidence to the contrary. Someone in a hurry, or distracted will click on the "Are you sure?" button eventually, and you will be cursing Russian cyber mobsters just the same as in the old days.
Kapersky and a few others have some of the signatures to some versions of Cryptoyouarescrewed et. al., but of course this beast is polymorphic, so they can't fully protect you.
As always, the best defense is education. Almost all of these ransom wares propagate through email attachments or "water holes", so keeping your users up to date on the latest ways of reaching them and reinforcing training like a knowledge jackhammer is your main option. I suggest monthly 15 minute training sessions, reinforced by posters, screen savers and emails.
Or I guess you could just pay up.

Wednesday, April 13, 2016

Blue Suit, Red Cape and Red Boots

No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you, your customers are letting you know, as well as your screaming bottom line

At the same time your work day and productivity is being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?

The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.

Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.

New and even more stringent regulations are on the way. How you keep your client's data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.

Tuesday, April 12, 2016

There's a Kind of Hush

I just received, from a major training company, an offer for their latest product--- a computer-based training on security for end users. It seems reasonably priced, at a little less than 50 bucks per user---- which is much more than most companies are willing to spend on something like this, reasonable or not, at least until they have a major expensive data breach and then the perspective changes. But the money phrase was hidden in the littl clip below:

Business owners and IT departments beware: your users are the weakest link of your computer and information security plan. Show all your users this training, plus make it a part of new user orientation, and you'll see benefits and cost savings across the board...

...Every company with a computer needs this series. These 6 hours of training videos can be invaluable in strenghtening your security's weakest link.

Six hours? I can hardly get users to sit still for 15 minutes, once a quarter, and I am a pretty dynamic speaker. The whole point of training is to cause the trainee to, you know... learn something. Six butt-numbing hours of computer-based training for users who resent anything concerning that blinking box that interferes with their actual job is somehow a good idea?
Wow. Just wow.

Thursday, April 07, 2016

3 I's

The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years, but fewer than a dozen prosecutions. In fact, according to Inspector General of HHS, the Center for Medicare and Medicaid, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."

Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.

So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now haven't really felt all that much pressure? For many it means changing the view they have had about compliance. Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.

Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. No matter what systems, programs rules or processes we come up with, if they are not designed to impact the end user as little as possible, then they will be bypassed. History has shown us that as little as one extra step in a work sequence will cause end-users to find ways to bypass or ignore them, unless the user perceives the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA related, are seen by many as timewasters and barriers to providing care to patients. If the end user experience is not included in compliance planning, then whatever solutions chosen will inevitably fail.

Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked on compliance solution will be resource wasting, time wasting, and ultimately ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end-users to judge which of two parallel systems to use leads to frustration at best. Systems should be chosen to maximize ease of integration with what already is in use.

Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't. You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users and make certain that what you do is what they should be doing, too.

Three I's: invisibility, integration, and integrity. Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.

Wednesday, April 06, 2016

Back to the Basics

There has been a rash of reporting of data theft lately that has a very strange effect of causing many to become complacent about their data protection measures because, after all, their system is working.The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night googles, and makes off with a Bottecelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing because nothing is actually missing.So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.
*First posted several years ago, but danggg! All that was old is new and biting us on the tender side.

Tuesday, April 05, 2016

A Blast from the Past

From 2005....

Outstanding article from TechWorld on the conflict between IT security and regulatory compliance:

Regulations, by their nature, are static, while IT security is dynamic, reacting to new threats, anticipating future attacks, working to shore up previous weaknesses and new vulnerabilities. HIPAA tried to address this dichotomy by making the regulations non-technology specific, and to some extent it worked. But there is still that dynamic tension between the 97 pound weakling of your IT budget and the bully who is kicking regulatory sand in his face.
This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.
No matter how much things change, they stay the same.

You Really Got Me

Late last week, in an almost unprecedented joint warning by the US and Canadian Governments, we were treated to an almost apocalyptic notice about the latest scourge of the internet, ransomware.
You know what? It is about time. The threat of someone holding your data encrypted and only giving it back if you send them money is thuggery at its lowest. "Nice data youse got there. It would be a shame it sometin' was to happen to it, eh?"
The simple truth is that the entire vector of this particularly venal form of malware is through social engineering, better known as the junction between poor training and simple human error. Nearly every reported instance of ransomware has been invited in by someone clicking on a email attachment. Every one.
Here's the recommendation from the very smart guys at US-CERT:
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits andSafeguarding Your Data for additional details.
What this leaves out is that very important protection: user training. It is vitally important that your personnel be trained regularly in security awareness and the many, many methods of social engineering. Once a year, to check off some compliance form is not enough. To be truly effective, there needs to be at least quarterly, interesting, and really scary training that keeps how important maintaining constant vigilance is at the forefront of your users' attention. Supplement this with reminders like calendars, screen savers and posters. Make it a part of the fabric of everyday work flow. Have everyone repeating the mantra that Security is Everyone's Responsibility. Because it is, and it is past time that we stop relying on technical controls and blaming the poor security guy (if we even have one!) when things go seriously south, and some Romanian asshat has locked us out of our system and wants $6000.00 to free us from our own stupidity.