Safety First: Cyber Security Facts Every Business Owner Should Know!

It seems almost every week we hear about another hack affecting a large retailer or online service. Why are these happening more and more often, even with today’s heightened focus on security? It turns out there are a number of causes, and not all are under our control. This is a short introduction to the world of online attack and defense for the uninitiated.

Follow the Money
The primary reason online crime exists is — of course — money. Organized crime syndicates around the world have discovered that not only is cybercrime very profitable, but it is also much easier and less risky than running the standard drug and prostitution trades. You can pay a handful of young, bright individuals a lot of money to find ways to attack online businesses and still come out far ahead compared to the cost of running traditional rackets.

In addition, there are no geographical limitations. There are a large number of very sharp but unemployed computer science engineers in Eastern Europe or Southeast Asia, and they are typically underpaid compared to a lot of the Western world. All one has to do is recruit a number of these people, pay them fabulously (by local standards) to ease any ethical hesitation on their part, and go to work.

Once attacks have been created and planned, you need servers to work from. Unfortunately, it is trivial to find server hosting firms willing to look the other way in countries with little or no Internet regulation or oversight. Now, the world is your oyster. No matter where the attacks originate, they can reach anywhere in the world.

The Attacker Always Has the Advantage
Software is complex, and there are billions of lines of code running the world’s computers, networks and infrastructure. Statistically speaking, this means there are more bugs and vulnerabilities than you can imagine hidden in the software that you, your vendors, your e-commerce sites, your credit card processors (and so on) use every day. The attackers are typically not on any hard time schedule; they can take all the time they need to find the next major bug that you or your software vendor has yet to discover.

There are tools called fuzzers that feed hundreds of thousands of different malformed inputs into an application, looking for an unhandled error or other evidence of a new vulnerability, and password crackers that can try millions of combinations every second.

Even if you patch regularly, use Microsoft/Apple/Red Hat update, run antivirus, use firewalls and detectors, somewhere there will always be another vulnerability that no one has planned for. That’s not to say that these measures are useless – like locks on the door, they will at least keep the casual criminal at bay. But like the locks, they only decrease risk, they do not eliminate it.

Many recent big compromises have come from perhaps unexpected angles – an electronic cash register running Windows XP, or a network login used by the HVAC vendor to check the status of the AC system.

Successful attackers are creative, and like the thief, do not usually attack via the front door. As a defender, it is difficult or impossible to think of every possible avenue of attack. Even if these weaknesses are known, it may not be possible to update software provided by a third-party vendor and it is not realistic to cut off all access to the world.

Speaking of Money
Companies can and should implement a defense-in-depth strategy: an aggressive update and patching policy, network and application firewalls, code review from a security as well as a functional point of view during development, and regular security testing of external and internal websites and networks. However, like everything else, this costs money.

Security is not sexy, and does not in and of itself attract customers. When budget dollars are being allocated, it is always tempting to spend money developing the next release or feature. These days, money is always tight, and security (hardware, software, and personnel) is always a tempting target for benign neglect. In one recent hack, the internal sensors deployed had been alarming for weeks, but no one was paying attention! In certain large corporations, data hacks are just another form of business and reputational risk, and are sorted and prioritized along with everything else.

What Can One Do?
We are all at the mercy of companies we have no control over and no visibility into. Businesses such as large banks and online retailers have a high reputational risk and tend to be conscientious about their security. Smaller sites and businesses are largely an unknown. In addition, many large businesses do not do their own credit card processing, but rather delegate it to a third party processor that you know nothing about.

1. As a consumer, deal with large, reputable companies online whenever possible. Visible third party payment services such as PayPal are generally safe to use even from small business sites.

Use a credit card for online transactions – do not use a debit card as these have weaker consumer protections in the case of fraud. Check your credit card statement regularly and carefully. Fortunately, credit card companies are amazingly good at detecting fraud and will usually contact you if they notice anything funny.

2. As a smaller online presence, update, update, update! This includes server-side software such as PHP and any blogging or content management software you use. Regularly monitor the server logs for any sign of unusual or unexpected activity.

3. As a company with a website, see (2) above. Deploy firewalls and network sensors to detect suspicious activity (or ensure your hosting vendor does). Make sure your website gets audited and tested regularly for security issues by a firm that specializes in this.
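
What “unusual or unexpected activity” looks like in a server log, as an added example that is not part of the original post: a small Node.js script that reads access log lines in the usual Apache/Nginx “combined” format and flags clients that are asking for things an ordinary visitor never asks for. The log lines are constructed for the example, and the probe path list, the login-failure convention (POST to /login answered with 401) and the thresholds are assumptions you would tune for your own site.

```javascript
// Added example (not from the original post): flagging unusual activity in
// web server access logs. Sample lines are constructed; the probe path list,
// the 401-on-failed-login convention and the thresholds are assumptions.

// Fields of the Apache/Nginx "combined" log format that we care about:
// client IP, timestamp, method, path and status code.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // malformed line: skip it rather than crash the monitor
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Paths that real visitors of a small site rarely request but automated
// scanners try constantly (assumed list).
const PROBE_PATHS = [/\/wp-login\.php$/, /\/phpmyadmin/i, /\/xmlrpc\.php$/, /\.env$/, /\/\.git\//];

// Summarize per client IP and return the alerts that cross a threshold.
function analyze(lines, { notFoundLimit = 10, failedLoginLimit = 5 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const s = perIp.get(e.ip) || { requests: 0, notFound: 0, probes: 0, failedLogins: 0 };
    s.requests += 1;
    if (e.status === 404) s.notFound += 1;
    if (PROBE_PATHS.some((re) => re.test(e.path))) s.probes += 1;
    // Assumed convention: the login form answers a bad password with 401.
    if (e.method === "POST" && /\/login\b/.test(e.path) && e.status === 401) s.failedLogins += 1;
    perIp.set(e.ip, s);
  }
  const alerts = [];
  for (const [ip, s] of perIp) {
    if (s.notFound >= notFoundLimit) alerts.push({ ip, reason: "404 burst", count: s.notFound });
    if (s.probes > 0) alerts.push({ ip, reason: "scanner paths", count: s.probes });
    if (s.failedLogins >= failedLoginLimit) alerts.push({ ip, reason: "failed logins", count: s.failedLogins });
  }
  return alerts;
}

// Build a constructed combined-format line (timestamp fixed for brevity).
function logLine(ip, method, path, status) {
  return `${ip} - - [10/Jun/2014:13:55:36 -0400] "${method} ${path} HTTP/1.1" ${status} 512 "-" "Mozilla/5.0"`;
}

// Constructed sample: one ordinary visitor, one scanner, one password guesser,
// and one line that is not in log format at all.
const SAMPLE_LOG = [
  logLine("192.0.2.10", "GET", "/", 200),
  logLine("192.0.2.10", "GET", "/about.html", 200),
  logLine("192.0.2.10", "GET", "/old-page.html", 404),
  ...["/wp-login.php", "/phpmyadmin/", "/admin/", "/backup.zip", "/xmlrpc.php", "/.env",
      "/.git/config", "/cgi-bin/test", "/manager/html", "/db.sql", "/config.php", "/shell.php"]
    .map((p) => logLine("203.0.113.5", "GET", p, 404)),
  ...Array.from({ length: 6 }, () => logLine("198.51.100.7", "POST", "/login", 401)),
  "this line is not in log format and must be ignored",
];

for (const a of analyze(SAMPLE_LOG)) {
  console.log(`${a.ip}: ${a.reason} (${a.count})`);
}
```

Run it against a real file with `analyze(require("fs").readFileSync("access.log", "utf8").split("\n"))`. The point of counting per client rather than per line is that a single 404 is noise, while a dozen from one address in a row is a scanner.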

After Being Hacked
Computer forensics is a deep and complicated subject, and next steps depend on the systems involved and the nature of the hack. For all but trivial installations, it is best to contract the services of specialists for this. The only 100% safe solution is to wipe out everything and reinstall from the operating system on up, but this will not reveal how the attackers got in in the first place. You may well still be vulnerable.

Depressing Prospects?
The Internet is a gateway to the world, and to all the good and evil in it. If one is going to be on the Internet, one has to expect bad things may happen. Unlike a geographical “bad neighborhood,” any address on the Internet is easily reachable from any other place, so your Internet site is always just around the corner from bad actors. Just like a business in a bad neighborhood, if one is going to do business in this environment, one has to erect reasonable defenses, knowing full well that these defenses are not impregnable. However, the store with no bars and a glass door will certainly get broken into a lot quicker than the one next door that is properly defended.

Make your best efforts at digital defense in depth, patch as often as possible, monitor continuously. Get audited by professionals and implement their recommendations. These steps will not make you bulletproof, but will minimize the chances of successful attack, and will ensure any attack that does get through will be detected as soon as possible.

What Happens When You Click on a Bad Link

When you click on a link to open a web page, you are inviting the server on
the other end of the connection to query your machine and to execute code on
it. While it is true that not every web page queries your machine or
downloads code to it, the potential is always there.

Nearly every month there are new revelations about security flaws in browsers
or browser plugins: a new method of compromising a machine by getting a user
to visit a malicious web page has been found. Often the public announcement
comes at the same time that a security patch or update is available. But
sometimes the public announcement comes before a patch is available, sometimes
with the caution that exploits are already being observed on the Internet.
And of course, we all have to worry about what hasn’t been announced yet.

As recently as June 10, 2014 there were announcements from both Microsoft and
Adobe about recently discovered flaws that could lead to attackers being able
to remotely execute code when a user opens a malicious web page or opens a
file sent to the user. The flaws appeared in Adobe Flash, Adobe AIR, Internet
Explorer, Windows, and Microsoft Office including Word. Some of the Adobe
issues affect Macintosh, Android, and Linux as well.

Every time a user visits a web page, a User-Agent string is sent by the
user’s browser to the web server. An example User-Agent string is
“User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0.” This reveals to the web server the operating system being used
(here Windows 7, with a 32-bit browser on 64-bit Windows), the web browser
(Firefox) and their versions.

The browser will also tell the web server what types of content and encoding
it will accept, for example:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate

If the browser allows Javascript to run, and most configurations allow this by
default, the web server can also learn about installed plugins, installed
fonts, the screen resolution, color depth, and timezone. This information may
enable a web site to determine what code it could send to your browser that
would lead to a successful exploit. You may not think that a list of installed
fonts reveals much, but in some cases a combination of installed fonts might
reveal that a specific application has previously been installed on the
system.

The EFF Panopticlick web site <https://panopticlick.eff.org/> focuses on the
privacy issues: how web sites can identify users and track them even if the
user has limited or disabled cookies. Links provided on the site give some
information about what information it gathers and the techniques it uses.

Keeping your system up to date with all of the most recent security patches is
a good practice. However, keep in mind that your system is still susceptible
to vulnerabilities that vendors have not yet patched, or may not even be aware
of yet.

How to know your software vendor is serious about security

by Sue Poremba, Central Desktop, June 2014

According to a recent survey by Bitglass, more than half of large companies and a third of SMBs are avoiding cloud adoption. The reason is simple: companies of all sizes are not convinced the cloud is secure.

“Concerns about security are not only not decreasing; they’re increasing. A previous report from October 2011 indicated 25 percent of businesses expressed some concern over cloud security, but that figure increased to 42 percent in July 2013,” Chris Talbot wrote in a Talkin’ Cloud article.

Searching for cloud security

No matter how users feel about security, cloud computing is only going to grow. Gartner predicts that cloud computing will be the bulk of new IT-related spending by 2016, which follows the growth of mobile technologies and the rise of the global workforce. Cloud adoption will be inevitable for most companies, so the time has come to face the security questions head on.

Nothing connected to the Internet will ever be 100 percent secure. However, when IT departments and management work closely with software vendors, they can develop solutions that add layers of protection for data stored in cloud formats. That starts with knowing whether or not your software vendor is on the same page as you when it comes to cloud security.

Establishing an evaluation process

Businesses should have an established process for evaluating risk, evaluating vendors, and performing due diligence before signing a contract with a cloud vendor, says Paul Hill, senior consultant with SystemExperts, a network security consulting firm specializing in IT security and compliance. “If the business does not have experience doing this, it should consider engaging an experienced third party to assist in the process.”

There needs to be transparency in the process, Hill adds. The vendor needs to be forthcoming when it comes to its security practices and procedures, including how often it conducts security audits.

“Some vendors will only provide a copy of an annual certification or compliance letter, while other vendors are willing to share detailed reports performed by a third party assessor,” Hill says. “Unfortunately, a willingness to share details is not always an indicator of how secure the vendor actually is. It can also reveal overconfidence, or a lack of understanding how sensitive the information contained in an assessment may actually be.”

Questions to ask

Software vendors who take security seriously want clients to ask questions about security practices. But not everyone is familiar enough with security basics to know what those questions should be. According to Peter Lipa, regional director for Sticky Password, an encrypted password management company, here are some concerns that should be addressed:

  • Encryption: What algorithms are used for backend data storage?
  • Does the vendor have access to my data? If so, which vendor employees have access? What is the vendor’s screening policy for those employees?
  • How will my data be stored and protected?
  • Authentication: what type of authentication is required (i.e., single factor or two factor)? If the authentication system involves passwords, then how does the vendor handle passwords (are passwords sent to users in plain text, etc.)?
  • Access control: How are the various levels of access granted and controlled?
  • Basic vendor network security, such as firewalls and antivirus software
  • Data center physical security
  • Compliance with various regulations if needed – Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA). If your company uses credit cards, is the vendor PCI DSS compliant?

Multiple vendors may give similar answers. If that’s the case, Lipa suggests asking a few more questions:

  • Do the vendors have experience in providing the specific solution they are proposing? Can the SMB afford to be the test case?
  • Is the vendor able to provide the support plan that you need? Even an SMB can have requirements for 24/7 support for five 9s reliability. For others, a next business day response is more than enough.
  • Does the vendor meet any/all necessary regulations, compliance or certifications the customer needs?
  • Is the vendor able to provide multiple services, thereby saving the SMB from the trouble of having to contract with various providers?

Finally, don’t be afraid to ask for recommendations from other business owners and IT professionals. In the end, you have to be able to trust the vendor to provide a level of cloud security your company needs.

 

10 ways to strengthen web application security

Joe Stangarone, writer, MRC’s Cup of Joe Blog, June 17, 2014

Summary: A recent study finds that 96% of all web applications contain at least one ‘serious vulnerability.’ As cyber attacks rise, how can your company better protect your web applications and confidential data from a security breach?

Target . . . eBay . . . Monsanto.

What do those companies have in common? Each one suffered a massive security breach in the last few months. They’re not alone. Cyber attacks are on the rise, and will only get worse. The bigger problem: Most web applications are still vulnerable. This study from last year estimates that 96% of all web applications contain at least one ‘serious vulnerability.’

Security is a problem that will keep growing if not made a priority. It’s a problem that can compromise your customers’ sensitive data. It’s a problem that can cause irreparable damage to your company’s reputation. Today, let’s focus on security from a web application standpoint. How can you strengthen your web application security, and minimize your risk of a data breach? Here is one tip from SystemExperts (to see nine additional tips click here):

Use the principle of least privilege

Oftentimes, a business worries so much about outside attackers that it completely forgets about inside risks: namely, uneducated users with too many privileges. An uninformed user given free rein over a system can potentially cause just as much (if not more) damage as a hacker.

“If an application is protected by login, each user should have a role in the system that defines what they are allowed to do, and more importantly what they are not allowed to do,” says Mark Huss, Senior Consultant with SystemExperts. “Each user should only have sufficient privileges to perform tasks they need to do – and no more. This principle is called least privilege, and is very important to embrace in order to keep your application and infrastructure secure. At minimum, a normal role and a supervisor or administrator role should be defined and enforced, so that normal users cannot accidentally or intentionally view, change or delete data they should not have access to.”
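
One way to enforce the roles Huss describes, as an added example rather than code from the post or from SystemExperts: a role-to-permission table consulted from a single place, deny-by-default for any role or action not in the table, and an ownership rule so that a normal user’s “edit” permission does not reach other users’ records. The roles, the actions and the sample users below are assumptions made for the example.

```javascript
// Added example (not from the original post or from SystemExperts): least
// privilege enforced through a role-to-permission table. Roles, actions and
// sample users are assumptions for the example.

// Each role lists exactly the actions it may perform; anything absent is denied.
const PERMISSIONS = {
  user:       new Set(["record:view", "record:edit"]),
  supervisor: new Set(["record:view", "record:edit", "record:delete", "report:run"]),
  admin:      new Set(["record:view", "record:edit", "record:delete", "report:run", "user:manage"]),
};

// Deny by default: an unknown role, or an action the role was never granted,
// is refused. Normal users are additionally limited to records they own, so
// a permission to view or edit does not become a permission to touch
// everyone's data.
function authorize(user, action, record) {
  const granted = PERMISSIONS[user.role];
  if (!granted || !granted.has(action)) return false;
  if (user.role === "user" && record && record.ownerId !== user.id) return false;
  return true;
}

// Wrap a handler so the check cannot be forgotten: the handler runs only when
// authorize() allows it; otherwise a 403-style result comes back.
function protect(action, handler) {
  return (user, record) => {
    if (!authorize(user, action, record)) {
      return { status: 403, body: "forbidden" };
    }
    return { status: 200, body: handler(user, record) };
  };
}

const viewRecord = protect("record:view", (user, record) => `record ${record.id}: ${record.data}`);
const editRecord = protect("record:edit", (user, record) => `record ${record.id} edited by ${user.id}`);
const deleteRecord = protect("record:delete", (user, record) => `record ${record.id} deleted by ${user.id}`);

// Constructed sample users and data.
const alice = { id: "alice", role: "user" };
const bob = { id: "bob", role: "user" };
const carol = { id: "carol", role: "supervisor" };
const mallory = { id: "mallory", role: "guest" }; // role missing from the table
const bobsRecord = { id: 42, ownerId: "bob", data: "bob's order" };

console.log(viewRecord(bob, bobsRecord));      // 200: owner may view
console.log(viewRecord(alice, bobsRecord));    // 403: another normal user may not
console.log(deleteRecord(bob, bobsRecord));    // 403: normal users cannot delete
console.log(deleteRecord(carol, bobsRecord));  // 200: supervisor role may delete
console.log(viewRecord(mallory, bobsRecord));  // 403: unknown role, denied by default
```

The table is the whole policy: adding a capability means adding one entry, and a reviewer can read in a few lines what a normal user can and cannot do, which is much harder when the checks are scattered through individual handlers.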

 

Tips for Recent College Grads Looking to Go into IT

With graduation season coming to a close, I have been fielding calls from friends and relatives about job opportunities in the IT sector. While overall this is a difficult job market, those with the right credentials and contacts have a good chance of landing a solid entry level position. Here are a few tips I’d like to share with those still in school – because you really need to start thinking about that first job way before you march down the aisle with your classmates in your cap and gown.

Tip #1 — BE ACTIVE in the community of your field of study, whether online through forums and social media or in person by attending conferences and local gatherings. Being active in the IT community will help create professional connections. These connections are vital to finding the best job. In addition to being a great source for job leads and possibly interviews, your connections can offer advice on how to succeed during the interview and land the job.

Tip #2 — GO TO THE SOURCE. When an employer is hiring, it is hard to stand out among hundreds of other applicants, even if you are the best candidate. My advice is to go directly to the position’s manager and skip the hiring department initially. This will require some research; however, going directly to the manager will yield better results, as he/she is the final decision maker. Reaching out directly to the manager will show you are willing to go the extra mile to research the position and that you are motivated to get the job.

Tip #3 — RESEARCH THE COMPANY you are applying to. Understand the company’s business and how your area of study fits into the larger picture of the business. You have a better chance of standing out among the applicants if your cover letter talks about the company and how your skills can help them solve a problem.

And just know that finding a job after graduation is one of the toughest jobs you’ll ever have!

Common Points of PCI Compliance Failure

With all the security issues facing businesses today, there has been an increase in articles offering advice on how to maintain security in this very challenging environment. The Payment Card Industry Data Security Standard (PCI DSS), a set of compliance regulations applying to every business that accepts, processes, stores or transmits credit card data, can be confusing. Daniel Humphries, managing editor of IT security at Software Advice, a company that reviews IT security software, interviewed me recently for his article on “How to Avoid the Seven Deadly Sins of PCI DSS Failure.” Daniel did an outstanding job identifying where businesses most often fail a PCI audit and goes on to offer advice as to how to avoid those mistakes. Here’s the list:

Seven Deadly Sins
1. No Network Segmentation
2. Inadequate Access Controls
3. Sloppy Logging and Monitoring
4. Feeble Firewalls and Rotten Routers
5. Errors of Encryption
6. Really Dumb Passwords
7. Dubious Drafts of Documents

I recommend that anyone implementing PCI compliance read the entire article.

How to Avoid the Seven Deadly Sins of PCI DSS Failure

by Daniel Humphries, Managing Editor, IT Security at Software Advice, May 30, 2014

If you’re reading this, then you probably already know that PCI DSS stands for the Payment Card Industry Data Security Standard: a set of compliance regulations applying to every business that accepts, processes, stores or transmits credit card data.

PCI compliance regulations (mandated by the Payment Card Industry Security Standards Council) are so detailed that fulfilling them is a challenge for many businesses.

SystemExperts’ Jeff VanSickel was recently featured in an article by Software Advice Managing Editor, Daniel Humphries, on the Seven Deadly Sins of PCI. In the article, Jeff, along with other thought leaders in the IT Security community, help describe the ways in which businesses tend to fail when it comes to PCI compliance, as well as the ways in which each failure can be solved. Click here for full article.

 

Heartbleed Bug

Education is Key to Securing Online Identity

In the wake of yet another major hack announcement (this week it is Lowe’s, last week it was eBay), it is important to understand that you can have a secure online identity, but it takes work.

It starts with education:

  • Understanding that email is normally clear text (it is not end-to-end encrypted), so it can be intercepted and read in transit.
  • Appreciating the danger of using weak passwords.
  • Being mindful of how ubiquitous web and Internet technology works.
  • Understanding that once your private information is on the Internet, you have lost control of it. (Remember your late-night Facebook post from last weekend?)

Next, you need to put aside the idea that you have to trust organizations on the Internet to protect your sensitive data (banks, retailers, etc.). Here are some suggestions on how you can be proactive and protect your online identity:

Start with the basics. Don’t click through links from untrusted parties or in unsolicited email. Don’t download software while browsing – your computer already has the software it needs; avoid “sketchy” sites (e.g. gambling or porn).

Use strong passwords and some common sense. Think twice when filling out a profile on one site, and then using the same information as secret questions to recover a password on another site. Use a different username and password for different sites – think about work vs. personal and always think about the sensitivity of the data. For example, your password for Facebook and your bank should not be the same.

Control your online destiny. Keep your digital life organized and think about the data you post online. For example, if your banking website is compromised and you have a different username and password for your online banking than you do for your eBay account, which is different from your Amazon account, you can survive the compromise.

The bottom line with protecting your online identity is to be vigilant and educated on the steps you can take to keep yourself and your family secure. You can never be too careful when it comes to your personal information.

What is the next Heartbleed in IT?

As IT security consultants, we are constantly surveying the landscape to see what the next threat will be for our clients. What made Heartbleed so dangerous is that it existed in a piece of software that most Internet users depend on (infrastructure) and that the exploit itself yielded immediately usable security data (payload) like the private keys behind TLS certificates, user names and passwords, and other sensitive information. In other words, the more dependent you are on the type of infrastructure that is exploited, the larger the potential audience will be.

Most people depend on the same types of infrastructure whether they know it or not: the operating system that runs on their desktop, laptop, tablet or smart phone, DNS servers, mail servers, browsers, and all sorts of software libraries that these and other applications/devices use all of the time.

In all likelihood, there are two vectors where the next kind of Heartbleed-like problem will come from:

1) an exploit of a specific fundamental service or device, such as DNS (which allows people to use names like www.google.com instead of IP addresses like 192.168.1.100) or a Cisco router

2) an exploit of a common software library such as OpenSSL (which many websites and services use to provide communication security and privacy) that many other systems, services and devices depend on

Obviously, the latter is much more serious in that, like Heartbleed, the common software would be used by many different vendors, operating systems, devices and applications, which makes resolving the problem significantly more complex and unpredictable. To be specific, it’s likely to be some type of open source software, just like OpenSSL was.