Protecting Data from Cyber Thieves

Getting hacked is one of the most feared outcomes for anybody who is doing business on or through the Internet. The bad news is there are always people trying to hack systems and get access to sensitive, private or confidential data. The good news is that the tips a financial advisor should follow to safeguard sensitive client information are well documented and easy to accomplish.

Here are a few important tips that every financial advisor should be following:

Email is both friend and foe

  • Don’t open attachments from anybody not intimately known or attachments that seem odd
  • Even if the person is known, screen it with antivirus before opening
  • If sensitive data has to be transmitted in email, either obfuscate or encrypt the data

Backup data frequently so a system can be wiped clean to “start over” quickly

  • Backup the data to a separate device

Use encrypted file storage devices or technology so that even if a hack is successful the data is protected

Consider using secure cloud based storage instead of local system storage.

  • Allow regular system OS and software updates and patches
  • Use antivirus that scans emails and Internet URLs and looks for malware
  • Use unique passwords and change them regularly

When dealing with an advisor or other professionals that have access to sensitive information, there are a few basic questions you can ask that will determine if there are any red flags:

  1. Does the advisor share their work system or resources with other businesses or family?
  2. Are they using current systems and applications or outdated or unsupported services?
  3. Do they use public Wi-Fi Internet as part of doing work?
  4. Do they access client data remotely, if so, how is the data protected?

Teacup Tempests

A recent data breach scare highlights the importance of carefully evaluating news reports of data breaches before reacting. Reuters (followed by many others) broke a story relating how 272 million account credentials – including Gmail, Microsoft and Yahoo! Email – had been exposed. “Change your password now!” read the headlines. Time to react, right?

Or not. A closer look revealed that the breach had been reported by a little-known company named Hold Security, who had gotten the information from a young hacker who had offered to sell the list of compromised credentials for less than $1! Some sample checking of the list revealed that most of the credentials no longer worked, and were likely just an amalgamation of data from older breaches.

Responses promptly generated by Gmail and Mail.ru (one of the largest email providers in Russia) reported that more than 98% of their respective email accounts reported were bogus.

This turn of events raises the question – how does one tell the difference between a valid breach report and “much ado about nothing,” as this recent one has turned out to be? The answer, as normal in things related to security, is to be diligent, research the matter, and be wary of security stories originating from general news outlets. Well-respected sources of security information will always research new breach reports before generating headlines about them.

The best approach is to respond quickly – by carefully researching any new report of a potential threat when it comes out, but not to react (or overreact) until it has been verified via trusted sources. Sites such as SANS and ARSTechnica tend to be more sober and deliberate in their reporting. Also, unless the breach affects you directly, it’s best to wait for a couple of days to see how the security community responds. They will always either confirm the problem, or sometimes (as in this case) tear it down.

Cyber Warfare Exercise

cyberwarriorIn the next few weeks I will be participating in an intensive 15-day cyber warfare exercise hosted by the Massachusetts Army National Guard.  This exercise is conceptualized around a cyber attack affecting critical infrastructure in the Northeast with an emphasis on public and private collaboration.

I will be working on a “Red Team” of aggressors coming from various roles and organizations such as Mitre and Partners Health.

I look forward to learning about new attack and defense techniques and bringing them back to service SystemExperts and our customers. It should be interesting.  I’ll keep you posted.

The Internet of Things (IoT); what’s to worry about?

Submitted by Brad Johnson and Paul Hill

There is no doubt that the concept of the Internet of Things (IoT), a term that’s been around since 1999 from an Auto-ID Center project at MIT, is gathering huge momentum and will be stampeding into your world whether you are ready for it or not. IoT is simply the idea of a network of connected smart devices.  What is making this such a fascinating area is the huge diversity of things that could be considered a smart device: fitness bands, nanny cameras, dashcams, doorbells, door locks, TVs, lightbulbs, mirrors, coffee makers, pet feeders, personal medical actuators, home appliance sensors, transportation actuators, and weather sensors to name just few. The real hope is that these devices will work together and make our lives and the management of our lives easier and tailored to our own needs.

What makes a device part of the IoT is that it is a physical object, is connected to and interacts with a network of some type and can transmit data that it is collecting. These networks can be embedded systems for a business network, a personal area network (PAN), interact through RFID or even a more public network. The objects will likely be embedded with an RFID tag and a sensor to measure certain data.  Of course regardless of the type of network, the data usually finds its way from the local or internal location to an external network or environment via an edge device. The edge device is the bridge between where the object is and where the data needs to go and is usually the entry point to an enterprise or service provider network.

Of course one network that people are thinking about is the Internet which brings with it a whole host of issues to consider. Any device that is connected to the Internet it needs an IP address.   If it has an IP address, it can be reached by anything else on the Internet which means you need to protect it just like any other host or service on the Internet.

If you have to protect it, you need to figure out what are all the ways in which it could be compromised and what technologies can be used to ensure it is only used in the way it was intended. IoT devices are somewhat different than what we have faced in the past. They are closely bound to physical objects and this can result in unexpected side effects.

Additionally, Iot devices are often sensors that transmit data. This means someone has to think about the risks of unintended disclosure, how to protect the data on the device, the transmission of that data and also how to protect it when it gets to its destination: which in many instances is likely to be someplace within a Cloud like infrastructure.

IoT device manufacturers need to perform “red team” analysis to help determine how the devices can be abused in unforeseen ways, and what the consequences would be. Only then, can the correct controls be designed and implemented.

Unlike traditional computing devices, IoT devices have a limited user interface, and as a result they are often designed to self-configure access to the Internet. If your SmartMirror can’t find a WiFi with a DHCP server to connect to, maybe it will see if it can find a nearby SmartTV that will act as a bridge to the Internet. Or maybe it can find a nearby smartphone with a Bluetooth interface in order to “phone home” to the manufacturer.

A number of people estimate that the number of devices connected to the Internet will be between 20 and 30 billion by as early as 2020 – that is less than 4 years from now! That’s a lot of devices to protect and you don’t have to look far or hard to see how quickly people can figure out how to hack into new technology such as monitors, medical devices, automobiles, printers, wireless devices, drones and so on.  The reason this often happens is that in an effort to get ahead of the curve (or their competition), companies focus all their efforts on features and not on security.

There is a huge rush to market for IoT companies. So far they haven’t been very proactive in designing in good security practices. Days after Philips released its line of Hue light bulbs, people figured out how to compromise the hubs and control the lights from anywhere on the Internet. Major news networks have run multiple stories about vulnerabilities in nanny cams that allow people on the Internet to use them to spy on people in their homes and even talk to people.

IoT devices are also entering the workplace. In some cases they are simply brought in by employees, for example people wearing a fitness band to work. In other cases, they are being installed by departments that normally haven’t had to think about IT security. For example facilities management/physical plant departments might be installing smart thermostats in an effort to eliminate zones and give employees more control over individual work areas.

One of the general fears is that organizations will not be proactive in preparing for this onslaught of devices, the information they collect and the various ways in which this data will be disseminated and acted on. For example, when handheld devices first started making their way into mainstream use, most organizations dealt with them by assuming they were simple innocuous devices, the employee would pay for and own them and that it was her responsibility to handle properly. In other words, handhelds were entirely administered through policy and it was an asset not owned by the organization responsible for managing it. It became clear very quickly that these devices had the same processing power and networking capabilities as a desktop and that to reduce their risk to both internal networks and to the sensitive data on them when off premise, very well-defined technologies, policies and procedures had to be deployed to deal with all of the potential security risks they presented.

The same thing is going to happen with the IoT and we should use these same lessons learned to be prepared for it. A number of the security challenges that will need to be faced include device authentication and authorization, encryption of sensitive data with regards to privacy and confidentiality, secure interfaces to the mechanisms that are used to store and manipulate the data (e.g., Web and Cloud interfaces) as well as maintaining the software and the physical security of the objects.

Is the Panama Paper leak saying anything new about IT security?

The Panama Paper leak is an example of a whistleblower situation. Clearly, some of those types of situations have been seminal events that have shaped history, policies and perceptions: e.g., Daniel Ellsberg and the Vietnam War, “Deep Throat” and Watergate, and Julian Assange of WikiLeaks to name a few. The up-side of these is that it creates a degree of transparency around something that was trying to be hidden. With regards to IT security, it’s nothing really new but the scope of it magnifies the underlying IT issue: do you have controls, audit information and mechanisms in place to track where your data is, who is accessing it, and do they have permission? The reality is, it’s extremely difficult to always to be in a position to simply say “yes, I know where my data is and who is accessing it.” Clearly in the Panama Paper leak, lots of information was given out over a long period of time: information that was intended to be private.

Are hackers, inside or out of the corporation, our new heroes? Are they modern-day Thomas Paines or John Browns?

The answer to that question, as most people already know, depends on your perspective. It’s not a black and white situation.  Was the leaking of NSA information by Edward Snowden a “good thing” or  a “bad thing?” People often think that a hacker is somebody outside the organization in question – a foreign government, a technical wizard looking to make a name for themselves – but often times, like Snowden, a hacker is somebody who is inside the organization who has access to important data and decides to make it available to other people regardless of the information sharing rules he had already promised to follow. I suspect many people will be happy about the Panama Papers leak because it exposes people who were doing things they shouldn’t have and now they have to answer to those actions. Keep in mind, the goal of any hacker is to have the same access and permissions as somebody on the inside. This is why many data leaks are indeed created by people who are on the inside. Often, the leaks are accidental, but in this case it was intentional.

5 important web application security trends of the near future

by Joe Stangarone, writer, MRC’s Cup of Joe Blog, April 19, 2016

Summary: As security breaches rise, enterprise web application security is an increasingly important topic. You must stay ahead of evolving security trends in order to keep your data and applications safe. How will web application security evolve in the coming year? What web application security threats can we expect in the near future? In this article, we explore web application security trends of the near future and explain why they’re important.

Security breaches are on the rise. Sensitive data gets compromised on a seemingly daily basis. These breaches create negative publicity, and lead to huge financial losses.

Can you guess which aspect of your business systems hackers target the most? As mentioned in this  article: “According to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications.” What’s worse, a recent report found that over half of all web applications suffer from commonly known vulnerabilities.

As more data moves to the web, and businesses create more web applications, this threat is only increasing. How can you protect your business applications?

The first step: Recognize the risks, and stay ahead of the curve. Understand where web application security is now, and where it’s heading. Do you know what application security threats we can expect in the near future? Do you know how web application security evolving?

Today, let’s answer these questions. While the list could certainly be longer, here are 5 important trends in web application security to watch for in the near future.

1. Increased application demand leads to vulnerable applications

In a recent article, we examined an unsettling fact: Most business applications still suffer from commonly-known security flaws. We’re not talking about new vulnerabilities. We’re talking about commonly recognized–and easily fixable–security flaws that businesses have known about for over a decade.

What’s more, these threats can create irreparable damage to a business.

Why? We explored a few reasons in the article mentioned above, but there’s one overriding issue. There’s an increasing demand for new business applications–a trend that will only grow. More and more, the demand outpaces the organization’s ability to create them.

As a result, we’re seeing two things happen. First, we have an increased number of new developers, rushing to meet project deadlines. In the struggle to meet these deadlines, security suffers.

Second, we have more development outsourced. As explained below, this becomes a problem when the outsourcing firm doesn’t understand the organization’s security needs.

2. Unsanctioned cloud apps create a larger security risk

Another problem created by the growing application demand: Shadow IT. Now, this isn’t a new trend, but it is on the rise. As its growth continues, we can expect it to greatly impact security.

What’s happening? End users are bypassing the IT department in favor of third-party, cloud-based solutions. Rather than waiting around for a solution from IT, they can now pull out a credit card and get up and running that day.

While this sounds great from a business user perspective, it creates a problem. This practice takes company data outside of the IT department’s control. When employees purchase and use third-party solutions, IT cannot manage and secure the data. Worse yet, they cannot evaluate the solution’s security.

What can you do about it? We won’t get into all the details here, as we covered a few ways to address Shadow IT in a previous article. But, do not ignore the problem. As explained below, it’s running rampant, and will continue to grow worse.

3. Stolen credential attacks rise

As people place more and more of their information online, stolen credential attacks are on the rise. Why is this so important? Stolen credential attacks can completely nullify all of your security efforts.

How so? As you know, many users have awful security habits. They reuse their login credentials across many sites. So, if a hacker gets a hold of one of your user’s credentials for one site, chances are good that they can access other applications as well.

“For many years, attackers have employed tricks such as cross-site scripting (XSS) and SQL injection (SQLI) to attack web sites,” says Mark Huss, senior consultant at SystemExperts. “Although these still are in regular use, the landscape is changing; stolen credentials now account for over half of all web attacks. This is an understandable progression – why fight to come up with a clever injection attack when credentials and credit card information are available in mass quantity, and cheaply? In addition, web browsers are getting better at defending against scripting attacks, and long-time targets such as Adobe Flash are falling out of favor.”

4. Two-factor authentication becomes a must in the enterprise

One way to fight the stolen credential attack: Set up two-factor authentication on your business applications. What is it? I’ll briefly explain the concept here, but you can read more about two-factor authentication in this article.

In short, it adds a second level of security to an account login. Rather than identifying a user with a single factor (username/password), it adds a second identification factor to the login process–usually a pin number delivered via sms to the user’s mobile device. It’s designed to maintain security, even if a user’s login credentials are compromised.

Now, two-factor authentication is not a new trend. It’s already used in popular web services like Gmail, Twitter, Linkedin, etc… However, it’s sparsely used in the business world. But, with the rise of security breaches, two-factor authentication is quickly becoming a must-have in the business world.

5. The security skills gap drives the growth of third-party tools

Businesses often approach security with a false assumption. They assume that their developers understand security, and will build it into their applications.

Now, that’s true to an extent. A developer will understand the security basics. But, you can’t assume your developers are security experts. Their job centers around developing applications – often with a tight deadline.

Can they possibly compete with hackers who spend their days trying to attack web applications? Of course not.

The fact is, we’re facing a security skills gap. Most companies do not have the personnel in-house to create truly secure applications. As security breaches increase, we’ll see more and more businesses turn to third party tools to bridge this gap.

Summary

These are just 5 trends in web application security, but the list could certainly be much longer. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.

What’s Ethical Hacking?

Often in social situations, when people ask what I do for living, I have to pause for a moment.  If I want to deflect the conversation, I just say “computer security” and their eyes usually glaze over and we move on to other topics.  However, if I’m honest and say “ethical hacking,” this invariably arouses more interest. People are alternately confused by the implied oxymoron and intrigued by the implications of the phrase, which requires me to explain a bit more.  

In a nutshell, ethical hacking is “hacking with permission.” An ethical hacker tries to find security problems and vulnerabilities for a client before the bad guys do. Although the word “hacker” bears negative connotations in many people’s minds, a hacker is really just someone who tries to find unexpected ways to use something. In our business, we’re trying to use – and abuse – the web applications and interfaces of our clients in ways they never expected, looking for opportunities to gain information or control that we should not, as outsiders, have.

It may sound exciting, but ethical hacking is really just a process of taking a painstaking look at the software we’re testing and searching for problems. It often involves repetitive and monotonous tasks, trying several different ways to find a way in. The job also usually involves running automated scanners that test for problems, carefully reviewing the output of the scans, and identifying genuine problems, possible problems, and false positives (non-problems that fooled the scanner). Doing all of the above carefully and thoroughly is key to performing the job well.

An effective ethical hacker also has to be imaginative, perpetually looking for alternative ways to break the system being tested. As security testing becomes more commonplace, the “low-hanging fruit” found by the scanners becomes less and less common, and finding new issues sometimes requires new approaches. It is certain that the clever miscreants looking to exploit the apps we test will not give up after trying the obvious ways in.  This is why manual and scripted testing remains important.

In summary, ethical hacking is an interesting and challenging job. It can be tedious at times, but this is offset by the occasional new discovery. Explaining how the vulnerabilities work is also rewarding, as you see the light go on in the client’s eyes, and as developers learn why basic things like filtering input and encoding output are so important. The testers at SystemExperts take their jobs and the security of our clients very seriously, and treat each engagement as if it were our own security at stake. Our reputation depends on it.

How Shadow IT Fits in Today’s IT Organizations

For those old enough to remember, the controversy surrounding shadow IT in the cloud computing world recalls a time when personal computers and spreadsheets first threatened the IT mini and mainframe priesthood. The motivations seem very much the same: business users want solutions quickly, and want to try different tools and methods now instead of going through the red tape of writing IT proposals and business cases, getting money for budgets, etc.

The motivations may be similar, but the threat and regulatory landscape is very different than it was thirty years ago. In particular, if your business handles credit card or medical information, the audit and oversight requirements from both industry groups and government regulations can be formidable.

Developing an adversarial relationship does neither side any good. If IT blocks Dropbox, creative users will find a more obscure (and likely less secure) alternative. Whitelisting at the perimeter is the ultimate means of control, but no list can anticipate all user’s needs, and will certainly annoy the user base to no end.

The best solution is for in-house IT to “embrace the shadow” as much as possible. Require vetting of cloud solutions, but make the vetting as easy and painless as possible. “Painless” includes quick turnaround – part of the current problem is user’s impatience with what seems to them glacially slow responses to requests. Depending on the size of the company, this may mean personnel dedicated to this function, or at minimum an allocated  block of someone’s time. If a requested tool is inappropriate, have a reasonable explanation to present to the requestor, and have a similar alternative suggestion if possible.

The vast expanse of possibility that is the growing world of cloud computing brings new challenges to IT support, and IT must rise to the challenge and adapt to the new reality.

Encryption Implementation: Is It the Cure-all for Cybersecurity Woes?

Based on the science of cryptography, encryption is the process of coding and decoding messages to keep them secure, and is often touted as the silver bullet for cybersecurity woes. But is it really the cure-all?

The classic model of information security starts with the triad of Confidentiality, Integrity, and Availability. Cryptography is critical to providing confidentiality and integrity to all modern computer systems.

When performing online purchasing or online banking, cryptography is used to prevent network eavesdroppers from viewing the transaction, to prevent tampering with, or modifying, the transaction, and also to allow the  user and browser to verify that the server actually belongs to the intended bank or merchant.

Cryptography is also used in many other scenarios. When a Windows user receives a security update from Microsoft, cryptography is used to validate that the server providing the update really is a Microsoft server, and once the update is downloaded to the machine, cryptography is used once again to verify that the code was written by Microsoft.

Merchants that you provide your credit card number to are supposed to use cryptography to encrypt the credit card number while it is stored in the merchants database. This is done with the intent that even if an attacker can gain access to the server, the attacker should not be able to decrypt and recover the credit card numbers and associated data.

Best practices also mandate the use of encrypted backups, so that if an attacker obtains a copy of a backup, no information is disclosed. 

However, cryptography is not a magic bullet for securing computer systems. Many other controls are needed, including limiting communications between computers to their intended and authorized uses, configuring systems securely, and patching systems for all known vulnerabilities.

Firewalls are a common method for limiting inter-computer communications to their intended and authorized uses.  However, one side effect of firewalls, is that many software applications are now designed to run on ports 80 and 443, the same ports used by web servers browsers, in order to easily traverse the firewall.  Attackers quickly learned that their tools should be written to use the same ports, so that they could easily get through a firewall. One of the responses to that threat, is the use of deep packet inspection. 

Deep packet inspection is used to examine and analyze the data traversing the network.  It attempts to  determine what traffic is legitimate, and what traffic contains malware, intrusions, unauthorized file transfers, and other undesirable activities. Of course, if the transmission is encrypted, deep packet inspection doesn’t work very well;  instead access to unencrypted data is required.  Many companies will architect their networks in such a manner that encryption is terminated near the perimeter, so that deep packet inspection or analysis tools can examine the unencrypted data transmissions. The downside is that in a poorly designed or implemented system an attacker might gain access to the deep packet inspection system, thereby invalidating the confidentiality of the data. 

There are many ways that cryptographic controls can be defeated. For example, using the wrong type of  encryption for a given use case can cause the data to be less secure than intended.  Proper key management is critical; if an attacker can gain access to the cryptographic keys then the confidentiality and integrity of the data can no longer be guaranteed. 

When using encrypted drives, a simple drive failure can lead to complete loss of the data.  Tools designed to recover data from damaged disks typically cannot recover encrypted data.  Cryptography can also interfere with other types of data recovery operations and this can be viewed as either a positive or negative consequence depending on one’s perspective.

Encryption can also impact performance.  This is less critical on current systems, but was a leading reason for not using strong encryption in past decades.  However, while cryptography will usually account for less than one percent of overhead on modern systems,  using redundant encryption can still lead to performance problems.  It is important to architects systems and application to use cryptography where appropriate, but avoid using encryption at every layer, creating unnecessary redundancies and poor performance. 

In short, cryptography is fundamental to cybersecurity.  Placing backdoors into systems to bypass security for “legitimate” uses is a bad strategy can be exploited by attackers as well as authorized users.  Implementing and deploying cryptography to maintain confidentiality and integrity without creating performance bottlenecks or impeding other security and operational efforts is not trivial.

Who Should Be Able to Opt Out of Security Awareness training – and How

by Ian Palmer, researcher for InfoSec Institute, March 9, 2016

Brad Johnson is adamant that no one in an organization should be exempt from security awareness training. Not the CEO. Not the chief security officer. Nobody.

Johnson, the vice president of SystemExperts, says that making exceptions on the security awareness training front would only open companies up to a host of problems that otherwise might have been avoided.

“Who should be able to opt out of security awareness training? The simple answer is nobody,” says Johnson. “Yes, I said nobody. What about the chief security officer?  Nope. What about the director of IT management? Nope. And so on, and so on. Let’s ask this same kind of question in a different context. What NFL player should be able to opt out of practice? Should an NBA player be able to opt out of warm-ups?”

Johnson, who has participated in seminal industry initiatives including the Open Software Foundation, X/Open, and the IETF, is one of the many experts who insists on providing training without exceptions. Rather than considering who should be able to opt out of security awareness training, Johnson says that companies need to mull instead over what sort of training should be provided to employees.

While the experts believe that everyone from the top to the bottom of organizations need to take security awareness training, some believe that the trainers who lead out in such programs can potentially be exempted on account of their extensive knowledge base and expertise.

Background Stats

According to the 2015 US State of Cybercrime Survey, cyber security incidents are both increasing in number and becoming more and more destructive. Moreover, adversaries behind the attacks are investing not only in technologies but also in training their crews to attack with greater efficiency. If the bad actors believe in training, then so, too, should the companies that often find themselves on the receiving end of cyber attacks.

The study notes that businesses that invest in and implement new technologies to safeguard against cyber attacks, without updating processes and giving workers training, will probably fail to get the full value out of their spending. And while security awareness training is critical, only 50% of survey respondents acknowledge that they run periodic security awareness and training programs, and only 50% of respondents admit that they provide security awareness training to new hires.

To read the entire article in INFOSEC Institute, click here.