Thursday, August 7, 2014

Cybersecurity Program

Throughout this program I have learned there are many aspects to protecting information.  One of the main keys to protecting information begins with employees.  When employees understand the importance of their actions and why the company has created security policies, this helps to create an environment that is aware of potential consequences.

This means that companies have to create a culture of security.  By creating a culture of security, all employees are taught to understand the importance of following security protocols.  They should be aware that company security is more than just the information online; it is also the trash they throw away, the caller on the telephone who asks questions about the company's software or other seemingly innocent questions, and the unannounced copier repairman.  Employees should report anything out of the ordinary to their supervisor or the head of security immediately.

One of the most difficult aspects of cybersecurity is convincing a company why the protection is necessary.  Unfortunately, many organizations see cybersecurity as a black hole for spending company funds that they feel would better benefit other areas.  The reason for this is that an adequately protected company suffers few or no attacks, and without any attack the protection seems unnecessary.  When a cyberattack does occur, the first to get blamed is the security team, even when they had presented the information as to why increased security was necessary to prevent this type of attack and were told it was not necessary.  Those presenting their findings on security necessities must use data from other, similar organizations who suffered such an attack and present how the company was affected by the attack as well as how much it cost the company.

During this term for Cybersecurity 650, I learned the necessary steps to identify security threats and vulnerabilities as well as to make recommendations to mitigate these issues.  The security assessment needs to be thorough, focusing on critical assets and the potential threats or vulnerabilities they may face.  When determining these, it is important to focus on protecting the critical assets from realistic threats.  These could include cyberattacks, weather events relevant to the area such as tornadoes, floods, hurricanes, etc., and attacks on areas that may vary from company to company.  These factors are important to keep in mind when evaluating a company's security.  Healthcare organizations not only have to secure patient data, but also have to comply with state and federal laws in how they secure the information.  At the end of the recommendations it is up to the company to do what is in the best interest of its customers, shareholders, and company as stated in its mission statement.

Increased Security Threats to Power Grids

Companies need to keep evolving as technology keeps changing.  Sometimes they can keep up with the technological advances and other times they cannot.  When it comes to America's energy providers, people often think they have been able to keep up with the technological advancements and are adequately keeping the energy sector secure.  Unfortunately, this is not the case for many of America's energy providers.

Many of our electrical grids are not prepared to stop a hacker from gaining access to them and creating chaos for major cities.  If the electrical grid is shut down it will affect more than just the power to a city.  Should a city of national importance like DC be attacked, it could affect national security.  Due to the significant nature of such an attack, Congress has proposed increased security measures for critical infrastructure.  In addition, they want increased sharing from all government agencies as well as the public sector about cybersecurity threats and attacks that were stopped.

This information sharing is in the best interest of all involved as it can help prevent attacks.  It is most beneficial to the public sector, as it does not have the financial resources that the private sector has to research and stop cybersecurity threats.  The problem with information sharing is that many businesses are afraid they will be violating privacy laws by disclosing customer information when they share their information with the government.  In April the Federal Trade Commission and the Justice Department announced that companies would not be violating antitrust laws by sharing cyber threat information.

Causing chaos by attacking the power grid in the United States could be a low-cost attack by a foreign country or a state-sponsored hacker.  Cyber attacks can level the playing field for countries who do not have the resources to wage a different type of attack.  Cyber attacks also offer the attacker some anonymity until the origin of the attack can be determined.  This makes the matter increasingly important, as it is no longer just a matter of someone physically shutting down power at the power grid, but of attackers from anywhere in the world being able to shut it down.


Harris, S. (2014, July 15). U.S. Electrical Grid Vulnerable to Cyberthreats and Physical Attack, Study Finds. Retrieved Aug 3, 2014, from Foreign Policy: http://complex.foreignpolicy.com/posts/2014/07/15/us_electrical_grid_vulnerable_to_cyber_threats_and_physical_attack_study_finds

Friday, July 25, 2014

Data Analysis Shortcomings

The increasing amount of data available on the Internet for analysis is presenting challenges for analysts.  Government agencies collect enormous amounts of data daily.  There are consistently new methods presented to store and manage all of the data until it can be analyzed.  Unfortunately, it is impossible for analysts to review all of this data.  This is where data tools become necessary.

Data analysis tools have limitations.  One of the biggest limitations is not with the tools themselves, but rather the user.  This becomes clear when users do not know how to get the most out of a tool, or are not using it as it was designed simply because they do not know any better.  Analysts may not want to use these tools to assist them with their data analysis because they focus only on the tools' limitations, view them as threats to their jobs, or do not have the necessary skills to use the tools.  The marketing hype of analysis tools can also lead organizations to choose the wrong tools.

In the article Shiny, Shiny Data: The Thrill of the Chase, the author Leetaru points out that many are distracted by shiny new object syndrome.  They believe the hype that new data tools will change how they analyze their data and blindly use the new tools simply because they are easy to use.  The fault with using tools only because they are easy is that they are most likely the wrong tools, and this is evident specifically by the desire for an easy tool, not an accurate one.  Leetaru gives an eye-opening example of this fault after he sat in on a presentation about the Syrian regime.  The presentation did not offer any sources for its data, only that it was based on billions of observations.  Leetaru asked how it could be possible to obtain that much open source, street-level data on the rebels.  They disclosed that the information was obtained from Twitter.  They had scanned Twitter for English-language tweets that originated in Syria, even though they knew that the software used to codify the tweets warned that the results might be invalid.  The better option would have been to monitor Facebook posts in Arabic, because that is how the rebels were communicating.  Twitter was used simply because the data was easier to access, easier to use, and no one on the team spoke Arabic.

While there are many good tools available for analysts, there seems to be a failure on the part of Silicon Valley to develop applications specific to Washington's needs, and Washington fails to recognize which tools would be most beneficial for its needs.  Leetaru recommends that Washington increase its data literacy and Silicon Valley increase its application literacy.  This is necessary to bring the two together to pursue data-driven intelligence and policy making.  In order for organizations to choose the appropriate tools for their data analysis, they need to work more closely with those who are developing the software.


Reference:

Leetaru, K. (2014, May 14). Shiny, Shiny Data: The Thrill of the Chase. Retrieved July 22, 2014, from Foreign Policy: http://www.foreignpolicy.com/articles/2014/05/14/nsa_intelligence_big_data_tradecraft_silicon_valley


Sunday, July 20, 2014

Project Zero

Google just announced a new project that will help combat cybercrime.  It is called Project Zero and is comprised of highly skilled researchers.  The scale of this project is setting the stage for the rest of the cyber community.  This of course is no small feat, as there is a seemingly endless amount of vulnerabilities and cyberthreats on the Internet.  Instead of waiting for cyberthreats to take over the Internet, Google is trying to find and stop them before they become massive attacks.

Google's goal is to make the Internet safe for everyone to use.  The secondary goal behind Project Zero is to drive best practices and to create greater awareness of security vulnerabilities.  All software will be scoured by the team for potential threats, not just the software found within Google's own products.  After they discover any threats or vulnerabilities they will notify the vendor and then file a bug report in a public database.  Hopefully this large initiative by Google will cause others to follow its lead and work on seeking out and fixing threats promptly.  Currently there are vendors who are aware of security vulnerabilities and do not fix them in a timely manner.  These vendors will often take months or even years to fix the vulnerabilities in their software.

The research team is not complete yet, but already contains some very impressive talent.  George Hotz discovered how to crack a locked iPhone in 2007, reverse engineered the PlayStation 3, and exposed weaknesses in Google Chrome.  Unlike the other companies who ignored him or made a deal for him to never hack their products again, Google paid him $150,000 to help fix the security flaw he uncovered in Google Chrome.  He was then offered a job to join Project Zero.  Chris Evans was also chosen to be a part of the team after his work on the Google Chrome project.  Ben Hawkes has found dozens of software bugs.  Another reputable bug hunter to join the team is Tavis Ormandy.  He proved that zero-day vulnerabilities are possible in antivirus software.  With this type of talent and even more to be added, it appears that Google will be successful in uncovering cyberthreats and helping vendors to be more proactive in correcting them.


Adhikari, R. (2014, July 15). Google's Project Zero Cybersecurity Watch: No Excuses. Retrieved July 19, 2014, from TechNewsWorld: http://www.technewsworld.com/story/80738.html

Greenberg, A. (2014, July 15). Meet 'Project Zero,' Google's Bug-Hunting Hackers. Retrieved July 19, 2014, from WIRED: http://www.wired.com/2014/07/google-project-zero/

Friday, July 11, 2014

Wi-Fi Security Flaws

Wireless Internet use has helped to make accessing the Internet easier.  The trend of WiFi-based products has been steadily increasing.  The ease of WiFi use has carried into everyday products designed to make people's lives easier.  Smart homes are becoming more common and the majority of the home can be controlled remotely through WiFi-based products.  This of course can leave the person's network vulnerable to new wireless attacks.

LIFX Smart LED light bulbs can be controlled remotely by mobile devices.  This convenience means a person can turn on or off all of the lights, or selected lights, in their home from their mobile device.  A security flaw was discovered in the light bulbs' WiFi that allowed an attacker to steal WiFi passwords.  The attacker could begin the hack once they discovered which bulb was the master bulb.  From there they were able to expose the user's network configuration.  LIFX utilizes a mesh network, and researchers were able to inject packets into the network without any authentication.  Being able to accomplish this without authentication enabled them to capture WiFi details and decrypt the credentials.  All of this occurs without ever being detected.  The researchers did conclude that a widespread attack would not be possible because the attacker would have to be located within 30 meters of wireless range.  While this is the case with LIFX, there are other wireless products on the market that have no range restrictions.

When companies are developing new products that can be used with WiFi, they need to consider security vulnerabilities such as the ones that occurred with the LIFX light bulbs.  Smart homes are dubbed more energy efficient, and this technology trend will likely continue.  In doing so, companies may be putting consumers at risk with such vulnerabilities.


Paganini, P. (2014, July 9). Hacking LIFX Smart LED Light Bulbs to Steal WiFi Passwords. Retrieved July 10, 2014, from Security Affairs: http://securityaffairs.co/wordpress/26475/hacking/hacking-lifx-smart-led-light-bulbs-steal-wifi-passwords.html

Saturday, July 5, 2014

Threat Intelligence Sharing - Week 5

There are numerous threats that businesses face every day.  After the Target security breach occurred there has been greater discussion about threat intelligence sharing between organizations.  It also encouraged retailers to create a formal response to manage threat intelligence information.  This process also paved the way for businesses to share the threats as well as the actions they took.

Threat information sharing is beneficial to businesses for several reasons.  It makes retailers aware of emerging security threats.  Becoming aware of threats other businesses have encountered allows them to better prepare themselves against the same type of threats.  By working together, companies help keep these threats from becoming more widespread.  This unity prevents attackers from achieving the goal they set out to reach.

To create a trusted communication point for retailers to share threat information, collaboration was needed.  In June 2014, the National Retail Federation established "a Retail Information Sharing and Analysis Center (ISAC), which includes participants from the Department of Homeland Security and the Secret Service, which investigates large-scale credit and debit card breaches" (Westervelt, 2014).  This will be a good platform for threat information sharing, but initially it will take time for trust to be established amongst the retailers.

In order for retailers to be better prepared to respond to threats, they must establish better incident response plans and test them regularly.  This will not only help retailers with their threat mitigation and response, but it will also help other retailers to develop better response plans as well.  Some retailers may not have the correct tools to properly identify the threats that are occurring.  The ISAC may also provide a good resource for retailers to relay the correct and necessary tools that others should be using to properly detect threats.  This is because those involved in the ISAC will have built a relationship of trust amongst one another.

While this is a step in the right direction, it does not eliminate all of the potential problems that currently exist with threat information sharing between the public and private sectors.  Often the private sector is at an advantage because it is more financially secure and can afford the necessary tools to detect the threats.  To provide better threat information sharing, automation is needed.  MITRE Corporation is a nonprofit organization that is working on Structured Threat Information eXpression (STIX).  STIX is a standardized language that represents structured cyberthreat information, which allows security incidents to be described in a formal manner that creates a better resource for threat sharing.  It does seem that with enough cooperation threat information sharing will become extremely beneficial to those involved.

Westervelt, R. (2014, July 3). The Rise of Threat Intelligence Sharing. Retrieved July 4, 2014, from CRN: http://www.crn.com/news/security/300073317/the-rise-of-threat-intelligence-sharing.htm

Sunday, June 29, 2014

How Secure is Your Email Address?

Over the years I have had many different email accounts.  The deciding factors that made me change accounts were how much junk email or spam I received and whether there were any security concerns with my current email provider.  Recently Gmail was discovered to have a new security vulnerability.  This vulnerability put an indefinite number of Gmail addresses as well as business emails at risk.  Why is gaining an unlimited amount of Gmail addresses so valuable?  The reason this vulnerability is important is that it allows the attacker to send phishing campaigns and targeted attacks to an unlimited number of users.  This guarantees that the attacker will have a higher number of victims.

The vulnerability allows an attacker to gain access to a list of Gmail addresses.  This discovery was made by Oren Hafif, a researcher at Trustwave's SpiderLabs.  He reported the vulnerability to Google, who has since fixed it.  One may ask how this vulnerability was even possible.  Hafif found a token exposed in a URL and was able to expose every Gmail address.  The URL token was found when using Gmail's delegation feature.  When an account user delegates that account to allow another person to access it, the delegated party has to accept or decline the delegation via an embedded URL link.  These links were nearly identical; the only difference was that one link included /mdd (mail delegation deny servlet) while the other included /mda (mail delegation accept servlet).  He then researched URLs that Google used and determined that the sequence which followed mda and mdd was being used as an authentication token.

With the authentication token Hafif started running a brute force attack and was able to gain so many email addresses that every tool he used to conduct the brute force crashed from the overload.  To overcome this problem he wrote his own multi-threaded script in Ruby.  In addition to Gmail addresses, he discovered he was also obtaining non-Gmail addresses.  These were most likely businesses who were using Google Apps as a mail service.  Hafif commented on the potential security threats that companies may face when considering whether they should move their information to the cloud, as many companies have done by choosing Gmail as their organization's email manager.  When vulnerabilities like this exist they create additional potential threats such as spear phishing attacks, advanced persistent threats, and other targeted attacks.  It is important to keep this possible vulnerability in mind when planning security threat mitigation for not only your personal email accounts, but also your company's email accounts.
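The defensive lesson from the Hafif finding is that a brute force against a URL token is loud on the server side: one source presents many distinct tokens to the accept/deny endpoints in a short span, while a real invitee follows exactly one link.  The following detector is an added example written for this post, not code from the article, from Hafif, or from Google; the log format, the /mail path prefix and the "token" query parameter name are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical format, not from the article):
# "<client-ip> <unix-time> <method> <path?query>". The "token" query parameter
# and the "/mda" and "/mdd" path suffixes are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.5 1402600001 GET /mail/mda?token=AbC123
203.0.113.5 1402600002 GET /mail/mda?token=AbC124
203.0.113.5 1402600002 GET /mail/mdd?token=AbC125
203.0.113.5 1402600003 GET /mail/mda?token=AbC126
203.0.113.5 1402600004 GET /mail/mda?token=AbC127
198.51.100.9 1402600010 GET /mail/mda?token=Zq9Xy
198.51.100.9 1402600400 GET /mail/mdd?token=Zq9Xz
192.0.2.77 1402600500 GET /mail/inbox
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")
DELEGATION_SUFFIXES = ("/mda", "/mdd")


def parse_delegation_hit(line):
    """Return (ip, timestamp, token) for a request to an accept/deny servlet, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, _method, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith(DELEGATION_SUFFIXES):
        return None
    token = parse_qs(parts.query).get("token", [None])[0]
    return (ip, int(ts), token) if token else None


def find_enumeration(log_text, window_seconds=60, threshold=5):
    """Flag sources presenting >= threshold distinct tokens in any window_seconds span.
    A real invitee follows one link, so many distinct tokens from one source is guessing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_delegation_hit(line)
        if parsed:
            hits[parsed[0]].append(parsed[1:])
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, token in events:
            in_window[token] += 1
            while events[left][0] < ts - window_seconds:  # drop expired events
                in_window[events[left][1]] -= 1
                if in_window[events[left][1]] == 0:
                    del in_window[events[left][1]]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Run against the constructed log, only 203.0.113.5 is flagged (five distinct tokens in four seconds); the second source sends two tokens minutes apart, which looks like ordinary use.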

Paganini, P. (2014, June 12). Gmail hacking, a mine of data for phishing and spam attacks. Retrieved June 23, 2014, from Security Affairs: http://securityaffairs.co/wordpress/25676/hacking/gmail-hacking.html