As if information security isn’t hard enough already – deterring the cyber-criminal hell-bent on stealing our critical data, our bank and credit card details, our intellectual property and client information – it seems that encouraging users to apply some degree of complexity (or should that read common sense?) to their password selection is a whole different ball game altogether, despite the warnings.
A study to find the top 25 leaked passwords of 2012 has revealed too many people are still using “password”, “123456” and “12345678” for their login credentials. The table was compiled from plain-text passwords and weak unsalted password hashes lifted from compromised databases and dumped online by Anonymous hacktivists and other miscreants. The new entries in this year’s list of common passwords are “welcome”, “jesus”, “ninja”, “mustang” and “password1”.
This year the dataset was boosted by several high-profile password security breaches at major websites including Yahoo!, LinkedIn, eHarmony and Last.fm.
Here’s the table of the top 25 most common leaked web passwords, with the change in position from last year in brackets:
1. password (unchanged)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up one)
5. qwerty (down one)
6. monkey (unchanged)
7. letmein (up one)
8. dragon (up two)
9. 111111 (up three)
10. baseball (up one)
11. iloveyou (up two)
12. trustno1 (down three)
13. 1234567 (down six)
14. sunshine (up one)
15. master (down one)
16. 123123 (up four)
17. welcome (new entry!)
18. shadow (up one)
19. ashley (down three)
20. football (up five)
21. jesus (new entry!)
22. michael (up two)
23. ninja (new entry!)
24. mustang (new entry!)
25. password1 (new entry!)
The roundup, produced by password app biz SplashData, put “123456” in the number two slot for 2012; the same sequence was used by 37 per cent of all user accounts at the Anonymous-hacked Greek finance ministry.
This really is the first rung of the security ladder to climb. So what is a secure password? Opinions vary, but at the very least choose a word or phrase that is hard to guess and easy to remember. Here’s Bruce Schneier’s advice (and he knows a thing or two about security), so why not follow it?
- DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in a long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
- DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward. No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
- DON’T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
- DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
- DON’T allow your computer to automatically sign in on boot-up and thus use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
- DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
- DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.
- DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian “Gizmo” Richards’ Dec. 11, 2008, Best Software column, “Connect safely over open Wi-Fi networks,” for Wi-Fi security tips.)
- DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
Still, some people haven’t caught on to that yet. Kaspersky Labs lists six of the worst ideas for creating passwords.
- Simple, successive: It might be easy for you to remember ‘123456,’ or ‘qwerty,’ but guess what: Anyone who has ever seen a keyboard will be in your email in about 30 seconds. Making your password the same as, or related to, your login is also a serious mistake. Remember, when it comes to creating passwords, simplicity is bad, and complexity is your friend.
- The name of a loved one: You might love your mom to pieces, but using her name as the key to all things dear to you is easy pickings for an attacker. Your favorite niece’s name or your dog’s name isn’t any better, especially when that information might be posted on your Facebook page for all to see.
- Getting cute: Yes, the goal of a password is to keep people out. But using that theme as your password – ‘password,’ ‘keepout,’ ‘letmein,’ ‘stayaway’ – will have exactly the opposite result of what you’re looking for.
- Cool words: Some words are cool and easy to remember. That also means that they aren’t just always on the tip of your tongue – they’re on the tip of hackers’ tongues too. Stay away from words like ‘dragon,’ ‘mustang’ and ‘ninja.’
- Sports!: Everybody loves sports, right? Well, hackers do too. If you’re inclined to pick your favorite sport as your password – don’t. Words like ‘football,’ ‘baseball,’ or ‘soccer’ aren’t worth the digital pixels that created them.
- Simple fixes: Taking passwords that are simple and adding the slightest of curveballs won’t work either. Just because you added a numeral or an exclamation mark – ‘passw0rd,’ ‘basebalL,’ ‘mother!’ – to your easily decodable entry key doesn’t mean your accounts are secure. They aren’t. It’s important to mix lower case letters, upper case letters, numerals and special characters into your password, but don’t be predictable about it.
What you can do: Develop complex passwords with a mix of lower and upper case letters, numbers and special characters and ensure you use a different password for each site, according to Dmitry Bestuzhev, a Kaspersky Lab researcher. “Remember, you can’t stop your service provider being hacked, but you can avoid a bigger disaster when all of your accounts get compromised at once just because you used the same password,” he said.
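The advice above can be turned into a mechanical check. The following is an added example, not code from SplashData, Schneier or Kaspersky: it rejects anything on the page’s top-25 list, undoes the “simple fix” substitutions (passw0rd, basebalL, mother!) before comparing, and applies the no-repeats, no-sequences, not-related-to-login and mixed-character-class rules. The 12-character floor and the small extra word list are assumptions; the page sets no length and a real deployment would use a full dictionary.

```python
"""Password-policy checker built from the rules quoted on this page.
Added example; not the code of any source the page cites."""
import re

# The 25 passwords listed on the page, in the published order.
TOP_25 = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
    "password1",
]

# Words the Kaspersky list singles out that are not in the top 25.
# Illustrative only (assumption); use a real dictionary in production.
EXTRA_WORDS = {"keepout", "stayaway", "soccer", "mother"}

# Undo the single-character substitutions behind "simple fixes".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

CHAR_CLASSES = [("lower case", r"[a-z]"), ("upper case", r"[A-Z]"),
                ("digit", r"\d"), ("special character", r"[^A-Za-z0-9]")]

MIN_LENGTH = 12  # assumption: the page itself sets no length floor


def normalised_core(pw: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, then undo
    leet substitutions, so 'P@ssw0rd!' -> 'password' and 'mother!' -> 'mother'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def has_sequence(pw: str, n: int = 3) -> bool:
    """True if any n consecutive characters form an alphabetic or numeric run
    (abc, 321) or walk along a keyboard row in either direction (qwe, ewq)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        win = s[i:i + n]
        codes = [ord(c) for c in win]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}) and (win.isalpha() or win.isdigit()):
            return True
        if any(win in row or win in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means the password
    passes every check derived from the page's advice."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low in TOP_25:
        problems.append("listed in the top-25 leaked passwords")
    core = normalised_core(pw)
    if low not in TOP_25 and (core in TOP_25 or core in EXTRA_WORDS):
        problems.append("simple fix of a common word (%s)" % core)
    if re.search(r"(.)\1\1", pw):          # 111, aaa, ...
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("keyboard or alphabet/number sequence")
    if username and (username.lower() in low or low in username.lower()):
        problems.append("related to the login name")
    missing = [name for name, pat in CHAR_CLASSES if not re.search(pat, pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed samples: the page's bad examples plus one passphrase.
    for sample in ["password", "P@ssw0rd!", "basebalL", "mother!", "abc123",
                   "correct Horse-battery 9 staple"]:
        verdict = check_password(sample, username="alice")
        print("%-32s %s" % (sample, verdict or "OK"))
```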
Take heed, and Happy New Year!
I wanted to share with you an article I came across recently written by a fellow Certified Security Professional, Corey Nachreiner of WatchGuard, which was published in the UK’s Business Computing World. It reinforces everything I have been saying to small business owners, particularly those in the professional industries who have an awful lot more to lose than a few sales records. I’m pretty certain I don’t need to remind all of you of the potential penalties for Data Protection breaches (up to £500,000), as well as unlimited penalties imposed by your regulatory body. Yet few organisations seem to take these threats seriously. I had an accountant recently argue that most of the research carried out into threats, vulnerabilities and breach disclosure is pure hype and should not be heeded. I told him I let someone else do my books…
Anyway, I hope the sensible majority of you take note.
All too often SMEs plan their IT security under the misconception that their networks and data are already pretty safe because they don’t have anything that would interest cyber attackers. Surely, organized criminals or “hacktivists” are going to be far more interested in going for the big targets that we read about in the news all the time such as Sony, HMRC, Subway and the University of Cambridge?
But the truth is that in recent years, cyber attackers have increased their focus on compromising small and medium enterprises (SMEs). A recent PwC report on security breaches showed that 76% of small businesses in the UK suffered a breach last year, with the average cost of their worst incident coming in at £15-30k.
There are two main classes of attack. First, the automated opportunistic attack, where a wide net is cast using mass emails, automated SQL injection, or automated network attacks to trap any victim. Everyone is the target of this attack – it’s just a numbers game. The second are specifically targeted attacks where a single organization or group of organizations is targeted, such as a group of companies in the same vertical market or public sector departments.
These attacks will usually consist of very targeted ‘spear-phishing’ emails attempting to lure victims to a malware site. What SMEs don’t realize is that attackers have been opportunistically going after them for years, but now they are increasingly targeting them more specifically.
It is clear that SMEs have been victims of the first type of attack for years now, whether they know it or not. Bot herders use automated techniques to try to ‘zombie-fy’ as many Internet connected victims as possible, without caring who they are, and they often end up infecting hundreds of small businesses this way. They then use these bot-infected SME machines as a stepping stone to gain control of the network and its sensitive, often valuable, data.
In its 2011 Data Breach Report, Verizon noted that although the number of stolen records may have dropped in 2011, the number of breaches actually increased over 5-fold, suggesting that the attacks were affecting smaller organizations.
However, it is the more recent increase in targeted attacks on SMEs that is even more concerning. Recently, my company has seen an increase in more targeted phishing emails that focus on very specific SME organizations. For instance, one recent email appeared to come from ADP, a company that helps SMEs manage payroll, among other things.
This spear-phishing email was designed to target accounting and HR people, with the aim of gaining access to payroll systems. Other research organizations and experts are also seeing the rise in targeted attacks against SMEs. Recently, Symantec released its latest Security Intelligence Report for 2012, which confirmed that targeted attacks against SMEs doubled during the first half of the year.
Why target SMEs?
There are a number of reasons why attackers might want to focus on SMEs. Certainly, in general an SME will have weaker defences than a larger organization. This is in large part due to the fact most SMEs still don’t think attackers target them, despite evidence to the contrary. A study done by The Hartford found that 85% of small business owners think a data breach is unlikely; thus they often don’t implement simple security controls. In the last few years, larger enterprises have been hammered with some big and very public breaches, and as a result, have beefed up their defences, making SMEs a much easier target.
An attack on an SME may even be just the gateway to bigger targets. Small and large businesses will often have many partners and these partners in turn will also have partnerships and connections with other, perhaps even smaller, companies. Attackers know they may not be able to storm the well-protected “castle,” but if they can get into one of the “guard’s” houses, they can use that to sneak in through a backdoor, metaphorically speaking.
SME breaches are also likely to pose less risk to the attacker. If you try to attack and steal millions from Google, you will quickly get onto the authority’s radar. However, if you attack small, lesser-known businesses and only steal a few thousand at a time, it may not even get reported. If you use automation to repeat this small theft many times, you can still make millions.
Finally, SMEs will still have very valuable information including customer financial data or commercially sensitive IP information. Don’t think anonymity protects you. If you are a small business, you are still a target.
New generation of phishing
SMEs need to be aware that the most common attacks impacting small businesses at the moment are well-crafted and targeted spear-phishing campaigns, which link to drive-by download sites. These targeted phishing campaigns have three things going for them:
- They are well-crafted compared to malicious emails of the past. They often look very legitimate and don’t have all the spelling and grammar mistakes old phishing emails had. Sometimes they will even inject HTML content from the company they are masquerading as, to make them look very legitimate.
- They target a very specific group or individual. By writing them specifically for a certain target at the organisation, that individual is more likely to interact with the message.
- They contain a web link rather than an attachment. While even small business employees realize they should be careful with email attachments, many users still don’t realize that attackers can hijack your computer from a malicious website. They feel safe clicking web links in emails, making this far more effective than having an attachment.
Protection for the SME
There is no silver bullet to keep safe from cyber-attacks, but defence is not as hard or as expensive as some SMEs assume. The only real way to protect yourself is to implement ‘Defence in Depth.’ This is the act of layering multiple security controls together to give the enterprise the best chance of protecting itself from the many types of attacks hackers leverage.
Unfortunately, today’s threat is very much blended; the hook may arrive via email, IM, or a social network, but the true attack may happen over the web. Then, the follow-up attacks in your network may happen over a number of network services. So you need different security controls like a next-generation firewall, IPS, antivirus, reputational services, and so on, to protect yourself from various aspects of these attacks.
Don’t let your small size lure you into a false sense of security. Instead, leverage today’s technology to implement many layers of defence, and keep yourself out of tomorrow’s cyber-attack headlines.
I am always interested to hear what precautionary measures you guys are putting in place. Security does not need to cost the earth, and convenience is no excuse for poor security.
Once again a public sector organisation has fallen foul of the Information Commissioner and received a hefty monetary penalty for Data Protection Act breaches.
The UK regulator has fined Greater Manchester Police after officers were found to be regularly using unencrypted memory sticks to store personal data. The poor data security practices came to the ICO’s attention following the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which also had no password protection, contained details of more than a thousand people with links to serious crime investigations. Despite similar security breaches in the past, the police force had not put restrictions on downloading information and staff were not sufficiently trained in data protection. The police force paid £120,000 because it took advantage of an early payment discount.
The reason for my post today is not to castigate the Chief Constable of Greater Manchester Police for ineffective security policy – that ignominy has already been suffered – but to highlight the dangers to every organisation, large or small, who may have to comply with the Data Protection Act, and the risks of negligence. Ask yourself if you hold a Data Protection license, and why.
If you are the data controller – defined in section 1 of the Act as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed” – you can be held liable should you suffer a data breach which potentially exposes personally identifiable information (PII). This can also be defined as “information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual”. That liability can extend to £500,000.
You need to review your policies and procedures – are they really adequate? You also need to consider whether or not you have taken the necessary technological measures to protect that data. Portable devices including laptops and memory sticks have to be encrypted. Ignorance is no excuse – if the Data Controller “knew or ought to have known there was a risk of the contravention occurring, or that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention” the penalties are significant, and possibly threatening to the future of the business.
This legislation is not just for big business or the public sector. It applies to all of us, potentially.
Don’t get caught out. It doesn’t cost the earth to protect yourself, or the interests of innocent others.
I wanted to share this with you all, courtesy of David Cartright at CloudPro, as further justification that “Cloud”, the current buzzword and trend, is not for everyone, and if not managed correctly will not deliver the economies of scale originally intended.
The 10 biggest mistakes made when moving (or considering a move!) to the cloud.
There are some compelling reasons to move to the cloud but it’s easy to make mistakes too. Here are ten of the most common…
Cloud computing can, of course, be a hugely satisfying thing to do. It can be cost-effective and straightforward whilst at the same time de-risking your organisation through the sheer reliability and high-end support of the remote infrastructure. This doesn’t mean that it’s a trivial thing to do, however, and it’s easy to make simple mistakes. Let’s look at the top ten.
1. Making the wrong decision to use the cloud
The first mistake that one can make is to choose the cloud when it doesn’t really suit the application or your organisation (or both).
Of course as we all know, cloud services can bring vast benefits to an organisation’s computing capability, but as with any technology there are times when it just doesn’t fit no matter how hard you try to persuade yourself it’s a good idea. Particularly if you’re a small company with no need for super-resilience, no knowledge of managing vendors and/or very simple requirements, you can spend more time and money administering a cloud infrastructure than you would if you had a handful of inexpensive servers in house.
2. Choosing the wrong machine for the job
In the cloud it’s just as easy to choose the wrong tool for the job as it is in an in-house application. Just because you use, say, Windows Server 2008 R2 for your in-house finance system, this doesn’t mean you should just map it onto a Windows installation in the cloud. Perhaps you chose a Windows platform internally because that’s the skillset you have; in the cloud someone else will manage the OS for you so why not consider, say, Linux? And of course if you take it a step further you can even decide to go for a fully managed application: given the choice of, say, a fully managed Oracle app on a fully managed Linux box, why wouldn’t you go for that if it’s faster than a Windows installation?
3. Bodging your user access
When you run applications in the cloud, user access can be easy or hard. And if it’s hard, the chances are it’s because you made it that way. What’s one of the key difficulties with in-house systems? Maintaining a collection of disparate user databases is one of the world’s greatest pains in the backside, and with a cloud setup there’s nothing different. Yes, it can take a little bit of effort to integrate the cloud service with your own directory service; and yes, it might take you a few minutes to persuade the higher-ups in the company that to do so isn’t a hideous security risk from Hell. But properly integrated user access is an absolute god-send – not least because it’s the only way you can be sure that when staff leave the organisation their access has been properly curtailed.
4. Disregarding geography
As we all know, putting an application in the cloud doesn’t mean that it’ll end up on arbitrary servers in random locations. The thing is, though, we don’t necessarily all know this – many newcomers to the concept think that you have to place your application at the mercy of the supplier’s load balancing and auto-failover engines. Consider your geography carefully, and consider the legalities of where your data sits and the logic of how close the app and the data are to the users.
5. Losing control of costs
It can’t be denied that the economics of cloud computing are compelling. When you look at the cost of a powerful server in the cloud and compare it with the price of buying the physical hardware, the argument for outsourcing is compelling.
It’s very easy, however, to lose track of the virtual machines, storage, IP addresses, load balancing and applications that you’ve set up (a fact which isn’t helped by the less-than-great user interfaces on some services). This can become very expensive, because although you don’t pay very much for each component, it soon adds up when you have several of each and you’re not careful to keep track and decommission unused entities.
6. Thinking the service manages itself
In a cloud service the servers, storage, networking and such like are all managed for you – unlike an in-house application that you need to employ people to look after. It’s easy to forget, however, that managed services can go wrong – so you’ll still want to monitor the service even though it’s not necessarily your problem to fix it. Fair enough, if you’re using a managed application service then the management task is minimal, but even then you’ll want to look at things like log file growth, database transaction file growth and such like because otherwise the cost of your back-end storage will quickly begin to approach infinity.
7. Running up too many virtual machines
When you have to buy physical equipment, you tend to be a bit sparing when it comes to doing so. The moment you start virtualising, however, that concept goes out of the window – even in an in-house virtual farm let alone a cloud one.
But why is that? Fair enough, the kit isn’t costing you anything, but you’re paying for an extra OS and even though the virtualisation layer lets you oversubscribe your RAM, disk and CPU you still have the overhead of context-switching between the various VMs. Oh, and more servers equals more stuff to manage. Back in the old days of physical kit one would run multiple applications on a single server – and there’s no reason you shouldn’t do so in a cloud world.
8. Thinking you don’t need backups
Cloud services tend to be multiply resilient – dual identical systems that can invisibly fail over in many cases, plus a third machine with similar configuration that’s used for seamless software upgrades. This doesn’t mean that you don’t want to back up your data and configuration from time to time, though.
While it’s likely that the service will never die and your world will be infinitely reliable, can you really put your hand on your heart and say it’s 100 percent certain? And don’t forget, although the big providers are unlikely to go pear-shaped in a hurry, you absolutely need to mitigate the risk of a smaller provider going to the wall and taking your crown jewels with it.
9. Missing the skills change requirement
The skills required for managing a cloud installation are radically different from handling an in-house setup. One of the big culture shocks of moving to the cloud is that the hands-on technical requirement will reduce and the vendor management aspect will ramp up noticeably.
You’ll also have something of a learning curve with regard to understanding the various technical offerings from the provider (RAM, CPU and disk are easy but when you get into virtual IP addresses and load balancing that ceases to be true) and the user interface will be a new discovery for you. It’s an easy mistake to think it’ll be easy, when actually it certainly isn’t.
10. Not cleaning up after yourself
Just as we told you to think about how many virtual machines you run, you also need to revisit this resource consideration frequently. Idle virtual machines and unused IP addresses cost money for no tangible benefit, so why pour money into a black hole by leaving them doing nothing? Just as you should employ the right combination of virtual hardware in the first place, so you should also ensure that you give up resources – even temporarily – if they’re likely to be unused for more than a modest period.
I am not a Cloud sceptic – far from it. However I am somewhat more pragmatic than the current crop of “Cloud Evangelists” who are completely indiscriminate when promoting their solutions. Think very carefully before making a costly and possibly irreversible mistake. As I’ve said before it’s not for everyone.
Business leaders need to take note quickly, and learn to recognize that information security risks are real risks to their success.
I read this article on SecurityWeek’s website, courtesy of its author Oliver-Christopher Rochford, a writer and Security Consultant from Germany. I found it so compellingly close to my real world experiences I wanted to share it accordingly. Clearly there is a place for security people despite their apparent “lack” of business sense. I mean, what do we really know?
Security professionals are often seen as being difficult to deal with. They can be perceived as throwing a spanner in many a good idea, and their incessant demands and the restrictions they try to impose can seem like an artificial bottleneck on getting something to market or into production rapidly. Often, we are accused of not being “business-minded”, or something to that effect. Let us take a little time to gloat and at the same time throw that ill-conceived misconception on to the bonfire of myths and old wives tales.
Some estimates had put the total cost of the infamous Sony attack to be upwards of $24 billion. More difficult to quantify is the accompanying brand damage. Sony announced a 2011 annual loss of $4 Billion, which admittedly cannot be entirely blamed on that security catastrophe, but without a doubt did play its part in contributing towards the total loss. This breach came at a time when Sony had already been struggling to compete against newer market participants in other areas, and needed its entertainment arm to perform strongly to offset this more than ever.
Recently, Global Payments, Inc. was removed from Visa’s PCI compliant service providers and saw a 9% drop in its stock price after it suffered a data breach in March 2012. This happened to a company that earns its bread and butter primarily with card processing, and still did not do what was necessary to protect its core business.
VASCO Data Security managed to lose the $13 million it paid to acquire DigiNotar, after it went bankrupt in 2011 and had to wind down to the tune of a further $5 Million after a cyber attack forced it out of business.
Nortel Networks was the victim of decade long industrial espionage targeted at its actual Intellectual Property rights and development data. Nortel now does not exist. In its day, it was one of the largest suppliers of telecommunications and network equipment in the world.
I am a layperson when it comes to business, but to me it seems like bad security is really, really bad business.
Looking at the average cost of a data breach, who is more business minded? The security professionals that may have prevented these high-cost, brand and capital destroying disasters, or the business professionals that made the bad business decisions that ultimately prepared the stage for these breaches?
If that is being business minded, I will take the accusation of not being business-minded as a well-intended compliment. I may be naïve, being only a security guy, but I have always worked under the impression that practicing good business means that you create something that is scalable, that is sustainable, that avoids making unnecessary huge losses and if possible, tries not to gamble with the good data and thus the brand love and loyalty of its customers. That sounds like bad business in a nutshell to me.
The problem, as most problems of this nature usually are, is based on history, tradition and of course ignorance. Business thinking has not yet evolved to be aware and take into account the new challenges and demands on strategy and operations that these wide-sweeping changes in how we communicate and use technology have ushered in, even while the consequences of the failures to adapt are visible in plain sight for all to see.
Business schools barely touch on Information Security or Information Risks. That is a fatal shortcoming in this new world of ours, where so much business is now conducted digitally and virtually that the economy would grind to a standstill if the net was unavailable even for a short while. The world has evolved and progressed. Commercial interests have been quick to jump on the possibilities this has opened, stamping out and saturating entire new markets out of thin air that a decade before were just the ravings or fanciful notions of some hardcore geek. Yet businesses are still struggling with the other consequences of this evolution and have yet to acknowledge that we are not in Kansas anymore.
There is much talk of the modern CISO having to be more business savvy, and how the role should be focused on being business-enabling. I say that is 20th century thinking at its worst, and it stems from a complete lack of understanding of where we are and especially of where we are actually going.
I don’t buy into the argument that the aim or intended task of security is to enable business. It is meant to ensure that your data, your IP, your communications, your assets, are adequately protected, that stockholder value is sufficiently guarded, and that the business can thrive for many years to come.
Nor is it really just up to the CIO or other security staff to make a company secure. Security has to be in the fabric of an organization, or it will never be holistic, and thus effective. Any other approach will lead to a business with security; but not to a secure business. The successful business leader of the future will have to be more security aware, and will have to be more mindful, considerate and respectful of information security and its implications than ever before.
This is not a matter of a lack of training or insufficient time either. Security awareness is not a skill. It is a mindset. A mindset born out of an understanding of the risks and problems involved and the resulting “informed paranoia” that develops when you do so. And that mindset is now a business requirement in and of itself, if you want to run a business in this day and age, and even more so in the future.
We are on the precipice of a new age that will fundamentally change the way the world functions, communicates and organizes itself. We are currently only seeing the shadow of it, but it already provides a glimpse of the outline of what is to come, and boy, it is a major cataclysmic paradigm-breaking game changer. Businesses will have to evolve quickly to adapt to this new era, because failure to do so will spell the end for any organization that does not, be that with a big bang or with a whimper.
In that light, the outlook for many companies based on recent events and current attitudes is not particularly good. Security is considered an extra cost without measurable benefit, an afterthought or something to implement to be compliant.
A good analogy is the Dodo. That the Dodo is extinct is well known, but less discussed is how it came to be that way. Its habitat was the island of Mauritius, where for many millennia it lived a carefree life without fear of predators or much competition aside from other Dodos. Life was simple, life was good, leaving the Dodo to live carefree and concentrate on finding food. Then times changed drastically, and disastrously for the poor, carefree, oversized bird. Man found Mauritius, and with Man came dogs, pigs, rats, and a variety of other threats and competitors that the Dodo was ill-equipped to cope with.
There are stories that it was possible to walk up to a Dodo holding a club, and it would watch you beat it to death, having no sense of danger or risk. Much like most victims of an SQL injection attack, really. Roughly a century after the first recorded accounts of the Dodo, it ceased to be; extinction left only some bones and a few plaster casts to wonder about. And that despite the fact that its meat was described as tasting rather bad.
We are in a similar situation. Barely 20 years ago, there were no mobile phones in day-to-day use, offices still did almost everything on paper, and networks were usually intended to carry faxes and print jobs. Now we are no longer isolated, nor left in peace to live our carefree little lives free of outside pressures.
No stockholder, customer or voter wants someone in charge who is unable to understand and assess risk and security, as a hapless and incredibly misguided UK Minister recently had to be reminded of, so it will not take long before the same will come to apply to executives, and business overall by extension.
And when enough people, especially ones in the know, acknowledge that current business practices with regard to security are unsustainable, you know that someone is already staring at that kind-looking, smiling man walking towards him with a club in hand, wondering whether he may be bringing something to eat.
Cybercrime, cyberterrorism, cyberespionage and cyberwarfare. These are now a permanent feature in the threat landscape, making them actual business issues, with all that that implies.
With security ecosystem predators like Anonymous, Chinese hackers, Iranian cyber armies, foreign intelligence agencies, corporate spies and other less obvious hunters such as the media (as in the case of the UK newspaper hacking scandals) circling the old, weak and lame in the herd, natural selection will kick in with a vengeance. As in nature, when a new ecological niche is introduced, the food chain soon begins to establish itself and finds equilibrium, with those players not able to adapt quickly enough providing easy prey for the others.
Management and business leaders will have to take note quickly, and learn to recognize information security risks as real risks to their success, or they will go the way of the Dodo.
Social engineering is possibly the most effective hacking exploit we may face today – and possibly the easiest to perpetrate. Why?
Because it is human nature to want to help. This is an extract from a recent publication that I found illuminating, and essential for anyone concerned about such threats. Education, education, education.
So, what is Social Engineering?
Social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.
Famous hacker Kevin Mitnick helped popularize the term “social engineering” in the ‘90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages.
What Social Engineers Want:
The goal for many social engineers is to obtain personal information that can either directly lead them to financial or identity theft or prepare them for a more targeted attack. They also look for ways to install malware that gives them better access to personal data, computer systems or accounts, themselves. In other cases, social engineers are looking for information that leads to competitive advantage.
Items that scammers find valuable include the following:
- Account numbers
- Any personal information
- Access cards and identity badges
- Phone lists
- Details of your computer system
- The name of someone with access privileges
- Information about servers, networks, non-public URLs, intranet
How Social Engineers Work:
There are an infinite number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB in your computer that gives him access to your corporate network.
Typical ploys include the following:
Stealing passwords: In this common manoeuvre, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.
Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system.
For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.
Impersonation/social network squatting: In this case, the hacker tweets you, friends you or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him a spreadsheet or giving him data from “the office”. “Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker,” says Desautels.
Posing as an insider: In many cases, the scammer poses as an IT help desk worker or contractor to extract information such as passwords from an unknowing employee.
“Roughly 90% of the people we’ve successfully exploited during [vulnerability assessments for clients] trusted us because they thought we worked for the same company as them,” Desautels says. In one case, a Netragard worker posed as a contractor, befriended a group of the client’s workers and set up a successful phishing scheme through which he gleaned employee credentials, eventually gaining entry to the entire corporate infrastructure.
State of the State:
Social engineering attacks are widespread, frequent and cost organizations thousands of dollars annually, according to research from security firm Check Point Software Technologies. Its survey of 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand found almost half (48%) had been victims of social engineering and had experienced 25 or more attacks in the past two years. Social engineering attacks cost victims an average of $25,000 – $100,000 per security incident, the report states.
“Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information,” according to a statement from Check Point on the survey. “Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization.”
Among those surveyed, 86% recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The most common attack vectors for social engineering attacks were phishing emails, which accounted for 47% of incidents, followed by social networking sites at 39%. New employees are the most susceptible to social engineering, according to the report, followed by contractors (44%), executive assistants (38%), human resources (33%), business leaders (32%) and IT personnel (23%). However, almost one-third of organizations said they do not have a social engineering prevention and awareness program in place. Among those polled, 34% do not have any employee training or security policies in place to prevent social engineering techniques, although 19% have plans to implement one, according to Check Point.
For the full guide to social engineering click here: Social Engineering-Ultimate Guide
I was recently commissioned, on behalf of a compliance adviser practice, to carry out an information security review of a 30-user financial services organisation located in the Midlands. Obviously fully aware of the likely penalties the FSA can administer, as well as the threat of the Information Commissioner’s Office imposing a fine of up to £500,000 for Data Protection breaches, the firm’s directors had taken a hugely responsible approach to this very serious matter.
Despite having already implemented a variety of security controls under the guidance of their IT service provider, the firm considered it important enough to perform a review to reassure clients and stakeholders that they do take information security seriously – a philosophy that is often overlooked in favour of so-called “higher priorities”.
What did it involve?
To minimise costs and the time it takes to carry out a full security audit, I gave them an initial questionnaire to fill out. It was developed primarily around the FSA’s best practices guidelines, as detailed in their scathing report titled “Data Security in Financial Services – Firms’ controls to prevent data loss by their employees and third-party suppliers”.
After looking at the results, I carried out an interview with the practice manager (although it can be a partner / director responsible for IT and security), and the contracted IT service provider. Sometimes it’s considered inappropriate to include the IT service provider due to a lack of technical expertise, although it certainly wasn’t in this case.
I was then able to provide them with a report outlining the good and bad practices within the organisation and highlighting areas of concern that need addressing, in order of priority. From start to finish, the whole thing took two days.
This was a high-level system security review intended to establish the risk appetite of the business in general, and not a thorough interrogation of the systems internally or externally through penetration testing. But what it does do is help senior management focus their attention and help mitigate the threats the financial sector faces. It is, after all, the most targeted industry sector for the cyber criminal.
Feel free to contact me directly if you believe your organisation could benefit from a similar review.