While some cyber security attacks focus on destruction and damage to reputation, more common in this decade has been the widespread and rampant theft of data creating challenges in maintaining appropriate levels secrecy and data protection. To complete the theft once the data has been compromised, a successful attack will need to exfiltrate the data to the attacker for further exploitation. Here are the 5 scenarios of data exfiltration.
While there has been much written on the perils of the current talent gap, not nearly as much focus has been spent on the skills gap. Nearly 1 in 4 candidates are not qualified for the positions they seek in cyber security, and the higher education systems as well as in house development practices are often obsolete or at least ineffective. Basic writing and persuasive communications are severely lacking, imperative cognitive thinking skills can be non existent, and scripting tends to be rudimentary at best. Mid-way through my own masters degree journey, I have a unique perspective as both a hiring manager and a student as to how to begin addressing this growing issue.
Our culture has become increasingly dependent on software for automation, productivity, and quality of life; the interconnectivity of nearly everything, market-labeled “the Internet of Things,” has only increased this dependency. The software that delivers these services exists on a wide variety of platforms from traditional computers to handhelds to game machines and even appliances such as alarm clocks. Application developers are driven to deliver increasingly complex innovative features and functionality faster. Today, system and software vulnerabilities are being revealed and exploited in those applications at a disastrous pace, and the need for identifying application layer vulnerabilities before the malicious user community does has become increasingly more dire. Bug bounty programs are a crowd-sourced collective with a large and potentially well-motivated force, they can be difficult to run and potentially empower the very bad actors they mean to prevent. There is no substitute for strong security by design and robust testing through a Systems Development Life Cycle (SDLC); together, these programs are essential to a safe Internet, offering more cyber security benefits than traditional testing, are more effective at uncovering security flaws quickly, and are generally less expensive.
The difference between an audit and an assessment essentially is the objective of each. An assessment analyzes the potential for things to happen in the future, while an audit reacts to how things were done in the past. One is no more or less important than the other, and people react to them very differently.
In an audit, there is a specific process or control “standard,” and an explanation of how activity should be performed to prove effective, essentially validating things are being done as they should be done. The primary objectives are to check whether described processes effectively conform to the stated standards, and whether the operators are following the described processes accurately.
In an assessment, there is no “standard;” they identify the current reality without the constraints of pre-defined problems. It accounts for emerging risks and reveals new insight. The primary objective is to provide direction for improvement efforts towards the goal of an ideal state within an organization’s risk tolerance.
After the major data breach at Sony this December, the Houston Chronicle published an article “Imagine If a Major Oil Company Got Hacked.” They proceeded to report “For example, can you imagine reading emails from Exxon Mobil’s top management about relations with Russian President Vladimir Putin? Imagine the documents that hackers could obtain if they broke into the servers at BP, Chevron or Royal Dutch Shell? What would happen to one of these companies’ stock price if suddenly a good portion of their emails became public? What would happen to the sector? Hackers could probably find something embarrassing enough to try to blackmail these companies. Sony has shown that if pressed hard enough, and long enough, a major corporation will crack… most major corporations say they maintain strict cyber-security standards. The problem is that professional, determined hackers tend to stay a step ahead.” The Houston Chronicle got most of it right, except that we don’t have to “imagine” a major oil company getting hacked. It’s happened already.
Recently, I was asked for an Internet Safety presentation for a scout troop. It occurred to me that the approach for an Internet Safety Presentation for children can be a bit daunting in a world where it’s possible, if not probable, that the audience is more tech savvy than the presenters. The Internet today is different even for younger families who must be aware that “online” is much more than spending time on the computer and traditional PC controls and monitors are not sufficient; online can be game machines, phones, or even an alarm clock (anyone else remember the Chumby?) A check on my own home router showed over 2 dozen internet connected devices! Much like a large metropolitan city, the Internet is an amazing place with some of the finest examples of our culture, available at the click of a button or swipe of a few gestures. It is also home to a plethora of material that is not appropriate for all ages, creeds, or cultures. One would likely never drop their child off in a big city and expect them to explore it unprotected and remain safe.
Bilateral education and communication is key; continual conversations about what is appropriate, what is not appropriate, and what dangers to look out for should be mixed with a genuine understanding of the technology and applications that are being used. Just like the real world, educate children on how there are bad people in the world while taking the time to understand from them what the real world influences are that are impacting their safety. Ensure they are comfortable talking to you about risks and that you are comfortable asking them to explain to you about the technologies they are using. There are many resources available for Internet Safety, some are better than others. Here is a short list of some useful resources that are particularly helpful:
- Protect your home. It’s not enough to simply protect the home computer anymore, protecting your network at the router helps protect all of the devices in your home. Open DNS (http://www.opendns.com) is a great free service that is simple to set up and use; it is excellent for filtering and protecting against malicious interweb (website) activity and other internet services. Secure The Human (http://securethehuman.org) has a great infographic with a lot of helpful tips for securing the home:
- Educate each other. McAfee (yes, the anti-virus guys) has a service, InternetSafety.com (http://www.internetsafety.com/internet-safety-presentations.php) with a good Internet Safety presentation that is age-appropriate for teens and tweens. Use this to present to a group of children or young adults and couple it with this presentation from (ISC^2), an organization focused on educating security professionals, for their parents:https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/top-ten-tips.pdf
- Get professional help. Safe and Secure Online (https://www.isc2cares.org/safe-and-secure/) is a partnership with Childnet International and is a valuable collection of resources that can be tapped to bring certified, accredited, and screened information security experts into classrooms or groups. It’s a volunteer program where professional security volunteers visit school classrooms or community organizations as guest speakers, teaching children ages 7-14 about online safety and responsibility. You can get an information security expert by signing up at their website who will spend about an hour at no charge to teach students and their parents how to be “educated, responsible digital citizens.” The (ISC)² Safe and Secure Online (SSO) program can gear their instruction to groups of children ages 7-10, 11-14, or even their parents.
Although a lot has not been made clear yet about the recent announcement that a Russian crime ring had amassed 1.2 billion user identities (a combination of user names and passwords), one thing that should be clear is that protecting your online identity with simply a password is not good enough. This type of identity theft activity has been going on for years and is why major social and email Internet sites offer multi-factor authentication to their users. Even computer social gaming sites like Steam and Blizzard offer multi-factor authentication to their players.
Multi-factor authentication is the use of two of the three established ways to identify a person’s identity, what you know (like a password), what you have (physical token or even your cell phone), and what you are (DNA or fingerprints). Using multi-factor authentication is the best way currently available to ensure your accounts don’t get abused. Multifactor authentication increases security by adding another barrier to entry; it requires something you’ve committed to memory (like your password) and something you have in your pocket (your phone or FOB). By adding this additional authentication to access an account, you are requiring yourself, and also the bad guys, to have two forms of identification.
Enabling multi-factor authentication is an extra step initially; however, most service providers will make this easier for users by allowing users to trust certain mobile devices or computers, essentially establishing a registered personal device as ‘something you have.’ Wherever possible, it is a good idea to leverage any multi-factor authentication that your favorite service offers; if it’s not obvious how to do it or if its offered, contact their support service. Here is a list of some popular Internet sites and how you can set up multi factor authentication to protect yourself:
- Apple: Apple’s two-factor authentication sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine.
- Bank of America: They use a feature called “SafePass.” It lets a user authorize transactions using one-time, 6-digit passcodes.
- Chase.com: To activate, their users need to request an “Identification Code,” which gets delivered by email or text message. Users can then enter their secure mobile site, https://m.chase.com.
- Dropbox: Dropbox’s two-factor authentication sends you a 6-digit text message code; it also will let you set up Google Authenticator. Dropbox will also allow a user to trust a device.
- EBay: EBay’s Secure KeyFob supports a hardware FOB with a tumbling key on a keychain.
- Evernote: Evernote users can use the Google authenticator app Google Authenticator, premium users can also receive a code via text message. Evernote will also allow a user to trust a device.
- Facebook: Facebook uses a feature embedded into their mobile app called “Code Generator.” Facebook will also allow a user to trust a device.
- Google/Gmail/YouTube: Google uses a smartphone app to enable two-factor authentication which sends you a 6-digit code called Google Authenticator and is for Android, iOS, and BlackBerry. Google will also allow a user to trust a device.
- LinkedIn: LinkedIn’s two-factor authentication sends a 6-digit code via SMS. LinkedIn will also allow a user to trust a device.
- Microsoft Accounts (including Office 365): Microsoft’s two-factor authentication sends you a code via text message or email; they also support other authenticator apps like their own authenticator app or Google Authenticator. Microsoft will also allow a user to trust a device.
- PayPal: PayPal’s two-factor authentication sends you a 6-digit code via text message. Paypal will also allow a user to trust a device and also support their secure Key FOB.
- Twitter: Twitter will enable two-factor authentication by sending a 6-digit text message. Twitter will also allow a user to trust a device.
- Yahoo! Mail: Yahoo’s two-factor authentication sends you a 6-digit code via text message. They will also allow a user to trust a device. NOTE: As of this writing, AT&T’s version of Yahoo mail did not seem to support the multi factor authentication.
Hello. This blog was offline for a bit, but will be back shortly.