Category Archives: Education

Seeing the Light of Security…

A recent article in DFI News discusses some interesting research by physicists at Heriot-Watt University and the University of Strathclyde. They are working with tiny particles of light to create a new way of verifying electronic messages and transactions as authentic, helping address the huge cost of e-crime and avoiding potentially catastrophic fraud, online hacking and theft of digital data.

The article describes how the research shows that photons can be used to verify the security and authenticity of any transaction or communication with a “digital signature.” The article specifically states that it does the following:

Quantum-based secure signatures mean that an “eavesdropper” — a malevolent third party listening in — cannot fake a signed message which is being sent to multiple recipients.

  • The sender writes the signature with encoded light particles and sends it to the receiver
  • The receiver cannot yet read the signature. However, it can be sure it received an authentic signature
  • To confirm a message is authentic and to also read it, the receiver has to receive both the message (the “signature”) plus additional information required to decipher it
  • The multiple receivers confirm that they have received identical signatures – only then does the sender provide the additional information required to read the signature
  • This process takes place without the user (e.g. a shopper) being required to do anything differently to current security methods
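The ordering of those steps (distribute the signature, have the recipients compare what they received, and only then release the information needed to read it) is the part worth understanding. The following Python is an added illustration of that flow and is not code from the article or from the Heriot-Watt/Strathclyde research: it stands in a classical HMAC commitment for the encoded light particles, so it mirrors the sequence of steps but does not carry the physical guarantees of the quantum scheme. The message text, the three recipients and the forged delivery are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed model of the "send, compare, then reveal" flow. A keyed hash
# commitment plays the role of the encoded photons; this shows the protocol
# structure only, not the quantum scheme itself.


def make_signature(message: bytes) -> Tuple[bytes, bytes]:
    """Sender step: pick a fresh secret key and commit to (key, message).

    The commitment is the 'signature' each recipient gets first. Without the
    key a recipient cannot yet check the message against it.
    """
    key = secrets.token_bytes(32)
    commitment = hmac.new(key, message, hashlib.sha256).digest()
    return key, commitment


def recipients_agree(copies: List[bytes]) -> bool:
    """Recipients compare the signature copies they each received.

    A constant-time comparison avoids leaking where two copies differ.
    """
    return all(hmac.compare_digest(copies[0], c) for c in copies[1:])


def verify(message: bytes, key: bytes, commitment: bytes) -> bool:
    """Final step, once the sender has released the key: recompute and check."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, commitment)


def run_protocol(message: bytes, tamper_with: Optional[int] = None) -> Dict:
    """Drive the whole exchange for three recipients.

    tamper_with optionally replaces one recipient's copy, standing in for a
    forged or altered delivery by a third party.
    """
    key, commitment = make_signature(message)
    copies = [commitment] * 3
    if tamper_with is not None:
        forged = hashlib.sha256(b"forged " + commitment).digest()
        copies[tamper_with] = forged

    agreed = recipients_agree(copies)
    # The sender releases the key only after the recipients report agreement;
    # a mismatch stops the protocol before anything can be read.
    released = key if agreed else None
    verified = [verify(message, released, c) for c in copies] if released else []
    return {
        "agreed": agreed,
        "key_released": released is not None,
        "verified": verified,
    }


if __name__ == "__main__":
    print(run_protocol(b"transfer 10 EUR to account 42"))
    print(run_protocol(b"transfer 10 EUR to account 42", tamper_with=1))
```

In the honest run all three recipients hold identical copies, the key is released and every copy verifies; in the tampered run the comparison fails, the key is withheld and nobody reads the message, which is the property the article is describing.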

When physicists begin looking at how they can impact and improve e-commerce, you know there is a large amount of money at stake. It will be interesting to see how this can be implemented in the real world and also how it will be circumvented…



South Carolina’s Majority of Social Security Numbers Exposed…

In an article in Dark Reading, South Carolina officials announced that more than three-quarters of the state’s Social Security numbers were exposed in a recent hack. The data included debit and credit card information for the state’s residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held not only to federal regulatory requirements, but also to PCI. This type of failure is not acceptable.

While not everything has been released as to the cause, other than that the database was breached and not encrypted, the article states the following:

Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.

It is easy to conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. State and federal governments should be setting the example for the rest of business…Another instance where measure twice and cut once should have been put in place…
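Since SQL injection is the experts’ best guess, it is worth seeing exactly what the “simplest way in” looks like next to the fix. The Python below is an added example, not code from the article or from South Carolina’s systems: it builds a constructed in-memory SQLite table of made-up usernames and Social Security numbers, runs the same lookup once with the user’s value pasted into the query text and once as a bound parameter, and shows that a classic tautology probe dumps every row from the first and nothing from the second.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for a revenue database; every value is
# made up for this illustration.
ROWS: List[Tuple[str, str]] = [
    ("alice", "111-11-1111"),
    ("bob", "222-22-2222"),
    ("carol", "333-33-3333"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table so the example runs without any server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxpayers (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO taxpayers VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text.

    Quote characters inside the value become part of the statement, so the
    WHERE clause can be rewritten by whoever controls the input.
    """
    sql = "SELECT username, ssn FROM taxpayers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never SQL."""
    sql = "SELECT username, ssn FROM taxpayers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # A well-known tautology probe; constructed here to contrast the two paths.
    probe = "' OR '1'='1"
    print("normal, vulnerable:", lookup_vulnerable(db, "alice"))
    print("normal, safe:      ", lookup_safe(db, "alice"))
    print("probe, vulnerable: ", lookup_vulnerable(db, probe))  # all rows
    print("probe, safe:       ", lookup_safe(db, probe))        # no rows
```

Parameterised queries remove the class of bug rather than trying to filter individual bad characters, which is why every review of a breach like this one asks the same question first.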


Weather To Have Security or Not…

Millions of people are feeling the effects of Hurricane Sandy along the East Coast of the United States. Natural disasters occur all the time all over the world, but many times some of the basic precautions do not get addressed in advance. Many will ask how this topic deals with technology or security, but the answer is simple…it just does. Most businesses will have a process or procedures if a server crashes or the phone system or Internet goes out for a couple of hours, but how many businesses address the longer-term impacts of flooding, or the fact that your cloud provider lost one or more of its data centers?

The reality is that business continuity planning and disaster recovery planning should include these types of scenarios: planning for both short- and long-term outages. Whether it is an earthquake, tornado/hurricane, or flooding, the planning needs to be there, along with an assessment of how the event could impact your business from a safety and financial standpoint. If you take this recent storm as an example, many businesses lost power and will be flooded for days, potentially having a strong negative impact on their customers. In fact, the NYSE closed for multiple days as a result of the storm, and that has not occurred for weather-related issues since the early 1900s.

The bottom line is to plan. Make business continuity and disaster recovery a part of your process, and then also test those processes. The last thing your business needs during an outage is to fall back on a process that does not work or has never been tested. Now, we know that security and the business have to evaluate risk. If not being prepared is an acceptable risk, then that is the business decision you will need to make…


Are You Satisfied With Nothing…

Are you a small business? Are you satisfied with your customer and business data security? According to a recent survey of small businesses by Symantec and National Cyber Security Alliance, 86% state that they are. In an article in SC Magazine published 10/22, some of the interesting details of the survey are discussed.

According to the article, 86% are satisfied with the level of security protecting the customer and business data of their businesses. In addition, 77% of the small businesses surveyed believe that their business is safe from any breach. According to the article about the survey, the following is what is most concerning:

However, 87 percent of respondents have not written a formal security policy for employees, 83 percent lack any security blueprint at all and 59 percent have no plan in place to respond to a security incident.

These statistics are very concerning. If you take this survey of 1,015 small businesses (250 employees or fewer) as representative of all small businesses, the results are frightening. Even if you take it with a grain of salt, it is scary that no planning is being put in place by most. One can only guess why a business would not put a plan, even a basic one, in place. Is it the cost of security, or a “this business is too small to be hit” mindset? Whatever the rationale used to make the decision, it was a decision to accept the risk of compromise and breach; but as more and more businesses begin to use cloud services and other mechanisms on the Internet, they are turning from an obscure local “mom and pop” business into one with a larger footprint that can span the globe.

Preparation is always a wise decision. Whether you document that you bought a top-of-the-line next-gen firewall and intrusion protection system, or that you just changed the Linksys encryption from WEP to WPA2 and changed the default admin password, the documented plan is a step in the right direction. Remember, it is important to measure twice and cut once.

In closing, the following quote is something for everyone to consider:

“Invincibility lies in the defence; the possibility of victory in the attack.” — Sun Tzu


Phishing for HTML 5…

On Oct 8th, the blog Feross.org posted a good article on using HTML5 for phishing. Now, to most security professionals, this type of attack will be easily spotted, but it is meant for the same group of people who help feed the African prince who is trying to pay you by transferring his money through your bank account. In addition, it also targets those people who do not validate the websites they go to or who allow scripting on all sites.

This article could be used to help educate users, although in a highly technical way, in how to look for and prevent the success of this type of attack. It is important to remember that all the technical defenses applied to a network or system can be circumvented by uneducated or unaware users who do not practice proper security principles.


Taking the Hacker and Heading Home…

Many may have heard of the ongoing dispute between England and the United States about the pending extradition of British hacker Gary McKinnon. Well, the wait is over: British Home Secretary Theresa May, in an announcement yesterday before Parliament, stated that she would block the extradition of Gary McKinnon. She based her decision on several medical examinations and his Asperger’s Syndrome diagnosis. He has been charged by the United States with hacking into highly classified Pentagon computer systems, in what McKinnon alleges was a search for proof of extraterrestrial evidence. USAToday.com has a good article on the coverage.

According to the article:

Officials in Washington expressed disappointment at the outcome, and State Department spokeswoman Victoria Nuland said the decision meant McKinnon would not “face long overdue justice in the United States.”

British prosecutors will now decide if he should face charges in the U.K.

There has also been discussion that England will renegotiate the extradition treaty to make it harder for British citizens to be extradited to the United States.


The Cost of Monitoring Saves You Money…

An article in Dark Reading discusses a recent study showing that the costs of cybercrime are reduced through intelligence, which includes monitoring. The study by the Ponemon Institute was a survey tallying the cost of cybercrime. The study surveyed 56 companies, and these companies lost on average $8.9 million per year due to cyberattacks. Based on the survey, companies that detected attacks slowly incurred greater costs. In the 2012 survey, companies needed 24 days, on average, to resolve a cyberattack, which in turn created a hefty bill of more than $590,000 per incident — 42 percent more than the previous year.

While many businesses see information technology, and especially information security, as a cost center, it has always been a hard sell to prove or show that security controls, including network and security monitoring, help save money. Most of this is because of the hefty price tag that usually comes with the implementation and ongoing maintenance of these systems.

According to the article and study:

“Some organizations seem to experience a lower cost, but not a zero cost, if they do certain things,” says Larry Ponemon, chairman and founder of the survey firm. Security intelligence “is really important and helpful — not only in the detection of the cybercrime — but in the containment and ultimately remediation of the crime.”

Companies that had deployed security information and event management systems or intrusion detection systems had, on average, $1.7 million less in cybercrime costs, according to the Ponemon survey. Companies that had implemented access and identity management tools saved $1.6 million, and the deployment of tools to help with governance, regulation, and compliance trimmed $1.5 million.

It is easy to understand that technologies for monitoring and gaining intelligence on threats, called “security intelligence” within the report, correlated the most with a reduction in cybercrime costs. As mentioned above, while the costs were not reduced to zero, the reduction provides a good basis for implementing or continuing these functions within a business.


October is Cyber Security Awareness Month…

It is Columbus Day, October 12th, and it is also Cyber Security Awareness Month. Columbus Day is targeted at the general public in America and is meant to remind people of the man who was initially credited with finding the “New World.” Likewise, Cyber Security Awareness Month is generally directed at general users and consumers to remind them about security.

Are you really learning about, or aware of, the “New World” and the changing world of cyber security? While Columbus is now known not to have been the real finder of the New World (evidence shows it was the Vikings or even the ancient Egyptians) and brought a great amount of disease to the region, you and your company can be the first to help make your staff, family, and friends aware of the need to be more steadfast on security. You can help prevent the damage and effects of bad security practices, stolen identities and breached access. While some people may have heard it before and follow decent security practices, we all need to be reminded, and some people may not have heard it before.

SANS has been providing a good deal of “Awareness” material for the technical and newbies alike. The one thing to remember is that, like muscle, security practices and knowledge need to be exercised and reinforced to keep up strength and awareness. It is the same reason periodic training is required of specialists, whether a doctor, soldier or other professional – training and education are still important to keep up the skills that protect and help…

The main Cyber Security Awareness Website – http://www.staysafeonline.org


Academics and Security Are Not Always Hand-in-Hand…

Two separate articles in SC Magazine point to a slew of issues with universities maintaining privacy and security.

In the first article, the University of Chicago sent out postcards to its 9,100 employees reminding them of their benefits open season. They added the extra bonus of including the employees’ Social Security numbers on the cards as well. The school stated:

A school official said there is no reason to believe outsiders had misused any of the information. The university also recommended that employees securely get rid of the postcards.

The problem is that it only takes one “outsider” misusing the information once to potentially ruin someone’s life.

In the second article, the anonymous hacktivist group GhostShell recently posted data from multiple universities. The leader of the group tweeted about the hack along with a link to the Pastebin data.

In the Pastebin message, GhostShell said that the recent attacks were launched to bring attention to various grievances the group holds toward the educational systems in the United States, Europe and Asia. The hackers cited growing tuition fees, frequently changing laws and heavily regulated teaching.

Furthermore, the group also noted that many of the systems targeted had already been infected with malware. Since these universities are meant to educate the future in various fields, one of them being computer science and technology, it would make sense for these universities to apply the concepts and principles of security within the systems they use.

While governments and other organizations make mistakes, it is understandable that similar things would occur in academia; but regardless of where it happens, the old saying “measure twice, cut once” needs to be driven home in everything we do. Whether it is sending out a mail merge or building a network, good security practices need to be a part of the thought process and the routine.
