Thursday, April 2, 2015

Good Cyber Security Can't Be Bought at Wal-Mart

By Sue Poremba

Cyber security is a top concern in the IT industry today. In this series, we will look at various threats to cyber security--and what steps businesses can take to meet those threats head on in order to get good cyber security. 

If the solution to the problem of how to get good cyber security was packaged in a box and sold at Wal-Mart, IT professionals would have nothing to worry about. They could arrange for employees to pick up their security package when activating their new smartphones.

Unfortunately, getting good cyber security isn't that simple. Good cyber security practices aren't purchased in a store: they have to be taught.

And the sad reality is, most employees aren't receiving a solid cyber security education. In fact, according to a survey commissioned by Sungard Availability Services, IT professionals believe that employee behavior is one of the biggest threats to company cyber security efforts. The biggest security-related concerns are employees who are careless with their mobile devices and employees who have poor password hygiene.

"The weakest link in security is between the keyboard and the seat," said Kevin Epstein, Vice President of Advanced Security and Governance with Proofpoint. "There are few security systems that can withstand the efforts of a user with a mouse who's determined to click. Many if not most of the major breaches in the last twelve months have been initiated by a user clicking a link in a phishing email. Education can reduce--though not eliminate--such behavior."

There are several reasons why it is important to educate employees on cyber security. The first is to protect organizational data (e.g. new and current designs) and information related to customers or suppliers, said Gary Griffith, Faculty Member with the School of Information Systems and Technology at Walden University. The second reason is to prevent downtime or loss of productivity due to attacks on the company's technical equipment. "Employees should understand or know about the harm these attacks can cause, including shutting down facilities for days while the IT staff tries to remove the malware and bring all the systems back online," Griffith explained.

Griffith likes to mix real-life examples along with the different types of cyber-attacks in his cyber security education strategy. This allows users to see what those attacks are doing to gather information and how they can affect a business. "I also like to include why it is important that employees understand the consequences of their actions," he added. "For example, if it was reported in the news that customer data had been stolen, what would happen to the company's ability to attract new customers or to keep current customers? What would happen to employees' jobs and careers if leadership had to pay fines for the loss of customer data? It is important to let employees know that what they do daily matters, because they are ultimately the ones that can prevent most cyber-attacks."

Teaching the basics about what a cyber security threat is and how it does damage shouldn't be done in a passive manner. Security education should be hands-on and targeted, Epstein said. "Too many organizations apply a blanket policy or standard training--which bores the sophisticated users and fails to assist the less-technical users. The best education often involves an IT organization understanding which users are most prone to clicking on what lures, then creating focused education around those areas--for example, 'phishing' their own organization."

Overall, the best security practices come down to common sense, not sophisticated technology, according to Ashley Schwartau, Creative Director with The Security Awareness Company. Schwartau uses the following best practices in her security education:

1. Incident response: knowing how and whom to report potential security incidents to.
2. Passwords: knowing how to make strong ones, and change them regularly.
3. Malware: understanding the main types of threats and how they can be avoided.
4. Safe surfing: remembering that you are what stands between the outside world and the inside of the company, and that you represent your organization when online.
5. Phishing and Social Engineering: recognizing phishing attempts and social engineering attacks.
6. Mobile and the Cloud: treating mobile devices as you would any computer and understanding that just because files are stored in the cloud doesn't make them immune to security threats.
7. Preventative Care: backing up regularly, installing anti-virus software, and patching software and operating systems as soon as prompted.
8. Non-Technical and Physical Security: shredding sensitive documents when no longer needed, requiring identification badges for employees and guests, and keeping track of all devices.
9. Privacy: understanding how identity theft happens and how you can protect against it.
10. Policy: knowing and understanding security policy as well as the consequences of not following policy, and how to quickly find policy when in doubt.

In the end, the best security education is something that employees will regularly practice. The more simple and straightforward it is, the more likely they'll remember to be safer on their computers.


Wednesday, March 18, 2015

Why some emails are so easy for scammers to fake

By Gary Stoller
Published March 16, 2015

Emails purportedly sent by health insurance companies and large banks are more likely to be fraudulent than those claiming to be from social media companies, a new research study reveals.

An email that appears to come from a health insurance company is four times more likely to be fraudulent--or two times more likely from a large US bank--than an email ostensibly from a social media company like Facebook, according to Agari's 2015 study.

Agari, which provides solutions to detect and prevent cyberattacks, analyzed 6.5 billion emails daily last year in nine industries for the study.

The study should make consumers and organizations more aware of the security of their email and data and "how they can protect themselves from fraud," says Patrick Peterson, Agari's CEO.

The health care industry, which has been hit with massive cybersecurity attacks, has the worst average TrustScore of all industries surveyed, the study says. A TrustScore, based on a zero to 100 scale, indicates how well organizations protect their consumers from email cyberthreats.

The poor TrustScores of health care companies are in line with an FBI warning last year. According to Reuters, the agency warned health care providers that their cybersecurity systems are lax compared to other sectors, making them vulnerable to hackers targeting American citizens' medical records and health insurance data.

In February, Anthem, the nation's No. 2 health insurance carrier, was struck by a cyberattack that exposed the sensitive data of up to 80 million customers in all 50 states.

Last July, Community Health Systems, the nation's second-largest for-profit health system, confirmed that information about 4.5 million patients was stolen in a cyberattack believed to have originated in China.

Agari's study reports that six of 14 major health insurance companies surveyed had a TrustScore of zero. Aetna, though, is an exception. It had a 100 TrustScore in last year's third and fourth quarters--"remarkable for a company in any sector," the study says.

Banks Ranked Low

Email attackers targeted banks and other financial institutions more than any other type of company in 2014, but every category of bank surveyed had a low average TrustScore, the study says. The study looked at large and mega banks in the USA and mega banks in Europe.

"European megabanks, whose customers are some of malicious emailers' most common targets, fared especially poorly," the study says. They had a TrustScore of 33, the second-lowest of nine industries surveyed.

Large American banks had the third-lowest TrustScore, 36, and American megabanks scored 46. Two US banks--Chase and Capital One--had perfect 100 scores.

Most companies haven't implemented technology to prevent "cyber criminals from sending messages that appear to come from their domains--a failure that leaves customers vulnerable to phishing attacks," the study concludes.

The emails from cyber criminals trick people into sharing sensitive information, "leading to identity theft and other crimes," the study says. "Because victims of phishing attacks often blame the companies they thought sent the forged emails, the attacks also erode the trust companies spend years building with customers."

Wednesday, March 4, 2015

Why health hacks are worse than credit card hacks

By Erin Griffith
February 5, 2015

Companies in the health care industry have richer data and fewer defenses than those in other industries, making them especially susceptible to attacks.

In the largest-ever security breach of a health insurance company, Anthem revealed on Thursday that the personal data of 80 million customers may have been exposed to hackers.

It's likely that hackers will continue to target health care companies. For one thing, health data is a richer source of personal information than credit card data. Among the bounty: Social Security numbers, email addresses, birthdays, street addresses, policy numbers, diagnosis codes, billing information, and the names of family members--the sort of information used in security questions for online accounts.

Malicious hackers can use that information for what's sometimes called a "soft hack," or unauthorized entry without the use of sophisticated software. Identity thieves can gain access to a person's account by guessing the right answers to security questions and resetting a password. With the right combination of family and personal information, a thief can also use fake identities to score drugs from pharmacies. This is the major reason why stolen health credentials are worth 10 times more than credit cards on the black market, according to Reuters.

Secondly, health care companies haven't focused on security as much as other industries have, and have been known to rely on outdated software. "Healthcare organizations have invested less in IT, including security technologies and services than other industries," says Lynne Dunbrack, a vice president at market research firm IDC.

That's true for insurers in part because they aren't incentivized to make security a priority. Their end customers often have little choice as to which provider they use, since that choice is typically made by employers. Insurers are not likely to lose as much business over a data breach as, say, a retailer. For example, it is much easier for a shopper to choose Walmart over Target after the latter suffered a massive security breach last year.

In general, companies that administer their data in servers located on-premise are often less secure than companies that rely on major cloud computing vendors, according to Kevin Spain, a general partner at Emergence Capital. "The most vulnerable systems tend not to be cloud-based because security is what they do," he says. A hack like this may not ruin a health insurance company like Anthem, but it could destroy a cloud software company like Salesforce, Spain says: "That's why there is a different level of priority."

Tuesday, February 24, 2015

Sometimes hackers just want to embarrass you

February 2, 2015 7:00pm

Cyber attacks can have detrimental impacts on customer relations, revenue, intellectual property and the overall health and welfare of an organization. But one significant impact, which can cost a company considerable time and money to repair, is the area of public relations. 

This was the case recently when Amy Pascal, Sony's co-chairman and chief of its film division, came under intense criticism for her remarks about President Barack Obama and less than flattering statements about high-profile actors, including Angelina Jolie, Kevin Hart and Adam Sandler. 

The comments were leaked by hackers who infiltrated the company's emails and then leaked her exchange with movie producer Scott Rudin. Despite her quick apology, some in the industry initially speculated whether Pascal would be forced to resign. 

Other damages certainly occurred from the attack. The group claiming to have carried out the cybertheft also took terabytes of Sony's financial information, budgets, payroll data, internal emails and films. Yet the longest lasting impact of the incident may very well be the buzz now permeating through social media and other gossip media pages about the salacious views expressed by the company's top brass.

And that will be the aspect that the public will remember first for some time to come. Although there are many victims of cyber attacks, Sony's name may become synonymous with corporate losses and embarrassment from careless emails and poor data protection, much as Target's did.

The reality is that these embarrassing moments can have as big an impact on an organization's bottom line as the attacks aimed at uncovering trade secrets or bank accounts. The time and money spent to respond to awkward statements can be extremely costly, and the upheaval that can result from shifts in a management team can slow down or even derail mission-critical initiatives.

Any good incident response policy should include a public-relations plan that specifically addresses the potential fallout from stolen emails, letters or other information that could have a negative result if publicly released. Corporate managers need to have an understanding and anticipation of the information in their computing networks that could result in a public-relations debacle. 

Let this serve as a visible warning to corporate managers: You may certainly have regrettable slips of the tongue or articulated comments out of frustration--ones that, at your core, you abhor and wish you could take back. And when written in text, the fallout can become magnified when shared in a public forum--the digital realm. 

Every email, text, social media post or communique leaves a trail that can be accessed and exploited by someone with the right training and sophistication. Treat correspondence through such venues as ultimately open to anyone. 

So be mindful of what you share on digital platforms. Count to 10, take a deep breath and ask yourself if you want what you have typed, texted or posted to appear in a broad forum. If the answer is no, then don't share it electronically. 

I recommend that if you need a place to vent the stresses of the day, work out regularly. Trust me: the time will be spent far more beneficially. 

Tuesday, January 13, 2015

Obama proposal: Hacked companies have 30 days to fess up

By Jose Pagliery 
January 12 2015

In a State of the Union preview, President Obama on Monday demanded quicker confessions from companies that lose your data as well as better privacy for students.

One proposed law would give a company 30 days to let you know if your personal information--such as your address or Social Security number--has been exposed by hackers or careless employees.

The Personal Data Notification & Protection Act is an attempt at a nationwide, uniform rule. Right now, there are 47 different state laws that govern data breaches. Depending on the situation, people in some states get notified, while others are left in the dark. It's a mess.

Data breaches are increasingly common. Last year, hackers broke in to Home Depot, Albertson's and so many others that CNN developed its own tool: What hackers know about you

The president's other proposed law, the Student Digital Privacy Act, is meant to stop the sale of sensitive student data for non-education purposes. Now that students routinely use laptops, tablets, and computer programs at school, lots of that data is being collected--and sometimes sold to advertisers and financial companies.

The fear? That information might be used by money lenders to prey on students--or by colleges or future employers to judge students unfairly. 

"Parents have a legitimate concern about these kinds of practices," Obama said at a midday speech Monday before the Federal Trade Commission. "Our children are growing up in cyberspace."

The president also endorsed the "student privacy pledge", already signed by 75 firms including Apple and Microsoft. It's a promise by companies to only use student data collected at school for education purposes, not observe behavior to target advertisements and not keep data for long. 

Obama said any companies that provide school services and don't sign the pledge will be singled out and censured. 

The president also called for a "consumer privacy bill of rights" that gives consumers the ability to decide what personal data is collected and how it's used. He tried this in 2012, but the idea failed to take off. 

"This should not be a partisan issue. It's one of those new challenges our modern society and crosses our old divides," he said. "We pioneered the Internet, but we also pioneered the Bill of Rights and the sense that each of us as individuals have a sphere of privacy around us that should not be breached."

The administration cited a recent poll that showed 91% of Americans feel they've lost control of their personal information. Last year was so riddled with cyber break-ins that, early on, half of American adults had their personal information exposed.

"The more we protect consumer data, the harder it is for hackers to damage our businesses and hurt our economy," Obama said.

Other privacy and security bills

The national consciousness for cybersecurity peaked with the Sony hack over the holidays.

As a result, expect to hear a lot more about privacy and cybersecurity from politicians in 2015. Some in Congress are trying to revive a controversial cybersecurity bill that increases information sharing between companies and government to stop hackers.

The nameless bill, H.R. 234, was introduced to the House of Representatives on Friday by C. A. Dutch Ruppersberger, a Democrat from Maryland.

It's essentially another go at the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House in 2012, but got knocked down in the Senate.

The idea is to provide basic rules to develop closer bonds between law enforcement and all types of companies: banks, energy providers, retailers, etc.

When hackers attack an industry, companies already share some information. But they often hold back data, afraid to give competitors an edge or admit they were hacked. Also, the tips they get from the FBI and Department of Homeland Security are late and vague, because few companies have permission to know "classified" government secrets.

This proposed law would protect firms from lawsuits related to this kind of data sharing and make them government insiders. But these ideas scare privacy advocates, because they could be used as a blanket excuse for snooping on your personal life. That's why President Obama threatened to veto it the first time around.

Tuesday, December 30, 2014

What caused Sony hack: What we now know

By Jose Pagliery
December 29, 2014

What we now know about the Sony Pictures hack shows this cybermystery isn't over yet.

The FBI presented evidence that North Korea was behind the hack. Upon closer examination, security experts, hackers, and people familiar with Sony's computer networks are converging on this disheartening reality: Anyone could have pulled this off.

It could have been a disgruntled Sony employee, profit-seeking hackers, North Korea--or a combination of the three.

Here are the facts about the hack that we do know:

  • Hackers used computer servers in Bolivia, Cyprus, Italy, Poland, Singapore, Thailand and the United States to attack Sony.
  • The IP addresses associated with those servers have "previously [been] linked to North Korea" by the FBI.
  • The malware used against Sony had what the FBI calls "lines of code" and "data deletion" methods similar to malware "North Korean actors previously developed."
  • The computer-wiping software used against Sony was also used in a 2013 attack against South Korean banks and news outlets, which the FBI attributed to North Korea.
  • The malware was built on computers set to Korean language--unusual in the hacking world.
  • Hackers demanded Sony Pictures pull "The Interview" to avoid starting a war over a movie.

These facts are why the Obama administration has accused North Korea of hacking Sony Pictures and has vowed to retaliate.

But security experts aren't 100% ready to point their fingers at North Korea--not yet, anyway.

Technical evidence shows anyone can tap servers for hacking and spamming. Hackers routinely borrow and share computer code. Computer wiping software can be bought legally by anyone. A computer's language settings can be changed on a whim. And this hack actually started as an extortion attempt on Nov. 21 when Sony executives got emails saying "The compensation for it, monetary compensation we want."

Robert Graham, a researcher with Errata Security, stresses that anyone can hire hackers on the black market. These cybersoldiers of fortune might work on behalf of a country or an ex-Sony employee--and not even know it. 

He's also wary of how quickly the US government blamed North Korea. Hacking investigations typically take months, including the FBI's takedown of online drug bazaar Silk Road and hunting down members of LulzSec. 

"Even if it's true that it was North Korea, I don't think the FBI would do it in three weeks," Graham said. "Maybe six months."

This year's major hacks are a perfect example. Law enforcement still hasn't publicly identified--or arrested--those who broke in to Target, Home Depot, and JPMorgan and stole millions of credit cards and lots of personal data. 

Robert M. Lee, co-founder of consulting and software firm Dragos Security, puts it this way: There might be evidence against North Korea, but what the FBI presented doesn't cut it. 

Lee, until recently a U.S. Air Force intelligence officer specializing in cyber warfare, also worries about how quickly North Korea was blamed. Lee said intelligence agencies and law enforcement don't typically work together at this kind of breakneck speed--and when they do, they often rely on outdated or inaccurate information, because there are so many conflicting intelligence reports. 

For its part, North Korea's government says it was framed. Take that for what you will.

Adding to the fog: Lots of Sony employees with critical access to the computer network were laid off by the company earlier this year, according to ex-employees. And early on, the hackers talked about seeking "equality" at Sony.

A simple explanation points to North Korea. But those who understand hacking worry it's just too simple.


Tuesday, December 9, 2014

Scam of the Week: "Shipping Problem"

Posted by Stu Sjouwerman

We have Black Friday and Cyber Monday behind us. After losing ground to online competitors, brick-and-mortar retailers have struck back with incredible online deals. Wal-Mart said Thanksgiving was its second biggest day ever for online sales and Target's online buying was up 40% over last year.

This is the time of year that people buy new smartphones, TVs, and new game consoles because they are able to get killer deals and they are dying to get their hands on these new goodies.

What you may not know is that similar to a magazine's editorial calendar, hackers have a "scam calendar" which focuses on events exactly like this. They have them planned and ready to roll starting TODAY for the rest of the month.

These malware campaigns do not discriminate between the home and the office, and use social engineering to trick users. A billion of these criminal emails are sent each day. So, I strongly recommend you send this to your users today. Feel free to edit in any way you like:

"Scammers are preying on people that have just made a lot of online purchases on Black Friday and Cyber Monday. There are several scam campaigns being sent right now.

1) Be on the lookout for "Shipping Problem" emails from FedEx, UPS, or the US Mail, where the email claims they tried to deliver a package from (for instance Apple Computer) but could not deliver due to an incomplete address. "Please click on the link to correct your address and you will get your package." If you do, your computer is likely to get infected with malware. Warn everyone in the family, especially teenagers.

2) Watch out for alerts via a TEXT to your smartphone that "confirm delivery" from FedEx, UPS, or the US Mail, and then ask you for some personal information. Do not enter anything. Think before you click!

3) And to reiterate a warning we sent out a few weeks ago, there is a fake refund scam going on that could come from a big retailer. It claims there was a "wrong transaction" and wants you to "click for a refund" but instead, your device may be infected with ransomware.