Monday, December 23, 2013

Risk, Recrimination, and Reporting: Detecting and Handling Breaches

I read Ericka Chickowski’s article on empowering employees to detect outside attacks earlier this month and I made some notes that have finally found their way into a blog…three weeks later.

Well, better late than never—especially when it comes to the importance of teaching effective employee behaviors. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.

Thursday, December 19, 2013

Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE

There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? Some of the affected employees may not even know yet.

The Real Cost of Data Breach Cleanup

In our experience, the market does not have a deep enough respect for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations worry mostly about the intrinsic dangers of losing the data itself, but show little motivation to invest in avoiding the notification and remediation process that follows a breach.

Wednesday, December 11, 2013

Picture Yourself Secure: Passwords, Phrases, and the Future

In 1492, Columbus sailed the ocean blue…

Every Good Boy Does Fine….

Thirty days hath September….

Ah yes…mnemonic devices. Those performance-enhancing tools used successfully by middle schoolers and beginner-level music students all over the country for…well, forever, it seems.

Enter any 7th grade classroom on test day and you’ll see small, strained faces searching their memory banks for that rhyme or song that will bring to mind the order of taxonomy (“King Phillip Opens Five Green Snakes”) or the five Great Lakes (HOMES).

Depending on your college degree, you might have carried this technique into college. But most of us probably gave up these memory aids along with No-Doze and an actual Spring Break after tossing our grad cap in the air.

But why? The human brain loves association and repetition at any age and for any reason—and that’s why researchers at Carnegie Mellon think we should keep it up when it comes to security.
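The strength argument behind passphrases is simple arithmetic: a secret built from many easily remembered pieces has more possibilities than a short string of hard-to-remember symbols, provided the pieces are chosen at random. The following is an added example, not code from the original post or from the Carnegie Mellon work it mentions. It generates a random word passphrase with the operating system's CSPRNG and compares its entropy with that of a random 8-character printable-ASCII password; the 7776-word list size is the standard Diceware figure, the short word list embedded here is constructed, and the guess rate of 10 billion per second is an assumed figure for illustration.

```python
import math
import secrets

# Constructed sample word list (a real Diceware list has 7776 words);
# passphrase() picks each word uniformly at random from whatever list it is given.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "violet", "walnut", "yonder", "zephyr", "cobalt", "maple", "signal",
    "tundra", "velvet", "wicket", "marble",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each drawn uniformly
    at random from `alphabet_size` choices: log2(alphabet_size ** length).
    Only holds for random selection, not for a phrase the user made up."""
    return length * math.log2(alphabet_size)


def passphrase(words: list, count: int) -> str:
    """Pick `count` words uniformly at random using the OS CSPRNG.
    Words may repeat; independent picks are what make the math above hold."""
    return " ".join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate (assumed figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(words_in_list: int = 7776, phrase_len: int = 6,
            charset: int = 95, password_len: int = 8,
            guesses_per_second: float = 1e10) -> dict:
    """Compare a random word passphrase with a random printable-ASCII password."""
    phrase_bits = entropy_bits(words_in_list, phrase_len)
    password_bits = entropy_bits(charset, password_len)
    return {
        "passphrase_bits": round(phrase_bits, 1),
        "password_bits": round(password_bits, 1),
        "passphrase_years": years_to_exhaust(phrase_bits, guesses_per_second),
        "password_years": years_to_exhaust(password_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("example passphrase:", passphrase(SAMPLE_WORDS, 6))
    for key, value in compare().items():
        print(f"{key}: {value:,.1f}")
```

Six random words from a 7776-word list give about 77.5 bits; eight random printable characters give about 52.6 bits, roughly 30 million times fewer possibilities. The caveat matters in practice: a phrase the user invents from a favourite rhyme is far from uniformly random, so the entropy figure only applies when the words are drawn by a generator like the one above.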

Monday, December 9, 2013

Phishing Infographic: Don't Get Hooked!

By now, most folks are aware of phishing emails—or at the very least, that social engineers use email to steal average people's sensitive information. Yet, we are continually surprised that the how and why of phishing still eludes many average folks. What do phishing emails look like? How would someone get information from me through an email? What could a social engineer do with that information?

Some folks just respond better to pictures and diagrams. So...voila! Our first foray into the world of infographics, and what is hopefully the first of many.

Employee Training: Out of the Box

As a training company, this is just one more way for Sight Training to encourage folks to do their homework—and by homework, we mean doing a little extra checking before you hand over sensitive information through a phishing email. Your credit card number, SSN, and bank information are yours and no one else's. Guard them at all costs.

And remember: emails are just digital versions of the in-the-flesh thieves who are behind them. They can dress up and look impressive. They can be cool, casual, and persuasive. And they can pull off an official posture with approved logos and embedded links that mimic real websites. Here are a few more tips:
  1. Remember: stranger danger! Don't know who sent it? Don't open it.
  2. Be wary of attachments. 
  3. Ignore commands and requests for action—no matter how urgent they may seem.
  4. Use the phone. Try contacting the sender by telephone. If the email is from your “bank,” then you should be able to get the truth pretty quickly. And if you cannot get in touch with the sender, then delete the email and forget about it.
Slow down, take a deep breath, and think about what you are doing before you offer it up to a social engineer on a silver platter.

Tuesday, December 3, 2013

Oh, The Humanity: The Danger of Anonymity

And now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.

Security Breach: Signed, Sealed, Delivered

Here's the story. When we begin a project with any company, one of the things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”

In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.

Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring a new, impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort-of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.


Tuesday, November 12, 2013

When Identity Theft Hits Home

My office was quieter than usual when my cell phone buzzed. It was my mother. While it was no surprise for her to call, a mid-morning Thursday call was unusual.

"Hey, Mom. How's it going?"

"Well…" she said, voice cracking. "Not too good."

Tuesday, November 5, 2013

Oh, The Humanity! Another Pretexting Success Story.

And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...

A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.

Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.

Thursday, October 31, 2013

Frontline Employees: Stop Being Polite and Start Getting Suspicious

Back in the late 90’s, I began a career path in college administration. I started slowly, worked my way around a few schools, and tried out lots of positions: lowly student intern, undergrad admissions officer, international student admissions coordinator, marketing and creative officer. At one school, I even took over admissions for a while.

And I loved it, most of the time. There is something exciting about growing a department from the inside; creating policies and procedures that improve life for everyone, helping young people realize their dreams. I worked at some outstanding institutions.

But every institution I attended, visited, or worked for struggled with a common issue: low-level security awareness among frontline employees.

Tuesday, October 29, 2013

Employees and Social Media: If You Can’t Beat ‘Em, Then Train ‘Em.

With the exception of a few stodgy holdouts, pretty much everyone has a social media account or two—or maybe five. I mean, why share everything on Facebook? Why not open up the fascinating details of your suburban, middle-class life to a wider audience? There are life-changing food photos to post to Instagram, quippy thoughts to share on Twitter, and that hilarious meme you whipped up last week that’s begging to get posted on Reddit. More exposure! More, more, more!

An awful lot of us have this attitude now—and if your supervisors are aware of your tendency to tweet first and apologize later, then they may be freaking out. In fact, according to a Javelin Research report from earlier this year, 69% of companies are concerned about employees’ social media use. While a half hour here or there may not seem like much, even on the company clock, it can add up to a lot of lost revenue, thousands of security threats, and plenty of potential bad press if you can’t keep it in check.

Fortunately, according to CSIdentity, businesses have two good options to keep their employees’ social media usage from causing harm to the business: create clear policies and keep employees educated.

Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

Tuesday, October 22, 2013

Working Together: Technology and Education Necessary to Prevent Phishing

I've been in the education business for a long time. I was a public school teacher first, and spent a good deal of effort educating middle school and high school students. Then, years ago, I made a career shift into the information security business and made a career out of teaching employees how to avoid opening their businesses up to the threat of social engineering, phishing, and pretexting.

In both cases, education is necessary for success, and I'm always interested in the ongoing argument in the information security world: Tech or Teaching? Recently, Robert Lemos asked the same question on Dark Reading. Here are some takeaway points from that article.

Tuesday, October 15, 2013

Information Security in 2013: Are Passwords Really Dead?

According to Heather Adkins, Google’s information security manager, “the game is over” if your company is still relying on passwords as a primary form of information security protection.

Adkins laid it all out when speaking at a recent tech panel. Apparently, Google’s done with passwords and we should be too. She went on to describe a new means of authentication that could require physical tokens embedded in clothing. And who’s behind this world changing, space-age technology? You guessed it—Google.

Thursday, October 10, 2013

Sex, Money, and Friendship: Phishing Bait that Works

In a recent study by TNS Global, 30% of the 1000 polled said they would open a general phishing email even if they thought it had a virus. And if the phishing emails are crafted to be especially enticing, then the percentage is even higher.

Wait...what?

Evidently, a simple email click is still awfully hard to protect against. Even though we all know what to do (and what not to do) a compelling email can throw good sense out the window and even the most educated people can fall for it. According to the study, this is especially true if the email tempts women with social networking invites (interesting) or tempts men with money, power and sex (yeah, no kidding).

Tuesday, October 8, 2013

Spearphishing: Scamming the Tired, the Stressed, and the Downright Distracted

Another day, another phishing story—but this one made me really mad.

Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, cited a very narrow spearphishing attack in a recent interview about the dangers of phishing in internal networks: a single employee working the night shift, monitoring his company’s SCADA systems.

According to CIO.com, “the attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids. The employee clicked a malicious link in the message and infected his company's network with malware.”

Thursday, October 3, 2013

Why Medical Identity Theft Might Be The Next Big Thing

By now you’ve heard of identity theft – we get it…we shouldn’t share our bank account number with the Minister of Finance from Nigeria. But how many of you have heard of medical identity theft? According to surveys, very few…but the number of medical identity theft incidents is rising at an alarming rate.

Tuesday, October 1, 2013

So What Does the Dropbox Hack Mean for You?

So, a couple of months ago, two developers decided to hack Dropbox. Just because. You know what this world needs less of? VOLUNTEER hackers.

Tuesday, September 24, 2013

Mobile Device Security: More than Software

When it comes to mobile security, everyone is still a little bit in the dark. After all, everyone and their grandma has a smartphone or tablet right now, but the general public’s information about the true threats to their devices is probably limited to computer viruses or bugs—little things that are automatically corrected with anti-virus software.

Wednesday, September 18, 2013

Confidential Data and Mobile Devices

According to a recent article at CIO.com, “more than half of employees admit to storing, sharing and working on corporate documents on their personal devices—and this number is growing.”

This is concerning for a number of reasons, not the least of which is the fact that confidential work information is being stored on devices where far fewer security measures are available and that receive much less security attention.

Tuesday, September 17, 2013

Choose Your Vendors Wisely

Just a couple weeks ago, the New York Times and Twitter domains were hacked—and not through a DoS (Denial-of-Service) attack or network port sniffing.

The Syrian Electronic Army (SEA) is taking credit for the attack, and they carried it out through targeted phishing emails. They obtained usernames and passwords from employees of Melbourne IT, which is the registrar for NYTimes.com and Twitter.com, and used those credentials to access the registrar system and make fraudulent changes to the DNS records for NYT and Twitter, pointing the sites at another server. And then, just to rub salt in the wound, they taunted everyone with their Syrian logo and a pretty sarcastic message – “Hacked by SEA, Your servers security is very weak.”

Now, in this case, it looks like nothing was stolen. Whatever their motive, the culprits seem more interested in belittling the company than in damaging the company or stealing identities (so far). But the lesson here is the same: be very aware of who you trust with your private information. Even if you secure your local data well, you may store information on servers or cloud services that are managed by untrustworthy people. 

You cannot trust your secure information to companies that do not take security very seriously. If hackers can infiltrate your hosting company or your online cloud storage company or your domain registrar or even your photo storage service, then you are just as exposed as if you personally used poor security methods.
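A registrar compromise like the one above shows up from the outside as a change in the domain's name servers or address records, and it is made much harder when the registrar has the standard EPP status locks set on the domain. The check below is an added example written for this post, not code from Sight Training or from any of the companies involved: it compares a saved baseline of a domain's NS and A records against what a resolver currently returns, and lists which of the three client lock status codes are missing. The domain, addresses and the "observed" answers are all constructed stand-ins for real resolver and WHOIS output.

```python
from dataclasses import dataclass, field

# Constructed baseline: what the records looked like the last time you verified them.
BASELINE = {
    "example.com": {
        "NS": {"ns1.registrar-dns.example.net", "ns2.registrar-dns.example.net"},
        "A": {"203.0.113.10"},
    },
}

# EPP status codes a registrar sets so the domain cannot be transferred, changed
# or deleted without an explicit unlock step first.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}


@dataclass
class Finding:
    domain: str
    record: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


def diff_records(baseline: dict, observed: dict) -> list:
    """Compare observed answers (as a resolver would return them) with the
    baseline. Returns one Finding per record type that differs; an empty
    list means every monitored record still matches."""
    findings = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, want in expected.items():
            got = set(seen.get(rtype, ()))
            if got != want:
                findings.append(Finding(domain, rtype, added=got - want, removed=want - got))
    return findings


def missing_locks(statuses: list) -> list:
    """Lock status codes the domain should carry but does not."""
    return sorted(REQUIRED_LOCKS - set(statuses))


# Constructed "observed" data standing in for a live DNS query and WHOIS lookup:
# the name servers still match, but the A record now points somewhere new and
# two of the three locks are absent.
OBSERVED_HIJACKED = {
    "example.com": {
        "NS": ["ns1.registrar-dns.example.net", "ns2.registrar-dns.example.net"],
        "A": ["198.51.100.77"],
    },
}
OBSERVED_STATUS = ["clientTransferProhibited"]

if __name__ == "__main__":
    for f in diff_records(BASELINE, OBSERVED_HIJACKED):
        print(f"{f.domain} {f.record}: added={sorted(f.added)} removed={sorted(f.removed)}")
    print("missing locks:", missing_locks(OBSERVED_STATUS))
```

Run on a schedule against a real resolver, the diff gives you minutes rather than hours of warning when your records change under you. It is detection, not prevention: the lock check is the part that raises the bar for the attacker, and a registrar that cannot set those locks, or that lets a phished password alone change them, is exactly the vendor this post warns about.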


Wednesday, September 11, 2013

IRS Exposes Social Security Numbers

Well, this one’s a real comedy of errors. An audit on July 1 by independent transparency and public-domain group Public.Resource.org indicates that the IRS may have accidentally exposed some social security numbers.

Actually, it might have been as many as 2319 Social Security numbers...attached to highly sensitive non-profit political groups…which sat exposed on the Internet for 24 hours.

Here’s just one more example of how easy it is to let really sensitive information slip through the cracks. The IRS is a professional custodian of people’s most private financial information, and breaches happen even to them.
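The practical lesson from an exposure like this is to scan documents for SSN-shaped strings before they go out the door. What follows is an added example, not code from the post or from Public.Resource.org: it finds nine-digit strings in the 3-2-4 layout, discards ones the Social Security Administration never issues (area 000, 666 or 900 and up, group 00, serial 0000), and reports each hit masked so the report itself does not leak the number. The sample text is constructed test data.

```python
import re

# Three digits, two digits, four digits, separated by a dash or a space, and not
# part of a longer digit run (so account numbers are not sliced into pieces).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structure rules: area is not 000, 666 or 900-999; group is not 00;
    serial is not 0000. Anything failing these has never been issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask(area: str, group: str, serial: str) -> str:
    """Report form that shows only the last four digits."""
    return f"***-**-{serial}"


def find_ssns(text: str) -> list:
    """Return (line_number, masked_value, column) for every plausible SSN.
    Line numbers start at 1, columns at 0."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((lineno, mask(*m.groups()), m.start()))
    return hits


# Constructed sample standing in for a filing about to be published.
SAMPLE = """Form 990 excerpt (constructed test data)
Officer: J. Doe, SSN 123-45-6789, phone 555-0100
Invalid test numbers: 000-12-3456 and 666-12-3456 and 123-00-4567
Account 9876543210 and EIN 12-3456789 are not SSNs
Spaced form 234 56 7890 is still matched
"""

if __name__ == "__main__":
    for lineno, masked, col in find_ssns(SAMPLE):
        print(f"line {lineno} col {col}: {masked}")
```

A regex cannot tell an SSN from any other nine-digit number with the same shape, and it will miss numbers written without separators unless you accept many more false positives, so treat this as a gate that flags documents for a human look, not as proof that a release is clean.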


California Releases First Data Breach Report

The State of California released its first data breach report last week, covering breaches reported in 2012. Some of the report’s key findings include:
  • 131 data breaches were reported, each affecting more than 500 Californians.
  • The breaches exposed 2.5 million Californians’ personal data.
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • The use of encryption could have protected 1.4 million Californians’ data.
Yet, one of the most striking quotes was that “more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.”

That says to me that breaches are all about people—whether they are social engineers or hackers intent on fraud, or regular hard-working employees who aren’t adequately protecting the information they access.

In either case, it’s obvious that California can’t really blame the computers. These breaches are a people problem, and can also be solved with people—people who are adequately trained to ward off hackers and social engineers and take steps to safeguard data or devices that contain sensitive information.

California Attorney General Kamala D. Harris opened the report by reminding readers of California’s strong consumer privacy laws and required data breach notification. If our “strongest” state still has data leaks to plug, then I wonder how the other 49 are faring.

http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf

Thursday, September 5, 2013

It's The Human Side of Security

Information security is everywhere these days. Just turn on the TV and flip channels for a minute or two. Or click around on some news websites. From government spying to rampant identity theft, this subject has got everyone up in arms—even when they don’t have the whole story.

It’s about time for someone to demystify information security and shine a light through that fog of threats and fears. And it's time for everyone to get a firmer grasp on personal, Internet, and information security threats.

Welcome to the Sight Training blog! We are determined to make the truth about information security accessible to everyone.

Who Are We?


Be aware: we are not computer nerds, and this is not an IT blog for programmers. We are a team of professional security consultants, ethical hackers, and project managers with a background in security awareness and social engineering. The primary risk to businesses is no longer technical hacking, but slick, clever conmen and identity thieves who use regular people to get sensitive information. This is today’s threat, and you need to know how to defend against it.

Our consulting and white-hat social engineering experiences have given us unique insight into information privacy, security, and protection that we want to share with companies, managers, and employees in every sector. Each week, we’ll use this forum to cover the security information that really matters to you, day to day.

We hope to:
  • Provide practical ways to protect yourself, your organization, or the folks you employ.
  • Use the security breaches that make the news as valuable lessons.
  • Inform you about the latest security threats and tactics, and how they really impact businesses and individuals.
  • Give you a place to share, ask questions, and provide insights from your own corporate experience.
We want to bring things down to earth and give people something they can use. Real risks. Real-world scenarios. Real language.

It's the human side of security.

SightTraining.com