Fish tempted by fishing hookAs technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?
Continue Reading If you teach a man to phish …

Last Piece of PuzzleWhew – we’ve survived yet another round of states enacting or amending their PII breach notification laws.  If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:
Continue Reading With PII breach notification statutes, the rules keep changing

Ignorant DoctorIf you had a choice between doctors to perform surgery on you, which would you pick:  a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?

The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.”  It’s a check-the-box response to regulatory compliance or client demands.   Sign everyone up for an on-line phishing exercise and you’re done.  Yet the consequences of ineffective training can be dire.  You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.

This is not to say that awareness is unimportant.  But raising awareness is just the first step in effective cybersecurity defense.  Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them.  In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets.
Continue Reading How to gain assurance against human security vulnerabilities

Hacker at work with Russian flag on backgroundThe indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race.  With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently our President), the 29-page indictment is a textbook on sources and methods.  No, not intelligence-gathering sources and methods, which are of course highly classified.  Instead, the indictment catalogs the sources of data that were stolen, and the methods used by the GRU intelligence units to methodically hack into the targeted systems, exfiltrate the data, evade detection, and weaponize the data through publications timed to inflict maximum impact.

The lessons to be learned from the indictment’s allegations, summarized below, are useful to any organization serious about data security and prevention, detection, and response to hacking, whether state-sponsored or otherwise.Continue Reading The latest Mueller indictment – what we all can learn about sources and methods

Security dial turned to highest settingHow time flies.  Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc.   Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com.  Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.

Lots has changed since then.  New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike.  We’ve all seen the scary statistics on increasing information volumes and the security risks that follow.  Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace.  Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.

During my years at CFI and since, I’ve found myself pondering “what if?” questions.  What if we only had to protect 20% of our information?  What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements?  What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible?  The promise of information governance is that we can answer these questions affirmatively.  This is good news, and more importantly, news you can use.
Continue Reading Information governance – the foundation for information security

Angry BossIt’s 4:20 p.m. on Friday.  You’re looking forward to meeting your friends soon for happy hour at the local bar.  Your boss is on vacation, and you’re caught up for the week.  All is well.  As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT.  The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account.  They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution.  They helpfully provide the correct bank routing information and demand the payment be made today.  Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change.   The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.

Of course, you—the reader—already know the ending of this story.  The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job.  Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses.
Continue Reading It’s time to annoy your boss

The aftermath of the Equifax breach continues.  First, the Ugly:

Music Major?  Really?

The hoi polloi apparently find it offensive that Equifax’s Chief Security Officer, fired in the breach’s wake, had a music degree. The implication is that someone formally trained long ago in music is clearly incompetent to have a career in IT or Infosec, much less to be a CSO. That must be a surprise to Jennifer Widom (data management researcher, computer science professor, and Dean of Stanford University’s School of Engineering), who somehow, despite her undergraduate music degree, managed to help lay the foundations for active database systems architecture, crucial for such uses as security monitoring.  Or to countless others who came to Infosec after formal education in other disciplines – check out #unqualifiedfortech on Twitter.

Yesterday’s thoughtful Washington Post piece was well-titled: Equifax’s security chief had some big problems. Being a music major wasn’t one of them. And if your ironic sensibility remains unsated, see the 10/20/2016 article Musicians May Be the Key to the Cybersecurity Talent Shortage.

Next, the Bad:
Continue Reading Equifax breach – the good, the bad, and the ugly

Worried couple checking credit account onlineThe grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers.  I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank!  And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs:
Continue Reading Equifax breach – hot mess, or simply the world we live in?

Young woman who's forgot her passwordAt last!!!  A good reason not to create dozens of hard-to-remember passwords!  The updated National Institute for Standards and Technology guidance on creating passwords has been out for a while now, but the word has been slow in trickling down to end users.  It’s time to pay attention, because the recommendations represent a huge departure from standard practice.  First, the good news:

The good

NIST is part of the US Department of Commerce and an authoritative standards-making body.  It is the entity that wrote the primer on how to create all those complex and hard-to-remember passwords in the first place. You know, passwords like *Pa$$w)rd3!  NIST now acknowledges through this publication that the old rules affected usability negatively. It also turns out that passwords composed of a few common words strung together are far stronger than upper-lower-numbers-characters passwords, so the old way was less secure than we thought.

It’s big news then that NIST has seen the error of its ways and now recommends creating passwords we can remember.  Even more important, it also now recommends that a password not be changed unless there is an indicator it has been compromised or forgotten by the user.  Of course, being the government, calling a password a password is just too hard.  The term in NIST SP800-63B 2017 is “Memorized Secret Authenticator.”  Whatever you choose to call it, user guidance is simple:
Continue Reading dyktthctgohtcp?