This is our 3rd Annual Holiday Like Us Campaign.
The details are simple: for every new Like on Facebook and follower on Twitter or LinkedIn, we will give $1 to Toys for Tots, and you will receive exclusive content, informational videos, and insight on events and promotions.
On December 20th we will announce on Twitter, Facebook, and LinkedIn one lucky follower who will receive a $50 Amazon gift card just in time for the holidays!
I recently saw an issue of The Economist with a pixelated nuclear explosion engulfing a city on the cover. The caption simply said “Cyberwar: The threat from the internet.” That’s a little dramatic in my opinion, but it’s nothing new. Those of us working in cyber security are often guilty of using gloom and doom to get executives to understand the importance of information security.
The reason security is such a tough sell is simple: there is no return on investment. Businesses don’t make more money by investing in information security; it only costs them money. This is not an attractive prospect for anyone, and our brains just aren’t wired to get excited about loss prevention. Of course, not investing in information security can cost a business much, much more. So, naturally, the security engineer’s sales pitch gravitates toward striking fear into the potential client.
Before arriving at a meeting with a company executive, an information security salesman may come packed with an arsenal of horror stories about security breaches: client credit cards stolen and auctioned off to the highest bidder, company secrets exposed on the web, up-and-coming businesses struck down in their prime because of one security slip-up. These are common tactics. The negatives are emphasized so much that those who work in information security have earned reputations as fear-mongers.
But is pushing the negative extremes on potential clients the best way to sell information security? I don’t think so. While it is true that people respond to fear, they also respond to clear, level-headed and reasonable arguments about their security posture.
Compliance – While it should never be the goal, compliance is a good starting point for information security. Regulations straight from Uncle Sam require a certain level of security to be met whether or not the company thinks it’s a worthwhile investment. Here, the fear isn’t of a security breach but of an audit.
Business Impact – It’s important that a security engineer be clear when describing threats, risks, and their mitigations. Specificity is also key. Companies need to see how a security breach could affect their business, not so much how it affected another company. They need to understand the likelihood, the impact, and the cost to address the issue.
Project Bundles – Since there is no ROI on information security alone, you can give it one by packaging it with other projects. For example, executives can ask for security to be included when modifying an existing product or service or developing a new one.
Are executives prioritizing information security and risk management? An interesting survey asked this question of 1,084 security pros, and the answer might surprise you: see the 2011 Strategic Security Survey.
In 2007, world-renowned security professional Bruce Schneier said in an interview that the convergence of security, built in rather than bolted on, could make our industry a fad. Has the adoption of the cloud and consumerization started to make this a reality in 2012? We think so, and while we don’t recommend you hang up your security hat to become a Starbucks barista just yet, infosec pros must adapt or risk extinction.
“The primary reason the IT security industry exists is because IT products and services aren’t naturally secure,” wrote Schneier in his blog. “If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.”
While Schneier may have been ahead of his time in 2007, the security industry has definitely changed in the past five years. In 2011, we saw executives starting to get involved, and security has become a topic on the tongues of consumers and enterprises alike thanks to hacker groups making headlines on the evening news. In the future Schneier envisions, product manufacturers “fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later.”
Just look at the acquisitions: Intel bought McAfee, HP bought ArcSight, VMware bought PacketMotion. In 2011, vendors began to bake security into consumer and general IT products, and the requirement for security in the cloud will accelerate this process. Here’s what you need to do to avoid extinction:
The built-in vs. bolt-on debate will continue to rage. But the fact is, more vendors will be promising built-in security, and while this will make the business decision to use certain products and services easier for management, it doesn’t mean you can let your guard down. Never assume that these products are more secure or won’t introduce risk into the organization. Rather, the risk simply moves from technical vulnerabilities to process and management, which, unfortunately, are some of the weakest areas in risk programs.
We all do it—open our email accounts and quickly fly through and delete the spam before settling in to sift through messages that have some value to us. But before you start clicking links or downloading files, are you certain that none of those seemingly valued emails is actually from a cybercriminal posing as someone else in a bid to install malicious software on your computer and steal your data and personal information?
There are some red flags that can help determine if an email is legitimate. Pass these tips on to others, so they can defend their information against cybercriminals, too.
Spelling and bad grammar: Legitimate companies generally have content reviewed before it goes out, so an official-looking message riddled with spelling or grammatical errors is a warning sign. Cybercriminals, on the other hand, tend not to worry about such niceties. Beware when you see misspellings or other grammatical inaccuracies.
Links in emails: Look before you click. Whenever an email contains a link you want to follow, hover your cursor over it first and compare the destination your mail client shows (usually in the status bar) with the address written in the message. If they don’t match, refrain from clicking the link.
Threats: One sign that may indicate a phishing scheme is receiving a threat, such as, “Your account will be closed if you don’t respond by clicking the link below.” Another red flag is alerts that your security has been compromised.
Spoofing companies and websites: These are e-wolves in sheep’s clothing. Often, cybercriminals will place logos and other imagery belonging to the companies they’re impersonating into the message body, then link those images to their malicious scam sites. If you do click on an image and are brought to the supposed site, look closely at the URL. Some scammers will use an address that closely resembles the URL of the company they’re looking to imitate; an example would be http://www.applle.com. You can also use the hovering maneuver with images.
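The two checks above, hover-and-compare and the lookalike URL, can be automated. The following is an added example written for this page, not code from the original post or from any mail product: it parses the anchors out of an HTML message, compares the address the reader sees with the host the link actually goes to, and flags hosts that are a typo away from a brand domain (the applle.com case above) or that use a brand name as the leading label of some unrelated domain. The brand list, the two-edit distance threshold and the sample message are constructed for illustration.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not code from the original post. It automates the two manual
checks the text describes: (1) does the link's visible text name one address
while its href points somewhere else, and (2) is the destination host a
near-miss of a brand domain (applle.com for apple.com) or a brand name used
as a leading label of some other domain. The brand list, the lookalike
threshold and the sample message are all constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains treated as "known good" for the lookalike check.
KNOWN_BRANDS = {"apple.com", "paypal.com", "microsoft.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            # A linked image shows the reader no URL at all; record that fact.
            self._text.append("<img>")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain, without a leading 'www.'."""
    url = url.strip()
    parsed = urlparse(url)
    if not parsed.netloc:               # "apple.com/verify" has no scheme
        parsed = urlparse("http://" + url)
    host = parsed.hostname or ""        # hostname drops port and user@ parts
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-typo lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, brands=KNOWN_BRANDS, max_distance=2):
    """Return the brand domain that `host` imitates, or None."""
    if host in brands or any(host.endswith("." + b) for b in brands):
        return None                     # the brand itself or a real subdomain of it
    for brand in brands:
        if host.startswith(brand + "."):                 # apple.com.evil.example
            return brand
        if edit_distance(host, brand) <= max_distance:   # applle.com
            return brand
    return None


def check_links(html):
    """Return (href, reason) for every link in `html` that trips a red flag."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the visible text as an address if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown!r} but link goes to {target!r}"))
        brand = lookalike_of(target)
        if brand:
            findings.append((href, f"host {target!r} imitates {brand!r}"))
    return findings


# Constructed phishing message exercising each red flag once; the last link is benign.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account will be closed unless you verify it at
<a href="http://www.applle.com/verify">http://www.apple.com/verify</a>.</p>
<p><a href="http://apple.com.account-check.example/login"><img src="cid:logo" alt="Apple"></a></p>
<p>Questions? Visit <a href="https://support.apple.com/">support.apple.com</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The benign support.apple.com link passes because a genuine subdomain ends with the brand domain; the scam pattern is the brand appearing at the start of a longer, unrelated host. A real filter would also follow shorteners and redirects before comparing hosts, and would treat a linked image with no visible address as worth the hover check the text recommends.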
So now that you know what to be aware of, the next hurdle is determining what to do if you have been subjected to a scam. First, report it. If you’re a Microsoft Office Outlook user, attach a copy of the email to a new email and send it to firstname.lastname@example.org. Most importantly, if you have been a victim, change all PINs and passwords on any accounts that may have been compromised. Contact your bank or online merchant if the message claimed your account had been compromised. Contact the credit bureaus and have a fraud alert placed on your credit reports. If your accounts have in fact been accessed, cancel those accounts and open new ones. Continue to closely monitor your account statements for unexplained transactions.
Passwords are a pain. The helpdesk hates resetting them. Security hates managing them. And users just plain hate them. The very term “password” reveals the fundamental flaw: we should be using pass phrases. Most modern operating systems, including Windows, OS X and Unix, accept pass phrases far longer than anything users are likely to type (Windows, for instance, allows up to 127 characters).
Uncle Sam has a better idea, which we’ll discuss. For now, let’s admit that security awareness trainers’ attempts to promote better passwords, and our fancy policies to ensure complexity, have failed. Part of the problem is that, to most organizations, a password like “Winter12” qualifies as complex. An analysis of the breached Sony accounts showed that while 93% of passwords were between six and 10 characters in length, only 1% contained a non-alphanumeric character, and less than 1% were longer than 14 characters. The top three passwords used: “seinfeld,” “password” and “winner.” Further analysis showed that 82% of passwords were found within rainbow tables.
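To see why “Winter12” sails through a complexity policy, here is an added example (not from the original post or any vendor’s policy engine) that encodes the usual rule, eight or more characters from three of four character classes, beside the normalization a wordlist attack performs: lower-case the candidate, strip trailing digits and punctuation, undo leetspeak, then look the remainder up. The word list is a constructed stand-in for a real cracking dictionary, and the 12-character and 16-character cut-offs are illustrative choices rather than standards.

```python
"""Why a 'complex' password is not a strong one.

Added example, not from the original post. It encodes the complexity rule
most organizations still use (at least eight characters from three of the
four character classes) next to a few checks modelled on how cracking tools
actually work: strip the predictable mangling, then look the remainder up.
The word list is a constructed stand-in for a real cracking dictionary and
the 12- and 16-character lines are illustrative choices, not standards.
"""
import re
import string

# Constructed stand-in for a cracking dictionary; the three most common
# passwords from the Sony breach are included so the contrast is visible.
COMMON_WORDS = {"seinfeld", "password", "winner", "winter", "summer", "welcome"}
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}$", re.IGNORECASE)
LEET = str.maketrans("@$013", "asole")   # substitutions a cracker's rules undo


def meets_complexity_policy(pw):
    """The traditional rule: 8+ characters and at least three character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def strip_mangling(pw):
    """Undo the mangling a wordlist attack tries automatically: case, trailing
    digits or punctuation ("Winter12", "password!"), and leetspeak ("P@ssw0rd")."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())   # drop the trailing "12" / "!" first
    return base.translate(LEET)                    # then map @->a, $->s, 0->o, 1->l, 3->e


def weaknesses(pw):
    """Reasons a password is weak in practice, whatever the policy says."""
    reasons = []
    if len(pw) < 12:
        reasons.append("short enough to brute-force")
    base = strip_mangling(pw)
    if base in COMMON_WORDS:
        reasons.append(f"dictionary word {base!r} with predictable mangling")
    if SEASON_YEAR.match(pw):
        reasons.append("season followed by a year")
    return reasons


def assess(pw):
    """Put the policy's verdict and the cracker's view side by side."""
    return {
        "policy_accepts": meets_complexity_policy(pw),
        "weaknesses": weaknesses(pw),
        "is_pass_phrase": len(pw) >= 16 and pw.count(" ") >= 2,
    }


if __name__ == "__main__":
    for candidate in ("Winter12", "P@ssw0rd!", "coffee before code every single morning"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The policy accepts “Winter12” and “P@ssw0rd!” and rejects the all-lower-case pass phrase, while the cracker’s view gives the opposite verdict on each. That inversion is the whole argument for length over character-class rules.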
So users make bad password decisions. We know this. But that isn’t the only reason they need to go. A problem just as significant as strength is that passwords and, for that matter, pass phrases provide authentication only once, when typed in or provided. There’s no mechanism for continuous re-authentication without interrupting user workflow. Think about the way attacks happen in the real world: ATM skimmers record PINs and reuse them later. The ATM has no way to know it was a fraudster who typed in the PIN. If a user walks away from a mobile device or PC, an attacker can jump on and take control of the session. Even Metasploit, the open source exploit framework, has the ability to take control of RDP and VNC sessions from legitimate users.
This leads us to the requirement for continuous authentication in future system designs. Fortunately for enterprises, the U.S. government is putting our tax dollars behind R&D for just such a cause. The Defense Advanced Research Projects Agency (DARPA) has put out a call for research into “active authentication.” DARPA states: “The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.”
DARPA’s proposed solution is to develop a “cognitive fingerprint,” which is government speak for biometric tests that include keystroke-latency analysis, eye scans, how a user searches for information, eye tracking and the speed with which a person reads content. The key is to develop a profile of an individual so that once an authorized user is authenticated, each move can re-authenticate the person, at a frequency as great as every second. With this technique, even if someone’s password is “seinfeld” and an attacker takes over a session, the cognitive fingerprint won’t match and the session can be shut down. If an action requires administrative privileges, the cognitive fingerprint can give the authentication system additional statistical confidence that the user is actually who he’s supposed to be.
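Keystroke-latency analysis is the most approachable of the signals listed above, so here is an added example of what continuous re-authentication on that one signal looks like. It is not DARPA’s code or anything from the original post; the timings, the per-digraph profile with a standard-deviation floor, and the z-score threshold are constructed or illustrative choices. Enrollment builds a profile of how long the user takes between consecutive keys for each key pair; every subsequent window of typing is scored against that profile and fails re-authentication when its rhythm drifts too far from the enrolled one.

```python
"""Continuous re-authentication from keystroke latency.

Added example, not DARPA's or the original post's code. It models one
"cognitive fingerprint" signal: the time between consecutive key presses
(digraph latency) for the key pairs a user types. Enrollment yields a
per-digraph mean and standard deviation; each new window of keystrokes is
scored as the average |z| of its latencies against that profile, and a
window above the threshold fails re-authentication. All timings are
constructed, and the threshold and standard-deviation floor are illustrative.
"""
from collections import defaultdict
from statistics import mean, pstdev


def typed(text, latencies):
    """Turn a string plus per-step latencies (ms) into (key, press_time) events."""
    assert len(latencies) == len(text) - 1, "one latency per key transition"
    events, t = [(text[0], 0)], 0
    for key, gap in zip(text[1:], latencies):
        t += gap
        events.append((key, t))
    return events


def digraph_latencies(events):
    """Group press-to-press gaps by the ordered pair of keys that produced them."""
    gaps = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        gaps[(k1, k2)].append(t2 - t1)
    return gaps


def build_profile(samples, min_obs=3, std_floor=5.0):
    """Per-digraph (mean, std) pooled over all enrollment samples.

    std_floor stops a handful of near-identical observations from producing
    a profile so tight that even the legitimate user can never match it.
    """
    pooled = defaultdict(list)
    for events in samples:
        for dg, gaps in digraph_latencies(events).items():
            pooled[dg].extend(gaps)
    return {dg: (mean(g), max(pstdev(g), std_floor))
            for dg, g in pooled.items() if len(g) >= min_obs}


def score_window(profile, events):
    """Average |z| of the window's latencies against the profile; None if no overlap."""
    zs = []
    for dg, gaps in digraph_latencies(events).items():
        if dg in profile:
            mu, sigma = profile[dg]
            zs.extend(abs(g - mu) / sigma for g in gaps)
    return mean(zs) if zs else None


def is_same_user(profile, events, threshold=2.0):
    """Re-authenticate one window; a window with no known digraphs fails closed."""
    s = score_window(profile, events)
    return s is not None and s <= threshold


# Constructed enrollment data: four repetitions of "the in" with a steady rhythm.
ENROLLMENT = [
    typed("the in", [110, 95, 150, 130, 100]),
    typed("the in", [115, 90, 145, 135, 105]),
    typed("the in", [105, 100, 155, 125, 95]),
    typed("the in", [112, 93, 148, 132, 102]),
]
# Constructed test windows: the enrolled user, and someone else at the keyboard.
LEGIT_WINDOW = typed("the in", [108, 96, 152, 128, 101])
IMPOSTOR_WINDOW = typed("the in", [60, 55, 80, 70, 200])

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for name, window in (("legit", LEGIT_WINDOW), ("impostor", IMPOSTOR_WINDOW)):
        print(name, round(score_window(profile, window), 2), is_same_user(profile, window))
```

In a deployment this would run over a sliding window of the most recent keystrokes, and a run of failing windows, rather than a single one, would trigger a step-up prompt or lock the session; a real profile would also need far more enrollment data and would fuse several of the signals the text lists rather than relying on typing rhythm alone.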
While passwords may not be gone completely in our lifetimes, the way we use them will change dramatically as additional metrics are brought online to authenticate and then continually reauthenticate users as they access a system. As technology like that behind Microsoft’s Kinect makes it into laptops, desktops and even smartphones, be prepared for new behavioral biometric authentication frameworks to make a strong introduction.