by Hal Noble | May 31, 2016 | Managed Security Services
Just like the paste that you liked to eat in kindergarten, pasting directly from web pages may be bad for you too.
In short, don’t trust copy and paste from web pages, it’s no longer safe. Malware attacks are getting trickier and trickier with more methods of infection appearing every day. Some of the latest in the growing attack trends are “pastejacking” attacks.
Pastejacking is a technical variation of the old bait and switch. You copy one thing from a web page, but when you paste it you get something else. That ‘something else’ includes not only your desired web content, but also a malware installer. From there on, your machine is infected and ickiness ensues. There are two major variants of this type of attack: Pastejacking with JavaScript, and Pastejacking with CSS.
Pastejacking with JavaScript
JavaScript is used in a large portion of the web pages on the Net. It is used to do all sorts of things like slideshows, drop-down menus, flying-this and floating-that. It is so popular that it is hard to find pages these days that do not use JavaScript.
When you copy things from a web page you can either use the highlight-then-right-click-and-choose-copy method, or you can use highlight-then-press-Ctrl+C. Either of these methods places whatever you highlighted into your workstation’s clipboard for you to paste wherever you want. Pastejacking with JavaScript uses a malicious script that watches for a copy event and then replaces the contents of your clipboard with the same contents plus some malware installer code. The attack doesn’t actually take place until you paste the clipboard contents into an application, like Word or Excel, that allows the malware installer code to run. Once the malware installer runs, your workstation will likely become infected.
You can thwart this attack by turning off the loading of JavaScript with a browser plugin like NoScript, but that rather drastic move stops a lot of web pages from displaying correctly for you. Even then, you can still be hit by a Pastejacking with CSS exploit.
Pastejacking with CSS
Like JavaScript, almost every web page that exists now uses Cascading Style Sheets (CSS). These are sets of browser commands that format the web page to look and act nicely for you. CSS chooses what fonts to use, where to place certain page sections, how to display images and more. CSS can also be used to position a part of the web page to ‘appear’ behind something else, or even outside of the visible browser window where you can’t see it. Yes, CSS can do that. Something malicious may be hidden by CSS behind the text that you copy. Again, you have to copy and then paste the offending part of the web page in order for this to happen, so it’s the pasting that kicks off the downloaded code that infects your machine.
The Pasting Prophylactic
The simplest way to protect yourself is to ‘cleanse’ your clipboard material using a program that strips away any excess code and pastes only the text that you wanted. Fortunately, every Windows machine comes with this cleansing program. It’s called Notepad. Notepad strips away formatting and any hidden code, including scripts, so that only text is pasted into Notepad. It doesn’t have to be Notepad, of course, any text editor will do. I like Notepad++.
Once you have pasted your web text into your text editor you can copy it from there and paste it to the final destination. This does mean that you will have to download any images separately, since the text editor strips them out of the paste operation too, but I consider it a small price to pay for safety.
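As an added example (not code from the original post), here is the ‘paste into Notepad’ check done in code: it reduces clipboard text to what a plain-text editor would show, counts the invisible characters that were hiding in it, and reports anything the clipboard holds beyond the text that was actually highlighted. The sample strings are constructed, and the bracketed placeholder stands in for whatever a hidden span would carry.

```python
import unicodedata

# Zero-width and bidirectional formatting code points never show on screen,
# so a clipboard can carry them without the user noticing.
_INVISIBLE = set("\u200b\u200c\u200d\u2060\ufeff"
                 "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def _is_hidden(ch: str) -> bool:
    """True for characters a plain-text editor would not display."""
    if ch in "\n\r\t":
        return False
    return ch in _INVISIBLE or unicodedata.category(ch) in ("Cc", "Cf")


def visible_text(text: str) -> str:
    """Keep only what Notepad would show: printable characters, tabs and
    line breaks. Control and formatting characters are dropped."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return "".join(ch for ch in text if not _is_hidden(ch))


def hidden_count(text: str) -> int:
    """Number of characters in the clipboard that would not be visible."""
    return sum(1 for ch in text if _is_hidden(ch))


def extra_content(selected: str, clipboard: str) -> str:
    """Return whatever the clipboard holds beyond the text that was selected.
    Both pastejacking variants deliver the expected text plus a payload, so
    everything that is not the selection is surfaced. Empty string means the
    paste is exactly what was highlighted."""
    sel = visible_text(selected).strip()
    clip = visible_text(clipboard)
    idx = clip.find(sel) if sel else -1
    if idx == -1:
        return clip.strip()          # selection was replaced outright
    return (clip[:idx] + clip[idx + len(sel):]).strip()


def paste_report(selected: str, clipboard: str) -> dict:
    """Summarize what a paste of `clipboard` would really deliver when the
    user believes they copied `selected`."""
    extra = extra_content(selected, clipboard)
    hidden = hidden_count(clipboard)
    return {
        "visible": visible_text(clipboard),
        "extra": extra,
        "hidden_chars": hidden,
        "safe": extra == "" and hidden == 0,
    }


# Constructed sample: what the user highlighted, and a clipboard that a
# malicious page has padded with an invisible character and an extra line.
SELECTED = "Installation notes: see the README"
CLIPBOARD = SELECTED + "\u200b\n[HIDDEN PAYLOAD PLACEHOLDER]\n"

if __name__ == "__main__":
    report = paste_report(SELECTED, CLIPBOARD)
    print("safe:", report["safe"])
    print("hidden characters:", report["hidden_chars"])
    print("extra content:", repr(report["extra"]))
```

The check only sees what is already on the clipboard, so it belongs in the same place Notepad does: between the copy and the paste into the application that can run the content.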
Naked Security did an excellent write-up of this if you want more info.
by Hal Noble | May 31, 2016 | Managed Security Services
Microsoft has started implementing a password filter that prevents you from choosing a password that is too simple. Hoorah, mostly. After years of allowing you to pick ‘123456’ the Redmond Giant is now implementing some tough password love for online services such as Xbox Live and OneDrive Azure. If you have recently tried to set up a too commonly used password, you may have already witnessed Microsoft’s banning in action, which tells you:
“Choose a password that’s harder for people to guess.”
The new program is currently in the preview phase for Azure Active Directory and will be phased into all Azure AD tenants in the months to come.
Microsoft’s system is fed by lists of usernames and passwords that have been stolen from other companies and organizations and leaked online or offered for sale. Microsoft is also using the usernames and passwords compiled from the over 10 million daily credential attacks with which their identity systems are hit. That list is constantly updated. When you go to choose, or change, your password, the system compares your password entry with the lists, or with passwords similar to the ones in the lists, and then reminds you of your simplicity and forces you to choose again. Fortunately for the password fatigued (and unfortunately for the security minded individual), choosing a password that is not on the big MS list is not too hard. Here are the minimum requirements:
- Passwords must have at least 8 characters and contain at least two of the following:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Symbols
Which means that passwords such as “Pa$$word”, “Pa$$w0rd1!” and “123456h!” will fit the bill.
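An added example, not Microsoft’s code, that makes the point above concrete: the composition rule as quoted (8+ characters, two of four classes) accepts all three of those passwords. The second check is the one the post says Microsoft also applies, comparing against a list of commonly used passwords “or passwords similar to the ones in the lists”. The banned list here is a constructed stand-in, and the similarity normalization (lowercase, drop trailing digits and symbols, undo letter-for-symbol substitutions) is my assumption about what ‘similar’ means, not Microsoft’s documented method.

```python
import string

# Constructed stand-in for a leaked-credential ban list.
BANNED = {"123456", "password", "qwerty", "letmein"}

# Assumed substitutions to undo when looking for 'similar' passwords.
_SUBST = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "l"})


def meets_composition(pw: str) -> bool:
    """Minimum rule quoted in the post: at least 8 characters and at least
    two of upper, lower, digit, symbol."""
    if len(pw) < 8:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 2


def normalize(pw: str) -> str:
    """Assumed similarity mapping: lowercase, strip the trailing digits and
    symbols people bolt on, then undo common substitutions, so that
    'Pa$$w0rd1!' normalizes to 'password'."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(_SUBST)


def is_banned(pw: str, banned=BANNED) -> bool:
    """True if the password, or its normalized form, is on the ban list."""
    return pw.lower() in banned or normalize(pw) in banned


def check_password(pw: str):
    """Apply both checks; returns (accepted, reason)."""
    if not meets_composition(pw):
        return False, "too short or too few character classes"
    if is_banned(pw):
        return False, "matches or closely resembles a commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa$$word", "Pa$$w0rd1!", "123456h!", "123456"):
        print(f"{candidate!r}: composition={meets_composition(candidate)}, "
              f"result={check_password(candidate)}")
```

Note that “123456h!” still gets through: it satisfies the composition rule and, after normalization, no longer matches anything on the list. That is the author’s point about how low the bar is.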
Microsoft chose not to set a longer length or complexity requirement, because their research found that people react in predictable ways when passwords get tougher. Their research shows:
- Longer password requirements usually result in people repeating patterns (e.g. passwordpassword), opting for writing their passwords down (oh, those sticky notes), or reusing them.
- Password complexity requirements result in passwords that use similar patterns (e.g. capital letter in the first position, a symbol in the last, and a number in the last two), which makes them easier to discover through dictionary attacks.
- Mandatory periodic password resets result in users choosing passwords closely related to the previous ones (i.e. they “update” an older one), which results in easily guessable passwords. Ex. “Pa$$word1!”, becomes “Pa$$word2!”, and then “Pa$$word3!”
Microsoft does recommend that company account administrators turn on risk-based multi-factor authentication and educate users, which we are all for, but some of their other advice to admins seems counterproductive and even counter to their own password requirements. From their password guidance paper:
Azure Active Directory and Active Directory allow you to support the recommendations in this paper:
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users not to re-use their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk based multi-factor authentication challenges.
Yet in that same paper they state their own “character-composition” requirements. Granted, Microsoft does have other security mechanisms in place, such as limiting the number of password attempts in a certain period, blocking IP addresses that try too many times, and enforcing two-factor authentication after too many failed attempts, so they can afford to recommend shorter passwords. To some extent. Additionally, since hackers now know what simple passwords will no longer work they will not even try those passwords and concentrate on guessing the harder ones from the get go. This just shifts the hackers’ starting point to begin cracking passwords at eight characters long.
For more info:
http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf
https://www.helpnetsecurity.com/2016/05/26/microsoft-bans-common-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29
by Hal Noble | May 16, 2016 | Managed Security Services
With a password manager to remember all of your passwords, all you have to do is remember the single master password for your password manager. This alleviates password fatigue and allows you to use secure, complex, randomly generated passwords for sites and applications, but this also leads you back to square one: all of your security now depends on one Master password. So, how do you create a secure, easy to use Master password? One simple, and surprisingly effective, way to generate a solid master password is to use a technique called Diceware. Diceware is low tech, yet creates secure passwords that are easy to memorize because they are based on English words.
Dungeons and Dragons players will like this. With Diceware, you start with a pre-compiled wordlist and then roll five six-sided dice to choose words from the list. Each roll will correspond to a word in the wordlist. The goal is to ‘generate’ at least six words and then combine these words into one passphrase. The wordlist is pre-compiled and contains over 7700 words. Here are the basic steps:
- Download the Diceware wordlist (http://world.std.com/~reinhold/diceware.wordlist.asc)
- Roll five six-sided dice
- Line up the dice to create a five-digit number
- Look up the number in the wordlist and then write down the word that it corresponds to
- Do this five more times for a total of six words (or more)
- Memorize this and use it as your Master password for your password management system
Here is an example:
- Die rolls: 45625, 63555, 51513, 64312, 21113, and 56312
- These rolls correspond to these words in the word list:
45625 pk
63555 webb
51513 refer
64312 witt
21113 cliff
56312 sy
- So your password becomes:
pk webb refer witt cliff sy
- or, if your password manager does not allow spaces in passwords you can use something else to separate the words:
pk_webb_refer_witt_cliff_sy
pk.webb.refer.witt.cliff.sy
Yes, I know that some of the ‘words’ are not really words at all, but this adds to the randomness of the password. A fellow named Arnold G. Reinhold has done quite a bit of work on the math and the security of this simple password generator. Reinhold even goes so far as to suggest how you go through this process (and I love the security focus here, even though it is a bit paranoid):
“For maximum security make sure you are alone and close the curtains. Write on a hard surface — not on a pad of paper. After you memorize your passphrase, burn your notes, pulverize the ashes and flush them down the toilet.”
I know it seems nerdy and overkill to generate passwords that are six words long, but if you only have one password to memorize then it’s easier than memorizing many different passwords.
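The procedure above, as an added example that is not from the original post or from Reinhold’s own tools: a parser for the ‘NNNNN word’ lines of the wordlist file, a dice roll lined up into a five-digit key, the words joined with the separator of your choice, and the passphrase strength worked out from the list size. The embedded mini wordlist holds only the six entries from the post’s example; the real list has 7776 entries (one per five-dice outcome), so the entropy figure uses that number. The dice default to the secrets module, which is the software equivalent of the physical dice the post recommends.

```python
import math
import secrets

# Constructed mini wordlist: the six keys and words from the post's example.
SAMPLE_WORDLIST = {
    "45625": "pk", "63555": "webb", "51513": "refer",
    "64312": "witt", "21113": "cliff", "56312": "sy",
}

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 possible five-dice outcomes


def parse_wordlist(text: str) -> dict:
    """Parse 'NNNNN<tab>word' lines of diceware.wordlist.asc; the PGP
    signature header and footer lines do not match and are skipped."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 2 and len(parts[0]) == 5
                and all(c in "123456" for c in parts[0])):
            words[parts[0]] = parts[1]
    return words


def roll_key(die=None) -> str:
    """Roll five six-sided dice and line them up as a five-digit key.
    `die` is a callable returning 1..6; the default uses the secrets CSPRNG."""
    if die is None:
        die = lambda: secrets.randbelow(6) + 1
    return "".join(str(die()) for _ in range(5))


def passphrase(keys, wordlist, sep=" ") -> str:
    """Look up each key and join the words; raises KeyError on a bad key."""
    return sep.join(wordlist[k] for k in keys)


def generate(n_words, wordlist, sep=" ", die=None):
    """Roll until n_words keys are found in `wordlist` (a partial list, like
    the sample above, simply makes most rolls miss) and return (keys, phrase)."""
    keys = []
    while len(keys) < n_words:
        k = roll_key(die)
        if k in wordlist:
            keys.append(k)
    return keys, passphrase(keys, wordlist, sep)


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy for n_words chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    keys = ["45625", "63555", "51513", "64312", "21113", "56312"]
    print(passphrase(keys, SAMPLE_WORDLIST))
    print(passphrase(keys, SAMPLE_WORDLIST, "_"))
    print(f"six words from the full list: {entropy_bits(6):.1f} bits")
```

Six words from the full list give about 77.5 bits, which is why the post can afford to use non-words like “pk” and “sy”: the strength comes from the dice, not from the words being hard to spell.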
More info here: http://world.std.com/~reinhold/diceware.html
Word list here: http://world.std.com/~reinhold/diceware.wordlist.asc
by Hal Noble | May 16, 2016 | Managed Security Services
Security industry experts are predicting the death of passwords within the next few years as more systems shift to biometric methods (fingerprint, facial recognition, voice recognition, etc.) for authenticating users. However, these biometric systems are still in their early days of development and adoption. Additionally, simpler systems (standalone applications like QuickBooks) may not adopt, or be able to adopt, biometric authentication. My own suspicion is that we will still need passwords for years to come. With that in mind, we will still need strong passwords to keep our data safe.
The rule that is being drilled into the public is that you need a long, randomly generated password on each website for which you have an account. However, research now shows that remembering all of those passwords is nearly impossible and people become fatigued. Instead, people pick a single password – one they assume is secure – and use it everywhere. Using the same password across multiple websites, or a variation of the same password, does not work well because once one account is compromised all of the others are at risk of easy cracking. Since we also now know that password fatigue leads people to use the same passwords for personal use and work use, a cracked personal password can allow bad actors to access company systems.
To combat password fatigue, more users and companies are turning to password managers. Password managers remove the requirement to remember those long strings of random characters and will fill in login fields for you. They even remove the problems with randomness during the creation step because they’ll create proper random passwords for you – passwords that are long enough to satisfy corporate requirements. There are wonderful password managers available today that allow you to keep track of all your passwords and even provide you with password management tools such as:
- Fast password search
- Mobile Apps (for field use)
- Active Directory Integration
- Password Generator
- Automatic Form Fill for web forms
- Compliance Reporting
- Multiple User Access and Sharing (teams!)
- Encrypted File Storage
- Two-Factor Authentication
- Password Auditing
- Automated Password Rotation/Change
- Automated Password Sync Across All Devices
- Digital Wallets
- Password Sharing with Individual Users
- Web Access
- Easy On-Boarding and Off-Boarding of Users
- Folder Restrictions for Different User Roles
I highly recommend password managers to clients who currently keep track of credentials in insecure ways (Excel spreadsheets, Word documents, paper). There are many password managers available and there is something out there that meets the needs for any client.
by Hal Noble | May 16, 2016 | Managed Security Services
According to a new FireEye report where 5,500 people were interviewed during April 2016 in Europe and the US:
- 90% of respondents would expect to be informed within 24 hours if their service provider had suffered a data breach which could have compromised their data.
- 76% of respondents would likely take their business elsewhere due to negligent data handling practices.
- 75% of consumers stated they were likely to stop purchasing from a company if a data breach was found to be linked to the board failing to prioritize cyber security.
- 72% of consumers also reported that they will now share fewer personal details with companies.
- 59% of consumers warned that they would take legal action against companies if a data breach resulted in their personal details being used for criminal purposes.
- 52% of consumers said security is an important or main consideration when buying products and services.
We can communicate this information to our clients as an incentive to focus more on securing client data and their own internal security. Loss of business due to a data breach makes up a large part of the estimated $217 per breached record in Oregon. For those in the healthcare field the estimated cost of a breached record is $363. It only takes one data breach to make a significant difference to the bottom line, or to run a small firm out of business.
by Hal Noble | May 16, 2016 | Managed Security Services
A recent study by the Université du Luxembourg has emphasized how the efficiency of social engineering attacks can be increased with the help of rewards. Which rewards? Well, chocolate, of course.
Social engineering is the use of storytelling and lies to get someone to do something for you, or to give you something like sensitive or confidential information. The study of 1,208 people was co-authored by Dr André Melzer who describes in the paper how criminals can increase the results of social engineering attacks by using the sense of obligation we feel after receiving a small gift, or after doing something that makes us feel good:
“When someone does something nice for us, we automatically feel obliged to return the favour. This principle is universal and important for the way we function as a society. However, this internal pressure can also be exploited to achieve certain purposes, such as encouraging someone to divulge a password.”
The study used undercover researchers carrying University of Luxembourg bags who asked passing pedestrians about their attitude towards computer security. Then the researchers asked them for their password. During the interview the researchers gave the interviewees gifts, including chocolate. The research showed that this small gift greatly increased the likelihood of participants giving away their password. The gift that had the most effect was chocolate and the study shows that even the timing of the gift can affect the results:
- If the chocolate was given out only afterwards, 29.8% of participants revealed their passwords.
- If the chocolate was given beforehand, 43.5% of respondents shared their password with the interviewer.
The researchers did not test any of the passwords so there is no knowing if the participants were lying or not, but the fact that people actually gave an answer was significant. So, beware of geeks bearing gifts as they may steal the keys to your kingdom.
Alternatively, we can also combat this form of bribery by giving ourselves and our clients more chocolate, thus reducing the importance of the reward.
by Hal Noble | May 9, 2016 | Managed Security Services
Simply put, the IoT is the concept of connecting any device with an on and off switch to the Internet, and/or to each other. This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig. If it has an on and off switch then chances are it can be made a part of the IoT. Because this subject is so wide-ranging this Security Tidbits is chock full of
The Rosy Picture
IoT devices are enabled to sense and transmit information online, offering consumers greater information and influence over their environment. Previously unconnected objects can now be accessed digitally and controlled from anywhere on a variety of devices, including mobile, desktop and tablets. Businesses are also seeing the benefits of IoT, not only in manufacturing but also in office environments. Cisco’s Digital Ceiling initiative was created for connecting and managing IoT devices such as building lights, door locks, HVAC (heating and cooling) and environmental sensors. Management of IoT devices is already leading to cost savings in energy. Here are some numbers:
- 60% of UK businesses are increasing their investments in IoT projects, by an average of 42%
- 68% of business leaders are expecting to reap actual benefits from their IoT investments in 2016
- IoT connected devices in 2015 number 25 billion
- IoT will consist of 50 billion devices by 2020
- Endpoint spending will be dominated by connected cars, as well as other complex machines and vehicles, such as heavy trucks, commercial aircraft, farming and construction equipment
- According to a new report from Tractica, by 2021 a cumulative total of 171.9 million wearables will be shipped for use in enterprise and industrial environments
The Money
Security spending for all PCs and mobile devices:
- A new report forecasts $655 billion will be spent on securing PCs, IoT and mobile devices between now and 2020.
- $386 billion will be spent on securing just PCs between now and 2020
- $113 billion will be spent on securing all mobile devices between now and 2020
Security just for IoT:
- Worldwide spending on IoT security will reach $348 million in 2016, a 23.7 percent increase from 2015 spending of $281.5 million
- Spending on just IoT security is expected to reach $547 million in 2018
- $172 billion will be spent on securing IoT devices between now and 2020
The Problems
The downside of IoT is that devices are being added to networks by companies that have little to no network security experience and little to no software security. The result is that large numbers of IoT devices have security vulnerabilities, making them risky to put on company networks. The 2014 security report by HP showed that 70% of IoT devices contain vulnerabilities. Added to that, because many IoT devices are aimed at consumers, they are being purchased and connected to company networks without the knowledge of the company IT department. This “Shadow IT” is untracked by almost all firms. Only 8% of organizations can track Shadow IT.
The biggest IoT risks to consider are as follows:
1. Disruption and denial-of-service attacks
2. Understanding the complexity of vulnerabilities
3. IoT vulnerability management
4. Identifying, implementing security controls
5. Fulfilling the need for security analytics capabilities
6. Modular hardware and software components
7. Rapid demand in bandwidth requirement
Adding to the vulnerabilities of IoT devices, there is a shortage of security professionals. The Cisco 2014 Annual Security Report estimated a shortage of 1 million information security professionals worldwide. According to a Symantec 2014 report, cybersecurity is projected to rise to 6 million jobs by 2019 with a 1.5 million person shortfall in the US alone. This is already worrying existing security professionals. In a quick survey done at the 2015 Black Hat Security Conference, security professionals were asked about their biggest concerns:
Question: “Which do you believe will be of the greatest concern two years from now?”
Answer: “Digital attacks on non-computer devices and systems – the Internet of Things”
Question: “Does your organization have enough security staff to defend itself against current threats?”
Answers:
- 51% – “No, we could use a little help”
- 17% – “No, we are completely underwater”
- 5% – “What staff?”
Additional info:
- Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets.
- “It is clear that IoT systems and software are not being developed with a hostile operating environment in mind. In Veracode and IDC’s 2016 research into the security of connected cars, the manufacturers that were interviewed told IDC that it will be one to three years before connected car systems are implemented with full consideration of security concerns,” said John Smith, Principal Solution Architect at Veracode.
- Cybercrime propels security spending. Juniper Research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.
The Cure – What This Means to End Users
All of this means that security providers will have their hands full responding to the security needs of existing clients as well as future clients. Educating clients about the risks of IoT devices is the first big step in helping them to secure their networks. Beyond that basic step, here are additional steps that we can follow:
- Connect Only What You Need – If it does not need to be connected to a network and does not bring business value then don’t connect it.
- Separate Wi-Fi network for IoT devices – Separate IoT devices from secure company devices and also from guest devices by creating separate wired and wireless networks. This will require a good firewall and switches.
- Update When Possible – Update firmware and software as soon as updates become available. This will mean that you have to know about these devices and then monitor manufacturer websites for news of updates.
- Use Strong Passwords and Change Factory Default Options – Many vulnerabilities are due to using factory default usernames and passwords, or security options. Factory defaults are often available on the Internet and could be used by anyone. Going through all of the options when installing an IoT device can save the client from these easy-to-fix vulnerabilities.
- Use Any Privacy Options – Set privacy options to be their most restrictive where possible.
- Consider Replacement and Budget For It At Time of Installation – If the IoT device manufacturer is new to the networking world then consider that they might not update their firmware or software fast enough and that the only cure for some vulnerabilities is to replace the IoT device with one that is more secure. You can help the client anticipate this possibility when considering IoT devices. Adding this possible replacement cost into the initial cost evaluation may cause the client to wait until more secure IoT alternatives appear.
References
“The Internet of Things: Risks in the Connected Home” – http://download.bitdefender.com/resources/files/News/CaseStudies/study/87/Bitdefender-2016-IoT-A4-en-EN-web.pdf
by Hal Noble | Apr 29, 2016 | Managed Security Services
According to the 2016 Verizon Data Breach Investigations Report (DBIR), now in its ninth year and one of the largest reports, the number of breaches resulting from insider threats accounts for about 15% of all breaches. Per Verizon, “While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.”
That being said, 15% is still 15%, and Insider Threats are usually easier to prevent than External Threats. Low hanging fruit, so to speak. Following are some facts about Insider Threats, their cause and prevention.
Insider Threat Sources
According to a report from the 260,000+ member Information Security Community on LinkedIn and Crowd Research Partners, 3.8 is the average number of insider network attacks per business each year. These attacks come from the following sources and in the following forms:
Launch Points for Insider Attacks:
- 56% – Endpoints
- 43% – Network
- 42% – Mobile Devices
Top Insider Threats:
- 63% – Data Leaks
- 57% – Inadvertent Data Breach
- 53% – Malicious Data Breach
- 36% – Fraud
- 29% – IP Theft
- 23% – Espionage
- 20% – Sabotage
Most Risky Users:
- 59% – Privileged users, such as managers with access to sensitive information
- 48% – Contractors/consultants and temporary workers
- 46% – Regular, full/part-time employees
Vulnerable Apps:
Collaboration & communication apps, such as email, are most vulnerable to insider attacks, followed by cloud storage and file sharing apps. Finance and accounting apps come in third.
- Collaboration & Communication 44%
- Cloud Storage & File Sharing 43%
- Finance & Accounting 38%
- Social Media 33%
- Sales & Marketing 29%
What about non-employees? Another alarming number: 89 – the number of different third-party vendors that access an average company network every week (https://www.bomgar.com/vendorvulnerability). No data was given in this report as to how many Insider Attacks came through third-party vendors, and that number reflects very large networks as well as small ones, but still that is a bit of a surprise. More on this in a later Tidbits.
The Insider Threat can come from current employees or vendors, or guests, but what about ex-employees? It turns out that, yes, even though they no longer show up to drink the company coffee, ex-employees can still take a drink from the company data cup. A shocking (and I thought that I could no longer be shocked) 89% of ex-employees still have a valid login and password to at least one business application after they’re let go (“The ex-employee menace” – 2014 – https://www.intermedia.net/Reports/RogueAccess ). That’s most of an organization’s ex-employees with access to company data, of some sort.
How This Affects End Users
Good user management practice is an area where Managed Services can help our clients to reduce risk. We already have employee de-provisioning checklists for some clients and should develop a customized checklist for each Managed Services client. This may be a T&M project, so check with Melody and Aaron before launching on it. The same should go for vendors who are given access to servers, network devices, or the company Secure WiFi network (see below). Secure WiFi network passphrases should be changed periodically, or, in the case of Active Directory-coupled WiFi networks (using RADIUS), the authorized users group should be reviewed on a regular basis.
More Info here: “Insider Threat Spotlight Report” – http://www.veriato.com/docs/default-source/infographics/insider-threat-spotlight-report.pdf
“Hey, It’s MY Phone, I Can Do What I Want With It”
RiskIQ, which specializes in external threat management, surveyed how many people pirate content online using their personal devices and whether or not they believe that using the same devices in the office poses a security threat. Here is what they found:
- 59% of UK employees are putting their businesses at risk of malware infection by using their personal devices to access corporate networks and illegal pirated content
- 80% of those accessing the content considered the personal security risks of doing so, but only 60% consider the security implications for their employers
- Individuals who stream or download pirated content online are 28 times more likely to get malware than those who use legitimate services to obtain content
- 33% of the piracy sites that were studied during the survey suffered from at least one malware related incident
- 20 of the piracy sites exposed 3 out of 4 of their visitors to malware
- 55% of the malware that was detected infected users through fake prompts to download Flash or other anti-virus updates
- 45% of malware came directly as a result of downloading pirated content
- The top reasons for downloading or streaming pirate content are because it is free (23%), it is available before paid content (13%), the belief that all content should be free (12%) and the content people are trying to access is not available in any other way in the region (10%)
While the study was of UK residents, I think it reasonable to assume that similar attitudes prevail in the U.S.
How This Affects End Users
This is something of which we can make our clients aware and provide solutions. The easiest solution, that employees will accept, is the separation of Guest WiFi traffic, used for personal devices, from Secure traffic that runs on the same network as company workstations and servers. This means two WiFi networks, like we have in the Eugene office, and is nothing terribly new to most people these days. While this does not take care of the legal implications of downloading pirated material, it mitigates the risk of infection for company machines. We already have separate WiFi networks in place for some clients, but can still push this idea out to the rest of them.
More Info can be had here: http://www.itproportal.com/2016/04/19/pirating-content-personal-devices-risks-work-security/
And here: http://www.computerweekly.com/news/450281592/Employees-use-of-personal-devices-puts-firms-at-risk-of-malware-infection-says-report
Breach Fatigue
Part of the reason that Insider Threats are still prevalent is the fact that people get tired of being on their guard all of the time. Combine that with the number of news articles spreading FUD (Fear, Uncertainty and Doubt) and vigilance begins to wane. The Rand Corporation conducted a survey, using a nationally representative sample of 2,038 adults, about data breaches and extrapolated the results to find:
- Higher-income and better-educated respondents were more likely to remember experiencing a breach; younger adults (ages 18–34) and senior citizens (ages 65+) were less likely.
- 51%, or an estimated 36 million individuals, received two or more notifications in the year preceding the survey.
- 44% of those who received a notification in their lifetime were already aware of the breach from a source other than the affected company, typically media reports or notifications from a third party.
- 62% of respondents accepted offers of free credit monitoring.
- According to respondents, three main factors influenced their decision: (1) time and effort required, (2) quality perception and trust (both of the affected company and of the breach notification service), and (3) whether the offer duplicated other services the victim had.
- 11% of respondents stopped dealing with the affected company following a breach.
- 32% of respondents reported no costs from the breach or the inconvenience it caused; among those reporting some cost, the median cost was $500. Median dollar values were higher if health information ($1,000), social security numbers ($1,000), or other financial information ($864) was compromised.
- 6% said that the inconvenience cost them $10,000 or more. For these, the breach typically involved credit card or health information.
- 77% of respondents were highly satisfied with the company’s post-breach response.
- The steps that would highly satisfy most respondents were (1) take measures to ensure that a similar breach cannot occur in the future (68 percent), (2) offer free credit monitoring or similar services to ensure that lost data is not misused (64 percent), and (3) notify consumers immediately (63 percent). All three of these actions were valued more highly than receiving financial compensation for the inconvenience.
How This Affects End Users
How do we convince people that security is still important even though it seems like so much old news? The answer seems to be to incorporate security awareness into every project and into the company culture. Short-term awareness campaigns work for short periods of time before fatigue sets in again. Convincing the top business stakeholders (owners, leadership and managers) of the value of their data and the cost of its loss is the start. After that, it has to be reinforced by the top folks at each client. If security is important to the company leadership, it will take on a greater importance to all staff. This culture of awareness will take a different form for each client and is something that we can help them develop and reinforce with each client interaction.
More Info can be had here: http://www.rand.org/pubs/research_reports/RR1187.html
And here: https://www.helpnetsecurity.com/2016/04/14/us-consumers-data-breach/
by Hal Noble | Apr 22, 2016 | Managed Security Services
This year, at Mobile World Congress, Avast Software carried out an experiment on attendees. Researchers set up three open Wi-Fi networks near the exhibition entrance. These WiFi spots were given innocent-looking names such as “Starbucks,” “MWC Free WiFi,” and “Airport_Free_Wifi_AENA.” In just four hours more than 2,000 attendees connected to these hotspots based solely on their name (SSID), abandoning all security practices for the sake of free Internet access. Just like kids being offered free candy (yikes!). Details about each connecting device were visible as was the user’s identity in 63.5% of all the traffic.
Among the detailed findings were these:
- 7% of all users searched the Web via Google or accessed their Gmail account
- 5% of users had the Facebook app installed
- 9% accessed a Yahoo! site
- 4% used the Twitter app
- 2% listened to music via Spotify
- 1% browsed a dating app, such as Tinder or Badoo
About the devices themselves, researchers noticed that 50.1% of people used Apple devices, 43.4% used Androids, while Windows Phone was found on 6.5% of all devices.
How This Affects End Users
People love free WiFi and seem to think of it like electricity – just plug in! – without thinking about the consequences. Most of our clients have WiFi networks of some kind and allow their staff, or even friends and vendors/visitors, to connect using their personal devices. Few of our clients have WiFi networks that separate company-only network access from guest Internet-only access. The same devices that folks allow to connect to random free WiFi networks (hello Starbucks) are also connecting to company networks that have company data and resources attached to them. How do we help them? We can lovingly and consistently inform and remind our customers of these risks and recommend that they create (with our help) separate WiFi networks. Our clients will also need to create a policy, and this is the hard part, to allow only wireless devices that require access to shared resources (file servers, printers, etc.) onto the company network. All others will use the Guest wireless network, which provides access to the Internet only. This will greatly increase customer security, and it will also give Nate something to do since he really isn’t busy with Jerry’s at all. ;-)
Because I believe that this is so important, and because this is really not too tough, here is the basic project process:
- Segment the wireless network into separate Guest and Staff wireless SSIDs
- Provide ONLY Internet access for the Guest wireless network
- Force password changes on both wireless networks
- Inform all staff that personal wireless devices should only go on the Guest wireless network
- Provide Guest wireless password to all staff
- Manually join corporate laptops and wireless devices to the Staff wireless network rather than handing out its password; give the Staff password only to key personnel
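Once the two SSIDs exist, the policy that personal devices stay on Guest still has to be checked. As an added example (not from the original post), here is a small audit over access-point association logs: any device on the Staff SSID that is not in the corporate asset inventory is flagged, corporate assets seen on Guest are noted, and associations to any other SSID are called out. The log format, the SSID names "Staff" and "Guest", the inventory and the MAC addresses are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample AP association log (format assumed for this example):
# "<date> <time> <ap> assoc ssid=<SSID> mac=<MAC> host=<hostname>"
SAMPLE_LOG = """\
2016-04-22 09:14:03 ap01 assoc ssid=Staff mac=aa:bb:cc:00:00:01 host=LT-FIN-04
2016-04-22 09:15:40 ap01 assoc ssid=Staff mac=f0:18:98:00:00:22 host=Hals-iPhone
2016-04-22 09:16:12 ap02 assoc ssid=Guest mac=40:b0:fa:00:00:33 host=android-7c1
2016-04-22 09:17:55 ap02 assoc ssid=Guest mac=aa:bb:cc:00:00:02 host=LT-OPS-11
2016-04-22 09:18:30 ap03 assoc ssid=OfficeWiFi mac=aa:bb:cc:00:00:03 host=LT-SALES-02
"""

# Constructed corporate asset inventory: MAC address -> asset tag.
INVENTORY = {
    "aa:bb:cc:00:00:01": "LT-FIN-04",
    "aa:bb:cc:00:00:02": "LT-OPS-11",
    "aa:bb:cc:00:00:03": "LT-SALES-02",
}
STAFF_SSID, GUEST_SSID = "Staff", "Guest"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ap>\S+) assoc ssid=(?P<ssid>\S+) "
    r"mac=(?P<mac>[0-9A-Fa-f:]{17}) host=(?P<host>\S+)$"
)
Finding = namedtuple("Finding", "severity mac host ssid reason")

def audit_associations(log_text, inventory, staff_ssid=STAFF_SSID, guest_ssid=GUEST_SSID):
    """Return a Finding for every association that violates the two-SSID policy.
    Lines that do not match the expected format are reported rather than skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(Finding("warn", None, None, None, f"unparseable line: {line!r}"))
            continue
        mac, ssid, host = m["mac"].lower(), m["ssid"], m["host"]
        known = mac in inventory
        if ssid == staff_ssid and not known:
            findings.append(Finding("high", mac, host, ssid, "non-inventory device on Staff SSID"))
        elif ssid == guest_ssid and known:
            findings.append(Finding("low", mac, host, ssid, "corporate asset on Guest SSID"))
        elif ssid not in (staff_ssid, guest_ssid):
            findings.append(Finding("medium", mac, host, ssid, "association to unexpected SSID"))
    return findings

if __name__ == "__main__":
    for f in audit_associations(SAMPLE_LOG, INVENTORY):
        print(f"[{f.severity}] {f.host} ({f.mac}) on {f.ssid}: {f.reason}")
```

In practice the inventory would be fed from the asset list built while joining corporate devices to the Staff SSID, and the log from the access points or RADIUS server.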
More Info can be had here: http://news.softpedia.com/news/airport-experiment-shows-that-people-randomly-connect-to-any-open-wifi-hotspot-500808.shtml
by Hal Noble | Apr 8, 2016 | Managed Security Services
Social engineering attacks, tricking people into revealing information or granting access, have been around for a long time. We have all heard stories about, or actually received, e-mails from some Nigerian prince who desperately needs your help to get money out of his country. Those primitive attempts seem so quaint now. Today’s phishing attacks are much craftier, use graphics and links from real companies in their e-mails, and are more targeted towards getting business data than getting your personal bank information. Because they are more targeted they are known as Spear Phishing attacks.
PhishLabs, providers of employee training and fraud prevention services, comes out with an annual report that details the state of phishing. Just phishing. The subject is now big enough to warrant its own report. Several annual security reports name employee error as one of the largest sources of data loss, and phishing attacks are the largest contributor to those losses. Here are the highlights of what this year’s PhishLabs report shows.
- Spear phishing remains the primary initial attack vector used by Advanced Persistent Threat (APT) actors
- The number of organizations targeted with Business Email Compromise (BEC) spear phishing attacks grew tremendously in 2015 as threat actors refined BEC techniques and sought new victims
- 90% of consumer-focused phishing attacks targeted financial institutions, cloud storage/file hosting sites, webmail and online services, ecommerce sites, and payment services
- Financial institutions and payment services continue to be the most highly targeted organizations
- Gmail is used for more than half of all drop email accounts, making it the top webmail service used by attackers to receive credentials stolen via phishing
- Social media is a primary promotion and distribution channel for consumer-focused phishing kits and related goods or services
While the percentages show most phishing targeted at a few business sectors, what gets glossed over is that phishing overall is growing fast in all areas. Social media phishing attacks are up 150%. And why? Well, because, as we have seen from previous Tidbits, people tend to use the same passwords for home and work. Crack a Facebook password, know where that person works and, voila!, you are in. I plan to focus more on phishing and social engineering attacks in the near future. It is a subject all its own.
More Info here: https://pages.phishlabs.com/2016-Phishing-Trends-and-Intelligence-Report-Hacking-the-Human_PTI.html