Subscribe to RSS - Cybersecurity

Cybersecurity

TSA’s quest to merge cybersecurity and information technology

 - 
Wednesday, January 15, 2020

We’re about two weeks into the new year, and suffice to say, gearing up for travel is top of mind for security professionals. The “big” industry shows always seem so far away at this point, but before we know it, ISC West will be here in March, followed by ESX in June; GSX in September; ISC East in partnership with ASIS NYC in November; and more. In addition to these, are the smaller, boutique-type events, such as our SecurityNext conference in February (It’s not too late to register, btw!), not to mention all the companies that host events throughout the year. This puts you and your personal data in quite a few airports’ computer systems, screening technologies, etc., which can be a hacker’s paradise. 

Fortunately, while you’re on your yearly security quests, TSA is on a “quest” of its own: “to merge cybersecurity and information technology,” according to a special notice issued on January 7, 2020. And, they aren’t going at it alone. The agency has the support of America’s airport facilities, working together to create a cybersecurity culture by adopting the requirement “cybersecurity by design” to ensure cybersecurity is at for forefront, as opposed to being an add-on or afterthought. 

In addition to merging cyber and information technology, there are other “requirements for the information security and security screening technologies industry to ensure everyone is working towards a common goal,” it said in the notice. Other requirements include: 

  • Implementation of adequate access control and account management practices by enabling multi-level access to equipment sources and the ability to restrict users;
  • The ability for airport operators to change system level passwords;
  • Use of unique identification of individuals, activity and access to security equipment; 
  • Protection of screening algorithms form compromise, modification and rendering equipment inoperable, and provide immediate alert when algorithms have been accessed;
  • Covering USB ports are covered and access to ports, cables and other peripherals are protected from unauthorized use;
  • Employing automated measures to maintain baseline configurations and ensure systems protections;
  • Proper management of internal and external interfaces and encryption of ingress and egress traffic;
  • Implementing methods to update security equipment affected by software flaws; 
  • Running security assessment tools on devices to ensure appropriate configuration and patch levels, and that no indicators of compromise are present; 
  • Full support to ensure security equipment hardware, software and operating system vulnerabilities are identified and remediated; 
  • Use of an approved encryption method to ensure integrity of all data at rest on security equipment; 
  • Providing comprehensive list of all software and hardware that compromise security equipment; 
  • Demonstrating the ability to update equipment design and capabilities to align with changing cyber intelligence and threat reporting; and 
  • Vetting all local or remote maintenance personnel with the inclusion of background checks. 

TSA hopes that these requirements will “increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirement.”

Sounds like a win for anyone involved in travel. 

 

The state of ransomware ...

 - 
Wednesday, January 8, 2020

The recent cyberattack on the city of New Orleans is another sobering example of how vulnerable we are as a nation to cyber criminals. Even for cities like New Orleans, which was prepared for such an attack, there is an incredible amount of time and effort and cost that goes into getting a city back up on its feet after such an incident.

Following the New Orleans attack, a report on the State of Ransomware in the U.S., created by cybersecurity research firm Emsisoft, was rushed to be released ahead of its original Jan. 1 2020 release date because, as researchers pointed out, the New Orleans incident “elevates the ransomware threat to crisis level. Governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.”

By releasing the report early, the company hopes it will help “kickstart discussions and enable solutions to be found sooner rather than later. Those solutions are desperately needed.”

Looking at the numbers on ransomware, they are pretty mind numbing, as in 2019 the U.S. was hit by “an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion,” according to Emsisoft.

The impacted organizations included:
•    113 state and municipal governments and agencies;
•    764 healthcare providers; and
•    89 universities, colleges and school districts, with operations at up to 1,233 individual schools potentially affected.

The incidents were not simply expensive inconveniences, according to the report, which noted that the disruption they caused put people’s health, safety and lives at risk. For example:
•    Emergency patients had to be redirected to other hospitals;
•    Medical records were inaccessible and, in some cases, permanently lost;
•    Surgical procedures were canceled, tests were postponed and admissions halted;
•    911 services were interrupted;
•    Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field;
•    Police were locked out of background check systems and unable to access details about criminal histories or active warrants;
•    Surveillance systems went offline;
•    Badge scanners and building access systems ceased to work;
•    Jail doors could not be remotely opened; and
•    Schools could not access data about students’ medications or allergies.

“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020,” Emsisoft CTO Fabian Wosar said in the report. “Governments and the health and education sectors must do better. ”

Other effects of the incidents included:
•    Property transactions were halted;
•    Utility bills could not be issued;
•    Grants to nonprofits were delayed by months;
•    Websites went offline;
•    Online payment portals were inaccessible;
•    Email and phone systems ceased to work;
•    Driver’s licenses could not be issued or renewed;
•    Payments to vendors were delayed;
•    Schools closed;
•    Students’ grades were lost; and
•    Tax payment deadlines had to be extended.

In looking at how unprepared local governments are, a 2019 University of Maryland, Baltimore County research report based on data from a nationwide survey of cybersecurity in U.S. local governments, stated that, “Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it,” and that “Local governments as a whole do a poor job of managing their cybersecurity.”

The issues identified included:
•    Just over one-third did not know how frequently security incidents occurred, and nearly two-thirds did not know how often their systems were breached;
•    Only minorities of local governments reported having a very good or excellent ability to detect, prevent, and recover from events that could adversely affect their systems; and
•    Fewer than half of respondents said that they cataloged or counted attacks.

In some cases, governments failed to implement even the most basic of IT best practices, the report noted. For example, Baltimore experienced data loss because data resided only on end-user systems for which there was no backup mechanism in place.

According to the University of Maryland, Baltimore County's research, more than 50 percent of governments identified “lack of funding” as a barrier to cybersecurity and this is almost certainly an issue in the education and healthcare sectors, too. “Resolving the problem may simply require that organizations reallocate their existing budgets, or it may require that additional funding be provided either by federal or state government. In either case, it is an issue that must be addressed,” researchers concluded.
   
While 966 government agencies, educational establishments and healthcare providers were impacted by ransomware in 2019, the report noted that not a single bank disclosed a ransomware incident.

“This is not because banks are not targeted,” researchers noted. “It is because they have better security and so attacks against them are less likely to be successful. If government agencies were simply to adhere to industry-standard best practices — such as ensuring all data is backed up and using multi-factor authentication everywhere that it should be used — that alone would be sufficient to reduce the number of successful attacks, their severity and the disruption that they cause.”
 
As Wosar pointed out, “2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
 

Hanwha’s top five video surveillance trends for 2020

 - 
12/20/2019

TEANECK, N.J.—Hanwha Techwin, a global supplier of IP and analog video surveillance solutions announced its top five key trend predictions for the security industry in 2020. 

Proactively going head-to-head with cyber threats

 - 
Wednesday, December 18, 2019

I recently read an article stating that the biggest cyberattack of 2020 has already happened. Needless to say, this sparked my attention, plunging my mind into thoughts of sophisticated cybercriminals who have already hatched a plan attack that’s just sitting in wait, ready to emerge when prompted. While I don’t promote, condone or encourage using scare tactics as a way to educate others and prompt them to take action, this does sound a bit scary; so, I reached out to some cybersecurity experts and members of SIA’s Cybersecurity Advisory Board to better understand and learn what you and I can do to protect ourselves going forward. 

“The most successful cybercriminals are the ones you don’t even know are there,” Tiffany Pressler, senior manager, HID Global, said. 

Min Kyriannis, head, Technology Business Development, Jaros, Baum & Bolles further explained: “Typically, hackers will remain dormant in someone’s network until a sequence or signal is sent to initiate the attack.”

To better understand a cyberattack, Pressler explained the Cyber Kill Chain, eight recognized phases that most cyberattacks go through. The phases are: 

  1. Reconnaissance
  2. Intrusion
  3. Exploitation
  4. Privilege escalation
  5. Lateral movement
  6. Obfuscation/anti-forensics
  7. Denial of service
  8. Exfiltration

“Each phase offers an opportunity to stop the attack, but most aren’t aware that a breach has happened at any of these phases until months or years after the breach has occurred,” Pressler explained. “Based upon that logic, any breach impending in 2020 is probably already significantly down the list of phase stages.” 

This doesn't mean doom and gloom, but rather, a sort of "heads up" to take action now to protect yourself for what you already know is coming.

One of the biggest complaints people talk about is identity theft, so Kyriannis advised to see what services are available. “Following the Equifax data breach, there are free services provided to lock your credit report, for example TrueIdentity,” she said. “Always ask questions about how companies your working with are security the information you’re providing them. I set alerts on my credit cards so that when I use them, a text message is sent to my cell phone.”

Pressler also offers some simple, proactive actions to take now: 

  • Turn on multi-factor authentication for any and all applications and devices. 
  • Use a password manager to help you remember and not reuse passwords. 
  • Always use complex passwords consisting of letters, upper- and lowercase, numbers and symbols. It’s best when your password does not equate to a readable word, sentence or name. 
  • Never click on links in emails or text messages. 
  • Hover over links to reveal the full URL to see if it goes to a legitimate domain, owned by a company.
  • Secure links with a link scanner, such as Norton SafeWeb or ScanURL.
  • Never give out information through webpages launched from a link. Always go to a company’s homepage and log in there.

“If you’re proactive about setting these measures, you’re making it harder for the cybercriminals, but you’re also giving yourself a chance to recover quickly,” Kyriannis encouraged.

How companies can fight against cyber threats

Cyber experts identify top cyber threats for 2020 and offer strategies of defense
 - 
12/16/2019

YARMOUTH, Maine—As 2019 closes, 2020 is full of new possibilities and opportunities. While it’s a time for growth, change and newness, cyber criminals are lurking in the background ready to strike.

Nearly 4 in 10 cameras at cyber-risk

New Genetec research shows most firmware is out of date
 - 
12/11/2019

MONTRÉAL— As many as 68.4 percent ­— or almost 7 out of 10 — cameras are currently running out-of-date firmware, according to a new report by Genetec.

100 Women in 100 Days Cybersecurity Career Accelerator announces next class

 - 
11/21/2019

SACRAMENTO, Calif.—The free cybersecurity training and accreditation program, 100 Women in 100 Days (100w100d), founded and managed by Sacramento-based cyber risk consulting firm, Inteligenca, will help another 100 students reboot their careers at Japan’s Saya University.

What images and color(s) represent the word ‘cybersecurity’?

 - 
Tuesday, November 19, 2019

Some studies have found that the human brain actually processes words by recognizing each word heard through the ears and seen with the eyes as an individual picture. I know when I’m listening to a podcast or lecture, the radio, reading something, etc. and I hear or see a word that is delightful to me, my mind engages, blooming a series of images that represent that word. In other words, I see pictures in my mind related to what I heard or saw.

Let’s say, for example, you just heard the word ‘cybersecurity.” What images popped into your mind? For me, it’s images of hooded people in basements crouched over a laptop, padlocks, computers with data flying out of it as if it’s being stolen, etc. 

Believe it or not, how people “see” the word cybersecurity is a big deal, as images can conjure up false realities of what it actually is and encompasses. And, with digital being such a major part of our lives, pictures/images provide the visual communication we are accustomed to.

The Daylight Security Research Lab, part of the Center for Long-Term Cybersecurity at U.C. Berkeley, compiled a dataset of the most common cybersecurity-related images used on the Internet during a two-year period of Google Image Search results for 28 terms related to privacy and cyber security. Every week for two years, the research team entered terms, such as cybersecurity, camera surveillance, camera privacy and more (you can see all 28 here) into a custom Google Search Engine (Google CSE). For each term searched, 100 images were scraped using a script, resulting in three sets of search terms each aimed at the following: 

  • Set 1: general technologies, technical themes or topics;
  • Set 2: representations of abstract ideas or practices; and
  • Set 3: Dave Eggar’s book, “The Circle,” which at the time of the study was a best-seller and represented topics of interest related to this study. 

Though the Berkeley researchers are continuing to analyze the seven gigabytes of collected imagery data, preliminary analyzations found that the most common colors used in cybersecurity imagery online are blue, grey, black and red, while padlocks and abstract network diagrams are the most common images. 

In my opinion, fear should not be the driver that encourages people to take action to stay safe. Yet, this research shows that the majority of images and colors related to cybersecurity do just that. Dark colors, in this case, blue, grey and black, are frequently associated with evil, mystery and fear. Red is often associated with danger. Just these four colors alone can communicate and evoke fear, and when used along with padlocks and images of computer networks, the message is clear: cybersecurity = fear. 

People should know the truth about cybersecurity —in words and in pictures — so that they can make educated decisions on how to best protect themselves, not fear mongered into it. Therefore, it’s important to create and use realistic imagery and pictures when it comes to discussing and presenting cybersecurity online. 

Do you agree or disagree? Why or why not?

Are you and your company ready for a cyberattack or data breach?

 - 
Wednesday, November 6, 2019

Kind of like the once elusive sound of a car alarm in a packed parking lot in the 80s to the flooded number of parked cars with car alarms today, as is the discussion of cyberattacks, cybercrimes, data breaches and such. 

I remember being around seven years old and in our local K-Mart parking lot with my mom, when a sound emerged from somewhere among the parked cars. That’s the first time I had ever heard a car alarm. Today, a car alarm is an annoyance at best and not really “heard” by many people anymore. 

Likening that to the cyber world, I remember becoming so intrigued with cybersecurity, cyberattacks, cybercrimes and such about 10 years ago, when I became heavily involved in social media. It was something exciting and different than had ever been seen before in true crime stories that intrigue and whet the public’s palates. Fast-forward to today, and it’s become common-place to see these types of stories throughout all aspects of media reporting — online articles and blogs; social media platforms; TV news stories; documentaries; radio reporting; etc., so much so, that people are already or becoming numb to it, passing it off as just “one of those things we have to deal with in life.” However, especially as a security professional, cyberattacks and data breaches not only shouldn’t be taken lightly, they absolutely cannot be, as they have literally ruined business and people. So, I ask you: “Are you ready and prepared?” 

Sad to say, but if you’re like the majority of the over 800 CISOs and other senior executives across North America, Europe and Asia, surveyed (commissioned by FireEye and delivered by Kantar, an independent market research organization), the answer is unfortunately, “no.” The study found that: 

  • 51 percent of surveyed organizations don’t believe they are ready or would respond appropriately to a cyberattack or data breach; 
  • 29 percent of these organizations with response plans in place haven’t tested or updated them in the last 12 months or more; and
  • 76 percent of the organizations plan to increase their cyber security budget in 2020. 

The survey also highlighted varying global viewpoints. In Asia, Japan plans to prioritize detection capabilities in 2020 and expresses concerns regarding cloud security, while Korea believes nation states are the most likely source of cyberattacks. The U.S. is leading the transition to cloud; Germany is concerned about cloud security and France believes employee training to be a top protection measure. 

I urge you, don’t become a parked car in a sea of cyberattacks and data breaches with your alarm going off and people just walking by like nothing is wrong. Prepare by creating a plan and know/understand exactly how to execute that plan before, during and after a cyberattack or data breach. This is a must. Think about it – it can’t be underestimated just how smart cybercriminals really are; it’s all they focus on day in and day out. They are experts at their craft and we must know how to prevent as must as possible and reciprocate, when necessary, to stay safe.

Formjacking, a newer way of stealing personal data online

 - 
Wednesday, October 16, 2019

Cyber Security Awareness Month is in full swing; social media is buzzing with extremely helpful content and resources, mostly of which is free to help businesses and individuals gain and stay in control of their digital worlds. As the saying goes, “you learn something new every day,” or you should. Through social media related to #NCSAM, #cybersecurityawarenessmonth and #BeCyberAware, I heard about a newer way hackers are stealing data – formjacking.

I knew the term “jacking” meant stealing, but combing it with the word “form,” it could mean a variety of things, so I reached out to my friends at the Security Industry Association (SIA) for some guidance. 

“Formjacking is the injection of malicious code into a seemingly trustworthy website form that relays a copy of the field inputs to an attacker,” Joe Gittens, director of standards, SIA, explained. “In these cases, the victim’s transaction with the trust source is not interrupted; however, information from the from, which could include sensitive data, is relayed to the attacker.” 

That literally gave me chills. I can’t speak for you, but I know I have filled out at least hundreds of forms in my digital life; reflecting back over my past 20 years, there’s no telling what data I’ve shared. And, with formjacking, here’s the kicker – there are no red flags for the average online user to look for. 

“Unlike with spoofing and phishing, there are very few tell-tale signs that a form has been compromised,” Min Kyriannis, head, technology business development, Jaros, Baum & Bolles and member of SIA’s Cybersecurity Advisory Board. In fact, the only way to detect formjacking is looking at the code, “and, unless you’re trained, it’s hard to detect,” Gittens said. 

It looks like the regular, every day Joe who is going online and filling out forms has absolutely no way of knowing his data could be at risk, although end users can self-sabotage through installing browser plug-ins, Gittens said. Therefore, it’s mainly up to the company behind the online form to ensure people and their data are protected. 

“Companies need to ensure that all software, plug-ins and any third-party applications or extensions have been vetted and check for vulnerabilities,” Kyriannis advised. “These need to be continuously checked, since software is constantly being updated.” 

It amazes me how smart cybercriminals/hackers truly are, and it’s important to never underestimate them. Think about it in these terms: once a threat is recognized and identified by the “good guys,” the “bad guys” have already moved on “looking for more covert ways to harvest data,” Gittens said, in a way that’s the “easiest to hide and what’s most lucrative” for them,” added Kyriannis.

Gittens identified partner trust as key and noted that formjacking can and has affected large and mom-and-pop institutions. “Just like with other attacks, understanding exactly what type of privileges a third-party service has on your website or your browser and only allowing the most trusted services into your ecosystem can help protect you and your business. Also, be careful about what types of information you are collecting in forms in case you are attacked. If you don’t have to collect sensitive data, don’t do it – contract a trusted third party to perform the transaction for you who has better security protocols in place and can provide you and your customers with assurances. The SIA Cybersecurity Advisory Board will soon look to provide guidance on how security stakeholders can foster more trust within the device and application ecosystem.”

Kyriannis concurs that trust is key, but “people with malicious intent will always find new ways to sneak under the radar. The industry must lead in bringing awareness to their clients, customers, etc., and self-awareness is critical – for end users, that means setting up security parameters for themselves,” such as tagging credit cards to constantly monitor charges. 

Formjacking Key Takeways

  1. Any and all information shared via an online form is at risk of being stolen. 
  2. The only way to detect formjacking is to look at the code. 
  3. Ensure software, plug-ins and any third-party applications or extensions have been vetted and regularly check for vulnerabilities.
  4. Understand the exact privileges a third-party service has on your website/browser. 
  5. If you don’t have to collect sensitive data, don’t. 
  6. Set up security parameters for yourself.

Pages