Social Engineering: Life Blood of Data Exploitation (Phishing)

What do Jeffrey Dahmer, Ted Bundy, Wayne Gacy, Dennis Rader, and Frank Abigail all have in common, aside from the obvious fact that they are all criminals?  They are also all master manipulators that utilize the art of social engineering to outwit their unsuspecting victims into providing them with the object or objects that they desire.  They appear as angels of light but are no more than ravenous wolves in sheep’s clothing. There are six components of an information system: Humans, Hardware, Software, Data, Network Communication, and Policies; with the human being the weakest link of the six.

By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
Social engineering is the art of utilizing deception to manipulate a subject into providing the manipulator with the object or objects they are seeking to obtain. Pretexting is often used in order to present a false perception of having creditability via sources universally known to be valid. It is a dangerous combination to be gullible and greedy. Social engineers prey on the gullible and greedy using the full range of human emotions to exploit their weaknesses via various scams, of which the most popular being phishing.  They have the uncanny ability to influence their victim to comply with their demands.

Phishing is an age-old process of scamming a victim out of something by utilizing bait that appears to be legitimate. Prior to the age of computing, phishing was conducted mainly through chain mail but has evolved over the years in cyberspace via electronic mail. One of the most popular phishing scams is the Nigerian 419 scam, which is named after the Nigerian criminal code that addresses the crime.

Information security professionals normally eliminate the idea of social norms when investigating cybercrime.  Otherwise, you will be led into morose mole tunnels going nowhere. They understand that the social engineering cybercriminal capitalizes on unsuspecting targets of opportunity. Implicit biases can lead to the demise of the possessor. Human behavior can work to your disadvantage if left unchecked. You profile one while unwittingly becoming a victim of the transgressions of another. These inherent and natural tendencies can lead to breaches of security. The most successful cybersecurity investigators have a thorough understanding of the sophisticated criminal mind.

Victims of social engineering often feel sad and embarrassed. They are reluctant to report the crime depending on its magnitude. And the CISO to comes the rescue! In order to get to the root cause of the to determine the damage caused to the enterprise, the CISO must put the victim at ease by letting them know that they are not alone in their unwitting entanglement.

These are some tips that can assist you with an anti-social engineering strategy for your enterprise: Employ Sociological education tools by developing a comprehensive Information Security Awareness and Training program addressing all six basic components that make up the information system. The majority of security threats that exist on the network are a direct result of insider threats caused by humans, no matter if they are unintentional or deliberate. The most effective way an organization can mitigate the damaged caused by insider threats is to develop effective security awareness and training program that is ongoing and mandatory.

Deploy enterprise technological tools that protect your human capital against themselves.

Digital Rights Management (DRM) and Data Loss Prevention (DLP) serve as effective defensive tools that protect from the exfiltration enterprise data in the event that it falls into the wrong hands...[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

How to find weak passwords in your organization’s Active Directory

Introduction

Confidentiality is a fundamental information security principle. According to ISO 27001, it is defined as ensuring that information is not made available or disclosed to unauthorized individuals, entities or processes. There are several security controls designed specifically to enforce confidentiality requirements, but one of the oldest and best known is the use of passwords.

In fact, aside from being used since ancient times by the military, passwords were adopted quite early in the world of electronic information. The first recorded case dates to the early 1960s by an operating system created at MIT. Today, the use of passwords is commonplace in most people’s daily lives, either to protect personal devices such as computers and smartphones or to prevent unwanted access to corporate systems.

With such an ancient security control, it’s only natural to expect it has evolved to the point where passwords are a completely effective and secure practice. The hard truth is that even today, the practice of stealing passwords as a way to gain illegitimate access is one of the main techniques used by cybercriminals. Recent statistics, such as Verizon’s 2020 Data Breach Investigations Report leave no space to doubt: 37% of hacking-related breaches are tied to passwords that were either stolen or used in gaining unauthorized access.

For instance, in a quite recent case, Nippon Telegraph & Telephone (NTT) — a Fortune 500 company — disclosed a security breach in its internal network, where cybercriminals stole data on at least 621 customers. According to NTT, crackers breached several layers of its IT infrastructure and reached an internal Active Directory (AD) to steal data, including legitimate accounts and passwords. This lead to unauthorized access to a construction information management server.

Figure 1: Diagram of the NTT breach (source: NTT)

As with other directory services, Microsoft Active Directory remains a prime target for cybercriminals, since it is used by many businesses to centralize accounts and passwords for both users and administrators. Well, there’s no point in making cybercrime any easier, so today we are going to discuss how to find weak passwords in Microsoft Active Directory.

Active Directory: Password policy versus weak passwords

First, there is a point that needs to be clear: Active Directory indeed allows the implementation of a GPO (Group Policy Object) defining rules for password complexity, including items such as minimum number of characters, mandatory use of specials characters, uppercase and lowercase letters, maximum password age and even preventing a user from reusing previous passwords. Even so, it is still important to know how to find weak passwords, since the GPO may (for example) not have been applied to all Organizational Units (OUs).

But this is not the only problem. Even with the implementation of a good password policy, the rules apply only to items such as size, complexity and history, which is not a guarantee of strong passwords. For example, users tend to use passwords that are easy to memorize, such as Password2020! — which, although it technically meets the rules described above, cannot be considered safe and can be easily guessed by a cybercriminal.

Finding weak passwords in Active Directory can be simpler than you think. The first step is to know what you are looking for when auditing password quality. For this example, we will look for weak, duplicate, default or even empty passwords using the DSInternals PowerShell Module, which can be downloaded for free here.

DSInternals is an extremely interesting tool for Microsoft Administrators and has specific functionality for password auditing in Active Directory. It has the ability to discover accounts that share the same passwords or that have passwords available in public databases (such as the famous HaveIBeenPwned) or in a custom dictionary that you can create yourself to include terms more closely related to your organization.

Once installed, the password audit module in DSInternals Active Directory is quite simple to use. Just follow the syntax below:

Test-PasswordQuality [-Account] <DSAccount> [-SkipDuplicatePasswordTest] [-IncludeDisabledAccounts] 

[-WeakPasswords <String[]>] [-WeakPasswordsFile <String>] [-WeakPasswordHashesFile <String>] [-WeakPasswordHashesSortedFile <String>] [<CommonParameters>]

The Test-PasswordQuality cmdlet receives the output from the Get-ADDBAccount and Get-ADReplAccount cmdlets, so that offline (ntds.dit) and online (DCSync) password analyses can be done. A good option to obtain a list of leaked passwords is to use the ones provided by HaveIBeenPwned, which are fully supported in DSInternals. In this case, be sure to download the list marked “NTLM (sorted by hash)”..[…] Read more »….

 

How Object Storage Is Taking Storage Virtualization to the Next Level

We live in an increasingly virtual world. Because of that, many organizations not only virtualize their servers, they also explore the benefits of virtualized storage.

Gaining popularity 10-15 years ago, storage virtualization is the process of sharing storage resources by bringing physical storage from different devices together in a centralized pool of available storage capacity. The strategy is designed to help organizations improve agility and performance while reducing hardware and resource costs. However, this effort, at least to date, has not been as seamless or effective as server virtualization.

That is starting to change with the rise of object storage – an increasingly popular approach that manages data storage by arranging it into discrete and unique units, called objects. These objects are managed within a single pool of storage instead of a legacy LUN/volume block store structure. The objects are also bundled with associated metadata to form a centralized storage pool.

Object storage truly takes storage virtualization to the next level. I like to call it storage virtualization 2.0 because it makes it easier to deploy increased storage capacity through inline deduplication, compression, and encryption. It also enables enterprises to effortlessly reallocate storage where needed while eliminating the layers of management complexity inherent in storage virtualization. As a result, administrators do not need to worry about allocating a given capacity to a given server with object storage. Why? Because all servers have equal access to the object storage pool.

One key benefit is that organizations no longer need a crystal ball to predict their utilization requirements. Instead, they can add the exact amount of storage they need, anytime and in any granularity, to meet their storage requirements. And they can continue to grow their storage pool with zero disruption and no application downtime.

Greater security

Perhaps the most significant benefit of storage virtualization 2.0 is that it can do a much better job of protecting and securing your data than legacy iterations of storage virtualization.

Yes, with legacy storage solutions, you can take snapshots of your data. But the problem is that these snapshots are not immutable. And that fact should have you concerned. Why? Because, although you may have a snapshot when data changes or is overwritten, there is no way to recapture the original.

So, once you do any kind of update, you have no way to return to the original data. Quite simply, you are losing the old data snapshots in favor of the new. While there are some exceptions, this is the case with the majority of legacy storage solutions.

With object storage, however, your data snapshots are indeed immutable. Because of that, organizations can now capture and back up their data in near real-time—and do it cost-effectively. An immutable storage snapshot protects your information continuously by taking snapshots every 90 seconds so that even in the case of data loss or a cyber breach, you will always have a backup. All your data will be protected.

Taming the data deluge

Storage virtualization 2.0 is also more effective than the original storage virtualization when it comes to taming the data tsunami. Specifically, it can help manage the massive volumes of data—such as digital content, connected services, and cloud-based apps—that companies must now deal with. Most of this new content and data is unstructured, and organizations are discovering that their traditional storage solutions are not up to managing it all.

It’s a real problem. Unstructured data eats up a vast amount of a typical organization’s storage capacity. IDC estimates that 80% of data will be unstructured in five years. For the most part, this data takes up primary, tier-one storage on virtual machines, which can be a very costly proposition.

It doesn’t have to be this way. Organizations can offload much of this unstructured data via storage virtualization 2.0, with immutable snapshots and centralized pooling capabilities.

The net effect is that by moving the unstructured data to object storage, organizations won’t have it stored on VMs and won’t need to backup in a traditional sense. With object storage taking immutable snaps and replicating to another offsite cluster, it will eliminate 80% of an organization’s backup requirements/window.

This dramatically lowers costs. Because instead of having 80% of storage in primary, tier-one environments, everything is now stored and protected on object storage.

All of this also dramatically reduces the recovery time of both unstructured data from days and weeks to less than a minute, regardless of whether it’s TB or PB of data. And because the network no longer moves the data around from point to point, it’s much less congested. What’s more, the probability of having failed data backups goes away, because there are no more backups in the traditional sense.

The need for a new approach

As storage needs increase, organizations need more than just virtualization..[…] Read more »

 

“To be successful, CISOs must have intentionality and focus”

Most of today’s CISOs got into the role accidentally. Yet tomorrow’s CISO will have chosen this role by intent. It will be a chosen vocation. Therefore, CISOs will need to focus on the role and start cultivating the skills required to become a security leader. This was a key message from a presentation on The Future CISO by Jeff Pollard, Principal Analyst, Forrester Research.  Speaking at the Forrester Security & Risk Global 2020 Live Virtual Experience on September 22, Pollard urged CISOs to check if they are “Company Fit” and to prepare for what’s next. He also outlined the six different types of CISOs: transformational, post-breach, tactical/operational, compliance guru, steady-state, and customer-facing evangelist. Pollard showed how CISOs can build a roadmap for transitioning from one type to another and explore strategies for obtaining future CISO and related roles.

By Brian Pereira, Principal Editor, CISO MAG

“CISOs do an insanely challenging job under challenging circumstances. They have to worry about their company, adversaries who attack, insider threats, and also employee and customer experience. This is not easy. That’s why intent matters,” said Pollard.

He advised CISOs to plan for the role and make a meaningful contribution at the C-Level. Skills enhancement, both for the CISO and the security teams is also crucial.

Pollard alluded to the example of Pixar Animation Studios, which achieved immense success and bagged many awards because it has intent and focus.

“Pixar is a company that matches this intent. They know exactly what they want to do. They have a specific methodology for stories, how they think about content. Technology drives the stories that they tell. They are an incredibly innovative company. There is a secret history of Pixar that ties in with the CISO role,” said Pollard.

Pixar earned 16 Academy awards, 11 Grammys, and 10 Golden Globes.

“They earned all these awards because they operate with intent and focus. When you operate without intent and focus, and when you don’t plan for this role, and when you don’t actively cultivate all of the skills that you need, then this happens,” said Pollard.

By “this” he meant that CISOs lose focus and find their role challenging, which could even lead to burn out.

He urged security leaders to start writing their own stories and to think about their stories with intent, discipline, and rigor.

Why CISOs lose focus

The CISO was never a “No” department. In saying “Yes” to everyone and trying to do everything for everyone, CISOs lost their focus.

CISOs juggle many tasks like product security concerns, compliance concerns, regulatory issues, legal issues, beaches and attackers, and incident response. And then, there are new priorities that come up.

“0% of CISOs are great at everything. And that’s what most security leaders have had to do. You can’t do all of that and be effective. It’s not possible. But that’s what happened to the role — priority after priority and trade-off after trade-off. None of it results in the success that we want,” said Pollard.

He added, “CISOs haven’t operated with constraints, which lead to focus. And focus leads to innovation. We are just doing too much and not succeeding. We are too tactical. We say yes to a lot. The CISO is not the department of No.”

How many are C-level?

While most security leaders aspire for a seat at the table in the board room, very few make the cut.

A 2020 study by Forrester Research shows that just 13% of all security leaders are actual C-level titles or CISO.

The Forrester study considered those with an SVP or an EVP title and compared that to those with a VP, Director, or another title — across Fortune 500 companies. The other data point from this study is that the average tenure of the CISO is 4.2 years and not two or three years.

“Even those who got a seat at the table are not treated like a true C-level executive. They do not have the same access for authority that those others have. And most of the 13% are on their third or fourth CISO role. After the second one, they don’t take that laying down anymore. They demand to be an actual C-level,” said Pollard.

What CISOs need to do

CISOs need to plan for a four-year stay, and they can take some inspiration from Pixar by writing their own stories.

“The reason why this is so important is because you are looking at a four-year stay. It’s going to be hard for CISOs because they are going to do all their tasks for four years with all these limitations. They can make mistakes if they do not operate with intentionality and if they don’t fight for what they deserve. The good news is that CISOs can get this right and write their own story. It’s just about thinking about it in terms of intent and our own story,” advised Pollard.

Going back to the Pixar example, he urged CISOs to simplify and focus. Like Pixar, they should combine characters (or tasks) and hop over detours.

“You will feel like you are losing valuable stuff, but it is actually freeing you. Fire yourself. find a way to replace yourself. Get rid of activities that you don’t need to do. And don’t be afraid to empower the direct reports that work for you,” he said.

Reproduced with permission from Forrester Research 

The 6 types of CISOs

Forrester Research began thinking about the future or the CISO two years ago and came up with a concept that there were 6 types of CISOs. The roles could overlap, and one could have the attributes of other types as well.

Pollard said the CISO should consider these 6 types when thinking about their intent and focus. These types give one the opportunity to think about their roles and future careers —  and even life after being a CISO.

We started thinking about this concept of the future CISO two years ago. We figured out there were 6 types of CISOs out there.

1. The Transformational CISO

This is a more strategic type of CISO who thinks about customers and business outcomes. They focus on turn around and transformation of the security program. They take it from one that may be too insular and too internally focused to one that focusses on the outside of the organization. They do this to make the security program more relevant to the rest of the business.

2. The Post-breed CISO

This CISOs comes in after the organization has been breached. There is intense media and board speculation. Add to that, litigation, regulatory investigations, and potential fines. There is a lot of chaos and they must remediate the situation and lead through the turbulence.

3. Tactical / Operational expert

This is the action-oriented CISO who gets things done. They are adept at sorting out technical issues and building out cybersecurity programs for the company.

4. Compliance Guru

They have a thorough knowledge of compliance requirements and they operate in a heavily regulated industry. They help the company to figure out how to navigate international issues and wars as well as oversight from the FTC, PCI, HIPPAA, and other regulatory bodies. For them, Security is always a risk management conversation.

5. The Steady-State CISO

The minimalist who doesn’t rock the boat and change the status quo overnight. They maintain a balance between minimal change and keeping up. Maybe things are just fine at the company right now and security is working for them.

6. Customer Facing Evangelist 

This type is common at the tech and product companies. They evangelize the company’s products and services with a commitment to cybersecurity. And they speak about how security and privacy help customers.

CISO Company Fit

Forrester defines “CISO Company Fit” as the degree to which the CISO type at the company matches the type the company needs to maximize the success of both parties.

“If the company fit is not suitable, then security leaders have to deal with burn-out and angst.  And part of that burn-out comes from the fact that they may not have CISO Company fit,” said Pollard..[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Security theatrics or strategy? Optimizing security budget efficiency and effectiveness

Introduction

I am a staunch advocate of the consideration of human behavior in cybersecurity threat mitigation. The discipline of behavioral ecology is a good place to start. This subset of evolutionary biology observes how individuals and groups react to given environmental conditions — including the interplay between people and an environment.

The digital world is also a type of environment that we have all ended up playing in as computing and digital transactions become ever-present in our lives. By understanding this “digital theater,” we can determine a best-fit strategy to produce an effective cybersecurity play that optimizes security budgets.

Why having an effective strategy is important

I’ll offer up an example from nature to show the importance of an effective strategy. You may read this and wonder what it has to do with cybersecurity, but bear with me.

Starlings feed their chicks with leatherjackets and other insect larvae. During nesting season, the starlings work hard finding food and relaying it back and forth to the nest of chicks. If you’ve ever observed any bird during this season, you might have noticed by the end of it, they have lost feathers and look pretty beat up. But the sacrifice is important: effective feeding of chicks will produce fledglings that then go on to reproduce. Reproduction is seen as a success in evolutionary terms.

However, starlings are capable of carrying more than one leatherjacket in their beak. The more they can carry, the fewer trips they need to make. Fewer trips mean the parent starling is less likely to fall foul of bad health or predators. However, there is a tradeoff. To find the leatherjackets, the starling has to forage. Too many leatherjackets in the beak and it becomes harder to forage. The optimum number of leatherjackets is a trade-off between the number of trips and foraging efficiency.

Any strategy that plays out in the real world is a balance: a trade-off between what seems to be optimal and what is strategically efficient. The starling could try to cram lots of larvae into its beak and this might seem to be a show of capability and a great strategy, but in the end, it would just be a piece of theater.

In evolutionary biology, this balance is known as an Evolutionary Stable Strategy, or ESS. In nature, this would be a strategy that confers “fitness” so an organism can reproduce at an optimal rate. The concept behind an ESS also applies in cybersecurity, where fitness is also about finding a best-fit strategy for a given environment.

Security, like feeding chicks, is about knowing how to use the right tools for the job in an optimal manner and not just for show. This creates a fine balance that can help optimize a security budget.

Security and trade-offs: A complex equation

Enough of the biology lesson! Back to cybersecurity. The security industry, like most industries, has a culture. This culture has informants, people in your company who influence decisions and people outside such as vendors who sell security products. The result can be an overwhelming cascade of information. This can lead to decisions that are based on less-than-optimal input.

Back in 2008, security man extraordinaire Bruce Schneier wrote a treatise entitled “The Psychology of Security”. In this, Bruce talks about how security is a tradeoff. He goes on to explain how these trade-offs, which often come down to finding a balance between cost and outcome, are actually much more nuanced. Bruce says that asking “Is this effective against the threat?” is the wrong question to ask. Instead, you should ask “Is it a good trade-off?”

Security teams can be put under enormous pressure to “do the right thing.” An example is the recent ransomware attack on Garmin. If you are being effectively held hostage by malicious software that prevents your business from running, you have to do something and quickly. Garmin is reported to have paid the ransom of $10 million.

But was this a shrewd move? Was the trade-off between business disruption and hope of a decryption key a balanced one? When making that decision, there are multiple considerations. Can the company offset the cost of the ransomware? Will the decryption key end the attack or have the hackers installed other malware into the company’s IT system?

Security systems, like biological ones, are reliant on making good trade-off decisions to move the needle of security towards your company’s safety.

Back to basics to optimize security trade-offs

Security can be a costly business. Solutions, services and platforms all need to be costed and maintenance and upgrades factored in. And the choice is astounding. In terms of just startups in the cybersecurity sector, there were around 21,729 at last count. The amount of spending on cloud security tools alone is expected to be around $12.6 billion by 2023.

Getting the balance right is important. An organization must cut through the trees to see the wood. In doing so, the balance of financial burden against cyber-threat mitigation can be made.

Going back to basics is the starting point. There is little point in putting on a security show with the latest in machine learning-based tech if you misconfigure a crucial element so the data becomes worthless. At this point in history, machines are nothing without their human operators. We have to get back to basics, build a strong strategy and culture of security before layering on the technology.

The basics, human factors and a great security ESS

Weaving this together we can ensure optimization of a security budget through an awareness of strategic security considerations, e.g.:

The basics

The fundamentals of security are covered by several frameworks and general knowledge of Operations Security (OPSEC). Frameworks such as Center for Internet Security (CIS) and NIST-CSF set out basics for a robust cybersecurity approach. These include knowing what assets (both digital and physical) you have and how to control access.

The human factors

Cybercriminals place a focus on using humans to perpetrate a cyberattack. This is inherent in the popular tactics of social engineering, phishing and other human-activated cybercrimes. Employees, non-employees (e.g., contractors), supply chain members and so on all need to be evaluated for risk. Mitigation of the risk levels can be alleviated using several techniques:

  • Security awareness training for all: Teaching the fundamentals of security is an essential tool in a cybersecurity landscape that focuses on human touchpoints. But security awareness needs to be performed effectively. Some training sessions feel more like those old-school lessons that ended up with snoozing students. Modern security awareness is engaging, interactive and often gamified.
  • The issue of misconfiguration: It isn’t just employees clicking on a malicious link in a phishing email that is cause for concern. Loss of data due to misconfiguration of IT components cost companies around $5 trillion in 2018 – 2019. Security awareness training needs to extend to system administrators and others who take care of databases, web servers and so on.
  • Patch management. Like misconfiguration, ensuring that IT systems are up to date can be the difference between exposed data and safe data. This process has been complicated by the increase in home working. But this fundamental piece of security hygiene is as vital as it ever was.
Never trust, always verify

The concept of zero-trust security has highlighted the importance of robust identity and access management (IAM). The idea behind this tactic is to always check the identity of any individual or device attempting to access corporate resources. Zero trust defines an architecture that puts data as a central commodity and trust as a rule to determine access rights..[…] Read more »….

 

How Video Analytics Help Security Drive Awareness and Insight

In diverse industries, video analytics help security to get a clearer view.

As a rule, there is a lot that video analytics can do to bolster security – whether that’s motion detection for perimeter security; facial recognition for access control; or artificial intelligence (AI) for object classification, to name a few of the possibilities.

As we consider the promise of video analytics in seven key sectors, a common theme emerges. Analytics don’t just enhance the security mission, acting as a force multiplier and driving new levels of awareness and insight. They also boost the position of the security professional, enabling security to leverage its investment in video as a means to drive new levels of efficiency across all levels of the operation.

K-12 Schools

In a K-12 school, where a security officer may need to watch over a large and complex facility, analytics and AI can expand that guard’s reach. “There is the security component from something simple: Was a child left on the playground when everyone returned from recess?” says Forrester Senior Analyst Nick Barber. “AI could be trained to tell the difference between a child and an adult, so that it isn’t falsely triggered if there is a teacher on the playground versus a student.”

“Or, is there an active shooter on campus and should 911 be contacted?” Barber says. AI, as applied to video, could be trained to recognize what a gun looks or sounds like and could automatically alert authorities, while simultaneously relaying the related video. Analytics could support simpler tasks as well, such as taking attendance as students enter the school or classroom.

Universities

The security challenge for universities and college campuses rests with sheer acreage. Universities may have a large security footprint, with their own police departments supported by cameras and a monitoring center. But they also have a lot of ground to cover. Analytics can provide a force multiplier.

Facial recognition, for instance, can offer a ‘be on the lookout’ mechanism to help security identify persons of interest. “If there’s a stalker, the analytics can pick up on those individuals,” says Scott Vogel, CEO of Incyte Security, a data analytics consultancy. Geofencing and other analytic tools can likewise help secure a sprawling perimeter. “You may have people hopping the fence at night to avoid the security gate, and analytics can provide a virtual barrier.”

Healthcare

In the healthcare environment, video is of greatest use in helping to secure entry and exit points, whether that is aimed at keeping unwanted individuals out of an emergency-care situation, or at keeping dementia patients in and on-premise at a senior care facility. “Analytics solutions can alert operators when people either enter or exit secure areas without proper identification procedures, such as swiping a badge, or they can utilize some facial recognition features to be sure that the person on camera who has earned entrance to a secure area is the person they are claiming to be,” says Danielle VanZandt, industry analyst for security, aerospace, defense and security at Frost & Sullivan.

Analytics can also be used to identify potential threats that might otherwise be overlooked by security personnel. Left objects or ‘loitering’ analytics will aid hospital security teams to identify either suspicious packages or behaviors, particularly if these alerts are generated in areas that should not have significant amounts of foot-traffic.

Cannabis

Video analytics can help cannabis growers to identify possible threats to the safety of their crop, says Ryan Douglas, founder of consulting firm Ryan Douglas Cultivation LLC. “High-tech greenhouses install mobile cameras that constantly run along tracks mounted to the ceiling. Analyzing this video can help with the early identification of pest or disease outbreaks, nutritional deficiencies and undesirable growth patterns before they negatively affect a crop,” Douglas says. It’s a way for security to leverage its video investment in support of enhanced operational efficiency.

Security could also utilize analytics to help ensure cannabis retailers comply with regulations, if, for instance, the system was programmed to monitor quantities of product changing hands at the point of sale. “It could ensure that during the purchase transaction, buyers don’t exceed the amount of product that they are legally allowed to purchase,” Barber says.

At grow sites, analytics can also be applied to remote video surveillance systems to help secure the perimeter.  Motion-detection capabilities and geofencing can likewise be leveraged to extend the eyes of the security force over the growing and production operations.

Property Management

For security on a commercial property, video alone can’t cover all the bases. Property management requires a combination of broad vision and deep insights. Beyond mere images, analytics can deliver the intelligence to help security professionals make best use of their time and cover ground more effectively.

“You might have teenagers climbing on the roof of the building. Beyond the general liability problem, they are damaging the roof,” Vogel says. “With analytics, you can identify the places where people go up on that roof and notify security. Within seconds you get notification and hopefully can deter that incident.”

Analytics can detect patterns of behavior, noting when a parking lot is filling up. This helps to ensure adequate security coverage when and where it is needed. Video analytic tools can help security to deter theft from commercial properties, by highlighting common traffic-flow patterns and sending out a notification to security officers when those patterns are disrupted. This helps security to see when products may potentially be walking out the back door and, with the help of automated notifications, to respond in real time.

Critical Infrastructure

Consider all the luminous dials in a hydroelectric plant or an oil refinery: Constant reminders that pressure and temperature are key determinants of safety. Security personnel can use analytics to monitor a vast array of analog sensors more effectively and in real time. Point a camera at an analog gauge, program the analytics to watch for threshold levels, “and an alert can get triggered if the pressure rises above a certain point as seen on the dial,” Barber says.

Video can also be used to understand how specific elements of the facility are operating and can signal when key components need replacement. Security thus pushes critical infrastructure closer to an IoT-enabled enterprise, Barber says.

Security personnel also are charged with tracking workers, vendors and others who  at critical infrastructure facilities. Video analytics capabilities, when paired with surveillance systems that provide facial recognition, will help critical infrastructure to improve access control, maintain security logs for entry and exits in specialized areas and better manage visitors or contractors, VanZandt says.

Manufacturing

Access control is a key issue in manufacturing, with security tasked to ensure that only the right people can get to certain places, especially sensitive production areas and inventory stores..[…] Read more »….

 

 

How the COVID-19 Pandemic Reinforced Hackers’ Revenue Models

The industrious and criminal-minded threat actors behind the majority of cyberattacks have reinvented their attack approaches during the ongoing COVID-19 pandemic. Since the advent of the outbreak, cybercriminals are developing new phishing tools, hacking strategies, and exploring different attack avenues to benefit from the crisis and eventually prove their cyber prowess.

By Rudra Srinivas, Feature Writer, CISO MAG

Several new cybersecurity scams and malicious activities have risen during the pandemic.  According to a survey the key cause for the emergence of these new threats is likely due to social distancing norms and malware authors being bored and stuck at home due to the lockdown.

COVID-19 has certainly reshaped the way darknet forums operate. CISO MAG learned four intriguing ways cybercriminals are trying to cash in on public fears.

1. Fake Products in Darknet Markets

Since the beginning of 2020, Coronavirus-related vaccines, virus testing kits, and other fake products are being peddled on the deep web and darknet markets. Hackers are taking advantage of panic as people look for safeguards against the disease. Several security experts warned that the products selling in these hacking forums are in no way real, and buyers are sure to be scammed. For instance, there are fake “vaccines” being sold on the darknet.

2. New Phishing Strategies

COVID-19-related phishing lures, scams, disinformation campaigns, weaponized websites, and malware infections have become widespread across the internet. Recently, a hacker group targeted the World Health Organization (WHO) via a sophisticated phishing attack, which involved an email hosted on a phishing domain that tried to trick the employees into entering their credentials. Researchers are noticing new types of phishing campaigns that pretend to be from authenticate sources, trying to trick users into downloading malicious attachments or entering sensitive data in fake forms.

Recently, a security firm discovered that threat actors distributed malware disguised as “Coronavirus Map” to steal personal information that is stored in the user’s browser. Attackers designed multiple websites related to Coronavirus information to prompt users to click/download an application to keep themselves updated on the situation. The website displays a map (a lookalike of a genuine one) representing the COVID-19 spread. The map generates a malicious binary file and installs it on victims’ devices.

3. Demand for Ransom Soars

With organizations working remotely, the security of the remote employees’ devices becomes a major concern for companies across the globe. Several industry experts stated that remote work increased the risks of cyberthreats like never before. Ransomware attacks on remote workers have become an additional threat level to organizations, especially for health care providers and businesses in financial, federal, and state agencies that deal with sensitive data. The ransomware operators are forcing enterprises to pay high ransom in order to get decryption keys. The average enterprise ransom payments increased 33% ($111,605) in Q1 of 2020 from Q4 of 2019, a survey revealed.

Information technology services provider Cognizant admitted that it is a recent victim of a ransomware attack. The IT giant stated that it was hit by Maze ransomware that caused service disruptions for some of its clients.

4. Income from Selling Credentials

Stolen user credentials and financial information have long been prevalent commodities on hacking forums. But with large swaths of remote workers depending on video conferencing apps and other virtual private networks, hackers are refocusing on these attack surfaces. As endpoint security at home is not as secure as it is in the office, attackers are trying to exploit loopholes.

Over 500,000 account credentials of video conference platform Zoom are being sold on the darknet. According to a recent investigation by IntSights’ researchers, hackers have shared a database containing more than 2,300 usernames and passwords to Zoom accounts on dark web forums. The exposed database contains usernames and passwords of personal Zoom accounts, including corporate accounts belonging to banks, consultancy companies, educational facilities, software vendors, and healthcare providers. Researchers also highlighted that they’ve found various posts and threads of dark web forum members discussing different approaches of targeting Zoom’s conferencing services…[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Here Come 5G IoT Devices: What Is “Reasonable Security”?

After years of waiting for 5G technology to transform industry and consumer devices, developments at this year’s Consumer Electronics Show suggest that 2020 may finally be the year when US companies make the leap.  Early signs show the healthcare and manufacturing sectors will lead the way this year in incorporating 5G and connected devices into their operations.

If the prognosticators are correct, our smart watches will soon talk to our refrigerators and order healthy groceries online.  And our doctors may receive real-time health updates from our workout equipment, pharmacies, and implanted medical devices.

The combination of 5G and the projected explosion in the number of IoT devices has industry excited, and the government focused on data security.  5G will allow massive evolution of products and services; leading to autonomous vehicles, remote surgery, and greater connectivity, automation, and precision in industrial manufacturing.  This coming integration and reliance on connected devices—the Internet of Things (IoT)—raises myriad new privacy and security concerns, and lawmakers and regulators are ready to take action.

The New Year brought new state laws in California and Oregon focusing specifically on security requirements for connected devices.  The laws are the first in the nation, and portend a coming wave of laws, lawsuits, and regulatory actions focused specifically on data security.  Lawmakers are wrestling with how to keep consumers safe in the face of rapid technological advancement, and are falling back on the concept of “reasonable security” to bridge the gap.  But reasonable security may not be an easy standard for engineers to implement.

The California and Oregon laws require manufacturers of connected devices to integrate reasonable security measures that (1) are appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.

This may seem like a simple threshold, but these laws’ definition of “connected devices” is expansive, potentially expanding the scope to include security cameras, household assistants, vehicles, and in the case of California, industrial manufacturing equipment.  Each different category of device is going to have a different level of sophistication, different uses, different interaction with data, and different manufacturing requirements.  What may be reasonable for a wifi-enabled juicer is not going to be reasonable for a connected vehicle.

The increasing inability of laws and policies to keep pace with advancements in technology means that efforts to address these issues are going to be crafted in an overly broad and flexible manner.  The California and Oregon laws, as well as similar efforts at the federal level, reflect a struggle to empower the government to address problems, the exact contours of which are not completely known or understood.  Rather than be behind the curve of a particular problem, these laws impose broad requirements that will evolve over time.

At the same time, laws run the risk of codifying standards that may be inapt or quickly become obsolete.  The California and Oregon laws provide that “reasonable security” can be satisfied by equipping a device with a unique preprogrammed password or a requirement that the user generate a new means of authentication before gaining access to the device for the first time.  This may be reasonable for some devices, but the law also covers devices where a compromise in security could result in significant physical harm, and where more stringent security requirements would be appropriate.

As security and encryption approaches continue to advance, the password requirements codified in the laws may actually be disincentives to the adoption of more effective—and reasonable—security practices.  So this is leaving engineers asking the question, what is reasonable security?

Unfortunately, “it depends” is the answer right now. Until regulators offer guidance on how they are going to interpret the requirements or, develop those standards through various enforcement actions, it will be up to manufacturers to develop industry-wide standards for what constitutes “reasonable security.”  This may be particularly challenging in light of the expansive scope of these laws.  The California Attorney General, at least, has previously endorsed the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security.  And some industries, like the automotive industry, already have good track records and mechanisms to establish industry standards.  Emerging industries and existing companies unfamiliar with IoT and 5G, may not be in such an advantageous position..[…] Read more »

 

 

Engaging Young Women and Girls in STEM to Bridge the Cybersecurity Job Gap

As the proliferation of digital technologies continues, cybersecurity’s importance will only increase – there’s a direct correlation between our use of devices and the deployment of digital technologies and the need for improved security.

This increased need for cybersecurity translates directly to the need for cybersecurity-focused professionals, as numerous reports over the past few years have highlighted that several million positions will need to be filled in the not-too-distant future.

To more effectively bridge the cybersecurity job gap, we should look towards a particularly underrepresented group in STEM – young women and girls.

The Cybersecurity Pros of Tomorrow

Today’s youth are the most digital native generation in the history of humanity. However, despite this, younger individuals comprise one of the most vulnerable demographics of users due to their practices, such as having a tendency to be freer in terms of what they share about themselves with strangers, making them prime targets for criminals to attempt to exploit.

Engaging young women and girls in cybersecurity-focused disciplines not only serves address this problem directly by helping educate them to enable them to protect themselves, but it also presents an opportunity to harness their experiences and unique perspectives to understand possible scenarios criminals are capitalizing on. It’s this diversity of thought that will help us as a means of deterring bad actors by anticipating their behavior and by placing individuals who have had relevant personal experiences with bad actors in positions to protect other individuals from future attacks.

Beyond this, women and young girls are predominantly attracted to disciplines that help people and our society.

By educating this demographic on how cyberattacks can cause harm, educators will be able to more effectively encourage young women and girls to envision themselves as protectors and enlist them to become cybersecurity superheroes.

By seeing the immediate impact they and their peers can have on the world and other individuals by using security technology, more young women girls will want to pursue careers in these areas – and, in turn, these individuals have the capacity to wind up as future advocates for additional diversity and inclusion in STEM, having had positive experiences in relevant fields themselves.

The Keys to Engagement

To better engage young women and girls in STEM to bridge the job gap in cybersecurity, educators should utilize the following strategies:

  • Find new and unique ways of connecting students to the larger societal issues they care about. More specifically, make a concerted effort to continuously stress the impact young women and girls can have on issues that they’re personally invested in by using and developing security-focused technologies.
  • Explore topics from students’ perspectives as opposed to introducing and approaching problems from a theoretical bottom-up approach, which can be confusing – this approach will enable educators to better engage students, resulting in a deeper understanding of technological concepts that might be otherwise hard to gras..[…] Read more »….

 

 

 

Cybersecurity Weekly: Colorado BEC scam, CyrusOne ransomware, new California privacy law

A town in Colorado loses over $1 million to BEC scammers. Data center provider CyrusOne suffers a ransomware attack. California adopts the strictest privacy law in the United States. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. California adopts strictest privacy law in U.S.

A new privacy rights bill took effect on January 1, 2020 that governs the way businesses collect and store Californian consumer data. The California Consumer Privacy Act mandates strict requirements for companies to notify consumers about how their data will be used and monetized, along with offering them a hassle-free opt-out process.
Read more »

2. Starbucks API key exposed online

Developers at Starbucks recently left an API key exposed that could be used by an attacker to access the company’s internal systems. This issue could allow attackers to execute commands on systems, add/remove users and potentially take over the AWS instance. The security researcher who reported the incident to Starbucks was awarded a $4,000 bounty.
Read more »

3. Cybercriminals filling up on gas pump transaction scams

Gas stations will become liable for card-skimming at their pay-at-the-pump stations starting in October. In the meantime, cybercriminals are targeting these stations with a vengeance, according to security researchers. This is because pay-at-the-pump stations are one of the only PoS systems that don’t yet comply with PCI DSS regulations.
Read more »

4. Travelex currency exchange suspends services after malware attack

On New Year’s Eve, the U.K.-based currency exchange Travelex was forced to shut down its services as a “precautionary measure” in response to a malware attack. The company is manually processing customer requests while the network stays down during the incident response and recovery process.
Read more »

5. Xiaomi cameras connected to Google Nest expose video feeds from others

Google temporarily banned Xiaomi devices from its Nest Hub following a security incident with the Chinese camera manufacturer. Several posts on social media over the past week have showcased users gaining access to other random security cameras. Google warned users to unlink their cameras from their Nest Hub until a patch arrives.
Read more »

6. Colorado town wires over $1 million to BEC scammers

Colorado Town of Erie recently lost more than $1 million to a business email compromise attack after scammers used an electronic payment information form on the town’s own website. They requested a change to the payment information on the building contract for a nearby bridge construction project.
Read more »

7. Maze ransomware sued for publishing victim’s stolen data

The anonymous hackers behind the Maze ransomware are being sued for illegally accessing a victim’s network, stealing data, encrypting computers and publishing the stolen data after a ransom was not paid. Lawyers claim the lawsuit may be to reserve their spot for monetary damages if money is recovered by the government.
Read more »

8. Landry’s restaurant chain suffers payment card theft via PoS malware

A malware attack struck point of sale systems at Landry’s restaurant chain that allowed cybercriminals to steal customers’ credit card information. Due to end-to-end encryption technology used by the company, attackers were only able to steal payment data “in rare circumstances.”..[…] Read more »….