Should hacking back be legalized?

Companies of all sizes are losing millions of dollars each year to cyber criminals, according to a study by Ponemon Institute (http://www.informationweek.com/security/management/cybercrime-costs-skyrocket/240162379) which found that the average cost of cybercrime is $11.6M/year, up $2.6M from 2012. Unless something is done to deter criminals, this trend will continue to rise.

There has been talk of allowing companies to take matters into their own hands and hack back against perpetrators to regain what was stolen from them. Police aren’t equipped to deal with the sheer amount of cybercrime, so should companies be allowed to take matters into their own hands? We’ve seen a few high profile arrests, but these only reflect a small dent towards solving the problem. On the other hand, we don’t condone vigilantes breaking into houses to regain stolen goods, and hacking back is essentially the same thing. If law enforcement began allowing organizations to “hack back,” an argument could be made that breaking into a physical structure to take back stolen goods should be legal as well. Retaliatory crimes are a slippery slope.

The question is not only should it be legal, but is it even worthwhile for an organization to try it? 

Here are a few pros and cons:

Pros

1. Gives organizations the ability to potentially stop cyber-attacks as they happen, whereas waiting for a response from police would most likely be too late and result in data being successfully stolen.

2. Shows attackers that we aren’t sitting ducks, possibly deterring further crime.

Cons

1. Could become a game to attackers, resulting in further and more destructive attempts.

2. Would take time and effort, and there’s no guarantee of a successful mission. 

What are your thoughts?

Malware probably isn’t on your Christmas list, so here’s how to avoid it while shopping online this holiday season

This holiday season, millions of shoppers will take to the web in an attempt to avoid the craziness that is the mall at Christmas time. However, while shopping at the mall may result in a claustrophobic reaction as you wade through the sea of people or heightened levels of stress as you wait in a 30 minute line to checkout, it most certainly will not result in a Trojan, bot-net or some other form of Malware taking over your computer. So for those doing their shopping online this year, keep your computer and your data safe from viruses and scams by following the tips below, provided by Ronnie Flathers, an associate security consultant for security and risk management company Neohapsis.

1. Use Good Password Practices – No surprise here – it seems to be on the top of every list of this kind, but some still don’t follow it. Passwords are still (and will continue to be) the weakest form of authentication. The two main rules for passwords are: (1) Make them complex; and (2) Make them unique. Complex doesn’t necessarily mean you need thirty random character monstrosities that only a savant could remember, but avoid dictionary words and don’t think that you’re safe by just adding numbers or special characters (“password1989!” is just as insecure as “password”). Lastly, passwords should be unique to each site.
2. Store Sensitive Data in Secure Locations – Hopefully, you’ve followed the first rule and have unique, complex passwords for every site you visit. Now, how to remember them all? This is where I love to recommend password managers. Password managers securely store all your log-in information in an easily accessible location. I emphasize “securely” here, because I see far too many people with word documents called “My Passwords” or the like sitting on their desktops. This is a goldmine for any attacker who has access to it! With password managers, you encrypt your “wallet” of passwords with one very secure password (the only one you ever need to remember), and can even additionally encrypt them with a private key. A private key works just like a physical key – you need a copy of it to access the file. Keep it on a USB stick on your keychain and a backup in a fire-proof safe.
3. Use HTTP(S) – Ever notice how some sites start with https:// as opposed to http://? That little ‘s’ at the end makes a whole world of difference. When it’s present it means you’ve established a trusted and encrypted connection with the website. Its security purpose is two-fold: (1) All data between you and the site is encrypted and cannot be eavesdropped; and (2) You have established through a chain of trust that the website you are visiting is, in fact, who it says it is.
4. Install Those Nagging Updates – Microsoft actually does an excellent job of patching vulnerabilities when they arise — the problem is most people don’t install them. Every other Tuesday, new patches and updates are released to the public. Microsoft will also release patches out-of-bounds, meaning as needed and not waiting for the next Tuesday, for serious vulnerabilities. These patches are a great way to fix security holes but also offer a nasty catch: Attackers use these patches to see where the holes were. Every “Patch Tuesday” attackers will reverse engineer the Windows updates to discover new vulnerabilities and then attempt to target machines that have not applied the update yet. This is why it’s imperative to keep your computer up-to-date. So the next time your computer asks you to restart to install updates, go grab a cup of coffee and let it do its thing. It’ll save you in the long run. (Note: Mac users are not exempt! Install those updates from Apple as well!)
5. It’s Okay to Be a Little Paranoid – My last tip is more of a paradigm shift than a tip: It’s okay to be a little paranoid. The old mantra “if it’s too good to be true, it probably is” has never been more applicable when it comes to common phishing schemes. I’m sure most people know by now to not trust a pop-up that reads “You’ve won an iPad – click here!” – but modern phishing techniques are much more subtle, and much more dangerous. It’s okay to mistrust emails and links. If something seems phishy (pun intended) then exit out. Services like Paypal and online banks will never ask for personal information over email, chat, or any avenue besides their main website. Your bank account information won’t be deleted and nothing bad will happen if you don’t immediately update your password, so take a second to make sure what you’re doing is actually legit.

Some arguments For and Against NSA surveillance

There has been much debate over whether or not the NSA’s surveillance programs are helping or hurting the United States of America. In this post, we explore some of the arguments that support these programs and those that do not. After reading each argument, we’d love to hear your thoughts on this.

Note: These arguments do not reflect the opinions of the owner of this blog and are simply a collection of arguments from online communities.

For

1. The programs are legal and they contain checks and balances so as not to let the NSA run completely free with them. They may have the ability to collect mass amounts of data, but that’s just it… collection, not eavesdropping. In order to take a peek at these records they need reasonable cause and approval.

2. Terrorism is the real threat to civil liberties. Another attack like 9/11 could cause the public to give the government free reign to do whatever they need to do to stop the bad guys. This could result in an even greater loss of privacy if the government took these programs to the next level. Better to sacrifice a little privacy now rather than all of it later. Not to mention that stopping a terrorist attack would save countless lives depending on the size of the attack.

Against

1. Surveillance of this level threatens the very democracy that this country was built upon. Giving this amount of information to the government puts our freedom of speech and association at risk. It wouldn’t be hard to put a stop to a possible Tea Party rally or other political meeting, before it began, by figuring out the details beforehand.

2. This massive collection of data could come back to haunt you someday, even if you do not think you are doing anything wrong. With all of the data they have on you, even if you are completely innocent, it would not be hard to add pieces of data together to portray you as being guilty of a crime you didn’t commit. Or if you decide to run for office someday, the “dirt” that could be dug up on you would all be right there waiting to be used.

So what do you think about all of this? Are you pro or con NSA surveillance and why?

Crafting a cloud security policy… are you asking the right questions?

Has your organization created a cloud security policy? Crafting one can be tricky. You have to be thinking about the right questions, and it’s a good idea to first determine what (and why) you’re moving certain information assets to the cloud. It’s also important to find a good fit in a cloud provider, one that understands your organization’s culture. Consulting with peers and reviewing existing cloud policies and standards is a helpful first step. And Neohapsis’ Scott Hazdra shares his advice about questions to ask:

1. First, what do we want to put in the cloud? Data, applications, both? Based on this, you will be able to identify important criteria that will help lead you to determine the best cloud provider and also services required such as IaaS, PaaS or SaaS.
2. Do we have a good data classification policy and procedure? And what type of data will we allow in the cloud– sensitive corporate data, data that should be privacy-protected per compliance regulations (PII, SSNs, etc.), day-to-day operational data? If you don’t already have a good data classification policy, create one so that you don’t end up inadvertently transmitting and storing the wrong data in a cloud environment.
3. What existing policies do we have have may also apply to what we want to do in the cloud?
4. What have others in our industry done that we can borrow from? This is a good way to learn what works, what doesn’t, and what unexpected issues can come up. Take a look at what standards bodies, like ISO, NIST or the CSA, have created as well to discover policy areas that you may not have considered.
5. Who within our organization is allowed to enter into agreements with cloud providers? And who has the authority to negotiate SLA’s? Be certain to involve those with the proper authority and approval levels.
6. Finally, if you have just created your policy, allow the stakeholders in your organization to weigh in and comment on it.

If you follow these guidelines, you’ll be better prepared when the first packet of data moves from your servers and into your provider’s trusted cloud!

For more information and advice, see the full article in SecurityWeek: http://goo.gl/3U6dw

NSA Leak: Did Snowden take the “Security” out of National Security Agency?

From Wikileaks to Whistleblowers, for example todays’ NSA PRISM story, we keep seeing new ways that private or sensitive data can be breached.

In this instance, an I.T. contractor working for Booz Allen, Edward Snowden, released details of a NSA domestic surveillance program. How did he get access to this [probably classified] information, you ask?

Said Snowden: “When you’re in positions of privileged access like a systems administrator … you’re exposed to a lot more information in a larger scale than the average employee … Anybody in positions of access with the technical capabilities that I had could suck out secrets and pass them on the open market to Russia … I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world … If I had just wanted to harm the U.S. … you could shut down the surveillance system in an afternoon.”

Is that shocking to you? It should be. How does a low level IT admin get access to virtually everything – internal confidential documents, secret data…? The mere act of managing these systems allows administrative access to “privileged” accounts.

In virtualized or cloud environments, this situation is exacerbated. But, companies like HyTrust provide the security and controls necessary to address this issue. Clearly, solutions are available to address the problem . . . so why weren’t they being used?

Snowden indicated that he revealed what he knew about the NSA because he felt the public had a right to know about wrongs being committed. A modern day Robin Hood, he may have done what he did for the common good. But whether someone breaches sensitive information for good or evil (Sheriff of Nottingham, Benedict Arnold), the same breach can have devastating consequences for businesses.

This is something every business can learn from, said Eric Chiu, president of HyTrust. Wired Magazine recently published this article on the topic- Brand Damage Through Information Access, written by Chiu.

“Without implementing adequate role-based access controls based on least-privileged access, organizations are granting systems administrators god-like access to every piece of data that runs on every system,” Chiu advises.

In a recent Dark Reading article, Scott Hazdra, principal security consultant for Neohapsis states: “Authorized users are authorized users,” meaning that if someone has authorized access to data, then it may be near impossible to know if that person has malicious intent when accessing it. He advises: “You need to set aside a little time to see who has access to what and actually identify specific access controls.”

Lingering questions remain in the PRISM issue: Is Snowden a traitor or a hero? What other information might he be able to leak? Will he receive asylum? What do you think?

Knowledge is power. . . who has your personal information?

The Department of Health and Human Services (HHS) recently fined Idaho State University (ISU) half a million dollars for HIPAA violations.

Data on 17,500 patients of ISU’s medical clinic was exposed during, at minimum, a 10 month period, during which the university had disabled a firewall. More on that here: http://healthitsecurity.com/2013/05/22/hhs-fines-idaho-state-university-400k-for-data-breach/

We’ve been noticing this spate of attacks on education institutions and healthcare organizations, and a recent USA Today article points out that universities are tightening security in the wake of so many attacks.

Negligence like this is surprising but, sadly, common. Lax security measures are often cited as the cause of data breaches. Things like incorrect access settings, misconfigurations, unencrypted sensitive data on stolen laptops, lost tapes, data emailed to a personal account and more. . . all these issues are unacceptable and avoidable, yet they continue to happen. Is no one paying attention?

Another thing that may come as a surprise is that very often there’s little (or no) security in place. Yet it should come as no surprise that as systems are increasingly connected to the internet, they become much more vulnerable to exploits.

Educational and healthcare institutions need to seriously step up their game.

In the meantime, students and patients should do a better job of taking their own personal privacy into their own hands, and asking about security measures their providers are taking. For example, when asked to fill out forms, don’t simply include personal information like your social security number, driver’s license, mother’s maiden name and other obvious private information that can fall into the wrong hands. If they ask for it, you’re entitled to ask why they need it, why it’s on paper rather than entered into a system and immediately encrypted so that even the workers cannot access it. Demand to know how they plan to protect your privacy. You have a right to know. More than that, no one should care as much about you and your personal privacy. And you’re the only one that’s going to have to face the music if your data or identity is breached. Law enforcement and the government simply don’t have the resources to investigate every issue, and it’s often difficult to tell how and from where breaches originate.

Teachers and medical practitioners tell us “Knowledge is power.” Meanwhile the very institutions they work for are practically handing over knowledge about us over to attackers. Shouldn’t they have a duty to protect and secure?

Bottom line: Don’t give your personal power and identity away.

Guccifer Strikes Again! Just having fun for now, but what if that changes?

Guccifer, a hacker known for targeting high profile political figures and celebrities is at it again, and this time his victim is Candace Bushnell, author of “Sex and the City.” Guccifer gained access to Bushnell’s email account and took screenshots of her latest unfinished novel; then he proceeded to hack her twitter account and posted those screenshots.

Past attacks from Guccifer, like this one, have not been for personal gain. It’s hard to imagine financially benefiting from leaking a “sneak peak” at a novel. . . unless, of course, someone paid them to carry out such an attack. The motivation behind these attacks is probably just plain mischief. Remember the old “script kiddies” of the past? Same deal.

However, should the attacker’s motives change, he or she can probably do a lot of damage. As we saw in the Syrian Electronic Army attacks, hacking a high profile and trusted Twitter account affected the stock market, which shows just how much damage one can do.

Even though you may not be the direct target of an attack, you might still be affected by it. A stock you own may drop if that company’s twitter account falsely declares bankruptcy for the company. Even worse, details of national security could be leaked from the Attorney General’s email account and we could find ourselves vulnerable to attack. It’s hard to prevent the second scenario from taking its toll, but the first one is certainly avoidable.

Moral of the story: Don’t believe everything you read online! Checking it against multiple trusted or valid news sources. A hacker’s word is only as good as those who believe it, so don’t be too trusting or naïve. Stay in observation mode and continue to gather information.

Verizon Data Breach Investigation Report Points to Financial Motives for Hackers

The Verizon data breach investigation report is out, and, as always, it does not disappoint. Filled with a treasure trove of stats and insight into the past year’s breaches, there’s much to take away from this report. Just one point of interest is that 75% of attacks were driven by financial interest, with 37% of breaches affecting a financial organization. When you first download the report, you see a quote under the cover page that says “some organization will be a target regardless of what they do, but most become a target because of what they do,” and the stats certainly verify that. It used to be that attackers hacked because they could, but as of late they are looking to get something out of it.

And with 66% of breaches not being discovered for months or longer, these attackers seem to have all the time in the world to do their dirty business. So what needs to be done to detect these breaches early-on?

Eric Chiu, president and founder of HyTrust suggests that “with the majority of computing now moved to cloud environments, we need to turn our security paradigm around from an ‘outside in’ threat perspective, which has proven inefficient and largely ineffective, to an ‘inside out’ view that addresses both insider and outsider advanced threats.”

Attackers are also using a wider range of attacks than ever before, making it more difficult to prevent all types of attacks. There were 4X as many attacks through social media in 2012 compared to 2011 and there were 3.5X as many physical attacks. In 2011 most attacks came from hacking or malware, but now the attack surface playing field is evening out.

Nathaniel Couper-Noles, senior security consultant at Neohapsis says that “the breadth of successful attacks in the report shows that technological innovations can benefit attackers as well as defenders. The security margin between theoretical vulnerabilities and real exploitation is shrinking.”

As a consumer, it’s not comforting to know that my financial data is priority numero uno for attackers and that they are pulling off attacks that were once thought to be impossible. There will always be innovation on both sides of the table, and the question is whether security vendors can find a way to pull ahead of the bad guys and stop their theoretical attacks before they become possible to carry out. However, with 78% of initial intrusions for these attacks considered as low difficulty, there’s still much to be done to make it harder for attackers to get their foot in the door.