Creating A Culture of Security


National Cyber Security Alliance

It’s been quite a year for tech. And I don’t mean Windows 8 or iOS 8. We’ve seen a string of data security breaches (Target, Dairy Queen, Home Depot), each one netting more unsuspecting, unprepared victims. We’ve read about Chinese hackers letting themselves into our national security databases, like the National Research Council in July. And the world is still trying to patch the holes in Linux following the discovery of the Bashbug, which impacts almost all of the servers that connect us to the internet, while hackers continue to exploit that vulnerability with malicious code and malware.

We don’t know what the next juggernaut coming at us from around the curve is going to be: malware, data breach, system hack, or worse. What we do know, based on recent events, is just how unprepared we are for something bigger. There’s a lot of finger-pointing going on, because it’s easy to resort to the blame game. Nobody wants to be held responsible for a disaster, especially not when a class-action lawsuit is likely to follow. The costs of cleanup are staggering, as are the costs of the damage done and the customers lost. By all accounts, this is the road that should be less travelled. So how do we make that the case? How do we stop playing catch-up and get out in front of what comes next?


One:  we need to rethink the whole concept of security in our interconnected world. Corporate Security Officers and Chief Information Officers have a vital role to play in bringing together all levels of their organizations to support and follow security procedures. We can’t keep paying lip service. We need to create a culture of security from within, working together on a common goal to effectively put up a united front. While that is the objective, a chain is only as strong as its weakest link. Which leads to the next point.

Two: everyone has a role to play in managing security, and it starts with managing our own. Maybe you’ve heard the term “BYOD”? It means “Bring Your Own Device”, an increasingly common practice among employees in business. Laptops, mobile phones, tablets, flash drives. Portable data is how we live. It’s become how we do business. All this extra tech finds its way into offices every day. But businesses do not secure personal devices. For the most part, they can’t even track them. The onus is on us, as the owners of personal tech, to ensure that we have installed adequate virus and malware protection on our devices, that we consistently apply security updates, and that we follow safe practices online so we don’t get phished or download more than we bargained for. If we’re going to bring our devices into work, then we risk exposing all our co-workers, and the safety and integrity of our business, to whatever we do with those devices. That ounce of prevention we take as individuals really adds up, because it’s a massive, costly undertaking to upgrade and repair systems in major organizations. Worse, any change can take a long time to go through the approval process. And during a disaster, that is time nobody has.

Three: there is no absolute guarantee of protection. While we expect businesses and organizations to safeguard data and customers, it isn’t realistic. Human error and human fallibility will override whatever measures we put in place. Hackers work around the clock breaking through all the defensive measures currently in place, finding vulnerabilities we didn’t even know existed. Every mistake we make, like carelessly downloading files or not using antivirus software, gives them the advantage over us, and believe me when I say they are watching and waiting for those mistakes. When we commit to our shared responsibility in maintaining our defenses, we commit to building a culture of security from within.

I’m not wearing rose-coloured glasses about how easy this will be. Effecting change is hard, and cultural change is the hardest kind. However, we are falling behind in the war on cybercrime, and time is a luxury we soon won’t have. Cyber espionage is already far more sophisticated and damaging than ever, and cyber warfare may bring a fight to our door that we are not prepared to win. There are a lot of very talented people watching our back door who are telling governments and businesses what they don’t want to hear. We need to listen to those voices, heed their warnings, and start taking action now. Because what we do now will most definitely determine the outcome of what happens next.

Resources:
http://www.pcworld.com/article/2825032/linux-botnet-mayhem-spreads-through-shellshock-exploits.html
http://www.cio.com/article/2824268/data-breach/how-to-fend-off-data-breaches.html?utm_campaign=sflow_tweet#tk.rss_all

The Talk You Need to Have With Your Kids


Yes, it’s awkward. But the time has come to have “the talk” with your kids: the talk about “dangerous celebrities” and safe surfing.

We know there are some warped individuals out there whose idea of fun is harmful and without boundaries. Celebrity sites have increasingly become the target of hidden malware and online scams. Cybercriminals have found a new playground where they hide their poisoned code for unsuspecting visitors, many of whom are kids. Our kids.


The lure of reading the latest scoop on a big-name celeb proves irresistible. Our kids think they’re visiting a site with pics and details about someone currently popular, someone all their friends will be talking about. Right now, Jimmy Kimmel is at the top of the hit list, with a one-in-five chance that a website linked to him will be laced with a nasty gift that keeps on giving: spyware, phishing, spam, adware, viruses, etc. One quick click is all it takes.

There is no turning back the clock on technology.  Our kids live in the same online, interconnected world that we do.  Protecting them means shielding them from harm but not from the truth. Not only do we need to become more aware and vigilant, but we need to teach kids the same skills to protect themselves, because we can’t always be with them. And they won’t always tell us where they’re going.


McAfee has some helpful starting points parents can work with on their blog.  These include:

  • Commit to having ‘the talk’: explain how downloads of photos and videos are at high risk of containing bad stuff like viruses
  • Breaking news = red flag: don’t be tempted by the bait of some exciting new celebrity gossip. That’s what cybercriminals are banking on. Literally.
  • Protect your devices and identity: Don’t use any device online without protection. That means installing anti-virus/anti-malware programs on all computers, tablets, phones. Choose what’s right for you and your budget.
  • Stay on the main road: If you want to see something online, use YouTube or Vimeo so you don’t have to download. Because if it says “free download” beware of what else comes with it.
  • Get a sneak peek: when you hover over a link, you can see the URL appear. If the name in the URL is just a bunch of gibberish, or spelled incorrectly, walk away.
  • Don’t log in or provide personal information: have a standing rule that kids ask before they open any attachment or link.  Because that click can lead straight to the lion’s den.
  • Put a PIN on it: teach your kids how to set up and use passcodes, and make sure you know what they are.

You can read more on the McAfee blog: http://blogs.mcafee.com/consumer/dangerous-celeb.

The old saying “an ounce of prevention is worth a pound of cure” takes on new meaning when you think of just how much we love our kids, and how far we would go to protect them. Their safety is everything. While we may wait to have that “other talk”, don’t put this one off.

#Shell shocked? What You Need to Know about the #Bashbug


I’ve been known to exaggerate, but trust me when I say that this latest security threat is so big it’s off the charts. Literally. It was rated 10 out of 10 by the National Vulnerability Database. An official advisory was issued by the Department of Homeland Security, and they don’t just hand those out freely. While this won’t ruin your life the way getting caught in a Home Depot-style data breach could, it puts at risk almost every device that connects to the internet. Since our world has become the Internet of Things (see previous post for a neat-o chart), that means a lot of risk. So here is what you need to know, and why.


Bash stands for Bourne-Again Shell, a very common program used to run commands from the command line in operating systems like Linux, Unix and Mac OS X. The shell is where we interface with and control the operating system, and these operating systems run pretty much everything we connect to or rely on for connectivity and for our “smart” devices. Per Trend Micro, “Linux powers over half the servers on the Internet, Android phones and the majority of devices in the IoT (Internet of things).”


The problem is a vulnerability that lets an attacker easily reach a CGI script written in Bash and alter the commands it issues to the operating system. And no credentials are required. As the security experts at Kaspersky put it, “This vulnerability is unique, because it’s extremely easy to exploit and the impact is incredibly severe.” This doesn’t just impact servers. It impacts devices connecting to those servers through the internet: wireless access points, routers, smart fridges, video cams, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge.


And this is where the other shoe drops. In his article for Fast Company, Chris Gayomali explains how this vulnerability “also affects Bash versions stretching back at least 25 years, meaning, when or if a patch rolls out, there are a number of older electronics that won’t be getting a firmware update.” The obvious solution has been to issue patches, but the question is if and when everything affected will have patches available. The problem may have the worst impact on major institutions, like banks and hospitals, where change happens slowly and systems have been laboriously put together over time. According to Patrick Thomas, a security consultant at Neohapsis Labs, “their most venerable systems are also their most vulnerable.”

So what do we do, now that we know? Systems experts are testing for the bug and patching web servers as I write this. Hopefully, our Internet service providers have been successful, as have the companies that host our websites. Here is some excellent advice from Mark Nunnikhoven at Trend Micro:
1. End users should watch for patch updates or alerts for their Android phones, Macs, or other devices.
2. As a customer of a hosted service, like a website, contact the host directly and ask them if they have patched the vulnerability. If not, why not?

For those running a system that uses Linux, or an Apache web server, this article by Kaspersky Lab recommends updating Bash and outlines helpful ways to test for the vulnerability: http://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/.
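As an added example (not from this post or the Kaspersky article), here is a self-check an administrator can run on a Linux or Mac host to see whether its Bash still has the bug described above. It relies on the mechanism behind the bug: Bash turns environment variables whose value begins with “() {” into shell functions, and a vulnerable Bash also runs any text that follows the function body. The variable name “probe” and the MARKER text are constructed for this check.

```shell
#!/bin/sh
# Added example: local self-check for the Bash bug (CVE-2014-6271).
# Bash imports shell functions from environment variables whose value starts
# with "() {". A vulnerable Bash keeps parsing past the closing brace and runs
# whatever follows; a patched Bash stops at the function body.

# Returns "no-bash" if bash is absent, "vulnerable" if the text after the
# function body ran while bash imported the variable, "patched" otherwise.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The only command bash is asked to run is 'echo done'. The text after the
    # function body ("echo MARKER") must never run on a patched system.
    out=$(env probe='() { :; }; echo MARKER' bash -c 'echo done' 2>/dev/null)
    case "$out" in
        *MARKER*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# Secondary check: the follow-up patches made bash import functions only from
# specially named variables (BASH_FUNC_name%%), so a plain variable such as
# "probe" is no longer turned into a function at all. Returns "prefixed" when
# that hardening is present, "plain" when any variable name is still imported.
function_import_mode() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    if env probe='() { :; }' bash -c 'type probe' >/dev/null 2>&1; then
        echo "plain"
    else
        echo "prefixed"
    fi
}

# Human-readable summary, e.g. for a patch-tracking note.
report() {
    printf 'bash binary: %s\n' "$(command -v bash || echo none)"
    printf 'CVE-2014-6271 status: %s\n' "$(shellshock_status)"
    printf 'function import mode: %s\n' "$(function_import_mode)"
}

report
```

A result of "vulnerable" means the host needs the distribution's Bash update applied before anything else; "patched" plus "plain" means the original fix is in but the later hardening patches are missing.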


Truth is, there’s really not a lot you personally can do to fix the #bashbug. But you can find ways to stay informed, ask questions (of service providers or friendly folks like me), and follow the practical advice in my earlier posts about protecting yourself. That is how you can be your own best defence against an unexpected offence like this. Welcome to Fortress Security.