Jul 22 2013
Your employees aren’t the only threat to InfoSec and Compliance
July 22nd, 2013 by Lewis Morgan
I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it…
Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details, but one of them said, “We don’t particularly focus on cyber security; it’s always large organisations which are in the news about getting hacked, and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked on the same day as, let’s say, DELL, who’d make it into the news? DELL would. Why? Because it’s likely to be of more interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.
I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying “hit me”. That’s effectively what this director is doing: turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked. Chances are he doesn’t even read the publications which cover those stories.
Ignorance
It’s a strong word, isn’t it? Personally I hate calling people ignorant; I’d rather use a more constructive word such as “unaware”, but I feel that using the word ignorance will raise some eyebrows.
As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.
You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5-year plan which sees 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?
2 years into your plan and you’re hitting your targets, but you’ve just discovered that there’s been a data breach and your customers’ credit card details have been sold online.
Your plans have now become redundant; what happens next depends on how prepared you are to handle the situation, and so do your staff. The cost of recovering from a data breach for a small organisation is between £35k and £65k (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.
Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager, who’s been raising spam issues at each monthly meeting, because all you chose to hear is “we’ve not been hacked” and “invest”, which is enough for you to move on.
What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack; it’s not happened yet but there’s a chance it will.”
Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:
Inability to perceive cyber threats
Grey areas in appropriate knowledge
Naivety
Overhead cost restrictions
Refusal to listen to something you don’t understand
Absent mindedness
No interest in the customer’s best interests
Careless decisions
Eventual disaster
Cyber security threats are real, so why are you ignoring them?
To save money? Tell that to a judge
You don’t understand the threats? Read this book
Related articles
Jun 29 2011
The weakest link in computer hacking? Human error
By Cliff Edwards, Olga Kharif, Michael Riley, Bloomberg News
The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.
Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Va.’s Computer Sciences Corp.
The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cybercrimes.
In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.
It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara computer security company.
Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.
“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”
A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.
Tactics such as spear-phishing – sending a limited number of rigged e-mails to a select group of recipients – rely on human weaknesses like trust, laziness or even hubris.
That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA – the company that provides network-access tokens using random secondary passwords – was in a hiring campaign.
Two small groups of employees received e-mails with attached Excel spreadsheets titled “2011 Recruitment Plan,” the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.
The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose’s Adobe, that allowed hackers to commandeer the employee’s PC. RSA said information related to its two-factor SecurID authentication process was taken.
Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.
“The team that hacked us is very organized and had a lot of practice,” Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. “I can compare them to the Navy Seals Team Six, which hit Osama bin Laden.”
The FBI began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.
Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.’s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.
Spear-phishing is evolving into what Rasch calls whale phishing: targeting senior-level executives whose computers may have access to far more sensitive information than rank-and-file workers.
Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they’re better protected from computer hackers than their employees, Rasch said.
Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.
“Phishing is on a different trajectory than it’s been in the past,” said Malcolm Harkins, Intel’s chief information-security officer.
This article appeared on page D – 2 of the San Francisco Chronicle on June 28, 2011
Related articles
Oct 13 2008
World Bank security breach and financial crisis
The World Bank controls the world’s banking system and creates plans and strategies to develop economies and protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.
Amidst the financial crisis, a major security breach has been reported at the World Bank, which might tell us that protecting consumers’ data during this crisis might not be the first priority for many suffering financial institutions.
World Bank Under Siege in “Unprecedented Crisis”
“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions – two of them using the same group of IP addresses originating from China – have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.”
The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month, and the World Bank admits that sensitive data could have been stolen, but they are not sure about the total impact of the breach.
Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point: in the midst of this chaos, our personal data might be at great risk, and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutions’ demise if they let their guard down now and do not make it a priority to protect customers’ data.
During this turmoil, some financial institutions’ upper management doesn’t have to worry about their responsibility of securing the customers’ data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crises are sometimes the result of unprecedented greed.
Glassner: “I don’t know that the captain of the Titanic got a bonus for driving the boat into an iceberg. They at least had the decency to go down with the ship” [quoted in the “Wachovia’s Golden Parachutes” story in the S.F. Chronicle of 10/10/08, pg. C1].
Bill Gates: “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”