Cybersecurity

https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspx
Hackers Hit Equifax, Compromising 143 Million Americans’ Data (Cybersecurity, 2017-09-08, by Megan Gates)
<p>Hackers breached a crown jewel of the U.S. financial system this summer, potentially compromising 143 million Americans’ personally identifiable information (PII).</p><p><a href="http://www.equifax.com/about-equifax/" target="_blank">Consumer credit reporting agency Equifax</a> confirmed in a statement released late Thursday that hackers gained access to its systems and compromised consumer data, including Social Security numbers and driver’s license numbers.</p><p>“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” <a href="https://www.equifaxsecurity2017.com/">the statement said.</a> “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”</p><p>Along with consumers’ names, Social Security numbers, birth dates, and addresses, the hackers also stole 209,000 consumers’ credit card numbers and 128,000 consumers’ dispute documents.</p><p>“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” the statement said. “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”</p><p>Equifax became aware of the hackers’ intrusion on July 29, acted to stop the intrusion, and hired a cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion. It also reported the intrusion to law enforcement.</p><p>“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and CEO Richard F. Smith in a statement. “I apologize to consumers and our business customers for their concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”</p><p>To help consumers determine if they have been impacted by the breach, Equifax created a website, <a href="https://www.equifaxsecurity2017.com/" target="_blank">www.equifaxsecurity2017.com</a>, where they can check their status and sign up for credit file monitoring and identity theft protection.</p><p>Critics, however, have cautioned consumers about checking their status with Equifax, as doing so might waive any rights they have to sue the agency.</p><p>This is because a disclaimer on the dedicated website includes the following statement: “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claim where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”</p><p>New York Attorney General Eric Schneiderman tweeted that this language is “unacceptable and unenforceable,” and that his staff has contacted Equifax to demand it be removed. He also announced that he’s launching an investigation into how the breach occurred.</p><p>“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” <a href="https://twitter.com/AGSchneiderman/status/906197644841766912" target="_blank">Schneiderman said in a statement.</a> “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”</p><p>While investigators work to determine the cause of the breach and who was responsible, it’s likely to have widespread ramifications given the number of consumers compromised and the data involved.</p><p>In a <a href="https://www.digitalshadows.com/blog-and-research/equifax-breach-the-impact-for-enterprises-and-consumers/" target="_blank">blog post</a> for cybersecurity firm Digital Shadows, Vice President of Strategy Rick Holland detailed what’s most likely to happen next, including tax return fraud, benefits and medical care fraud, carding, resale of data, and enablement of nation state and hacktivist campaigns.</p><p>“There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion,” Holland wrote. “Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.”</p>

https://sm.asisonline.org/Pages/Hiding-Body-Art-During-Interviews-Then-Revealing-It-on-the-Job.aspx
Is Hiding Body Art During Interviews, Then Revealing It on the Job, Deceptive? (Strategic Security)
<p><em>Security Management</em> has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies. This article by Michele Poacelli discusses how organizations should approach communicating body modification expectations with potential employees.</p><p>--</p><p>What should a company do if, after she is hired, an employee alters her physical presentation in such a way that the employer worries clients or customers might find it offensive? Is it misleading for an applicant to hide tattoos or piercings during a job interview, then reveal them on the job? What recourse does an employer have?</p><p>Body art is ubiquitous. According to a February 2016 survey from The Harris Poll, tattoos are especially prevalent among younger Americans, with nearly one-half of Millennials (47 percent) and over one-third of Generation X respondents (36 percent) saying they have at least one. People across diverse industries and regions boast colorful ink and nontraditional skin piercings.</p><p>As the popularity of tattoos and piercings has risen, has stigma in the workplace subsided?</p><p>That depends on the culture, image and values of the company.</p><p>For instance, Chase Bank's dress code states that "Appropriate dress and appearance increase the perception that Chase employees are professional, knowledgeable and capable of serving customer needs and maintaining responsible relationships." With the exception of having them for religious and certain health reasons, visible tattoos and piercings other than in the earlobes are not permitted.</p><p>When a corporate culture is built around its workers, however, there is more room for personal expression. In 2014, responding to demand from its young workforce, Starbucks began allowing employees to display their tattoos. Tattoos on the face and throat are still prohibited. Micha Solomon, a contributor to Forbes.com, suggested that the change had benefits for all parties. "Letting employees revel in their own style is a way to project how genuine you are as a brand to employees and to the customers they support," Solomon wrote.</p><h4>SHRM Members Debate Body Art</h4><p>In a recent discussion on the Society for Human Resource Management (SHRM) discussion forum—SHRM Connect—it became clear that HR professionals have different opinions on the subject.</p><p>One SHRM member wrote that the trend in body art will continue to influence corporate dress and appearance policies: "Many of our employees, including higher-ups (and myself) have tattoos and piercings," this member wrote. "Especially as you look to hire Millennials and the next generations, I think these policies [banning the display of body art] are going to quickly become outdated. We certainly removed them from our handbook."</p><p>Another HR professional wrote that "we also have customer-facing roles and do not allow visible tattoos, facial piercings or ear gauges. We are clear on this upfront, even if the person being interviewed does not show any. [A] manager needs to address this. And going forward, let your candidates know your expectations upfront."</p><p>Given that range of attitudes about tattoos and piercings in the workplace, job applicants may be uncertain about a company's position. Because many worry that their skills and abilities will be overlooked if body art is showing, they cover it up during the hiring process, some SHRM Connect commenters wrote.</p><p>Job search coach Ashley Robinson at Snagajob.com, an online job search engine based in Richmond, Va., recommends this. "Cover your tattoos as much as possible," she advises. "Wear clothing that will hide them or even use tattoo cover-up so they won't be visible. ... You want the interviewer to be focused on you and your qualifications, not your ink."</p><p>Once the job is secured, should the body art stay hidden?</p><h4>To Reveal … Or Not?</h4><p>In the SHRM Connect discussion, one HR professional noted that a newly hired desk greeter at a medical office covered her tattoos and removed her piercings during job interviews, then displayed them once she started working there. The SHRM member who manages the office felt duped. "She hid the fact that she had tattoos up both arms and that she wears a very large tongue ring and nose ring," this member wrote. "[The tattoos and piercings] were not made [apparent] to us in any of the interviews we had with her."</p><p>Patients complained about the woman's appearance, the member wrote, but HR was worried about the ramifications of asking the woman to cover her tattoos and remove her piercings while at work.</p><p>Body modification can be considered an artistic, and in some cases religious, form of expression. Title VII of the Civil Rights Act of 1964 states that employers with 15 or more employees "must reasonably accommodate employees' sincerely held religious practices unless doing so would impose an undue hardship on the employer." Many states offer similar anti-discriminatory protections to employees working for businesses with fewer than 15 employees.</p><p>Brian Elzweig, assistant professor of business law at Texas A&M University-Corpus Christi, and Donna K. Peeples, the university's retired associate professor of management, cautioned in an e-mail that "Employers should take special care to familiarize themselves with Title VII cases, take claims of religious and other forms of discrimination seriously, know the implications of their dress code, and make employees understand the repercussions of violating the dress code."</p><p>Another HR professional participating in the SHRM Connect discussion urged proactive communication: "We need to share the policies in order for candidates and employees to know the policies. … Considering the popularity of tattoos [and other body art], it would be wise to address this with candidates during the interview process, across the board, and especially with [those occupying] a visible role."</p><p>Some companies communicate dress and appearance policies as early as the job posting. "When you have very specific job requirements or expectations, weed out non-compliance before anyone's time is wasted," one person in the SHRM Connect discussion suggested.</p><p>Tracy Perez, a benefits manager in Denver, told SHRM Online that it's best for an employer to communicate clear expectations for dress and appearance in a formal, written policy signed by the employee. "This becomes the condition for employment," Perez said. "If you can't adhere to it, you can't work here."</p><p>Perez's 16-year-old son is seeking summer employment in the restaurant industry. His hair is dyed a verdant shade of green. Perez said she thinks her son's unnatural hair color won't hurt his chances for a dishwashing or other kitchen position that's out of customers' view.</p><p>"But if he interviewed with brown hair for a maître d' position and showed up to work with green hair, there would be problems."</p><p><em>Michele Poacelli is a freelance writer based in Mercersburg, Pa. © 2017, SHRM. This article is reprinted from <a href="https://www.shrm.org/resourcesandtools/hr-topics/employee-relations/pages/is-hiding-body-art-during-job-interviews-deceptive.aspx">https://shrm.org</a> with permission from SHRM. All rights reserved.</em></p>
https://sm.asisonline.org/Pages/The-Cyber-Incident-Survival-Guide.aspx
The Cyber Incident Survival Guide (Cybersecurity)
<p>The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.</p><p>If your company hasn't prepared for a major cyber incident of this scope, this scenario can quickly become overwhelming as you attempt to work with law enforcement, deal with the media, and restore business operations.</p><p>With more than 2,100 confirmed data breaches in 2015 and almost 80,000 incidents, according to Verizon's 2015 Data Breach Investigations Report, developing an incident response plan for a cyber incident should be a top priority.</p><p>"Protecting your organization from a data breach could save your business tens of millions of dollars, and help maintain customer loyalty and shareholder confidence," the report explains. "Data security isn't something that should be left to the IT department. It's so important that it should matter to leaders, and indeed employees, from all functions."</p><p>To help security leaders plan for the worst and know what to expect in the aftermath, Security Management spoke with experts about their best practices for cyber incident response.</p><p><strong>Before the Breach</strong></p><p>Just as a company has an incident response plan in case the building catches on fire and burns to the ground, it needs to have an incident response plan to handle a cyber incident before one actually occurs.</p><p><strong>Craft a plan.</strong> Gary Bahadur, senior director of FTI Consulting's Risk Management Practice, helps companies craft these plans on a regular basis. He suggests that organizations first think about how they are most likely to be attacked and who is most likely to be behind the attack.</p><p>For instance, banks that allow customers to conduct transactions online—say through an online banking portal—may be vulnerable to a breach through their Web applications. Or high-tech firms may be most concerned about an insider threat compromising their intellectual property.</p><p>"The first step is determining how we're going to be attacked and then figuring out what are the best controls and roadblocks to block the most likely scenarios," Bahadur explains.</p><p>From that point, companies can use the U.S. Department of Justice's (DOJ) Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents guidance to craft an actionable incident response plan.</p><p>It suggests, at a minimum, identifying who has the lead responsibility for different elements of the company's cyber incident response, from decisions on public communications to information technology to implementation of security measures to resolving legal questions.</p><p>Companies should also determine how to contact critical personnel at any time, how to proceed if critical personnel are unreachable, and what mission-critical data, networks, or services should be prioritized for the greatest protection.</p><p>"All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident," the guidance says.</p><p>Completing this process is becoming especially important because a new legal standard is emerging as organizations develop a track record of reasonableness for assessment, planning, incident response, and recovery, says Ed McAndrew, partner in Ballard Spahr LLP's Privacy and Data Security Group and a former federal prosecutor.</p><p>"There's a new legal standard that is emerging where organizations need to employ reasonable data security standards to mitigate foreseeable risk," explains McAndrew, who is also a former DOJ national security cyber specialist. "Companies need to have appreciated the risk, attempted to manage the risk, and then have a plan for attempting to respond to these incidents."</p><p>After companies identify their low-hanging fruit and craft an incident response plan, Bahadur suggests creating a roadmap to analyze the likelihood of that particular attack and how to prevent it. Companies should also consider how they will create a long-term strategy that continues to adapt to new security challenges as new business functions are developed.</p><p>"You have to be able to grow your security organization and its functionality," he adds.</p><p><strong>Consider law enforcement.</strong> While companies are developing their incident response plans, they need to consider their relationship with local and national law enforcement.</p><p>McAndrew says there's a "real appetite in law enforcement" to develop relationships with the private sector when it comes to cybersecurity. This is because law enforcement understands that "effective investigation of cyber requires a level of trust and personal relationships between investigators and their counterparts inside organizations," he explains.</p><p>For this reason, the government has created a variety of outreach programs that target the private sector, including InfraGard, Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, and the U.S. Department of Homeland Security's new cybersecurity information sharing program.</p><p>"Joining these organizations and attending those outreach programs is a great and easy way to begin to build relationships" with law enforcement, something companies should do before a cyber incident occurs, McAndrew says.</p><p>Companies can also reach out to their local FBI office, because agents there are often willing to help companies conduct cybersecurity risk assessments, incident planning, and data security planning.</p><p>These relationships can also help companies know what to expect from their law enforcement partners, should a breach occur, says Mick Stawasz, deputy chief for computer crime and head of the DOJ Cybersecurity Unit.</p><p>"Before there's an event, we, the FBI, and other investigative agencies are trying to lay the groundwork so that there are relationships in place and an understanding of what may happen when we arrive," Stawasz explains. "We're out there doing events to try and tell people, when we show up, this is the type of information to have before an event."</p><p>For instance, he says that companies should think about what data they can share with law enforcement and what kind of access they will be willing to provide should an incident occur. This can help streamline the process of an incident investigation because companies won't be doing original legal research "while the clock is ticking," Stawasz says. "We really encourage people to think ahead of time because there are certain things we're going to want."</p><p>However, McAndrew says that while it's great to engage with law enforcement, companies should do so carefully. "You need to understand the levels of engagement, and the logistics where law enforcement can be helpful, but also where engaging them may result in an investigation," he adds.</p><p>To help companies navigate this area, McAndrew recommends relying on outside counsel with experience in cybersecurity.</p><p><strong>Practice makes perfect.</strong> After companies outline their cyber incident response plans, they need to practice them to identify problem areas and ensure that they are effective.</p><p>Bahadur recommends conducting a tabletop exercise with all the key stakeholders in the room, including representatives from the C-suite, IT, public relations, legal, marketing, and even sales staff.</p><p>"People say that a cyber breach is an IT problem," he explains. "It's not...when a breach occurs we need our PR people. We need legal to discuss what the repercussions are for the industry we are in. And we need executive support, marketing, and sales because this could impact relationships with clients."</p><p>Leonard Bailey, special counsel for national security in the DOJ Computer Crime and Intellectual Property Section, agrees that practicing the incident response plan is important because it reinforces what people's roles are when an incident occurs, and allows companies to designate an alternate to fill those roles should the designated person not be available.</p><p><strong>During the Breach</strong></p><p>Despite careful preparation and cyberattack prevention tactics, even "the best laid plans of mice and men often go awry," as Robert Burns wrote. But by remembering the following tips, companies can prevent a cyber incident from becoming a cyber crisis.</p><p><strong>Make an assessment.</strong> When companies identify a cyber incident, they should immediately make an assessment about the nature and scope of the incident, according to the DOJ guidance.</p><p>"In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch," the guidance explains. "The nature of the incident will determine the type of assistance an organization will need to address the incident and the damage and remedial efforts that may be required."</p><p>To identify the nature of an incident, companies can have systems administrators attempt to identify the affected computer systems, the origin of the incident, any malware used in connection with the incident, remote servers to which data was sent, and the identity of any other victim organizations.</p><p>The initial assessment should also document what users are currently logged on, what the current connections to the computer system are, what processes are running, and all open ports and their associated services and applications.</p><p>"Any communications (in particular, threats or extortionate demands) received by the organization that might be related to the incident should also be preserved," the guidance explains. "Suspicious calls, e-mails, or other requests for information should be treated as part of the incident."</p><p><strong>Maintain evidence.</strong> Often, the first reaction when a company learns about a cyberattack is to do whatever it takes to stop the bleeding.</p><p>"The first thing companies do is unplug the device that's been hacked to stop the bleeding, potentially," Bahadur says. "But if you want to do forensic analysis—track the attack or report it—if you change the environment and erase a server that's been hacked, you're losing really valuable evidence."</p><p>To prevent evidence from being compromised, Bahadur says companies should follow good forensic practices—something most organizations struggle with. "Most companies don't handle chain of custody well," he adds. "They will literally screw up the whole process and tamper the evidence so badly."</p><p>Instead, companies should create a chain of custody for evidence and should have IT staff work with the legal department to ensure that technology is in place to maintain and preserve that evidence, says Patrick Dennis, CEO of Guidance Software.</p><p>"If you want to have an infrastructure in place that includes people, technology, and policies that can work with law enforcement and produce evidence, there has to be a program put in place beforehand to do that," he explains. "Otherwise, generally they will end up compromising some or all of that evidence."</p><p><strong>Notify law enforcement.</strong> Once an initial assessment has been made and evidence has been gathered, managers and other personnel within the organization should be notified following the protocols outlined in the cyber incident response plan.</p><p>Then, if the company suspects that criminal activity has taken place, it can consider notifying law enforcement. The FBI and the U.S. Secret Service conduct cyber investigations, and contacting law enforcement may prove beneficial for victim organizations, because law enforcement can use tools and methods typically not available to private companies.</p><p>"These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data," the DOJ guidance explains. "In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the company or to others, and other would-be cyber criminals may be deterred by such a conviction."</p><p>When it comes to reaching out to the FBI, McAndrew recommends that companies use their knowledge about the bureau because some agents are "true superstars" when it comes to cybersecurity. "Not all agents are created equal, just like not all lawyers are created equal," he jokes.</p><p>And in some cases, it may be better to have someone on the corporate legal team reach out to a U.S. Attorney's Office to use a lawyer-to-lawyer relationship.</p><p>"Speaking lawyer to lawyer can sometimes be more helpful," McAndrew says. "I know that if I get them interested in the matter, I won't have to cold call an FBI office I've never dealt with."</p><p>And everyone should be on the same page about what's happening to prevent information from falling through the cracks, or being inadvertently shared.</p><p>"Is the IT department the one that has the relationship with the FBI and is legal out of the picture?" McAndrew asks. "Is IT sharing information without legal's knowledge? Is senior management briefed and knowledgeable about what happens next when you begin interacting with law enforcement, and are they willing to do those things?"</p><p>Asking these questions—often ahead of time—will help companies simplify decision making if an incident occurs, he adds.</p><p><strong>Avoid pitfalls.</strong> While there are many actions companies should take following a cyber incident, the DOJ guidance explicitly urges companies not to use compromised systems to communicate.</p><p>"If the victim organization must use the compromised system to communicate, it should encrypt its communications," the guidance says. "To avoid becoming the victim of a social engineering attack, employees of the victim organization should not disclose incident-specific information to unknown communities inquiring about an incident without first verifying their identity."</p><p>The DOJ guidance also says companies should not hack into or damage another network following a cyber incident.</p><p>"Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability," it explains. "Furthermore, many intrusions and attacks are launched from compromised systems. Consequently, 'hacking back' can damage or impair another innocent victim's system rather than the intruder's."</p><p><strong>After the Breach</strong></p><p>Once companies have managed to stop the bleeding of a cyberattack, they may find themselves in court if the perpetrators of a breach are prosecuted. Because of this, Bailey and Stawasz explain that companies need to keep a potential court appearance in mind.</p><p><strong>Victim status.</strong> When a cyber incident happens, it's important for companies to remember that they are a victim of a crime, and that prosecutors should treat them as such, Stawasz says.</p><p>"We really are trying to help. We will work with them in the process of an investigation, and with luck a prosecution—of somebody—for what was done," he explains.</p><p>Stawasz also says that the DOJ is trying to do a better job of keeping companies informed of how the investigation and prosecution are proceeding. Companies have a right to be informed at various stages, such as before a case is resolved, when charges are brought, if a plea deal is made, and to appear to make a sentencing statement if an individual is convicted.</p><p>"We encourage them to make a statement to highlight for the public and the court the impact a cybercrime has on a victim," Stawasz explains.</p><p><strong>Remain vigilant.</strong> After a cyber incident has been resolved and appears to be under control, it's important for companies to remain vigilant in case of future attempts to breach their systems.</p><p>"It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which an intruder illicitly accessed the network," the DOJ guidance explains. "Continue to monitor your system for anomalous activity."</p>
https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx
The Top Five Hacks From Mr. Robot—And How You Can Prevent Them
<p>Mr. Robot may be doing more to make Americans cyber aware than any official awareness campaign has so far. The popular, award-winning series focuses on Elliot Alderson, a young programmer, who works as a cybersecurity engineer and is recruited by “Mr. Robot” to join a group of hacktivists—fsociety—targeting a company, E Corp.</p><p>For Cybersecurity Awareness month, <em>Security Management</em> Cybersecurity Editor Megan Gates sat down with OneLogin Lead Product Marketing Officer Al Sargent to discuss some of the most successful Mr. Robot hacks and how they can be prevented.</p><p>“I think <em>Mr. Robot</em> has done a really good service for the cybersecurity community because it makes these issues…realistic and, even though it’s realistic it’s very fun to watch,” Sargent says. “So it’s a great way for people to learn more about cybersecurity issues and how they can address them.”</p><p><strong>1. Password Cracking</strong></p><p>This is essentially where you guess what someone’s password is based on what you think some of their interests are. It’s a form of combining social engineering with brute force, Sargent says.</p><p>For example, Elliot’s psychiatrist’s password was Dylan2791, which combines her favorite musical artist with the year she was born, written backwards. Elliot was able to crack her password in 24 seconds.</p><p>“What would take maybe years or centuries to crack, might take mere minutes or even seconds to crack when you put in certain terms,” Sargent explains. “And Elliot is able to pull this information off of social media profiles and using other sources.”</p><p>Measures companies can take to prevent this kind of attack include enforcing stronger password requirements, such as requiring that passwords use more characters, frequent password changes, and multifactor authentication, such as using a smartphone to approve a login attempt.</p><p>One way to create a good password, Sargent explains, is to think of a sentence that makes sense to you. For instance, if you’re a baseball fan, it could be “itsanevenyearletsgoGiants2010.”</p><p>“Now, if you’re a Giants fan, that makes a lot of sense because the Giants have won the World Series on even years 2010, 2012, and 2014; unfortunately, not this year,” Sargent says. “If you write that out, it’s very easy for you to remember. But if you look at the number of combinations, it’s very hard for a computer to crack because it’s many, many characters.”</p><p>And because the password is rooted in a topic that you’re passionate about, it makes creating a new, strong password easier when you need to change it.</p><p>“In the case of baseball, you could say, ‘IwishtheCubshadntbeatentheGiantsthisyearhopewillnextyear’ and when it’s time to rotate your password again next month, you could be talking about something around the players you hope the Giants can recruit next year,” Sargent adds.</p><p>“It’s something you’re passionate about, so it’s something you can really remember,” he says. “But it’s hard for a password cracker. And that’s the key thing; people don’t think about passwords as passions, but it really is important to combine the two to make something memorable for you and hard for a computer to guess.”</p><p><strong>2. Zombie accounts</strong></p><p>The next common type of attack uses what’s called a Zombie account, a user account that remains active even though the user should not have access to it.</p><p>For instance, E Corp fires its senior vice president of technology, Tyrell, who is very angry with what happened and could potentially use his access to E Corp’s network to do a great deal of damage.</p><p>“Because he was senior VP of technology, Tyrell had access to a lot of privileged information,” Sargent says. “Now the thing is, once somebody is let go from a company, especially when they’re angry—as Tyrell was—you want to be able to deprovision them very quickly.”</p><p>This means that human resources staff need to work closely with IT to ensure that when an individual is fired or resigns from a company, that person’s technology access is cut off—just as their access might be to a physical building.</p><p><strong>3. Phishing</strong></p><p>Nearly one in three phishing emails was opened in 2015, and about 12 percent of targets then went on to click the link or open the attachment in that email, according to Verizon’s <em><a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/" target="_blank">2016 Data Breach Investigation Report</a></em>.</p><p><em>Mr. Robot</em> showcases this method of attack in Season 1, Episode 3, when Elliot, wanting to know more about his girlfriend, phishes her to get into her account.</p><p>“Phishing is very much a constant worry, not just in <em>Mr. Robot</em> but in corporate environments because there are now very well constructed phishing attacks,” Sargent says. 
“It’s no longer the email from the Nigerian prince; it’s the email from someone who might be the CEO asking the CFO to do something and it seems like a very well-constructed email.”<br></p><p>This specific type of phishing attack is known as a Business Email Compromise (BEC) scam, which have seen a 1,300 percent increase between January 2015 and June 2016, according to the FBI.<br></p><p>For more on how to prevent BECs and phishing attempts, read Security Management’s October Cybersecurity Department <a href="/Pages/Spoofing-the-CEO.aspx" target="_blank">“Spoofing the CEO.”</a><br></p><p><strong>4. Physical Access</strong><br></p><p>Sometimes to really pull off a successful hack, you need physical access to a critical facility. <br></p><p>This is demonstrated in Season 1 Episode 5 when Elliot pretends to be a Silicon Valley billionaire asking for a tour of a Steel Mountain facility, which stores all of E Corp’s records. He gains access and uses that to install a Raspberry Pi computer into the HVAC system, which can override temperature controls and melt all of E Corp’s back-up tapes.<br></p><p>To prevent this type of attack, companies should take a look at who has physical access to the servers that support their network and try to limit that access.<br></p><p>“As Elliot said in the episode, ‘People make the best exploits,’” Sargent explains. “So, we as OneLogin employees can’t get a tour of a data center. And we don’t even know the physical machines that are running our service.”<br></p><p>Amazon has tens of thousands of machines running in its data centers, which then run virtual machines that provide OneLogin’s service. <br></p><p>“We don’t know what machines provide our service. And if we don’t know, hackers don’t know,” Sargent says. “That makes it very hard to hack and makes it basically impossible to hack by gaining physical access because A) how do you get into a facility? 
And B) how do you even know, out of the tens of thousands of machines, which one at any given time is running the virtual machines?” <br></p><p><strong>5. DDoS Attacks</strong><br></p><p>Distributed denial-of-service (DDoS) attacks occur when systems flood the bandwidth or resources of a targeted system. These kinds of attacks are often the result of a botnet (multiple compromised systems) being used to flood the targeted system with traffic.<br></p><p>In Season 1 of <em>Mr. Robot, </em>Elliot single-handily saves E Corp. from a DDoS that’s been propagated by fsociety. To prevent this kind of attack taking down One​Login’s service, Sargent says it houses its service in multiple Amazon Web Services (AWS) regions and in multiple AWS availability zones in multiple states within the United States, as well as in Germany and Ireland.<br></p><p>“Additionally, we have multiple active DNS providers, so that way if one DNS provider gets overloaded through a DDoS, we have another DNS provider that can help us out,” Sargent says. Domain Name Servers (DNS), work like a phone book for the Internet and facilitate requests to specific webpages.<br></p><p><br></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
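Sargent's point in the password-cracking section is that a password assembled from a person's known interests falls to a handful of targeted guesses, while a long passphrase forces a blind search over a huge keyspace. The Python example below is added here and is not code from the article, the show or OneLogin; it models both sides with a constructed profile (the favorite artist and the birth year behind Dylan2791), computes the blind keyspace in bits, and shows a password-set check that rejects anything on the targeted list. The profile values and the 60-bit floor are assumptions.

```python
import math
import string

# Constructed profile of the kind a cracker scrapes from social media:
# the psychiatrist's favorite artist and her birth year (2791 reversed).
PROFILE = {"words": ["Dylan", "Bob Dylan"], "birth_year": 1972}

def personal_candidates(profile):
    """Yield the passwords a social-engineering guesser tries first: a profile
    word alone or joined with the birth year, the year reversed, or its last
    two digits, in the casings people commonly type."""
    year = str(profile["birth_year"])
    suffixes = (year, year[::-1], year[-2:])
    for word in profile["words"]:
        word = word.replace(" ", "")
        for cased in dict.fromkeys((word, word.lower(), word.upper())):
            yield cased
            for s in suffixes:
                yield cased + s
                yield s + cased

def guesses_to_crack(password, profile):
    """1-based number of targeted guesses needed, or None if not on the list."""
    for i, candidate in enumerate(personal_candidates(profile), 1):
        if candidate == password:
            return i
    return None

def blind_keyspace_bits(password):
    """log2 of the search space a blind brute-force attack faces, assuming the
    attacker knows only which character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes
                   if any(ch in c for ch in password)) or 1
    return len(password) * math.log2(alphabet)

def password_policy_check(password, profile, min_bits=60):
    """Reject passwords on the targeted list or too small for a blind search.
    The 60-bit floor is an assumed policy value, not from the article."""
    if guesses_to_crack(password, profile) is not None:
        return False, "built from known personal facts"
    if blind_keyspace_bits(password) < min_bits:
        return False, "too short for its character set"
    return True, "ok"
```

Run against the two passwords from the article, Dylan2791 is the fourth targeted guess and fails the check, while the Giants passphrase is off the list and carries roughly 173 bits of blind keyspace.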
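The zombie-accounts section calls for HR and IT to deprovision leavers quickly; the check that catches the Tyrell case is a regular reconciliation of the HR roster against the identity provider. The Python example below is added here and is not from the article or OneLogin: it compares a constructed roster with a constructed account export and reports enabled accounts whose owner is terminated, unknown to HR, or long idle, privileged accounts first. Field names, the sample records and the 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample data standing in for an HR roster export and an
# identity-provider account export (real ones arrive as CSV or via API).
HR_ROSTER = [
    {"employee_id": "E100", "name": "Elliot Alderson", "status": "active"},
    {"employee_id": "E200", "name": "Tyrell Wellick", "status": "terminated",
     "termination_date": date(2016, 9, 30)},
    {"employee_id": "E300", "name": "Angela Moss", "status": "active"},
    {"employee_id": "E400", "name": "Gideon Goddard", "status": "active"},
]
IDP_ACCOUNTS = [
    {"username": "ealderson", "employee_id": "E100", "enabled": True,
     "privileged": False, "last_login": date(2016, 10, 3)},
    {"username": "twellick", "employee_id": "E200", "enabled": True,
     "privileged": True, "last_login": date(2016, 10, 2)},
    {"username": "svc-backup", "employee_id": None, "enabled": True,
     "privileged": True, "last_login": date(2016, 4, 1)},
    {"username": "amoss", "employee_id": "E300", "enabled": False,
     "privileged": False, "last_login": date(2016, 10, 3)},
    {"username": "ggoddard", "employee_id": "E400", "enabled": True,
     "privileged": False, "last_login": date(2016, 5, 1)},
]
AUDIT_DATE = date(2016, 10, 4)  # constructed "today" for the sample run

def find_zombie_accounts(roster, accounts, today, stale_days=90):
    """Return enabled accounts that should not be: owner terminated in HR,
    owner unknown to HR, or no login within stale_days. Each finding is
    (username, reason, privileged), privileged ones first."""
    by_id = {e["employee_id"]: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        owner = by_id.get(acct["employee_id"])
        if owner is None:
            reason = "no matching HR record"
        elif owner["status"] == "terminated":
            reason = "owner terminated " + owner["termination_date"].isoformat()
            if acct["last_login"] > owner["termination_date"]:
                reason += ", logged in afterwards"
        elif (today - acct["last_login"]).days > stale_days:
            reason = "no login in %d days" % stale_days
        else:
            continue
        findings.append((acct["username"], reason, acct["privileged"]))
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings
```

On the sample data the terminated executive's account is flagged with a login after his termination date, which is exactly the window the article warns about.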