<p>Cybercrime: Breaches</p><p>2018-12-01, Megan Gates</p>
<p>Three days after detecting a breach of its network that impacted almost 50 million accounts, Facebook notified users of the incident and explained how it acted to prevent the breach from spreading.</p>
<p>“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” wrote Facebook Vice President of Product Management Guy Rosen in a post on the social media company’s website.</p>
<p>“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” Rosen explained. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”</p>
<p>In response to the breach that took place on September 25, Facebook fixed the “View As” vulnerability, informed law enforcement, conducted a force logout for affected accounts, and displayed a notification for affected users when they logged back on. Rosen also said Facebook would conduct a full security review of the “View As” function.</p>
<p>“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen said in his post. “We also don’t know who’s behind these attacks or where they’re based.”</p>
<p>After its initial investigation, Facebook determined that only 30 million accounts were impacted by the breach; almost half of those accounts had their names and contact information stolen from their Facebook profiles.</p>
<p>Facebook is not alone in experiencing a cyber breach in 2018. In the first 203 days of the year, there were 668 publicly disclosed U.S. data breaches—meaning that at that rate, more than 1,200 breaches will have occurred in 2018.</p>
<p>There are roughly 18,000 companies in the United States. By the end of the year, nearly 17,000 of them will have avoided a data breach, according to a recent white paper from the SANS Institute, <em>Breach Avoidance: It Can Be Done, It Needs to Be Done.</em></p>
<p>“The bottom line is that breaches are not inevitable,” the white paper said. “There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed.”</p>
<p>John Pescatore—director of emerging security trends at SANS and former lead security analyst at Gartner—says he was inspired to write the paper after NotPetya ransomware hit FedEx and Maersk, and caused $1 billion in damage between them. Other competitors in their respective industries, Pescatore says, did not see similar damages because they were prepared for the possibility of a ransomware attack.</p>
<p>Focusing on these examples of organizations taking the right steps to be prepared is helpful for industry as a whole, he adds. “There’s no shortage of coverage in the press when the planes crash or when the breaches happen, but we never get to hear: what are those people doing right to escape these things?” Pescatore says. “In particular, with breach avoidance, how did the people who succeeded in minimizing their damage or totally avoiding damage from these breaches that made the press, what were the common things they were doing?”</p>
<p>To find out, Pescatore spoke with CISOs and security directors around the globe who have avoided data breaches to learn how they’re doing it. His research found that “organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets are less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts.”</p>
<p>The first step that organizations are taking to avoid data breaches is taking action in the first place—proactive action, to be specific. As Pescatore wrote, people and software will always have vulnerabilities. But security professionals and their teams can follow several best practices to reduce the risk those vulnerabilities pose.</p>
<p>“By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents,” the white paper explained.</p>
<p>However, this doesn’t mean that organizations should simply purchase a stack of security products to carry out these actions, because there is limited correlation between the amount spent on security and the level of damage caused by a security incident.</p>
<p>“Simply adding layers of security products increases complexity, requires security staff skills that are hard to find, and often results in more disruption to business operations than to attackers,” Pescatore wrote.</p>
<p>In an interview, he tells <em>Security Management</em> that the real differentiator for organizations that have avoided a security breach is that the people they did have were working on the most important things first—“which tended to mean they were ahead of the curve when the attacks actually happened.”</p>
<p>What helps organizations determine which actions to take to prevent and avoid breaches is a cybersecurity framework designed to prioritize protecting the business, as opposed to one focused on compliance.</p>
<p>“Simply achieving compliance can avoid some level of fines, but it does not assure actual protection of business and customer information, nor has it even been shown to provide any legal cover or liability reduction if incidents do occur,” according to the white paper.</p>
<p>Instead, SANS recommends that organizations use cybersecurity frameworks that support business protection and risk reduction, such as the National Institute of Standards and Technology Cyber Security Framework, the Center for Internet Security Critical Security Controls, the PCI Data Security Standards Prioritization Guidelines, or the Health Information Trust Alliance Common Security Framework.</p>
<p>“The use of a cybersecurity framework that prioritizes actions and controls by business risk is key to focusing on what security processes and controls are the most important to avoid incidents that would disrupt business operations or expose customer information,” Pescatore wrote.</p>
<p>In addition to a framework, organizations that are successfully avoiding breaches are also instituting complete, accurate, and prioritized continuous monitoring of their systems. This also requires working with the business side of the organization to ensure that nothing falls through the cracks.</p>
<p>“Security professionals need similarly fresh knowledge of business operations mapped to IT assets to ensure that current and accurate risk assessments cover all critical systems,” the white paper explained.</p>
<p>Once continuous monitoring is implemented, it is likely to produce a high number of vulnerability alerts for security personnel to address. However, organizations that are avoiding breaches prioritize which alerts they address first based on the risk each alert poses to the business.</p>
<p>By doing this, security professionals can get more support across the organization for addressing vulnerabilities and taking action, because the impact to the business is made clear.</p>
<p>“When vulnerabilities are mapped first against active threats that exploit those vulnerabilities and then by criticality to business operations, security teams have been able to justify the need to take immediate patching, reconfiguration, or shielding actions,” the white paper explained.</p>
<p>Additionally, organizations that are avoiding breaches are using playbooks to address incidents—much like physical security professionals use playbooks to walk through the response to a fire in the facility or an active shooter.</p>
<p>These playbooks should recommend “mitigation and shielding steps based on asset criticality and threat classification” so that any security analyst can follow the instructions to reduce risk to the organization, the white paper said.</p>
<p>Playbooks should also be updated regularly to address changes in the IT systems and software that the organization is using.</p>
<p>Once they have implemented these steps, organizations that are avoiding breaches also keep track of their security posture, using metrics to communicate to the CIO, the CEO, and the board what the current risk landscape looks like and how the security team is poised to address it.</p>
<p>“The most effective security programs develop processes and methodologies to provide high-level views of risk that are understood by management even though they are derived from data that is used by both security and IT operations for tactical decision making,” according to the white paper.</p>
<p>To do this, SANS recommends security professionals track three main metrics: time to detect, time to respond, and time to restore. “The three ‘time to’ metrics discussed above have proven critical to measuring and increasing the efficiency and effectiveness of a security operations center,” the white paper said. “Higher level metrics and measurements are needed to manage the overall security program, and for effective presentation to the C-suite and the board of directors.”</p>
<p>Effective communication with the board has been a priority for CISOs over the past year, Pescatore explains, because boards are looking for CISOs to bring them strategies to deal with risks to the business—not just what the risks are.</p>
<p>“Part of this is for CISOs to think through the business side of it—what possible risks have the biggest impact to the business and what are the strategies for removing those risks,” Pescatore says.</p>
<p>Examples of this in action that the white paper detailed include showing a decline in risk due to faster patching or shielding, improved cybersecurity hygiene, and improved focus on avoiding software vulnerabilities.</p>
<p>“Trend analysis of threats, vulnerabilities, and business impact allow CISOs to demonstrate success, as well as document lessons learned from failures, and support justification for the overall strategic cybersecurity approach and any necessary tactical actions,” the white paper said.</p>
<p>All of these factors coming together help organizations avoid cybersecurity breaches, or—when they do occur—respond to them in a timely manner to reduce the overall impact to the business.</p>
<p>“What we always say in security is everybody who succeeds has found a way to mix people, processes, and technology,” Pescatore says. “People, processes, and technology, and being able to prioritize—it’s easy to say those things but to have that focus and the prioritization built in is the difference maker.”</p>
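<p>The three practices the white paper describes above (mapping vulnerabilities first against active threats and then against business criticality, choosing a playbook step from threat classification and asset criticality, and tracking the “time to detect / respond / restore” metrics as a trend) can be put into working form in a few dozen lines. The following Python is an added example, not code from the article or from the SANS white paper; the asset names, criticality scores, action thresholds, vulnerability identifiers and incident timestamps are all constructed assumptions.</p>

```python
"""Added example (not code from the article or the SANS white paper):
a small breach-avoidance toolkit on constructed data. Every name, field,
threshold and sample value below is an assumption made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Vulnerability:
    vuln_id: str              # constructed identifier, not a real CVE number
    asset: str                # business system the finding was made on
    actively_exploited: bool  # threat intelligence reports exploitation in the wild
    cvss: float               # base severity, used only as a tiebreaker


# Constructed map of asset -> business criticality (1 = low, 5 = critical).
ASSET_CRITICALITY: Dict[str, int] = {
    "payments-gateway": 5,
    "customer-db": 5,
    "marketing-cms": 2,
    "dev-wiki": 1,
}

# Constructed scan results. A pure CVSS sort would order them V-2, V-4, V-1, V-3;
# the threat-then-criticality rule orders them V-3, V-1, V-2, V-4.
SAMPLE_VULNS: List[Vulnerability] = [
    Vulnerability("V-1", "marketing-cms", True, 7.5),
    Vulnerability("V-2", "payments-gateway", False, 9.8),
    Vulnerability("V-3", "customer-db", True, 6.5),
    Vulnerability("V-4", "dev-wiki", False, 9.0),
]


def prioritize(vulns: List[Vulnerability], criticality: Dict[str, int]) -> List[Vulnerability]:
    """Order findings as the white paper describes: active threats first,
    then business criticality of the asset, then raw severity as a tiebreaker."""
    return sorted(
        vulns,
        key=lambda v: (not v.actively_exploited, -criticality.get(v.asset, 1), -v.cvss),
    )


def recommended_action(v: Vulnerability, criticality: Dict[str, int]) -> str:
    """Playbook step chosen from threat classification and asset criticality.
    The thresholds and wording are assumptions for this example."""
    crit = criticality.get(v.asset, 1)
    if v.actively_exploited and crit >= 4:
        return "patch immediately or take the asset offline"
    if v.actively_exploited:
        return "shield now (block, segment, or disable the feature), then patch"
    if crit >= 4:
        return "patch in the next maintenance window"
    return "track and patch in the normal cycle"


@dataclass
class Incident:
    started: datetime    # first attacker activity, established by forensics
    detected: datetime   # when the security team became aware
    responded: datetime  # first containment action
    restored: datetime   # affected service back to normal operation


def _incident(start: datetime, detect_h: int, respond_h: int, restore_h: int) -> Incident:
    """Build a constructed incident from hour offsets relative to its start."""
    return Incident(start, start + timedelta(hours=detect_h),
                    start + timedelta(hours=respond_h), start + timedelta(hours=restore_h))


# Constructed incident records with round-number durations.
SAMPLE_INCIDENTS: List[Incident] = [
    _incident(datetime(2018, 1, 1), detect_h=48, respond_h=50, restore_h=72),
    _incident(datetime(2018, 2, 1), detect_h=24, respond_h=25, restore_h=30),
]


def time_to_metrics(incidents: List[Incident]) -> Dict[str, float]:
    """Mean time to detect, respond and restore, in hours. This example measures
    detection from first attacker activity and the other two from detection."""
    def hours(delta: timedelta) -> float:
        return delta.total_seconds() / 3600

    n = len(incidents)
    return {
        "time_to_detect_h": sum(hours(i.detected - i.started) for i in incidents) / n,
        "time_to_respond_h": sum(hours(i.responded - i.detected) for i in incidents) / n,
        "time_to_restore_h": sum(hours(i.restored - i.detected) for i in incidents) / n,
    }


def improvement(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Percent reduction per metric between two periods: the trend a CISO shows the board."""
    return {k: round(100.0 * (previous[k] - current[k]) / previous[k], 1) if previous[k] else 0.0
            for k in previous}


if __name__ == "__main__":
    for v in prioritize(SAMPLE_VULNS, ASSET_CRITICALITY):
        print(v.vuln_id, v.asset, recommended_action(v, ASSET_CRITICALITY))
    print(time_to_metrics(SAMPLE_INCIDENTS))
```

<p>The sort key is the whole point: exploitation-in-the-wild outranks severity, and the criticality of the asset outranks the CVSS number, which is why a 6.5 on the customer database lands at the top and a 9.0 on a developer wiki lands at the bottom. The metric definitions (detection measured from first attacker activity, response and restoration measured from detection) are one reasonable convention; whichever convention a team picks, it has to be held constant for the trend to mean anything.</p>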


<p>You May Also Like...</p>
<p>Review: Emergency Planning for Nuclear Power Plants</p>
<p>Published by Routledge; 362 pages; $105.</p>
<p>Starting with a sound historical platform, <em>Emergency Planning for Nuclear Power Plants</em> prepares the reader to understand the complex nature and evolution of emergency preparedness requirements for nuclear power plants. The author focuses on the technical basis for nuclear emergency planning and provides the reader with a good understanding of issues and risks from a radiological dose perspective. He also leaves room to apply emergency management principles, such as fire and security, that also play a role in response planning.</p>
<p>The book explains how certain directions taken by the U.S. Nuclear Regulatory Commission have helped shape the industry abroad. A key example is a discussion on reactor consequence analysis and the probabilistic risk assessment that is used widely across the industry. The author's focus is on U.S. regulations, although one could argue that the difference in regulation today across countries is not significant, thus increasing the relevance of the book to industry emergency managers around the world.</p>
<p>The discussion centers on emergency planning considerations that address the issues associated with two reactor types—pressurized water reactors and boiling water reactors—that are prevalent in the United States. Some risks attributed to other reactor types are not fully addressed in the book.</p>
<p>By effectively deploying mitigation strategies developed since the Fukushima nuclear accident in 2011, the expected radiological dose from large-scale nuclear accidents can be significantly reduced. The author provides good explanations of all aspects of emergency planning. However, too much detail in some sections might confuse the reader. Still, this book is a must-read for all nuclear industry emergency planning managers.</p>
<p><em>Reviewer: Dan McArthur has more than 30 years of experience in the nuclear industry and now serves as senior strategist at Bruce Power, where he focuses on regulatory and government affairs pertaining to emergency management policy. He is a member of the Canadian Standards Association providing technical input and guidance on emergency preparedness requirements for nuclear power plants in Canada.</em></p>
<p>Jam</p>
<p>Much of the western United States was put on notice earlier this year when the U.S. Air Force announced that it would be blocking GPS signals on its base south of Las Vegas, Nevada. The tactic—which occurred during an annual month-long military training exercise—could cause air traffic disruption and potentially require flight rerouting due to inconsistent GPS, the notice stated. While the Air Force would not confirm that the GPS disruption was a part of its yearly exercises, experts believe that the military is training its pilots to fly in conditions where GPS signals are inaccurate or nonexistent—a scenario that has become increasingly common.</p>
<p>Thirty-one satellites currently orbiting the earth transmit signals to civilian and military terrestrial receivers, essentially using time signals to run location-based devices and activities and to sync networks around the world. The satellites—called the GPS constellation—are owned by the United States and operated by the Air Force. Since 1978, the satellites have provided location, navigation, and timing capabilities to the military, and an unencrypted version became available for public use in the 1980s. Over the years, the signals from the GPS constellation have become critical for a variety of applications, including communications, precise time measurements, and critical infrastructure technologies—in addition to the military uses of navigation, target tracking, and missile guidance.</p>
<p>However, the signal—which is inherently weak—is susceptible to outside interference. Anything from space weather to malfunctioning machinery to malicious actors can cause problems with GPS, including blocking the signal—called jamming—and sending false signals, known as spoofing. Even small interferences can cause big headaches.</p>
<p>For example, a man who drove a company car purchased a GPS jammer to keep his boss from knowing his whereabouts, but when he passed near Newark airport in New Jersey, the jammer blocked signals from reaching the air traffic controller system. Although the sale and use of jammers is illegal in the United States, they can be purchased online for less than $50 and can successfully hide a vehicle's location.</p>
<p>In January 2016, a routine equipment switch caused a series of 13-microsecond timing errors in half of the GPS constellation satellites, which triggered about 12 hours of confusion for computers, networks, and timing devices around the world.</p>
<p>The U.S. government has referred to GPS as a single point of failure for critical infrastructure and, in 2004, called for the U.S. Department of Transportation to acquire a backup capability for GPS. However, an alternative has never come to fruition.</p>
<p>U.S. President Donald Trump reemphasized the need for redundancy by including a section in the 2018 National Defense Authorization Act that requires the U.S. Departments of Defense, Transportation, and Homeland Security to demonstrate a GPS backup capability within the next 18 months.</p>
<p>"We were concerned that the federal government was not doing all of the things it said it would do in order to protect GPS signals, which are being interfered with on a regular basis," says Dana Goward, the president of the Resilient Navigation and Timing Foundation (RNTF). He established the nonprofit in 2013 to protect, toughen, and augment GPS signals. "Since we started, over the last five years, GPS has been interfered with more and more," he notes.</p>
<p>Goward and other members of RNTF are also members of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board, which has existed since the call for a GPS backup capability was issued in 2004.</p>
<p>It's hard to tell exactly how big an impact a widespread GPS outage would have on critical infrastructure sectors around the world, but Goward notes that glitches such as the January 2016 blip can foreshadow what systems might be affected. "The implementation and use of GPS signals is so widely spread for so many different things it was never intended to be used for that it's really impossible to outline all the bad things that would happen and the sequence in which they would occur," he says. "But there are some things we do know."</p>
<p>Say a terrorist plants a high-powered GPS jammer hidden in a suitcase in the middle of a city. Transportation will probably be the first system visibly affected, which could quickly impact an entire metropolitan area, Goward says. Traffic lights will become desynchronized and GPS-based apps will no longer function, creating distracted and dangerous driving conditions. Airplanes and other forms of mass transportation will have to slow down or alter routes to stay in contact with people who can keep them on course. Package delivery routes as well as land, sea, and air-based supply chain operations will be disrupted. "All forms of transportation will be forced to carry less capacity in the area," Goward notes.</p>
<p>Countless systems that rely on GPS's perfectly synchronized timing—including data networks, financial activities, the electric grid, and other utilities—will slowly become out of sync, causing system failures.</p>
<p>"When the networks start to fall apart, it's hard to tell how much of a cascading failure you're going to see," Goward notes. "Networks depend on each other. It's really such a vast and hyper complex system, the structures of which are not known and may not be knowable."</p>
<p>Preventing GPS glitches is a multifaceted challenge. The GPS satellites themselves are fairly resilient—they are replaced on a rotating basis depending on their estimated operational life. Still, mechanical glitches like the one that caused the January 2016 blip are possible. The signals transmitted from the satellites are even weaker than cosmic background noise, and Goward notes that even upgraded equipment won't substantially change the strength.</p>
<p>"The basic problem is fundamental physics," Goward says. "Satellites are 12,500 miles up in space and powered by solar panels and transmitting all the time—unlike other satellites that can store up their solar power, GPS satellites have to transmit all the time. They will always be really weak and easy to interfere with."</p>
<p>An inherent area of weakness is the equipment used to receive the GPS signal sent by the satellites—anything from cell phones to networks to military ground stations that encrypt the signal.</p>
<p>"Most GPS receivers in use right now are very vulnerable to jamming and spoofing," Goward notes. "The technology in terms of antennas and software is available to make them much less susceptible to jamming and spoofing, but it costs a little extra and users don't feel motivated to incorporate anti-jamming and spoofing technology into their receivers and systems, even when they involve and support critical infrastructure like phone and IT networks."</p>
<p>RNTF is working with the government to establish guidance or best practices to improve GPS receiver security. While a fix is relatively simple, Goward says he doubts most companies will make the upgrade unless they are told to do so or they experience a GPS-induced crisis. "We think that for critical infrastructure applications there's a government role there to advocate for, encourage, and perhaps require users to have the latest anti-jamming and spoofing technology."</p>
<p>Military-level encrypted GPS signals aren't exempt from jamming or spoofing, either. While the use of a secured ground system to control the broadcast of an encrypted signal, along with military-grade receivers, provides an inherent level of protection, it's not foolproof—and it only works when it's used properly.</p>
<p>"Because of the encryption, that makes military receivers as a practical matter more difficult to use, so we had seen any number of photographs of military folks in the field with GPS receivers they bought at Walmart strapped to their arms and using them instead of military receivers," Goward notes. Encrypted equipment tends to be stored under lock and key—and is usually unwieldy—making it more cumbersome to use.</p>
<p>It's suspected that the infamous straying of a U.S. naval ship into Iranian waters in 2016 was a result of the sailors using unencrypted receivers that allowed Iran to spoof the signal and direct them into the country's territory. And headlines were made when the movements of U.S. military personnel at several overseas bases could be tracked via a GPS-based fitness app—no jamming or spoofing required.</p>
<p>The U.S. Department of Defense (DoD) is in the middle of upgrading the military ground systems and replacing the current GPS constellation—which is near the end of its intended operational life—but the efforts have faced a series of setbacks. The new generation of satellites, called GPS III, is expected to provide a stronger signal that is more resistant to spoofing and jamming and will permit interoperability with other global navigation systems. But, according to the U.S. Government Accountability Office (GAO), the acquisition and timeline of deploying the new satellites has run into several roadblocks, delaying the launch of the new equipment.</p>
<p>For example, the first GPS III satellite built, which is slated to become operational in 2019, includes energy storage devices that had not been appropriately tested by the subcontractor. When the Air Force discovered the failure to test the equipment, it made the subcontractor remove the devices from the second and third satellites currently being built, but "decided to accept the first satellite and launch it 'as is' with the questionable capacitors installed," the GAO reports. The rest of the GPS III satellites are expected to be launched and operational—replacing the current devices—by 2021.</p>
<p>Three components of the upgrade—the new ground control systems, GPS III satellites, and contingency operations programs—are expected to face "numerous challenges" over the next 18 months, GAO notes. "If any of the three programs cannot resolve their challenges, the operation of the first GPS III satellite—and constellation sustainment—may be delayed."</p>
<p>Meanwhile, Goward and the RNTF are continuing to encourage the government to promote more secure GPS receiver technology and build a backup capability for when—not if—the GPS signal fails.</p>
<p>"We are concerned that the federal government does not have a central point of accountability for protecting GPS," Goward explains. "It's possible that this lack of responsibility and governance will mean that nothing is going to happen until the nation has suffered substantial damage because of the failure to protect, toughen, and augment GPS."</p>
<p>Review: Hacked Again</p>
<p>Publishing; 202 pages; $34.95</p>
<p>If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, <em>Hacked Again</em> is a good resource to have in your library.</p>
<p>Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.</p>
<p>Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.</p>
<p>The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.</p>
<p>Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.</p>
<p><em><strong>Reviewer: Kevin Cassidy</strong> is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.</em></p>