Social Engineering

The Internet And The Future of Online Trust
https://sm.asisonline.org/Pages/The-Internet-And-The-Future-of-Online-Trust.aspx
By Megan Gates, 2017-08-11

<p>How will online trust change over the next decade? That was the focus of a new <a href="http://www.pewinternet.org/2017/08/10/the-fate-of-online-trust-in-the-next-decade/#vinton-cerf" target="_blank">nonscientific canvassing of 1,233 individuals</a> by the Pew Research Center and Elon University’s Imagining the Internet Center, which found that most experts think “lack of trust” won’t be a barrier to society’s reliance on the Internet.</p>
<p>The survey partners asked 1,233 individuals, including technologists, scholars, practitioners, strategic thinkers, and other leaders: “Will people’s trust in their online interactions, their work, shopping, social connections, pursuit of knowledge, and other activities be strengthened or diminished over the next 10 years?”</p>
<p>Forty-eight percent of respondents said they think online trust will be strengthened, 28 percent reported that trust will remain the same, and just 24 percent said trust will be diminished.</p>
<p>“Many of these respondents made references to changes now being implemented or being considered to enhance the online trust environment,” according to Pew. “They mentioned the spread of encryption, better online identity-verification systems, tighter security standards in Internet protocols, new laws and regulations, new techno-social systems like crowdsourcing and up-voting/down-voting, or challenging online content.”</p>
<p>For instance, Adrian Hope-Bailie, standards officer at blockchain solution provider Ripple, participated in the survey and said technology advancements are bringing together disparate but related fields, like finance, health care, education, and politics.</p>
<p>“It’s only a matter of time before some standards emerge that bind the ideas of identity and personal information with these verticals such that it becomes possible to share and exchange key information, as required, and with consent to facilitate much stronger trusted relationships between users and their service providers,” Hope-Bailie explained.</p>
<p>One technology that respondents were asked about in particular was blockchain and the role it might play in fostering trust on the Internet. Blockchain is a digital ledger system that is encryption-protected and used to facilitate validated transactions and interactions that cannot be edited.</p>
<p>Other experts, however, were less optimistic about the future of trust in online interactions. Vinton Cerf, vice president and chief Internet evangelist at Google, and co-inventor of the Internet Protocol, participated in the survey and said that trust is “leaking” out of the Internet.</p>
<p>“Unless we strengthen the ability of content and service suppliers to protect users and their information, trust will continue to erode,” he explained. “Strong authentication to counter hijacking of accounts is vital.”</p>
<p>Overall, the survey found six major themes on the future of trust in online interactions:</p>
<ol>
<li>Trust will strengthen because systems will improve and people will adapt to them and more broadly embrace them.</li>
<li>The nature of trust will become more fluid as technology embeds itself into human and organizational relationships.</li>
<li>Trust will not grow, but technology usage will continue to rise, as a “new normal” sets in.</li>
<li>Some say blockchain could help; some expect its value might be limited.</li>
<li>The less-than-satisfying current situation will not change much in the next decade.</li>
<li>Trust will diminish because the Internet is not secure, and powerful forces threaten individuals’ rights.</li>
</ol>


<ul>
<li><a href="https://sm.asisonline.org/Pages/The-Internet-And-The-Future-of-Online-Trust.aspx">The Internet And The Future of Online Trust</a> (2017-08-11)</li>
<li><a href="https://sm.asisonline.org/Pages/DHS-Official-Says-Russia-Tried-to-Hack-21-States-in-2016-Election.aspx">DHS Official Says Russia Tried to Hack 21 States in 2016 Election</a> (2017-06-21)</li>
<li><a href="https://sm.asisonline.org/Pages/Most-U.S.-Hospitals-Have-Not-Deployed-DMARC-To-Protect-Their-Email-Systems.aspx">Most U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems</a> (2017-06-16)</li>
<li><a href="https://sm.asisonline.org/Pages/Book-Review---Social-Media-Risk-and-Governance.aspx">Book Review: Social Media Risk and Governance</a> (2016-11-01)</li>
<li><a href="https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx">The Top Five Hacks From Mr. Robot, And How You Can Prevent Them</a> (2016-10-21)</li>
<li><a href="https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx">Spoofing the CEO</a> (2016-10-01)</li>
<li><a href="https://sm.asisonline.org/Pages/Book-Review---Cybervetting.aspx">Book Review: Cybervetting</a> (2016-05-01)</li>
<li><a href="https://sm.asisonline.org/Pages/How-to-Protect-PII.aspx">How to Protect PII</a> (2016-02-16)</li>
<li><a href="https://sm.asisonline.org/Pages/Smart-and-Secure.aspx">Smart and Secure</a> (2016-01-19)</li>
<li><a href="https://sm.asisonline.org/Pages/Book-Review---Social-Crime.aspx">Book Review: Social Crime</a> (2016-01-04)</li>
<li><a href="https://sm.asisonline.org/Pages/Book-Review---Online-Risk.aspx">Book Review: Online Risk</a> (2015-12-01)</li>
<li><a href="https://sm.asisonline.org/Pages/La-Revolución-del-Internet-de-las-Cosas.aspx">La Revolución del Internet de las Cosas</a> (2015-11-12)</li>
<li><a href="https://sm.asisonline.org/Pages/The-IOT-Revolution.aspx">The IOT Revolution</a> (2015-10-26)</li>
<li><a href="https://sm.asisonline.org/Pages/Teach-a-Man-to-Phish.aspx">Teach a Man to Phish</a> (2015-09-09)</li>
<li><a href="https://sm.asisonline.org/Pages/Communication-in-Crisis.aspx">Communication in Crisis</a> (2015-09-01)</li>
<li><a href="https://sm.asisonline.org/Pages/Ediscovery-and-the-Security-Implications-of-the-Internet-of-Things.aspx">Ediscovery and the Security Implications of the Internet of Things</a> (2015-04-13)</li>
<li><a href="https://sm.asisonline.org/Pages/The-New-Recruits.aspx">The New Recruits</a> (2015-04-01)</li>
<li><a href="https://sm.asisonline.org/Pages/The-Lone-Terrorist.aspx">The Lone Terrorist</a> (2015-03-01)</li>
<li><a href="https://sm.asisonline.org/Pages/Big-Answers.aspx">Big Answers</a> (2014-12-01)</li>
<li><a href="https://sm.asisonline.org/Pages/Analytics-for-Everyone.aspx">Analytics for Everyone</a> (2014-11-01)</li>
</ul>

You May Also Like...

How to Protect PII
https://sm.asisonline.org/Pages/How-to-Protect-PII.aspx

<p>If you are an employee, a student, a patient, or a client, your personally identifiable information (PII) is out there, and prime for hacking. In October, the U.S. Government Accountability Office (GAO) added protecting the privacy of PII to its list of high-risk issues affecting organizations across the country. All organizations, from large federal agencies to universities, hospitals, and small businesses, store PII about their employees, clients, members, or contractors. And, as seen in recent large-scale cyberattacks, PII is a hot commodity for malicious attackers.</p>
<p>According to the U.S. Office of Management and Budget, PII is any information that can be used alone or with other sources to uniquely identify, contact, or locate an individual. However, the definition of PII can depend on the context in which the information is used, according to Angel Hueca, information systems security officer with IT consulting company VariQ. For example, a name by itself is innocuous, but that name combined with a personal e-mail address, a Social Security number, or an online screenname or alias could give bad actors all they need to wreak havoc on a person or company.</p>
<p>And it appears that no one is immune to the risk of compromised PII. According to research by the GAO, 87 percent of Americans can be uniquely identified using only three common types of information: gender, date of birth, and ZIP code.</p>
<p>If PII is leaked, the consequences for both affected individuals and organizations can be damaging, says Hueca. Companies may face large fines or legal action if the PII they hold is breached, especially if the organization didn’t comply with outlined customer agreements or federal regulations, or if the breach violates the Health Insurance Portability and Accountability Act. A breach can also be reputation-damaging and cost the company employees and clients, Hueca notes.</p>
<p>Hueca stresses the importance of educating all employees, regardless of whether they have access to the company’s PII, about cybersecurity awareness and online behavior. Even using a personal e-mail at work or posting an image of their workspace on their social media account could lead to the leak of PII; there may be confidential information inadvertently documented in the photo, Hueca points out.</p>
<p>A more common occurrence is someone with access to an organization’s PII database inadvertently forwarding an e-mail with sensitive information, such as a client’s case number or an employee’s personal contact information. For example, in 2014, a Goldman Sachs contractor accidentally sent an e-mail with confidential brokerage account information to a Google e-mail address instead of to the contractor’s personal e-mail. Goldman Sachs went to the New York State Supreme Court to ask Google to block the recipient from accessing the e-mail to prevent a “needless and massive” data breach. The court didn’t rule on the case, because Google voluntarily blocked access to the e-mail.</p>
<p>Hueca says that segregating duties and tightly controlling who has access to certain information can help with this issue. Often, HR or administrative employees may need access to some PII, but not all of it; isolating potentially sensitive information can prevent harmful leaks.</p>
<p>How an organization’s network is set up can help prevent the accidental or malicious transfer of PII. Hueca suggests keeping sensitive information segregated from the rest of the network environment: if there is a breach, hackers will have to break through a second firewall to access the information. Organizations should also take advantage of standard content tracking software to spot suspicious activity.</p>
<p>“Fortunately, many organizations have something called content filtering, which are tools that are able to filter information as it comes in and out of the organization,” Hueca explains. “If there’s something that looks like a Social Security number, with nine digits, being sent out, the tool will alert an administrator that this activity is happening, which could be accidental or malicious.”</p>
<p>The U.S. Department of Homeland Security’s (DHS) handbook for safeguarding PII says only secure, organization-issued electronic devices should be used to view sensitive information. If an employee must access PII on a portable device, such as a laptop, USB, or external hard drive, the data should be encrypted. And if PII must be e-mailed within the office, DHS strongly recommends password-protecting the data within the e-mail.</p>
<p>Lastly, Hueca recommends that all companies have an incident response plan in place specifically for the malicious theft of PII.</p>
<p>“This is something that most organizations don’t think about, having an incident response plan specifically for a PII breach,” Hueca says. “What happens if you do get breached? What are the steps? Talk about what-ifs. Once you have a notification in place, you get alerted, what do you do? Try to segregate it from other sensitive data and figure out what happened.”</p>
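<p>Hueca’s description of a content filter that flags a nine-digit string that looks like a Social Security number is the outbound-scanning step of a data loss prevention gateway. The script below is an added example written for this page, not code from VariQ, DHS, or any product the article names. It assumes the filter runs over the plain text of an outbound e-mail body, applies the Social Security Administration’s structural rules for issued numbers to cut the false positives a bare nine-digit match would produce, and reports only the last four digits so the alert does not itself leak the PII. The sample message is constructed for the example.</p>

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Nine digits in the usual SSN layouts (123-45-6789, 123 45 6789, 123456789).
# The lookarounds refuse matches embedded in longer digit runs, so a 12-digit
# order number or a 10-digit phone number does not trigger the filter.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes for issued numbers: the area is never
    000, 666 or 900-999, and the group and serial are never all zeros."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    line_no: int
    masked: str  # only the last four digits survive, so the alert does not leak the SSN


def scan_outbound_message(text: str) -> list[Finding]:
    """Return one Finding per plausible SSN found in an outbound message body."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SSN_PATTERN.finditer(line):
            area, group, serial = match.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(line_no, f"***-**-{serial}"))
    return findings


def should_alert(text: str) -> bool:
    """The gateway decision: hold the message and notify an administrator
    whenever at least one plausible SSN is present."""
    return bool(scan_outbound_message(text))


# Constructed sample message (not real data): one genuine-looking SSN, one phone
# number, one long order id, and three structurally invalid nine-digit strings.
SAMPLE_EMAIL = (
    "Hi,\n"
    "The client's SSN is 219-09-9999 as requested.\n"
    "Call me at 555-123-4567.\n"
    "Order 123456789012 shipped.\n"
    "Test 000-12-3456 and 666-12-3456 and 900-12-3456.\n"
)

if __name__ == "__main__":
    for finding in scan_outbound_message(SAMPLE_EMAIL):
        print(f"line {finding.line_no}: possible SSN {finding.masked}")
    print("alert administrator:", should_alert(SAMPLE_EMAIL))
```

<p>Run stand-alone, it reports a single finding on line 2 and an alert decision of True; the phone number, the 12-digit order id, and the three structurally invalid strings are ignored. The same check belongs on attachments and on the decoded form of web uploads, which this example does not attempt.</p>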
Book Review: Physical Security and Safety
https://sm.asisonline.org/Pages/Book-Review---Physical-Security-and-Safety.aspx

<p>Physical Security and Safety: A Field Guide for the Practitioner. By Truett A. Ricks, Bobby E. Ricks, and Jeffrey Dingle. Published by CRC Press; crcpress.com; 179 pages; $89.95.</p>
<p>This comprehensive, yet simple to use, overview of basic concepts relating to physical security and safety covers security fundamentals such as CCTV, lighting, security surveys, and risk assessments. The first part of the book covers the theory and concepts of security, including identification of security threats and vulnerabilities, protection, and risk assessment. The second half examines physical protection, including access and perimeter control, alarm systems, and IT issues.</p>
<p>The format of the book allows the security professional to quickly glance at a chapter on an area of interest and find the salient information. For example, while working on a lighting survey, the reader can find an overview of the types of lighting as they relate to a security project, as well as a foot-candle chart indicating what is appropriate for a particular setting.</p>
<p>Beyond its role as a field guide, the text provides such a vast overview of security concepts that it could also serve well as a study guide for many industry certifications. A brief, practical chapter on writing effective policies and procedures is clear and concise and outlines the goals and the requirements of policies and procedures. In this area, simple is often better, and the guidance here is excellent.</p>
<p><em>Physical Security and Safety</em> dedicates a useful amount of space to regulatory bodies (OSHA, NIOSH, NFPA, for example) and their impact on security and safety. While the book does not claim to be an all-encompassing guide to industry standards and regulations, it can serve as a quick reference so the practitioner will know if a particular regulation must be further researched.</p>
<p>The book’s appendix includes a practical and flexible security survey (security checklist) that can serve as the foundation for reports and assessments the reader may find the need to develop.</p>
<p><em><strong>Reviewer: Michael D'Angelo, CPP</strong>, is the security manager for Baptist Health South Florida. He is a retired police captain from the South Miami, Florida Police Department where he served for 20 years. He is an ASIS member who serves on both the Healthcare Security Council and the ASIS Transitions Ad Hoc Council.</em></p>
Analytics for Everyone
https://sm.asisonline.org/Pages/Analytics-for-Everyone.aspx

<p>It’s ubiquitous. From targeted ads on Facebook to customer loyalty cards to Gmail cookies, companies are hungry for information about you. Business intelligence, the gathering and analyzing of information for purposes of commerce, is rapidly advancing on several fronts, not least in security. The amount of information available to organizations and employees is ever increasing. Big Data keeps getting bigger, analytical methods grow more and more sophisticated, and the number of tools available to extract meaning from that information multiplies.</p>
<p>The most prevalent trend in business intelligence, some experts say, is the democratization of data crunching. The use of sophisticated analytical tools is no longer the exclusive province of one or two specialized analysts in the organization. Instead, these tools are being made available to employees on the front lines, whether they be members of a sales team or security officers working at a remote location. Mobile applications and cloud computing are making access to these tools easier.</p>
<p>Here, Security Management takes a look at a few examples of cutting-edge business intelligence practices and how they apply to security, such as a solution derived from creative analysis of social media data and the mobile use of integrated analytics for crisis management situations. We then look at the big picture and survey some broader trends in business intelligence and their relationship to security, and take a peek at a few challenges the future may hold.</p>
<p><strong>Social Media</strong></p>
<p>Social media monitoring is becoming a popular practice in the business community. Whether it be for a reputation management program or for obtaining feedback on a particular service or product, more organizations are monitoring channels like Twitter and Facebook.</p>
<p>For example, international security expert Hart Brown has developed a business intelligence tool that goes beyond monitoring. Brown, who sits on the ASIS International Crisis Management and Business Continuity Council, is an intelligence veteran who has worked at both the U.S. Department of Defense and the U.S. State Department. A few years ago, Brown was international security manager for a company that was highly active in various regions of Mexico. Given its engagement, the firm needed timely news coverage of all the regional markets in Mexico that it was involved in.</p>
<p>But this proved hard to come by. In regions outside of major cities, there was often sparse coverage; CNN-type breaking news reports did not exist. And sometimes, when sufficient media were present, news agencies were pressured by criminal cartels not to report certain developments. “In that country, news is very complicated, and in many cases censored,” Brown says. “We just could not get reliable information about what was going on.” Twitter, however, had the reach that traditional media did not.</p>
<p>As Brown describes it, he was in need of a system that would accomplish two main objectives. First, he needed an early warning or alert system that the stability of a particular town or region was being threatened. Be it a fire, earthquake, gunfight, kidnapping, or some other event, he wanted to know as soon as the incident started happening.</p>
<p>Second, he wanted to be able to gauge the event’s severity: specifically, how disruptive it would be, and whether its impact was increasing or diminishing over time. This included an ability to assess how much stability had returned the day after an event, which would help the company decide if it had to alter its operations on the ground. A straightforward social media monitoring system would not be sufficient to achieve these two objectives, according to Hart: “It certainly wasn’t enough for me. We had to put some analytics to it,” he says.</p>
<p>So Brown built a solution through the use of Netvibes, a program popular in the advertising and marketing fields for social media and news tracking. First, he had to ensure that he knew the language spoken by the local community. Whatever the event, he learned the various phrasings used to describe it, including colloquialisms that locals might use on Twitter. He did this by combing through volumes of reports of traditional media and identifying keywords to use in the algorithm.</p>
<p>He then established baselines for the keywords, which represented how many times they would occur in normal everyday Twitter discourse. Brown could then measure the rate of change when an event occurred and usage of the keyword shot up. For example, on a normal day without incident, the Spanish word for gunfight may occur 10 times, in innocent contexts such as a movie description. When a real gunfight occurs, the usage number may spike to 100, or a rate of change of 10 times the baseline.</p>
<p>Brown arranged for the system to send out an e-mail alert when the spike reached a certain level, signifying a noteworthy event was under way. Typically, such an alert would go out less than an hour after the actual start of the event, a testament to the real-time power of Twitter.</p>
<p>Once the tool saw frequent use, it became evident that the steepness in the keyword usage spike correlated to the severity of the incident in question. For example, in April, the city of Tampico “turned into a war zone” due to violence from drug cartels and gangs. “We were able to see the war was starting within an hour,” Brown says. The spike was roughly 40 times above the normality baseline, and from that steep spike Brown could tell that the local reaction was serious enough to drive many residents and businesses into lockdown mode. “As far as the initial shock, there’s absolutely a correlation,” Brown says.</p>
<p>The correlation is so solid that it helps Brown make real-life operations decisions. For example, after one violent event, Brown was unsure whether the company’s equipment trucks could drive through the area. Brown gauged the level of chatter, and made the assessment: “There’s a lot of checkpoints and it’s going to be slow, but there’s not violence.” The trucks were sent forward; the assessment held true.</p>
<p><strong>Crisis Intelligence</strong></p>
<p>Brown’s intelligence tool, in essence, uses social media data to analyze the extent of an event’s destabilizing force. Some businesses, however, use intelligence tools that deploy analytics on the fly, and in equally challenging situations.</p>
<p>Imagine, for example, that you are a chief of security for a large company that has a strong presence in Colombia. There is an earthquake in Bogota, where your company has several offices and many employees. The city is engulfed in chaos, and your employees have no idea who might be affected, or if anyone is in distress and needs assistance.</p>
<p>Such a situation demands a rapid analysis of all available information, so that some sort of response can be taken. However, “you can’t act if you don’t have good information, and you don’t know where your people are,” says Dan Richards, CEO of Global Rescue, an emergency evacuation and field rescue firm.</p>
<p>During these challenging situations, some firms use a type of business intelligence tool that consolidates different platforms within crisis management and response environments into a mobile application, Richards says. These types of systems combine and correlate different data sets, such as the firm’s enterprise footprint and the parameters of the event, to give each user a quick and clear picture of where employees and assets are and what areas of the city have been affected.</p>
<p>These tools also integrate with a communication component that allows for messages to be sent to selected employees or to everyone. The system tracks who received and replied to messages and who did not, analyzes this information, and then continually updates each employee’s status.</p>
<p>“When you look at any major crisis when there’s a lot of people involved, a lot of time is wasted in trying to confirm that people who may be in distress are actually hurt,” Richards says. The system also keeps track of all operational responses that the company has taken in real time and automatically informs employees who need to know such updates.</p>
<p>In addition, these systems can be set up to periodically ping a staffer’s smartphone, so that the return ping “leaves a breadcrumb trail” as to the employee’s location, Richards says. In this way, if an event like an earthquake or flood disables a staffer’s device, the last location before the device stopped working can be ascertained.</p>
<p>In Richards’s view, the use of such business intelligence systems for crisis management is growing, in part because “there’s relatively lean staffing in security.” A company of 10,000 employees, for example, may have only six crisis management executives. “That’s not an advantageous ratio,” Richards says. “You need to have a set of tools that will be extraordinarily effective.”</p>
<p><strong>Data Analysis</strong></p>
<p>A tool such as the one Richards describes, which tracks the whereabouts and status of employees in the field, may also be used in noncrisis situations by a company with a highly mobile work force. “With more people working at home, and off site, keeping track of this decentralized work force has become an increasing challenge,” Richards says.</p>
<p>But whether it is used in chaotic or calm times, it can be used by any employee who needs to know the status of workers in the field. And that’s reflective of a current trend discussed in a report, The Top Ten Business Intelligence Trends for 2014, recently issued by Tableau Software.</p>
<p>The report finds that the practice of data science is moving from the high-level specialist to the employee in the business community. Data analysis is becoming part of the skill set of ordinary business users, not just a few experts. “We’re starting to see a mass adoption of data tools,” says Ellie Fields, a vice president at Tableau, which specializes in business intelligence.</p>
<p>Part of this trend is what Fields calls “embedded analytics.” More firms are making analytical tools available to employees on the front lines, such as members of a traveling sales force or security guards patrolling a site. By way of explanation, Fields offers a hypothetical scenario: “Wouldn’t it be great if security guards knew that between 1 and 3 is the time when most threats happen, and that they usually happen on this side of the perimeter?”</p>
<p>And that security officer who uses a mobile application for a crime data analysis may also be representative of another business intelligence trend: the increased use of predictive analytics. “We’re collecting data on things we didn’t used to have,” Fields says, and that means there is more raw material to analyze and construct sophisticated performance prediction models. “Now people are saying, ‘Let’s see if we can predict when we will have machine failure, based on past results,’” she says.</p>
<p>The increased use of business analytical tools has intersected with the rise of cloud computing, and this combination has spawned another recent trend: cloud analytics. So far, this has not occurred on a wide scale, as some organizations still have security concerns about moving sensitive data to the cloud. “I don’t think the three-letter agencies are adopting the cloud anytime soon,” Fields says.</p>
<p>But other organizations have become comfortable with cloud security and have embraced the concept. Cloud storage can make data access from mobile devices easier; the same advantages apply to analytical programs in the cloud, which can be accessed from mobile devices, like an iPad, and make for more agile, self-serve intelligence, Fields explains.</p>
<p><strong>Big Data</strong></p>
<p>Overload is not the only challenge when it comes to the advance of business intelligence and the growing reliance on Big Data. The increased use of intelligence tools will likely also increase privacy concerns. Take, for example, the crisis intelligence tool that pings smartphones to track the recipient’s whereabouts. Such knowledge could be abused. “Some humans don’t want to be found,” Richards says. “As a society, we will have to grapple with those issues.”</p>
<p>Data collection itself, even for business purposes, can also be viewed as intrusive. To take just one example, Amazon is now offering brick-and-mortar stores a payment-processing device, called Local Register, which will allow the online giant to track a consumer’s offline purchases. Such technologies will spur more discussion about letting people opt out of some data collection processes.</p>
<p>Moreover, while business intelligence tools are indeed becoming much more common, the skills needed to use those tools to best advantage are less widespread, Brown says.</p>
<p>This is particularly true for analytic tools that require queries to obtain information. “Everyone wants a piece of the Big Data scene, but what you find is that it becomes very, very complicated and the queries that you are using become very sensitive,” Brown says. “We have a lot of people using analytics that may not really understand what it is they are querying. Every minor change in the query can have a significant impact on findings,” Brown said.</p>
<p>Overall, the proper use of intelligence tools is an “art meets science” proposition, and collectively the business community “still has a ways to go” before analytical data skills become commonplace among company staff, Brown says. “I don’t think we’ve reached the point now where we can fully migrate from analysts.”</p>
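<p>Brown’s early-warning method as the article describes it (a per-keyword baseline of everyday Twitter usage, a rate of change measured against that baseline, an alert once the spike passes a threshold, and a next-day reading of whether stability has returned) is reconstructed below as an added example written for this page. It is not Brown’s Netvibes configuration or any Netvibes code. The keyword, the 14-day quiet-period history, the 5x alert and 30x severe thresholds, and the floor of 1.0 on the baseline are all assumptions for the example; in practice the monitoring platform would supply the daily counts.</p>

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from statistics import mean


@dataclass
class Assessment:
    keyword: str
    count: int
    baseline: float
    ratio: float  # today's count divided by the baseline: the "rate of change"
    level: str    # "normal", "alert" or "severe"


class KeywordSpikeDetector:
    """Rolling per-keyword baseline of daily mention counts, with alerting on
    the multiple by which a day's count exceeds that baseline.

    Thresholds are assumptions for this example: a 5x rise is an alert and a
    30x rise is severe, so the article's 10x and 40x spikes land in those two
    bands. The 14-day window and the 1.0 floor on the baseline (which avoids
    dividing by zero for rarely used words) are assumptions as well.
    """

    def __init__(self, window_days: int = 14, alert_ratio: float = 5.0,
                 severe_ratio: float = 30.0, min_baseline: float = 1.0) -> None:
        self.window_days = window_days
        self.alert_ratio = alert_ratio
        self.severe_ratio = severe_ratio
        self.min_baseline = min_baseline
        self._history: dict[str, deque[int]] = {}

    def seed(self, keyword: str, daily_counts: list[int]) -> None:
        """Load quiet-day counts gathered beforehand for a keyword."""
        recent = daily_counts[-self.window_days:]
        self._history[keyword] = deque(recent, maxlen=self.window_days)

    def baseline(self, keyword: str) -> float:
        hist = self._history.get(keyword)
        if not hist:
            return self.min_baseline
        return max(float(mean(hist)), self.min_baseline)

    def assess(self, keyword: str, count: int) -> Assessment:
        base = self.baseline(keyword)
        ratio = count / base
        if ratio >= self.severe_ratio:
            level = "severe"
        elif ratio >= self.alert_ratio:
            level = "alert"
        else:
            level = "normal"
        return Assessment(keyword, count, base, ratio, level)

    def record_day(self, keyword: str, count: int) -> Assessment:
        """Assess a day's count, then fold it into the baseline only if the day
        was normal (or the window is still filling), so that an incident day
        does not inflate tomorrow's baseline and mask a follow-on event."""
        result = self.assess(keyword, count)
        hist = self._history.setdefault(keyword, deque(maxlen=self.window_days))
        if result.level == "normal" or len(hist) < self.window_days:
            hist.append(count)
        return result


def trend(previous: Assessment, current: Assessment) -> str:
    """Day-over-day reading used to judge whether stability is returning."""
    if current.ratio > previous.ratio:
        return "escalating"
    if current.ratio < previous.ratio:
        return "subsiding"
    return "steady"


# Constructed 14-day history for the Spanish word for "gunfight" on quiet days
# (mean of exactly 10 mentions per day); not real Twitter data.
QUIET_DAYS = [8, 12, 10, 9, 11, 10, 10, 13, 7, 10, 11, 9, 10, 10]

if __name__ == "__main__":
    detector = KeywordSpikeDetector()
    detector.seed("balacera", QUIET_DAYS)
    for today in (100, 400, 12):
        a = detector.record_day("balacera", today)
        print(f"{a.keyword}: {a.count} vs baseline {a.baseline:.1f} "
              f"-> {a.ratio:.0f}x ({a.level})")
```

<p>Run stand-alone, it reports the 100-mention day as a 10x alert and the 400-mention day as a 40x severe spike, while 12 mentions on the following day reads as normal, the subsiding signal behind Brown’s next-day stability assessment. Incident days are deliberately kept out of the rolling baseline: folding a 40x day into the average would hide the next event behind an inflated baseline.</p>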