Social Engineering

https://sm.asisonline.org/Pages/Book-Review---Social-Media-Risk-and-Governance.aspx
Book Review: Social Media Risk and Governance
Published 2016-11-01. Category: Cybersecurity.

Kogan Page; koganpage.com; 232 pages; $37.95.

Phil Mennie is an international expert on social media, risk management, and information technology governance. His latest publication, Social Media Risk and Governance, is a must-read for the intermediate to advanced risk management security practitioner. It is a captivating book depicting the importance of identifying social media and information technology risks in an organization, outlining ways to address each of these risks immediately and to the benefit of an organization.

Governing the safety of social media inside and outside of the workplace is a challenging task. Mennie articulates a clear and concise social media strategy that can be adopted by risk management professionals both domestically and internationally, with specific protocols and tools. He uses examples from real-world companies—like MasterCard—to support his points. Diagrams, matrixes, case studies, images, graphs, flowcharts, procedure assessment methods, and other forms of multimedia further support the text.

One shortcoming in the book is its lack of information on cloud computing. Many organizations are migrating to cloud-based storage options, such as OneDrive, Dropbox, and Google Drive. Research indicates that organizations should be very cautious about storing sensitive data in the cloud. The author reflects on the importance of data privacy, but does not expand on specific steps for properly uploading and transferring data to the cloud safely.

Also in the text, the author notes that certain legislation is being considered by several states and jurisdictions. However, the description is vague and does not contain specific pieces of legislation for reference.

The book urges technology professionals, compliance regulators, and risk management leaders to ask difficult questions: Is our organization embracing the power of social media? Are we keeping both internal and external stakeholders safe? What governance protocols do we have in place? How are we measuring the success of our protocols?

In sum, this book will benefit security professionals, social media experts, search engine optimization professionals, and risk managers. It is a true asset to the security management and information technology sector.

--

Reviewer: Thomas Rzemyk, Ed.D., is a professor of criminal justice at Columbia Southern University and director of technology and cybersecurity instructor at Mount Michael Benedictine School. He is a criminology discipline reviewer in the Fulbright Scholar Program, and he is a member of ASIS.


Articles in this section:

- Book Review: Social Media Risk and Governance (2016-11-01): https://sm.asisonline.org/Pages/Book-Review---Social-Media-Risk-and-Governance.aspx
- The Top Five Hacks From Mr. Robot—And How You Can Prevent Them (2016-10-21): https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx
- Spoofing the CEO (2016-10-01): https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx
- Book Review: Cybervetting (2016-05-01): https://sm.asisonline.org/Pages/Book-Review---Cybervetting.aspx
- How to Protect PII (2016-02-16): https://sm.asisonline.org/Pages/How-to-Protect-PII.aspx
- Smart and Secure (2016-01-19): https://sm.asisonline.org/Pages/Smart-and-Secure.aspx
- Book Review: Social Crime (2016-01-04): https://sm.asisonline.org/Pages/Book-Review---Social-Crime.aspx
- Book Review: Online Risk (2015-12-01): https://sm.asisonline.org/Pages/Book-Review---Online-Risk.aspx
- La Revolución del Internet de las Cosas (2015-11-12): https://sm.asisonline.org/Pages/La-Revolución-del-Internet-de-las-Cosas.aspx
- The IOT Revolution (2015-10-26): https://sm.asisonline.org/Pages/The-IOT-Revolution.aspx
- Teach a Man to Phish (2015-09-09): https://sm.asisonline.org/Pages/Teach-a-Man-to-Phish.aspx
- Communication in Crisis (2015-09-01): https://sm.asisonline.org/Pages/Communication-in-Crisis.aspx
- Ediscovery and the Security Implications of the Internet of Things (2015-04-13): https://sm.asisonline.org/Pages/Ediscovery-and-the-Security-Implications-of-the-Internet-of-Things.aspx
- The New Recruits (2015-04-01): https://sm.asisonline.org/Pages/The-New-Recruits.aspx
- The Lone Terrorist (2015-03-01): https://sm.asisonline.org/Pages/The-Lone-Terrorist.aspx
- Big Answers (2014-12-01): https://sm.asisonline.org/Pages/Big-Answers.aspx
- Analytics for Everyone (2014-11-01): https://sm.asisonline.org/Pages/Analytics-for-Everyone.aspx
- A Face in the Crowd (2014-10-01): https://sm.asisonline.org/Pages/A-Face-in-the-Crowd.aspx
- Next Generation Security Awareness (2012-09-01): https://sm.asisonline.org/Pages/Next-Generation-Security-Awareness.aspx
- Avoiding the Spearphisher's Barb (2011-10-01): https://sm.asisonline.org/Pages/Avoiding-the-Spearphishers-Barb.aspx

You May Also Like
https://sm.asisonline.org/Pages/The-New-Recruits.aspx
The New Recruits
Category: National Security.

“Leave our children alone!” That’s the message a Bolingbrook, Illinois, mother wants Islamic State (ISIS) leaders and recruiters to hear. In January, Zarine Khan’s oldest son, 19-year-old Mohammed Khan, tried to travel with his 17-year-old sister and 16-year-old brother to Istanbul to join ISIS. The three were stopped at Chicago O’Hare International Airport, and Mohammed Khan, an American citizen, is now being charged with attempting to provide material support to ISIS militants.

Zarine Khan told news outlets she believes her children were recruited over social media and secretly saved money to purchase passports and airline tickets. “We condemn this violence in the strongest possible terms,” she said after her son’s courthouse appearance. “We condemn the brutal tactics of ISIS and groups like it. And we condemn the brainwashing and the recruiting of children through the use of social media and Internet.”

If Mohammed Khan is found guilty of providing material support to a terrorist organization—a provision of the U.S. Patriot Act—he will face up to 15 years in prison.

Unfortunately, this is not an isolated incident. A new report by the International Centre for the Study of Radicalization and Political Violence (ICSR) found that some 20,000 foreign fighters from 50 countries have traveled to Iraq and Syria to join terrorist organizations since 2012, and more than 4,000 of those are from Western nations.

Disturbing reports seem to surface every month of Westerners—many of whom are teenagers or young adults—attempting to travel to join ISIS as fighters or brides, often after being recruited over the Internet.

Another increasingly prevalent issue is the return of radicalized Westerners to their home countries. Governments are struggling to address the issue in the absence of proof that the returning citizen actually committed a crime.

“The propaganda of the Islamic State, the ability to communicate in message, is better than any I have seen to date since we had the development of Al Qaeda in the early ’90s,” says Charlie Allen, who has served with the CIA and the U.S. Department of Homeland Security (DHS). “It is a very interesting thing—we’re going to have people self-radicalized, and it’s hard to stop traffic and travel to and from Europe.”

The exodus of American and European citizens to the Middle East—mainly Syria or Iraq—began in 2012 during the height of the Syrian civil war after ISIS urged Muslims to fulfill their religious duty to wage a holy war against the enemies of Islam. Although some foreigners took up arms with other terrorist organizations, such as Al Qaeda and Jabhat al-Nusra, most are flocking to aid ISIS, which is considered to be the dominant force of Syrian opposition and currently controls about a third of Syria.

More than 100 Americans have traveled to the region to fight, but experts are more concerned about jihadists from European countries, where thousands of citizens—mainly from Belgium, France, Germany, and the United Kingdom—have crossed through Turkey’s porous border into Syria and Iraq.

Veryan Khan, editorial director for the Terrorism Research and Analysis Consortium (TRAC), a political violence database, says that in terms of modern global jihad movements, the current exodus is the third and the most popular call to jihad. ICSR, which has kept track of the global jihad to Iraq and Syria since 2012, notes that the current numbers surpass those of the Afghanistan conflict in the 1980s and the 2006 flight from Somalia, making the conflict in Syria and Iraq the largest mobilization of foreign fighters in Muslim-majority countries since 1945.

Veryan Khan says a large percentage of foreign fighters are young men and women—some not even out of their teens. The Bipartisan Policy Center’s 2014: Jihadist Terrorism and Other Unconventional Threats points out that many young adults who attempt to join ISIS “are far from threatening.” At least eight 18- to 20-year-old Americans have been apprehended attempting to join ISIS over the past two years, one of them admitting in court that “concerning my fighting skills, to be honest, I do not have any.”

Other cases are more serious. One high-profile Western jihadist is 22-year-old Maxime Hauchard, a Frenchman identified as one of the executioners in an ISIS video depicting the decapitated body of American aid worker Peter Kassig. Hauchard converted to Islam when he was 17 and was recruited online to ISIS, according to media outlets.

Veryan Khan explains that young jihadists may be looking to belong because they do not feel at home in Western culture. “There are many other reasons for radicalization: the need for redemption, the perceived obligation to one’s motherland, the guilt of living a good life in the West while others suffer, a personal retribution for the death of a family member or friend, the list goes on and on,” he explains.

Europe has taken a step to curb the relentless—and effective—online propaganda by ISIS. Last summer, nine European nations endorsed an initiative to work with Internet providers to take down the hundreds of ISIS recruitment websites and messages. But the biggest online draw may come from radicalized Westerners themselves.

Foreign fighters who have made the journey to Iraq or Syria have told their stories via Twitter, Facebook, and other blogging websites, encouraging their peers to join them. The posters speak of the friendships they have made with their brothers and sisters of the Islamic State, or the pride they feel in answering the call to jihad.

“Allahu Akbar, there’s no way to describe the feeling of sitting with the Akhawat [sisters] waiting on news of whose Husband has attained Shahadah [martyrdom],” tweeted one British woman who traveled to Syria and married a fighter.

The call to join ISIS in the Middle East is not the only trend that concerns experts. Many foreign fighters are returning to their home countries after fighting alongside ISIS in the Middle East, and Allen points out that having trained, radicalized fighters traveling back to their homes in the West is a potentially dangerous situation.

“We have the worst possible storms that are now erupting in the Middle East, and the foreign fighters, those from North America and Europe, are likely to return,” Allen explains. “Some have been martyred, including Americans, but some will continue their extremist ways and proselytize to get other Americans to join them.”

Individual governments are left trying to figure out what to do with returning fighters. Turkey, considered the main passageway from Europe to Syria and Iraq, announced at the end of January that it is beefing up security along its borders to stem the flow of potential jihadists to the battlefield. The country is also constantly updating a database of more than 10,000 individuals suspected of traveling through to aid ISIS.

The problem that Turkey and many other countries face is that they cannot indict individuals for aiding a terrorist organization without proof. Traveling to and from the region alone does not hold enough weight for law enforcement to intercept an individual.

Some countries have passed laws that make it easier to detain potential jihadists. In Austria, Belgium, Britain, France, and Germany, authorities hastily passed legislation allowing governments to detain individuals suspected of involvement in a terrorist organization abroad.

Other countries, such as Denmark, are taking a soft-handed approach in handling returning fighters by offering free counseling services, as well as assistance in finding jobs or enrolling in school.

U.S. lawmakers are worried that foreign fighters coming to America may be able to slip through the cracks—under the Visa Waiver Program, residents of 38 European countries can travel to the United States without a visa. Former Senate Intelligence Committee Chairwoman Dianne Feinstein has announced plans for legislation that would tighten the program.

Allen says that most foreign fighters aren’t secretive about their involvement in Syria and can be easily tracked, so the threat of a jihadist slipping into the United States unseen is small.

“I believe we have good legislation, good tools, and a good understanding of who may be in Syria, and we’re very careful to ensure when they return that we know who they are and what they’re doing,” Allen explains. “The Customs and Border Patrol does an excellent job of sorting through these people as they return. It’s hard to charge them if you don’t know whether they’ve committed crimes, but I think the collaboration between DHS and the FBI is improving.”

TRAC’s Khan speculates on the bigger picture—why are these young fighters coming back home? He says the list of grievances from foreign fighters is critical to combatting radicalization efforts.

“They get to their perceived holy war only to find out that they are just killing other Muslims, which is haram (forbidden),” Veryan Khan explains. “There’s this perceived hypocrisy within the movement, as well as the realization that they are not merely fighting against the Assad regime to create a heavenly Caliphate but more than likely fighting other opposition groups.”

There are a number of firsthand accounts explaining the grievances, Veryan Khan explains, but they’re not as prevalent as the propaganda-filled tweets and blogs convincing young people to join ISIS in the first place.

“Using those firsthand accounts to our advantage is the best tool to curb the momentum,” Veryan Khan says.

To read in Spanish, see /Pages/Los-Nuevos-Reclutados.aspx.
https://sm.asisonline.org/Pages/Cyber-Trends.aspx
Cyber Trends
Category: Cybersecurity.

The security industry changes daily. And it’s fair to say that cybersecurity is changing even more rapidly as new threats, new attack methods, and new technologies continuously emerge. This means that cybersecurity professionals need to stay up to date as the threat landscape rapidly evolves to ensure that they are ready to meet the challenges of modern-day data security. Here, we look at some of the major issues that these professionals will be tasked with over the course of the remaining year and heading into 2017.

Brexit. In a historic decision in June, the United Kingdom voted to leave the European Union (EU)—a decision commonly known as Brexit. Approximately 52 percent of the population voted to leave the EU, while 48 percent voted to remain—including all of Scotland and a large portion of the population in Northern Ireland.

While immediate concerns were focused on the economic upheaval, Brexit will also have an impact on data sharing and data privacy agreements that the United Kingdom was previously part of as a member of the EU and its digital single market.

One major area of regulation that will need to be ironed out is around the EU General Data Protection Regulation (GDPR), which is scheduled to go into effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).

When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework.

Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, which was designed to replace the Safe Harbor agreement that was previously ruled invalid by the EU. The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield—which went into effect earlier this year.

Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.

“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”

Talent shortage. Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.

“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”

And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA).

This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions.

“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. Also, remediation time following system or data compromises is steadily getting longer.”

This, in turn, results in IT security professionals increasingly cornered into a reactionary role of identifying compromises and addressing security concerns as they arise, instead of proactively mitigating the contributing factors, according to the report.

To combat this, many information security departments are increasing expenditures on security tools and technologies, and for managed and professional security service providers to augment existing staff.

However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort to do this was announced by Cisco earlier this year. The company will invest $10 million in a Global Security Scholarship and make enhancements to its security certification portfolio to help close the industry skills gap.

“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. We developed this scholarship program to help jump-start the development of new talent.”

The scholarship is a two-year program that is designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide on-the-job readiness needed to meet current and future challenges of network security, according to a press release. As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.

Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.

Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².

“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”

Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”

Accountability. The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.

Research of U.S. corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”

This may be because boards are placing an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations.

Twenty-six percent of board members also reported that cyber risks were their highest priority, while other risks, like financial, legal, regulatory, and competitive risks were termed “highest priority” by only 16 to 22 percent of surveyed members.

Coupled with that, the report found that 34 percent of board members indicated that they would provide warnings that improvements in reporting would need to be made before firing an executive.

But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”

Overall, however, the report shows that boards are engaged and holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.

“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”

Encryption. By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. This year, 2016, was a major milestone in the life of encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced encryption across the board.

However, this move has ramifications for corporate security, which can’t always see what’s happening in its network due to encrypted traffic, and for law enforcement as it loses its ability to gather certain kinds of digital evidence—an issue the FBI terms “Going Dark.”

“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”

To combat this, the FBI has gone to court against private companies to demand access to encrypted data, such as when it filed suit against Apple to gain access to an iPhone 5c used by one of the San Bernardino, California, shooters.

It has also been encouraging companies to use a form of encryption it terms provider access—where, for example, the data is encrypted on a smartphone but the smartphone’s manufacturer has the key to decrypt that data if it’s served with a court order to do so.

This approach, however, has been met with criticism by technical experts who say that introducing that access point into encrypted data is making it vulnerable.

“Academically, they are correct,” O’Connell says. “Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”

For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.
https://sm.asisonline.org/Pages/Book-Review---Cybervetting.aspx
Book Review: Cybervetting
Category: Cybersecurity.

CRC Press; crcpress.com; 322 pages; $79.95.

In today’s world where Big Data has become much more than a buzzword, security leaders may need a guide to navigate the information available to them. In the second edition of his book, Cybervetting: Internet Searches for Vetting, Investigations, and Open-Source Intelligence, Edward J. Appel provides that guidance.

Appel brings an impressive pedigree to his work. Since retiring from the FBI where he specialized in counterintelligence and terrorism, he has held executive roles in corporate security and operated his own investigation firm. In this book, he provides a thoughtful tour of the Internet and explains how it can benefit today’s professional investigator. The tour culminates with a guide to the groundwork that a reader needs to build a Web-based intelligence program, including resources, pitfalls, and search methods.

If there is any criticism, it is that readers may find descriptions of concepts such as the Internet, blogs, and Google too basic. Although the work includes basic information for the neophyte, it also offers solid resources, original research, and recent case law, so even seasoned investigators will gain useful nuggets of knowledge. Heavy annotation and comprehensive indexing make this book highly searchable, providing not just a good initial read but also a go-to reference.

--

Reviewer: Drew Neckar, CPP, CHPA, is a member of the ASIS Healthcare Security Council, and has extensive experience in threat assessment and investigations.