Tuesday, October 20, 2015

Security through obscurity is not a valid or reliable plan

Security through obscurity still does not work in the long term. The hope with this camouflage is that the attackers won't notice you. That does not quite work in reality. Granted, there are higher-value targets and lower-value targets for the attackers. There is, however, the case where you are noticed by the attackers. It could be by accident, because they saw one of your trucks, or through a disgruntled ex-employee or customer.

It is always better to have a security plan in place, since you never know when the business will be targeted. Hindsight is 20/20; foresight is not.

Wednesday, August 26, 2015

A Breach is a Symptom

I was listening to a cybersecurity podcast recently and the guest made the statement "A breach is a symptom of the deeper problem." Too often we focus on the outwardly visible and notable aspects of an issue versus the underlying problem.

Without addressing the real problem driving the symptom, these issues will continue to percolate and show themselves, too often at inopportune times. Fixing the root cause may take more time, energy, and effort in the short run, but will often pay dividends many times over in the future.

It is time to put the effort into fixing the issue, versus placing a temporary Band-Aid on it.

Tuesday, August 18, 2015

Data Leakage

Attackers generally are looking to disrupt your business and/or breach your systems to steal protected health information (PHI) and personally identifiable information (PII). Disruption may be done via a DDoS or other methods that stop people from visiting your website. Breaching your system may take a more advanced route, but it still creates a massive issue.

The persons attempting to compromise the system are looking for weak points in your information/cyber security posture. Depending on the circumstances, this includes your employees, updates to the computer systems, points where information is being transferred, wireless access, and other points of interest to them. Data can be transferred via Wi-Fi, email, thumb drives and other avenues. Each of these represents a potential weak point that could be breached. These and other areas should be tested to ensure compliance with HIPAA, HITECH, PCI, GLBA, or other regulations relevant to your industry.

Call us for additional information and a personalized quote.



Miel, LLC Infosec Consulting

Penetration Testing and Vulnerability Assessment

810-701-5511

www.mielinfosec.blogspot.com

It is not about winning or losing, but about reorienting yourself to the real problem: managing the risk across the enterprise.

Tuesday, July 21, 2015

“Are smart meters the end-all?” or “How I learned to love the IoT”

It seems as though technology is continually making further inroads into our lives, step by step. Beginning in the 1980s, the computer in theory was supposed to make our existence easier and less stressful. There was supposed to be a four-day work week, as we would become so efficient that this is all we would need to get all of the work done. What it did instead was make us work more, as we could now get more work done. We were supposed to be paperless, as we could scan everything into the system, so there would be no need for paper. Here the attorneys got involved, stating that we could not prove the digital signature was used by the person alleged to have used it, so paper could not go by the wayside.
On other fronts, technology has paid off for the users. All we have to do is look to our smart phones, USB, and improved satellites. If we want to know exactly where we are standing on the planet, there is an app for that.

The current hardware innovations are part of the internet of things (IoT). An entertaining recent example is the light bulb that flashes different colors based on the user’s parameters. For instance, if the Detroit Lions win their football game, this may be set to flash blue. This is in the pipeline to become yet more mainstream. The latest iteration involves energy meters. We are all familiar with the usual meter on the side of the house or on the apartment building with the glass globe (looking like Robot from Lost in Space on its side), with the dials spinning. In the late summer, the spinning dials appear to be moving near the speed of light as our air conditioners are running.

Hardware
Visually and physically the meter is still in a round-ish housing attached to the dwelling. The prior meters required the energy worker to walk around once a month and read the numbers. The new smart meters are digital; they automatically gather the data and transmit it to the electric company. There would be no person walking around your property leaving footprints in the snow. The structure and housing itself has a few variants in size, but these are moderately the same. The fundamental, pertinent change involves the software. This allows the meter to communicate and send various data to the electric company.

Benefits
Clearly there is a benefit to someone or some entity; otherwise the expense would not have been incurred for the R&D. Big business does not need to spend funds on a shiny new toy. The primary beneficiary is the electric company. It no longer has to employ people to walk around and read everyone's meters. This cuts the labor expense and the associated overhead. The new meters monitor the usage per household, and subsequently per neighborhood, county, etc. Big data would be so happy with this. With quicker monitoring comes the ability to react to geographic power needs faster. If an area has a higher need for power, the situation can be monitored so that capacity from other areas where consumption is lower can be transferred. This is much like load balancing on servers.

Not so Beneficial
This prima facie sounds great. Allegedly this benefits the electric company and society, and the electricity should be less costly. Everything comes at a cost; there is still no free lunch. Not all of the attributes are good for the consumers. A primary concern has been security and privacy. The hardware itself is hack-able with little effort, which is unnerving at best. Also, the information on personal usage for the residence, and by extension other information, can be accessed by others. A thief could monitor your usage and, if it appears the usage is well below the baseline for two or three days, could believe you are on vacation and break into your residence.

Hack-able
The hardware is attached to your home, condo, duplex, or apartment building on the outside of the structure. Anyone could simply walk up and look at the different access points to hack on the hardware. If it is during the day during the work week, no one would probably even notice. If someone were to walk up to this person, it would not be that difficult to social engineer their way out of it. The trespasser could get not only the raw usage data, but also any other data the hardware holds (e.g. account number).

This sounds a bit far-fetched. It does not seem likely that a piece of equipment that records your electrical usage would be that much of a detriment. Well, it happened. Beginning in 2009 there were power thefts throughout Puerto Rico. This became a significant issue and the FBI began investigating the thefts. The FBI believed this was due to the “new and improved” smart meters being deployed. It appeared, from the investigation, that people previously employed by the company that manufactured the meters, and current employees of the utility company, were involved with the theft.
The people were charging $300-$1,000 for the unlawful service for residential customers and $3,000 for commercial meters. Some estimates were that the utility company lost millions in revenue due to this. This was done by using an optical converter device attached to a laptop and software downloaded from the internet. There are several tools that can do this. One open source tool is Termineter, which also uses the optical interface as the access point. The hardware for this costs $300-$400, so fully implementing this does not take a significant capital outlay. In essence the tool merely changes the ratio by which the meter records the electricity used.
The person did not have to open the meter, cut the metal band, or do anything physical. They just had to walk up to it with their laptop and an optical converter device. This is not complicated, or even a two-step process.

In short…
Overall, technology is our friend. It may give us a temporary headache, but in the long run it makes our life easier. The smart meter is one such item, and it makes sense to use it. The more data the electric company has access to, the better it can plan for the usage. This improves its operations, which translates into electrical savings for the consumer. With the good comes the bad. The software written for the smart meter was coded with the focus on how to operate and record the electrical usage, rather than on security. The level of security has already proven financially disastrous for at least one utility. With the spread of the open source software and the relatively low cost of the hardware to hack the smart meter, there will be issues until patches are written to close the openings in the system that let anyone get in.

For further thoughts
Geib, A. (July 15, 2012). How privacy-conscious consumers are fooling, hacking smart meters. Retrieved 9/8/14 from http://www.naturalnews.com/036476_smart_meters_hacking_priv….
Kumar, M. (July 22, 2012). Open source smart meter hacking framework can hack into the power grid. Retrieved 9/8/14 from http://thehackernews.com/…/open-source-smart-meter-hacking.….
Protalinski, E. (July 22, 2012). Smart meter hacking tool released. Retrieved 9/8/14 from http://www.zdnet.com/smart-meter-hacking-tool-released-700…/.
Sunshine, W.L. (n.d.). Pros and cons of smart meters. Retrieved 9/8/14 from http://energy.about.comp/…/Pros-And-Cons-of-Smart-Meters.htm.
Tweed, K. (April 10, 2012). FBI finds smart meter hacking surprisingly easy. Retrieved 9/8/14 from http://www.greentechmedia.com/…/fbi-finds-smart-meter-hacki….
Beware of Insider Threats

We all want to believe in the good of people. We want to believe most people want to do the right thing. This sounds great, but in practice there are issues, as there always are with staff. We all remember Snowden and others. Regardless of your view on Snowden’s acts and rationale, the confidential documents were leaked from a private source to third parties outside of the business. This has been present not only with private emails and memos, but also with business intellectual property and proprietary information. This can be just as damaging to the business, if not more so, to its longevity.

This can be a significant problem for your business or clients unless a monitoring process is put in place.

Digital Media
The mode by which information and data are removed from the business has changed significantly over the years. This technology began with the large 5 ¼” removable floppy discs, which advanced to the smaller 3.5” discs with the hard plastic exterior. These media, while an improvement over cassette tape drives (for those who remember them), were still very limited in the amount of available storage.

Presently there are thumb drives with upwards of 32GB of storage. This would easily hold the entirety of the customer data (names, addresses, SSNs, account numbers, balances, etc.) for a small bank. This being taken by an insider and sold or given to a competitor would be a significant detriment. Another avenue of theft may be Google Glass. In a data or call center, the employees are heavily monitored via innumerable cameras posted throughout the floor, mounted on the ceiling. Their usage of the services is also reviewed regularly. One of the “stellar” employees wearing Google Glass could record personally identifiable information (“PII”) of the people calling in while sitting at his desk. As an alternative, a mechanical engineer sitting at a desk taking images of the schematics for a new fixture on a tank is another source of data leakage. These examples are of relatively inconspicuous people simply sitting at their desks working.
Advances in technology will only make this more of an issue. Storage devices will only increase in the amount of data they can comfortably and stably hold. Other devices will also be created that will cause the CISO a headache.

Prior SOP
Management in years past did not have this at the forefront of their worries and thoughts. It was not significantly discussed at the IT Business Continuity Plan (“BCP”) meeting. The issue of data storage and manipulation probably held more weight in the management meetings of years gone by.

The management team knew information theft occurred on some level in the business, but was not able to quantify its extent. Occasionally there would be an obvious spike in activity when an employee left to work at a competitor, and the competitor would mysteriously and suddenly have the advanced research, or would take three steps in the R&D process versus one.

InfoSec Defense
It is not that management does not trust the staff, but the business does not want to be a victim. Monitoring its assets and processes is not a crime. All is not lost! InfoSec models can be implemented to mitigate the risks. These involve log review and analysis, which will show who is using the services at a much higher rate than the baseline and flag it as an anomaly.
Due to the mass of data involved, programs are used to parse the data for the pertinent and important information. If you are the CTO or CISO of a medium-sized business, there will be stacks of log files. There is no way to reasonably review these manually due to the sheer volume of data. The programs available that complete this task do a reasonable job.
The SysAdmin can monitor the staff’s access to files: which folders and files are accessed, the frequency of this activity, and whether the data is saved to USB or emailed. Email usage can also be monitored. If there were suddenly a large spike above the baseline level of activity, this is probably an issue waiting to happen, especially with data or attachments being sent out to a third party.
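As an added example (not code from the original post), the baseline review described above, run over a constructed access log: per-user daily counts of file reads, USB writes and email attachments are compared against that user's mean on their other days, and a day well above baseline is flagged. The log format, event names and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean


def build_sample_log():
    """Constructed sample access log (not real data): 'YYYY-MM-DD user EVENT' per line.
    Four quiet days for two users, then alice's file reads jump tenfold and she
    writes to USB for the first time. Event names are hypothetical."""
    days = ["2015-07-06", "2015-07-07", "2015-07-08", "2015-07-09", "2015-07-10"]
    lines = []
    for day in days:
        lines += [f"{day} alice FILE_READ"] * 6
        lines += [f"{day} bob FILE_READ"] * 8 + [f"{day} bob EMAIL_ATTACH"] * 2
    lines += ["2015-07-10 alice FILE_READ"] * 54 + ["2015-07-10 alice USB_WRITE"] * 12
    return "\n".join(lines)


def daily_counts(log_text):
    """Return {user: {day: Counter(event -> count)}}, skipping malformed lines."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, user, event = parts
        counts[user][day][event] += 1
    return counts


def find_spikes(counts, factor=3.0, min_events=10):
    """Flag (user, day, event, count, baseline) where a day's count exceeds
    `factor` times that user's mean daily count of the same event over their
    other days. An event never seen on other days has baseline 0, so any day
    reaching `min_events` of it is flagged; `min_events` also keeps tiny
    counts (e.g. 2 vs 0.5) from raising alerts."""
    alerts = []
    for user in sorted(counts):
        per_day = counts[user]
        days = sorted(per_day)
        events = sorted({e for c in per_day.values() for e in c})
        for day in days:
            others = [d for d in days if d != day]
            if not others:
                continue  # a single day gives no baseline to compare against
            for event in events:
                count = per_day[day][event]
                baseline = mean(per_day[d][event] for d in others)
                if count >= min_events and count > factor * baseline:
                    alerts.append((user, day, event, count, round(baseline, 1)))
    return alerts


if __name__ == "__main__":
    for user, day, event, count, baseline in find_spikes(daily_counts(build_sample_log())):
        print(f"ALERT {day} {user} {event}: {count} events vs baseline {baseline}/day")
```

In a real deployment the baseline window would be the preceding weeks rather than the handful of days in the sample, and the alert would feed the review the post describes rather than block anything on its own.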

In short, this is not trying to make everyone’s life difficult. The IT department is not merely snooping on everything the employee does; that level of micro-management or oversight does not work and only pushes people away. The business can’t be a victim and needs to protect itself. A recent case involved a software engineer who had been working on Wall Street on an algorithm meant to predict the ups and downs of the market. The firm would then recommend that clients purchase the stock when the price was significantly lower. There was a massive expense involved, as the engineer had been working on this for a year. This was clearly proprietary in nature. The application was liberated by the then employee, soon ex-employee, as he moved to a new employer. This could have been disastrous for the firm, but was resolved. To minimize the risk, the insider threat issue needs to be monitored-unfortunately
The frequency and depth of security breaches continue to increase. There are still a number of breaches fresh in our memory: Target, Home Depot, The UPS Store, and many others. After the breach, the inevitable announcement is made to the public. The cost of these is not only financial; there is also a significant decrease in trust and rapport with the community in which each location resides.
A constant question that arises after a breach is “What took so long for them to announce this?” In the interim, the affected persons’ information could have been sold to others. The companies are monitoring their systems for any suspicious activity; however, the fraudsters are actively updating their skills and tools so their activities won’t be noticed. The company, unfortunately, may still be using a default password or not regularly patching its systems. Once the fraudsters are in, the logs may be altered and tracks covered.

The targets are not only the massive retail operators; SMBs are also being targeted. The attackers may not be able to steal large amounts of money, but with these entities the smaller amounts may be easier to steal. To protect the business assets, its future, and its clients, cyber and information security should be a constant goal on varying levels. InfoSec cannot be a once-a-year thought and a checkmark in a box.
DigiCert's Seven Common Vulnerabilities was released in September 2014. These included SSL certificate and endpoint vulnerabilities (this is the OpenSSL issue with Heartbleed), out-of-date servers (a secure and patched server from two years ago is not secure today), inadequately trained or overworked staff (IT or otherwise), unsecured intranet and mail servers (merely because these are behind your firewall does not mean they are 100% safe), self-signed certificates (although these are free, many still don't trust them), unsecured file transfer protocol, and failure to conduct penetration testing (these on a continued basis are pertinent; contact me for a quote).
"There are a lot of security flaws even in ------ or like famous websites like -------. ... Most of these flaws are because the developers first create the application and later consider security."
OWASP podcast, 12/19/13, quoting Abbas Naderi
Cybersecurity/infosec is much like riding a motorcycle. You can purchase the best helmet on the market, providing the most thorough protection for your brain. If you get in an accident, your brain may be fine; however, the rest of your body is in bad condition.
Infosec needs to be applied globally. If you are only protecting one portion of the system, there are many other areas that can be breached and damaged by an attack.

Why should you conduct a pentest?
- This mitigates the risk of a data breach.
- This ensures your system's security.
- To find vulnerabilities.
- To test your security controls. ...
- Compliance


Thought for the Day: You need to protect all points of entry. The attacker needs only one!