Thursday, February 18, 2016

Hackers Hold a California Hospital’s Network Hostage for $3.6 million. Are You Next?

As we have been seeing over the past few years, cyber criminals continue to breach their targets and demand ransom. Most recently, hackers held a California hospital’s network hostage for $3.6 million. Are you or is your organization next? How can you avoid being a victim?

The adversary knows no boundary. Face it, whether you are a tiny organization with one (1) computer or a very large enterprise with 250,000 computers, hackers want you! If you have what they need, they will come after you.

Based upon my real-world experience in network exploitation exercises and data breach investigations, some data breaches have been possible because basic security primitives have not been implemented. What good does it do if a network has layered security at the perimeter with a robust Threat Operations Center (staffed to the gill) if one or few systems that contain sensitive PII/PHI records is not fortified? For example, I have seen scenarios whereby no one in the target organization knows (all the locations) where sensitive data is stored, who has access to the data, who logs into the system, what trust relationship exists between these “sensitive data containers” and the rest of the network. The list of problems goes on and on. Passing HIPAA, PCI, SOX, or other compliance/audit does not necessarily demonstrate good security, in my opinion. Not able to exploit a network during a penetration testing exercise does not necessarily demonstrate that your network has not already been breached.

To avoid being a victim of data breach or to reduce the likelihood of a breach, every system from time to time needs to be combed (breach assessment/readiness) to determine whether or not attackers’ campaign, behavior, indicators, tools and tactics, are active on the target system or enterprise. Once we have a clean slate, we can then fix the pumpkins, like my friend, Ray Vazquez always say, and develop some sort of security roadmap. For any cyber security program to be successful, internal politics must be removed and the most senior leadership (not just the CSO, but CFO, CEO, and COO) should be held culpable for security liability. I believe that if the head of Security reports directly to the CEO or Legal, majority of the security breaches will go away.

Saturday, February 19, 2011

Security Epidemic in Online Social Media Websites

Computer hacking and intrusions are getting to an epidemic level, fueled by free flow of information in cyber space.  A computer that is loaded with the latest anti-virus, anti-malware, operating system patches and hot fixes, and running on a well “protected” network can still be easily compromised through web surfing or emails. This statement isn't meant to scare you from using computers, mobile devices, or Internet (after all, our lives depend on these technologies), but to share with you that the security threats posed by online media is high.

It's worthy to suggest, though, that a computer or Internet user must thread cautiously in this thorny Internet battleground. Read any blog, tweet, or other posting on a social website and you would notice that some of these posts may have web links to other websites or links to files that are laced with malware. An attacker could tweet, blog, or post their thoughts or information on a page which awaits an innocent or curious visitor. Trusting the author, the visitor may naively click on the link and land on an infected website. While some of these URLs can be detected to be bogus, many more are difficult to detect.

In summary, here are some ideas for safely surfing the Internet:

1. Make sure you trust a link before you click on it; resist the urge to click
2. Make sure you don't install or download software, even if it looks too good
3. Make sure you have anti-virus software loaded on your system with the latest signatures
4. Make sure your computer and network is secure and well protected
5. Make sure your personal or corporate data are encrypted and backed up to an external media
6. Avoid visiting any website whose integrity or authenticity you question
7. Use a browser that warns you if you visit a malicious website

Conducting your online activities through a virtualized system (virtual machine) or sandboxing browsers may add some protection by preventing malicious software and downloads obtained through your web browser from compromising your system. Once you exit the browser, the malicious software would not make any change to your system. For example, Sandboxie is a good “quarantine” solution – see: http://www.sandboxie.com for details).

Although the above link is legitimate, did you click on the link? If so, did you think twice before clicking on the link? What about this one?

Sunday, December 19, 2010

Cyber Security Tips for Online Shoppers

Safety Tips for Cyber Shopping

Now that the holiday shopping season is in full throttle, cyber shoppers are heading to online malls in search for a great bargain. Online bargain hunters need to take precaution to ensure that they are not victim of identity theft or other cyber attacks. I contributed to a story ("Cyber Security: Pay Close Attention When Shopping Online This Holiday Season") back in 2007.

Below are some precautionary measures that you can take, not just during the holiday shopping season, but in any online ecommerce transaction:

Make sure that the computer from which you are doing your shopping is adequately protected. This can be accomplished by ensuring that the system is kept up to date with operating system’s patches, hot-fixes, and relevant patches. Patches should also be applied to user applications such as document editors, Microsoft Office, Adobe Readers, Internet browsers, and so forth. If there are multiple users sharing the same computer, make sure that an account is created for each user. By patching, I do not mean simply focusing on Windows system but Mac OS and Linux operating systems as well. Part of securing your computer involves using anti-virus software, updating the virus signatures, and scanning your computer frequently for virus and malicious software. Protection also includes enabling a firewall and intrusion detection system to alert you if your system is attempted to be compromised.

Make sure your Internet browser is protected. The Internet browser as well as email applications are the main attack vectors used in most sophisticated attacks. To this end, the cyber shopper needs to ensure that the respective software are heavily guarded. Update your browsers and apply patches to them proactively. Ensure that the browser cache and temporary Internet files are erased (“emptied”) and the browser is closed when finished. Is the computer you are using a shared one (family members, library, hotel lobby, etc)? Securing your computer ensures that attackers and cyber crook can’t easily steal your data.

Make sure that network from which you are connecting is protected. If you are one of those that thinks you can tap into your neighbor’s wireless network for your Internet access, think twice. Make sure you have a good assurance that the network that you are using to transmit your data will not compromise your data.

Know the merchant from whom you are purchasing. While a well-known brand may not necessarily have a more secure website or backend servers than an unknown brand, a well-established and known company may be more willing to work with you than an unknown store, which may well be a fly-by-night operation.

Consider opening and using an account with Ecommerce payment services, such as Paypal, Google Checkout, as Google Checkout, or Wirecard.  Through this type of service, you store your credit card, banking information, and shipping address information with one of these service providers. You can then pay any online shop that “accepts” these payment methods for the exchange of goods or services. This mechanism ensures that your payment data is not provided to all online shops from which you purchase merchandize or service.

Protect Your Privacy: Ensure that your personal and confidential information is not published online in emails, social media and forums. Combined with other data, cyber crime may be able to steal a persons’ identity when they are not stored or transmitted securely. Avoid providing your confidential information (social security number, PIN, password, etc) to anyone claiming to be from the “Technical Support” department. Resist sending these information in emails or texting them! Beware of phishing emails, which may contain malicious Internet links or attachments, which may only get you to visit hostile sites that may compromise your data.

Other tips to consider include:

Educate yourself on cyber security and online safety.

Change your password with each cyber store often -- at least once in six months. Do this on your computer and other online accounts that you may have as well.

Ensure your personal and confidential information is not stored on your computer, or if it is stored, make sure it is encrypted.

Trust No One, except your unborn child! People you trust may deliberately, inadvertently, or innocently compromise data under their control.

In summary, while the precautionary items mentioned above may help protect your online experience, they are not panacea. Although a determined attacker can still compromise a users’ data even with a lot of protective mechanism, hackers generally would be more interested in going after easier targets.

Have a happy and safe cyber shopping!


Cheers,

--

Cyber View Points

After much contemplations, I've decided to start writing about things that are thought provoking and offer alternate view points on cyber-related matters. I will try to use this blog -- Cyber View Points -- to dig deep into issues that are not often talked about in any medium -- print or online.

I will try to address and offer my opinion on events, news, and topics in the areas of online privacy, identity theft, cyber crime, cyber security, digital forensics investigations, physical security, and training.

I encourage you to share your thoughts in a manner that does not hurt other individuals or businesses but cause people to do their best in securing the cyber space.