Author Archives: Security Experts

State Department Data Breach

Rich Campagna, CMO at Bitglass:

“All organizations have a responsibility to keep their employee data safe – there is no room for error. This is particularly true of governmental groups that are supposed to be serving citizens and protecting their personal information. Unfortunately, despite the amount and type of data that these organizations handle, many are unprepared when it comes to cybersecurity. The State Department’s recent authentication debacle serves as an example of this.

These kinds of breaches can have lasting consequences for all parties involved. Institutions that expose data lose the trust of employees and consumers, while individuals who have their information stolen may be forced to grapple with the long-term effects of identity theft. As such, governmental organizations must adopt modern security technologies. Dynamic identity management solutions, for instance, can verify users’ identities, detect potential intrusions, and enforce multi-factor authentication in a real-time, step-up fashion.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

“It has become increasingly difficult for large organizations to watch over the ever-growing volume of end-users, devices and applications, which has accelerated with the proliferation of IoT and Industrial Control Systems (ICS) in the workplace.

Further challenges appear as organizations commonly allow employees to access their work from their own devices (BYOD), whether those devices are managed by their IT department or not. Government organizations, in particular, need to have full visibility into all of their IT assets and the devices accessing their network.

A proactive approach to breach avoidance starts with putting the right tools in place. While only a small percentage of State Department employees were impacted and the breach did not appear to put classified information at risk, it is clear that a number of government departments must do more to identify potential breach risk scenarios and proactively take the necessary steps to avoid future breaches.”

The ISBuzz Post: This Post State Department Data Breach appeared first on Information Security Buzz.

Mirai Authors Avoid Prison

In response to the news that the authors of the Mirai botnet have avoided prison sentences after cooperating with the FBI and providing substantial assistance in other complex cybercrime investigations, IT security experts commented below.

Nadav Avital, Threat Analytics Manager at Imperva:

“Assuming that the justice system in cases of cybercrime works in the same way as in other types of crime, it is a common practice to cut a deal with the state to get a reduced sentence.

I trust that the justice system carefully weighed the consequences in this case and can only guess that the benefits from the defendant’s assistance were substantial.

The silver lining here, in my opinion, is that the Mirai authors were brought to justice. Unfortunately, the attribution problem, in the cybercrime world, is very difficult and consequently not enough criminals are apprehended.”

Jake Moore, Security Specialist at ESET:

“The idea of the FBI employing convicted criminal hackers sounds like a perfect tagline for a movie, yet it’s not too far-fetched when it comes as a way of injecting young hacker knowledge and enthusiasm into an arguably behind-the-times law enforcement body. Putting hackers inside the government seems at first a wildly unorthodox idea, but when it is broken down, it could be argued as a far cheaper option on public money. Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations in, not to mention it is a far more inviting and romanticized option than jail time for the criminals.

There is always a threat that fresh-faced hackers would desire being placed on the payroll after an attack, but this can’t be the majority. Being vetted to work in highly confidential areas of law enforcement is a serious procedure and can be highly intrusive. My previous role investigating highly confidential computer forensics for the police even put me and my loved ones in interviews to talk about aspects such as finances, for fear of corruption. So when hiring potential unknowns purely down to their skills, there will always be a risk attached – but like anything in cyber security, it’s about weighing up that risk.”

Sean Newman, Director Product Management at Corero Network Security:

“It’s interesting to hear reports of the Mirai botnet authors now helping law enforcement agencies. However, with their original code in the public domain for almost two years now, and so many derivative botnets created since, it’s hard to see that this is going to make too much of an impact on the level of IoT device abuse that is now occurring and, hence, result in any reduction in the damaging DDoS attacks they have been the source of.”

Ben Herzberg, Director of Threat Research at Imperva:

“By being involved in Mirai and such activities, these people may have been exposed to more details of other criminal cyber activity. If by cutting a deal with them, the law enforcement agencies got concrete evidence about more severe criminals, they got my ‘like’.”


State Department Email Breach

Last night, it was reported that the State Department has suffered a data breach. According to reports, some employees had their personal information exposed by a breach of an unclassified email system. Other reports stated that a report published earlier this year by administration watchdog Government Accountability Office said that the State Department had only rolled out some form of two-factor authentication to 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges.

Please see below for commentary from cybersecurity experts.

Sam Curry, Chief Security Officer at Cybereason:

“In the past, the State Department has turned down help from other agencies to help them identify problems and improve. There are a lot of reasons for this, such as they don’t want national security agencies snooping through their networks, can’t afford any down time, etc. However, considering the immense target that the Department represents, it is not a very compelling case. One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do, and fundamentally this is likely a hack that led to a breach and not some type of insider issue. It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters.”

Gary McGraw, Vice President of Security Technology at Synopsys:

“Sadly, many important departments in the US government continue to lag when it comes to computer security. If the State Department has trouble rolling out two-factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure? This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector.”

Ryan Wilk, VP of Customer Success at NuData Security:

“Governments and companies that provide services online must secure all the links in their security chain. Bad actors look for the weakest point to access information, so companies have to be extra diligent in keeping their security up to date on all placements. Additionally, companies that identify users online need to devalue the data that bad actors steal and use to misrepresent legitimate users – like they do in account takeover attacks. By creating a new authentication framework that identifies customers by their online behavior instead of relying on credentials, personally identifiable information such as names and passwords becomes valueless to cybercriminals. New authentication technologies which incorporate passive biometrics and behavioral analytics can identify consumers by thousands of online authenticators. This way, if credentials or devices are stolen, entities can still recognize the person behind the device or block transactions altogether when fraud is detected.”


US Government Payment Service Leaks

It’s been reported this morning that a payment website – Government Payment Service Inc. – used to process US government payments for traffic citations, court-ordered fines, bail payments and more has leaked more than 14 million customer records. The leak included names, addresses, phone numbers and sections of the credit card number used. IT security experts commented below.

Andy Norton, Director of Threat Intelligence at Lastline:

“Another day, another breach. An abundance of caution has become the default cyber notification philosophy or cyber risk culture advocated by legal counsel following a data breach. Unfortunately we need organisations to be abundantly cautious before, not after, a data breach occurs. We need organisations to adopt AI and behavioural intelligence to reduce the risk from malicious encounters. Every organisation has a responsibility to protect our sciences, culture and freedoms. We have unpredictable opponents with obscured intentions whose constant changes suppress our awareness of the actual dangers we face. Notifications out of an abundance of caution are really just admissions of “too little, too late”. This is because we have not created a culture that addresses the asynchronous nature of cyber conflict, of unprepared defenders constantly underestimating and failing to resist the intentions of a more sophisticated attacker.”

James Hadley, CEO & Founder at Immersive Labs:

“While the article highlighted that the fix for these types of breaches is simple and incidents are preventable, these organisations should already know better and hold the security of their data to higher standards. With the ever-increasing cyber skills shortage, getting the right people to ensure these errors aren’t overlooked has proven to be increasingly difficult. One solution would be to provide better all-round cyber training on a continuous cycle to ensure cyber teams are kept up with the latest best practice. This could ensure that even non-cyber security professionals learn to be more security conscious and provide a bigger barrier when it comes to cyber criminals carrying out these easily preventable attacks.”

Lillian Tsang, Senior Data Protection and Consultant at Falanx Group:

“If we put it into context alongside the GDPR (albeit this news is US driven), the breach has resulted in a high risk to the rights and freedoms of individuals. There is the potential for identity theft and fraud, even cloning, depending on the full scale of the type of information leaked. The mastery held by hackers and the “trades” in personal information in the murky underworld is limitless.

Although the data has been leaked – this in itself is somewhere in the murky lands of it being potentially exchanged, manipulated and cloned. This part cannot be controlled. However, what can be controlled is the frequency of periodic reviews of systems and controls. GovPayNet acknowledges, “it did not adequately restrict access to authorised recipients”. This could have been picked up during a Data Protection by Design and Default approach or the use of DPIAs, particularly for projects such as an online portal, as in this instance, where the velocity and volume of personal data is incredibly high. Even where Data Protection by Design and Default has not been mandated in a country, its equivalent or the standard risk assessments used in industry or specific sectors would be a good start for product and service development that processes personal data.

Whether there has been a leak of login details – naturally customers should be advised to change login and password, with advice on strength of passwords. “Cat” as a password may not cut it. “Cat2Twinkles6Liberty$” may. Reciprocal approach – entities serve customers; customers get informed as well. Banks and relevant institutions ought to be notified. Several communications should be used, as opposed to a single contact channel, and not as part of a by-line with marketing material and general newsletters. Direct emails and SMS are good examples. Banners on the corporate website and advertisements in print media may also be avenues to explore.”


Amazon Investigation

Amazon is investigating allegations that some employees may have sold customer data to third-party companies that Amazon did business with, particularly in China. IT security experts commented below.

Niles Rowland, Director of Product Development at The Media Trust:

“Most threats are internal and they can cause the most significant damage. These threats include those related to third parties on whom organizations have become increasingly dependent. And, when you transplant operations to geographies where legal infrastructures are weaker, these threats can escalate. The growing number of consumer data protection laws like GDPR that are sweeping across the world will require companies to be more vigilant about how they and their third parties collect, process, share, and store personally identifiable information. These laws should be a top management and board issue because they can have an impact on how businesses perform and are evaluated. Lack of preparation for these laws can result not only in penalties tied to infringement of such laws, but also shareholder lawsuits if the lack of preparedness impacts shareholder value.”

Matt West, CRO at Feefo:

“Deleting negative reviews is counter-intuitive. Not only does it falsely distort the image of the product or services a company like Amazon is selling, but it also causes doubt in the consumer’s mind that the reviews are even real in the first place; a wholly positive picture is too good to be true.

“It’s rare to buy something online without seeing some negative sentiment, and in most cases it’s not even about the product but poor delivery, for example. Businesses need to realise that consumers value trust and transparency above all else; our research indicates that 89% of UK consumers agree with this.

“This demonstrates the need for retailers to become more transparent. Retailers must ensure their customers are basing decisions on the real opinions of other customers rather than cherry-picked, positive reviews that suit the retailer, in order for customers to trust them. A direct result will be customers sticking with that brand for the long term.”


UK Business Leaders Warned About Cybersecurity

British business leaders need to extend their cyber security defences beyond the threat posed by Russia to other states and criminal syndicates, one of the UK’s leading spymasters has warned.

In an interview with the Financial Times, Ciaran Martin, chief executive of the UK’s National Cyber Security Centre, which is part of the communications intelligence agency GCHQ, said that while Russia remained a serious threat to businesses, Iran and North Korea, as well as international cyber criminals, presented equal if not greater risks. IT security experts commented below.

Andy Norton, Director of Threat Intelligence at Lastline:

“Unfortunately the advice given is not actionable. How can businesses protect themselves from Russian national interests, when in actual fact they don’t know how to protect themselves from Russian inspired cyber attacks in the first place?

The UK needs a “cyber home front” initiative. It is in an Asynchronous Warfare situation, and the attackers constantly obscure their real intentions with a mosaic of apparently unstructured intrusions against any and all economic and political targets. This serves to dull our awareness to the overarching strategic goal of reducing western economic power, constricting political alliances and isolating individual nations.

The question that needs to be asked is “in a state of cyber warfare, what should we do differently?” and the answer to that question needs to be delivered to business leaders. Then, we might stop the death of a thousand cuts.”

Tim Helming, Director of Product Management at DomainTools:

“While it’s a sad fact that these measures are needed in the current geopolitical climate, it is a fact nonetheless. Threat actors from a number of hostile states are engaging in campaigns of cyber disruption and warfare in order to destabilise and damage political process in the West and further their own political aims: this is evident on both sides of the Atlantic. Detailed threat intelligence on the context and sources of these campaigns is necessary, but increasingly difficult to carry out in the current legislative climate. Much has been said of the dangers of cyber threats to physical infrastructure, but the threats to our political infrastructure can affect something even more critical: our democracies.”

Josef Williamson, Threat Intelligence Analyst at EclecticIQ:

“Today’s five-question guide for boards by the NCSC is a welcome initiative in light of recent incidents like the British Airways breach. It’s vital that cyber strategy is discussed at board level and that organisations begin to take a more proactive approach to their cyber defences, considering their responses to the key questions outlined this morning. Providing organisations with best practice in a formal toolkit later this year will ensure UK businesses have the best chance of defending against any potential threats.

“The next step from there is that businesses become more open in their intelligence sharing, putting collaboration at the centre of the fight against the evolving threat landscape. Standards are maturing, technology is maturing, and there is a big push from government to set up collaborative initiatives to ensure the public and private sectors are sharing insight on threats. Transparency is vital to success in business, and embracing a stance of openness can not only improve a business’s view of cyber threats, but can also fuel a wider cyber intelligence revolution.”
