Monday, December 30, 2013

XSS For Managers

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of vulnerability which is very widespread and allows an attacker to insert malicious code (JavaScript) into your web browser via the use of a vulnerable web application. The attacker can deliver their malicious code in a number of different ways.

They can trick you into clicking on a link (Reflected XSS), or wait for you to visit a page which already has the malicious code embedded into it (Stored or Persistent XSS).

That annoying pop-up box with the number 1 in it? That's just a way that some people visually prove that their JavaScript (XSS) has been run. But don't let that lousy pop-up box fool you, there is a lot more to XSS than that!

What can hackers do with XSS?

  • A hacker may be able to steal your 'cookies' and login to the application as if they were you!
  • They may be able to redirect you to a malicious web site without you knowing in an attempt to trick you into giving away sensitive information such as your bank details.
  • They could add fake login pages to the vulnerable application to trick you into giving them your username and password.
  • They could even use XSS to bypass other security measures which are built into the application and your web browser to protect you.
  • The possibilities are almost limitless. Take over your webcam? Yep! Listen in on your computer's microphone?

For advanced attacks see the The Browser Exploitation Framework (BeEF) tool.

Who's been hacked using XSS?

  • The Apache Foundation, the creators and maintainers of one of the most popular web server software on the Internet had their servers compromised by an initial XSS attack.
  • An XSS attack on the official forum of the popular Linux Operating System, Ubuntu, allowed the attackers to download the usernames, email addresses and passwords for 1.82 million of their users.
  • XSS attacks typically target the application's users and their local networks; however, as seen in the examples above, when those users are administrative users the application's web servers are also at risk.
  • XSS vulnerabilities are discovered within Facebook, Yahoo, Google, Twitter and other high profile websites on a daily basis by independent security researchers participating in bug bounties.
Here is a list of other hacks using XSS -

What can I do to protect myself against XSS?

  • Make sure that your web browser is kept up to date and that it has all of its security features enabled, such as Cross-Site Scripting (XSS) filtering. If your particular browser does not have an XSS filter, like Firefox, then you can download an XSS filter add-on called NoScript.
  • Be careful about what links you click on. A link may look harmless enough, but may contain malicious XSS payloads.
  • Log out of web sites when you are finished with them, this makes it harder for hackers to steal your 'cookies'.

The technical bit! What can I do to protect my web application against XSS?

  • Cross-Site Scripting occurs when untrusted input is output to a page without first being sanitised and/or properly encoded. For example, if a user supplies their username to login and then you display that username without sanitising and/or encoding it, what happens if the username contains HTML characters?

    The web browser will not be able to tell the difference between the user's username and what is the page's valid HTML. Data (the username) is being mixed with code (the HTML)! This could allow a user to login with a username that contains malicious JavaScript and have it execute in the browser within the context of your web application.
  • Make sure that you sanitise the username before using it, for example, if users should only have alpha numeric characters in their usernames then enforce this with input sanitisation. Use a whitelist! Compare the username against known goods instead of known bads.
  • Use the right encoding! If the username is going to be used within HTML, then HTML encode all of the username's characters.

    This way the browser will know what is meant to be rendered as HTML and what is not. It's not all about HTML encoding though! You must encode for the right output 'context'. See the links below for further information.
  • Scan your applications for XSS issues. There are many automated web application security scanners which can detect XSS issues in web applications. You could try giving the Open Source OWASP ZAP a go.
  • Set your session cookies with the HttpOnly flag. This tells the browser that the cookie should not be accessed by JavaScript, helping protect your users from having their sessions stolen.
  • A HTTP header called Content Security Policy (CSP) can be set by the web server to tell the web browser what and where JavaScript is allowed to be executed from. It uses a whitelist!
  • Finally, why not install a Web Application Firewall (WAF) such as the Open Source mod_security! A WAF will give your application that extra layer of defence to defend against those attackers but should be used in a defense in depth scenario and not as the only solution as bypasses are found often.

Where can I find further information?

The two types of XSS mentioned on this page (Reflected and Stored) are not the only two! We have only touched upon the subject here. Want to find out more?

The Open Web Application Security Project (OWASP) is a great resource for all things related to the security of web applications. Check out their wiki article on XSS or their XSS Prevention Cheat Sheet. For information on other types of web application vulnerabilities take a look at the OWASP Top 10.

Friday, December 13, 2013

PhishMe: Popular holiday-themed phishing attacks

Most common Holiday-Themed Phishing Attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns. However, which tactics should you train your employees look out for?

Below, PhishMe has pulled together a list of the most common holiday-themed phishing attacks:

Holiday e-card: Who doesn’t love to receive a nice holiday greeting? But is that link to an e-card actually from your co-worker, manager, HR department, etc. or is it something sinister? Emails that appear to be holiday e-cards are a simple and effective phishing tactic every holiday season.

Holiday party info/registration: The company holiday party is always a much anticipated event, and The Wall Street Journal estimates 9 out of 10 companies will throw some kind of holiday party this year. That means lots of organizations will send out email invitations, so spoofed invitations present another great holiday-themed opportunity for attackers crafting phishing emails.

Travel notifications: AAA estimated that 93.3 million people traveled more than 50 miles from home during the end of December last year, and that means airlines will be sending out plenty of flight change/confirmation emails. We have seen some pretty realistic phishing emails that spoof the types of emails airlines commonly send to passengers, and an email warning of major itinerary changes will certainly grab the attention of an employee eager to get home for the holidays.

The view the full post and the rest of the holiday phishing scams please click here.

Tuesday, December 10, 2013

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

The six threats identified as major concerns headed into 2014, ISF emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.

Six: BYO

Trends Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?. When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts,. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.

One: The Internet of Things 

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately." 

Sunday, December 8, 2013

PCI DSS 3.0 – What's New?

Infographic - Summary of the Changes from PCI DSS 2.0 to 3.0

Last month, the PCI Security Standards Council (PCI SSC) officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and auditors will understand how the new mandates will impact organizations.

The effective date of the version 3.0 of the standard will be on January 1, 2014, but existing PCI DSS 2.0 compliant vendors will have until January 1, 2015 to move to the new standard, and some of the changes will continue to be best practices for several more months (until June 1, 2015).

Here’s what has changed:

Monday, December 2, 2013

10 defenses against smartphone theft

Thieves see mobile phones as easy cash. Take these 10 steps to defend yourself

10) Use security applications

Android phones and iPhones both come with security software. But that doesn't mean the software is active, or that third-party software might not help even more. If you have an Android phone, make sure you're using Android Device Manager or a third-party security software such as Lookout Security & Antivirus. If you have an iPhone, make sure Find My iPhone has been set up and activated.

9) Use a strong password

Too many people just give up when it comes to passwords, access codes, and PINs. They pick something such as "password" or "qwerty" or "1234." Raise the level of your game: Come up with a functional password generation recipe, then apply it to your devices and websites. You don't need a password manager. This is not rocket science.

8) Keep phone data handy

Write down your phone model number, serial number, and International Mobile Equipment Identifier (IMEI). If your phone gets stolen, you'll want these numbers (along with your mobile carrier's support phone number) to help your carrier place your IMEI number on the GSMA IMEI blacklist. You can find your IMEI number in most phone settings menus by dialing *#06#, or by checking the battery compartment, if accessible.

7) Be aware of your surroundings

We've all seen them. People who meander down the sidewalk, staring at their phones, forcing others to take evasive action to avoid a collision. People chatting on phones oblivious to those nearby. People who set their phones down on cafe tables or on public transit seats. People who let their phones dangle from purse or pocket. Don't be one of these people.

6) React quickly if your phone is stolen

Report the theft to the local police. This will allow police to check websites that might be trying to unload your stolen phone and will provide you with a police report in case you want to make an insurance claim. Report the theft to your mobile carrier, so your phone service can be suspended and the phone's identifier can be blacklisted. Activate any applicable security software such as Find My iPhone or Lookout. You might also want to change your phone and app passwords, in case the thief was able to login and access some of the services you use through stored passwords. If you're really lucky, your phone's security software will help you recover your device.

5) Choose your phone to match your security expertise

Google executive chairman Eric Schmidt recently insisted that Android phones are more secure than Apple's iPhone. That might be true if you're talking about recent-model Android phones with the Android 4.4 "KitKat" operating system. But security experts scoff at Schmidt's claim. The reality is that the majority of mobile malware affects Android devices.

In August, the FBI and DHS issued a report that found 79 percent of mobile malware affected Android devices, 19 percent affected Symbian devices, and less than 1 percent affected BlackBerry, iOS, or Windows Phone devices. Android's troubles largely arise from the fact that as many as 44 percent of Android users worldwide rely on Android versions 2.3.3 to 2.3.7, which have known vulnerabilities.

So although it's possible to run Android securely, it requires more diligence. Choose BlackBerry, iOS, or Windows Phone if you don't want to be proactive about security. Choose Android if you require the flexibility of a more-open ecosystem and are comfortable with the responsibility.

4) Choose your WiFi network carefully

Just because a WiFi network is visible and accessible doesn't mean it's safe. Use secure WiFi networks when possible. When there's no other option, avoid doing anything that involves authentication if you can. You never know who might be listening or intercepting unprotected network traffic.

3) Choose your apps and websites carefully

User behavior represents a major source of insecurity. If you can avoid downloading sketchy apps and visiting suspect websites, you will reduce your chances of acquiring malware. Security firm Trend Micro says it has analyzed 3.7 million Android apps and updates, and found 18 percent to be malicious, with an additional 13 percent categorized as high risk. Almost half of the malicious apps (46 percent) were acquired from Google Play, the company says.

2) Don't buy phone insurance

If the mobile carriers really are fighting pre-installed security software to sustain revenue from insurance premiums, you can fight back by refusing to participate. Carrying your expensive smartphone without an insurance net should also encourage you to guard your phone more carefully. Of course, you'll be wishing you had insurance when your phone slips from your pocket and fracture lines spread across the touchscreen.

1) Leave your phone at home

It's easier said than done. But you can't lose what you don't have. Shocking though it may be, people used to get by without mobile phones. Try it once in while, if only to highlight your device addiction.

Monday, November 25, 2013

4 Easy Steps To Protect Your Identity

Four major areas of your daily life that are frequently used as gateways into your private data, Protect those areas!

It's no secret that the damage caused by a single identity fraud event can take years to fix. Many consumers don't even discover they have been affected until months after the attack occurs. In fact, identity fraud is the fastest growing crime in the world, costing billions of dollars annually.

So what should we do? The ubiquity and anonymity of the Internet, coupled with old-fashioned method of stealing identity via "dumpster-diving" makes this problem unmanageable for average folks, right? Wrong. 

There are four major areas of your daily life that are frequently used as gateways into your private data. Paying attention to them can help you stay safe from the bad guys. 

Tactic #1: Guard Your Mail. 

Pay attention to your physical mailbox to reduce the chance of being victimized. The mail system has been vulnerable since the days of wagon trains and stage-coaches.

Action Steps:

1) Never use the red flag on your mailbox. It notifies potential thieves that there may be something of value left unattended in the box.

2) Lock your mailbox if possible. Fraudsters look for checks, parcels and other valuables in unattended mailboxes.

3) Place your outgoing mail in a mailbox inside post offices whenever possible. Outdoor mailboxes are magnets for mail thieves and mischief-makers.

Tactic #2: Guard Your Unique Personal Information. 

Your personal data points are often referred to by the acronym SNAPD, which stands for SSN, Name, Address, Phone, and Date of birth. Our SNAPD elements are the "coins of the realm" in the financial underworld and your Social Security Number (SSN) is the Holy Grail.

Action Steps:

1) Never share your SSN, name, address, phone numbers, or date of birth with others unless absolutely necessary.

2) Only share your SNAPD information when it is mandatory. Healthcare, government and financial services organizations will often require these details, but you would be amazed how little NPPI (Non-Public Personal Information) you can share without causing a fuss.

3) Paper shredders are crucial. All SNAPD info (at home and in the office) should be disposed of in a nice cross-cut shredder.

Tactic #3: Guard Your Payment Tools. 

You would never think of leaving any significant amount of cash out in the open and unguarded, so why leave your checks, credit or debit cards exposed? Check fraud is an old yet extremely prevalent practice. Credit and debit cards look similar but are governed by different laws, responsibilities, and remedies. It should be obvious that your debit card puts your immediate personal assets at risk as opposed to the risks associated with credit card fraud. 

Action Steps: 

1) Guard your checkbook, credit, and debit cards and closely examine your monthly statement for unauthorized charges (even tiny ones). By promptly reporting any discrepancies, your financial institution can help investigate, minimize or correct any damage done.

2) Regularly review your credit report.

Tactic #4: Protect Your Computer(s). 

Apply protection controls to not only your desktop, notebook or tablet device, but also your smartphone. According to a study from the Pew Research Center's Internet & American Life Project, 56% of Americans now own a smartphone, a new demographic referred to as "The Mobile Majority". 

Action Steps: 

1) Install and frequently update anti-virus, anti-malware protection for all devices including smartphones.

2) Create passwords with at least 9 alphanumeric digits, and change them every 6 months. Consider using encryption on all your devices.

3) Exercise good data privacy habits by locking your devices, surfing and downloading safely, and guarding the physical security of each machine.

Thursday, November 21, 2013

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute

Industrial control systems continue to draw scrutiny as the risks involved in preserving aging IT infrastructures continue to escalate. Mission-critical systems in everything from manufacturing facilities to public utilities have shown to be easily breached and highly vulnerable.

A new Ponemon Institute survey, however, found that security efforts in the sector are ramping up: 51% use formal risk assessments to identify security risks – which is higher than the broader enterprise average.

Also, the survey found a majority (86%) believe that minimizing noncompliance with laws and regulations helps meet certain business objectives – and that’s also 5% higher than the average.

Risk-based security is coming onto the radar screen too: 43% measure the reduction in unplanned system downtime to assess the effectiveness of cost-containment management efforts, differing from survey average of 38%. And about half (52%) listed the “flow of upstream communications” as one of the top three features most critical to the success of a risk-based security management approach – an 8% increase over the survey average of 46%.

Even so, this is not enough to protect ICS systems against determined attackers. For instance, only 56% listed an “openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach – and this is 6% lower than the survey average of 62%.

Further, It is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability. But in this regard though, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security.

Only 40% have fully or partially deployed security configuration management, differing from the survey average of 49%, and 75% have fully or partially deployed system hardening, which is 5% lower than the survey average of 80%.

When it comes to organizational culture, security still has a long way to go to permeating the business.
Most ICS respondents (69%) said security communications are contained in only one department or line of business, differing from the survey average of 63%. And 67% said security communications occur at too low a level, differing from the survey average of 62% – indicating needed oversight from the C-level is generally lacking.
Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level. Security risks must be considered in context with overall business risk or the entire organization’s success will be in jeopardy.

Friday, November 8, 2013

Kaspersky Lab 2013 Global Corporate IT Security Risks

34% of respondents ranked protection from incidents as the top priority

Kaspersky Lab, in partnership with research company B2B International, conducts regular surveys focusing on the key IT security issues and cyber threats which worry businesses.

The survey aimed to find out what representatives of these companies thought of corporate security solutions, to ascertain their level of knowledge about cyber threats, what cyber security related problems they most often face, how they address these problems and what they expect in the future.

2013 Kaspersky Lab and B2B International survey results provided below reflect the opinions of companies on key issues related to the security of the corporate IT infrastructure.

They also reflect the changes that have taken place since the previous two studies. Comparing current and historical data helps to identify and analyze existing trends in this area, ultimately creating a complete and, we believe, objective picture of the threat landscape, as well as future problems and trends affecting corporate IT security.

Main Findings

According to the survey results, one of the major problems facing businesses is the creation of a clear IT infrastructure development strategy with an information security strategy at its heart.

Companies are increasingly determined to secure their IT infrastructure in the light of increasing numbers of incidents – and significant financial losses associated with them. The main findings of the survey are:

  • Maintaining information security is the main issue faced by a company’s IT management.
  • In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents.
  • A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages at about $50,000.
  • A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs.
  • For a medium-sized or small company, a targeted attack can mean about $92,000 in damages – almost twice as much as an average attack.
  • A significant proportion of incidents resulting in the loss of valuable data were internal, caused by issues such as unclosed vulnerabilities in software used by the company, intentional or negligent actions of employees or the loss or theft of mobile devices.
  • Personal mobile devices used for work-related purposes remain one of the main hazards for businesses: 65% of those surveyed saw a threat in the Bring Your Own Device policy.
  • Information leaks committed using mobile devices – intentionally or accidentally – constitute the main internal threat that companies are concerned about for the future.

For the full report in PDF format, click here.

Wednesday, November 6, 2013

Take Time To Understand Free Tools Before You Use Them

Free tools and technologies can deliver real value, Yet they also can present risks!

URL shortening services, for example, are fantastic, especially for those of us who love to share our knowledge and findings inside social networks. Yet they can very easily, and often do, hide a nefarious attack.

Another Free Tool to Use with Caution

Be sure to check the security of shortened URLs before clicking them. One service you may consider is

Monday, November 4, 2013

How To Stop Your Face From Appearing in Ads?

Imagine Your Face in Google Ads

When it comes to developers of popular free tools, Google is king. Yet the tradeoffs for using tools like YouTube, Gmail and Google+ are becoming clearer. For instance, starting November 11, Google will be able to include Google+ users' faces, names and comments in ads. Configured as a default, the policy is one that users must opt out of if they do not want their images projected in marketing messages.

Here's exactly how to stop your face from appearing in what are being called "adver-dorsements" (at least for now, until Google+ changes again):

  • Navigate to Shared Endorsements in Google+ settings.
  • Uncheck the box next to "Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads."

Understand that this will not stop your network from being able to see those companies and brands that you have liked (or in Google+ language, plus-one'd).

If this makes you uncomfortable, simply stop hitting +1 and do not leave any reviews on Google products.  

Wednesday, October 30, 2013

How and why the Chief Information Security Officer role is evolving?

A new standard for security leadership

How can security leaders help achieve business objectives?

Am I doing enough to protect our enterprise?

How can I measure success?

These questions come up time and time again for Chief Information Security Officers (CISOs) and other security leaders. Just as technology constantly evolves and threats shift, the needs of the business change with regards to security and risk. Security leaders have to constantly reassess, adjust, and improve their skills. Those with the right combination of business practices, technology maturity and measurement capabilities are evolving into more versatile security leaders.

Download full graphic version from here.

Monday, October 28, 2013

Collaboration among various sectors is must for protection against cyber-attacks

Information sharing can facilitate, the more effective fighting efforts against cyber-attacks

Sharing information about cyber-attacks is making a difference in the banking sector, helping bring criminals to justice and curbing fraud losses. And other sectors should learn from banking's example.

It's important for information security professionals to continue their efforts to get senior executives to buy in to the need for cross-industry collaboration. Informal sharing of cyber-intelligence has for years been a common practice among cybersecurity warriors in the trenches.

This type of information sharing, however, often has gone on in the background without the knowledge of upper management. That's because many executives are fearful of revealing too much or sharing with competitors their security vulnerabilities. But that attitude is, slowing but surely, changing.

What's more, the intelligence the financial industry has gathered over the last 12 months about al-Qassam and other attackers was shared with law enforcement, government and others. In fact, much of the information federal investigators gather about cyber-espionage and cyber-attacks comes from the financial sector first.

Those kind of partnerships are needed in other industry sectors as well. Cyber-attacks affect numerous industries, from hospitality and retail to healthcare and government. The more information sharing these sectors can facilitate, the more effective fraud-fighting efforts will be.

Wednesday, October 23, 2013

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and to protect the organization from threats

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. It provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.


Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about.

Tuesday, October 22, 2013

How Would People React and Deal with an Attack on the Electrical Grid?

Could a cyber attack destroy the electrical grid and leave the nation powerless and in the dark for days, weeks or even months? Would we be prepared, or would chaos ensue?

On Oct. 27, National Geographic will premiere “American Blackout,” a movie that tells the story of a national power failure in the U.S. caused by a cyber attack. The film is told in real time, over the span of 10 days, by the characters depicted in the film who kept filming on their cameras and phones. It will air on the National Geographic Channel.

According to Richard Andres, a consultant for the film, the threat isn’t all that far-fetched. “This was a dramatization of something that is not unrealistic. We don’t need to be this vulnerable. But the first step is people need to be aware that this is a problem”.

The film depicts a nationwide power outage caused by a cyber attack. It takes a point-of-view look by different characters affected by the blackout. Some of the characters depicted include a doomsday prepper family, a family awaiting the birth of their second child, and a group of college students stranded in an elevator.

As depicted in the movie, ATMs would not work and neither would credit cards. Andres said that 20 years ago people were more reliant on cash, which would be able to keep commerce going. But now people are more reliant on virtual money, which would stop commerce.

Andres consulted the film and reviewed the script for elements of realism. He told the creators what scenarios he believed were realistic and said he thought that the movie put the experience into terms that the average viewer could relate to. Although many families are not prepared for an event like this, the doomsday preppers in the film had enough food to last them two years. And although he wouldn’t say if that was extreme or not, Andres said food and water are essential and he would advise people to have more than three days worth on hand at any given time.

Sunday, October 20, 2013

Basic Tips To Protect Mobile Device

Mobile owners should pay attention to mobile device safety!

Mobile communication has never been this cool, from the traditional SMS and call features, we can now enjoy desktop experience via smartphones and tablets. However, aside from the health risks associated with excessive use of cell phones, the advent of mobile internet has raised the risks too.

It is common that most of us protect the hardware and exterior of our phones, but do not exert enough effort to protect the OS and contents of our phone from hackers, and strangers who can get hold of our misplaced or stolen smartphones.

Allow me to share with you some tips I thought will give basic protection so private photos or videos, debit/credit card credentials, and other private information will not be at the mercy of other people.

  • Use password to open your phone, make a purchase and open a file (if available). The inconvenience it’ll bring is nothing compared to the risk involved.
  • If available, activate the “find my phone feature” of your phone.
  • If available, activate the feature that can remotely erase contents, or reset of your phone.
  • If available, activate a “kids safety feature” of your phone- this will prevent your kids from accessing apps that are not kid appropriate, or accidentally altering the configuration of your phone or erase some data.
  • If available, use an anti-virus solution for your phone
  • Take precaution when connecting to public hotspots.
  • Do not click links attached to an email, direct messages, or status updates in your timeline. Verify first w/ the sender. These links normally downloads a malware or give permission to hackers.

As a general safety reminder, do remember that the currency we use to pay for the “free” apps and games we download are the information associated w/ our account- these may include our location and contacts. Please read carefully the privacy policy and terms of service for each app.

Thursday, October 10, 2013

Creepy Way Facebook Advertisers Use You!

How Facebook Is Using Your Photos in Ads?

Gmail isn't the only online platform guilty of repurposing your photos. Facebook and its advertisers, too, have become really good at using your image to inspire your friends' confidence in the products they are pushing.

A friend who recently experienced this said, "I did not realize that 'friending' [a company on Facebook] to get coupons probably means I've agreed to be used in their ads. Seeing a friend's picture [used this way] makes me suspicious my picture is doing the same thing on other people's Facebook pages."

What I find particularly interesting is the way Facebook explains away its practices with this statement, (which you can see for yourself if you follow the prevention steps below): "Everyone wants to know what their friends like. That's why we pair ads and friends."

Fortunately, there is a way to stop Facebook from using your profile picture in advertisements.

1) Go to "Privacy Settings"
2) Click on the "Ads" tab on the left hand side.
3) In the Third Party Sites section click on "Edit"
4) In the drop down menu, click "No one" and then "Save Changes"
5) In the Ads & Friends section click "Edit"
6) In the drop down menu, click "No one" and then "Save Changes"

NOTE: You cannot opt out of receiving Sponsored Stories, which are essentially another type of ad. If you like a story on a brand page or share that you engaged with a brand, that brand can pay Facebook to ensure that it shows up in yours and your friends' timeline feeds.

Tuesday, October 8, 2013

How Much Information You Are Leaving Online?

Do you ever feel like you're being followed?

Perhaps that's because you are. While it may not be the boogeyman who's hot on your trail, there are many groups of watchers who have made it their business to know as much about you as possible.

Each day, we are tracked by the 'smart' systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail).

How comprehensive profiles Google is capable of building based on all the information we voluntarily share?

How valuable your online information is to burglars?

Notice all they can get off of *your* social network sites...and those of your friends, family and co-workers. Be aware of what you put out there!

For those of you in charge of or influencing your company privacy policies, consider how you are gathering and sharing your customers' data. Are you doing so in a manner that is transparent and compliant?

Monday, September 30, 2013

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so.

Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

Monday, September 23, 2013

How To Reduce Application Security Risk?

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  • Application Security Standards
  • Regular Security Assessments for measurement
  • Training for each role in the SDLC

The mature organizations share common characteristics by:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

Saturday, September 21, 2013

iPhone 5S: A Biometrics Turning Point?

Future: Mobile Devices Will Boost Interest in Advanced Authentication

Apple's decision to include a fingerprint scanner in its new iPhone 5S is an important step toward bringing biometrics-based authentication into the mainstream. But there's still a long way to go before biometrics supplant usernames and passwords at the enterprise level.

Owners of the new phone can use a fingerprint to physically unlock their devices instead of using a numeric passcode. Apple will also let users confirm purchases from the iTunes store by swiping a finger on the sensor.

Apple have not yet revealed whether they will allow third-party developers to take advantage of the new TouchID fingerprint technology to build biometrics-based authentication into their apps. While TouchID is an important milestone toward getting users comfortable with using biometrics as an authentication credential, the technology has to expand beyond the Apple universe before it can truly be considered a game-changer or a significant security breakthrough.

Biometrics authentication is not new to the mobile space. Some laptop vendors, including Lenovo, have included fingerprint readers in their devices for several years. Plus, a number of smart phones and tablets already incorporate biometrics to authenticate users. And security vendor McAfee recently introduced an online file storage service that relies on voice recognition to authenticate users. But all of these vendors use closed, proprietary models, which has made it difficult for biometrics to gain traction in the marketplace.

Market penetration for PCs and laptops with fingerprint sensors is about 20 percent, according to the FIDO Alliance, an industry group focused on open standards for authentication. Even if a majority of iPhone users opt for the iPhone 5S, overall smart phone market penetration for fingerprint scanners will remain low, considering that research firm IDC estimates Apple has about 17 percent smart phone market share.

The iPhone's popularity and its reputation as a trendsetter could help more consumers feel comfortable with the idea of using fingerprint scanners on a regular basis. And once they are used to the idea of fingerprint scanners, other types of biometrics won't be far behind. TouchID is the "first example of the potential for large-scale mass-market mobile biometric authentication.

Tuesday, September 17, 2013

Scam Of The Week: Ransomware Uses Child Porn Threat

Cybercriminals have cooked up a new way to blackmail people!

Getting caught viewing child porn is a huge deal and instantly makes you an outcast in most western countries. Cybercriminals have cooked up a new way to blackmail people out of their money, both inside and outside the office.

The ransomware family is called Revoyem (aka Dirty Decrypt) and uses the worst possible strategy to get people to pay up. It starts at a porn site that you have landed on, either on purpose or by accident. Then you are redirected by a malicious ad to an actual child porn themed page with very disturbing images. But while you are there, your PC gets infected with the Styx malware dropper which downloads ransomware and your computer gets locked.

The lock screen again shows disturbing images and now accuses you of watching child porn and what the penalties are. However, here comes your friendly ransomware to the rescue. Just pay the fine and you will not be prosecuted. They tell you to use either MoneyPak or PaysafeCard.

The attack is seen in the U.S., Canada and several Western European countries, is translated for each territory and uses the correct government law enforcement agency as a threat. This looks very much like an Eastern European Cybermafia operation.

WHAT TO DO: In an office environment, call the helpdesk and they will treat this as malware and remove it. At the house, call the police and file a complaint. It is likely the Police already know about it. 

Also take the PC to an expert and get the malware removed. And stay away from unsafe areas on the Internet like gambling and porn sites! Here is how the lock screen looks:

Sunday, September 15, 2013

BYOD, Corporate-Owned or Hybrid Environments?

BYOD: Problem in the reality is smaller than it seems!

Companies nowadays wrestle with the decision of whether to give employees the freedom to use personal mobile devices to access corporate data, or issue secure, mobile devices.

The main issue of the BYOD concept is to deal with corporate control and user privacy and usually at the end of the day this concept can cost to the company more than buying corporate-owned mobile devices. You also have to deal with different OS versions, installed applications, rooted devices, etc. They are some great MDM out there, but no one can deal with the diversity world of mobile devices.

BYOD, Corporate-Owned or Hybrid Environments? That depends of the “type” of business you do, but the best way to start is to limit the access to the resources from mobile devices to those who they really need them. In this way at the end of the day you will find out, that the problem in the reality is smaller than it seem at the moment.

An interesting article about the cost, efficiency, productivity, risk and security implications of BYOD, Corporate-Owned and Hybrid Environments can be found on the following link

Friday, September 13, 2013

How To Develop Security Awareness?

Six Steps To Successful Security Awareness Training

If you would schedule an event to teach people about Internet Security, and make it optional to attend, only about 5% of your entire office population will show up. And guess what, those 5% are probably the people that need it least.

Here are the six elements of a successful Internet Security Awareness Training Program

  • Formulate, and make easily available a written Security Policy.
  • Each employee needs to read the document and sign it as an acknowledgment they understand the policy and will apply it.
  • Give all employees a mandatory (online) Security Awareness Course, with a clearly stated deadline. It is highly recommended to explain to them in some detail why this is necessary.
  • Make this Security Awareness Course part of the onboarding process of each new employee.
  • Keep all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
  • Never publicly identify an employee that fails a simulated attack, let their supervisor or HR take this up privately. Give a quarterly prize for the three employees with the lowest ‘fail-rate’.
  • If you use posters, stickers and or screensavers, change the pictures or messages monthly. After a few weeks people simple don’t ‘see’ them anymore. It’s more effective to send them regular ‘Security Hints & Tips’ via email.

Wednesday, September 11, 2013

Five Generations Of Cybercrime

Now that cybercrime is in its fifth generation, prevent a security nightmare from happening on your watch

It helps to understand more about the history of hacking, when you need to defend yourself against cyber criminals. Early hacking started when guys like Kevin Mitnick became ‘digital delinquents’ and broke into the phone company networks.

That was to a large degree to see how far they could get with social engineering, and it got them way further than expected. Actual financial damage to hundreds of thousands of businesses started only in the nineties, but has moved at rocket speed these last 20 years.

Generation ONE

Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it. Relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation TWO

These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking a few minutes) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, and teenagers showing off their “elite skills”.

Generation THREE

Here the motive moved from recognition to remuneration. These guys were in it for easy money. This is where botnets came in, thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

Generation FOUR

Here is where cybercrime goes professional. The malware starts to hide itself, and they get better organized. They are mostly in eastern European countries, and use more mature coders which results in much higher quality malware, which is reflected by the first rootkit flavors showing up. They are going for larger targets where more money can be stolen. This is also the time where traditional mafias muscle into the game, and rackets like extortion of online bookmakers starts to show its ugly face.

Generation FIVE

The main event that created the fifth and current generation is that an active underground economy has formed, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain. Note that because of this, cybercrime develops at a much faster rate. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:

  • Cybercrime has their own social networks with escrow services
  • Malware can now be licensed and gets tech support
  • You can now rent botnets by the hour, for your own crime spree
  • Pay-for-play malware infection services that quickly create botnets
  • A lively market for zero-day exploits (unknown vulnerabilities)

The problem with this is that it both increases the malware quality, speeds up the criminal ‘supply chain’ and at the same time spreads the risk among these thieves, meaning it gets harder to catch the culprits. We are in this for the long haul, and we need to step up our game, just like the miscreants have done the last 10 years!

Saturday, September 7, 2013

5 Quick Lessons on Privacy

Privacy Matters - How Easily Someone Could Hack Into Your Life?

Being diligent about your personal privacy is a learned behavior. Often the best way to practice is to take a closer look at the every-day activities in which you and your friends, colleagues and family members take part. 

Below are some quick-hit resources that serve as good reminders of the privacy threats we are exposed to each day.

Thursday, September 5, 2013

Successful Digital Strategy: Bridge the gap between CIO and CMO

CIO & CMO doesn't trust each other, IT doesn't provide fast turn-around!

Business is largely about competition and, even within organizations, a healthy dose of rivalry between colleagues can be a good thing. However, a survey just conducted by Accenture Interactive (see The CMO-CIO Disconnect) points to a downright unhealthy relationship in many C-Suites which can do nothing but damage to firms. 

At a time when many executives say that improving digital reach will be a significant differentiator for their companies, research shows that two of the most important digital leaders — the Chief Marketing Officer (CMO) and the Chief Information Officer (CIO) — do not trust each other, understand each other, or collaborate with each other.

That is very bad news for their businesses and, not incidentally, for their own careers. When IT and marketing departments work at cross-purposes, the results are inefficiencies and mishaps and it is customers who suffer. Potential buyers simply don't have the time or energy to do business with a company that makes things harder for them.

To begin to mend the CMO-CIO relationship, it's important to understand the source of each side's frustrations. CMOs' answers to survey questions make it clear that they view IT as an "execution and delivery" provider, instead of as a strategic partner. CMOs do not believe they are getting fast enough turnaround on projects and adequate quality from the IT departments. Because many CMOs do not believe they are getting the service they want from their IT departments, many bypass the IT department and work with outside vendors. Forty-five percent of marketing executives say they would prefer to enable marketing employees to operate data and content without IT intervention.

For their part, IT executives believe marketers make promises they can't keep and do not provide them with adequate information on business requirements. The CIOs believe the marketing teams often do not understand — or appreciate — data integration or IT standards. Nearly half (49 percent) of CIOs say marketing pulls in technologies without consideration for IT standards. Forty-seven percent say the marketing team lacks understanding of data integration.

CEOs and others in the C-suite should not turn a blind eye to this tension, hoping for it to resolve itself. It is crucial for companies to instill more collaboration and understanding across the functions.

Here are five suggestions for supporting a CMO-CIO relationship that will ultimately benefit customer experience and drive sales:

Identify the CMO as the "Chief Experience Officer."
This is more than simply a change in nomenclature It is a constant reminder to the CMO that the job doesn't end with branding and advertising. The CMO must design and drive a customer experience that is consistently first-rate, at every touch point within the company — a goal that lays more emphasis on the role of IT and the need to reach a deeper understanding.

Signal that IT is the strategic partner to marketing
The CIO cannot be viewed as only the chief technology platform provider; the role must be elevated to a strategic member of the C-suite.

Get the two leaders working from the same playbook
Already, CIOs and CMOs spend more than 30 percent of their respective budgets on technology. It is time for them to agree on key business levers for marketing and IT integration, such as access to customer data and speed to market along with security, privacy, and standardization.

Change the skill mixes
Make sure the marketing department becomes more tech savvy and the IT department better understands marketing. Again, coming together around the consumer and customers will help to breakdown internal silos and align agendas. Upgrading their skills will help both departments make better decisions about technology and understand its impact on business outcomes.

Develop trust by trusting
It is time for leaders in organizations to extend their trust to — and accept it from — business units beyond their own.