2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
Read More »
Tags: access control, data breaches, phishing, security, social engineering
An enterprise can pay hundreds of thousands of dollars or more for the latest security software and imagine itself protected from targeted attacks that come in via the network. But if the threat is a real-live person who walks in the front door of an office or server farm, what good can the network edge software do?
Clever criminals are seeing bigger payoffs in showing up on-site to physically plug into a network rather than crafting phishing emails with links that lead to compromised websites. (Not to say that spam and other online social engineering campaigns have gone away; see the Cisco 2014 Midyear Security Report for more.) Simply being able to plug into an Ethernet connection or unplug an IP phone and use that cable to access network information can have serious consequences. Social engineering is the act of hacking people. Therefore, people—your employees—become the weakest link in your digital and physical security posture.
Criminals use similar tactics for social engineering an in-person visit as they do with emails and compromised websites. The point is to build trust (albeit misplaced) with someone who can grant access to company premises.
By researching a targeted employee on LinkedIn—for instance, discovering everything from the tasks they perform on the job to where they went to college and which sports teams they like—the criminal can present himself or herself as someone the target might know or have reason to trust. Thanks to the popularity of social networking, especially among professionals, there is a wealth of information and photos easily available to anyone who needs to get a literal foot in the door.
Armed with background information gleaned from online searches, a criminal can pretend to be a journalist and request an interview or claim to be a potential partner or customer and ask for an in-person visit. The criminal might also wear a fake badge to provide the illusion of authority.
Criminals have also figured out that they do not need to launch such scams at the front door of the organization they are targeting. Instead, they will target a weaker link: that is, a less secure business partner or supplier that has access or connectivity to their real target, which is the network. This is an especially effective technique to use when the security of a target is high, but the security of a trusted business partner of your target is not. Hackers will always try to find the easiest route in.
A mitigation approach for social engineering-based security breaches that involve gaining physical network access is to make sure network access ports enforce authentication and authorization before granting network access.
In addition, organizations can build “dynamic security domains” per user, per device, per user and device, or any other configuration needed. These dynamic security domains can use technology such as 802.1x, port access-control lists (ACLs), VPN, and host posture assessment.
For more security trends from the first half of 2014, download the Cisco 2014 Midyear Security Report.
Tags: 2014 MSR, midyear security report, security, social engineering
Hi there and welcome to today’s U.S. National Cyber Security Awareness Month tip, courtesy of those of us involved in administering and/or contributing to Cisco Security Intelligence Operations!!
For all of you savvy technologists and those well versed in the security realm many of these tips may be old hat but, based on many of my discussions with both personal and professional peers, I know that most, if not all, of these Best Common Practices (BCPs) are not exactly “common.”
- Use non-trivial passwords – While most sites and applications now dictate requirements (lower/upper alphabetical, numerical, symbols, minimum length) for passwords, there are still those that rely on the user to utilize complex passwords. Password selection brings with it a challenging dichotomy – on one hand we are being told (and sometimes forced!) to use complex not-so-easy-to-guess passwords and on the other hand we are expected to be able to remember all of these passwords without writing them down and sticking them on our laptop! Check out Numeric Password Follies and Keep passwords safe and secure with password management for some information from previous Cisco Security Blog posts that may help you choose and manage your passwords more effectively.
- And now that we have finally chosen an acceptable complex password, and we have been able to commit it to memory!, we now have to make sure we Change Our Passwords Regularly! You will find that many of your “more secure” sites implement a specific time frame, e.g., 30 or 60 days, after which time you _must_ change your password. For all those sites, applications, and situations in which this is not the case, it is HIGHLY recommended that you take the proactive approach and manually change your password regularly. It shouldn’t be that hard – just create a repeating reminder in your daily calendar to help you remember to change your passwords!
- And while on the subject of passwords, here’s another recommended best practice! Don’t use the same password everywhere!!! Again, our minds can only contain so many passwords (in addition to everything we need to remember on a daily basis) and things like passwords probably fall to the bottom of our priorities, so use a password manager tool. Because we often take the easy way out and, once we’ve developed that very complex, non-trivial password that we discussed in our first tip, we hang on to it for dear life and use it EVERYWHERE! Bad move! There are few days that go by in the security world where we don’t come across a hack or data breach that was helped along the way by the fact that so many people use the same passwords for both personal and professional sites and applications. Several examples of these breaches can be found in these previous Cisco Security Blog posts: July, a Busy Month for Breaches, Compromised Accounts, Stepping Stones, and 6.5 million password hashes suggest a possible breach at LinkedIn.
- If it looks like phish and “smells” like phish it probably is phish – Do NOT open emails that appear “phishy” – go directly to the known website of the supposed sender of the email. You should also be careful clicking links in emails from known contacts that do not have human-looking text from your friend. For example, be leery of emails which contain nothing but one URL/link or emails that start out with text such as “open this, it is funny.” Agree with your friend to send something he knows that will identify him when he sends a single link. For example ask him her to put in “I was born in XXX, July 1934″ or what team he supports.
- Keep your operating system (OS) and application software up to date. Many OS vendors, e.g., Microsoft, provide automated means of updating software on a regular basis, so take advantage of this offering if your vendor provides it. It is certainly understandable that probably a great many of you have important devices and simply cannot take the chance with automated updates, but for those with less mission-critical concerns it is a worthwhile practice to use automatic software updates. The Cisco Security Intelligence Operations portal includes a section devoted to security alerts affecting both Cisco and non-Cisco products.
- Have your “social engineering” guard up at all times. For many of us, the combination of our personalities and lack of time causes us to become more trustworthy and accepting all invitations – whether by email, phone call, or text – on their surface. What we need to do when working online is put on our “tinfoil hat” and simply not trust anyone! So, when you get that next email soliciting you to “click on the link” to resolve a banking dispute think twice, do NOT click on that link, and then log in directly to the website of your bank (or call them) and resolve that “issue” the proper way. Clicking on links sent to you via email or text could cause you to inadvertently and unknowingly provide login credentials and Personally Identifiable Information (PII) to the bad guys. Check out Levi Gundert’s recent post on how the loss (or theft) of PII can impact you.
- While Anti Virus (AV) Software is certainly not a silver bullet and probably won’t stop some of today’s more complex threats, it is still a useful tool to have in our security toolbox both for our corporate and personal devices. Although most corporate IT departments push out updates regularly to our professional devices, we need to also ensure that the AV Software running on our home and personal devices is kept current and is regularly updated.
- Understand the security measures that are available (and not available!) for social networking sites and applications. Many of you and your peers use some form of social networking – e.g., Twitter, Facebook, LinkedIn, etc. – and it is imperative that you are aware of what information gets shared and what mechanisms are available to you to restrict access to the data you want shared to only those people with whom you wish to share! You would probably be surprised to find out that the data that gets shared, both freely and inadvertently, is often leveraged for malfeasance such as phishing emails!
- Who you gonna call? Know who and how to report any suspect network security incidents, i.e., phishing, spam, malware, DoS, etc. This recommendation may border on the nebulous but it is really important, whether you are on your personal device at home or on a corporate device, that you know that there are resources available should you come across activity, e.g., phishing emails, evidence of DDoS attack activities, etc., that you can contact to get assistance. This could be your ISP, your corporate IT department, Help Desk, Information Security (InfoSec) department, or even a friend or coworker.
- Be vigilant and stay abreast of cyber security news! Regardless of your role and your technical acumen, find at least one source of security intelligence to monitor via RSS, email, Twitter, or by just directly visiting websites. Please visit the Cisco SIO portal, which includes a variety of information such as security alerts, blog posts, technical white papers, best common practices, and upcoming security conferences. Some additional recommended sources of this information include CERT, NANOG, Full Disclosure, Bugtraq, SANS Internet Storm Center (ISC), and Krebs on Security…..to name a few.
My call to action to all of you is to go out there and work together to make our cyber world just a little bit safer – one byte, one email, one phish, and one website at a time!
Tags: antivirus, Cisco Security, cisco sio, cyber security, NCSAM, ncsam-2013, passwords, security, social engineering
The Cyber Risk Report for November 7 through 13 covered the second consecutive Social Engineering Capture the Flag event that was organized by Defcon 19 (a prominent industry “underground” security conference). The event proposes a challenge to competitors with the focus of leveraging social engineering tactics to successfully obtain key company information from a list of prospective companies, with the ultimate goal (based on the past two years) of raising awareness of the threat impact social engineering has on organizations. Furthermore, the competition highlights the common tactics and aspects that social engineers employ. As this year’s competition drew to a close, the Social Engineering CTF Results Report (which provides a debrief of the event, outcomes, and lessons learned) puts an emphasis on the techniques utilized, and the reasons why the respective techniques ultimately succeeded or failed.
Read More »
Tags: security, social engineering
Today’s NCSAM Tip is on recognizing and avoiding the most commonly used social engineering techniques. The root of the problem is simple enough: people are too trusting of content on the Internet. There is a long promoted perception of community, information sharing, free items, help, and friendliness on the Internet that has lulled many into a false sense of safety or security. Unfortunately, the reality is that just about every “con, scam, grift, hustle, bunko, swindle, flim flam, gaffle, sting or bamboozle” known is alive and well on the Internet. When you more closely examine the social engineering techniques that are used by criminals on the Internet, you see they are often the same or variations of con games and scams that go way back, and that many people are familiar with. This too gives people a false sense of security in that many believe they can identify these malicious attempts to exploit them. But, many tests of these beliefs have shown that most fail.
Instead of looking at the complicated technical details or various techniques themselves, it is easier to see the human factors they are attempting to exploit. Cisco SIO did some research of those human factors commonly exploited in 2010, and included the findings in the Cisco 2010 Annual Security Report. What we found was that regardless of the technical details or specific techniques and variations, the attackers commonly attempted to exploit a short list of human weaknesses:
Read More »
Tags: 2010 annual security report, cyber-security-month-2011, social engineering, social networking, spam