Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Top Stories

 

GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.

Related: Why carpet bombing email campaigns endure

And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S.  Government Accountability Office audit last week found that the defense department is playing catch up when it comes to securing weapons systems from cyberattacks.  At an earlier Senate hearing,  GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tend to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may  not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised.  Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.

Naum

One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. …more

GUEST ESSAY: Supply chain vulnerabilities play out in latest Pentagon personnel records breach

By Michael Magrath

It is disheartening, but not at all surprising, that hackers continue to pull off successful breaches of well-defended U.S. government strategic systems.

Related podcast: Cyber attacks on critical systems have only just begun

On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.

The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.

The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.

It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.

Third-party risk

Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel. …more

MY TAKE: Cyber attacks on industrial controls, operational technology have only just begun

By Byron V. Acohido

“May you live in interesting times.” The old Chinese proverb–some consider it a blessing and others a curse–certainly describes the modern-day cyber landscape.

Related: 7 attacks that put us at the brink of cyber war

In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.

With the bulls-eye on a country’s financial Achilles heel, state-sponsored attackers are sowing chaos, disruption and fear. And the risks are multiplying as more digital devices become connected in insufficiently secured environments.

Monitoring and management of many existing industrial control systems’ (ICS) embedded devices, like pumps, valves and turbines, are ancient in technological terms. And until recently, security surrounding operational technology (OT) – the networks that run production operations – have been siloed, or air-gapped, from information technology (IT) operations, which work in the corporate space. Isolating OT operations from public networks like the internet had once been considered best practice.

Dismantling the silos

But Gartner and others now recommend merging OT and IT security. Convergence of the two in the industrial internet of things (IIoT) makes for better communication and access to online data and processes, but it also flings the door wide open for nefarious activity by cyber criminals. Espionage scenarios that once were the basis of movies and novels now have become real-life exploits.

I talked to Phil Neray, vice president of industrial security at CyberX, a company founded in 2013 that operates a platform for real-time security of the industrial internet.

Read on to learn what Neray has to say about industrial security, then hear a more in-depth discussion on the subject on the accompanying podcast:

As organizations digitize their operations and add more sensors and other devices to the production environment, …more

MY TAKE: The many ways social media is leveraged to spread malware, manipulate elections

By Byron V. Acohido

Remember how we communicated and formed our world views before Facebook, Twitter, Instagram, Reddit, CNN and Fox News?

We met for lunch, spoke on the phone and wrote letters. We got informed, factually, by trusted, honorable sources. Remember Walter Cronkite?

Today we’re bombarded by cable news and social media. And Uncle Walt has been replaced by our ‘friend circles.’

This is well-understood by those with malicious intent and hacking capabilities. And this is why they’ve adopted social media as the go-to platform for spreading malware and propaganda.

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, has been studying this development closely. I spoke with Hahad at Black Hat USA 2018. Give a listen to our full conversation on the accompanying podcast. Here are a few takeaways:

Faked social media

It’s human nature to trust people a little more who are in your circle of friends. We’re wired to relax our judgment and click more quickly on items sent by someone we’re familiar with, be it an image, a document, a video clip or a webpage link.

It goes further than that, Hahad argues. He contends that a lot of us tend to more quickly believe the information shared by our circle of friends, and that we often fail to verify and think critically. And this is exactly what Hahad and his team of security analysts observed during the 2016 elections.

“The most publicly visible aspect is swaying voter opinion on certain questions,” he explains. “That has been happening through the fake accounts we know of, through a lot of the fake websites that have been specifically put up to promote certain views, and some of that was to mostly sway discourse.”

The second aspect was less publicized, but it is a technique regularly used in the past to compromise users and businesses. The bad actors went phishing to gain access to candidates’ inner circles, …more

Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging

The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better —  are failing to adequately lock down their privileged accounts.

Related: 6 best practices for cloud computing

An excerpt from Reddit’s mea culpa says it all:  “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.

But here’s the rub: Reddit overlooked the fact that SMS 2FA systems are useful only up to a point. It turns out they can be subverted with just a modicum of effort. SIM card hijacking, for instance, is a scam in which a threat actor persuades the phone company to divert data to a new address. And then there’s SS7 hacking, which leverages known flaws in the global SMS infrastructure to intercept data in transit — including passcodes.

In fact, SMS attacks are being refined and improved daily. This is because they are useful in targeting big companies. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed huge data compromises of similar scale and methodology. …more

MY TAKE: Here’s why we need ‘SecOps’ to help secure ‘Cloud Native’ companiess

By Byron V. Acohido

For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility is the name of the game — especially for Software as a Service (SaaS) companies.

Related: How DevOps enabled the hacking of Uber

DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos with the technology department.

It’s rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, leveraging cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.

Security burden

Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip, as well. Poor configuration of cloud services can translate into gaping vulnerabilities—and low hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper,  a core API was left open allowing them to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.

Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate latent security weaknesses.

In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as a functioning under …more

MY TAKE: The no. 1 reason ransomware attacks persist: companies overlook ‘unstructured data’

By Byron V. Acohido

All too many companies lack a full appreciation of how vital it has become to proactively manage and keep secure “unstructured data.”

One reason for the enduring waves of ransomware is that unstructured data is easy for hackers to locate and simple for them to encrypt.

Related video: Why it’s high time to protect unstructured data

Ironically, many victimized companies are paying hefty ransoms to decrypt unstructured data that may not be all that sensitive or mission critical.

I talked with Jonathan Sander, Chief Technology Officer with STEALTHbits Technologies, about this at Black Hat USA 2018.

The New Jersey-based software company is focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. For a drill down on our conversation about unstructured data exposures please listen to the accompanying podcast. A few takeaways:

Outside a database

Structured data can be human- or machine-generated, and is easily searchable information usually stored in a database, including names, Social Security numbers, phone numbers, ZIP codes.

Unstructured data (also human- or machine-generated) is basically everything else. Typical unstructured data includes a long list of files—emails, Word docs, social media, text files, job applications, text messages, digital photos, audio and visual files, spreadsheets, presentations, digital surveillance, traffic and weather data, and more. In a typical day, individuals and businesses create and share a tidal wave of this information.

The main difference between the two is organization and analysis. Most of the unstructured data generated in the course of conducting digital commerce doesn’t get stored in a database or any other formal management system.

For structured data, users can run simple analysis tools, i.e., content searches, to find what they need. But with no orderly internal framework, unstructured data defies data mining tools. Most human communication is via unstructured data; it’s messy and doesn’t fit into analytical algorithms.

Ransomware target

There is a mountain of unstructured data compared to a molehill of its structured counterpart. Gartner analysts estimate that over 80 percent of enterprise data is unstructured …more