2016 Information Security Predictions

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predict many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift-off.

Wearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen. Code that runs beneath the operating system is hard to inspect and survives a reinstall, which makes it an attractive place for an attacker to hide.

Ransomware

Not only will this kind of attack continue, but an offshoot of it, ransomware-as-a-service ("I will infect someone's device with ransomware for you for a reasonable price"), will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

When it comes to cybersecurity, a company's weakest links are often its employees. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest to fend off attacks, but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be aimed at employees' home systems as portals into the company's network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because records stolen in separate breaches will be linked together into richer profiles of the same person, and a linked profile is worth far more than any single record.

Cars, et al

Let's hope that 2016 (or any year, actually) won't be the year that a cyber punk deliberately crashes an Internet-connected van carrying a junior high school's soccer team. Security experts, working with automakers, will tighten protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It's possible: your paycheck, which has been directly deposited into your bank for years, suddenly starts going into a different account, one belonging to a cyber thief. Snatching control of a transaction is an "integrity attack" (the data is altered, not merely read), and it lets the thief steal your money or a big business's money.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How to shop securely with a Mobile Phone

“You can buy things with your phone!” No kidding! But imagine what the response would have been had you made this statement in 1984: “Off your meds, eh?”

Purchasing via the smartphone may very well eclipse the popularity of shopping via laptop. And cyber thieves know this. They're counting on you to slip up.

  • Never click a link inside an e-mail, even if the subject line is a warning or alert to a fabulous sale. Cyber crooks know that the small screens on mobiles can easily hide the tell-tale signs of a scam e-mail, and that people are especially vulnerable to subject lines blaring great deals.
  • If you're too tempted to ignore the great deal, then visit the merchant's site by typing its address yourself, using a bookmark you saved earlier, or typing the merchant's name into a search engine rather than clicking the link inside the e-mail. That link could lead to a malware download or to a look-alike site.
  • Never use public Wi-Fi (e.g., at the airport or hotel) to shop. Stick to your phone’s mobile broadband network or at a minimum use a virtual private network (VPN).
  • When shopping with your phone, use a credit card, never a debit.
  • When using your phone, make sure nobody is spying. This really happens; it’s called visual hacking. It can even be done with the crook’s phone—capturing on video the sensitive information you’re entering on your phone.
  • You accidentally mis-type the URL of a major retailer (but don't know it) and end up on what looks like their site. It's called typo squatting. How is this possible? The site is the crook's. He knows people will commit typos, so he registers the misspelled domain and puts up a website that mimics the real one. You're lured into "buying" off it, entering your credit card or PayPal information, which he then has. And he knows you won't notice the site is an imposter because your phone's screen is so small that the address bar is easy to overlook.
  • Keep the phone’s software updated.
  • Deactivate autosave logins.
  • Your phone contains so much sensitive information about you and your family, financial data, maybe medical history, etc. What if a crook gets ahold of it? Set up a personal identification number (PIN) for login.

Download only from official app stores: Apple App Store, Google Play and Amazon. Don’t download from third-party vendors.
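The two link checks above (is the address a typo-squat of a merchant you know, and does the link really go where its text says it goes) can be automated. The Python below is an added example, not code from the original post or from any product it mentions: it generates the classic typo-squat permutations of a merchant name (one character omitted, doubled, transposed, or replaced by a neighbouring key) and classifies e-mail links against a small list of merchants you actually shop at. The merchant list and the sample links are constructed for the demo, and `registered_domain` assumes the last two labels are the registrable domain, which is fine for `.com` but not for suffixes like `.co.uk`; a real tool would consult the public suffix list.

```python
from urllib.parse import urlparse

# Constructed for the demo: the merchants this shopper actually uses.
KNOWN_GOOD = {"amazon.com", "bestbuy.com", "paypal.com"}

# Neighbouring keys on a QWERTY layout, for "fat finger" substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}


def typo_variants(name):
    """Typo-squat permutations of one DNS label: omission, repetition,
    transposition of adjacent characters, and adjacent-key substitution."""
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                    # omission
        out.add(name[:i] + ch + ch + name[i + 1:])          # repetition
        for nb in ADJACENT.get(ch, ""):
            out.add(name[:i] + nb + name[i + 1:])           # adjacent key
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    out.discard(name)
    return out


def registered_domain(host):
    """Assumption: last two labels are the registrable domain (OK for .com).
    'amazon.com.evil-deals.net' therefore resolves to 'evil-deals.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_named(text):
    """Which known merchants the link's visible text claims to be."""
    t = text.lower()
    return {g.split(".")[0] for g in KNOWN_GOOD if g.split(".")[0] in t}


def check_link(display_text, href):
    """Classify a link as 'ok', 'insecure', 'typosquat', 'mismatch' or 'unknown'."""
    url = urlparse(href)
    domain = registered_domain(url.hostname or "")
    named = brands_named(display_text)

    if domain in KNOWN_GOOD:
        # Text says one merchant, link goes to a different (real) one.
        if named and domain.split(".")[0] not in named:
            return "mismatch"
        # The padlock advice: a real merchant's checkout must be https.
        return "ok" if url.scheme == "https" else "insecure"

    name, _, tld = domain.partition(".")
    for good in KNOWN_GOOD:
        gname, _, gtld = good.partition(".")
        if name in typo_variants(gname) or (name == gname and tld != gtld):
            return "typosquat"          # amazom.com, amzon.com, bestbuy.net

    if named:
        return "mismatch"               # "PayPal" text, unrelated domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links as they might appear in a "great deal" e-mail.
    samples = [
        ("Amazon Deals", "https://amazon.com/deals"),
        ("Amazon Deals", "http://amazon.com/deals"),
        ("Amazon Deals", "https://amazom.com/deals"),
        ("PayPal", "https://paypal.com.secure-login.net/verify"),
        ("Click here", "https://example.org/sale"),
    ]
    for text, href in samples:
        print(f"{check_link(text, href):10s} {text!r} -> {href}")
```

The "mismatch" class is the one a small screen hides best: the visible text and even the first part of the hostname say PayPal, but the registrable domain is someone else's. Run it on a few links copied from your own inbox to see how often the text and the destination disagree.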

Nine ways to shop safely on Cyber Monday

With Cyber Monday, you don't have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulp by cyber scammers waiting for their prey.

How can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shop online long enough and you will eventually land on an infected website designed to inject malicious code into your computer or phone. "Ransomware" will hold your data hostage. Backing up your data in the cloud to Carbonite means you won't have to pay the "ransom" to get it back.
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer's URL begins with "https" and the browser shows a padlock symbol next to it, the connection to the site is encrypted, so your card number can't be read off the network in transit. If it doesn't, don't buy from that merchant if the product is something you can buy from a secure site. One caveat: the padlock only vouches for the connection, not for who is on the other end, and a crook can put "https" on an imposter site too, so check the address itself as well. Of course, I don't expect, for instance, Veronikka's Death by Chocolate Homemade Cookies to have an encrypted site, but if you're looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Do you know what your Kids are doing online?

Your child is active online. Did it ever occur to you that he or she uses a fake name so that they can't be identified by you? Chances are, you, the parent, also use a pseudonym. It's very common.

Cyberspace is full of obvious pseudonyms, but a phony name can also be a regular name that many people have. Your child will be lost in a sea of David Johnsons or Amanda Millers.

Intel Security did a study and found that 40 percent of kids use aliases or alternate accounts. Intel Security also found:

  • Many kids fessed up to cyberbullying, including making threats.
  • Far fewer parents in the survey, however, believed their kids were capable of cyberbullying.
  • Over 25 percent of the kids admitted they’d meet someone in person after first meeting them online.

Wayne State also conducted a study:

  • Over 50 percent of juvenile respondents admitted to tracking or stalking a romance partner or harassing/bullying them.

Parents really need to monitor their kids’ cyber lives. However, there are obstacles facing parents such as being intimidated by technology and feeling awkward requesting their kids’ passwords.

However, parental involvement, such as knowing the passwords, correlates to lower incidents of cyberbullying. So contrary to myth, parents are not overstepping boundaries by monitoring their kids’ online habits—within reason, of course.

But parents need to do more than just cyber-hover. Kids need to learn from the inside out how to cyber-behave in a smart, safe way. They need to learn how to think for themselves and understand how predators prey on kids. If they’re old enough to use social media, they’re old enough to be told all the dirt on what kinds of creeps are out there.

Parents must ask themselves, “Is my child’s life so empty that they can easily be lured by an online predator to meet him in a secluded place?” Or how about, “Why is my kid obsessed with adding friends? He already has over 3,000 and that’s not enough.”

Computers and social media, in and of themselves, do not turn kids wayward, into bullies or into victims. Predisposing family dynamics are already present, and they simply manifest themselves online. For example, a teenager who spends six hours a day creating fake Facebook accounts, stealing photos off of blogs, then adding these phony accounts as friends to her actual Facebook account, has pre-existing psychological issues.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

A report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy's networks 150 times; they've stolen blueprints and source code for our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in mass casualties, e.g., contaminating the water supply of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it's no longer about who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don't have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They're behind, all right, but they're trying hard to catch up to Russia and China. For now, we can breathe easy, but there's enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.'s cyber security isn't anything to brag about: very recently, some white hat hackers tested the defenses of the Snohomish County Public Utility District in Washington State and infiltrated it within 22 minutes.

Another weak point in our defenses is attribution, that is, pinning down the source of a major hacking incident. So if WWIII becomes real, the U.S. won't necessarily know where the attack came from.

5 In-Demand Cybersecurity Specialties

There are numerous subspecialties within the booming cybersecurity field[i]. Here are some of the most in-demand professions:

Cybersecurity Engineer: This is the all-around, jack-of-all-trades, go-to guy or gal of cybersecurity. For all intents and purposes, a cybersecurity engineer is a hacker – but a good one. Using their advanced knowledge of malware, viruses, theft, DDoS attacks and other digital threats, cybersecurity engineers defend organizations against crime online. Personality traits required for this role include being flexible, nimble and a do-it-yourselfer. Candidates also must have:

  • A good background in penetration testing.
  • Experience with additional online security measures.
  • On-the-job experience, which is an absolute must for this position.

Malware Analyst: If you choose to specialize, working as a malware analyst is like being an oncologist fighting cancer. There’s research, removal or treatment, and it’s up to you to decide how to apply your training.

With millions of types of malware on PCs, Macs and even mobile devices there’s a significant shortage of experts in this highly in-demand field. Responsibilities include:

  • Identifying and fighting viruses, worms and Trojan attacks.
  • Educating companies about malicious software.
  • Analyzing malware inside and out.
  • Developing tactics to help prevent future attacks.

Application Security Administrator: Back in the days of desktop computing, the only means of compromising data were to insert a contaminated floppy disk into a PC or open an infected email attachment. We’ll call this the “anti-virus era.”

Next came the “network security era.” The need for cybersecurity evolved with the Internet as more companies developed internal and external networks.

Information security has evolved yet again. Today, we live in the “application security era.” The demand for application security administrators is nearly limitless. The job includes:

  • Performing application security reviews, looking for potential weaknesses.
  • Writing testing code for applications.
  • Ensuring a company’s applications comply with the minimum standards for security.
  • Ensuring that any applications that the company uses conform to the minimum standards for privacy.

Chief Information Security Officer (CISO): CISO is the top position managers in the field of cybersecurity work toward achieving. Prospective candidates should take a multifaceted approach to cyber education with courses in business fundamentals. Responsibilities might include:

  • Monitoring the efficacy of security operations.
  • Preparing a company to fight cyber attacks.
  • Designing strategies to oppose imminent threats as well as threats in their early stages.
  • Looking for cyber intrusions.
  • Analyzing the company for possible holes in its network.
  • Managing other security personnel.

Security Consultant: It’s tough to land a 9-5 job as a security consultant, but this is one of the most gratifying positions one can pursue when engaged in the diverse and rapidly changing world of cybersecurity.

Consultants come in two flavors: they have a knack for solving problems in a particular niche, or they have accumulated knowledge of multiple systems over the course of their career. Security consultants are expected to:

  • Work with companies to come up with security tactics that align with the company’s particular needs.
  • Possess knowledge about security standards, systems, etc.
  • Have superb communication and management skills, as the security consultant will need to interface with management and know the company’s corporate policies.
  • Test security measures that they’ve recommended.

When choosing a specialty, keep a few things in mind. Try to choose one that can complement another in the event you decide to make a change. Research how much training and education, in time and money, might be needed. Are there certifications that need to be re-qualified for, and how often? Consider the dynamics of the specialty, such as whether you will be working with individuals, teams, or by yourself. Will there be travel involved? Does it require overtime, or is it a straight 40-hour-a-week job?

No matter what you choose, follow your heart.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Sales Staff Targeted by Cyber Criminals

Companies that cut corners by giving cybersecurity training only to their technical staff and the “big wigs” are throwing out the welcome mat to hackers. Cyber criminals know that the ripe fruit to pick is a company’s sales staff. Often, the sales personnel are clueless about the No. 1 way that hackers “get in”: the phishing e-mail. Salespeople are also vulnerable to falling for other lures generated by master hackers.

In a recent study, Intel Security urges businesses to train non-technical (including sales) employees. Sales personnel are at highest risk of making that wrong click because they have such frequent contact in cyberspace with people outside their company, so an unexpected e-mail from a stranger is routine for them rather than a warning sign.

Next in line for the riskiest positions are call center and customer service personnel. People tend to think that the company’s executives are at greatest risk, but look no further than sales, call center and customer service departments as the employees who are most prone to social engineering.

It’s not unheard of for businesses to overlook the training of sales employees and other non-technical staff in cybersecurity. Saving costs explains this in some cases, but so does the myth that non-technical employees don’t need much cybersecurity training.

Intel Security's report says that the most common methods used by hackers are the browser attack, the stealth attack, the SSL attack, network abuse and evasive technologies.

In particular, the stealth attack is a beast. Intel Security has uncovered 387 new such threats per minute. IT teams have their work cut out for them, struggling to keep pace with these minute-by-minute evolving threats. This doesn’t make it any easier to train non-technical staff in cybersecurity, but it makes it all the more crucial.

Training non-technical staff, particularly those who have frequent online correspondence and have the gift of cyber gab, is the meat and potatoes of company security.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Dept. of Homeland Security Computers Vulnerable

There’s a problem on the home front: security lapses in the computers of the Secret Service and Immigration and Customs Enforcement, says a report on townhall.com. These departments were recently audited, and weaknesses were revealed.

Recently, hackers got into the White House, the State Department and the Office of Personnel Management, among other entities. This has caused the public to wonder just how strong cybersecurity is for the U.S. government, and hence the audit was carried out.

The root of the problem may be inadequate training of the investigators and analysts for the Department of Homeland Security. This seems to have stemmed from Congress cutting corners with the training budget. The internal websites for the Secret Service and ICE were shown to be deficient.

How many employees are in the Department of Homeland Security? 240,000. That’s a lot of potential for inadequate training to result in the accidental opening of a back door for hackers.

The audit made nine recommendations to the DHS. The DHS has reported that it’s been making efforts to address these recommendations.

  • The Secret Service and ICE are responsible for coming down on financial fraud, money laundering, identity theft and fraud involving banks and credit cards.
  • The National Protection and Programs Directorate (NPPD) was also audited, and this entity is responsible for the security of government computers.
  • ICE, the Secret Service and the NPPD blame Congress for the security lapses. They point out that Congress has a stop-and-go style of funding for cybersecurity, because Congress will not authorize ongoing funding throughout the year.
  • In fact, an ICE analyst revealed that he had to pay out of pocket for cybersecurity training, and thanks to the limited budget for this, was not able to attend formal training in four years.

The report states that employees may not be able to perform their assigned incident response to a cyber attack, nor efficiently investigate such an incident, as long as training is come-and-go and only peppered throughout the DHS instead of being department-wide.

State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

The hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

If the history of security were compressed into a 24-hour clock, cybersecurity would come in during the last few seconds. Governments for eons have been very staunch about providing security in physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It's just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country's citizens is an integral part of the nation's security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up its nation, or else one day, the empire just might crumble.

Trolls: How to deal

Cartoonist Ben Garrison posted something “about the Fed” online, says an article at www.vice.com, and this created a firestorm, leading to his billing as the “most trolled cartoonist in the world.” You see, his other cartoons were altered in an offensive way, fooling people into thinking these alterations were his original creations.

How can Garrison climb out of the hole others dug for him? First, identify the type of trolling. The vice.com article describes several forms:

  • Hate speech. This targets anyone other than a white straight man who’s not transgender.
  • Cyberbullying. Targets are often known by the cyberbullies, though I’d like to point out that in this day and age, if you disagree with someone’s comment on an article, you might be called a bully.
  • Trolling. Like cyberbullying, trolling has developed an incredibly broad encompassment, but in its truest form, it refers to anonymous harassing. The basic difference between cyberbullying and trolling is that the target has no way of responding directly to the troller.
  • Griefing. Many people do something little, like send a nasty tweet. The act itself is minor, but when multiplied by all the people repeating it, it creates a huge effect.

After you identify the type of trolling, report it to the social media platform it occurred on.

  • Facebook doesn’t permit online harassment, but this doesn’t mean it can’t be done. If a FB user allows anyone to post on the page, then gee, a hateful message can easily be posted (though the FB user could take it down and block that person after that point).
  • Twitter doesn’t like hateful messages either, but admits that in the past, they stunk at regulating it, though they’ve gotten better, and in fact, will suspend a violator.
  • The Online Hate Prevention Institute runs Fight Against Hate. Report hateful content, then log the report to FAH, and OHPI will track how long it takes the platform to respond. If the platform is lifeless, then FAH can take action.

The third step is to watch for Phoenix pages. The vice.com article defines a Phoenix page as follows: “…a hate speech fanpage or harassing user is removed from Facebook and then immediately creates a new page or account.”

A Phoenix page can pick up steam much faster than the time it takes to remove it. In fact, Facebook was lax at taking down Garrison’s troll pages. Garrison spent “countless hours” trying to get libel removed from Facebook and Twitter. If you’ve been harassed, be on the lookout for if the harasser has been removed—the appearance of re-created pages and users. Report this promptly.

Next step: Report the problem to the police if it’s interfering with your daily life, though I need to point out that I’ve heard of people becoming unraveled simply because someone kept insulting them in some thread.

Also, the police can't do much if the harasser is in a different country. In fact, when writer Amanda Hess reported online harassment to the police, the officer asked her what Twitter was.

It’s best maybe to bypass the local cops and just give the report to the FBI. You can do this through the Internet Crime Complaint Center. Don’t even think about hiring an attorney; you’ll sink time and money. And trying to get money out of the harasser could be like trying to get blood out of a rock.

Rebuilding your tainted reputation is the final step. One way is to put a disclaimer on your site stating that you’re ignoring the trolls. Admit you’ve been trolled. Let people know what’s happening. This approach might make some of the trolls vanish. In other words, don’t “feed the trolls,” as the saying goes.

If you’re able to contact a troller, then do so with the idea of trying to reason with that person. Though this won’t stop all the other trolls, it might help you see them in a different light if you connect with just one of them.

What happened to Garrison and many others was true harassment that marred their reputation. It can affect your business. It can be very serious stuff. But I urge you also not to become overly sensitive to what really amounts to nothing more than name-calling and someone with too much time on their hands spewing nasty comments to you. Don’t get all shaken up just because someone disagrees with your post or even posts the proverbial “your an idiot” (lack of contraction is intended).