Category Archives: Security

Protecting Your Company Against Ransomware Attacks

Ransomware attacks are the latest security breach incidents grabbing the headlines these days. Last month, major companies including Britain’s National Health Services, Spain’s Telefónica, and FedEx were victims of the WannaCry ransomware attacks. Ransomware infects your computer by encrypting your important documents, and the attackers then ask for ransom to decrypt your data in order to become usable again.

Ransomware attack operations have become more sophisticated, in some cases functioning with a full helpdesk support.

While the latest Operating System patches and anti-malware programs can defend these attacks to a point, they are usually reactive and ineffective. For instance, the WannyCry malware relied heavily on social engineering (phishing) to spread, and relying on end users to open malicious email or to click on malicious websites.

The best defense for ransomware attacks is a good data protection strategy in the area of backup and disaster recovery. When ransomware hits, you can simply remove the infected encrypted files, and restore the good copies. It’s surprising to know that a lot of companies and end users do not properly backup their data. There are tons of backup software and services in the cloud to backup data. A periodic disaster recovery test is also necessary to make sure you can restore data when needed.

A sound backup and disaster recovery plan will help mitigate attacks against ransomware.

Securing Your Apps on Amazon AWS

One thing to keep in mind when putting your company’s applications in the cloud, specifically on Amazon AWS, is that you are still largely responsible for securing them. Amazon AWS has solid security in place, but you do not entrust the security aspect to Amazon thinking that your applications are totally secure because they are hosted there. In fact, Amazon AWS has a shared security responsibility model depicted by this diagram:

Source:  Amazon AWS

Amazon AWS is responsible for the physical and infrastructure security, including hypervisor, compute, storage, and network security; and the customer is responsible for application security, data security, Operating System (OS) patching and hardening, network and firewall configuration, identity and access management, and client and server-side data encryption.

However, Amazon AWS provides a slew of security services to make your applications more secure. They provide the AWS IAM for identity and access management, Security Groups to shield EC2 instances (or servers), Network ACLs that act as firewall for your subnets, SSL encryption for data transmission, and user activity logging for auditing. As a customer, you need to understand, design, and configure these security settings to make your applications secure.

In addition, there are advance security services that Amazon AWS provides, so that you don’t have to build them, including the AWS Directory Service for authentication, AWS KMS for Security Key Management, AWS WAF Web Application Firewall for deep packet inspection, and DDOS mitigation.

There is really no perfect security, but securing your infrastructure at every layer tremendously improves the security of your data and applications in the cloud.

Mitigating Insider Threats

With all the news about security breaches, we often hear about external cyber attacks, but internal attacks are widely unreported. Studies show that between 45% to 60% of all attacks were carried out by insiders. In addition, it is harder to detect and prevent insider attacks because access and activities are coming from trusted systems.

Why is this so common and why is this so hard to mitigate? The following reasons have been cited to explain why there are more incidents of internal security breaches:

1. Companies don’t employ data protection, don’t apply patches on time, or don’t enforce any security policies/standards (such as using complex passwords). Some companies wrongly assume that installing a firewall can protect them from inside intruders.

2. Data is outside of the control of IT security such as when the data is in the cloud.

3. The greatest reason for security breach is also the weakest link in the security chain – the people. There are two types of people in this weak security chain:

a. People who are vulnerable such as careless users who use USB, send sensitive data using public email services, or sacrifice security in favor of convenience. Most of the time, users are not aware that their account has already been compromised via malware, phishing attacks, or stolen credentials gleaned from social networks.

b. People who have their own agenda or what we call malicious users. These individuals want to steal and sell competitive data or intellectual properties to gain money, or they probably have personal vendetta against the organization.

There are however proven measures to lessen the gravity of insider threats:

1. Monitor the users, especially those who hold the potential for greatest damage – top executives, contractors, vendors, at-risk employees, and IT administrators.

2. Learn the way they access the data, create a baseline and detect any anomalous behavior.

3. When a divergent behavior is detected such as unauthorized download or server log-ins, perform an action such as block or quarantine user.

It should be noted that when an individual is caught compromising security, more often than not, damage has already been done. The challenge is to be proactive in order for the breach to not happen in the first place.

An article in Harvard Business Review has argued that psychology is the key to detecting internal cyber threats.

In essence, companies should focus on understanding and anticipating human behavior such as analyzing employee language (in their email, chat, and text) continuously and in real time. The author contends that “certain negative emotions, stressors, and conflicts have long been associated with incidents of workplace aggression, employee turnover, absenteeism, accidents, fraud, sabotage, and espionage”

Applying big data analytics and artificial intelligence on employees language in email, chat, voice, text logs and other digital communication may uncover worrisome content, meaning, language pattern, and deviation in behavior, that may make it easier to spot indications that a user is a security risk or may perform malicious activity in the future.

(ISC)2 Security Congress 2016

I recently attended the (ISC)2 Annual Security Congress (in conjunction with ASIS International) in Orlando, Florida. (ISC)2 Security Congress is a premier 4-day conference attended by hundreds of IT security professionals from around the world. This year featured a line-up of excellent speakers including keynote speeches from journalist Ted Koppel and foreign policy expert Elliott Abrams.

Here are the top IT security topics I gathered from the conference:

  1. Cloud security. As more and more companies are migrating to the cloud, IT security professionals are seeking the best practices for securing applications and data in the cloud.
  2. IoT (Internet of Things) security. It’s still a wild west out there. Manufacturers are making IOT devices (sensors, cameras, appliances, etc) that are insecure. There is a lack of standardization. People are putting devices on the Internet with default settings and passwords which make them vulnerable. Inside most companies, there is usually no process of putting these IOT devices on the network.
  3. Ransomware. They are getting more prevalent and sophisticated. Some perpetrators have a solid business model around this, including a call center/ help desk to help victims pay the ransom and recover their data.
  4. Resiliency. It’s better to build your network for resiliency. Every company will be a victim of an attack at some point, even with the best defenses in place. Resilient networks are those that can recover quickly after a breach.
  5. Common sense security. There are plenty of discussions on using time-tested security practices such as hardening of devices (replacing default passwords for instance), patching on time, and constant security awareness for users.
  6. Cyberwar.  There’s a mounting occurrence of cyber incidents and the next big threat to our civilization is cyberwar. Bad actors (state-sponsored hackers, hacktivists, criminals, etc.) may be able to hack into our industrial systems that are controlling our electrical and water supply, and be able to disrupt or destroy them.
  7. Shortage of cybersecurity experts.  The industry is predicting a shortage of cybersecurity professionals in the near future.

Data-centric Security

Data is one of the most important assets of an organization; hence, it must be secured and protected. Data typically goes in and out of an organization’s internal network in order to conduct business and do valuable work. These days, data reside in the cloud, go to employees’ mobile devices or to business partners’ networks. Laptops and USB drives containing sensitive information sometimes get lost or stolen.

In order to protect the data, security must travel with the data. For a long time, the focus of security is on the network and on the devices where the data resides. Infrastructure security such as firewalls, intrusion prevention systems, etc. are not enough anymore. The focus should now shift to protecting the data itself.

Data-centric security is very useful in dealing with data breaches, especially with data containing sensitive information such as personally identifiable information, financial information and credit card numbers, health information and intellectual property data.

The key to data-centric security is strong encryption because if the public or hackers get ahold of sensitive data, it will show up as garbled information which is pretty much useless to them. To implement a robust data-centric security, the following should be considered:

1. Strong data at rest encryption on the server/storage side, applications and databases.
2. Strong in-transit encryption using public key infrastructure (PKI).
3. Effective management of encryption keys.
4. Centralized control of security policy which enforce standards and protection on data stored on the devices at the endpoints or on the central servers and storage.

Cybersecurity Insurance

I recently attended the SC Security Congress in NY. One of the hot topics was cybersecurity insurance. As we’ve seen in the news, many companies are suffering from cyber attacks, and one of the mitigating solutions for these companies is to transfer the financial risk of a security breach to insurers.

There is a growing number of insurance companies offering this financial service. But is there really a need for it? I believe there is. Being hacked is no longer a matter of “if” but “when”. Every company will suffer a security breach in some form or another. Cybersecurity insurance will give a company an incentive to tighten up or better its security measures. While it cannot reduce the damage to a company’s reputation nor cover intellectual property theft and business downturn caused by an attack, it will lessen the financial damage to a company when hackers attack its site.

The Importance of Threat Intelligence to Your Company’s Information Security

One of the tools that helps identify and combat information security threats to your company is “threat intelligence.” Some companies are building their own threat intelligence plans, and some are buying services from providers offering threat intelligence services. Threat intelligence is information that has been analyzed to discover informative insights – high quality information that will help your company make decisions. It is like an early warning system that will help your company prioritize vulnerabilities, predict threats, and prevent the next attack to your systems.

Threat information can come from different sources:

1. Internal sources such as information coming from internal employees, organizational behaviors and activities
2. External sources such as government agencies, websites, blogs, tweets, and news feeds
3. Logs from network equipment, both from your own network, from Internet Service Providers, and from telecoms
4. Logs from security equipment (firewalls, IPS, etc), servers, and applications
5. Managed security providers that aggregate data and crowd-source information

The challenge of threat intelligence is how to put the pieces together that have been gathered from these different sources. A tool that is able to digest all these data (Hadoop and Mapreduce tools for Big Data comes to mind) is necessary to produce meaningful information. Security data analysts are also key in producing actionable threat intelligence from these wide variety of data.

Data At Rest Encryption

When the Internet was invented several decades ago, security was not in the minds of the pioneers. TCP/IP, the protocol used to send data from one point to the next was inherently insecure. Data are being sent over the wire in clear text. Today, advances in encryption technologies enabled the data to be secure while in transit. When you shop at reputable websites, for instance, you can be sure that the credit card number you send over the Internet is encrypted (You will see https on the URL instead of http). Most web applications now (such as gmail, facebook, etc) are encrypted.

However, most of these data, when stored on the servers (data at rest) are still not encrypted. That’s why hackers are still able to get hold of these precious data, such as personally identifiable information (PII) – credit card numbers, social security numbers, etc. as well as trade secrets and other company proprietary information. There are a lot of ways to secure data at rest without encrypting them (such as using better authentication, better physical security, firewalls, using secured applications, better deterrent to social engineering attacks, etc.), but encrypting data at rest is another layer of security to make sure data is not readable when hackers get a hold of them.

The demand for encrypting data at rest is growing, especially now that more data are being moved to the cloud. Enterprise data centers are also being required to encrypt data on their storage systems, either by business or compliance need.

Luckily, IT storage companies such as EMC, NetApp, and many others are now offering encryption for data at rest on their appliances. However, encrypting data is still expensive. Encrypting and decrypting data need a lot of processing power. Moreover, adding encryption to the process may slow down the access of data. Better key management system is also needed. For instance, when using the cloud for storage, data owners (as opposed to service providers) should solely possess the keys and should be able to manage the keys easily.

The Internet will be more secure if data is encrypted not only during transit but also during storage.

Information Security Conference

I recently attended the 2013 (ISC)2 Annual Security Congress held at Chicago, IL on Sept 23 to 27. The conference was held in conjunction with the ASIS International Security conference. It was one of the premier conference attended by security professionals from all over the world. The conference was a huge success.

I attended the conference to primarily obtain CPE (Continuing Professional Education) points for my CISSP (Certified Information Systems Security Professional) certification, to learn from experts on the latest technologies and trends in information security, and to network with information security professionals.

The keynote speeches were informative, entertaining, and inspirational. Steve Wozniak (co-founder of Apple computers) talked about how he got into the world of computing and that hacking – for the sake of learning, inventing, and developing programs – should be fun. Former Prime Minister of Australia, Hon. John Howard, talked about the qualities of a great leader and the state of the world economy. Mike Ditka (an NFL legend), delivered an inspirational speech on attitude and success.

The sessions on information security varied widely from governance to technical deep-dive on security tools. Hot topics included cloud security, mobile security, hackers, privacy, and end user awareness. What struck me most was that the reason why there are still a lot of security breaches despite the advances in technologies is that security is often an afterthought for most companies – defence-in-depth is not properly implemented, programmers write insecure programs (for instance, they don’t write programs that checks for SQL injections), and users are not properly trained on security (such as how to use a good passwords, not to click phishing site sent via email, etc).

The world of information security is expanding. As more and more people are using the Internet and more companies are doing business online, the need for security becomes even more important.

Security Done Right

During my job-related trip to Israel a couple of months ago, I was subjected to a thorough security check at the airport. I learned later on that everybody goes through the same process. It was a little inconvenient, but in the end, I felt safe.

With all the advance technologies in security, nothing beats the old way of conducting security – thorough checks on individuals. I also noticed the defense in depth strategy at the Israel airport – the several layers of security people have to pass to get to their destinations. No wonder some of the greatest IT security companies come from Israel (e.g. Checkpoint Firewall).

As an IT security professional (I’m a CISSP certified), I can totally relate to the security measures Israel has to implement. And companies need to learn from them. Not a day goes by that we learn companies being hacked, shamed, and extorted by hackers around the world.

Sadly, some companies only take security seriously when it’s too late – when their data has been stolen, their systems have been compromised, and their twitter account has been taken over. It will be a never ending battle with hackers, but it’s a great idea to start securing your systems now.