Archives for June 2017

A Phishing Hole

One of the more interesting English language colloquialisms is the phrase “fish or cut bait,” generally used to suggest a decision must be made. It derives from a time in which catching fish with bait often meant dividing responsibilities, with someone fishing while another was cutting bait up to be used to catch the fish. In an odd way this catchy little phrase now applies to one of the most persistent cybersecurity threats in use—spear phishing.

In the face of determined efforts to educate the population about the use of spear phishing, the number of phishing attacks continues to rise dramatically. Why? Quite simply—they work really, really well. Leading cybersecurity firm FireEye recently reported that “84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015. The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%.”

English cyber firm Sophos just released a white paper titled “Don’t Take The Bait” that takes a look at why phishing attacks are on the rise. They suggest that more people are successfully “phishing” because a cottage industry has grown around the cyber equivalent of cutting bait. The paper notes that it is ever easier for cyber criminals to acquire sophisticated phishing tools. “An interesting facet of the phishing ecosystem is that there are a large number of actors committing attacks, but only a small number of phishers that are sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code images, and more.”

The white paper goes on to report that “In fact, attackers don’t even need to know how to create malware or send emails anymore. As-a-service and pay-as-you-go solutions permeate most online service technologies, and phishing is no different….” Among those services, an enterprising person who wishes to phish can use a ransomware service provider who will take a cut of each ransom paid, or a phishing service provider who will guarantee that the user will only be billed for emails actually delivered. The Postal Service should be so efficient.

It is increasingly important that businesses respond to the emphasis on phishing attacks with a countervailing emphasis on education and training, and employ rigorous internal standards to diminish the prospect that an employee might inadvertently send information or money to a cyber criminal. Don’t think any more about whether to do so; it’s time to fish or cut bait.

By Tom Davis, SDI Cyber Risk Practice

June 20, 2017

Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human-factor vulnerabilities related to cybersecurity, information security, and data security, treating network risk and information risk as separate areas.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season. You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago. And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off.  Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management.  It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing.  Furthermore, each time you go off the rails it becomes harder and harder to get back to the good form.  And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives.

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind.  Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

This is uncharacteristic of me, but I will delve into the personal to illustrate my point.  There was a time in my life where I had a slightly different “shape” (okay, more than slightly).  This shape was unhealthy and thankfully I realized that if I were to keep this shape for any prolonged period of time, I would be down the road to a full network malfunction where even a full system reboot would do little for me.  So what did I do?  I said, “George, clean yourself up.”

How did I do this?

1) Cut unnecessary calories (don’t go to bad websites unless you want to feel blah later).

2) Simple rule when it comes to calories and working out: Input/Output (keep an eye on your inbound and outbound traffic, both in type and volume, because variances should worry you).

3) Just get into a routine and stick to it no matter what (this is called automatic updates and patching your system regularly, people…it’s boring, it’s mundane, but if you don’t do it, you’re asking for trouble).

4) Don’t go overboard off the top because you’ll overwhelm yourself and walk away (you do not need to be an expert on how to build a cryptographic key; you need to know how to use one).

5) Play the long game (if you expect to go from a sieve to J.J. Watt overnight, you are going to find out you are not J.J. Watt…it takes time to get game ready, but that should not stop you from building up to a goal, and each little progression does actually make you better).

6) Resist the temptation (easier said than done, but the risks are much higher in cyberspace…one night of fried chicken during a month-long stretch of good behavior will not give you a heart attack, but one wrong click may do just that).

7) If you plan to cheat, be prepared to go double-time during your next workout (you really want to go to that website you know you shouldn’t?…fine, but if your data isn’t backed up and you don’t have a clean system and application image to install on your system if things go wrong, you will feel pain).

8) Train, train, train and push your limits so you can build muscle memory (remember that time it was hard to jog for 20 minutes and now you run for 60 minutes like it’s nothing?…that’s how passwords work too…your brain is just a muscle that needs training, meaning that if you work hard, it’s possible for anybody to go from qwerty1234 to H@Uxs$#8218!!47vwq).

9) Trainers are only useful for specialized things, like intense weight training or self-defense (there are certain things you need to be taught, so go to an expert and know your limits…like writing your own cryptographic key).

10) Train your entire body (having a 24 inch bicep, a 46 inch waist, and a 12 inch calf is probably not balanced health management…updating your anti-virus but not installing critical patches is not balanced cyber health).

11) There is no magical exercise machine that does everything (for every technological convenience, like single sign-on services, there is an undetermined, and potentially explosive, cost).

12) It takes time for your metabolism to reset (for most, it is financially unfeasible to uproot your entire network and replace it…this means you are working on legacy systems that take time to upgrade and get up to speed).

13) You are dealing with a system, not a silo (the body is a fascinating and complex machine, meaning that your food intake, exercise output, sleep patterns, mental health, water balance, muscle-to-fat ratio, pH levels, and so on are intertwined, where one impacts the other…network, information, and data systems are, in many ways, the same, meaning that if one is out of whack, the others will almost certainly suffer).

14) You need to be your own best motivator (ultimately, it’s all on you and your own decision will decide your fate).
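Point 2 above, keeping an eye on inbound and outbound traffic in both type and volume, is the one item in the list that maps directly onto a defensive check. The following Python script is an added example for this page, not code from SDI or the post’s author: it builds a per-host baseline from a set of hourly flow summaries, then flags any later observation whose volume is far outside that baseline or whose direction/protocol combination the host has never used before. The log format (`hour host direction proto/port bytes`), the sample lines, the 5% standard-deviation floor and the z-score threshold of 3 are all assumptions chosen for illustration.

```python
"""Input/Output check: baseline each host's traffic by direction and
protocol, then flag volume variances and never-before-seen traffic types.

Added example; the log format and thresholds are assumptions, not
anything published by the post's author.
"""
import statistics
from collections import defaultdict

# Constructed sample of hourly flow summaries (not real data):
#   <hour> <host> <direction> <proto/port> <bytes>
BASELINE_LOG = """\
2017-06-01T09 ws-07 out tcp/443 780000
2017-06-01T10 ws-07 out tcp/443 810000
2017-06-01T11 ws-07 out tcp/443 795000
2017-06-01T12 ws-07 out tcp/443 820000
2017-06-01T13 ws-07 out tcp/443 805000
2017-06-01T14 ws-07 out tcp/443 790000
2017-06-01T15 ws-07 out tcp/443 815000
2017-06-01T16 ws-07 out tcp/443 800000
2017-06-01T09 ws-07 in tcp/443 5100000
2017-06-01T10 ws-07 in tcp/443 4900000
2017-06-01T11 ws-07 in tcp/443 5000000
2017-06-01T12 ws-07 in tcp/443 5200000
"""

# Constructed observations from the next day, checked against the baseline.
NEW_LOG = """\
2017-06-02T09 ws-07 out tcp/443 830000
2017-06-02T10 ws-07 out tcp/443 9600000
2017-06-02T10 ws-07 out tcp/22 120000
2017-06-02T10 ws-07 in tcp/443 5050000
"""


def parse_log(text):
    """Parse summary lines into dicts; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        hour, host, direction, proto, nbytes = parts
        try:
            records.append({"hour": hour, "host": host, "direction": direction,
                            "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def build_baseline(records):
    """Group byte counts by (host, direction, proto) and keep mean and stdev."""
    samples = defaultdict(list)
    for r in records:
        samples[(r["host"], r["direction"], r["proto"])].append(r["bytes"])
    baseline = {}
    for key, values in samples.items():
        mean = statistics.mean(values)
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        # Assumed floor: never let stdev fall below 5% of the mean, so a very
        # flat baseline does not turn every small wobble into an alert.
        baseline[key] = (mean, max(stdev, 0.05 * mean))
    return baseline


def find_variances(baseline, records, z_threshold=3.0):
    """Return findings: unseen traffic types and volume outliers (by z-score)."""
    findings = []
    for r in records:
        key = (r["host"], r["direction"], r["proto"])
        if key not in baseline:
            findings.append({"hour": r["hour"], "key": key,
                             "kind": "new_type", "bytes": r["bytes"]})
            continue
        mean, stdev = baseline[key]
        z = (r["bytes"] - mean) / stdev
        if abs(z) > z_threshold:
            findings.append({"hour": r["hour"], "key": key, "kind": "volume",
                             "bytes": r["bytes"], "z": round(z, 1)})
    return findings


def check(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Build the baseline from one log and report variances in another."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_variances(baseline, parse_log(new_text))


if __name__ == "__main__":
    for finding in check():
        print(finding)
```

Run as-is, the script reports two findings for the constructed data: the 9.6 MB outbound hour on tcp/443 (roughly twelve times the host’s usual volume) and the first appearance of outbound tcp/22 from that host. The 830 kB hour and the inbound sample sit inside the baseline and are not reported, which is the point: a variance check is only useful once a boring, routine baseline exists to compare against.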

Sometimes you need that super fancy exercise machine, or that aerodynamic gear, or those shoes that weigh only three ounces to reach your goal (which also means you’re probably training for a marathon or the Olympics).  But if you’re not doing that (or defending the nation’s secrets) some basic exercises and practices make a world of difference.

For example, it’s amazing what simple things, like push-ups, sit-ups, crunches, and running, along with a balanced diet, can do for your health. Using encryption, patching your system, turning on regular updates, and backing up your data, along with knowing how to identify phishing and spear-phishing attempts, go a long way in your overall cyber health and hygiene.

Ultimately, good health and weight management is a lifestyle change that you need to stick to.  Cyber health and hygiene is no different.  When it came to my own weight loss, it was sober realization and honest assessment that made me say, “George, fix this or you’re going to be in real trouble.”  That was the only motivation I needed.  It wasn’t easy.  In fact, it sucked and was hard, especially at the beginning.  But long-term health trumped the short-term pain.  And that’s the only motivation you should need when it comes to your own cyber health and hygiene.

June 6, 2017