
Data Breaches

Legal & Enforcement

Penalties

International Legal Collaboration

Businesses Course of Action

Businesses and their Cyber Defenses

VPNs and Two-Factor Authentication

Remote Access

FREE WI-FI: Coffee Shop, Restaurant & Airport hot spots

Cyber Insurance

Cloud Security

Network & Application Security

Encryption

Behavioral Anomaly Detection

Users of Mobile and other Computing Devices

Users and Passwords

Websites

Home Networking

Home Wireless Security

The ‘Cloud’

Conclusions

The Future of Mobile Communication & Security

Accountability

Definitions

 

 

Data Breaches

Let’s talk data breaches. They have been with us for some time now, but in the past information security professionals knew about them and were able to prevent most of them. That past I am referring to is many years back. Since then, the Internet, or the ‘Net as I like to call it, has taken flight, and many a Tom, Jane and Fool want to attempt malicious hacking for the fun of it or for making money off of Netizens around the globe – illegally.

We see more mobile communication growth daily, globally and “it ain’t stoppin’!” Smartphones, tablets, smart watches and the comeback (rebirth) of phablets (Samsung & Apple’s 5.7” smartphones) – all of these mean more people, of all ages, are connecting to the ‘Net whenever and wherever they are. Many of these folks just want to connect their devices and share content. Unfortunately, too many of them are making it quite easy for hackers to, ummm, take that content. In some cases, it might even be foreign governments (or our own) attempting to gain some, ahhh, insight into your background – even if you are a law abiding citizen…

POS terminals/units in all shopping environments need better protection (tamper-proofing) so that no one can easily walk up and connect a USB device laden with malware to the POS device. No one should be able to scarf up customers’ data illegally; all stores/shops should get to the point of automatically detecting illicit device and software activity.

We now see more and more of the hackers’ labors splashed across the front pages of many news outlets. These hacks are successful in part because we have many:

  1. Business web sites that do not lock or disable users’ accounts after 3 – 4 unsuccessful log-in attempts, and
  2. Users with very poor and weak passwords.

We Netizens, as a global society and not just an American one, have got to do more to ensure we do a great job protecting our data. Businesses, in the same vein, must also do a better job – and yes, the bottom line is important, but protecting your customers’ data is even more important.

Legal & Enforcement

We need to implement stiffer penalties and start requiring web site owners to do a better, holistic job of protecting customers’ data. And no, this does not let government entities (local, state, federal) off the hook; they are already under the gun to do a much better job of protecting the data of their citizens/constituents.

Penalties

It might be time for the legal system to classify all illegal hacking as a federal crime and implement harsher penalties such as prison sentences. In addition to that prison time and a felony record, impose a harsh financial penalty inclusive of pay garnishment for a decade or two. The Computer Fraud and Abuse Act (CFAA) created in 1986, which has been amended several times since, needs to be revamped yet again…

Government agencies cannot just willy-nilly do any hacking any time they desire either. There must be transparency and legal justification for any law enforcement (LE) or intelligence agency in performing any cyber snooping or hacking attempts. Over the past several years, there have been such incidents by rogue personnel from various LE/intelligence agencies.

This is not a laughing matter; we have to make hacking and stealing any data a painful crime for anyone to undertake. This is our personal and private data, which no one else should be illegally accessing. It should not matter whether that data is located on your:

  • Mobile device (laptop, tablet, smartphone or phablet)
  • Home PC or laptop
  • Work computing device
  • Doctor’s office server or computing devices
  • Banking system servers
  • Investment bankers’ servers
  • Etc.

As a society, and as only one measure or tool, we have to put in place penalties that all 50 states and territories and other collaborating countries agree to, in order to slow down this onslaught of malicious and aberrant individuals who believe that anyone’s data should be free and out in the open.

International Legal Collaboration

It is also time for more nations to join forces in determining attribution, or rather, who is the cause of the hacks. This is because right now, many hackers use intermediate servers or computers to engineer a hack.

Take the U.S. for example: with our open society and ease of getting access to host servers, a foreign adversary (hackers, hacktivists, a government) or even our own government will set up that intermediate jumping-off point to commit their hacking / pilferage activities. To make it worse, these hackers make use of bots (robots or zombies) placed on innocent home (or business) computing devices to perform most, if not all, of the hacking / pilfering activities. Through a command and control system, sophisticated or not, the pilfered (stolen) content is sent back to the master through a multi-layered network of other servers, obfuscating who instigated the crime and where the material is going as an end destination.

If the criminal hacker is in another country, we need that country’s LE to aid in apprehending the criminal and:

  1. Punish the hacker according to international penalties (harsh ones, not a slap on the hand) or
  2. Extradite the perp to the U.S. or whichever country is demanding possession of that person(s) to punish via their own judicial system

Interpol and the United Nations can be the lead focal point for most of this effort. We need international collaboration. 

Businesses Course of Action

Businesses and their Cyber Defenses

Businesses, large and small, must become more proactive in protecting the data on their networks.

If a business is small and cannot afford its own cybersecurity team, I would suggest it join forces with other small businesses. After forming this coalition, they could engage a cybersecurity firm to manage that effort for them. The cybersecurity firm would have a greater knowledge base and pool of expertise to draw from than the individual business owner, and it frees up the owner to focus on the business.

On the cost of enhancing and maintaining cybersecurity, see the Cloud Security section below.

VPNs and Two-Factor Authentication

To prevent malicious malcontents from intercepting connections (MITM [1], see fig. 1) between employees / customers and the business, the business could employ a VPN to ensure a complete end-to-end secure connection.

Fig. 1  MITM (figure not reproduced here)

Today, though, it might be better to ensure a complete secure connection from the employee’s / customer’s application layer (whatever application is being used) to the business’s application and vice versa.

With two-factor authentication, the user gains more peace of mind. It is unlikely that malicious perps will be able to duplicate that second method of authentication; at least, they will not be able to do so easily. If you use an RSA token, or if the site can email you or text you a passcode to complete the log-in process, do it!

Remote Access

Businesses, if you have employees that ‘need’ to access the corporate network from home or elsewhere – use VPN connectivity along with access rights for authorized staff.

If you are not using a VPN, strong two-factor authentication and group policy access rights will be your best bets.

A business should only need to allow corporate (proprietary) data to leave the network if certain steps are taken, such as:

  • The employee/user is on the authorized access list to access and/or move data out of the network,
  • The remote (destination) IP AND MAC addresses are authorized to receive that data (and not to be forwarded on),
  • And of course, the most restrictive rights should be on who can remotely access certain databases: Financial, Health, Personnel, etc. 

FREE WI-FI: Coffee Shop, Restaurant & Airport hot spots

Try not to use these “free” Wi-Fi hot spot connections. If you do, anyone can sniff the Wi-Fi traffic and see what you are doing, because when you connect over these “free” Wi-Fi connections you are doing your ‘Net activities in the clear, without any encryption. That means that if you are using your credit card at one of these locations, some ill-minded individual can see that card info. If you are logging in to some other site, such as your bank, that cretin will see that as well.

Try to find Wi-Fi hot spots that require a password to connect. It will cut down on what you are freely transmitting to the world. But you have to be aware that some of these locations never change their passwords, which means some punk can sit outside in a car and perform MITM attacks, since they will be on the network with the same password, which never changes. Yes, the individual can always come in, buy a coffee and find out what the password is, but at that point they will have had to come in and can later be identified.

It will be even better if the location is using WPA2 and not WEP connections. WPA2 is the latest, more secure connection, but its time is coming to an end; we need much stronger encryption.

Another problem with these hot spots is that a criminal can put up a stronger Wi-Fi hot spot signal for those in the immediate area who want to connect. He/she is, in effect, hijacking that hot spot connection. The perp’s hot spot pretends to be that coffee shop or airport, with the result that the perp is now the MITM (since they know the hot spot password, if any), forwarding your requests on to the original destination and then relaying the answers/queries from that destination back to you…
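From the venue operator's side, the hijacked hot spot described above is detectable: a second access point advertising the venue's SSID from an unknown BSSID, with weaker security or an unusually strong signal, stands out in a wireless survey. The following is an added example, not code from the original post; it assumes a scanner has already produced beacon observations and that the operator keeps an allow-list of its own access points (both constructed here).

```python
"""Added example (not code from the original post): flagging a possible
"evil twin" hot spot from a list of observed beacon frames.

Assumptions: a wireless survey tool has produced beacon observations
(SSID, BSSID, channel, signal strength, security type), and the venue
operator keeps an allow-list of its legitimate access points. Both data
sets below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the access point advertising the network
    channel: int
    rssi_dbm: int   # received signal strength; closer to 0 is stronger
    security: str   # "OPEN", "WEP" or "WPA2"


# Weaker security ranks lower; a beacon weaker than its allow-list entry is suspicious.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2": 2}


def find_rogue_aps(beacons, known_aps, protected_ssid):
    """Return (bssid, reason) pairs for beacons advertising protected_ssid that
    do not match the allow-list. known_aps maps BSSID -> expected security."""
    findings = []
    # Strongest signal seen from any legitimate AP. A rogue often beats it
    # because the attacker sits closer to the victims than the real AP does.
    legit_strongest = max(
        (b.rssi_dbm for b in beacons
         if b.ssid == protected_ssid and b.bssid in known_aps),
        default=-100,
    )
    for b in beacons:
        if b.ssid != protected_ssid:
            continue
        if b.bssid not in known_aps:
            reason = "unknown-bssid"
            if b.rssi_dbm > legit_strongest:
                reason += "+stronger-than-any-known-ap"
            findings.append((b.bssid, reason))
        elif SECURITY_RANK[b.security] < SECURITY_RANK[known_aps[b.bssid]]:
            # Same BSSID as a known AP but weaker security: either a cloned
            # BSSID or a misconfigured AP; both deserve a human look.
            findings.append((b.bssid, "security-downgrade"))
    return findings


# Constructed allow-list: the coffee shop's two real APs, both WPA2.
KNOWN_APS = {"aa:bb:cc:00:00:01": "WPA2", "aa:bb:cc:00:00:02": "WPA2"}

# Constructed survey: two legitimate beacons, one open "twin" from an unknown
# BSSID with a very strong signal, one cloned BSSID that dropped to WEP, and
# a neighbour's unrelated network.
SURVEY = [
    Beacon("CoffeeShop", "aa:bb:cc:00:00:01", 6, -55, "WPA2"),
    Beacon("CoffeeShop", "aa:bb:cc:00:00:02", 11, -62, "WPA2"),
    Beacon("CoffeeShop", "de:ad:be:ef:00:01", 6, -35, "OPEN"),
    Beacon("CoffeeShop", "aa:bb:cc:00:00:02", 11, -48, "WEP"),
    Beacon("NeighborNet", "11:22:33:44:55:66", 1, -70, "WPA2"),
]


def run_survey():
    return find_rogue_aps(SURVEY, KNOWN_APS, "CoffeeShop")


if __name__ == "__main__":
    for bssid, reason in run_survey():
        print(f"{bssid}: {reason}")
```

The allow-list check is a heuristic: a BSSID can be cloned, which is why the example also compares the advertised security type against what the legitimate AP is known to run. For the user, the practical mitigation the text already implies still holds: traffic that is end-to-end encrypted (VPN, TLS) stays protected even when the hot spot itself is hostile.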

Cyber Insurance

This is an area that you might want to engage in more diligently, to help cover you in case of an actual cyber-attack and data breach.

In any breach, we are looking at the result of several things:

  • Destruction of data (viruses, worms)
  • Loss {exfiltration/theft} of data (PII, proprietary R&D, etc.)
  • Business interruption
  • Harm to brand and reputation
  • Legal costs (lawyers, court, payouts, etc.)
  • Credit monitoring (for those affected by a data breach)
  • Cyber Forensic investigation efforts
  • Etc.

A Ponemon study [2] found that the average cost of a data breach to an organization rose to $5.9 million in 2013 from $5.4 million in 2012. So, would you rather pay for a data breach out of the firm’s coffers or obtain cyber-insurance beforehand…?

Cloud Security

Most small and some medium-sized businesses cannot afford the best-of-breed cybersecurity protections that are now required to fend off most, if not all, cyber-attacks and data breaches. Because of the cost, businesses should seriously consider joining a collective or a decently priced MSSP.

A good-to-great MSSP can effectively and efficiently provide as many of the cybersecurity services as a business requires, especially when it comes to who is authenticated (and authorized) to access any of the business’s data in the cloud.

And if the business is offloading most of the businesses’ work into the ‘Cloud,’ for data storage, processing and other functions – businesses should also look at that Cloud firm to handle the cybersecurity aspect. Why have a Cloud provider for data AND then also have a Cloud provider for cybersecurity….?

You will want to ensure the privacy of the customer’s data and network activity. You will also want to ensure your business meets all cybersecurity compliance regulations too…

You can go it alone in building your own cloud security, outsource it to an MSSP for a private cloud security solution, or have a hybrid cloud security setup with both you and the MSSP running that cloud security solution together. Either way, be sure you have a solid non-disclosure agreement in place as well as a contract explicitly stipulating who (the business or the MSSP) is responsible for what.

Next, you have to absolutely be aware of state, federal and international laws and jurisdictions when having a cloud network that holds data for customers locally or globally. You may need to get legal advice on this aspect. For example, the E.U. has a more user/customer protective Data Protection Act law on its books.

Bottom line, you will want cloud security to be your multi-layered (or Defense In Depth) system of cyber protection since there is no way you could afford all the needed protections to ward off network invaders. 

Network & Application Security

Okay, if your business does not have Cloud security, your business ‘should’ have in place (even if you’re only using mobile wireless communication) the best of breed network security for your:

  • Router(s)
  • Firewall
  • IDS
  • Mainframe / Telecom (for those larger firms)
  • PBX (digital as well as analog exchanges (for those larger firms))

as well as best-of-breed application security for your:

  • Anti-malware (virus, malware, phishing, etc.)
  • Email application (depends on where your email system is based out of)
  • Server(s) (email and other applications such as virtualization)
  • PC (Host based), which may also include software firewalls
  • Database (if you use one or more)

And along with having those items, which is not a complete list, you have to be sure you can do automated (or manual) software and firmware updates (and the requisite hardware updates when necessary).

Encryption

Because of hackers, thieves and the ever expanding mobile computing world, there is a solid need for all data to be encrypted at all times. The data can be at rest on the computing device (specifically laptops, smartphones, tablets and USB/thumb drives) or sent as an email attachment.

The rub comes in when we need to constantly encrypt and decrypt the data we need to work with. Many, if not most, computing devices do not have the processing horsepower to encrypt/decrypt data on the fly and give the user a seamless work experience. When more (if not all) computing devices can encrypt/decrypt data at blazing speed, it will become second nature to encrypt/decrypt all data at all times, only allowing authorized users to access that data.

Right now, no one I know enjoys waiting (even if it is an extra 25 – 45 seconds) for a computing device to boot up and go through the decryption process. 

Behavioral Anomaly Detection

With more and more sophisticated malware emerging every day, every week, we need all the help we can acquire, because the days of anti-virus software only looking for malware signatures are over. That has been over for several years, and it is no longer a good enough defense by itself.

Something like a Behavioral Anomaly Detection (BAD) software package can help by looking at trends and patterns of ill-behaving malware. If not a BAD (or any variation of this acronym), then what about some advanced Artificial Intelligence or Expert System to help hunt for and eradicate malware? Not many businesses or MSSPs use this, because there is not enough of a proven track record to tout its effectiveness. We need to work on this as another arrow in our quiver of data protection.
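To make the idea concrete, here is an added example (not code from the original post) of the simplest kind of behavioral baseline a "BAD" package might run: each host is compared with its own recent history, flagging a day whose outbound volume is far outside the host's normal range and any external destination the host has never contacted before. The daily summaries are constructed for the example; a real deployment would build them from proxy or firewall logs.

```python
"""Added example (not code from the original post): a small behavioral
baseline check of the kind a "BAD" package might run.

Assumptions: a per-host daily summary already exists (outbound megabytes and
the set of external destinations contacted). The history and today's values
below are constructed for the example and use RFC 5737 documentation addresses.
"""
from statistics import mean, pstdev

# Constructed: outbound megabytes per day over the previous 14 days.
HISTORY_MB = {
    "ws-42": [210, 190, 230, 205, 220, 195, 215, 225, 200, 210, 190, 230, 205, 220],
    "ws-77": [310, 295, 305, 300, 290, 315, 300, 305, 295, 310, 300, 290, 305, 310],
}
# Constructed: external destinations each host has previously contacted.
HISTORY_DESTS = {
    "ws-42": {"198.51.100.10:443", "198.51.100.11:443"},
    "ws-77": {"198.51.100.10:443", "198.51.100.12:993"},
}
# Constructed: today's summary. ws-42 sent ~9x its normal volume and reached a
# never-seen host; ws-99 is a new machine with no history yet.
TODAY_MB = {"ws-42": 1850, "ws-77": 318, "ws-99": 40}
TODAY_DESTS = {
    "ws-42": {"198.51.100.10:443", "203.0.113.9:443"},
    "ws-77": {"198.51.100.10:443"},
    "ws-99": {"198.51.100.10:443"},
}


def volume_zscore(past, observed):
    """Standard score of today's volume against the host's own history."""
    mu, sigma = mean(past), pstdev(past)
    if sigma == 0:
        return float("inf") if observed != mu else 0.0
    return (observed - mu) / sigma


def detect(history_mb, history_dests, today_mb, today_dests,
           z_threshold=3.0, min_samples=7):
    """Return {host: [(kind, detail), ...]} for hosts whose behavior departs
    from their own baseline. Hosts without enough history are reported as
    such rather than silently scored against a meaningless baseline."""
    findings = {}
    for host, observed in today_mb.items():
        past = history_mb.get(host, [])
        if len(past) < min_samples:
            findings.setdefault(host, []).append(("insufficient-baseline", len(past)))
            continue
        z = volume_zscore(past, observed)
        if z > z_threshold:
            findings.setdefault(host, []).append(("volume-spike", round(z, 1)))
        new_dests = today_dests.get(host, set()) - history_dests.get(host, set())
        for dest in sorted(new_dests):
            findings.setdefault(host, []).append(("new-destination", dest))
    return findings


def run_sample():
    return detect(HISTORY_MB, HISTORY_DESTS, TODAY_MB, TODAY_DESTS)


if __name__ == "__main__":
    for host, items in run_sample().items():
        for kind, detail in items:
            print(f"{host}: {kind} ({detail})")
```

Two design points matter more than the statistics: the baseline is per host (a file server's normal is a workstation's anomaly), and "not enough history" is surfaced as its own finding, since a freshly imaged or newly compromised machine is exactly the one with no baseline.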

Users of Mobile and other Computing Devices

Users and Passwords

A great deal of the time, many people using PCs, laptops (or notebooks), smartphones, phablets, etc., just do not seem to understand that they are the ones to blame for being hacked. Yes, go ahead, get snide or snarky, but many of us in the information security / cybersecurity field have seen it for years: too many people want to use very simple, very easy passwords to log into the different sites. This is especially true now that there are so many more websites one needs to log into.

But that is the problem, when people use those simple passwords and even easier security questions (pet names, birthdays, etc.), people make it that much less of a hassle for hackers who want to obtain some person’s private info (medical, financial, intimate).

On the flip side, it is a pain in the derriere to have so many different passwords/passphrases for all the sites.

Many of us have said it before: anyone logging in to any site should be using longer, complex passphrases [3], or use two-factor authentication (whenever and wherever it is offered) to have that site email or text you a one-time password or passcode, in addition to using your passphrase [4].

Some of us have resorted to creating Word documents (protected by two long and complex passphrases) stored on an external device, which is only connected after the computing device is disconnected from the ‘Net.

As to the numerous security questions sites want you to use, STOP using exact spellings of your mom’s name, your pet’s name or school mascot – mix it up. Use variations on what you type in; add in a couple of extra characters (or special characters) to throw off those who want to guess your security questions. 
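A site can enforce the passphrase advice above at registration time. The following is an added example, not code from the original post or from references [3] and [4]: it applies the rules from the text and from the Passphrase entry under Definitions (20 or more characters, a series of words, not a well-known phrase, not containing your user name, real name or company name). The definition's "no dictionary words" rule is not applied literally, since a passphrase built from words would always fail it; a blocklist of published phrases (constructed here) stands in for it.

```python
"""Added example (not code from the original post): a passphrase policy
check following the text's guidance and the Passphrase entry in Definitions.

COMMON_PHRASES is a constructed stand-in for a real blocklist of well-known
quotations, lyrics and leaked passphrases.
"""
import re

COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "correct horse battery staple",   # widely published, so no longer a good choice
}
MIN_LENGTH = 20
MIN_WORDS = 3


def _words(text):
    return re.findall(r"[A-Za-z]+", text)


def check_passphrase(passphrase, username="", real_name="", company=""):
    """Return a list of policy problems; an empty list means the passphrase passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    words = _words(passphrase)
    if len(words) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if " ".join(w.lower() for w in words) in COMMON_PHRASES:
        problems.append("well-known phrase")
    lowered = passphrase.lower()
    for label, value in (("user name", username),
                         ("real name", real_name),
                         ("company name", company)):
        # Any token of three or more characters from the identity fields is
        # disallowed anywhere in the passphrase, regardless of case.
        if any(len(part) >= 3 and part.lower() in lowered for part in value.split()):
            problems.append(f"contains {label}")
    return problems


if __name__ == "__main__":
    for candidate in ("Acme1234!", "correct horse battery staple",
                      "the brown otter reads by lamplight"):
        print(f"{candidate!r}: {check_passphrase(candidate, 'jdoe', 'Jane Doe', 'Acme') or 'ok'}")
```

Returning the full list of problems, rather than stopping at the first, lets the sign-up page tell the user everything to fix in one round trip.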

Websites

More sites should do more to secure the user log-in process. Websites, as some already do, should lock a user’s account for 10 – 15 minutes after a round of unsuccessful attempts. After the next round of unsuccessful attempts, the account would be locked for 30 minutes. And finally, after another subsequent round of unsuccessful attempts, the account would be locked, requiring the user to contact customer service (email or phone) to unlock it, or to go through the self-help process of answering the security questions (see the previous section on creating those security question answers).
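The escalating lockout just described is straightforward to implement server-side. The following is an added example, not code from the original post: a login throttle that locks for 10 minutes after a round of four failures, for 30 minutes after the next round, and indefinitely (until staff unlock it) after the third. It assumes a password store of salted PBKDF2 hashes (constructed here) and takes the current time as a parameter so the schedule can be exercised without waiting.

```python
"""Added example (not code from the original post): a log-in throttle with
escalating lockouts (10 minutes, then 30 minutes, then manual unlock).

Assumptions: a constructed in-memory password store of salted PBKDF2 hashes,
and a caller that passes in the current Unix time. The attempts per round (4)
and the lockout schedule are parameters.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000
DUMMY_SALT, DUMMY_HASH = b"\x00" * 16, b"\x00" * 32
MANUAL = float("inf")   # locked_until value meaning "needs a person to unlock"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """Constructed in-memory store of salted password hashes."""
    def __init__(self):
        self._rows = {}

    def add(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, _hash(password, salt))

    def verify(self, user, password):
        # Hash even for unknown users so response time does not reveal
        # which user names exist.
        salt, digest = self._rows.get(user, (DUMMY_SALT, DUMMY_HASH))
        return hmac.compare_digest(_hash(password, salt), digest) and user in self._rows


@dataclass
class AccountState:
    failures: int = 0          # failed attempts in the current round
    lockout_round: int = 0     # lockouts already applied since the last success
    locked_until: float = 0.0  # Unix time the current lock expires (MANUAL = never)


class LoginThrottle:
    def __init__(self, store, max_attempts=4, schedule=(10 * 60, 30 * 60, None)):
        self._store = store
        self._max = max_attempts
        self._schedule = schedule   # seconds per round; None = lock until staff unlock
        self._state = {}

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'locked' or 'locked-manual'."""
        st = self._state.setdefault(user, AccountState())
        if st.locked_until == MANUAL:
            return "locked-manual"
        if now < st.locked_until:
            return "locked"          # a correct password does not bypass the lock
        if self._store.verify(user, password):
            self._state[user] = AccountState()   # success clears the escalation
            return "ok"
        st.failures += 1
        if st.failures < self._max:
            return "denied"
        duration = self._schedule[min(st.lockout_round, len(self._schedule) - 1)]
        st.lockout_round += 1
        st.failures = 0
        if duration is None:
            st.locked_until = MANUAL
            return "locked-manual"
        st.locked_until = now + duration
        return "locked"

    def admin_unlock(self, user):
        """Customer-service path: clears the lock and resets the escalation."""
        self._state[user] = AccountState()
```

Note that a locked account rejects even the correct password until the lock expires, and that unknown user names are throttled exactly like real ones, so the lockout responses cannot be used to enumerate accounts.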

Home Networking

When using Wi-Fi routers at home, use good, strong SSIDs. Use long, complex passphrases so no one can easily log in and piggyback off of your ‘Net connection (especially if you have a much faster connection than your neighbors and you have been bragging about it…).

Piggyback users can, possibly and illegally, use “your” IP and ‘Net connection to:

  • Download illegal pornography (think kiddie porn or some other illegal activity) or
  • Run a black market web site (drugs, weapons) or
  • Other activities

So guess whose door will be the first to get banged on by LE as LE attempts to track down the perp doing these illegal activities – yours! Because you failed to secure your home network, you are likely to become highly embarrassed and humiliated as LE traipses through your computer’s private emails, pictures and dressers (underwear), eventually discovering that your computer network was a conduit for one of your neighbors.

Home Wireless Security

For those home wireless networks, you need to focus on ensuring you have the latest wireless router firmware for 802.11ac or 802.11n, whichever you’re using. Then you have to be doubly sure you’re using the longest and most complex SSID passphrase you can put up with to prevent others from usurping your wireless/Internet connection.

Your home networking groups (PC to smartphone to smart TV to tablet to ….) should also have strong passphrases… 

The ‘Cloud’

Wouldn’t it be great to use the ‘Cloud’ to its greatest utility? Alas, if you are not using great passwords and web site owners do not have the best protections at hand, your data is, as sooo many like to say, powned (or the other corrupted version – pwned)! When you choose to sync your computing devices for the ease of sharing your content across your mobile devices, well, you might be sharing that data with more than just yourself, loved ones and friends…

Syncing your content is great but do you really need to, all the time, for all of your mobile and computing devices? That financial data, medical data or private spicy pictures, do you really want to sync that across all the devices – you might want to think about that… 

Conclusions

The Future of Mobile Communication & Security

The future does indeed look bright, as what was considered futuristic a decade or two ago is now entering stages of fruition. We will have, and already do have, hospital patients who are connected wirelessly to the hospital so there is continual monitoring by both the nurses on duty and the doctors who are out of the office. There is wireless connectivity for folks in the back yard so they can see who is ringing their door bell. Range and speed continue to increase to handle more Wi-Fi connections and to allow people to roam farther away from their wireless routers.

Having the facility of using foldable, curvable display screens that you can carry anywhere is a tech that is getting closer to reality. Having large, flat, light-weight, super-thin and super-clear OLED type displays is also getting closer to having in homes, hospitals and schools. Remember all the sci-fi movies and TV shows where they have large displays that open up on walls, bathroom mirrors, kitchen counter-tops – we’ll be seeing those in real life and not in a high-tech TV show or movie…

Then there are the massive numbers of wireless/satellite communications that are taking place now and which will grow in the future. For example, aircraft manufacturers talking to their aircraft and engines around the world for software updates or location status, while in flight. Or, look at cars and trucks, your vehicle manufacturer will likely start performing software/firmware fixes on your vehicle overnight if there is a known bug or new problem that can be fixed remotely instead of bringing it in (Tesla [5]). There are many, many more examples I could include here.

The hitch in this ointment still remains wireless security. Encryption protocols, user IDs and passphrases have got to improve. I can see us using a six-character alphanumeric password (numbers, upper & lower case characters) as well as an RSA-type token (or one from another firm) with a six-character alphanumeric PIN. This combination should work for everyone. A six-character alphanumeric password and a six-character alphanumeric PIN are not easily broken… 26 lowercase + 26 uppercase + 10 digits gets you your 52 alphanumeric characters, so –> password combos x PIN combos –> ((52^6)x(52^6)) = (19,770,609,664) x (19,770,609,664) = 390,877,006,486,250,192,896 combos…
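The keyspace arithmetic above is easy to reproduce, and it is worth carrying one step further: the number of combinations only tells you how long a search takes once you fix the guess rate. The following is an added example, not code from the original post. It derives the alphabet size from the actual character set (26 lowercase + 26 uppercase + 10 digits, which Python counts as 62) rather than reusing the figure in the text, and the two guess rates are assumptions chosen to contrast an online attacker held to a lockout policy with an offline attacker working on a stolen hash.

```python
"""Added example (not code from the original post): keyspace and search time
for a six-character alphanumeric password plus a six-character PIN.

The alphabet size is computed from the character set itself. The guess rates
in scheme_summary are assumptions for illustration.
"""
import math
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(space):
    """Bits of entropy for a value chosen uniformly from a space of that size."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every value at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def scheme_summary(pw_len=6, pin_len=6, alphabet=ALPHANUMERIC):
    n = len(alphabet)
    pw, pin = keyspace(n, pw_len), keyspace(n, pin_len)
    combined = pw * pin
    return {
        "alphabet": n,
        "password_space": pw,
        "pin_space": pin,
        "combined_space": combined,
        "combined_bits": round(entropy_bits(combined), 1),
        # Assumed rates: online guessing throttled by a lockout policy to
        # roughly 10 guesses/second, versus offline cracking of a stolen
        # hash at 1e10 guesses/second on commodity hardware.
        "years_online_10_per_s": years_to_exhaust(pw, 10),
        "seconds_offline_1e10_per_s": pw / 1e10,
    }


if __name__ == "__main__":
    for key, value in scheme_summary().items():
        print(f"{key:>27}: {value:,}" if isinstance(value, int) else f"{key:>27}: {value:.3g}")
```

The contrast is the point: the same six-character password that takes an online attacker well over a century at ten guesses per second falls in seconds to an offline attacker, which is why the server-side hash must be slow (see the PBKDF2 store in the lockout example) and why the second factor matters.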

A true gift would be a universal token that can be used across all of your banking, health care and other web sites. That indeed is wishful thinking… 

We will see much better and much more mobile communication taking place, wirelessly, for Public Safety members (EMT, EM, fire fighters, police), Park Rangers/Police and other entities. As speeds and bandwidth improve, we’re just going to have more wireless communication…

Accountability

So keep it in mind: there will be massive wireless connectivity and communication between all the devices, and maybe to your neighbor’s devices (with permission, of course). Think about the wireless security that has to be built in to prevent digital eavesdropping.

Users, not just the web site owners, need to take greater responsibility for their accounts and passwords. Yes, it was very easy and convenient to have short and cute passwords. That time has passed. Today, we have far more individuals who want to cause harm than ever before. You, the user, must do more due diligence in protecting your own data via your log-in account at any web site.

As more people carry around mobile computing devices, the risk of more personal data (or corporate data on an individual’s personal mobile device) being exposed continues to grow. Imagine drive-by Bluetooth/Wi-Fi attacks as a maliciously bent individual walks by you, skimming your data without your knowledge. Remember, a lot of people leave their Bluetooth and Wi-Fi connections open ALL the time. This is either because they are not aware they should disable those features when they are out and about, or because they do not care, wanting the convenience of being able to connect to a hot spot at any time or check in to their favorite coffee shop, restaurant or bar at any time…

Businesses must do a greater job in protecting customer’s data, period.

 

 

Definitions

AES              Advanced Encryption Standard – a cryptographic algorithm that can be used to protect electronic data implemented in 2002 – three levels: 128 bits, 192 bits & 256 bits

Cryptographic Algorithm   Mathematical formula used in enciphering/encryption and deciphering/decryption of electronic communication or data files. An encryption algorithm converts electronic data into a form that cannot normally be read or understood, and reconverts it back into a readable form for the user who has the correct key or password. Also called a data encryption algorithm

EM               Emergency Management (FEMA, Red Cross) 

EMS               Emergency Management Services 

IDS               Intrusion Detection System – software/firmware that detects intrusion attempts and exfiltration (theft) of data

IP                 Internet Protocol – IP supports unique addressing for computers on a network.

IPv4            The standard most networks use, featuring IP addresses four bytes (32 bits) in length, e.g. 133.54.200.20; it has outlived its address capacity

IPv6             The newer standard, featuring addresses 16 bytes (128 bits) in length, for an effectively unlimited number of device addresses (at least for a couple of decades), e.g. “0000:0000:0000:0000:0000:0000:C0A8:6420” or “::C0A8:6420”

ISP               Internet service provider – a company that provides individuals and other companies access to the Internet and other related services such as Web site building and virtual hosting

MAC             Media Access Control – a unique hardware (or physical) address that uniquely identifies a computing device (more specifically, a computer’s network adapter card) and in a 12-digit hexadecimal number format, i.e. MM:MM:MM:SS:SS:SS (6 bytes or 48 bits long) – there is more info but it starts getting complex…

Malware       malicious software – viruses, worms, Trojans, phishing email, etc

MITM           Man In The Middle – The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.

MSSP           Managed Security Service Provider – an ISP that takes on some amount of an organization’s cybersecurity management work (cost savings due to economy of scale) – from firewalls, to VPNs, to intrusion detection, etc.

Passphrase  Simply a phrase or sentence that you use instead of a word or set of characters; 20 to 30 characters long, it is a series of words that creates a phrase, and it should not (suggested) contain common phrases found in literature or music, words found in the dictionary, or your user name, real name or company name [3 & 4]

POS             Point of Sale terminals where your credit/debit cards are scanned

VPN             Virtual Private Network

Wi-Fi            Wireless Fidelity

WEP             Wired Equivalent Privacy: The original encryption protocol developed for wireless networks. As its name implies, WEP was designed to provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult to configure, and is easily broken

WPA2           Wi-Fi Protected Access version 2: Based on the 802.11i wireless security standard, which was finalized in 2004. The most significant enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption.

 

References

1 – Man-in-the-middle attack, https://www.owasp.org/index.php/Man-in-the-middle_attack, retrieved 6 Sept 2014

2 – 2013 Cost of Data Breach Study: Global Analysis, http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf, May 2013

3 – Forget Passwords, Use Passphrases for Extra Security, http://www.pcmag.com/article2/0,2817,2419274,00.asp, 23 May 2013

4 – Tips for creating strong passwords and passphrases (for Windows 7 but it applies to all systems), http://windows.microsoft.com/en-us/windows7/tips-for-creating-strong-passwords-and-passphrases, retrieved 4 Sept 2014  

5 – As Software and Hardware Advance Together, the Next Innovation Wave Rises, http://www.businessweek.com/articles/2014-09-04/as-software-hardware-advance-together-next-innovation-wave-rises, 4 Sept 2014
