Information Security News Alert February 2016
THE THREE DOMAINS OF SECURITY
CYBER • PHYSICAL • HUMAN
We all face threats in the Cyber, Physical and Human domains. Following compliance regulations and work policy will help us all stay more secure.
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
THE RULE OF THREE
Humans are hardwired to think in triads. We best make sense of, collect and remember information using groups of three. The Rule of Three is an integral part of our jokes, speeches, music, and movies. Security experts created the following security triads to help organize the many facets of security we encounter every day.
The CIA Triad
The first information security triad is known as the CIA – Confidentiality, Integrity and Availability – the 3 pillars of information security. This triad is the foundation upon which all security principles are founded.
The Many Lives Triad
Today, most of us lead three distinct lives, and each has its own set of security concerns and challenges. In our Personal lives, we do all we can to protect our families from harm in the Physical domain. Teaching and protecting them in the Cyber domain is no different. At work, we are expected to follow certain rules, protocols and policies. But when we telecommute from home, how much of our Personal and Professional lives overlap? No matter where we are, we must stay aware of security as it affects our organization. To make matters even more complicated, any time we are not in the comfort of our home, or in the confines of an office, we are considered Mobile, meaning we can be anywhere in the world at all, connected to anyone, anywhere, touching both our Personal and Professional lives.
PERSONAL • PROFESSIONAL • MOBILE
THE DOMAINS TRIAD
Information security is about a lot more than just techno-babble, computers and mysterious networks. It’s about the three domains in which we live, work and play. The Domains Triad neatly enhances the C-I-A Triad, giving us a more complete view of security.
Cyber
The Cyber domain includes the internet, networks, the cloud, computers, phones, tablets,
Human
THREE DOMAINS OF SOCIAL ENGINEERING
Social engineering has been and remains one of the most effective methods for attacking organizations because it doesn’t rely on technology to get past defenses. Instead, social engineering hacks the human. Even though social engineering relies on exploiting human emotions and characteristics, such as empathy, curiosity and greed, the specific techniques can fall into any of the three domains.
CYBER
PHYSICAL
HUMAN
PHISHING: By now, we are all too familiar with this common and highly effective social engineering technique. Phishing is said to be the first step in most of the APTs, or Advanced Persistent Threats, against organizations. Phishers send massive amounts of potentially harmful spam to anyone and everyone using email lists available on the underground internet. However, there are two kinds of phishing attacks which are much more prevalent: Spear phishing targets specific people or job functions, and whale phishing targets management, high profile employees and senior executives.
PIGGYBACKING: You’ve heard the term “tailgating” before, which refers to when another person passes through a secure door or checkpoint without the knowledge of the person who had legitimate access. Piggybacking is very similar, except that it implies consent on the part of the person with legitimate access. For example, if you swipe your ID badge to get into a secure area, and hold the door open for that frazzled co-worker with their arms full, you’ve just allowed them to piggyback on your credentials. This can also occur in the cyber domain with user IDs and passwords. Never allow someone to piggyback on your credentials!
PRETEXTING: This common telephone technique involves a pretext, or scam scenario, in which the scammers lie about their identity and their motives in order to obtain information they want. The technique is often used by private investigators to obtain information and is commonly used by people pretending to be from your bank or credit card company. It can also be used to impersonate coworkers, admins, executives, or anyone in a place of authority. Pop culture shows us many examples of pretexting, such as in Star Wars, Ocean’s 11, Catch Me If You Can, and many others.
Not that kind of whale.
SMISHING: SMS Phishing is exactly what it sounds like – phishing through text. If you’ve ever received a text from an unfamiliar number or person containing a URL or phone number, it could be a smishing attempt. The smishing message will use classic phishing techniques such as urgency, threats of account closure or the lure of a prize to get you to click. Do not respond to smishing messages. Delete them.
Check out this blog post about social engineering and pretexting in Star Wars: http://blog.thesecurityawarenesscompany.com/looking-for-security-in-alderaan-places/
USB STICKS: The Greeks duped their Trojan opponents by presenting an enormous “gift” only to have their soldiers jump out of the wooden horse once inside the city’s walls. The same concept is used today when an attacker leaves an infected USB stick for victims to find. Most people who find it may think, “Awesome, a free USB drive!” But when they plug it in, their computer becomes infected with a Trojan horse or other malicious software, allowing the bad guys access to all of their data. Many USB sticks (even new ones) have auto-run enabled, which can automatically infect a computer just by plugging it in. Make sure you are aware of company policies regarding bringing USB sticks and other data devices into our networks.
VISHING: Phone phishing (or “vishing”) is an automated pretexting attack that uses an interactive voice response (IVR) system. The victim is prompted to call a toll-free number in order to “verify” information. The rogue IVR rejects the log-ins continually, ensuring the victim enters PINs or passwords multiple times.
PII IN ALL THREE DOMAINS
Protecting Personally Identifiable Information, or PII, is everyone’s responsibility. It involves a combination of encryption, threat detection, data-loss prevention and policy compliance – tools and actions that lie in all three domains.
RESPECT IT, PROTECT IT: Try thinking about PII like money, and respecting and protecting it as such. Consumer and client PII is not only valuable to the organization but also to the consumers themselves.
Did You Know...? PII is sometimes called SPI (Sensitive Personal Information) or NPI (Non Public Information).
DATA PRIVACY AROUND THE WORLD: Personal information is legally protected differently in different countries. For example, a key difference in how PII is defined in Australia (versus in the United States) is that a piece of information can be considered PII even if it only indirectly identifies the person. The Australian Privacy Act of 1988 says, “...’personal information’ means information or an opinion…whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” To learn more about how personal data is protected around the world, take a look at the 2015 International Compendium of Data Privacy Laws PDF. To learn about the Safe Harbor agreement and what that means for US companies and EU citizens, read this explanation.
PHYSICAL LOCATIONS: Think about all the places PII might be stored. File cabinets. In your desk. On your desk. On a memory stick. On a mobile device. On hard copies in the trash. Always follow proper procedures for shredding physical documents containing PII – we wouldn’t want the wrong person getting any documents containing customer or client PII! Also, adopt the habit of maintaining a clean desk; never leave documents with PII out in plain view when away from your workstation.
Learn More: Interactive Map of Global Data Protection Laws • Global Privacy Blog by Latham & Watkins, LLP • 2015 ID Theft Report by ITRC
SHARE WITH CARE: Much of data privacy comes down to the Human domain and the decisions we make every day as we interact with technology. Remember that what you post online can last a lifetime. Before posting anything, always think about how it might be perceived and who might see it. Take control of your digital presence by checking your privacy settings on all social networks and limiting what data your Friends can see. Also, stay aware of what is being shared, not only by you, but about you by others.
UNDERSTANDING COMPLIANCE REGULATIONS: Compliance might seem like something you don’t want to hear about, annoying and tedious and just another roadblock to getting your job done. But we need to remember that compliance standards exist to help us protect data and actually do our jobs better. Every organization, and the people who work there, needs to understand which compliance regulations they are expected to follow. If you don’t know, ask immediately!
RECOGNIZE PHISHING ATTACKS: The phishing emails themselves, carefully crafted and often highly targeted, rest in the Cyber domain, laced with malware and just waiting for an unwitting victim to click without thinking. But the awareness that keeps you from being one of those victims is squarely in the Human domain. Stay aware of current phishing trends.
WHAT IS PII? The US Department of Homeland Security defines PII as, “any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.” Click here to learn more.
5 Traits of a Security Aware Employee
Organizations rely on their trusted employees to protect and defend their networks. Are YOU a truly security aware employee? A security aware employee…
1. Knows, understands and follows policy to the letter… in all three domains.
Policy exists for a reason: to protect company networks and data. Think about policy like the brakes on a car. The brakes are there not to make you stop but to allow you to go fast! Policies (laid out in the Human domain but affecting all three) are designed to let you do your job as best you can while keeping the data and networks secure. We cannot pick and choose which policies to follow – “Oh this one about the corporate VPN sounds good… but the badge policy is so annoying…” – since they all exist to protect us, our customers and data.
2. Reports all (potential) security incidents immediately... in all three domains.
Security aware employees are sentinels (not tattletales) for any potential situation that could cause problems for the organization. This includes everything from an unknown person (Human) on the premises (Physical) without identification, to a usually locked door that is sitting wide open (Physical). A potential security incident doesn’t have to be dire – like if you actually clicked on a phishing link and now your computer is infected with ransomware (Cyber). In fact, that’s why we call them “potential” security incidents; they are not yet incidents but could be. If you think you may have seen, done or overheard something that could potentially become a problem somewhere down the line, tell someone.
3. Stays alert and aware at work, at home and on mobile devices... in all three domains.
We must be alert for potential security incidents in all three domains, and in all three of our lives – Personal, Professional, and Mobile. Remember that security awareness is not any one thing but a balance of many triads, working together. Read about it here: http://blog.thesecurityawarenesscompany.com/the-many-lives-triad/.
4. Keeps up-to-date with security news and improves security posture regularly... in all three domains.
The only way to avoid security risks is to know what to look for, and the only way to know what threats we must be on the lookout for is to read the news and know what’s going on in the security world. What tactics are criminal hackers using now? What caused the most recent data breach? What kinds of malware should my software be detecting? Following infosecurity news outlets and Twitter feeds will keep you in the know and make you a more informed digital citizen.
5. Asks questions when they aren't sure about something... in all three domains.
There’s no such thing as a dumb question! Your managers and bosses won’t mind if you need to ask who you should report security incidents to or clarify policy. They would rather you ask when you don’t know than for you to stay quiet and passive. So whether it’s about badge policy, your email passwords, or if that delivery guy is really supposed to be in the server room, ask away! Asking questions shows that you are engaged and care about the security of the organization.
So how do you stack up? Do you think you are truly a security aware employee? What can you do to improve your security posture and be more security aware in all three domains?
Have you taken the Human Firewall Pledge? http://bit.ly/1S8t4lw
GAMES: Domain
Can you correctly classify each of these potential threats into the correct domain/domains? Careful! Some might fall into more than one. Print this out & challenge your co-workers to a face off! Fold on the dotted line to hide the answers. No peeking!
THREATS: DUMPSTER DIVING • CLOUD COMPUTING • IGNORING POLICY • MESSY DESKS • EMAIL • TALKING TOO LOUD • SHOULDER SURFING • HARD COPIES • BADGES • SOCIAL NETWORKS • SOCIAL ENGINEERS • INTERNET OF THINGS • FREE WIFI • TAILGATING / PIGGYBACKING • USB STICKS • PHISHING • NOT FOLLOWING COMPLIANCE • PASSWORDS • NATURAL DISASTERS • DOWNLOADING SOFTWARE • ID THEFT • MOBILE APPS • LOST DEVICES • ACCIDENTS
KEY: C - Cyber • P - Physical • H - Human
ANSWERS: DUMPSTER DIVING: PHYSICAL // CLOUD COMPUTING: CYBER // IGNORING POLICIES: CYBER, PHYSICAL, HUMAN // MESSY DESKS: PHYSICAL // EMAIL: CYBER, HUMAN // TALKING TOO LOUD: PHYSICAL, HUMAN // SHOULDER SURFING: PHYSICAL, HUMAN // HARD COPIES: PHYSICAL // BADGES: PHYSICAL // SOCIAL NETWORKING: CYBER, HUMAN // SOCIAL ENGINEERS: CYBER, PHYSICAL, HUMAN // INTERNET OF THINGS: CYBER // FREE WIFI: CYBER // TAILGATING / PIGGYBACKING: PHYSICAL, HUMAN // USB STICKS: CYBER, HUMAN // PHISHING: CYBER, // NOT FOLLOWING COMPLIANCE: CYBER, PHYSICAL, HUMAN // PASSWORDS: CYBER // DISASTERS: PHYSICAL // DOWNLOADING SOFTWARE: CYBER // ID THEFT: CYBER, PHYSICAL, HUMAN // MOBILE APPS: CYBER // LOST DEVICES: PHYSICAL // ACCIDENTS: PHYSICAL, CYBER
HEADLINE NEWS
EU General Data Protection Regulation Finalized & Expecting Approval
The text of the European Union’s new privacy legislation, the General Data Protection Regulation (GDPR), has been finalized and is awaiting approval from the European Parliament this month. It is expected to pass, and if so will become law across all 28 EU Member States in 2018. The GDPR is a direct replacement of the EU Data Protection Directive, which was put into place in 1995 and since then hasn’t grown with the exponential advancement of technology. The GDPR will change how data is collected, stored, and transmitted into and out of the EU. It will also consider jurisdiction as something not physical or geographical, but rather digital. To learn more, click here: bit.ly/1S8CmxS
New Trojan “SlemBunk” Targets Mobile Banking Apps Across the Globe
Just as mobile banking apps were ranked among the top ten malware threats by Kaspersky Lab (http://bit.ly/1lRIvBE), a new Android banking trojan called SlemBunk was found targeting 33 financial institutions around the world. Researchers at Fortinet and FireEye have discovered that SlemBunk is downloaded via adult websites, where users are tricked into installing a fake Flash Player app to view videos. SlemBunk immediately starts invading their device and taking over permissions, secretly collecting login credentials for banks and payment systems (though it steals other types of logins, too). This trojan is still active and has grown in its scope and sophistication. To learn more about this mobile banking malware, click here: http://bit.ly/1ZSj2q8
CNET @CNET • Jan 12 Support for IE versions 8, 9 and 10 ends on Jan 12th. http://cnet.co/1IRi21b
Infosecurity @InfosecurityMag • Jan 7 WhatsApp Malware Attack Unleashed via Phishing. http://bit.ly/1OR82rg
SAC @SecAwareCo • Jan 7 EZCast TV streaming service allows hackers easy access to home network. http://bit.ly/1RdcSPR
TechCrunch @TechCrunch • Dec 22 free login testing. http://tcrn.ch/1PO0pyM
Infosecurity @InfosecurityMag • Dec 21 US Congress passes highly controversial http://bit.ly/1PTicGH
Heimdal Security @HeimdalSecurity • Dec 21 New IRS spam campaign already hitting inboxes; Trojan attachment delivers ransomware. http://bit.ly/1RdQ2HD
Symantec @Symantec • Dec 17 lures users to click. http://symc.ly/1kSOLaW
BBC @BBC • Dec 16 under EU privacy laws. bbc.in/1T1wSSU
Infosecurity @InfosecurityMag • Dec 16 80% of companies had a security incident in 2015. http://bit.ly/1QtFdRD
#infosec