Information Security News Alert July 2016
The CIA Triad
PLUS: news you need to know!
How Confidentiality, Integrity and Availability inform our security decisions and shape our security aware behavior.
Strong passwords! Back up! Access rights! Disaster recovery! And more!
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
THE CIA TRIAD
Imagine a scenario where everything you own and everything that identifies you is stored in a lockbox and you need someone to guard it. Who would you give the key to? Someone you trust. Someone who is reliable. Someone who is accessible. You need this person to maintain your privacy by keeping the box locked, to ensure the contents of your box aren’t compromised in any manner, and to be available to unlock the box for only you when needed. In information security, this concept and practice is called the CIA Triad, and that “someone” is you.

The CIA Triad is one part Confidentiality, one part Integrity and one part Availability. As a whole, it is the single most crucial element to protecting sensitive data. Failure at any one level can lead to failure at every level. It’s our duty to not only keep data private, but also make sure it is consistently accurate and accessible for authorized users.

A lot of us make the mistake of thinking that security is just a matter of passwords and logins. If we stop thinking about data as just binary code, stored somewhere in the cloud protected by passwords and logins, and start thinking about it as a human process, we improve our ability to defend and protect not only the information of our clients, but also that of our co-workers, friends and families. This is the underlying concept of the CIA Triad and why it’s so important to data security.

Yes, we need to keep data private. That’s the Confidentiality part of the CIA Triad. But what good does it do if the person in charge of privacy alters what’s being kept private?

Welcome to the Integrity part of the triad. Ensuring that the data remains consistent and accurate over its lifespan is just as important as making sure it isn’t accessed or altered by unauthorized users, such as in a data breach. It’s our responsibility to verify sources when transferring sensitive information and to maintain strict security aware practices so that the data won’t be maliciously or inadvertently compromised.

But neither the Confidentiality nor the Integrity will matter if the data isn’t Available. Failure to implement software updates and maintain hardware repairs and upgrades in a timely manner can and will result in a loss of availability. Downtime leads to financial loss and undermines our business relationships.

LAST YEAR, THE AVERAGE COST OF A DATA BREACH (OR A BREACH OF INTEGRITY) WAS NEARLY $4,000,000 (OR OVER €3.500.000). Source: https://securityintelligence.com/cost-of-a-data-breach-2015/

A RECENT STUDY PROCLAIMS 93% OF PHISHING EMAILS CONTAIN AVAILABILITY-THREATENING RANSOMWARE. Source: http://www.csoonline.com/article/3077434/security/93-of-phishing-emails-are-nowransomware.html

75% OF UK CONSUMERS WON’T DO BUSINESS WITH A COMPANY THAT HAS BEEN HACKED BECAUSE IT THREATENS THE CONFIDENTIALITY OF THEIR DATA. Source: http://www.scmagazineuk.com/75-of-ukconsumers-wont-do-biz-with-a-company-that-hasbeen-hacked/article/501677/?utm_source=dlvr.it&utm_ medium=twitter
Confidentiality
Confidentiality is all about YOU! Confidentiality requires vigilant security practices to ensure that only authorized users have access to sensitive information. We can’t just “activate shields” and go about our business. It’s more complicated than that. While safeguards such as firewalls, anti-malware software and data encryption are all vital to privacy, security is a tangible, human process.
CON(FIDENCE) MEN
We all know that external threats are getting stronger and more sophisticated. But it’s easy to forget that computers don’t attack computers: people attack people using computers and mobile devices. Social engineering is still the number one way criminals infiltrate protected networks. The use of phishing—generally with emails that contain malicious links or attachments and appear to come from a trusted source—is highly successful because we live in a click-happy society. Criminals don’t need complex software or stolen credentials to gain access. All they need is for you to click. Another common method is pretexting. In this scenario, the bad guy creates an elaborate story (the pretext or setup) in hopes that an individual will be tricked into disclosing sensitive data. Often, the attacker has already done enough research to obtain some information that will be familiar to the victim, thereby gaining trust and increasing the likelihood that the victim will divulge more information, such as logins, passwords, customer information and financial records. Social engineering works because it hacks the human, not the computer. Don’t be a victim! Verify the source of an email, hover over a link before clicking, use common sense, stay skeptical and always follow policy when it comes to the transmission of sensitive data.

EMAIL ENCRYPTION
Whenever you’re emailing sensitive information, whether externally to an outside source, or internally to a coworker, it’s a good idea to use encryption. This protects what’s in the email, should it be sent accidentally to the wrong party, or should it be intercepted by a criminal. Only the correct recipient will be able to decrypt it. Ask about company policy to learn how and when to use encryption.

Ways to Improve Your Data’s Confidentiality
1. Follow strong password practices. It’s harder for a bad guy to break in if they can’t find the key.
2. At work, know what kinds of data you handle and the levels of protection required for each kind.
3. For all personal and business work, always use a VPN on public WiFi to keep potential bad guys from snooping on your secrets.
4. Always know and follow our data protection & classification policies here at work.
5. Think before you click so you don’t download malware!
The Legal Side of Biometrics
Companies are increasingly replacing traditional passwords with two-factor biometric authentication. If you’re unfamiliar, biometrics measure your physical attributes for authentication, such as a fingerprint, voice recognition and face scanning. Biometrics are not super common yet, but some companies are starting to roll them out, as Citibank did for its Asia Pacific customers. (Read more here: http://bit.ly/1WFofTc ) In the US, implementing biometrics might undermine your Fifth Amendment right, which protects you from self-incrimination (read more here: http://on.inc.com/1OnsGtM). Always follow policy at work when setting up passwords.
Integrity
Backup! Backup! Backup!
Data loss would be detrimental to our organization. Redundancy—also known as backup—is key to preventing that. Here at work, ask a manager how redundancy is handled and what you need to know to do your part. At home, consider paying for a cloud service to back up your personal data, and routinely move important data from your mobile devices to a more secure location. At the very least, get an external hard drive (or two!) and install backup software on your computers that runs automatically every day. The last thing you want is to lose years’ worth of family photos. Backup software is easy to set up, and much of it is free!
Access Rights
While external threats get all the headlines, internal threats are just as much of a risk and require the same amount of vigilance and security awareness. Maintaining the integrity of data is more than just ensuring backups are in place and data is encrypted; it is also a matter of preventing our information from being compromised by those with authorized access, either maliciously or inadvertently. As an authorized user, you need to not only prevent unauthorized users from gaining access, but also verify the recipient before transmitting sensitive information, verify that you are sending the correct information and always follow policy when accessing and transferring data. If you’re not sure why someone within our organization needs the specific data they requested, ASK! If you find a request for data odd, SAY SOMETHING! Never assume everything is on the up and up. Skepticism is your best friend.

68% of data breaches are the result of weak, default or stolen passwords.

The average cost of a data breach in 2015 was $3.8 million (€3.4 million), a number on the rise.

For each lost or stolen record that contains sensitive data, the average cost is $154 (€136).

89% of breaches have a financial or espionage motive.
A NEW TRIAD
Another way to look at the Integrity part of information security is by breaking it down into its own triad, composed of three basic concepts: authenticity, non-repudiation and accountability.
AUTHENTICITY: Verification of both the person gaining access and of the data being accessed.
NON-REPUDIATION: A service that tracks who changed or sent protected data and to whom.
ACCOUNTABILITY: The ability to identify authorized users and determine their level of access.
Another attack method most people don’t think about that affects Integrity is graffiti, or website defacing, a technique that used to be very popular with hacktivists. Similar to what happens to a business when its physical infrastructure is defaced, a business’s website that has been maliciously altered creates a negative perception among viewers. A recent example occurred when a hacktivist defaced the website of Spain’s Catalan police department; read more about the attack here: http://bit.ly/1WFmdmd.
Availability
Why should you care? We owe it to our clients and co-workers to ensure our systems are active and data is accessible to authorized users at all times. A loss in availability not only comes with financial concerns, it also degrades the integrity of our organization in the eyes of our customers and associates. At home, we owe it to ourselves and our family members to protect our personal data so it can be recovered but not easily lost or destroyed.
What causes a lapse in availability?
You’ve probably heard of Ransomware. It has taken the media cycle by storm while bringing businesses of all sizes to their knees. A Ransomware attack usually starts with a phishing email that contains malicious links or attachments. Once you click or download, your system is infected with malware, which makes its way across servers and encrypts data—causing it to be unavailable—until a ransom is paid.
WEATHERING THE STORM
While there is a lot of overlap in the CIA triad, availability is really the sum of both confidentiality and integrity with one other crucial feature: a disaster recovery program. Despite our efforts, data loss can occur due to unpredictable events such as fires or flooding. Having a disaster recovery program or incident response plan in place is imperative to recovery. Make sure you know your role in ours! At home, set up a worst case scenario plan for your family. Do you grab the hard drives in case of a fire – or are they backed up to the cloud? What if you’re robbed? Do you keep backups in a lockbox or hidden from plain sight? If you’re not using off-site backups like the cloud, consider storing a secondary backup at a family member’s house in the event of an emergency.

Maintenance = Stability
Improper hardware and software maintenance can lead to system downtime. Criminals will target weaknesses in networks and launch Denial of Service (DoS) attacks by flooding the servers with more traffic than they can handle, effectively causing them to collapse. Ensuring systems and software are always up to date can prevent technical failures, and help us avoid vulnerabilities associated with old software versions. Of course, here at work, all of this is taken care of by our organization. If you ever have questions about how we maintain our networks, don’t hesitate to ask. At home, you should keep the software of your computers, gaming systems, routers and mobile devices up to date, and routinely check for firmware updates, as well.

Your Role
Always follow policy. If you’re not sure about something, ask! If you see something unusual, report it! Remember that the confidentiality, integrity and availability of information security is a human process, too, not just a technical one.
HEADLINE NEWS
Phishing Emails Hit Record High; 93% of Them are Now Ransomware

PhishMe recently released their Q1 Malware Review (http://bit.ly/1Yb7j6w), and their findings are sobering. After analyzing phishing email campaigns from the first three months of this year, they saw that phishing volumes have risen almost 800% due to the global epidemic of ransomware. Ransomware is now quicker and easier for criminal hackers to send, and offers a much larger reward. Whereas other types of breaches take several months (or years) to detect, investigate and repair, ransomware forces targets to act and pay up quickly. And because most ransoms are relatively low in price point for small- to medium-sized businesses (usually between $400 and $1000), it’s generally easier for them to pay than to attempt to recover the data themselves.

The clever ransomware delivery method called “soft targeting” is also on the rise. These types of emails are somewhere between a spear phishing attack – targeted at specific, high-level employees – and a generic spam email that goes out to everyone. Soft targeted phishing attacks are sent to everyone within a specific job position and might include a little customization (such as a name). A popular example of this is a fake resume email with attached malware, supposedly coming from a potential applicant and sent to people who work in human resources. Because these people might be accustomed to seeing emails like this on a regular basis, they’re much more likely to trust that the attachment is valid and open it.

The FBI suggests that organizations take steps to make their employees aware of and able to identify the very real threat of ransomware. In addition, they also suggest individuals make sure all their operating systems, software, firmware and antivirus/antimalware databases are up-to-date and properly patched. It’s also a good security practice to make sure that data contained on computers and networks is backed up regularly and secured, but located in a place disconnected from the computers and networks they’re backing up in case of an infection.

Read more, including further technical advice on decreasing the threat of ransomware, here: http://1.usa.gov/1VFh2lE.

Infosecurity @InfosecurityMag • June 8 Hacker linked to recent MySpace, LinkedIn & Tumblr breaches is now selling 32M Twitter creds on Dark Web for $5,820 bit.ly/1VQ6PlX
The Hacker News @TheHackerNews • June 7 University paid $20,000 to hackers for ransomware decryption bit.ly/25RKszs
Techworm @Techworm_in • June 6 Anonymous shuts down London Stock Exchange for protest bit.ly/213Vb6t
Reuters @Reuters • June 1 US Federal Reserve breached 50+ times in last 5 years, including nation-state espionage reut.rs/1sLkeA7
KnowBe4 @KnowBe4 • May 31 CEO & CFO of aerospace company fired after fraud causes €50M loss bit.ly/1YeRjjO
CNN Money @money_cnn • May 27 Hacker group “Lazarus” hits bank in Philippines, 4th victim in string of global banking system attacks cnnmon.ie/1P1KUGZ
Extreme Tech @ExtremeTech • May 25 Hospital pays criminals to decrypt files but was asked for more money bit.ly/25iSKjy
CNN Money @money_cnn • May 23 $13M from South African bank using forged cards in Japan cnnmon.ie/1NHYS04