What Is Really At Stake With The People Part Of The Cyber Equation?


In 2016, the world experienced an enormous uptick in data breaches, numerous ransomware attacks and devastating DDoS attacks. In 2017, the attacks are increasing in number and scope with no slowdown in sight, including the WannaCry ransomware attack that targeted 74 countries and was spread by a phishing email. According to a recent PhishMe study, 91 percent of all cyberattacks begin as phishing emails.

In today’s world of technology, human error can be the difference between success and ruination. Nowhere is this truer than in the workplace, where humans are the weakest link.

Case in point: last week I was sitting on the tarmac; my flight had been delayed due to an unruly passenger, which is nothing new these days. However, what happened next was mind-boggling.

The man sitting next to me was talking to his office; he explained that his flight was being delayed upwards of an hour and wanted to make use of the time by calling his list of ‘cold calls.’ The only thing is, the list was in a Word file on his computer. Apparently, he had never heard of the cloud.

He instructed his assistant Julia, whom he mentioned by name several times, to turn on his computer, and gave her his username and password three times, very slowly, at a decibel level so loud that it was heard by more than half of the 100+ passengers on the plane.

He then told her that in the future his username and password could be found on a blue sticky note in his top left-hand drawer, which is never locked.

When he hung up with his assistant, he made several cold calls, telling each prospect the same nauseating scripted story. Adding insult to injury, on one call he explained to the prospective client how to avoid the security desk. I was trying not to stare, but by this point that was futile.

So, just what did I learn? (All names have been changed.)

  • His name is Paul XXXXXXX.
  • He is a Senior Vice President.
  • Paul works for a Financial Services Company.
  • His company specifically works with high-net-worth clients.
  • His office is located at xxx Wacker Drive, Chicago.
  • His office is on the XXth floor, on the west side of the building.
  • Sensitive information in his office is not secured.
  • Username is first and last name.
  • His password for all his accounts is ‘654321’ <= Clever…
  • His Business email is PaulW@company.com.
  • Office Phone number is 872-xxx-xxxx
  • Cell Phone number is 312-xxx-xxxx
  • His personal email is Paul2xxxxxxx@AOL.com
  • His assistant’s name is Julia, who just had a baby boy 3 months ago
  • He has 4 kids (3 boys, 1 girl), all in Ivy League universities, which is costing him an arm and a leg.
  • His 3rd wife, Natalie, who cannot cook a meal to save her life, rents high-end Jewelry for a variety of events.
  • This is my favorite => If you do not want to deal with the ‘hassle’ of going through the security desk, there is a side entrance that is always open and will not trigger the alarm system, because the smokers in the building use it as a smoking area, and the elevators are located at the end of the hall.
  • Come up to the XXth floor, knock on the window, and ‘someone will always let you in.’

I thought for sure this has to be a joke and at any minute someone probably dressed in a killer clown suit, was going to jump out and yell ‘Never, ever do this.’ No one jumped out.

The bottom line on how this happens? Employees know far too little about today’s cyber security threats, and organizations are not doing enough to educate their employees or to protect their clients’ critical data.

It is time for all organizations to act.

It is estimated that the majority of incidents globally involve human error. Cybercriminals know this is an area of weakness and they target it, more often than not very successfully.

Cyber security awareness is a process that must involve the entire organization. All employees must understand both their roles and their responsibilities.

Moreover, all organizations, whether small, medium or large, need to understand where their weaknesses are. A good first step is a cyber-risk assessment: a holistic review of policies and of the education given to everyone from the C-suite to third-party relationships.

Suggested training activities

  • Educate employees on the need for resource protection including protecting passwords, locking computers and locking up sensitive information.
    • Never leave your password on a sticky note where it can be stolen. Once it is out of your control, so is your security.
    • Never share your password with another co-worker. NEVER.
    • Create different passwords for different accounts and applications.
  • Educate employees on why using strong passwords is essential, not a hassle.
    • A strong password should be at least eight characters and should include uppercase, lowercase, and special characters – like @#?%^&*.
    • Adding just one capital letter, and one special character changes the processing time for a cybercriminal to crack an eight character password from 2.4 days to 2.10 centuries. Think about that!
  • Train employees on the strategies cybercriminals use to compromise networks, including phishing and fake websites, and on how malicious software is installed by clicking links within emails and downloading attachments from compromised websites.

Frequently conduct unannounced tests. Engage your IT department or use outside experts to test employees both in person and on the computer using social engineering strategies. Moreover, employees who routinely fail the tests need to be held responsible for their actions.

Cybersecurity is an enormous problem to address. Training and testing require planning and resources, but the process of preparation is far better than dealing with the aftermath.

A single vulnerability can lead to data breaches; it can also result in the theft of personally identifiable information (PII), which often proves the most costly and detrimental to organizations. Negative headlines and financial and reputational penalties follow, while legal and regulatory sanctions can quickly escalate into the millions of dollars.

 

As-A-Service Expands, Buckle Up Your Seatbelt.

Cybercrime is a thriving high-reward, low-risk business model, and it can be summed up easily with just one symbol: $.

In the past, there were various obstacles to overcome in order to get into the cybercriminal game. The ‘original cybercriminals’ ran a centralized operation which owned the servers and constructed malicious software (malware) from scratch.

This business model proved to be incredibly expensive to operate and exceedingly time-consuming, so making a substantial profit was an option only for large organizations.

However, like other ecosystems, the cybercriminal ecosystem continues to evolve. Today, it is a distributed system in which anyone with an agenda can simply rent, lease or purchase an ‘as a Service’ offering and ‘cash in’ on their crimes.

Some of the better-known ‘as a Service’ offerings include:

  • Malware as a Service (MaaS)
  • Distributed Denial of Service as a Service (DDoSaaS)
  • Ransomware as a Service (RaaS)
  • Hacking as a Service (HaaS)
  • Money Laundering as a Service (MLaaS) to name a few.

The distributed system requires less effort because the criminals take advantage of current ‘trends,’ including the ‘human factor’ (one in three individuals within an organization, regardless of training, will click on a phisher’s email) and ‘low-hanging fruit,’ otherwise known as the persons or organizations that, despite all the warnings, run with sub-par security and are easily found by an exploit kit. Rather than deploying sophisticated and expensive zero-day attacks, any endpoint now becomes a potential source of revenue.

‘As a Service’ offerings are a flourishing business model run on the black markets found on the DarkNet, such as the TOR network. TOR is a technological revolution in the facilitation of cybercrime because of the anonymity under which groups are able to operate.

Cybercriminals commit crimes directly against individuals, organizations, or governments through means such as malware attacks.

Direct methods are when resources are taken directly from the victim including

The criminals also attack in indirect manners including identity theft and fraud.

Indirect methods involve information obtained covertly from the victim, which can be sold on the DarkNet, including

The introduction of the cloud computing ‘as a Service’ paradigm has brought abundant advantages to the information technology industry, but also greater opportunities for cybercriminals.

Cybercriminals no longer need to rely on their own skills and assets to carry out exploits.

Several of these services include:

  • Infrastructure as a Service (IaaS) provides the rental of servers and storage devices.
  • Software as a Service (SaaS) provides the infrastructure enabling the dynamic production of applications.
  • Data as a Service (DaaS): data is stored in the cloud and is accessible by a range of systems and devices.
  • Platform as a Service (PaaS) allows users to develop, run and manage applications without the complexity of building and maintaining expensive infrastructure and the space required to develop and launch applications.

These cloud-based technologies afford cybercriminals greater flexibility, better resource management and agility in a furiously paced technological environment, allowing for even more dangerous and aggressive exploits.

Cybercriminals have taken full advantage of these services because they eliminate the need to maintain their own infrastructure and facilitate better operational security (OpSec), adding a layer of obfuscation between the cybercriminals and the organizations hunting them while efficiently creating and distributing their malware attacks.

Another fuel for ‘as a Service’ is the rise and popularity of cryptocurrencies. Cryptocurrency is digital money that utilizes a decentralized, peer-to-peer (P2P) payment network, thus making it harder to discover criminal activity.

The most utilized form of cryptocurrency is Bitcoin.

Bitcoin is used globally by legitimate organizations but is better known for criminal exploits.

The topic of Bitcoin would not be complete without addressing the process of tumbling. Tumbling essentially adds an additional layer of anonymity to block attempts to track and uncover Bitcoin transactions. There are multiple ways to tumble Bitcoins, including:

  • Multiple wallets: a cybercriminal creates a wallet via TOR and adds Bitcoins to it. A second wallet is created, again via TOR, and the funds are moved into it. Last but not least, a third wallet is created and the funds are moved again, confusing the trail of transactions between the three wallets and making attribution almost impossible.
  • Third-party services: DarkNet organizations offer services to launder bitcoins, adding a ‘proprietary obfuscation technology’ that breaks the link to the source of the funds and prevents blockchain analysis from tracking the bitcoin transactions.

The DarkNet is an encrypted network built on top of the DarkWeb. Two typical DarkNet types are P2P networks used for file sharing and networks such as TOR used for anonymity.

TOR, short for ‘The Onion Router,’ provides anonymity to its users by bouncing their communications around a distributed network of relays worldwide; TOR also prevents tracking of the sites visited, prevents those sites from learning the user’s physical location, and allows access to .onion sites ranging from legal to absolutely illegal. TOR can be used on Windows, Mac OS X, or Linux without any additional software.

As with all things ‘as a Service,’ where there is a need, service providers seem willing to satisfy it. Moreover, as long as the return on investment (ROI) remains high, expect continued investment in even more resources in order to unleash greater numbers of cybercrimes on the broadest possible range of targets. Buckle up your seatbelt.

Prevention Guidelines

  • Use strong passwords: eight characters, including upper- and lower-case letters, numbers and special characters (!@#$%^&*).
    • Adding just one capital letter and one special character changes the brute-force processing time for an 8 character password from 2.4 days to 2.10 centuries. Think about that!
  • Never write your password on a sticky for an intruder to find.
  • Group the sites you visit into categories, i.e. business, personal, sensitive, and use a password for each category.
  • Activate your Firewall- it is the first line of defense.
  • Use your ‘Anti’s’:
    • Anti-Virus
    • Anti-Malware
    • Anti-Spyware
  • Secure your mobile devices. They are just as vulnerable as your computer.
  • Install the latest OS updates.
  • Download Applications and Attachments FROM TRUSTED SOURCES ONLY.
  • Delete all unknown e-mails.
  • Use encryption for all your sensitive data.
  • Use HTTPS for all your transactions.
  • Backup your data frequently and store it in multiple locations.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Security Is An Arms Race, The Only Way To Win, Is To Stay Ahead And Stay Knowledgeable.


Securing your home wireless network is not a game; it is serious business. If your network is not secured, an online cybercriminal will exploit it; it is just a matter of time. They will ‘listen’ to your traffic, retrieve sensitive data and/or take advantage of your network to launch malicious attacks. For this reason, learning how to exploit your home network before the cybercriminal does is a very smart move.

Quick Overview On Wireless Security Options

WEP

  • Wired Equivalent Privacy.
  • First 802.11 standard.
  • Very easily ‘hacked’ due to a 24-bit Initialization Vector (IV) and weak encryption.
  • Uses the RC4 stream cipher and 64- or 128-bit keys.

Never use.

[A cyber attack executed against retailer T.J. Maxx in 2009 was traced back to WEP vulnerabilities.]

WPA

  • Wi-Fi Protected Access.
  • Implemented to address major WEP flaws.
  • Backwards compatible with WEP.
  • Personal and Enterprise Mode.
  • RC4 along with longer IVs and 256-bit keys.
  • Each user acquires new keys with TKIP.
  • Enterprise mode uses 802.1X and EAP.

Only use if WPA2 is not available.

WPA2

  • Wi-Fi Protected Access 2.
  • Strongest standard.
  • Additionally, the Advanced Encryption Standard (AES) does not affect performance.
  • Personal and Enterprise mode.
  • Replaces both RC4 and TKIP with CCMP and the AES algorithm for strong authentication and encryption.
  • Seamless roaming. Individuals can move from one AP to another on the same network without having to reauthenticate.

Most secure method.

There are fundamentally two types of vulnerabilities which can be found in a wireless home network. The most common one is poor configuration, including weak passwords, no security settings, or using the ‘out of the box’ default configuration.

  • First things first, change the name of your Wi-Fi network, also known as the SSID (Service Set Identifier).
  • Your wireless router comes pre-set with a default password. That is very easy for a cybercriminal to guess, especially if they can learn the manufacturer.
  • A strong password should be at least 8 characters and should include uppercase, lowercase, and special characters – like @#?%^&*.
  • Adding just one capital letter, and one special character changes the processing time for an 8 character password from 2.4 days to 2.10 centuries. Think about that!
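The password advice above (and the same rule in the training and prevention lists earlier) rests on keyspace arithmetic; the following Python is an added example, not code from the post, that estimates the brute-force search space from a password's length and character classes and checks it against the post's minimum rule. The guess rate (one billion per second) and the 32-symbol special-character set are assumptions, so its figures differ from the post's 2.4 days / 2.10 centuries; what it shows is how the ratio between two eight-character passwords grows once upper-case and special characters are added.

```python
"""Estimate how a password's brute-force search space grows with the character
classes it uses, and check it against the post's minimum rule (eight or more
characters with upper, lower and special). The guess rate is an assumption;
real crack times depend on the hash algorithm and the attacker's hardware."""
import string

# Character classes as the post describes them. The special-character set is an
# assumption: Python's string.punctuation, 32 symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def keyspace(password):
    """Candidates an attacker who knows only the length and the classes in use
    must be prepared to try: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)

def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / guesses_per_second

def human_time(seconds):
    """Express a duration in the largest convenient unit, as the post does."""
    units = [("centuries", 100 * 365 * 86400), ("years", 365 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return round(seconds / size, 2), name
    return round(seconds, 2), "seconds"

def meets_policy(password):
    """The post's rule: at least eight characters with upper, lower and special."""
    used = classes_used(password)
    return len(password) >= 8 and {"lower", "upper", "special"} <= used

def compare(passwords, guesses_per_second=1e9):
    """Keyspace, exhaustive-search time and policy result for each password."""
    rows = []
    for pw in passwords:
        value, unit = human_time(seconds_to_exhaust(pw, guesses_per_second))
        rows.append({"password": pw, "keyspace": keyspace(pw),
                     "time": f"{value} {unit}", "policy_ok": meets_policy(pw)})
    return rows

if __name__ == "__main__":
    # Constructed samples: the post's ‘654321’ and ‘hello’, an all-lowercase
    # eight-character password, and the same length with upper and special added.
    for row in compare(["654321", "hello", "wackerdr", "Wacker!d"]):
        print(row)
```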


  • The second vulnerability is using weak encryption and weak security keys (WEP, WPA) to protect the wireless network.
  • The strongest encryption setting to increase your Wi-Fi protection is WPA2 AES.
    • AES is short for Advanced Encryption Standard and is used by governments around the world, including the US.
  • WPA2 AES is a standard security system now, so the majority of wireless networks should be compatible with it.
  • If you are using WPA2 Personal, disable WPS.
    • WPS stands for Wi-Fi Protected Setup. It is a wireless networking standard that makes connecting a router and wireless devices faster and easier. However, although WPS can make your life easier, it is very vulnerable to attacks. (See Fern Wi-Fi.)

Quick Overview On Wireless Cracking and the Tools

Knowledge is powerful. Cybercriminals are powerful because they have the critical knowledge that leverages all other knowledge: the ability to solve the puzzle known as your password and win the prize known as your data. Beat them to the finish line.

Wireshark

If you enjoy networking and know your protocols, then you will enjoy Wireshark as much as I do. Essentially, it is a network protocol analyzer. You can ‘live capture packets’ and analyze them in order to find various things related to your network, and it lets you see what’s happening at a microscopic level. This tool is available for Linux, Windows, OS X, Solaris and other platforms.

Aircrack-ng

This is one of the most widely known and, many would say, most popular wireless password cracking tools.

Aircrack-ng is a complete suite of tools to assess your Wi-Fi network security. It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA-PSK (WPA 1 and 2).

All tools are command line, which allows for heavy scripting. It works primarily on Linux but also on Windows, OS X, NetBSD, as well as Solaris and even eComStation 2.

Airsnort

Another popular wireless LAN password cracking tool, it can crack WEP keys of a Wi-Fi 802.11b network. This tool passively monitors transmissions and then computes the encryption key when enough packets have been gathered. It works on Linux and Windows platforms.

Kismet

This is yet another popular Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. It is available for Windows, Linux, OS X and other platforms. It is used in Wi-Fi troubleshooting and passively collects packets to identify standard networks and also to detect hidden networks. Built on a client-server modular architecture, it can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.

Fern Wi-Fi

Fern Wi-Fi Wireless Cracker helps with network security by allowing you to see real-time network traffic and can identify hosts. It works on Apple, Windows and Linux platforms. It can run other network-based attacks on wireless or Ethernet-based networks. For WPA/WPA2, it uses WPS-based or dictionary-based attacks. For WEP, it uses Fragmentation, Chop-Chop, Caffe-Latte, ARP Request Replay or WPS attacks.

inSSIDer

inSSIDer is the only tool that I use which I pay for (19.99), but it is worth it. It is a very popular Wi-Fi scanner for both Microsoft Windows and OS X platforms. The Wi-Fi scanner can find open Wi-Fi access points, track signal strength, and save logs with GPS records. One of the best uses is to find issues in wireless networks. That alone is worth the money!

I learned how to use these tools through trial and error. My first target was my wireless home network, and I kept at it until I was able to strengthen my overall security. Then I focused on my family and friends (with their permission). Breaking into a wireless network without permission to gain access is a cyber-crime. Do not put yourself at risk.

I was able to turn this experience into an educational session for both my ‘test group’ and me. I was able to show them the importance of having a strong wireless network, and I proved to myself that I could ‘hack’ them.

Overall Results – 8 home wireless networks tested (Again, I stress, I had their permission)

  • 5 set up their networks with straight-out-of-the-box security – Fail
  • 1 network used WEP – Fail
  • 1 network had WPS enabled – Fail
  • 1 network used a well-known password (hello… not kidding) – Fail
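The following Python is an added example, not code from the post, that applies this post's checklist (encryption type, WPS, factory SSID, factory or well-known passphrase) to hand-constructed home-network records and produces a pass/fail tally of the same shape as the results above. The SSIDs, passphrases and vendor prefixes are all assumed values; a real audit would read these settings from the router's admin page.

```python
"""Evaluate home Wi-Fi settings against the checklist in this post: no open or
WEP networks, WPA2 with AES/CCMP rather than WPA/TKIP, WPS off, the factory SSID
changed, and no factory or well-known passphrase. All records are constructed."""

# Constructed lists; real factory SSIDs and default passphrases vary by vendor.
DEFAULT_SSID_PREFIXES = ("NETGEAR", "linksys", "dlink", "TP-LINK", "default")
WELL_KNOWN_PASSPHRASES = {"hello", "password", "admin", "12345678", "654321"}

def audit_network(net):
    """Return the checklist failures for one network; an empty list is a pass."""
    findings = []
    security = net.get("security", "open").upper()
    if security == "OPEN":
        findings.append("no encryption")
    elif security == "WEP":
        findings.append("WEP in use")
    elif security == "WPA":
        findings.append("WPA/TKIP instead of WPA2")
    elif security == "WPA2" and net.get("cipher", "CCMP").upper() != "CCMP":
        findings.append("WPA2 without AES/CCMP")
    if net.get("wps_enabled", False):
        findings.append("WPS enabled")
    if net.get("ssid", "").startswith(DEFAULT_SSID_PREFIXES):
        findings.append("factory SSID")
    passphrase = net.get("passphrase", "")
    if net.get("passphrase_is_default", False):
        findings.append("factory passphrase")
    elif passphrase.lower() in WELL_KNOWN_PASSPHRASES:
        findings.append("well-known passphrase")
    elif security != "OPEN" and len(passphrase) < 8:
        findings.append("passphrase shorter than eight characters")
    return findings

def summarize(networks):
    """Tally passes and failures over several networks, as the post's results do."""
    findings = {net["ssid"]: audit_network(net) for net in networks}
    failed = sum(1 for problems in findings.values() if problems)
    return {"tested": len(networks), "failed": failed,
            "passed": len(networks) - failed, "findings": findings}

# Eight constructed networks mirroring the post's tally: five left at factory
# settings, one on WEP, one with WPS enabled, one using a well-known passphrase.
SAMPLE_NETWORKS = [
    {"ssid": "NETGEAR12", "security": "WPA2", "wps_enabled": True,
     "passphrase": "factory-word-1", "passphrase_is_default": True},
    {"ssid": "linksys", "security": "WPA2", "wps_enabled": True,
     "passphrase": "factory-word-2", "passphrase_is_default": True},
    {"ssid": "dlink", "security": "WPA", "wps_enabled": False,
     "passphrase": "factory-word-3", "passphrase_is_default": True},
    {"ssid": "TP-LINK_9A3C", "security": "WPA2", "wps_enabled": True,
     "passphrase": "factory-word-4", "passphrase_is_default": True},
    {"ssid": "default", "security": "open", "wps_enabled": False, "passphrase": ""},
    {"ssid": "SmithFamily", "security": "WEP", "passphrase": "A1B2C3D4E5"},
    {"ssid": "Casa2017", "security": "WPA2", "wps_enabled": True, "passphrase": "Lakeshore!2017"},
    {"ssid": "Paulnet", "security": "WPA2", "passphrase": "hello"},
]

if __name__ == "__main__":
    for ssid, problems in summarize(SAMPLE_NETWORKS)["findings"].items():
        print(ssid, "FAIL:" if problems else "PASS", ", ".join(problems))
```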

Cybersecurity is a shared responsibility. Stop. Think. Connect.