Leverage Risk Assessment to Inform Your Annual Security Budget

If yours is like most organizations, you have a policy or requirement of periodic (usually annual) risk assessment. Financial organizations and medical concerns, for example, fall under this requirement. Also, many organizations that have no regulatory requirement to perform risk assessment, perform one as a matter of best practice. And since you are doing one anyway, you might as well get maximum use from it.

It is the season when many concerns are allocating resources for the coming year. The information security budget is usually limited, even if it is adequate to protect the system and the information it contains. It is therefore very important that information security dollars be allocated wisely, and to maximum effect. To make a wise decision, you need to have the best and most current information. The results of an enterprise-level risk assessment are an excellent source of such information.

Continue reading

Ransomware – payment as business plan?

CBS News recently did an interesting piece on ransomware, and the various reasons that businesses may choose to pay the ransom.

These ransom payments can range from a few thousands – Lees, Alabama negotiated their attacker down from $50,000 to $8,000 – to half a million dollars or more.

On the flip side of the coin, Atlanta, GA decided not to pay a ransom demand of approximately $50,000 – instead spending upwards of $17 million to recover from the attack.

Continue reading

IAM: We Should Use All the Factors We Can

There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.

Continue reading

Zelle…quick, easy, and…problematic?

Measuring risk

With the increasing adoption of PayPal, Venmo, and other instant payment services…it’s no surprise that the financial services industry entered the arena. The concept is simple – P2P payments via phone or email. At least one entity – sender or recipient – needs to have a bank account with a bank that supports Zelle. The other entity can simply link a supported debit card to enable the exchange.

Continue reading

New Attacks Against Misconfigured Amazon S3

Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.

Magecart, a threat actor group involved in a large amount of attacks, has a currently active campaign targeting S3 hosted sites; the attack infected these sites with malicious javascript that steals customer’s credit card data.

Their attack methodology involves specifically looking for buckets that have write permissions enabled for everyone. When one of these buckets is found, it looks for javascript in the bucket – increasing the likelihood that it’s being used to host a site, or serving assets for a site hosted elsewhere. Javascript files are then edited by the attacker and the Magecart malicious javascript is injected into it.

The javascript runs in the customer’s browser, looks for specific forms, and sends that data to another server when it is submitted. Without detailing this further, as there are many other good breakdowns of exactly what this attack entails that are available. The key take away here will be what can you do to make sure a site you have isn’t hosting this code.

Continue reading

State of Security Podcast Episode 17 is Out!

In this episode (~45 minutes), I answer questions from the audience around blockchain and smart contract security considerations. I cover some of the reasons why I think these technologies are important, what their potential impacts are likely to be and how information security teams should prepare. Some of the questions drift into changes around store of value, investment insights and other closely related topics.

This episode is sponsored by MachineTruth™ – a new passive, analytics-based solution for network inventory, traffic analysis and security baselining. Learn more at  http://www.machinetruth.net.

 

Prepping for Incident Response

Prepping? Who wants to prep for incident response?

This particular bit of writing came from a question that I was asked during a speaking engagement recently – paraphrased a bit.

How can a client help the incident team when they’re investigating an incident, or even suspicious activity? 

So, I circulated this to the team, and we tossed around some ideas.

Continue reading

California Consumer Privacy Act

Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.

National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).

Continue reading