The number of people in the United States has been increasing heavily over time and we are currently the third most populace country on the planet. In the last century, the population has more than tripled here, and it is estimated that we will add more than 100,000,000 to the current total by 2050. One of the things that help us cope with such huge numbers is taking advantage of economies of scale.
For example, we build truly giant ships to carry our oil and cargo because the bigger the ship is the more hydrodynamic advantage there is and the less cost there is per ton for transportation. Similarly, we build enormous power plants and network them into grids because it is more efficient and cheaper per kilowatt hour to do so. There are many more examples of this trend all across American commerce. While this practice indeed does work and enables us in many ways, it comes with a variety of costs; one of which is increased risk.
We stand to lose a lot of oil and cause major environmental catastrophes if someone starts sinking major super tankers, for example. And if an enemy starts destroying our large power plants (or critical nodes in the infrastructure connecting them), the impact could be very much worse than that.
I mention all of this, because now we are seeing the trend toward economies of scale coming into the information processing world, mainly in the form of cloud computing. This trend is inevitable because it truly is more efficient, cheaper and improves peoples’ lives in many ways. But it must be realized that this centralization of data processing and storage brings with it the same increase in impact if a major compromise occurs – and the greater the impact, the greater the risk.
What this means in the information security world is that we need to have more security assurance built into these large cloud systems. It should be stated like a natural law: the bigger the system, the more effective the security controls need to be. So before you put all of your valuables into the cloud, keep the risks inherent in economies of scale in mind and vet your cloud provider’s security measures. Make sure that they have all the technical, operational, physical and management controls in place. Ensure that their information security program is transparent and reactive to realistic criticism. And ensure that your own organization realizes the risks inherent in the cloud and plans accordingly as well. Remember, it is your own organization that is ultimately responsible for the security of their data no matter where it is stored or processed.

Drafting an Incident Response Policy can seem overwhelming. At the beginning, it doesn’t seem feasible that a single document can help you maintain order during a breach. You may ask yourself if it’s even possible to prepare your team for responding to all of the latest Tactics, Techniques and Procedures (TTP) that attackers are leveraging. It’s not possible to craft a document that addresses every possible threat individually. However, you can create an effective policy that covers each major threat category as opposed to each individual attack.

If you’re not sure which categories to focus on, I recommend taking a look at Microsoft’s STRIDE Threat Model. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. By leveraging the STRIDE model (or any other threat model), you can create a policy that will be relevant for years to come. This “one size fits all” approach will not only make your policy more efficient, it will be much more effective.

After you’ve crafted your policy, be sure to take the time to walk through a few scenarios. It’s even worthwhile to bring in a 3rd party to help you simulate a computer security incident on a regular basis. This exercise can help you identify any gaps that exist within your policies and procedures. It will also demonstrate how a simple policy will help your company respond to the even the most complicated security issues.

Working in IT, one of my biggest challenges has been to convince end-users that it is worthwhile to forego a convenience in the name of security. Regardless of whether it’s requiring the use of multi-factor authentication or forcing a computer to auto-lock after a certain amount of idle time, it often boils down to the end-user facing some sort of hinderance to their productivity. I completely understand their frustrations. I’ve managed Active Directory networks that served around 15,000 people and still managed to lock out my account. Was I annoyed? Absolutely, but I understood the need for the control. If you take the time to explain security to the end-user, they’ll be more likely to understand your decisions.

Here are some tips I’ve found to be helpful when convincing an end-user to implement a security control:

1. Remind – Remind them that you’re not making this change just for fun. It’s being completed to reduce the likelihood that your organization’s systems will be compromised by an attacker.
2. Example – Give an example of a high-profile breach that could have been prevented by implementing this control. It’s likely that they’ve had their personal information exposed as a result of a breach within the last few years. Even if they (somehow) haven’t personally been affected by a data breach, they have a friend or family member who has. Using an example of something that has affected them personally will go a long way to helping them understand why it is worthwhile to implement a security control that could have an adverse affect on their productivity.
3. Analogy – Still having trouble rationalizing why you’re implementing a new security system? Try to use an analogy to describe how the new control will help prevent an issue. For example, if they are upset that they can’t reuse a password across multiple systems, remind them that the key to their Ford vehicle won’t work on ALL Ford vehicles.
4. Describe –  Take some time to describe why you’re implementing the new security control. It’s important to make the effort to explain the task in terms that the end-user will understand. Don’t use the complexity of the topic as an excuse. If you can’t explain the issue to a non-technical employee, chances are, you don’t understand it yourself.

A distributed denial of service attack is a malicious attempt to make machines, applications or other network services unavailable to legitimate users. There are many types of DDoS attacks including SYN and UDP floods, reflected attacks, application attacks and multi-vector attacks that employ several types of attacks in combination. In the past, it was typical for businesses to accept the risk of DDoS attacks since they were relatively rare and small scale. But that has all changed in recent years; both the number and scale of DDoS attacks have increased dramatically. Because of this trend many savvy businesses have changed their philosophies and taken steps to mitigate DDoS attacks. Unfortunately, this trend is far from universal. Many businesses remain complacent and have done little or nothing to prepare for DDoS attacks. Is your business one of these and if so, what should you do about it?

The first step I recommend taking is to perform a basic risk and impact study on the subject: how likely is it that my business will be attacked, and if it is, how badly will it hurt us? If the answer to either of these questions is unacceptable, then you should certainly move on to step two and start the process of incorporating DDoS into the incident response plan. In a nutshell – develop the policy language, include likely DDoS attack indicators and attack scenarios in the plan, develop specific strategies to counter these attacks, assign responsibilities to specific individuals and practice the plan. Sounds easy, but how do we go about doing that you may ask. Here are some basic tips:

• Contact your ISP. Get their advice, find out about their experience and capabilities with DDoS attacks, find out about any anti-DDoS tools they might have available and their cost, etc. If you don’t do anything else, at least take this step. You probably won’t be able to do much at all to counter a DDoS attack without your ISP’s help.

• Ensure that your team is fully aware of all the capabilities your present equipment and infrastructure has for handling DDoS attacks.

• Ensure that your IR and IT teams are aware that DDoS attacks are sometimes persistent and can last for days, weeks or more. Make plans for keeping your reactions strong and timely.

• Employ centralized logging and ensure that proper monitoring procedures are in place and reviewed.

• Make sure you maintain a whitelist of source IPs and protocols, major customers, critical service providers and partners that must be allowed access during attacks.

• If you are at high risk and impact levels for DDoS attacks, consider improving your infrastructure and/or employing specialized DDoS services or products. Cloud based servers, for example, have great capabilities for fighting DDoS.

• Ensure that applications, networks and operating systems that may be targeted in DDoS attacks are fully hardened.

Here’s hoping that no one out there targets your business with a major DDoS campaign. But if you think the possibility is high, better take a tip from the Boy Scouts and be prepared!

The news just came out that the OPM data breach was even more serious than was first announced. The toll has risen from 4.2 million to the present total of 22.1 million people – nearly seven percent of the US population. They are now saying that nearly 2 million of these aren’t even people who have applied for security clearances themselves, but are spouses and other people close to applicants. What a wealth of information for cyber-criminals!

One of the things that make this such a bad hack is the kinds of information that may have been revealed. Background checks, depending on the level of clearance that is being applied for, can delve into an individual’s past quite extensively. Information such as all your past addresses, who you associated with, who your teachers were, the periodicals you read, your medical history, your arrest records, the organizations you associate with, etc., etc. Just the sort of juicy information that Spear Phishers dream of! But worse than that, this is the sort of information that can be used to blackmail people.

Blackmailing is probably the most dastardly type of social engineering there is. Here you are; nice family, good job, couple of kids, respected in the community – life is sweet! Then all of a sudden, someone contacts you and threatens to release some scurrilous information to the public if you don’t do as they say. Maybe you were arrested for something embarrassing such as being caught as a Peeping Tom. Maybe it lists a past relationship that you were not candid about with your spouse. Maybe it’s an embarrassing medical condition such a venereal disease. Or maybe it’s some really bad dirt concerning your spouse or another family member. Whatever it may be, suddenly you are faced with the choice of cooperating with criminals and breaking the law or abject ignominy – what would you do?

It’s amazing how many people will actually cooperate with their blackmailers and do their bidding. Even if it means jail time! Either alternative seems so bad to the blackmailed that they just can’t face either. So they go along in the desperate hope that nobody will find out and the whole mess will just go away. Good luck!

The way to deal with this problem, in my opinion, is to give them a third choice. Agencies and organizations should set up programs that offer forgiveness and help for these individuals if they come forward. Make sure that your personnel are aware of the possibility of blackmail, explain the forgiveness program to them, and make them understand that no matter what, they are better off reporting the incident than submitting to intimidation.