Have you had your Security Wellness Check?…

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

Gartner Identity and Access Management Summit

How Can a Company Guarantee a Successful, Strategic Identity Access Management Program?

The Gartner Identity and Access Management Summit is right around the corner and leaders from all over the world will be coming to try to get this question answered.  Here are a few ideas from our ten years in the industry.

Strategic Identity and Access Management (“IAM”) projects can be difficult, and the new challenges of mobile, social, and cloud compound the problem.  Protecting the perimeter is no longer enough.  Safeguarding identities is the key to a truly secure enterprise.

The industry has seen far too many train wrecks with IAM.  To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan.  Near-term, immediate priorities can be met with client-based single sign-on, basic provisioning, simple roles and audit reports.  But with a short-term (and maybe short-sighted) plan, a company can just as easily limit its ability to solve more complex problems later.

Read more

Ingestible Computers

Today I had the opportunity to be a guest on over a dozen Fox News Radio affiliates around the country to discuss the topic of the “password pill.”

These tiny, ingestible “smart pills” may be making their way to a pharmacy near you as early as next year.  They are sensors in pill form: swallowed and then powered by stomach acid, they transmit low-frequency signals to a wearable patch and from there to a smartphone app.  The pill passes through the body in about 24 hours and can then be recycled!  Eeww!  Several companies are making these in various forms, including a consumer version that would send information to your cell phone.

The technology is already FDA approved.  In fact, astronauts have been using these for years to help monitor vital health indicators.  We can expect the technology to be mainstream for consumers by next year.

For medical applications, this would enable sending real-time data about health conditions and effectiveness of medications directly to your doctor.

For password or authentication applications, the “password pill” can act as a form of strong authentication where YOU become the password, a “something you are” factor.  This provides stronger security than something you know or something you have, both of which can be stolen or misplaced. Read more

7th Stage (Security) of IS growth, Part II

A little background:

Now that you’ve been in the CIO’s position for your first quarter, it is time to prepare for your first review with the board of directors.  The agenda for the IS presentation will cover key factors that you discovered in your operations, your accomplishments and your plans for the next year.  Since this is the quarter for your next year’s budget, it should contain the funding needed to accomplish the IS plan.

One of the key factors in the review of your operations was discovering the lack of security focus and the non-compliance issues that left your network vulnerable to unwanted intrusion.  Listed in your accomplishments is the Security Assessment study and recommendations provided by PathMaker Group when you engaged them for a study of your IS environment.  One of their recommendations was to deploy IBM’s Security products for managing Identity and Application Access in your enterprise network.  This is an important undertaking, as your company will replace the outdated security monitoring with IBM’s Showcase Solution to keep unwanted intruders out while making it easier for authorized users to reach their applications.  As a result of PathMaker Group’s findings and recommendations, you asked them to submit a proposal for the corrective solution using IBM Security Products and PMG Professional Services to deploy them in your IS network.

This section of your review was very well received by the board of directors and they gave you the approval to get started.

Read more

CUNA website attacked and user data exposed

Team GhostShell has released the data acquired through more successful attacks against a wide variety of websites. Victims include the Credit Union National Association (CUNA) and several other companies and government organizations. Initial estimates put the total number of leaked CUNA website usernames and MD5 hashed passwords at around 46,500. Many of the hashed passwords have already been cracked and were included in the release. The data released also included full names and physical addresses as well as individual names tied to phone numbers.

This attack was just the latest example of what can occur when your website has not been tested thoroughly and regularly for SQL injection (SQLi) and other vulnerabilities. SQLi occurs when an application builds a database query by pasting user-supplied input directly into the query text, so that an attacker who finds such an input field can submit SQL of their own and have the backend database execute it. When an attack is successful the effect can be a devastating disclosure of personal information, as happened here. This type of attack has been documented time and time again and remains one of the top vulnerabilities listed in the OWASP Top Ten (https://www.owasp.org/). Any company that maintains sensitive information on individuals should regularly have trusted third-party security firms review the current security status of their websites through penetration tests.
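The following is an added example, not code from the original post or from any of the sites mentioned. It shows the defect that makes SQLi possible: a login lookup built by string formatting beside the same lookup written with bound parameters. The user table, its two rows and the MD5 password storage are constructed for the example (mirroring the MD5 hashes in the dump described above); the function names are the author's own.

```python
"""Added example: SQL injection in a login query, vulnerable form beside the
parameterized fix, run against an in-memory SQLite database."""
import hashlib
import sqlite3


def make_db():
    """Create a constructed users table. Passwords are stored as unsalted MD5,
    as in the breach described above (a bad practice, kept only to mirror it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_md5 TEXT)")
    sample_users = [("alice", "correct horse"), ("bob", "password")]  # constructed
    for user, pw in sample_users:
        digest = hashlib.md5(pw.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, digest))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: the username is pasted straight into the SQL text, so
    characters such as a single quote and '--' are interpreted as SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_md5 = '%s'"
           % (username, digest))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """FIXED: the same lookup with bound parameters. The database driver
    treats the username purely as a value, never as query syntax."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = ? AND pw_md5 = ?"
    return [row[0] for row in conn.execute(sql, (username, digest))]


# A classic payload: closes the quoted string, adds a condition that is always
# true, and comments out the password check that follows.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTION, "anything"))  # every user
    print("safe:      ", login_safe(db, INJECTION, "anything"))        # nobody
    print("safe, real:", login_safe(db, "alice", "correct horse"))     # alice
```

The vulnerable query becomes `... WHERE username = '' OR 1=1 --' AND pw_md5 = '...'`, which matches every row; the parameterized version looks for a user literally named `' OR 1=1 --` and finds none. The same pattern (prepared statements or an ORM that binds values) applies whatever the language or database.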

Best practices recommend that a penetration test be conducted at least annually to ensure the security of your website has not been weakened by changes made since the last test. Many of today’s websites are built on content management systems (CMS) such as WordPress, Drupal and Joomla. The CMS platforms themselves are regularly tested by both users and developers. However, many vulnerabilities found on websites today stem from plug-ins or other add-ons installed on top of the CMS by the site owner, and not all plug-ins are properly tested for security by their developers. We at PathMaker Group have found that even after being notified of a security vulnerability, many customers will not apply a fix for some time, leaving their website open to attack in the meantime.

Another issue that stands out from this latest attack is that users were allowed to set weak, dictionary-based passwords on their accounts. Many of the cracked passwords consisted of a single lowercase word found in any standard English dictionary. This is not a recommended configuration. The system must administratively require user account passwords to be strong. For example, a reasonably strong password should contain at least 12 characters comprised of UPPERcase, lowercase, numb3rs, and $pecial characters. The way the passwords were stored made matters worse: MD5 is a fast hash, so a dictionary of common words can be hashed and compared against a leaked database in seconds, which is why so many of these passwords were cracked so quickly. A salted, deliberately slow password hash (bcrypt, scrypt or PBKDF2) should be used instead. By allowing your users to store weak passwords, you may be allowing attackers authenticated access to your systems. This can lead to a PR nightmare for both you and your client.
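As an added example (not code from the original post), the block below puts the two points of the paragraph above side by side: a policy check of the kind the system should enforce, a dictionary attack that recovers single-word passwords from unsalted MD5 hashes exactly as described, and a salted slow hash that resists the same attack. The wordlist, the sample passwords and the function names are constructed for the example; the slow hash uses PBKDF2 from the Python standard library.

```python
"""Added example: enforcing a password policy, cracking unsalted MD5 hashes
with a dictionary, and storing passwords with a salted, slow hash instead."""
import hashlib
import hmac
import os
import string

# Constructed mini wordlist; a real attacker uses millions of entries.
WORDLIST = ["password", "letmein", "sunshine", "monkey", "credit", "union"]

PBKDF2_ITERATIONS = 200_000  # assumption: tune upward as hardware gets faster


def check_policy(password, min_length=12):
    """Return a list of policy failures; an empty list means the password
    meets the 12-character, four-character-class rule from the text."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password.lower() in WORDLIST:
        failures.append("dictionary word")
    return failures


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash every word once and look it up
    against every leaked hash. Returns {hash: recovered_password}."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The per-user salt defeats the precomputed
    lookup above; the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(),
                                        digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ["sunshine", "Tr0ub4dor&3xample!"]:
        print(repr(pw), "->", check_policy(pw) or "OK")
    leaked = [hashlib.md5(p.encode()).hexdigest()
              for p in ["sunshine", "monkey", "Tr0ub4dor&3xample!"]]  # constructed dump
    print("cracked:", crack_md5(leaked, WORDLIST))  # the two dictionary words
    record = hash_password("sunshine")
    print("verify ok:", verify_password("sunshine", record))
    print("verify bad:", verify_password("monkey", record))
```

Note that the slow hash only raises the cost per guess; a user who still picks "sunshine" will eventually be cracked, which is why the policy check and the hashing choice are both needed.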

PathMaker Group can provide professional security testing of your current security controls including penetration testing of your websites. Talk to us about becoming your partner in defending your most valuable assets. Click the “Contact Us” button on the right to get in touch with a security expert who can assist with your annual security testing and provide guidance on securing your business from outsider attack.

We have not included link to the data exposed by Team GhostShell due to the sensitivity of the included data and respect for those who have been affected.

Update:
CUNA has now confirmed the attack via press release: http://www.cuna.org/newsnow/12/system121012-8.html

Included is a statement from CUNA President/CEO Bill Cheney. “We do not believe any sensitive personal information from our web site was accessed, however, we are contacting all users of our website to advise them of the breach. Further, we will continue to analyze the information posted online by the (hackers) group, as well as continue to validate that no other risks exist. We will also continue to monitor our website and take increased security measures to ensure it is safeguarded.”

Knock Knock. Who’s there? Ivanna. Ivanna who? Ivanna steal your data!

I recently read a story about a vulnerability that was discovered in electronic door locks commonly used in hotels.  The problem centers around a particular popular model of hotel door lock sold to hotels globally. Hackers claim to have discovered that the company left a security port uncovered that allows them to open any of the locks with a universal key of sorts.  The article goes on to say that until this flaw has been fixed it’s more important than ever to go the extra step of securing your door with the deadbolt and chain.

A lot of people will trust that the basic security of their software, operating system or network (the electronic door lock) is good enough.  They won’t bother adding additional security (the deadbolt and chain) and will end up getting their data hacked, in the same way that some hotel guests are going to wake up to find their room cleaned of valuables far more thoroughly than the maid ever cleaned it of dust.

Thieves are counting on people to trust standard security and not do their own due diligence to identify vulnerabilities or provide additional security to deal with these deficiencies.  While the average person has no way to determine if the hotel door lock is secure, they can at least provide another layer of security to prevent a breach and loss of property.

Fortunately for you, Pathmaker Group can review your security system and find vulnerabilities and patch them up before data thieves strike.   They can also provide additional layers of identity and access management to secure application access and prevent unauthorized access, even from those already on the inside.  So don’t delay, you never know who’s knocking on the door…

Got Bot?

The world of malware (literally “bad software”) has some interesting terminology. Botnets and zombie networks sound like they should be different, but they are basically the same thing. The imagery of masses of robots (à la I, Robot) or hordes of zombies from Night of the Living Dead is a surprisingly accurate description. Botnets or zombie nets are collections of computers that have been infected with a specific class of malware and are managed by an external “controller.” Ok, zombie hordes are not easy to manage, but the robot masses are. I’ll use the term botnets to refer to both.

Botnets can be used for many different illegal purposes such as distributed denial of service (DDoS) attacks, mass spam mailings, illegal data collection and more. Like the domestic robots in the movie I, Robot, malware bots establish themselves unobtrusively in your network through the same mechanisms as a virus, worm, Trojan or other malware. In fact, Trojans, malware that masquerades as legitimate software, are often used to distribute bot malware. That “swimwear calendar” program you downloaded may look nice, but underneath there may be some malware silently doing bad things to your computer. Read more

7th Phase of growth – Security of the enterprise’s IT/IS Investment

So congratulations, you were just named Chief Information Officer of your company and have moved into your new office.  Looking through the top desk drawer you find a note with three sealed envelopes attached.  The note says: when you have your first major crisis, open envelope one; for the second, open envelope two; and for the third, open envelope three.  Being the type “A” personality, the one that got you here, you decide to open all three now.  The first one says: this is your first crisis, blame it on me, your predecessor.  The second one says: this crisis is yours and you will need a plan to solve it.  The third one says “Oops”: prepare three envelopes and leave them in the top drawer for your successor.

At this point, being a type “A”, you decide that you are going with envelope two and throw away the other ones.  Your first step is to evaluate your staff and their capabilities.  Looking at their performance records you can learn some of the basics, but you will not be satisfied with just that limited amount of information.  You know about Maslow’s hierarchy of needs.  Although this was explained in a paper by Abraham Maslow in 1943, it still applies today.  The phases are: (1) Physiological (breathing, food, water, sleep, etc.); (2) Safety (security of body, employment, resources, morality, the family, health, property, etc.); (3) Belonging (friendship, acceptance by the group, social needs, sense of belonging); (4) Esteem (self-esteem, confidence, achievement, respect of others, respect by others); (5) Self-actualization (morality, creativity, spontaneity, problem solving, acceptance of facts).  You are aware that self-actualization is the goal; studies show that only about 2% of people are performing at this level.  As people move up the hierarchy, if a need lower down suddenly goes unmet, a person will revert back to that level (i.e. if someone is working at the self-actualization level and can’t breathe, or is threatened physically, he would abruptly revert to the Physiological or Safety level). Read more

Strengthening the Authentication of Your Users

They say a chain is only as strong as its weakest link.  In the world of IT systems, you don’t want that weak link to be user authentication.  Once a hacker gains access to a system as a valid (potentially high-level) user, the amount of damage they can do is essentially unlimited.  There are different ways to validate a user’s identity, and they offer different levels of security.  Using the three little pigs as an analogy, let’s take a look at the options:

1) The straw house – This is what we call single-factor authentication.  It involves just one thing you know or have.  An example from physical security is a badge that is tapped on a door reader to gain access.  If someone gets hold of the badge, that’s all they need to walk into the building.  The IT-world equivalent is the familiar user ID and password.  It’s what the majority of users rely on to gain access to their computer’s OS and applications.  This has the potential to be fairly secure, but often isn’t, due to poor password choice.  Users frequently pick passwords that are easy for them to remember, which means they are also easy for hackers to crack.  Once they know the password, they have total access to the system or application.  Read more

Developing Useful Information Security Policies

Going through the process of developing a set of policies for your workplace is a must once your organization reaches a certain point of growth. Many companies operate for years without taking the time to develop a standard set of information security policies. We have started to see an uptick in the number of organizations budgeting time for policy development, testing, and implementation as a result of the various regulatory requirements their business may be subject to. I want to take a moment of your time to cover some areas I recommend you think about as you go through the process of putting together the necessary policies for your organization. Read more