The ultimate cybersecurity checklist for your workforce


Computer Fraud & Security, September 2007

WAR & PEACE IN CYBERSPACE

Law Enforcement Act”, specifically in regard to J-STD-025B where it covers CDMA2000 packet data wireless services. The aim was to address issues with technical deficiencies in the standard in respect of time stamping for forensic events, packet information to be made available to LEAs, location information for interception of wireless communication, as well as secure transfer of information between the CSP and LEAs. If you consider the US on its own, investigators already have to deal with four time zones, hence the requirement for more accurate time stamping for LEA analysis of intercepted IRI, call data and CC. It is vital for content to be linked to time stamping for correlation and accurate analysis. In terms of location technology for mobile phones, there is a clear call for the information to include both the location at the start of the call and at the end of the call, as the target is likely to have moved during the call. It is also very likely that further petitions will be filed in the US, with similar moves in other jurisdictions.

References
• www.SS8.com
• http://blog.tmcnet.com/lawful-intercept/doj-files-deficiency-petition-with-fcc-over-jstdo25b.asp
• www.endace.com
• http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-baloo.pdf

Recommended industry event
ISS World, organised by Telestrategies: http://www.telestrategies.com/ISS_SPR07/agenda.htm

About the author
Mathieu Gorge is the Managing Director of IT security consultancy – Vigitrust – in Ireland.

The ultimate cybersecurity checklist for your workforce
Dario Forte and Richard Power

Columnists Richard Power and Dario Forte present seven simple tips to get security awareness through to employees. They advocate merging online security tips for the home with work best practice. This way, employees begin to see it as a lifestyle change.

“Auditors from the US Treasury Inspector General for Tax Administration Office (TIGTA) conducted a test in which they telephoned employees and contractors at the IRS and, pretending to be IRS help-desk workers, asked them to provide their usernames and temporarily change their passwords to new suggestions. Sixty percent of those telephoned complied with the request. A similar test in 2004 netted just 35% and in 2001, 71% changed their passwords. That test prompted “corrective actions” designed to increase awareness of social engineering tactics. The most recent test involved 102 employees. Just eight of the people who received phone calls responded appropriately by “contacting either the audit team, the TIGTA Office of Investigators, or the IRS computer security organization to validate [the] test as being part of an official TIGTA audit.” Sixty Percent of IRS Employees Succumb to Social Engineering (SANS News Digest, 8 July 2007).

Don’t deceive yourself into thinking this report on IRS vulnerability to such engineering attacks is indicative only of the state of government bureaucracy, and that somehow the private sector is better at thwarting such attacks. The illusion that big business runs more efficiently than big government, particularly in regard to security, is only kept alive because big business exercises tight control over all

information about its internal security, whereas big government is compelled to release such information, especially when the news is bad. The TIGTA report on IRS employee willingness to cough up user IDs and passwords during social engineering attacks is deplorable, but the work forces of many if not most big corporations would not fare much better. The only difference is that such testing results for private sector entities will not show up in the headlines. Furthermore, that’s not the only bad news coming from the IRS. “According to the Treasury Inspector General for Tax Administration (TIGTA), US taxpayers’ personal information is at risk because managers and employees within the Internal Revenue Service (IRS) are not complying with security policies and procedures. Despite the IRS losing at least 490 computers with sensitive data between 2003 and 2006, employees were still found not to be encrypting personally identifiable information on their laptops and disregarding email policy. In addition, systems were found neither to have been hardened nor to have had the default passwords changed. The report calls for IRS executives to hold managers and staff accountable for their actions.” (SANS News Digest, 15 August 2007)

Lack of serious, effective security awareness and education, both in regard to social engineering in particular and information security in general, is a chronic problem. Why? Awareness and education is economical. Even if you develop a robust programme, you are still not going to spend much more than two or three dollars a year per employee. And if it is done right - i.e. if it is current, topical, hip, psychologically clever, and customised to be relevant to the business environment of the work force – awareness and education can mitigate risks. These especially include:
• Social engineering.
• Laptop theft.
• Malicious programs.
• Piracy.
• Inappropriate online behaviour.
• Inadvertent exposure of confidential information, etc.

So why isn’t more invested in security awareness and education, and why isn’t it used more effectively? Part of the answer is simply the pervasive penny-wise, pound-foolish attitude about cybersecurity. But the rest of the answer is subtler, and more complex: although corporations and government agencies haven’t invested a lot in cybersecurity (at least not commensurate to the risks posed), they have invested a great deal in living and working in denial, and entities whose approach to security risks is predicated on denial don’t really want awakened, empowered work forces. Such bodies of budding cyber warriors tend to raise questions like: “Hey, how come our laptops are not encrypted?” and/or “How come you are still using the last four digits of my social security number as my employee ID number, and require me to write it on the envelope containing my expense receipts?”

Ultimate cybersecurity checklist for your workforce

Well, we have written about these issues before, both in regard to social engineering (Social engineering: attacks have evolved, but countermeasures have not, October 2006) and security awareness and education (Case study: a bold, new approach to awareness and education, and how it met an ignoble fate, May 2006), and no doubt we will have reason to address these subjects again and again. But for this issue, both in honour of the US Treasury Department’s candor, and in discreet confirmation of similarly egregious vulnerabilities not only across government agencies but also throughout the private sector, whether you work in Europe, the Middle East and Africa, or Asia Pacific, or the Americas, we offer this “ultimate cybersecurity checklist for your workforce.” It is what we have adapted and used for our work with various global organizations, and we urge you to adapt it, use it and disseminate it within your organizations. It is a powerful tool and teaching device. It is designed to turn the user on to the truth that cybersecurity at home and in the work place are one and the same, and that what you do for the organization you should also do for yourself, and vice versa. The concept is that if you get them turned on to cybersecurity in their personal life, you will have increased their level of attention, knowledge and engagement in cybersecurity for the work place. The concept is effective! This “ultimate cybersecurity checklist for your workforce” is organized into seven sections:
• Password security.
• Home PC security.
• Email security.
• Child safety online.
• Social engineering.
• Identity theft.
• Road warrior security.

No, it is not 100% complete, either in its categories or within each category; it is not meant to be. It is meant to convey a message to your workforce: cybersecurity is no joke, and if you do not take it seriously you could lose your job, your financial good name or even a loved one. It is open-ended, so that you can add to it or subtract from it, and so that you can publish it as a whole or socialise each section individually. Enjoy. Adapt it, use it.

Password security

Whether you’re working on your home computer or your office computer, password security remains the most basic concern. Although password security will not protect you, or your family, or your organization from determined, sophisticated attackers, it will thwart low-life and petty criminals, and it will force the professionals to use more serious methods of attack.
• Do not share your password-controlled access to any system.
• Do not disclose your passwords to anyone.
• If you cannot avoid writing them down (because they are too numerous), you must conceal their hiding place and secure them as well as you would secure a stash of cash or jewellery.
• Change your password frequently (e.g., every 60 days or less).
• Do not enable the “save your ID and password” feature on any applications (yes, it will save you time, but it will also save time for any cybercriminal who gets hold of your system).
• Create strong passwords, i.e. passwords of at least seven characters, including a mix of numbers, letters and special characters in some combination that is both easy to remember and hard to guess; e.g. take a phrase like “pearls before swine” and turn it into “pearlsB4sw!ne” by replacing “before” with “B4” and the “i” in “swine” with an exclamation point – easy to remember, hard to guess.
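As an added example (not from the article or its authors), the Python below implements the strong-password rule stated above and the phrase-mutation mnemonic the article illustrates: it builds a candidate from a memorable phrase and then reports which of the stated criteria it fails. The function names and the substitution tables are assumptions made here; the tables are seeded only with the article's two substitutions ("before" to "B4", "i" to "!").

```python
import re
from typing import Dict, List, Optional

# The article's criteria: at least seven characters, mixing letters,
# numbers and special characters in a memorable combination.
MIN_LENGTH = 7

# Substitution tables for the article's mnemonic trick. Only the two swaps
# the article uses are included; a reader can pass their own tables.
WORD_SUBSTITUTIONS: Dict[str, str] = {"before": "B4"}
CHAR_SUBSTITUTIONS: Dict[str, str] = {"i": "!"}


def password_from_phrase(phrase: str,
                         words: Optional[Dict[str, str]] = None,
                         chars: Optional[Dict[str, str]] = None) -> str:
    """Turn a memorable phrase into a password the way the article does.

    Whole words are swapped first (e.g. "before" -> "B4"), then single
    characters inside the remaining words (e.g. "i" -> "!"), and finally
    the spaces are dropped. The defaults reproduce the article's example:
    "pearls before swine" -> "pearlsB4sw!ne".
    """
    words = WORD_SUBSTITUTIONS if words is None else words
    chars = CHAR_SUBSTITUTIONS if chars is None else chars
    parts: List[str] = []
    for word in phrase.split():
        if word in words:
            parts.append(words[word])          # whole-word swap
        else:
            parts.append("".join(chars.get(c, c) for c in word))  # char swap
    return "".join(parts)


def check_password(password: str) -> List[str]:
    """Return the list of the article's criteria that `password` fails.

    An empty list means every stated criterion is satisfied. The check is
    deliberately limited to what the article states; it says nothing about
    whether the password is reused or has been exposed elsewhere.
    """
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letters")
    if not re.search(r"[0-9]", password):
        failures.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special characters")
    return failures


if __name__ == "__main__":
    # The article's own example passes; the untransformed phrase and a
    # constructed digits-only value fail for the reasons printed.
    candidate = password_from_phrase("pearls before swine")
    print(candidate, check_password(candidate) or "meets all criteria")
    for weak in ("pearls", "pearlsbeforeswine", "1234567!"):
        print(weak, check_password(weak))
```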

Home PC security

The days when all you needed to secure your home PC was to install anti-virus software and maintain regular and efficient back-ups of your system are long gone. Now, even if you buy a computer that comes fully loaded with “security features,” or purchase a suite of integrated security programs, you are going to have to know more and be more proactive than you ever had to before.
• Install anti-virus software (AV), and keep it updated.
• Download and install security patches and upgrades for operating systems, applications, etc.
• Install a personal firewall, and keep it updated.
• Create strong passwords.
• Back up your system regularly and thoroughly.
• Do not violate software or music copyright or license agreements.
• Be wary of Internet hoaxes, fraudulent websites and email scams, etc.

If you are diligent about these countermeasures, you will significantly reduce your exposure to the countless threats that relentlessly bombard all online systems great and small.

Email security
• Delete all hoax messages, spam, online scams, chain letters, etc., including anything unsolicited or out of the ordinary, especially if you are asked to offer up information about your personal finances or about your work.
• Do not respond to them under any circumstances.
• Do not click on the links contained in such emails. Don’t worry – if your bank wanted to get in touch with you about the security of your account, it would not email you. And when was the last time anyone you know won several hundred thousand euros in a lottery they didn’t enter?
• Do not simply click on an email attachment you are not expecting, do not recognise or cannot verify, especially if it is from someone you do not know. Even if it seems to be from someone you know, it could be the result of a worm or virus exploiting that person’s email address book. Yes, we know, this is frustrating and weird, but it is the truth. If you get a birthday card from a friend and it isn’t your birthday, or you get a file that is supposed to contain a nude photo of Paris Hilton but it arrives in an email message that presents itself as being from your mother-in-law, be suspicious.

Password security is, as mentioned above, important in general, but email password security is particularly important. Unless, of course, you want people snooping in your inbox, or worse yet forging email in your name to your boss, or your husband, or your local constabulary. And do not make your password security measures meaningless by walking away from your computer while you are still logged on to your email account.

Perhaps most importantly, do not send any email message that you would feel uncomfortable about reading in the newspapers sometime in the future. If an incoming email, or other stimulus, has upset you or aroused you, take a breath, and revisit the correspondence later. Remember, if your email is unencrypted, and most of it still is, you are essentially passing a postcard along a long chain of people, and anywhere along the way one of them could glance down and have a peek at that postcard. (We know you will break this rule, all of us do, but at least keep it in mind. And be much more rigorous about the following one.) Oh yes, and always take a hard look at the “TO:” and “CC:” fields before you hit the send button. Outlook and other email applications are getting very helpful, but they are helpful to a fault, and you can easily end up sending a confidential message to the wrong people.

Child safety in cyberspace

Nothing is more primal than the need to protect our children. Arguably, nothing is more important in this age than giving children the opportunity to get a head start online. And it is beyond dispute that, short of leaving a child alone on the streets of a city in the dark of night, nothing is more dangerous. Here are some suggestions to take advantage of the opportunity while mitigating the risk.

Unfortunately, today, the television is often used as a nanny. Although this is damaging to children if allowed to get out of hand, it is not overtly dangerous. TVs don’t interact in real time, TVs don’t ask questions that are inappropriate or too personal, TVs do not allow someone else to actively and freely enter your child’s room or their psyche. Do not use the Internet in the same way as you may be tempted to use the TV, i.e. do not park your child at the computer, log them into the Internet and let them dwell there unsupervised for long periods of time.

You need to do due diligence on the content of your child’s online experience. Just as you would take a look at the books, DVDs or games your child might want to get their hands on and their mind into, you need to scout out sites, services and activities that are appropriate, engaging and healthy for their ages. Audit your child’s online activity. You would not allow them to go unescorted, untracked or unreachable in your own city, so why would you let them explore the wilds of cyberspace without inquiring into their whereabouts, retracing their footsteps and reviewing their downloads, etc.? Keep an open dialogue going with your children about their online acquaintances. You want to know who your children are associating with on their way home from school, and you want to know the parents of children who invite them over to play; likewise, you need to inquire into who their online friends are and what kinds of activities they engage in.
• Sit your children down and let them know about the dangers.
• Drill them not to disclose any personal information (e.g. full name, address, phone number, etc.) to an online acquaintance from a chat room.
• Drill them never to meet such a person.
• Do not allow your children to physically meet someone they have contacted in a chat room without going with them.
• Make it easy for them to confide in you immediately if anything strange, scary or upsetting happens to them online.
• Share your child’s email account with them, so that you can monitor the traffic.
• Keep an eye on the browser records; be especially suspicious if your child has figured out how to “clear history.”
• Use Internet content filtering software, but do not rely on it solely; stay involved, as it is not 100% effective.

The older your child gets, the more complicated the effort to protect them may become: teenagers need and deserve privacy, but this privacy puts them at even greater risk. Before you get there, inculcate sound security awareness and education principles in them, just as you would teach them how to swim or drive safely.

How to thwart social engineering attacks

Social engineering, the practice of getting you to give up sensitive information that you should not share with unauthorised people (and would not share with them if they came to you without deceit), is a form of attack that all of us are vulnerable to, both at home and in the work place. Some social engineering attacks are grounded in technology, i.e. they come to you as email messages or present themselves to you as a seemingly familiar or disarming website. Other social engineering attacks are grounded in human-to-human cons, i.e. someone calls you on the phone, or even shows up at your cubicle in a stolen uniform or with a phoney business card. Maybe they are looking for passwords, maybe they are looking for financial information, maybe they are looking for trade secrets. It really doesn’t matter. What matters is that you follow these hard and fast rules to thwart such activity:
• Learn to recognise such attacks. Social engineers will play on your emotions, e.g. with intimidation or flattery. They will usually be in a hurry. They will name drop.
• Always verify the identity of callers if they are not immediately known to you.
• Never provide information in response to requests that are out of the ordinary or unanticipated, unless you can identify the caller and somehow confirm that his or her need is legitimate.
• If you feel you might have just encountered a social engineering attack, do not just shake it off and go back to your work: write down as much as you can remember of the incident, and then inform the appropriate person within your organization immediately. You will very likely find it is not an isolated event.

How to fight identity theft

Someone once asked one of us, during a question and answer session at a presentation, what is the best way to thwart identity theft. The answer? “Well, the surest way is having bad credit.” But, of course, none of us wants to go there, and if we are there, we do not want to stay there. Here are a few ways to mitigate the threat:
• Run regular credit reports on yourself (e.g. on a quarterly basis). Look for anomalies, and follow up on them immediately.
• Do not give in to scams. If you follow our recommendations vis-à-vis email security and thwarting social engineering attacks of all kinds, you will limit a lot of your potential exposure.
• Do not underestimate physical security precautions: e.g., keep vital documents, like your passport, your social security card, your birth certificate, etc., in a locked (and fireproof) box; shred any documents that contain financial information if you do not have to hold on to them, and shred them when their retention period expires.
• Again, just as with the email security and social engineering suggestions, if you follow our guidelines for home PC security, your financial information will not be so easy to hack into online.
• If you lose your wallet or your purse, or some vital document like your driver’s license or your passport, act pronto. Inform the appropriate authorities, including law enforcement, immediately. To this end, keep a list of the emergency numbers to reach the relevant institutions, agencies and services. This will help you minimise your stress level and compress the arc of time if something bad happens.

Road warrior security
• Use the power-on password features for your laptop, PDA, cell phone, etc.
• Adhere to the password security checklist above; in particular, create strong passwords, and turn off any “save password” features, so you do not facilitate access for anyone who steals or happens upon your laptop, PDA or cell phone.
• Always use a cable lock, at a minimum, to secure your laptop to an unmovable piece of furniture or other fixed object.
• Never leave your laptop, PDA or cell phone switched on and unattended.
• Never leave your PDA connected to your laptop, or other computer, without its password-protected screen saver/lock being activated.
• Your laptop, PDA and cell phone should all have up-to-date anti-virus software installed, and you should understand how it is kept updated and what you have to do, e.g. log into your organization’s main network or a vendor’s support site, to keep it updated while you are on the road.
• Do not fall into the bad habit of storing sensitive information on your PDA, unless the device is encrypted.
• Likewise, if possible, permissible, and provided for within your organization, encrypt the hard disk of your laptop.
• Turn off wireless, Bluetooth and other such functionalities when not using them.
• Limit the kind of online business activities you conduct in hotel business centres and cyber cafes. Keep such communications to a minimum. Do not expose sensitive information in such environments, and do not download proprietary documents to such systems.
• Be aware of what people can see over your shoulder on a flight or in an airport lounge, and ask yourself if any confidential information, or other intellectual property, is vulnerable to exposure.
• Be wary of what people can hear while you are on your cell phone in a public place, and ask yourself if any confidential information, or other intellectual property, is vulnerable to being overheard.
• Back up your laptop and PDA before you take off for the road, and put that backup in a secure location.
• Back up your laptop and PDA during your road trip, and store the media (e.g. removable hard disk or flash stick) securely, but in a different piece of luggage or clothing than the one that carries your laptop or PDA.

About the authors
Richard Power (www.wordsofpower.net) is an internationally recognized authority on cybercrime, terrorism, espionage, and so on. He speaks and consults worldwide. Power created the CSI/FBI Survey and his book Tangled Web is considered a must. Dario Forte (www.dflabs.com) is one of the world’s leading experts on Incident Management and Digital Forensics. A former Police Officer, he was a keynote speaker at the BlackHat conference and a lecturer at many worldwide recognized conferences. He’s also Professor at Milan University at Crema.

Mamma Mia! – here we go again
Calum Macleod

Calum Macleod looks at how to prevent double-crossing employees from embarrassing your organization.

Here we go again. If the news is to be believed, it seems that an employee at Ferrari just could not resist it and helped himself to a few secrets. Not only that, but reports say an employee at a competitor couldn’t resist the temptation when offered the chance to gain some inside information. After all, who in their right mind could resist the temptation of getting the inside gossip? We’re all curious and live in a world where we daily try to steal a lead on our competitors, and every little bit of information helps. So there we have it, and a court battle ensues between McLaren and Ferrari! One may wonder if Ferrari chiefs have ever read a CERT report. After all, CERT revealed late last year through a study that sabotage was frequently carried out by disgruntled employees who had been passed over for promotion, and who had privileged access to information. This particularly applies in the IT world. It appears from what Ferrari is saying that its employee became rather agitated after he wasn’t promoted to a senior position after his old boss left. Apparently his behaviour, according to his employers, was not exactly ideal. As an “armchair” sometimes fan of Formula One (F1), I think that it’s fair to say that it’s highly unlikely, given the firms’ rather extensive use of IT in everything they do, that the information that was allegedly “relocated” just happened to be lying around in some hand-written notes. The ability to help oneself to highly sensitive and valuable, confidential information has never been as easy as it is today because virtually all that information is in digital format – in data files on servers. And whether the allegations against the employee are right or wrong in this case, it does not change the fact that organizations are playing a dangerous game when they underestimate the risk posed by the disgruntled insider determined to wreak havoc, or the insider who is just simply a bumbling idiot who is an accident waiting to happen.

Sensitive information requires extra care. Just as you would not leave your valuables lying around in the garage, sensitive information requires a different management approach. When sensitive information is compromised, the implications for the organization can be catastrophic – like not winning, maybe. Access to and distribution of sensitive information such as financial reports, clinical trial results, technical designs, etc. is something that many organizations have not addressed adequately. Data must be secure and tracked, privacy should be maintained, and strict auditing should be applied. Information leaks in all forms are occurring with increasing frequency today within