Russian security firm Kaspersky has just released details of an elaborate, multi-year, multi-country heist that netted hundreds of millions of dollars for the group orchestrating it. Rather than a series of spectacularly violent bank robberies, this campaign played out quietly and slowly on the technology infrastructure of over 100 financial institutions in 30 countries. Unfortunately for us, Kaspersky and the banking industry are keeping specific names out of the public spotlight, as expected: the organizations involved don’t want to damage their reputations, and authorities typically refuse to comment on ongoing investigations. How did the criminals gain such unprecedented access? Simple malware campaigns targeting employees and officials, which eventually led to a fully compromised infrastructure that allowed the criminals to quietly funnel away millions and leave very few traces behind.
What this means for you:
It may sound a bit clichéd to trot out the saying, “There are two types of companies: ones that have been hacked, and ones that have been hacked and don’t know it,” but in this case the criminals were able to steal vast amounts of money by staying well under the radar, an approach that is directly at odds with the disruptive, in-your-face style of malware and hacking most people have encountered. By lurking quietly in the background, the criminals gained complete familiarity with organizational procedures and employee habits, allowing them to digitally impersonate privileged officials and processes and move money around and out of the organization with impunity. Without a smoking gun, shell casings, fingerprints or DNA evidence, the only trail authorities could follow was the money, and that trail was obfuscated by digital sleight-of-hand and spoofed internet addresses. Even if your organization is never targeted for this kind of heist, there are many other types of data cybercriminals value, and it’s in their best interest not to get caught. Don’t look only for the obvious malware symptoms; those types of attacks are analogous to vandalism and random, impersonal pollution. The real cyberattack you need to worry about is the one you can’t see.
If you didn’t hear it on the news, you probably got an email from Anthem letting you know that your personal information was exposed in a massive data breach that affects over 80 million people served by the medical insurer. According to the website Anthem set up to address the breach, no medical records or credit card information were stolen (that they know of), which is a faint blessing in the face of what was stolen: names, addresses, birthdates, Social Security numbers, phone numbers, email addresses and employment history. In other words, everything a thief needs to steal your identity.
What this means for you:
As with other large data breaches before it, there’s not a darn thing you could have done to protect yourself from the attack. If you happen not to be a current or former Anthem-covered individual, it’s likely your information was stolen previously in one of the numerous other breaches from last year. Anthem will be offering free credit monitoring to all affected individuals, something that is going to sting their deep pockets significantly, but will do little good in the long term. Why? Well, unlike credit card numbers, addresses or phone numbers, 80 million people aren’t going to change their names, dates of birth or Social Security numbers. Identity thieves can simply outwait the one year of monitoring (still unconfirmed; one year is my guess) that Anthem will provide. You can bet a large number of people won’t continue that service on their own dime, but you might want to consider factoring this type of fee permanently into your annual budget, or at least until someone figures out how to secure our identities and credit better.
From a business standpoint, Anthem’s plight illustrates an important lesson. Though current legislation recommends that this sort of data be encrypted, it is not a requirement. Shouldn’t Anthem have taken the extra step to protect your data? Does the government need to mandate common sense and best practice? Will Anthem’s current nightmare convince you to enforce stricter security practices in your own work and personal life? I don’t think you need me to tell you that if you want a prosperous and sustainable business, protecting your sensitive data is no longer a recommendation; it’s a requirement.
Like the predictable “tick-tock” of a clock, reports are coming in of an infection spreading rapidly through Facebook via a fake Flash update. The “tick” in this case was last week’s report of a zero-day Flash vulnerability and the subsequent legitimate update of the Adobe Flash plug-in. Not wanting to miss an opportunity, cybercriminals have released the “tock”: a video on Facebook that tricks clickers into installing a set of malware that can take complete control of the victim’s computer. Over 100,000 people have fallen for this scam, which is only two days old as of this writing.
What this means for you:
If you see a pop-up warning that software on your computer may be out of date, it may be legitimate, and it may not be. With Adobe Flash, it’s very easy to check by going to Adobe’s own Flash website, http://helpx.adobe.com/flash-player.html, rather than clicking whatever the warning offers. Also be wary of where the update warning came from, such as a dodgy link on Facebook or in an email: double-check it against a legitimate source. Not sure what that source might be? Your trusted IT professional is only a quick call away. Spending five more minutes to vet that update warning is certainly worth avoiding a malware infection, right?
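As an added example (not from the original post) of that “double-check the source” step, here is a small Python check that decides whether an update link really points at a vendor’s own site. The allowlisted domain adobe.com and the sample links are assumptions constructed for illustration; the only address taken from the post is helpx.adobe.com.

```python
"""Added example, not from the original post: is an "update" link really on
the vendor's own site?

The allowlist below is an assumption for illustration (adobe.com, since the
post concerns Flash); the sample links are constructed, and the .example
domains are reserved names that resolve nowhere."""
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains whose subdomains we trust for updates.
TRUSTED_DOMAINS = {"adobe.com"}


def update_source_is_trusted(url: str) -> bool:
    """Return True only if the link's host is a trusted domain or a subdomain of one.

    Parsing the host properly, instead of searching for "adobe.com" anywhere in
    the string, defeats the usual tricks: the trusted name hidden in the path,
    tucked into the userinfo before "@", or used as a prefix of a lookalike
    domain such as adobe.com.flash-update.example.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links paired with the verdict we expect for each.
SAMPLE_LINKS = {
    "http://helpx.adobe.com/flash-player.html": True,          # from the post
    "https://get.adobe.com/flashplayer/": True,                 # assumed real host
    "http://adobe.com.flash-update.example/install": False,     # lookalike suffix
    "http://helpx.adobe.com@flash-update.example/": False,      # userinfo trick
    "http://flash-update.example/adobe.com/update.exe": False,  # name in the path
    "http://notadobe.com/": False,                              # prefix lookalike
    "javascript:alert(1)": False,                               # not a web link
}


def check_samples() -> dict:
    """Run every sample link through the check and return the verdicts."""
    return {url: update_source_is_trusted(url) for url in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, trusted in check_samples().items():
        print(f"{'TRUSTED' if trusted else 'SUSPECT'}  {url}")
```

The check is deliberately narrow: a link on a trusted host tells you only that the download would come from the vendor’s own site, not that the dialog that pointed you there was genuine, and a fake update prompt may show no URL at all. When in doubt, type the vendor’s address yourself instead of clicking.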
Microsoft has announced that Windows 10 will be free for users upgrading from Windows 7 and 8. There is an asterisk behind that statement, however, and depending on your world-view it’s a big one. First off, it won’t be free forever, only for a year after its release. It’s not clear what that means if, for example, after upgrading your Windows 7 machine to 10, you need to wipe the hard drive and reinstall. Do you have to reinstall 7 first and then upgrade to 10? Is there a cost if that happens after the initial year has lapsed? Microsoft has also been deliberately vague on what this means for enterprises and organizations with large installations of 7 or 8. Do they get it for free?
What this means for you:
Some experienced industry analysts predict that there will probably be a different “flavor” for the corporate world, especially since Windows 10 will come hard-wired with Microsoft’s new “Windows as a Service” update/upgrade model, in which improvements and fixes arrive at a more rapid pace than most IT organizations have traditionally been willing to follow and, in Microsoft’s words, “versions will no longer matter.” While this might sound like music to the average consumer’s ears, trends like this are rarely viewed favorably in tightly controlled IT environments, especially when it means maintaining compatibility with legacy apps and systems. Microsoft is still fuzzy on when Windows 10 will arrive; “later this year” is the current expectation, but you can bet that most large enterprises and organizations will forgo an immediate upgrade, as they have traditionally done for previous iterations of Windows. If you want to see Windows 10 right away there is a preview build, which is still in very early development, but unless you are a stalwart early adopter who understands the pitfalls that lie ahead, I’d recommend waiting until it’s officially released. You can also watch Microsoft’s 2+ hour presentation on the latest build of Windows 10 online.
Adobe has confirmed that a recently discovered vulnerability in the current version of Flash for Windows, Macintosh and Linux is being actively exploited on the internet. Adobe is planning to release a patch the week of January 26th, but did not confirm a specific date. Though security vulnerabilities are nothing new to Flash, this particular hole is being exploited by a well-known and widely distributed exploit “kit” called Angler, which could mean a rapid spread of compromised websites and a large spike in malware infections. Once the exploit has gained a foothold on a victim’s computer, the machine can be handed to any number of malicious programs: key loggers, remote-access trojans (RATs), ransomware, and good old-fashioned zombification into a botnet.
What this means for you:
According to Adobe’s own advisory, pretty much everyone is affected by this vulnerability, though some reports suggest that Windows 8.1 and Chrome users may be safe for the moment; that observation is based only on the version of the Angler kit currently in distribution. The actual security hole exists in every version of Flash on all OS platforms. The easiest way to protect yourself is to disable Flash altogether until the patch is out. For all browsers except Chrome, it is usually a matter of disabling the plug-in in the browser’s add-ons or plug-ins settings (or setting it to click-to-play, if your browser offers that). For Chrome, type “chrome://plugins/” into your address bar to reach the hidden internal plug-ins page, where you can disable Chrome’s bundled copy of Flash. Aside from keeping your browser’s “head” down until the storm passes, make sure your antimalware software is functioning properly and updated, and avoid any strange links you receive over the coming week.
Laptops and cellphones were once the sole domain of high-powered business executives, but thanks to the proliferation of high-speed internet and falling hardware prices, they are pervasive not only in professional environments but in just about every walk of life. As you can probably guess, this also means a vastly expanded attack surface for cybercriminals, who are no longer focusing on traditional targets. Anyone with a bank account or credit history is a potential victim, and younger targets can be exposed to dangerous privacy invasions. Rather than enumerate the various ways in which your security and safety could be violated (we all have enough nightmares as it is), I’d like to focus on some positive actions you can take to make your mobile, digital life safer and more secure.
- Password protect your devices.
Even the most careful professional will misplace a mobile device on occasion. While a password won’t stop a determined attacker, it will keep most everyone else out until the device can be recovered or remotely wiped. Laptops normally do not have remote-wipe capabilities, so don’t stop at just a password for protecting them.
- Use built-in apps, or purchase location-tracking software.
Late-model Android and iOS devices have location tracking and recovery capabilities built in, but they must be enabled. You can add location tracking or a “phone-home” program to your laptop, but the device must be connected to the internet in order to report its location.
- Don’t store sensitive information on mobile devices.
With any portable device, the chance of it falling into the wrong hands is high. If you don’t have an IT department managing your device and controlling what can be stored on it, inventory what is stored there (sensitive client information, photos, personal financial data, passwords) and consider whether that information needs to be on that device at all. If it does, make sure you observe #4.
- Encrypt any storage media.
All late-model Android and iOS devices can encrypt all data stored on the phone. It’s on by default on iPhones (provided you have set a passcode, which is what the encryption is tied to), but must be enabled manually on most Android devices. If you have to store sensitive data on your mobile device, make sure encryption is enabled and working. While it’s not strictly necessary to encrypt your entire laptop hard drive, it is possible, and many financial-services firms require it on their laptops. At minimum, store your sensitive data in an encrypted partition or folder, or on an encrypted thumb drive.
- Back up your data.
Do I even need to qualify this particular practice? Backups should be stored separately from the hardware being backed up. They should be transmitted and stored encrypted if they are internet/cloud based. Run them at least as often as the amount of work you are willing to lose: if you can’t stand to lose an hour’s worth of work, your backups should run hourly. Be aware of the performance hit this may have on your hardware and network bandwidth.
- Hide devices in parked cars or take them with you.
Mobile device theft from parked cars is consistently at the top of all loss categories. Thieves know to target cars coming and going from office parks, universities, airports, and the retail/service businesses near those locations. Before you drive away from your workplace to a happy hour, a quick bite or some grocery shopping, stow your laptop bag in the trunk or hide it in a hard-to-reach part of the car. Don’t do this after you reach your destination, as the thief may already be there, watching for someone to do just that. If you can’t secure or hide it properly, take it with you.
- Add a leash.
If you are highly mobile and work from many locations, it’s easy to misplace your smaller electronics, and sometimes even laptops. Add a colorful leash to your thumb drives so you don’t forget them, and consider the same for your phone if you are prone to misplacing it. If you have to take your laptop bag with you to a place where you don’t plan to use it (because of #6), attach the strap to something you will be using at that location, whether your jacket or purse, or even your leg if you are sitting somewhere with lots of noise or distraction. It’s easy to forget work-related tools when you are focused on non-work activities.
- Be less conspicuous.
In crowded public places, conspicuous use of expensive mobile devices flags you as a target for bold thieves. I’ve talked with victims whose laptops were pulled right out from under their typing hands at a sidewalk cafe or picnic table, and have read numerous reports of smartphones and tablets being grabbed in broad daylight. If you want to work on your device in a busy environment, keep one eye on your surroundings, and position yourself and your device so that they are harder for a fleet-footed thief to snatch.
- Educate your friends and family.
Even if you are cautious and secure, the people around you can undo your careful preparations through carelessness or even well-meaning intent. Be mindful of everyone around you who may not be as technically savvy as you are, and choose carefully how you interact with them via email, social media, and even device sharing. Work laptops are notorious for being infected by family members who don’t share your security concerns. Quieting a young child with your smartphone may seem like a good idea at the time, but maybe there is some other way to entertain them that doesn’t involve your work phone.
- Report thefts/losses immediately.
Eventually, it will happen. Whether the device is stolen, damaged, or infected and compromised, work immediately with the appropriate authorities and professionals to limit the damage, to you and your organization as well as to any customers or clients who might be affected. Don’t wait.
The big headlines have been all about Sony’s security breach and the massive data leak that followed. What you didn’t hear about was how large parts of their technology infrastructure were rendered unusable. Most of their workstations were severely infected and inoperable for at least several days (some for weeks), and a large portion of their network and server infrastructure was compromised. Even if the hardware was functional, everything still had to be taken offline, scrutinized and analyzed for evidence, rebuilt, and finally redeployed. Qualified or not, Sony’s IT department had a gigantic mess to clean up, and they had to do it quickly (and improve security along the way) as the company was hemorrhaging money every minute its operations were offline.
If there is one thing that is certain (besides death and taxes), it is that hardware will fail, and probably at the worst possible time. Why it fails is not important; how you recover from failure is critical and can mean the difference between an inconvenience and a catastrophe. Sony’s disastrous breach is an exception in terms of scale: it’s unlikely every single machine in your company will fail at once, but there’s always the chance that a catastrophe, natural or man-made, will wipe out multiple machines at a time. Preventing this type of event is largely beyond your control. What you can control is how you recover from it, which is a mixture of preparation, training and flexibility.
- Have a current, offsite backup of all your critical data.
The words “offsite” and “current” cannot be emphasized enough. Onsite backups are better than no backups, but if they are destroyed alongside the equipment they were backing up, it’s the same as having no backups. Depending on your business, “current” can mean different things: old data might be better than no data, but it could still mean many hours of lost work to get back to where you were before the loss, and then you have to make up for that lost time. Make sure you are backing up the right data as well. Backing up email that already lives on a server (which is itself being backed up) is a waste of time and money that could be spent backing up your work documents, provided you have confirmed that the server backup really exists and that you can restore from it.
- Understand where your data resides.
Where is your data stored? Where is your email stored? What about your applications? You don’t have to understand the technical details, but you should know whether your data is stored onsite, offsite, in the cloud, or some mixture of the above. More importantly, you should know how to get to it, either from an alternate location and hardware or, in the case of backups, whom to contact to have data restored. If your critical business data resides at a single point of failure (e.g. your laptop hard drive), consider what would happen if you were to lose that laptop or if the drive were to fail.
- Document your infrastructure.
If your business or organization relies heavily on technology-supported processes, rebuilding your infrastructure from scratch could cause serious disruption, especially if it is rebuilt differently, and given the pace of technology advancement, that is almost a guarantee. Older equipment and software may not be replaceable, so plan to replace them on a non-emergency timeline and prepare your employees for the change. At minimum, understand that even if you can get equipment and software quickly, there will still be a ramp-up period while everyone gets acclimated to the new environment. Making changes in a stable, calm environment is a lot less disruptive than doing so in a disaster-recovery situation.
- Train yourself and your employees to be flexible.
While it may not be possible for all jobs and functions (and some businesses), the crux of disaster preparedness (and recovery) is knowing how to get things done with the tools you have at hand. Most folks don’t realize that their email can be reached by methods other than the one or two they use today. The same can be said for accessing organizational data. This is not to say that everyone needs to know exactly how to get it done (technology can be complicated, especially tech that isn’t used regularly), but everyone should be open to doing their jobs differently with alternate tools and methods.
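The “current” and “offsite” advice above, and the hourly backup frequency in the mobile-security post earlier on this page, both come down to two questions you can answer mechanically: is the newest backup younger than the amount of work you are willing to lose, and does it actually restore intact? The following Python script is an added example, not code from the original posts, that answers both for a constructed sample data set. It assumes backups are plain tar archives with a sibling sha256 manifest, a one-hour recovery point objective (RPO), and that encryption in transit and at rest is handled by whatever tool ships the archive offsite; this script does not encrypt anything.

```python
"""Added example, not from the original posts: a backup freshness and
restore-integrity check of the kind the backup advice above asks for.

Assumptions made for illustration: backups are plain tar archives with a
sibling sha256 manifest, the acceptable data loss (RPO) is one hour, and
encryption is handled elsewhere.  All sample files are constructed in a
temporary directory so the example runs offline."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

RPO_SECONDS = 3600  # assumed: we are willing to lose at most an hour of work


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_suffix(".manifest.json")


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Archive every file under `source` and record each file's digest."""
    archive = dest_dir / f"backup-{int(time.time())}.tar"
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(archive: Path, now: Optional[float] = None) -> dict:
    """Report whether a backup is fresh enough and restores intact.

    A backup older than the RPO, or one whose restored files do not match
    the manifest, is not one you can rely on in a disaster.
    """
    now = time.time() if now is None else now
    manifest = json.loads(manifest_path(archive).read_text())
    age = now - archive.stat().st_mtime
    problems = []
    if age > RPO_SECONDS:
        problems.append(f"backup is {age / 3600:.1f}h old, which exceeds the RPO")
    # Actually restore into scratch space and compare digests: an archive
    # that has never been restored is a hope, not a backup.
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the extraction-filter argument
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != digest:
                problems.append(f"corrupted: {rel}")
    return {"archive": archive.name, "age_seconds": age,
            "files": len(manifest), "ok": not problems, "problems": problems}


def demo() -> dict:
    """Back up a constructed data set, then check a fresh, a stale and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        data, offsite = Path(tmp) / "work", Path(tmp) / "offsite"
        (data / "clients").mkdir(parents=True)
        offsite.mkdir()
        (data / "notes.txt").write_text("constructed sample data\n")
        (data / "clients" / "acme.csv").write_text("id,name\n1,ACME Corp\n")
        archive = make_backup(data, offsite)
        fresh = verify_backup(archive)
        # The same archive judged a day later: still intact, but past the RPO.
        stale = verify_backup(archive, now=time.time() + 86400)
        # Flip one byte inside a member's data to simulate media corruption.
        with tarfile.open(archive) as tar:
            offset = tar.getmember("clients/acme.csv").offset_data
        raw = bytearray(archive.read_bytes())
        raw[offset] ^= 0xFF
        archive.write_bytes(raw)
        corrupt = verify_backup(archive)
        return {"fresh": fresh, "stale": stale, "corrupt": corrupt}


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label}: {'OK' if report['ok'] else 'FAIL'} {report['problems']}")
```

Run on a real backup location, the useful part is the restore: tar will happily extract the damaged archive without complaint, and only the manifest comparison reveals that one file came back wrong. Schedule the check at the same cadence as the backups themselves, and treat a stale or failing report as an outage, not a warning.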
Whether your company relies on racks of equipment or a single laptop, all of the above applies. Catastrophes come in all shapes and sizes, but hardware failure is always a disaster when you are ill-prepared.
As many of you know, one of my specialties is framing complex technology concepts in more simple, human-relatable terms. When people have a better understanding of the tools they use, they have a tendency to use them more efficiently, effectively and to take better care of them. A thoughtful article in the Atlantic written by security guru Bruce Schneier got me thinking about cyber security and the internet in a new way.
Cyber attacks are something most people only comprehend at a conceptual level, but even high-profile victims and their big-budget investigations struggle to really understand what actually happened. In the case of the Sony attack, even the experts are still debating who was behind the attack, and it’s a definite possibility that we may never find out. As Schneier deftly points out, with physical attacks (criminal and political) there is usually a trail of evidence and witnesses that allow us to identify the weapons and attackers as well as motives.
Unfortunately, modern technology and the internet have made it possible to perpetrate large-scale, damaging attacks that are difficult to see (even while they are underway), vexingly hard to counteract, and sometimes impossible to trace back to the aggressor. In the case of Sony, does it even matter who was behind the attack? Would they retaliate? How? For those of us suffering under a never-ending tide of smaller malware attacks, held back by only the thinnest veneer of defenses, there is no one person to arrest, group to disband or government to disrupt that will stop the onslaught. It’s largely anonymous, amorphous, and dangerous to everyone who comes into contact with it.
It’s better to think of malware and cyber attacks as the digital equivalent of pollution.
It’s certainly a lot easier to visualize, and the analogy might help everyone understand and better prepare themselves for the next time they head out on the digital highway. It may also help organizations and governments frame their actions more productively. Even if North Korea really was behind the Sony attack, is levying sanctions against them going to stop future attacks? No. Neither will hacking their internet nor any other retaliatory measure we could take. Why not invest the effort in combating internet “pollution” instead (you could lump hate speech in there as well)? Rather than putting fingers in a leaky dike, why not see if you can reduce the pressure causing the leaks?
It’s hard to imagine what the cyber equivalent of solar energy or the banning of CFCs might look like, or how it could stem the growing miasma of malware choking our technology, but maybe that’s because we are thinking about it the wrong way.