
Michele Fincher

Imagine walking into your work lunchroom just in time to hear one person loudly berating another. The yelling male storms off in a huff, leaving the remaining female sobbing.

Would you ask if you can help her?

Suppose the sobbing one tells you she is going to be fired for forgetting her security card.

Would you take her to the elevator and swipe her in? Or would you walk her over to security for a temporary pass?  

How would you feel when you discover that neither the male nor the female works in your building, and the entire scene was a setup to get her onto the C-suite floor?

You’d feel just as stupid as anybody who’s ever fallen for the lies of a phishing email.

Chris Hadnagy and Michele Fincher of Social-Engineering Inc specialize in performing such scenarios when testing their clients' users, as well as training folks like us how to act when similar situations arise.

Presented in lighthearted, humorous, easy-to-read language, their book Phishing in Dark Waters prepares you for everything you’ll need to know about phishing, especially if you think email security is boring.

Yes, Chris and Michele have made phishing fun and enjoyable to learn.

They do it through personal anecdotes, humor, and by making the psychology of phishers and their victims easy to understand.

Starting simply with what a phish is, they move on to the psychology of why phishing works, and the principles behind it, explaining so well that basic users can grasp the concepts.

They’ve divided phishing into levels, so you can begin with the easiest to find, and work your way up as you learn more.

You’ll recognize some of the examples from breaches that were large enough to make the mainstream news.

If you use email, you need this book.

Note: Other than an autographed copy from the author at SC Congress, Securebuzz received nothing for this review.

David Millier

His third week on the job, a new CIO learns 30,000 credit card numbers posted on the Darkweb were stolen from his employer... possibly on his watch.  

Uzado CEO Dave Millier uses his engaging tale to walk you through how breaches occur, what actions to take, which actions to avoid, and how information security professionals can mitigate damages.

He also explains how to defuse office politics during a crisis, which is when people are typically more defensive of their fiefdoms.   

Most important – this story is written so non-technical readers can understand.

Note to all security/privacy geeks and IT propeller heads: it’s safe to give this book to those who have no clue about what you do.

If you want your C-suite to understand some of what you’re up against, then handing them this book is an easy start.

Not an affiliate link – Other than securing a signed copy from the author at SecTor, Securebuzz received nothing for this review.

Ransomware is remotely installed malware (malicious software) that encrypts the files stored on the infected computer. Criminals install ransomware and then demand a ransom, usually payable in Bitcoin.

The files remain encrypted until they are decrypted using a key, even if you manage to remove the ransomware. If you don’t pay, the files remain encrypted. Sometimes criminals threaten to delete them. Either way, if you don’t pay, you’ll never see your data again.

While email is a common dissemination method, ransomware criminals have other ways of getting their ware on your system.

Easily used website building platforms have exploded in popularity, precisely because they are so easy to use. Non-technical users can put up a site in a few hours, and so they have – by the hundreds of thousands, if not millions.

Because they aren’t technically adept, it never occurs to these site owners to change the Administrator default login and passwords. They also don’t understand the importance of updating and patching, nor do they install security plugins, simply because they don’t know such plugins exist.

The rapid growth of unsecured websites raises the potential gain for criminals: the more victims a criminal can extort, the greater the theoretical profit.

Cyber criminals are constantly probing for unprotected websites, sending hundreds of thousands of attacks every day. Upon finding a site that is unsecured, even a mediocre criminal hacker can enter and do whatever s/he wants with the code.

The malware types and the order in which the following event examples take place will vary, because the criminal in charge decides when to deploy and exploit any downloaded malware payloads.

Say for example the criminal installs code on the undefended site that redirects all visitors except one to Russian or Chinese merchandising sites. The lone exception is the site owner’s IP address, so the owner thinks everything is normal and has no idea what’s going on.

If after a while it becomes apparent the site doesn’t send sufficient income-generating traffic to the criminal’s merchandising sites, an impatient criminal may decide to install ransomware payloads, readily deployed to any browser visiting the site.

Alternatively, visitors to the compromised website receive an initial infection of a simple exploit file. They have no idea their machines are infected, because the file lies dormant, awaiting instructions.

Following expiration of a set time or after a certain event takes place, the exploit file receives a command to download ransomware onto the system, from another site that the visitor likely doesn’t know exists, and may have never visited. That way the unsuspecting user has no idea what site the ransomware came from. Hence the term you may have heard: “drive-by malware infection.”

You too can become a cybercriminal, by employing a vendor who sells ransomware as a service. For a small setup fee and a percentage of the total amount you manage to extort from your victims, established criminals will provide everything you need to become a ransomware commando.

Bottom Line: You can become a ransomware victim through no fault of your own.

Until you pay the criminals who unleashed it on you, your data remains encrypted and therefore unavailable.

Some ransoms are small, on the reasonable assumption that smaller ransoms are more easily paid. Others – particularly those demanded from specifically targeted organizations – are larger. Regardless of the ransom amount demanded, you don’t want the downtime and reputation disaster caused from inaccessible data.

So why not pay the ransom? After all, police departments, hospitals, and governments that are supposed to be better protected than you have all paid ransoms.

The official theory is that the criminals will always give you the decryption key, because their extortion scheme falls apart the minute no one trusts them to do so. Earlier this year that theory died when a victim organization paid, the criminals collected, and then refused to send the key.

At least one malware variant claiming to be ransomware deletes your files instead. If Ranscam infects your system, your files are gone, regardless of whether or not you pay the ransom. There’s a reason “no honor among thieves” remains a truism.

Additionally, even if you pay the ransom, with the ransomware still on your system there’s no guarantee your files won’t be encrypted many more times… or that the original criminal won’t sell your information to another criminal, because you’ve now qualified as a payee.

The best way to protect yourself from any form of ransomware is the same as for any other disaster, and the one nobody ever wants to take: prevention. Nobody likes taking precautions... just ask the life insurance salesperson. Prevention has always been a tough sell – if not for building codes, how many would buy smoke detectors?

The key to preventing ransomware email attacks is education. Train your users to examine email cautiously: check not only the sender’s name but also the sender’s address, and examine the actual link the sender wants them to open, not the link the sender claims it is.
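The two checks the paragraph asks users to make by eye (does the display name match the sender's address, and does the visible link match where it really points) can also be run mechanically, for example as a training aid or a mail-gateway heuristic. The script below is an added example, not part of the original article; the message it inspects is constructed for illustration, and the "registrable part" helper is a deliberately crude two-label fallback rather than a public-suffix lookup.

```python
"""Added example: flag display-name/address and link-text/href mismatches in an email."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name claims one
# domain, the address uses a look-alike, and the visible link text does not
# match the real href.
SAMPLE_EMAIL = """\
From: "IT Helpdesk (corp-example.com)" <helpdesk@mail.corp-examp1e.net>
To: user@corp-example.com
Subject: Action required: password expiry
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in at
<a href="http://corp-examp1e.net/login">https://portal.corp-example.com/login</a>
to keep your account active.</p>
<p>Policy document: <a href="https://corp-example.com/policy">here</a></p>
</body></html>
"""

DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")


def registrable_part(host):
    """Crude fallback: the last two labels of a hostname (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL; a bare domain written as link text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Flag a From: display name that names a domain other than the address's."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ["no From: address"]
    addr = hdr.addresses[0]
    findings = []
    for token in DOMAIN_RE.findall(addr.display_name):
        if registrable_part(token) != registrable_part(addr.domain):
            findings.append(f"display name mentions {token} but address is @{addr.domain}")
    return findings


def check_links(html):
    """Flag links whose visible text looks like a URL but names a different host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if DOMAIN_RE.search(text):  # only link text that itself looks like a URL/domain
            shown, real = host_of(text), host_of(href)
            if registrable_part(shown) != registrable_part(real):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


def analyze(raw_message):
    """Parse a raw RFC 5322 message and return all findings from both checks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    return check_sender(msg) + check_links(body)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARN:", finding)
```

The link check deliberately ignores anchors whose text is a plain word such as "here"; those are not lying about a destination, they simply hide it, which is the case users should be taught to hover over before clicking.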

As noted above, email is not the only ransomware attack vector. In the event ransomware holds your data hostage from a drive-by infection, avoid paying a ransom by having a business continuity and disaster recovery plan that includes up-to-date backups and tested data restoration. Having backups, and knowing those backups are restorable to a point in time before the infection, puts you back in business.
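"Knowing those backups are restorable to a point in time before the infection" is something you can only know by testing the restore. The script below is an added example, not from the original article: it records a SHA-256 manifest when the backup is taken, then restores the archive into a scratch directory and checks every file against that manifest. The sample files, the simulated post-backup damage, and the function names are all constructed for the demonstration.

```python
"""Added example: backup with a hash manifest, then prove the archive restores to that point in time."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir to a .tar.gz and write a manifest of relative path -> sha256."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(tree_dir, manifest_path):
    """Compare a directory to a manifest. Returns (ok, problems)."""
    manifest = json.loads(Path(manifest_path).read_text())
    tree_dir = Path(tree_dir)
    problems = []
    for rel, expected in manifest.items():
        target = tree_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"changed: {rel}")
    return (not problems, problems)


def verify_restore(archive_path, manifest_path, restore_dir):
    """Restore the archive into restore_dir, refusing unsafe member paths, then verify it."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(str(restore_dir))
    return verify_tree(restore_dir, manifest_path)


def demo():
    """Constructed scenario: back up, damage the live copy the way ransomware would,
    then show the live tree fails verification while the restore passes."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "invoice.txt").write_text("invoice 1001: 250.00\n")  # constructed data
        (live / "notes.txt").write_text("quarterly notes\n")                   # constructed data
        archive = Path(tmp, "backup.tar.gz")
        manifest = Path(tmp, "backup.manifest.json")
        make_backup(live, archive, manifest)

        # Simulated post-backup damage: one file overwritten with junk, one renamed away.
        (live / "notes.txt").write_bytes(os.urandom(32))
        (live / "docs" / "invoice.txt").rename(live / "docs" / "invoice.txt.locked")

        live_ok, _ = verify_tree(live, manifest)
        restore_ok, problems = verify_restore(archive, manifest, Path(tmp, "restore"))
        return live_ok, restore_ok, problems


if __name__ == "__main__":
    print(demo())  # expected: (False, True, [])
```

Store the manifest somewhere the backup job cannot overwrite and that the production hosts cannot reach, and run the restore test on a schedule; a backup whose restore has never been exercised is a hope, not a plan.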

When Jake Sethi-Reiner was about five or six years old he started learning introductory programming.

When he was six his father introduced him to Scratch, made by MIT to get children interested in programming. Then when he was about eight his dad got him into Python, via a Codecademy course.

“I tried learning graphics, I tried using other programs, but the tutorials didn’t do much good,” said Sethi-Reiner. “My dad found me courses on Coursera on making games. That’s when it became really interesting for me.”

In addition to coding games Sethi-Reiner made a presentation on how to teach Python to a 10-year-old, “Although it should probably have been called ‘How not to’, because it was mostly about that,” he said.  

“Next I did an economics course, and then Linux administration and security. After that I was invited to present at NorthSec 2016. I really enjoyed that, so I expanded that threat model and presentation for SecTor.”

How did he get involved in computer security?

“My dad taught me a small amount of networking, which helped me get interested in security. Getting invited to NorthSec gave me incentive to learn more about security.”

Without giving away the answers, what are some security problems facing an 11 year old?  

“My Wi-Fi is filtered, and turns off at 7:30 each night, because I shouldn’t be using it after that, when I’m supposed to be in bed.”

“My sister is constantly trying to take over my laptop and web accounts. And she’s constantly looking over my shoulder when I log in. If my sister got into my accounts all of my money would suddenly be spent on horse stuff.”

“I’ve got a cloud server that at one point was a proxy server, which needs to be protected.”

There are others that you can discover by attending his presentation.

And his plans after SecTor?

“I’ll continue with presentations and courses, then get admitted to a good high school. I’m hoping to go to either MIT or Stanford. I have some vague ideas about being an entrepreneur, but beyond that I haven’t thought much about it.”

Jake’s father and Securebuzz don’t want to leave you with the impression Jake spends all of his time coding and presenting. He runs around kicking balls and doing stuff a typical youngster his age does.

“I didn’t feel right just sitting around playing Lego. I just wanted something to do.”

Including things he’s not supposed to do. Has he ever used his coding prowess for other than good?

“In second grade I took another kid’s project and changed his fonts in Word so his project looked like gibberish. It took him about 20 minutes to figure out what was wrong with his project. If I remember correctly I was sent to the principal’s office.”

See this unique presentation by registering for SecTor 2016 here.

29 Sep 2016

Many people recognize the potential to increase the number of women in Information Security.

“When the ISC2 2015 Women in Security Study came out last year saying there’s been no growth; basically stagnation, in terms of including more women in this particular field, that’s of interest to me, being a woman who works in Information Security,” said Laura Payne, Senior Information Security Advisor, Bank of Montreal. “We have a huge shortage of qualified resources in this field, and by all means we should be finding and encouraging those women to join.”

Payne will be leading the keynote discussion at SecTor 2016. This keynote is a conversational presentation on what encouraged the female panelists to enter this field. The audience (expected to be about 90% male) will want to know, ‘What can we do?’  

“I think a stigma is you have to fit a certain kind of box,” she said. “The reality is there are many areas -- pen testing, governance policy writing, risk management, communications -- and all of those things require a solid grasp of the technical parts of information security. But they’re a different kind of role. Opportunities are there that fit things women are interested in.”

It’s known that interest in math in young children is the same for both genders. Later something happens around STEM topics that hasn’t been sorted out, which seems to close some doors. Someone who might be interested in security might never see information about it, or even have the chance to discover if they’re interested in it.

“Making sure there is opportunity and awareness is 50% of it; that doesn’t mean you have to wear a hoodie and be alone in your parents’ basement,” said Payne. “This is about helping people be protected. We’re protecting customers, and the livelihoods of people who work in industries that may be jeopardized. That resonates with women… the technical skill comes down to ‘what I can do with it’, rather than the fascination with the technology itself.”

That protection part is a bonus when talked about. Security professionals are doing it for people, and to make things better for our society. It’s not because they’re hoarders and don’t want to share… it’s because they want to provide safe and secure environments with which people can interact. We can live safely, securely, and comfortably using technology assets.

Which raises the stereotype of momma bear protecting cubs. Relating Payne’s original point back to people, two things got most women into information security…
1. Contributing in a meaningful way, not just to themselves, and
2. Someone had pointed out, ‘Hey you’re pretty good at X, and that’s a skill we can use. Would you consider a role or study that leads to a role in information security?’  

“In my case I was doing ITIL processes, and an opportunity opened to be information security officer for that team,” Payne said. “My manager at the time encouraged me. He said, ‘Look, you’re already doing business continuity, disaster recovery, and audit responses as part of your daily duties. Really all you need is a bit of knowledge and you’d be great for this role.’ If he hadn’t said that I wouldn’t have even considered applying for it, and years later I’m still here.”

Her experience runs counter to another stereotype: that of men wanting to keep security as their own version of The He Man Women Haters Club.

“Fortunately I haven’t experienced that, although I have heard things anecdotally,” said Payne. “More commonly I run into people who just don’t know what they can do. The people I’ve talked to are supportive. First thing that comes up is, ‘We don’t want to fill positions to hit a certain percentage.’ I’m not interested in having unqualified people in this profession any more than anybody else is.”

So how do you find those with the qualities for information security?

“The way we write job descriptions – especially in technology – focuses on technical skills. Anybody technically apt can pick up those skills. It’s the critical thinking and soft skills that are important, and people with those can come from a wide variety of backgrounds.”

Also helpful is demystifying security for those who may not be aware, or who labor under misapprehensions about the field. Hence this SecTor keynote panel.

“It won’t be scripted; it’ll be fresh for the audience, and it’s not about ‘guys are terrible and we need more women,’” Payne said. “We’re a community. We want to bring this discussion to the human level of why each of us got into it, how those backgrounds are successful, and how to find people who might not be cookie cutter tech mold candidates, but who have other qualities that make them great IT security candidates.”

To attend the session register for SecTor 2016 here.