I have the privilege of serving as a mentor for a course at SUNY-Albany focusing on the problems posed by insider threats. Since I am SUCH a wonderful mentor, I will be keeping an eye out for interesting resources for the students. Since these might also be useful to others, I will be blogging a list of them each week.
Russia’s apparent interference in the United States’ Presidential election marks an escalation in the targeting of state sponsored cyber attacks. What the US does in response to this strike against the very basis of our (somewhat) fair and free elections process really matters.
Letting Russia achieve its goals without any response is problematic, as it would encourage them and other state and non state actors to continue to target the US without fear of retribution. If you believe (as I do) that cyber operations will play a significant role in 21st century conflicts, doing nothing is clearly not an acceptable response.
So, if the US were to respond, what is a proportionate response? As imperfect as our electoral system is, interference in Putin’s sham elections in which there is no opposition with a snowball’s chance in hell of winning, is clearly a non starter. A limited attack on critical infrastructure (shutting down the electric system in Novosibirsk) sounds good at first, but would seem to violate the laws of war about collective punishment and targeting civilians. There is also a risk that mounting such an attack would tip off Ivan to methods and sources, and make it harder to use such weapons in war time. An attack on a manufacturing control system aimed at shutting down production or damaging machinery might be more appropriate as a demonstration of both capabilities and intent.
So, if the US were to take out Vodka Distillery No. 6, should we take public credit or would a private note government to government be enough to deter future attacks? It seems to me that taking public responsibility for such an attack is important if we want to deter Russia and other state and non state actors in the future.
Of course, all of this seems to be academic as the next administration clearly benefited from this attack and seems to include many with close ties to Russia and Putin. Even if the Obama administration could plan, mount, and execute a response it is unclear whether the new administration would pursue a policy of continuing response over the next four years. Without threats of future retaliation for new cyber attacks, a response now would be a one time gesture of revenge.
Getting political here for a minute, it seems to me that a President who does not pursue a program of responding to serious attacks by a nation state on our homeland would, at the very least, not be doing their job and at worst, be acting as an agent of a foreign state. Time will tell what President Trump will do, but you will have to pardon me if my expectations are low.
In the coming days, the Obama administration should make every effort to collate and make public all the evidence of the Russian government’s role in this affair. Then, it is up to us as a people to demand a proportional response from our elected officials.
…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.
In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.
Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).
There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.
The price for this treasure trove? US$600.
With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision. They could choose victims to concentrate their effects on for maximum profit. Real world attackers could also use this information to plan crimes such as burglaries or kidnappings. Governments (both foreign and domestic) could use this information to select targets for surveillance.
The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use. If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection. If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.
This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real. If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.
When I contrast the attitudes expressed here in the US about taking in these refugees, who are truly fleeing persecution and death, it makes me very sad. Canada’s response seems much more in keeping with American values than anything I have heard down here in a long time. I fear that the US has lost its place in the world as a beacon of hope and democracy.
If I wore a hat, it would be off to the government and people of Canada.
I received some very sad news this morning – Melissa Claros (one of my colleagues at the Weehawken Volunteer First Aid Squad) lost her husband, Robert, suddenly this weekend. Melissa and Rob shared love and a common desire to help their communities. Rob was an EMT for the West New York ambulance squad and a volunteer fireman in their town in Pennsylvania and Melissa is a volunteer EMT here in Weehawken. Rob was just 28 years old and he leaves Melissa not only with a broken heart, but also two young children to raise while she attends nursing school.
While there is nothing we can do to fill the void in Melissa’s heart left by Rob’s untimely passing, we can help her and her kids deal with some of the financial burdens which they face now and in the future.
Rob’s colleagues in West New York have set up a GoFundMe page to help the family out at this difficult time. Rob and Melissa have consistently stepped up to help their communities. Rob was and Melissa is “good people” who could use some help.
Sometimes, saving money can cost you money (like $81 million)… Apparently the hackers who made off with millions from the Central Bank of Bangladesh had some help from the bank’s IT department, who decided to save money by foregoing firewalls and purchasing used routers that could not segregate private from public traffic. My new favorite information security quote of all time was in this article:
A firewall would have made attempts to hack the bank more “difficult,” Mohammad Shah Alam, a forensic investigator who works on the Bangladesh team investigating the theft, told Reuters.
Yes. Yes it would. Can’t get anything past this guy.
Be careful when typing those URLs! Typosquatters register domains which are very similar to those of popular sites and use them to serve up malware to the unwary. Leave the “c” off of “.com”? You could end up at a shady Omani domain bearing gifts you don’t want to get!
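A defender-side check for the dropped-letter case described above, as an added example that is not part of the original post: it compares a typed hostname against an allowlist and flags near misses such as “.om” for “.com”. The allowlist, the function names and the two-label split (single-label TLDs only) are assumptions made for illustration.

```python
# Added example: flag hostnames that are one keystroke away from a trusted domain.
KNOWN_GOOD = {"example.com", "example.org"}  # constructed allowlist

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def split_host(host):
    """Return (name, tld) from the last two labels; assumes single-label TLDs."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return labels[-2], labels[-1]

def classify(host, known=KNOWN_GOOD):
    """Return (verdict, trusted_domain_it_resembles_or_None)."""
    name, tld = split_host(host)
    if f"{name}.{tld}" in known:
        return ("ok", f"{name}.{tld}")
    for good in sorted(known):
        gname, gtld = split_host(good)
        # Same name, TLD off by one character: ".om", ".cm", ".co" for ".com".
        if name == gname and edit_distance(tld, gtld) == 1:
            return ("tld-typo", good)
        # Same TLD, name off by one character.
        if tld == gtld and edit_distance(name, gname) == 1:
            return ("name-typo", good)
    return ("unknown", None)

if __name__ == "__main__":
    for typed in ["example.com", "www.example.om", "examle.com", "example.net"]:
        print(typed, classify(typed))
```

A mail gateway or proxy could run a check like this on outbound hostnames and warn or block on the two typo verdicts.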
A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free. Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non jailbroken) devices. This particular family of malware only targets devices located in mainland China, but there is no guarantee that others will not try to exploit this issue to infect other users.
Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.
We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks. The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.
Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…
OK, I already tweeted this story with a snarky comment about spelling, but there is an interesting lesson to be learned from this incident. It was plain old human intervention that kept an $80 million fraud from becoming an $800 million plus fraud against Bangladesh Bank. Educating your people to recognize out of the ordinary behavior is one of the best security investments you can make. (Not that losing $80 million is a great outcome).