Thinking twice about shopping online and BYOD


Cisco has recently published their annual security report, which has some interesting and significant security findings for both security companies and executives. The study reports that “the majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most and think are safe.” This means the assumption that malware infections commonly result from bad sites like counterfeit software sites is a delusion. Online shopping sites were identified by Cisco as being 21 times more likely to deliver malicious content than counterfeit software sites. The Cisco report also states that large organizations are 2.4 times more likely to encounter web malware.

The Symantec Internet Security Threat Report volume 17, which was also recently published, reports that “advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.” Both reports identify a significant increase in mobile, specifically Android, malware from 2011. This indicates mobile devices are a tangible threat to all organizations. Symantec clarified that the malware was being created for activities such as data collection, sending content, and user tracking.

The increase in mobile attacks creates a higher demand on security companies and security executives to protect these vulnerable areas on networks. Many security executives have added an extra layer of protection to their security plan with Defence Intelligence’s Nemesis. Nemesis is able to protect all mobile devices that are within a network, and can identify and sever malware communications on legitimate sites which have been compromised. This provides security teams and traditional tools the time needed to respond and remediate.

Contact Defence Intelligence today for a free presentation on how easily and effectively Nemesis can fit into your current security plan.


What can we learn from Twitter?

Twitter Logo (Photo credit: Jon Gosier)

With each new breach it’s good practice to find a takeaway that can serve as a reminder or new insight. The recent breaches at Twitter, The New York Times and The Washington Post are no different.

Twitter has offered the most transparent account of the breach thus far. Bob Lord, Twitter’s director of information security, offers an extensive explanation in his blog. Lord reveals that the attack was not the work of amateurs, nor was it an isolated incident against Twitter. The hackers were clearly targeting other companies and organizations. It was for this reason Lord “felt that it was important to publicize this attack while [Twitter] still gather information, and we are helping government and federal law enforcement… to make the Internet safe for all users.”

The Daily Mail consulted an independent privacy and security researcher for input on the Twitter breach and what can be gained from Twitter being so public about it. Considering the breach impacted a relatively small number of users and how quickly Twitter was able to effectively respond and mitigate the breach, it was deemed well contained.

This reflects the discussions we participated in at the Women in Security Lecture Series recently, namely that there is a clear need for more communication between security executives and more learning from each other’s mistakes. Twitter is setting a positive example in being transparent about its process and sharing details for others to learn from. Given that it’s now understood that it’s not a matter of if a company will be breached but when, responses like Twitter’s go towards removing much of the taboo and shame associated with a breach. This is the necessary first step towards true sharing and progress.

Severing the communication at an early stage, which Twitter seems to have been able to do, is an essential part of any security plan. As Lord stated in his blog, these attacks were specific and not perpetrated by amateurs. The hackers have gotten sophisticated and the security executive’s plan must evolve to keep pace.

Defence Intelligence’s main service offering, Nemesis, is able to add that layer of protection. Many security executives rely on Nemesis as the extra layer that will protect their network from breaches. Nemesis effectively protects networks by severing communication between the network and the attacker. This allows security groups and traditional security tools the needed time to respond and remediate.

Contact Defence Intelligence today to find out how easily and effectively Nemesis can fit into your current security plan.


The Second Annual Women in Security Lecture Series

Last night we had the pleasure of being a diamond sponsor and attending the second annual Women in Security Lecture series at the Hampton Inn and Conference Centre in Ottawa. The event had a relaxed business casual atmosphere with everyone talking about security. We appreciated hearing the different points of view and opinions from the panel and conversations on the current and future state of security.

Students from RMC at the event – Winners for best dressed
One of the speakers that really stood out for us was Lisa Gordon-Hagerty. Her extensive background in security in the corporate and government sector made her extremely interesting to hear from.  She touched on the fact that hackers, malware writers, and botmasters all work together sharing information and technologies. This allows them to constantly be a step ahead of the organizations they’re attacking.

“She’s been on both sides of the fence and very much believes in having the government and corporate entities work hand in hand to develop better security policies, to share information on different events and act as a collective unit to better combat cyber security,” says Mohamad Haidara of Defence Intelligence.

Mohamed Haidara and his cinnamon hearts.

There were lots of interesting ideas and discussion around the need for transparency among organizations and the need for organizations to learn from each other’s mistakes and leverage different strengths to secure their networks.

One key point was how current security tools are becoming obsolete. There needs to be a new tool or system brought in to help secure the networks of organizations.

Speakers and panel members for the night included:

LISA GORDON-HAGERTY, MPH – Founder and CEO, LEG Inc

DJENANA CAMPARA – President and CEO of KDM Analytics; Author of System Assurance: Beyond Detecting Vulnerabilities (2011)

DR. ALISON WAKEFIELD – Senior Professor in Security & Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth;

NATALIE RUNYON, MBA, CPP – Director, Global Security, Thomson Reuters; Owner of CSO Leadership Training

CHRISTINA DUFFEY, CPP – Vice President, Operations, Paragon Security

SYLVIA FRASER, CPP, PMP, CRM, CSPM (Moderator) – Corporate Security Supervisor, City of Toronto, currently overseeing the Business Strategies and Risk Management Office

We are pleased to sponsor such a quality event for security executives in the Ottawa area. It was a great night filled with excellent discussions and we’re looking forward to next year’s event.

By Sarah Raphael

The Intern’s Security Practices Part 3: Attitudes

The last area of our survey focused on the attitudes and values of the students. We wanted to know if their security was strict or lax because of their views. This survey was given to first year public relations students at Algonquin College. 
We asked the students if they cared if someone accesses their Twitter, Facebook, LinkedIn, or Google+ accounts. I was surprised that only 77 per cent of the students said yes. It is really important to me because I use social media to make professional connections and keep in touch with family.
Only 55 per cent said that they are more cautious when using the campus computer labs. Personally I don’t bank online in the campus labs but I do log on to social media, e-mail, and school accounts. With the exception of online banking the rest of my accounts seem like second nature. I don’t always think before I log in. That is something I have become more conscious of since I started working at Defence Intelligence.  
We then asked students to rank the following three points from one to three, one being the most important and three being the least. 
  • Your Twitter/Facebook/LinkedIn or Google+ account(s) is (are) hacked and someone posts lies on your account(s)
  • Your email sends spam to all of your email contacts.  
  • Your banking information is stolen and hackers steal money from your account
Fifty per cent of the students ranked them in the following order from most important to least.
  • Your banking information is stolen and hackers steal money from your account
  • Your Twitter/Facebook/LinkedIn or Google+ account(s) is (are) hacked and someone posts lies on your account(s)
  • Your email sends spam to all of your email contacts. 
I agree with this ranking because I do a lot of my banking online and use social media to communicate with family and friends. I don’t have a lot of important or professional contacts on the email account, but as I come closer to graduating and I gain more professional contacts I realize the damage that can be inflicted by someone sending spam from my email. 
Surveying other students has really helped identify my personal security habits and ways to improve them. Hopefully I will be able to keep up the good habits and change the bad ones so I can avoid major security issues.  

By Sarah Raphael

Our Top 3 Stories from January

Each month we want to highlight three news stories that stand out to us. Now that it’s February, it’s time to look back on all the things that happened in the first month of 2013.

Here are the stories for January:

Pupil expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students’ personal data.

A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information. Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account  …….. Read more. 

Kim Dotcom Goes on Mega-Offense Against U.S. Copyright Case

AUCKLAND, New Zealand — Facing extradition and possibly decades in U.S. prison, Megaupload founder and filesharing kingpin Kim Dotcom is fighting back, internet-style, launching kim.com, in an attempt to foment a protest movement on his behalf. Dotcom, currently on bail in New Zealand, argues that “the U.S. government has declared war on the internet” and is trying to convince the netroots community to vote against President Obama on Nov. 5 if the case isn’t dropped ….. Read More.

Activist Swartz’s suicide raises questions about prosecuting computer crimes

Internet freedom activist Aaron Swartz, who was found dead in his New York apartment Friday, struggled for years against a legal system that he felt had not caught up to the information age. Federal prosecutors had tried unsuccessfully to mount a case against him for publishing reams of court documents that normally cost a fee to download. He helped lead the campaign to defeat a law that would have made it easier to shut down websites  …… Read More. 

The Intern’s Security Practices Part 2: Links and Software

As Defence Intelligence’s intern, I decided to survey my class at Algonquin College to find out how they protect themselves from digital threats. Here is the next section of the survey results on links and software.

To start, I asked if my classmates open links on various social media sites and in emails. Here is what they said:

Some of these results could be off because they may not have an account on LinkedIn or Twitter. Since all students have an e-mail address and the majority have a Facebook account as well, it’s not surprising that they have the highest percentage. I will open links on any of those platforms if I recognize the sender and it’s something they normally do. This is how I fall into the 67 per cent that open links from known sources.

With that said, I don’t open every link received from someone that I know. I read the text around the link and check Google for any warnings. This habit saved me from a virus spread through Twitter where you received a message from a friend saying they found a picture of you. When you clicked the link it gave you the virus. With 80 per cent of the students saying they don’t open messages that are just a link, it looks like when it comes to links they have an idea of how to act securely.

It surprised me to find that only 65 per cent of the students admitted to downloading music or movies through sharing and torrents. I’m definitely guilty of this from time to time, especially when it comes to movies.

Moving on to software, we wanted to know when students decide to update their software.

It’s interesting to note that one student wrote on the survey that they check to see how important the update is.

The most surprising result of the survey was that 82 per cent of students said that they don’t have antivirus software on their phones. I would be curious to see how many are iPhone or Android users. As an iPhone user I’m not sure I have any antivirus software.

“People fail to realize that their phone is a computer and should be treated as such,” said Keith Murphy, Defence Intelligence CEO.

Similarly, 35 per cent of students don’t have antivirus software on their computer or laptop, and 22 per cent don’t know if they have any. This was a shock to both Murphy and myself.

“If they don’t know whether they have AV, it’s safe to assume that they don’t,” said Murphy.

With this news, it’s no surprise that 22 per cent admit to discovering a virus on their computer. Of the 43 per cent of the students that have antivirus software on their computer or laptop, 17.5 per cent use McAfee, 12.5 per cent use Symantec/Norton, two per cent use Windows Essentials, seven per cent use Avast, and five per cent use a different type of software.

Stay tuned for our last post concerning the security attitudes of the students.

By Sarah Raphael

90 Minutes to Privacy

In light of this being National Data Privacy Day for the U.S. and Canada, here are eight tips to create safe online personal security habits. We previously covered best practices for working with passwords, keeping your software up to date, and using a decent anti-virus solution; now get ready to start the timer and do what you’ve been meaning to do for years.

Reconnoiter – 15 Minutes

The first step in securing your privacy is to find out just what is out there for the world to see. If you’ve never Googled yourself, now is the time. Google search to check on:

1. your name
2. your name + your city
3. your name + your employer
4. your phone number
5. your address
6. your email addresses
7. screen names
8. gamer tags

Google search anything that you’ve ever used to identify yourself. Don’t forget to do an image search while you’re at it. You might be surprised to find that your dating profile, gaming history, forum posts, site memberships, comments, pics from the office party, etc. are easily uncovered.

Now find out what Google knows about you here. Turn off your Google search history here.

Get your credit report. You should know what’s on there, and it’s easy and free to request it. Look for anything suspicious or incorrect and contact the agency immediately if anything is amiss.

You don’t need to pay for the upgraded service; there is no charge to receive your credit report.

Canada – Equifax [PDF]; TransUnion

USA – Equifax / TransUnion / Experian

Call your doctor and get a copy of your medical history. Most people have details about every oil change they’ve ever paid for but have no clue about their own health records. Depending on where you live, you’ve got the right to access different information that is on file about you. Insurance companies, payroll companies, social services, etc. should all supply you with what they know about you.

Shrink your footprint – 20 minutes

Haven’t used a Groupon in 6 months but still getting spammed daily? Signed up for 5 different streaming radio services but only use Songza? Found your true love but still have profiles on dating sites? Now is the time to delete any accounts that you no longer use. It’s a pain, but it only takes a minute. If your Myspace page is still sparkling and blaring music out there, just put it out of its misery. As an added bonus, your inbox will thank you.

Can’t remember all the crap you’ve signed up for?
  • Look through your spam folder.
  • Check your purse or wallet for points cards, rewards cards, coupons, etc.

Location services – Maybe you love Google’s location aware search results, but there is no need for most apps to know where you are. Similarly, nobody needs the GPS coordinates of the party you were at last night. If the app doesn’t need to know where you are to work, then turn it off.

Delete – 10 minutes

Take ten minutes to go through the files and folders on your computer. Delete anything and everything you can. Be merciless.

Tighten your social media belt – 10 minutes

Adjust your privacy settings. Facebook is the big transgressor here, but be sure to check your LinkedIn, Twitter, Foursquare, Pinterest, etc. as well. Even if you don’t care, your contacts might. Your privacy settings on sites like Facebook and LinkedIn don’t only affect you. Take the time to make sure that you’re not sharing any data about your friends with people that you don’t have today. Why let strangers creep all of your contacts on LinkedIn and share friends’ data with third party developers on Facebook?

Go on a friend diet – 10 minutes

Prune your lists of friends: Facebook, LinkedIn, Google+, Skype, MSN, ICQ, AIM, IRC, etc. If you haven’t talked to them in the last year, you probably never will. If you need to look them up, you can always do so.

Go on an app diet – 10 minutes

Look through the apps on your phone. If you haven’t used an app in a month, uninstall it. No matter how many times you tell yourself otherwise, you are never going to use Google Sky. Bored with Fruit Ninja? Downloaded Layar just to show off your phone? Get rid of them. You can always install them again later, even the ones you’ve paid for. The same goes for any Facebook apps you may be annoying your friends with. Ditch them. Nobody cares about your farm or what you just played in Words With Friends.

Create an alias – 10 minutes

Not just a username, make a whole person: first name, last name, email address, birthday, pet. When you need to sign up for something non-critical, use your alias. If they don’t need your real name, don’t give it to them. With the birthday/email/pet, you should even be able to recover your password if you forget it. Now is your chance to have the supercool name that you always wanted. Hello, Mr. Mike McCool.

Lockdown – 5 minutes

Make sure you use lockscreens on your phone, tablet, computer, etc. Set them to lock after 2 minutes. No exceptions. Install Prey or a similar tool on your devices just in case (preyproject.org). Sign out of everything you log into, whether it’s a site, a program or a computer.

Tell us how you did with the 90 Minutes to Privacy plan. Did it take more or less than 90 minutes?


The Intern’s Security Practices Part 1: Passwords

Being the newest addition to the Defence Intelligence team and having recently been introduced to the world of security, I’ve been learning some best practices and adjusting my Internet usage habits. Over the past few weeks I’ve learned that some of my habits, especially when it comes to passwords, could use some improvement.

We decided to survey a class of first year public relations students at Algonquin College, in Ottawa, to see how my practices compared to theirs. The majority of the class is female with an average age of 21.

We found that 90 per cent of the students use the same password for multiple accounts. Personally I use different types of passwords for different types of accounts. I use the same password for social media accounts, another password for my e-mail, and a separate one for my online banking. I find it difficult to use a different password for everything because I use a lot of social media sites.

“It’s interesting that this generation has been called digital natives yet their security practices are very poor. By using the same password on multiple accounts they are trading their personal information and security for convenience,” says Keith Murphy, the CEO of Defence Intelligence.

Fifteen per cent of the students said they change their passwords frequently. For the next survey we will need to define how often ‘frequently’ is. I only change my passwords if the site prompts me to or I need to reset my password because I forgot it. I was surprised that 77 per cent of the students use passwords that have more than eight characters. I tend to use the minimal allowable amount of characters when I create passwords. I think that the school’s password standard is seven characters, which could be why some students are using longer passwords.

With only 45 per cent recording their passwords in a safe place I’m not surprised that their passwords are changed often. I have trouble finding a place to store passwords. When I discussed this with Murphy, he said that the best practices were to use encrypted storage or to write them down. He also recommended avoiding saving passwords in the browser and on your computer. The following article from Lifehacker is very helpful in outlining some common mistakes and best practices. You can also see our tips here.

The following chart shows the type of characters the students are using to create their passwords:

I’m not surprised that the majority of the students use upper and lowercase letters; those are fairly common. What surprises me is that there is a significant drop when it comes to the use of numbers, special characters, and punctuation. I didn’t start using special characters and numbers until Google, Apple, and other sites started showing you the strength of your password.

In the next blog post we will discuss the survey results concerning the use of links and security software.

By Sarah Raphael


Start Your 2013 Learning and Connecting

Photo image thanks to Keerati at FreeDigitalPhotos.net
Is one of your resolutions for 2013 to remain current with security information and connected with security professionals? Then one event you’ll want to include in your schedule is the Canadian Security Partners’ Forum’s second annual Women in Security Lecture Series. The event will be hosted in Ottawa, ON at the Hampton Inn and Conference Centre on Thurs Feb 7 at 5:30PM.

The CSPF is committed to creating a meeting place for all disciplines and domains within security, including national security, defence, law enforcement, public sector, private sector and public safety. Last year more than 300 in the security profession came out, with almost an even split of women (55%) and men (45%).

The confirmed speakers list includes:

Dr. Alison Wakefield
  • Senior Professor in Security and Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth
  • Director of the Academic Board at the Security Institute
  • Serves on the editorial boards of Security Journal and Police Practice and Research
  • Her influential publications on criminology and law enforcement include: Selling Security: The Private Policing of Public Space; The Sage Dictionary of Policing; and Ethical and Social Perspectives on Situational Crime Prevention

Natalie Runyon, MBA, CPP
  • Director, Global Security, Thomson Reuters
  • Owner of CSO Leadership Training
  • Member of the ASIS CSO Roundtable and its Leadership Development Committee
  • Former Illicit Transactions Analyst for the Office of Global Security, Goldman Sachs with the Central Intelligence Agency

Christina Duffey, CPP
  • Vice President, Operations, Paragon Security
  • Former President, ASIS Professional Certification Board (PCB)
  • Recognized expert in the security field with extensive security operations knowledge and expertise in asset protection, physical security, and risk management

Sylvia Fraser, CPP, PMP, CRM, CSPM (Moderator)
  • Corporate Security Supervisor, City of Toronto, which requires Sylvia to oversee the Business Strategies and Risk Management Office
  • 14 years of experience in the security industry providing security management, security system designs and project management across both government and private security endeavours
  • Specializes in security risk management programs, portfolio management, and critical infrastructure

Providing closing comments to this exemplary list of presenters is Colleen D’Iorio, Executive Director, Security and Identity Management (Treasury Board of Canada Secretariat). Previously she held the distinguished roles of Director General Access and Director General Cyber Protection at the Communications Security Establishment of Canada (CSEC).

Defence Intelligence is proud to be a Diamond Level Sponsor for  CSPF’s Women in Security Lecture Series. We hope to see you there. 

Tickets, which include a full meal, are only $70.
Register today, this event is sure to sell out.
For more details and to register visit: http://cspfwomeninsecurity2013.eventbrite.ca/


The evolution of the CIO and CISO


The role of the Chief Information Officer was first created in the 1980s; before that the responsibility for information security belonged to the Chief Financial Officer. As technology and society changed over the years, so has the role of the CIO in organizations. The traditional role of the CIO and CISO is described by Bill Brenner, the senior editor at CIO magazine, as “over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops.”

Since then the CIO has taken on a more prominent role and become a central position in business operation. Expected to be knowledgeable about business and up to date with technology, the modern day CIO is a kind of Superman. This explains CIOinsight writer Allan Alter’s discovery that the majority of CIOs have a mixed background in technology and business.

Paul McDougall, a writer for Information Week, discusses how the rise of the Internet economy has created a need for CIOs to play a central role in organizations. The Internet economy has made IT departments more central, with the added pressure to deliver more results with fewer resources. In a blog entry on Information Week, Cisco chief technology officer Padmasree Warrior explains the new expectations for the IT department: “CEOs now expect IT to provide profitable growth and business agility. The role of the CIO is changing.”

This significant shift in thinking is also being faced with the emerging challenges of mobile integration and cloud computing, placing pressure on CIOs to integrate more mobility into the daily operations of the business environment. With all of these new challenges and demands it is necessary for the CISO’s role to change from reactively responding to security threats towards a more intelligent and holistic risk management style.

A study conducted by the IBM Center for Applied Insights called Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment found that security professionals are under intense pressure to protect the firm’s most valuable assets: money, customer data, and intellectual property. IBM created a list of mature security practices of influencers in a variety of organizations:

  1. Security is seen as a business (versus technology) imperative.
  2. The use of data-driven decision making and measurement.
  3. Sharing budgetary responsibilities with the C-Suite.

“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights. “The path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”

The role of the CISO in organizations will continue to change over the next few years. It’s apparent that the CIO and CISO have a crucial role that needs to be recognized and given proper authority to put their in-depth security plans into place. This will help avoid incidents such as the recent breach at the South Carolina Department of Revenue. We’ll follow this discussion up in our subsequent blog. Do you agree that, while this is a good start, there is room for improvement?
By Sarah Raphael 
