Hackable Houses and Compromised Cars

The following is a guest post written by Lucy C., a co-op student from Lisgar Collegiate Institute in Ottawa.

The idea of having a smart home or a smart car is extremely tempting. Being able to live in a world that is fine-tuned to exactly your needs seems like a sci-fi paradise. Cars that drive and park themselves, pre-programmed with GPS systems and traffic control, so you know exactly how long your drive to work each morning will be. A home that adjusts its temperature controls depending on your body heat and doesn’t require a key for entry because it recognizes your presence. A kitchen that can cook you breakfast each morning before you wake and a pillow that wakes you up at exactly the right moment in your REM cycle.

All of these features and products sound great in theory, but in practice they have a major downside: your privacy and security will never be more at risk. All these useful devices will be collecting a slew of personal data about every aspect of your life, and if any of them were hacked and controlled by an outside party, the ramifications would be unimaginable.

With your every action tracked and recorded, companies will have all the personal data they could ever want on every consumer. Even if the system is never compromised by a hack and the data is never stolen by an outside party, there is still the lurking possibility that the company will sell your data to other enterprises or to the government, which would then know every movement of every citizen.

This lack of privacy is accompanied by a frightening lack of security. If someone were to gain control of your smart home or smart car, they could wreak havoc on your life. You could be locked out of your home, or they could gain entry to it simply by pressing a button. It would usher in a new age of terrorism: imagine the power a group would hold if it had the capability to crash every car in a city in an instant, or to lock whole cities out of all their buildings.

And the scariest part of these new smart homes and cars? So far, they are surprisingly easy to hack. There are already stories of strangers gaining access to baby monitors and speaking through them. The Insteon home control system, a remote control system for turning electronics on and off and controlling the temperature in your home, used to be accessible online with only occasional password protection, so if you discovered one of the sites you could turn any electronics in the home on and off and access all the personal data the system had gathered.

These potentially disastrous consequences of smart homes and cars bring about a burning question: are consumers ready to part with their security and privacy just to have all these cool new personalized gadgets?

Your Reputation after a Data Breach

Whether you asked for it, had an active hand in making it, or even acknowledge it, you have a reputation. It can be built up, blown up, and is blended from both fact and fiction. It is a wild beast that can only be tamed in the way an adult grizzly plucked from the forest can be tamed. Despite all its volatility and fragility you must manage it as best you can, because when your reputation takes a hit the foundations of success begin to shudder.

A company’s reputation is no different. After Target’s data breach one year ago, its customer satisfaction and service reputation stayed in decline for many months. S&P cut Target’s credit rating due to the breach’s bigger than expected impact on traffic and sales. Target’s profits dropped 46% in Q4 of 2013 and its CEO was ousted five months after the breach went public.

There are plenty of tangible costs when a data breach occurs: lost productivity, forensic investigation, technical support, system availability, compliance and regulatory failure. Many of these costs, while significant, are manageable to an extent when the breach is kept under wraps. Once word of a breach reaches the consumer side, the final tally of damage and cost is unpredictable.

42% of breached companies lost customers and business partners, and 46% of a breached company’s clients would no longer recommend the organization.

Companies like Sony, Home Depot, P.F. Chang’s, Staples, Michaels and K-Mart have all been targets of data theft. Their damaged reputations will recover over time, but the repair costs are significant. A Ponemon survey stated that the average damage done to a brand ranges from $184 to more than $330 million and that, at best, brands lost 12% of their value after a breach.

Every company needs to do more to keep its reputation secure. While some data breaches will be physical blunders, many of them will be malware entering the network, whether by force or by invitation.

Defence Intelligence helps their clients keep their data and their reputation secure with their advanced malware protection services. Take a look at what we can do to help.
Don’t be the next victim.

Heartbleed: What Do I Do?

You’ve probably read a little about Heartbleed by now, and you either understand the details or you don’t. For some additional reading you can visit heartbleed.com. Either way, you are, and should be, worried about whether this is going to affect you directly. The answer: probably. Not all sites and software rely on the security torn open by Heartbleed, but many do. For those sites which are currently vulnerable you will need to confirm that the site owners have fixed the issue BEFORE changing your passwords.

How do you do that? Go to Heartbleed Test or Heartbleed Checker and type in the site you’re worried about, such as your banking site.

If it comes back green, it was either fixed or never had a problem. I recommend a password change anyway; you are probably overdue for one.

If it comes back red, check back again later until it comes back green. Then change your password.

I think you’ll find at this point that many sites have fixed the issue, but it can’t hurt to check.

For those who are interested in the related CRA website shutdown from Heartbleed, read this story as well: ctvnews.ca.


Is Anybody Listening? The Struggle for More Security

You might know the immense value of IT security, but you probably know at least a few professionals who don’t. Apparently, communicating the importance of security is a difficult task for many people, so you’re not alone if you find this hard to do.

It can be tempting for some senior executives to look only at the cost of security programs, while others are ambivalent about their effectiveness. Either way, the true value of IT security is not getting across, and that’s a breakdown in communication. In fact, according to Infosecurity Magazine, the authors of a study done by the Ponemon Institute for Tripwire claim, “As business leaders are required to disclose more about their organization’s security risks, those business-oriented security executives with good communication skills will be in even greater demand.”

The study – which involved IT professionals from both the US and Britain – found that approximately half of those surveyed admitted they were ineffective at letting management know about security risks. Many say it’s because the security metrics are too complex for their bosses to understand. The result is that companies are allowing security threats to stick around because management simply doesn’t know about their severity.

But with increasing dependence on technology, security risks are not going away any time soon. In fact, there are more now than ever, which means it is increasingly important for security professionals to properly communicate the risks to senior executives. Getting the point across might require the use of graphs or even the ever-popular infographics, but getting management to comprehend the value of IT security is worth the extra effort.

The Second Annual Women in Security Lecture Series

Last night we had the pleasure of being a diamond sponsor and attending the second annual Women in Security Lecture series at the Hampton Inn and Conference Centre in Ottawa. The event had a relaxed business casual atmosphere with everyone talking about security. We appreciated hearing the different points of view and opinions from the panel and conversations on the current and future state of security.

One of the speakers that really stood out for us was Lisa Gordon-Hagerty. Her extensive background in security in the corporate and government sectors made her extremely interesting to hear from. She touched on the fact that hackers, malware writers and botmasters all work together, sharing information and technologies. This allows them to stay a step ahead of the organizations they’re attacking.

“She’s been on both sides of the fence and very much believes in having the government and corporate entities work hand in hand to develop better security policies, to share information on different events and act as a collective unit to better combat cyber security,” says Mohamad Haidara of Defence Intelligence.

There were lots of interesting ideas and discussion around the need for transparency among organizations and the need for organizations to learn from each other’s mistakes and leverage different strengths to secure their networks.

One key point was that current security tools are becoming obsolete; a new tool or system needs to be brought in to help secure organizations’ networks.

Speakers and panel members for the night included:

LISA GORDON-HAGERTY, MPH – Founder and CEO, LEG Inc

DJENANA CAMPARA – President and CEO of KDM Analytics; Author of System Assurance: Beyond Detecting Vulnerabilities (2011)

DR. ALISON WAKEFIELD – Senior Professor in Security & Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth

NATALIE RUNYON, MBA, CPP – Director, Global Security, Thomson Reuters; Owner of CSO Leadership Training

CHRISTINA DUFFEY, CPP – Vice President, Operations, Paragon Security

SYLVIA FRASER, CPP, PMP, CRM, CSPM (Moderator) – Corporate Security Supervisor, City of Toronto, currently overseeing the Business Strategies and Risk Management Office

We are pleased to sponsor such a quality event for security executives in the Ottawa area. It was a great night filled with excellent discussions and we’re looking forward to next year’s event.

By Sarah Raphael

Increase Efficiency, Reduce Workload

As is often the case, if you want something done and done well, you find someone who is already busy to do it. Security executives are no exception. They are recognized as competent, successful and fully loaded with projects and responsibilities. Their list keeps growing with the expanding need for more and more security steps, measures and processes in an ever-changing threat landscape.

One recent study by the UK specialty recruiter Randstad found that most IT technicians and engineers are working the equivalent of 7.5 days’ work during their typical work week. They often work on weekends to fit in the extra hours, receiving the same pay for doing the work of one and a half staff. The instability of the economy is causing many to take on the extra work.

One of the best responses to a maxed-out schedule is to find tools that enhance results without adding to the workload. One resource proven to be extremely helpful to security executives is the Nemesis advanced malware protection service. It allows them to do a health check of their network security with minimal time and energy commitment.

Nemesis was designed to make life easier for security executives. It takes less than 20 minutes to configure.

The dashboard offers a quick view of the number of sites that are used for Command & Control, phishing, fraud, malware distribution and a number of other malicious categories. Each one of these communications is blocked so your data and systems are safe and can’t be used for malicious purposes.

Nemesis also:
  • Protects all internet-enabled devices, regardless of operating system
  • Prevents malware from entering a network
  • Identifies existing infiltrated systems on your network
  • Alerts and reports on all malicious activity across your network
  • Disables communication to Command & Control channels, rendering the malware harmless
  • Delivers easy-to-read data in dashboard and report format so remediation can begin

Wondering if Nemesis should be added to your security team? We’ll help you assess if Nemesis is a good match. Call us today for a free trial of Nemesis and let us help you increase your network security without increasing your workload. Click here to register for a trial or call us at 1.877.331.6835 ext 2.

Cyber Security Made Easy – Part 4

The topic of creating great passwords has been visited many times by many people, yet it remains relevant and important because common passwords are still too common. As educators often feel the pain of knowledge falling on deaf ears, we beat this horse once again in the hope that one or two new pupils may take heed.
Make better passwords!
When creating your list of passwords, one tip is to ensure your password does not rank as one of the world’s most popular passwords, such as “Jesus,” “Ninja” and “Qwerty.” You can also visit our previous blog that covers the basics of making passwords more effective. Let’s say that your email password is “whiskers”, the name of your no doubt lovable cat. You can easily keep the familiarity of the password while increasing its effectiveness as a password.

Old password: whiskers
New password: I have loved Whiskers since 2004!

Easy to remember, and vastly more secure than the original password. If you can’t use spaces, simply remove them.

Whenever possible, use words and terms which can’t be found in a dictionary. This sounds harder than it is. You can use altered spelling, nicknames and clues instead of the actual term.

Old password: I love icecream
New password: !love1c3cr3am
You can also visit trusted opinion leaders such as the Canadian site Get Cyber Safe, which highlights:
  • Don’t stay logged into a site; log in each time you visit the site
  • Clear browsing history or cache after online banking and shopping
  • Avoid using a single dictionary word

Or the American site Stop.Think.Connect., which includes:
  • Keep a separate password for each account
  • Make passwords long and strong, including capital, lowercase, numbers and symbols
  • Limit how and who has access to what you post by using privacy settings on websites, set to your level of comfort
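As an added example that is not part of the original post, the following Python script applies the rules above (not one of the most popular passwords, long, at least three character classes, not made only of dictionary words) to the post’s own before/after passwords. The common-password and dictionary sets are small constructed stand-ins for real wordlists, and the bit estimate is a deliberately naive upper bound.

```python
"""Added example, not from the original post: a checker that applies the
post's password rules to its own before/after passwords. The common-password
and dictionary sets below are small constructed stand-ins for real wordlists."""
import math
import re

# Constructed sample of "most popular" passwords; the post names the first three.
COMMON_PASSWORDS = {"jesus", "ninja", "qwerty", "password", "123456", "whiskers"}
# Constructed mini dictionary standing in for a real word list.
DICTIONARY = {"i", "love", "ice", "cream", "icecream", "whiskers",
              "have", "loved", "since", "cat"}


def charset_size(pw: str) -> int:
    """Alphabet size a brute-force guesser must cover, from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols, space included
    return size


def naive_entropy_bits(pw: str) -> float:
    """Brute-force cost in bits if every character were independent.
    This is an upper bound: a passphrase of dictionary words is guessed
    word by word, so its real cost is lower than this figure suggests."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def only_dictionary_words(pw: str) -> bool:
    """True when every alphanumeric token is a plain dictionary word, i.e. the
    password adds nothing a wordlist-based guesser would not already try."""
    tokens = re.findall(r"[a-zA-Z0-9]+", pw.lower())
    return bool(tokens) and all(t in DICTIONARY for t in tokens)


def assess(pw: str) -> dict:
    """Apply the post's rules and return the problems found (empty list = passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is one of the most popular passwords")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if charset_size(pw) < 62:  # three classes is at least 26 + 26 + 10
        problems.append("uses fewer than three character classes")
    if only_dictionary_words(pw):
        problems.append("made only of dictionary words")
    return {"password": pw, "bits": round(naive_entropy_bits(pw), 1),
            "problems": problems}


if __name__ == "__main__":
    for old, new in [("whiskers", "I have loved Whiskers since 2004!"),
                     ("I love icecream", "!love1c3cr3am")]:
        for pw in (old, new):
            r = assess(pw)
            verdict = "OK" if not r["problems"] else ", ".join(r["problems"])
            print(f"{pw!r}: ~{r['bits']} bits; {verdict}")
```

Both “old” passwords fail at least one rule and both “new” ones pass; note that “!love1c3cr3am” passes only because the letter substitutions break the dictionary match, and real cracking wordlists include such substitutions, so length remains the stronger defence.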

Our next blog will cover a list of resources.


Cyber Security Made Easy – Part 3

With all the talk of cyber security in the news, it is common knowledge that the Internet is not a secure channel for exchanging information. Most people keep this in mind when making their home network secure. Public WiFi is another story. To see exactly how easy it is to be hacked over public WiFi, watch the W5 interview. Part one looks at how easy it is to view someone else’s laptop and part two looks at how easy it is to access someone’s password for personal banking.

It is advised when using public WiFi to avoid logging into areas of the Internet where you may have sensitive data, such as online banking. As a rule of thumb, when on public WiFi, pretend everything you are doing is on a giant screen for everyone to view and all passwords are visible. If you must get on the Internet when no familiar and secure network is available, try using your smart phone as a wireless hotspot instead.

Note: In order to be able to do this you need to have a data plan that is large enough to support this option.

Here are the steps for an iPhone 4G:
Step 1: Go to Settings.
Step 2: Select Personal Hotspot.
Step 3: Select how you want to make the connection: through Bluetooth, WiFi, or USB.
Step 4: Create a password. Typically it will be 8 characters and you should use best practices, including lower and upper case letters, numbers and symbols.
Step 5: Choose the newly created hotspot from your other device and key in the password created in the previous step.

In our next installment of this series we look at best practices for passwords.


Canadian Security Partners’ Forum – Effective Resource for Security Executives

Canadian security executives have long needed a proper support system and forum regarding the landscape of security in Canada. The Canadian Security Partners’ Forum (CSPF) is answering that need. The Forum is a unique network that in just one year has grown to include over 80 organizations that represent most horizontals in most verticals across industry sectors.

The Forum’s success can be traced back to its founder, Grant Lecky, who has a diverse background in security and risk management and a strong focus on business continuity planning, emergency planning and organizational resilience. Lecky was recently acknowledged by Security Magazine for his efforts, which identified him as one of ‘The Most Influential People in Security 2012’.

Security executives, educators and thought leaders have all embraced the Forum’s concepts and goals, helping to overcome the isolation of silos that often gets in the way for most other organizations.

Bonnie Butlin, Executive Director for CSPF, has observed that “you usually don’t see such swift growth in helpful agile networks. It’s more often observed in threat networks.”

One of the many ways the CSPF works with the security community is by acting as a catalyst and facilitator, inspiring conversations followed by action to build new networks that fill recognized voids. As the Forum’s Executive Director, Butlin tracks trends in the news as well as in forum discussions to identify gaps in the community, and then brings them forward to be addressed by the Forum participants. By proactively engaging in discussions on observed trends, the Forum and its participants can respond to topics of concern as they arise, not just after the fact.

In the upcoming October issue of Vanguard, CSPF will be featured in an article outlining just how effective the organization has become in addressing the foundation needs in joint force development. The article is based on the Joint Staff’s study “Decade of War Volume I: Enduring Lessons from the Past Decade of Operations”, which highlights 11 strategic themes for enabling responsiveness, versatility and affordability for collaborative mission-focused groups. Originally used as a post-Iraq evaluation, the themes are applied to the security community and the CSPF.

Defence Intelligence is proud to support the CSPF and the security community at large in proactively combatting threats to Canadian and North American networks.


Taking Responsibility for a Data Breach

A data breach can cause both public embarrassment and significant cost to the company involved, as well as employee turmoil and time spent dealing with the incident internally. This can be compared with handling a sexual harassment incident. Equally embarrassing and perhaps costly if handled wrong, there is a follow-up surge in both cases of training and awareness given to employees at large, in the hope of preventing another incident.

The big difference between these examples is individual blame and repercussions. There is training and retraining or best practice suggestions, but who is getting fired? Even if a company didn’t fire the people responsible for the sexual harassment, they would know whom to watch for future mistakes, and both sides would know that a second lapse in judgement would be the final one. With a data breach, however, the parties involved may still be a mystery following the incident, and no one would know whom to watch or even whom to blame when it happens again.

Government legislation forced corporations to adjust their company policies and provide staff training. The high cost of fines and loss of reputation made acting responsibly no longer a choice. It is now common practice for most companies to have a human resources department that ensures sexual harassment behaviour and the punishment for it are written into corporate policy. Is enough training, combined with clearly defined mandates and consequences, being given to deal with network breaches and data loss?

While the corporation suffers a financial loss and damaged reputation, a company breach can cause the company to lose on so many more levels: financial and proprietary information loss, lost sales, damaged reputation, lost trust from customers and vendor-partners; the list just goes on and on. So why is this not being handled by organizations with more importance and aggression?

A security breach is usually attributed to sloppy habits and an irresponsible attitude that leads to behaviour that creates or allows a breach. It doesn’t matter what people use as an excuse for sloppy habits; they need to be tidied up. Right now the attitude of the average employee toward information security is pure apathy. They don’t care and they have no reason to care. They take no personal ownership over the data they handle for the company, so they feel no responsibility, and no one is ever singled out for information security misconduct. People’s thinking would change quickly if there were a red flashing light that went off on their computer monitor, laptop or device when they specifically broke corporate security rules.

Companies should be writing fines and repercussions into corporate policy for incidents such as:
  • opening an email link or attachment that did not fit the proper profile
  • going to a forbidden or untrusted site
  • using a USB from an unknown source

Until we can track data breaches back without fail to the individuals whose behaviour caused them, begin by deterring the behaviour that could cause the breach. Touch that girl inappropriately? You’re fired. Two “red light” incidents at your workspace? You’re fired. Organizations need a more aggressive approach to security, because the whole company benefits and the whole company suffers when reckless and indifferent behaviour is ignored.