CyberheistNews Vol 4 #49 Dec 23, 2014


Lessons Learned From The Sony Pictures Hack

Bruce Schneier reminded me of an old but very relevant concept in IT Security. There are two types of attacks: opportunistic and targeted. And then you can characterize attackers on two axes: skill and focus.

For example, script kiddies using point-and-click hacking tools are low-skill and low-focus. They grab what they can if the low-hanging fruit is available. On the other side of the spectrum are highly skilled nation-state hackers with a single focus, and Sony Pictures is a good example. A large Democratic People's Republic of (North) Korea (DPRK) hacking team went in and shut down Sony, their job made easy by Sony's third-rate security. As the DPRK specializes in unconventional (asymmetric) warfare, this type of attack may have been a great practice run for them.

In the middle between these two sit the opportunistic high-skill but low-focus attacks that we read about in the paper regularly: Target, Home Depot, JP Morgan Chase, and now news breaks that Staples lost a million cards. I'm getting breach-fatigue, how about you?

So, what are the lessons learned?

  1. If you are the target of a high-skill, high-focus attack you can count on them getting inside. You need to focus on defending the crown jewels and make sure they do not get exfiltrated. The fact that Sony did not notice terabytes of data leaving the network is an epic fail. Lesson learned: use encryption and breach detection tools.
  2. If you handle a lot of credit cards, Russian cybercrime has you in their crosshairs, but so are a million others. If Home Depot had upgraded their POS systems in time from XP to Win7, they would not have been hacked. So, good security makes the attacker's job a lot harder, more expensive and more risky. This type of bad guy is in it for the cash and their time is money -- they will move to a weaker target. Lesson learned: create enough IT security budget to give the InfoSec team the time and tools to implement best practices.
  3. The time to start preparing is before the attack. Get a professional pentester and see how they penetrate your network; the good ones always get in. Remember that IT security is really three things: protection, detection and response. Lesson learned, and I'm quoting Schneier here: "You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout."
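Lesson 1 hinges on noticing large volumes of data leaving the network. As an added example (not from this newsletter or any vendor it mentions), here is a per-host egress baseline check over constructed flow summaries: it flags a host whose outbound bytes on its latest day dwarf its own median over earlier days and names the destination that took the bulk. The hostnames, addresses and byte counts are all made up.

```python
"""Egress-volume baseline check: flag hosts whose outbound byte total on their
latest day dwarfs their own recent history. Added example with constructed
flow summaries, not data from the Sony incident."""
from collections import defaultdict
from statistics import median

# Constructed per-flow summaries: (day, source host, destination, bytes out).
FLOWS = [
    ("2014-11-20", "fileserver01", "203.0.113.10", 2_000_000_000),
    ("2014-11-21", "fileserver01", "203.0.113.10", 2_200_000_000),
    ("2014-11-22", "fileserver01", "203.0.113.10", 1_900_000_000),
    ("2014-11-23", "fileserver01", "203.0.113.10", 2_100_000_000),
    ("2014-11-24", "fileserver01", "203.0.113.10", 2_000_000_000),
    ("2014-11-24", "fileserver01", "198.51.100.7", 900_000_000_000),  # ~900 GB out
    ("2014-11-20", "laptop17", "203.0.113.20", 50_000_000),
    ("2014-11-21", "laptop17", "203.0.113.20", 60_000_000),
    ("2014-11-24", "laptop17", "203.0.113.20", 70_000_000),
]

def daily_egress(flows):
    """Return {host: {day: total bytes out}} from per-flow summaries."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def flag_egress_spikes(flows, ratio=10.0, floor_bytes=100 * 1024**3):
    """Flag hosts whose latest-day egress is at least `ratio` times their median
    over earlier days AND above an absolute floor (100 GiB by default), so a
    box with a tiny baseline does not alert on a routine update download.
    Returns {host: (latest_bytes, baseline_bytes, busiest_destination)}."""
    totals = daily_egress(flows)
    alerts = {}
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no history to compare against yet
        latest, history = days[-1], days[:-1]
        baseline = median(per_day[d] for d in history)
        latest_bytes = per_day[latest]
        if latest_bytes >= floor_bytes and latest_bytes >= ratio * max(baseline, 1):
            # Attribute the spike: which destination took most of the bytes that day?
            by_dst = defaultdict(int)
            for day, h, dst, nbytes in flows:
                if h == host and day == latest:
                    by_dst[dst] += nbytes
            alerts[host] = (latest_bytes, baseline, max(by_dst, key=by_dst.get))
    return alerts
```

Run against real NetFlow or proxy logs, the same check needs only a loader that yields the same four-field tuples per flow.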

Taking a possible inside job, or help from the inside, off the table for a moment, as the Sony attackers came from across the planet, there are only three ways they could have gotten in:
  1) Misconfigured servers that allowed unauthorized access;
  2) Software vulnerabilities, either known holes or unknown zero-days;
  3) Social engineering of untrained employees who simply let the bad guys in by clicking on a spear-phishing link.

At least you can do something about the last one right away, with the brand new, updated Kevin Mitnick Security Awareness Training 2015. We have now sent over 2 million simulated phishing emails across 35,000 campaign runs! Find out how affordable this is for your organization:
https://info.knowbe4.com/kmsat_get_a_quote_now

Malware Used To Wipe Sony's Drives Was Quick And Dirty

It's still not clear (and it may never be discovered) how the Democratic People's Republic of (North) Korea (DPRK) hackers came in. Perhaps they used all available threat vectors, since Sony's security was so lax: misconfigured servers, software vulnerabilities and social engineering spear-phishing emails to employees.

But CERT said: "Cyber threat actors are using an SMB worm to conduct cyber exploitation activities. This tool contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool."

Quick And Dirty

However, an analysis by security researchers at Cisco of a malware sample that matches the MD5 hash signature showed that the code was full of bugs and anything but sophisticated. They compared it to the software equivalent of a crude pipe bomb.

Put next to other state-sponsored malware, "It's a night-and-day difference in quality," said Craig Williams, senior technical leader for Cisco's Security Group, in an interview with Ars Technica. "The code is simplistic, not very complex, and not very obfuscated."

Heck, it does not take a lot to wipe a disk. Remember the old "Format C:" command? Here are the CERT details. Alert (TA14-353A) Targeted Destructive Malware:
https://www.us-cert.gov/ncas/alerts/TA14-353A

Here Is A Video Holiday Wish From All Of Us At KnowBe4

Here is the link to our blog where the video will play. Enjoy!!
https://blog.knowbe4.com/here-is-a-video-holiday-wish-from-all-of-us-here-at-knowbe4

The 5 Biggest Cybersecurity Myths, Debunked

WIRED wrote: "A domain for the nerds." That is how the Internet used to be viewed back in the early 1990s, until all the rest of us began to use and depend on it. But this quote is from a White House official earlier this year describing how cybersecurity is too often viewed today. And therein lies the problem, and the needed solution.

"Each of us, in whatever role we play in life, makes decisions about cybersecurity that will shape the future well beyond the world of computers. But by looking at this issue as only for the IT Crowd, we too often do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Some threats are overblown and overreacted to, while others are ignored." See the 5 myths here:
https://www.wired.com/2014/07/debunking-5-major-cyber-security-myths/


Warm Regards,
Stu Sjouwerman



Quotes Of The Week


"A smart person will give you smart answers, but a wise person will ask you smart questions." - seen on the Web -

"The most difficult thing is the decision to act, the rest is merely tenacity. The fears are paper tigers. You can do anything you decide to do." - Amelia Earhart

"Success is not final, failure is not fatal: it is the courage to continue that counts." - Winston Churchill

Security News

Train Your Employees About Mobile Device Security

BYOD is the number one headache for InfoSec pros at the moment. We can help. Our new 20-minute, refreshed-for-2015 Mobile Device Security module of the Kevin Mitnick Security Awareness Training series specializes in making sure your employees understand the importance of staying safe online while using a mobile device.

They will learn the risks of their exposure to mobile security threats and will be able to apply this knowledge in their day-to-day job. Learn more and request a quote:
https://info.knowbe4.com/mobile-security-module-14-12-23

InfoSec World Conference & Expo March 23-25 2015 Orlando, FL

InfoSec World 2015 returns to Disney's Contemporary Resort with a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. With a selection of top-rated returning speakers and a roster of highly-regarded new-to-InfoSec World speakers, you'll find content that is compelling, actionable and applicable to the current challenges you face at your job. Join your peers this March for 90+ sessions, 11 in-depth workshops, 3 co-located summits, a packed exhibit hall and a host of memorable networking events.
www.misti.com/infosecworld

Malware Incident At Mental Health Nonprofit: $150K Fine

As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other risks. More at:
https://www.jdsupra.com/legalnews/malware-incident-at-mental-health-nonpro-25161/

Nine Data Breaches That Cost Someone Their Job

This is actually a good article to send to your managers in your everlasting battle for IT Security budget.

'Tis the season for data breaches. Following last year's big announcement of not just Target's data breach but executive job loss, CSO lays out 9 data breaches resulting in job loss, comparing Target alongside other breaches that have fallen under the radar:
http://www.csoonline.com/article/2859485/data-breach/9-data-breaches-that-cost-someone-their-job.html

Staples: 6-Month Malware Breach, 1.16 Million Cards

Office supply chain Staples Inc. finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.

KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating "a potential issue" and had contacted law enforcement.

In a statement, Staples released a list of stores hit with the card-stealing malware, and the stores are not limited to the Northeastern United States. Russian cybercrime at its best, after Target, Home Depot and JP Morgan Chase. That Was Easy! (could not help myself)
https://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/

About Time: Obama Signs 5 Cybersecurity Bills

This is the first time in a dozen years that major CyberSec bills actually became law. Without ceremony, President Obama on Dec. 18 signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security.

It's the first time in 12 years that significant cybersecurity legislation has become law. The last major piece of cybersecurity law to be passed by Congress and signed by a president was the E-Government Act of 2002, which included FISMA.

The five cybersecurity measures, among 48 bills the White House announced the president had signed, include the:

  • Federal Information Security Modernization Act;
  • Homeland Security Workforce Assessment Act;
  • Cybersecurity Workforce Assessment Act;
  • National Cybersecurity Protection Act;
  • Cybersecurity Enhancement Act.

More about these at the GovInfoSecurity site:

https://www.govinfosecurity.com/obama-signs-5-cybersecurity-bills-a-7697

Here is the best (comedy) rendition of "White Christmas" evah!:

https://www.youtube.com/watch?v=u7iLc7XhU8E

A "must-listen"... this TED talk by Mikko Hypponen from F-Secure:
https://www.youtube.com/watch?v=QKe-aO44R7k#t=1115

Last but not least, I simply could not resist this vanity license plate!
https://blog.knowbe4.com/i-simply-could-not-resist-this-vanity-plate
