Last year was a pretty big year for data breaches, and 2015 is not looking much different. Online retailers used to be the big target, but this year we've seen breaches across many different sectors, including insurance, health care and even government. These targets carry even more of our personal data than retailers did.
Awareness of security issues is higher than ever, with people putting more effort into protecting their data. Even so, according to the Ponemon Institute's 2015 cost-of-breach study, the cost per stolen record has still managed to increase by 6% this year, to an average of $154 per record.
Companies like Uber, Experian, Anthem and Premera, and even the IRS, had data breaches. Check out this graphic from Bromium to see the size and extent of the breaches in 2015.
Wednesday, December 30, 2015
Tuesday, December 29, 2015
Call for Security Authors! No Prior Writing Experience Needed!
Over the course of the next year, I'd like to publish a few small booklets on recurring themes we've seen year over year in the security industry. I'd like to break these booklets into chapters, with people within the security industry contributing the real-world material and insights. There is really nothing better than having those working in the trenches each day guide how the booklets should be written. There are many people out there who don't have a way to share what they're learning and doing each day, and hopefully this can give them that outlet. By doing so, we all benefit.
Within each topic I'd like to include multiple chapters. Each topic will be somewhat different, but what I'm aiming at is education on the topic itself. The granularity of the information will vary by topic, but we should attempt to hit the following main themes for each subject:
Booklet Themes
- Review of the topic
- Why it’s a recurring topic
- Advice with solutions
- Tricks of the trade
- Improvements
To start, I'm proposing the following six topics, since advice in these areas is in great demand both when resolving an issue and when proactively looking to improve your security posture. I'd like these booklets to serve as guides for building better security around each topic. They won't be vendor slicks trying to sell a product, but something valuable that can be taken without bias, which in my opinion is worth far more. This is also a first stab at the topics; if you have others you think should be on the list, please let me know. We're flexible.
Topics
- Incident Response
- DDoS
- Deception in Depth
- Security Monitoring
- Phishing
- Application Security
If you have experience in any of these areas and want to submit content on these topics, please contact me at the email below. Once we have enough authors signed up, we'll break down the themes of each topic in more detail. These booklets aren't being sold and would hopefully be released under a Creative Commons license, so that others can share and add to them freely while giving credit to those who worked on them.
If you’re interested, please contact me at matthewpascucci@protonmail.ch.
Monday, December 28, 2015
Cyber Security 2015 Reflections - Another Year Gone By
Here are some cyber security reflections I've written for Algosec as the year comes to a close, along with a few things we're forecasting for the new year.
http://blog.algosec.com/2015/12/the-state-of-security-reflections-on-2015.html
Wednesday, December 23, 2015
Another Example of Why Governments Should Exit the Encryption Debate (The Juniper Debacle)
With the recent revelation of the Juniper backdoor vulnerability, it raises the question of why we should “let” the government put purposeful backdoors into our products. Apple has been very vocal about why it won’t be bullied by the government into allowing this type of behavior, and about how the privacy of its users’ data is paramount. With the recent terror attacks in Paris and elsewhere in the world, governments everywhere, the U.S.A. and U.K. being the loudest, are attempting to use fear to push their agendas. This isn’t news to anyone. We know they’re looking to create backdoors into our encryption, and it’s for that very reason that we have the Juniper scandal today.
In a recent article, WIRED magazine explains that the backdoor was made possible by the DUAL_EC_DRBG random number generator, which the NSA is believed to have designed so that whoever knows a secret relationship between its two fixed points can predict its output, and with it the keys derived from that output, allowing encrypted data to be read surreptitiously. Suspicions of a backdoor were raised while the algorithm was under review, yet it was still published in the NIST standard (SP 800-90) as one of the recommended random number generators at the time. It’s been reported that this was part of the NSA’s BULLRUN program, created to defeat the encryption used by monitoring targets, with a budget reported at roughly $250 million a year. Even more concerning, the NSA reportedly paid RSA $10 million to make this algorithm the default random number generator in its BSAFE product. RSA has since said it was unaware of any backdoor at the time, but it’s still highly suspicious.
This being said, governments have already been accessing our systems, either in cooperation with technology vendors or by illegally circumventing vendors’ technology to gather the data they’re looking to collect. So why should we trust them to be more responsible if we allow them to put holes into the products we use every day? What have they done in the past to earn this respect and trust? They haven’t shown they’ll play within the rules, so what makes them think we’d be willing to be taken by the hand and walked down a path we'll eventually regret? The problems they’ve created, look at Stuxnet and DUAL_EC_DRBG, discredit them from being taken seriously. It’s also overreaching to invoke the terrorist attacks in Paris, where the attackers didn’t use encrypted channels for their communications, or the terrorist attacks in San Bernardino, where one of the attackers made a public Facebook announcement of their actions. Both sets of communications were in cleartext, and neither attack was stopped. This might be somewhat far-fetched on my part, but if you want all the encrypted information, start by stopping the things that happen in the clear first.
What many of these governments aren’t considering is that they’re making your devices less secure and more vulnerable to eventual attack by someone else. I understand they want a separate key that would only allow them to access the data when needed, which is still scary. But just like Dr. Ian Malcolm said in Jurassic Park, “Life, uh… finds a way,” and it’s possible that the vulnerability you created for yourself will be abused by others: that the hole will be used to spy on you, or that even more malicious actors will use a similar method to abuse the access that was blown open to “protect” people. I can’t see any concrete reasons, or examples from the past, that dramatically tilt the argument in the government’s favor against our giving up our privacy. So the latest backdoor issue to come to light, the one at Juniper, all due to the NSA making a hole that shouldn’t have been there to begin with, is yet another example of why governments should remove themselves from this debate completely. They don’t have a track record of being responsible with this type of access, and we don’t want to give it to them.
Monday, December 21, 2015
Shop Safe This Holiday Season
With the holiday shopping season in full swing, many shoppers are deciding to skip the long lines and instead make their purchases from the convenience of their mobile device. Did you know that nearly 53% of online purchases during last year's holiday season were made from a smartphone or tablet? This number is expected to grow even higher, making mobile shoppers a major target for cybercriminals. It's more important now than ever to fully understand how to stay safe when shopping from a mobile device or online. #ShopSafe.
Thursday, December 17, 2015
What's on Your InfoSec Wishlist?
I was recently asked the following question by TripWire: “If you had one wish for the infosec community this holiday season, what would it be and why?” This is a very loaded question, to be honest, since there are so many things on my wishlist, but there's one area I'm particularly passionate about that I think we should be doing more of next year. Here's my wishlist item, alongside those of many other information security professionals, on what we'd like to see the community start doing in the new year.