Wednesday, October 12, 2016

Universities Get an "F" in Cyber Security

A recent article by “The Institute” raises the concern that both students and schools are shying away from cyber security education. The article goes on to say:

“Only three of the top 50 university computer science programs in the United States require students to take a cybersecurity course, and many don’t even offer a class on the subject, according to a recent study by CloudPassage, a cloud computing security company.”

They quote our friends at CloudPassage and the study they did on the same subject. The study lists a few Key Findings, but this one stands out:

“None of the top 10 U.S. computer science programs require a cybersecurity course for graduation. In fact, three of the top 10 university programs don’t even offer an elective course in cybersecurity.”

This finding shows that the leaders in charge of education aren't taking cyber security seriously. It's still seen as an afterthought rather than a skill that applies across every discipline of academia. This limited mindset has helped cause a knowledge gap and has left employers scrambling when it comes to hiring real talent. Consider this quote from their article:

“The skills gap is so wide, he says, that employers are recruiting from other fields, like biology and law, to find talent. People in such fields, he points out, have learned skills required of cybersecurity professionals, such as problem-solving and finding flaws in human and legal systems, which can translate to computer systems.”

I’m glad that security is becoming integrated into schools, but it’s concerning that it’s treated as an afterthought instead of a requirement. Hopefully, as time goes by, we’ll continue to see awareness of cyber security pushed into all disciplines during the education process and beyond.

Friday, October 7, 2016

The Biggest Cybersecurity Threats Are Inside Your Company

This may come as a shock to the majority of the public, but the bulk of threats (as defined by CSOs, IT managers and security specialists) are found within the confines of the company itself. Yes, hackers still exist, and there are times when they succeed in their nefarious deeds, penetrate security measures and cause a breach. And while this type of cyberthreat is the kind highlighted on the front pages of newspapers and magazines, it represents only a small fraction of the cybersecurity threats to a company.

Whether they want to believe it or not, the biggest threat to the overwhelming majority of companies comes from within. Whether their actions are intentional or not, employees, not hackers, are considered the larger threat to a company’s security. Most alarming is that these incidents are not decreasing, but increasing steadily.

In a recent study by IBM, it was found that a third of all cyberattacks a company faces can be directly linked to the actions (or inaction) of its employees. Disgruntled employees, who often have access to sensitive and even classified data, are a likely cause. These employees simply copy the data to a flash drive or upload it to a third-party cloud service, and just like that the company’s security measures have been breached. These offenders are usually trained and know the ins and outs of the system well enough to bypass its security protocols. They are methodical and act with deliberate intent, often having planned the heist for weeks or months ahead of time.

Then there are opportunists. These bad apples often stumble across a weak link in the security fence, quickly exploit it and harvest any and all data made available to them. They often do not know what to do with the data they have just pilfered. If the data can be easily liquidated for money, then that is the most likely course of action; otherwise they will likely sell the information on the black market, which in this day and age is easily accessible via the Dark Web.

Finally, there is a last category, which is a catch-all for errors of omission. These can include anything from poor email handling to bad decision making and falling for phishing. Basically, employees in this category do not intend to expose their company to a cyberthreat, but because they failed to follow the correct course of action, they have let the fox into the hen house.

The bad news is that these are very real scenarios, and the role insiders play in putting the company in danger has been on a steep uptick. The good news is that strategies can be implemented to decrease such incidents and, in some cases, even eliminate them altogether. Errors of omission, while broader, may be the easiest to tackle, because protocols can be created to plug the leaks and fortify the wall of security that surrounds a company’s systems. Email handling, web surfing and download protocols should be created and enforced throughout the organisation without exception. And yes, that includes the C-suite of executives.

The human component is a bit harder to deal with, as you never know when the “switch” will be flipped in someone’s mind. What may be a great and stalwart employee one day may very well be a malicious hacker the next. Compartmentalising systems and restricting access to those who have been cleared will definitely decrease the number of intrusions and internal hacks that occur. Furthermore, making things just a little bit harder to access is often all it takes to deter or hinder the opportunist from going through with the crime. By creating a blacklist of sharing software and cloud services that can be run on company devices, you effectively decrease the number of outlets through which a disgruntled employee can smuggle out company data. Employ deep analytics that track who has accessed which files and directories, and that can send out a warning when file transfers are taking place.
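One way to turn the "track who accessed what, and warn on transfers" advice into detection logic, as an added example that is not from the article or from Amazing Support: it runs over a small constructed audit log and flags any user who copies more than a threshold of sensitive files to removable media or a cloud service within a short window. The log format, the sensitive path prefixes and the USB:/CLOUD: destination labels are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp, user, action, path, destination.
# "-" means no destination (a plain read); USB:/CLOUD: mark external destinations.
AUDIT_LOG = """\
2016-10-06T09:01:10 alice READ /finance/q3_report.xlsx -
2016-10-06T09:02:44 alice READ /finance/q3_budget.xlsx -
2016-10-06T09:05:02 bob READ /hr/payroll.csv -
2016-10-06T09:05:30 bob COPY /hr/payroll.csv USB:E
2016-10-06T09:05:41 bob COPY /hr/contracts.zip USB:E
2016-10-06T09:05:55 bob COPY /hr/salaries_2016.xlsx CLOUD:dropbox.com
2016-10-06T09:20:13 alice READ /finance/forecast.xlsx -
"""

# Assumed policy: these directory trees hold sensitive data; these destinations are external.
SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/legal/")
EXTERNAL_PREFIXES = ("USB:", "CLOUD:")


def parse_line(line):
    """Split one audit line into a dict; timestamps are ISO 8601."""
    ts, user, action, path, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "dest": dest}


def find_exfil_candidates(log_text, max_external_copies=2, window_seconds=300):
    """Return {user: peak_count} for users who copied more than max_external_copies
    sensitive files to an external destination inside any window_seconds window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_user = defaultdict(list)
    for e in events:
        if (e["action"] == "COPY" and e["dest"].startswith(EXTERNAL_PREFIXES)
                and e["path"].startswith(SENSITIVE_PREFIXES)):
            per_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        # Sliding window over this user's external copies, oldest to newest.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_external_copies:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


if __name__ == "__main__":
    for user, n in find_exfil_candidates(AUDIT_LOG).items():
        print(f"WARNING: {user} copied {n} sensitive files to external media/cloud")
```

With the sample log only bob trips the threshold (three external copies in 25 seconds); alice's plain reads produce no warning.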

It should go without saying, but it is still worth mentioning that the easiest way to prevent a lot of intrusions and cybersecurity threats is to implement a data security plan. Many would be surprised at how effective even the most minimal security measures are at deterring a great deal of threats, both external and internal. The number of threats your company is exposed to gets smaller with every layer of security that is added. While this last piece of advice may seem like a “no-brainer”, the sad fact is that more often than not businesses choose to operate without even the most basic cybersecurity measures.

While it may seem normal, even natural, for companies to keep their vigilant eyes looking outwards, they should pay equal attention, if not greater, to the goings-on and threats that may come from within. So why then does it seem that only external attacks make the headlines? Because no company ever wants to admit that it hires criminals, or those who can be perceived as criminals. There are public relations and optics to worry about, after all. Now more than ever, companies must know, or should know, their employees on a much deeper level in an attempt to discern their motives and intent and whether or not they are seeking to harm the company. This is not to say that companies should not trust their employees; indeed, failing to do so may very well lead to that company’s demise. However, the figures do not lie. Attacks are coming from within, and since companies are already investing in security to prevent attacks from without, it should not take that much more to implement measures against internal cyberattacks.

Guest Author - David Share
Director at Amazing Support
http://www.amazingsupport.co.uk/

David has held positions as Operations Director and Head of IT in legal and professional firms for more than 10 years. He is a Director and co-owner of Amazing Support, a Microsoft Silver accredited and specialist Managed IT Support and IT Services company. David actively helps SME businesses receive better Managed IT Support and IT Services in the London and Hertfordshire areas. He also assists overseas companies who are looking to expand their business operations into the UK and helps with their inward investment IT process. A professional member of The Chartered Institute for IT (BCS) and an event speaker promoting business start-ups and technology awareness. Married with a son, you will often see him riding his bicycle around the Hertfordshire towns! David regularly participates in charity bike rides for the British Heart Foundation.

Thursday, October 6, 2016

Strategies to Defend Against Ransomware Today

Here's an article I contributed to for Tripwire with some advice on defending against ransomware. At the end of the day, if we don't pay the ransom these attacks will go away. Here are some steps from David Balaban, Travis Smith and myself on the precautions needed to defend against ransomware today.

http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/a-three-pronged-strategy-to-help-organizations-defend-against-ransomware-attacks-2/


Tuesday, October 4, 2016

Why the Mirai IoT Botnet Changed the DDoS Game

Over the weekend the Mirai code for the IoT botnet was released on the internet. Essentially, this allows copycats and borderline script kiddies to adjust the code as needed for their own misguided use. The Mirai botnet was the botnet that took down both Krebs and OVH last week, and there’s been debate as to the number of hosts commanded by it. Either way, it ended up throwing two of the largest DDoS attacks ever seen. The OVH attack tipped the scales at around 1 Tbps, which is like wielding your own personal Death Star across the internet.

This being said, I think we’ll see the Mirai botnet start declining, but that there’ll be an uptick in IoT-related DDoS attacks. This was only one botnet, made mostly from small cameras attached to the internet, but what happens when someone goes out and starts creating a botnet from multiple kinds of IoT devices? What if they slowly harvest vulnerabilities within the plethora of insecure IoT devices? An attacker could slowly command an army of soda machines, thermostats, cars, DVRs, etc., that when combined will be larger than anything we’ve ever seen before. This is like a botnet-of-botnets (BoB) making one mega-botnet to rule them all (okay, now there are LOTR references in here too, sorry).

Either way, the Mirai IoT botnet has shown that DDoS is about to turn it up to 11 real soon, and hopefully the Akamais, Cloudflares, Googles, etc. are going to be ready for it. These providers always aim to have N times the bandwidth of the largest known DDoS attack on record, so this might leave them scrambling to determine bandwidth sizes for the future. I also think the ISPs need to start playing a bigger role here when it comes to botnets of this size, but regulation and cooperation from other countries would also need to be involved, and this has historically been difficult.

So this is why Mirai changed the game. It almost completely brought down a DDoS mitigation network, which means that if there were two botnets of equal size it would be difficult to maintain. This also means that if providers can’t absorb multiple attacks of this size, their other customers will be left unprotected and vulnerable to attack, or their “always on” customers could even face an internet outage. Lastly, this starts the herding of an untapped market of IoT devices ripe for the picking, and I think we’ll see copycats using similar code on different IoT devices real soon. Things are about to get interesting.

Monday, October 3, 2016

Shine Your Light on the Dark Web

Here's an article I wrote about using the dark web as a monitoring tool. Honestly, we should be using every tool at our disposal in order to get a step up when it comes to defending against attackers. If attackers are using the dark web as a tool for malicious activity, then we need to flip the tables on them and use it to our advantage. This is pure intelligence which can be used as an early warning sign that "bad crap is coming". Either you do nothing and wait, or you attempt to infiltrate the lion's den.

Saturday, October 1, 2016

Wanted: Conversation with forensic psychologist to assist with security research

I'm looking for introductions to behavioral or forensic psychologists in regards to a cyber security research project I'm working on. I'd like to set up a conversation and pick their brains on a couple of topics. Anyone you guys recommend?

If so, please contact me at mpascucci [at] frontlinesentinel.com.