Wednesday, July 9, 2014

So you think your cell phones are safe, do you? These days, for most of you, your smartphone is your life, but I can tell you that your smartphones are not impervious to hacks when connected to a network, whether cellular or wi-fi. In this video, you will see a host of real-time phone hacks that tackle the question of mobile phone security. Oh, just to let you know....they are NOT too secure!

Tuesday, July 8, 2014

Hackers have the time and desire to hack anything. They do it for fun. In this blog entry I would like to introduce you to information security researcher Mathew Solnik. In the video he gives a first-hand demonstration of how to remotely send commands to a car and tell it what to do. A hacker, or even you, can do this for very little cost and effort; note that Solnik spent a little over a grand and about a month of work to reverse-engineer a car's computer system to make it ready for a takeover. Wait until you see how simple this can be.

Sunday, June 22, 2014

Chinese-Made Smartphone Comes With Spyware, Surprise, Surprise...NOT!

I know this comes as no surprise to savvy folks like you, but G Data, a German cyber security firm, tested the Star N9500, a cheap Android-powered smartphone made in China, and found that it ships with more than just an 8-megapixel camera and quad-core processor. According to G Data, the device has malicious software embedded in it which could be used to track the phone's user and manipulate the device remotely.
G Data said it discovered a so-called Trojan-horse malware, called Usupay.D, in the phone's Google Play app store.
It said it fielded several complaints from buyers of the phone and ran tests on a newly purchased device. During testing, it found that the spyware on the smartphone sends phone identification and specification data to an unidentified server located in China.
G Data said the malware could also operate phone functions remotely, like turning on the camera, though it said it found no evidence that this had happened on the phone it studied.
It also said that sending data to a Chinese server doesn't necessarily mean an attacker targeting the phone is based there.
G Data could not say how the malware ended up on the phone. 
The N9500, similar to the best-selling Samsung Galaxy S4, is a popular low-cost smartphone, found on for between £85 ($141) for a new 5.0-inch version and £119.89 for a new 5.7-inch HD version.
The malicious software is pre-installed in the so-called firmware, the software that comes with the phone and operates its systems. It can therefore not simply be deleted like a regular app installed from a third-party app store.
The malware program itself was identified by Kaspersky Lab in March 2013. G Data says its analysis is the first time Usupay.D has been discovered bundled with a mobile phone.

Saturday, June 21, 2014

Creating Good IT Security Metrics Is Vitally Important to Security Programs

One of the biggest problems I see in most security programs is a lack of metrics that REALLY measure the effectiveness of the program. IT security metrics provide a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization.

It is essential that whoever is leading your cyber security program chooses and designs effective measurement strategies and addresses the data requirements of those strategies.

There is a Security Process Management Framework that allows for the production of analytical strategies for security metrics data. I will discuss that in my next blog. Using this framework, you can take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time.

In any case, here are examples of security measurement ideas that will allow you to measure your program effectively.
  • Define security metrics as a manageable amount of usable data
  • Design effective security metrics
  • Understand quantitative and qualitative data, data sources, and collection and normalization methods
  • Implement a programmable approach to security using the Security Process Management Framework
  • Analyze security metrics data using quantitative and qualitative methods
  • Design a security measurement project for operational analysis of security metrics
  • Measure security operations, compliance, cost and value, and people, organizations, and culture
  • Manage groups of security measurement projects using the Security Improvement Program
  • Apply organizational learning methods to security metrics
I will expound on these and other concepts in upcoming posts.

Sunday, June 8, 2014

Security as a business enabler

One thing that businesses forget is that security is supposed to be an enabler, not an inhibitor. What I mean is that often security gets in the way of doing business, or sometimes even drives business operations. That is why, when other business functions see us coming, you hear them mumble statements like, "Here come those security geeks again, what do they want us to do NOW?" instead of, "Hey, here come the security pros, I wonder what wonderful business enhancers they have for us today?"

There are some security experts who believe that security is NOT a business enabler because, according to them, "in order for a function to be a 'business enabler' it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition it would require the product that is sold to be security centric or the use of security as a competitive differentiator for the product line."

I have to disagree with this statement. According to an enabler is, "Capabilities, forces and resources that contribute to the success of an entity, program, or project." This definition says nothing about revenue stream, although I would argue that if security contributes to success, and success in business is earning revenue, then it is indeed an enabler.

I believe that it is about time security got the respect it deserves. For many years security has been treated as the proverbial "stepchild" of business. Like custodial services, security guards, and other things of this nature, IT security has been regarded as a necessary evil, or a money drainer for businesses. However, business leaders are now beginning to "see the light". They are now recognizing the value of excellent IT security to their reputation, their security, and yes, the bottom line: profit.

My detractors argue that "security as an enabler" was a concept "created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines." They say it is "designed to feed the undying need to provide security with tangible evidence of its importance. It is analogous to asking for a ROI on an insurance policy." To them this concept is nothing more than a way to sell security and its services. I say NAY. I will argue that good security processes can help increase revenue up to 10%, and you cannot measure the return on investment of good security stopping a security breach and preserving the company's good name...just ask Target, eBay, and others.

Saturday, June 7, 2014

Learn more about cyber security at my new SQUIDOO lens

Cyber-Sense at Squidoo

Defending against Denial of Service Attacks

The denial of service attack, also known as DoS, is one of the most common attacks on the internet, so it is important that you understand how it works and know how to defend against it.

A denial of service attack is any attack whose goal is to deprive you of the use of your computer system or network. It is not a hacker trying to infiltrate, or break into, your system to get at critical information. Instead, its goal is to prevent users from having access to your system. This could mean a loss of millions of dollars to a business.

The thing is, DoS attacks are rather easy to perpetrate. The tools can even be downloaded from the internet and put into action by amateurs. The hard part is not launching a DoS; it is covering tracks and not getting caught.

The concept of the DoS is that all devices have operational limits to their capacity to perform. These are composed of such things as the maximum number of users, the speed of data transmission, or the amount of data that can be stored. Exceeding limits such as these will cause the system to stop responding.

One example of a type of DoS attack is called the SYN flood. The SYN flood consists of simply sending a flood of "pings" (more precisely, TCP connection requests, or SYN packets) very rapidly and then never responding to the reply that the target sends back as a result (there is more to the attack than this, but it is a little complicated to explain here). In other words, the attacker requests a connection to your system, then never follows up with the rest of the connection sequence. This leaves the connection to your system "half open" and the buffer memory the system allocated for it reserved and unavailable to other applications...or to people trying to connect. The SYN flood is a primitive method of causing a DoS, but it makes my point.

There is no guaranteed way to prevent DoS attacks; however, there are steps you can take to minimize the danger. The defenses fall into two categories, technical and procedural. Technical defenses are items you can install on or configure in your system to make it safer. These include such things as antivirus software, micro blocks, RST cookies, and stack tweaking. Procedural defenses include modifying your system usage behavior as it relates to security measures, such as not downloading suspicious files that might have DoS software embedded in them and not opening unverified attachments.

It should be obvious that protecting your system is critical, and you must do what you can to deny...a denial of service.
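As an added illustration (not part of the original post) of why half-open connections exhaust a server and how a cookie-style defense sidesteps the problem, the Python model below keeps a bounded half-open table with a timeout, the way a plain listen backlog does, and beside it a stateless listener that encodes an HMAC over the connection tuple and a coarse time counter in the sequence number it hands back, so it stores nothing until the client's final ACK proves the handshake was completed. The capacity, timeout, addresses and the simple cookie layout are constructed assumptions for the demonstration, not values taken from a real TCP stack.

```python
import hashlib
import hmac
import secrets


class HalfOpenTable:
    """Stateful model of a listen backlog: every SYN reserves a slot until the
    handshake completes or the entry times out (constructed model, not a real stack)."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = {}  # (client_ip, client_port) -> time the SYN arrived

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.timeout}

    def on_syn(self, client, now):
        """Return True if the SYN got a slot, False if the backlog is full."""
        self._expire(now)
        if client in self.entries:
            return True  # retransmit of a SYN we already hold
        if len(self.entries) >= self.capacity:
            return False  # backlog exhausted: this client is dropped
        self.entries[client] = now
        return True

    def on_ack(self, client, now):
        """Complete the handshake; True only if a matching half-open entry existed."""
        self._expire(now)
        return self.entries.pop(client, None) is not None


class SynCookieListener:
    """Stateless alternative: the SYN-ACK sequence number is an HMAC over the
    4-tuple and a time counter, so no memory is reserved for half-open connections."""

    def __init__(self, secret, window=64):
        self.secret = secret
        self.window = window  # seconds per counter tick (assumed value)

    def _cookie(self, client, server, counter):
        msg = f"{client}|{server}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC plus the low 8 bits of the counter fit a 32-bit sequence number
        return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

    def on_syn(self, client, server, now):
        """Return the sequence number to send in the SYN-ACK; nothing is stored."""
        return self._cookie(client, server, int(now // self.window))

    def on_ack(self, client, server, ack_num, now):
        """Validate the final ACK by recomputing the cookie for the current and previous tick."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        current = int(now // self.window)
        for cand in (current, current - 1):
            if (cand & 0xFF) != (isn & 0xFF):
                continue
            expected = self._cookie(client, server, cand).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                return True
        return False


def simulate_flood(n_unfinished, capacity=128, timeout=30.0):
    """Constructed scenario: n_unfinished SYNs that never complete, then one legitimate
    client. Returns (legit_accepted_by_stateful_table, legit_accepted_with_cookies)."""
    table = HalfOpenTable(capacity, timeout)
    listener = SynCookieListener(secrets.token_bytes(32))
    server = ("203.0.113.10", 443)  # documentation address, constructed
    for i in range(n_unfinished):
        client = (f"198.51.100.{i % 254 + 1}", 1024 + i)  # constructed sources
        table.on_syn(client, now=0.0)
        listener.on_syn(client, server, now=0.0)  # no state retained here
    legit = ("192.0.2.7", 40000)
    stateful_ok = table.on_syn(legit, now=1.0) and table.on_ack(legit, now=1.1)
    isn = listener.on_syn(legit, server, now=1.0)
    cookie_ok = listener.on_ack(legit, server, (isn + 1) & 0xFFFFFFFF, now=1.1)
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print("10 unfinished handshakes:", simulate_flood(10))
    print("500 unfinished handshakes:", simulate_flood(500))
```

The stateful table only recovers once its timeout expires the abandoned entries, which is exactly the window a flood keeps refilling; the cookie listener never has that window because it holds no entry to exhaust, at the cost of the small bit budget the cookie leaves for negotiated options.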


Friday, June 6, 2014

Come join me in the wonderful and lucrative world of cyber security

Cha-ching!!! Following a number of very high-profile cyber-attacks, some of the largest companies in the world are hiring security specialists, not just to fill security roles, but also to join corporate boards and provide cyber security guidance from the top down.

In these attacks, companies have lost hundreds of millions of customer records, including financial details.

With all this happening, this is a GREAT time to become a Chief Information Security Officer (CISO). CISOs at major organizations can typically command pay packets of more than $500,000, with some earning as much as $2m.

CISOs typically report to the CIO; however, many of the companies now hiring CISOs are looking to make them report directly to the CEO and the board - in some cases, putting them on the board, too.
According to Reuters, global bank JPMorgan Chase, drinks company PepsiCo, US medical giant Cardinal Health, agricultural machine maker Deere & Co and the US Automobile Association (USAA) are just a few of the Fortune 500 companies looking to recruit chief information security officers (CISOs) in order to tighten up their organization's cyber defenses.
The reason behind this is that boards fear they lack the knowledge to make the right decisions on IT security. Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it. Bottom line: if you had not considered a career in cyber security, now might be the time to do so.

Monday, June 2, 2014

Catch that phone thief!

Phone theft has become a really big problem lately. Last year, 3.1 million Americans had their phones stolen, according to a Consumer Reports survey. Here in DC our metro lines even have a voice message that constantly reminds you to be cognizant of your phone use while in the metro stations and on trains. Today I heard about an app originally developed for iPhone that you can now get on your Android as well. It is called iGotYa!
While iGotYa cannot keep your phone from getting stolen, it may help you get it back. Realistically, 60% of stolen phones are never recovered, but that leaves 30% that are. With iGotYa, if someone steals your phone, every time that someone tries to unlock your device and enters a wrong code you will receive the thief's photo and location in your email immediately. You can also force your device to phone you if the thief tries to unlock it unsuccessfully a few times.
Your phone will be safe and protected against thieves thanks to iGotYa. You just need to enter your mail address and you will start receiving alerts in case your phone or tablet is being used without authorization.
iGotYa is easy to configure: just activate it, type in your mail address, and it's done.

The mobile security firm Lookout also has something similar to iGotYa. They have a new tool for tracking down bad guys by providing a "theftie," a covert snapshot of someone trying to steal your phone.
Their app also alerts you to suspicious behaviors on your phone, like a screen password mistyped three times. With this one you also get an email containing your phone's location and a highly unflattering look at the person holding your phone, be they Samaritan or supervillain.
Although these are made for catching a thief, think of the possibilities. Do you want to know if your spouse or boyfriend is snooping in your phone...this might help.


Tuesday, May 27, 2014

Essential Security Resources

When it comes to cyber security, it is essential that you visit the available security resources often to keep up with the latest security information. While there are many sources of information, I have found four that are a must for the security professional, or for anyone interested in cyber security.

CERT ( CERT stands for the Computer Emergency Response Team. CERT, the first computer incident response team ever created, is sponsored by Carnegie Mellon University. If you are interested in securing your computer network you should visit the CERT site on a regular basis. The CERT site has a wealth of information and documentation, including security policies and guidelines, cutting-edge research, security alerts and a whole lot more.

SANS Institute ( is my next favorite. The SANS site provides detailed documentation on almost any aspect of cyber security. The SANS Institute also offers some awesome classes on various security topics and is respected as one of the best sources of cyber security training and information. In addition, SANS sponsors many security research projects to further cyber security knowledge and publishes information about the projects on its website.

Microsoft Security Advisor ( is my third recommendation because just about every computer in the world runs on Microsoft products. This site is a portal to all Microsoft security information, tools, and updates and you should definitely visit it often.

F-Secure Corporation ( is another great source of security information.  This site provides a great repository for detailed information on virus outbreaks.  The site provides notification and detailed information on specific viruses.  The information provided includes details on how the virus spreads, how to recognize the virus, and the specific tools you will need to clean your system should it become infected with the particular virus.

As stated, there are many resources for obtaining security information.  These are but four of my favorites.

Monday, May 26, 2014

Paradigms of Cyber Security

There are a variety of paradigms organizations can choose from when it comes to implementing cyber security. The chosen paradigm will drive and set the tone for all other network security decisions within the company. These paradigms can be classified by how proactive the system needs to be or by the scope of the required security measures.

When a leader decides on the security approach his or her organization will use, they must decide how proactive or reactive the system needs to be. The leader makes this decision by deciding how much of the security infrastructure and security policies are dedicated to preventative measures vs. simply responding to a breach after it has occurred.

A passive security approach does not take steps to prevent a security breach, or if it does...very few. On the other hand, a dynamic (proactive) security approach takes steps to actually prevent the breach before it happens. An example of this is using an intrusion prevention system (IPS) to detect AND prevent a potential security breach. The IPS can also be used to gather information about the techniques an intruder uses to gain access, and to conduct an assessment of your network.

A perimeter security paradigm focuses on protecting the perimeter of an organization's network. The bulk of the security system might be composed of firewalls, password policies, proxy servers and other types of technologies that try to limit access to the network. This is a flawed paradigm, as it makes no attempt to secure the internal network systems. The perimeter is secure, but not the network itself.

A layered security paradigm focuses on the perimeter AND the internal systems of the network. The servers, workstations, routers, switches, hubs and other components of the network are secured. One approach to layered security is segmenting the network and then securing each of the segments. This way, if the perimeter is compromised the internal systems may not be. Or if one of the segments is compromised, the others won't be.

In a real system the best approach will likely be a hybrid approach, with elements of each paradigm combined into one layered, dynamic, highly secure design.
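To make the difference between the perimeter and layered paradigms concrete, here is an added example (my own, not part of the original post) that models segment-to-segment allow rules as a directed graph and asks two defender's questions of it: which segments an attacker who already holds one segment can reach, and how many segments sit between the internet and the database. The segment names, the two policies and the rules in them are constructed for the illustration; a real assessment would load the rules from the firewalls in use.

```python
from collections import deque


def flat_internal(internal):
    """Perimeter-only paradigm: once inside, every internal segment reaches every other."""
    return [(a, b) for a in internal for b in internal if a != b]


# Constructed segments and policies (hypothetical names).
INTERNAL = ["dmz_web", "app", "db", "workstations"]

PERIMETER_ONLY = {
    "segments": ["internet"] + INTERNAL,
    # a single firewall at the edge, flat network behind it
    "rules": [("internet", "dmz_web")] + flat_internal(INTERNAL),
}

LAYERED = {
    "segments": ["internet"] + INTERNAL,
    # each segment may only initiate connections to the next tier it serves
    "rules": [
        ("internet", "dmz_web"),
        ("dmz_web", "app"),
        ("app", "db"),
        ("workstations", "dmz_web"),
    ],
}


def _adjacency(policy):
    adj = {s: set() for s in policy["segments"]}
    for src, dst in policy["rules"]:
        adj[src].add(dst)
    return adj


def shortest_path(policy, start, target):
    """Breadth-first search over allow rules; returns the list of segments on the
    shortest path from start to target, or None if no path exists."""
    adj = _adjacency(policy)
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(adj[cur]):  # sorted for deterministic output
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def blast_radius(policy, compromised):
    """Segments an attacker who holds `compromised` can reach, directly or transitively."""
    reached = set()
    for seg in policy["segments"]:
        if seg != compromised and shortest_path(policy, compromised, seg) is not None:
            reached.add(seg)
    return sorted(reached)


def layers_before(policy, entry, target):
    """Number of segments an attacker must traverse from `entry` before reaching
    `target`; None if the policy blocks the route entirely."""
    path = shortest_path(policy, entry, target)
    return None if path is None else len(path) - 2


if __name__ == "__main__":
    for name, policy in (("perimeter-only", PERIMETER_ONLY), ("layered", LAYERED)):
        print(name, "blast radius from dmz_web:", blast_radius(policy, "dmz_web"))
        print(name, "internet -> db path:", shortest_path(policy, "internet", "db"))
```

Run it against the two constructed policies and the perimeter-only network shows a compromised web tier reaching every internal segment in one hop, while the layered policy keeps the workstation segment out of the web tier's reach and puts an extra tier between the internet and the database; the same check, fed real rule sets, is a quick way to see whether a proposed segmentation actually shrinks the blast radius or merely renames the flat network.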