Sunday, June 22, 2014

Chinese-Made Smartphone Comes With Spyware, Surprise, Surprise...NOT!

I know this comes as no surprise to savvy folks like you, but G Data, a German cyber security firm, tested the Star N9500, a cheap Android-powered smartphone made in China, and found that it ships with more than just an 8-megapixel camera and a quad-core processor. According to G Data, it discovered malicious software—which could be used to track the phone’s user and manipulate the device remotely—embedded in the device.
G Data said it discovered so-called Trojan-horse malware, called Usupay.D, in the phone’s Google Play app store.
It said it fielded several complaints from buyers of the phone and ran tests on a newly purchased device. During testing, it discovered that the spyware on the smartphone sends phone identification and specification data to an unidentified server located in China.
G Data said the malware could also operate phone functions remotely, like turning on the camera, though it said it found no evidence that had happened in the phone it studied.
It also said that sending data to a Chinese server doesn’t necessarily mean an attacker targeting the phone is based there.
G Data could not say how the malware ended up on the phone. 
The N9500, similar to the best-selling Samsung Galaxy S4, is a popular low-cost smartphone, selling for between £85 ($141) for a new 5.0-inch version and £119.89 for a new 5.7-inch HD version.
The malicious software is pre-installed in the so-called firmware, the software that comes with the phone and operates its systems. It therefore cannot simply be deleted like a regular app installed from a third-party app store.
The malware program itself was identified by Kaspersky Lab in March 2013. G Data says its analysis is the first time Usupay.D has been discovered bundled with a mobile phone.

Saturday, June 21, 2014

Creating Good IT Security Metrics Is Vitally Important to Security Programs

One of the biggest problems I see in most security programs is a lack of metrics that REALLY measure the effectiveness of the program. IT Security Metrics provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization.

It is essential that whoever is leading your cyber security program chooses and designs effective measurement strategies and addresses the data requirements of those strategies.

There is a Security Process Management Framework that allows for the production of analytical strategies for security metrics data. I will discuss that in my next blog post. Using this framework, you can take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time.

In any case, here are examples of security measurement ideas that will allow you to measure your program effectively.
  • Define security metrics as a manageable amount of usable data
  • Design effective security metrics
  • Understand quantitative and qualitative data, data sources, and collection and normalization methods
  • Implement a programmable approach to security using the Security Process Management Framework
  • Analyze security metrics data using quantitative and qualitative methods
  • Design a security measurement project for operational analysis of security metrics
  • Measure security operations, compliance, cost and value, and people, organizations, and culture
  • Manage groups of security measurement projects using the Security Improvement Program
  • Apply organizational learning methods to security metrics
I will expound on these and other concepts in upcoming posts.

Sunday, June 8, 2014

Cyber Sense: Derek A. Smith on Cyber Security: Defending against Denial of Service Attacks

Cyber Sense: Derek A. Smith on Cyber Security: Security as a business enabler

Security as a business enabler

One thing that businesses forget is that security is supposed to be an enabler, not an inhibitor. What I mean is that often security gets in the way of doing business, or sometimes even drives business operations. That is why when other business functions see us coming you hear them mumble statements like, "here come those security geeks again, what do they want us to do NOW?" instead of, "Hey, here come the security pros, I wonder what wonderful business enhancers they have for us today?"

There are some security experts who believe that security is NOT a business enabler because, according to them, "in order for a function to be a “business enabler” it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition it would require the product that is sold to be security centric or the use of security as a competitive differentiator for the product line."

I have to disagree with this statement. According to one definition, an enabler is "capabilities, forces and resources that contribute to the success of an entity, program, or project." This definition says nothing about revenue stream, although I would argue that if security contributes to success, and success in business is earning revenue, then it is indeed an enabler.

I believe that it is about time security got the respect it deserves. For many years security has been treated as the proverbial "stepchild" of business. Like custodial services, security guards, and other things of this nature, IT security has been regarded as a necessary evil, or a money drainer, for businesses. However, business leaders are now beginning to "see the light". They are now recognizing the value of excellent IT security to their reputation, security, and yes, the bottom line: profit.

My detractors argue that "security as an enabler" was a concept "created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines." They say it is "designed to feed the undying need to provide security with tangible evidence of its importance. It is analogous to asking for a ROI on an insurance policy." To them this concept is nothing more than a way to sell security and its services. I say NAY. I will argue that good security processes can help increase revenue by up to 10%, and you cannot measure the return on investment of good security stopping a security breach and preserving the company's good name...just ask Target, eBay, and others.

Saturday, June 7, 2014

Learn more about cyber security at my new SQUIDOO lens

Cyber-Sense at Squidoo

Defending against Denial of Service Attacks

The denial of service attack, also known as DoS, is one of the most common attacks on the internet, so it is important that you understand how it works and know how to defend against it.

The denial of service attack is any attack whose goal is to deprive you of the use of your computer system or network. It is not a hacker trying to infiltrate, or break into, your system to reach critical information. Instead, its goal is to prevent users from having access to your system. This could mean a loss of millions of dollars to a business.

The thing is, DoS attacks are rather easy to perpetrate. The tools can even be downloaded from the internet and put into action by amateurs. The hard part is not launching a DoS but covering tracks and not getting caught.

The concept of the DoS is that all devices have operational limits to their capacity to perform. These are composed of such things as the maximum number of users, the speed of data transmission, or the amount of data that can be stored. Exceeding limits such as these will cause the system to stop responding.

One example of a type of DoS attack is called the SYN flood. The SYN flood consists of simply sending a flood of connection requests (the TCP "SYN" packets the attack is named for) very rapidly and then failing to respond to the expected reply that is sent as a result of them (there is more to the attack than this, but it is a little complicated to explain here). In other words, the attacker requests a connection to your system, then never follows up with the rest of the connection sequence. This leaves the connection to your system "half open" and the buffer memory allocated to it reserved and not available to other applications...or people trying to connect. The SYN flood is a primitive method of causing a DoS, but it makes my point.

There is no guaranteed way to prevent DoS attacks; however, there are steps you can take to minimize the danger. The defenses fall into two categories, technical and procedural. Technical defenses are those items you can install on your system to make it safer. These include such things as antivirus software, micro blocks, RST cookies, and stack tweaking. Procedural defenses include such things as modifying your system usage behavior as it relates to security measures: things like not downloading suspicious files that might have DoS software embedded and not opening unverified attachments.
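Below is an added simulation (my own illustration, not code from the original post) of the half-open backlog just described and of the cookie-style defense: with a fixed backlog, SYNs that are never acknowledged leave no room for an honest client until the retransmission timer expires, whereas a listener using SYN cookies (the stateless variant Linux implements as net.ipv4.tcp_syncookies) stores nothing until the final ACK proves the client really received the server's initial sequence number. The backlog size, the timeout, the HMAC-based cookie layout and the TEST-NET addresses are all constructed for the example; real stacks pack the cookie differently.

```python
"""Half-open TCP backlog exhaustion and the SYN-cookie defense, simulated.

Constructed simulation, no real sockets: a listener with a fixed backlog of
half-open connections receives SYNs that are never acknowledged, first with
per-connection state (exhaustible) and then with SYN cookies (stateless).
"""
import hashlib
import hmac
import secrets

BACKLOG = 8               # half-open connections the listener can hold (constructed)
HALF_OPEN_TIMEOUT = 30.0  # seconds an unanswered SYN-ACK stays in the backlog
MASK32 = 0xFFFFFFFF


class NaiveListener:
    """Reserves a backlog slot on every SYN and keeps it until the ACK arrives."""

    def __init__(self):
        self.half_open = {}  # (client_ip, client_port) -> (server_isn, created_at)

    def on_syn(self, client, now):
        # Drop half-open entries whose retransmission timer has run out.
        expired = [k for k, (_, t) in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in expired:
            del self.half_open[k]
        if len(self.half_open) >= BACKLOG:
            return None  # backlog full: the SYN is dropped, so no SYN-ACK is sent
        isn = secrets.randbits(32)
        self.half_open[client] = (isn, now)
        return isn

    def on_ack(self, client, ack_num, now):
        entry = self.half_open.pop(client, None)
        return entry is not None and ack_num == (entry[0] + 1) & MASK32


class SynCookieListener:
    """Keeps no per-connection state until the handshake completes.

    The server's ISN is an HMAC over the client address, port and a coarse
    timestamp slot.  A valid final ACK proves the client actually received
    that ISN, so spoofed SYNs cost the server nothing but the SYN-ACK reply.
    """

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def _cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC plus 8 bits of timestamp slot, packed into a 32-bit ISN.
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)

    def on_syn(self, client, now):
        return self._cookie(client, int(now) // 64)  # 64-second slots

    def on_ack(self, client, ack_num, now):
        isn = (ack_num - 1) & MASK32
        # Accept a cookie minted in the current or the previous slot only.
        for slot in (int(now) // 64, int(now) // 64 - 1):
            expected = self._cookie(client, slot).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                return True
        return False


def simulate(listener, attacker_syns=50, honest_delay=1.0):
    """Spoofed SYNs that are never acknowledged, then one honest client.

    Returns whether the honest client got a SYN-ACK and whether it connected.
    Addresses come from the TEST-NET documentation ranges (constructed).
    """
    now = 0.0
    for i in range(attacker_syns):
        listener.on_syn((f"203.0.113.{i % 256}", 40000 + i), now)
    honest = ("198.51.100.7", 51515)
    isn = listener.on_syn(honest, now + honest_delay)
    if isn is None:
        return {"syn_ack_sent": False, "connected": False}
    connected = listener.on_ack(honest, (isn + 1) & MASK32, now + honest_delay + 1.0)
    return {"syn_ack_sent": True, "connected": connected}


if __name__ == "__main__":
    print("naive, during flood:      ", simulate(NaiveListener()))
    print("naive, after timeout:     ", simulate(NaiveListener(), honest_delay=31.0))
    print("syn cookies, during flood:", simulate(SynCookieListener()))
```

The naive listener is what the post's "half open" description models: every spoofed SYN pins a slot for the full timeout, so the honest client gets nothing until the timer expires. The cookie listener answers the same flood without remembering any of it, and the two-slot check in on_ack is what bounds how long a replayed or forged ACK can be tried against a given address.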

It should be obvious that protecting your system is critical, and you must do what you can to deny...a denial of service.


Friday, June 6, 2014

Come join me in the wonderful and lucrative world of cyber security

Cha-ching!!! Following a number of very high profile cyber-attacks, some of the largest companies in the world are hiring security specialists, not just to fulfill security roles, but also to join corporate boards and provide cyber security guidance from the top down.

In these attacks, companies have lost hundreds of millions of customer records, including financial details.

With all this happening, this is a GREAT time to become a Chief Information Security Officer (CISO). CISOs at major organizations can typically command pay packets of more than $500,000, with some earning as much as $2m.

CISOs typically report to the CIO, however many of the companies now hiring CISOs are looking to make them report directly to the CEO and the board - in some cases, putting them on the board, too.
According to Reuters, global bank JPMorgan Chase, drinks company PepsiCo, US medical giant Cardinal Health, agricultural machine maker Deere & Co and the US Automobile Association (USAA) are just a few of the Fortune 500 companies looking to recruit chief information security officers (CISOs) in order to tighten up their organization’s cyber defenses.
The reason behind this is that boards fear they lack the knowledge to make the right decisions on IT security. "Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it." Bottom line…if you had not considered a career in cyber security, now might be the time to do so.

Monday, June 2, 2014

Catch that phone thief!

Phone theft has become a really big problem lately. Last year, 3.1 million Americans had their phones stolen, according to a Consumer Reports survey. Here in DC our Metro even has a voice message that constantly reminds you to be cognizant of your phone use while in the stations and on trains. Today I heard about an app originally developed for the iPhone that you can now get on your Android as well. It is called iGotYa!
While iGotYa cannot keep your phone from getting stolen, it may help you get it back. Realistically, 60% of stolen phones are never recovered, but that leaves 30% that are. With iGotYa, if someone steals your phone, every time that person tries to unlock your device and enters a wrong code you will receive the thief's photo and location in your email immediately. You can also force your device to phone you if the thief tries to unlock it unsuccessfully a few times.
Your phone will be safe and protected against thieves thanks to iGotYa. You just need to enter your email address and you will start receiving alerts in case your phone or tablet is being used without authorization.
iGotYa is easy to configure: just activate it, type in your email, and it's done.

The mobile security firm Lookout also has something similar to iGotYa. They have a new tool for tracking down bad guys by providing a "theftie," a covert snapshot of someone trying to steal your phone.
Their app also alerts you to suspicious behaviors on your phone, like a screen password mistyped three times. With this one you also get an email containing your phone's location and a highly unflattering look at the person holding your phone—be they Samaritan or supervillain. 
Although these are made for catching a thief, think of the possibilities.  Do you want to know if your spouse or boyfriend is snooping in your phone...this might help.