Aujas US

An IDG Ventures Company

Phishers Target Social Media, Are You the Victim?

Phishers target social media

Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to retrieve vital information from users. They also use social networking malware for financial gains. Message or web links coming from immediate connections over Facebook or Twitter lead users to believe that they are genuine and there’s nothing wrong with clicking them. Scammers leverage on this fact and exploit human emotions such as greed, trust, fear, and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks. While attacks were almost negligible in Q1 of 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any current hyped political situation, news stories, videos or mishaps are good enough to make the user click on the link and redirect to the desired (malicious) website.  The message is defined to pull your curiosity or it is made strong enough to create sympathy towards people affected by tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or twitter box-

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD 

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation 

“Hey, I am your old college friend! Just joined your company; why not reconnect? – http://biz.ty/23424 

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink

The above websites could be asking for your Internet-banking credentials for donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on this link, the malware or virus gets downloaded your system is compromised.

Often scammers target one social networking site user account, compromise it using script, and this script gets propagated to the user’s friends’ accounts. This is called self-replicating malware, and uses application vulnerabilities such as invalidated redirects, click jacking, and cross-site request forgery to spread across multiple user accounts. For mobile users, it becomes even worse because it is not easy to verify authenticity of URLs.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is allowed and not allowed to discuss and disclose in social networking sites.
  2. Conduct social media awareness programs which should include the rewards and risk of social media. It should also cover how to identify phish websites and differentiate between original and fraudulent websites.

As an employee, these best practices can help you avoid becoming prey of phishing attacks:

  1. Never click on a link or a bookmark which is associated with financial transactions or asks for any sensitive information; instead always have a practice to manually type URL in the address bar.
  2. Do not click on links which ask to download ActiveX or software on your system as they could be Trojan / malware which later becomes the control center to remotely control your and other systems inside the network.
  3. Ensure that the site is authentic and using secure layer (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and the social networking site so that they can work with the hosting provider to bring down the phish website.

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Advertisements

April 27, 2011 Posted by | Cyber Crime, Identity Theft, Phishing, Risk management, Social Engineering | , , | Comments Off on Phishers Target Social Media, Are You the Victim?

Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

Amazon data center crashes

Building Cloud-friendly applications can help your company manage risk and avoid losses when the host's data center crashes

Early in the morning of April 21, Amazon’s EC2 data center in Virginia crashed, bringing down many popular websites, small businesses and social networking sites.

The strange fact is that the outage still ensures that the 99.55% availability as defined in the SLA (Service Level Agreement) is not breached. Let us put aside the other aspects and focus on Cloud services and the new generation of programmers and business who use these services. Though the SLA leads to quite an interesting debate, we will leave that to the legal experts.

More often than not, when we discuss building applications in the Cloud, the basic assumption is that of 24×7 service availability. While Cloud service providers strive to live up to this expectation, the onus of designing a system resilient to failures is on the application architects.  On the other hand, SLA driven approaches are very reactive in nature. In purest sense, SLA’s are just a means of trust between the user and the service provider. The fact is that SLA’s can never repay for losses. It is up to an Architect and CIO to build systems that tolerates such risks (Cloud system failures, connectivity failures, SLA’s, etc).

With Cloud infrastructure, we end up building traditional systems that are so tightly coupled and hosted without taking advantages of the availability factor. These shortcomings maybe part and parcel of software world where functionality takes precedence over all other aspects, but such tolerance cannot be expected in the Cloud paradigm. A failure on part of the Cloud service provider will bring down the business and getting back the data becomes a nightmare when all the affected businesses are trying to do the same.

Accommodating and managing these factors are the business risks, which need to be identified. Businesses that do not envision these risks are sure to suffer large scale losses. The truth is that building such resilient systems is not very complex task. The basics of all software principles have remained same whether they are built for Cloud or enterprise-owned hardware. Mitigating as many risks as possible requires that several basic designs and business decisions be made – while considering the software provider – such as:

  • Loosely couple the application
  • Make sure the application follows “Separation of Concerns”
  • Distribute the applications
  • Backup application & user data
  • Setup DR sites with a different Cloud service provider

These decisions involve software that follows these basic designs and business decision managers who identify various service providers to mitigate such risks. Cloud service will enforce a thinking among the business managers that availability should not and cannot be taken for granted.

These failures will not stop the adoption to Cloud but will make the customers aware of the potential risks and mitigation plans. The Cloud failure will have serious impact on the CTO/ CIO and the operations head. In a non-Cloud model, a CIO’s role has been noted as very limited. The interaction of the CIO with a CTO in the everyday business is much less. These two executives need to work more closely to protect the business and reduce risk.

The best practices for the Cloud application builders are:

  • Build Cloud applications, not applications in the Cloud
  • Design fault tolerant systems, wherein nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component

The best practices are necessary for all the architects who build Cloud applications. Do not simply port a traditional application to the Cloud. They are architecturally different and will not take advantage of the underlying services – and most often – will result in failure.

Remember “Everything fails, all the time.” It is time to think and manage risks and not let the SLA stare at you when you are losing business. Be proactive; build Cloud-friendly applications.

The new world on Cloud looks more promising than ever. However, failures can make us realize that functionality without proper foundation and thought process can have serious repercussions. It is essential for every business to review their risks and redefine their new perimeter in the Cloud.

For more information on how Team Aujas is assisting clients with security risk in the Cloud, please contact Karl Kispert, our Vice President of Sales. He can be reached at karl.kispert@aujas.com or 201.633.4745.

April 27, 2011 Posted by | Cloud Security, Data Losss Prevention, Data protection, IT security | , , , , , | Comments Off on Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

The Business Case for Secure Development Lifecycle

Vulnerability ManagementSoftware is integral to business operations for most organizations. Unfortunately, the increasingly indispensable nature of software-based systems has also made them high-value targets for cyber crime.

Today, most of vulnerabilities targeted by cyber criminals are at the applications level rather than at the operating system or network levels. The cost involved in fixing these vulnerabilities is very high due to:

·         Incident response

·         Customer compensation

·         Penalties for compliance violations

·         Short-term fixes

·         Cost to remediate the problem

When a cyber attack is successful, fixing vulnerabilities can grow even more costly.

Although recognition of the importance of secure systems is growing, software security must still compete for a place in an increasingly tight enterprise budget. However, a well-optimized security program can reduce the overall cost of developing an application and the business process it enables. The program can integrate security at various layers to mitigate risks that the company or software can face.

One proven and time-tested model is to incorporate security into every stage of the software development lifecycle. The Microsoft Security Development Lifecycle (SDL) is one such comprehensive process that offers an industry-leading software security methodology. The Microsoft SDL embeds security and privacy throughout the software development process.

The SDL delivers real cost savings:

·         When software development processes include security practices as early as possible, the cost to fix many vulnerabilities can decrease dramatically.

·         A structured approach to security makes the process more predictable, can significantly improve its efficiency, and allows the security team to deploy its resources in a heavily leveraged, top-down manner.

·         It is cheaper to plan early and have a security requirement rather than performing a final verification.

·         A combination of high-level analysis, low-level review, metrics-based risk management, and tools can provide an optimal, measureable ROI.

By following a defined process like the SDL, vulnerabilities are more likely to be found and fixed prior to application deployment. This helps reduce the total cost of software development.

Improving the security of a system makes it more reliable and less expensive to operate in multiple ways. While software security efforts require some resource commitment, a significant ROI can often be achieved with a small initial expense. Careful use of metrics allows tracking of the effects of the investment, and those same metrics allow long-term improvement of security ROI and overall effectiveness.

Understanding software security problems is a foundational part of building better software. A recent survey conducted by Forrester Consulting noted that 0 out of 7 company executives who responded selected “lack of time to perform security tasks” as a challenge for implementing a secure development program. Rather, they cited “lack of security expertise”… as a top challenge. So it’s essential to know what talent is available in-house and where to look for expert advice.

Aujas is a member of the Microsoft SDL Pro Network, a group of security consultants, training companies, and tool providers that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL. We can help you make security and privacy an integral part of how software is developed for your company.

 

For more information about Aujas and the Microsoft SDL Pro Network, contact Karl Kispert at karl.kispert@aujas.com.

April 11, 2011 Posted by | Cyber Crime, Enterprise Security, SDL, Secure Development Lifecycle | , , , , , | 4 Comments

Data-Breach Risk Is Not Only from Insider Threats

Data Breach Risk

Consider the threats and risks involved when you share data outside your company.

There’s a very large push within the last few years for many organizations to spend their data protection efforts mainly on the “Insider Threat” – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm’s reputation, when not properly controlled.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.

  • Risks

–    The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn’t have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.

–    Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while sitting out at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
    • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
    • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment