IBM blog: The History of Connected Car Research in Israel

Israel is becoming a major center for connected car research. Fueled by government-backed military research, test labs established by automakers and numerous connected car startups, the country has attracted top talent from around the world and provided innovative technologies in automotive cybersecurity.

In my post for IBM’s SecurityIntelligence blog, I talk about the rise of this research after meeting some of the principals at a conference in Israel earlier this month.

Why you should be afraid of phishing attacks

I have known Dave Piscitello for several decades; he and I served together with a collection of some of the original inventors of the Internet and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.

He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.

We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, by using the same fonts and page layout designs to mimic the real sites (such as your bank), so that you will login to their page and provide your password to them.

Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing where a criminal is targeting someone or some specific corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with a minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.

Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.

There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.

There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.

The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.

I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.

Why Your Survey Won’t See the Light of the Media Day

I wrote this piece with Greg Matusky, the head of the Gregory FCA agency.

As a marketer of a security firm, you know that surveys can serve as high-impact marketing tools when shared with clients, used to power top-of-the-funnel lead gen campaigns, punch up sales literature, incorporated into white papers, and create great content for any number of channels.

But when it comes to gaining media attention for your survey, well, that can be a struggle. The media is inundated with corporate-funded surveys and often turn a jaundiced eye to them precisely because of their inbred biases.

Gaining exposure in the media or by having the results “go viral” on social media requires you to create surveys that deliver results that withstand media scrutiny. But these surveys also must meet the definition of what is new, what is newsworthy, and what is interesting to an audience eager to better understand the changing world of cybersecurity. Above all, you need to put away your marketer’s hat and assume a reporter’s perspective in order to create results welcomed, not ignored by the media.

If you would rather listen than read, check out this podcast episode that Paul Gillin and I did about surveys, from our FIR B2B series.

Here’s what you need to know.

Man Bites Dog. Findings should be unexpected, counter-intuitive, unusual, or all three.

Having a survey that repeats common wisdom is a sure way for reporters to instantly hit the delete key.

This Barracuda survey found that 74 percent of respondents stated that security concerns restrict their organization’s migration to the public cloud and have prevented widespread cloud adoption. So tell me something new! The results might have been news back in 2000, but not now.  A great survey breaks new ground. It adds to the common knowledge and doesn’t just repeat it. Push your organization to formulate questions that produce the unexpected, counter-intuitive findings that media love.

Bigger is Better!

Sample sizes need to be big enough to impress – and be meaningful. Sample sizes of a few hundred participants, based on some non-random selection, such as people filling out a SurveyMonkey form, isn’t going to cut it. You can’t fool the media. They want statistical validity and the credibility that comes from large sample sizes.

Want a prime example? Consider Kaspersky Lab and B2B International release of a survey that drew on 5,000 companies of all sizes from 30 countries. Now that carries heft, and indeed, the results were cited in several places, including that the average cost of a data breach for enterprise businesses in North America is $1.3M. Another survey from Bitdefender interviewed 1,050 IT professionals in several countries to find out their cloud security purchase decisions. Both of these surveys are keepers.

Compare those surveys to a Beyond Trust study of nearly 500 IT professionals and concluded the “5 Deadly Sins” within organizations that ultimately increase the risks of a data breach. Yes, that will be conclusive – not. You are cherry picking the results here for sure.

But sample size isn’t enough. Take for instance a recent survey conducted by One Identity. It asked 900 IT security professionals for their thoughts. Seems like a promising sample size. But the results talk about inadequate IT processes around user access by disgruntled former employees and other nefarious actors — providing a widespread opportunity to steal usernames and passwords, risking the infiltration of their entire IT network. That brings us to our next point.

Blind them with science!

Make sure you ask the right evidence-based questions. Many surveys focus on “soft” assessments, such as “Do you believe your cybersecurity is better/worse this year when compared to last year?” Can anyone really answer that question with hard facts? Probably not. To win media coverage, show the reporters the evidence behind the questions, or ask for specific information that can be based on more than just a “feeling.” As an example of what not to do: “Most organizations are worried that the technical skills gap will leave them exposed to security vulnerabilities,” which is from a Tripwire survey.

Here is another result from that same Tripwire survey that doesn’t really have any solid data behind it: “Seventy-nine percent believe the need for technical skills among security staff has increased over the past two years.” Where did they get their beliefs from?

And then there is this survey from ABI Research, which finds that 40% of respondents believe that data security is the leading barrier to adopting innovative technologies. Again, how did the participants rank their beliefs and come up with this conclusion? This survey says nothing.

Consider the source of the discontent.

Sometimes having surveys come from surprising places, such as academic researchers, is a sexy way to interest media. Third parties make the findings more newsworthy and citable. Here is a report about the relative security of swiping patterns versus a six-digit PIN code that was done for the US Naval Academy. They surveyed more than a thousand people to find out that “shoulder surfers” (busybodies who look over our shoulders at crowded places) can remember the swipe patterns better than the numeric PINs. It also provides an unexpected result too. Could your organization team with a similarly credible third party to tell its story?

The best surveys use data that isn’t easily available.

Data such as server logs or actual threat data that show particular trends is useful and notable. Many security vendors now report on data from their own networks, using their monitoring tools that track what is actually being observed “out in the wild.” There is no belief system required: This is cold, hard data. The king of these kinds of surveys is the Verizon Data Breach Investigations Report, which has been coming out for the past decade. This report examines the actual attacks and isn’t asking for anyone’s opinion or feelings. It is encyclopedic, comprehensive, thoughtful, and analytical. Because it has been around for so long, the analysts can pull together trends from its historical records. And, at least until Verizon was itself breached, the data came from a solid brand too.

As you can see, there are some surveys that are worthwhile. The best ones take time and cost money to pull off properly. But they are worth it in terms of great media coverage.

How to protect your emails using Inky Phish Fence

Inky Phish Fence is an anti-phishing platform available for many email systems and can detect and defend against many types of suspicious emails and phishing attacks. It comes as an add-in for Outlook for Exchange/Office 365 accounts. It is also available for G Suite and Gmail as a Chrome extension. Enterprise users would most likely use a purely server-side gateway version where the checks are performed automatically and the warnings get inserted into the actual email. The consumer add-ins are free, the corporate version starts at a few dollars per month per user with quantity discounts available.

I tested the product in November 2017.

And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in.

SecurityIntelligence blog: The history of ATM-based malware

I haven’t used a bank ATM for years, thanks to the fact that I usually don’t carry cash (and when I need it, my lovely wife normally has some handy). I still remember one time when I was in Canada and stuck my card in one of the cash machines, and was amazed that Canadian money was dispensed. I was amazed at how the machine “knew” what I needed, until I realized that it was only loaded with that currency.

Well, duh. Many of you might not realize that underneath that banking apparatus is a computer with the normal assortment of peripherals and devices that can be found on your desktop. The criminals certainly have figured this out, and have gotten better at targeting ATMs with all sorts of techniques.

Back as recently as three years ago, most ATM attacks were on the physical equipment itself: either by placing skimming devices over the card reading slot to capture your debit card data or by forcing entry into the innards of the ATM and planting special devices inside the box. Those days are just a fond memory now, as the bad guys have gotten better at defeating various security mechanisms.

For many years, almost all of the world’s ATMs ran on Windows XP. Banks have been upgrading, but there are still a lot of XP machines out there and you can bet that the criminals know exactly which ones are where.

But there is a lot happening in new ATM exploits, and my post for IBM’s Security Intelligence blog on the history of ATM malware hacking talks about these developments. In fact, ATM malware is now just as sophisticated and sneaky as the kind that infects your average Windows PC, and ATM malware authors are getting better at emptying their cash drawers. For example, malware authors are using various methods to hide their code, making it harder to find by defensive software tools. Or they are taking a page from the “fileless” malware playbook, whereby the malware uses legit OS code so it looks benign.

There is also a rise in network-based attacks which exploit lax banking networking topologies (segmentation seems to be a new technology for many of them), or rely on insiders that either were willing or had compromised accounts. Some of these network-based attacks are quite clever: a hacker can command a specific ATM unit to reboot and thereby gain control of the machine and have it spit out cash to an accomplice who is waiting at the particular machine.

Sadly, there are no signs of this changing anytime soon and ATM malware has certainly become mainstream.

HPE Enterprise.nxt blog: CEO cybersecurity 101: Improve your executives’ security hygiene

Chances are, your CEO doesn’t have the best data security hygiene. A recent analysis of passwords leaked by Equifax executives showed they used rather simple passwords that could be easily guessed, let alone made use of multifactor authentication methods. It is time we made our executives more responsible and exemplary users of our corporate security.

After the Equifax breach, researchers found their “chief privacy officer, CIO, VP of PR and VP of Sales, used passwords with all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year,” evidence that the company failed to follow best security practices. What makes this worse is the likelihood that numerous internal Equifax apps probably used the identical simple passwords.

While Equifax continues to make news as the security poster child, they aren’t alone and the problem is pervasive. There are hundreds of CEOs of ordinary companies who don’t understand good IT security hygiene. Just because most of these companies haven’t been in the headlines doesn’t mean they aren’t equally poor at their implementations. The  2017 Verizon Data Breach Investigations Report found that a whopping 81% of hacking-related breaches use either stolen or weak passwords. In other words: the breaches came from easily compromised identities.

I have spoken to many IT managers over the years who have told me of their frustration with their top executives when it comes to implementing better security policies. One manager that I interviewed last year (who asks not to be named for obvious reasons) told me that he tried to make a very small change to his organization’s password policy. While he had greater goals, he was trying to deploy a policy that made passwords expire after a certain period. His goal was to try to get ahead of any breaches because many of his users’ passwords to common websites had already been posted in earlier leaks, such as with Yahoo and LinkedIn.

For years his organization had passwords that never expired. He went ahead and got the various management approvals, and was all set to go with this very simple change until he was rebuffed by his CEO. “My CEO told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So we still have hundreds of people using non-expiring passwords around the organization.” Argh.

He isn’t the only frustrated IT manager. And passwords aren’t the only security issue. Another recent study by Code42 found that 75 percent of CEOs and more than half of other top executives admit that they use applications that are not approved by their IT department. This could be caused by a number of factors, including that the security team is not engaged with the C-suite, the executives are just stubborn and clinging to their old ways (such as that 30-year old common password), or that security isn’t taken very seriously by management. Or all three.

But we shouldn’t just blame our executives, when the problem could be our own making. “There will always be a natural tension between the CIO and the CISO,” as Saryu Nayyar wrote in an op/ed in Dark Reading earlier this summer. He is the CEO of Gurucul, a security vendor.  “This dynamic is determined by the reality that the CIO is driven to provide more and better services at lower costs, while a CISO’s job is to protect everything.” Over my years with talking to many IT professionals, I have seen lots of such infighting between management teams. Certainly, the time for working together in the name of better security policies has come.

Another reason for CEO security malaise could be that security professionals aren’t good at communicating the actual risks and don’t practice what they preach. What ends up happening is that executives get turned off by the level of effort that is required to lock down their infrastructure. In a recent article in ITWorld,  the author talks about how security practitioners are drowning in noise end up taking the hunter mentality and eventually abandon the data itself. “They spot check it and look for very specific patterns that have been successful in the past,” said Bay Dynamics co-founder and CTO Ryan Stolte, interviewed in the article.

So what should CSOs and CISOs do, other than find a more amenable CEO to work for? Start by first assembling some of the horror stories cited above. Look at the root causes of these incidents and try to factor these into your own plans for improving – and simplifying — your enterprise’s security practices.

Understand the value of leaked data and how it can live forever. “I think what’s being overlooked to some extent is the fact that the data that was compromised has perpetual value to a fraudster,” says credit expert John Ulzheimer quoted in this blog post. “In five, 10, 15 years that data will still be valuable to a fraudster.” Certainly that is the case if users stick with their age-old go-to password collections, as has been illustrated here.

Next, you need to be talking about these risks in the only language your CEO understands – money. Security consultant David Froud has written about this extensively. “This is not the language of security, it’s the language of business goals. Or to put it crassly, it’s the language of money,” he said in this post.

Forget about next-generation firewalls, or even last-generation ones. Or the details about how your anti-malware algorithms work. Your CEO isn’t interested. It is all plumbing, and about as exciting. What will get the CEO involved is how much money you can save your company by following a particular practice. Map your organization’s assets to your business processes as a start and make sure you understand how to value each of these processes.

Keep your security as simple as possible, and then people will actually use it. “If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse,’ says Froud in another post. As an example of this, take a closer look at using single sign-on or password manager tools that take the burden of passwords from your users and automate the password creation process. Once you take the creation – and remembering—passwords out of human hands, you have a prayer of fighting back with the criminals who prey on the collections of reused and simple passwords.

There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it. In fact, find a simple multifactor authentication product and get everyone on board. Make sure you implement programs that are workable and usable. Don’t pile on security for security’s sake. And if you are evaluating two different security solutions, choose the simpler one if at all possible. Have I said “simple” enough times here?

Of course, using single sign-on tools isn’t 100 percent secure either. A recent hack into Vevo, an online music video site, was subjected to a phishing attack through LinkedIn that compromised an employee’s Okta account. From this account, the hackers were able to gain access to Vevo’s media servers and helped themselves to terabytes of private files.

That brings up my next point. Any security program should plan on better executive and user awareness education, particularly when it comes to a type of phishing attack called “whaling” or CEO impersonation. These are emails sent by attacks that appear to be coming from your CEO or CFO to transfer huge sums of money, but in reality are just scams writ large. Numerous security vendors offer these programs, if you don’t want to design your own. All it takes is a single email to break through your defenses, as the folks at Vevo found out.

Finally, practice what your preach. If you aren’t trying out what you are going to recommend what everyone is supposed to use, you aren’t going to get very far. Lead by example. Years ago when I first started working in IT, I had a CTO (we didn’t call him that, but that is what he was) who refused to use the Lotus 1-2-3 spreadsheet software that everyone else was getting for their PCs because 1-2-3 came with copy protection on the disk. When he found out that I had a version that removed the copy protection, then he insisted that I install it on his PC. We don’t need more hypocrites in IT. Do as I say and as I do.

Clearly, we still have a long way to go before we can get better-behaving CEOs, at least when it comes to security practice. And maybe convincing them of being able to change their passwords, or heavens, use a password manager or a single sign-on tool. Either could be the first important step.

Interview with Yassir Abousselham, Okta CSO

Yassir AbousselhamI spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.

When first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter their network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps and when he first realized that security is only as good as your weakest link. “The larger the environment and more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like what he initially found.

“The worse case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”

“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.

Although he has been at Okta only a few months, they have yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open an phished attachment. Hackers will go through great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.

How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.

Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”

iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

Protecting your Windows endpoints with VIPRE Endpoint Security Cloud

VIPRE offers a nice package for small and medium-sized businesses that is easy to use and manage with a wide array of protective features.

We tested VIPRE on a series of different Windows clients during September 2017. It supports all versions of Windows desktop since v7 and servers since v2008R2. It currently protects more than six million endpoints and finds more than a million daily malware infections. VIPRE also sells an on-premises endpoint solution that also includes patch management features.

Pricing starts from $30/yr/seat with significant volume discounts. VIPRE offers free phone based US support during business hours.

iBoss blog: What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.