Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 6: Physical Weapons.

Chapter 6 it’s all about physical weapons. A key point is how both the physical and logical worlds are tied together in cyberspace. Computers and networks need buildings, utilities, electricity, cooling, etc. to operate. But it is also true that software and applications are what run and manage this infrastructure. These two worlds have a symbiotic relationship. Therefore, the strategy in cyber warfare, as in conventional, is understanding all aspects of a system and determining where are the vulnerabilities.

The logical world requires physical utilities to operate. That is why sometimes the best offense is not attacking the computers directly but rather the utilities and supporting infrastructure. As any general will tell you and any military strategy book with teach, supply lines can be the Achilles heel of any army. Computes and networks are no different. The attack can be physically from cutting wires to detonating EMP weapons. Attacks can also be logical from infecting a utility company’s computers to taking down an entire Supervisory Control and Data Acquisition (SCADA) system.

Probably the best example of a SCADA attack was with the Stuxnet malware. This piece of code was injected into Siemens controllers and other parts of the Siemens SCADA. Stuxnet is part worm, Trojan Horse, spyware and rootkit. It is designed to find a specific type of SCADA system, spread throughout, capture passwords and/or change application files, while all the time covering up its tracks to prevent detection.

The authors cite a number of different examples of supply chain disruption. These disruptions can be in the form of inferior components, compromising hardware, or even simple non-technical means. An attack can be something as simple as defective electronic components like a capacitor being sold to vendors to purposely inserting malware into software that you know your enemy is trying to steal and in turn infecting their entire network when they succeed. The attack could even be on the people with something like food contamination.

Finally, there is the outright physical attack. This might include sophisticated signal jamming, vandalism, Denial of Service, access into the building, eavesdropping or electronic “man-in-the-middle” message manipulation. Physical attacts are usually less covert but they can also introduce a level of fear that had not existed before. Even forcing people to change the usual habits can have devistating effects.

CONCLUSION:

Overall, the message here is that anti-virus, firewalls and encryption is not enough to protect computer networks. Sometimes the best attack is simple and indirect. If security was simple then no nation or individual would spend the money they do to protect their valued assets. Even some of the most sophisticated systems can still be made useless with a simple pair of wire cutters two miles away. Security is an ongoing effort and that is why if your business has information that requires hardened protection, bring in experts to suggest the best ways of securing the information. Sometimes bring in more than one team.

Access Smart^® is pleased to announce a new Power LogOn - Password Manager for Windows – reseller in Africa. Pure Access IT, LTD, located in Abuja, Nigeria, is adding password manager for Windows to their extensive line of IT services. The addition of Power LogOn provides Pure Access IT customers with a complete secure network solution.

With data breaches and identity theft at epidemic levels, businesses and government agencies need network access access authentication to identify a person prior to them getting past the firewall. Passwords are the most common way people use to log onto a computer, network and internet; but, the way individuals choose, use and manage their passwords makes them vulnerable to attack. Power LogOn delivers a secure means to manage passwords with multi-factor authentication, plus user conveinence  of never having to remember, type or know their passwords. Power LogOn can also be tied in to Active Directory to keep IT as the central manager of access rights and privledges.

“Secure user authentication should never be a luxury and never a barrier to preventing cyber-attacks,” said Dovell Bonnett, Founder and CEO of Access Smart. “We are so pleased to have Pure Access IT as a strong partner.”

Pure Access IT Ltd is a multi-disciplined information technology integrator that offers IT solutions, training as well as expert implementation of the best technologies for website architecture and design, data access, transactions, Internet Service provision and information security. We work with leading companies to deliver to government and businesses at the highest level of technology, integration, and services. Pure Access is also engaged in the provision of software outsourcing services. Today hundreds of small and medium sized businesses including Government rely on the superior technical expertise of the Pure Access Team to support their Systems, network infrastructures, and to provide the necessary support to keep their businesses running.

“Access Smart adds those additional layers of security, low cost of ownership and user convience needed to authenticate the user,” said Wasiu Olatundun, CEO of Pure Access IT.

Please contact Access Smart or Pure Access IT for more information.

 Google Inc. (GOOG) supposively has the motto, “do no harm.” But who defines what is harmfull? Employees recently testified to the U.S. Federal Communications Commission that they didn’t initially know that their mapping-service project software was gather personal data, even though an undisclosed engineer told a few fellow workers. The software would access payload data like e-mails, text messages, passwords, internet-usage, and other highly sensitive personal information. The FCC ended up not penalizing Google for data gathering, but assessed a $25,000 fine for not cooperating with the FCC during the initial inquiry. The fine would not even be considered a slap on the wrist.

This is another example of how the technology companies who are responsible for the security of their products get off scott free. Whereas, the businesses who buy and use these products to run their companies are targeted by the FTC and congress with huge fines and laws for exposing private information. According to OpenSecrets.org, Google contributed $814,540 to Obama’s election. Gawker.com claims  Larry Page and Eric Schmidt donated $25,000 each for Obama’s swearing-in party. Bloomberg disclosed that Google hired 12 lobbying firms after the U.S. Federal Trade Commission began a review of its business practices. Finally, the National Journal reports that Google hired the former Rep. Susan Molinari, R-N.Y. to head Google’s Washington office. With the average per-inncident cost to a company in 2010 for a privacy data breach being $7.2 million, one has to wonder where’s the justice.

I am posting this story as a warning to companies looking to upload all their confidential data into cloud storage or using cloud services. Can you really trust that the supplier is not able to access your information? By law, if a cloud supplier gets hacked and your customer’s personal information is exposed, you may still be liable for all the damage. Companies need to follow the same guidelines that I tell individuals using social networks; “If you want the whole world to know what you are doing for the rest of your life, then go ahead and post your info on Facebook. Otherwise, it may be better to keep it to yourself.”

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 5: Logical Weapons.

This chapter is chocked full of valuable information. Instead of going through the details of all the tools discussed, I think that startling insight into the defense of these attack tools is more important. I do, however, strongly suggest your read this chapter to get a better perspective on the types and capabilities of the available logical access weapons.

The weapons or tools available to cyber warriors are vast and many are free and open sourced. The non-government and non-military attackers are using common or customized tools. At times the same tools used to investigate an attack are also the same tools used to attack. While many may believe that the government and military warriors have highly specialized tools, the authors suggest that they are using some of the same commercially available tools.

The authors break down the tools into 7 different classifications where each tool builds off its predecessor:

1.  Reconnaissance – Used to gather general information about the network or system to be attacked. No attack has occurred.

2.  Scanning – More targeted information gathering about the systems mapping, ports, and enumerating users. Again not really an attack yet.

3.  Access and Escalation – The most available tools to gain access into a system and escalating the privilege levels of the attacker. A common tool includes password cracking/capturing. Now the attack has begun by gaining unauthorized access.

4.  Exfiltration – Using different means to physically carry out data on memory sticks, hiding data in messages, protocols that are not secure and “out of band methods” like cell phone cameras coping information. Theft of information.

5.  Sustainment – These are methods in which once access into a system has been achieved, the attacker wants to have hooks in place to return back into the system undetected. Two common methods include created an authorized account for the attacker and/or placing backdoors into applications or system. Long term attacks causes the fines and costs on a company to increase.

6.  Assault – After a system have been investigated and access has been achieved the third major component to cyber ware takes over, the manipulation and modification of the system to perform unauthorized activities. These activities can include creating botnets, Denial of Service and other destructive attacks. Now the attacks start spreading from the inside so less reconnaissance and scanning is required.

7.  Obfuscation – Finally, once the attack has begun the cyber warrior needs to cover his/her tracks, to cover up the nature of the attack and where any important information is being sent. This is where tools that obscure and manipulates logs, files and locations are used.

DEFENSES:

•  Reconnaissance is difficult if not impossible to defend against since most of the information gathered is found just by visiting a website. The authors best defense suggestion is to limit the amount of information available. As a personal side note, the same defense suggestion should apply to social media sites too. Don’t include to much personal information.

• Scanning is also difficult to prevent and the best defense is to not send out traffic that can be visible to unauthorized people. Encrypt documents, emails and don’t run services on standard ports.

• Access and Escalation defense is mostly around strong passwords and password policies, keeping operating systems and applications up-to-date, and incorporate system hardening measures. An eight character password what includes uppercase, lowercase, numbers and symbols will take a computer, running 100,000,000 combinations a second, two years to try all 7.2 quadrillion possible combinations. However, complexity is only a part of the defense. Adding password management components removes the threat of multiple site usage, post-it note security and non-authentication.Next, close down ports, services and accounts that are not required.

• Exfiltration can also be very hard to defend against because there are so many avenues of documentation and information leakage. About the only suggestion is to add security classification nomenclature to documents and restrict their viewing similar to what the military and government does. Also, better screening and background checking may help before allowing someone access to sensitive data.

• Sustainment backdoor defense is done by first making access to the system to insert code difficult, and second by performing periodic audits. While auditing is time consuming it is a very important task. Audits are best when done mannually.

•  Assault are also classified as something that is difficult to defend against. Once administrative right have been granted, it is virtually impossible to control what changes are made. Prevention with strong passwords is still viewed as the best defense.

CONCLUSION:

When it comes to protecting against the cyber attack tools there seems to be very little defence. What frustratites me the most is that Congress is busy passing laws putting the onis on large and small companies to protect data when the very operating system, browsers and applications these companies are using are filled with holes. It seems that the best a company can do to protect data is 1) encrypt, 2) limit the amout of information they put our on the web, and 3) to really beef up their password security policies. But just requiring longer and stronger passwords is not enough. If passwords are too cumbersome for they user then those same users are more likely to write them down on notes, in speadsheet or on whiteboards that are easy to find.

The posts I am writing about Cyber Warfare is not designed to promote the products of our company Access Smart. However, after reading this chapter and that the best defence is secure passwords, I have to at least ask that you look over our Power LogOn – Password Manager for Windows solution.

In the english language the prefix “Pro” means to be for something, whereas the prefix “Con” is to be against something. So then the opposite of “Progress” must be “Congress”.

Source: Lifehacker, by Thorin Klosowski

I am an extremely private person. I don’t broadcast my location, I use privacy tools to keep advertisers from tracking me, and almost never give any app access to Facebook. Of course, a lot of people don’t have a problem with living publicly. I’ve always wondered what the benefits and downfalls of doing so are, so I decided to give it a three-week test run. Here’s how it went.

We’ve talked a lot about the importance of your privacy because your data is often used for ads you don’t know about, logged in databases you’ve never heard of, and used to find out where you are and what you’re doing. Some of the things I consider “radical public living” experiments are probably commonplace to you, but even so, my experience may give you a better insight into what you’re gaining—and potentially losing—with your choices. Let’s start by looking at my experiences with location-sharing every move I made and then move on to the data collected by my browser. Finally, we’ll close by handing all this information over to a third party and seeing what type of demographic picture gets formed.

Click the the link to read the full story on Lifehacker

Access Smart®, LLC expands our network access authentication product line for data security. Power LogOn for MagStripe allows any issued magnetic stripe card to be used to log onto a computer and network. Imagine the cost savings and convenience of not having to re-issue cards, and the convenience for customers to use their existing loyalty card for network access authentication into a computer network. Some of the key markets are hotel lobby and airport kiosks, internet cafes

Power LogOn for MagStripe is a secure, two-factor authentication, single sign-on (SSO) and single sign-off system that uses any magnetic stripe card (i.e. access control, student ID, drivers license, loyalty card, etc.) to be the “what you have” component. After swiping the card the user must enter a single PIN for the “what you know” authentication to securely access a server network. If the PIN is wrongly entered after six attempts the account is securely locked and requires IT to determine authentication before un-locking and re-setting authentication. Once authentication is validated the user accesses Windows® Active Directory and all their secure accounts. Plus, Power LogOn allows IT has the ability to secure sites so the employee doesn’t know the passwords, and the employee can save their personal sites so IT cannot see these passwords.

“The upfront costs of re-badging have been a barrier for companies to implement a multifactor card security,” says Dovell Bonnett of Access-Smart, Inc. “But, a company’s costs from a data breach can be far more costly. To help companies implement security, we develop different password management solutions based upon the needs of our customers.”

Here are just some of the Network Access Authentication cost savings from Power LogOn for MagStripe:

1. Works with existing cards
2. Users/employees self-enroll using their existing cards
3. IT can build account templates to make account access secure and protected

“Strong security mechanisms must be at the forefront as businesses move to cloud based services,” said Mr. Bonnett. “If security is perceived by business owners as being too cumbersome or expensive to implement, they leave themselves vulnerable to data breaches and their customers to identity theft.”

Power LogOn for Magstripe is fully compatible with other security suites, applications and partner solutions. It is compatible with Win7 and Server 2008 systems. Please contact Access Smart for a no obligation discussion on how Power LogOn can improve your network access authentication.

Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 4: Cyber Warriors.

Understanding who the cyber warriors are and their level of training is just as important as the techniques they use. Chapter 4 starts off with defining that there are two types of warriors: Those with no training (most of the current warriors) and those that are now getting trained. The scary part is that because cyber conflicts are becoming more prevalent and invasive, more specialists are needed.

The new cyber warrior will receive certifications (either from vendors and/or organizations) in 1) “general information security”, 2) “penetration testing” and 3) “forensics”. The most prestigious certificates will come out of the Certified Information Systems Security Professionals (CISSP^®) but certificates from SysAdmin, Audit, SANS, GIAC and ISACA will also be required for cyber security jobs.

Cyber warriors are typically well-educated but formal education is usually not enough. Master degrees in computer science, engineering, information technology, etc. are required but so are practical knowledge and industry certificates. Today the main source of cyber warfare education is still from the military with National Security Agency (NSA) Center of Academic Excellence (CAE) oversight. After all the formal education is done, these warriors must constantly keep up with the latest attacks and computer technology changes by attending conferences, following blogs, etc. throughout the year. Finally, why experience is important in cyber warfare is that many attackers approach problems from non-conventional ways that are often dismissed or discounted in formal educational environments.

Cyber warriors are quite different from the traditional warrior. Stamina and physical agility is replaced by problem-solving skills, maturity and intelligence. Thus, age and physical conditioning has diminishing importance. The physical conditioning taught in a traditional boot camp is not necessary for cyber warriors. Most cyber warriors like isolation, sitting by their computers for hours and their non-traditional activities to clear their heads. If there was a boot camp, I wonder if the physical training would require the ability to bench press a 6-pack of Mountain Dew.

Just about every developed nation has or is developing cyber-warriors, but they are not the only ones. Corporations and organized crime have their warriors too. Because of the high demand for cyber warriors (for legal or illegal activities) it seems that somebody is willing to look the other way of past indiscretions in order to hire a cyber-warrior. Many times the black-hat hackers who have been caught are then recruited by law enforcement agencies to help find and defend against other attackers. Equally surprising that law abiding crackers (or white hat hackers) could slip over to the dark side for a chance for more money and notoriety.

CONCLUSION:

The number and the sophistication of cyber warfare is going to increase. New warriors are being trained every day. In a recent article about cyber-crimes the FBI predicted that 2012 will be worse than 2011 which was worse than 2010. This should not be a surprise since gaining the knowledge and experience can be done from the comfort of one’s own kitchen table or bedroom desk.

We all have been told by IT that network access authentication requires complex passwords, a minimum of ten characters, different passwords for every sites, and changing passwords every 60-days. While this does set up a strong password security from IT’s perspective, it also forces employees to circumvent the security for their own convenience.

Now the government is mandating companies protect patient and customers personal data stored in computers. Companies need network access authentication by deploying a smartcard-based password manager.

Network Access Authentication Weaknesses without password manager security

As password security becomes more complex, employees typically will use one or more of the following to circumvent IT’s security.

• Writing passwords on notes by their computer.
• Saving an Excel spreadsheet store passwords on the desktop
• Storing passwords in the cell phone can can be lost or stolen.
• Using the same password for both personal and business accounts
• Managers telling their assistant their corporate passwords
  

Companies need to install password manager security solutions that are cost effective, secure and convenient to the employee. Plus, companies need to combine security solutions like logical access, anti-cloning technologies, biometrics and physical access onto a single employee badge. All tackle the security problem a little differently, but they all are solid, robust products. 

Password managers for network access authentication has to including:

• Multi-factor authentication
• Log into computers and networks
• Log into intranet, extranet internet sites
• Log into computer program applications
• Stand alone and Server modes.
• Broad range of card technologies to keep card costs low and re-badging efforts to a minimum
• Backward compatibility with existing card technologies

Some companies are delaying their security efforts for what seems to be higher priorities. But with the low cost of password manager security technologies and the high cost from a data breach, delaying may be the bigger mistake. No matter which product or solution a company chooses, password manager security technologies has to be deployed now.

Power LogOn^® enterprise password manager integrates with DameWare Mini Remote Control (DMRC), part of the SolarWinds family of IT Management products.  The integrated offering is designed to provide users with a complete secure communications channel from log on to data channel encryption.

In the age of mobile communications, when cyber attacks are at epidemic levels, IT professionals need secure connections between remote and local computers.  Security has to start by first authenticating the user before any connection is established with an enterprise password manager.

First, the user authenticates to the Access Smart smart card. This can be done through multiple methods including pin and biometrics. Then, the card automatically launches the DameWare program, which continues the secure connection through multiple built-in security features. DameWare Mini Remote Control gives an administrator the ability to remotely control any machine on the LAN or WAN (across town, across the country, or even around the world).

“Secure user authentication should never be a luxury and never a barrier to preventing cyber-attacks,” said Dovell Bonnett, Founder and CEO of Access Smart. “Once authentication is established, DameWare finishes the secure communication channel.”

SolarWinds, a leading provider of powerful, affordable and easy to use IT management software, acquired DameWare in December 2011.  The addition of the DameWare products to the SolarWinds portfolio further extends the company’s presence in the systems and application management market with tools that allow systems administrators to remotely manage the computers on their networks.

Many different businesses, law enforcement, healthcare and government agencies rely more on their remote employees. IT cannot be expected to have computers sent back to a centralized location for the latest software or download updates. Combining Power LogOn enterprise password manager and DameWare secures this remote connectivity.

I recently commented in my LinkedIn Smartcard Group to a posting about why The USPS was promoting their “snail mail over email. Some commentors argued that promoting older technologies like the post office is trying to capitalize on fear of new technologies or the inconveniences it brings. I disagree that inconvenience or fear of the unknown are the problems. Rather it’s a self-preservation reaction. With almost 20-years of smartcard support and being on the bleeding edge of technologies even longer, I think I have the credentials to somewhat support the USPS stance, but not for the reasons they give.

Ray Wizbowski from Gemalto wrote an insightful post about how “Strong Authentication, not ‘Snail Mail’ is the answer to cyber crimes“. In it Ray builds the case that the USPS is having a “Luddite” movement in its last-ditch attempt to convince consumers and businesses to ditch electronic communications in favor of snail mail. Ray makes the analogy to the regular occurrences of mail train robberies but the railroads survived.  Train travel did have its problems in the U.S. for safety concerns with Indian raids, robbers and derailment. In fact, the railroad barons almost went bankrupt if they didn’t solve these and other security/safety issues for their riders.  Most people put a higher valuation on personal safety that some new glitzy technology. It was because of the security efforts from groups like Pinkerton, Texas Ranger and U.S. Marshalls that made the price to pay for robbing a train too high for its rewards. The old West had few laws but the most recognised one was 45, that’s Colt 45.

When trying to make a security comparison between email vs. standard mail the first question has to be “from what security perspective?”. Sure a letter can be stolen from a box that has your banking or social security information it, but it is not going to infect everything you do, cause your house to crash and force you to buy a new house to get an updated mail box. In the comment, “…digitization is now so much a part of our everyday lives that the suggestion that we should regress seems preposterous.” This is  true but it seems that technology companies have put a higher valuation on profit and market share than on security. The devastation to individuals, businesses and governments that a hidden malware in spam, file attachments, pharming sites, electron ads and such is inexcusable today. And it only takes one careless click to propagate into a $7.2M data breach catastrophe or an identity theft nightmare.

• So for individuals to revert back to snail mail – Understandable
• For businesses to revert back to snail mail – Very understandable

I don’t buy from websites that don’t have https:// shopping carts. I don’t click the email links anymore from people I don’t know. I certainly don’t open any email attachments even from my credit card company or bank. I know it’s not because I’m a technophobe, but because I can’t trust the delivery and the cost of a mistake is too high for me to pay. It is also inexcusable for companies like Google, Microsoft, Adobe, Amazon, Facebook, etc., and the U.S. Government to treats security, privacy and trust as after thoughts or worst, not at all. Even recently, states are selling personal email information to presidential campaign organizations so the state can make money and so you can be bombarded with their evil hate ads. Microsoft should also be ashamed of themselves for having a day every month since 1998 named for their products insecurity: Patch Tuesday.

In conclusion, ask yourself if you have changed any of your computer, email or internet habits due to viruses, identity theft , malware, spam, etc.concerns? How much security add-ons do you have because you felt vulnerable with the original product? Are you longing for the good old days of pony express and covered wagons because they were so convenient. Finally, back to the train analogy, gun sales were at its highest for the times when so were train robbers. Maybe that is why there are so many technology security companies today. So for the USPS to try to capitalize on the cyber security fears is no different from cyber companies trying to capitalize on the USPS speed. What all technologies come down to is the convenience it offers the user until the fear of personal harm from that technology drives self-preservation.