[BreachExchange] Beware Of Social Media And Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 1 18:30:32 EST 2016


http://www.forbes.com/sites/joannabelbey/2016/02/29/beware-of-social-media-and-cybersecurity/#28f86960307c

There are no hackers, only spies, says Eric O’Neill, former FBI
counterterrorism and counterintelligence operative.

O’Neill shared “cloak and dagger” stories about taking down the notorious
spy, Robert Hanssen, at a recent event. Hanssen spied for the Russians, the
Soviets and then the Russians again, from 1979 to 2001 – right from the
offices of the FBI. He was ultimately caught while making a drop in a park
at night and is serving fifteen consecutive life sentences at a super max
prison.

Hanssen Was The First Hacker

According to O’Neill, Hanssen stole information by exploiting the failures
of computer systems. He was able to access and steal data throughout the
Bureau without the FBI noticing. He was even one of the first spies to
share information by using data disks. When he made his first drops to the
Russians, he would drop five and a quarter floppy disks. The Russians
initially tried to play them on a record player and scratched their heads
because they wouldn’t make music. Over time, the packages got smaller as he
moved to three and a half floppy disks and finally thumb drives.

Dispelling The Myth Of The Hacker

Hollywood is responsible for the perception that hackers are overweight
guys, sitting in a dark basement, hammering away at a computer. You hear
tap, tap, tap. Suddenly there is a eureka moment. The hacker hammers the
enter key, and says, “We’re in”. O’Neill is trying to dispel that myth.
Hackers are not typically using brute force methods. Rather than hacking
computers, they’re trying to hack people to find easy ways to access data.
Hacking is the evolution of espionage. Now that we store data in computers
instead of paper, spies and their modern-day equivalent, hackers, have had to
become more sophisticated in how they steal information.

The Trusted Insider

Like the case of Robert Hanssen, the most wicked, nefarious hackers are
trusted insiders who steal information and are responsible for data
breaches. They are the hardest to identify and catch. Unlike worrying about
a specific end point like a laptop, phone or thumb drive, you need to worry
about a person. Like Robert Hanssen at the FBI, this person is sitting in
your company behind your firewall, with access to your proprietary
information. They can be very hard to detect. If you don’t have a plan to
catch them, and if you don’t know where your information is and what you’re
trying to protect, sometimes you don’t even know that it’s gone.

Governments Spying

O’Neill says that in the past, you had to worry about your competitor up
the street trying to steal your information. Now you have to worry about
state-sponsored, militarized hacking crews, sitting in warehouses and with
stealthy advanced persistent threats. They are just waiting for someone to
make a mistake so they may pass through your firewall. It’s very hard to
protect against. Some of the biggest hacks have come out of China.
State-sponsored hackers want to steal technology, information, and more
recently, identities. Identities have value and can be sold on the internet.

Hacktivists Is The New Buzzword

Hacktivists break into computer systems for political or socially motivated
purposes. One example is Anonymous, which according to O’Neill “is both
good guys and bad guys” because they take down ISIS websites. WikiLeaks is
another hacktivist that publishes companies’ proprietary information so
competitors can legally learn from it. And then there’s the Impact Team
which attacked Ashley Madison, a dating site for married people. Impact
Team gained access, probably through a trusted insider, and stole the names
of all the people who registered. Impact Team threatened to publish these
names and email addresses unless the site was shut down. The firm refused and
the information was published for everyone to see.

Worry About Social Media

Social media can really trip you up, O’Neill warned. Hackers can “recruit”
employees by learning enough about them from posts and tweets to craft
authentic looking phishing emails to gain access to personal accounts or to
enterprise passwords. The recent Anthem breach is an example of how social
media can be used against a firm. Anthem had good cyber controls in place
and prohibited their system administrators from listing their current job
function on social media to help protect them from cyberattacks. However,
government sponsored hackers used LinkedIn to search for everyone who
worked at Anthem. Hackers then methodically searched for anyone who had
worked as a system administrator at a prior firm. Hackers then sent
phishing emails to all those people. A few system administrators at Anthem
clicked on links and the hackers quickly gained access to millions of
consumers’ personal information, including names, birth dates, addresses,
email addresses, employment information and Social Security/member
identification numbers.

3 Tips To Prepare For Breaches

How can firms prepare for the breaches that are going to happen? O’Neill
offered three tips:

1. Compartmentalize sensitive, important information. Understand where the
data is and what are all the points where it can be accessed. Build circles
around your core information to protect the data and limit access. Audit
and monitor access to the data from within and outside the firm.
2. Be diligent. Actively find out whether, and from where, information is
being accessed. Understand which endpoints are being accessed at what time.
Whitelist applications for your firm. Watch for employees that connect
their personal laptop to the network. Their personal laptops may be loaded
with gaming software that may provide access to communities, voice and chat
right across your network.
3. Beware of social media. Teach your employees to be careful what they
post and which links they click on. Put protections in place to protect
users from themselves. O’Neill concluded, “It’s as though we all live in a
massive reality show and we don’t see the cameras. But those cameras are
there, they’re recording, and that stuff lasts forever. And who knows,
someone might go through it in the future”.