Myths die hard. This week the death knell sounded for the myth of Macintosh security. Users can no longer naively claim that they don’t need to be concerned with security because they use a Macintosh.
All complex software has vulnerabilities, which cybercriminals are only too happy to exploit. This is true of Mac OS X just as it’s true of Windows. It’s cold comfort that this particular vulnerability surfaced in Java, so well known as a source of attack exploits that we recommend users disable it. The lesson we need to take away from the Mac OS X story is humility in the face of software complexity.
In the 1980s I was a staff security engineer at TRW when my manager gave me a piece of wisdom that applies to the myth of Mac security. “There are three kinds of knowledge,” he said. “There’s what you know that you know you know. There’s what you don’t know that you know you don’t know. And there’s what you don’t know that you don’t know that you don’t know.”
It’s this third category that is most dangerous—what we don’t know that we don’t know we don’t know. This—our hidden ignorance—is what gets us into trouble. Believing the myth of Mac security—jumping to the conclusion that Macs are secure because we don’t know about their insecurities—is dangerous because the myth keeps us from taking the actions necessary to protect sensitive information on our Macs.
We run across a lot of myths about cyber security management in our work with clients, in our workshops and in our cyber security briefings. There is the myth that IT can effectively manage cyber security; that senior management doesn’t need to get involved. There is the myth that antivirus and anti-malware solutions provide sufficient security. There is the myth that “we have nothing of interest to a cyber criminal.” And the most dangerous myth of all—that we can be secure if we simply do A, B and C, whatever A, B and C happen to be. It is these and other myths that keep us from being open to what we don’t know that we don’t know we don’t know.
Myths are not always dangerous. As a child I was enthralled with the myths of the Greek and Roman gods; their stories formed the backdrop for a significant part of my moral education.
Myths become dangerous when we inappropriately apply them to real-world circumstances where they don’t apply. They become dangerous when they keep us from exploring that which we don’t know we don’t know.
When it comes to cyber security management, myths are particularly dangerous. Our greatest security weakness—our greatest vulnerability—lies in the security myths we believe.
That’s why this week’s stories of more than 600,000 Macs infected by the Flashback malware are so important, for they serve as a warning about the dangers of all cyber security myths.
European hackers suspected in Utah Medicaid files breach: SALT LAKE CITY (Reuters) – A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday. The Chicago Tribune, April 4, 2012
Worker error exposes Utah Medicaid clients to hackers: A mistake by a state employee allowed hackers — suspected by state officials to be located in eastern Europe — to gain access to more than 24,000 files submitted to the Utah Department of Health for Medicaid recipients. The Salt Lake Tribune, April 4, 2012
Global Payments: Rumor and Innuendo: Global Payments Inc., the Atlanta-based credit and debit card processor that recently announced a breach that exposed fewer than 1.5 million card accounts, held a conference call this morning to discuss the incident. Unfortunately, that call created more questions than it did answers, at least for me. The purpose of this post is to provide some information that I have gathered, and a few observations about the reporting on this breach so far. KrebsOnSecurity, April 2, 2012
Global Payments Data Breach Exposes Card Payments Vulnerability: Cardholders around the world received a shock late last week when Global Payments Inc. announced a breach in its card data processing system. [1] After all, the company is one of the biggest processors of Visa and MasterCard card transactions, and also processes a sizable number of transactions for Discover Financial and American Express. Forbes, April 3, 2012
How to remove the Flashback malware from OS X: While OS X was relatively void of malware for the first 10 years of use, recently malware scares have cropped up that have affected a significant number of Mac systems. Cnet, April 5, 2012
Widespread Virus Proves Macs Are No Longer Safe From Hackers: For years, Mac users have been told that not only are they cooler than their PC counterparts, they are safer too. Apple has always held that computer viruses and malware only dogged its competitors. That is no longer the case. The New York Times, April 6, 2012
Urgent Fix for Zero-Day Mac Java Flaw: Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems. KrebsOnSecurity, April 4, 2012
Over 600,000 Macs infected with Flashback Trojan: Summary: The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it. ZDNet, April 4, 2012
Apple patches 3-month-old Mac OS X security flaw: Days after a serious malware threat to Mac OS X was discovered, Apple finally patched the three-month-old security flaw that made it possible. MSNBC, April 4, 2012
Security hole exposes Android, iOS to Facebook identity theft: A new security vulnerability discovered in Facebook for Android and Facebook for iOS means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. ZDNet, April 5, 2012
Cyber Criminals Targeting High-Profile Brands and Keywords to Undermine Users: GFI Software recently released its VIPRE® Report for March 2012, a collection of the 10 most prevalent threat detections encountered during the last month. GFI Labs documented several spam attacks and malware-laden email campaigns infiltrating users’ systems under the guise of communications purporting to be from well-known companies and promotions for popular products and services. Google™, LinkedIn®, Skype™ and the video game Mass Effect™ 3 were among the brands exploited by cyber criminals in order to attract more victims. IT BusinessEdge, April 2012
Ice IX Malware Tricks Facebook Users Into Exposing Credit Card Details, Says Trusteer: A new configuration of the Ice IX malware attempts to trick its victims into exposing their credit card details when they try to access their Facebook accounts, according to security firm Trusteer. PC World, April 3, 2012
Cyber-Criminals Change Tactics as Network Security Improves: IBM in its X-Force security report for 2011 said security efforts have cut spam and improved vulnerability patching, but attackers are now targeting mobile devices and the cloud. CIO Insight, March 23, 2012
Social Media Companies Contribute to Cybercrime: Cybercrime is an everyday problem that threatens business operations and causes large out-of-pocket expenses for individual and corporate victims alike. Although statistics regarding the actual cost of cybercrime vary, the incidence of cybercrime has climbed steadily over the past decade. The 2011 Norton Cybercrime Report claims that more than one million people become victims of cybercrime every day, and it estimates the financial cost of cybercrime is larger than the combined global black market for cocaine, heroin, and marijuana. Forbes, March 14, 2012
Encryption in 2012: Now a strategic business issue: In an increasingly digital world, information security and data privacy have become critically important to the enterprise. According to the 2011 Global Encryption Trends Study from Ponemon, encryption use to protect sensitive data is becoming widespread and strongly correlates to the overall strength of organization’s security posture. So much so that encryption is now viewed as a strategic business issue, a far cry from when it was a niche technology and solely the concern of the IT department. ZDNet, April 4, 2012
Grant Thornton survey reveals Chief Audit Executives most worried about cybersecurity risks: CHICAGO, Mar. 19, 2012 – Chief Audit Executives (CAEs) ranked cybersecurity as their #1 concern in emerging risks, according to a new survey by Grant Thornton LLP. Mobile technology was their second biggest concern, followed by business interruption and social media. While more than half (56%) of CAEs report that their organization had 10 or less cybersecurity incidents in the last 12 months, nearly a third (31%) said that they did not know how many incidents their company had. Grant Thornton, March 19, 2012
Alan Paller of SANS Institute Speaks at ISSA-LA Information Security Summit on Cybercrime: Mr. Alan Paller, director of research at the world renowned SANS Institute, will be the keynote speaker at the Los Angeles Chapter of the Information Systems Security Association’s (ISSA-LA) fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business. SecurityOrb, March 29, 2012
Richard Clarke on Who Was Behind the Stuxnet Attack: The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders. Smithsonian Magazine, April 2012
How China Steals Our Secrets: For the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property. New York Times — Richard Clarke Op-Ed, April 2, 2012
The Zero-Day Salesmen: At A Google-Run competition in Vancouver last month the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin. Forbes, March 28, 2012
Anonymous Hackers Deface 500 Chinese Government Websites: The Anonymous movement has pulled off one of its biggest hacktivist coups yet, successfully defacing hundreds of Chinese Government websites in a spectacular protest against Internet censorship. April 6, 2012
A reader asks: “What is the possibility of my personal computer being affected? I have two virus protection programs on the computer.”
Dear Reader:
The possibility of your personal computer being affected is high.
Having an anti-virus program (or even two) on your computer is a cyber security requirement just like having a lock on your front-door is required to protect your house and your family.
But if you want to protect your house and family, you need more than a lock or two on your front door. You want locks on all your doors and all your windows, you may want bars on first-floor windows, perhaps an alarm system, maybe a surveillance system, maybe even a 24 hour guard service. If all you have is a lock or two on your front door, there is a high possibility that your house has been robbed.
It’s the same with cyber security. Your anti-virus software — like a spam filter or a firewall — is designed to keep malicious software (malware) from getting onto your computer, just like the lock on your front door is designed to keep criminals out.
Anti-virus software — like that lock on the front door — doesn’t offer very much protection against today’s breed of cybercriminals and the advanced tools they use, tools that virus protection software can’t cope with.
While anti-virus and anti-malware programs may keep the majority of attacks off of your computer, they allow too many attacks to slip through, becoming like invisible ghosts marauding through the house.
That’s why it’s so important to have more than one layer of defense. By themselves, anti-virus programs are grossly inadequate to the task of protecting our computers. What is needed is called Defense-in-Depth.
The following eight recommendations for keeping cybercriminals off your computer are from our Personal Guide to Staying Safe Online. They are all FREE except for the anti-virus software which you already have.
The Guide provides more than a dozen additional recommendations, covering five different defense strategies. Many of them are also free.
Most important, perhaps, is the opportunity your question gives us to see information security from a different point of view, replacing the question “what is the possibility of my personal computer being affected?” with the far more practical — and also deeper — question “what can I be doing better to keep malware off of my computer?”
I encourage you to keep this question in your mind as you use your computer. The Department of Homeland Security has a public relations campaign to encourage consumers to do just this. It’s called Stop. Think. Connect.
A hospital lost $600,000 to online bank thieves when one of its employees clicked on a link in an email supposedly announcing her high school reunion.
A leading cyber security firm lost the keys protecting its customers’ most sensitive information when one of its employees opened an Excel spreadsheet attached to an email. The attachment was titled “Next Year Hiring Plans.”
Cyberthieves plant malware on unprotected web sites, malware designed to infect the too-often unpatched computers of visitors to the web site.
Hacktivist groups like Anonymous seem to be able to bring down web sites whenever they want: Sony, FBI, Department of Justice, the U.S. Senate, MPAA … the list seems endless.
It’s become obvious that we are losing the battle, that right now, in this moment of history, it’s the cyber criminals who are winning. Now, more than ever, we need the Information Security Village that my colleagues and I first described nearly five years ago in the ISSA Journal and that I wrote about more recently in the Los Angeles Business Journal.
Three years ago, ISSA-LA — the Los Angeles Chapter of the Information Systems Security Association — adopted the motto It takes the village to secure the village SM, a reflection of the Chapter’s commitment to creating the information security village in the Los Angeles community.
On May 16, ISSA-LA holds its Fourth Annual Information Security Summit. The Summit is the only educational forum in Los Angeles specifically designed to encourage participation and interaction among all three vital information security constituencies:
The Information Security Summit is a key pillar of ISSA-LA’s Community Outreach Program, designed to provide information security knowledge and education to the 300,000 businesses, not-for-profit and government agencies in the 18th largest economy in the world. The goal of the program is to help our community stay safe from cybercrime by enabling the necessary collaboration between business and community leaders, technical IT professionals and the information security community.
It’s been my privilege to be President of ISSA-LA during the development of the Chapter’s Community Outreach Program. I invite you to be part of this year’s Summit, to join the village. More information for attendees and sponsors is available at the Chapter’s newly redesigned web site.
FBI Director Robert Mueller told the U.S. House Permanent Select Committee on Intelligence this week that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.” Elaborating on the breadth of the threat, he said “there is very little we do in this day and age that is not on or somehow associated with the internet. The theft of intellectual property, the theft of research and development, the theft of the plans and programs of a corporation for the future, of all which are vulnerable to being exploited by attackers.”
It is not just our sensitive information that is threatened. The Internet itself is threatened … and extremely vulnerable. In the last several weeks, we’ve seen successful Distributed Denial of Service (DDoS) attacks against banks, governments, law enforcement and the entertainment industry. We’ve seen Israeli and Palestinian cyber-vigilantes launch DDoS attacks against each other’s web sites. What happens when radical organizations discover they can launch a DDoS attack against their enemies? We should not be surprised to see the Internet become a battleground in America’s culture wars.
In his testimony, Mueller recommended that we need to become better at gathering, sharing, analyzing and using cyber information, offering several specific suggestions to the Committee for needed changes at the Bureau, throughout government and in new legislation.
His recommendations apply as well to individual organizations, as our work with clients continues to demonstrate. Every organization with sensitive information needs to continually ask itself: Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses? Are we effectively analyzing this information, using it to better secure our information? Are we sharing it with the necessary parties? In particular, is management getting the information it needs to proactively manage information risk?
One highly critical defensive measure, for example, is to rigorously keep software patched. One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software. That’s why we publish our Weekend Patch and Vulnerability Report, alerting readers to major patches.
Patching needs to be on the Weekly Must-Do list of every IT Department and IT vendor. Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops. Does IT gather vulnerability information? Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum? Is it shared with Senior Management? Does Senior Management know that IT must patch vulnerabilities to comply with laws like HIPAA HITECH or contractual obligations like the Payment Card Industry’s Data Security Standard? Does Senior Management regularly monitor “weekly vulnerability trends?”
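The questions above (does IT gather vulnerability information, analyze it, share it, and does management see weekly trends?) are easier to act on when the scan data is turned into a short report. The following script is an added example, not from the original post or from any product the post names: it reads a vulnerability scan export in a constructed CSV format, counts open findings per desktop by severity, flags findings that have sat unpatched past an assumed patch-deadline policy (SLA_DAYS), and compares this week's scan with last week's to produce the "weekly vulnerability trend" view. All host names, vulnerability IDs, dates and the SLA policy are constructed for the example.

```python
"""Weekly patch/vulnerability trend report over a scan export (added example).

The CSV layout, the sample rows, the host names, the VULN-xxxx identifiers and
the patch-deadline policy are all constructed for this example and are not
taken from any real scanner or advisory.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Constructed scan exports: one row per open finding on a desktop.
LAST_WEEK = """host,vuln_id,severity,patch_available,scanned
ws-01,VULN-0001,critical,2012-01-10,2012-03-28
ws-01,VULN-0002,high,2012-02-20,2012-03-28
ws-02,VULN-0003,medium,2012-03-01,2012-03-28
ws-02,VULN-0001,critical,2012-01-10,2012-03-28
"""
THIS_WEEK = """host,vuln_id,severity,patch_available,scanned
ws-01,VULN-0002,high,2012-02-20,2012-04-04
ws-02,VULN-0003,medium,2012-03-01,2012-04-04
ws-02,VULN-0001,critical,2012-01-10,2012-04-04
ws-02,VULN-0004,critical,2012-04-03,2012-04-04
"""

# Assumed patch-deadline policy: days allowed between a vendor patch becoming
# available and the finding being closed. Adjust to your own policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def parse_export(text):
    """Parse the constructed CSV export into dicts with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "vuln_id": r["vuln_id"],
            "severity": r["severity"].strip().lower(),
            "patch_available": date.fromisoformat(r["patch_available"]),
            "scanned": date.fromisoformat(r["scanned"]),
        })
    return rows


def summarize(rows):
    """Per-host counts by severity, plus findings open past their SLA.

    Returns (per_host, overdue) where per_host maps host -> Counter of
    severities and overdue is a list of (host, vuln_id, severity, age_days).
    """
    per_host = defaultdict(Counter)
    overdue = []
    for r in rows:
        per_host[r["host"]][r["severity"]] += 1
        age = (r["scanned"] - r["patch_available"]).days
        if age > SLA_DAYS.get(r["severity"], SLA_DAYS["low"]):
            overdue.append((r["host"], r["vuln_id"], r["severity"], age))
    return dict(per_host), overdue


def weekly_trend(previous, current):
    """Management view: what was fixed, what is new, what is still open."""
    prev_keys = {(r["host"], r["vuln_id"]) for r in previous}
    cur_keys = {(r["host"], r["vuln_id"]) for r in current}
    return {
        "fixed": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "still_open": sorted(prev_keys & cur_keys),
        "total_open": len(cur_keys),
    }


def hosts_over_threshold(rows, threshold=100):
    """Desktops carrying more open findings than the threshold (the post
    mentions seeing more than 100 on a single desktop)."""
    per_host, _ = summarize(rows)
    return sorted(h for h, c in per_host.items() if sum(c.values()) > threshold)


if __name__ == "__main__":
    prev, cur = parse_export(LAST_WEEK), parse_export(THIS_WEEK)
    per_host, overdue = summarize(cur)
    print("Open findings per desktop:", per_host)
    print("Past patch SLA:", overdue)
    print("Weekly trend:", weekly_trend(prev, cur))
    print("Desktops over 100 open findings:", hosts_over_threshold(cur))
```

The trend dictionary is the part worth putting in front of management each week: "fixed" shows whether IT is actually closing findings, "new" shows how fast new exposure arrives, and "still_open" combined with the overdue list shows where the patch policy is being missed. With a real scanner, only parse_export needs to change to match its export format.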
Mueller’s recommendation that we become better at gathering, sharing, analyzing and using cyber information applies to our communities as well. That’s what led our Los Angeles ISSA Chapter to launch our Community Outreach Program 5 years ago. It’s our mission to be the premier catalyst and information source in Los Angeles for improving the practice of information security. It’s the genesis of our tagline: It Takes the Village to Secure the Village SM. It’s the orientation of our newly designed website. And it’s the focus of our forthcoming Fourth Information Security Summit, being held May 16, 2012 at the Universal Hilton Hotel.
Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better. While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.
Three stories from today’s cyber security news.
“U.S. shuts Megaupload.com, hackers retaliate.”
“Anonymous Claims DOJ, RIAA, MPAA Sites Hit for Megaupload Bust.”
The “distributed denial of service” (DDoS) attacks by hacktivists on FBI, Justice Department and entertainment industry websites suggest that the battle to protect intellectual property on the Internet has taken a new and ugly turn. Cybergeddon?
Left unnoticed may be the most ominous of headlines as it makes the tools of cyber terrorism available to anyone with a grudge against America: “Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software.” Cybergeddon?
The world changed today and with it the need to prepare for a new and more dangerous round of cyber attacks. It’s more important than ever to follow the advice I learned years ago as a Boy Scout: “Be Prepared.”