What is Spear Phishing?
Spear phishing is an attack technique in which an attacker crafts an e-mail using customized information about the recipient, with the goal of tricking the recipient into divulging sensitive information such as usernames, passwords or credit card details, or enticing the recipient to click a link that installs malicious programs, such as spyware, on their computer. The spear phishing e-mail usually appears to come from a trusted identity, such as a familiar individual or business. It contains information the reader can relate to, and can be very specific to the reader's personal life or business dealings, based on data the attacker has gathered about the individual. The e-mail usually contains links whose link text appears to be a familiar website, while the underlying URL (uniform resource locator) actually points to a different site. For example, a link displayed as http://www.KnownBank.com can actually point to http://FooledYouBank.com. It is best practice not to click on links embedded in e-mails unless you are absolutely sure they are valid. These types of attacks are becoming increasingly common as attackers have access to high-quality customized information that can be used to target unwitting, susceptible individuals.
Example of Spear Phishing E-mail
Below is an example of a spear phishing attack that I received today. It appears to be from Apple, an organization I have done business with. It speaks specifically about purchases through iTunes, a product I use regularly to purchase Apps, Music and other media. It also entices me to click the link for fear that an invalid purchase has been made with my Apple account.
However, after a cursory look, you can plainly see that it is a malicious e-mail. When I hovered over the embedded link, it clearly pointed to a different address than the displayed text. When reviewing your own e-mails, if you are unsure of an e-mail's validity, ask your local technology representative or geek friend to look at the underlying code of the e-mail to make a determination. Reminder: best practice is never to click on links received via e-mail unless you are positive they lead to valid URLs.
Technical Exploration of Underlying E-mail Code
Below is the underlying code of the email message displayed above. The first blue highlight indicates the sending server. Clearly this message did not originate from Apple.com. The second blue highlight indicates the underlying hyperlink reference, and again, clearly this does not link to Apple.com.
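The two checks described above, the sending server named in the Received headers and the href hidden behind the link text, can be automated. The script below is an added example for this post, not the author's own tooling; the e-mail it examines is constructed to mirror the iTunes lure, with made-up relay hosts and the FooledYouBank.com link from the definition above.

```python
"""Check a raw e-mail for the two tells discussed above: a sending server
that does not belong to the claimed sender domain, and anchor tags whose
visible text names one site while the href points somewhere else.
Added example for this post (not the author's own tooling); the message
below is constructed, with the page's own FooledYouBank.com as the lure."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the iTunes receipt lure; hosts are made up.
SAMPLE = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7]) by mx.example.org with ESMTP id abc123; Mon, 05 Mar 2012 09:12:01 -0500
From: "iTunes Store" <do_not_reply@apple.com>
To: victim@example.org
Subject: Your receipt No. 1234567890
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed a purchase you may not have made.</p>
<p><a href="http://FooledYouBank.com/itunes/login">http://www.apple.com/itunes/</a></p>
<p><a href="http://www.apple.com/support/">Apple Support</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a host name: good enough to compare sender and link
    domains here, though a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    addr = parseaddr(str(msg["From"]))[1]
    return registrable_domain(addr.rpartition("@")[2])


def receiving_hosts(msg):
    """Host named in the 'from' clause of each Received header, newest hop
    first.  The newest one was written by the recipient's own server, so it
    is the one Received header an attacker cannot forge."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        if m:
            hosts.append(m.group(1))
    return hosts


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def deceptive_links(html):
    """Anchors whose visible text looks like a URL or host for a different
    domain than the href actually targets.  Plain words ('Apple Support')
    cannot be compared and are left alone."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if not shown:
            continue
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(actual):
            findings.append((text, href))
    return findings


def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    claimed = sender_domain(msg)
    hops = receiving_hosts(msg)
    body = msg.get_body(preferencelist=("html",))
    return {
        "sender_domain": claimed,
        "hops": hops,
        "hop_mismatch": [h for h in hops if registrable_domain(h) != claimed],
        "deceptive_links": deceptive_links(body.get_content() if body else ""),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Two caveats when you run this against real mail. Only the topmost Received header was written by your own server; every one below it could have been typed in by the attacker. And a mismatch between the sender domain and the connecting relay is a prompt to look closer, not proof of fraud, since large senders routinely hand mail to third-party delivery services. The link check is the stronger signal: there is no honest reason for link text that spells out one site to lead to another.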
Small business, college, and non-profit personnel tend to have administrative rights on their work machines. Bad move, IT! Most computer users want to do what they want to do, when they want to do it, treating their work computer as their own personal computer. Often these very same users have little understanding of, and/or complete disregard for, the due diligence required when handling computer information systems. Leadership must make it a priority to inform end-users of computing issues and provide adequate training. In addition, policies and procedures must be implemented prohibiting end-users from putting computer networks and information systems in jeopardy.
Self-administration has its benefits and detriments. It gives end-users the ability to instantly install applications and/or modify the computer system to meet their own needs on their own time. This eases the load on the IT helpdesk and IT administrators, allowing end-users to perform trivial tasks such as third-party software updates or plugin installation. However, this same ability opens up each endpoint to potential exploitation. When the logged-in user is an administrator, any malicious payload that user is tricked into running executes with full administrative rights. Often, the end-user is duped into allowing the system to be compromised. Seemingly legitimate e-mails may contain links to malicious content. Seemingly legitimate files may contain malicious code or executables unbeknownst to the end-user. It is quite easy to fall prey to phishing schemes or to click seemingly legitimate web links to pages containing scripts that deliver malicious payloads to the system. When logged in as an administrative user, opening a file or link with hidden malicious content through Adobe Acrobat, Flash, Microsoft Word, a web browser, etc., may execute that code and allow the malware to compromise the whole system rather than a single user account. To mitigate such attacks, proper administration of computers and networks is necessary, though more costly. Proper administration calls for the elimination of end-user administrative privileges, putting administrative decision making in the hands of those who are knowledgeable in information technology and security.
Often, end-users become disgruntled at the thought of having their administrative rights curtailed. However, adhering to the principle of least privilege is a benefit to all. Allowing end-users to be administrators basically lets them treat their work computer as if it were their home computer. Kindsight Security Labs, in an April 2012 study, reported that 13% of all Windows and 7% of all Macintosh home computers are infected with malware. If these computers were office computers or home computers used to access organizational information the ramifications could be vast.
The tendency to use a work computer as a personal computer with administrative privileges puts not only the end-user's banking information, credentials, and other personal information at risk, but also the organization's information. Granting administrative privilege to technically unqualified and conceptually unaware end-users should be avoided. The computers of end-users with administrative permissions are often compromised. Such compromise can result in significant downtime, lost productivity, increased financial liability and additional burden on human resources. Data leakage could lead to a tarnished image in the press and exposure to lawsuits. The list goes on.
Security is everyone's obligation. "If you see something, say something" just doesn't cut it in the digital realm. Proactivity from all stakeholders is required. Precautionary technical measures ought to be implemented. End-users need to be trained about the issues at hand, the risks, the ramifications, and how to avoid them. The security firm Beyond Trust claims that a review of the Microsoft security bulletins showed that 90% of Microsoft vulnerabilities would have been mitigated by implementing the principle of least privilege. Implementing policy and technical controls allows an organization's administrative team to have greater control over their systems, minimizing risk. Specifically, eliminating end-user administrative control will immediately give an organization a better security posture.
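Saying "end-users are not administrators" is policy; checking it is an audit. The script below is an added example for this post, not the author's tooling: it parses the membership of the local administrators group as printed by `net localgroup Administrators` on Windows and by `dscl . -read /Groups/admin GroupMembership` on a Mac, and reports every account that is not on an assumed allow-list. The two command outputs embedded in it are constructed; `live_members` shows how to obtain the real ones.

```python
"""Audit who actually holds local administrator rights, so the least-privilege
policy argued for above can be verified rather than assumed.
Added example for this post, not the author's tooling.  The two command
outputs below are constructed samples; the allow-list is an assumption."""
import subprocess

# Constructed sample of `net localgroup Administrators` output on a Windows box.
NET_LOCALGROUP_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jsmith
jdoe
The command completed successfully.
"""

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` on a Mac.
DSCL_OUTPUT = "GroupMembership: root admin jdoe\n"

# Accounts that are *supposed* to be administrators (assumed allow-list).
APPROVED = {"Administrator", "CORP\\Domain Admins", "root", "admin"}


def parse_net_localgroup(text):
    """Member names are the lines between the dashed separator and the
    closing status line of `net localgroup` output."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
            continue
        if not in_list or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.append(line.strip())
    return members


def parse_dscl_admin(text):
    """dscl prints the attribute name followed by space-separated short names."""
    for line in text.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def unexpected_admins(members, approved=APPROVED):
    """Every admin-group member not on the allow-list: these are the end-user
    accounts the post argues should be demoted to standard users."""
    return sorted(m for m in members if m not in approved)


def live_members(platform):
    """Run the real command on the host (not exercised by the samples above)."""
    commands = {
        "windows": ["net", "localgroup", "Administrators"],
        "darwin": ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
    }
    out = subprocess.run(commands[platform], capture_output=True, text=True,
                         check=True).stdout
    return (parse_net_localgroup(out) if platform == "windows"
            else parse_dscl_admin(out))


if __name__ == "__main__":
    print("Windows, not approved:", unexpected_admins(parse_net_localgroup(NET_LOCALGROUP_OUTPUT)))
    print("Mac, not approved:    ", unexpected_admins(parse_dscl_admin(DSCL_OUTPUT)))
```

Run it from a scheduled task on each machine, or feed it the collected outputs centrally, and the list it prints is the list of accounts to remove from the group. A user who needs elevation occasionally should get a separate admin account, not admin rights on the account they read e-mail with.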
One of my personal mantras is: backup, Backup, BACKUP! Commonly, individuals, organizations, and businesses do not take the appropriate measures to archive their critical information on a scheduled basis.
Today, I received a call from someone I have not heard from in many months. I remotely logged into their company's computer systems to help one of the employees fix an issue with their QuickBooks accounting software. Immediately, I noticed that there was a backup status warning message indicating that the accounting database had not backed up since 4/9/11. Mind you, it is now February 2012. That is 10 months without backup.
My email to the business owner included this statement: “Since every aspect of your business revolves around the QuickBooks software and the data accumulated over the course of its use, if your computer systems fail now, your business will be crippled!”
Lessons To Be Learned / Take Aways
1. CHECK THE LOGS! Often, individuals, non-profit administrators, academics, and small business owners do not bother to check backup logs. Often, no one is assigned responsibility for ensuring that backups succeed, and individuals and organizations rely on automatic backups alone. To make matters worse, no one checks whether restores can be completed successfully from backup. Make and adhere to a schedule for checking log files, looking specifically for backup completion or failure notices. Periodically run a test: restore individual files and folders, and even perform complete system restores of mission-critical systems.
2. Understand how your business processes influence the functionality of your chosen technology, and vice versa. In this case, QuickBooks Online Backup does not back up files that are currently in use, so for a successful backup to occur the active files must be closed before the backup runs; once it completes, the database can be reopened. This particular small business runs its backups nightly, seven days a week. Often, the employees leave the QuickBooks application and database files open at night, causing the backups to fail. To compound the problem, the company has an accountant overseas who uses the data files directly off the production server. Due to the time difference, they open the QuickBooks files in the middle of the backup procedure, interrupting the backup process.
3. Security Principle = Availability. If the backup and restoration process are not successful, the availability of information may be in jeopardy in the event of a failure.
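Lessons 1 and 2 come down to three questions the log can answer: when did the last successful run finish, how many runs have failed since, and which files were skipped because someone had them open. The script below is an added example for this post, not the author's tooling; the log format and the lines in it are constructed to resemble the QuickBooks situation above (last clean run 4/9/11, then the company file in use every night), and the regular expressions will need adjusting to whatever your backup product actually writes.

```python
"""Check a backup log the way lesson 1 asks: when did the last *successful*
run finish, how long has it been failing, and which files were skipped
because they were in use (lesson 2).  Added example for this post, not the
author's tooling.  The log format and the lines below are constructed."""
import re
from datetime import date, datetime

# Constructed sample log: nightly job, last clean run 2011-04-09, then the
# QuickBooks company file is always open when the job starts.
SAMPLE_LOG = """\
2011-04-09 02:00:02 INFO  job 'nightly-qb' started
2011-04-09 02:04:31 INFO  job 'nightly-qb' completed successfully (4 files, 812 MB)
2011-04-10 02:00:01 INFO  job 'nightly-qb' started
2011-04-10 02:00:02 WARN  skipped C:\\QB\\Company.QBW (file in use)
2011-04-10 02:00:03 ERROR job 'nightly-qb' failed: 1 file(s) skipped
2012-02-13 02:00:01 INFO  job 'nightly-qb' started
2012-02-13 02:00:02 WARN  skipped C:\\QB\\Company.QBW (file in use)
2012-02-13 02:00:02 WARN  skipped C:\\QB\\Company.QBW.TLG (file in use)
2012-02-13 02:00:03 ERROR job 'nightly-qb' failed: 2 file(s) skipped
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")
SKIPPED = re.compile(r"skipped (\S+) \(file in use\)")


def parse_log(text):
    """Return (timestamp, level, message) for each well-formed line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(4)))
    return events


def check_backups(events, today, max_age_days=1):
    """Report the last success, its age in days, the number of failed runs
    since then, and every file skipped for being in use since then."""
    last_ok, failures_since, skipped = None, 0, set()
    for ts, level, msg in events:
        if "completed successfully" in msg:
            last_ok, failures_since, skipped = ts, 0, set()
        elif level == "ERROR" and "failed" in msg:
            failures_since += 1
        m = SKIPPED.search(msg)
        if m:
            skipped.add(m.group(1))
    age = (today - last_ok.date()).days if last_ok else None
    return {
        "last_success": str(last_ok.date()) if last_ok else None,
        "age_days": age,
        "stale": last_ok is None or age > max_age_days,
        "failures_since_success": failures_since,
        "skipped_in_use": sorted(skipped),
    }


def sample_report():
    """The constructed log as seen on the day the post describes."""
    return check_backups(parse_log(SAMPLE_LOG), date(2012, 2, 14))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Note that the check keys on the success line, not on the absence of errors: a job that is never scheduled, or whose log is never written, must come out as stale too, which is why `last_ok is None` counts as a failure. Wire the `stale` flag to an e-mail or ticket and the 10-month gap above becomes a one-day gap.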
Be sure to take into account all the variable business processes that can influence your technology, and how your technology can influence your business processes. Test your business processes and ensure that the technology supports them. Inversely, test the technology and ensure that your business processes leverage it successfully. In this case, ensure your backup, Backup, BACKUP!
Yesterday, I was assisting a new client who was moving into a new office space. In the corner of the room was a system labeled as the department server. My heart sank in IT disbelief. The “server” sat there with at least three glaring issues.
These glaring issues constitute a breach of all three of the basic principles of information system security; Confidentiality, Integrity, and Availability.
If your organization has any of these issues, please remedy them immediately. Should you require assistance or a technical consultation, visit http://Layer9.it.
Due to the mercurial nature of the technology and information security landscape, information security can be regarded as an ongoing process. The security process involves awareness and training, assessment of risk, the development of procedure and policy, and finally, the implementation of hardware and software security measures. Then, frequently repeat the process, reassessing and enacting the latest measures.
Information security measures should include much more than a firewall and antivirus. A proper security posture is an amalgamation of policy, procedure, and infrastructure. Maintaining an adequate security posture requires active participation and continual awareness in both personal and organizational realms. Information security entails the protection of the Confidentiality, Integrity, and Availability of information stored on computer systems. Information must be protected from unauthorized access, modification, deletion, or service disruption.
The topic of information security ought not to be taken lightly or summarily pooh-poohed. Since technology pervades all areas of life, the issues of information security affect each and every one of us. A breach could happen to you or your organization at any time. As my mother used to always say to me, "be aware of what's around you."
We all should recite this little chant until we are blue in the face and get into the rhythm of obliging its namesake phrase. So many individuals and small businesses do not have adequate data protection policies and procedures in place to safeguard their digital worlds. Computer users store business letters, data sets, school assignments, photographs, etc., usually on a single hard disk inside their personal or business computers. Since it is possible to lose data from primary storage at any moment, it is imperative to assess your personal and organizational data storage and backup needs. All too often people learn the hard way, especially when it comes to information safety and security. Don't fall victim to learning the hard way! Preempt a disaster and implement backups on a regular basis to safeguard your personal or organizational data.
What is backup?
Backup is the process of creating duplicate copies of data for the purposes of being able to restore to that point in time should the primary documents become unavailable or inaccessible. Documents can become corrupted or accidentally deleted, computers can be damaged by fire or even stolen, and inevitably computer hardware fails over time. Duplicate your data. Backup!
What to backup? When to backup?
The first step towards preventing data loss is to understand your personal and organizational backup needs. Make a list of files and folders, including word processing documents, spreadsheet documents, photographs, databases, and all other digitally stored documents that you or your organization could not afford to lose. Define what would constitute an acceptable loss, should this data be unrecoverable. Can the documents be recreated or would they be lost forever? How much downtime would be acceptable? For organizations, critical documents encompass such things as financial documents, day-to-day operational documents, etc., and for individuals, personal banking records, receipts, proofs of purchase, appraisals, personal photographs, etc., should be backed up to remote sites on a routine basis. After defining what needs to be backed up, define an acceptable backup schedule, taking into account the present volume of information, duration of time required for completing a backup, expected growth rate of the data store, and cost of storage technology needed to implement the backup policy.
Backups can be written to duplication media locally onsite and/or remotely to data centers offsite. Local backups require additional storage hardware on premises. Remote backups deposit data to remote network drives across the Internet. Creating both local and remote backups on a scheduled basis is strongly recommended to protect against data loss.
Online Remote Backup
With the widespread availability of high speed Internet access, backups can be securely transmitted via wired or wireless Internet connection to anywhere in the world. There are backup hosting companies that provide this service at reasonable cost to individuals and organizations of all sizes. The leading vendors of online remote backup are Mozy, Carbonite, and Norton Online Backup. There are also numerous other vendors, such as SOS Online Backup, iDrive, DollyDrive, BACKBLAZE, etc., that make up the online remote backup arena. When choosing a backup provider, it is important to understand the service level agreement and the provider's obligations to you. Each provider has different levels of guarantee, different capacity agreements, and of course different pricing schemes. Peruse all the options and choose the one that is best for you or your organization.
Local backups can and should be made in addition to remote backups, for two reasons. First, local backup and restoration take significantly less time, minimizing downtime. Second, having a secondary backup is always good policy in case recovery from one of the backups fails. In many cases a blended approach to backup will suit individuals and organizations well.
Local backups can be accomplished using a variety of physical media; as technology has progressed, hard disk media has declined in price significantly while storage capacity continues to increase. Local drives can be directly attached to individual computers or attached to the local network. Directly attached storage will be faster, but network attached storage allows multiple machines to back up to a single network drive. Storing local onsite backup copies in the same building as the originals is not such a good idea in the event a disaster strikes. To account for this danger, backups were traditionally written to disks and then carried offsite to a secondary secure location, requiring the rotation of multiple physical backup media. This process is still an option, but if you or your organization is willing to pay the subscription fees for online backup, a physical offsite rotation may be unnecessary.
Local backup drives are available from a variety of vendors. Personally, I like the Western Digital MyBook Studio II for directly attached storage for either Mac or PC since it has multiple interfaces (USB port, FireWire 800, Firewire 400, eSATA) and large capacity drives, capable of redundancy. Mac users can harness the seamless power of Apple’s Time Capsule network attached storage device. Windows users, although it is a bit pricy, can leverage the power of Windows Home Server, on hardware by HP, Lenovo, Acer or Asus. Alternatively, Windows and Mac users can also use a variety of third-party backup utilities that usually ship with other Network Attached Storage devices from Western Digital, Lacie, Seagate and iomega.
How to Backup?
Luckily, both Windows and Mac OS X natively have the ability to run local backups to external backup drives or local network shares, using Windows Backup and Time Machine respectively.
* Third party software is also available and many times comes packaged with the backup hardware.
A Note on Free Online Services
Conversely, with the rise of cloud computing, services such as Google Apps, iCloud, iDisk, Windows Live Mesh, DropBox, etc., provide wonderful primary storage and cloud based replication of files, contacts, calendar events, messages, etc. Remember, unless you or your organization is a paying subscriber, these are free services without a service agreement. There may be no contractual obligation for these services to actually work or to continue reliably. It is not uncommon for companies offering free services to eventually discontinue them, and this tends to be stipulated in their terms of service. Understanding this, it is important to create your own backups of the files, calendar events, contacts, messages, etc. that live in these services. Paying for a service generally creates a contractual relationship that binds the company to its service agreement; if you want reliability, pay for the service instead of relying on a free one.
* * *
Once a backup procedure has been put in place, it is just as imperative to test the backup's integrity by recovering files from it, to make sure the backup and recovery process actually works. Backup success or failure should be monitored on a scheduled basis.
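A "completed successfully" line proves the job ran, not that what it wrote can be restored intact. The drill below is an added example for this post, not the author's tooling or any vendor's: it records a SHA-256 manifest alongside the backup, restores the tree, and verifies the restore against the manifest, catching a truncated file and a missing file. The directory layout and file contents are constructed in a temporary folder so it runs stand-alone.

```python
"""Prove a backup restores intact rather than trusting the 'completed' line:
record a SHA-256 manifest when the backup is taken, then verify a restored
tree against it.  Added example for this post, not the author's tooling.
Paths and file contents are constructed in temporary directories."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a restored tree with the manifest taken at backup time.
    Returns (missing, mismatched, extra) relative paths, each sorted."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    mismatched = sorted(p for p in manifest
                        if p in current and current[p] != manifest[p])
    return missing, mismatched, extra


def restore_drill():
    """Simulated drill: back up a small tree, restore it, then damage one file
    and delete another, and return the verification result for both states."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live")
        (src / "qb").mkdir(parents=True)
        (src / "qb" / "Company.QBW").write_bytes(b"constructed company file\n" * 1000)
        (src / "qb" / "Company.QBW.TLG").write_bytes(b"constructed transaction log\n")
        (src / "invoices.csv").write_text("id,amount\n1,100\n")

        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)           # the 'backup' step
        manifest = build_manifest(backup)      # hashes recorded with it

        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)      # the 'restore' step
        clean = verify_restore(restored, manifest)

        # Simulate a truncated file and a missing file in the restore.
        (restored / "qb" / "Company.QBW").write_bytes(b"constructed company file\n" * 10)
        (restored / "invoices.csv").unlink()
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore   ->", clean)
    print("damaged restore ->", damaged)
```

Keep the manifest with the backup set, not only on the source machine, and run the verification from the restore target. A restore that comes back with empty lists for missing and mismatched files is the only "backup OK" worth writing in the log.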
* * *
My Personal Backup Procedure
As I rotate between locations throughout the week, I plug my laptop into the following:
askWinters is always at your service, answers delivered!
Hello World! Today, I start my askWinters.com blog. Blog posts will be my personal opinions on current technology issues from web 2-3.0 applications, web services, information security, small office computing, technology infrastructure, and of course new hardware and software products. Feel free to comment and criticize to your hearts content!
-Jonathan N. Winters