Cyber Counterintelligence Blog - SpearTip

SpearTip Blog

SpearTip’s blog provides insight and information about cyber security and counterintelligence related news and events that are of strategic importance to leadership within these sectors.

About SpearTip:

SpearTip, LLC is a world-class cyber security and counterintelligence firm. We offer incident response, malware detection, managed security services (MSSP), penetration testing, enterprise risk management, zero-day malware analysis, gap analysis and digital forensics services throughout the US and in select foreign countries.

The Department of Homeland Security is the latest victim of an insider threat who stole confidential digital documents from a “well-guarded network” for years unnoticed. The DHS has confirmed that they lost the personally identifiable information (PII) of more than 200,000 employees, past and present, in early 2014. The breach was noticed earlier in 2017 and reported today; the stolen information includes employee names, dates of birth, and Social Security numbers.

Insider threat awareness is not an often-discussed vulnerability, as many organizations like to believe their employees follow the company mission to a T and would never harm the business in any way. The unfortunate truth is that disgruntled employees are formed in many unforeseen ways. Something as simple as releasing a new company policy requiring employees to walk an extra 50 feet from the building to smoke, for fire hazard prevention, may tip over the edge an employee who doesn’t share the vision of the fire prevention necessity and sees this as a means of harassing smokers. In response, said employee plans an exit strategy which involves deleting important proprietary documents from the server in the last hour of the last day before switching companies.

In a more extreme case, you didn’t give the open C-suite position to Director Dan, who thought for sure he was the next successor. In response, Director Dan decides to make the money he’s “entitled to” by other means. Director Dan calls up a foreign competitor, claims he has the keys to the castle, and offers to hand over the company’s secret sauce for the right price. The competitor agrees, and suddenly your entire organizational plan, structure, and proprietary property is in the hands of your competition.

Protecting your organization from insider threats can be as simple as refreshing access control policies and credential monitoring. A good rule of thumb to follow is granting employees access to only the files they need to perform their immediate jobs, a security concept called “least privilege.” In other words, your accountants can access the raw data necessary to run the books, but only the CFO and payroll manager have access to payroll information. This way, if an accountant becomes compromised, the scope of the threat is drastically lessened to just what he/she had access to.
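The least-privilege rule above, written out as a deny-by-default access check. This is an added example, not SpearTip’s code; the role names, permissions and sample users are constructed for illustration, and the `over_privileged` helper is a hypothetical aid for the access-policy refresh the post recommends.

```python
# Added example (not SpearTip's code): a deny-by-default, role-based access
# check that models the least-privilege rule described above. The role names,
# permissions and sample users are constructed for illustration.
from dataclasses import dataclass

# Each role lists only the permissions needed for that job. Anything not
# listed is implicitly denied; there is no "admin" catch-all role.
ROLE_PERMISSIONS = {
    "accountant":      {"ledger:read", "ledger:write"},
    "payroll_manager": {"ledger:read", "payroll:read", "payroll:write"},
    "cfo":             {"ledger:read", "payroll:read"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def permissions_for(user: User) -> set:
    """Union of the permissions granted by the user's roles.

    A role that is not defined grants nothing, so a typo in a role name
    fails closed instead of open.
    """
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(user: User, action: str) -> bool:
    """Deny by default: allow only if some role explicitly grants the action."""
    return action in permissions_for(user)


def blast_radius(user: User) -> set:
    """Everything an attacker could do with this account's credentials.

    This is what least privilege minimises: a compromised accountant
    exposes the ledger, never payroll.
    """
    return permissions_for(user)


def over_privileged(user: User, job_needs: set) -> set:
    """Permissions the user holds beyond what their job actually requires.

    Intended for a periodic access review; a non-empty result is a
    candidate for removal.
    """
    return permissions_for(user) - job_needs


# Constructed sample users.
ACCOUNTANT = User("alice", frozenset({"accountant"}))
CFO = User("carol", frozenset({"cfo"}))
CONTRACTOR = User("dave", frozenset({"contractor"}))  # role never defined -> no access

if __name__ == "__main__":
    print(is_allowed(ACCOUNTANT, "ledger:write"))   # True
    print(is_allowed(ACCOUNTANT, "payroll:read"))   # False
    print(sorted(blast_radius(ACCOUNTANT)))         # ['ledger:read', 'ledger:write']
    print(over_privileged(CFO, {"ledger:read"}))    # {'payroll:read'}
    print(is_allowed(CONTRACTOR, "ledger:read"))    # False
```

The point of `blast_radius` is that it is computed from the same table the enforcement uses, so the report an auditor sees cannot drift from what the system actually permits.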

Consumer Cyber Best Practices

The end of the year is a valuable time to clean up bad cyber habits. With a new year comes new opportunities for both you and the bad guys. Bad guys prey on ignorance to compromise your identity and assets. I frequently hear, “I’m not worth a whole lot so bad guys aren’t going to waste time trying to compromise me,” or “there’s nothing in my bank accounts so I’m not a target.”

Consider this – in most cases, the content of your bank account is irrelevant to the hacker, because the original hacker is only after your account information to sell to a third party on the dark net. The average credit/debit card is worth about 25 dollars on the cyber black market. This is why you see “skimmers” being used at retail locations and gas stations. Each time a consumer swipes a card at a terminal with a hidden skimmer, the bad guy pockets 25 bucks, regardless of who owns the card or their current wealth.

There are many easy steps that can be taken to better protect yourself from cybercrime on and off the internet. First and foremost, good password hygiene. Having a password of at least 10 characters, using at least 2 upper- and lower-case letters as well as a special character, drastically lowers an adversary’s ability to break your password. Think of it this way: if I were tasked with trying to guess a co-worker’s password, and the co-worker’s password was 123456, it may be a quick day at the office. However, if that co-worker’s password was 9ijhB&^72A, I’m in for a long night. The password cracking ability of a hacker works in the exact same manner. If a password is short and typical, such as password1, the hacker’s computer will guess it correctly in a matter of minutes. If the password is 9ijhB&^72A, the hacker would give up long before the computer program came close to guessing the correct sequence. In addition, use different passwords for each website visited, especially sites with sensitive information such as online banking or social media accounts. This way, if one site’s credentials are compromised, the attacker doesn’t have access to all the others with the same credentials.
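To make the “quick day” versus “long night” comparison concrete, here is an added example (not SpearTip’s code) that checks a password against the rule of thumb above and estimates the brute-force search space. It reads the rule as at least two upper-case and two lower-case letters; the guess rate of ten billion per second and the five-entry “common passwords” list are constructed assumptions standing in for a real wordlist and real cracking hardware.

```python
# Added example (not SpearTip's code): checks a password against the policy
# given in the text (10+ characters, at least two upper- and two lower-case
# letters, a special character) and estimates the brute-force search space.
# The guess rate and the tiny "common passwords" list are constructed.
import math
import string

CHARSETS = {
    "lower":  set(string.ascii_lowercase),  # 26 characters
    "upper":  set(string.ascii_uppercase),  # 26
    "digit":  set(string.digits),           # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed stand-in for an attacker's wordlist; real lists hold millions.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}


def meets_policy(pw: str) -> bool:
    """The text's rule of thumb: length >= 10, >= 2 upper, >= 2 lower, >= 1 symbol."""
    upper = sum(c in CHARSETS["upper"] for c in pw)
    lower = sum(c in CHARSETS["lower"] for c in pw)
    symbol = sum(c in CHARSETS["symbol"] for c in pw)
    return len(pw) >= 10 and upper >= 2 and lower >= 2 and symbol >= 1


def keyspace_bits(pw: str) -> float:
    """log2 of the number of candidates a brute-force attacker must consider.

    Assumes the attacker knows the length and which character classes were
    used, the usual conservative model: only classes actually present count.
    """
    alphabet = sum(len(chars) for chars in CHARSETS.values()
                   if any(c in chars for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to guess pw at the given rate (assumed GPU-class speed).

    A wordlist hit costs at most the wordlist size; otherwise, on average,
    half the keyspace must be searched before the right guess.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS) / guesses_per_second
    return (2 ** keyspace_bits(pw)) / 2 / guesses_per_second


def compare(passwords):
    """Return {password: (meets_policy, bits, expected_seconds)} for a report."""
    return {pw: (meets_policy(pw), round(keyspace_bits(pw), 1),
                 expected_crack_seconds(pw)) for pw in passwords}


if __name__ == "__main__":
    seconds_per_year = 365.25 * 24 * 3600
    for pw, (ok, bits, secs) in compare(["123456", "password1", "9ijhB&^72A"]).items():
        print(f"{pw:12} policy={ok!s:5} bits={bits:5}  ~{secs / seconds_per_year:.2e} years")
```

Note that `password1` has a respectable-looking keyspace on paper (nine characters from a 36-symbol alphabet) but falls instantly because it is on every wordlist; that is why the policy matters less than avoiding anything predictable, and why a different password per site limits the damage when one wordlist hit lands.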

The internet, however, is not the only place you can unknowingly give up your identity or bank account information. Every time you swipe a credit/debit card, you give up your data to the vendor, hoping that they have the means and infrastructure in place to keep your information safe. As we’ve seen with Target and The Home Depot, assuming an organization is secure based on its size is a recipe for identity theft. So, the question isn’t “should I never swipe a card again?” as much as “what card should I be swiping?”

If you can navigate the temptations of the almighty credit card, this is your safest option. When using a debit card as your everyday method of payment, you are accepting the risk of losing the entirety of the bank account linked to that card. In other words, when you swipe with your debit card, whatever amount is in all accounts linked to that card, i.e. checking, savings, IRAs, is the full combined amount you are liable for in the event that the card is compromised. With a credit card, however, limitations of liability are attached, usually around 500 dollars, for which you are responsible in the event of a breach. Banks and other financial institutions are getting better and better about not holding their members liable for these fraudulent activities; however, you can limit your liability simply by switching to a credit card as your go-to card for everyday swiping.

Around 90% of compromises are initiated from users’ ignorance of cyber best practices. In most cases, if it feels like a scam, it’s probably a scam. Fellas, no, the Victoria’s Secret model on Tinder did not come across your profile and decide she wants to immediately chat with you on this other website link for you to click on; and ladies, unfortunately no, you did not win the purse shopping spree that this email claims you won, even though you never entered a contest, and which only needs your Social Security number to process your winnings. Instead, if it feels like a scam, or might be too good to be true, consult with an information security expert who can diagnose the contact as legitimate or spam. If you don’t know one, I’m happy to help!

Are Your Firewalls and Antivirus Keeping You Safe

Nearly every day I’m asked if an impressive firewall configuration is enough to prevent malware from entering a company’s environment, or I overhear someone’s overconfidence in their own security architecture. Unfortunately, no matter how many rules you write or ports you close, relying on firewalls as your go-to defense against your organization’s cyber adversaries is a recipe for ransomware!

To answer this question, it is important to first consider the purpose of these security elements in your security architecture and environment. A firewall serves an advantageous and necessary purpose for your organization, and should be managed properly and frequently. However, really understanding the firewall’s purpose will help you to understand your weaknesses. The firewall, whether protecting the network or a single host, has one job: only allow safe traffic in and out, with “safe” defined by your IT team.

This opens up a few problems for an organization and a few opportunities for the bad guys. If your organization doesn’t have a dedicated IT security team, it can be difficult for the network admin alone to focus on current threats and organizational vulnerabilities. Without this constant intelligence gathering, bad guys are going to take advantage of new access techniques and neglected vulnerabilities, which grant them access through the firewall and onto the host system. In addition, you can write as many firewall rules as you want, but any security professional will tell you that your company’s biggest vulnerability is your users, and users who are ignorant of cyber hygiene best practices frequently and unknowingly invite bad guys in, bypassing the firewall.

This gets the bad guy to your host, where the antivirus or host-based IPS is supposed to kick in. Unfortunately again, unless the exploit is old enough that the antivirus companies have had time to write a patch against the threat, and then your team follows good patch management practices and applies the patch to each of your systems, your hosts will not recognize the infection (see the Equifax breach). This puts your entire enterprise at risk, and possibly spreads the infection across the network, because you have no other security measures in place to protect against the most critical exploit: zero-day malware.

A decently talented hacker can find his way through your firewalls and avoid antivirus detection with little effort. However, once on the system, the activity is still detectable, but detecting it requires a much more advanced detection and mitigation system. To catch malicious activity as it happens, in its infancy on the network, every host and operating system in the environment needs active memory sensors looking for activities such as PowerShell commands launched from a Word file, sensors that can cut the transmission and report the activity to a qualified team of engineers who can diagnose the infection and eradicate the exploit. Unfortunately, a team with this skill set is difficult to find and, more importantly, often cost prohibitive.
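The “PowerShell launched from a Word file” pattern above is one of the simplest behavioural detections to express, because it needs only the parent/child relationship of process-creation events rather than a signature for any particular malware. Here is an added example (not SpearTip’s code, and not any product’s rule syntax) that runs such a check over process-creation events supplied as JSON lines. The field names (`image`, `parent_image`, `cmdline`, …), the list of “evasive” command-line flags, and the three sample events are constructed for illustration.

```python
# Added example (not SpearTip's code): a minimal host-side detector for the
# behaviour described above, an Office application spawning a script host.
# It reads process-creation events as JSON lines; the field names and the
# sample events are constructed, not any particular product's schema.
import json
import ntpath

# Parents that should almost never launch an interpreter, and the interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell switches that hide the window or obscure the script; their
# presence in a child of an Office app raises the alert severity.
EVASIVE_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                 "-windowstyle hidden", "-nop")

# Constructed sample log (raw string so the Windows path backslashes survive
# as JSON escapes): a normal document open, a macro-launched PowerShell, and
# a print-spooler helper that Word legitimately spawns.
SAMPLE_LOG = r"""
{"ts":"2017-11-02T09:14:03Z","host":"WS-17","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE invoice.docm"}
{"ts":"2017-11-02T09:14:09Z","host":"WS-17","pid":4188,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"powershell.exe -nop -w hidden -enc <base64-placeholder>"}
{"ts":"2017-11-02T09:14:11Z","host":"WS-17","pid":4201,"image":"C:\\Windows\\splwow64.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"splwow64.exe 8192"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: dict):
    """Return an alert dict if the event matches the rule, otherwise None.

    Only the executable's basename is compared, case-insensitively, so the
    rule is independent of install path and of how the logger cases names.
    """
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("cmdline", "").lower()
    evasive = [flag for flag in EVASIVE_FLAGS if flag in cmd]
    return {
        "ts": event["ts"],
        "host": event["host"],
        "pid": event["pid"],
        "rule": "office-app-spawned-script-host",
        "severity": "high" if evasive else "medium",
        "detail": f"{parent} -> {child}"
                  + (f" with {', '.join(evasive)}" if evasive else ""),
    }


def detect(text: str) -> list:
    """Run the rule over a JSON-lines log and return the alerts, in log order."""
    return [alert for alert in (classify(e) for e in parse_events(text)) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Matching on the parent/child pair rather than on a file hash is what lets this fire on a zero-day document: the payload is new, but a word processor starting a hidden, encoded PowerShell session is the same behaviour every time. The trade-off is tuning; legitimate add-ins occasionally spawn `cmd.exe`, so in practice the medium-severity path feeds a review queue while the high-severity path pages someone.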

If your organization has or hosts clients’ and/or employees’ personally identifiable information (PII), or falls under one of the many heavily governed compliance standards such as HIPAA or Sarbanes-Oxley, you are a constant target, and keeping your information secure is imperative to the success of your company. I encourage each of my Information Officer friends to ask your team, “What is our plan for zero-day risks such as new ransomware, and what is our incident response plan for such an event?” If you get back the same blank stare or shoulder shrug I normally see when I ask teams that question, you’re at risk, and I’d be happy to help!

BrickerBot & Phlashing your IoT

Malware Aims to Brick IoT Devices

Home automation is a growing trend, and as smart technology evolves so does the consumer’s in-home use of it. We have smart devices everywhere: TVs, refrigerators, washers, dryers, even light bulbs, just to name a few items that ultimately comprise the Internet of Things (IoT). However, as we have seen in the headlines this year with Amazon’s Echo, these devices can fall prey to unintended use that could be exploited by hackers, costing you time and, even worse, a hefty hit to the wallet.

Introduction to Phlashing

You may have heard of phishing or vishing at some point in your career or from the network security team at your organization. These two methods are related to social engineering attacks, but phlashing is a relatively new term that has nothing to do with social engineering and everything to do with denial of service (DoS) attacks.

Importance of Secure Cloud Storage For Business

Why Secure Cloud Storage Is A Necessity For Business Information & Customer Data

Implementing secure cloud storage strategies is becoming a necessity. Storage of business information and customer data in the cloud is growing in popularity. The benefits of cloud storage seem to far outweigh the risks, making cloud storage an attractive solution. Among the main advantages are drag-and-drop file transfers, file accessibility from any device, cloud file linking capability, off-site storage for disaster recovery and the relatively inexpensive cost of cloud storage. But, when choosing a cloud storage solution for corporate use, understanding the hidden risks is essential.

Does your corporate cloud storage satisfy the core principles of an effective information security program? Can it ensure the confidentiality, integrity and availability of your business information and customer data? If your organization has implemented, or is planning to implement, Dropbox, AWS, Azure, Office 365 or a similar cloud storage solution, please consider the information below carefully before making your decision.