It may seem best to start with a perfect secure network design from the ground up. Take into account all aspects of security and process and the end result could be amazing. Building something from scratch often seems easier than fixing an existing system or process. But if we are limited by our unique circumstances not building new doesn’t mean we should just stay where we are.
Sometimes we can start fresh and create something; learning from our history and tapping into our knowledge garnered over the years. Othertimes, you have to renovate. Both ways have the ability to produce an amazing end result. Secure design can be achieved in any scenario. You just have to start the process.
Starting in October 2015 financial liability for card-present counterfeit losses will shift from issuing banks to merchants if merchants receive EMV-enabled cards but have not yet installed EMV-capable terminals. This is a significant change in how merchants will accept payment and whose liability it is.
If you are not planning on deploying EMV-enabled terminals before then you need to understand this shift. All of the financial burden will now be on you.
If you are planning on deploying these terminals you need to understand the technical requirements to make this switch possible.
2015 will be a significant year in the security space and businesses had better prepare. Get an assessment, get a plan, and get secured.
As soon as I got to the office this morning I read a blog post about Starwood Preferred guests getting their passwords hijacked by scammers. Using a tool found on a known malicious site, the tool attempts to login to Starwood accounts, then transfer the points balance to another Starwood account. The scammers can also sell access to these confirmed Starwood accounts. 70,000 Starwood points sells for $3, for example. They are using these tools on other sites too, this was just one that was mentioned.
The tool uses usernames and passwords stolen from other data breaches. The tool works because many people use the same username and password across multiple sites. Websites usually have our email as a username so they just need the password, they then test against passwords associated with that email address and bullseye, access to your account. This is called Password Reuse and attackers know that most people are predictable.
This post is not meant to send a message saying change your password, or use different passwords for multiple sites, like you always hear on the news after a breach occurs. I think everyone knows that but human nature is to keep things easy. It occurred to me that this password reuse problem is likely more prevalent in sites that we frequent and login to often. Banks, travel rewards, kids’ school sites, Amazon, etc. We like it easy so if we can make things quick and simple we most likely will.
Further, I believe that this problem is being fueled by the rise in Apps on our mobile devices. Having quick and easy access to your bank, Amazon, and stocks on our phones makes things very quick and easy. So the need for a password we can remember is escalated even more. I can buy a book on Amazon while walking around Barnes and Noble with my kids and I can trade stocks while waiting on my drink at Starbucks. Using a password I know easily and can type on the phone quickly makes things even quicker. Password tools such as Last Pass only add to the complexity for many users so they go unused. It requires an extra step most people are not willing to take, so people being people we continue this predictable behavior allowing tools that rely on this password reuse to work. These scammers are counting on one thing, people will be people and people are a creature of habit.
The day will come when scammers will have to answer for their actions. But until then, they will continue to exploit our weaknesses and cause us more stress.
When is the last time you asked your IT provider what security measures have they implemented? How is the data on their network secured? When was their last pen test? What was the result? Why will my business be safe with you?
Being an IT security provider is about more than just having a great pitch and certifications. It is about actually living and practicing what they believe. Ask your providers the tough questions. See what they say and see if they are qualified to give you security advice.
The fear of having an insecure business can be a powerful motivator for some people, for others it leads to inactivity. This is not unlike the fear of taking a test for fear you may not pass. But businesses simply don’t have a choice anymore but to take a deeper look into their security and how their IT departments are handling, or not handling, issues.
I took the last few weeks off of writing for the Christmas season. Just since my last post here is a brief list of the companies with new or possible breaches.
- One Stop Parking
- Microsoft Xbox
- Sony Playstation
- Staples – Breach Expanded
- Pak ‘N Fly
The problem with this list is I only named companies that are household names. Big companies we have all heard of. People in my business do this often. By us naming a company you have heard of when discussing security gives us attention and credibility with our audience. The truth is, this list is nothing more than a drop in the bucket. We never hear about the thousands of other breaches taking place each day in schools, churches, law firms, local banks, doctor offices, convenient stores, parking decks, accounting firms, local government, recreation leagues…
Not getting your network looked at by a third party isn’t saving you any money. It is only delaying the inevitable.
Target and Home Depot weren’t the practice filed, it was the major leagues. Smaller companies is where they perfected their skills. And they packed up and moved before you knew they were there.
What if malware on your network has never been seen before?
Malware writers are getting better and better about creating custom software to steal data from your network. The malware at Home Depot had never been seen before. Therefore, it could not be detected by traditional anti-malware programs. IDS programs would not be able to detect it. In fact the only way you could detect the attacks would have been through reviewing the log data and uncovering the suspicious activity.
Anti-virus, Anti-malware, IPS, and IDS systems rely on known signatures to detect know vulnerabilities, or their variants. They cannot, by design, detect something they don’t know about.
Reviewing logs from all network sources (servers, firewalls, switches, desktops, SAN’s) is the only way to know what is really happening on your network.
I thought this week I would recommend a great new book by Brian Krebs called SPAM Nation. If you ever wanted to know why we deal with SPAM and malware this is the book to read. He goes into the reasons why, who is buying these offers, and what the business model is.