STE WILLIAMS

Mischel Kwon Unplugged

Security Pro File: Kwon talks about her tenure at DOJ and US-CERT, winning a WiFi antenna contest at DEF CON, voice lessons – and her brief stint as an industry ‘float princess.’

She was craving a soda, but each time Mischel Kwon aced a logic problem the Computer Learning Center representatives put in front of her, they fed her yet another test question.

“They gave me more and more problems, and all I wanted was to go get a soda,” Kwon recalls of her 19-year-old self that day at a Northern Virginia suburban shopping mall in the early 1980s. A CLC rep there had stopped her and asked if she wanted to take one of their tests. “I said, sure, I’ll take it,” not knowing what it was, recalls the former federal government cybersecurity executive.  

Kwon never got her Coca-Cola that day at the mall, but her high score on the test won her a full scholarship to attend CLC’s computer training program, where she ended up graduating at the top of her class. She later landed her first job in technology, as an Assembler programmer for retail giant Woodward Lothrop, where she wrote code for the very first automated cash-register system in the Washington, DC, area.

Like most pioneers in the security industry, Kwon, the former director of the US-CERT and former deputy CISO at the US Department of Justice, landed in security by chance. But along the way, she says her work in IT in the pre-security industry days was also unknowingly honing her security skills. She worked on IBM mainframes while at Woodward Lothrop, coding and developing patch management systems for the big iron. “I started at the base of the system and learned everything about it, and the network, too, and that translates to a good understanding of the technology” of security, she says.

“I did security all along the way, and had no idea I was doing security,” Kwon recalls. “I was so wrapped up with IT.”

It’s that epiphany that has helped shape Kwon’s view that one of the biggest missteps in IT history was separating IT and IT security into separate departments and sectors. It was a mistake, she says, to decouple the two worlds. “Melding of IT and the security operations center is absolutely required. We tore them apart with separation of duties years ago,” she says. “But adversaries don’t separate duties.”

Today’s gaps among IT, the SOC, and security teams basically give the bad guys an edge, Kwon explains. “Security should get its data from the SOC and how they protect the network. These days, it’s being based on security controls and compliance, but we need to move to an operational security model.”

Filling those gaps is at the heart of the strategy of the security consulting and SOC managed services security company Kwon launched in 2010, MKACyber. “I was wanting to get back to my tech roots and wanting to make a difference,” she says of her decision to start the firm, where she serves as president and CEO.

Firsts

Born to a Korean father and an American mother from North Carolina, Kwon grew up in a diverse yet traditional household that emphasized education. In the early 1960s when she was born, it was illegal for her parents to be married in North Carolina. The family later moved around the US for her father’s career as a toxicologist.

“As a Korean man, it was never his intention for me to work. I was raised to be a mom and a very traditional woman,” she says. “My mom had other ideas, though. She thought I was going to be a singer.”

Kwon’s parents both were opera singers, and her mom put her in voice lessons mainly to deprogram her native North Carolina accent. “I had a very big southern drawl, and it comes back when I go back to Shelby, North Carolina,” my hometown, she says.

Math was always fun for Kwon. Because she grew up before the age of personal computers, she wasn’t exposed to coding until later. The closest thing she had to a computer growing up was a Nintendo. “We played Pong,” she says. She met her first computer in high school in Fairfax, Va.

After her mainframe stint with the now-defunct Woodward Lothrop, she realized she needed a college degree to further her career. So Kwon applied for and won a Clare Boothe Luce scholarship, and in 2002, she went back to school to get her undergraduate degree in computer science at Marymount University, and then her Master’s Degree in information assurance at George Washington University. At the time she was also a mother of four kids between the ages of 4 and 12. “I was working” then as well as taking classes, she says.

While still a grad student in 2004 doing research on wireless technology and hacking, Kwon got her first real taste of the hacker scene at the DEF CON hacker convention in Las Vegas. She won “Most Innovative” in the WiFi Shootout contest for her handmade antenna made out of a cardboard box. “I read the instructions wrong that you couldn’t use any antenna parts,” she recalls, so she built it from scratch. “I had it engineered to go one mile,” she recalls, and it got close, reaching 0.8 miles.

Her career was refreshed after getting her Masters. “Security was a big open space that I was just curious about, how to break everything, how to hack into everything, and how to protect everything. I had a big love for wireless.”


Kwon’s first big security job was as deputy CISO for the Department of Justice, where she built out the Justice Security Operations Center, after an initial gig as director of wireless security for the agency. While that’s where Kwon first made a big name for herself in security, it was a lesser-known project she worked on there that she says she’s most proud of during her tenure. While performing a penetration test on Motorola’s mobile radio system, she and her team “owned the whole system within a couple of hours,” she recalls.

Motorola then worked, with the help of Kwon’s DOJ team, on re-engineering the radio systems to become secure. “Land mobile radio so strategic for them,” she says, and they continued to work with Kwon after she left DOJ to continue locking down that wireless product. “That was the best work I’ve ever done in the security field,” she says.

During her 18-month gig as director of the US-CERT, where in 2008 she was the first woman named to the post as well as the first director with technical expertise, Kwon got a reality-check about the state of security in the federal government: “I was shocked to find out they [civilian agencies] didn’t know what attacks were about,” she says. “My main mission was to help agencies. There was a large need to educate federal SOCs and give them guidance and information,” she recalls.

So she launched so-called Joint Agency Cyber Knowledge Exchange meetings to help spread the word and educate agencies. “They were so popular that there was not a large enough SCIF area for us to hold a secret-level meeting,” she says.

While head of the US-CERT was one of her favorite jobs, the politics of the newbie DHS began to wear on Kwon. “The job itself was awesome. But DHS was a political nightmare. It was like running down the hall juggling scissors,” Kwon says. “It was a fairly new agency. Mature agencies have decorum, a culture, a way of behaving, sound hiring practices and rules of behavior. DHS was missing all of that.”

That made it a difficult culture for success, causing problems with contracts and “unhealthy behavior,” as Kwon describes it. “It made it difficult to do any work. I didn’t have the patience for that.”

She then returned to the private sector as vice president for public sector security solutions at RSA. Kwon quips that that job ended up as more of a “float princess” role where she was paraded out as a former government cybersecurity executive. “It was an interim gig,” she says of her one year at RSA.

#MeToo

Like many professional women, Kwon has experienced her share of sexual harassment during her career. “No question: Me, too,” she says.

Working long and late hours as a young woman, she says she always “had to worry” about her safety. And there were the questions: Did I get the job because I was a woman? “I hope I got it because I was talented,” she says.

Kwon points out that sexual harassment and discrimination are not just a workplace thing. “It’s our societal norm.”

That’s why Kwon says she created the Cybersecurity Diversity Foundation, which offers scholarship funds and promotes corporate commitments to build a more diverse workforce in the industry.

“Not just because I’m a woman, but also because my last name is Kwon and I’m half-Korean,” she says of her personal experience. “I definitely found myself not being included, not being heard … and being dismissed,” she says.

The good news is that a conversation has begun about implicit biases, she says. “It’s not going to be something we can fix overnight,” though, Kwon notes.


PERSONALITY BYTES

Worst day ever at work: Being fired. I worked for Network Solutions when I was 25 and was fired for “participating in office politics.”

First Hack: Cell-phone hacking. When I went back to school, I did a lot of breaking things. Phones were pretty open [then].

What Kwon’s co-workers don’t know about her that would surprise them: That I’m a softie at heart. They figure it out eventually, but most people think that I’m a hard-ass.

Security must-haves: Up-to-date, non-DOS machine.

Business hours: I usually sleep between 2am and 6am, for a total of four hours a night. The rest of the time is working, either in my career or as Mom.

What keeps Kwon up at night: I’m less worried about adversaries. I’m more worried about system owners and businesses not taking care of their systems – not patching, not wiping [when swapping out old systems], and not looking at their architecture to make sure it’s current for today.

Fun fact: I had a Token Ring network in my house. My father was getting rid of Token Ring at work.

Favorite hangout: My bed at the beach.

Comfort food: Vegan mac and cheese or kimchi and rice.

In her music playlist right now: Beatles, Red Hot Chili Peppers, Rolling Stones, Eagles, Carly Simon, Carole King

Ride: BMW M4 convertible

After Hours: Play with my kids, yoga, play the guitar, spend time at the Outer Banks, NC.

Actress who would play Kwon in film: Catherine Zeta-Jones, specifically from the movie “Zorro” … I wish!

Next career after security: Making biscuits.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/mischel-kwon-unplugged/d/d-id/1330297?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to wear your password on your sleeve, literally

A dress with an electronic display you can control via your smartphone? Trippy.

Clothing made with photoluminescent thread and embedded eye-tracking technology that’s activated by spectators’ gaze? Yes, please!

Smart textiles are getting SMART. This one, aptly named living pod, changes structure through miniature electric motors activated by light sensors that are sewn throughout the garment. It will be giving me nightmares.

But can they be your password?

No, they cannot. Nor can you iron them or throw them in the wash, what with their electronics and power sources.

But that has now changed, thanks to researchers at the University of Washington. Last week, they announced that they’ve manipulated the polarity of magnetized fabric – they used off-the-shelf conductive thread – to create fabrics and fashion accessories that can store digital data or visual information.

As the researchers note, conductive thread is already used to create stuffed animals, clothing or accessories that light up or communicate.

But the UW researchers realized that the thread’s ferromagnetic properties could also be used to store data, or visual information such as letters or numbers, that can be read by a magnetometer: an inexpensive instrument that measures the direction and strength of magnetic fields and is embedded in most smartphones.

Think passcodes to an electronic door lock that can be stored on a patch of conductive fabric sewn to a shirt cuff. That’s one of several projects the researchers undertook, managing to unlock a door by waving the cuff in front of an array of magnetometers like you would a hotel key card.

Using the conductive thread means that such password embedding can be done without on-board electronics or sensors. Shyam Gollakota, an associate professor at UW’s Paul G. Allen School of Computer Science and Engineering:

We are using something that already exists on a smartphone and uses almost no power, so the cost of reading this type of data is negligible.

A report (PDF) on the data-weaving experiment, titled Data Storage and Interaction using Magnetized Fabric, was presented last week in Quebec City at the Association for Computing Machinery’s User Interface Software and Technology Symposium.

The researchers used everyday sewing machines to embroider fabric with the thread, creating patches that could be turned into a neck tie, a belt, a wristband, a necklace, or a strip that can be sewn onto garments.

Then, they rubbed magnets against the fabric to create a pattern of positive and negative polarity that corresponds to the ones and zeros of digital data. There are ways to reverse the polarity of a magnet, but their fabric’s magnetic signal persisted even after machine-washing, drying and ironing at temperatures of up to 320 degrees Fahrenheit.

Just as happens with hotel room keys, the strength of the signal degraded over the course of days – over the course of a week, it weakened by 30% – but the fabric is an easily reprogrammable and remagnetizable data storage medium.

Gollakota:

This is a completely electronic-free design, which means you can iron the smart fabric or put it in the washer and dryer. You can think of the fabric as a hard disk – you’re actually doing this data storage on the clothes you’re wearing.

They also created gloves with the threads embedded into the fingertips, showing that they could use the gloves to swipe, inputting data into a smartphone without taking it out of a pocket. They managed to program six commonly used interactive phone swipe gestures with 90% accuracy.

Next, the team plans to work on developing custom textiles that generate stronger magnetic fields and are capable of storing a higher density of data.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GLoflqMG7lo/

iPhones get a KRACK patch and a Wi-Fi 0-day on the same day

Yesterday, Apple treated its customers to a number of updates across several products, including an update to iOS – bringing it to version 11.1 – that has a number of security fixes for bugs in Siri and Messenger, as well as fixes for arbitrary code execution vulnerabilities in the WebKit web browser engine, and in the kernel.

Anyone with an iPhone 5s, iPad Air or later can apply this update, so if your Wi-Fi-enabled iDevice can update, I encourage you to do so right away.

The big news though, is that also included in this iOS 11.1 update is a fix for the Wi-Fi-related vulnerability known as KRACK, which is available for some – but not all – iOS devices. The CVE that Apple addresses with its fix for KRACK is CVE-2017-13080, one of the several KRACK-related CVEs.

The even bigger news is what Apple didn’t address: an iOS Wi-Fi 0-day (yes, another one) that emerged yesterday from the annual Mobile Pwn2Own hacking competition. Details are scarce but Zero Day Initiative reports that:

Tencent Keen Security Lab gets code execution through a Wi-Fi bug and escalates privileges to persist through a reboot.

Tencent Keen Security Lab earned a cool $110,000 for their trouble while Apple now has just 90 days to fix the problem festering on our iPhones before details are made public.

According to Apple’s official support documentation, the KRACK fix only applies for iPhone 7s, iPad Pro 9.7 (early 2016) and later.

We don’t know why the KRACK patch is only being made available for newer iDevices – it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined that these older versions aren’t vulnerable to KRACK at all.

Either way, if you’re a pre-7 iPhone user, keep your eyes peeled for an update from Apple just in case.

Several MacOS security updates came out at the same time as the iOS update, including patches for the KRACK Wi-Fi-related vulnerability, a TLS 1.0 vulnerability, several memory access and arbitrary code execution vulnerabilities, kernel-level vulnerabilities, as well as fixes related to at least 90 (yes, ninety) CVEs for tcpdump issues.

Users of El Capitan (macOS 10.11.6) and Sierra (10.12.6) should install the latest operating system security updates – 2017-004 for El Capitan, 2017-001 for Sierra. High Sierra (10.13) users should update to version 10.13.1 to receive these fixes. (Sorry, Yosemite users: the latest security update for you, 2017-003, was back in July!)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uHHOdsohg24/

US says it’s identified six Ruski officials as DNC hack suspects

The US government has identified “more than six members of the Russian government” involved in hacking the Democratic National Committee’s computers and leaking information during last year’s presidential election.

The Wall Street Journal reports that Justice Department officials are in the early stages of deciding whether to bring charges in the high-profile case. “Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year,” unnamed sources told the paper.

Publicly released forensics work by incident response firm Mandiant has identified tools and techniques used in the hack associated with the APT28/Fancy Bear group, otherwise identified as a unit of Russian Military Intelligence (the GRU).

The allegation, strongly denied by the Kremlin, is that Russian spooks ran a campaign aimed at influencing the presidential election. US intelligence agencies are unanimous on that point but not so clear cut as to whether the campaign was aimed at getting Donald Trump elected or just weakening the authority of runaway favourite Hillary Clinton.

Emails and other data harvested from the Democrat campaign, as well as the emails of Clinton campaign chairman John Podesta, were released through Wikileaks and other outlets.

The WSJ adds that the case might be compared to the decision back in March to charge two Russian operatives and two other suspects with the Yahoo! hack.

Compiling a dossier on DNC hack suspects is running separately from special counsel Robert Mueller’s investigation into alleged Russian interference in the 2016 election. The latter probe is actively examining allegations of possible collusion between Trump campaign officials and Moscow. President Trump has repeatedly denied any impropriety in his campaign, accusations he has angrily and repeatedly dismissed as fake news and an attempt by the Democrats to avoid accepting responsibility for a losing campaign.

Earlier this week money-laundering and tax-avoidance charges were unsealed against former Trump campaign chairman Paul Manafort and his associate Richard Gates. Both deny any wrongdoing.

George Papadopoulos, a former foreign policy advisor to the Trump campaign, pleaded guilty to deceiving FBI agents about meeting with Russian lawyers and other alleged Kremlin intermediaries during last year’s fractious campaign.

Charges against Russian officials in the more technically slanted FBI investigation, which began before the Mueller probe, are unlikely to lead to arrests. The US strategy of naming suspects in high-profile hacking cases is more an act of diplomatic pressure.

Five Chinese military officers were publicly named back in 2014 over allegations that they systematically hacked the computers of US tech firms and others in order to steal intellectual property and trade secrets. The Chinese government denies the allegation and none of the five have actually been arrested.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/02/dnc_hack_probe_update/


10 Mistakes End Users Make That Drive Security Managers Crazy

Here’s a list of common, inadvertent missteps end users make that can expose company data.


There’s so much news about major hacks from nation-states such as Russia, North Korea, Iran, and various criminal gangs in Eastern Europe.

But what’s less understood is that an important percentage of breaches stem from insiders. Forrester Research found that nearly 40% of all data breaches are caused by insiders. And of those insider breaches, 26% are caused by abuse or malicious intent by insiders, and 56% are caused by inadvertent misuse or sheer accidents by employees.

“Data is too often mishandled by employees,” says Merritt Maxim, a principal analyst at Forrester Research who serves security and risk professionals. “A good tip for companies is to take more time classifying their data. If people understand what the organization considers sensitive, there’s less of a chance that it will be mishandled.”

Based on interviews with Forrester’s Maxim and IDC’s Frank Dickson and Robert Westervelt, we pinpointed 10 common ways employees mishandle – and inadvertently breach – an organization’s security.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/endpoint/10-mistakes-end-users-make-that-drive-security-managers-crazy------/d/d-id/1330305?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US May Charge Russian Officials in DNC Hacking Case

An ongoing investigation into the DNC hack has surfaced the names of six Russian government officials.

US prosecutors may bring charges against Russian officials for their involvement in hacking computers belonging to the Democratic National Committee, and stealing information that was publicly leaked during the 2016 presidential election, the Wall Street Journal reports.

Sources close to the matter say the Justice Department has found more than six Russian government members were involved in the breach. While discussions are still ongoing, evidence has been gathered to charge the officials, and prosecutors could bring a case in 2018.

US agencies have already pointed to Russian intelligence services as responsible for the hack, which compromised thousands of DNC emails, emails from the personal account of Hillary Clinton’s campaign chairman, John Podesta, and other sensitive data.

So far, there have been no details on how US intelligence concluded Russian officials were involved. If prosecutors pursue this case, it would provide insight and clarity on the people they believe were responsible for the hack.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/us-may-charge-russian-officials-in-dnc-hacking-case/d/d-id/1330311?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

iPhone X Face ID a Facial Biometrics Catalyst?

According to Bitglass’s BYOD and Identity report released today – a survey of more than 200 IT and security professionals – 60% have reservations about Apple’s Face ID. Top concerns among 40% of respondents include the accuracy of face detection, while 30% worry about its ability to prevent unauthorized access.

“Even though it works similar as Touch ID, everyone has concerns with the new technology,” says Salim Hafid, Bitglass project manager. “I expect organizations that allow Touch ID will allow Face ID, but there will be a wait-and-see approach for a lot of organizations.”

In addition to the Bitglass survey, other infosec experts in a Wired post recently questioned the security of Face ID. In September, Apple issued a whitepaper on its Face ID technology.

But a majority of end-users, or employees, expect Face ID to be effective for multifactor authentication of users. According to a Secret Double Octopus survey of 522 employees at midsized- to large enterprises, 81% of respondents expect Face ID to be trustworthy in its accuracy in facial recognition.

“We were extremely surprised by these results, since no users have yet tried the iPhone X and used Face ID,” says Amit Rahav, vice president of marketing for Secret Double Octopus.

However, 73% of survey respondents say they would prefer the facial recognition feature over passwords in a work environment. That result is comparable to the 70% of respondents who say Face ID will be “extremely or very trustworthy,” according to the survey.

Although Face ID may be viewed as viable for multifactor authentication, the National Institute of Standards and Technology (NIST) in its digital identity guidelines issued earlier this year noted biometrics, in general, should not be used for single authentication. “Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for digital authentication — but they do have their place in the authentication of digital identities,” the NIST guidelines said.

Mark Clifton, CEO of Princeton Identity, says some efforts are currently underway for incorporating facial recognition in an enterprise environment. “If you look at the past, Apple’s Touch ID was a big boom for the biometrics industry,” Clifton says. “You see a lot of enterprises and DHS [Department of Homeland Security] doing trials with facial recognition in airports, and of this nature.”

Currently, fingerprints are the most popular form of biometric two-factor authentication, but facial recognition is growing fast, followed by iris-recognition, Clifton says. “These modalities will all move forward as consumers come forward and use them.”

Ant Allan, a Gartner analyst, says he’s skeptical of Face ID’s impact on the use of biometrics for multifactor authentication in enterprises.

“I can say that the bottom line is, [Face ID] makes little difference from Touch ID,” Allan says. “Whatever its inherent superiority, the lowest common denominator is still the device passcode, which remains as a way of unlocking your iPhone.”

That said, however, Clifton says he has seen a change in the past year in the number of mobile users who rely on phone biometrics.

“At a conference I attended a year ago, there were 500 attendees, and when asked how many used the biometrics on their phone, maybe 30% to 40% raised their hand,” Clifton recalls. “Now, at the same conference a couple weeks ago when asked the same question, 100% said they used it. I think phones have definitely been a catalyst.”


Article source: https://www.darkreading.com/mobile/iphone-x-face-id-a-facial-biometrics-catalyst/d/d-id/1330306?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Social Engineer Spills Tricks of the Trade

A social engineer points out gaping holes in businesses’ human security and shares lessons learned from years of phishing research.

Imagine this: A bank’s vice president is at work on a day when he knows a penetration test is scheduled. The phone rings. He’s expecting a call, so he picks up. It’s someone who claims they’re calling to fix his email. The VP proceeds to share sensitive company data over the phone, information an attacker could use to target his bank and other businesses as well.

The scenario comes from a real penetration test conducted by PeopleSec founder Joshua Crumbaugh, who says it “highlights a massive problem that happens on a daily basis.” He will present a recording of the call, lessons learned, and best practices from years of social engineering research, during his Black Hat Europe session “How to Rob a Bank Over the Phone — Lessons Learned and Real Audio from an Actual Social Engineering Engagement.”

There should have been “no way” that someone who knew about a penetration test, on a specific day, fell for a phishing attack, he says. It still happened, partly because Crumbaugh did his homework to establish a “pretext” for the conversation: a reason for calling, a background story to make himself seem credible and helpful to the target.

“Any social engineering engagement is only as effective as the data you have,” he says.

Crumbaugh researched the bank and learned it used a small ISP for its email. The ISP had several users complaining about terrible service, lost messages, etc. Understanding this was an issue, he pretended to be a representative from the ISP when he called the bank. Because the VP believed he was calling to address email problems, he was willing to share any data to help.

“You can never underestimate a human’s blindness when it comes to getting what they want,” Crumbaugh points out. In this case, the target so badly wanted to fix the issue that he provided several pieces of sensitive information, including the bank’s antivirus provider and managed services provider.

“Understanding these things from the outside makes it easy to bypass them once you get on the inside,” he explains. “As soon as you know what controls they have in place, you know how to bypass it.”

Crumbaugh has spent several years investigating social engineering tactics, and the past three focusing on phishing, to build out HumanSAMM: a project aimed at creating a framework for human security concerns. A career in red teaming and penetration testing taught him human security is the “one flaw in every single organization” that has security leaders stumped.

“As much fun as it was to be able to walk around their security controls and get this level of access, it shed light on the fact there’s a massive problem here that no one seems to have any way of fixing,” he explains.

Years of research have led Crumbaugh to several best practices and a handful of surprises. For one, sales departments are typically most vulnerable: Employees are 400% more likely to click a phishing link than those in other departments, and not always because they’re chasing leads.

“In general, they just click more on everything,” he says. “Something about sales just makes them chronic clickers.” Surprisingly, developers are the second-most-likely group to click into phishing attacks, which is risky since most have escalated rights on the network.

Businesses can lessen their risk with security awareness training programs, Crumbaugh says, but they need to be smart about it. One of the big problems is that many of these programs are “one size fits all” and train low-risk and high-risk employees in the same way.

“You can be the most secure user in the organization, sitting next to the least secure user in the organization, and you get the same amount of training,” he explains. He recommends customized training, down to the individual user. If you don’t have the technology for this, he advises creating lists of “risky” and “secure” users, and building programs for each category.

Another big mistake is failing to use metrics to learn who is falling for attacks and why. Most companies are very linear, Crumbaugh explains. They want to know whether someone clicked a bad link but don’t look at the type of phish they fall for. These more detailed metrics could help businesses customize training by department and ultimately get better results.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/social-engineer-spills-tricks-of-the-trade-/d/d-id/1330315?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mr. Robot eps3.3_metadata.par2 – the security review

This is going to be a brief review, folks, as Mr. Robot is diving in the deep end with the psychological intrigue and going much easier on the technological angle, at least for now.

But first, a warning…

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

The thing about metadata…

A throwaway line from Elliot’s metadata monologue caught my attention. He mentioned that metadata from photos posted on Facebook and Instagram can reveal a lot more about the photo taker than they realize. He utters this line just after he picks through the trash outside Darlene’s FBI-furnished apartment – likely looking for clues about who else might be living there, as we’re unsure if he even realizes this is also the FBI hideout. However, he soon discovers that Darlene and the FBI didn’t cover their tracks well enough from their hacks against him. He was easily able to figure out where they were and – putting the pieces together – what they were trying to do to him thanks to metadata he found.

Elliot’s comment about social media and metadata won’t surprise anyone who’s concerned about their privacy online. Indeed, he’s right that many, if not most, social media users don’t realize exactly how much information about themselves they’re freely and publicly offering, and how much that information can assist someone with a little bit of social engineering experience and some malicious intent. What’s more, plain old camera EXIF metadata can also give away a great deal more than photo snappers might realize (and even cybersecurity experts can forget this now and again).

We often remind Naked Security readers to lock down social media accounts to maximum privacy levels, disable location-based posting, and remember that what you post online is out there forever. Since this likely isn’t news to anyone reading this review, use Elliot’s line about social media metadata as a reminder to check the privacy settings on your own social media accounts or those of any friends or family who might not be as tech-savvy. (Or any friends you have who might work for the FBI in Mr. Robot, as apparently they could also use a reminder.)
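To make the EXIF point concrete, here is an added example (not part of the original review) that parses the GPS IFD of an Exif/TIFF blob into decimal coordinates and scrubs it in place before a photo is published. The blob, its byte layout and the coordinates are constructed for the demo; real cameras wrap this structure inside a JPEG APP1 segment, which the example does not handle.

```python
import struct
# Constructed sample (not from the show or any real camera): a minimal little-endian Exif/TIFF
# blob holding only a GPS IFD. Standard tags: 0x8825 GPSInfo pointer; GPS 1-4 = lat ref, lat, lon ref, lon.
GPS_IFD_PTR, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4

def build_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """TIFF header + IFD0 (one GPSInfo entry) + GPS IFD (four entries) + rational data."""
    gps_off, data_off = 26, 80  # header 8 + IFD0 18 = 26; 26 + GPS IFD 54 = 80
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_PTR, 4, 1, gps_off, 0)  # count, entry, next=0
    rat = lambda dms: b"".join(struct.pack("<II", round(v * 100), 100) for v in dms)
    gifd = struct.pack("<H", 4) + b"".join((
        struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref.encode()),  # ASCII "N"/"S", stored inline
        struct.pack("<HHII", LAT, 5, 3, data_off),                # 3 RATIONALs, stored out of line
        struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref.encode()),  # ASCII "E"/"W"
        struct.pack("<HHII", LON, 5, 3, data_off + 24))) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + gifd + rat(lat_dms) + rat(lon_dms)

def read_ifd(buf, off, e):
    """Map tag -> (type, count, raw 4-byte value-or-offset) for the IFD at off."""
    n = struct.unpack_from(e + "H", buf, off)[0]
    rows = (struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i) for i in range(n))
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in rows}

def find_gps_ifd(exif):  # -> (endianness, GPS IFD offset or None, GPS entries or {})
    e = "<" if exif[:2] == b"II" else ">"  # byte-order mark: II little-endian, MM big-endian
    ifd0 = read_ifd(exif, struct.unpack_from(e + "I", exif, 4)[0], e)
    off = struct.unpack_from(e + "I", ifd0[GPS_IFD_PTR][2])[0] if GPS_IFD_PTR in ifd0 else None
    return e, off, read_ifd(exif, off, e) if off is not None else {}

def extract_gps(exif):
    """(lat, lon) in signed decimal degrees, or None when no fix is stored."""
    e, _, gps = find_gps_ifd(exif)
    if LAT not in gps or LON not in gps:
        return None
    def coord(tag, ref_tag, neg_ref):
        off = struct.unpack_from(e + "I", gps[tag][2])[0]
        d, m, s = (a / b for a, b in struct.iter_unpack(e + "II", exif[off:off + 24]))
        return (d + m / 60 + s / 3600) * (-1 if gps[ref_tag][2][:1] == neg_ref else 1)
    return coord(LAT, LAT_REF, b"S"), coord(LON, LON_REF, b"W")

def strip_gps(exif):
    """Scrub before publishing: wipe the out-of-line coordinates and empty the GPS IFD."""
    out, (e, gps_off, gps) = bytearray(exif), find_gps_ifd(exif)
    for typ, cnt, raw in gps.values():
        if typ == 5:  # RATIONAL: 8 bytes per value, located at the offset held in raw
            off = struct.unpack_from(e + "I", raw)[0]
            out[off:off + 8 * cnt] = bytes(8 * cnt)
    if gps_off is not None:
        struct.pack_into(e + "H", out, gps_off, 0)  # entry count 0: nothing left to read
    return bytes(out)
```

Running `extract_gps` on your own exported photos before posting is the check; a non-`None` result means the file still carries a location.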

Other notes

  • Dom revealed that, as suspected, the FBI did actually get phished by Elliot’s email in last week’s episode. Color me gobsmacked: I apparently gave them too much credit last week, thinking SURELY the FBI wouldn’t make such a basic mistake. But yes, really, they did. The FBI agent didn’t even check the link in the email in a VM?
  • We see a little not-so-subtle social engineering going on in the bar as Darlene gets some information out of Dom over drinks. It seemed that Dom was being a bit too easily socially engineered, but in the end she’s as human as anyone else. Still, you’d think an FBI agent might be a bit more on guard… so perhaps Darlene wasn’t as successful as she thought.

Still, overall not a great look for the FBI in Mr. Robot. They got phished and socially engineered in one episode. I think they might be overdue for some security basics training, don’t you?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/veI-rxbRA_g/