Tuesday, December 18, 2018

Top 10 Threats to Information Security - Week 4

Last week, I talked about the data breach that happened to Marriott hotel.  A data breach is one of the most critical threats to all organizations.  This threat will never stop, so all businesses and homes need to be well prepared to defend against it.  This week, I am going to expand on the security risk and talk about the top 10 threats to information security.

According to Georgetown University, the top 10 threats to information security are:

1. Technology with Weak Security - This threat comes from new technology and new devices, especially devices with Internet access that have little or weak security protection.  With the fast development of technology, some innovators focus more on new inventions or features but less on security, which leaves security holes in the technology they develop.

2. Social Media Attacks - Social media has boomed in the last decade or so.  According to the latest social media statistics, “81% of the U.S. population has a social media account. That amounts to about 264 million people” (Lincoln, 2018).  With a huge number of people using social media, cybercriminals have exploited social media for attacks, such as the watering hole attack, in which attackers identify and infect a cluster of websites they believe members of the targeted organization will visit.

3. Mobile Malware - According to Statista, "In 2019 the number of mobile phone users is forecast to reach 4.68 billion. The number of mobile phone users in the world is expected to pass the five billion mark by 2019" (Statista, 2018).  With more and more people using mobile devices, I believe that there will be more mobile threats, malware attacks, and more threats/vulnerabilities on mobile devices.

4. Third-party Entry - Many enterprises use third-party software/services for their business.  One reason is that third-party service providers are often highly experienced, certified, and efficient.  Another reason is to save money for the company.  For example, if a company wanted to write its own antivirus software, it would cost a lot more money than just buying one from a third party.  However, third-party software and services have security holes too, and cybercriminals could exploit those security holes to steal confidential data.  For example, "HVAC vendor was the unfortunate contractor whose credentials were stolen and used to steal financial data sets for 70 million customers" (Georgetown University, 2018).

5. Neglecting Proper Configuration - Most security controls come with default settings, and those settings do not fit all businesses.  It is not "one size fits all", so when enterprises use security controls, they need to understand the tools and configure them to best fit the business needs.  Do not use the default security settings.

6. Outdated Security Software - A common mistake behind this threat is when a business uses antivirus software but does not configure it to auto-update the definition files.  Both businesses and homes are facing new threats every day.  Without the latest security software or definition files, both businesses and homes are vulnerable to the current threats.

7. Social Engineering - This threat is very common now: hackers use different techniques based on social interaction and psychological manipulation to gain access to confidential data.  The common techniques that hackers often use are phishing, spear phishing/whaling, pretexting, watering hole, and tailgating.

8. Lack of Encryption - To protect data at rest or in transit, companies should encrypt the data.  For example, all websites, especially websites with online transactions, should use HTTPS.  Sensitive data at rest should also be encrypted.  For example, SSN, date of birth, addresses, banking account numbers, and driving license numbers should all be encrypted.

9. Corporate Data on Personal Devices - This is another common threat since many enterprises have started using the Bring Your Own Device (BYOD) option.  For example, many employees use their personal phones to connect to their work email server to read emails and download work documents to the phone for review.  The same goes for laptops; many employees use their own laptop for work.  One common security problem is that the personal devices don’t have any type of encryption, and if the device gets stolen, people can retrieve and view the information easily.

10.  Inadequate Security Technology – Companies need to invest the right amount of money in security technology.  Security is a trade-off between risk and cost.  Each company has a different type of business.  Spending more or less on IT security depends on each company’s situation.  However, “businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent” (Rubens, 2015).
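One check that supports item 8, as an added example that is not part of the original post: scan exported records for SSNs and payment card numbers that are still stored in plaintext. The sample rows, field names, and the `enc:v1:` token format are constructed assumptions.

```python
import re

# Patterns for two of the field types the post lists as needing encryption.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Show only the last four characters so the report leaks nothing."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_record(record):
    """Return (field, kind, masked_value) for each plaintext hit."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for m in SSN_RE.finditer(value):
            if valid_ssn(*m.groups()):
                findings.append((field, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(value):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((field, "card", mask(digits)))
    return findings


# Constructed sample rows, not real data. Row 1 holds cleartext values;
# row 2 holds an opaque token (hypothetical "enc:v1:" format) instead.
SAMPLE_ROWS = [
    {"id": 1, "name": "Test Guest", "ssn": "123-45-6789",
     "notes": "card on file 4111 1111 1111 1111"},
    {"id": 2, "name": "Test Guest", "ssn": "enc:v1:Zm9vYmFy",
     "notes": "card on file: tokenized"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        for field, kind, shown in scan_record(row):
            print(f"row {row['id']}: plaintext {kind} in '{field}': {shown}")
```

Free-text columns such as notes fields are where cleartext card numbers tend to survive after the dedicated columns have been encrypted, so the scan covers every string field rather than only the named ones.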

These are the things that you need to consider for today's security.  Whether you are at work or at home, those threats can happen to you.  It is good to know the current threats so that you can understand and defend against them.  I have always liked the saying: “Prevention is better than a cure”.  Do you agree with me on this?

Reference:

Cooney, D.  (2018, Jan 22).  5 Social Engineering Threats.  Retrieved from http://www.consultparagon.com/blog/5-social-engineering-threats
Lincoln, J.  (2018).  Powerful Social Media Statistics In 2018.  Retrieved from https://ignitevisibility.com/social-media-statistics/
Georgetown University.  (2018).  Top 10 Threats to Information Security.  Retrieved from https://scsonline.georgetown.edu/programs/masters-technology-management/resources/top-threats-to-information-technology
Rubens, P.  (2015, Apr 1).  Why you should be spending more on security.  Retrieved from https://www.cio.com/article/2904364/security0/why-you-should-be-spending-more-on-security.html


Wednesday, December 12, 2018

Marriott Data Breach

We are living in the age of technology and at the same time, we are facing a variety of threats within the IT or cyberspace environment.  For example, many of us now carry credit cards or debit cards instead of cash to pay for purchases.  According to The Nest, “The Census Bureau estimates 183 million Americans have credit cards. Of those Americans, 104 million have Visa cards, 83 million have MasterCard, 99 million have a store card, 56 million have an oil company card, and 36 million have an American Express card. There are 1.27 billion cards in use” (Skeen, 2018).  For debit cards, according to MarketWatch, “Americans use debit cards twice as much as credit cards” (Lamagna, 2016).  Why are more and more people using credit cards or debit cards nowadays?  I think it is because it is more convenient and more secure.  For example, when traveling, it is much easier to use a card to book a hotel room or make a restaurant reservation.  In most cases, the hotel requires its customers to provide the credit card or debit card information, and the person's name, addresses, and phone number for the reservation.  This request has become a common procedure for hotels when booking a room for guests.  If the hotels have good methods to collect and keep the customers’ information safely, this helps their guests protect their sensitive information.  If the hotels don’t have good methods to collect and keep the customers’ information safely, both the hotels and their customers will run into a serious security problem.

Two weeks ago, there was shocking news about a data breach.  The news broke that Marriott’s Starwood guest reservation database had encountered a data security incident.  The data breach impacted hundreds of millions of guests who made reservations at a Starwood property that runs a number of hotels, including the St. Regis and Westin chains.  The information at risk includes names, phone numbers, mailing addresses, email addresses, passport numbers, birth dates, arrival/departure dates and information, and potentially credit card numbers of the customers.  This data breach was considered “the second largest data security breach in history” (U.S. Gov Connect, 2018).  It was just after two record-setting Yahoo hacks.

Since the data breach exposed information about a large percentage of the world’s travelers, there are concerns “that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives” (Timberg, Telford, 2018).  In recent years, when there are many conflicts among the US, China, Soviet Union, North Korea, and Iran and when something like this happens, it always makes me think the hackers must come from those countries.  For this particular data breach, it was assumed that “Chinese intelligence could have been involved in the data breach that affected 500 million guests who have made reservations with hotels under Marriott's Starwood division” (Chong, 2018).

Private investigators believe China was the culprit of the Marriott data breach because similar tools, techniques, and procedures have been used in earlier cyberattacks that have been linked to Chinese hackers.  In the coming years, I would say these countries, especially China, would cause more data breaches and more cyberattacks, and the targets are mainly companies, government offices, and households in the US.  It’s because President Trump has imposed “tariffs on $200 billion worth of goods and was prepared to tax all imports” (Bradsher, Tankersley, 2018) from China.  The acts that President Trump has done really make China angry and they want different ways to retaliate against President Trump and the US.

China often tried to steal intellectual information from the US.  As you can see, within the last four decades, they have been able to build their own aircraft carrier.  They can build the J-10 fighter that has many of the same features and functions as the F-22 or F-35 stealth fighters of the US.  The US has invested millions of dollars and efforts to build those fighters and it took years to build those aircraft.  How is it possible that China can build the aircraft carrier and the most advanced J-10 fighters in a short time?  Do you think they built them by their own knowledge?  I would not think so.  The tension between the US and China will continue to increase based on the economy and military since China wants to dominate the world and the US does not want that to happen. Therefore, more data breaches and cyberattacks will happen.

Reference:

Wednesday, December 5, 2018

Credible sources of information for threats, vulnerabilities, updates, and security news

We are living in the age of technology and we benefit from many advances in technology that help various aspects of our lives.  For example, in communication, we can talk to and see the faces of people who live halfway around the earth.  We can send a message that can reach anywhere on the globe with just one click.  For education, we can now take online classes that fit the time and schedule of students who are working full-time.  For e-commerce, it saves us time when we shop online.  Amazon is one of the best examples of successful e-commerce.  Technology is good, but many people take advantage of it and use it unlawfully.  That’s why we face different security threats every day.  Following are credible sources of information for threats, vulnerabilities, updates, and security news that organizations and homeowners can use for their protection and prevention.

1.      SANS (SysAdmin, Audit, Network, Security) - https://www.sans.org/ 
SANS not only provides computer security training and certification, but also provides the most current information on threats, vulnerabilities, updates, and security.  Under the Resource menu, it provides newsletters, blogs, critical security controls, and critical vulnerabilities.
2.      MIT Technology Review - https://www.technologyreview.com/ 
MIT Technology Review provides different journals, analyses, reviews, essays, and reports about the current important new technologies.  It also provides cyber threats and vulnerabilities for both businesses and non-businesses to be aware of.  For example, on Jan 2, 2018, MIT Technology Review had an article “Six Cyber Threats to Really Worry About in 2018” written by Martin Giles.  He mentioned six critical cyber threats for the current year, which were data breach, ransomware in the cloud, the weaponization of AI, cyber-physical attacks, mining cryptocurrencies, and hacking elections.
3.      Symantec Security Center - https://www.symantec.com/security-center 
The Threatpost of Symantec Security Center is a publication that provides daily articles, podcasts, and videos on all security. It provides reports on a new vulnerability or threat that may be affecting organizations at large.  The publication is a great daily resource for both organizations and people to learn and understand the current security threats and vulnerabilities.
4.      Kaspersky Lab – https://threatpost.com/
Kaspersky Labs’ Threatpost is a publication that provides daily articles, podcasts, and videos on all things security.  It focuses on the most current threats and attacks.  It is one of the trusted and useful sources for all organizations and employees to read and be aware of the threats and not be exposed to them.
5.      McAfee
McAfee is one of the most well-known antivirus software products.  Besides the best antivirus software that McAfee provides, it also provides current security reports, security training, security awareness, security controls, and all the current threats and vulnerabilities.  Under the Threat Awareness main menu, there is a Resources submenu that provides many articles about current threats, vulnerabilities, ransomware, and threat reports that are beneficial for both businesses and homes.
6.      The National Cybersecurity and Communications Integration Center (NCCIC) - https://www.us-cert.gov
The NCCIC is the Nation’s flagship cyber defense, incident response, and operational integration center.  It provides the most current cybersecurity threats that all businesses or homes should be aware of.  For example, on its homepage, it lists the current security breach of the Marriott International Starwood guest reservation database.  Another critical security threat that NCCIC mentioned was the SamSam ransomware.  Its targets were multiple industries, including some within critical infrastructure in the US.  The main attacks of SamSam were gaining access to victims’ networks, then escalating privileges for administrator rights, dropping malware onto the server, and running an executable file, all without victims’ actions or authorizations.
7.      Paul’s Security Weekly (securityweekly.com)
“Paul’s Security Weekly is an award-winning podcast, webcast, and security publication, publishing a number of weekly shows focused on recent security events, enterprise security, and interviews with professionals in the field” (SecurityScorecard, 2017).  Paul’s Security Weekly provides insight and current security news that might not be covered by other security organizations.
8.      The Security Ledger (securityledger.com)
The Security Ledger is an independent news provider that publishes current news on security on the Internet of Things and on external threats, from malware to cyber-terrorism.  For the last two decades or so, I could see that the world is facing different threats, namely cyber-terrorism.  This threat has increased due to the fact that there are more and more countries
Normally, all the credible sources provide accurate information about the threats and vulnerabilities.  However, if they are found to have provided invalid or conflicting information, I would double check the information with other sources, professors, or friends.  I think I would also write an email to the authors or the credible sources and ask them to verify the information that they posted.  Communication, as I have mentioned earlier, has become fast and easy for everyone.  It is very easy now to reach out to a business or a person.  Exchanging ideas or information takes just a click.
Reference:
McAfee.  (2018).  Threat Landscape Dashboard.  Retrieved from https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard.html
SecurityScorecard.  (2017, May 10).  Top 10 Information Security Websites You Have to Follow.  Retrieved from https://securityscorecard.com/blog/top-10-information-security-websites-to-follow
SANS.  (2018).  Information Security Resources.  Retrieved from https://www.sans.org/security-resources/

Tuesday, November 27, 2018

Current threats in Cybersecurity

Hi,

My name is Hai Pham.  I am a software developer and I have been working in software development for almost 18 years.  Although I have worked in software development, many projects that I worked on relate to security.  Therefore, I am trying to pursue a cybersecurity program to increase my knowledge in IT security.  In the long run, I really want to work in the IT Security field.  Hopefully, once I am done with my Cybersecurity field, I will have a chance to move from software development to the IT Security or Cybersecurity field.

My blog's purpose is to talk about the current information security threats that happen in IT security in general.  It can be a current virus, cyber attack, ransomware attack, phishing attack, spy hardware, etc.  We are constantly facing new security threats every day and it is wise to know about and stay alert to those threats so that we can "Mitigate it, eliminate it, transfer it, or accept it" (Shostack, 2014).

One crazy security threat from last month that really drew my attention was the tiny spy chip.  A report from CNBC mentioned that "the Chinese government snuck a pencil tip–size spy chip into equipment from an Amazon and Apple component supplier" (McKinley, 2018).  The spy chip compromised America’s technology supply chain.  It impacted almost 30 US companies, including two major companies: Apple and Amazon.  We often see software attacks, such as trojans, worms, and viruses, and they are very common.  The spy chip that China created was a hardware attack.  This is not common, and I think this is a more complicated attack.  Hardware attacks are very hard to detect and potentially more devastating.

(BLOOMBERG BUSINESSWEEK, 2018)

According to the Bloomberg BusinessWeek report, the chips were used for gathering intellectual property and trade secrets from US companies.  I am surprised that the problem was found in 2015 by independent security investigators but the chip was not reported to the public until Oct 2018.  The chip is as small as a grain of rice and had been inserted during the manufacturing process of the motherboard.  The main impact was “the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code” (Bloomberg, 2018).


Reference:
McKinley, E.  (2018, Oct 5).  China pencil-tip spy chip’s ultimate market risk: The profits built on big tech’s low-cost global supply chain.  Retrieved from https://www.cnbc.com/2018/10/05/chinas-cyber-spying-keeps-a-lot-of-us-tech-ceos-up-at-night.html

Bloomberg.  (2018, Oct 4).  The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.  Retrieved from https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies