Most IT Professionals Put Work Before Their Families and Take the Blame When Things Go Wrong

IT professionals are the unsung heroes of modern organizations – putting work before family commitments and taking the blame when things go wrong, according to new research conducted by AlienVault™.

The research, which surveyed more than 600 IT professionals about how they are treated at work, found that almost two-thirds (63%) have missed a wedding, funeral or similarly important family occasion in order to resolve a work issue. The vast majority of respondents (91%) have also come into work when they were sick to ensure that a project does not fail.

In addition, when it comes to their own careers, most will set aside personal ambition for the good of their organization as a whole. A majority of respondents (57%) said that they have taken the blame for another department or colleague’s failure if it was for the benefit of the company.

Yet despite the obvious challenges faced by IT professionals, many of them still love their jobs. The largest group of respondents (36%) reported being happy or very happy at work, while 32% felt unhappy and 31% were neutral.

Javvad Malik, Security Advocate at AlienVault, explained: “IT guys are the unsung heroes of many organizations. Often working in isolation, they are largely considered to be supporting players in many workplaces – yet the responsibility being placed on them is huge. In the event of a cyber attack, network issue, or outage, they will drop everything to fix a problem, even forsaking important personal commitments. But despite coping with the challenges of what is now a 24-hour-a-day career, many still love their jobs and are motivated to continue by a deep sense of job satisfaction.”

How are you treated at work? IT professionals respond in their own words:

“People call me Jesus because I have long hair and save them from IT issues.”
“We are treated like wizards”
“Everybody loves me”
“I am seen like a god and treated incredibly well”
“I am a hero or villain, sometimes both at the same time.”
“I’m either ‘Mr fix It’ or ‘he’s the one that broke it’”
“My boss always blames me when something breaks.”

The research also revealed the extent to which IT professionals work in isolation, and this poses a potential threat to their organizations. Having technical skills and responsibilities which are not always understood by their bosses means that IT professionals often work unsupervised and may not always report problems when they occur.

Respondents were asked how their bosses respond when they make a mistake at work. Nearly two thirds (61%) said that their boss would only notice if the internet goes down or users start complaining. Twelve per cent thought that their boss wouldn’t realize or understand, while over a quarter (27%) said that their boss notices immediately and gets them to fix the problem.

In addition, a mere 8% said that they would ask their boss for help if they made a mistake at work. A fifth (21%) seek advice from their colleagues, a quarter from online IT support group Spiceworks (23%) – while the largest group (37%) said that they would search Google for the answers.

Javvad Malik continued: “IT professionals need to be self-sufficient. With such specialist knowledge, those working in smaller teams can find themselves with no one to turn to for help. This can make the job more stressful for those involved, and is also a potential risk for organizational security, given the scale of responsibility placed upon IT staff. Fortunately there are ample online resources available to help, such as AlienVault’s Open Threat Exchange, where users share information and collaborate on potential cyber security threats. Harnessing the power of the crowd can help even a one-man IT team feel as though they have a group of experts at their fingertips.”

First launched in 2012 as one of the first crowd-sourced threat-sharing systems in the industry, AlienVault’s Open Threat Exchange (OTX) now has more than 26,000 participants in over 140 countries that contribute to more than one million threat indicators daily.



The Office of Personnel Management officially notifies potential breach victims – expert comment

Brian Krebs reported yesterday that the Office of Personnel Management has sent out more than 17 million letters to victims of the second massive data breach. OPM officially opened the verification centre on 1st December, specifically for those former and current federal employees and their families who haven’t received letters, but think they may have been impacted, and for those people who have received letters but their personal identification number (PIN) isn’t working or has been lost.

But a senior OPM official is asking them to wait at least another week to 10 days until OPM finishes sending out letters to about 93 percent of the estimated 21.5 million former and current federal employees and their families. OPM says the site will be available through the end of December 2018.

Commenting on this, Ryan Wilk, director at NuData Security, told @DFMag:

“With many US citizens being notified this week that their fingerprints, background checks, Social Security numbers and other sensitive information were jeopardised, it has once again thrown the OPM hack from earlier this year back into the spotlight. With breaches such as this being a near weekly occurrence, it is clear that organisations can no longer depend on a single security layered system, and instead should be more proactively looking at multi-layered systems that involve the use of user behaviour analytics.

It is no longer enough to rely solely on the data. Many hackers are looking for a quick pay day by stealing data and then selling it on the dark web. But data isn’t always taken for financial reasons; it can also be used for blackmail purposes, or to target governments, as seen here in the OPM breach. Our world today is 100% integrated into technology, and a lot of damage can be done with the right login. To fight this trend, companies need an enhanced method to protect themselves and their valued data. By focusing more on passive biometrics organisations can establish how legitimate account holders actually act, and through that be more secure in the knowledge that it is their real user accessing the account – whether it be for e-commerce sites, or higher risk areas such as OPM. It is only once this is established that companies will no longer have to rely only on login credentials that can easily be spoofed or stolen.”



Malware found that Hides a Command & Control Server on Dropbox – expert comment

FireEye has discovered a Chinese state-sponsored attack by admin@338 in which they were able to hide a Command and Control Server on Dropbox. admin@338 is a group that uses emails that contain booby-trapped Word documents. The documents use current anti-Chinese and pro-democracy topics to lure victims into opening the email attachment. The Word file is weaponized with the CVE-2012-0158 Microsoft Office vulnerability, allowing attackers to install malware named LOWBALL on the victim’s PC. LOWBALL is a powerful backdoor, capable of stealing local data and uploading it to a remote server, but also of downloading new files and executing shell commands.

Craig Young, Cybersecurity Researcher for Tripwire, says: “This is not a threat toward Dropbox users, but rather the attackers are relying on Dropbox to help stay under the radar. Many security departments would recognize command and control traffic because the communication is to unexpected places on the Internet but since Dropbox is so prevalent and communication is encrypted, it is impossible to distinguish the sessions from real Dropbox usage. The idea here is not new and in fact we have learned of various other malware campaigns leveraging cloud services including one that uses the attacker’s GMail account as a private channel for controlling infected systems.

Proper vulnerability management and endpoint security controls along with user education on phishing are the best techniques to protect against this campaign. The fact that the attackers are successfully using a vulnerability from 2012 is a testament to the fact that the victims are not using up to date software.”



A third of UK finance organisations risk customer data and insider trading by failing to provide and secure unique employee logins

Customers’ personal and financial data is being put at risk as many industry personnel are not assigned unique login and password details, new research has revealed. The ‘Financial services: access security compliance’ report by IS Decisions, security software provider, showed that 37% of finance personnel do not have unique user logins – a basic security requirement for enabling user identification – which also leaves financial organisations open to the threat of insider trading. Furthermore, 26% are not required to log on to their employer’s network at all in order to access data, despite it being a specific requirement of virtually all regulations around security, from the FCA to GLBA, SOX and PCI DSS.

The figures also showed that half (51%) of financial industry personnel did not receive training as part of their induction even though the FCA’s Financial crime: a guide for firms recommends that new employees should have access to training on financial crime risks. In addition to this, despite clear guidance from compliance requirements in the UK, only 37% of organisations provide ongoing training sessions to meet an acceptable level of security education.

The ability to log in to more than one machine at any one time can also be a security risk in terms of tracking access and individual user identification, so it was alarming to note that 76% of finance personnel are able to log in to multiple machines concurrently. In the event of a breach occurring, only 34% would know how to report it and an even lower 27% were aware of the penalties their company would impose for stealing or leaking sensitive data.

The study also showed that only 48% of organisations do not immediately revoke access rights when employees leave, leaving a window of opportunity for an ex-employee to steal sensitive information.

François Amigorena, CEO of IS Decisions, commented, “Data, including card and customer information, is the lifeblood of any financial organisation. Security is the very reason we trust banks with our finances, while data access and ability to identify users is also key to combatting insider trading. As such, sensitive information should be restricted to only those who need it in order to minimise any risk of a breach or possible misuse. Identifying and implementing access control policies are requirements of the financial regulators, but it seems many UK financial organisations are not compliant with these security basics.”



Wetherspoons hackers steal personal data of 656,000 British Customers

Reports are slowly starting to appear regarding a breach at Wetherspoons, one of the UK’s largest pub chains. The site’s customer database – which includes names, dates of birth, email, addresses and phone numbers of 656,000 Britons – was breached in June. But Wetherspoons officials were only told about the hack by security experts earlier this week. The cyber criminals also stole credit card and debit card data from pub-goers who bought vouchers from the JD Wetherspoon website.

Andy Heather, VP EMEA at HPE Security – Data Security, provided @DFMag with the following commentary:

“When it comes to your data, remember it’s not a matter of “if” it will be compromised – it’s a matter of “when”. Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is collecting, using, and storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself will be the primary focus of the attack. It is important that businesses follow best practices of encrypting all sensitive personal and financial data as it enters a system, at rest, in use and in motion. The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure consumer data remains secure. It is critical to note that this protection needs to include all potentially sensitive information such as customer’s name and address, and not just financial-related data. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this information. A data-centric strategy delivers and maintains protection on the data itself, so that even when a traditional security technology (one protecting the container) fails, the underlying data itself is still protected, and can remain protected wherever that data enters, wherever it moves and however it is used.”

Gavin Millard, chief technical officer (EMEA) at Tenable Network Security offered @DFMag the following insight:

“Whilst the loss of 100 credit card details will be a concern of those affected, more cards will be misplaced this weekend through over indulgence of beer than the breach. What is of concern though is the loss of 650,000 customer details and the time between the data being exfiltrated to when the issues were discovered. Organisations who collect data from customers on their website should ensure that the code deployed is designed with security in mind, auditing continuously for easily exploitable flaws and indicators of misuse.

“Hopefully the company understands the importance of communicating clearly and accurately about how customers could be affected by such a breach and their spokespeople will be briefed by security experts before commenting about the technical details of the protections in place or attack methodology.”