20th October, 2019 – Purple Post
Author’s Note: In cyber security, ‘prevention’ is the first line of defence, followed closely by ‘detection’ when your defences are penetrated. I propose to re-target this newsletter to explore how you can protect yourself, and your organization, when the inevitable breach does occur. Using the cyber security news of the week, I will try to highlight where the vulnerability was and what was done in response to the incident. And, if possible, how you can prevent it.
I think this would be a more profitable use of your time than just reading the week’s threat intelligence. Please do let me know your thoughts, and whether you would like to see some other kind of content here.
Multi-factor authentication is a basic hygiene practice that goes a long way in making you secure. (If you have not enabled it for your important accounts, please go and do it right now. I will wait!).
SMS-based 2FA is the most common form of MFA. It is also the most easily broken second factor: it is vulnerable to SIM-swap (also called SIM-jacking) attacks, which are quite easy to execute, and a code sent by text can be phished just like a password. It is still sufficient for non-critical accounts and is definitely more secure than a password alone.
If you are a likely target for spear phishing, or if a compromise of your credentials would have a high impact, you are better off with an authenticator-app MFA, such as Google Authenticator, than with SMS. The code is generated on your own device from a shared secret, so there is nothing for a phone carrier to hand over to an attacker. It is not phishing-proof, though: a code typed into a convincing fake login page can be relayed to the real site within the code’s validity window. So you are secure as long as you do not lose the device, allow remote access to it, or enter the code on the wrong site.
A dedicated hardware key offers still greater security, at the cost of a minor sacrifice in convenience. You need the physical key to sign in, and the key’s response is bound to the site you are signing into and to your account, so a challenge captured by a phishing site cannot be replayed against the real one. Even if you lose the key, it does not hold your password, so on its own it will not get anyone into your account. You should, however, remove the lost key from your accounts and register a replacement, and it is wise to enrol a backup key or keep recovery codes from the start so that losing the key does not lock you out. The peace of mind is worth the minor compromise in convenience if the impact of wrongful access is great enough.
If you would like to explore a security key, Google has released a USB-C version of its popular Titan Security Key last week for $49. Do check it out.
And if you need even more security (and are in the Google ecosystem) and do not want to entertain even the possibility of your account being compromised, you could also enrol in the Google Advanced Protection Program. It requires a security key to sign in and blocks most third-party apps from accessing your account data, so it is very hard to break into but deliberately restrictive and not broadly usable outside Google’s own apps and services. You can learn about multi-factor authentication and its ins and outs in this excellent PC World article.
Read on for lessons from this week’s incidents and for the human-interest cyber security stories of the week. And if you need the threat intelligence on high-priority vulnerabilities, it is there too!
– Sridhar Parthasarathy
Learning News this Week
The latest ransomware victim is the global mailing and shipping service Pitney Bowes. The firm itself confirmed that its systems suffered a ransomware attack that disrupted its services.
The average cost of a ransomware attack on a small company is estimated at around $200,000 per incident. The irony is that although ransomware attacks are common, most are neither sophisticated nor insidious. They are preventable, even by a small, non-technical business.
The best defence against this type of attack is regular, well-tested backups. Both aspects, regularity and testing, matter: a backup you have never restored from is an assumption, not a defence, and the backup frequency has to meet your organization’s Recovery Point Objective (RPO), the amount of work, measured in time, you can afford to lose. Keep at least one copy offline or otherwise unreachable from your network, because ransomware that can reach your backups will encrypt them too.
The other point to keep in mind is that since most ransomware enters an organization by email, as an attachment or a link, investing in the security education of your employees pays excellent dividends. Combined with a good backup process, this will help you prevent, or recover from, 90% of ransomware attacks.
You know the epigrams:
– “If you’re not paying for the product, you are the product”,
– “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
– “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”
What all these bon mots fail to tell you is how to erase your digital footprint on the broader internet. It is not always practical to browse in incognito mode, which in any case only keeps history off your own device and does nothing about what the sites you visit record; after all, it is convenient to get recommendations for that playlist tuned just to your tastes!
You need to balance your need for convenience against how much of your information is collected, how much of it is stored, and for how long.
So how do you keep your digital history from being stored all over the internet? First, practice safe browsing:
– Examine a URL before clicking
– Do not install random software from unproven sources
– Install & use a good anti-virus
– Unfriend or disconnect from anyone you do not actually know
– Look critically at the permissions you have granted to apps and services, and revoke the ones you do not need
Read the article from Gear Patrol to find out more.
News You can Use
For most organisations in India (92%), cybersecurity is an executive-level priority. However, heavy workloads and fatigue leave leaders little time to actually look into cyber security threats, according to Cisco’s 2019 Asia Pacific CISO Benchmark Study.
Indie Japanese idol Ena Matsuoka unwittingly ‘gave away’ her location to an obsessed fan, Hibiki Sato. He stalked her using the photos she posted on social media: the 26-year-old used the angle of the light and shadows to approximate where the photos were taken, zoomed in on the singer’s eyes, identified a train station from the reflection in her iris, and then located that station on Google Maps. Anything in the frame of a photo, including reflections, is information you are publishing.
In an ironic twist of fate, BriansClub, a black-market site selling stolen credit cards, was itself hacked, and the data of more than 26 million credit and debit cards was recovered.
KrebsOnSecurity reports that the data, stolen from the site in August, was shared with financial institutions, who were able to identify, monitor and reissue the cards that had been compromised.
Kaspersky has set up honeypots in various geographies to study the nature and pattern of threats against smart devices: small-footprint devices with some processing capability.
They set up around 50 honeypots around the world and observed about 20,000 infected sessions every 15 minutes.
Their conclusion? Read the title of this snippet!