The Internet of Things (IoT) is an idea that could radically alter our relationship with technology. The promise of a world in which all of the electronic devices around us are part of a single, interconnected network was once a thing of science fiction. But IoT has not only entered the world of nonfiction — it’s actually taking the world by storm.

While the possibilities of these new technologies are mind-boggling, they also reveal severe IoT cybersecurity challenges. During the last few years, we’ve seen a dramatic increase in the number and the sophistication of attacks targeting IoT devices.

A Growing Network

IoT devices are no longer a niche market. They have started to move from our workspaces into our (smart) homes, where IoT devices are expected to have the most significant impact on our daily lives. Most smart home devices will be benign, everyday appliances like kettles and toasters. Even if these devices are hacked and compromised, short of ruining your breakfast, there’s not a lot a hacker can do to cause you grief. However, IoT will encompass a significant portion of the electronics around us in a variety of settings. This includes situations involving intruders and could have lethal consequences.

IoT Cybersecurity Challenges

Numerous cybersecurity experts have exposed severe security flaws in IoT architectures. Some have demonstrated how cars can be hijacked and controlled remotely. Perhaps more alarmingly, they’ve shown how medical devices, such as pacemakers, can be switched on and off at will. While this is undoubtedly alarming, what makes it even more shocking is just how little attention people pay to cybersecurity. IoT cybersecurity challenges are plentiful—and those are just the ones we know of.

Researchers who were able to access a multitude of IoT medical devices found that they weren’t password protected. And when they were password protected, many were using default passwords that an experienced attacker with information from the device manufacturer could crack in a few seconds. We can’t afford to have such basic cybersecurity blunders jeopardize the promise of IoT.

Regulate and Standardize Cybersecurity

Consider the difference in the number of security threats that exist for iPhones versus Android phones. Because all iPhone generations run on the same hardware—representing standardization across devices—it’s much easier to secure them from attacks and to implement comprehensive security measures.

If the IoT revolution is going to succeed, we need to have a robust regulatory framework in place to ensure that device manufacturers adhere to minimum, mutually intelligible IoT cybersecurity standards. We should also standardize device-level security protocols to ensure that each network element is part of a general strategy for combatting common threats. We can’t afford to leave any weak, low-level links unguarded.

With new types of cyber-attacks emerging constantly, it’s essential to get ahead of the curve as soon as possible. Every IoT device has a corresponding IP address. Therefore, each small device can have serious implications for global network privacy. An attacker could potentially infiltrate the network and follow a trail of data from any given device to an end-user.

The next few years will be critical for IoT. The entire concept may well rise or fall on the basis of how well we collectively address cybersecurity risks. Connectivity is always a double-edged sword, and most IoT cybersecurity challenges have yet to be overcome. Fortunately, it seems that device manufacturers are being spurred into action.

Imagine you’re a top executive at a company hit by a major crisis within the last 72 hours. First, and most importantly, there may have been serious damage to the community in which you operate. Your customers may have suffered, people’s livelihoods destroyed. The environment may be irretrievably damaged.

What do you do?

The threat is growing

Many incidents inside companies never hit the headlines, but recent evidence suggests that more are turning into full-blown corporate crises.

Why is this a bigger problem now than it has been in the past? First is the growing complexity of products and organizations. A new pickup truck today includes computer controls programmed with more than 150 million lines of computer code, while the average deepwater well is the height of seven Eiffel Towers. Goods travel thousands of miles and move through supply chains that comprise multiple intermediaries and multiple jurisdictions. A second reason for the significance of the problem is a higher level of stakeholder expectations. Customers, often in response to messages on social media, are more willing to sue or shun a company they believe is unethical. Governments are more willing to seek redress from companies they believe are breaking the law, and shareholder activism is on the rise. Third, the changing social contract is driving anxieties and mistrust in institutions, making irreversible knee-jerk reactions more likely. Finally, the raw speed of business operations—from rapid communications to shorter product-development timelines—makes crises more likely.

Understandably, companies spend more time trying to prevent crises than preparing for them. However, crisis readiness has become at least as important as risk management, takeover readiness, and vigilance over safety.

Five parallel paths to resolution

It helps to think of a crisis in terms of “primary threats” (the interrelated legal, technical, operational, and financial challenges that form the core of the crisis) and “secondary threats” (reactions by key stakeholders to primary threats). Ultimately, the organization will not begin its recovery until the primary threats are addressed, but addressing the secondary threats early on will help the organization buy time.

When a crisis hits (or is about to hit), one of the first actions should be to create a cross-functional team to construct a detailed scenario of the main primary and secondary threats, allowing the company to form early judgments about which path the crisis may travel. This helps the organization set out major decisions it needs to make quickly and is the first step toward wresting back control—improving the headlines of tomorrow, rather than merely reacting to the headlines of today.

1) Control the organization

An effective crisis team is central to mounting a satisfactory response. The best crisis organizations are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.

A common error is to choose an external expert as leader of the company’s crisis response. External hires typically struggle to motivate and organize the company in a crisis situation. The right leader usually will be internal, well known, and well regarded by the C-suite; will have served in an operational capacity within the industry; and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought to gain credibility and trust both internally and externally.

2) Stabilize stakeholders

In the first phase of a crisis, it’s rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders while buying time for the legal and technical resolution teams to complete their work.

For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.

3) Resolve the central technical and operational challenges

Many crises have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, therefore, the organization will enter a period of discovery that urgently needs to be completed. Frequently, however, companies underestimate how long the discovery process and its resolution will take.

It’s best, if possible, to avoid overpromising on timelines and instead to allow the technical or operational team to “slow down in order to speed up.” This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.

4) Repair the root causes

The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management, and standards setting), and systems and tools (maintenance procedures). They may span the organization, affecting hundreds or even thousands of frontline leaders, workers, and decision makers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost cutting, attrition of top talent, and strategy reformulation.

For all these reasons and more, repairing the root cause of any crisis is usually a multiyear exercise, sometimes requiring large changes to the fabric of an organization. It’s important to signal seriousness of intent early on, while setting up the large-scale transformation program that may be necessary to restore the company to full health.

5) Restore the organization

Some companies spend years of top-management time on a crisis, only to discover that when they emerge, they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilization. This allows the organization to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalize on them.

In conclusion

Risk prevention remains a critical part of a company’s defense against corporate disaster, but it is no longer enough. The realities of doing business today have become more complex, and the odds of having to confront a crisis are greater than ever. Armed with the lessons of the past, companies can prepare in advance and stand ready to mount a robust response if the worst happens.

US Weapons Systems Vulnerable to Cyber Attacks

Authorized hackers were quickly able to seize control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities, according to a new and eye-opening government review.

The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.

A public version of the study, published last week, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.

But even the declassified review painted a terrifying picture of weaknesses in a range of emerging weapons, from new generations of missiles and aircraft to prototypes of new delivery systems for nuclear weapons.

“In one case, the test team took control of the operators’ terminals,” the report said. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system” — a technique reminiscent of what Russian hackers did to a Ukrainian power grid two years ago.

The Government Accountability Office, the investigative arm of Congress, described “red team” hackers who were pitted against cyberdefenders at the Pentagon. The tested weapons were among a total of 86 weapons systems under development; many were penetrated either through easy-to-crack passwords, or because they had few protections against “insiders” working on elements of the programs.

Sometimes the testing teams toyed with their Pentagon targets. One team “reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

The searing assessment comes after years of warnings about the vulnerabilities of the military systems — some of which the Government Accountability Office said were ignored — and just as President Trump gives American commanders more flexibility to deploy cyberweapons without obtaining presidential approval.

It also suggests that the United States is vulnerable to cyberattacks when it seeks to disable enemy systems.

Nuclear weapons themselves were not included in the report; they are mostly controlled by the Energy Department, which oversees their design and testing. But nuclear weapons have become a focus of increasing scrutiny, both inside and outside the defense establishment.

Last month, the Nuclear Threat Initiative, a group that studies nuclear threats, published a detailed report about the risks that nuclear weapons systems could be subject to cyberattacks. It warned that such attacks “could have catastrophic consequences,” including the risk that weapons could be used in response to “false warnings or miscalculation.”

“The world’s most lethal weapons are vulnerable to stealthy attacks from stealthy enemies — attacks that could have catastrophic consequences,” former Energy Secretary Ernest J. Moniz, former Senator Sam Nunn and former Defense Minister Des Browne of Britain wrote in that report.

“Today, that fact remains the chilling reality,” wrote the three Cold War veterans. “Cyberthreats are expanding and evolving at a breathtaking rate, and governments are not keeping pace. It is essential that the U.S. government and all nuclear-armed states catch up with — indeed, get ahead of and stay ahead of — this threat.”

It can be a scary business that we’re in sometimes, huh?

I think all people can ask for is that we have our very best men and women on the case protecting us at all times. And if your business is looking for that kind of protection, look no further than The 20. Contact us today.

Microsoft re-released its Windows 10 October 2018 Update yesterday, following the company pulling it offline due to data deletion issues over the weekend.

Partner of The 20, and CEO of Cole Informatics, LLC out of Parsons, Tennessee, Terry Cole, made note of these issues on his late last week.

The software giant says there were only a few reports of data loss, at a rate of one one-hundredth of one percent. “We have fully investigated all reports of data loss, identified and fixed all known issues in the update, and conducted internal validation,” says Microsoft’s John Cable, Director of Program Management for Windows Servicing and Delivery.

Microsoft is now re-releasing the Windows 10 October 2018 Update to Windows Insiders, before rolling it out more broadly to consumers. “We will carefully study the results, feedback, and diagnostic data from our Insiders before taking additional steps towards re-releasing more broadly,” explains Cable.

It appears the bug that caused file deletion was related to Windows 10 users who had enabled Known Folder Redirection to redirect folders like desktop, documents, pictures, and screenshots from the default location. Microsoft introduced code in its latest update to delete the empty and duplicate known folders, but it appears they weren’t always empty. Microsoft has developed fixes to address a variety of problems related to these folder moves, and these fixes are now being tested with Windows Insiders.

Speaking of Windows Insiders, Microsoft’s testing community did flag some of these issues ahead of the release. Microsoft appears to acknowledge this as the company is making some changes to the feedback tool for Windows 10 to ensure testers can flag the severity of bug reports. “We have added an ability for users to also provide an indication of impact and severity when filing User Initiated Feedback,” explains Cable. “We expect this will allow us to better monitor the most impactful issues even when feedback volume is low.”

Microsoft will now monitor feedback related to this re-released build of Windows 10 October 2018 Update and will officially launch it to consumers once the company is confident “that there is no further impact” to Windows 10 users. “We are committed to learning from this experience and improving our processes and notification systems to help ensure our customers have a positive experience with our update process,” says Cable.

While we all hope this re-release is a positive one, Microsoft has certainly come under fire for its frequent update process. I made note of this in a blog last month that discussed IT admins who are campaigning hard for Microsoft to slow their roll when it comes to their Windows 10 upgrade schedule.

Approximately 78% of more than 1,100 business professionals charged with servicing Windows for their firms said that Windows 10’s feature upgrades — now released twice annually — should be issued no more than once a year.

So, I stumbled upon an interesting article over Labor Day weekend (do I know how to party OR WHAT?) that warned businesses of the risks that come with letting domain names expire. It’s a side of buying expired domains that most domain investors will never think of: the fact that expired domains, despite not having traffic coming to them, still could have emails with incredibly sensitive information attached. The piece gives a very solid example of domains from law firms that expire after the firm takes part in a merger:

To test just how bad the problem is, [security researcher, Gabor] Szathmari re-registered old domain names for several law firms that had merged, set up an email server, and without hacking anything, he says he received a steady stream of confidential information, including bank correspondence, invoices from other law firms, sensitive legal documents from clients, and updates from LinkedIn (Szathmari is working to return the affected domain names to their original owners).

Well, not too surprisingly, it turns out that some of these expired domains are used for fraud since the new owner could essentially gain access to a large amount of sensitive data.

This got me thinking about whether or not there’s an entire market of expired domain buyers; fraudsters and scammers that aren’t looking to resell the name, but instead are looking to use the domain to gain access to email.

It certainly sounds like that might be the case.

Email holds the keys to the kingdom. All your password resets go through email and abandoning an old domain name makes it easy for attackers to re-register the old domain and get your stuff.

According to the article, it appears that the technique of re-registering old domain names could also be used for collecting money. “By reinstating an online web shop formerly running on an abandoned domain name,” Gabor Szathmari writes, “Bad actors could download the original web pages from archive.org, then take new orders and payments by posing as a fully functioning web shop.”

“If the former web shop had a CRM system or MailChimp running marketing campaigns,” he adds, “criminals could access the list of the former customers by taking over those accounts with an email-based password reset. They could offer them a special discount code to encourage them to submit orders which would never be delivered. The sky is the limit.”

Expiring domain names are published daily by domain name registries in the form of domain name drop lists. It doesn’t take a criminal mastermind to download those lists daily and cross-reference them against news of mergers and acquisitions in the relevant trade pubs, or just re-register any domain name that catches their fancy.

So how long should you hang onto those old domains for?

Better to be safe than sorry in this case. Domain names aren’t expensive, and keeping old domains in your possession is the cheapest cybersecurity insurance policy you’ll ever purchase. I mean, is it really worth it to sell at the expense of fraud? I wouldn’t take that chance.

Szathmari recommends setting up a catch-all email service that redirects all incoming email to a trusted administrator, someone who can review correspondence addressed to former and current staff, and password reset emails for online services.
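
To act on this from the defender's side, here is an added example that is not part of the original post or the article it cites. The script cross-references a registrar export against the recovery addresses of online accounts and flags domains that are about to lapse while password resets still route to them. The CSV columns, the domain names and the 90-day window are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample data (not from the article): a registrar export of
# domains the firm owns, and an export of online accounts with the
# address each service uses for password resets.
DOMAINS_CSV = """domain,expires,auto_renew
oldfirm-legal.example,2024-03-10,no
mergedpartners.example,2024-11-30,yes
currentfirm.example,2026-01-15,yes
promo-2019.example,2024-02-20,no
"""

ACCOUNTS_CSV = """service,recovery_email
bank-portal,accounts@oldfirm-legal.example
linkedin,j.doe@mail.oldfirm-legal.example
mailing-list,marketing@mergedpartners.example
crm,admin@currentfirm.example
"""


def owning_domain(email, owned):
    """Map an address to the owned domain it falls under (subdomains included)."""
    host = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for dom in owned:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def audit(domains_csv, accounts_csv, today, warn_days=90):
    """Return one finding per owned domain, most urgent first."""
    rows = list(csv.DictReader(io.StringIO(domains_csv)))
    owned = [r["domain"].lower() for r in rows]

    # Count accounts whose password-reset mail would go to each domain.
    dependents = Counter()
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        dom = owning_domain(acct["recovery_email"], owned)
        if dom:
            dependents[dom] += 1

    findings = []
    for r in rows:
        dom = r["domain"].lower()
        days_left = (date.fromisoformat(r["expires"]) - today).days
        lapsing = r["auto_renew"].strip().lower() != "yes" and days_left <= warn_days
        if lapsing and dependents[dom]:
            status = "RENEW"      # resets still land here: do not let it drop
        elif lapsing:
            status = "REVIEW"     # no known accounts, but may still receive mail
        else:
            status = "OK"
        findings.append({"domain": dom, "days_left": days_left,
                         "accounts": dependents[dom], "status": status})
    order = {"RENEW": 0, "REVIEW": 1, "OK": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in audit(DOMAINS_CSV, ACCOUNTS_CSV, today=date(2024, 2, 1)):
        print(f"{f['status']:<7}{f['domain']:<26}"
              f"expires in {f['days_left']:>4} days, "
              f"{f['accounts']} account(s) reset via this domain")
```

A domain marked REVIEW has no known dependent accounts, but it can still receive mail from clients and third parties, which is what the catch-all mailbox is meant to surface before anyone decides to drop it.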

Ah, August is here.

And it’s back to school season where both students and parents are making plans for the big return. For some, technology plays a major role.

So here are some quick tips, parents, for using tech as a tool:

*Plan a technology routine. By creating consistent tech-usage habits, such as limiting computer use to a certain amount of time per day, kids will learn how to better manage both their time and school workload.

*Don’t let technology interfere with sleep — this is crucial for learning.

*Introduce websites that could complement learning, like Grammarly for writing help or Khan Academy for online lessons.

*LEAD BY EXAMPLE! If you aren’t always on an electronic device, your kids won’t wanna be either. Remember, they’re sponges.

On a more serious note, in addition to monitoring technology use, the FBI is reminding parents this year to review and monitor how their children use smartphones. Cell phones are a great way for parents to keep in touch with their children, but parents and kids alike need to recognize the risks that come bundled with that device.

From scams to cyber bullies—if your child is old enough to have and carry a phone, then it’s also time to have a conversation with him or her about potential risks.

Here are 10 basic phone/computer tips to help keep your child safe:

*The phone should default to a locked setting. The only people who should have that access code are the child and the parent.

*Parents should know every password to every device and every password to every app on that device. Sure, you want your kids to have some privacy as they grow up, but they are still kids. You pay the bill, and as long as that child is a child, he or she is your responsibility.

*Check those accounts — as well as instant messaging programs and texts — for disturbing content on a regular basis. You and your kids should have a non-negotiable understanding that this access is a requirement for continued phone use.

*Parents should make sure their child is using appropriate screen names. “Babygirl2005” and “sweet16” may sound cute and innocent, but they can be a beacon to predators.

*Check the privacy and security settings on the phone and the apps. Check regularly to make sure they are up-to-date.

*Learn about how photos are geo-tagged. Even if you are discreet about what you post, your photos could be tagged in the meta-data with your child’s exact location. Do you want just anybody to know what school your child goes to or what field his team uses for soccer practice? You should be able to turn this feature off in settings.

*Teach your kids to never respond to calls, texts, or emails from unknown numbers or people. Scam artists and predators will victimize anyone, regardless of age.

*Talk early and often to your child about the dangers that they may find on the other end of the line. If your child is old enough to carry a phone to school, they are old enough to have a frank discussion with you. Be open and responsive. If your child does encounter a bully or other disturbing content, you want them to feel like they can come to you for help.

*Talk to your kids about what constitutes appropriate language and photos. One sexually explicit photo can change a life forever. It is crucial that they understand that just because something starts out as a private communication between two people does not mean that it can’t be shared with thousands of people in mere seconds.

*Teach your children to program the privacy settings on social media feeds to the highest level and to reject any “friend requests” from those they don’t know and trust in a face-to-face relationship. Parents should also consider forbidding any new “friend requests” by their kids, without parent approval.