Getting Personal


The impact of cybercrime on executive leadership.

Executive Risk Whitepaper

Corporate leaders and directors are often the targets of cyber crime. Sometimes they are just collateral damage. In either case, it can be costly and career ending.

Contents

[2] Executive Summary
[3] Take it from the Top
[6] A Broken Circle of Trust
[7] Accidents Happen
[8] Sent Packing
[9] Spare Me
[10] Conclusion

© 2017 4iQ, Inc. All rights reserved.

Executive Summary

When it comes to cyber threats, the C-suite and board room have a lot to worry about. What would a breach do to our company's reputation? What could happen to our stock price? What if our intellectual property is stolen? How could the cost of a breach affect our financials? Or our viability as a company?

These are all important questions, and smart companies consider how to answer them before an incident occurs. But there is one question that few executives think to ask until it's too late:

What if I am the source of the breach?

When a CEO's account is breached, it can trigger an earthquake for the entire enterprise. Aftershocks often include phishing scams, exfiltrated intellectual property, exposed stolen customer lists, and countless other incidents that cause severe financial and reputational damage.

4iQ's unique, outside-in approach can keep you and your company safe. We scour the full attack surface to uncover lost, leaked or stolen credentials and data.

Take it from the Top

Increasingly, cyber criminals are targeting company leadership to gain access to networks, information, notoriety and money. Nobody is safe. Consider just a few of the executives and high-profile people who have been hacked recently:

Exposed Executives and Celebrities

Alf Goransson, former CEO (Identity Theft): A stolen identity was used for a false loan application in March 2017. No legal action was taken until the District Court declared him bankrupt in July.

Bo Shen, founder of Fenbushi Capital (Social Engineering): Bo, an early investor in the digital currencies Ethereum and Augur, was considered a "whale." Hackers stole and dumped his REP and ETH, which then caused trading prices to plummet.

Amy Pascal, Sony Pictures (Email Hijack): Hackers leaked Pascal's embarrassing company emails, which damaged her reputation, caused a PR disaster for the company and ultimately forced her to resign.

CFO and Head of Investor Relations (Insider Hacking): A former IT technician stole the passwords of executives, remotely accessed their electronic devices and mined confidential information to make "highly profitable" stock trades.

Sundar Pichai, Google CEO (Account Takeover): OurMine hackers took over his Twitter account by going through his linked Quora account.

Werner Vogels, Amazon CTO (Account Takeover): The CTO of Amazon Web Services had his social networking account hacked and taken over.

Katy Perry, celebrity (Social Media Hijack): The most followed person in the world had her Twitter account hijacked. Hackers tweeted profanity and slurs targeting rival popstar Taylor Swift.

Anne Hathaway, celebrity (Social Media Hijack): Intimate photos surfaced and were widely shared on Tumblr, Twitter and Reddit.

Tiger Woods, golfer, celebrity.
(Social Media Hijack): Dozens of nude photos of Tiger and other celebrities were hacked and released on an internet porn site.

These examples are of sophisticated executives at the helm of cutting-edge tech companies, or people in the public eye whose careers depend on their reputation, yet their accounts and identities are often compromised largely using the same tactics that put us all at risk. Let's start with this one.

1. CEO Phishing Scams

Cyber criminals use phishing to gain access to identities and networks for one good reason: it works. Every day, even the most tech-savvy execs fall for spoofed emails. By clicking on a seemingly innocuous link or entering a password on a familiar-looking site, they put untold personal and corporate information and reputations at risk.

Preventing phishing scams is particularly vexing for corporate IT departments because these spoofed emails often do not set off spam traps. They aren't mass emails and they use familiar domains.

In 2015, Ubiquiti Networks, a San Jose based maker of networking technology, was taken for $46.7 million when a hacker "impersonated" executives and directed funds to be transferred to an overseas bank.

Tech Firm Ubiquiti Suffers $46M Cyberheist

Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. [1]

In April 2016, Brian Krebs reported that the U.S.
Federal Bureau of Investigation (FBI) had alerted the public to a global increase (270%) in identified victims and exposed losses from "CEO scams." As Brian notes in his blog, spoofed emails rarely set off spam traps because they are carefully calculated and targeted, not mass emailed.

FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. Federal Bureau of Investigation (FBI) this week warned about a "dramatic" increase in so-called "CEO fraud," e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. [2]

[1] August 8, 2015. Brian Krebs. Tech Firm Ubiquiti Suffers $46M Cyberheist
[2] April 16, 2016. Brian Krebs. FBI: $2.3 Billion Lost to CEO Email Scams

2. Stolen Credentials

If cyber crime is a fast-moving wildfire across the global internet, stolen credentials are the oxygen. They are the source of 80% of all data breaches.

Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List... I Was

A malware researcher going by the Twitter handle Benkow moʞuƎq uncovered a huge stash of emails and passwords stored on an open server in The Netherlands. The stolen credentials were apparently harvested by a spambot known as Onliner. This spambot has been used to deliver banking malware which has compromised over 100,000 accounts. [3]

Like the rest of us, executives frequently use the same username and password combinations to log in to multiple accounts. On average, most people use 2-5 passwords to access 25 accounts.
This means that once a hacker gains the credentials that unlock one site, with a little time and the right software, he or she can gain access to the executive's other online accounts, including the enterprise network. This is an all-too-common way intellectual property, money and identities are stolen, and networks are held for ransom.

At 4iQ, we estimate an 80% chance that a hacker can find a password belonging to the victim if 3 different accounts are able to be tested.

After the credentials are used, accounts drained and networks ransacked, criminals usually sell (or dump) the information on the dark web for others to use. At this point, it is a "free for all" and the stolen credentials are available to anyone. It's akin to leaving your keys in the ignition with the engine running and the doors unlocked.

Mark Zuckerberg used the same password ("dadada", seriously) to log in to his Facebook, Adobe and LinkedIn accounts. Needless to say, they were breached multiple times. The last time, he learned of it by a tweet sent by hackers from his very own Twitter account.

92% of executives have credentials exposed.

EMAILS             BREACH/SITE  PASSWORD ALGORITHM  DECRYPTED PASSWORD
[email protected]  Linkedin     SHA1                dadada
[email protected]  MySpace      SHA1                *****fee
[email protected]  Last.fm      MD5                 *****v3a
[email protected]  Adobe        3DES                dadada
[email protected]  Tumblr       SHA1                *****nis
[email protected]  Dropbox      SHA1                *****325
[email protected]  Fling        None                *****980
[email protected]  VK           None                *****123
[email protected]  Adobe        3DES                dadada

[3] August 30, 2017. SecureYourWorkplace.net. Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List... I Was
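To make the reuse problem in the table above concrete, here is an added example (not 4iQ's code or tooling) of a password-reuse audit that a security team can run over a breach-dump extract for its own executives. The address, sites and plaintexts are constructed for the demonstration; the record layout (address, breached site, hash algorithm, stored value) mirrors the table, and unsalted hashing is assumed, as the table implies. It shows two things: the breached-password check a password-change hook can run, and that identical unsalted digests reveal reuse across sites without any cracking at all, which is why a leak at one unsalted site exposes the others.

```python
"""Password-reuse audit over a breach-dump extract (added example, not 4iQ's
code). Records mirror the whitepaper's table: address, breached site, the
hash algorithm the site used and the stored value. Everything below is
constructed; digests are computed from constructed plaintexts so the sample
is self-consistent, whereas a real dump carries the digests directly."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LeakedRecord:
    email: str
    site: str
    algorithm: str  # dump's label: "SHA1", "MD5", "None" (plaintext), "3DES", ...
    stored: str     # hex digest, the plaintext for "None", or an opaque blob


# Schemes we can recompute offline. Unsalted hashing is assumed, as the
# whitepaper's table implies. Reversible schemes such as 3DES need the site's
# key, so they are reported as unverifiable instead of being guessed at.
CHECKABLE = {
    "SHA1": lambda pw: hashlib.sha1(pw.encode("utf-8")).hexdigest(),
    "MD5": lambda pw: hashlib.md5(pw.encode("utf-8")).hexdigest(),
    "None": lambda pw: pw,
}


def _stored(algorithm: str, plaintext: str) -> str:
    return CHECKABLE[algorithm](plaintext)


# Constructed sample dump for one (fictional) executive address.
SAMPLE_DUMP = [
    LeakedRecord("exec@example.com", "Linkedin", "SHA1", _stored("SHA1", "dadada")),
    LeakedRecord("exec@example.com", "MySpace", "SHA1", _stored("SHA1", "coffee")),
    LeakedRecord("exec@example.com", "Last.fm", "MD5", _stored("MD5", "dadada")),
    LeakedRecord("exec@example.com", "Adobe", "3DES", "<opaque 3DES blob>"),
    LeakedRecord("exec@example.com", "Tumblr", "SHA1", _stored("SHA1", "dadada")),
    LeakedRecord("exec@example.com", "VK", "None", "dadada"),
]


def sites_matching(password: str, records) -> list:
    """Sites whose leaked value is reproduced by `password`.

    This is the check a password-change or login hook runs for a user with
    known leaks: a non-empty result means the password is already public and
    must be rejected (or rotated, if it is the one in use)."""
    hits = []
    for rec in records:
        hasher = CHECKABLE.get(rec.algorithm)
        if hasher is not None and hasher(password) == rec.stored:
            hits.append(rec.site)
    return sorted(hits)


def unverifiable(records) -> list:
    """Algorithms in the dump that cannot be checked offline, for manual review."""
    return sorted({rec.algorithm for rec in records if rec.algorithm not in CHECKABLE})


def reuse_by_digest(records) -> dict:
    """Reuse visible without cracking anything: the same unsalted digest under
    the same algorithm on two sites means the same password was used there."""
    groups = defaultdict(list)
    for rec in records:
        if rec.algorithm in CHECKABLE:
            groups[(rec.algorithm, rec.stored)].append(rec.site)
    return {key: sorted(sites) for key, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    print("'dadada' reproduces leaks at:", sites_matching("dadada", SAMPLE_DUMP))
    print("needs manual review:", unverifiable(SAMPLE_DUMP))
    print("identical digests across sites:", reuse_by_digest(SAMPLE_DUMP))
```

The 3DES rows are deliberately left as "unverifiable" rather than decrypted: a reversible scheme needs the site's key, and an audit should say what it could not check instead of silently passing it.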
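Returning to the CEO phishing scams of section 1: the traits the text describes (a message that appears to come from an executive, sent from a familiar-looking domain, asking for a wire transfer, and rarely caught by spam traps) are also the traits a mail gateway can score on its own. The following is an added example, not 4iQ's code, of such a triage rule run over constructed message headers; the corporate domain, executive roster, hold threshold and sample messages are all assumptions for the demonstration.

```python
"""Executive-impersonation triage for inbound mail (added example, not 4iQ's
code). Scores a message for the traits the whitepaper describes: an
executive's name on an outside address, a lookalike domain, a Reply-To that
diverts the thread, no DMARC pass, and wire-transfer language. The corporate
domain, executive roster, threshold and messages are all constructed."""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                   # assumption
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # constructed roster
HOLD_THRESHOLD = 3                                      # assumption: hold at 3+ signals
MONEY_URGENCY = re.compile(r"\b(wire|transfer|urgent|confidential|invoice)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _skeleton(domain: str) -> str:
    """Letters only, with digits that commonly stand in for letters mapped back,
    so 'examp1e-corp.com' and 'example-corp.com' collapse to the same string."""
    return re.sub(r"[^a-z]", "", domain.lower().replace("0", "o").replace("1", "l"))


def _lookalike(domain: str) -> bool:
    return domain != CORPORATE_DOMAIN and _skeleton(domain) == _skeleton(CORPORATE_DOMAIN)


def score_message(headers: dict, body: str):
    """Return (score, reasons); each reason is one independent signal."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = _domain(addr)

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive display name on a non-roster address")
    if _lookalike(sender_domain):
        reasons.append("lookalike of corporate domain: " + sender_domain)
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append("Reply-To diverts replies to another domain")
    if "dmarc=pass" not in headers.get("Authentication-Results", "").lower():
        reasons.append("no DMARC pass recorded by the receiving gateway")
    if MONEY_URGENCY.search(body):
        reasons.append("payment or urgency language")
    return len(reasons), reasons


# Constructed messages: a legitimate internal note, a lookalike-domain spoof,
# and a free-mail account borrowing the executive's name.
SAMPLE_MESSAGES = {
    "legit_exec": (
        {"From": '"Jane Doe" <jane.doe@example-corp.com>',
         "Authentication-Results": "mx.example-corp.com; dmarc=pass"},
        "Please review the board deck before Thursday's meeting.",
    ),
    "spoofed_exec": (
        {"From": '"Jane Doe" <jane.doe@examp1e-corp.com>',
         "Reply-To": "jane.doe@webmail.example",
         "Authentication-Results": "mx.example-corp.com; dmarc=fail"},
        "Please process the urgent wire transfer today and keep it confidential.",
    ),
    "freemail_exec": (
        {"From": '"Jane Doe" <janedoe.ceo@freemail.example>'},
        "Are you at your desk? I need you to handle an invoice quietly.",
    ),
}


def held_for_review(messages=SAMPLE_MESSAGES, threshold=HOLD_THRESHOLD) -> list:
    """Labels of messages scoring at or above the hold threshold."""
    return sorted(label for label, (headers, body) in messages.items()
                  if score_message(headers, body)[0] >= threshold)


if __name__ == "__main__":
    for label, (headers, body) in SAMPLE_MESSAGES.items():
        print(label, score_message(headers, body))
    print("held:", held_for_review())
```

The point of scoring several weak signals rather than one strong one is exactly the gap the text names: a single targeted message from a registered lookalike domain passes volume-based spam traps, but it still has to carry an executive's name, a diverted Reply-To or payment language to do its job, and those are checkable per message.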
A Broken Circle of Trust

Password Security Checklist

By analyzing hundreds of