locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 27 Apr 2009
Antiphishing messages: good for youth web sites, good for enterprises

My daughter has enjoyed many *safe* hours on Gaia Online, an anime-themed social networking and forums-based website. The folks who operate Gaia Online do a laudable job of keeping content and conversation age-appropriate (it's not perfect, but it's better than the average social network by a long shot). Another reason to toss kudos at Gaia Online is that they take user account management and the ever-present phishing threat seriously.

You may ask, "what could I possibly steal at Gaia?" MMORPGs typically allow players to accumulate in-game loot and gold; in some cases, special items can be purchased using credit cards or PayPal. Stealing an identity in a virtual world is a real threat, and for youth and teens it can interfere with their lives as much as a successful identity theft from a financial institution would for an adult.

Gaia makes an earnest effort to combat this threat through user education. A good example is reproduced below:

Consider this example carefully. The message is clear: phishers want your account information! It's presented in the anime context that Gaia users will pause to read. This is an important aspect of antiphishing messaging that is often lost in the enterprise. Sending uninspiring email messages or displaying the same antiphishing "message of the day" on a wiki may not be the wisest strategy if you want to impress your audience. Try a cartoon, something age-appropriate, from Dilbert or any cartoonist who's popular among employees in your company. Be creative: use Adobe Photoshop to add your phishing education message in callouts to photos of employees and executives (with approval, of course). Including executives sends a twofold message: they are just as vulnerable, and they recognize the threat as well. And it never hurts to show employees that senior management has a sense of humor and is willing to engage with employees.

Archived at http://www.securityskeptic.com/arc20090401.htm#BlogID726 by Dave Piscitello  


Fri, 24 Apr 2009
Guest column: Troubled Economy Puts Organizations at Greater Risk

A long time ago in Internet time I edited TISC Insight. While I don't have the bandwidth to continue that publishing endeavor, I do occasionally find something interesting to publish here. Today's guest column is by Manoj Patel and considers the sticky subject of insider threats. Enjoy!

The risk of insider threat greatly increases during times when companies are laying off staff, cutting back on raises and bonuses, deferring promotions, consolidating operations, and outsourcing work to save money. During these turbulent times, security analysts are warning companies to be even more alert to potential insider threat. Not only are angry employees more likely to lash out against their employers, but stressed, worried employees also make easier targets for opportunistic rivals looking to uncover trade secrets. People who are worried about losing their jobs or worse - paying their mortgages - can become desperate and, therefore, are more easily enticed by rival companies to steal and hand over corporate data and intellectual property in exchange for what they perceive to be a more stable or lucrative job opportunity.

The attacks run the gamut - from fraud to stolen proprietary information to bits of code planted to cause system or network failure, and from financial institutions to retailers to technology companies. For example, last year in San Diego an IT specialist deliberately deleted patient and related data from his former employer's computer systems. And, in November 2006, a DuPont scientist admitted to stealing corporate trade secrets valued at around $400 million shortly before he left DuPont to work for a rival company.

Insider attacks occur across all organizational sectors, often causing significant damage to the affected organization. According to research from the Ponemon Institute, the average cost of a data breach was US$4.6 million in 2006. The largest case of identity theft to date was the result of an insider attack and ended in September 2004 when Philip J. Cummings, a former technical support representative at Telecommunications Data Inc., pled guilty to one count of wire fraud, one count of fraud related to ID documents and information, and one count of conspiracy for his involvement in a scheme to steal identities, which defrauded financial institutions of more than $11 million. Cummings allegedly stole the passwords and access codes of Ford Motor Credit and other financial companies to access credit report records and downloaded credit report information on 30,000 individuals. He allegedly sold the credit reports to a group of co-conspirators.

Organized crime rings are also coordinating attacks. In April 2005 in Hackensack, NJ, Orazio Lembo led an organized insider crime ring that stole more than 675,000 identities and earned Lembo as much as $4 million. Lembo allegedly set up a bogus collection agency called DRL Associates. He then hired seven bank employees - including branch managers from Wachovia, Bank of America, Commerce Bancorp, PNC Bank NA and a former NJ Dept. of Labor manager - to steal personal account data and social security numbers of bank customers. The group created a manual database of all the identities and sold the data to more than 40 other collection agencies. Lembo paid bank employees $10 for each record they delivered, and then he charged collection agencies up to $150 for the data.

The harsh reality is that insider threats exist for all organizations. If your organization has not taken a hard look at insider threat controls, then now is the time. Here's a short list of "must have" capabilities for insider threat solutions:

  • Technology that permits 'as needed' access to critical assets and then monitors that access.
  • Software that provides a video capture of employee movements inside the system, enabling corporate executives to see what IT workers with privileged access are actually doing while they are logged into the system.
  • A solution that alerts organizations to unauthorized systems access so they can combat and prevent insider attacks.
  • Technology that provides in-depth investigation and forensics for insider attacks.
  • A solution that, in the event of legal proceedings, can produce digitally signed evidence.
  • A modular and scalable product that allows for integration with other security solutions currently in use.

Special Note: Many of the insider theft crimes noted in this post were found in the book "The Insider," by Dan Verton. Thanks, Dan, for your long-time research and reporting on the subject of insider threat.

About the Guest: Manoj Patel, CEO and founder of Unity Solutions, is an expert in insider threat identification and containment.

Archived at http://www.securityskeptic.com/arc20090401.htm#BlogID725 by Dave Piscitello