« May 2012 | Main | July 2012 »

June 2012

Wednesday, 27 June 2012

Incident Response Cheat Sheets

Colleague Lance Spitzner shared an interesting resource for Incident Response (IR) methodologies today and I'm paying it forward.

The CERT Societe Generale, in cooperation with SANS and Lenny Seltzer, offers a set of guidelines and practices that describe how an organization can respond to a variety of security incidents. Each of these operational best practices describes the order and actions to take if your organization falls victim to events that are becoming all too common: social engineering attack, data breach, worm infection, and more. CERT Societe Generale currently offers 15 such guidelines. All the guidelines folllow a common methodology (shown at right).

 IRhandling

While these "cheat sheets" are not sufficient to fully prepare to respond to any incident, they will greatly simplify how you go about preparing your organization. Several of the guidelines point to other valuable rsources to use when preparing your response or defining the actions you can take to identify, contain and recover from specific classes of incidents.

Take a few minutes to visit the site. I'm confident that if you browse at least one of these two page worksheets, you'll download the entire package.

Posted at 05:32 AM | | Comments (0)

Monday, 25 June 2012

Are Your Data at Rest Also at Risk?

In a recent tweet (@securityskeptic), I offered a definition of "data at rest" in social media driven society:

Data at rest are information waiting to be exfiltrated or disclosed without notice or consent.

Is this a spot on assessment or am I overly cynical?

Much of your data at rest are data you disclose or share, so judge my assertion by considering how large a portion of our increasingly mobile- and tech-enabled society shares seemingly every waking thought. Everything's in play: what food we eat, where we dine, our travel plans, the sports we play or watch, whom we like or despise, Our work place matters, projects, or research. Our social engagements, personal health, medical advice, emotional states, and (intimate) relationships. Even information that is arguably not for play is at risk of disclosure, a consequence of mishandling or malicious (criminal) activities (exfiltration, exploits, or targeted extraction).

Many Internet users share spontaneously or frivolously. In some cases, users share because they can’t access content without doing so. In other cases, users share because they think they are only sharing with friends, family or colleagues. In social networking, sharing (disclosing) can be infectious (“he shared so I will”).

The problem with sharing

What you  post to a social network has more permanence – and exposure to unintended use or misuse – than what you share in a face-to-face conversation. How often do you consider who processes or collects data that you share or why, where the data are stored or for how long? Do you think about the possibility that "your" data may be further shared by web sites that collect data? Many users are only now coming to realize that when all these data are coupled with location services or applications, they paint a detailed and elaborate picture of the intimate or sensitive aspects of who we are and how we live and behave.

As a test, look at your history of tweets, Facebook or Google+ postings, public and restricted. Nearly all of us voluntarily reveal a great deal more personal data than we imagine. But while we facilitate, we really aren’t our own or only worst enemies.

Your data are more popular than you are

The extent to which bits and pieces of personal data are collected and shared for commercial purposes is alarming. If you have a virtual presence, virtually everyone wants to know everything about you. Worse, our willingness to share is creating markets for even more data. Moreover, the risk that personal data will be exfiltrated or disclosed as a result of a data breach can no longer be discounted or dismissed.

Every day, the same people who share without hesitation or discrimination express righteous indignation when they discover an app, service provider or vendor is collecting or sharing their life bits without notice or consent. But even a small sampling of evidence tells a different story:

We don't have the will to question why something is free. Example: mobile users are so consumed with the notion that "the Internet is free" that they hesitate to buy a registered version of an app for a paltry $.99 when they are offered a "supported by advertising" version. Few consumers consider what the app is collecting from a mobile device, how the collected data are used, and by whom.

We undervalue our personal data. Example: users concede to sharing or disclosing what they might in other circumstances consider private information because it's a precondition for joining a social network. The prevailing sentiment? Shoulder shrug, it's the cost of participation.

We are more trusting or naive in the virtual world than the physical world. Example: We’ll happily strike up a conversation with a Twitter account we follow or see in a retweet. Would we be as trusting if a fellow subway passenger inserted himself into a conversation we’re having with a colleague or friend? 

How do we correct course?

Don't think in terms of major course corrections. Instead, begin with these small measures:

Accept that “free” is not worth the hidden cost. Paying for a mobile app may “free” you from ads or tracking, and you may unlock more features.

Use social media, but do so with eyes wide open. Assume that no matter what privacy controls say, what you publish may be shared or disclosed (remember, privacy policies can be deceiving or may change, and legislation like CISPA may render such policies moot).

Review what you have already published on social networks. Look at the profiles and posts you've made. Where possible, take advantage of privacy settings. Delete or obfuscate personal data that reveals more about you than you are comfortable revealing.

When subscribing to new social network, submit the barest minimum of information you need to create an account. For example, if you can create an account merely by identifying your country of residence or state, don't include your street address.

Separate personal and social network correspondence. Create a separate email account and use this as your designated point of contact with social media sites (and for correspondence). I know individuals who have separate email accounts for each social network ([email protected]<emailservice>, [email protected]<emailservice>...).

Small adjustments to behavior can be beneficial. The harder but sometimes wisest adjustment, however, is:

Walk away if you're not comfortable with terms or conditions of service, privacy policy, or treatment of data you disclose.

 

Posted at 07:01 AM in Stop Think Connect | | Comments (0)

Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories