Tuesday, 1 March 2016

Impact of human error in breaches

We tend to blame the system for a security breach. In reality, human error, voluntary or involuntary, is the number one cause of cyber security breaches. Here are some points to consider:

1. Social engineering: This is still the biggest cause of leaks. Phishing is one example of social engineering. In simple language, any means by which a human can be coerced into divulging confidential information is social engineering. An abject lack of infosec awareness still plagues most organizations and individuals. Honestly, the basis of cyber security is mere common sense.

2. Backdoors or zero-day hacks: These are attacks that take advantage of either a poor piece of code or ill-configured devices. Again, who configured or coded them in the first place?

3. Lack of stakeholder commitment: Small and medium-scale businesses that are not heavily into IT tend to ignore the presence of cyber threats to their business as usual. These are the most likely to fall prey to scams, spam and malware. They do not realize that it is not the IT infrastructure that faces the threat; it is the information that is vulnerable to attack.

4. Security is a virtue, not a product: Decades of research and effort went into improving quality once people realized its importance in the industrial revolution era. In the information revolution era, people should understand that security has the same importance as quality.

5. To err is human: True, humans cannot be 100% right all the time, but a conscious effort can bring the numbers close to that. Plus, there are means and measures like a continuity plan and disaster recovery for the remaining percentage.

6. Information security is nerdy gobbledygook: Maybe so, but so is the theory of aerodynamics. Does that prevent anyone from flying? You have information that you have to protect; all you need to know is how. Leave the rest to the researchers.

7. The "I have antivirus" syndrome: Just get over it, man! Antivirus alone is not enough. Like I said earlier, it is your data that is vulnerable. There are a hundred more ways in which you willingly share your personal data with unintended audiences.

To add to this, I am putting an interesting number here: "... potential annual cost to a company in the event of a successful phishing attack is around $3.7 million ..." (Source). What is interesting is that most of the loss is due to lost employee productivity, so there goes your quality!

Sunday, 7 February 2016

Backdoor

Backdoor: Gaining unauthorized, often hidden, access to a system by bypassing the security measures in place. Users are often unaware of it. Anomaly detection can be used to scan for existing backdoors.

Tuesday, 19 January 2016

Detect Phishing / Malware in an Email


There are countless mails for promotions or otherwise in your inbox, a lot of which have malicious intent. Some of them try to extract your personal information. Others might just carry a file that can infect your computer. Here are some tell tale signs to detect a spurious email.


This is a classic social engineering trick to make it seem like the mail is from a reliable source. In the figure below it says it is from the Reserve Bank of India. It also carries an attachment and has no subject.
This is the first sign, as RBI does not send such emails. One should not open such emails; mark them as spam or delete them right away.
Modern email services do filter many such mails automatically, but some emails do pass the filter.

On opening the mail you can notice that the email id is something completely unrelated to RBI, confirming that it is a potentially dangerous email.


You can see that there is an image file attached. This file should not be opened or downloaded. The file could be of any format (.zip, .doc, etc.). This is a clear sign of malware, and opening it on your system might have a severe effect.
Small pieces of code can easily be embedded in the file to install something on your system, which can vary from doing nothing to installing a keylogger or a virus.

On opening the header of the mail we can see the complete details of the sender. This is called the mail header.


It is easy to understand that a central government institution like RBI would not have an email id as shown in the image.

What to do if you see such a mail?

This part is simple. Just delete the message or mark it as spam. If your email is handled by an IT team, notify them.

Detecting emails such as the one discussed in this post is pretty straightforward. Sometimes even the email id seems to be genuine. This can happen when a mail server is hacked and used to send spurious emails. It might also happen that you receive such emails from a person you know! This happens when their email account, or the device where its client is configured, is compromised.

The best policy for email is to follow these simple steps:
  1. Be very careful with emails from unknown senders.
  2. Check the email header for clues.
  3. Do not open the attachments in unsolicited mails before checking them.
  4. If you suspect that your friend's account is compromised, verify it.
  5. Delete such mails or mark them as spam.
Many of us are not aware of such threats, and even aware people fall prey to them, so please be careful.
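The signs discussed in this post (no subject, a display name that claims an organization while the address domain is unrelated, a Return-Path from yet another domain, and a risky attachment) can be checked mechanically from the mail header and MIME structure. The script below is an added example written for this page, not code from the original post; it uses only Python's standard library. The sample message, the domains in it, and the mapping of the display name "Reserve Bank of India" to the domain rbi.org.in are all constructed assumptions for the illustration, not statements about the real organization's mail setup.

```python
"""Added example: header/attachment heuristics for the tell-tale signs of a
spurious email. All sample data below is constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the display name claims a bank, the address and the
# Return-Path use unrelated domains, there is no Subject, and a .zip is
# attached. Every value here is made up for the example.
SAMPLE_EMAIL = """\
Return-Path: <bounce@another-host.invalid>
Received: from mail.example-free-mail.invalid (192.0.2.10) by mx.example.net
From: "Reserve Bank of India" <rbi.support1234@example-free-mail.invalid>
To: customer@example.net
Date: Tue, 19 Jan 2016 10:00:00 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Dear customer, your account is blocked. Open the attached file to verify.
--XYZ
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Display-name keyword -> domain that organisation is assumed to send from.
# This mapping is an assumption for the example; in practice it would come
# from your own organisation's list of trusted senders.
CLAIMED_ORG_DOMAINS = {
    "reserve bank of india": "rbi.org.in",
}

# Attachment types that should not be opened without checking (example list).
RISKY_ATTACHMENT_EXTENSIONS = {".zip", ".exe", ".js", ".scr", ".doc", ".docm", ".xlsm"}


def domain_of(address):
    """Return the lower-cased domain part of an address ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message.

    One indicator per sign from the post: missing subject, display name vs
    address-domain mismatch, Return-Path domain differing from the From
    domain, and a risky attachment type.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    if not (msg.get("Subject") or "").strip():
        indicators.append("no subject")

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    for org, legit_domain in CLAIMED_ORG_DOMAINS.items():
        claims_org = org in display_name.lower()
        domain_matches = (from_domain == legit_domain
                          or from_domain.endswith("." + legit_domain))
        if claims_org and not domain_matches:
            indicators.append(
                f"display name claims '{display_name}' but address domain is {from_domain}")

    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # iter_attachments() yields only non-body parts, so the text body is skipped.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = ("." + filename.rpartition(".")[2].lower()) if "." in filename else ""
        if ext in RISKY_ATTACHMENT_EXTENSIONS:
            indicators.append(f"risky attachment: {filename}")

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

Running it on the constructed sample reports all four signs. A message with a subject, a From address on the expected domain and no attachment produces an empty list, which is the point of the display-name check: it only fires when the name claims an organization that the address domain does not back up.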

Denial Of Service (DoS) Attack

DoS attack: When someone or something prevents users from accessing the services they want. A physical shop would reopen only after repairs, but in cyber security there are many ways of preventing or mitigating the attack! Load balancing is one prevention technique.

Monday, 11 January 2016

Dumpster Diving

Dumpster diving is a term in information security. It means going through trash to look for useful data, or for clues to find it, without the owner's consent.

Wednesday, 6 January 2016

Phishing

Phishing: Duping someone into divulging sensitive or personal information.

Monday, 4 January 2016

Man in the middle

Man in the middle is a kind of attack where an attacker tries to listen in on or alter the communication between two parties.