cansguy

Phishing and credential harvesting is on the rise!

janickoM — Tue, 06 Sep 2022 03:30:25 +0000

Phishing and credential harvesting is on the rise!

In the Q2 (second quarter) 2022 CERT NZ report, 2,001 incident reports were received from individuals and businesses throughout New Zealand.

Fraudulent calls posing as bank phone calls.

The authorities have recently warned of an increase in phone scam calls, where scammers pretend to be from a bank and ask the recipient to share their personal details. Rather than viewing this as a new trend in phishing, we should understand this as another iteration of the social engineering technique that has been around for decades.

Phone spoofing

Phone spoofing is a common phishing tactic that follows an increasing trend. Spoof calls have the intent to trick and compromise bank customers into transferring or disclosing financial information to these “phantom” scam artists who steal information and use this confidential data for unauthorised purchases on their own accounts.

The attackers not only can engage in “fake bank support” but also threaten to access personal data and account details if needed. The impersonation technique gains easy trust from the target, making them believe that they are conversing with their trusted bank.

Common sense precautions are urged by experts to protect yourself, such as:

Never disclose your full banking information,
Do not rely on verbal recognition.

In what way is this happening?

Scammers like to use a specific type of software that generates fake caller ID information, so remember to be cautious.
Criminals may use social engineering tactics to get a victim to part with sensitive information such as bank account details or access.
In many cases, attackers pretend to be from a bank’s centre and claim that they’ve detected unauthorised access to the recipient’s account. To sound more plausible, they use scripts and dialogue much like those used by bank call centres. For complex topics, they use fear to get people to act.

Scammers usually do one of the following when they call:

If you receive a phone call that appears to be coming from your bank and it’s using a similar phone number, there are some simple tips to help you make sure it’s not fraudulent.

With a bank scam call, the scammer will usually do one of the following:

Ask you to download remote access software. As an example, they can say: “We want to help you solve your problem even if it requires us remotely access your desktop.”
Send an SMS code to your phone. The code is either a code to either gain access or authorise a transfer, but the attacker may claim it’s a ‘cancellation code’ and ask the recipient to read out the code.
Ask to provide the following information: recipient’s bank account, login information, and full credit card number.
One strategy scammers use fear and urgency tactics to try and keep recipients on the phone. They may do this by telling them that they need to talk with them because they have important information or they’ll get an important request in the mail if they don’t answer now.

Protect yourself and your bank accounts from scam calls

Enable two-factor Authentication (2FA) on your bank account. Two-Factor Authentication (2FA) works by adding an additional layer of security to your online accounts. Gaining account access requires access to something that belongs to you beyond just the username and password. Do not share these codes with anyone. Your bank will never ask you for a 2FA code.
If you have clicked on a suspicious link or received a call where you’ve provided a 2FA code, contact your bank immediately.
Never give out account information, credit card details or remote access to your devices. Your bank will never ask for this information.

News report

There have been news reports of cybercriminals who stole money from unsuspecting bank customers. One common method practised on victims is spoofing phone calls to mimic the call originating from their own bank’s phone number. Armed with highly believable social engineering tactics, it is not a difficult task for them to mimic the caller’s voice, employ fake American accents to pose as a customer

I appreciate your time and look forward to seeing you again

Folow me

Join The club

Be the first to know when new posts are published!

The post Phishing and credential harvesting is on the rise! appeared first on cansguy.

Cybersecurity through the eyes of Chris Romano!

janickoM — Mon, 15 Aug 2022 02:03:49 +0000

Cybersecurity through the eyes of Chris Romano!

As a cyber security career mentor, Chris Romano helps other professionals thrive and succeed within the Cybersecurity industry. I met Chris on Linkedin several weeks ago and we exchanged messages. He agreed to answer a few questions for my blog.

How did you start your journey?

I began by working in a helpdesk role, then moved into IT Enterprise engineering, then into Networking, and I then became a consultant and began working in Cybersecurity by designing Secured Networks and environments.

What do you do now?

I am starting my own Cybersecurity Training program that combines a Cybersecurity Boot Camp, Certification Training, and Career Mentoring into a single program named Cybersecurity Career Mentoring Program: https://www.careerup.tech

How would you define cyber security in your own words?

Cybersecurity is providing a safe environment that upholds the elements of the CIA Triad to protect entities and people for all activities at all times. Information Security is focused on protecting data and enforcing the secure handling of data in all states. (Cybersecurity is a subset of IT and the term may also have various definitions depending on the context and use.)

What do you think is the biggest threat in Cyberspace at the moment?

Unknown attacks since they may be undetected and protection may also not exist. Why are so many people and businesses exposed to attacks every day? Improper application of appropriate Cybersecurity controls, processes, policies, and structure. Unfortunately, many companies do not have the staff or appropriate Cybersecurity mechanisms to secure their environment. This is often related to entities not being aware of their risks and vulnerabilities.

Do you have any advice for people who are new to cyber security?

Develop your foundational knowledge in Operating Systems, Networking, Cybersecurity, and learn at least one programming language. Also, develop attention to detail and the ability to learn and adapt to new situations as Cybersecurity is a constantly evolving area.

What is the best place to seek knowledge and information about this industry?

For anyone who wants to transition into Cybersecurity, I have my program which provides the Cybersecurity technical training that is needed to land positions and excel within them.

What are other resources you would recommend?

Chris recommended a few Youtube channels. NetworkChuck, Chris Greer, Dave Bombal, and Jack Rhysider’s darknet diaries.

NetworkChuck

https://www.youtube.com/c/NetworkChuck

Chris Greer

https://www.youtube.com/c/ChrisGreer

David Bombal

https://www.youtube.com/c/DavidBombal

Jack Rhysider

https://www.youtube.com/c/JackRhysider

Previous slide

Next slide

I also asked Chris: What was the most significant exploit, threat or vulnerability he encountered? However, as we all know, many things in Cyber can not disclose.

Chris very politely answered: No comment

I would like to thank Chris for taking the time to share his ideas and experiences with us, and I encourage you all to check out his Mentoring program.

The Cybersecurity Career Program

Click Here

I appreciate your time and look forward to seeing you again

Folow me

Join The club

Be the first to know when new posts are published!

The post Cybersecurity through the eyes of Chris Romano! appeared first on cansguy.

SYN cookie in DDoS prevention

janickoM — Mon, 08 Aug 2022 02:02:39 +0000

SYN cookie in DDoS prevention

SYN cookie

The role of SYN Cookie in DDoS prevention in case of SYN Flood attacks. A server can use SYN cookies to avoid dropping connections when its SYN queue fills up, according to the technique’s primary inventor Daniel J. Bernstein. In particular, SYN cookies allow a server to avoid dropping connections when it fills up its SYN queue. The sequence number sent in the SYN+ACK response encodes the SYN queue entry instead of storing additional connections. Following a subsequent ACK response from the client with the increased sequence number, the server is able to reconstruct the SYN queue entry using the information encoded in the TCP sequence number and proceed with the connection.

How TCP Connections Are Established:

TCBs (Transmission Control Blocks) are created when a TCP entity opens a connection. A TCB contains the entire connection state. Connection state includes:

Local sequence number.
Sequence number sent by the remote client.

The number of ‘half-open’ TCP connections (TCP connections in the SYN RCVD state) was most commonly limited to 100 until the mid-1990s in order to prevent the entity’s memory from overflowing. Therefore, a server could only have 100 ‘half-open’ TCP connections. When the limit was reached, the TCP entity stopped accepting new SYN segments.

Transmission Control Blocks (TCBs) must be maintained for every established TCP connection. Sending and receiving segments require all the information in a TCB. Following is a list of them:

Local IP address.
Remote IP address.
Local TCP port number.
Remote TCP port number.
Current state of the TCP FSM.
Maximum segment size (MSS).

What is a SYN flood attack?

Cloudflare reported in 2022 Q2 DDoS report on Network-layer DDoS attacks:

In 2022 Q2, network-layer DDoS attacks increased by 109% YoY. Attacks of 100 Gbps and larger increased by 8% QoQ, and attacks lasting more than 3 hours increased by 12% QoQ.
The top attacked industries were Telecommunications, Gaming / Gambling and the Information Technology and Services industry.
Organizations in the US were the most targeted, followed by China, Singapore, and Germany.

SYN flood (half-open attack) is a form of Network-Layer denial-of-service (DDoS) attack. A malicious attacker can overwhelm all available ports on a targeted server machine by repeatedly sending initial connection request (SYN) packets, causing the machine to respond slowly or not at all to legitimate traffic.

SYN Flood Attack Prevention

There are several ways to prevent SYN Flood attacks. SYN cookies can be used as one method.

IP Spoofing attacks can be mitigated by crafted SYN-ACK responses to SYN requests, without creating a new TCP TCB. SYN cookies work by having the server reply to SYN requests with crafted SYN-ACK responses. Only when the client replies to this crafted response is a TCB created for the respective TCP connection. When a server receives a TCP SYN flood, this technique prevents its resources from being overloaded.

How SYN cookies are used in DDoS prevention against SYN Flood attack:

This problem is solved by SYN Cookies method, which uses a function that calculates a random initial sequence number using data from both client and server SYN packets. In an SYN + ACK message, let’s say we send this number as y-1 to the client. The reverse function can verify that a sequence number y is valid if the acknowledgement packet is received with a sequence number y. Connections are established if the TCB is valid. Connections are refused if they are invalid. In contrast to TCBs, SYN cookies don’t require that the server creates and stores a TCB upon receiving a SYN segment.

A firewall (Cisco ASAv Firewall ) can be used to step in as a TCP server and refuse to allow so many half-form sessions to reach the server. It is up to the Firewall to set the threshold. If there are more than a threshold number of half-open TCP sessions, sometimes referred to as embryonic connections, the firewall will take action.

The firewall will intercept this TCP request instead of allowing it to reach the server. This is essentially a reply on behalf of the server. In other words, once the Firewall reaches the threshold, it will respond to whether the new clients are malicious or not. In the event that the client is valid with the final ACK, ASA verifies the validity of the connection and builds a three-way handshake with the server before mixing the two sessions.

The post SYN cookie in DDoS prevention appeared first on cansguy.

ISO/IEC 27001

janickoM — Mon, 08 Aug 2022 01:31:05 +0000

The ISO/IEC 27001 certification

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. A European update of the standard was published in 2017. Organizations that meet the standard’s requirements can choose to be certified by an accredited certification body following the successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021and ISO/IEC 27006 standards:

Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

Ongoing involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.

Clauses

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

Scope of the standard
How the document is referenced
Reuse of the terms and definitions in ISO/IEC 27000
Organizational context and stakeholders
Information security leadership and high-level support for policy
Planning an information security management system; risk assessment; risk treatment
Supporting an information security management system
Making an information security management system operational
Reviewing the system’s performance
Corrective action

Clause 1: Scope

The first clause details the scope of the standard.

Clause 2: Normative references

All the normative references are contained in ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, which is referenced and provides valuable guidance.

Clause 3: Terms and definitions

Please refer to the terms and definitions contained in ISO/IEC 27000. This is an important document to read.

Clause 4: Context of the organization

This is the clause that establishes the context of the organization and the effects on the ISMS. Much of the rest of the standard relates to this clause. The starting point is to identify all external and internal issues relevant to your organization and your information or

information that is entrusted to you by 3rd parties. Then you need to establish all “interested parties” and stakeholders as well as how they are relevant to the information. You will need

to identify requirements for interested parties, which could include legal, regulatory and/or contractual obligations. You’ll also need to consider important topics such as any market

assurance and governance goals. You will be required to decide on the scope of your ISMS, which needs to link with the strategic direction of your organization,

core objectives and the requirements of interested parties. Finally, you’ll need to show how you establish, implement, maintain and continually improve the ISMS in relation to the

standard.

Clause 5: Leadership

This clause is all about the role of “top management,” which is the group of people who direct and control your organization at the highest level. They will need to demonstrate leadership

and commitment by leading from the top. Top management needs to establish the ISMS and information security policy, ensuring it is compatible with the strategic direction of the organization. They also need to make sure that these are made available, communicated, maintained and understood by all parties. Top management must ensure that the ISMS is continually improved and that direction and support are given. They can assign ISMS relevant responsibilities and authorities, but ultimately they remain accountable.

Clause 6: Planning

This clause outlines how an organization plans actions to address risks and opportunities to information. It focuses on how an organization deals with information security risk and needs to be proportionate to the potential impact they have. ISO 31000, the international standard for

risk management, contains valuable guidance. Organizations are also required to produce a “Statement of Applicability”

(SoA). The SoA provides a summary of the decisions an organization has taken regarding risk treatment, the control objectives and controls you have included and those you have excluded, and why you have decided to include and exclude the

controls in the SOA. Another key area of this clause is the need to establish information security objectives and the standard defines the properties that information security objectives must have.

Clause 7: Support

This section of ISO/IEC 27001 is all about getting the right resources, the right people and the right infrastructure in place to establish, implement, maintain and continually improve the

ISMS. It deals with requirements for competence, awareness and

communications to support the ISMS and it could include making training and personnel available, for example. This clause also requires all personnel working under an

organization’s control to be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming. The organization also needs to ensure that internal and external communications relevant to information security and the ISMS are appropriately communicated. This includes identifying what needs to be communicated to whom, when and how this is delivered. It’s in this clause that the term “documented information” is referenced. Organizations need to determine the level of documented information that’s necessary to control the ISMS. There is also an emphasis on controlling access to documented information, which reflects the importance of information

security.

Clause 8: Operation

This clause is all about the execution of the plans and processes that are the subject of previous clauses. It deals with the execution of the actions determined and the achievement of the information security objectives. In recognition of the increased use of outsourced functions

in today’s business world, these processes also need to be identified and controlled. Any changes, whether planned or unintended need to be considered here and the consequences

of these on the ISMS. It also deals with the performance of information security risk assessments at planned intervals, and the need for documented information to be retained to record the results of these. Finally, there is a section that deals with the implementation of the risk treatment plan, and again, the need for the results of these to be retained in documented information.

Clause 9: Performance evaluation

This clause is all about monitoring, measuring, analyzing and evaluating your ISMS to ensure that it is effective and remains so. This clause helps organizations to continually assess how they are performing in relation to the objectives of the standard to continually improve. You will need to consider what information you need to evaluate the information security effectiveness, the methods employed and when it should be analyzed and reported. Internal audits will need to be carried out as well as management reviews. Both of these must be performed at planned intervals and the findings will need to be retained as documented information. It should be noted that management reviews are also an opportunity to identify areas for improvement

Clause 10: Improvement

This part of the standard is concerned with corrective action requirements. You will need to show how you react to nonconformities, take action, correct them and deal with the

consequences. You’ll also need to show whether any similar nonconformities exist or could potentially occur and show how you will eliminate the causes of them so they do not

occur elsewhere. There is also a requirement to show continual improvement of the ISMS, including demonstrating the suitability and adequacy of it and how effective it is. However you do this is up to you. ISO/IEC 27001 also includes Annex A which outlines 114 controls to help protect information in a variety of areas across the organization. ISO/IEC 27002 also provides best practice guidance and acts as a valuable reference for choosing as well as excluding which controls are best suited for your organization.

Tips on making IOS/IEC 27001 effective for organization.

The post ISO/IEC 27001 appeared first on cansguy.

Cisco Secure Firewall ASA

janickoM — Mon, 08 Aug 2022 00:56:06 +0000

Proven Firewall and Network Security Platform

The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources – anytime, anywhere, using any device. Cisco ASA devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world.

WHAT IS THE CISCO ASA?

In brief, Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network.

An ASA is valuable and flexible in that it can be used as a security solution for both small and large networks.

The Cisco ASA 5500 series is Cisco’s follow up of the Cisco PIX 500 series firewall. However, the ASA is not just a pure hardware firewall. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network. Therefore, the Cisco ASA firewall is the whole package, so to speak.

BEYOND BEING A FIREWALL, THE CISCO ASA CAN DO THE FOLLOWING AND MORE:

antivirus
antispam
IDS/IPS engine
VPN device
SSL device
content inspection

CISCO ASA BRINGS WIDE VARIETY OF FEATURES

You can get even more security functionality with add-on modules which offer a variety of features. The Cisco ASA firewall has one of the biggest market shares in the hardware firewall appliance market, together with Juniper Netscreen, Checkpoint, SonicWall, WatchGuard etc.

THE ASA 5500 SERIES HAS THE FOLLOWING MODELS:

Cisco ASA 5505
Cisco ASA 5510
Cisco ASA 5520
Cisco ASA 5525-X
Cisco ASA 5540
Cisco ASA 5550
Cisco ASA 5580-20
Cisco ASA 5580-40

ARCHITECTURE

The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina. This schedules processes internally rather than using the Linux facilities. In the boot sequence a boot loader called ROMMON (ROM monitor) starts, loads a Linux kernel, which then loads the lina_monitor, which then loads lina. The ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files includes a version indicator, -smp means it is for a symmetrical multiprocessor (and 64 bit architecture), and different parts also indicate if 3DES or AES is supported or not.

The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query operate or configure the device. In config mode the configuration statements are entered. The configuration is initially in memory as a running-config but would normally be saved to flash memory.

STATEFUL INSPECTION

When internal users make requests to the internet, an ASA saves session information so that when a valid response comes back, it can recognize and permit that traffic through. Stateful inspection is the mechanism that allows the ASA to do so.

With stateful inspection, you can have thousands of users all going out to the internet dynamically and allow all the return traffic while simultaneously stopping any traffic that’s initiated on the outside from coming in.

PACKET FILTERING

Packet filtering allows legitimate external users to make inbound requests to your web servers. An ASA protects internal networks by permitting valid packets into the DMZ — and only there.

With packet filtering set up on an ASA, internet users making valid requests can access public web servers. At the same time, we’re never allowing external users from the outside into our inside zone. That’s because everything we know about zone perspectives is maintained when dealing with packet filtering.

NAT AND PAT

An ASA can provide network address translation or port address translation so that all the devices sitting behind it appear to be on the private network. But requests to the internet get global routing addresses, and they’re swapped out when they come back into the network.

Network Address Translation (NAT) and Port Address Translation (PAT) is simply faking source IP addresses. The firewall will have a globally routable address like 18.26.3.4, but devices behind the ASA don’t have one. But as traffic passes through the ASA, it uses NAT or PAT to translate the source addresses into the ASA’s address and lie about where the request is coming from.

ASDM GRAPHICAL USER INTERFACE

The ASDM user interface is designed to provide easy access to the many features that the ASA supports.

To move efficiently throughout the ASDM user interface, you may use a combination of menus, the toolbar, dockable panes, and the left and right Navigation panes, which are described in the previous section. The available functions appear in a list of buttons below the Device List pane. An example list could include the following function buttons:

Device Setup
Firewall
Botnet Traffic Filter
Remote Access VPN
Site to Site VPN
Device Management

The list of function buttons that appears is based on the licensed features that you have purchased. Click each button to access the first pane in the selected function for either the Configuration view or the Monitoring view. The function buttons are not available in the Home view.

The post Cisco Secure Firewall ASA appeared first on cansguy.

Equifax data breach

janickoM — Tue, 02 Aug 2022 02:14:59 +0000

Equifax data breach

This study investigates the recent Equifax data breach, focusing on the causes, effects, and way forward to avoid future occurrences. This study analyzes different reports, including the U.S. government Accountability Report and the Oversite and Government Reforms’. Based on data from Equifax public release papers and an assessment of the efficiency of Equifax incident handling techniques for the huge data breach, it will recommend the best strategies for companies, governments, and individuals. In addition, the report analyzes the implications for cybersecurity education and workforce training.

Corporate cybersecurity incident response and crisis management require effective public communication tactics. Following the 2017 Equifax data breach incident, the company has since been widely criticized for its handling of the situation and its response to consumers whose personal information was compromised by the breach. The company also faces multiple investigations by state attorneys general and federal agencies into how it handled its response to the breach and whether it violated any laws or regulations related to information security (Marinos & Clements, 2018).

Introduction

The Equifax data breach has been called “one of the worst security mishaps ever” (CNN, 2017). The massive data leak is estimated to have affected over 145.5 million people in the United States alone. The Equifax data breach occurred on July 29, 2017, when an unknown hacker or group of hackers managed to break into an Equifax server and steal personal data from thousands of Americans. The stolen information included names, social security numbers, and birth dates (Wiener-Bronner & Danielle, 2017). This information can be used for identity theft purposes or sold on the black market for a high price (Refer to appendix 1 for the data breach process).

The previous finding reveals that the Equifax hack was made possible because the company failed to secure its network and servers properly, allowing attackers to access sensitive customer information efficiently. This case study will examine the actions taken by Equifax after the breach occurred and what it could have done differently to prevent this situation from happening in the first place.

Body

Significance

Data breaches are not a new phenomenon. They have been going on for quite some time now. This is despite the security measures put in place by companies and governments to protect sensitive information from being accessed by hackers. Data breaches have become more common as technology has advanced, making it easier for hackers to access sensitive information. The Equifax data breach case is one among many other data breaches that have been reported in the recent past. The significance of this research is to help other companies learn from Equifax’s mistakes to keep their customers safe and secure. This study will also allow other companies to build stronger relationships with their customers by being transparent about what they are doing to protect them from cybercriminals like those who attacked Equifax in 2017.

Root Cause

The root cause of the breach was not a “0-day” vulnerability in Apache Struts 2. It was a failure to apply a critical patch for the vulnerability available since March 7, 2017. That patch should have been applied within 30 days and would have prevented the attack. The Equifax data breach occurred because Equifax failed to install security updates for three months after Apache released them (Wiener-Bronner & Danielle, 2017). Equifax did not have patch management; they ran vulnerable software without patches or updates. Equifax did not have proper access controls to prevent unauthorized users or systems from accessing sensitive data.

Lessons

The data breach wasn’t not just about the number of records stolen but also how much each record is worth when it comes to identity theft. Moreover, it is essential to remember that you cannot rely on a single company for your information protection; you need to take steps yourself to protect your data. Another important lesson is that there is no such thing as 100% security; even if you follow best practices, there are still risks involved in data breaches and cyberattacks. Therefore, it is necessary to stay vigilant and keep an eye out for suspicious activity in your accounts or credit report (O.G.R, 2018). Finally, it takes individual responsibility to regularly check your credit report and make sure there are no fraudulent accounts opened under your name.

In response to this incident, Congress held hearings and issued a report on the incident; it included recommendations for how Congress might better protect Americans from future cyber security threats. The following are some of the key lessons we should take away from this experience: Companies need to be more transparent about data breaches when they happen, not just when they are forced by law or public pressure to do so. Consumers should have better tools available to them to protect themselves from identity theft. Moreover, companies should have more substantial legal incentives to secure customer data, and Congress needs to pass legislation that provides for more accountability in cases like Equifax’s (Wiener-Bronner & Danielle, 2017).

This research has significant implications for cybersecurity incident response and cyber workforce preparation. It is critical to swiftly notify and disclose discovered data breach events following compliance requirements to prevent legal consequences and unfavorable public opinions of the firm in the event of a underlying discovery of responsibility. Effective communication skills are essential components of educational programs and the evaluation of student learning outcomes (Primoff & Kess, 2017). Public communication competencies and abilities should be included in cybersecurity curricula and courses, given the growing need for competent cybersecurity workers. Furthermore, cybersecurity program evaluation and certification should cover public communication capability for cyber incident response and management (Wang & Park, 2017).

Steps to Secure Personal Data

Following the Equifax data breach, consumers need to take steps to protect themselves from identity theft. The following are some tips for doing so: A credit freeze allows one to prevent the credit bureaus from releasing your information to creditors, insurance companies, and other businesses that request it. A freeze must be lifted temporarily if you want to apply for a new loan or credit card. However, doing so requires contacting each of the three major credit bureaus individually. A security freeze will not block access to existing credit accounts or services; it will only prevent new lines of credit from being opened in your name without authorization. Also, individuals should consider placing a fraud alert on personal accounts. A fraud alert means that anyone who requests your information must take additional steps, such as calling you directly or sending you a letter asking for confirmation of the application before providing it. Fraud alerts are free but only last 90 days unless renewed by filing an affidavit with all three credit bureaus.

Results of the Investigation

The investigation results confirm that the attackers exploited a vulnerability in Apache Struts CVE-2017-5638 to gain access to Equifax’s systems (Wiener-Bronner & Danielle, 2017). The vulnerability was patched on March 6, 2017. However, Equifax did not install the patch for over two months.

The company failed to identify and address vulnerabilities in its system and software. This included unpatched software, known open-source vulnerabilities, and SQL injection flaws. The company also was unable to configure its firewall to prevent or detect unauthorized access properly. Moreover, the company did not conduct sufficient due diligence when choosing third-party vendors for network security, website hosting, and data analytics (Equifax, 2020). These deficiencies were compounded by Equifax’s failure to manage third-party vendors after the contract award adequately.

Equifax did not have sufficient policies and procedures in place to ensure that third-party service providers met its standards for information security controls. Equifax did not perform periodic reviews of third-party service providers to determine whether their practices were consistent with Equifax’s expectations or contractual obligations. Also, it didn’t require those service providers to report security incidents if they occurred on their systems (although Equifax did require those service providers to report certain types of incidents).

Additionally, the investigation found that when the attacker accessed an administrator account, they could use command-line utilities that are part of Equifax’s legacy operating system to take complete control over a server (Equifax, 2020). These utilities have root privileges by default and do not require authentication before being used by an administrator or an account holder.

Recommendations

The Equifax Data Breach Case is a study that illustrates the importance of data security and the risks associated with not having a firm I.T. policy in place. Data breach notification laws should be strengthened to require companies to provide timely, clear, and consistent information to consumers about any data breaches, including the types of information compromised, the number of individuals affected, and steps they can take to protect themselves (Gaglione Jr, 2019). Companies should also be required to report data breaches promptly. Companies should be required to provide notice within 30 days after discovering a breach if the personal information that compromises security or privacy is subject to unencrypted storage or transmission or stored on an unencrypted device. The FTC should have authority over the CFPB’s proposed rulemaking for data security standards for financial institutions and credit bureaus, including Equifax Inc., Experian PLC, TransUnion Corp, and other entities with access to large amounts of Americans’ sensitive personal information (Gaglione Jr, 2019). Congress should consider passing legislation that would require credit reporting agencies like Equifax Inc. Such companies hold vast amounts of personal information about Americans to notify consumers when their personal information has been compromised so they can take action to protect themselves from identity theft and fraud.

Individuals should be wary of their data. People should consider placing a fraud alert or credit freeze on their accounts. A fraud alert warns creditors that someone is trying to open an account in your name and asks them to verify your identity before issuing new credit. With a credit freeze, no one can open an account using your personal information unless they unfreeze it first by contacting you and providing proof of their identity (Gaglione Jr, 2019). Both are free and effective, but they have drawbacks: Fraud alerts last 90 days and may not stop every account application, while freezes require you to contact each bureau separately if you want to apply for new credit or get a loan.

Conclusion

The Equifax data breach is a defining moment for cybersecurity. It is one of the most significant data breaches to date, exposing the personal information of more than 145.5 million Americans (Davidson, 2018). The significance of this breach cannot be understated. The sheer scale of compromised personal information is staggering, and Equifax has acknowledged that it may not accurately picture how many consumers were affected by this breach. Equifax case study is an example of the many commercial business data breach cases experienced worldwide. Future research in this field may include cybersecurity incident response for government and non-profit businesses, such as healthcare institutions and learning institutions with a less economic incentive. Given the growth in ransomware cases, future research on cybersecurity incident handling should focus more on ransomware attacks.

Bibliography

Marinos, N., & Clements, M. (2018). Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. United States Government Accountability Office, Report to Congressional Requestors. https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf

Primoff, W., & Kess, S. (2017). The Equifax data breach: What CPAS and firms need to know now. The CPA Journal, 87(12), 14-17. https://www.proquest.com/openview/920e319e470ab16320958d972ae8aa00/1?pq-origsite=gscholar&cbl=41798

Gaglione Jr, G. S. (2019). The Equifax data breach: an opportunity to improve America’s consumer protection and cybersecurity efforts. Buff. L. Rev., 67, 1133. https://heinonline.org/HOL/LandingPage?handle=hein.journals/buflr67&div=34&id=&page=

Equifax. (2020). Company Profile. https://www.equifax.com/about-equifax/who-we-are/

Wiener-Bronner, Danielle (2017, September 13). Equifax breach: How a hack became a public relations catastrophe. http://money.cnn.com/2017/09/12/news/companies/equifax-pr-response/index.html

Davidson, P. (2018, March 1). Equifax finds an additional 2.4 million Americans impacted by the 2017 data breach. https://www.usatoday.com/story/money/personalfinance/2018/03/01/equifax-findsadditional-2-4-million-americans-impacted-2017-breach/384381002/

Oversight & Government Reform, (Dec 2018). Report by U.S. House of Representatives Committee on Oversight and Government Reform; The Equifax Data Breach Majority Staff Report 115th Congress December 2018. https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf.

The post Equifax data breach appeared first on cansguy.

cansguy

Phishing and credential harvesting is on the rise!

Phishing and credential harvesting is on the rise!

Fraudulent calls posing as bank phone calls.

Phone spoofing

In what way is this happening?

Scammers usually do one of the following when they call:

Protect yourself and your bank accounts from scam calls

News report

Folow me

Join The club

Cybersecurity through the eyes of Chris Romano!

Cybersecurity through the eyes of Chris Romano!

Folow me

Join The club

SYN cookie in DDoS prevention​

SYN cookie in DDoS prevention

SYN cookie

How TCP Connections Are Established:

What is a SYN flood attack?

SYN Flood Attack Prevention

How SYN cookies are used in DDoS prevention against SYN Flood attack:

ISO/IEC 27001

The ISO/IEC 27001 certification

Clauses

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Context of the organization

Clause 5: Leadership

Clause 6: Planning

Clause 7: Support

Clause 8: Operation

Clause 9: Performance evaluation

Clause 10: Improvement

Tips on making IOS/IEC 27001 effective for organization.

Cisco Secure Firewall ASA

Proven Firewall and Network Security Platform

WHAT IS THE CISCO ASA?

BEYOND BEING A FIREWALL, THE CISCO ASA CAN DO THE FOLLOWING AND MORE:

CISCO ASA BRINGS WIDE VARIETY OF FEATURES

THE ASA 5500 SERIES HAS THE FOLLOWING MODELS:

ARCHITECTURE

STATEFUL INSPECTION

PACKET FILTERING

NAT AND PAT

ASDM GRAPHICAL USER INTERFACE

Equifax data breach

Equifax data breach

SYN cookie in DDoS prevention