Thursday, May 22, 2014

The Hitlist: Compliance

Cross posted from where I am a regular author.

The Hitlist is a new series where we will attempt to provide a quick list of security considerations for a particular technology or initiative within an organization.  Our first post will be on compliance.  What we mean is that if your organization is attempting to become compliant with an industry standard or regulation such as PCI-DSS, HIPAA, ISO27k or FISMA, these are the things that will have to be considered and more than likely implemented across the board.  Here is the hitlist for things to consider when planning to meet a compliance standard:
1. Risk Assessment
How do you know what to protect if you don't know where your risks are?  A risk assessment will evaluate your biggest gaps and your biggest liabilities.  This will allow your organization to focus its efforts where the most impact can be made quickly.
2. Data Classification
You need to know what your data is and where your data is.  If only a small portion of your data contains sensitive information, then all of your data doesn't need to be under the same scrutiny.  You need to identify what the sensitive data is so that you can identify where that data is.  Once you know where it resides, then you can put controls and processes in place to protect it.  Additionally, it is essential to have policies and procedures in place so that all this information is documented.
3. Network Monitoring/Testing
Many compliance standards require annual penetration testing and vulnerability assessments.  Additionally, tools should be in place to monitor the network in real time: antivirus, intrusion detection/prevention (IDS/IPS), enterprise class firewalls, Data Loss Prevention (DLP).  The extent of the required real-time monitoring will vary with the budget of the organization, the requirements of the compliance standard and the type of data being protected.
4. Data Encryption
Do you have sensitive data?  It needs to be encrypted now.  Whenever it moves (email, ftp, file shares) that communication needs to be encrypted.  Whenever it's at rest (USB drives, file shares, desktops, mobile devices) it needs to be encrypted, no exception.  Industry-standard, strong encryption is the only sure way to ensure that if portable media is lost or stolen, prying eyes can't read the data.
5. User Training
Most standards require annual security training.  It is also just a good practice for any organization.  How many of your users can recognize a phishing email?  How many users have their guard up for a phone call asking them to give up sensitive information?  Users need good reminders on basic security tenets.
6. Authentication
Why lock your doors if the key is hanging on the wall?  Not only do strong and unique passwords need to be enforced (this includes the C-suite), but 2 factor authentication needs to be strongly considered, especially for access to sensitive data.  If 2 factor authentication is available, then the complexity requirements on passwords can drop a notch (that doesn't mean 6 characters and no special characters).  An ideal corporate authentication strategy for standard users would be 8-12 characters, numbers, letters, special characters, and a password history of at least 10 in addition to 2 factor authentication.  For users with direct access to sensitive data or with technical administration roles the requirements should be stricter.
7. Separation of Duties
Have you ever seen the movie where they are about to launch the nuclear missiles and it requires a code and 2 keys?  They do that so that no single person can launch a nuclear missile.  The same is true for network administration.  Your network admins should not be using their standard user accounts for performing administrative functions.  They should have separate accounts used for remote access, email access, and workstation access from the accounts they use to manage the network.  There are exceptions based on the magnitude of the operations (adding users, joining a computer to the domain, etc.).  I have seen too many organizations where a system administrator has a standard account that is a member of the most privileged groups in the domain and also uses that account for remote access.
8. Centralized Logging
This one isn't a requirement for all standards, but it is for some, and it is essential to know what is happening in your network.  Centralized logging can allow you to find information about a security incident without having to go look through 15 different sources.  Additionally, there are tools that add analytics and correlation to those logs and provide intelligence on top of them.  What if you could know if a user account was attempting to log into your network from multiple cities or countries?  This is how you can reduce the mean time until discovery of a breach from 87 days to just a few days.
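Here is what that correlation looks like in practice. This is an added example and not code from the original post: it parses a constructed batch of login events, maps source addresses to countries with a stand-in table (a real deployment would use a GeoIP database and events already normalised by the SIEM), and flags any account with successful logins from two different countries inside a configurable window.

```python
"""Flag an account that authenticates from more than one country within a
short window, the "multiple cities or countries" case described above.

Added example, not code from the original post. The log format, the sample
events and the prefix-to-country table are constructed for illustration; a
real deployment would read SIEM-normalised events and use a GeoIP database.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real data): ISO timestamp, user,
# source address and outcome, as a VPN or SSO gateway might log them.
SAMPLE_LOG = """\
2014-05-20T08:02:11Z LOGIN user=jsmith src=203.0.113.10 result=success
2014-05-20T08:41:57Z LOGIN user=jsmith src=203.0.113.12 result=success
2014-05-20T09:15:03Z LOGIN user=jsmith src=198.51.100.7 result=success
2014-05-20T09:20:44Z LOGIN user=mjones src=192.0.2.33 result=success
2014-05-20T13:05:19Z LOGIN user=mjones src=198.51.100.9 result=failure
2014-05-21T02:10:00Z LOGIN user=jsmith src=198.51.100.7 result=success
"""

# Constructed stand-in for a GeoIP lookup (documentation address ranges only).
GEO_PREFIXES = {"203.0.113.": "US", "198.51.100.": "BR", "192.0.2.": "US"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def country_for(ip):
    """Longest-prefix match against the stand-in table; '??' when unknown."""
    for prefix, cc in sorted(GEO_PREFIXES.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return cc
    return "??"


def find_multi_country_logins(events, window_hours=2):
    """Return {user: sorted countries} for every user with successful logins
    from two different countries less than `window_hours` apart."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":   # failed attempts belong to a different rule
            by_user[e["user"]].append((e["ts"], country_for(e["src"])))

    alerts = {}
    for user, logins in by_user.items():
        logins.sort()                  # chronological, so the inner loop can stop early
        for i, (t1, c1) in enumerate(logins):
            for t2, c2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break
                if c1 != c2:
                    alerts.setdefault(user, set()).update({c1, c2})
    return {user: sorted(cc) for user, cc in alerts.items()}


if __name__ == "__main__":
    for user, countries in find_multi_country_logins(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: successful logins from {', '.join(countries)} within 2h")
```

Failed attempts are deliberately left out; a burst of failures from many countries is a password-spraying signal and deserves its own rule with different thresholds. The window and the country granularity are the knobs to tune against your own travel patterns and VPN egress points so that the alert stays rare enough to be acted on.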
9. Physical Security
If you have everything else buttoned up, but leave the back door open, it doesn't matter.  You need to know when people come and go, you need to be able to see when people come and go, and you need to know where your assets are.  Electronic key cards, video surveillance, and asset management are essential to a robust network security program.
10. Auditing
You can theorize about how good you are, you can make educated guesses, and you can read a bunch of studies, but until you have a third party measure your compliance against your policies and your standards you won't know.  Most standards require 'periodic review,' but put it this way: how will you ever know if you are compliant without having someone look?

Heartbleed: What you need to know


Heartbleed is a serious vulnerability that can allow attackers to intercept secure communications.  Email, Websites, VPNs, and other trusted security technologies are at risk – passwords and encryption keys can be breached.  You most likely have something that is affected. 

What to do

  1. Update anything using OpenSSL, see below for more information.
  2. Check to see if you are vulnerable. (Adrian Hayter, a consultant with CNS Hut3, showed with a proof of concept that many of the testing tools themselves have bugs.)
    1. Check your public facing websites for the vulnerability.  Use one of these tools: SSLLabs
    2. Check internet facing equipment to see if it uses OpenSSL.   This can include firewalls, VPN, mail servers or services that utilize TLS; anything that uses SSL.
  3. Apply vendor patches.  Here is a good list of vendor notifications for fixes.  Here is a list of file transfer applications and their status.
  4. Update IPS/IDS devices with signatures to detect the vulnerability.
UPDATE 4/11/2014: Vulnerable devices do not have to be using SSL actively.  We have confirmed a Windows Server running IIS running a file sharing application over port 21/FTP is vulnerable even though it is not using an SSL certificate.

These last two are not easy, but recommended – it is that serious.

  1. Once you have updated a website, revoke any SSL certificates for sites that were vulnerable, and reissue them.  Keep in mind any sites that share an SSL certificate with a vulnerable site, even if that site was not vulnerable.
  2. Issue password resets for network users, and notify users to reset their personal passwords for affected sites.  Here is a good list of sites that are affected: Sites affected by Heartbleed
*These tools can give false negatives.  This means that if it says a site is vulnerable, it is, but if it says it is not, it could still be vulnerable, so don't use only these tools to test.

More information:

What is heartbleed?

First, it is very serious and this is something everyone in IT needs to familiarize themselves with.  This graphic gives a very simple explanation of the bug.  Heartbleed is a vulnerability found in OpenSSL.  OpenSSL is an open-source, commercial-grade toolkit that implements SSL v2/v3 and TLS v1.  This means that websites using SSL, VPNs and TLS services that utilize OpenSSL could be vulnerable.  For a comprehensive overview, Troy Hunt has a really good blog post.  There is also a variant, 'reverse' Heartbleed, that can affect client infrastructure as well.

What's the big deal?

Heartbleed allows an attacker to view information stored in memory of a website that is vulnerable.  This could include usernames, passwords, private keys or more.

What can this affect?

This can affect the obvious: HTTPS, VPN and TLS services that run on websites, routers, firewalls and email servers, as well as the certificates that affect those servers.  The scary part is that this can also affect services such as IMAP, POP, FTP, SFTP, SSH and more.  Not only do some of these services use certificates, they can also run OpenSSL on the servers that support them, making them vulnerable.

Wednesday, May 21, 2014

Trustwave Global Security Report 2014

Cross posted from where I am a regular author.

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations' networks.  We wanted to highlight a few of these statistics below:
Top 10 Internal Network Penetration Test Vulnerabilities
- which include weak passwords, shared accounts, and unencrypted storage
Top 10 External Network Penetration Test Vulnerabilities
- which include default SNMP strings and weak passwords
Top 10 Web Application Vulnerabilities
- including path traversal, authentication bypass, SQL injection, unencrypted pages and XSS, just showing that the OWASP top 10 is alive and well
Passwords were the cause of a compromise 31% of the time
- it's time to start upping the requirements for password length and complexity
Criminals relied most heavily on Java applets as a malware delivery method
- Java and Adobe often have the top number of vulnerabilities when we assess an organization. Patch schedules for these products are essential.
71% of victims did not detect a breach themselves
- who wants their client notifying them of a breach? It's time to implement defense in depth strategies with IDS/IPS protection and SIEM solutions
67% of victims were able to contain a breach within 10 days of discovery; however, the median number of days from intrusion to detection was 87
- organizations just need to know it happened; in general they can handle the situation well once they know
Top Intrusion Indicators Include:
anomalous account activity, unexplained or suspicious outbound data, new and/or suspicious files dropped, geographic anomalies in logins, registry changes, log tampering, anti-virus tampering, services added/stopped/paused and more
- learning to recognize these signs or implementing tools that correlate these types of events can help in self detection
Over 13 client side zero-day vulnerabilities were actively exploited in 2013
- again, it is essential to have a patching procedure for third party plugins and apps
78% of detected exploits were Java related
Botnet analysis showed a continuing trend of using common and compromised passwords across multiple sites
Microsoft SQL Server was the only database that did not experience any known vulnerabilities in 2013
Android and iOS both had a number of vulnerabilities
- don't assume that something is more secure based on reputation; make sure all of your mobile devices are managed
In conclusion, I suggest everyone take a look at this report and take note of some of the recurring elements in any of these reports.  Organizations need stronger passwords and they need to patch their stuff.  Those two steps alone will mitigate a number of risks.

Monday, May 19, 2014

Study: Cost of Data Breaches Increasing

Cross posted from where I am a regular author.

A study published by Ponemon Institute, and sponsored by IBM, reported that the average total cost of a data breach increased 15% in the last year to $3.5 million, or $145 per record containing protected information.  The study included participants from 314 companies in at least 10 countries.  There are a number of key facts that the study shows regarding factors that reduce the cost of a breach, as well as factors that increase it.  The study found that appointing a CISO, maintaining a business continuity management program, and developing an incident response program can reduce the cost per record of a data breach.  It also discovered that, on average, over the next two years, organizations have a 22% chance of a breach of 10,000 or more records.

[Figure: change in cost per record based on organizational factors]

The study found that only 38 percent of companies have a security strategy to protect their IT infrastructure, while 45 percent have a strategy to protect their information assets.  Considering that the study also found that the highest percentage of breaches was due to malicious or criminal attack, it would seem that organizations may need to rethink their budgets.

[Figure: breach attack vectors]

The industry where the breach occurs also has a direct effect on the cost.  Heavily regulated industries, like healthcare, had the largest cost per breach.  The overall average cost of the breach was $145/record.

[Figure: cost per record by industry]

At first glance, the report appears to address what we all already know, but I think it does a good job of pointing out some key pieces of information:  Where should I spend my money?  Where should I focus my efforts?  Am I at risk?  I believe it is worth a read. Download Report

Monday, April 28, 2014

Tips for Spotting a Phishing Email

Cross posted from where I am a regular author.

Every day users are targeted with phishing emails from all around the world.  These emails can range from overtly "spammy" and easy to detect, to quite sophisticated and difficult to notice.  We have found that this is typically the least defended position in an organization, as well as one of the easiest to exploit.  Even organizations with millions of dollars worth of network security equipment can be vulnerable if even a single user clicks on a malicious link.  Here are some tips and tricks for spotting phishing emails:

Do You Know the Sender?

There are two parts of an email that make up the 'sender' portion of an email: the "From" field and the "Reply-To" address.  The "From" field identifies the name of the person who sent the email.  This field can easily be spoofed.  The "Reply-To" address is the email address that will receive an email if you reply to it.  This cannot be spoofed; therefore, what you see is who you will send the email to.  For example, the following headers show the "From" and "Reply-To" fields in this phishing email:

[Image: phishing email headers]

Outlook displays the following information:

[Image: Outlook view of the phishing email]

If an email purports to be from a well known brand or company, but the actual email address does not appear to be one that would come from that company (USPS <info (at)>), then the email should be deleted.

Is This Something You Expected?

Let's say you received an email from UPS stating that a package was undeliverable.  Ask yourself, were you expecting a package, or did you order anything?  More often than not, the justification for receiving a phishing email simply won't make sense.  Another type of phishing email could claim to be from a financial institution.  Perhaps the email could appear to be from a bank, or it might request account or credit card information.  You should ask yourself, "do you actually have an account with this bank?"  If not, it is probably a phishing scam, and should be deleted.  If emails such as these contain very specific information about you, or you believe that you may have inadvertently been compromised, you should check your credit report and make sure no new accounts have been opened in your name.

Did Your Systems Flag This as Suspicious?

[Image: Outlook junk mail folder view]

Many times email clients do a pretty good job of recognizing spam.  More often than not, you should trust the email client's recommendations, and delete these messages.  As you can see in the photo above, Outlook recognized this email as spam and moved it to the junk mail folder.  This automatically prevents images from being downloaded, and blocks any links that may be in the email.

Are There Grammar Mistakes?

Emails from large corporations will go through rigorous proofs and checks for grammar.  This does not mean that they will never have mistakes; however, mistakes are usually unlikely and very few in number.

"Our courier couldnt make the delivery of parcel to you at 20th April."

Notice in the above example that there is no apostrophe in "couldn't" and the word "the" is missing before "parcel".  These errors are dead giveaways.  Additionally, the US is one of the only countries in the world that uses the MMDDYYYY format for dates.  This email used the DDMM format, which is common throughout the rest of the world.  This wouldn't have come from the USPS.

Is a File Attached?

Many phishing emails will attempt to get the user to open malicious files.  Most email systems will block files with executable program extensions (such as .exe or .bat); however, there are many known vulnerabilities in other well known file types, such as Adobe documents.  They could also try to mask malicious files within a ZIP file.  Flags should be raised any time an unexpected email is received with attachments, especially if the email matches any of the other signs listed in this article.

Does The Email Ask for Personal Information?

Financial institutions will never ask for personal information in an email.  They will also never ask for a password at any time, whether via email or on the phone.  Most phishing emails will attempt to glean some sort of personal information, whether it's as simple as trying to get a user to respond to an email simply to determine whether or not that email address is valid, or asking for usernames and passwords, or banking information.  Sometimes an attacker will ask for the information directly in the email, but most will link to a separate file or web page which will ask a user for information.  Guard this information well.

Are There Links In The Email?

Before ever clicking a link in any email from anyone, first hover over the link to see if the link in the ToolTip matches the link you see and to make sure the URL is something you recognize.  If it is not a .com URL, then I would be highly suspicious.  The email below says it is from USPS; however, look at the URL when we hover over the link:

[Image: hovering over the link reveals the real URL]

Checking URLs in an email should become second nature; otherwise, you will eventually click a malicious link.  Another item of note is that, even if you recognize the URL, any URL that ends in .php should automatically require extra scrutiny.
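The sender, attachment and link checks above can be automated against the raw message. The following is an added example, not code from the original post; the two messages, the brand-to-domain table and the extension list are constructed for illustration. It flags a From display name that claims a brand the sender domain does not belong to, a Reply-To on a different domain than the From address, anchors whose visible text names one host while the href points at another, link targets ending in .php, and attachments with executable or archive extensions.

```python
"""Score a raw e-mail for the phishing signs covered above.

Added example, not code from the original post. Both messages, the brand
table and the extension list are constructed for illustration.
"""
import os
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure modelled on the USPS example in the post (not a real message).
SAMPLE_PHISH = """\
From: USPS <info@example-bulkmailer.net>
Reply-To: claims@example-freemail.org
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our courier couldnt make the delivery of parcel to you at 20th April.</p>
<p>Track it here: <a href="http://198.51.100.23/track.php">https://www.usps.com/track</a></p>
</body></html>
--sep
Content-Type: application/zip; name="delivery_label.zip"
Content-Disposition: attachment; filename="delivery_label.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# Constructed benign counterpart: sender domain matches the brand, link text
# and href agree, nothing attached.
SAMPLE_LEGIT = """\
From: USPS <noreply@usps.com>
Subject: Your package has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Track it at <a href="https://www.usps.com/">https://www.usps.com/</a></p></body></html>
"""

# Constructed table: brand a display name may claim -> domain it really uses.
BRAND_DOMAINS = {"usps": "usps.com", "ups": "ups.com", "paypal": "paypal.com"}
RISKY_EXTENSIONS = {".exe", ".bat", ".scr", ".js", ".zip"}


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    claimed = BRAND_DOMAINS.get(name.strip().lower())
    if claimed and from_domain != claimed and not from_domain.endswith("." + claimed):
        findings.append(f"display name '{name}' but sender domain is {from_domain}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {filename}")
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown = urlparse(text).hostname if "://" in text else None   # text that looks like a URL
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
            if urlparse(href).path.lower().endswith(".php"):
                findings.append(f"link target ends in .php: {href}")
    return findings
```

Run it with `phishing_indicators(SAMPLE_PHISH)` and `phishing_indicators(SAMPLE_LEGIT)`; the lure produces five findings and the benign message none. No single signal is proof on its own; the point, as in the tips above, is that several of them together are enough to route a message to the junk folder rather than to the user.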


Once you learn what typical phishing emails are comprised of, your ability to spot one will significantly improve.  Phishers can become sophisticated when they are specifically targeting individuals or organizations.  These take a great deal of acumen to spot.  However, these typically follow the 80/20 rule: you spend 20% of your effort to spot over 80% of phishing emails.  According to Symantec, 1 in 392 emails contains a phishing attack.  They are not uncommon, and if successful, can be very dangerous.  Stay vigilant.

Thursday, April 24, 2014

Verizon Breach Report 2013: What does it mean for your organization?

Cross posted from where I am a regular author.

Each year Verizon releases their Breach Report; it is sort of a state of the union with regard to last year's breaches.  It is worthy research to help determine the industry trends that could help steer the budgets and focus of IT departments.  This year's report includes 1,367 confirmed data breaches and 63,437 security incidents.  No one is immune.

[Image: No one is immune]

According to the report, 92% of all breaches can be categorized in 9 groups.  Here is a summary of things every organization should be doing to keep from being included in next year's report:
  • Restrict Remote Access
  • Enforce Password Policies
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity
  • Two Factor Authentication
  • AppDevs use the OWASP Top Ten
  • Information Management - Where is your data and who has access?
  • Review User Accounts
  • Encrypt Devices
  • Use mobile device management systems
  • Patch Your Stuff
  • Implement Change Management
  • Maintain Logs
  • Monitor your corporate email addresses for breaches
Let's break down the sections for quick overview of the report:

Point-Of-Sale Intrusions

In 2013 over 99% of POS intrusions were initiated by external parties, but even worse, in 99% of the cases an external party (law enforcement, fraud detection or a customer) notified the organization of the breach.  This begs the question: is compliance enough?

What can you do?

  • Restrict Remote Access
  • Enforce Password Policies
  • Use POS systems only for POS activities
  • Deploy AV
  • Employ Network Monitoring
  • Reconsider Network Topologies and Connectivity

Web App Attacks

Applications are vulnerable from many fronts.  The attack vector is almost always in the OWASP Top Ten, and developers need to be familiar with each item in the top ten.  60% of compromises occur within minutes of an attack.  Over 85% of attacks are discovered in days, and 50% can take months or longer to discover.  So while discovery is the area that needs the most focus, most organizations, once they discover the attack, respond within days.

What can you do?

  • Two Factor Authentication
  • Strongly Consider your CMS
  • Validate Inputs
  • Enforce Lockouts
  • Monitor Outbound Connections

Insider and Privilege Misuse

Most crimes by trusted parties are perpetrated for personal or financial gain.  In 71% of these incidents the attack began on the corporate LAN, and 28% took advantage of physical access within the corporate facility.  This means that most of these types of attacks take place at work.  72% of these attacks were perpetrated for financial gain, and in 70% of intellectual property thefts the person stole information within 30 days of announcing their resignation.

What can you do?

  • Information Management - Where is your data and who has access?
  • Review User Accounts
  • Know what data leaves your network
  • Publish Audit Results

Physical Theft and Loss

Corporate assets are stolen more often than vehicles or residences, and 40% of thefts involve mobile assets.  80% of these thefts allowed a user to gain access through disabled or bypassed controls.

What can you do?

  • Encrypt Devices
  • Encrypt Devices!
  • Use mobile device management systems
  • Segregate Secure Data (logically and physically)
  • Consider preventing secure data from being mobile

Miscellaneous Errors

Almost all data breaches include some element of human error.  Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure.  According to the report, "government organizations frequently deliver non-public information to the wrong recipient; so much so, in fact, that we had to remove it from [one of our figures] so that you could see the other error varieties."

What can you do?

  • Implement a DLP Solution
  • Create better publishing policies
  • Control what is trashed and what is shredded


Zeus is still number one in malware attacks.  Statistics in this area are difficult to gather because of variables such as a machine simply being wiped instead of the virus being removed.  Additionally, the partners who report these outbreaks often never know about them.

What can you do?

  • Patch Your Stuff
  • Keep Browsers up to Date
  • Disable Java in the Browser
  • Use Two-Factor Authentication
  • Implement Change Management
  • Leverage threat feeds

Payment Card Skimmers

100% of incidents involved data disclosure.  Most skimming occurred at ATMs and gas pumps.

What can you do?

Cyber Espionage

According to Verizon, "Strategic website compromises (SWCs) have proven to be an effective tactic of state-affiliated threats to infiltrate the networks of target organizations."  Over 75% of compromises took advantage of browser based zero-day vulnerabilities.

What can you do?

  • Patch Your Stuff
  • Make Sure AV is Up to Date
  • Train Users
  • Segment Networks
  • Maintain Logs

DOS Attacks

No data was disclosed as a result of a DoS attack.  The average attack utilized a sustained 10Mbps of bandwidth.  The amount of traffic in the Spamhaus attack ranged from 85-120Gbps. Yikes!

What can you do?

  • Turn off unused ports and services
  • Segregate essential IPs from unused IPs
  • Contact your provider about anti-DDoS services
  • Have a plan in place
  • Know your servers' limits

Monday, February 10, 2014

The Switch to Chip & Pin: Will it change anything?

Cross posted from where I am a regular author.
Chip & PIN, the future of credit cards
Late next year the U.S. will finally catch up to the rest of the world when it comes to credit card transactions.  Customers will no longer be signing credit card receipts; instead they will enter a PIN, similar to making a debit transaction.  The U.S. is the last major market to still use the old-fashioned signature system, which is the primary reason why about half of the world's credit fraud happens in the U.S.
What is Chip & PIN?
Basically, we are replacing our signature with a PIN code.  Each card will include a microchip that is matched to a PIN code.  When inserted into the POS system, the chip is read and the PIN code authenticates the card.  Flaws in the system have already been reported since 2010, not to mention how incredibly vulnerable 4 digit PINs are to social hacking, as discussed in this article.  If most of the fraud occurs in the US, where we don't use this system, is it logical to think that most of the effort to commit fraud is not focused on finding flaws in the Chip & PIN system?  A British research firm has released a paper detailing a new vulnerability with Chip & PIN.  According to the paper, "EMV did not cut fraud as its proponents predicted. While using counterfeit and stolen cards did become more difficult, criminals adapted..."  According to their research, it does not appear that Chip & PIN technology reduced cyber-related fraud.
Will this really make our information safer?
Let's take the Target breach for example.  This data was compromised because of malware installed on their POS system which gathered information as it was in transit.  Would having a chip & PIN system in place have prevented the loss of the information?  It doesn't appear that way.  So the question is, then, will the new system, in the event of data loss, prevent the abuse of that information and protect consumers from fraud?  The problem in the Target breach was not fraud; that was the outcome.  The problem was the lack of comprehensive security policies and programs in place in the organization, or at the very least the lack of diligence in enforcing them.  This is an issue that is not unique to Target or retail or any other industry.  If the problem is not fraud, but broken security, why are we poised to spend billions as a total economy to shift to a solution that doesn't solve the problem?  Is it really to protect consumers from fraud?

UPDATED: PayPal President's credit card was stolen and used fraudulently.  "Marcus noted that his credit card had EMV chip technology, a more secure system currently in use in Europe. But that didn't stop the data from being stolen and used for a 'ton of fraudulent' transactions, according to the PayPal chief." Source: USAToday
What does the Chip & PIN system solve?
The WSJ article announcing the shift says it best: "Part of the October 2015 deadline in our roadmap is what's known as the 'liability shift.' Whenever card fraud happens, we need to determine who is liable for the costs...So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn't issued a chip and PIN card to the customer, the bank would be liable."  The new system is not about protecting consumers; it's about protecting credit card companies and shifting the liability to the merchant and the consumer.  There are benefits to the consumer, and it will reduce fraud.  It will require a higher level of sophistication to commit fraud with any data that is gathered.  That is just it, though: there are still ways to commit fraud and we know there are ways to get the data; it's just a matter of time.  So should we be spending the effort and the capital to invest in this new system while creating a false sense of security?  This system should not be touted as the be-all and end-all of credit card fraud.  It is a step toward mitigating the risk.
Where should we start?
As I was writing this, I discovered this article by CSOOnline.  This article takes a very strategic approach to analyzing the situation I am discussing.  I strongly suggest reading it.  Companies should stop trying only to meet compliance requirements and instead focus on comprehensive security.  Many industry standard compliance requirements focus so much on privacy that they often neglect general security, such as segregating the general network environment from protected data.  Organizations must focus on general, overall security, and the data within will become protected; otherwise, regardless of the protections we put in place at the point of sale, breaches will continue to happen.  Why is it hard to do this?  It's often not visible and it's expensive.  Consumers don't see the results of a secure network; they only see the results of an insecure network or of changes at the POS.  This is a difficult position for CISOs and CIOs to compete in, and in the end the consumer loses.

Tuesday, January 21, 2014

Password gets the boot, 123456 reigns supreme

Cross posted from where I am a regular author.

2013 crowned a new champion as the #1 password, based on passwords collected from data breaches.  The top password for 2012 was 'password,' but in 2013 '123456' reigns supreme.  SplashData, a security firm, releases its findings each year of the top passwords discovered in breaches.  This year, due to the size of the Adobe breach, you'll see some Adobe passwords make the list.
  1. 123456 (+1)
  2. password (-1)
  3. 12345678 (0)
  4. qwerty (+1)
  5. abc123 (-1)
  6. 123456789
  7. 111111 (+2)
  8. 1234567 (+5)
  9. iloveyou (+2)
  10. adobe123
  11. 123123 (+5)
  12. admin
  13. 1234567890
  14. letmein (-7)
  15. photoshop
  16. 1234
  17. monkey (-11)
  18. shadow
  19. sunshine (-5)
  20. 12345
  21. password1 (+4)
  22. princess
  23. azerty
  24. trustno1 (-12)
  25. 000000
So what can you glean from this?  First, if your password is in this list, change it immediately.  It is literally one of the first passwords someone will try if you are targeted.  Second, it shows why users should not use the name of the application they are protecting in their passwords, nor easy-to-remember letter and number combinations. Securit360 recommends using passphrases made up of letters, numbers and symbols.  The longer the passphrase the better, preferably 10 or more characters.  If you have to choose between long or complex, choose long.  Don't use common words or phrases; don't be predictable.  Don't share passwords among accounts, but find a way to make a unique password for each account. Don't use real information in your security questions, but if you do, use a phrase and not just a single word.  Turn on two-factor authentication if it is available.  Don't be afraid to use a password manager to help you remember complex passwords, but be sure to protect the password manager.
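As an added example (not Securit360's or the post's own code), here is a Python checker that encodes the advice above: reject anything on the 2013 list, anything under 10 characters, anything containing the name of the application it protects, and the obvious predictable patterns. The app_name parameter and the specific pattern rules are my assumptions about how to turn that advice into a check.

```python
"""Password-policy check built from the post's recommendations.

Added example, not Securit360's tooling. The blocklist is the SplashData
2013 top-25 list quoted in the post; the 10-character minimum and the
"prefer length over complexity" rule follow the post. The app_name check
and the pattern rules are assumptions about how to encode that advice.
"""
import re

# Top-25 list from the post (SplashData, 2013), lower-cased for comparison.
TOP_25_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
    "000000",
}

MIN_LENGTH = 10  # the post recommends 10 or more characters

# Common base words seen in the list, optionally followed by digits ("password1").
COMMON_BASE = re.compile(r"(?:qwerty|azerty|password|letmein)\d*")


def check_password(candidate: str, app_name: str = "") -> list[str]:
    """Return the policy findings for candidate; an empty list means it passes.

    app_name (assumed parameter) is the application the password protects,
    e.g. "adobe"; the post warns against embedding it in the password.
    """
    findings = []
    lowered = candidate.lower()
    if lowered in TOP_25_2013:
        findings.append("in breached top-25 list")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if app_name and app_name.lower() in lowered:
        findings.append("contains the application name")
    if candidate.isdigit():
        findings.append("digits only")
    if len(set(lowered)) == 1:
        findings.append("single repeated character")
    if COMMON_BASE.fullmatch(lowered):
        findings.append("common word with optional digit suffix")
    return findings
```

A long passphrase such as "correct horse battery staple" passes every rule, while "Password2014" meets the length rule but is still flagged for its common base word, which is the "long beats complex, but don't be predictable" point the post makes.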

Sunday, January 12, 2014

Target Data Breach Timeline

Cross posted from where I am a regular author.

Updated: Originally posted by the WSJ, and sourced here from Business Insider, Target had warning last spring about a new emerging threat against POS systems; internal analysts requested additional scrutiny. Updated: According to an article posted on KrebsOnSecurity, "the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor." The recent retail breaches show that compliance is not enough.  Cyber security needs to be an organization-wide initiative:
Initial Target Data Breach
Breach: Target, sometime between Thanksgiving and December 15th, 2013.  Estimated 40 million records.
Discovered: Sometime around mid-December 2013.
Reported: Target confirms breach of 40 million records on December 19th, 2013.
Notes: By Wednesday, December 18th, data from the theft had already flooded underground markets.
Neiman Marcus Confirms Breach
Breach: Scope unknown. UPDATED: included credit and debit cards dating back to July 2013. UPDATED: approximately 1.1 million credit and debit cards affected.
Discovered: Sometime around mid-December 2013. UPDATED: The breach was not confirmed until January 1st.
Reported: Jan 10th 2013, Neiman Marcus reports breach.
Second Target Data Breach
Breach: On Jan 10th, 2013 Target confirms a second breach, which included names, emails, and phone numbers of up to 70 million additional records.  This occurred sometime between Thanksgiving and December 15th, 2013.  Estimated 70 million records, for a total of 110 million records.
Discovered: Two to five weeks after the initial breach.
Reported: Over a month after the initial breach.

Jan 12th, 2013 Reuters reports more well-known retailers have been breached.

UPDATE: The malware known as KAPTOXA has been reported to be involved in the Target breach and is suspected to be involved in the Neiman Marcus breach.  The article linked here is from iSight Partners, a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security.  They claim that the malware has probably infected a large number of POS terminals throughout the retail industry.  We still don't know who the other retail companies are that were breached around the same time as Target, but it is safe to assume that they were all linked somehow.

Retailers are extremely vulnerable during the holiday season simply due to the high customer volume.  They try to get as many customers in and out as possible during peak times, and they neither want, nor have the ability, to inconvenience their consumers with any increased scrutiny.  In these recent attacks the attackers had access to customer data for several weeks, as the breaches weren't even discovered until at least 3 weeks after they started, and they weren't reported until about a month later.  Additionally, even after the breaches were discovered, all of the information was not available, so the scope was incomplete.  It took Target over a month to understand the full scope of their breach, which is currently the largest breach in history, surpassing the TJ Maxx breach by over 60 million records.

This raises the question: is compliance enough?  Retailers such as Target are required to be PCI-DSS compliant to handle credit cards, but does that mean the organization is secure?  Security is a top-down, cultural and organizational mindset.  If security doesn't start from the top, with financing and initiative, and bubble down to scrutiny and diligence, then security holes will exist and there will never be a completely secure organization.  People make mistakes, systems will be compromised, and ultimately data will be breached.
The question is, how quickly can an organization recognize and respond to the breach?

Tuesday, June 28, 2011

Vertical Bar Graph with XSLT in Data View Web Part (DVWP)

As part of a recent project, I needed to create a dashboard page for the requests for executive management. However, since the data was in a list and not a database, this was easier said than done. So I started off by researching my options and I found this post on MSDN. This post explains very well how to modify the XSL of a DVWP to create a bar graph. I used this post and the code below to do so. You will notice that I overrode the .ms-selected CSS class so that I could control the image as well as the colors of the chart.

Example Bar Graphs:

My second issue was that I wanted a vertical bar graph too. I was unable to find an example anywhere on the web, so I sat down and started playing with the code.

I used the code from the MSDN article, but overrode the CSS class in order to control the color of the chart:

/* Horizontal bar: fill color plus top/bottom edges for each bar */
.ms-selected {
background-color: #6a9a21;
border-bottom: 1px solid #6a9a21;
border-top: 1px solid #FFFFFF;
}

Now to change the above chart into a vertical bar chart we have to replace three sections of code.

The first is the CSS:
I created a new class called .ms-selectedc and the c stands for column.

/* Vertical column: same fill color, left/right edges instead of top/bottom */
.ms-selectedc {
background-color: #6a9a21;
border-left: 0px solid #6a9a21;
border-right: 0px solid #FFFFFF;
}

We have to replace the main table with the following code:

Replace -

With -

Finally we have to change the XSL that creates each bar.

Replace -

With -

Depending on the length of the column titles, you may have to play with the height and width of the table where the title and percentage are created.

If anyone has any suggestions for more efficient code, please let me know. I also suggest filtering out unneeded data in the CAML so as to reduce load on the client.

Vertical Graph:

And my dashboard: