ISACA Journal Author Blog

Understanding Cyberhacking Tools and Techniques

Omar Y. Sharkasi, CBCP, CFE, CRP
Posted: 10/5/2015 9:01:00 AM

It seems like every day there is a new data breach or heist. Hackers break into corporate or government computers and swipe names, addresses, birth dates and those all-important US Social Security numbers. Consider these recent breaches:

  • Hackers hit the jackpot when they cracked the network at the US government’s Office of Personnel Management and accessed Social Security numbers, dates of birth and other personal information of more than 4 million federal workers.
  • Unidentified Russian hackers broke into an unclassified email system used by the US Joint Chiefs of Staff.
  • Gang members are using social media like many others do. In addition to the standard uses for social media, they post threats on social media that include a rival’s street—a practice known as online tagging. Posts and videos threatening rivals and others may accompany online postings.
  • In early February 2015, Anthem (one of the US’ largest health insurers) revealed that hackers had breached a database containing the personal information of 80 million customers and employees.

My recent Journal article focuses on Windows computers with an emphasis on all nonserver Windows computers. This includes Windows end-user devices, such as workstations, desktops, laptops, hybrids and tablets. Workstations are just as important to the security of an organization as servers. Of course, an insecure workstation only directly impacts one user (in most cases), while a server can impact thousands. But all of the biggest breaches in recent times have started with a compromised workstation, not a server. Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different from securing servers.


Cyberrecovery and the C-suite

Gary Lieberman, Ph.D., CISSP
Posted: 9/28/2015 3:10:00 PM

I was recently invited to participate in a panel discussion at a cybersecurity conference. The overall focus of the panel was on best practices for network security, specifically preparing for a cyberattack. We were given 5 focus areas to consider, mostly the usual topics such as zero-day attacks and bring your own device (BYOD). The 5th focus area was deploying a successful disaster recovery (DR) plan with regard to cybersecurity.

In addition to myself, the panel was staffed by 2 chief information security officers (CISOs) and a chief executive officer (CEO), and it was moderated by a 3rd CISO. When the topic of DR came up for discussion on the preparation conference call, 1 of the participants summarily dismissed it as being old hat and played. He said that topic has been discussed to death and there has been nothing new in that area in years. One person after another agreed with him, and the moderator said “Ok. We will cut that topic out of the discussion.” I disagreed and chimed in with a brief overview of my recent Journal article. Afterwards, they all agreed to keep the topic, and someone even suggested that we move the topic up to be the 1st subject of discussion. They said that they had never looked at DR from the perspective of preparing the C-suite for a cyberbreach.


Mitigating the Quantum Risk to Cybersecurity

Michele Mosca, Ph.D.
Posted: 9/21/2015 3:38:00 PM

One of the most fundamental pillars of cybersecurity is cryptography, and most of the cryptography tools used today rely on computational assumptions, such as the difficulty of factoring 2048-bit numbers.

Two decades ago, we learned that the quantum paradigm implies that essentially all of the deployed public key cryptography will be completely broken by a quantum computer, and brute-force attacks on symmetric ciphers can also be sped up significantly. Fortunately, quantum computers did not exist at the time.

Today, the wait-and-see approach is no longer a responsible option. Protecting against quantum risk takes many years of planning and deployment. The realistic timelines for evolving to a quantum-safe infrastructure are comparable to the timelines for the quantum risk to become a reality. If one is responsible for providing medium- or long-term confidentiality, the risk of waiting is even more acute.


How to Battle Hackers on an Even Plane

Chris Sullivan
Posted: 9/14/2015 3:03:00 PM

In the movie The Untouchables, a hit man pulls a knife to stab Sean Connery, then Connery pulls a shotgun on the hit man. The lesson from this scene is do not bring a knife to a gunfight.

A lot of corporate IT security staff must not have seen this movie. They are bringing knives to the data security fight while hackers bring guns, cannons, tanks and jet fighters.

With increasingly clever malware and phishing tactics, hackers are snagging users’ login credentials at a frightening pace and gaining access to networks. It can be as easy as exploiting a security hole in a web browser while the user is surfing the web to seize credentials and access privileged services.


Understanding Underground Cybercrime

Posted: 9/8/2015 8:22:00 AM

As an information security professional for more than 15 years, I have seen and experienced many aspects of security. I thought I knew what cybercriminals were doing and how they were doing it, but I was wrong. During one of my periods of research, I found papers authored by Trend Micro on the malicious cyberunderground. The papers were a presentation of their research in Russia, Brazil and China. I found the findings enlightening and scary not only to the world’s technology environment, but to everyone who uses it.

The Russian underground provides cybercriminals a place to market their products and services. They sift through traffic stored in botnet command and control (C&C) servers for information useful for targeted attacks. Cybercriminals verify that malicious products support their claims (to avoid false advertising), and there are brokers who make a percentage of the escrow while the product is tested.
