A+ Certification

Posted in: Security Awareness, Training | Comments (0)

CompTIA’s A+ is a widely accepted, basic level certification, well suited for entry-level professionals. It is particularly useful for demonstrating an understanding of computers. I was fortunate enough to be able to gain college credit for passing the A+ certification. Western Governors University has the certification built into the IT Management program. The exam covers maintenance of desktops, laptops, mobile devices, operating systems and printers. In order to receive the current CompTIA A+ certification, you must pass two exams: CompTIA Exam 220-801 and 220-802. Each exam consists of 90 multiple choice and performance-based questions. Test-takers have 90 minutes to complete each exam.

In today’s I.T. market, a broad range of knowledge and skills not only makes you more valuable in your present position but also presents you with more opportunities for your future. Having an A+ can help you land a help desk analyst or desktop support technician position to start your I.T. career. Many government contract IT positions require A+ certification.

I currently hold a Master’s Degree in IT Management and still make sure to list my A+ certification, along with the other certificates I hold. Many employers place a great deal of emphasis on technical certifications. The certification continues to be just as relevant to new trends and cutting-edge technology as it was when it was launched in 1993 as a credential for the break-fix PC repairman. Staying current with technology, the exam moved from being PC-centric to incorporating learning objectives for PCs, tablets, smartphones, cloud computing and cyber security.

I also see that same lack of basic knowledge from some of my peers even though they may have years of experience, “high-level” certifications, and even degrees. Plenty of times I have seen some of my colleagues struggle with trying to figure out a particular issue without following the proper steps outlined in the troubleshooting theory (covered in the Troubleshooting domain for exam 220-802).

I would strongly disagree with those who say certifications are useless. While on the job experience is invaluable, add to that job-specific certifications like the A+ and you will eventually find more opportunities and more money. When you have three people applying for a position and all appear equal in skills, knowledge, and experience, but one has a certification in the area a company is hiring for, which one do you think will get the job?

The truth is that earning the A+ certification is better than earning no certifications at all. This is especially true for someone with very little or no experience in the field. The A+ demonstrates that they have some knowledge. However, the worth of the A+ or any particular certification will depend on the particular area of I.T. one plans to go into, as well as the potential employer’s opinion about certifications.

I.T. professionals should have the A+ credential on their resumes. Earning the A+ certification gives potential I.T. professionals a higher level of confidence, credibility, better salaries, enhanced career opportunities and even credit towards other certifications. Whether you plan to go into help/service desk, desktop support, web development, networking, or I.T. security, the A+ certification is a solid foundation on which to build your I.T. career.

H.M. DeBardeleben MSITM @ October 18, 2014

Latest Retail Data Breach

Posted in: Security Awareness, Threats, Breaches & Leaks | Comments Off

Kmart has been confirmed as the latest retail chain to be breached after its parent company Sears Holdings Corp admitted that some customers’ debit and credit card numbers had been compromised.

In a form submitted to the Securities and Exchange Commission (SEC), Sears says its IT team discovered the breach on 9 October and that further investigations suggest the incursion may have begun at the start of September.

Ongoing forensic examination suggests that no personal information, debit card PINs, social security numbers or email addresses have been snaffled by those behind the attack.

A statement released by Sears said sorry to its customers:

We sincerely apologize for any inconvenience this may cause our members and customers. We want our members and customers to be aware of the situation and we suggest that customers carefully review and monitor their debit and credit card account statements.

The press release, which neither reveals how many payment cards have been compromised nor the nature of the malware used, says there is no evidence that online customers of kmart.com have been affected.

The company says that Kmart’s IT team launched an investigation immediately, alongside an external security firm, and that it continues to work in conjunction with law enforcement and banking partners. Sears also revealed that it is deploying additional software to help safeguard its customers’ data.

The firm has offered free credit monitoring to customers who shopped at Kmart with a debit or credit card during September and up until 9 October but also advises them to monitor their statements for unusual activity.

Kmart, which has a network of 1221 stores across the United States, is only the latest US retailer to suffer a data breach.

In December 2013 Target became the temporary record holder for the largest ever retail breach as attackers used point-of-sale malware to sneak off with 40 million payment card records. The company also reported a second part of the breach which saw the loss of 70 million ‘guest’ records which contained personal information.

Other notable retail incursions over the previous twelve months include one at luxury US retailer Neiman Marcus which saw an undisclosed number of payment cards compromised.

In January, North American craft store Michaels experienced its second breach in 3 years, later reporting that over 2.5 million payment cards were likely to have been affected.

More recently, the restaurant chain P.F. Chang’s revealed in June that it was investigating a potential breach of credit and debit card data. The company later confirmed that payment cards used in 33 of its restaurants were potentially at risk.

In August, point-of-sale malware was used once again, this time to breach Supervalu. While the company hasn’t confirmed how many payment cards were compromised, it did reveal that its investigation was looking into 200 of its stores.

Last month a breach at Home Depot led to the compromise of 56 million unique payment cards after its point-of-sale systems were targeted with custom malware. The scale of this attack makes it the biggest in retail history, surpassing even Target.

More proof, if any was needed, that data breaches are a huge concern to the retail industry came just a few days ago when Dairy Queen became the latest victim, confirming it has found malware known as Backoff on its PoS systems.

With data breaches costing not only billions of dollars, but claiming executives’ jobs as well, now is as good a time as any for firms within every sector to reassess their security implementation. (We have 6 tips for both businesses and consumers here.)

Companies may also be well advised to revisit their incident response plan, or to create one quickly if they don’t have one in place already.

H.M. DeBardeleben MSITM @ October 14, 2014

SnapChat Compromised

Posted in: Security Awareness, Threats, Breaches & Leaks, Security Awareness, Threats, Hacks | Comments Off

We’ve been warning you for some time now: nothing on the Internet is private or safe from prying eyes. There are several apps available to capture and save images from SnapChat.

A giant database of intercepted Snapchat photos and videos has been released by hackers who have been collecting the files for years. Shocked users of the notorious chat forum 4chan are referring to the hack as “The Snappening,” noting that this is far bigger than the iCloud hacks that recently targeted celebrities.

Underground photo-trading chat rooms have been filled in recent weeks with hints that something big was coming. Thursday night it finally arrived: A third-party Snapchat client app has been collecting every single photo and video file sent through it for years, giving hackers access to a 13GB library of Snapchats that users thought had been deleted.

Users of 4chan have downloaded the files and are creating a searchable database that will allow people to search the stolen images by Snapchat username.
The database of Snapchat files posted online was hosted on viralpop.com, a fake competition website that installed malicious software on the computers of users trying to take part. That site has now been suspended and taken offline, although thousands of people have already downloaded the collection of Snapchats.

H.M. DeBardeleben MSITM @ October 11, 2014

Largest Bond Insurer in US exposes Sensitive Data

Posted in: Security Awareness, Threats, Breaches & Leaks, Security Awareness | Comments Off

KrebsonSecurity reports that MBIA, Inc., the United States’ largest bond insurer, misconfigured a company Web server, and this has led to the exposure of sensitive personal details. The site reports that the personal data, which includes account numbers and balances as well as administrative credentials, has been indexed by search engines. “In some cases, the documents indexed by search engines featured detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit the account information,” states the site.

H.M. DeBardeleben MSITM @ October 10, 2014

Breach Apathy

Posted in: Security Awareness, Threats, Breaches & Leaks, Security Awareness | Comments Off

Is the general public becoming desensitized to security breaches?

Henry M DeBardeleben
October 9, 2014

With new security breaches being reported almost weekly now, has the public in general become numb to the dangers these breaches represent? Over the past few years there have been breaches of confidential data at TJX, Home Depot, Target and so on.
And the breaches are not limited to retailers; JPMorgan Chase, AT&T and the US Department of Veterans Affairs have been victims of data breaches. It seems that every time I watch the news there’s a story about a data breach.

The disturbing thing is that these breaches are not all the result of hackers breaking into a system from outside of the company. In the case of the VA and AT&T the breaches were caused by insiders. The VA incident involved an employee bringing a VA laptop home and having it stolen from his car. The laptop contained the personal information of several million current and former military members. In the AT&T case it seems that a now former employee accessed account information, including Social Security and driving license numbers.

Data breaches have become so common that people seem apathetic towards them. Home Depot stock is nearing an all-time high, after having compromised the personal information of over 40 million customers. Target, who suffered a data breach last year, dropped nearly 20 points in the market but is now at pre-breach levels again.

RSA, a company that supplied much of the world with security key fobs, those little devices with the ever-changing number sequences in the display, was the victim of a data breach triggered by a failure in security awareness. An RSA employee opened an email from his junk email box because it had an eye-catching subject, “2011 Recruitment plan.xls”. This was, of course, a spear phishing attempt, one that proved successful and resulted in RSA having to spend millions to redefine the security algorithm used to generate the synchronized numbers and reissue tens of millions of new key fobs to customers, many of which were defense contractors.

So what do we take away from this? If customers aren’t going to hold businesses liable for mishandling or under-protecting sensitive data the businesses have little incentive to act proactively in protecting said data. Companies need to implement dynamic security awareness programs in addition to intrusion detection and prevention systems.

RSA had no choice but to react quickly and completely due to the very nature of their product. Target, Home Depot and the others, on the other hand, are still reacting to what happened to them, in some cases several years after the fact. If there were a greater outcry from customers, these companies would have put forth every possible effort to rectify the situation and prevent future incidents. Instead, what I fear is that they will continue to be reactive rather than proactive.

H.M. DeBardeleben MSITM @ October 9, 2014

AT&T Insider Leaks Account Information

Posted in: Security Awareness, Threats, Breaches & Leaks, Security Awareness | Comments Off

AT&T, one of the US’s biggest telecoms, has fired an insider for having thumbed through customer accounts without authorization and potentially slurping customers’ taxpayer IDs, driver license numbers and more.

Sources familiar with the incident said about 1,600 people were affected, according to The Register.

Michael A. Chiarmonte, director of finance billing operations at AT&T, said in a letter that the now-former employee got into people’s accounts in August:

We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver’s license number.

Additionally, while accessing your account, the employee would also have been able to view your Customer Proprietary Network Information without proper authorization.

H.M. DeBardeleben MSITM @ October 8, 2014

Phishing & Spear Phishing

Posted in: Security Awareness, Security Awareness, Training | Comments Off

Phishing
Phishing attacks use email or malicious websites (clicking on a link) to collect personal and financial information or infect your machine with malware and viruses.

Spear Phishing
Spear phishing is a highly specialized attack against a specific target or small group of targets to collect information or gain access to systems.
For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open it.

The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.

Spam & Phishing on Social Networks
Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts.
Here are ways to report spam and phishing on social networks:

Reporting spam and phishing on Facebook
Reporting spam on Twitter
Reporting spam and phishing on YouTube
How Do You Avoid Being a Victim?
Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
Before sending sensitive information over the Internet, check the security of the website.
Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Information about known phishing attacks is available online from groups such as the Anti-Phishing Working Group. Report phishing to the Anti-Phishing Working Group (APWG)
Keep a clean machine. Having the latest operating system, software, web browsers, anti-virus protection and apps are the best defenses against viruses, malware, and other online threats.
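The advice above to check the URL for spelling variations, a swapped top-level domain or a trusted name buried inside another domain can be turned into a simple, mechanical check. The following is an added example written for this page, not code from the original post or from staysafeonline.org; the trusted domain list (examplebank.com, example-shop.com) and the sample URLs are constructed placeholders, and the helper functions are hypothetical names chosen for the example.

```python
"""Defensive URL lookalike check: only an exact registrable-domain match
against an allow-list is treated as trusted; everything else is explained.
Added example; the domain names below are constructed, not real sites."""
from urllib.parse import urlsplit

# Constructed allow-list of the registrable domains a user expects to visit
# (stand-ins for a real bank or shop).
TRUSTED_DOMAINS = ("examplebank.com", "example-shop.com")


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches single-character
    typo-squats such as examp1ebank versus examplebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name. Simplification: multi-label public
    suffixes (co.uk, com.au) would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or
    'unknown'. Only an exact registrable-domain match is trusted."""
    parts = urlsplit(url)
    host = parts.hostname            # lower-cased; userinfo and port stripped
    if not host:
        return ("unknown", "no host name in URL")
    host = host.rstrip(".")
    if parts.username is not None:
        # https://examplebank.com@evil-host.net/ : the trusted-looking text
        # before '@' is a user name; the real host is what follows it.
        return ("lookalike",
                "text before '@' is a user name, real host is %s" % host)
    if host.replace(".", "").isdigit():
        return ("unknown", "raw IP address instead of a domain name")

    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)

    name = domain.split(".")[0]      # second-level label, e.g. 'examplebank'
    for t in trusted:
        t_name = t.split(".")[0]
        # Trusted name used as a subdomain of some other registrable domain:
        # www.examplebank.com.secure-login.net
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", "%s appears as a subdomain of %s" % (t, domain))
        # Same name, different top-level domain (.com versus .net):
        if name == t_name:
            return ("lookalike",
                    "same name as %s but a different top-level domain" % t)
        # One-character typo, or trusted name embedded in a longer label:
        # examp1ebank.com, examplebank-secure.com
        if edit_distance(name, t_name) <= 1 or t_name in name:
            return ("lookalike", "%s resembles %s" % (domain, t))
    return ("unknown", "%s is not on the trusted list" % domain)


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing email.
    for sample in ("https://www.examplebank.com/login",
                   "https://examplebank.net/login",
                   "https://examp1ebank.com/",
                   "https://www.examplebank.com.secure-login.net/",
                   "https://examplebank.com@evil-host.net/",
                   "https://www.unrelated-site.org/"):
        print("%-48s %s: %s" % ((sample,) + classify_url(sample)))
```

The design choice worth noting is that the check never tries to prove a link is malicious; it only reports whether the host is exactly one the user has already decided to trust and, if not, which of the common tricks from the list above it resembles. Anything outside the allow-list is left as "unknown" for the human to verify through the account statement, as the text recommends.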
What to Do if You Think You are a Victim?

Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
Watch for any unauthorized charges to your account.
Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the FBI’s Internet Crime Complaint Center.
Additional Resources:

Anti-Phishing Working Group
United States Computer Emergency Readiness Team (US-CERT)
On Guard Online

Protect Yourself with these STOP. THINK. CONNECT. Tips:
When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark it as junk email.
Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you verify who you are before you conduct business on that site.
Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
Unique account, unique password: Separate passwords for every account help to thwart cybercriminals.
– See more at: http://www.staysafeonline.org/stay-safe-online/keep-a-clean-machine/spam-and-phishing

H.M. DeBardeleben MSITM @ October 4, 2014

76 Million accounts compromised

Posted in: Security Awareness, Threats, Cyber Attacks, Security Awareness | Comments Off

A cyberattack on JPMorgan Chase compromised 76 million household accounts and 7 million small businesses, the bank disclosed in a securities filing on Thursday. The number is a drastic increase from the bank’s original estimate that only one million accounts were affected by the attack, which occurred this summer in June and was not detected until July. “The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers—a road map of sorts—which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems,” according to The New York Times. Hackers used this approach to gain access to names, addresses, phone numbers, and e-mails of account holders, but the bank said there was no evidence that account information, such as passwords, had been taken.

H.M. DeBardeleben MSITM @ October 4, 2014