Introduction
Some real-life examples of poor information protectionš
SONY 2011/2014
Sony was attacked in April 2011 and then again in December 2014. They failed to implement recommended security controls. The biggest mistake Sony made that led to the PSN hacks was its organizational complexity and a lack of proper security support at the board level. It was found Sony’s data was being stored in an unencrypted format and they had also failed to use firewalls to protect networks. They were also caught using obsolete web applications. Sony said in 2011 that they were going to increase their security, but they never did.
1. PlayStation Network Finally Allows Name Changes, First One’s Free
2. Sony Has Sold Half of Its Spotify Shares
3. Case Study: Critical Controls that Sony Should Have Implemented
J.P. MORGAN 2014
In the spring of 2014, hackers stole the login credentials for one of the employees at J.P. Morgan Chase, a leading global financial services firm. Those attackers then exploited an oversight–the bank’s security had forgotten to implement two-step verification (2SV) on one of the network servers–to gain access to J.P. Morgan Chase’s corporate network.
Following that initial intrusion, the attackers moved laterally across the bank’s network, gaining access to 90 servers in total. They didn’t steal any sensitive financial information before they were detected and blocked in August, but they did succeed in making off with the names, addresses, phone numbers, email addresses, and other information of around 76 million households and approximately 7 million small businesses.
J.P. Morgan Chase didn’t report the cost of the breach. However, the bank did announce it would begin spending about $250 million annually on information security and employing 1,000 security professionals to prevent similar intrusions from happening.
How To Protect Your Business From A Data Breach | MetaCompliance
Why do most people ignore two-factor authentication? | Hacker Noon
DELOITTE 2017
Deloitte, one of the largest private firms in the U.S., which provides auditing, tax consulting, and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms, and government agencies.
Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack discovered in March of 2017. However it is believed the attackers may have had access to its systems since October or November 2016.
The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas.” The account required only a single password and did not have two-step verification, sources said.
Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.
Deloitte hit by cyber-attack revealing clients’ secret emails
Passwords
If you absolutely can’t use a password manager, a password method is a good option ~Habitu8
Base Password
Think the three of your favourite things. I love to live in the darkness with a lappy , mangoes and mango juice etc….
So here darkness lappy mangoes juice are the words Imma getting. Now I will seprate each with my special characters. I like to make fast foward in my life So I’ll use it for this example “»>”
1Darkness>>>Lappy>>>Mangoes>>>Juicenow lets suppose I born at some place with zipcode as 333001
I will reversify it and add it to the pass like this…
1Darkness>>>Lappy>>>Mangoes>>>Juice>>>100333Remember that method»>
This super easy method gives you a really long password and also hits all the complex stuff. Like upper, lowercase, numbers, special characters, etc without even thinking about it. This can be our BASE PASSWORD.
Darkness>>>Lappy>>>Mangoes>>>Juice>>>100333Now that’s a pretty strong password but here’s the thing… As humans a lot of the time we want path of least resistance. So it’ll be really tempting just use this new, awesome, password for all of your accounts. but I can’t stress this enough , you don’t want to do that. Trust me. So do this….
Make ‘Em Special
Now you can make them unique with a special indentifier for each sensitive site. It sounds like a lot, but really it’s not. Maybe for facebook you use FB or something like that and you add it at the beginning , end, or even split it up,
FDarkness>>>Lappy>>>Mangoes>>>Juice>>>100333BFBDarkness>>>Lappy>>>Mangoes>>>Juice>>>100333Darkness>>>Lappy>>>Mangoes>>>Juice>>>100333FBYou’re really just typing things you love and remebering a method you chose. It’s easier than remebering 700 different passwords and what you’re thinking….
What if a Hacker gets my password and sees my method??
Yeah that’s risk for sure, but for 95% of peeps out there this is really great way to have long unique passwords.
Multi-Factor Authenticationš
A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identify for a login or other transaction.
An increasing number or organizations are implementing multi-factor authentication to add a layer of protection (defense-in-depth) to security. By requiring a second authentication method in addition to the standard user name/password method, organizations implement a powerful countermeasure.
Security experts believe the most effective dual-factor authentication uses two of the following type of authentication methods:
Remote Access
Any device that remotely connects to the corporate or control system network provides an opportunity for an
adversary to gain access to the device and attack your network.
One preferred defensive method is the use of security tokens. The security token displays a number consisting of six or more alphanumeric characters (sometimes numbers, sometimes combinations of letters and numbers, depending on vendor and model). This number normally changes at pre-determined intervals, usually every 60 seconds. When it is combined with a password, the resulting passcode is considered to be multi-factor authentication.
To ensure this countermeasure is effective, you should never share your security token with anyone else. You should keep it locked away or on your person at all times.
Other examples of “something you have” are smart cards and USB tokens. “Something you have” methods use readers or scanners installed on a device such as a computer. They are effective because they use a unique trait (such as fingerprint) to identify an individual; however, some people have ethical concerns about their use.
Smart Card
About the same size of a credit card, a smart card has an embedded microchip that can be loaded with data and used for phone calls, electronic payments, and other applications, in the information security context, it identifies you when logging onto a network
USB Token
A device that plugs into a USB port on a computer. It can either contain information that uniquely identifies the owner to the computer network, or like other types of security tokens, it can display numbers that the user must type in to authenticate.
Many other authentication methods are possible. We have described just a few of the most common ones.
Internet and Intranet Accessāļø
Your organization probably has policies about what can and cannot be put on public Internet websites. It may even have a review process to ensure sensitive data are not publicly available. However, sometimes seemingly benign information can reveal more information about your organization than it should.
For example, do your job postings mention the control systems and other equipment used? If so, this may be a piece of information an adversary can use in planning an attack.
Also consider information about your organization on other companies’ websites. Do your vendors’ press releases list where they have deployed their products? Do they publish their products’ manuals (which include control commands) on the Internet? A diligent adversary will gather information in as many ways from as many different sources as possible. A simple web search may reveal far more than you might think.
Do not forget about internal Internet sites. Remember that threats often come from within an organization. Critical information such as network diagrams and proprietary software code should not be made available to anyone without a need-to-know. Think twice before you publish anything on the Internet or Intranetāand if in doubt, leave it out!
Sanitation, Destruction, and Reuseā»ļø
Sanitization
permanently removes all data from equipment (such as a computer’s hard drive) by overwriting the data to make it unreadable.
Destruction
means physically demolishing media to prevent recovery of any of its information.
Reuse
refers to transferring equipment to another employee or an outside entity.
Organizations vary widely in requirements for sanitization. At one extreme, some organizations require all equipment with memory or storage devices must be sanitized before being transferred (even to another staff member) or disposed of. At the other extreme, some organizations have no policy in effect at all.
If your organization does not have a specific policyāor has a lax policyāat least, you should consider the criticality and sensitivity of the information on the device, and determine if it should be sanitized or destroyed before transferring or disposing of it.
Note
:::info Although destruction is the only sure way to permanently render data inaccessible, it is often impractical and expensive. Most organizations, therefore, choose sanitization as the preferred means of removing data from most devices. :::
Device Candidates for Sanitization
Any equipment with a storage device needs to be sanitized in certain circumstances. Such devices include:
- Desktop and laptop computers
- Personally owned equipment that has processed company information
- Smartphones
- Desk phones that store telephone numbers
- Programmable logic controllers (PLCs)
- Copiers
- Fax machines
- Many scientific instruments
- Media such as USBs and removable hard drives
How to Sanitize your Data
When you āpermanentlyā delete files, the operating system makes the space available for future use. New data will eventually overwrite the old data (the ādeletedā files), but until those data are overwritten, they can be recovered by someone with the right tools and know-how. Similarly, when you reformat a hard drive, the original data are still there in raw form and can be recovered.
Deleting files, emptying the Recycle Bin, and reformatting the hard drive are not enough!
Sanitization makes the data unrecoverable by overwriting the data. Fortunately, there are tools available to make this fairly easy, at least for standard desktop and laptop computers. Ask your information technology or security department for advice on selecting a tool or special sanitizing equipment.
Lets Summerize it up
We learned about some ways to prevent information from getting into the wrong hands.
We covered some topics which include:
- Create strong passwords and protect those passwords.
- Use a security token (or some other additional protection method) with a password to provide much stronger protection than a password alone.
- Take great care in what you publish on the Internet and your company intranet.
- Sanitize or destroy all equipment that may contain critical information.
- Follow your organizationās reporting procedures if you observe any suspicious or abnormal activity.