They say that the ground wars are giving way to a more dangerous threat, one that has no readily visible location or target. Military aircraft are of no benefit in this battle. The military’s answer, for one, is the U.S. Army Cyber Command, which plans, coordinates, integrates, synchronizes, directs and conducts network operations and defense of all Army networks. The enemy can be seen (if seen) wearing a tee shirt, jeans and sneakers. They may even be high school aged, not studying but plotting. Their victim may be a major bank, a healthcare organization, a well-known university or a high-level government entity. Precise, calculated measures are taken in creating viruses and other malicious software, otherwise known to us as malware.
The following are four major cyber attacks of 2013 and 2014:
Apr 29, 2013: LivingSocial was hacked this week and 50 million user accounts were breached. The company says credit card data was not stolen.
Dec 19, 2013: As many as 40 million Target shoppers’ credit or debit card information could have been taken during a security breach. Secret Service is investigating.
May 22, 2014: eBay is asking its customers to reset their passwords after hackers broke into the online retail site.
Sep 18, 2014: Home Depot said a data breach between April and September put about 56 million payment cards at risk, signaling that the hacker attack was bigger than the one that struck Target last year. Julie Hyman reports on “Street Smart.” (Source: Bloomberg)
Many breaches nowadays come in what is referred to as a Zero Day (or Zero hour) attack. This is one that exploits a previously unknown vulnerability in a computer application, one that developers have not yet had time to address and patch. In essence, while a programmer normally has ample time to apply patch fixes, in this case they have “zero days” to fix the flaw (a patch is not yet available at the time of the attack). Advance planning is of the essence to try to ward off such attacks, and major markets are getting better at this, but there is still much work to do to become less vulnerable. Just look at the above examples. Target had no CISO at the time of the attack, leaving them void of an executive-level cyber planner. The Russian teenager who executed the attack probably already knew this and most likely said of the attack, before executing the breach through their HVAC contractor, “piece of cake.”
Microsoft: Beware IE, Patch Tuesday and bulletins replacing bulletins
Internet Explorer has been well known as the computer browser NOT to use these days. Explorer’s vulnerability right now is epic: users are warned not to use it, as it is highly susceptible to malware attacks. In fact, I’ve tried using Explorer within the last few months and, sure enough, I had such issues that I had to bring my PC to the Microsoft Store to be repaired. Pretty ironic, eh?
In an article “Attacks on Internet Explorer Zero-Day Vulnerability (CVE-2014-1776)” from April of this year, Microsoft confirmed a new zero-day vulnerability found in Internet Explorer. The vulnerability (CVE-2014-1776) affects all versions of Internet Explorer 6 through Internet Explorer 11. That’s ALL versions. It was reported that Microsoft was working on a patch but could not target when the update would be (typical); however, they said that the next installment could be Tuesday, May 14, 2014. Hmm. My advice (as well as that of the level 2 tech I spoke to at Verizon this week): stay away, far away from Explorer.
Here’s another good one: “Patch Tuesday for September 2014 Brings 4 Bulletins Affecting Windows, IE, and Lync,” which states: “Patch Tuesday for August 2014 may have been the longest on record with Microsoft finally getting all the offered patches fixed earlier this week. Due to botched, recalled, and released updates, Patch Tuesday turned into Patch Month for many.”
Yet another: “Microsoft Security Bulletin Summary for September 2014,” which states: “With the release of the security bulletins for September 2014, this bulletin summary replaces the bulletin advance notification originally issued September 4, 2014.” A bulletin (published Sept. 9th) replacing a bulletin published on Sept. 4th. Interesting…
The silent attack: Heartbleed bug gives way to Shellshock
You may have thought Heartbleed was bad. Well you ain’t seen nothing yet. Welcome to Shellshock, the latest security threat to hit the Internet. And it’s a big one. Shellshock is a vulnerability in something called Bash, which is a Unix shell. Bash is installed on many computers running operating systems derived from Unix. That includes Macs, as well as a lot of web servers running operating systems including Linux.
One reason Shellshock seems like such a major problem vs. Heartbleed is that much of the vulnerable software resides outside of public sight. With Heartbleed, action could be taken fairly readily. End users basically changed passwords after a website received the Heartbleed bug patch. In certain instances with Shellshock, for example when an organization runs a server farm, it may not be evident to IT administration how to go about helping the situation or, worse, they may not be able to help at all.
The enterprise world is always vulnerable to malware, bugs, Zero Day attacks and more. IT and cyber security providers including Dell SecureWorks, Symantec, FireEye, Cisco (Sourcefire) and more offer enterprise-level solutions to help mitigate attacks and vulnerabilities. Are these the be-all and end-all of total, out-and-out safety? It’s really more about a teaming effort among enterprise C-Levels (CISO, CSO, CIO) and IT administrators. And most of all, vigilance.
So just what do I know? After a year or more of acquiring a knowledge base in cyber as well as mobile security, I’d have to say my share. And in the AV industry, you might want to as well. It would likely be of benefit for you, and you might not believe what you’d be able to bring to the table for your clients as well. You can begin here.