Learn Some Basics

These Tips are on Me

Getting ISO Certified

The benefits of implementing an Information Security Management System (ISMS) based on ISO 27001 range from improving the overall information security in your company, compliance with the ISO 27001 standard and information security legislation, lowering expenses, and organizing your company, to providing a marketing edge.

Improving (and continually improving) the overall information security in your company is, these days, almost mandatory. Attaining an ISO certificate helps protect you from risks you didn't know were out there, external and internal. The certification not only protects you from threats, but provides your organization with policies and procedures on how to correct and treat those risks. ISO 27001 will inherently help with organizing your company's ISMS (which then influences more departments), because the policies and controls that come from it are documented, planned, tested, implemented, and constantly monitored for improvement.

Compliance with the ISO 27001 standard almost automatically makes you compliant with information security legislation. This is important because fines and fees are real. Fines/fees can range from thousands of dollars to millions of dollars based on organization size and the egregiousness of the actions. But why find out the hard way? Gaining a certificate such as this removes you from the threat of legal action. Building security within your organization reduces the risk of legal or malicious compromise, ultimately lowering expenses. Not to mention, when/if your organization is compromised, attempting to patch things up takes money: money for apps, money for more engineers, and more money for consultants.

Lastly, if all the above is completed and you have attained the certificate, you also attain the respect and trust that come with it. It almost markets itself. It's just a "S.M.A.R.T." choice.

DOS vs DDOS

What is a Denial of Service (DoS) attack? Does it differ from a Distributed Denial of Service (DDoS) attack? If so, how?

A DoS attack is where a computer, or multiple computers, floods a server with TCP/UDP packets/requests. Consider your server as a waitress in a restaurant during a particularly demanding rush hour, and all her coworkers either didn't show or are completely spacing. The waitress has a food critic with extremely demanding requests, making it almost impossible to put any effort into the other customers.

A DDoS attack is where multiple systems target a single system with DoS traffic. The restaurant is filling, the other waitresses are nowhere to be found, and yet another food critic comes for dinner. Every single hungry, demanding customer is clamoring at one waitress. The waitress now has to attempt to accept and complete the requests of all those hungry customers at once. The server/waitress will become overwhelmed and will not be able to function.

This type of attack is one of the most fearsome threats in today's landscape, because it can bring your whole company's functions to a halt or even cause the systems to malfunction and cause more problems. (Not to mention the costs of systems being down for long periods of time.)

So what can you look out for? Here are some very common DoS attacks even a script kiddie can perform: volumetric (bandwidth completely consumed), fragmentation (sending fraudulent packets your network cannot reassemble), and application layer (attempting to use up as many resources as possible with requests and transactions).

There are ways to prevent these attacks from happening by taking preemptive measures, such as load balancing and network monitoring. But first, you will need a plan of attack.
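Network monitoring is the part of that plan you can start on today. As an added example (not code from the original post), here is a small Python script that reads web-server access-log lines and flags any source address that exceeds a request-rate threshold within a sliding window, which is the simplest signature of the application-layer flood described above. The log lines are constructed for the example and the addresses come from documentation/private ranges; `window_seconds` and `threshold` are knobs you would tune to your own normal traffic.

```python
"""Sliding-window request-rate detector for web server access logs.

Added example for this post (not code from the original page). The log lines
below are constructed to look like the common log format; 203.0.113.0/24 and
10.0.0.0/8 are documentation/private ranges, not real hosts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def peak_rates(lines, window_seconds=10):
    """Map each source IP to the most requests it made in any window_seconds span.

    Lines are assumed to be in timestamp order, as a live log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flagged_sources(lines, window_seconds=10, threshold=50):
    """Source IPs whose peak rate reached the threshold; tune both knobs to your traffic."""
    rates = peak_rates(lines, window_seconds)
    return sorted(ip for ip, n in rates.items() if n >= threshold)


def _log_line(ts, ip):
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET / HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample: one source hammering the server, one browsing normally."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = [_log_line(base + timedelta(milliseconds=50 * i), "203.0.113.7")  # 80 hits in 4 s
             for i in range(80)]
    lines += [_log_line(base + timedelta(seconds=20 * i), "10.0.0.5")          # 3 hits in 40 s
              for i in range(3)]
    lines.sort(key=lambda line: parse_line(line)[1])
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    print(peak_rates(sample))
    print(flagged_sources(sample))     # ['203.0.113.7']
```

A real deployment would feed this from the live log and pair a hit with an automated response (rate limiting at the load balancer, or an alert), but the window-and-threshold logic is the same; a volumetric flood would instead show up as bandwidth counters on your network monitoring, not in the application log.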

Social engineering/phishing

Social engineers use deception to manipulate unsuspecting individuals into giving away confidential or personal information that may be used for malicious intent. There are many ways for someone to complete this work: remotely, or up close and personal.

Some of the remote ways we see social engineering are through email (also known as phishing), through a phone call (also known as voice phishing, aka vishing), or even through text (also known as SMS phishing, aka smishing). There is a common theme that we all should pay attention to: FISHING! This can help you better understand the attack and the proper response. This person will pretend to be anyone to get the information they need, from "The Social Security Office" to a friend from high school you can't quite remember. When (ph)fishing, the attacker can go to where they can get a lot of fish (that's us) and throw a net. This would be equivalent to a general email such as "To Whom It May Concern", which is meant to reach as many people as possible; this is known as mass phishing. Or the attacker may throw bait to catch a single person, by scraping information from someone's social media sites; this is known as spear phishing.

Some attackers take a more up-close and personal approach, such as "shoulder surfing", which is when someone simply looks at your screen from behind your shoulder to get the information they need. Or maybe they sneak some information-seeking questions to you through a casual conversation. However, we are not helpless. The attack cannot be successful without the fish taking the bait! Without your action there can be no harm done to you. Therefore, if you are receiving emails from unknown people, DON'T CLICK THE LINK and DON'T DOWNLOAD THE ATTACHMENT. When you receive phone calls from people you're unsure of, threatening something bad or promising something good, DON'T GIVE THEM YOUR INFORMATION. Don't be so trustful of strangers; ask more questions.

I know times are hard, and we are all looking for a little help, but I can almost guarantee that the Nigerian prince you gave $15,000 to years ago isn't coming to find you and give you millions of dollars. If it seems too good to be true, many times it is. Stay safe.
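"Don't click the link" is easier to follow when you can see why a link is fishy. As an added example (not code from the original post), the Python below parses an HTML email body and reports links whose visible text names one site while the href goes somewhere else, or whose href is a bare IP address, the two tells most mass-phishing mails share. The sample message is constructed; `bank.example` is a reserved name and `203.0.113.9` is a documentation address.

```python
"""Flag deceptive links in an HTML email body.

Added example for this post (not from the original page). It applies the
"don't click the link" advice mechanically: a link whose visible text names one
site while its href goes somewhere else, or whose href is a bare IP address, is
reported. The sample email is constructed; bank.example is a reserved name and
203.0.113.9 is a documentation address.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, tolerating a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """Visible text that a reader would take for an address rather than a label."""
    return " " not in text and "." in text


def link_findings(html):
    """Return [(visible text, href, [reasons])] for links that deserve suspicion."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        reasons = []
        if is_ip_literal(target):
            reasons.append("href points at a bare IP address")
        if looks_like_url(text) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)} but href goes to {target}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample body: one deceptive link, one honest one.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://203.0.113.9/login">https://bank.example/login</a> within 24 hours.</p>
<p>Questions? See our <a href="https://bank.example/help">help page</a>.</p>"""


if __name__ == "__main__":
    for text, href, reasons in link_findings(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The same check is what your mail client does when you hover over a link and the status bar shows a different address than the text; doing it in code is how a mail gateway can warn everyone at once instead of relying on each reader to hover.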

Th3 P{rF3c+ P@$sW0r|>

Most people haven't been taught how to create a proper password. What most of us do is pick a special date or a special person and use some form of the two as our "password". Then we keep using them, duplicating the same password (or a variation of it) for everything. This is dangerous because if that date/person is as special as we believe, we leave clues all around us alluding to them. Wedding, family, or vacation pictures with their dates paint our social media. This is what hackers have no problem guessing.

I compare passwords to a lock on the door. Hackers are about as deterred by weak passwords as intruders are by a flimsy barn-door latch. And similar to physical intruders, hackers also have tools to help them "pick" your proverbial lock. One of those tools is called a brute-force attack. A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Therefore, if your password is "WilliamJones" or "Ilovemyhusband" or "Ciara041190", it would be relatively simple for a brute-force algorithm to crack it.

Most sites now require a mixture of letters, numbers and symbols when creating a password for their site. I encourage people to use a passphrase as the base of their password. I tend to lean towards memorable songs, like the infamous "Don't Cha" by the Pussycat Dolls. Then incorporate numbers and symbols to meet the requirements of the site, such as "D0n't<h@w!shy0urg!r1fr13nd". Not bad. Utilize your keyboard's letters and numbers and create your own personal language, if you will.

The point of this article is to encourage you to make your passwords readable. But the key is not having to remember them all. Therefore, I also encourage you to make only a few of the passphrases explained above, and then allow a password manager to store and generate the rest. Here are some recommended products:

Password management system Recommendations:
1. Nordpass
2. Bitwarden
3. 1password
4. Lastpass
5. Dashlane
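To put numbers on the comparison between "WilliamJones"-style passwords and the passphrase above, here is an added example (my own illustration, not code from the original post) that estimates the search space a pure brute-force attack faces from the character classes used, and separately flags the "name or word plus a date" shape. The caveat a practitioner would add: the class-based count is an upper bound, because crackers try wordlists and common patterns long before exhausting the alphabet, so a dictionary password like "Ilovemyhusband" falls far faster than its bit count suggests. The guess rate is an assumed figure for illustration.

```python
"""Rough strength comparison for the passwords discussed in this post.

Added example (not from the original page). It estimates the search space a
brute-force attack would have to cover from the character classes present, and
separately flags the "name or word plus a date" shape the post warns about,
because a class-based count badly overstates the strength of such passwords:
a cracker tries wordlists and common patterns long before it tries everything.
The guess rate is an assumed figure for illustration, not a measurement.
"""
import math
import re
import string

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# A run of letters followed by up to eight digits: "Ciara041190", "WilliamJones".
NAME_PLUS_DATE = re.compile(r"^[A-Za-z]+\d{0,8}$")


def charset_size(password):
    """Size of the alphabet an attacker must assume, from the classes used."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def entropy_bits(password):
    """Upper bound on brute-force entropy: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Time to try the full space at an assumed rate (pure brute force, no wordlist)."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / (3600 * 24 * 365)


def is_name_or_date_shape(password):
    """True for the guessable shape the post describes (word/name + optional digits)."""
    return bool(NAME_PLUS_DATE.match(password))


def assess(password):
    return {
        "length": len(password),
        "alphabet": charset_size(password),
        "bits": round(entropy_bits(password), 1),
        "brute_force_years": years_to_exhaust(password),
        "guessable_shape": is_name_or_date_shape(password),
    }


if __name__ == "__main__":
    for pw in ["WilliamJones", "Ilovemyhusband", "Ciara041190",
               "D0n't<h@w!shy0urg!r1fr13nd"]:
        print(pw, assess(pw))
```

Run it and the three weak examples all come back with `guessable_shape` true and an alphabet of 52 or 62, while the passphrase uses all 94 printable classes at more than twice the length; that length, more than the symbol substitutions, is what moves the bit count.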

Security vs Confidentiality vs Privacy

What’s the difference?

In this day and age, we often hear words tossed around with little understanding or grasp. Terms are being used interchangeably, without many being able to define each one. I wanted to take a moment to briefly break down some very popular, but essential, terms that are being used within many of our workplaces.

Security holds three main components: Confidentiality, Integrity, and Availability. These all ensure that a particular message is available to its intended party fully and completely, as it was designed to be.

Confidentiality, mentioned in the security triad, is about making sure that no other eyes land on this message other than the intended party's. In order to do that, a professional makes sure to add additional controls: administrative controls (policies surrounding that assurance), technological controls (password, biometric, and key controls surrounding that assurance), and physical controls (guards, cameras, and locks surrounding that assurance). Most of all, the intended parties must do their part not to act clumsily with that message. Therefore, they must agree upon the level of sensitivity of the information, and create a practice surrounding how to classify and handle that information. Once they do that, they must test it and train on it.

Privacy is not mentioned in the triad. This is because it's much more people-based. Privacy is all about determining authorization: authorizing or giving permission regarding who may have authority over that message, or even who can view that message. Once authorized personnel are recognized, privacy has everything to do with protecting that person's right to the level of security needed to view that message. This can mean a person protects their right not to share their PII (personally identifiable information: first name + last name, address, SSN, etc.).

All the above terms are interconnected, but each serves its own purpose. One cannot be achieved without the other, but we must learn the difference.

VOICE Recognition/ Authentication

Intro
Is voice authentication best for voice recognition? Voice recognition is a technology which is advancing from its early stages. Unfortunately, many flaws have been found in its journey from an elementary idea to a technological movement. For instance, what if a hacker could simply replicate your voice, or even use your social media account to manipulate your own words? Most, if not all, of these attacks are attempts to gain unauthorized access to devices. Has this technology been tailored with the 4 main security factors of identification, authentication, authorization and accountability in mind?

Purpose
The purpose of voice recognition is to decode the human voice into digital data comprised of frequencies and intensities in order to perform functions remotely. Voice recognition has proved useful in healthcare, customer support, aviation, safety feature advancement and the military, which means it's probably not going anywhere soon. However, in reference to another of my previous articles, "Aviation Hacking", airplane security suffers another blow to its vulnerabilities when voice recognition is involved.

One of the most common commercial voice products in mainstream use is kinda' a type of speech recognition: the automated operator services used in many customer support units. (You know when you call a company's customer support line and you have to talk to an automated service? Yeah, that one.) Yet, since you only have the option of choosing from a limited list of words/functions, these act less as voice recognition software and more as word- or sound-pattern-distinguishing software.

How it works
Voice recognition works through a complex mixture of pattern matching, pattern and feature analysis, language modeling and statistical analysis, and artificial neural networks.

Recognition is when the system pairs a chunk of sound patterns (or utterance) with a function stored in its memory. A speech system's vocabulary memory is called a domain. So, in theory, you can build this domain to understand an infinite number of words. However, programming and pairing that many words to programs and functions is very time consuming and not very efficient.

Speech recognition starts by getting a system to listen to an utterance (chunk of words).

1st. One must digitize the sound (sample the analog sound waves and turn them into a digital format).
2nd. Turn that digital data into a graph of frequencies and intensity using a mathematical technique. (High frequencies take more energy/intensity to create. Low frequencies take less energy/intensity to produce.)
3rd. Those acoustic frames of 0.25 seconds must then be analyzed to see what type of speech components they contain.
4th. Once these frames are identified they must be recognized as a function/word. Since speech is built from a small number of phonemes (distinct units of sound [singular: phone]), the system simply has to recognize the phonemes within the utterance. Beads-on-a-string is the stringing together of phonemes and utterances to figure out the word. Once the word is recognized, the context must be formed. The correct string of "beads" will create a meaning/function.
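Steps 1 through 3, and a toy version of step 4, can be walked through in a few dozen lines. The Python below is an added example (not from the original post): it "digitizes" a constructed one-second signal by sampling it, cuts it into the 0.25 s frames from step 3, and runs a plain discrete Fourier transform (standing in for "a mathematical technique") on each frame to find its dominant frequency and intensity. The final lookup table that turns a frequency into a symbol and strings the symbols together is only a stand-in for a phoneme domain, not how a real recognizer works; the sample rate, tones and table are all chosen for the example.

```python
"""Steps 1-3 of the pipeline above on a synthetic signal, plus a toy "domain".

Added example (not from the original page). A pure-Python discrete Fourier
transform stands in for the "mathematical technique": the signal is digitized
(sampled), cut into the 0.25 s frames mentioned in step 3, and each frame is
turned into a spectrum whose strongest bin is the frame's dominant frequency.
The final lookup table that turns frequencies into symbols is a toy stand-in
for a phoneme domain, not how a real recognizer works. Sample rate, tones and
the table are all chosen for the example.
"""
import cmath
import math

SAMPLE_RATE = 1000      # samples per second; keeps the O(n^2) DFT fast enough
FRAME_SECONDS = 0.25    # frame length from step 3


def synthesize(segments, sample_rate=SAMPLE_RATE):
    """'Digitize' a sound: sample pure tones given as (frequency_hz, seconds) pairs."""
    samples = []
    for freq, seconds in segments:
        start = len(samples)
        for i in range(int(seconds * sample_rate)):
            t = (start + i) / sample_rate
            samples.append(math.sin(2 * math.pi * freq * t))
    return samples


def frames(samples, sample_rate=SAMPLE_RATE, frame_seconds=FRAME_SECONDS):
    """Cut the sample stream into equal, non-overlapping acoustic frames."""
    n = int(sample_rate * frame_seconds)
    return [samples[i:i + n] for i in range(0, len(samples) - n + 1, n)]


def dft_magnitudes(frame):
    """Intensity of each frequency bin up to Nyquist (naive DFT, fine for small frames)."""
    n = len(frame)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(frame)))
            for k in range(n // 2 + 1)]


def dominant_frequency(frame, sample_rate=SAMPLE_RATE):
    """Frequency (Hz) of the strongest bin; bins are sample_rate/len(frame) Hz apart."""
    mags = dft_magnitudes(frame)
    k = max(range(len(mags)), key=mags.__getitem__)
    return k * sample_rate / len(frame)


def frame_frequencies(samples):
    return [dominant_frequency(f) for f in frames(samples)]


# Toy domain: a dominant frequency per frame maps to a symbol, and the
# symbols are strung together like beads. Real systems match phonemes, not tones.
DOMAIN = {100.0: "a", 300.0: "b"}


def decode(samples):
    return "".join(DOMAIN.get(f, "?") for f in frame_frequencies(samples))


if __name__ == "__main__":
    signal = synthesize([(100, 0.5), (300, 0.5)])   # constructed 1 s input
    print(frame_frequencies(signal))   # [100.0, 100.0, 300.0, 300.0]
    print(decode(signal))              # 'aabb'
```

The spectrum per frame is the "graph of frequencies and intensity" from step 2; a real system keeps the whole spectrum (and its change over time) as the frame's features rather than just the loudest bin, which is where the feature analysis and neural networks mentioned earlier come in.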

Threats & Fears
What if someone could steal control of the gadgets in your home without breaking a window or a physical lock? Over-the-air attacks are also tailored to the vulnerabilities of the voice recognition movement. And they are not limited to your mobile device, but extend to your smart TV, smart refrigerator or toaster; your virtual home is in jeopardy.

Voice impersonation is a common attack which bypasses security by cloning recorded or synthesized speech. People can also collect voice samples through various unnoticeable tactics like spam calls, recording someone adjacent to you (covertly or overtly), or just collecting a voice from Instagram/YouTube videos.

Pay attention to the permissions of the apps you have downloaded, especially permissions to your microphone. Your phone can be used against you at any time.

Examples
The new voice recognition technologies not only figure out what you're saying, but also what you mean when you say it. Google Chrome has silently placed this technology within its search engine with the intention of growing the technology's domain, as well as the context associated with it. Google's Chrome browser has been found to be vulnerable enough that a malicious actor can listen in on the victim's computer through their microphone without being noticed.

Siri is iOS' virtual assistant, who is making frequent appearances on the majority of devices Apple has made available. In 2011, Siri was breached and 'jailbroken' by a Chinese hacker group. The group was able to steal sensitive information through the voice recognition feature. This group did not use the feature just to access the device, but to exfiltrate private data. Siri can also be exploited by electromagnetic waveforms. By sending the correct frequencies, Siri answers to anyone.

ANSSI is a French government agency devoted to information security (basically their NSA). They have found and experimented with electromagnetic wave bands / electrical signals capable of remotely controlling devices. Without speaking one word, ANSSI was able to direct frequencies, through earphones, to an adjacent person's device. They were able to make calls and send texts and emails through that radio attack.

Conclusion
Many have found that voice programs can be remotely controlled fairly easily… I mean, they were built to do so. However, the 4 main security factors of identification, authentication, authorization and accountability should be considered when dealing with this credible threat. This shouldn't be taken lightly. There should be a system in place to better identify, authenticate and authorize through personalized/custom tones for that particular voice. I laugh at all the movie comparisons I've made. For instance, voice recognition was hacked in Charlie's Angels (2000 and 2003). Anyhow, all these systems should be designed not just for flair but with care.

Governing Endpoint Security

With so many security breaches in the news, companies, governments and citizens alike are concerned with the raw information/data that is floating around as insecure as a middle school girl. Government regulations are changing rapidly with this issue in mind and everybody, including the President, is thinking about it. However, these policies are far removed from what the general public is concerned about: their information. This blog post breaks down the new policy changes and could reveal how this may or may not affect your life.

Today's politics are entrenched in the idea of "cyber theft/hacking" and how the government will step in to secure this floating data in THE CLOUD (DUN DUN DUN). The House/Senate and the Executive branch have taken steps in creating policies and attending conventions to discuss the matter of cybersecurity. However, during these discussions they tend to focus on the protection of what is profitable (knowledge or monetary) to their own interests rather than protection of the victimized. But will their efforts matter in the future?

In 2011, President Obama began to address cybersecurity by giving kind suggestions to the legislature on cybersecurity policies and topics, such as:
"Unnecessary personal information”,
"Further requirements for the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government" and
“Complementing rather than limiting the existing effective relationships between government and the private sector.”

He also called for the setting of norms, such as:
Upholding fundamental freedoms[1],
Respect for property (including IP),
Valuing privacy and the expectation of[2],
Protection from crime[3], which includes the right to self-defense,
And finally, doing all this while keeping it commercially appealing for international and interstate commerce[4].

He explained that through these policies we should be considering sustaining a free (and fruitful) trade environment which encourages:
Technological involvement,
Protection of IP (not Internet Protocol, but intellectual property),
Ensuring the importance of “interoperable and secure technical standards” and
Attempting the harmonization of international policy following the Budapest Convention[5].

Obama also stressed the primacy of providing the knowledge to protect technical and cyber capacities, not just for citizen infrastructure[6], but for military infrastructural needs as well.

So far the legislation to be enacted/enforced this year is The National Cybersecurity Protection Act of 2014, The Cybersecurity Enhancement Act of 2014, and The Cybersecurity Workforce Assessment Act. However, rather than regurgitating pages and pages of legislative jibber-jabber from all implemented policy to the passing reader, I will just summarize The National Cybersecurity Protection Act of 2014. Still, I encourage you to do some research on the others[7] too.

S.2519 - National Cybersecurity Protection Act of 2014 (passed by the Senate on December 10, 2014)

The National Cybersecurity Protection Act creates a National Cybersecurity and Communications Integration Center (NCCIC) within the DHS. This new body must provide risk and incident warnings, risk mitigation and analysis to and for federal and non-federal bodies. The center is directed to ensure continuous collaborative coordination/information sharing with councils and certain organizations, and "appropriate non-federal partners" must work under a Non-Disclosure Agreement. The bill also requires the DHS Secretary to report analysis and suggestions to Congress regarding the information-sharing agreements. This bill directs the Under Secretary to have in place plans for cyber incident response to address any risks to critical infrastructure. The Secretary is in charge of regulations and standards relating to the cybersecurity of private-sector critical infrastructure.

Whew, that covers most of Obama's previous requests, if not all. BUT WAIT! There's more! This bill directs the Office of Management and Budget (OMB) to ensure data breach notification policies[8]. Yet this bill governs everything but the flesh behind this "cyber" wall, and protects what makes good online business. Unfortunate.

I asked myself, "Self, what would they do next to protect my privacy, and how have they defined what is private or not? Why not just make it illegal to upload, ask for, or enter certain personally identifiable information (PII) such as SSN, GC #, or account #'s, etc.?" That was kinda' introduced in the new Cyber Privacy Fortification Act of 2015, which defined PII as:

An individual's first and last name (or any variation of such),

Address or phone number in combination with any 1 of the following data elements, where the data elements are not protected by a technology protection measure that renders the data element indecipherable, such as:

A non-truncated social security number, driver's license number, state resident identification number, passport number, or alien registration number; mother's maiden name; month, day, and year of birth;

Any unique biometric data such as a fingerprint, voice print, or retina or iris image;

And finally, a financial account number in combination with any security code, access code or password.

This bill may stir debate on the issue of SS# and location information (address). This information is not hard to obtain for those with the skills required to penetrate networks and systems—the OPM breach and the recent IRS hack gave criminals access to hundreds of thousands of records of SS#s, personal records, biometric data, and even high-level security clearances.
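A definition like the one above is only useful to a defender once it is turned into a check that can run over real data stores. As an added example (not code from the original post or the bill's text), the Python below scans records for the "name plus at least one unprotected data element" combination, recognizing the elements a regular expression can catch: a non-truncated SSN, a month/day/year of birth, and a financial account number (a card number validated with the Luhn checksum). Masked values such as `***-**-3456` are treated as covered by a "technology protection measure" and are not flagged. All records are constructed; SSNs starting with 000 are never issued, and `4111111111111111` is a well-known test card number.

```python
"""Scan records for the "name + data element" PII combination defined above.

Added example (not from the original page or the bill's text). It checks the
elements a regex can recognize from the list: a non-truncated SSN, a date of
birth, and a financial account number (here a card number validated with the
Luhn checksum, since the bill pairs account numbers with a code). Masking such
as ***-**-3456 is treated as the "technology protection measure" that takes an
element out of scope. All records are constructed; 000-xx-xxxx SSNs are never
issued and 4111111111111111 is a well-known test card number.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # masked "***-**-3456" does not match
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
CARD_RE = re.compile(r"\b\d{16}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_elements(text):
    """Which of the scannable data elements appear unprotected in free text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if DOB_RE.search(text):
        found.add("dob")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        found.add("card")
    return found


def is_covered_pii(record):
    """The bill's combination: a first and last name plus at least one unprotected element."""
    has_name = bool(record.get("first_name")) and bool(record.get("last_name"))
    return has_name and bool(data_elements(record.get("notes", "")))


# Constructed records: the scanner should flag only the first.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Example", "notes": "SSN on file: 000-12-3456"},
    {"first_name": "Ada", "last_name": "Example", "notes": "SSN on file: ***-**-3456"},
    {"first_name": "", "last_name": "", "notes": "card 4111111111111111 exp 01/30"},
]


def scan(records):
    """Indexes of records that meet the covered-PII definition."""
    return [i for i, r in enumerate(records) if is_covered_pii(r)]


if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))   # [0]
```

The third record shows the limit of the definition rather than of the scanner: a valid card number with no name attached is still sensitive data, but it is not "PII" under the combination rule, which is one reason a data loss prevention policy usually tracks the elements on their own as well.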

4 basic factors of authentication: what you HAVE, KNOW, ARE, and WHERE YOU ARE…

In the event of identity or information theft or breach, the status quo provides various private and public channels to seek resolution and possible compensation. If a corporation is the victim of a data breach, consumers' personal information is the ultimate target, but the reality is there is rarely any resulting economic loss or decrease in profits. Bodies that monitor target activity operate based on the existence, and at the will, of target activity.

But people sometimes forget that there are other people, some even weirder than I am, on the other end of that connection who intentionally or accidentally cause the majority of data leakage to begin with. And putting policy in place to attempt to rein in the intangible might not work as effectively as they make it seem to the under/uneducated voter. The idea of an intangible cloud is interesting—all data uploaded to a "cloud" server is stored on physical storage servers. These storage servers are located in massive air-conditioned warehouses that are just as vulnerable as other "secure" channels. And even though this is true, there are still no Tron-like individuals protecting your/consumer data on this cyber field governed and influenced by the policy makers on Capitol Hill.

I think this topic is really "hot" right now and they know that, and people want answers on this topic of "Cloud Security". Many might say that a large portion of these policies resemble nothing but pork fat wrapped in the illusion of security. Many may also claim that these policies are there to protect the rights and actions of the growing e-commerce infrastructure and the data involved, rather than governing the actions of the people standing to gain from this. People are going to be people and that extends to the cyber-web; so, the same consequences for physical theft and such should be placed in the non-physical world of cyberspace and on the flesh behind it. These policies are put in place to protect federal data and non-federal (but appropriate) partners and their information sharing. However, none of them seem to restrict nor protect the end users, like us.

Footnotes:
[1] "fundamental freedoms: the ability to seek, receive and impart information and ideas through any medium and regardless of frontiers has never been more relevant"
[2] "expectations for privacy: individuals should be able to understand how their personal data may be used, and be confident that it will be handled fairly. The United States is committed to ensuring balance on both sides of this equation"
[3] "by giving law enforcement appropriate investigative authorities it requires, while protecting individual rights through appropriate judicial review and oversight to ensure consistency with the rule of law"
[4] "commercially: cyberspace must remain a level playing field that rewards innovation, entrepreneurship, and industriousness, not a venue where states arbitrarily disrupt the free flow of information to create unfair advantage"
[5] The Budapest Convention is the first international treaty seeking to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations.
[6] Infrastructure: the basic physical and organizational structures and facilities (e.g., buildings, roads, and power supplies) needed for the operation of a society or enterprise.
[7] Obama's Suggested Cyber Strategy; S.2519 - National Cybersecurity Protection Act of 2014; H.R.2952 - Cybersecurity Workforce Assessment Act; S.1353 - Cybersecurity Enhancement Act of 2014; Summaries for the Cyber Privacy Fortification Act of 2015
[8] You know, if I may, I think that they’ve shown competence in the area and I have full faith that they will expose all of the details of their and other’s incidents past and future. And those being able to access agency implementation of notification policies will be followed to the letter.