The name of the sender seems vaguely familiar. They point to enough facts in the case that you have no reason to believe that the email isn’t legitimate. And just like that, you’re hooked and being reeled in. The email was an attempt to get you to reveal a piece of information that is considered intellectual property.

These attempts are not unusual. Law firms today are facing more sophisticated attempts to lure employees into revealing information that will allow them to gain access to the network and steal large amounts of intellectual property.

The typical phishing attack involves a mass email that is sent to hundreds of thousands of email addresses trying to get access to information like email addresses, passwords, social security numbers and more. You may have been the recipient of a phishing email from an attacker posing like your banking institution and asking you to verify your online password.

Attackers that are more sophisticated utilize a similar method but target specific organizations to gain access to confidential data. This is called spear phishing. While spear phishing targets a specific individual, whale phishing is yet another sophisticated method that targets specific individuals in high ranking positions. The attacker in this case is looking for information from managing directors, partners and other top executives. But what makes these spear phishing and whale phishing attempts possible?

Today’s attackers have greater access to information than ever before thanks to the broad adoption of social media. An attacker can scan a managing partner’s Facebook page and then send an email that references a recent vacation or even that partner’s family. It is social engineering at its finest and makes phishing an even more prevalent threat.

What best practices can your firm embrace to safeguard its employees against these targeted attacks? Here are a few recommendations we provide our customers to ensure that they address all components in the security ecosystem: people, process and technology:

• Educate your employee base not to click links within emails. Even if the URL is for a trustworthy organization, the user should type it in manually into a web browser.
• Create security policies across your organization and ensure these policies are monitored and enforced.
• Utilize content filtering solutions. In fact, 80% of threats today are still web-based. Web and email content filtering solutions will prevent malicious links from coming through the network. Often organizations that are implementing filtering technology, simply are not using best of breed solutions that are enterprise worthy.
• Prepare for the worst – attacks are inevitable – so have an incident response plan in place.

By preparing your firm and its employees for spear and whale phishing scams, you can help avoid becoming big game. Do you have other questions or concerns about protecting your organization’s intellectual property?  Drop me a comment below.

Within the information security domain, we’ve begun utilizing various business intelligence (BI) tools to visualize/analyze, and in general, begin dealing with the “Big Data” challenges that are currently facing our federal and corporate information security communities. While Big Data, Digital Decay and the hazards of data retention are interesting discussions, this post isn’t a piece on analytics. This is about the data destruction issues in the modern age of solid-state media. Furthermore, if you believe your organization doesn’t have solid state drives (SSDs) and flash media in production, you may consider speaking to your SAN admin or virtualization guru to confirm your assumptions.

As the resident security guy, lately I’ve been having a number of conversations with customers about data destruction. Before I go much further in depth, let me say that we primarily work with federal government customers and have deep ties to the usual suspects whom you might assume would have more than a passing interest in information security. Knowing this, we can also state with a certain amount of veracity, that many of our discussions have relevance to national security.

So let’s take a look at data destruction in the old days and today, and discuss some best practices and tips.

Data Destruction of Yesterday

In the old days, data destruction was “easy.” I grew up during the days of boot disk destruction where we would create a DOS or *NIX boot disk, load the requisite kernel data destruction apps (such as DBAN), make certain the floppy had a bootable sector and off we went.

For magnetic media such as hard disks, the standards were consistent: overwrite the drive a number of times, execute the built-in secure erase command and destroy or degauss the drive.

Magnetic media has a particular method to the data destruction and what we as practitioners would do is use some disk scrubbing utility (DBAN, srm, shred, PGP) to wipe either the file or the entire disk via the Gutmann method, or something along the lines of the Airforce System Instruction 5020.

Below is a screen shot from the PGP 10.x client with file shredding capabilities on OSX.

There were a number of clear-cut options of how to execute a data destruction process:

A) Single file overwrite with an option to overwrite with random data 1-35 times
B) Whole disk overwrite with an option to overwrite with random data 1-35 times

To quote Gutmann’s original paper, “A good scrubbing with random data will do about as well as can be expected.”

Lastly, there was arguably at least one other effective method of data sanitization:

C) Degaussing via some specialized hardware

Degaussing requires the termination of the disk itself, which magnetically destroys the media, as well as the drive motor. How?  By rotating some multi-K gauss field co-planar to the chips and a multi-K gauss perpendicular alternating field. The point is, you put a hard drive in or on the device, it creates a magnetic field and ruins the media and the drive heads.

Data Destruction in the Present Day

Presently, we have a plethora of cheap, high-density disks that happily respond to the usual ATA and SCSI destruction commands.

We tend to use these plentiful disks as backend storage, and for any system that requires rapid response or quick boot times, we use SSDs or disks, which don’t require any moving mechanical components. And with that, the fun begins.

When presented with some data destruction questions from one of our more interesting clients, I was forced to dig into whitepaper land. Short of incinerating a USB memory stick, I had never attempted performing data destruction on solid-state media, and it is most certainly an animal of a different color.

Also worthy of note: All of the above data destruction ideas (Gutmann, AF, etc.) are irrelevant, as SSDs do not play by any of the old rules. Per the Wei whitepaper, the above methods of data destruction are either ineffectual, falsely effective (showing destruction successes with full simple recovery possible) or a waste of energy.

According to the whitepaper:

“None of these solutions are satisfactory: Our data shows that overwriting is ineffective and that the ‘erase procedures provided by the manufacturer’ may not work properly in all cases.”

So what does work? Scrubbing. For details on how SSDs read/write, please read the summary of University of California’s whitepaper here.

“Programming individual pages is possible, so an alternative is to re-program the page to turn all the remaining 1s into 0s.”

And what is the net effect of using an only marginally effective data destruction method on the SSDs? The eventual destruction of the disk OR a heavily increased latency of the read/writes—meaning, you ruin the disk.

“Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations.”

For the layman, this translates to what exactly? Overwriting doesn’t work.

So based on this perspective, we have a few take-away points for your organization to keep in mind when considering data destruction:

• Right now, there are few, if any, controller based integrated provisions for performing data destruction operations on SSDs
• Traditional hard disk or file-based destructions do not work. Read the source document and make operational decisions based upon these findings
• Do not consider decommissioning SSDs and releasing them into the public domain. If you can handle the degradation of speed, consider using FDE on all SSD endpoints, devices and drives

In summary, unless there is a large crucible with which you can melt your SSDs, we recommend reviewing and revising your organization’s data destruction policy with regard to SSDs.

Let’s take a look:

What’s a laptop?
It’s not hard to imagine today’s children looking quizzically at a record or cassette tape since they fell out of favor decades ago. Now, desktop and laptop computers could be running the risk of joining that illustrious list of archaic technologies.

According to a recent Forrester report, 375 million tablets will be sold globally in 2016. Forrester analyst, Frank Gillett, expects these tablets to conduct a hostile takeover of the workplace and replace the desktop and laptop computer as the primary device in enterprises. However, Frank predicts there will still be room in the enterprise for the old standards to tackle creative work and other tasks that require more computing muscle.

With tablets taking over the office, IT professionals need to prepare for the strain on the data center and ensure their security is up to snuff.

Google Drive gets the green light
According to USA Today, the long awaited debut of Google Drive has finally arrived!

Google’s cloud-based data-storage solution will enable users to store large files and access them from any web-connected device. This is an attractive option for consumers and small businesses looking to gain access to videos, pictures, documents or any other data from anywhere at any time.

Google isn’t the first and only player in the space. Startup company, Dropbox, is already offering similar cloud-based storage solutions. However, Google’s pricing for Drive appears to be a bit more aggressive and business friendly.

Hacktivists top the network security terror charts
According to a recent survey by security vendor Bit9, IT security professionals are nervous about being targeted by hacktivist attacks in the next six months.

An IDG article about the survey results quotes some interesting statistics. According to the article, the survey found that 64 percent of the responders expect their companies to experience a cyberattack in the next six months. Also, 61 percent of respondents thought that hacktivists would be the ones responsible. The survey was taken by 2,000 IT professionals.

Despite only being responsible for a small percentage of last year’s cyberattacks, hacktivists stole the most data of any group.

Is your organization concerned about attacks by hacktivists? What is your IT staff doing to secure its network?

For long-time players in the space, the answer was clear. For the rest, Intel’s CTO, Justin Rattner, stated that security was job number one. The immediate play was a tight integration of security technologies into the silicon, which is one of the many “holy grails” (or perhaps banes) of information security.

For years, various trusted platform module (TPM) technologies supporting digital rights management (DRM) initiatives and data-centric controls were built into chipsets and then integrated into a variety of systems.

The concept is somewhat elegant on paper: a virtual secure sandbox for cryptographic keys, SSL certifications, biometric data, AV hives and other controls that would allow for secure and trusted hardware level access on the integrated chipsets.

The whitepapers were compelling, but the industry had some technical challenges and philosophical issues that slowed adoption. Regardless of the various issues, Moore’s law drove the industry onward and Intel was no stranger to the technology.

After a bit of time, and many low vocalized rumblings, the industry is finally getting to see some of the fruits of the acquisition. The following is from a recent announcement from Xerox and McAfee:

“A new survey commissioned by Xerox (NYSE: XRX) and McAfee, reveals that more than half (54 percent) of employees say they don’t always follow their company’s IT security policies (33 percent) or aren’t even aware of the policies (21 percent) – leaving the security of customer credit card numbers, financial reports, and HR and tax documents at risk.”

Their partnered proposed response? Embedding McAfee technologies into Xerox devices.

While the article isn’t specific about what we can expect to see, one can certainly extrapolate that this integration may mean EPo, AV or even DLP style technologies resident in printers, scanners and fax machines.

Within the next decade, the advent of IPv6 and household appliances being issued networked interfaces could lead to refrigerators that keep tabs on milk-freshness and thwart the next malnet (thank you Team Cymru!) that cuts our power and defrosts everything in our freezer.

While this is spoken tongue-in-cheek, the fact of the matter is that as more and more critical systems convert into “green” appliances, our WiFi-enabled, smart-grid connected power meters and radio-frequency identification (RFID) capable edge devices will all carry some critical personally identifiable information (PII) and require continuity of operations. This in turn will require the vendors to integrate security solutions tightly into the firmware/hardware of the systems they provide.

This year’s report points to a fundamental change in Distributed Denial of Service (DDoS) attacks.  The rise of hacktivism has influenced the pure number of DDoS attacks seen over the past year instead of the traditional financial motives. With hacktivist groups embarking in grassroots efforts to organize and grow, these various hacker cells are leveraging easy attack tools such Low Orbit Ion Cannon (LOIC) to train others.

Here are three points from the report that are worthy of mention:

1) The fundamental nature of DDoS is changing in that the average flood-based DDoS attempt is within the 10Gbps range (typically 60-100 Gbps)

2) DDoS is no longer purely a saturation issue, complex multi-vector and application attacks are becoming commonplace

3) Most conventional network devices such as stateful firewalls, IPS tools and load balancers continue to fail under internet facing DDoS attacks

So what does this really mean?

While these issues are anecdotally interesting, they represent greater implications in terms of national security and internet resilience.

Cyber-conflicts are rapidly becoming precursors to kinetic action. Precision digital strikes have been, and will continue to be executed under the cover of multi-vector DDoS. This in turn will make our internet intelligence surveillance reconnaissance (ISR) tools blind and our response capabilities hobbled.

The new “fog of war” is digital in nature, and Multivector DDoS will be its name. As with any conflict, when the landscape changes and the enemy are covertly attacking, a strong defensive line must be in place.

Both federal agencies and enterprises alike need to ensure that they have the proper security controls in place to secure critical assets. Yet, it would be foolish to assume that traditional security methods and technologies will be enough to protect the network against these attacks. One of operational mantras for 2012 and beyond will herald back to Dan Geer’s Harvard Journal article in Jan/2011: “Risk absorption — the ability to operate in degraded states.”

Organizations today must have the understanding that an attack will occur and the capacity to continue functioning despite cascading systemic failures.  Additionally they must be able to use the event to gather intelligence for remediation and mitigation against future attacks. In the case of DDoS, that means resilient and robust systems with ever-increasing network/system capacity, and out of band ISR toolkits.

To prepare students for the possibility of engaging in this high-demand field, local schools are empowering students to define a career path through technology. It is an effort that we embrace and support.

In fact, our President and CEO, Rene LaVigne, was asked to serve as honorary chairman of the first annual Patriots Cyber Security Competition. The purpose of the competition is to allow middle school students in Prince George’s county to explore science and technology through research and interactive learning. Through this competition, we are educating a new generation about the vital need for cybersecurity, as well as inspiring students to embrace this as a career path in the future.

With the guidance of mentors from government, academia and the industry, students will research a career in cybersecurity and prepare to present what they have learned at the competition’s awards dinner to be held on February 22 at the Marriott Hotel in Greenbelt, Md. Each team will have an exhibition booth to showcase their cybersecurity project and then present their findings in a five-minute presentation. A panel of ten judges, comprised of leaders from industry, government and education will choose the winning team.

In addition to giving their presentations, students will have the opportunity to hear the thoughts of the keynote speaker, Admiral Gretchen Herbert, Commander of Navy Cyber Forces.

For 12 years, the Patriots Technology Training Center, based in Seat Pleasant, Md., has offered programs for students ranging in grades 5^th to 12^th in science, mathematics, engineering and computer technology to encourage college education and careers in those interrelated fields. The Center has partnered with major technology companies, government agencies and foundations to offer innovative programs and mentoring.

Prosecutors allege that Pfc. Manning was working to intentionally break military rules. And the case against him is solid. Prosecutors have presented evidence against him, including memory cards and hard drives that have been found with encrypted files that he sent or planned to send to Assange. They’ve also found emails and chats with Assange and other acquaintances.

The United States military is privy to extremely sensitive information and data that could lead to the deaths of American citizens should it fall into the wrong hands. If the military could suffer from such a serious data breach, what does that say for your company?

Many people think of security threats and data breaches as external threats that are perpetrated by evil hackers in this country or abroad looking to steal credit card data or other information. Well, that’s not always the case. In fact, according to the 2011 Verizon Business Data Breach Report, almost 20 percent of security threats come from within the enterprise.

And it’s not always a situation like Pfc. Manning’s, where an individual purposely leaks information or sensitive data. Often, it’s something far more innocuous. Employees share information that they shouldn’t via email or instant message. Or they bring home the company laptop with spreadsheets filled with employee or customer data only to have it stolen.

Unfortunately, most companies are so focused on the external threats that they miss what is right in front of them. As a result, they dedicate their security investments towards external threats and don’t put systems and practices in place to eliminate the insider threat.

But what can your company do to help eliminate these insider threats?

A large part of eliminating threats within the enterprise is simply education. Many employees just don’t realize that they’re doing something that could potentially lead to data theft or security threats. By establishing an “acceptable use” policy and educating employees on it, companies can raise awareness of risky practices and help to eliminate them.

However, sometimes insider threats aren’t always created by individuals accidentally doing something risky, as in the case of Pfc. Manning. In these situations, there are technological solutions that can help to identify insider threats and neutralize them.

Many companies prefer to avoid these types of threat detection because they can walk the line of appearing very “big brother.” Unfortunately, with the cost of data breaches constantly and rapidly increasing, these solutions could become necessary.

Fortunately, there are multiple options when it comes to insider threat detection that range drastically in how invasive they are. While some solutions, such as those that take video of users’ screens, may come across as too invasive, other solutions aim only to identify irregular activities that could be a result of an insider threat.

When it comes to protecting your company from data theft, just having a good security posture against external threats is no longer enough. The damage to a company’s wallet and reputation is just too steep to ignore the potential for an insider threat, especially since they account for almost 20 percent data breaches.

With 2012 around the corner the security threats will not be slowing down. In fact, in certain areas, security threats will quickly gain momentum.  So what should your company be prepared for in the New Year?

Latest holiday gadgets drive BYOD
Many employees are already synching their mobile devices to the network causing IT administrators to struggle to manage devices and security.  As the holiday season approaches and the latest tablets and smartphones are given as gifts, there will be an increased desire for employees to bring their own devices to the office. These “bring your own device” or “BYOD” scenarios require stronger mobile device management to secure your company’s network.

Out with the old and in with the new
Traditional firewalls have become stagnant in their development and will continue to give rise to the next-generation firewall, which puts application visibility and application control back where it belongs – at the firewall level.

Heading to the clouds
My colleagues have been discussing the issues resulting from cloud adoption on the blog already. Ultimately, companies must be particularly aware of the security issues that arise when they continue to implement their public /private cloud strategy.

Naughty or nice list
Applications are often run on systems without authorization and by malicious outsiders looking to compromise a device. Application whitelisting will continue to see traction as administrators are able to control access for approved and un-approved applications and implement a strong defense strategy. .

Beware of malware
According to many of the latest security research, malware is infiltrating the most popular sites on the Internet, including Facebook, and is being seen more frequently in the mobile market.  As employees begin to utilize more consumer devices and access social sites, anti-malware solutions will need to be implemented to protect the network.

These hacktivists, including such well known groups as Anonymous and LulzSec, aren’t necessarily out for their own personal gain. Instead, they’re looking to show their agreement with, or disagreement with a particular issue or side of a debate and otherwise looking to punish those that they consider, “wrong.”

Many of the notable targets of hacktivists have been large, globally-recognized brands. These have included Sony and the government of Egypt. However, there are other smaller companies and organizations that should be wary of hacktivist attacks aside from governments and large corporations.

Smaller organizations, such as law firms, could very easily become the target of hacktivists.

Why? Well, law firms often act in the defense of, or the prosecution of individuals, companies and other organizations that hacktivists feel strongly for or against. By prosecuting a person or company that hacktivists support, or defending a company whose policies hacktivists revile, a law firm can very easily find itself on a list of targets.

Unfortunately, many law firms direct significantly less resources towards their security postures than, say, an electronics giant like Sony. These firms often underestimate their risk and their lack of investment in security leaves them in a less favorable position to protect themselves from attack by hacktivists than large global enterprises and government agencies.

What’s worse is the sheer type of information that’s at stake. With attorneys and law firms often held in close confidence, they are privy to information that could make a difference in a court case or otherwise irrevocably damage a client’s reputation.

But the clients’ reputations aren’t the only ones on the line. The firm’s brand reputation is also at stake. Who would want to work with a law firm that has had its clients’ data stolen or exposed? This lasting impact on the company’s brand could seriously hinder its ability to win new clients in the future.

Although 2011 wasn’t the first time there’s been an act of hacktivism, the sheer amount of information that is being digitized and stored, and the increase in hacktivist activities makes this an important consideration. To help protect themselves and their clients, law firms need to take steps to improve their security posture and prepare themselves for attacks.

When considering security improvements, many companies look to acquire one particular technology and implement it. This may help protect the network in one area, but leave it susceptible in others. In the case of sophisticated attacks, such as those perpetrated by hacktivists, an overall more robust security posture is needed.

The best course of action for law firms and other businesses that could be at risk is to work with a proven information security partner to identify the current state of the company’s defenses, analyze the risks and identify where the company’s security posture should be to defend against them. From there, a complete security architecture designed to get the company’s security posture from where it is currently, to where it should be, can be identified and implemented.

The emergence of hacktivist groups has truly changed the information security landscape. For many smaller companies and law firms that may be at risk of attack, now is the time to ensure that your security systems are prepared for the threat.

This year’s National Cybersecurity Awareness Month has focused on education and providing the cybersecurity resources for home users, and small and medium-sized businesses (SMBs) that have been historically lacking.

In an effort to support the cybersecurity efforts of SMBs, FCC Chairman Genachowski joined DHS and private sector partners at the U.S. Chamber of Commerce this week to unveil a new FCC online tool. This new tool is called the Small Biz Cyber Planner and is designed to help small businesses create a cybersecurity plan, which is considered essential for organizations of all sizes.

However, having a cybersecurity plan is just one small step for businesses. These organizations still have to take action on the plan that they put in place.

As we’ve learned from many of the government agencies, which have reported a 650% increase in security incidents in the past five years, failure to properly implement a cybersecurity plan will have negative consequences. This is especially true for SMBs, which will find it much more difficult to respond to a cyber incident than to proactively work to prevent them.

For more details on the FCC online tool, click on this fact sheet or watch video of the event on the U.S. Chamber’s site.