Lisa's Cybersecurity Blog
Tuesday, February 23, 2021
Covid-19 cyberfraud
Tuesday, February 16, 2021
The CIA Helps You Protect Your Data
TL;DR- wait, what?! The CIA helps me protect my data? Uhhhhh...
To start off, I'm an attorney. This is relevant because we have to do continuing legal education classes (CLEs) to stay current. I'm partially working on this because I hope to present it someday as a CLE at my local bar. They actually take cyberlaw and cybersecurity very seriously. For the cybersecurity professionals reading this, this is going to be Cybersecurity 101 and insultingly simple. For everyone else, let's get to why you need to actually take cybersecurity seriously, ESPECIALLY if you don't know anything about it.
First, I want to start with the most basic definition. What the heck is this cyber stuff anyway? I get what the Internet is (sort of) but what's cyber?! Great question. First, cyber is an adjective. I remember constantly yelling at my TV every time Senator John McCain came on because he'd talk about "we need to improve cyber." I would always yell back, "CYBER WHAT?!? Cybersecurity? Cyberspace? Shall we improve cybercrime, you freakin' idiot?!" So think of cyber as meaning technology and we'll call it good enough. But that's only an adjective. We need to figure out what particular realm we're talking about. Because I promise you, we don't want to improve cybercrime, even though we might want to improve our defenses against it. For purposes of this discussion, we're talking about cybersecurity. Given the definition I've provided, that means the security of technology.
For those new to this, you're probably thinking, "I just figured out what cyber means and that it's an adjective, and now I have to take on security issues. I can't do that! I don't know enough." That's great, because now we have a starting point for the discussion, definitions, and hopefully a willingness to figure it out.
I would argue that we need to know the goals of cybersecurity before we can apply any fixes. So what are the goals of cybersecurity? That's where we get to the title... Many people would raise an eyebrow that the CIA is going to help protect your data. But we're not talking about that Central Intelligence Agency. Here, the CIA triad stands for:
- Confidentiality- C
- Integrity- I
- Accessibility- A
Thursday, February 11, 2021
Social Engineering
I'm currently taking three classes in my last semester of a cybersecurity degree, and one of them is Human Aspects of Cybersecurity. I did not expect this at all, but I'm kind of having a blast. Essentially, it's social engineering. What's that, you ask? Manipulation. How are people manipulated to give up information?
It's actually terrifyingly easy. People are so conditioned to be friendly. And apparently, being friendly means opening up your entire life story. Some are worse than others. I have met people that in less than ten minutes, I know how many ex-husbands they have, their neighbor's horse's names, and that they spend large amounts of money on antique furniture.
I can't do much with this information, nor do I want to. But I think about certain friends I know that can't resist a good Facebook quiz. In fact, one that I'm thinking of, I know that she's Capricorn born on January 5th, her favorite color is purple, she's divorced but in a new relationship since then, and where she's eaten in the last week. I can use this. How many security questions ask your favorite color? How many verifications want your date of birth? I can start predicting patterns based on where she regularly eats. I can get into other things based on the name of her new relationship. This is all info in various Facebook quizzes and profile. It's even discarding a lot of other random things I could learn simply by "relating" to her. Drop a mention about Supernatural or Harry Potter and I can find out a lot.
And this isn't just her. It's shocking the amount of stuff people put out there for everyone to read. The Internet has a long memory, and when someone is posting upwards of 10 posts or more a day, it takes some time to sift through, but they've given you an entire picture of who they are.
Off of Facebook, it's not much harder. You just have to do more work for it. I know that my next door neighbors have two adult children- one of whom has twins. They live in Michigan. That probably irritates dad because of a long standing football rivalry. The guy worked at a dishwasher repair place before retiring and has had heart issues. The woman works as a hostess at a local Italian restaurant. Her sister also worked there and has served Chrissie Hynde. She likes to run, her mom has dementia, and their dog was named Jake and he liked to sleep under the tree in my yard.
How do I know all of this? I listen. People talk. You're probably thinking, "yeah, but it's a friend and your next door neighbor. Not everyone does this." Sure they do. I've had conversations with complete strangers and they told me they're fixing up their house so they can sell within the next six months. Cool. If I was evil-inclined, I'd wait for your house to go up for sale, break in, and if caught, I know the name of the owner. She introduced herself to me.
What does this have to do with cybersecurity? Everything. According to the Verizon Data Breach Incident Report, 30% of attacks involved an insider (https://enterprise.verizon.com/resources/reports/dbir/2020/introduction/). Now, this doesn't necessarily mean that a person in a company intentionally attacked their own company 30% of the time. It does mean they bear responsibility for it. Lousy password security, not locking your computer, etc. all make it very easy for an attacker to get in. Not shocked yet? In 2003, 90% of office workers at London's Waterloo station gave away their computer password in exchange for a cheap pen (https://www.theregister.com/2003/04/18/office_workers_give_away_passwords/). People are ridiculously lax with their information and security of that information.
So where am I going with all of this? Well, be smarter than that. Not just the computer password in exchange for a pen, but stop doing the Facebook quizzes to find out your spirit unicorn name. Be bold. Make up your own spirit unicorn name! While you don't necessarily have to stop chatting with the neighbors, be circumspect about who you reveal information to.
Monday, December 28, 2020
Software blues
tl;dr: I have a love/hate relationship with software.
Let me explain what happened... Last year, about this time, I had one attorney and three law clerks working for me. We had checklists and the law clerks would use a template, change the header information, and edit from there. We rarely sent out discovery because it took approximately an hour to edit the template and just wasn't worth the money.
And then (like more or less everyone is saying), the pandemic hit. We had some staff who were high risk. We had some simply take off to go "home" to California before the state shut down. We had some like me that were just scared and didn't want to be around humans that breathed the same air. So, we moved to work from home (WFH). I still interpret those letters as "what fresh hell?!".
Because I'm primarily practicing in debt defense and because the creditors developed a little bit of a conscience, cases dried up. I'm not one to sit and wait for things to get better and I knew that this was likely only temporary. If businesses are shutting down and people are being laid off, the creditors aren't going to simply get over someone owing them thousands of dollars. They're going to wait, they're going to get their judgments eventually, and when they can do so without looking like pandemic profiteers, they're going to collect. I knew we would eventually see an absolute tsunami of debt collection lawsuits and bankruptcies. So, I took the downtime to improve my software.
We'd need a communication function. If some are in Ohio, some in California, some in South Carolina, and nobody is face to face, we'd need a way to communicate "I need you to do this answer by Monday." We found some software that worked. I also needed to streamline the process for the future. I put together some Word templates that allow me to enter the information in one place and it auto-populates throughout. Suddenly, I boiled down a process that should have taken approximately 3 hours to less than 30 minutes. Finally, we digitized everything. Every single file came home and got scanned, uploaded, renamed, and sorted into digital files so that it was all accessible from anywhere.
This worked great until recently. I'm licensed in a ridiculous number of states and that tsunami of cases I mentioned?? Well, we haven't even been hit by the hardest wave yet but we can see it coming for us. Frankly, my office manager is struggling to keep my calendar up to date and accurate. So, for the second time in less than a year, we're changing our entire software.
This has led to about two weeks of 3-4 hours sleep a night while I'm inputting client info. We had a false start on one software before realizing it was not going to do everything I needed it to do. I just paid for a different one today. The scalability is incredible, and I keep finding little features here and there that make me more and more impressed. I truly feel like I'm punching above my weight class with this one, because it's going to take that 30 minute process and streamline it to more like 10. All of the future invoices for future work... it's no longer a matter of 5 minutes per invoice and more time to actually be sent. It's literally a matter of pushing two buttons to create it and then hitting the send button without even switching to a different screen. It's impressive. It's a CRM (client relationship management) software, and although it's often used in sales, I don't think too many law firms use it outside of the major firms.
So why do I hate software? Why do I have software blues? Do you know what it's like to enter information for approximately 200 clients? Everything from the court to opposing counsel to a file number, etc. Then we have to get the files associated with the right people. Finally, I have to create all of the templates all over again that let me push two buttons to send an invoice. Once all of that is done, we still have yet to really dig deep into it and figure out how to make it accomplish even cooler things because I have the gut feeling I've only explored about 15% of this. I am tired. I did not think I would be completely abandoning an entire workflow system and creating a new one from scratch TWICE in one year (let alone this dumpster-fire of a year).
Naturally, since I'm getting my Cybersecurity Master's degree, I am considering all of the other stupid things that normal people don't. Do I change the address making it easier for my employees if they get logged out, or leave it complex so it is not easy for hackers to find? Do I require two-factor authentication and complex passwords, or do I need to set fire to my employees who will just write it down anyway? What is the exact level at which I set permissions for my office manager who needs access to both my calendar and email, but needs to leave the forms alone because she was experimenting with them and changed categories I very much needed? How do I clearly explain the workflow process to my paralegal so that she can do her job when I haven't really played with that particular feature too much in depth? And in a sense, this familiarity with software and cybersecurity is what led to the false start a week or so ago when we tried the other software but ultimately found it lacking. I could not do the things I wanted and needed to do, and I thought it was rather dumb that I couldn't customize it the way I wanted. Ultimately, if I'm told software cannot do something, I know there are plenty of other programs out there. If I can't allow people to do their job to the best of their ability but restrict them from changing something that will badly disrupt other areas, I will go elsewhere.
Friday, December 4, 2020
Alexa, what are my security concerns?
TL;DR- my daughter doesn't trust Alexa because she didn't program it.
First, I need to give you a little context... my daughter is a world champion in robotics at 18 years old. No, seriously. She was on her high school robotics team and they won several notable competitions. One is called "Night at the Museum" where they were playing at the Smithsonian museum and literally practiced directly under the space shuttle. The second notable competition was the year before when she was a junior. Her team went to World's competition. Her team won the Design award at both, which is one of the highest awards given out. It means that they have an exceptional log, can thoroughly explain things in interviews with the judges, and in general, display a high degree of excellence. She was the logger on her team, so she recorded literally everything in a notebook for the judges to review.
At my house, I've started converting all light switches and outlets to smart switches and smart outlets. It's a small thing of beauty because I can walk into my living room and say, "Alexa, turn on living room lights," and the whole room becomes much brighter. In the kitchen, not only can I listen to my favorite music while I'm loading the dishwasher, but if my hands are full or messy, I just say, "Alexa, turn on kitchen lights" and suddenly I have all the task lighting I need.
But my daughter refuses to speak to it. She'll say, "can you tell it to turn on the lights?" with disdain in her voice as if it is a contemptuous necessity. Sometimes I will tease her and say, "no, but you can" and she will continue to sit in the dark or use the light switch the old fashioned way. The only time she has used it is that she accidentally triggered it one time with something that was in no way the dreaded "A-word" and it started playing a Justin Bieber song; and one time when she asked for the "gummi bear song", which is an abomination of music that should not exist or ever be played. I asked her why she wouldn't use it. She answered: "because I didn't program it".
I can't say she's fully wrong. She is smart enough to program one and she has programmed one before. It's low level, but I certainly couldn't manage it! And it is a little disturbing that it listens to everything (although according to Amazon it almost instantly deletes it if it does not hear its wake-up word). Can I guarantee that's happening? No, not really. My boyfriend told me of a vulnerability whereby someone could take it over if they had sight of it (it is supposed to be fixed now). As I considered my home, I couldn't think of where I would place it that was within reach of an outlet but not within sight of a window. Combine this with the fact that I have several throughout my home to create a wide net where I can exit the living room and head for the stairs to my room, announcing lazily, "Alexa, turn off living room lights... Alexa, turn on bedroom lights" without breaking my stride. Plus, it's concerning that I'm in my last semester of a cybersecurity degree, know all of the risks, use it as more or less a lightswitch, and still shrug off all of the security concerns. But turning on my own lightswitch with my fingers?? Do I look like a Neanderthal?!
It's very convenient to simply announce, "Alexa, turn off my bedroom lights" instead of getting out from under the very cozy blankets at night. But I understand my daughter's concerns. She's a tech whiz Luddite who enjoys technology very much, but doesn't trust the brains behind it. Her robots were fine because she programmed them to follow her commands from her controller. And maybe that's something where I could learn a lesson. She's done her own analysis, decided she does not trust Amazon, and therefore she will not give it directions. She knows she cannot stop me from using it, but she's not going to actively participate in it because she doesn't want a hand in training something for a company she distrusts.
"I don't trust it because I didn't program it." For a lot of people, that would be a funny line to toss off, but for her, it's a fully considered, philosophical, principled stance. I may never become swayed enough by it to give up the convenience, but I support young people understanding technology AND I support them taking stands for what they believe in.
But I swear to god... the Gummi Bears song?! Truly torture!
*This has been Blog 1 of my Current Trends in Cybersecurity class. If you have something to say, let me know in the comments!
Monday, November 16, 2015
Summary of the cybersecurity posts
Not long ago, I received my law degree. I remember having a similar argument with one of my law professors. He insisted that a better contract was needed between the parties, and that would have solved the problem. I replied that from what I had seen in my office and in my studies, that was probably a true answer, but it doesn't account for the fact that every single case we study involves a situation where the parties failed in some respect. Nobody goes to court when everything is going perfectly according to the contract. The parties in that particular case didn't draw their contracts carefully. How are they supposed to proceed now? Furthermore, what happens when I get a client that didn't have me do their contract; instead, they did it themselves, and now they are having problems, and I need to help them solve those problems. My professor didn't have a good answer.
The same is true in IT. If the company engaged in perfect security measures for their information at all times, there is no need for a cybersecurity degree. Everything is going smoothly, and no hackers exist. Unfortunately, that's a fictional world. Companies mess up and hackers want to exploit those mistakes. So how do we proceed in helping companies that have messed up? The easy answer is to simply throw money at the problem and fix it before it's ever a problem. That's a good answer in many respects. Create a strong system and there's less to do later. But how do you proceed if you are hired at a company that hasn't done that? You have to study how other systems were breached. You need to know what is occurring in the real world, and figure out how to make it work when it's imperfect.
I examined breaches and hacks because it's the imperfect side of business. These involve big and small companies. Some focused on the insider threats, whereas others were outside attacks. Some could have easily been fixed, while others are still perplexing years later. My goal was simply to shine a light on these past breaches in an attempt to learn more about them.
The assignment was valuable because it showed me where to look for breach causes. In some cases, I discovered the answer, and in some I didn't. This exercise also taught me to think about other consequences, such as when I received a letter that my information was compromised for a company I had no dealings with. How did they get my information? Was this a proper use of my information, or were they not supposed to have it in the first place? These questions all drive at the root of discovering how breaches occur and what they affect.
Tuesday, November 10, 2015
Week 11, New York Taxis
The breach involved improperly encrypted data that gave information about over 173 million individual trips. It revealed the pickup and dropoff location and time, and the license number and medallion number. The problem is, what is this information likely to be used for? In other words, if we're going to boil it down to a risk analysis, there's a risk here. The data was not encrypted properly, it was released, and anyone with any skill at decrypting can figure out all of the information above. On the other side of the analysis- what is this data actually worth?
The article discusses how one cabbie was making an unusual number of trips. At first, I thought this was where the story would get juicy. Maybe he was running a drug business on the side. The article says it was just an error in the data. Even assuming it had been a drug running business, that information is useful to the company because they will want to fire him. It's useful to the authorities because they may want to prosecute him. It's not so useful to hackers looking for information to exploit.
There is one scenario where a hacker may benefit from the information. Say there is a particular person being targeted for assassination. They know that this target has an apartment in a particular area. They could use the data to figure out if there is a pattern to the target's movements. There are two problems with this theory: 1) this is the stuff of bad Hollywood movies, and 2) an assassin would likely already have that info without relying upon a data breach. Simple observation is a much more effective way of finding out the info.
In other words, when you finish the risk analysis, lots of information was released, but the information doesn't seem to hold a very high value. That's why this didn't make the front page of the news- no customers were harmed, no valuable sensitive info was taken. It's just an information dump.
The value of examining a breach like this is that it's a good study not only in how not to properly encrypt your data, but also in conducting a risk analysis. Just because information was breached doesn't mean this information was worth anything.