﻿<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/css' href='/css/feedgenStyle.css'?><rss version="2.0"><channel><title>The Newberry Group Blog RSS Feed</title><link>http://www.thenewberrygroup.com/feedGen.aspx</link><description>The latest Blog Entries from The Newberry Group.</description><copyright>(c) 2013The Newberry Group.</copyright><ttl>5</ttl><item><title>Social Media in the Cyber Security Space</title><description>&lt;p&gt;&lt;img src="/data/images/NewberryBlog/06-2013_NewberryBlog_Banner_v2.jpg" style="float: left; margin-right: 20px; margin-bottom: 10px;" alt="Social Media in the Cyber Security Space | Ryan Steinbach | Newberry Blog" /&gt;Last fall, I started as an intern at the Newberry Group with objectives of assessing the impact of growing a social media presence, developing a strategy for social media use and executing on that strategy. After nine months, my team and I accomplished these objectives and learned a great deal about the cyber security digital community in the process. &lt;/p&gt;
&lt;p&gt;In my relatively short but deep dive into social media strategy and development over the last two and a half years, I&amp;rsquo;ve witnessed how different the digital communities can be. The cyber security digital community is particularly fascinating. My team found that cyber security professionals tend to fall into two buckets when it comes to social media. There are those who embrace social media due to their above-average understanding of its utility, and there are those who avoid it at all costs due to their above-average understanding of the risks associated with it. &lt;/p&gt;
&lt;p&gt;This creates an interesting obstacle when engaging with the cyber security digital community. The space expects a sophisticated level of engagement, yet can also feel fragmented and reserved. It seems most companies have accepted that they need to be present on social media, but there are huge disparities in utilization. Some online presences are merely placeholders while others are hosting weekly webinars. &lt;/p&gt;
&lt;p&gt;My team at Newberry decided the greatest value was between these two extremes. We saw opportunities for talent sourcing, service promotion, and partnership development, but we also needed to be realistic about the amount of capacity we could commit to these efforts. The value is there to be had, but only with the people and buy-in to capture it effectively. &lt;/p&gt;
&lt;p&gt;&lt;img src="/data/images/NewberryBlog/06-2013_NewberryBlog_EngagingInSocial.jpg" style="float: right; margin-bottom: 10px; margin-left: 20px;" alt="Social Media Engagement | Newberry Blog" /&gt;We knew we didn&amp;rsquo;t have the capacity to be active in every space or create a large amount of unique content so we focused our efforts on building out the spaces we felt had the most value and created a content strategy that balanced quality and thought leadership with consistency and practicality. &lt;/p&gt;
&lt;p&gt;Creating a social media policy also became a critical element of our strategy. The greatest enemy of engagement is uncertainty and, in a space as sensitive as the cyber security community, assessing the appropriateness of a 140-character tweet will likely lead to abandonment. We want to be as explicit as possible about our internal expectations for social media because we believe it will remove that uncertainty and foster greater internal engagement.&lt;/p&gt;
&lt;p&gt;The development of a social media strategy and policy that balanced value with capacity is the product of what has become my biggest takeaway from my time at Newberry. I&amp;rsquo;ve learned that the benefits of social media do not appear overnight. Early wins can be few and far between. But sustainable and consistent execution of social media builds equity in a digital community that eventually translates into real company value. &lt;/p&gt;
&lt;p&gt;This kind of sustainability requires a hard look at where a company can be most effective and then tailoring that to the company&amp;rsquo;s internal capacity. Instead of leaving social media to the intern as many companies do, my team decided early on that there was no point in me doing any of the day-to-day social media work. Instead, I focused on strategy and setting up Newberry&amp;rsquo;s internal structure &amp;ndash; things that once set in place can be utilized with minimal maintenance.&lt;/p&gt;
&lt;p&gt;I&amp;rsquo;m confident that as I leave Newberry my work will be appreciated, not missed. I&amp;rsquo;ve helped give Newberry the tools to continue to build value in the cyber security digital community on their own. While this was not part of the three original objectives I had going into the internship, I believe it is by far the most valuable and can serve as an example to others in the space.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=42'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=42</link><author>Ryan Steinbach</author><pubDate>Tue, 11 Jun 2013 10:26:00 GMT</pubDate></item><item><title>Social Engineering through Social Networking: Defending Your Organization</title><description>&lt;p&gt;&lt;img style="width: 275px; margin-bottom: 20px; float: left; height: 197px; margin-right: 20px;" alt="Newberry Blog - Defending Your Organization graphic" src="/data/images/NewberryBlog/04-2013_Blog_Banner.jpg" /&gt;&lt;strong&gt;Human beings are the weakest link in data protection.&lt;/strong&gt; Social networking has made this weakest link even weaker.&amp;nbsp; Social engineering continues to be one of the most leveraged attack vectors for targeting an organization&amp;rsquo;s electronic data or IT systems.&amp;nbsp; Historically, a social engineering attempt would consist of an unsolicited phone call or e-mail. 
Attackers would attempt to obtain reconnaissance-related information from an unsuspecting employee or get them to click a link, or download an e-mail attachment, that would introduce malware to the system, potentially allowing backdoor access to the network.&amp;nbsp; As users have become more educated on information security, they have learned not to open attachments or click links from individuals they do not know or trust.&amp;nbsp; However, with the continued growing popularity of social networking, potential attackers can perform a more targeted social engineering attack that exponentially increases their level of possible success.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;p&gt;One piece of information typically found in social networking profiles is employment information.&amp;nbsp; A quick search on LinkedIn or Facebook can reveal a list of potential social engineering targets for just about any organization.&amp;nbsp; By using the information found in the target&amp;rsquo;s profile, the attacker can craft an e-mail that looks legitimate and includes an attachment or link containing malicious software.&amp;nbsp; If an attacker determines the target worthy, they may even establish a false profile reflecting similar interests and befriend the employee, allowing them to eventually introduce the malware through an e-mail or link.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;Since it is not feasible to control and monitor what employees put on their personal social networking profiles, how can an organization appropriately defend against this type of attack?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - User Education graphic" src="/data/images/NewberryBlog/04-2013_NG_UserEducation.jpg" /&gt;1. User Education:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; This has been, and always will be, the most effective tool for combating social engineering.&amp;nbsp; In addition to the typical IT security training provided by most organizations today, users should be educated on what company information is appropriate for disclosure on social networking sites and how this information could be used to exploit them.&amp;nbsp; Employees should understand that individuals they make contact with online should not be considered a trusted contact.&amp;nbsp; E-mail attachments or hyperlinks from these online contacts should not be accessed from company-owned computers.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - Policy and Procedures graphic" src="/data/images/NewberryBlog/04-2013_NG_Policy.jpg" /&gt;2. Policy and Procedures:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; Organizations should prohibit employees from using, or listing, their company e-mail addresses on social networking sites.&amp;nbsp; If the social networking sites are a means for networking or marketing and part of official job duties, then look at establishing a generic e-mail account with increased security restrictions that the employee can utilize.&amp;nbsp; This will allow the employee to identify any contact that is made through the site and treat it as untrusted.&amp;nbsp; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="font-size: 16px;"&gt;&lt;img style="width: 100px; float: left; height: 100px; margin-right: 20px;" alt="Newberry Blog - Security Infrastructure graphic" src="/data/images/NewberryBlog/04-2013_NG_SecurityInfrastructure.jpg" /&gt;3. Security Infrastructure:&lt;/span&gt;&lt;/strong&gt;&amp;nbsp; A reputable web proxy with malware scanning capabilities should be utilized to scan web traffic for potential malware.&amp;nbsp; URL filtering should be enabled and sites that contain known malicious code or malware blocked.&amp;nbsp;&amp;nbsp; Social networking sites should also be restricted for users that do not have a business purpose for visiting them.&amp;nbsp;&amp;nbsp; URL filters typically have groups of sites that are categorized and updated to make this process easy.&amp;nbsp; Finally, a spam filter device or service should be used to scan inbound e-mail for malware and filter unwanted e-mail.&amp;nbsp; Some spam filtering devices also have the capability to scan outbound e-mail for sensitive information such as social security or credit card numbers; this is commonly referred to as Data Loss Prevention (DLP).&amp;nbsp; &lt;/p&gt;
&lt;p&gt;With employees advertising more personal information on social networking sites, we can expect to see a continued increase in targeted social engineering attacks.&amp;nbsp; As with any security threat, a layered defense strategy is the best defense against social engineering attacks.&amp;nbsp; &lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=40'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=40</link><author>Steven Carney</author><pubDate>Tue, 16 Apr 2013 12:15:00 GMT</pubDate></item><item><title>5 Tips for Building a Cyber Security Career</title><description>&lt;p&gt;&lt;strong&gt;&lt;img style="width: 245px; margin-bottom: 10px; float: left; height: 175px; margin-right: 25px;" alt="IT career seeker" src="/data/images/NewberryBlog/11-2012_NG_Blog_Banner.jpg" /&gt;&lt;span style="font-size: 16px;"&gt;The cyber security field is rapidly expanding to deal with the accelerated risks of changing technology and now is a great time to make the move into a security career.&lt;/span&gt;&lt;/strong&gt; However, not only do you need the qualifications, but also an analytical mindset and good communication skills to effectively convey your expertise to the wide range of customers. Cyber security experts are always chasing an elusive problem and you have to think outside the box quite a bit to find that advanced persistent threat. Here are five tips on how to build your successful career: &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;1. Develop a Solid IT Foundation&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;In the case of cyber security, it's really beneficial to have a strong background in information technology. A lot of universities have modified their curriculum to provide security-focused degrees. Previously you might have been restricted to computer science or information technology, but now there are actual degrees tailored around computer security.&amp;nbsp; These programs are often sponsored by entities that are focused on cyber security and want to help build the workforce. For example, currently the U.S. government has a shortfall of cyber security professionals. So they have started working with universities to establish these programs to help grow the cyber security field and fill the jobs that they know will be out there.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;2. Get Certifications and Training&lt;/span&gt; &lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Certifications" src="/data/images/NewberryBlog/11-2012_NG_Certifications.jpg" /&gt;Certifications are necessary because they establish a foundation. They identify the individuals that have put in the time and effort to understand the fundamentals of cyber security.&amp;nbsp; The&amp;nbsp;&lt;a href="https://www.isc2.org/cissp/default.aspx" title="CISSP certification website" target="_blank" shape="rect"&gt;CISSP&lt;/a&gt; certification is a well-known and internationally recognized security certification and is a great starting point. But with all the different domains of expertise within the security field, you should hone your craft and acquire certifications for your specific area. &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;3. Use Your Past Military Experience&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;Today, information technology in the military is no different than it is in the corporate world. There are disciplines within the military that focus on IT and cyber security, so veterans have an opportunity to directly transfer their experience from military service into commercial cyber security work.&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;4. Use Your Existing IT Career&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;If you've been in IT for a long time and you have a strong background, you have most likely been exposed to security issues. In all reality, you probably have a level of experience that would qualify you to easily transition and adjust to cyber security work without having to start from the ground up. Talk to your peers or managers about what security opportunities are available to you. Also take some personal initiative to start working on a certification in your area of interest. &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;5. Build Up Practical Experience&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Icon - Build Practical Experience" src="/data/images/NewberryBlog/11-2012_NG_Experience.jpg" /&gt;At the end of the day, just like in any field, you need the qualifications and the practical experience.&amp;nbsp; And you have to work your way up. Unless you have a lot of applicable experience, expect to start at the bottom and prove yourself so that you have the evidence to put in your resume. Certifications are great because they establish a foundation through the training, but practical experience is just as important. If you don't have the experience, be forthcoming about it, but also have the wherewithal to press forward with developing your career.&amp;nbsp;&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #000000;"&gt;Are there jobs out there?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;There is a wide range of cyber-related jobs and almost every industry will have availability whether it's on the commercial side or federal side. In some cases, a cyber opportunity might be there, it just might be coupled with 2 or 3 other roles at the same time; you might be the cyber expert and the IT guru. Newer fields within information technology or security, such as cloud security, mobile security, digital forensics, and malware analysis, are all hot domains so you'll see a lot of opportunities advertised. However, no area in cyber security has lost momentum. Cyber security as a whole is a hot industry to be in, and I predict it to be so for the next couple of decades. It's not slowing down. &lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=35'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=35</link><author>Phillip Justice, Jr.</author><pubDate>Mon, 19 Nov 2012 09:57:00 GMT</pubDate></item><item><title>October is National Cyber Security Awareness Month (#NCSAM)</title><description>&lt;p&gt;&lt;a href="http://www.staysafeonline.org" target="_blank" shape="rect"&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="National Cyber Security Awareness Month" src="/data/images/NewberryBlog/banner%20300x250.gif" /&gt;&lt;/a&gt;We&amp;rsquo;re one of the official champions of National Cyber Security Awareness Month (NCSAM) and there&amp;rsquo;s still time to get involved!&amp;nbsp; National Cyber Security Awareness Month is a campaign focusing on the need for improved online safety and security for all Americans. The National Cyber Security Alliance has sponsored National Cyber Security Awareness Month every October since its founding in 2003.&amp;nbsp; &lt;/p&gt;
&lt;h2&gt;This year&amp;rsquo;s theme is &amp;ldquo;Our Shared Responsibility.&amp;rdquo;&amp;nbsp; So how can you help?&lt;/h2&gt;
&lt;h3&gt;1. Share Tips and Resources with Your Friends and Family&lt;/h3&gt;
&lt;p&gt;The&amp;nbsp;&lt;a href="http://www.staysafeonline.org/" target="_blank" shape="rect"&gt;National Cyber Security Alliance&lt;/a&gt; (NCSA) website is full of tips on how to protect your personal information, teach online safety, and keep your business safe online. Would you know what to do if your &lt;a href="http://www.staysafeonline.org/stay-safe-online/keep-a-clean-machine/hacked-accounts" target="_blank" shape="rect"&gt;accounts were hacked&lt;/a&gt;? Do you need resources to help&amp;nbsp;&lt;a href="http://www.staysafeonline.org/teach-online-safety/" target="_blank" shape="rect"&gt;teach cyber security&lt;/a&gt; in your classroom?&amp;nbsp; Does your small business have a &lt;a href="http://www.staysafeonline.org/business-safe-online/implement-a-cybersecurity-plan/" target="_blank" shape="rect"&gt;Cyber Security Plan&lt;/a&gt;?&lt;br /&gt;
&lt;strong&gt;Find resources and tips on&lt;/strong&gt; &lt;a href="http://www.staysafeonline.org" shape="rect"&gt;www.staysafeonline.org&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;2. Attend An Event and Share It!&lt;/h3&gt;
&lt;p&gt;Organizations all across the United States are hosting cyber-related events to help raise awareness. &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Find an event in your area on the Events page: &lt;a href="http://www.staysafeonline.org/ncsam/events" shape="rect"&gt;www.staysafeonline.org/ncsam/events&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;Stay at your computer and check out these FREE Webcasts from SANS: &lt;br /&gt;
    &lt;strong&gt;Securing The Human&amp;nbsp; &lt;br /&gt;
    Oct 16th&lt;/strong&gt; and &amp;nbsp;&lt;strong&gt;Oct 30th&lt;br /&gt;
    &lt;/strong&gt;Register on their website: &lt;a href="http://www.securingthehuman.org/blog/2012/09/06/three-security-awareness-webcasts-for-oct/" shape="rect"&gt;http://www.securingthehuman.org/blog/2012/09/06/three-security-awareness-webcasts-for-oct/&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Newberry Group is proud to be a part of National Cyber Security Awareness Month. Anyone can help raise awareness in their community. Let&amp;rsquo;s continue to help others stay safe online!&lt;/p&gt;
&lt;p&gt;To learn more about the National Cyber Security Alliance, visit &lt;a href="http://www.staysafeonline.org" shape="rect"&gt;www.staysafeonline.org&lt;/a&gt;.&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=34'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=34</link><author>Newberry Marketing Team</author><pubDate>Mon, 15 Oct 2012 17:55:00 GMT</pubDate></item><item><title>5 Tips to Get Your Data and Computer Storm-Ready</title><description>&lt;span style="font-family: helvetica;"&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px;" alt="Newberry Group Blog - storm image" src="/data/images/NewberryBlog/08-2012_Blog_Banner.jpg" /&gt;&lt;br /&gt;
Hurricane season is upon the southern United States and now is a good time to make sure your data and computer are prepared for an emergency too. Here are some tips to get you started:&lt;/p&gt;
&lt;ol&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Backup your data with an online backup service&lt;/span&gt;&lt;/strong&gt; - There are many online backup services to choose from. This&amp;nbsp;&lt;a href="http://www.pcmag.com/article2/0,2817,2395766,00.asp" target="_blank" shape="rect"&gt;article&lt;/a&gt; by&amp;nbsp;&lt;a href="http://www.pcmag.com/article2/0,2817,2395766,00.asp" target="_blank" shape="rect"&gt;PC magazine&lt;/a&gt; does a great job of outlining the different options available. &lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Copy your User folder (the folder named "Username") to an external hard drive&lt;/span&gt;&lt;/strong&gt; &amp;ndash; This will ensure that all of your documents, photos, videos, music, desktop, and application data such as email archives and application preferences are saved. For the ultimate backup, consider making a "snapshot" of your entire computer with a program such as&amp;nbsp;&lt;a href="http://www.acronis.com/" target="_blank" shape="rect"&gt;Acronis True Image&lt;/a&gt; (PC) or &lt;a href="http://www.bombich.com/" target="_blank" shape="rect"&gt;Carbon Copy Cloner &lt;/a&gt;(Mac). The "snapshot" will allow you to boot from that hard drive if you had to completely restore your files.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;span style="color: #0070c0;"&gt;&lt;strong&gt;Use a battery backup + surge protector&lt;/strong&gt;&lt;/span&gt; &amp;ndash; If you use a desktop computer, a battery backup will provide some buffer time for you to save your files when there is a power outage. Most battery backups also give you the benefit of a surge protector.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;&lt;span style="color: #0070c0;"&gt;Plug your cable modem&amp;rsquo;s coaxial cable into a surge protector&lt;/span&gt;&lt;/strong&gt; &amp;ndash; If you use a cable modem and your computer is directly connected to it via an ethernet cord, be sure to plug the coaxial cable into the battery backup. This will help prevent power surges being transferred from the cable, through the ethernet cord, and on into your computer.&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
    &lt;p&gt;&lt;span style="color: #0070c0;"&gt;&lt;strong&gt;Unplug your computer when not in use during a storm&lt;/strong&gt;&lt;/span&gt; &amp;ndash; The most certain way to avoid power surge damage is to simply unplug your computer from its power cord.&lt;/p&gt;
    &lt;/li&gt;
&lt;/ol&gt;
&lt;/span&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=32'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=32</link><author>Breanna Cooke &amp; Nicholas Trifiletti, contributor</author><pubDate>Fri, 31 Aug 2012 12:19:00 GMT</pubDate></item><item><title>Why do Nigerian scammers say they are from Nigeria?</title><description>&lt;span style="font-family: helvetica;"&gt;
&lt;h1 style="text-align: left;"&gt;&lt;img style="margin-bottom: 20px;" alt="Image of binary code and password" src="/data/images/NewberryBlog/07-2012_Blog_Banner.jpg" /&gt;&lt;/h1&gt;
&lt;p&gt;Far-fetched tales of West African riches strike most as comical. So why do Nigerian scammers say that they are from Nigeria? Why so little imagination? Why don&amp;rsquo;t Nigerian scammers claim to be from Turkey, or Portugal, or Switzerland? Stupidity is an unsatisfactory answer: The scam requires skill in manipulation, considerable inventiveness and mastery of a language that is non-native for a majority of Nigerians. &lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve all seen some form of this "too good to be true," chopped-up-English type of technique designed to part us from a significant amount of money. However, the &lt;em&gt;initial reaction&lt;/em&gt; of a scam-savvy person is just what the attackers are looking for. This scam method relies on a vast numbers game and is examined in &lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Cormac Herley's whitepaper: Why Do Nigerian Scammers Say They Are From Nigeria?" target="_blank"&gt;Cormac Herley&amp;rsquo;s whitepaper&lt;/a&gt;,&amp;nbsp;&lt;em&gt;&lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Why Do Nigerian Scammers Say They Are From Nigeria?" target="_blank"&gt;&lt;em&gt;Why Do Nigerian Scammers Say They Are From Nigeria?&lt;/em&gt;&lt;/a&gt;.&lt;/em&gt; Herley, a researcher at Microsoft, delves into the numbers that make these scams work and the gullibility of the victims. Make no mistake, these scammers are smart and they know what they&amp;rsquo;re doing.&lt;/p&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Image of target and money" src="/data/images/NewberryBlog/07-2012_money.jpg" /&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;Attacks are seldom free.&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;Malicious software can accomplish many things but few programs output cash. At the interface between the digital and physical worlds, effort must be spent. Turning digital contraband into goods and cash is not always easily automated. For example, credentials may be stolen by the millions, but emptying bank accounts requires recruiting and managing mules. The end game of many attacks requires per-target effort. Thus, when cost is non-zero, each potential target represents an investment decision to the attacker. He invests effort in the hopes of a payoff. Therefore, he must "qualify" his victims prior to expending significant amounts of resources (time and money) to attain the prize.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;Who is a target and how are they chosen?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-bottom: 20px; float: right; margin-left: 20px;" alt="Image of target with holes" src="/data/images/NewberryBlog/07-2012_target.jpg" /&gt;There are several models of human behavior that illustrate the theory that when large numbers of communications are cast to random recipients, there is a direct relationship to the number of viable targets harvested. The attacker is looking for people gullible enough to respond to the communication. These people make the "short list" and the attacker continues to nurture these targets until all false positives have been eliminated and there are only true positives left. True positives represent a tiny subset of the initial list of random recipients. In addition to a high gullibility trait, true positives must also have money and an absence of any factors that would prevent them from following through all the way to sending the money. &lt;/p&gt;
&lt;p&gt;Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. These are the communication recipients who respond. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. Therefore, shrewd recipients are, in a sense, helping the scammers by inadvertently classifying themselves as non-viable targets merely by the absence of their response.&lt;/p&gt;
&lt;p&gt;So how does this approach answer the question in &lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf" title="Why Do Nigerian Scammers Say They Are From Nigeria"&gt;Herley&amp;rsquo;s title&lt;/a&gt;? His answer: By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select and tilt the odds in his favor.&lt;/p&gt;
&lt;h2&gt;&lt;span style="color: #a01c33;"&gt;So what&amp;hellip;?&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;You say, "I don&amp;rsquo;t fall for these Nigerian scams so this won&amp;rsquo;t affect me." That&amp;rsquo;s great&amp;hellip; AND keep in mind all that was discussed in this article was only one type of scam. There are millions more scams relying on the same gullibility factors of human behavior with the same end game. &lt;strong&gt;We are the weakest link.&lt;br /&gt;
&lt;br /&gt;
&lt;/strong&gt;&lt;/p&gt;
&lt;span style="color: #000000;"&gt;Read the&amp;nbsp;full whitepaper by Cormac Herley here: &lt;br /&gt;
&lt;/span&gt;&lt;span style="font-family: helvetica;"&gt;&lt;a href="http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf"&gt;http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf&lt;/a&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=31'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=31</link><author>Diane McClain</author><pubDate>Wed, 11 Jul 2012 09:49:00 GMT</pubDate></item><item><title>June is National Internet Safety Month</title><description>&lt;p style="text-align: left;"&gt;&lt;img style="margin-bottom: 20px;" alt="Image of padlocks" src="/data/images/NewberryBlog/06-2012_Blog_Banner.jpg" /&gt;&lt;/p&gt;
&lt;p&gt;Like wearing a bike helmet, staying safe on the Internet is all about taking the right precautions. In celebration of National Internet Safety Month, we&amp;rsquo;re directing you to some resources from the National Cyber Security Alliance&amp;rsquo;s (NCSA) website. The National Cyber Security Alliance is a non-profit organization that collaborates with the government, corporate, non-profit and academic sectors to empower citizens to use the Internet securely and safely. Visit&amp;nbsp;their site, &lt;a href="http://www.staysafeonline.org" target="_parent"&gt;www.staysafeonline.org&lt;/a&gt;,&amp;nbsp;for more information and resources.&lt;/p&gt;
&lt;h3&gt;Tip Sheets&amp;nbsp;from the NCSA&lt;/h3&gt;
&lt;p&gt;The NCSA has put together some tip sheets that&amp;nbsp;are&amp;nbsp;great reminders and can help facilitate Internet safety discussions with your family.&amp;nbsp; Some of the sheets include:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Gaming%20Tips%20for%20Parents%20STC.pdf" target="_parent"&gt;Online Gaming Safety &amp;ndash; Tips for Parents:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;Most video games are connected to the Internet whether they are played through an Internet browser or a computer or gaming console. NCSA gives steps on how you can help keep your child&amp;rsquo;s information safe and be an informed parent. &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Mobile%20Devices%20Safety%20Tips%20STC.pdf" target="_parent"&gt;Mobile Device Safety Tip Sheet:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;With apps that access your location, public wi-fi hotspots, and text messages with suspicious links, mobile safety is just as important as on the home computer. These tips serve as a good reminder about how to safely manage your mobile devices. &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.staysafeonline.org/sites/default/files/resource_documents/Social%20Networking%20Safety%20Tips%20STC.pdf" target="_parent"&gt;Safe Social Networking Tip Sheet:&lt;/a&gt;&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;Taking time to set your privacy settings and being conscious of the personal information you share is what helps keeps social media enjoyable. Go over these tips with your family so that everyone is on the same page about what information should be shared and how to keep accounts secure. &lt;/li&gt;
    &lt;li&gt;&lt;b&gt;For &lt;a href="http://www.staysafeonline.org/tools-resources/tip-sheets" target="_parent"&gt;more tip sheets&lt;/a&gt;, visit &lt;/b&gt;&lt;a href="http://www.staysafeonline.org/tools-resources/tip-sheets" target="_parent"&gt;www.staysafeonline.org/tools-resources/tip-sheets&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Free Security Checkups&lt;/h3&gt;
&lt;p&gt;NCSA has provided a list of security vendors who offer &lt;a href="http://www.staysafeonline.org/tools-resources/free-security-check-ups" target="_parent"&gt;free online security checkups&lt;/a&gt;. Most of these will search for viruses and spyware and will help you keep a clean machine. Check out the list of vendors here: &lt;a href="http://www.staysafeonline.org/tools-resources/free-security-check-ups" target="_parent"&gt;www.staysafeonline.org/tools-resources/free-security-check-ups&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Also, check out the &lt;a href="https://survey2.securestudies.com/wix/p122560761.aspx" target="_parent"&gt;Microsoft Computer Safety Index survey&lt;/a&gt;. The survey will ask you some questions about your online habits, then will walk you through some steps to check the settings on your computer. (For PC only)&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=30'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=30</link><author>Breanna Cooke</author><pubDate>Fri, 22 Jun 2012 10:38:00 GMT</pubDate></item><item><title>Your Digital Footprint: What can you control?</title><description>&lt;p&gt;&lt;img alt="" style="margin-bottom: 10px;" src="/data/images/NewberryBlog/05-2012_Blog_Banner.jpg" /&gt;&lt;/p&gt;
&lt;h4&gt;Do you know how much of your private information is available to strangers?&lt;/h4&gt;
&lt;p&gt;We may be in a digital world but that doesn&amp;rsquo;t mean that we shouldn&amp;rsquo;t take precautions with our information.&amp;nbsp; Many of us do not realize how much of our personal information is available to outsiders and how it contributes to our digital footprint.&lt;/p&gt;
&lt;h4&gt;What is a Digital Footprint?&lt;/h4&gt;
&lt;p&gt;Your Digital Footprint is the information about you or from you (activities, comments, public records) that can be accessed via a digital environment.*&lt;/p&gt;
&lt;h4&gt;The 3 Main Sources of Information&lt;/h4&gt;
&lt;p&gt;Our personal information is available from a variety of sources and much is out of our control: we don&amp;rsquo;t have any say in who can access our information.&lt;/p&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;1. Public Records&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Image of columns" src="/data/images/NewberryBlog/05-2012_public.jpg" /&gt;The Freedom of Information Act was first enacted in 1966 by President Lyndon B. Johnson and supplemented by President Bill Clinton with the Electronic Freedom of Information Act Amendments in 1996.** Some of the information available to anyone as a public record includes: &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Census records &lt;/li&gt;
    &lt;li&gt;Consumer protection information &lt;/li&gt;
    &lt;li&gt;Court dockets &lt;/li&gt;
    &lt;li&gt;Criminal records &lt;/li&gt;
    &lt;li&gt;Government spending reports &lt;/li&gt;
    &lt;li&gt;Legislation minutes &lt;/li&gt;
    &lt;li&gt;Professional and business licenses &lt;/li&gt;
    &lt;li&gt;Real estate appraisal records &lt;/li&gt;
    &lt;li&gt;Sex offender registration files &lt;/li&gt;
    &lt;li&gt;Voter registration &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;2. Web Searches&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Image of search bar" src="/data/images/NewberryBlog/05-2012_search.jpg" /&gt;Have you ever Googled yourself? Almost anyone can be found online. Someone can find information about you through:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;strong&gt;Simple search&lt;/strong&gt; by name, e-mail or phone number (it gives thousands of results!) &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Companies that help you look up anyone&lt;/strong&gt; if you can provide some basic information.&amp;nbsp; Many of the results will come back as free searches and then they offer more in-depth information for a fee. &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Companies who maintain massive databases&lt;/strong&gt; that troll public and government websites for information and sell it to anyone willing to pay. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;&lt;span style="color: #c00000;"&gt;&lt;strong&gt;3. Social Websites&lt;/strong&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;img style="margin-bottom: 15px; float: right; margin-left: 15px;" alt="Newberry Group | Digital Footprint: Social Media" src="/data/images/NewberryBlog/05-2012_social.jpg" /&gt;Do you have a Facebook, Google+ or LinkedIn account?&amp;nbsp; Even with extensive privacy settings, there is no guarantee that the information you share won&amp;rsquo;t get into the wrong hands.&amp;nbsp; A simple status update about being away from home can be an open invitation for a thief.&amp;nbsp; Some of the information you may have shared includes:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Home &lt;strong&gt;address&lt;/strong&gt; and &lt;strong&gt;phone&lt;/strong&gt; number &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Dates&lt;/strong&gt; for vacation and travel &lt;/li&gt;
    &lt;li&gt;Photos or &amp;ldquo;check-ins&amp;rdquo; of &lt;strong&gt;where you are&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;Names&lt;/strong&gt; of your family members &lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;What do you want your Digital Footprint to be?&lt;/h4&gt;
&lt;p&gt;Take steps to protect yourself and the information that you can actually control.&amp;nbsp; Privacy controls are an important component when interacting with online resources.&amp;nbsp; Regularly reviewing and setting your privacy controls helps limit what is available to the general public. Not everyone will look at the pictures, posts, blogs, likes/dislikes or comments without evil intent.&amp;nbsp; Being aware of what you are putting online and who might see it is the best step in protecting yourself.&lt;/p&gt;
&lt;p&gt;* &lt;a href="http://en.wikipedia.org/wiki/Digital_footprint"&gt;http://en.wikipedia.org/wiki/Digital_footprint&lt;/a&gt;&lt;br /&gt;
** &lt;a href="http://en.wikipedia.org/wiki/Public_records"&gt;http://en.wikipedia.org/wiki/Public_records&lt;/a&gt;&lt;/p&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=29'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=29</link><author>Valerie Root</author><pubDate>Wed, 09 May 2012 09:59:00 GMT</pubDate></item><item><title>Identifying and Reporting Suspicious E-mail</title><description>&lt;p&gt;&lt;img alt="" style="margin-bottom: 20px;" src="/data/images/NewberryBlog/04-2012_Blog_Banner_700px.png" /&gt;&lt;br /&gt;
&lt;span style="font-size: 13px;"&gt;&lt;strong&gt;If you are like me, you receive the occasional e-mail that just doesn&amp;rsquo;t look quite right.&lt;/strong&gt;&lt;/span&gt; It may be from an anxious individual looking for your help to move their recent monetary windfall out of their impoverished country. Or it&amp;rsquo;s from someone who has a &amp;ldquo;can&amp;rsquo;t miss&amp;rdquo; investment opportunity that just needs some additional capital.&amp;nbsp; Or it&amp;rsquo;s from someone who is simply looking for a sales quote for a business that just doesn&amp;rsquo;t look right.&amp;nbsp; While I am sure that none of us have taken that bait, we shouldn&amp;rsquo;t ignore these suspicious e-mails.&amp;nbsp; We should be reporting them to the Defense Security Service (DSS) and the Federal Bureau of Investigation (FBI).&amp;nbsp;&lt;/p&gt;
&lt;h4&gt;How do I know if it&amp;rsquo;s suspicious?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_Virus.png" /&gt;Most of us understand that phishing is the act of someone trying to elicit personal information from you so they can exploit you or IT systems/accounts that you have access to. However, what if these e-mails do not ask for anything other than your simple response?&amp;nbsp; Many of the examples above only ask you to respond and, if you do, they will &amp;ldquo;send you further information.&amp;rdquo;&amp;nbsp; Once you respond and essentially confirm your e-mail address is active, these devious folks commonly do a number of things.&amp;nbsp; They do as they promise and send a response back that is typically malware or spyware that infects your computer or network.&amp;nbsp; They also typically sell your e-mail address to hackers or spammers who inflict their own damage to your systems.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;What do DSS and the FBI do?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_DSS.png" /&gt;The DSS and FBI depend heavily on leads and information from the general public. It is rare for Federal investigation cases to be initiated by the DSS or the FBI. The sources of many of their investigations stem from reports from the general public. To aid in their data collection, we can forward suspected e-mails to them. DSS and the FBI then track these to the source, compile them with other data on file, and determine if an investigation is required.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;Should I report everything?&lt;/h4&gt;
&lt;p&gt;&lt;img alt="" style="width: 125px; margin-bottom: 15px; float: left; height: 125px; margin-right: 15px;" src="/data/images/NewberryBlog/04-2012_Blog_Reporting.png" /&gt;It is important to keep in mind that not all unsolicited e-mail is malicious. Legitimate companies often send mass e-mails hoping to gather customers. And those lengthy &amp;ldquo;Terms and Conditions&amp;rdquo; that we all ignore when signing up for an online service or purchasing software often gives the recipient authority to use your e-mail address as they see fit.&amp;nbsp; Always remember that you should never open any attachments that come from unknown or unexpected recipients.&lt;/p&gt;
&lt;br /&gt;
&lt;h4&gt;How do I report suspicious e-mails?&lt;/h4&gt;
&lt;ol&gt;
    &lt;li&gt;Seek the advice of your company&amp;rsquo;s &lt;strong&gt;Security Officer or IT Department&lt;/strong&gt; on how to handle and report malicious e-mails. &lt;br /&gt;
    &lt;strong&gt;&lt;span style="color: #c00000;"&gt;OR&lt;/span&gt;&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;Visit the &lt;strong&gt;FBI&lt;/strong&gt; website for instructions: &lt;a href="http://www.fbi.gov/scams-safety/e-scams"&gt;http://www.fbi.gov/scams-safety/e-scams&lt;/a&gt; &lt;/li&gt;
&lt;/ol&gt; &lt;br /&gt;&lt;i&gt;&lt;a href='/Blog/?id=28'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;</description><category>Cyber Security</category><link>http://www.thenewberrygroup.com/Blog/?id=28</link><author>Jerry Kennedy</author><pubDate>Wed, 18 Apr 2012 15:45:00 GMT</pubDate></item><item><title>Deeply Embedded Metadata</title><description> &lt;br/&gt;&lt;i&gt;&lt;a href='/Blog/?id=27'&gt;Click here&lt;/a&gt; for more information.&lt;/i&gt;&lt;br/&gt;&lt;hr /&gt;</description><category>Archived</category><link>http://www.thenewberrygroup.com/Blog/?id=27</link><pubDate>Mon, 01 Jan 0001 00:00:00 GMT</pubDate></item></channel></rss>