Posts

Regular Software Patches Could Have Prevented Equifax Breach

Published with Permission by:
Lint, James R., “Regular Software Patches Could Have Prevented Equifax Breach”, In Cyber Defense, 3 October 2017, Web, http://incyberdefense.com/james-lint/regular-software-patches-prevented-equifax-breach/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

We often think of Equifax as a company that can be trusted to securely save and control our personal information. But as CNN Money’s Kaya Yurieff reported in September, “A huge security breach at credit reporting company Equifax has exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans.”

It seems that some rookie mistakes were made. However, this breach provides good lessons that can be used to protect future victims.

Splitting Up Your Security May Make for a Weaker Brand

Wired Magazine reported that Equifax started directing potential victims of the breach to a new, quickly constructed website called “equifaxsecurity2017.com.” However, “quickly” often does not mean securely built. Bugs were found in the new site, which was ostensibly designed to discuss protection from breaches.

This revelation is not a confidence builder for Equifax victims. It would have been logical to put the information on the website Equifax.com, which was already online and branded. Using the existing Equifax website would have given customers more confidence that they were getting the correct information.

One possible reason for this change to a new website might have been that Equifax did not trust its own security on its branded website. Yes, Equifax was hacked, but it was the databases containing personal information that were hacked. Normally, the main website could be secured again quickly from a backup disk.

The new website asked people to input the last six digits of their Social Security number to check if their information was compromised in the breach of Equifax servers. But the website asking for this information also had bugs.

Again, that was not a confidence builder for Equifax. Future organizations in Equifax’s situation will probably try to remain on their branded sites.

Using an Established Branded Website versus a Non-Branded Website

Nick Sweeting, a web developer, thought it strange for Equifax to set up a non-branded website. He set up “securityequifax2017.com” (note: the fake site’s name was a simple transposition of two words) to show how traffic could be driven to a wrong or malicious website. Sweeting created the site not to cause harm, but to show the potential damage a non-branded website could do.

Sweeting set up the bogus phishing site to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting told The Verge.

Compounding the confusion for Equifax victims, customers were sent to Sweeting’s website when they called the Equifax help desk. One Equifax employee even tweeted Sweeting’s fake website four times. Luckily, the alternate URL was not malicious.

“A day after the breach and launch of the legitimate help website, scammers had created 194 phishing websites that shared similar addresses with equifaxsecurity2017.com,” USA Today reported on September 21.

Equifax Acknowledged that It Failed to Ensure Software Patches Were Properly Installed

According to a September 24 Wired article by Lily Hay Newman, “The fact that attackers got into Equifax’s systems through a known vulnerability with a patch available galls security analysts. But the company also acknowledged that it knew about the patch when it was first released, and had actually attempted to apply it to all its systems.”

The fact that the company failed to ensure that the patches were properly installed and tested does not bode well for any future court actions against Equifax.

Newman also quoted Michael Borohovski of Tinfoil Security, who commented on Equifax’s mistake of tweeting out the wrong website for victims of the hack: “When your social media profile is tweeting out a phishing link, that’s bad news bears.”

We like to believe that large companies holding the credit history of over 100 million Americans is incredibly strong. Sometimes, that is an illusion.

In this case, just as in the WannaCry ransomware attacks, the Equifax security breach could have been prevented if the company had installed updates on all of its systems. However, this did not happen and Equifax became the latest victim of a preventable hack.

Former Equifax CEO to Face the Senate Committee on Banking, Housing and Urban Affairs on October 4

Equifax’s former CEO, Richard Smith, is scheduled to talk with a Senate committee on October 4. Their discussions will cover Equifax’s security lapses and the Equifax executives who sold stock before this breach was discovered. Currently, there is no proof of insider trading on privileged information, but the appearance of wrongdoing is there.

One of the worst management mistakes made by Equifax in the handling of this incident was stated in CNN Money. Journalist Jackie Wattles noted that “Equifax initially asked affected customers to give up their right to sue the company in exchange for credit monitoring services.”

The concept of breaking even or making a profit during a crisis breach is unusual. Many victims viewed it as outrageous that Equifax wanted to charge fees for doing credit freezes to protect themselves from Equifax’s errors.

Additionally, the idea of giving up the ability to sue for damages in exchange of protection created a public relations nightmare. The company stock has rapidly fallen by 32%. This shows that crisis management and cyber defense failures are costly to executives who are often paid bonuses based on stock prices.

Did State-Sponsored Espionage Play a Role in the Equifax Hack?

While investigations are still continuing, the hackers who penetrated Equifax used techniques that are similar to the techniques used by nation-state hackers. Bloomberg reported, “One person briefed on the probe being conducted by the Federal Bureau of Investigation and U.S. intelligence agencies said that there is evidence that a nation-state may have played a role, but that it doesn’t point to China. The person declined to name the country involved because the details are classified.”

Later, the same article showed that “One of the tools used by the hackers — China Chopper — has a Chinese-language interface, but is also in use outside China.” Most espionage hacks have layers to hide the true identity of the nation-state doing the hack. It will take a few more months to hopefully work towards the attribution of a nation-state identity.

The Golden Rule of Cybersecurity: Patch Now, Patch Often

If this were a humorous article, it might be worth mentioning that in Argentina, Equifax had a system running on weak credentials. Both the login and the password were “admin.”

Of course, this is not a humorous article. The havoc caused by the Equifax breach will last for years. And it could all have been avoided by simply updating the system with the new software patches.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

BSidesLV Information Security Conference Provides Useful Job Information

Published with Permission by:
Lint, James R., “BSidesLV Information Security Conference Provides Useful Job Information”, In Cyber Defense, 27 July 2017, Web, http://incyberdefense.com/james-lint/bsideslv-information-security-conference-provides-useful-job-information/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

In addition to learning more about information security, the BSidesLV Information Security Conference in Las Vegas is a target-rich environment for gaining information about jobs. In some cases, you might even have the chance to interview with potential employers as well.

Amazon Offers Jobs to Military, Military Spouses and Dependents

I saw someone at BSidesLV wearing a shirt that read “Warriors@Amazon.” He was a former Marine who now works for Amazon. He talked about how Amazon offers some of the same camaraderie that most military members miss after getting out of the service.

In fact, Amazon has three job websites that relate to the military. One website discusses the military community within Amazon. It states that “Amazon Warriors is made up of Amazonians who have served in their respective country’s military forces, those who are still serving and all Amazon employees who support them. The group’s mission is to provide its members a professional network and a means to organize community outreach programs, to aid veterans during their transition into the Amazon workforce and to be a resource for recruiting top military talent.”

The second website is about jobs for service members transitioning out of the military, veterans and military spouses. The website includes a quote from owner and founder Jeff Bezos about the military needs of Amazon. Bezos says, “We actively seek leaders who can invent, think big, have a bias for action and deliver results on behalf of our customers. These principles look very familiar to men and women who have served our country in the armed forces, and we find that their experience leading people is invaluable in our fast-paced work environment.”

Amazon’s third website offers support to military dependents, often called military brats. In Amazon’s Career Choice program, Amazon pre-pays up to 95 percent of tuition for courses related to in-demand fields, regardless of whether the skills are relevant to a career at Amazon. The website also states, “Investing in our employees is one of the many reasons Amazon is an employer of choice for military families.”

#brainbabe – Advocating and Supporting Women in Cyber Jobs

Cyber or information technology conferences often lack many female participants. One organization that supports bringing women into the information security profession is the nonprofit #brainbabe.

Its mission statement notes that “#brainbabe is directly impacting three statistics:

10% of the cyber security workforce [are] women, 1% of the cyber community are women leaders, 53% of women end up leaving the industry.”

#brainbabe supports changes that will attract and utilize women in cyber security. On #brainbabe’s website, Deidre Diamond, #brainbabe’s founder and CEO, discusses her background and states, “As a woman who was hired as an entry-level employee with a liberal arts degree and trained to lead sales teams for tech companies, who has been the CEO of a software company, and who is currently the Founder and CEO of a cyber security company, I have a lot of content and enthusiasm to offer the tech community about training people — specifically, women.”

Diamond is a motivated person who strongly believes in training. She and her crew often attend conferences such as BSidesLV and speak about how to increase the cyber workforce by training and bringing more women into cyber security.

She says on the website, “We can attract more women into cyber security while fostering the interpersonal and communication skills needed to retain them.” The training and improved communication skills may be a solution for growing our future cyber workforce in both the corporate world and government sector.

New People You Meet at Conferences Are a Rich Source of Industry Information

Attending conferences such as BSidesLV is more than just about learning in a conventional manner as you listen to scheduled talks. It is also about meeting people in the booths, on the floor or at lunch tables.

By meeting others at the conference, you sometimes learn just as much information as you do at formal presentations. Conferences show that learning happens everywhere, if you keep your eyes and brain open to new ideas.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

First Day at BSidesLV Information Security Conference Offers Insightful Lessons

Published with Permission by:
Lint, James R., “First Day at BSidesLV Information Security Conference Offers Insightful Lessons”, In Cyber Defense, 26 July 2017, Web, http://incyberdefense.com/james-lint/first-day-bsideslv-information-security-conference-offers-insightful-lessons/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

The BSidesLV Information Security Conference was filled to capacity on the first day of the show. This free conference has grown in popularity over the years, generating lots of interest because of its excellent speakers and topics.

Both the speakers’ pool and the various interest tracks enlighten experienced professionals as well as young people looking to break into the information security field.

Security Innovator Urges Business to Involve CSOs in Their Operations

Allison Miller delivered one of the opening addresses. Miller has worked at the intersection of cybersecurity, human behavior and predictive analytics for almost two decades.

She is an innovator in the security industry’s data-driven detection technology, specifically within security, anti-fraud/anti-abuse and payments/commerce systems. In her talk, “Something Wicked: Defensible Social Architecture in the context of Big Data, Behavioral Exon, Bot Hives and Bad Actors,” Miller urged companies to integrate their chief security officers (CSO) into their business operations.

A CSO pushed to the side or not in the boardroom often does not have the full picture of the organization, she said. That results in the CSO not having enough knowledge to protect all organizational assets or to understand what targets would attract hackers.

Miller noted that with so much new and expensive technology on the market, CSOs must understand that their purchasing decisions have a cost. Miller said CSOs must know how to communicate new technologies’ return on investment (ROI) to the board members.

Today’s cyber defenders must design architectural systems that operate in real time at Internet speeds, while also protecting millions of customers, transactions, end points and actions on any given day. As scale and complexity grow exponentially, manual intervention must be the exception and not the expectation, Miller noted. The future is new design-driven approaches infused with data and artificial intelligence to bolster cyber defenses.

Penetration Tester Recounts How He Accidentally Got a Job in Information Security

Johnny Xmas is a penetration tester for Chicago-based MMS and security assessment firm Redlegg International. Xmas shared his story of weaving through many career beginnings, but never gaining traction on a career path.

His passion for computers and technology led to many short-term contract jobs. Xmas became the man people called to solve computer problems, but no one ever wanted him for a full-time job.

His career path changed one evening while he and his roommates were having their weekly board game night. One of the new players, who turned out to be a senior information security professional at Office Max, said he was looking for someone to hire who was well versed in information security. Xmas spoke up and got the job.

Xmas told the audience to take advantage of social events because you never know who is attending. You won’t get a job if you don’t network and let people know you are interested in working for them, he added.

Security Mentor Explains What a Career in Public Service Is All About

Bobbie Stempfley has been a mentor to many aspiring security professionals. She reviewed her career in the Hire Ground Track of BSidesLV. Hire Ground gives job seekers resume reviews and interview practice.

Stempfley said her engineering degree wasn’t much use when she started her career as an intern shredding documents for the Army. However, she gained skills and a good deal of knowledge by observing how information security professionals went about their jobs.

That internship launched her decades-long career in public service with the Army, Department of Energy and the Department of Homeland Security. In 2015, Stempfley resigned as DHS Deputy Assistant Secretary of the Office of Cybersecurity and Communication to take a position with The MITRE Corporation.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

BSides Las Vegas Information Security Conference Opens

Published with Permission by:
Lint, James R., “BSides Las Vegas Information Security Conference Opens”, In Cyber Defense, 26 July 2017, Web, http://incyberdefense.com/james-lint/bsides-las-vegas-information-security-conference-opens/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for In Cyber Defense and Contributor, In Homeland Security

BSidesLV, a non-profit organization designed to advance information security knowledge, opened its annual two-day open conference in Las Vegas on Tuesday, July 25.

BSidesLV includes discussions and debates for security engineers and their affiliates. But what makes this conference unique is that admission is free; costs are covered by donors and sponsors.

As the 2017 handbook states, “The technical and academic presentations at BSidesLV are given in the spirit of peer review and advanced knowledge dissemination.”

BSidesLV Offers Multiple Specialized Presentations to Suit Needs of Attendees

BSides LV offers a multitude of presentation tracks to help attendees improve their knowledge. The various tracks are indicative of the scope of the convention – everything from new research and password protection to hiring opportunities.

Breaking Ground Track

In the Breaking Ground Track, speakers present new and ongoing research and solicit attendees’ feedback, insight and opinions.

Ground 1234! Track

The Ground 1234! Track is all about password security. Its sessions include topics such as why people need to entirely rethink the use of passwords, as well as how to make passwords easier for end users without compromising security.

Proving Ground Track

In the Proving Ground Track, first-time speakers have a platform to make their voices heard in a welcoming environment, supported by mentors who assist them in their preparation and practice runs. First-time speakers give BSidesLV attendees an opportunity to hear about new topics and new research.

Ground Truth Track

Ground Truth focuses on innovative computer science and mathematics as applied to information security, natural language processing, machine learning, statistics and all manner of big data manipulation and analysis.

I Am The Calvary Track

This track features presentations from a group of information security advocates called “I Am The Cavalry.” This group examines IT issues and how they affect human life and public safety.

Job Hunters Track

Besides being a rich environment for learning and networking with information security professions of all skill levels, BSidesLV is also an event of interest to organizations looking to hire additional staff.

Hire Ground is a series of talks devoted to the hiring process – everything from resumes to interviews. For this track, a large conference room is reserved for human resources employees and hiring managers, who review job seekers’ resumes and conduct interviews.

One of the more interesting companies in Hire Ground is ClearedJobs.Net. According to its website, “ClearedJobs.Net is a veteran-owned career site and job fair company for professionals seeking careers in the defense, intelligence and cyber security communities.”

The success of the conference is dependent on the effort attendees put into learning and networking. There is something for everyone to learn at BSidesLV, and even the possibility of finding new employment opportunities.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

Cybersecurity Hazards Abound in Airports, Parking Lots and Conventions

Published with Permission by:
Lint, James R., “Cybersecurity Hazards Abound in Airports, Parking Lots and Conventions”, In Cyber Defense, 19 July 2017, Web, http://incyberdefense.com/james-lint/cybersecurity-hazards-abound-airports-parking-lots-conventions/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

With so much public attention to viruses, ransomware and cyberattacks, you might think that you’ve heard all the possible ways someone can attack your computers or mobile devices. But there are many bad actors who have devised devious ways to get your data through public charging stations, USB hub power stations and thumb drives.

Public Wi-Fi Poses a Cybersecurity Risk

Watch out for Wi-Fi hotspots that are not sponsored by an airport or your hotel. If you notice that the airport or hotel’s Wi-Fi service has a slight variance in the service’s name or has a #2 added to the actual name of the hotspot, that is a fake hotspot used by scammers. Others can access your computer or phone and use it as a launch pad for other activities.

Public Charging Stations Can Collect Your Private Data

For the convenience of travelers, airports offer free charging stations. However, “free” is not always good and it is easy for a tired traveler to make security mistakes.

A new way for hackers to access your data is through phone data cords plugged into “free” USB charging stations. These phone data cords can also be used to connect your phone to a USB port on your laptop. When you transfer data or pictures from your phone to your laptop, for example, that data or those images are vulnerable to a hacker.

Unfortunately, some USB charging hubs have more than just a charging capability. They can contain a hidden hard drive that can suck in your personal photographs, an important PowerPoint presentation or Word documents relating to your company’s business. This type of data is valuable and eagerly sought by hackers.

USB Hub Power Stations Could Also Be a Cybersecurity Risk

Be wary of public USB hubs with eight plug-in ports. When you plug your USB device into one of these ports, do you know the people around you who are also plugged into the ports? Your company’s competitors or your government’s enemy could be using those same ports.

That same hub could be configured to allow one port to pull data from the other ports by introducing a new motherboard or modifying the existing motherboard in the USB hub power station. Most of us have no idea of that potential for hacking when we blindly plug in our devices and are happy to get free power. Depending on the data loss you could incur, maybe that power is not really “free.”

USB Thumb Drives ‘Lost’ in Parking Lots

Penetration testers, hackers and espionage agents have another way to collect your data through what appear to be “lost” thumb drives. They will drop a couple of USB thumb drives in company or government parking lots. This process is called “seeding.”

Unwary employees pick up these thumb drives, take them into their office and plug them into their computer. Most of these people are Good Samaritans simply trying to identify the owner and return the thumb drive. Sadly, the thumb drive could contain a virus that attacks the organization’s networks and allows outsiders in to steal data.

This same seeding technique has worked at conventions and conferences. Convention display booth workers often hand out thumb drives that ostensibly feature their company’s products. But the same thumb drives can contain vulnerabilities that are a hazard to your network and data.

Cybersecurity Precautions to Take When You Travel

  • In airports or other public facilities, do not trust free USB hub power stations. Carry a second power pack, power cord or battery to power up your devices.
  • Be wary of Wi-Fi hotspots that have additional numbers or misspellings in their names.
  • Never pick up a “lost” USB thumb drive and stick it into your computer or mobile device. Turn it into your organization’s security office. If you have no other alternative, plug it into a stand-alone machine, not one that is connected to your organization’s network.

The common link to all of these types of cyberattack is the lure of getting something for free. As someone once said, nothing in life is free. Sometimes in cyber, free can be a hazard and cause disruption.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, Secrets to Getting a Federal Government Job.”

Cyber Security Professionals Must Prevent Attacks or Be Terminated

Published with Permission by:
Lint, James R., “Cyber Security Professionals Must Prevent Attacks or Be Terminated”, In Cyber Defense, 14 June 2017, Web, http://incyberdefense.com/james-lint/cyber-security-professionals-must-prevent-attacks-terminated/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

My recent article, “Cyber Defenders Are Often Not Fired, When Others Would Be” stirred responses from many physical security professionals. The common theme was that there are standards in physical security, but the cyber security problem is too difficult to solve. Cyber defenders, however, know standards and solutions are available.

Cyber Defense Standards Can Be Found

The National Institute of Standards and Technology (NIST) has created a cyber security framework for private sector organizations to assess their ability to prevent, detect and respond to cyberattacks.

The “The Framework, which was created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure.”

Also, on May 11, 2017, the White House released a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

The United States Computer Emergency Readiness Team, a division of the Department of Homeland Security, (US-CERT) website states that US-CERT “strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.”

The US-CERT website has numerous publications, alerts, tips, and resources. It is updated daily, and has many ways to be contacted.  Any cyber defenders who have not signed up for the alerts and tips email list are missing good professional development and also timely protection information for their organizations.

Comparisons of Physical Security and Cyber Security

Many physical security personnel are not trained in cyber security, just as many cyber security personnel are not trained in physical security. Training helps both.

Physical security specialists are trained for many different sectors such as government security, security for intelligence facilities, shopping centers, banks, and hospitals. No one is an expert in all of those sectors. The security standards for a Top Secret intelligence facility are much different from those of a hospital. In turn, a hospital security is different than that of a bank.  With all the knowledge needed in these sectors, why would some people think they can also be experts in cyber security/defense?

Cyber Defenders Must Install Updates

Companies that do not upgrade their software are as derelict as those companies that leave a door open to thieves.

On Friday, May 12, the BBC reported an international ransomware attack involving hackers using ransomware called WanaCrypt0r 2.0. As many as 74 countries, including the U.K., U.S., China, Russia, Spain, Italy and Taiwan, were affected. Thousands of computers were locked by a program that demanded $300 in Bitcoin for each hacked computer. But in March Microsoft had issued the first patch to prevent the WannaCry attack.

That means all those companies and officials who were affected by WannaCry Ransomware could have prevented the attack if they had installed Microsoft’s update and upgrades two months earlier.

Why are boards of directors not firing CIOs and senior IT managers who fail to take steps to prevent cyberattacks?  Why are they not firing CEOs who did not ensure that their CIOs and IT managers implemented the Microsoft update patches? Why do they treat cyber security personnel so cavalierly but do not reprimand or fire physical security personnel who make similar errors?

Visual Comparison of Security Physical Holes and Unpatched or Upgraded Networks

If a company does not repair a large hole in its building for two months, wouldn’t that be cause for termination of its security manager? Would that business’s insurance company continue to insure a firm with a large hole in its building?

If you don’t patch a hole in your fence, people will think you are incompetent or lazy. If you leave a large hole in your building you should be fired for cause. Why do we not hold CIOs to the same standard of responsibility? It really is that simple. There will be new innovative hacks in the future. But any security professional who does not deal with existing vulnerabilities should be fired.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

Cyber Defenders Are Often Not Fired, When Others Would Be

Published with Permission by:
Lint, James R., “Cyber Defenders Are Often Not Fired, When Others Would Be”, In Cyber Defense, 01 June 2017, Web, http://incyberdefense.com/news/cyber-defenders-often-not-fired-others/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

If a security guard does not make his rounds at night and a door is left open, should he get in trouble with his superiors? Should he be reprimanded? If a robbery occurs because of the open door, should he be fired?

Is it fair then that cyber defenders or information technology security specialists are not fired after a cyberattack?

Cyber defense used to be a safe job after a crisis, if the IT specialists had documented what the company needed to protect itself from a cyberattack and management did not act on those recommendations and purchased the products or services that could have enhanced security.

Cyber Security Is Still Undefinable

Yahoo, LivingSocialFacebook and Twitter spent millions of dollars to protect their networks and data. Yet all were victims of massive cyberattacks. They discovered the truth in the security managers’ words of wisdom that “there really is no such thing as perfect security.”

Any system, building or company can be penetrated. No set of security measures will completely protect against determined cyber hackers. Security continues to evolve based on the threat actors.

If any company used the same security and firewalls today as it did in 2005, even amateurs in the security field would laugh. It would probably be smarter to invest in a welcome mat instead of a 2005 firewall. (There is a possibility that they would cost the same.)

What Cyber Defense Managers and CIOs Need to Do to Protect Their Jobs

In 2013, a credit card breach at Target put 40 million shoppers at risk. In the end, the CEO and the chief information officer lost their jobs. The incident illustrated how a cyber security incident can affect cyber leaders and managers.

The IT Security for Managers website noted that “Target, in fact, passed their compliance requirements several months before the breach occurred, but as evidence now clearly shows, they were not secure.”

To prove its point that compliant does not mean secure, the website recalled a historic tragedy. “[T]he Titanic was actually compliant with the British Board of Trade, which required all boats over 10,000 metric tons to have 16 lifeboats. It didn’t matter how many passengers were on board. Just put 16 lifeboats on. So was the Titanic compliant? Yes. Did compliance avoid a tragedy? No.”

Law360, a LexisNexis company website, reported on an internal probe of Yahoo’s “trio of data breaches believed to have affected at least 1.5 billion users.” The probe concluded that certain senior executives failed to adequately respond to the incident. As a result, Yahoo‘s general counsel resigned and CEO Marissa Mayer’s annual bonus for 2016 was withheld.

Protect Yourself and Your Organization

Documenting company safeguards is critical when corporate executives have to go to court for a breach of contract dispute or for a management hearing for termination. Here is a brief checklist that can help to protect you and your organization:

  • Know where your security response plans and procedures are located.
  • Can you prove you exercised those plans?
  • Did senior managers participate so they knew their responsibilities and can support you?
  • Alternatively, were senior managers notified of the exercises?
  • If not, why not?

Not involving senior managers in cyberattack plans, procedures and resolutions can be a career-ending decision. Cyber defenders should have written documentation to that effect. Every exercise should have a post-action report that shows what was learned, what was performed well, and where the weaknesses in training, equipment and processes were.

Free Information and Government Readiness

The Department of Homeland Security’s “Ready” program has information on before, during and after a cyber incident. The DHS also has information and a monthly newsletter at its Stop. Think. Connect. campaign.

A more technical email list is from the United States Computer Emergency Readiness Team (US-CERT) provides a more technical mailing list.

The information is out there to protect your organization. So stay secure!

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

Hacking Assistance for Social Oversharing

Published with Permission by:
Lint, James R., “Hacking Assistance for Social Oversharing”, In Cyber Defense, 30 May 2017, Web, http://incyberdefense.com/news/happy-birthday-hacking-assistance-social-oversharing/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

For some 40 years, the U.S. military has required all service personnel to wear identity tags, also known as dog tags, which include each soldier’s Social Security Number (SSN). In the recent years, dog tags provide a name, SSN, blood type and religion. All are essential items when soldiers are injured or worse.

Now the Army is changing the dog tag to protect soldiers’ data. It will switch to a 10-digit, randomly-generated number on an as-needed basis, said Michael Klemowski, Soldiers Programs Branch chief, U.S. Army Human Resources Command. The first to get the new dog tags will be those units being deployed into hostile locations.

One reason for the change is that in today’s battlefield, being captured wearing a dog tag with the soldier’s name and SSN could create trouble for the soldier and his family. The enemy is savvy and could use the SSN and the Internet to exploit bank accounts and other personal data.

Even in an organization as tradition-bound as the U.S. Army, change is possible. This switch to a 10-digit dog tag should be an example to other organizations that use or require more privacy data than needed on identification badges or other forms of ID.

Avoid an Un-Happy Birthday by Keeping Certain Data off the Internet

When people post their birthday on social media such as Facebook or LinkedIn, they expect to receive many Happy Birthday greetings for a couple of days before and after their birthday.

There is also the possibility they could have an unhappy birthday, too. Posting a birth date can be used by hackers to reset passwords on email accounts, bank accounts and other personal apps.

Sadly, some websites will ask for your birthday as an identity check. Often, they are not looking to know someone’s age, just what is stated as that person’s age for their inquiry verification. But that information is now in a database.

Cyber Security Defenders Call Birthday Data Vulnerabilities

Professor Herbert H. Thompson asked some of his acquaintances for permission to break into their online banking accounts. The goal was to access their online accounts using the information about them, their families and acquaintances that is freely available online.

He described his hack into a bank account in an article in Scientific American: “In a rare moment of clarity, I simply searched her [university email server] for ‘birthday.’ She made a reference to it on a post that gave me the day and month but no year.”

Thompson’s guess of her birth year turned out to be off by only one year. That was enough to successfully change her passwords, because of the number of attempts allowed on the email system.

Hackers call these attempts guesses; cyber security defenders call them vulnerabilities.

“A birth date, along with a name and hometown, can be used in a formula to recreate your Social Security information,” cyber security expert John Sileo told ABC News. “And, those are three defaults on Facebook.”

Your Birthday Can Lead To Your SSN

“[M]ost of the SSN-related ID theft problems have resulted from institutions that were careless with their record keeping, allowing SSNs to be harvested in bulk,” says ARS Technica. But a “pair of Carnegie Mellon researchers has now demonstrated a technique that uses publicly available information to reconstruct [individual] SSNs with a startling degree of accuracy.”

This came from a 2009 article. Most of us would readily agree that technology has changed a lot since then. The hackers too are much more advanced.

Industry Must Adopt Data Protection Methods Like the Army Has Done

We see the U.S. Army make improvements in data protection. Now we need to see similar improvements in industry. The future is bright for cybersecurity engineers, innovators and inventors. There is a wide-open race to build security safeguards into the programs and devices we use.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”

Cyber Warfare: Could It Be in Our Future?

Published with Permission by:
Lint, James R., “Cyber Warfare: Could It Be in Our Future?”, In Cyber Defense, 20 Apr. 2017, Web, http://incyberdefense.com/james-lint/cyber-warfare-future/

By James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Last week, the Army published a new and unclassified document, Army Field Manual 3-12Cyberspace and Electronic Warfare Operations. However, it appears that U.S. cyber superiority is not as dominant as we believe.

The foreword of FM 3-12 says that in the past decade, “U.S. forces dominated cyberspace and the electromagnetic spectrum (EMS) in Afghanistan and Iraq against enemies and adversaries lacking the technical capabilities to challenge our superiority in cyberspace.” Unfortunately, this manual also gives bad news, stating “However, regional peers have since demonstrated impressive capabilities in a hybrid operational environment that threaten the Army’s dominance in cyberspace and the EMS.”

What is the significance of this statement? It means that not just the leading powers of Russia and China can impact our dominance of cyberspace, but smaller countries such as North Korea, Iran or similar economically inferior countries have the opportunity for cyber warfare as well.

Cyber Warfare Today Is Cheaper for Smaller Countries

The world has changed and many countries are investing in the brainpower needed for the relatively cheap weaponry of cyber. For example, the M1 Main Battle Tank per unit cost was $6.21 million in 1999. Now, the price of 10 cyber warriors (formally called geeks two decades ago) is much more cost-effective.

Cyber warfare can cause damage to defense and civilian infrastructures. Countries with smaller budget can now have field forces that can hurt the U.S. population and slow military deployments.

In the past, cyber warriors would have been a source of comedy, but not today. While M1 tank operators are well known for their swagger, now it’s the hackers who can do major operational or strategic damage while the tank operators can only influence a tactical battlefield.

Examples of Strategic Hacking

Ukraine has been the target of two large power disruptions in 2015 and 2016, which impacted a total of 100,000 to 225,000 people. The 2015 attack alone affected 225,000 people; a pro-Russian group called Sandworm was the suspected attacker. These hackers denied people heat during a cold Ukrainian winter.

The Sony Corporation hack in 2014 cost Sony $35 million in information technology repairs. If this attack had occurred in a government or military organization, the cost would be equally high. Imagine an attack on government or military research and development site. The price could easily climb to the cost of the Sony hack and could influence future national security and combat superiority at the same time. An attack on government organizations isn’t only expensive; it can have a huge effect on a country’s future.

US Readying Its Ability to Fight Cyber Wars

U.S. cyber leaders and the U.S. uniformed forces’ cyber commands are growing their cyber-fighting capabilities. With the publication of this new cyber field manual, the U.S. military has clearly recognized that cyber is a warfighting domain.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 45th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017, Secrets to Getting a Federal Government Job.”

What to Do during the Federal Hiring Freeze

Published with Permission by:
Lint, James R., “What to Do during the Federal Hiring Freeze”, In Cyber Defense, 7 Feb. 2017, Web, http://incyberdefense.com/news/federal-hiring-freeze/

Commentary by James Lint
Faculty Member, School of Business, American Military University
Senior Editor for
 In Cyber Defense and Contributor, In Homeland Security

Now that President Trump has instituted a 90-day federal hiring freeze, it’s time to study the government hiring situation and improve your application. It’s time to reassess your strategy for getting a federal job and to determine if you are serious about working for the federal government.

When the hiring freeze is lifted, it’s likely that new legislation will restrict managers to hiring just one person for every two vacancies in their office. This will increase the competition and make it more difficult to get hired for a federal job.

The Manager’s View of a Hiring Freeze

It’s smart to look at federal job vacancies from a hiring manager’s point of view. After the freeze ends, I know from personal experience (as a hiring manager during the freeze of 2012-13), that managers will be eager to hire. They need employees to fulfill their agency’s mission.

Until a vacancy is filled, current employees must share the work of the vacant position. Currently, it takes at least six months from the time a hiring process begins to actually bringing a new hire onboard.

When the new employee arrives and assumes his duties, the existing staff is better able to focus on their own jobs. Overall efficiency improves and work is completed in less time than during the freeze.

It is important to remember that the hiring freeze is only for 90 days. Specific exemptions permit some federal agencies to continue to hire during the freeze.

Exceptions to the Federal Hiring Freeze

Experienced federal professionals know that every rule and regulation has exceptions. Paragraph 3 of the January 31 Memorandum: Federal Civilian Hiring Freeze Guidance from the White House lists the following hiring exceptions:

3g. Federal civilian personnel hires are made by the Office of the Director of National Intelligence (ODNI) and the Central Intelligence Agency (CIA).

3h. Appointments made under the Pathways Internship and Presidential Management Fellows programs (this does not include the Recent Graduates program). Agencies should ensure that such hires understand the provisional nature of these appointments and that conversion [to full-time employment] is not guaranteed.

3i. Conversions in the ordinary course to the competitive service of current agency employees serving in positions with conversion authority, such as Veteran’s Recruitment Act (VRA) and Pathways programs.

3r. The head of any agency may exempt any positions that it deems necessary to: Meet national security (including foreign relations) responsibilities, or public safety responsibilities (including essential activities to the extent that they protect life and property).

Cybersecurity Field Fulfills Critical Needs and Has Many Exemptions

Many cybersecurity jobs are in intelligence organizations, so those jobs are considered essential to the protection of health and safety. (Think hospital records at military facilities and the Department of Veterans Affairs.) Similarly, cyber defense jobs support foreign affairs organizations and are deemed essential to meeting national security responsibilities.

Opportunities Exist in Cybersecurity Despite Hiring Freeze

Despite President Trump’s executive order, there are still opportunities available for cyber defenders. Cyber organizations are hiring employees fresh out of college as well as service veterans.

So don’t be discouraged; the future of the federal civil service is not as bleak as media sources describe. In fact, some job seekers might think it’s more difficult now to obtain a federal job, so there could be fewer applicants and thus less competition.

Be persistent. Keep focused on your career goals and your readiness to meet the challenges of the job you seek.

About the Author

 James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. James has been involved in cyberespionage events from just after the turn of the century in South Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 43rd scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and also served 14 years in the Army. His military assignments include South Korea, Germany and Cuba in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book in 2016, “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a book in 2017, “Secrets to Getting a Federal Government Job.