MeriTalk - Where America Talks Government
Steve O'Keeffe

Posted: 10/10/2012 - 5 comments - 0 trackbacks

Knock, Knock – Who’s There?
Is Uncle Sam suffering from a false sense of security? We spend one in four precious cyber security dollars on FISMA paperwork – well over $1 billion each year. GAO says HSPD-12 has given us expensive keys with no locks. TIC’s fighting with Cloud First. The iPad’s a moving target. What’s next for the embattled CISO?

And, if that wasn’t enough alphabet soup, here’s a new TLA for you – welcome to the Advanced Persistent Threats, or APTs to his friends. APTs aren’t things, they’re sophisticated actors – typically hostile foreign governments – with the cyber smarts and resources to target specific entities. No script kiddies here. They’re focused on getting into our networks and siphoning off sensitive data. And, they use infected media, supply chain compromise, and social engineering to get in.

Gone Phishing

Think of APTs as very malicious knock-knock jokes – and hackers are focused on getting the last laugh. APTs typically launch their attacks via email – phishing, but not your standard “Nigerian Prince Kidnapping” scam. What Fed exec would fall for that malarkey?

No, APTs often hunt their quarry by spear phishing. Think phishing meets social engineering. Far from sending out blanket spam email, hackers identify high-impact, well-placed individuals within agencies – people with privileged security access. Then, they do their homework. Who do you know? What type of email would catch your attention? When the knock-knock comes in your email, you’ll know the sender of the message – or think that you do.

You’ve Got Mail

You receive an email from your colleague Dave. It flags a new expense approval process and includes an attachment. You know Dave, you care about your expenses, you click on the attachment. The hacker’s in. Now, they have a foothold in the network. Some are coy – they stay quiet for awhile. But soon enough, they start to siphon off data, passwords, and connect to other networks from the inside.
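The "email from Dave" lure above turns on one question: is the sender who the display name says it is? As an added example (not part of this MeriTalk post), the following Python script shows the kind of check a mail gateway or SOC analyst can run before a message like that reaches an inbox. It assumes a hypothetical internal staff directory and mail domain (agency.example.gov), and it builds three constructed messages: a lookalike external sender using Dave's display name, a spoofed internal address that fails DMARC, and a legitimate one.

```python
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical agency staff directory and mail domains (constructed for this example).
INTERNAL_DIRECTORY = {"dave miller": "dave.miller@agency.example.gov"}
INTERNAL_DOMAINS = {"agency.example.gov"}
# Attachment types that commonly carry macros or executable content.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip")


def parse_auth_results(value):
    """Reduce an Authentication-Results header (RFC 8601) to {method: result}."""
    results = {}
    # The first clause is the authserv-id; the rest are "method=result ..." clauses.
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def analyze(msg):
    """Return a list of spear-phishing indicators found in an EmailMessage."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name matches a colleague but the address does not: "Dave", or so it seems.
    expected = INTERNAL_DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name impersonation")

    # 2. Replies are quietly redirected somewhere else.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr:
        findings.append("reply-to mismatch")

    # 3. Claims to be internal, but the gateway could not authenticate it.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if domain in INTERNAL_DOMAINS and auth.get("dmarc") != "pass":
        findings.append("internal sender without dmarc pass")

    # 4. The lure itself: an attachment of a type that can run code.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")
    return findings


def analyze_raw(text):
    """Run the same check on an RFC 5322 message in its delivered (string) form."""
    return analyze(Parser(policy=policy.default).parsestr(text))


def build_sample(sender, auth_results, attachment, reply_to=None):
    """Construct a test message resembling the 'expense approval' lure."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "you@agency.example.gov"
    msg["Subject"] = "New expense approval process"
    if reply_to:
        msg["Reply-To"] = reply_to
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content("Please review the attached process document before Friday.")
    msg.add_attachment(b"\x00\x01", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_string()


# Constructed samples: a lookalike external address, a spoofed internal address, and a real one.
LOOKALIKE = build_sample(
    "Dave Miller <dave.miller@outlook-mail.example>",
    "mx.agency.example.gov; spf=pass smtp.mailfrom=outlook-mail.example; dmarc=none",
    "Expense_Process.docm",
)
SPOOFED = build_sample(
    "Dave Miller <dave.miller@agency.example.gov>",
    "mx.agency.example.gov; spf=fail smtp.mailfrom=agency.example.gov; dkim=none; "
    "dmarc=fail header.from=agency.example.gov",
    "Expense_Process.docm",
    reply_to="dave.miller@outlook-mail.example",
)
LEGIT = build_sample(
    "Dave Miller <dave.miller@agency.example.gov>",
    "mx.agency.example.gov; spf=pass smtp.mailfrom=agency.example.gov; "
    "dkim=pass header.d=agency.example.gov; dmarc=pass header.from=agency.example.gov",
    "Expense_Process.pdf",
)

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_raw(raw))
```

The directory lookup is the piece that catches the scenario in the post: the display name is the thing a busy reader trusts, so it is the thing to compare against a source of truth, while DMARC results from the receiving gateway cover the case where the attacker forges the agency's own domain outright.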

Pedicure Anyone?

Depending on how deep into the APT you want to go, you could ask: how valuable are your users’ web browsing histories and habits? If they’re valuable enough for the USDA, why wouldn’t a foreign state embed malicious code into a website that your execs are likely to, or do, visit? Still think we shouldn’t secure the networked printers? A quick look at the logs of the URLs being printed by users can reveal a lot – pedicure anyone?

Chumming the Water

Then again, what about browser-based email access still using only username and password? We hear a lot about enabling two factor login – 2FA – for logical access, but why phish one email at a time when you can chum with a free-to-download password-cracking utility? Maybe the threatening “U. S. Government” warning banner will make our capable adversaries think twice…?

No Laughing Matter

The net takeaway here – phishing’s not just for scammers. It’s really grown up. And, the biggest threats to Federal security may come from the people you know and trust – or appear to…

The world’s a hostile place. Cyber’s the new frontier. We need to unfetter Uncle Sam’s cyber defenders to prioritize threats and put first things first. If we spend too much on compliance, the last laugh will be on America.

We need to refocus on APTs and a new class of phishing – it’s no joke.
