Countering Threats Oct28

Countering Threats

A panel of corporate security experts held a recent Realcomm-hosted webinar to discuss strategies for managing cyberattacks to buildings that are increasing in frequency, sophistication and impact. Don Goldstein, senior vice president of IT for CBRE, recounted how the “Not Petya” ransomware attack of June 2017 encrypted hundreds of thousands of computers around the world and shut down whole networks and systems for weeks.  With the damage still being added up, the initial $850 million economic cost estimate could rise. “Not Petya hit all verticals, from nuclear plants and pharmaceutical firms to steel makers, consumer lenders and law firms,” Goldstein said.  Cautioning against disaster fatigue, he added, “We need to get people to think about and prepare for this type of event.” Ryan Allbaugh, business initiatives consultant for Wells Fargo, said that because internet of things (IoT) connected devices don’t have traditional IT operating systems or antivirus and antimalware, cyberattacks are “no longer an IT problem, but an operational problem” for every part of the economy. As we see more IoT connections, everything is vulnerable, from remote lighting control to elevator and video surveillance controls, Allbaugh noted.  “The challenge with IoT is that these systems often lack centralized visibility, and doing something as simple as getting a physical inventory can be a challenge,” especially with widely dispersed properties.  He outlined the National Institute of Standards and Technology Cybersecurity Framework, which offers guidance on assessing and improving prevention, detection and response to cyberattacks. Lorie Wigle, general manager for Intel, noting that “one company can’t solve this on its own,” urged collaboration and information sharing among IoT participants.  “We need to have ongoing lifecycle security management services in place to continue to measure and detect compromises to components of end-to-end services,” she said. Given that there’s...

Equifax Hack Sep19

Equifax Hack

The breach of the Equifax database, which exposed the personal credit history of over 140,000,000 individuals, has left consumers scrambling for answers and wondering what steps to take. While many experts continue to weigh in on the issue, and law firms begin lining up for those class actions lawsuits, you may still be wondering what you can do to mitigate the damage. No doubt an investigation by Congress will provide some relief, and many private companies like Credit Karma and Capital One are already reaching out to beleaguered consumers. As we wait for the cavalry to arrive, we’ve collected a summary of all the information you need to protect yourself and give voice to your fears and frustrations. What Happened? Equifax believes hackers accessed the company’s network sometime between May and July of this year, gaining access to the social security numbers and extensive credit history of 143 million Americans as well some citizens of Canada and the UK. The hack itself came to the company’s attention on July 29, when the intrusion was immediately curtailed. Somewhat suspiciously, three Equifax executives chose to sell almost $2 million in Equifax stock on August 1st and 2nd, almost a week before the company went public about the incident. On September 7th, Equifax alerted the public about the breach, also issuing a statement denying the three executives knew about the hack. By the next day, company shares lost more than 13% of their value. The following week, the Senate began initial inquiries into the extent of the incident, also searching for evidence of compromised government accounts. By September 14, the Equifax CEO had been called to testify before Congress and the Federal Trade Commission announced it would begin investigating the breach. Who’s affected? At this point, if...

Travel Tech

For many international business travelers, crossing a border means more than just a stamp in their passport. It also means making sure cell phones and laptops stay secure. Whether it’s an intrusion from foreign hackers or the evermore-invasive surveillance of customs officials, protecting sensitive data – both personal and business – has never been more complicated. As a result, more and more jet-setting corporate employees are making sure to secure their devices before their trip and while on the move. “Although mobile devices can facilitate connecting back to headquarters and maintaining workflow, the risk for exploitation of these devices and the information accessed can greatly increase on overseas travel,” warns the US Department of State Overseas Security Advisory Council (OSAC). Before Departure The OSAC’s best practices guide for traveling with mobile devices suggests several steps business travelers should take before stepping out the front door. As a matter of course, all nonessential devices should simply be left at home. Data can also be kept local through a backup on an external hard drive or a secure cloud-based service. For travelling devices, it’s important to make sure all software and apps are up-to-date. That means upgrading passwords with stronger variables and initiating file encryption with tools provided by BitLocker, TrueCrypt or Apple Firevault. Bluetooth and GPS should also be disabled and available firewalls enacted. During Travel Once you’re on the road, there are plenty of ways for your device to be compromised. In addition to maintaining physical control whenever possible, the best way to protect your device in transit is to power down before entering customs. As an added step, Wired recommends disabling any biometric access – like Apple’s TouchID – and sticking to PIN accessibility. It’s good practice to disable automatic Wi-Fi connections and use a...

Stranger Danger

In many ways, 2016 will be known as the year of the hack. Between Russian Hackers, DDoS attacks bringing down the eastern seaboard, or the little matter of over a billion compromised Yahoo! Accounts, last year marked the moment “cyber” security went mainstream. While there’s no doubt more of the same is on the way, Wired has put on its prognostication cap to ponder what new security threats will emerge over the next 12 months. After all, as they say, forewarned is forearmed. “It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year,” begins Wired. “…the more we can anticipate them, the better we can prepare.” Dawn of the Drones Military drones have been fighting proxy battles across the globe for quite some time now, but private, commercial drones could soon turn deadly. Though they’re smaller than their battle-worn counterparts, commercial drones have existed in an unregulated, wild west-type no-man’s-land. Though the FCC currently requires drone owners to register their devices, internationally, there’s little oversight. Wired reports small drones have already been used for terrorist activities and guerrilla warfare, including an attack on US-allied Kurdish soldiers in October of last year. “What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator,” Wired asks. “The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer grade bombs and the defenses against them will likely be a violent game of cat-and-mouse. iPhone goes to Court Wired predicts the conflict between federal authorities and mobile-phone providers, which hit...

Smart Homes, Dumb Security

On October 21, 2016, many of the world’s most popular websites were incapacitated by a series of distributed denial of service (DDoS) attacks. Users trying to blast off a tweet or listen to their favorite track on Spotify suddenly found themselves stranded on 404-error pages or stalled by perpetual “loading” messages on their browser. The culprit? Massive denial of service attacks overwhelming servers and cutting off access. While DDoS attacks are actually quite commonplace (though not always as widespread), this time the method of was a little different. Rather than travel along traditional online pathways, the attackers commandeered all manner of unsecured Wi-Fi-enabled devices to turn the internet of things into a battering ram. By exploiting the security vulnerabilities of connected gadgets, from fridges to DVRs, the latest attack highlighted the smart home’s Achilles heel. Major DNS host Dyn told CNBC in October the attack was “well planned and executed, coming from tens of millions of IP addresses at the same time.” Taking Down Twitter Why are DDoS attacks so effective? It starts the how Domain Name Services (DNS) work. The DNS operates in many ways like a traffic controller at a busy intersection. When users click a link to a webpage, the DNS directs that user to twitter. During a DDoS attack, the webpage itself is left unscathed, but all the roads leading to it are jammed with service requests in something akin to rush hour traffic. In effect, users are left stranded on the service highway, their destination in sight but with no means to get there. As security expert Bruce Schneier explained in a recent blog post, “Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet.” “These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.” Assessing the Damage The October 21 attack incapacitated DNS providers across the US and Europe. Almost no type of website was spared, from consumer products to real estate listings to news sites. Pinterest, Zillow, Kayak, the New York Times…all found themselves cut off from users as the DDoS ambush spread across the western hemisphere. The entire event lasted for hours, and while the damage hasn’t been fully assessed, the greatest fear is what this level of infiltration means for the future of the internet. This is because the October attack significantly differed from previous incursions by groups like hacker collective Anonymous. In the past, perhaps one individual website was incapacitated for a short amount of time, like CNN. In this case, the DDoS attack was massive, taking out “a major piece of the internet backbone for the entire morning – not once, but twice.” “This event was not your conventional DDoS attack, writes Gizmodo’s William Turton. “ Instead, it seems to be the first large-scale attack using IoT devices.” “Because of the estimated billions of available unsecured IoT devices,” he continues, “these attacks could allow for an unprecedented amount of DDoS power—enough power to take down major pieces of internet infrastructure protected by some of the best DDoS mitigation in the business. That’s exactly what we saw on [October 21].” A New Era of Threats Assessing the aftermath of the October attack, Gizmodo writer Turton warns of a bleak future full of political conspiracies and foreign hackers waging online war against their adversaries. “Details of the how the attack happened remain vague,” writes Turton, “but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.” “This could be the beginning of a very bleak future,” he concludes. “If hackers are able to take down the internet at will, what happens next?” Unfortunately, it’s the smart devices intended to make our lives easier that may pose the biggest threat. A new report by Akamai,...

Security Reminder

The latest Yahoo breach holds the record for the largest single breach of user account. The hack, which occurred in 2014, enabled hackers to collect personal information associated with at least half billion Yahoo accounts—names, email addresses, phone numbers, birth dates, and even security questions and answers, according to Yahoo’s press release. What’s even scarier is that encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also stolen. As consequence, Yahoo users are encouraged to review their accounts for suspicious activity, change their passwords and security questions, avoid clicking on suspicious links and consider using a new authentication tool called Yahoo Account Key. Of course, there is always the option to switch to Gmail or iCloud. According to research from Alertsec, about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches, so it will take Yahoo quite some time before it starts rebuilding their users’ trust. However, when a company has allowed their customers’ data to fall into the hands of criminals, regaining trust is difficult, and in some cases, impossible. This breach serves as a reminder of how widespread hacking is and raises again the question of whether the current system of passwords and security questions provides the best kind of protection, and the answer seems pretty obvious, something needs to change. Cybersecurity specialists recommend using a different password for each account, while other experts are working on alternatives to passwords such as one-time passwords, biometrics and the two-factor authentication process. “Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud,” said Brett McDowell, executive director of the FIDO Alliance, an organization that...

Cybersecurity

If you think cybersecurity is “just an IT issue,” better think again. Experts agree that cyber risk in the multifamily industry is largely underestimated, given the volume of personal and financial data multifamily companies collect and maintain about their prospects, residents and employees. And the fact that many real estate organizations rely on third-party service providers to collect and protect data further increases exposure to damaging cyber incidents. What are some of the common risk factors? Using disparate software solutions and multiple vendors with various interfaces and logins elevates exposure to breaches. To further complicate matters, information security programs in the multifamily industry tend to be relatively less sophisticated compared to more heavily regulated sectors such as banking and retail. Since cyber criminals will always take the path of least resistance, this poses a major threat to the industry as a whole, which maintains information about tens of millions of Americans. And after a well-publicized breach in 2014, the multifamily industry is — or should be — on high alert. To not only reduce risk but also to increase operational efficiencies, many companies have made the move to a single platform — and now consider it a best practice to consolidate core property management and accounting along with ancillary products in one database supported by a single vendor. And while no business can expect to achieve perfect security, in the current cyber threat landscape with so much at stake a comprehensive plan — and one point of contact for software and services — can mean a direct line to better peace of mind. At the NMHC 2016 spring board meeting, panelists emphasized that cybersecurity is not simply an IT problem, but rather an enterprise risk management issue. Developing a strong cybersecurity program is not...