The team at Integrity wishes you and your family a very Merry Christmas season.  We pray that you are able to stop and reflect on this as a season of hope and will share it with those close to you.

From a personal perspective, the hack of Sony is of little consequence to me.  I probably own stock in the company via a mutual fund somewhere but any financial losses will be minimal and likely undiscernible in the grand scheme of my retirement planning.  The Target and Home Depot hacks however were a pain in the rear.  I had to change debit cards and have fraudulent transactions reversed.  Yes, VISA covered the nearly $1,300 in fraudulent charges but I still had to cancel the cards, wait for new ones and set up recurring payments to Netflix.  Do you know what happens in a house with four kids who can’t get their Netflix fix?

Even though Target and Home Depot have or will spend millions to deal with their breaches and improve information security, I think the Sony breach is worse, and here’s why.

Read more: Why the Sony Hack is Worse than Target or Home Depot

A best practice that appears to be overlooked in many organizations is that of reducing your attack footprint.  During recent audits, we’ve discovered that organizations large and small are leaving themselves unnecessarily open to a security breach.  Hackers are like rock climbers.  They only need a series of small cracks within reach of each other in order to make it to the summit.

Leaving unnecessary services running on a server, not locking down internal resources and allowing egress traffic with no filtering all increase your attack footprint.  They make you easier to find and grab hold of, and they let a hacker keep climbing your infrastructure without falling off or running out of ways to advance.

Read more: Reducing Your Attack Footprint

While NSA Director Admiral Rogers was providing the keynote at the ISSA International Conference last month, he made a comment that I found interesting.  He said that we can’t expect US companies to be able to continue to defend against hacking and espionage attacks from nation states.  I agree.

Many of you may disagree and think corporate espionage is just a myth.  It is not.  It is real and costly.  For countries that rely on nationalized industries for the revenue to fund their government and military, the incentive to gain the upper hand is unparalleled.

Read more: NSA Chief Says Corporate America Shouldn’t Have To Defend Against Foreign Governments

The US Postal Service announced that a breach discovered in mid-September may have compromised the SSN and other personal information of more than 800,000 employees.  The announcement also states that information on callers to the USPS call center may have been compromised as well.

The government of China is currently the prime suspect in the hack.  At some point these hacks are going to escalate into a full-blown cyberwar.  It’s only a matter of time before the cyberwar division of a foreign government hits pay dirt.  The president is in China this week.  How will we respond?  Will it be addressed?  Guess we’ll have to wait and see.

One of the most overlooked information security practices is the shredding of handwritten notes.  Part of our ethical hacking engagements, also known as penetration testing, is trying to discover information about the organization or system through its users.  This practice of social engineering is a core component to an ethical hacking exercise.

Many organizations have trained their employees to shred PHI, PII, PCI and other P – whatever-I that gets printed out.  What we find though is that many organizations have tons of valuable information that is handwritten but never destroyed.  During social engineering tests, these handwritten notes can often be found in various trash or recycling bins.

Read more: Social Engineering Tip #43 - Shred All Handwritten Notes

October is National Cyber Security Awareness Month.  We at Integrity partner with the National Cyber Security Alliance to help promote information security awareness both at work and at home.  Take a minute to check out the Stop. Think. Connect. campaign and the Stay Safe Online campaign put together by the NCSA.

http://www.stopthinkconnect.org/

http://www.staysafeonline.org/

Do your part in keeping our children safe online.  Teach them how to protect their identity and data by using smart tips that kids as young as 5 can learn.  Cyber security education works best when parents help their children learn about cyber security.  There are multitudes of resources available.  If you need help, just contact us and we’ll provide free resources you can use to help teach your child about safe online habits.

Contact Information

Birmingham Office: 205.568.5506

Des Moines Office: 515.965.3756

Kansas City Office: 913.991.8724