SGT Private RallyPoint Member 1068156 I saw something this past drill that has me pretty concerned. Concerned enough that I went to my PSG and requested to give a class on Cyber Security / PII. What I saw was an NCOER saved on a "public" computer. When I opened it, I saw the full name and social of the NCO being evaluated, plus the full name and social of his 3 supervisors. If I were malicious, that would be a gold mine to me.<br /><br />Now, as I was giving my class, my PLT seemed disenfranchised by what I was telling them and what I could do to them if I were to receive that information.<br /><br />A couple of years ago, I watched an E-9 give an E-7 his/her CAC card. I then heard the E-9 yell out his/her PIN number as the E-7 walked away (along with several other soldiers I was by). That is a HUGE security breach.<br /><br />The OPM security hack should never have happened. Management didn't care about security, therefore neither did the employees.<br /><br />State Department - According to the IG, under Hillary Clinton, the security at the State Department started to decline and continued to decline under her successor.<br /><br />At home, I have a full blown UTM with a managed switch. I have one port dedicated to it: all incoming and outgoing packets get dumped there into an IDS/IPS. My UTM has an IDS/IPS built in also. I also have a honey pot set up. All of this is done with recycled systems people didn't want anymore, and ALL done with free software.<br /><br />The only thing that cost me real money was the managed switch (I don't remember the actual cost, but it was over $300).<br /><br />My system has had attempted breaches originating out of China, but I have been able to block them thus far. If I can do this on my own, why the HELL can't the US GOVT, with all of its resources, spend the damn money to secure its network and put together a decent IA Awareness Program?<br /><br />The one the military currently has sucks. An IS program would be better suited to bring in the home networks that people have and say, hey, you use these at work, you can also use them at home. And not just say this is our network and they are only attacking us. Hackers attack ANYONE. Period. Whether it's to use your system to store child pornography, pirated music/movies, etc.<br /><br />This is a rant. I know, and I am sorry. But I'm irked about all of this, and I'm also sleep deprived due to my civilian employment and trying to get stuff done. If anything doesn't make sense, let me know what it is and I will try to clarify. Why is it that in this day and age, people are not concerned about Cyber Security? 2015-10-26T23:50:44-04:00
TSgt Private RallyPoint Member 1068200 It is very simple. If you don't hold people accountable for their actions, then bad things happen.<br /><br />Ever read how Edward Snowden did what he did? 
People violated standard security protocols for him...<br /><br />Most security incidents are people leaving the door open and letting the hacker in.<br /><br />I know of a phishing incident where a Red team sent an e-mail out to senior leadership and it was forwarded by a few of them to civilian friends... A little embarrassing when you have to explain how your friends might have been hacked because you were the idiot.<br /><br />How many people do you know that have the ultra-strong password of "1qaz@WSX3edc$RFV"? Really, people? Just because it meets the requirements does not make it safe...<br /><br />Most people that have their identity stolen are careful after that, but until then they leave the door open for attacks.<br /><br />Being quiet now... I could go on and on about this.... Response by TSgt Private RallyPoint Member made Oct 27 at 2015 12:59 AM 2015-10-27T00:59:54-04:00
SSG Private RallyPoint Member 1068381 People don't care about things until it impacts their life directly. Response by SSG Private RallyPoint Member made Oct 27 at 2015 6:14 AM 2015-10-27T06:14:27-04:00
Sgt Aaron Kennedy, MS 1068609 "Big Sky, little bullet." It's a phrase I once heard when asked about the deconfliction of Artillery and Air Assets. I'm "pretty sure" it was said in jest. Much like NASA doesn't worry about comets running into the Earth, for the most part.<br /><br />A lot of Cyber is like that. "If" you take reasonable > some > none > flouting safe practices, you are fairly safe, just because "you're one sheep in a crowd of sheep." It's when you start drawing attention to yourself by being a heavily armored sheep that you end up looking like a tasty morsel.<br /><br />The people go after OPM, and government sites, not because of the quality of the data, but because of its quantity. High pay-off targets. 
They went after SONY because of the quality (and quantity, to a lesser extent).<br /><br />Now, you used a couple of examples. The E9 didn't sweat it, because it didn't matter. Just like me saying the PIN number to my bank card in front of my kid doesn't matter. Controlled card plus trusted people. You have to have multiple failures for it to become an issue. Is it a bad practice? Sure.<br /><br />Now, I'm a firm believer in the vigilance concept. People should be doing the right thing every time. But sooner or later the minutiae are just going to become overwhelming and stupid. I have one company website I use that doesn't allow me to use the same password as within the last 6 months, and it must contain a cap, special character, number, and cannot contain words in the dictionary. Do you know how hard that is without writing them down? When policies like this are instituted, bureaucracies start breeding "mold pits" where OPM and "Private servers" happen. Response by Sgt Aaron Kennedy, MS made Oct 27 at 2015 9:16 AM 2015-10-27T09:16:32-04:00
SSG Warren Swan 1069965 1. Great job recognizing a problem, and even better having a ready-made solution. Lots of folks would've just walked on.<br />2. Kudos on your system. Most don't even know what a "honey pot" is.<br />3. What you are able to do successfully on your home system, or even through a small enterprise system, is a lot different than what's found in the civilian world. I'm blown away by some of the things DOD did that actually made sense, but in the civilian world are NOT done. I've even brought this up to my supervisor and he shook his head. I think he knew it was wrong. But trying to make a large-scale enterprise work when everyone wants their system set up their way is what would bring on some serious headaches as an SA or network admin. None of them match, yet they all claim to be "secure". 
Also, some of the best data hacks are on UNCLASS because folks want to talk about everything, and if you can get two emails that form a picture, more than likely you'll score the third, which will give the complete picture that is needed. Loose lips sink ships... but no one wants to take it seriously until they are on FB with multiple profiles, their credit is jacked, or you're emailing yourself with the standard scam from Nigeria. How are you going to write yourself a million dollar check?<br />Don't give up. Sooner or later, YOU'LL be the one who can look back and say you made someone more aware, and if you helped one person, that's a success. You won't be able to save them all. Response by SSG Warren Swan made Oct 27 at 2015 6:09 PM 2015-10-27T18:09:02-04:00
SGT Private RallyPoint Member 1070772 Okay. I have some free time for a second.<br /><br />First... Yes, I do know that since I'm a bit "beefed up", I am a very attractive target. A few things on that, though.<br /> 1. Most attackers are in it for some type of gain (i.e. monetary, intelligence, or even to use your system as a distribution point to distribute illegal content).<br /> 2. Very few hackers nowadays are in it just for the challenge. There are some, but it's a small percentage. Those have no malicious purposes other than cracking your security (also known as Gray Hat Hackers).<br /> 3. Nothing is 100% non-hackable, unless you have a system in a vault and it is unplugged. The purpose of security is to make it more time consuming and costly to try to penetrate the network than it is worth (i.e. Cost Benefit Analysis).<br /><br />I received an email today from a company called KnowBe4. They are a security company I am subscribed to. Today they shared a story, one which can happen to all of us. The text is below.<br /><br />Beautiful Social Engineering Attack<br />by Gorgeous IBM Rep<br />"Credit card numbers are small potatoes. 
<br /><br />Big-time computer hackers are after proprietary information: source code, pharmaceutical research, legal documents, chemical formulas, blueprints, product designs and other trade secrets that can be sold on the black market for huge profits. <br /><br />The tactics hackers are using to sneak into business and government networks should curl the hair of any business leader. A few months back, Symantec released a disturbing report on 'Butterfly,' a mysterious and sophisticated group of hackers that it described as 'highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain.' <br /><br />Last week, Ron Taton, president of Cleveland-based IntelliNet Corp., told me about a real-life incident he'd learned about from a security-software vendor. Here's a version of how it went down, and it's right out of a spy novel: You're a chemical engineer at a large company that's working on something special, let's say new battery technology that will triple the range of electric cars. It could mean billions in revenue and freedom from Mideast oil. <br /><br />You're proud of your work — you should be — and you include your employer info on your Facebook page. And like most guys (yes, it's a man in this example), you're competitive, so you make sure to post photos and updates from your victories at Tuesday night trivia at the local sports bar. <br /><br />One night, as you wait for a pitcher to be filled at the bar, a beautiful woman two stools down says hello. You look to the left, then the right and realize she is talking to you. You say hello back, and a conversation begins. <br /><br />She becomes even more attractive when she talks about technology and lets it slip that she works for IBM. 
You tell her you're an engineer and love tech. She offers to pay for your pitcher. You forget all about trivia night as she discusses her work and gives you a business card with the iconic blue IBM logo. 'I have some swag in my car,' she says. 'Give me a second.' As she heads out to the parking lot, you pop a breath mint and pinch yourself.<br /><br />'Merry Christmas,' she says when she returns, placing on the bar an IBM coffee mug, T-shirt, mouse pad and 8-gig flash drive. The next morning at work, the coffee tastes extra rich in the new mug, the mouse moves so smoothly on the new pad, and with a new confidence, you push the thumb drive into your computer.<br /><br />Within seconds, the company's entire email network is compromised, and hackers begin work scraping messages, documents, attachments and images.<br /><br />The most sophisticated hackers may clean up after they're done, removing traces of the breach and making it even more difficult for companies to know they've been violated — until a competitor in Russia or China unveils a product developed with stolen intelligence.<br /><br />'Everything is hackable,' says IntelliNet's Taton. 'Assume you are going to be hacked. There is no such thing as a trench around a network. It doesn't exist.' Instead, he says, companies need to be ready to respond, mitigate and play defense. And skip trivia night."<br /><br />By the way, effective security awareness training would have helped against a honeytrap like this. Find out how affordable it is and be pleasantly surprised.<br /><a target="_blank" href="https://info.knowbe4.com/kmsat_get_a_quote_now">https://info.knowbe4.com/kmsat_get_a_quote_now</a><br /><br />Hat Tip to John Campanelli for this fabulous story.<br /><br />I also heard of another instance (quite a few years back) of hackers dropping USB sticks in parking lots. 
Here's the story:<br /><br /><a target="_blank" href="http://www.zdnet.com/article/criminals-push-malware-by-losing-usb-sticks-in-parking-lots/">http://www.zdnet.com/article/criminals-push-malware-by-losing-usb-sticks-in-parking-lots/</a><br /><br />Now, every IT person in the world will agree with this statement. Your user is the weakest link. They will always do the dumb stuff that compromises your network, unless they are properly trained and incentivized to know what to look for and to help stop it.<br /><br />So, how do we get all (or at least most) military personnel the proper training and incentives to get them to think before they "click" (or save)?<br /><br />Here is a prime example of why you need to protect your network to the best of your abilities.<br /><br /><a target="_blank" href="http://www.wired.com/2011/07/hacking-neighbor-from-hell/">http://www.wired.com/2011/07/hacking-neighbor-from-hell/</a><br /><br />If your system is hosting and distributing illegal stuff, who do you think they're going to come for first? Yes, you may be cleared of all wrongdoing, but what kind of stress will you and your family be under during the investigation? I know I'll lose my job immediately.<br /><br />Now, I hear excuses all the time. I'm not smart enough. It's not my network, why should I care, etc. etc. If you're military (Army at least): <a target="_blank" href="https://usarmy.skillport.com">https://usarmy.skillport.com</a>. Register. And start taking the damn courses they offer for FREE! I have over 300 correspondence course hours and the majority come from here. And if you are military, as for the "it's not my network" biz, your ass signed up to protect this country. That also includes the military network. 
It ALL falls under OPSEC.<br /><br /><a href="/profiles/590823-88m-motor-transport-operator">SSG Private RallyPoint Member</a> - SSG Valencia. I'm including you in this as you know me and the security aspect. No offense, SSG.<br /><br />The rest I am including to see if I can't get some dialogue going to help figure out this epidemic and get these military personnel trained up. Response by SGT Private RallyPoint Member made Oct 28 at 2015 12:59 AM 2015-10-28T00:59:04-04:00
SSgt Alex Robinson 1070976 <a href="/profiles/527937-88m-motor-transport-operator">SGT Private RallyPoint Member</a> cyber security should be foremost in our attention. Too much of our society is Internet-based or computer-based and subject to hacking. We must consider everything from robust passwords to enhanced firewalls. Response by SSgt Alex Robinson made Oct 28 at 2015 7:21 AM 2015-10-28T07:21:51-04:00
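The NCOER the original poster found on a shared computer is the textbook case for a quick PII sweep before a drill weekend ends. The script below is an added example written for this page, not code from any poster or from the military's IA program: it walks a directory, looks for Social Security number layouts in text files, and discards the patterns the SSA has never issued so that phone numbers, ten-digit DoD ID numbers and test values do not drown out the real hits. The sample form text, the file suffix list and the function names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the kind of text a saved evaluation form contains, plus a
# few look-alike numbers that must NOT be reported. Not a real person or form.
SAMPLE_NCOER_TEXT = """\
NCOER - PART I ADMINISTRATIVE DATA (constructed sample for this example)
a. NAME: DOE, JOHN Q.   b. SSN: 123-45-6789
RATER: SMITH, JANE   SSN: 234 56 7890
SENIOR RATER: DoD ID 1234567890   (ten digits, not an SSN)
Contact: 555-123-4567
Test pattern: 666-12-3456 (never issued, must not be reported)
"""

# 123-45-6789, 123 45 6789 or 123456789. The look-around keeps the match from
# starting or ending inside a longer digit run or a hyphenated number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. This removes most phone/ID false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> list:
    """Return (line_number, masked_ssn) for each plausible SSN in text.
    Only the last four digits are kept so the report is not itself PII."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, f"***-**-{serial}"))
    return hits


def scan_directory(root, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Map each offending file path to its hits. The suffix list is an assumption;
    Office and PDF files need text extraction before they can be scanned."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in suffixes):
            continue
        try:
            hits = scan_text(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Stand-alone demo: write the sample into a temp dir and sweep it.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "NCOER_draft.txt").write_text(SAMPLE_NCOER_TEXT)
        Path(tmp, "notes.txt").write_text("Range card: 555-123-4567\n")
        for path, hits in scan_directory(tmp).items():
            for line_no, masked in hits:
                print(f"{path}:{line_no}: possible SSN {masked}")
```

Real evaluation forms are usually PDF or Word files; extract their text first (pdftotext, python-docx) and hand the result to `scan_text`. The masking is deliberate: a findings report that itself lists full SSNs recreates the problem it was written to find, and it is the kind of file that ends up saved on the same shared machine.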
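The "1qaz@WSX3edc$RFV" password the TSgt quotes is a good test case for why "meets the requirements" and "safe" are different checks. The code below is an added example for this page, not code from any poster: it scores a password against a typical complexity policy and, separately, against a US QWERTY adjacency map, so a password can pass the first and still fail the second. The layout table, the thresholds (`min_run=4`, `max_coverage=0.5`) and the function names are assumptions made for the example.

```python
import string

# US QWERTY rows, left to right, lower case. Keys at the same column in
# consecutive rows sit roughly under each other ('1' over 'q' over 'a' over 'z'),
# which is exactly the column walk in the quoted password. The physical stagger
# is approximated by also treating column +/-1 in the neighbouring row as adjacent.
# Layout table and thresholds are assumptions for this example.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = dict(zip("!@#$%^&*()", "1234567890"))  # '@' -> '2', '$' -> '4', ...
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def normalize(password: str) -> str:
    """Fold case and map shifted number-row symbols back to their digit key,
    so '1qaz@WSX' and '1qaz2wsx' are the same physical key sequence."""
    return "".join(SHIFTED_DIGITS.get(ch, ch.lower()) for ch in password)


def adjacent(a: str, b: str) -> bool:
    """True if b is a neighbouring key of a (same or next row, column +/-1).
    A repeated key is not a walk step; unknown characters break the run."""
    if a == b or a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_runs(password: str, min_run: int = 4) -> list:
    """Lengths of the maximal runs of consecutive neighbouring keys,
    keeping only runs of at least min_run characters."""
    s = normalize(password)
    runs, run = [], 1
    for prev, cur in zip(s, s[1:]):
        if adjacent(prev, cur):
            run += 1
            continue
        if run >= min_run:
            runs.append(run)
        run = 1
    if run >= min_run:
        runs.append(run)
    return runs


def walk_coverage(password: str, min_run: int = 4) -> float:
    """Fraction of the password made of keyboard walks."""
    if not password:
        return 0.0
    return sum(walk_runs(password, min_run)) / len(password)


def meets_policy(password: str, min_len: int = 12) -> bool:
    """The kind of rule the thread complains about: length plus four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_len and all(classes)


def is_keyboard_walk(password: str, min_run: int = 4, max_coverage: float = 0.5) -> bool:
    """Reject when more than max_coverage of the password is walk material."""
    return walk_coverage(password, min_run) > max_coverage


def verdict(password: str) -> list:
    """All reasons to reject the password; an empty list means accepted."""
    problems = []
    if not meets_policy(password):
        problems.append("fails complexity policy")
    if is_keyboard_walk(password):
        problems.append("keyboard walk covers {:.0%} of the password".format(walk_coverage(password)))
    return problems


if __name__ == "__main__":
    for pw in ["1qaz@WSX3edc$RFV", "zaq1XSW@", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r:32} {verdict(pw) or ['accepted']}")
```

The quoted password passes the complexity check and is 100% keyboard walk: four column walks of four keys, with Shift toggled to satisfy the upper-case and symbol rules. A policy that only counts character classes cannot see that, which is the point the TSgt was making. The adjacency map is the minimum worth shipping; a production checker would also take the password through a breached-password list, since every variant of this walk is already in them.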