FBI Releases Article on Protecting Business Email Systems

Original release date: May 31, 2017

The Federal Bureau of Investigation (FBI) has released an article on Building a Digital Defense with an Email Fortress. FBI warns that scammers commonly target business email accounts with phishing and social engineering schemes. Strategies for preventing email compromises include avoiding the use of free web-based email accounts; using multi-factor authentication; and updating firewalls, antivirus programs, and spam filters.

US-CERT encourages users and administrators to review the FBI article for more information and refer to US-CERT Tips on Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Attacks.


Caught in the breach – what to do first

Security experts have been saying for more than a decade that it is “not if, but when” an organization will be hacked. So, the more relevant question, posed in the title of a panel discussion at May 24’s MIT Sloan CIO Symposium is: “You Were Hacked: Now What?”

Indeed, given that there is no sure way to prevent every intrusion by so-called “determined adversaries,” much of the defense playbook has shifted to incident response (IR). And that, said panelists, if done quickly and correctly, can mitigate the damage attackers can cause, even if they make it inside a network.

“Hacking is an action,” said Andrew Stanley, CISO of Phillips. “A breach is the outcome. So we spend more time on the hack than the breach. We want to know how, why – what was the intent – when and where. That’s what the C-suite wants to know more than the nature of the breach.” Answering those questions is what helps make the response, and therefore containing the damage, more effective, he added.

James Lugabihl, director, execution assurance at ADP, agreed that the key to limiting the damage of a breach is, “how quickly can you respond and stop it.” He said it is also crucial not to react without complete information. “It’s almost like a disaster scenario you see on the news,” he said. “It takes a lot of patience not to react too quickly. A lot of my information may be incomplete, and it’s important to get everybody staged. It isn’t a sprint, it’s a marathon. You need time to recognize data so you’re not reacting to information that’s incomplete.” With the right information, he said, it is possible to “track and eradicate” malicious intruders, plus see what their intentions were.

Both panelists said legal notification requirements can vary by country, or even by state, and if it is not a mandate, notifying law enforcement is something they will sometimes try to avoid. “Executives don’t like it, because it becomes a matter of public record,” Stanley said. “But it also can affect people’s privacy, and you don’t want to become an arm of the government.”

Aside from who needs to know and who legally must know, Stanley said collecting information that can help with the response is the most important thing to do. “It’s about intent,” he said. “If all (phishing) emails are going to one location, that’s an attack. So we need to ask: What do we do there? What’s the target?”

Both also said they conduct tabletop exercises, pen testing and simulated crises to practice their IR for when the real thing happens. But, as Lugabihl noted, “it takes perfect practice to make a perfect response. Bad practice makes bad response.”

To a question from moderator Keri Pearlson, executive director of the MIT Interdisciplinary Consortium on Improving Critical Cybersecurity Infrastructure, about how to cope with the reality that “people are the weakest link” in the security chain, Lugabihl said workers are not entirely at fault. “We haven’t fostered an environment that lets them do their jobs,” he said. “I’ve seen security professionals fall for phishing – those are getting more sophisticated. We just need to encourage them to report it. We need to help make things easier and more transparent.”


This article was written by Taylor Armerding from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to [email protected].

The post Caught in the breach – what to do first appeared first on McAfee Blogs.

Defense contractor stored intelligence data in Amazon cloud unprotected

NGA headquarters. A trove of top secret data processed by NGA contractor Booz Allen Hamilton was left exposed on a public Amazon cloud instance. (credit: Trevor Paglen)

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The files, which were connected to the US National Geospatial-Intelligence Agency (NGA)—the US military's provider of battlefield satellite and drone surveillance imagery—were posted to an account linked to defense and intelligence contractor Booz Allen Hamilton. The data was classified at up to the Top Secret level.

Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome. Also present in the data cache was a Booz Allen Hamilton engineer's remote login (SSH) keys, as well as login credentials for at least one system in the company's data center.

Vickery immediately sent an e-mail to Booz Allen Hamilton's chief information security officer but received no response. The next morning, he contacted the NGA and within nine minutes, access to the storage bucket was cut off. At 8PM Eastern time on May 25, Booz Allen Hamilton's security team finally responded and confirmed the breach.
