
Phishing and FIFA

I have some friends staying with me right now from Brazil.  They arrived a few days ago and said that, because of the World Cup, the level of excitement in Brazil is very high and that many foreigners have arrived in the country to see the games.  The World Cup is all over everything in the country right now.  Apparel, food, merchandise, etc. are all branded with the World Cup (similar to how the U.S. advertises items for the World Series or the Super Bowl).  The World Cup is one of the largest sporting events in the world, and it reaches a much larger audience than any single country.

The World Cup began a few days ago and will last for about a month.  Network teams will see their bandwidth spike in unison with the matches, and organizations will see hours lost as employees sneak peeks at the games.  The World Cup Final alone can draw hundreds of millions of viewers.  In other words, much of the world is not only expecting but actively anticipating news about the World Cup.  This frenzy is ripe for phishing attacks and spam.  Some of the most popular, by FIFA’s own admission, are lotteries, requests for money, and competitions.  These aren’t really different from average spam/phishing attacks, but they can play on a relaxed defense and lowered awareness of scams.

Each game also brings additional risk.  Consider the opening game, in which Brazil beat Croatia: scammers could easily prey on the excitement that Brazil won, and also on the referee controversies.  Events like these give scammers newsworthy hooks to pique the interest of people who are all too willing to watch a video or read an article.

More so today than in years past, a number of World Cup apps are being released into mobile device app stores.  This is a new attack vector: an app can provide legitimate news, but it can also harvest information such as passwords, network access, documents, etc.  Organizations need to closely examine their BYOD policies and make sure their corporate data is secure on mobile devices.

There are many people in the United States who are not interested in the World Cup and are often oblivious to its popularity around the world.  I have heard people say they don’t expect it to impact their networks much because they don’t think many people will watch it.  We tend to forget that America has a very diverse workforce, and many organizations are global in their operations.  Which other countries, where the World Cup may be a very big deal, may have access to your networks?  Does your organization have any global contractors who are in the United States?  Has your organization considered the impact the World Cup could have on the information security of these often overlooked back doors into your network?  At the very least, organizations should send information security awareness notifications to their employees.

Why the World Cup?

The World Cup is not unique in carrying these types of information security risks.  Security risks tend to follow many major sporting events, natural disasters, and trending global news headlines.  However, the World Cup is unique in the size of its global audience, the anticipation of the event, and the often overlooked security risks to a network in today’s global landscape.

What can my organization do?

First, take a look at our recent article, How to Spot a Phishing Email.  As we mention in that article, you can ask yourself questions such as these:

  • Do I know the sender?
  • Is this an email I expected?
  • Does my system think this email is suspicious?
  • Is a file attached to the email?
  • Does the email ask for personal information?
  • Are there links in the email and are they from trusted sources?
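As an added example (not code from the original article), the checklist above turned into a first-pass triage script that runs over a constructed sample message and reports which questions it trips; the trusted sender domain and trusted link domains are assumed values an organization would fill in, and "Is this an email I expected?" is left to the reader because only they can answer it.

```python
import email, email.utils, re
from urllib.parse import urlparse
# Constructed sample lure (not from the original post): unknown sender, spam-flagged, a zip
# attachment, a request for a password, and a link whose text names a different site than its target.
SAMPLE = """From: FIFA Lottery <claims@fifa-prize-office.example>
Subject: You have WON the World Cup ticket lottery!
X-Spam-Flag: YES
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Confirm your password to claim: <a href="http://fifa-prize-office.example/claim">www.fifa.com/claim</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="ticket.zip"

UEsDBAo=
--b1--
"""
TRUSTED_SENDERS = {"corp.example"}               # assumed: the organization's own mail domain
TRUSTED_LINK_DOMAINS = {"corp.example", "fifa.com"}
PERSONAL_INFO = re.compile(r"\b(password|passcode|bank account|credit card|ssn)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def _host(s):
    # Normalise a URL or bare hostname to its host, minus a leading "www."
    h = urlparse(s if "://" in s else "http://" + s.strip()).hostname or ""
    return h[4:] if h.startswith("www.") else h

def triage(raw, trusted_senders=TRUSTED_SENDERS, trusted_domains=TRUSTED_LINK_DOMAINS):
    """Return a list of (checklist question, evidence) for every item that fires."""
    msg = email.message_from_string(raw)
    findings = []
    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain not in trusted_senders:
        findings.append(("Do I know the sender?", sender_domain))
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":  # mail gateway verdict, when present
        findings.append(("Does my system think this email is suspicious?", "X-Spam-Flag: YES"))
    names = [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
    if names:
        findings.append(("Is a file attached to the email?", ", ".join(names)))
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    if hit := PERSONAL_INFO.search(body):
        findings.append(("Does the email ask for personal information?", hit.group(0)))
    for href, text in ANCHOR.findall(body):
        real = _host(href)
        if not any(real == d or real.endswith("." + d) for d in trusted_domains):
            findings.append(("Are the links from trusted sources?", real))
        shown = _host(text)
        if "." in shown and shown != real:  # visible text points somewhere other than the href
            findings.append(("Are the links from trusted sources?", f"shows {shown}, goes to {real}"))
    return findings
```

A message that trips several questions at once, as the sample does, is exactly the kind a user should report rather than click.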

As organizations continue to expand their global footprint, even indirectly as many organizations utilize the cloud more and more, they must start taking a global perspective on information security and the effects world events, trends and entertainment can have on their networks.

Research>The Hitlist

The Hitlist: BYOD

“Bring Your Own Device” or BYOD is an increasingly common topic among CIOs and other executives.  We are not here to argue the merits of BYOD, but we do want to mention a few key topics to think about if you consider implementing it.

1. Policy

The first thing an organization should have before implementing BYOD is a set of policies that govern it.  They should cover topics such as: what is acceptable use, what types of devices can be used, what to do if a device is lost or stolen, whether MDM is required, etc.

2. Corporate MDM (Mobile Device Management)

If personal devices will be on your corporate network, you must know where they are and have some degree of control over them.  Most MDM solutions will enable you to require specific security features, lock or wipe lost/stolen devices, and require or prevent specific types of software from being installed.  Enterprise level MDM is a must.

3. Screen Lock Password

All mobile devices should be required to have a screen lock with a passcode of at least 5 alphanumeric characters.  Anything shorter than 5 characters can be guessed or brute-forced quickly and easily.  This feature can be enforced through most MDM solutions.

4. Device Encryption

Again, this is another control which can be enforced through an MDM solution, and it is a must have.  All mobile devices should be encrypted, without exception, ideally using a corporate encryption management system.  This is a straightforward way to reduce the impact of a lost or stolen device.

5. Jailbroken/Rooted Devices

No jailbroken or rooted devices should be allowed on your network, bottom line.  Even though these modified devices can have many enticing features, they also bypass many of the devices’ built-in security features.  This is another control which can be enforced through most mobile device management solutions.

6. Regular Updates

For mobile devices you are, unfortunately, at the mercy of the carriers for the latest updates.  For laptops and desktops, however, you have much more control.  As a matter of policy and enforcement, all devices should be running the latest updates available.

7. Separate Business and Personal Data

Ideally, you should put all corporate data into a separate container on mobile devices (also known as containerization).  Many times this is not practical from a user experience perspective, as many containerization applications do not have all of the features that users want or need.  Without containerization, however, it is much more difficult to track corporate data.  How this is accomplished is something that should be addressed.

8. Know Where Your Data Resides

If you don’t know where your data is, how can you protect it?  Make sure data you thought was secure doesn’t walk out of your walls on a mobile device.

9. Data Loss Prevention

DLP allows an organization to track its data and prevent it from leaving its walls.  This first requires knowing where your data is, who can access it, and how it can be accessed, and having control over the devices on your network.

BYOD is not something that should start overnight.  It should be well thought out and weighed against the risks and benefits.  Compliance, remote access, network security, wireless configuration and many other facets of the enterprise should be considered before allowing users to bring their own devices.


The Hitlist: What Can I Do to Prepare For An Audit?

Areas that may be covered in an audit:

  • Assign an audit lead internally: yearly internal audit checks, point of contact
  • Plan a portion of your budget for audit remediation
  • Make sure to document policies, procedures, and reports, and keep them in a central location for auditing
  • Follow standard security practices daily (link to some other hit list articles)
  • Understand the legal and compliance ramifications of an audit


The Hitlist: Perimeter Network Security Part 2

Part 1 of our “Perimeter Network Security” Hitlist covered the virtual considerations for securing a network.  Now we will cover what to consider when securing the physical side of the network.

Physical Considerations:

Even though the virtual perimeter is the most obvious and most likely to be attacked, the physical perimeter can provide just as much access to resources inside of your network.

1. Wireless

There was some debate as to whether to include WiFi in the “physical security” section of this post.  However, the fact remains that someone must physically be on site (or very close to it) in order to break into your WiFi network, and it provides another gateway directly into your network.  Things to think about when planning a new WiFi network, or when securing your existing one, are the actual corporate need for wireless access, the type of encryption/authentication to use, the range, and whether or not to broadcast the SSID.  We recently wrote a separate piece in this series about securing your corporate wireless network, which you can check out for more detailed information.

2. Key Card Access

All entrances and secure locations in the corporate office should be secured by electronic key card access that provides a log of all entries and exits.  When a physical security breach occurs, it is important to be able to trace who was in your building, how they got in, and how long they stayed.  We have seen a number of places that log when people enter the building or a secure location but do not track when they leave.  This leaves unanswered questions and large gaps in time if an investigation is ever needed.
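An added example (not from the original post) of the questions such a log must be able to answer: over a constructed badge-reader log it reports who was inside a zone at a given moment, how long each visit lasted, and where the record has exactly the gaps described above, such as a badge that was never logged out.

```python
from datetime import datetime

# Constructed badge-reader log (not from the original post): timestamp, reader, direction, badge id.
BADGE_LOG = """\
2014-06-16T08:02:11 lobby IN 1042
2014-06-16T08:05:40 lobby IN 2210
2014-06-16T12:31:05 lobby OUT 1042
2014-06-16T18:10:22 lobby OUT 1042
2014-06-16T19:47:09 server-room IN 2210
2014-06-16T19:48:00 server-room IN 3391
2014-06-16T20:30:14 server-room OUT 2210
"""

def parse(log=BADGE_LOG):
    """Turn log lines into (datetime, reader, direction, badge) tuples, oldest first."""
    rows = []
    for line in log.splitlines():
        ts, reader, direction, badge = line.split()
        rows.append((datetime.fromisoformat(ts), reader, direction, badge))
    return sorted(rows)

def present_at(rows, reader, when):
    """Badges inside a reader's zone at ISO time `when`: their last event there was an IN."""
    when = datetime.fromisoformat(when)
    last = {}
    for ts, rdr, direction, badge in rows:
        if rdr == reader and ts <= when:
            last[badge] = direction
    return sorted(b for b, d in last.items() if d == "IN")

def visits(rows, reader):
    """Pair each IN with the next OUT for the same badge at one reader.
    Returns (visits, anomalies): visits are (badge, in, out); anomalies record the gaps an
    investigator would otherwise run into, e.g. an exit that was never recorded."""
    open_at, done, anomalies = {}, [], []
    for ts, rdr, direction, badge in rows:
        if rdr != reader:
            continue
        if direction == "IN":
            if badge in open_at:  # two INs with no OUT between: the exit was not recorded
                anomalies.append((badge, "IN without preceding OUT", ts))
            open_at[badge] = ts
        elif badge in open_at:
            done.append((badge, open_at.pop(badge), ts))
        else:  # OUT with nothing open: the entry was not recorded
            anomalies.append((badge, "OUT without preceding IN", ts))
    for badge, ts in open_at.items():  # still open at end of log: never badged out
        anomalies.append((badge, "never badged out", ts))
    return done, anomalies
```

A site that logs entries only would produce nothing but "never badged out" anomalies, which is precisely the gap an investigation then has to fill by other means.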

3. Cameras

All entrances and other secure locations should also be protected by video surveillance, using cameras with enough resolution that faces can be recognized.  Cameras not only offer additional proof should a breach occur, but they can also act as a deterrent against breaches occurring in the first place.  People are much less likely to attempt misdeeds if they know they are being watched.

4. Compliance Requirements

Many compliance standards require additional controls.  Organizations held to compliance standards must know exactly what they need to do in order to meet them.  These compliance requirements have to be considered when securing your network.

5. BYOD

Users nowadays are being granted more freedom within networks, and there is an increasing trend among corporations to allow their users to bring their own devices to work (phones, tablets, laptops).  This, of course, lends itself to several more attack vectors.  BYOD should really only be considered if and when the organization is able to maintain control over the devices brought into the corporate network, through mobile device management or other similar solutions.  If users are not willing to install this extra security software and put up with the extra scrutiny they will receive by bringing their personal devices onto your network, then they should not be allowed to do so.

6. Penetration Testing

Similar to vulnerability assessments, penetration testing not only provides a measure of your vulnerabilities but actually tests those measurements, both physically and virtually.  This allows an organization to determine if its controls and processes are actually working.  Without the appropriate testing, how can you really be sure that your security measures will be enough to prevent breaches?

In conclusion, there are many considerations when securing the perimeter of the corporate network; we have covered only a few.  One must think about: what data needs the most protection, where that data is located, how much it would cost if we lost the data, and what solutions can be put in place quickly with minimal impact and reduced cost.  Sometimes it takes someone looking from the outside in to see the forest for the trees.


The Hitlist: Perimeter Network Security Part 1

To “completely” secure an enterprise network is a very complex and often nearly impossible task.  Several different factors come into play that must be considered and weighed: business requirements, stakeholders, network configuration, compliance requirements, etc.  We have told a number of our clients that, in most situations, if someone really wants to get into a network they will, and you can’t stop them.  However, you can prepare yourself to better recognize and respond to attacks.  This list is designed to offer the basic key points of entry into a network, both virtual and physical, that one should consider.

Virtual Considerations:

The virtual perimeter of an organization often requires the most regular attention.

1. Enterprise Firewall

You should use nothing less than an enterprise class firewall.  There are a number of well-known vendors to consider, but any firewall securing a corporate environment should be enterprise class and not small business or consumer class; you should not skimp on spending when it comes to your primary perimeter security device.  Enterprise class devices cost what they do for a reason: they are built to protect more robust networks and offer the performance, feature sets and configurability that an enterprise needs to secure its network.  The firewall acts as the front gate to your network.

2. Intrusion Detection/Prevention System (IDS/IPS)

An intrusion detection/prevention system (IDS/IPS) is a very important piece to network security, both internally and externally.  An intrusion detection system lets you know if something is happening, but can’t do anything about it.  An intrusion prevention system allows automatic prevention measures to be taken if a threat signature is detected.  These devices should be deployed behind the external firewall, in-line with network traffic, in a DMZ.  If the firewall is the front gate, an IDS/IPS acts as the security guards for the gate which can detect and prevent malicious visitors from intruding on your network.

3. Close Unnecessary Ports

We assess many networks where many unused and unnecessary ports are left open.  A review of all externally open ports and services should be conducted, and only those necessary for business should be allowed to remain open.  Even if you have your gate and guards at the gate, leaving unnecessary ports open on your external network is like having a side entrance next to the guarded gate that you just leave unlocked.

4. Use Secure Protocols

Unsecured protocols such as FTP and HTTP should not be used unless there is no alternative.  All published web applications, with the exception of content-only websites, should be secured using HTTPS.  In general I would recommend hosting the company website outside of the corporate network, as hosting it inside often introduces unnecessary vulnerabilities.  Also, file transfers should only be made using secure methods such as SSH, FTPS or SFTP.  Insecure protocols can be thought of as weak locks on your door: even though there is a lock there, it will not take much to bypass it.

5. Vulnerability Scanning

This is necessary to measure your efforts at protecting your network.  If you do not test your network for vulnerabilities, how will you know whether they exist?  Vulnerability assessments provide a way to scan all externally facing IPs and web applications in your network and measure the effectiveness of the defenses you have in place.

6. Logging

As we previously mentioned, if someone really wants to get into your network and has the resources and motivation, they probably will.  Without logging, you may never know that it happened.  Centralized logging with an enterprise class SIEM solution provides correlation between events and logs, which allows you to quickly and effectively review logs and determine if and when an attack has occurred.

7. Social Engineering

This is one avenue that people often forget to consider when securing their network.  Even if you think you have done everything possible to button up your network by purchasing and implementing thousands of dollars of network security hardware/software, your users can still be the weakest point of failure.  Social engineering comes in many forms, including phishing emails, malware, phone calls, and more.  The types that we most commonly see are phishing and phone calls.  End users should be trained to spot phishing emails and recognize suspicious phone calls in order to reduce the amount of information that is freely given out to potential attackers.

8. Remote Access

Remote access is one of the easiest ways to breach a network if it is not properly secured.  Many home users do not have a firewall, and many don’t even have antivirus; if they use their home computer to connect to your corporate network, their home devices can easily be compromised and provide direct access into your network.  Consider only allowing firm-owned or secured devices to connect to the corporate network remotely, and only through an enterprise class VPN solution.  An alternative is to provide remote access through a virtual desktop solution, which avoids opening any services to the outside except HTTPS.

The virtual perimeter of a network is constantly changing on a number of fronts, often not by way of attack surface but by way of tactics.  In Part 2 we cover the physical considerations for securing the perimeter of a corporate network.