Cyber Risk Whitepaper

Recent cyber events around the globe, including the political arena, once again draw attention to the critical urgency of cybersecurity.  Casino resorts are a regular target for people or “bad actors” that wish to steal, do harm, or cause havoc with their data and systems.  For your situational awareness, we have included a whitepaper authored by Dr. Curtis Levinson, Director of Cybersecurity Consulting for WhiteSand.  In it, you will find a number of insightful tips and topics for consideration that we hope will help you in your cybersecurity efforts.

Dr. Curtis Levinson has over 25 years of focused experience in Cyber Security, Information Governance, and Continuity of Operations. Mr. Levinson has served with distinction two sitting Presidents of the United States, two Chairmen of the Joint Chiefs of Staff, and the Chief Justice of the United States. He has been selected by NATO (North Atlantic Treaty Organization) to represent the United States as an advisory subject matter expert on Cyber Defense.

Curtis K. S.  Levinson, CISSP, MBCP
Director of Cyber Security Consulting

Digital Doomsday:
What Happens to Facebook if the World Ends?

“As a parent, I have some very strong opinions on social media, and as a privacy practitioner, I have the exact same strong opinions on social media.”

So, what does it take for the cyber world to end?  Cyber-attack, electric grid failure, EMP attack?

Exactly how dependent are we on technology and especially Internet connected technology?

How long can we last, cut off from social media, shopping and email? No chat, no posting, no tweets… Whatdaya mean, No Tweets?????

What else do we use social media like Facebook for?  Logins for other sites, shopping and more.  Can the world really be saved by hashtags instead of action?

We are at war.  They are already here. They are already in our networks. They are already attacking us. They are stealing our most precious assets.

Nations no longer confront each other on a field of battle or in isolated theaters of conflict. The methods and tools of warfare have changed, and yet the paradigm of the warfighter has not. War in cyberspace has victims, loss and triumph, but seldom, if at all, victory or defeat. In cyberspace, real people can perish and nations and societies can suffer, yet not one bullet is fired and not a single multi-billion dollar weapons system is ever launched. In cyberspace, there are no negotiations, truce talks or cease fires. In cyberspace we fight invisible and often anonymous adversaries in a battle without a clear goal or end.

In our multiverse of network interconnections, Cyber Attack has become THE unifying common factor of virtually all elements in our contemporary society.

The analogy is that crime has been a part of human society since the dawn of time.

We, as a technological society, MUST accept that we are and will be attacked constantly in cyberspace. We must accept that, at some level, cyber-attack is UNAVOIDABLE.

Once we accept that we will be attacked, no matter what the countermeasure(s), and will potentially be totally or partially disabled, the process and concepts of continuity and recovery become increasingly critical: for example, the merging of Continuity/Recovery with Cyber Security.

Our cyber-security paradigm MUST change: our adversaries are already INSIDE our networks and systems, and while it is important to maintain a strong perimeter defense, it is also extremely important that we protect the data, information and command/control INSIDE our networks.

Our technology dependence leads to increased vulnerability. Our adversaries understand our culture and way of life far better than we understand theirs.

The primary advantages the bad actors have over us are: lack of bureaucracy, smart people, sophisticated tools, minimum financial support, good communication infrastructure, strong defenses and the burning desire to do us harm. Our own bureaucracy and lack of financial support choke our ability to respond effectively.

“The need for persistent detection and defense in depth has never been more apparent.  Anyone that has a computer needs to assume that they have already been compromised. In order to accomplish this goal, the security scrutiny needs to be placed at the likely point of attack of the data, not at maintaining 20th Century technologies of perimeter defense.

This requires a paradigm shift from Reactive, not to Proactive, but rather to the state of Constant Incident Response.

Currently, existing infrastructure, technological limitations, regulatory overreach and operating cost, impair innovation and impede rapid deployment of next generation, real time discovery and protection capabilities. Executive and Board cyber decision making processes are based on staid methodologies that don’t account for the new scope, speed and severity of these escalating threats, nor the resolve of our exponentially increasing adversaries.

Technological innovation must incorporate reduction of human resource dependencies, machine-to-machine discovery, rapidly effective and efficient response by continuously monitoring known data assets while constantly discovering unknown data assets.  These capabilities need to mesh with the regulatory and audit demands without detracting from the CISO’s job of protecting organizational assets.  Operational efficiency, in combination with technological innovation can be accomplished within existing budgets.”

What can we do?

Significant Innovation.

Sustainable Security via persistent detection.

Here are five ways cyber terrorists can and do target industry and the government of the United States, including Weaponized versions of current exploits:

  1. Denial of Service (DoS)
  2. Cyber-Crime and Business Extortion
  3. Cell Phone Targeting (Android and iOS botnets)
  4. Wiping Bank Records (wiping causes far more disruption than stealing)
  5. Targeting Critical Infrastructure (both Government and Industry)

To end on a positive note, here are four cyber mitigation strategies from the Australian Signals Directorate (NSA in Oz) that will greatly reduce the potential for cyber-attack at the Organization level by approximately 60%:

  1. Application White Listing: Everything is prohibited except that which is specifically permitted.
  2. Patching ALL systems and networks: They must be absolutely current/up-to-date. If patches are not possible, compensating controls MUST be implemented.
  3. Restricting Administrative Privilege and performing extended background investigations on those personnel who have administrative privilege(s).
  4. Implementing a Defense in Depth strategy of different security layers and segmentation, including VPNs, VLANs, Application Level Firewalls and STRONG cryptography, to ensure that there is no single point of failure and/or single direct path into the system. Our definition of Defense in Depth MUST be expanded to include the network core as well as perimeter systems.

The only thing the bad actors are vulnerable to is something we are supposed to have loads of: Common Sense

To wrap up, here are 21 very simple personal mitigation strategies which, if implemented correctly, will greatly reduce the potential for cyber-attack at work or at home:

  1. Make sure you install anti-virus, anti-spyware, malware, and adware detection software from a reputable vendor onto your computer and keep it up to date. This will protect your computer from known viruses, malware and adware.
  2. Make sure your banking site (URL) starts with https://, not http://. The “S” indicates a secure transaction using a different method of communication than standard Internet traffic.
  3. Never use a link to reach your financial institution’s website; emails and search engine links should not be trusted. Type your bank’s website address into the Internet browser’s address bar every time.
  4. Know what your financial institution’s website looks like and what questions are asked to verify your identity. Some attacks, known as man-in-the-middle attacks, will change the login page. These changes allow the attacker to see your answers and to add additional security questions. When you log in, the information is transmitted to the attacker and to your financial institution, logging you into your bank’s website, while also giving your attacker all of your account information. A vigilant user can sometimes spot these attacks by noticing slight modifications to the bank’s standard page: extra security questions, poor grammar, misspellings, a fuzzy or older bank logo or a change to the location of each feature.
  5. Be extremely suspicious of emails purporting to be from your financial institution or a governmental agency. Financial institutions should never contact you via email to request you to verify information. If you believe the contact may be legitimate, do NOT use the link provided in the email, instead type in the link to your financial institution in the Internet browser’s address bar or contact your financial institution at a phone number you know is valid.
  6. If you use a credit card to shop online, use only one credit card with a low limit. Choose a credit card with an online purchase protection plan if possible and monitor the activity on the card as often as possible.
  7. Avoid using check or debit cards for online transactions.
  8. Always lock or shut off your computer when you leave it unattended. Set your computer to automatically lock after a set period of inactivity (e.g., 15 minutes).
  9. Do not allow your computer to save your login names and passwords.
  10. Use a strong password; at least 10 characters combining upper case and lower case letters, numbers and symbols.
  11. Never access your financial institution’s website from a public computer at a hotel, library, or public wireless access point.
  12. Properly log out of all financial institution websites and close the browser window. Simply closing the active window may not be enough.
  13. When you are finished with your computer, turn it off or disconnect it from the Internet by unplugging the modem or Ethernet/DSL cable.
  14. Do not open emails from untrusted sources or suspicious emails from trusted sources.
  15. Do not visit untrusted websites or follow links provided by untrusted sources.
  16. Do not use the same computer for financial transactions that children or “non-savvy” Internet users use for regular Internet access.
  17. Do not use the login or password for your financial institution on any other website or software. Do not write it down. However, do change it frequently.
  18. Do not post your personal information on the web. Your high school, maiden name, date of birth, first car, first school, youngest sibling’s name, mother’s full name, father’s full name, best friend’s name, etc. are the answers to many security questions on financial websites. When you post this information, you are making it easier for criminals to gain access to your financial information.
  19. Check with your financial institution about enabling “Alerts” and other security measures that may be available.
  20. If possible, set up accounts that are not accessed through the Internet and use those for long-term savings. Move money between those accounts and active accounts via the phone or in-person visits.
  21. Immediately report any suspicious activity in your accounts.  There is a limited recovery window and a rapid response may prevent additional losses.