Welcome to ISSA KC

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. Through its membership, ISSA-Kansas City helps security professionals in the Kansas City area learn of information security issues and trends, which promotes education, collaboration, and leadership, and furthers the information security profession.


Online shopping identity theft

Posted by NB Thursday, December 12, 2019

The December holidays are one of the bright points of the year for most people. People take time to be with their families, buy gifts and just enjoy the holiday atmosphere. Two less pleasant things that come up at this time of year are porch pirating and online shopping identity theft. In 2018, 43% of all holiday thefts occurred online. To learn more about this, read this article from Experian and learn how to protect yourself.

- Mike Hill

National Cybersecurity Awareness Month

Posted by NB Wednesday, October 16, 2019

October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a joint industry and government effort to raise all Americans' awareness of cybersecurity, from the individual user or consumer to businesses, and of how to protect themselves. This effort is significant because the commerce and services we depend on are increasingly tied to the cloud and the Internet.

As security professionals, it is an opportunity for us to provide additional education to our clients, whether they are internal users at our own businesses or external clients.

Some free tools to help educate people are available to us. Among the tools and suggestions worth a look are the Department of Homeland Security resources, including the National Initiative for Cybersecurity Careers and Studies website with its tool kit, StaySafeOnline, the Educause awareness campaigns and the InfoSec Institute's tools, to name a few.

Resources that are more personalized to your institution can be developed at your company or institution as well. Working with Delano Regional Medical Center (DRMC) of Delano, CA, the staff and I conducted a Cybersecurity Awareness Day with DRMC marketing support. To make sure staff knew how they could be affected, we used a spinning wheel and had questions tied to each number. The questions covered both hospital and consumer situations. The different situations that could occur were very enlightening to the staff. The hospital then provided small prizes, such as Starbucks gift cards, for those answering the questions correctly. In the background a video was also shown telling a true story about medical insurance identity theft. The event was popular, so we have been conducting it yearly.

National Cybersecurity Awareness Month is a great opportunity for your business or institution to take advantage of. The Information Systems Security Association of Kansas City wishes to help with and encourage this.
For more information about this or the ISSA-Kansas City Chapter, please contact Mike Hill at issakc-marketing@kc.issa.org.
DHS/NICCS Cybersecurity Awareness Tool Kit
DHS/NICCS Suggestions
InfoSec Institute
Stay Safe Online

Attributing the Problem with Attribution in Cyberspace

Posted by VP ISSA Thursday, May 24, 2018

Author: Elliott Lillard, ISSA Member
Date: May, 2018

This article offers an opinion on the attribution problem, especially as it concerns the conflict between the United States and foreign adversaries such as China or Russia. Acting within cyberspace, particularly during hostile times and when dealing with rival nation states, adds a great deal of complexity to determining risk and appropriate action. Attribution is the ability to thoroughly understand who is behind an attack. It is worked out from the evidence the action leaves behind and from what is already known about the actors involved, as victim and as perpetrator; the reward is understanding the who and the why behind a cyber-attack.

Derek S. Reveron, the author of Cyberspace and National Security, provides insight into the problem of attribution, especially in terms of cyberspace and cyberwar. “The increasing Internet accessibility of secrets, money, and industry creates significant incentives for individuals, groups, and states to find ways to use offensive cyber capabilities. This motivation is heightened by the fact that attributing attacks from cyberspace is often impossible and the laws and social norms relating to cyber espionage, crime, and warfare are often weak or nonexistent...As a result, those who profit from cyber-attacks are unlikely to be apprehended and if caught seldom face punishment,” (Reveron, 91).

The underlying reason that nation states, hacktivists, insiders and rogue individuals pursue hostile acts which, conducted anywhere other than the cyberspace domain, would be considered acts of aggression comes down to this: malicious actors feel they can get away with the crime without any negative consequence. It is also very difficult to understand the full extent of the damage behind a cyber-attack. “The opaque nature of actions in cyberspace makes it difficult for the defender to know how far the attacker has penetrated and, therefore, exactly where they are on the policy slope,” (Hare, 132). Cyberwar is a far different battleground from traditional boots-on-the-ground combat. It is much easier to know who is behind a missile strike when the trajectory of artillery can be traced back to a hostile regime, which can then be answered with equal or escalated kinetic action, and it is far easier to fully understand the damage such an attack has done.

At the time of this writing, the United States faces several rival nations that could benefit from a successful and damaging cyber-attack. Those nation states include but are not limited to Russia, China, North Korea, and Iran. Russia has been under the microscope recently as it came to light that it had a direct impact on the last U.S. presidential election, which threatens our democracy and the outcome of a fair and just election process. China has gained economic benefits from conducting clandestine operations seeking intellectual property, trade secrets, and classified government documents. Iran and North Korea are increasingly interested in our nation's secrets related to nuclear arms production and storage. These rival nations have taken action to infiltrate our nation and extract sensitive materials. However, these actions are not limited to passive collection and could become a more direct and crippling attack if focused on disrupting our critical infrastructure.

“A nation can suffer an existential threat from attacks and infiltrations through cyberspace by either state or organized non-state actors to degrade or disrupt critical infrastructure systems, both privately and publicly owned,” (Hare, 127). Attributing these hostile actions back to the original actor is paramount to responding to, mitigating and preventing future cyber-attacks.

Rival nation states will continue to increase the sophistication and frequency of these cyber-attacks to avoid detection. If they do not fear the consequences of their actions, there is no reason for them to hesitate to launch further attacks against our democracy and way of life. “Deterring attacks has depended on convincing opponents that the costs of attacking would be greater than any benefits they might obtain,” (Reveron, 92). The United States must improve its ability to catch cyber-attacks in action before damage can be done and to determine, through attribution, who is behind them. Once an attack has been traced back to an actor, there should be standards in place for understanding it and responding appropriately, whether through direct action or by forming a coalition of allies to freeze trade agreements, impose economic sanctions or band together to issue a reciprocating cyber-attack far worse than the original. “Inaction is easy to justify in a deterrence situation, as a would-be adversary can always claim other reasons for not conducting an action for which a victim threatens retaliation,” (Hare, 131). Doing nothing after an attack also does nothing to deter future cyber-attacks.

Preventing future attacks is vital to a successful deterrence strategy. “In most cases of cyber conflict confronting developed nations today, the more pressing issue is not deterring an actor from choosing to conduct hostile intrusions in cyberspace but compelling them to stop conducting intrusions that already have been highly successful,” (Hare, 126).

Foreign adversaries such as Russia or China will continue to push boundaries, infiltrate our networks for secrets and potentially wreak havoc on our critical infrastructure and vital systems. Thus, emphasis will need to be placed not only on preventing future zero-day attacks but also on preventing repeated intrusions that have already proven successful. “Attribution is central to deterrence [...] [and] retaliation requires knowing with full certainty who the attackers are,” (Hare, 128). Fixing the attribution problem in cyberspace will prevent future attacks because attackers will be caught in their tracks and answered with appropriate action, and other nations will see this and think twice before conducting hostile actions.

Hare, F. (n.d.). The Significance of Attribution to Cyberspace Coercion: A Political Perspective [Scholarly project]. Retrieved April 22, 2018, from https://ccdcoe.org/sites/default/files/multimedia/pdf/2_5_Hare_TheSignificanceOfAttribution.pdf
Reveron, D. S. (2012). Cyber challenges and national security: Threats, opportunities, and power in a virtual world. Washington, D.C.: Georgetown University Press.

Why Apple Pay and Other Mobile Wallets Beat Chip Cards

Posted by VP ISSA Wednesday, November 15, 2017

Every weekend, when Pierre Houle works the brunch shift at Olea, a neighborhood restaurant in San Francisco, many customers want to split the tab on multiple credit cards, a process that takes much longer than it used to.
For waiters like Mr. Houle, diners going Dutch is nothing new. But now he has to take each of the credit cards, insert them into a chip reader and wait about 10 seconds for every transaction to process. In the past, he could swipe a card, wait a few seconds, print out the receipt and get going. “It isn’t much, but in the restaurant world it can be enormous,” he said. “I have to wait there, and I can’t go check on something else. You need to move all the time when you do a job like that.”
Many merchants and retail workers are watching their lives play out in slow motion when they process credit cards. To combat fraudulent transactions, the retail industry is shifting away from the traditional magnetic stripe toward tiny computer chips embedded inside cards. The chip technology, known as E.M.V. (for Europay, MasterCard and Visa), has been around for decades in Europe. But starting last October in the United States, banks pushed the liability for purchases made with counterfeit credit cards onto merchants.
That means if a criminal swipes a counterfeit credit card to buy something, the merchant now has to pay for it. The sweeping change has compelled many retailers to upgrade their equipment to read chips, which have stronger security than the easy-to-forge magnetic stripe. By the end of this year, about 80 percent of all credit cards in the United States should include chips, according to a new report by the fraud prevention company Iovation and the research firm Aite Group. The chip initially may annoy consumers. For most chip transactions, you have to dip the credit card into a slot and wait for the transaction to be approved before you can remove it and scribble your signature.
Mobile payments could be a quicker alternative. Some of the biggest tech companies — Apple, Google and Samsung Electronics — released mobile wallet technologies in the last two years, though they are still a niche product. In the United States, only 0.2 percent of all in-store sales were made with phones last year, according to a survey by eMarketer, the research firm.
“Contrary to what Tim Cook said when Apple rolled out Apple Pay, consumers have been swiping their cards for a long time and it’s not that hard,” said Julie Conroy, a research director for the Aite Group.
I tested chip cards and each of the mobile payments services in three different stores: Walgreens, BevMo and Nancy Boy, a small beauty supply store in San Francisco. I inserted a chip card or tapped a phone and timed how long it took each transaction to be approved and start printing a receipt. The results varied slightly, but the mobile wallets were generally much faster than the chip.
At Walgreens, after I inserted a chip card, the transaction took eight seconds before a receipt started printing; Apple Pay and Samsung Pay took three seconds; and Android Pay (Google’s service) took seven seconds. At BevMo, the chip payment took 10 seconds; Samsung Pay took four seconds and Android Pay and Apple Pay each took five seconds. At Nancy Boy, the chip took eight seconds, and all the mobile payment services tied at 2.4 seconds.
What is happening with the chip to make it so slow? When you dip the card, the chip generates a one-time code, which is sent to the bank over a network. The bank confirms the code and sends verification back to the terminal. With mobile wallets, the same thing is basically happening in the background: they generate one-time tokens that are sent out and approved by the banks. Stephanie Ericksen, a Visa executive who works on security solutions for new payment technologies, says the sluggishness of the chip is largely a perception issue. The actual transaction time behind a mobile payment and a chip card is the same.
But with the chip, most merchant terminals require you to leave the card inside the reader until the transaction is complete and wait for a screen to tell you that you can remove the card. With the mobile payments, you can just tap the phone, and there is no extra screen telling you to remove the phone, which partly explains why the transaction appears to move along more quickly. Visa is addressing the perception of sluggish transactions with Quick Chip. It is basically a coming software upgrade that will allow the terminals to instruct the customer to dip the card and remove it right away.
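The one-time code described above is what separates a chip from a stripe: a magnetic stripe carries the same static data on every swipe, so a copy of it is as good as the card, while a chip's code is computed fresh for each transaction and the issuer rejects repeats. The simulation below is an added illustration, not code from the article or from any payment network; it uses an HMAC and a transaction counter as a simplified stand-in for the real EMV cryptogram and key derivation, and all card numbers and keys in it are constructed.

```python
"""Simplified model of why a chip's one-time code resists the counterfeiting
that static magnetic stripe data allows. Real EMV uses issuer-derived session
keys and the ARQC/ARPC message flow; an HMAC over the transaction data stands
in for the cryptogram here (an assumption of this illustration, not the spec)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def compute_cryptogram(key, pan, atc, amount, nonce):
    """One-time code over the card number, transaction counter, amount and
    the terminal's unpredictable number. Changing any field changes the code."""
    msg = f"{pan}|{atc}|{amount}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    pan: str            # constructed sample card number
    key: bytes          # secret shared only with the issuer
    atc: int = 0        # application transaction counter

    def generate(self, amount, nonce):
        self.atc += 1   # every dip produces a new counter value and code
        return self.atc, compute_cryptogram(self.key, self.pan, self.atc, amount, nonce)


@dataclass
class IssuerBank:
    """Issuer side: knows each card's key and the last counter it accepted."""
    card_keys: dict = field(default_factory=dict)
    last_atc: dict = field(default_factory=dict)

    def issue_card(self, pan):
        key = os.urandom(16)
        self.card_keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, pan, atc, amount, nonce, cryptogram):
        """Approve only if the code verifies under the card's key AND the
        counter is strictly newer than the last one seen (no replays)."""
        key = self.card_keys.get(pan)
        if key is None:
            return False
        expected = compute_cryptogram(key, pan, atc, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False          # forged or altered transaction
        if atc <= self.last_atc[pan]:
            return False          # a previously used code being replayed
        self.last_atc[pan] = atc
        return True

    def authorize_stripe(self, pan):
        """Stripe model: the track data is static, so the issuer can only check
        that the account exists. Every presentation of the same data is approved,
        which is why counterfeit-card liability moved to non-chip merchants."""
        return pan in self.card_keys


def chip_transaction(bank, card, amount):
    """Terminal flow: pick an unpredictable number, get the card's code,
    ask the issuer. Returns (approved, record) where record is what an
    eavesdropper on the terminal-to-bank link would see."""
    nonce = os.urandom(4)
    atc, code = card.generate(amount, nonce)
    record = (card.pan, atc, amount, nonce, code)
    return bank.authorize_chip(*record), record


def demo():
    bank = IssuerBank()
    card = bank.issue_card("4111111111111111")   # constructed sample PAN
    approved, captured = chip_transaction(bank, card, 1250)
    # Replaying the captured code fails on the counter check.
    replayed = bank.authorize_chip(*captured)
    # A clone that knows the PAN but not the key cannot produce a valid code.
    forged = bank.authorize_chip(card.pan, card.atc + 1, 1250, captured[3], b"\x00" * 32)
    # The same static stripe data is approved again and again.
    stripe_twice = bank.authorize_stripe(card.pan) and bank.authorize_stripe(card.pan)
    return {"chip_approved": approved, "replay_approved": replayed,
            "forgery_approved": forged, "stripe_copy_approved": stripe_twice}


if __name__ == "__main__":
    print(demo())
```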
Mobile wallets feel faster, more convenient and less awkward to use than the chip, so you should use them whenever possible. The caveat, of course, is that not every merchant that takes credit cards also accepts mobile payments. To see if the wallet is supported at a store, you will have to look out for Apple Pay or Android Pay logos on cash registers, or a logo of a hand holding a card in front of a wireless signal, which means contactless payments are supported.
That brings us to the differences among the mobile wallets. They all work about the same — take your phone out, enter your passcode or fingerprint and tap the terminal — and they have their pros and cons.
Samsung Pay is accepted by the most merchants because it uses magnetic secure transmission, a technology that emits a magnetic signal to mimic the magnetic stripe, meaning it can be used on most credit-card readers. Samsung Pay also supports payments made wirelessly with near-field communication, or NFC, a technology that enables devices to exchange information wirelessly over short distances.
Apple Pay and Android Pay can make payments over terminals that have NFC or inside apps that support them, like Uber or DoorDash. Apple Pay is supported by more banks than the Samsung and Android wallets. (I was surprised, for instance, that I could not add a Chase card to Android Pay.) Android Pay’s advantage is that it is available on the broadest array of devices. It can run on most Android phones that support NFC, whereas Samsung Pay can only be installed on Samsung phones and Apple Pay can only run on iPhones and the Apple Watch.
In a statement, Samsung said Samsung Pay was the most accepted mobile payment service and it “dramatically decreases opportunities for fraud.” Google’s senior director for Android Pay, Pali Bhat, said, “We want Android Pay to be available everywhere, and everywhere means as many devices as we can support.”
Jennifer Bailey, vice president of Apple Pay, said, “Users tell us they love the convenience and speed of paying with their iPhone or Apple Watch.”
In rare cases, there can be a long wait before you take your chip card back. Mr. Houle, the restaurant waiter, also works part time at the beauty supply store Nancy Boy. He recounted an incident in the store when he dipped a chip card for a customer who left before he could hand it back. He tracked her down on Facebook and mailed it to her in New York three days later. “It was my fault as much as hers,” he said.

 Two U.S. senators have introduced bipartisan legislation aimed at protecting American election systems from foreign interference.

The Securing America’s Voting Equipment (SAVE) Act would help shield voting systems, registration data, and ballots from theft, manipulation, and malicious computer hackers.

And it requires your help to “hack the election.”

Among various authorizations and mandates, the proposed bill includes the creation of a “Cooperative Hack the Election” contest: Participants work with vendors to uncover (and ultimately defend) threats to electronic voting systems.

The goal of the annual bug bounty program is to “strengthen electoral systems from outside interference”; discover the most significant vulnerabilities to earn an as-yet-unspecified award.

Hackers, however, may not “exploit” uncovered vulnerabilities or “publicly expose” them, according to the legislation.

“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders,” Sen. Martin Heinrich (D-N.M.), who co-wrote the bill with Sen. Susan Collins (R-Maine), said in a statement. “We must do everything we can to protect the security and integrity of our elections.” The move comes after reports that election-related networks, including websites, in 21 states were targeted by the Russian government during the 2016 campaign.

If enacted, the SAVE Act would invite developers, network specialists, security experts, cyber criminals, and anyone with average computer skills who lives in their parents’ basement to infiltrate nationwide systems.

It also facilitates information sharing, provides guidelines for best practices, and entitles states to additional funding to develop their own solutions to election threats.

The Department of Homeland Security in June confirmed that “a small number” of voting networks—including those in Arizona and Illinois—were successfully compromised last year. Reports also suggested that voter registration databases in 39 states were penetrated.

Collins called it a “truly disturbing” reality that should “serve as a call to action to assist states in hardening their defenses against foreign adversaries that seek to compromise the integrity of our election process.” “Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich added.
(Fortunately, this bill (S.2035) is being given only a 4% chance of actually becoming law.)
Title I calls for the Director of National Intelligence to sponsor a security clearance up to Top Secret for each eligible chief State election official and one designee of such official. In general, the chief State election official is the state’s Secretary of State. There is no mention of what happens if the designated officials either are not eligible for a security clearance or fail a required background check. Title II directs the Secretary of Homeland Security to designate voting systems used in the United States as “critical infrastructure”. The definition of “critical infrastructure” as used in this bill is:
42 U.S.C. §5195c(e)
(e) Critical infrastructure defined
In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
While the protection of voting systems is certainly important, I am not sure the designation as critical infrastructure is appropriate. Also, the designation of voting systems as critical infrastructure extends federal government control into an area traditionally left in State control. Title II also makes funds available in the form of grants for States to upgrade their voting systems, but those grants would be made available only to States that implement the best practices dictated by DHS. I don’t really have an issue with making funds available, but I think the States should be the ones to determine the best security practices for their own systems. Otherwise, there is too much potential for federal government overreach and mischief. (Just my opinion.)
Title III is the one that establishes the “Cooperative Hack the Election Program” and directs the DHS Secretary to develop the program which would include the creation of “an annual competition for hacking into State voting and voter registration systems during periods when such systems are not in use for elections”.
While I understand and accept the desire and need to discover vulnerabilities in computing systems, this is the type of activity that should never be done on live, production systems. It should only take place in controlled, test and development environments, designed to duplicate live environments.
Title III provides a safe harbor from prosecution under 18 U.S.C. §1030, Fraud and related activity in connection with computers, for activities conducted that are associated with the program.
My feeling is that this is ill advised. Offering rewards to people for attempting to break into computer systems, especially live, production systems, even within certain constraints, is not a good idea. Nor is it a prudent use of taxpayer funds. My personal opinion is that, if the States want to standardize security requirements and procedures for voting systems, it should be left to the National Association of Secretaries of State and the National Association of State Election Directors. They are responsible for the conduct of elections and can establish the standards, including the certification of vendors and equipment. If they want to consult with NIST, fine. Authorize block grants to those associations for that purpose if necessary and keep the federal government out of it (Joe Butin, CISSP, CIPP, e-mail message, November 9, 2017).

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X

Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is that, in its current implementation, only one face can be enrolled per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware of this, the user can register a different, unique fingerprint instead.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."

U.S. senators to introduce bill to secure 'internet of things'

Author: Dustin Volz. Editing by Bill Rigby. August 1, 2017

(Reuters) - A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects - known in the tech industry as the "internet of things" - which experts have long warned poses a threat to global cyber security. The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.

Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.

"We're trying to take the lightest touch possible," Warner told Reuters in an interview. He added that the legislation was intended to remedy an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind.

The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls, such as network segmentation, are in place. It would also expand legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.

Security researchers have long said that the ballooning array of online devices including cars, household appliances, speakers and medical equipment are not adequately protected from hackers who might attempt to steal personal information or launch sophisticated cyber-attacks.  

Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large percentage of them insecure. Though security for the internet of things has been a known problem for years, some manufacturers say they are not well equipped to produce cyber-secure devices. Hundreds of thousands of insecure webcams, digital video recorders and other everyday devices were hijacked last October to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify.

The new legislation includes "reasonable security recommendations" that would be important to improve protection of federal government networks, said Ray O'Farrell, chief technology officer at cloud computing firm VMware.

Chapter meetings are a great way to get to know your peers here in KC. And, if you're currently looking to make a career change, it's an invaluable way to build relationships that can provide you with the "inside information" on open security positions.