Cyber 321: 14th January 2022

Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: How the bad guys get hold of your password, why the US is so concerned about Huawei equipment, and why do large organisations have both a CIO and a CISO?

This week’s action: Double-check your two-factor authentication.

If reading isn’t your thing, you can now listen to Cyber 3-2-1.

This week’s episode is accessible from https://www.buzzsprout.com/1914497/9885514

All episodes are accessible from this page. You can also listen and subscribe on Apple Podcasts, Google Podcasts or wherever you get your podcasts.

THREE ARTICLES

1: 5 ways that hackers steal passwords and how to stop them

The first article this week discusses the 5 ways that the bad guys try to steal your password.

Social engineering is top of the list, whereby they try to fool you into revealing it to them. Other ways include:

Infecting your device with malware that records your keystrokes or takes screenshots of your device
Credential stuffing, whereby attackers “feed large volumes of previously breached username/password combinations into automated software. The tool then tries these across large numbers of sites, hoping to find a match”.
Guesswork, whereby attackers use commonly-used passwords to see if you were foolish enough to use one of these. The most common password of 2020? 123456. The second most-common? 123456789. And the fourth? ‘password’.

To make it more difficult for these attackers to succeed, recommendations include the use of unique passwords and the adoption of two-factor authentication so your password is no longer enough to gain access to your account.

2: Why did the US and its allies seek to prohibit the use of Huawei equipment in 5G networks?

The U.S. government has warned for years that products from Huawei pose a national security risk. But there was never any evidence published to back up these claims.

A recent Bloomberg article discusses the evidence.

Apparently, in 2012, “Australian intelligence officials informed their U.S. counterparts that they had detected a sophisticated intrusion into the country’s telecommunications systems”. And apparently, “it began with a software update from Huawei”.

While the update appeared legitimate, “it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China [..] After a few days, that code deleted itself” using a clever self-destruct facility which reduced the risk of being caught.

There is no evidence that senior management in the company were aware of this malicious code, and they would not need to know – All it would take is for a junior programmer to infect the process.

Another interesting angle to the story is that, apparently, the NSA tried to find evidence of collusion by senior management by hacking into Huawei’s email system. And Bloomberg reports that the “NSA also looked for ways to exploit Huawei products in Chinese-built networks in countries considered high-priority intelligence targets, including Afghanistan, Cuba, Iran, Kenya and Pakistan.”

3: Why do we have a Chief Information Officer and Chief Information Security Officer?

In many of the larger organisations that I’ve worked with, there is a CIO (Chief Information Officer) and a CISO (Chief Information Security Officer). One is responsible for building and supporting the technology used in the organisation, while the other is responsible for securing it. Sometimes, it feels like one is responsible for saying YES to all business requests, while the other is expected to say NO to all of them.

JJ Guy, CEO of Sevco Security, asks why CIO and CISO are two separate roles.

As he says: “Two decades ago in the Air Force, there was no such thing in the military as a CISO as distinct from the CIO. The IT executive owned IT operations and security operations, and those grew together.”

JJ wonders why a separate CISO position has now emerged in many firms.

“Maybe because the CIOs at the time just couldn’t get their heads around security. Or maybe some organizations felt the need to create a C-level position to underscore cybersecurity’s growing importance.”

In any case, he believes these are not two separate roles. They are one.

“Everything in IT is too unified and interlinked to give the jobs of running and securing an operation to two different seats.”

If an organisation believes they need both a CIO and a CISO, JJ believes the CIO should report into the CISO. Clearly, security must be the priority.

TWO NUMBERS

1: 193 billion

There is an estimated 193 billion password / credential stuffing attacks in 2020, according to a report published by Helpnet Security.

2: 3.4 billion

3.4 billion of these password attacks in 2020 targeted financial services organisations.

ONE ACTION

1: Two-factor authentication: Make sure you turn it on

I know I harp on about two-factor authentication every single week. But it is an easy security measure to implement and one of the most effective measures to keep you safe.

But it’s no good if you don’t switch it on and keep it on.

You would be amazed at the number of times people have told me they thought it was enabled on all of their important accounts, only to find out it wasn’t.

So, stop what you are doing and double-check that your important accounts remain protected (e.g. your email accounts; your online banking; your password manager).