• Man uses phone applications for email, shopping and other daily activities

    Cybersecurity Can No Longer Be Ignored: Picks of the Week

    Why Everything Is Hackable | The Economist

    Hey: Don’t Click That Weird Google Docs Link You Just Got (and Tell Your Mom Not to Click, Either) | New York Magazine

    Getting Beyond Norms: When Violating the Agreement Becomes Customary Practice | Centre for International Governance Innovation

    There’s a good chance you — or someone you know — received an email on Wednesday inviting you to edit a document in Google Docs. Phishing attacks and online scams are nothing new, but the massive attack on Google Docs that hit the Internet on May 3rd took phishing to a new level and spread throughout the globe in a matter of minutes. Most of the emails asking to review or open those Google Docs came from known contacts (colleagues, friends, or family members) and many of them included references to local schools, but all were addressed to a strange contact that boasted a whole string of H’s in its name ([email protected]). If you clicked on the link, it asked for some access permissions to your Gmail account, and then spammed everyone in your contacts with a link to a Google Docs file.

    What the phishing accomplishes in unknown, but the widespread scam made its way across the Internet incredibly quickly, and the attacker potentially had access to multiple victims’ Google accounts and contacts.

    Google promptly responded, disabled offending accounts, and put out multiple social media posts to warn users not to click on those links. While Google estimates that “fewer than 0.1 percent” (or about 1 million) of Google users were impacted and that only contact data was exposed, enough people reported receiving these invites that the hashtag #PhishingScam began trending on Twitter and email inboxes clogged with nearly as many warnings about the scam as instances of the scam itself.

    If you were on the receiving end, hopefully you did not click on the malicious link and simply deleted the malicious email. Many of the school districts affected by the phishing
    scam asked their employees to change their passwords as a preventive measure and called students and parents warning them not to open emails, change their passwords if they had opened them, and report any of those instances to Google. For those who may have been tricked by the attack and clicked on the phishing link, Google also recommends that you visit their account page at https://myaccount.google.com/secureaccount and remove any apps you don’t recognize.

    Cyber threats and phishing attacks are only increasing in scope, volume, velocity, and sophistication. Just in the last quarter of 2016, multiple Internet service providers (ISPs), businesses, and other organizations around the globe were victims of a variety of disruptive and damaging distributed denial of service (DDoS) attacks. In October 2016, a piece of malicious software called “Mirai” was used to turn thousands of insecure Internet-connected devices into remotely controlled “bots,” which were then used to flood the Domain Name System (DNS) infrastructure and Internet provider Dyn in the US, knocking off-line many of its customers, including PayPal, Twitter, Reddit, The New York Times, Spotify, Airbnb, and others. In November 2016, the Mirai software was used again in Europe, knocking nearly 1 million Deutsche Telekom customers off-line. This time, the malicious software attempted to infect routers and thus could have affected a much broader part of the Internet’s infrastructure. The Mirai attacks have highlighted various vulnerabilities and the lack of security of the “Internet of Things” (IoT) and the “smart” devices it comprises. As Melissa Hathaway, former cybersecurity adviser to U.S. Presidents George W. Bush and Barack Obama, explains in her latest piece on the breakdown of international norms of responsible state behaviors in cyberspace: “the Mirai attacks also highlight why the Internet’s security and stability is an international issue. As countries continue to embrace the economic opportunities of becoming more connected to the Internet and adopting and embedding more IoT devices in every part of life, they must also prepare for the misuse of those same ICT-based devices.”

    The fact that cybersecurity made the front page of a magazine like The Economist (usually written about making money) is a pretty big deal economically speaking and the gloomy prediction is troubling. The article, headlined “Why everything is hackable,” noted how profitable it is for malicious actors to exploit vulnerabilities and prey on people’s ignorance or ingenuity. With the availability of ransomware and exploit kits readily available on the Dark Web, initial investment is low, and the potential revenue generation is high. The article cleverly pointed out that high tech companies “value growth above almost everything else,” and there is a mentality of “Ship it on Tuesday, fix the security problems next week – maybe.” I sadly have to agree, and fear that this mentality has further disincentivized tech companies from developing well-engineered products with less vulnerabilities and increased redundancies. The Economist recognizes that these and many other cybersecurity issues are a serious problem and, while it might have been excusable to overlook these issues when the Internet was new, this is no longer acceptable or feasible in today’s highly connected world. – Senior Fellow Francesca Spidalieri

  • Man uses smartphone as home automation device

    Is your phone or smart home device spying on you? Picks of the Week

    Are your sensors spying on you? | Science Daily

    Amazon Makes the High-Performance 7-Mic Voice Processing Technology from Amazon Echo Available to Third-Party Device Makers | Amazon

    Hackable IoT washing machine provides channel for breaching hospital IT | CyberScoop

    Technology is infused in our modern life. Attempts at attaining perspective often fall to historical comparisons. Images frequently circulate of warehouse-sized computers from the 1960s which can hardly compare to the computer power, size, speed, and functionality that even a low-end smartphone possess today. Much has been written on the blistering pace this technological infusion has taken since those early images. Innovation in the technology sector barrels forward. For a short golden age, we marveled at the change, the improvements in our daily lives, and the increase in efficiency, productivity, and global reach that technology afforded us. Yet, in our haste to constantly deploy new technology, masked in a liberative utopian narrative, we may have missed a shift. A slope downward from our zenith. The host of new technology, now pervading almost every aspect of our lives, paired with our physical proximity to all those technologies and connected devices and sensors, creates a variety of privacy and security problems.

    A smartphone is a patchwork of technology. Complementing the most obvious sensors (e.g., touch screens, microphones, cameras), smartphones have also Global Position System (GPS) connections, accelerometers, gyroscopes and orientation sensors, bluetooth, light sensors, and Near Field Communication (NFC) to name just a few. Culturally, we have acclimated to living with smartphones in our hands for an average of ~9 hours a day. The constant connection and instant feedback this miniaturized computer affords us creates a bargain: we must provide our phones the information it asks for and allow it to “follow” us around. When installing any smartphone application, the app will proposition a phone for permissions, asking the phone for the ability to interface with sensors on board. Most users do not read the permissions when installing an app, and even if they did and wanted to refuse any part of it, they would not be able to install the app. Some of the sensors built in those devices do not even require permissions to access the data on the phone. While using our smartphones for simple tasks, a number of apps interface with a multitude of sensors in any given moment. Recently, researchers in the United Kingdom revealed the ease with which malicious websites, as well as installed apps and built-in sensors, can spy on us and be exploited by hackers, in one case using the orientation sensor (the sensor phones use to calculate which way it is facing) to crack the pin number of the user. Despite the variety of cyber threats these vulnerabilities expose us to from phishing attacks to identity theft, research shows that people are unaware of the risks and most of us have little idea what the majority of the 25+ different sensors available on current smartphones do.

    Our closeness with technology has expanded outward from our pockets and personal computers. The rush has served to saturate the “real world” with Internet-enabled devices. Recent events have highlighted the potential danger of our increased reliance on technology, and media reports have highlighted a series of vulnerabilities in popular consumer-oriented, Internet-connected light bulbs, DVRs, thermostats, security cameras and GPS trackers. In October, hundreds of thousands of insecure IoT devices were used to launch a large-scale distributed denial of service (DDoS) attack on the Domain Name Service host “Dyn” interrupted service for swaths of the Internet. The attack is believed to have launched from compromised “Internet of Things”(IoT) enabled devices, like DVRs, cameras, and baby monitors. Other IoT devices like Amazon’s Echo and Alexa have come under intense scrutiny over concerns of information collection and utilization. Records collected by Alexa are stored by Amazon and have often been subpoenaed by law enforcement, and Alexa records have even been sought as evidence in at least one murder case.

    The metaphor used ad nauseum of our current situation is Jeremy Bentham’s panopticon, a circular prison in which a guard can watch all prisoners but the prisoners are never sure if they are being watched. For Bentham, the possibility of always being watched would keep the prisoners behaved. In the modern world, we are always being watched but, unlike Bentham’s prisoners, we are not held in a prison cell. To keep ahead of these developments at best appears overwhelming, and at the worst sisyphean. Privacy, as we conceived by modern society, may be on the path to extinction, but as consumers we can hold on to modicums. Paying attention to the permission requests of apps on your smartphone, reading carefully the functionality of new devices purchased, checking what purchases require an Internet connection, only installing applications from approved app stores, and keeping our phone operating system and apps up-to-date can be effective steps to preserve those remaining fragments of privacy and certainly increase our security online. Encouraging awareness and piecemeal observations may seem a lackluster solution, but it requires a necessary self-reflection on the intent and purposiveness of our technology, and the nature of our increasingly connected society and ‘always on’ devices. – Francesca Spidalieri and Francis Quigley

  • An American flag at center of a cyber grid

    Trump, Twitter, and the Tide of Cybersecurity: Picks of the Week

    Obama officials: There is hope for cybersecurity under Trump | The Christian Science Monitor

    At RSA, doubts abound over US action on cybersecurity | CSO Online

    The Rules of the Brave New Cyberworld | Foreign Policy

    This year’s RSA Conference—one of the largest cybersecurity conferences in the world—broke attendance records with over 40,000 participants, including cyber professionals, academics, and public servants. Although the conference has historically been focused primarily on security tools and technologies, it has increasingly attracted policy-makers and government officials as both attendees and keynote speakers in an effort to obtain the government’s views on cybersecurity, to facilitate government interaction with cyber experts, and to encourage the tech industry to work collaboratively with the government.

    Markedly absent from the crowd this year, however, were officials from the Trump Administration.

    While no one from the current administration appeared to be in attendance, the impact of ‘cyber insecurity’ on government was widely discussed, as many panels and side events explored cybersecurity policy and government responses to cyber attacks. A leaked draft of an executive order on cybersecurity provided the fodder for much of the discussion, however the order itself has been in limbo as the Trump Administration remains entangled in controversy around its other executive orders and actions.

    The leaked draft of the executive order on cybersecurity received mixed responses from the community of cyber professionals and industry experts, largely because there was not much in it beyond past policies established by the Obama administration, and a request for federal agencies to report back to the White House within 60 to 180 days.

    In the meantime, there is an increasing push in Congress for a full investigation over the alleged Russian meddling in the 2016 presidential election. The Trump Administration’s plans to improve U.S. cybersecurity for the government and the private sector—or to commit to any sort of norms of state behavior in cyberspace—remain unclear. On the campaign trail, Mr. Trump had vowed to make cybersecurity a top priority if he were elected, and even promised comprehensive reports from intelligence officers on hacking by foreign actors.

    The reality of governing has seemed to transcend the promises of the campaign trail, however, as cybersecurity appears to have taken a backseat to other issues facing the Trump Administration. Some of the participants at the RSA conference, such as Virginia State Governor Terry McAuliffe, suggested that instead of waiting for the federal government to act, it might be up to the states to assume a larger role in promoting cybersecurity. Indeed, as I have argued before, states cannot wait for the federal government to provide all responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.

    In an effort to address cybersecurity headwinds, various committees, think tanks, and experts have published a variety of policy proposals and reports in recent months for the Trump Administration to consider, and have emphasized that the new president begins his tenure at a time of considerable cyber risk to the U.S. government and businesses, and a growing public awareness of these issues.

    As cyber threats continue to grow in scope, volume, and sophistication, however, there are relatively few indications as to how the Trump Administration will approach the significant cybersecurity challenges that the government will need to address both domestically and internationally, and how it will prioritize competing interests. It remains to be seen how an administration highly skeptical of active government regulation will contend with a problem that, because of its scope, will likely require the federal government to take a leading role. It also remains unclear whether the President’s use of Twitter will eventually bring cybersecurity issues to the forefront.

  • Clip art image of people interacting with technology on data privacy day

    Data Privacy Day: How to Protect Yourself and Your Organization Online: Picks of the Week


    Americans and Cybersecurity | Pew Research Center

    Data Privacy Day: Easy Tips to Protect Your Privacy | Forbes

    Data Privacy Day: know the risks of Amazon Alexa and Google Home | Naked Security

    Champion Badge.fwToday is Data Privacy Day (DPD), an international effort held annually to raise awareness about data privacy and promote data protection best practices. This event is celebrated every year on January 28th in commemoration of the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Across the country and around the globe, organizations like the Pell Center at Salve Regina University have held DPD events throughout the week aimed at raising consumer and corporate awareness about data privacy issues, including the Internet of Things (IoT), data breach security, identity protection, and sophisticated new cyber threats.

    While this year’s theme is focused on Respecting Privacy, Safeguarding Data, and Enabling Trust, many of the discussions around the country have centered around the implications of IoT devices – from fitness trackers to cars, smart TVs, baby monitors, children’s toys and any other device that is being connected to the Internet – on security and privacy. The sensors embedded in these devices and their deep penetration into people’s lives, businesses, and homes enable them to listen to our conversations and collect incredibly private data about individuals and organizations, which in turn could be used to quickly triangulate people’s identity from mere fragments of data, exposing our lives to a variety of cyber threats. Indeed, while the IoT allows for virtually endless opportunities and connections to take place – many of which we haven’t even thought of today – experts from tech companies, watchdog organizations, and universities agree that these devices also open up more avenues for companies, hackers, and governments to violate our privacy.16251575_1251988678181581_3985538137095730250_o

    With new data breaches emerging daily and an increased use of information as a tool of political warfare, individuals and organizations should take advantage of every opportunity to discuss the importance of protecting personal data and empowering leaders to take better actions to safeguard information and digital assets. Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in private companies, but in public institutions and government leaders’ ability to make decisions. This not only means having the right policies and security solutions in place, but also making sure everyone in every given organization that comes into contact with confidential data knows how to protect it. Organizations should recognize that data privacy starts with the individual users and that employees can actually become the first line of defense if they receive proper training and know what they can do to not only protect their organization, but also protect their own personal information. As many of the events hosted throughout the week – including at the Pell Center – reminded us, holding regular data privacy and cybersecurity seminars and trainings for employees can serve to develop a culture of security and privacy across the entire enterprise, communicate internal cybersecurity policies and procedures, address specific security and privacy issues, and remind everybody of their fundamental role in maintaining an organization’s strong cybersecurity posture.

    Basic tips for any individual to be safer online include locking down logins, adopting dual-factor authentication, making sure all Internet-connected devices are up to date, and if something looks suspicious, deleting it instead of clicking on it or opening an attachment. A few other recommendations include:

    • Share with care – What you post can last a lifetime: Any information you share online can easily be copied and is almost impossible to take back.
    • Personal information is like money. Value it. Protect it.: Information such as your online purchases, web searches, and contact lists has value ‒ just like money. Understand the value of your information and be more selective with the information you provide to apps and websites.
    • Post only about others as you would like to have them post about you: Remember the golden rule and that it applies online as well. What you post online can positively or negatively impact other people.
    • Own your online presence: Review your privacy and security settings on your apps, games, and social media platforms.
    • Don’t connect sensitive accounts to your smart home devices (e.g. Echo, Alexa) and mute them when not in use: The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
    • Stay current. Keep pace with new ways to stay safe online: Keep up with new technology and ways to manage privacy. Visit staysafeonline.org or other trusted websites for the latest information about ways to stay safe online.

    privacyRaising visibility of initiatives like DPD and spurring ongoing discussions will help to maintain global awareness, even as single celebrations and cybersecurity headlines fade from the front page. While recent research shows that half of Americans feel that their personal information is actually less secure than it was 5 years ago, the hope is that efforts like Data Privacy Day continue to increase individuals’ awareness about safeguarding their own privacy and highlight why it’s important for nations, organizations, and people to be responsible data stewards.



  • Binary code on a surface of a planet

    Will 2017 finally be the year of cybersecurity? Picks of the Week

    From Awareness to Action: A Cybersecurity Agenda for the 45th President | CSIS

    Russian Hacking Illustrates Increasing Role of Cybersecurity in Geopolitical Warfare | The Hill

    In 2017, real action on cybersecurity will happen after loss of life | CSO Online

    Cybersecurity stories dominated the headlines in 2016, so it is unsurprising that new reports and many cybersecurity experts claim that 2017 will see continued nation-state cyber attacks, bigger and more damaging data breaches, targeted ransomware and Distributed Denial-of-Service (DDoS) attacks, and longer downtime and increased financial costs caused by successful attacks.

    Organizations in both the public and private sectors strengthened or launched new cybersecurity initiatives in the past year, including addressing issues such as endpoint security, cloud security, cybersecurity funding, security controls, and cybersecurity staffing.  This is important because 2016 was a year of unprecedented cyber attacks and massive data breaches, from the high-profile hacks of Democratic political organizations by the Russian government in an attempt to discredit American democracy and interfere with the US election, to the mega breaches that plagued Yahoo, LinkedIn, and numerous others (compromising millions of personally identifiable information and other sensitive data in the process), to cyber disruption involving critical infrastructure services such as the attack on the Ukrainian power grid by Russian hackers, to blackmarket ransomware and DDoS attacks that can take control of critical IT systems and then leverage it for extortion.

    Much of what we saw in 2016 will evolve in complexity, scope, and sophistication in 2017. Cybercriminals will continue following the money trail, with ransomware and DDoS attacks becoming more widespread and increasing in scope and severity. Hackers will continue finding new vulnerabilities to exploit and ways to evade detection systems. Nation-states will increasingly rely on cyber espionage and cyber warfare as instruments of state power in order to gain an advantage on the battlefield, infiltrate and manipulate critical infrastructure services, such as the case with the Ukrainian power grid, and coerce adversaries toward a desired outcome. At the same time, U.S. and international law have not kept pace with technological innovation and enforcement of existing laws in cyberspace is intrinsically difficult, with some countries still refusing to cooperate in prosecuting cybercriminals.

    We’re now at a tipping point in the digital age and the Internet economy: as we continue to adopt the Internet of Things (IoT), embed connected devices into all our essential services and every part of our lives, and rely more than ever on technologies that are inherently insecure, we’re also becoming increasingly less resilient and exponentially more vulnerable to cyber attacks.

    Cybersecurity is not a new problem, nor is it a unique concern to world powers, large companies, or specific sectors. Despite an exponential increase in attention and awareness about cybersecurity and much activity on the international stage and within government to tackle these issues over the last decade, we are still at risk (and increasingly so!) and much is left for governments and organizations around the world to do to ensure a secure and stable digital environment that promotes innovation and supports continued economic growth, while also protecting personal freedoms and national security.

    A new report released this week by the Center for Strategic and International Studies (CSIS) addresses these specific issues and provides detailed recommendations for the next administration to strengthen the cybersecurity posture of the United States. The CSIS Cyber Policy Task Force behind the report included members of Congress and identified specific policies, organizational improvements, and resources needed for progress in this challenging area. The report, titled “From Awareness to Action: A Cybersecurity Agenda for the 45th President,” builds on the report published in 2009 by the Commission on Cybersecurity for the 44th Presidency – a foundational document for creating a strategic approach to cybersecurity – and follows the December report of the Commission on Enhancing National Cybersecurity, established by President Barack Obama in February 2016. Two of its widest-ranging recommendations included the creation of an appointed post of assistant to the president for cybersecurity and the establishment of a new program to consolidate all civilian agencies’ networks into a single network. CSIS’s report included the first, but not the second.

    As Sen. Sheldon Whitehouse (D-RI), Ranking Member of the Senate Judiciary Subcommittee on Crime and Terrorism who served as co-chair of the CSIS Cyber Policy Task Force, said upon the release of the report, “this past election has proven just how important it is for the President-elect and his national security team to appreciate the scope and the severity of the cyber threat.” Building on strategies the Obama’s administration established, the CSIS report recommends that the next administration improves and reorganizes oversight authorities, elevates the role of the White House cybersecurity coordinator, establishes an independent cyber agency within DHS and a Division of Data Protection within the Federal Trade Commission, clarifies the cyber defense roles of civilian and military agencies, better secures critical infrastructure and services, and works closely with allies against common cyber threats.

    Although President-elect Trump continues to express skepticism about the Russian government’s attempt to orchestrate pre-election cyber attacks to undermine the U.S. democratic process and has yet to offer details about his cybersecurity priorities and agenda, this report will hopefully provide a blueprint for the next administration to follow since one of its key authors, Karen Evans, is now a member of the Trump transition team.

    Will 2017 finally be the year of increased cybersecurity? And what will it take?

  • Online Christmas shopping with a credit card

    Don’t Get Grinched by Cybercrime During the Holiday Season: Picks of the Week


    “Holiday shopping by mobile phone? Beware fake apps and bad Wi-Fi hotspots” – Computerworld

    Worried about Black Friday Cyber Scams? 6 Ways to Protect Your Money” – Forbes

    “5 Ways Retailers Can Stay Safe Over the Holidays” – Dark Readings

    The holiday shopping season is about to get into full swing and retailers are gearing up for another record season of online sales. Research group eMarketer expects that online retail sales will bring in at least $94 billion – or 10.7% of the total retail sales – from now until the end of the holidays, a 17.2% increase in online sales from last year.

    But as millions of consumers pick up their smartphones and tablets to go holiday shopping and flock the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind… In fact, this is prime cybercrime season for digital crooks timing their phishing emails, malicious links, and other online scams and attacks to Black Friday, Cyber Monday, and through the rest of the holiday season. They prey on the naiveté of shoppers looking to score a holiday deal or take advantage of a special reward to trick them into downloading malware, giving up login credentials and credit card information, or send payments to bogus sites.

    Consumers and retailers alike should be prepared for an even higher risk of online fraud and social engineering scams across all channels than in past years. A new report from cybersecurity company Kaspersky Lab shows that the number of online attacks during this high sales season is 9% higher than the average number of attacks that happen during other months of the year, and 2016 is on track to be a record season for online sales… and online scams!

    While security experts continue to work to find possible solutions against the latest malware and scam techniques, here are some of my yearly  tips on how to protect yourself from online Grinches this holiday season:

    • Before, during, and after the holidays, keep an eye on your bank and credit card accounts for signs of suspicious activity, mystery charges, or “micro-charges” – Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
    • Buy only from reputable merchants and recognized websites – Be wary of emails and pop-up messages asking for your password, credit card number, or personal information. No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look for the ‘HTTPS’ in the address bar of your online retailer and check the specific email address and domain name of the sites to make sure it’s really from the retailer and not a close derivative. If in doubt, contact the legitimate organization directly to verify authenticity.
    • Be aware of fake commerce apps – Download apps only from Google and Apple official app stores – which have more rigid requirements for banning malicious apps – and be skeptical of apps that ask for suspicious permissions like access to contacts, text messages, stored password, or credit card information.
    • Avoid “free Wi-Fi networks” – Don’t use public Wi-Fi networks, especially when using your phone for banking and e-commerce. Personal and banking information should never be sent through unsecured wireless connections in public places. Get you Starbucks Peppermint Mocha and don’t stay for the free Internet!
    • Be skeptical of deals that sound too good to be true – Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is!
    • Be alert for potential charity donation scams – Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
    • Use strong passwords and dual-factor authentication – Create long, complex passwords using upper and lower-case letters, special characters, and numbers, and use a different one for each online account. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
    • Do not send cash or wire money for payment – Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
    • Secure your computer and mobile devices – Update your devices to the most current operating system and keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your devices from viruses, worms, Trojan horses, and other types of malicious programs.

    Some additional tips on how to protect your company from cyber threats and strengthen your overall cybersecurity posture:

    • Protect your organization’s endpoints and servers – Scan your organization’s network environment for threats that may have been lurking for several months before surfacing as a malicious attack during the holidays. Harden your servers with good access control and security tools such as antivirus and antimalware software, and run frequent patches and updates. Consider advanced endpoint threat prevention tools that protect memory from experiencing distributed denial-of-service (DDoS) attacks and other complex advanced threats.
    • Train your organization’s workforce – Before the holiday season starts, make sure all your employees receive at least some basic training in cybersecurity and cyber hygiene, and create an environment where they feel comfortable coming to managers if they see any suspicious emails or files.
    • Have a documented and tested incident response plan in place – Make sure your employees know what to do and who to contact if they see something suspicious, and establish clear roles and responsibilities before a serious breach happens. The incident response plan should be regularly exercised and updated.
    • Create a culture of security that starts from the top – if management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values. Cybersecurity is a shared responsibility!


  • Can the Vote Really Be Hacked? Picks of the Week

    No, the presidential election can’t be hacked | CNN

    US election machine technology is out of date, expert say | CNBC

    How Clinton, Trump Could Champion Cybersecurity | Dark Reading

    Although we are aware of the efforts by the Russian government to discredit American democracy and interfere with the election, the chance that a malicious actor can carry out a hack that would change the outcome of the presidential election seems virtually impossible. Nonetheless, the recent high-profile hacks of Democratic political organizations and states’ voter registration databases by Russian hackers have already achieved the desired effect of sowing at least some doubts about the integrity of the US election, a concept reinforced repeatedly by Republican nominee Donald Trump in his proclamations that the election is “rigged.”

    Skeptics have dismissed those concerns based on the fact that the electoral system is a decentralized system managed at the state and local levels, and that the voting machines themselves – which are what voters will use to cast their ballots – are standalone systems that are not connected to the Internet. Unlike state voter registration systems that have been hacked or probed in past weeks, the actual voting machines would be much harder to hack remotely and the probability of hacking at the polls remains low. The election may still be manipulated, however, through other cyber means such as bribing a machine operator to inject malicious software, rewriting software to change the way that votes are counted or tabulated, manipulating other weak points in the system, or directly exploiting a vulnerability in the machine’s software.  So, if the question is, ‘Is it possible to hack the vote?’, the answer is yes, definitely!

    Moreover, research shows that the technology behind most voting machines is grossly outdated – 43 states have voting machines that are at least a decade old – and that many of those machines are so riddled with vulnerabilities that almost anyone with rudimentary technical skills could break into them in order to corrupt voting results. And most states don’t have the funding to upgrade their equipment, which in turn doesn’t motivate technology providers to innovate those systems.

    In addition to legacy systems and outdated technology, another concern with voting machines is that some of them don’t have any form of paper trail. Over the past few years, almost all states have moved to using paper ballots or electronic voting systems that maintain a verifiable paper audit trail of the ballots.  Five states (Delaware, Georgia, Louisiana, New Jersey, and South Carolina), however, use completely paperless voting systems. If even one of the voting machines in those jurisdictions is hacked, or malfunctions, or if concerns arise about the legitimacy of a county or state’s election results, there is no independent means to audit individual votes in those particular precincts. Other states, including Pennsylvania, Virginia, Kentucky, and Tennessee, use a combination of paper ballots and paperless voting systems, depending on the jurisdiction.  The concern with paperless systems is that they do not offer the same solid audit trail that a paper ballot does, and would make it much harder to prove with absolute certainty that votes were recorded as cast. Additionally, 31 states allow Internet voting, which could in principle be intercepted and subverted by a sophisticated hacker. Fortunately, most states that allow online voting restrict it to military and overseas residents or citizens with disabilities only. Many states also require voters to mail in paper ballots separately. Only Alaska allows for any registered voter to ask for and submit ballots electronically.

    Another threat to the ballot box would be if hackers were able to delete voters from the database entirely, meaning when they arrived at the polls, their names wouldn’t appear in the system. In this case, however, voters could still cast a provisional ballot and then follow up to verify their registration in the days following the election. The process would be tedious, but not prohibitive.

    While public officials continue to reassure us that the idea that someone could actually hack in any meaningful way into the election system so as to skew the result of the presidential election is far-fetched, rumors of hacking – even if not successful – or even one small case of electronic tampering or manipulation on November 8 could seriously undermine confidence in the election and play into a losing politician’s claim that the election was “rigged.”

    So, what can citizens, state administrators, and federal officials do to ensure the confidentiality and integrity of these elections?

    State boards of elections and law enforcement officials have been hard at work to safeguard elections, and the Department of Homeland Security is working with election officials to monitor suspected breaches on voting systems and bolster security in general. In particular, election officials should continue to implement proper security controls, scan all systems for flaws, test all equipment prior to the election, assure a chain of custody for voter records, maintain up-to-date master files of voter records separate from the public facing online system, put adequate physical security measures in place to prevent unauthorized access, and introduce contingency measures in case of equipment failure.

    As a citizen, if you see anything suspicious such as signs of tampering with voting machines or any sort of intimidation of voters, you should alert local authority and election observers available at all the polling locations. In addition, you should carry your voter registration card and be reassured that most states keep also frequently updated back-up copies of voting rolls offline or in hard copy. Those back-ups could be used to rectify any wrong changes made by malicious actors.

    – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • The Pell Center declares its Cyber Awareness for National Cyber Security Awareness Month

    Championing Cybersecurity Awareness Month: Picks of the Week

    Presidential Proclamation – National Cybersecurity Awareness Month, 2016 | The White House

    How Weak Cybersecurity could Disrupt the U.S. Election | Politico

    Cybersecurity is just too much trouble for the general public, claims study | TripWire

    Obama administration accuses Russian government of election-year hacking | Politico


    October marks National Cyber Security Awareness Month (NCSAM) – a time when participating governments and organizations come together to raise public awareness about cybersecurity, provide citizens and businesses alike with tools and resources needed to stay safe online, and increase the Nation’s resilience in the event of a cyber incident.

    NCSAM is a coordinated effort of the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MSISAC), as well as companies, schools, and nonprofit organizations around the country. This year, the stakes are higher than ever: over 169 million personal records were exposed in the US in 2015 alone and, so far, 22% more breaches have been reported this year. The average cost of a data breach has risen to $4 million per incident, and US businesses are losing up to $300 billion in intellectual property theft alone. Hackers release a new piece of malware every 200ms (a couple thousands by the time you’re done reading this article), and hacking attempts show no signs of slowing. At the same time, the general public seems to be suffering from “security fatigue” and a feeling of helplessness when it comes to their online security, according to a new study. Compounding these issues, the integrity and legitimacy of the upcoming Presidential election seem to be hanging in the balance after the recent string of hacks of Democratic party’s organizations and voter registration systems.

    shared-responsibilityRecognizing the importance of cybersecurity issues, President Obama designated October as National Cyber Security Awareness Month in 2004, and this year kicked things off with a presidential proclamation that highlighted his new Cybersecurity National Action Plan, as well as the establishment of a Commission on Enhancing National Cybersecurity – which has been hard at work to recommend ways to strengthen cybersecurity in both the public and private sectors and promote best cybersecurity practices. “Keeping cyberspace secure is a matter of national security, and in order to ensure we can reap the benefits and utility of technology while minimizing the dangers and threats it presents, we must continue to make cybersecurity a top priority,” Obama’s proclamation reads.

    Salve Regina University is an official champion of National Cyber Security Awareness Month, and for the second year in a row, the Pell Center is supporting this national effort and is actively participating to multiple discussions and initiatives across the country. In addition, the Pell Center is posting cybersecurity tips, resources, and insights on social media throughout the month, and is hosting cybersecurity-related events around campus, including a panel discussion on “Hacking the Election.”Print

    In addressing pressing cybersecurity security issues, National Cyber Security Awareness Month has a distinct theme for each week. The overall message of this initiative is to “STOP | THINK | CONNECT” – stop to make sure security measures are in place; think about the implications of our increasingly digital and connected lives and the consequences of our actions and behaviors online; connect and enjoy the benefit of the global Internet economy. That’s actually excellent advice for any online activity, whether that’s uploading snapshots, signing up for a new online service, clicking through to a website, making an online purchase, or downloading the latest app.

    While the upcoming week of National Cyber Security Awareness Month will be dedicated to “Creating a Culture of Cybersecurity in the Workplace,” the reality is that no individual, business, or government entity is immune to cyber risks and none of them is solely responsible for securing their own Internet connectivity and digital assets. All of us have a role to play in securing our critical services, our businesses, and the information we create, store, and process through the devices and networks we use. “Cybersecurity is a shared responsibility,” reiterated President Obama in his proclamation, and he stressed that everyone should do their part to ensure “our information is more secure, our data is safer, and our families and businesses are more protected than ever before. If we work toward this goal – as individuals and as a Nation – together we can realize our full potential in the digital age.”  Indeed, individual actions have a collective impact, and when we use the Internet safely we make it more secure for everyone. If each of us does our part by implementing stronger security practices, adopting better cyber hygiene, and treating cybersecurity as an inherent component of  organization’s policies and processes, we can collectively become a more secure, safer, and resilient digital society.

    You can join in the conversation by following @PellCenter on Twitter and using the official NCSAM hashtag #CyberAware throughout the month, and can get additional information and resources by visiting Stop.Think.Connect, Stay Safe Online, and the European Cyber Security Month website.

    – Senior Fellow Francesca Spidalieri

  • An Apple keyboard with a key that says hack and is colored red, white and blue.

    Is Russia Trying to Hack American Politics? Picks of the Week

    Powell emails were leaked on a site linked to the Russian government | The Washington Post

    World Doping Agency Says Russian Hackers Stole Medical Records of Olympic Athletes | The Wall Street Journal

    How the next President can get cybersecurity right | Passcode

    The latest edition of the (almost) weekly hacks that appeared on the front pages of the newspapers this week featured the personal emails of former Secretary of State Colin Powell and the medical records of US and other Olympic athletes, both of which have been confirmed as authentic.

    The World Anti-Doping Agency’s (WADA) breach, in particular, appears to be the latest in a string of hacks by the Russian government, which has allegedly been using proxy hackers to target numerous US government agencies, political organizations, and other perceived adversaries in an attempt to undermine confidence in the US electoral system and in the integrity of the democratic process. WADA said that US law enforcement officials were able to trace this breach to a group of hackers known as Tsar Team (Fancy Bear), and that the group had illegally gained access via an International Olympic Committee (IOC)-created account.

    This latest episode may have been payback for IOC’s decision to ban numerous Russian athletes from the 2016 Rio Olympics and Paralympic in the wake of a doping scandal that cast a shadow on the country’s sporting establishment. The hackers claimed that the documents posted on the website of Fancy Bear showed the use of performance-enhancing drugs by top U.S. athletes, though they acknowledged the athletes didn’t break any rules.

    Many cybersecurity and political experts have connected the WADA breach to various previous hacks, including those of the Democratic National Committee, the White House, the US State Department, and the US Joint Chiefs of Staff (although no public attribution has been made yet). Russian officials have denied involvement in the various hacks that the experts believe to be sponsored by Russian intelligence organizations. Analysts said to have also linked Secretary Powell’s disclosures to the same hacker group Fancy Bear, although it has to be noted that similar hacks have been carried out by mischievous teens in the past.

    As I have stated before, if the recent cyber intrusions were indeed orchestrated by the Kremlin, it would be a whole new level of involvement by a foreign power in the US political system. The notion that a foreign country or third party can deliberately manipulate the American political process with targeted data breaches is both disturbing and dangerous, and it would open a new front in information warfare that could fundamentally change the value of data for national security. These hacks imperil the political process and could also yield data that can be used for other crimes as well: profiling, blackmailing, and even terrorist activity.

    The next President of the United States will need to prioritize cybersecurity to protect and defend US government agencies and other critical sectors. In a new book out this week, Larry Clinton argues that the next President should make a more aggressive use of the “cybersecurity social contract” model, which finds its origins in the impasse between a previous hands-off government approach that relied on market forces to compel businesses to improve their digital defenses and the surge in recent years of cybersecurity regulations, compliance standards, and penalties for noncompliance. The cybersecurity social contract model “recognizes that regulators can’t keep up with the fast pace of development in cybersecurity technology let alone the evolution of digital threats” and instead it “ensures more industry and government collaboration for sharing information to confront malicious hackers.” The new book includes a trove of strategic and operational recommendations for the next administration to address cybersecurity. In particular, Mr. Clinton also offers 12 specific steps for the new administration to work on collaboratively with the private sector by using the cybersecurity social contract model more actively. If we are to deter and mitigate future hacks successfully, this collaboration should begin sooner rather than later.

    – Senior Fellow for Cyber Leadership Francesca Spidalieri

  • An American flag with a cyber design.

    It’s Time for Both Parties to Get Serious about Cybersecurity: Picks of the Week


    U.S. Seeks to Protect Voting System from Cyberattacks | The New York Times

    Political Campaigns need Chief Information Security Officers | Passcode

    How to Hack the Election in 7 Minutes | Politico Magazine


    In the wake of hacks that infiltrated the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign, in addition to the political fallout and the multiple warnings from cybersecurity experts about the potential for hacking to disrupt the election, state and national leaders are finally weighing in and proposing measures to protect parties’ sensitive information and the security of the entire election system.

    Secretary of Homeland Security Jeh Johnson is said to be considering whether to designate the US election system itself as critical infrastructure, which could heighten cybersecurity at the ballot box and have significant implications on how federal officials would respond to potential cyber attacks. The DNC recently announced that it has assembled a cybersecurity advisory board in response to the recent hack “to prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class.”

    Simply deeming the US election system a new critical infrastructure (the US already considers 16 different sectors as so called ‘critical infrastructures’) or hiring a few experts and a more sophisticated IT team, however, won’t be enough to ensure voters’ trust and confidence in our national security and in the integrity of our election process. If the nation’s politicians and political campaigns don’t improve their overall cyber defenses and develop new approaches and advanced techniques to strengthen our collective security, mitigate cyber risks, and help us prepare today for tomorrow’s challenges, not only will American’s personal data be at greater risk but the entire democratic process could be compromised.

    Many cybersecurity and political experts have connected the recent hacks and subsequent leak of sensitive emails back to the Russian government. If the cyber intrusions were indeed orchestrated by the Kremlin, it would be the first known state-backed cyber attack to harness the power of the Internet to manipulate a presidential election. The idea that a foreign or other power can deliberately manipulate voters and parties with targeted data breaches in an attempt to influence a presidential election would be insidious on an unprecedented level, and would open a whole new front in information warfare that could fundamentally change the value of data in national security.

    What the US government needs to do is prioritize the use of the limited resources available to first and foremost protect and increase the resilience of those critical infrastructures and services that our society and nation depend upon—power, telecommunications, and financial services—and, at the same time, make clear to any adversary that there will be serious consequences for cyber attacks that disrupt both national critical infrastructures or attempt to manipulate domestic electoral politics. As Jason Healey rightly stated, “the administration needs to be ironclad on the evidence [of the DNC hack] to convince the American people that this is about policy, not politics. This has got to be about defending a constitutional process, not a party.” Moreover, as Passcode’s contributor Bob Hansmann suggested, what “both the Democratic and Republican parties—as well as the Hillary Clinton and Donald Trump campaigns—should [do is] hire chief information security officers (CISO)” to better protect their sensitive information from unauthorized disclosure and “share intelligence on breach attempts and other malicious activity.” That’s not a cure-all by any means. But putting someone in charge of safeguarding their vast collections of sensitive data—whether on political strategies, the candidates themselves, or voters—would vastly improve their defenses against cyber criminals and the prying eyes of foreign intelligence operatives.

    Voters, donors, and the media need to keep up the pressure on politicians and candidates to work harder to prevent cyber attacks. After all, whoever the next President, Senators, and Representatives are, they will face immense challenges in updating policies, strategies, and laws to protect our country’s most valuable, sensitive information, systems, and infrastructure—including the computer networks and systems that operate our nuclear power plants, electrical grids, dams, and our democracy itself. – Francesca Spidalieri, Senior Fellow for Cyber Leadership