Tuesday, January 27, 2015

I/T Definition: Social Engineering

I/T language can be confusing. BIT can help!

Social Engineering – manipulating individuals into providing confidential information, performing actions, or allowing access to secured locations; purposely “conning” people to obtain information or access that enables malicious cyber activity. The tendency of our South Dakota culture to be helpful makes us especially vulnerable to being socially engineered.

Monday, January 26, 2015

A Better Option for File Hosting Services

Services like Dropbox and Google Drive are very convenient for personal files and photos. Yet they are not acceptable for storing state data, for a number of reasons. They store data in unknown data centers around the globe, managed by different groups under varying laws. The State prefers to know where its data will be stored and what laws govern the data center it is stored in. In addition, their terms of use often conflict with state legal requirements and good business practices. A better choice for this type of service is the state’s OneDrive service, which runs under SharePoint.

The service provides:

  • Remote access to your data;
  • Sharing of your state data only with specific individuals;
  • Data housed in South Dakota;
  • Regular backups;
  • And best of all, no added cost to you.

For more information or a demonstration of this service, please reach out to your BIT Point of Contact.

Thursday, January 22, 2015

I/T Definition: Infrastructure

I/T language can be confusing. BIT can help!

Infrastructure – The technology (hardware and software) that makes up the computer network, the phone network, and the connections to the Internet.

Wednesday, January 21, 2015

Gone Phishing

In the pre-Internet era, con men (confidence men) gained victims’ confidence through deception in order to defraud them. The same principles are used today, only with far greater efficiency, through online scams.

One of the most prolific means of online scamming is phishing. When using email, it is difficult to know with certainty with whom you are communicating. Scammers exploit this uncertainty to pose as legitimate businesses, organizations, or individuals and gain users’ trust. Once a scammer has a victim’s trust, they can use it to convince the victim to willingly give up information or to click on malicious links or attachments.

To gain users’ trust, scammers imitate legitimate businesses or organizations by spoofing the sender’s email address, building a fake website with the real logos, and even listing phone numbers for a bogus customer service center run by the scammers.

Two Common Types of Phishing Attacks 

  1. Mass phishing scams are perhaps the best-known form of email fraud. A classic example is the advance-fee scam: the scammer pretends to have a fortune that he or she cannot access without the help of someone trustworthy, which happens to be you! The scammer then tries to obtain the victim’s financial information with an empty promise of sharing the wealth in exchange for that help.
  2. Spear-phishing is a targeted, personalized attack against a specific organization or individual. The attacker gathers information about the target and sends mail from addresses that resemble those of the target’s acquaintances, to entice the target to divulge sensitive information or download a malicious file. This usually requires considerable reconnaissance, and it has become one of the favored techniques in cyber espionage.
If you are mindful of potential phishing traps and observant of the telltale signs of a scam, you can better defend against a phishing attack.
  • Be cautious about all communications you receive including those purported to be from "trusted entities" and be careful when clicking links contained within those messages. If in doubt, do not click. 
  • Don’t respond to any spam-type e-mails. 
  • Don’t send your personal information via email. 
  • Don’t input your information in a pop-up; if you are interested in an offer that you see advertised in a pop-up ad, contact the retailer directly through its homepage, retail outlet or other legitimate contact methods.
Keep an eye out for these simple telltale signs of a phishing email:
  • The email has poor spelling or grammar.
  • For secure transactions, look for a lock icon in the browser’s address bar. The lock only shows that the connection to whatever site you reached is encrypted, not that the site is the one it claims to be, so still check the address itself.
  • The use of threats or incredible offers is a common tactic that tries to elicit an emotional response to cloud the user’s judgment.
  • The URL does not match that of the legitimate site. Scammers cannot use the same address as the legitimate website, so they tweak the address of their spoofed site so that at a quick glance it looks legitimate.
    • The URL may use a different domain name (e.g., .com vs .net)
    • The URL may use variations of the spelling of the actual address
Don’t trust a file based on its extension either; there are a variety of tricks to hide a file’s true nature. Lastly, make sure you have up-to-date anti-virus software installed, and enable scanning of attachments before they are downloaded and saved to your computer.
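Two of the telltale signs above, the mismatched URL and the misleading file extension, can be checked mechanically. The following is an added example written for this page, not code from BIT or from the original post; the trusted domain, the sample links, the file-signature table and the attachment bytes are all constructed for illustration. It compares each link’s host against the domain a message claims to come from (catching a swapped top-level domain, a spelling tweak, and the trick of putting the real name in front of an attacker’s domain), and it decides an attachment’s real type from its leading bytes rather than its name.

```python
from urllib.parse import urlparse

# Constructed for this example: the domain the message claims to be from.
TRUSTED_DOMAIN = "examplebank.com"


def registered_domain(host):
    """'login.examplebank.com' -> 'examplebank.com'.

    Takes the last two labels, which is enough for .com/.net/.gov style
    names; country-code suffixes such as .co.uk would need a public
    suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character spelling tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAIN):
    """Return 'ok', 'subdomain-trick', 'tld-swap', 'lookalike' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain == trusted:
        return "ok"
    if trusted in host:                   # examplebank.com.secure-update.net
        return "subdomain-trick"
    name, _, tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name == t_name and tld != t_tld:   # examplebank.net
        return "tld-swap"
    if edit_distance(name, t_name) <= 2:  # exarnplebank.com
        return "lookalike"
    return "unrelated"


# Constructed file-signature table: the bytes a file of that type starts with.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",          # Windows executable (.exe, .dll, .scr)
    b"PK\x03\x04": "zip",  # also .docx/.xlsx/.pptx, which are zip containers
    b"\x89PNG": "png",
}


def attachment_mismatch(filename, data):
    """Return (claimed_ext, actual_type, suspicious) for an attachment."""
    claimed = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    actual = next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")
    office_zip = claimed in ("docx", "xlsx", "pptx") and actual == "zip"
    suspicious = actual not in ("unknown", claimed) and not office_zip
    return claimed, actual, suspicious


# Constructed sample message: three bad links beside one good one, and an
# attachment named as a PDF whose bytes are those of a Windows executable.
SAMPLE_MESSAGE = {
    "links": [
        "https://www.examplebank.com/accounts",
        "http://examplebank.net/verify",
        "http://exarnplebank.com/login",
        "http://examplebank.com.secure-update.net/login",
    ],
    "attachments": [("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00")],
}


def triage(message):
    """List the phishing indicators found in a message dict like SAMPLE_MESSAGE."""
    findings = []
    for url in message["links"]:
        verdict = classify_link(url)
        if verdict != "ok":
            findings.append(f"link {url}: {verdict}")
    for name, data in message["attachments"]:
        claimed, actual, bad = attachment_mismatch(name, data)
        if bad:
            findings.append(f"attachment {name}: named .{claimed} but starts like a {actual} file")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE):
        print(line)
```

Run as a script it reports the three bad links and the disguised executable. The checks are deliberately simple: a two-label registered domain and a small edit distance are enough for the .com/.net cases the post describes, but a real mail filter would use a public-suffix list and a much larger signature table.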

Wednesday, January 7, 2015

Security Scanning Requirements: But Why!?

Protecting web applications is an around-the-clock job. These days nearly everything connected to the Internet can be considered a target. Targeted attacks are designed to gather intelligence, steal citizens’ information, disrupt operations or even destroy critical infrastructure. As the threat landscape continues to worsen, government divisions are doing all they can to keep their web properties available and secure, and this is where the security scanning requirements come into play.

While various network security technologies are good at protecting the network layer, a web application is a point of entry for a potential attacker. Web applications are programs run through an Internet browser that let people fill out forms or perform specific actions, such as applying for hunting licenses. An insecure application can be used to compromise more than the information managed by that system alone: it can also be used to pivot the attack onto other systems and compromise information completely disconnected from that application’s scope. Attackers now target the web application layer by injecting attacks through the forms and fields that are open to citizens.
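What “injecting attacks through the forms and fields” looks like in practice, as an added example written for this page (not BIT’s code, and not a description of any state application): a license-lookup form handler that builds its SQL query from the submitted field, beside the same handler using a bound parameter. The table, the license records and the probe strings are constructed for the example; the probes are the kind of input a security scan submits to see whether the field changes the query rather than just filling it.

```python
import sqlite3


def build_db():
    """In-memory SQLite table of constructed license records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (number TEXT, holder TEXT, species TEXT)")
    conn.executemany("INSERT INTO licenses VALUES (?, ?, ?)", [
        ("SD-2015-0001", "A. Citizen", "deer"),
        ("SD-2015-0002", "B. Citizen", "pheasant"),
        ("SD-2015-0003", "C. Citizen", "turkey"),
    ])
    return conn


def lookup_vulnerable(conn, number):
    """Form value concatenated straight into the SQL text (the defect)."""
    sql = "SELECT number, holder FROM licenses WHERE number = '" + number + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, number):
    """Form value passed as a bound parameter: quotes inside it are data, not syntax."""
    sql = "SELECT number, holder FROM licenses WHERE number = ?"
    return conn.execute(sql, (number,)).fetchall()


# Constructed probe strings of the kind a scanner submits in the form field.
TAUTOLOGY = "' OR '1'='1"                               # match every row
UNION = "' UNION SELECT holder, species FROM licenses--"  # pull other columns


def demo():
    """Run both handlers against an honest value and the two probes."""
    conn = build_db()
    return {
        "honest_vuln": lookup_vulnerable(conn, "SD-2015-0002"),
        "honest_safe": lookup_safe(conn, "SD-2015-0002"),
        "payload_vuln": lookup_vulnerable(conn, TAUTOLOGY),   # all three rows
        "payload_safe": lookup_safe(conn, TAUTOLOGY),         # no rows
        "union_vuln": lookup_vulnerable(conn, UNION),         # holder/species pairs
        "union_safe": lookup_safe(conn, UNION),               # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} {rows}")
```

Both handlers return the same single row for an honest license number; only the concatenating one returns the whole table for the tautology probe and leaks a second column for the UNION probe. A scanner reports exactly that difference, and the parameterized query is the fix for this class of finding regardless of the database or framework behind the form.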

The South Dakota Bureau of Information and Telecommunications (BIT) requires these scans not only to protect the application in question but to protect the state infrastructure as a whole. (State infrastructure refers to the technology, hardware and software, that makes up the computer network, the phone network, and the connections to the Internet.) That is why BIT performs security scans of every web application or website before it is deployed to a production environment (that is, made available for the public to use). These scans consist of attempts to gain control of the system or to gain access to the State’s data, using a variety of tools and manual methods with one objective: to exploit security vulnerabilities in the application in a safe test environment before it is exposed to the public.

As a general guideline, BIT tests at minimum for the Open Web Application Security Project (OWASP) Top 10 vulnerabilities published at: https://www.owasp.org/index.php/Top_10_2013-Top_10, but does not limit itself to that list. It is not all-inclusive; cyber security is a never-ending battle. The bad guys advance, security professionals counter, the bad guys adapt, and so the cat-and-mouse game continues. There are always new threats and attack vectors, and BIT adjusts its testing as they emerge.

The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application helps government divisions contain possible points of exposure and safeguard citizens’ data.

A special thanks goes out to Miguel Penaranda for providing us with this article!

Monday, January 5, 2015

BIT Development Team adds a New Member to their Team

Dan Roggenbuck
Please give Dan Roggenbuck a warm welcome as he joins Development Team 1 A as a Software Engineer!

As a Software Engineer, Dan’s duties include developing software applications using C#.NET, VB.NET and ASP.NET. Before joining the Bureau of Information and Telecommunications team, he spent the last two years as a Java Developer at Eagle Creek Software Services.

On a more personal level, Dan and his wife, Robin, have been married for over 14 years. Together they have three children (15, 10, 5) who keep them very busy! In his spare time he enjoys reading, fishing and playing games with his children.

Welcome to the BIT team, Dan. We look forward to spending time working beside you and learning more about you in the future!

Friday, January 2, 2015

Security Tip: Protect Your Personal Information

The accounts on your computer can contain large amounts of personal information. It is important to take the necessary steps to protect the information about you, and in some cases, others.

STOP. THINK. CONNECT., the global cybersecurity awareness campaign, offers the tips below to keep our personally identifiable information protected while helping all digital citizens stay safer and more secure online.

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
  • Make passwords long and strong: You have heard it all before, now put it to use! Combine capital and lowercase letters with numbers and symbols to create a more secure password, and remember that length does more for strength than any single character class.
  • Unique account, unique password: A separate password for every account helps thwart cybercriminals, because one leaked password then unlocks only one account.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list stored in a safe, secure place away from the computer, or use a password manager to do the remembering for you.
  • Own your online presence: Set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information.