Monday, December 10, 2018

All about Facebook data breach

Privacy Issues of Facebook

In 2018 Facebook (FB) came under severe criticism over two separate data-protection failures. In April its chief executive, Mark Zuckerberg, testified before the U.S. Congress about the Cambridge Analytica affair and admitted the company had made mistakes that let private user data be shared with a third-party firm, a British research company. In September FB disclosed a second, unrelated incident: a vulnerability that let attackers steal users' access tokens. That breach is the one described below.

In its own security update, FB stated that the attackers started from a set of accounts they already controlled, which gave them access to a large amount of personally identifiable information (PII).

They used an automated technique to move from account to account, stealing the access tokens of those accounts' friends, then of the friends of those friends, and so on across a large number of profiles. In total they stole access tokens for about 400,000 people. In the process the technique automatically loaded those accounts' FB profiles, mirroring what those 400,000 people would have seen when looking at their own profiles, as with the "View As" feature that lets a user see their profile as someone else sees it. The vulnerability itself was in "View As": a combination of bugs caused the page to generate an access token for the user being viewed, and the attackers extracted that token.

That included posts on their timelines, their lists of friends, the Groups they were members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception: if a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.

The attackers then used a subset of these 400,000 people's friend lists to steal access tokens for about 30 million people. For 15 million of them, the attackers accessed two sets of information: name and contact details (phone number, email, or both, depending on what people had on their profiles).

For 14 million people, the attackers accessed the same two sets of information plus other details from their profiles: username, gender, language, relationship status, religion, hometown, self-reported current city, birth date, the device types used to access FB, education, work, the last 10 places they checked into or were tagged in, website, the people or Pages they follow, and their 15 most recent searches. For the remaining 1 million people the attackers obtained access tokens but did not access any information.

The breach came as FB was already struggling to crack down on data misuse and privacy issues on its platform, particularly since the Cambridge Analytica scandal that broke in March.

FB fixed the vulnerability, reset the access tokens of the affected accounts (which logged those users out and forced them to sign in again), and notified law enforcement and privacy regulators.

Other things to know:

Access Token: access tokens are used in token-based authentication to let an application call an API on a user's behalf. The token is a string that identifies a user, app or Page and carries the permissions granted to it. It is a bearer credential: whoever holds a valid token can act as that user until the token expires or is revoked. That is why stolen tokens are as dangerous as stolen passwords, and why FB's first response was to invalidate them.

API: an Application Programming Interface (API) is the defined way two applications talk to each other (integrate), and it lets developers build on a platform's features. Every time we use an application such as Facebook, or send a message with Messenger, the client is calling the platform's API on our behalf with our access token.
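The two definitions above are easier to see in code. The following is an added example (not Facebook's code, and not from the original post) of a minimal token-based API: a server mints HMAC-signed bearer tokens, the API trusts whoever presents a valid one, and two revocation paths exist, per-token and a mass reset of everything issued before a cutoff time, which is the kind of response FB took. The signing scheme, the claim names (sub, iat, exp, jti) and the PROFILES data are assumptions made for the example.

```python
"""Bearer access tokens: issue, verify, revoke (added example, not Facebook's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# ASSUMPTION: tokens are opaque strings signed with a server-side HMAC key.
# A real platform may instead store random tokens in a database or use JWTs.
SIGNING_KEY = secrets.token_bytes(32)
REVOKED_IDS = set()        # individual tokens revoked by their "jti" id
INVALID_BEFORE = 0.0       # every token issued before this time is rejected

# Constructed sample profile store, standing in for the real user database.
PROFILES = {
    "alice": {"name": "Alice", "email": "alice@example.com", "friends": ["bob"]},
    "bob": {"name": "Bob", "email": "bob@example.com", "friends": ["alice"]},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a token for user_id that is valid for ttl seconds from now."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    # Constant-time signature check rejects forged or edited tokens before the
    # claims are parsed at all.
    if not sig or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now or claims["iat"] < INVALID_BEFORE or claims["jti"] in REVOKED_IDS:
        return None
    return claims


def revoke_token(token: str) -> None:
    """Kill one specific token, for example after a user reports it stolen."""
    body, _, _ = token.partition(".")
    REVOKED_IDS.add(json.loads(_unb64(body))["jti"])


def invalidate_all_issued_before(cutoff: float) -> None:
    """Mass reset: every token minted before cutoff stops working, forcing a re-login."""
    global INVALID_BEFORE
    INVALID_BEFORE = max(INVALID_BEFORE, cutoff)


def api_get_profile(token: str, now: Optional[float] = None) -> dict:
    """The API endpoint. It trusts the bearer of a valid token, whoever that is."""
    claims = verify_token(token, now)
    if claims is None:
        return {"error": "invalid_token"}
    return PROFILES[claims["sub"]]


if __name__ == "__main__":
    alice = issue_token("alice")
    print(api_get_profile(alice))   # works for Alice's own client...
    print(api_get_profile(alice))   # ...and equally for anyone who stole the string
    revoke_token(alice)
    print(api_get_profile(alice))   # {'error': 'invalid_token'}
```

The point to notice is that api_get_profile never asks who is calling; the token is the identity. Expiry limits how long a stolen token is useful, per-token revocation handles a single reported theft, and the cutoff-based reset is the only cheap way to kill millions of tokens at once when you do not know which ones were taken.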

PII: Personally Identifiable Information is any information by which a person can be identified or contacted, such as name, address, date of birth, vehicle registration number, full-face photograph, biometric data, account number, Social Security number, Aadhaar number, mobile number, etc.

-DR 


Saturday, December 1, 2018

NIST Cyber Security Framework

NIST Cyber Security Framework for Critical Infrastructure


Cyber security threats exploit the increased complexity and connectivity of critical infrastructure systems, putting the Nation's security, economy, and public safety and health at risk.


NIST Cyber Security Framework v1.1, published in April 2018, is a flexible, risk-based approach designed to help organizations manage cyber security risk. It is voluntary and sector-neutral, although it was written with critical infrastructure in mind.

The Framework Core consists of five Functions, listed below, each of which is broken down into Categories (examples given) and then Subcategories:

Identify

Develop an organizational understanding to manage cyber security risk to systems, people, assets, data and capabilities.

Example:

Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management (new in v1.1)

Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Example:

Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology.

Detect

Develop and implement appropriate activities to identify the occurrence of a Cyber Security event. The Detect Function enables timely discovery of Cyber Security events.

Example:

Anomalies and Events, Security Continuous Monitoring  and Detection Processes.

Respond

Develop and implement appropriate activities to take action regarding a detected Cyber Security incident.

Example:

Response Planning, Communications, Analysis,  Mitigation and Improvements.

Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a Cyber Security incident.

Example:

Recovery Planning, Improvements and Communications.

 

How to Use the Framework

An organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing Cyber Security risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current Cyber Security risk approach and develop a roadmap to improvement. Using the Framework as a Cyber Security risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

The Framework is designed to complement existing business and Cyber Security operations. It can serve as the foundation for a new Cyber Security program or a mechanism for improving an existing program. The Framework provides a means of expressing Cyber Security requirements to business partners and customers and can help identify gaps in an organization’s Cyber Security practices.

Below are the basic steps to improve cyber security and implement the Framework across an organization.

Step 1: Prioritize and Scope

Step 2: Orient

Step 3: Create a Current Profile

Step 4: Conduct a Risk Assessment

Step 5: Create a Target Profile

Step 6: Determine, Analyze, and Prioritize Gaps

Step 7: Implement Action Plan

The Framework Core is shown below for reference. Each component of the Core has a unique identifier: two letters for the Function followed by two for the Category, such as ID.AM (Identify: Asset Management) or PR.AC (Protect: Identity Management and Access Control); Subcategories add a number, such as PR.AC-1.


(Image made from Source: NIST CSF document)
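Steps 3 to 6 above (Current Profile, Target Profile, gap analysis, prioritization) are the part of the process that is usually done in a spreadsheet. The following is an added example, not from the NIST document, of the same calculation in code: each Category is scored with an Implementation Tier (1 Partial to 4 Adaptive, the v1.1 tier names) in the current and target profiles, gaps are weighted by a criticality rating from the risk assessment, and the result is a prioritized list plus a roll-up per Function. The category identifiers are real CSF IDs; the tier values and weights are constructed sample data.

```python
"""CSF profile gap analysis (added example, not from the NIST document)."""
from collections import defaultdict

# Implementation Tiers as named in CSF v1.1.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed sample profiles. The identifiers are real CSF category IDs; the
# tier values and the criticality weights (1-3, from a risk assessment) are
# illustrative assumptions.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 1, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 4, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}
CRITICALITY = {"ID.AM": 2, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3, "DE.CM": 2, "RS.RP": 2, "RC.RP": 1}


def function_of(category_id: str) -> str:
    """Map a category identifier such as 'PR.AC' to its Function name."""
    prefix = category_id.split(".")[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown Function prefix in {category_id!r}")
    return FUNCTIONS[prefix]


def gap_analysis(current: dict, target: dict, criticality: dict) -> list:
    """Step 6: every category whose target tier exceeds the current one, highest score first."""
    gaps = []
    for category, want in target.items():
        have = current.get(category, 1)     # absent from the Current Profile: treat as Tier 1
        if not (1 <= have <= 4 and 1 <= want <= 4):
            raise ValueError(f"tiers must be 1-4 for {category}")
        delta = want - have
        if delta <= 0:
            continue                        # target already met, nothing to plan
        gaps.append({
            "category": category,
            "function": function_of(category),
            "current": TIERS[have],
            "target": TIERS[want],
            "delta": delta,
            "score": delta * criticality.get(category, 1),
        })
    gaps.sort(key=lambda g: (-g["score"], g["category"]))
    return gaps


def rollup_by_function(gaps: list) -> dict:
    """Sum gap scores per Function so spending can be compared across Identify/Protect/..."""
    totals = defaultdict(int)
    for gap in gaps:
        totals[gap["function"]] += gap["score"]
    return dict(totals)


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, CRITICALITY)
    for gap in gaps:
        print(f'{gap["category"]:6} {gap["current"]:14} -> {gap["target"]:14} score={gap["score"]}')
    print(rollup_by_function(gaps))
```

The weighting is deliberately simple (tier delta times criticality); what matters is that the ordering comes from the risk assessment in Step 4 and not from whichever control is easiest to buy, which is the prioritization the Framework asks for.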

For a more detailed overview of the implementation steps above, refer to the Framework document; I have only summarized it on a single page. Please visit the NIST site for more details.

The Publication is available online freely at below mentioned site.

Reference:

https://doi.org/10.6028/NIST.CSWP.04162018


Thanks

-DR


Tuesday, November 20, 2018

Incident Response Plan

Incident Response

Incident response is the organized ability to respond to events, incidents and threats that have a negative effect on the network and on the business it supports.

The primary goal is to limit the disruption to the network, services and business processes.

Incident response must be planned before any incident happens. Below are some key considerations to keep in mind:

  • There should be an incident response team, formed and trained with adequate knowledge of incident management.
  • There should be formal policies and procedures, drafted and communicated to all stakeholders.
  • The necessary tools should be identified and kept within easy reach.
  • Senior management support should be obtained before the team starts planning and operating.
  • The escalation matrix should be documented and shared with stakeholders.

Incident Response Life Cycle


Preparation Phase:

In the preparation phase, the response team checks its own incident response capability and coordinates the planning that identifies requirements. There should be implementation plans for:

  • Developing policies, process, and procedures.
  • Define and establish incident handling criteria.
  • Classification of risk and criticality.
  • Define post incident review process and change management process.

Identification Phase:

In this phase, suspicious or unusual activity that might affect or compromise the infrastructure or business is identified. Proactive detection, reactive detection and continuous monitoring should be in place to detect intrusions: analyse network traffic, review audit logs, use honeypots, and so on.

Contain Phase:

In this phase the detected incidents and intrusions are sorted and categorized, then correlated and prioritized. The response team should also isolate the infected system immediately, for example by pulling the network cable or moving its port to a quarantine VLAN at the switch/router, rather than powering it off, which would destroy evidence held in memory.

NB: forensic evidence must be kept intact; capture volatile data (memory, network connections, running processes) before any containment step that would destroy it.

Eradicate and Remediate Phase:

In this phase the core team carries the larger responsibility of restoring or rebuilding the system: restore from known-good media or backups to the baseline configuration, then scan the system again, remove the malware, and harden it before it returns to service.

Lessons Learned Phase:

In this phase, the team documents all findings and the remediation process, and collects feedback from the team. This post-incident activity is just as important, because it helps protect against and defend future incidents or events. All of this should be recorded in the KEDB for future reference.
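The Identification and Contain phases above are where most of the engineering lives, so here is an added example (not from the original post) that runs the two together over SSH authentication logs: a sliding-window brute-force detector, escalation to "critical" when a login from the brute-forcing source later succeeds, a SHA-256 hash of the relevant raw lines so the preserved evidence can be proven unaltered later, and a list of containment actions for the operator. The log lines are constructed samples in OpenSSH style with simplified ISO timestamps; the threshold, window and the suggested commands are assumptions, and nothing is executed.

```python
"""Identification and containment over SSH auth logs (added example)."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the style of OpenSSH syslog output (timestamps
# simplified to ISO 8601). 203.0.113.7 brute-forces root/admin and then logs in as admin.
SAMPLE_LOG = [
    "2018-11-19T21:55:00 sshd[4401]: Failed password for root from 203.0.113.7 port 50110 ssh2",
    "2018-11-19T22:01:03 sshd[4411]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2018-11-19T22:01:10 sshd[4412]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2018-11-19T22:01:18 sshd[4413]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "2018-11-19T22:01:25 sshd[4414]: Failed password for invalid user test from 198.51.100.9 port 44001 ssh2",
    "2018-11-19T22:01:33 sshd[4415]: Failed password for admin from 203.0.113.7 port 51125 ssh2",
    "2018-11-19T22:01:41 sshd[4416]: Failed password for admin from 203.0.113.7 port 51126 ssh2",
    "2018-11-19T22:01:49 sshd[4417]: Failed password for admin from 203.0.113.7 port 51127 ssh2",
    "2018-11-19T22:01:55 sshd[4418]: Failed password for invalid user test from 198.51.100.9 port 44002 ssh2",
    "2018-11-19T22:02:01 sshd[4419]: Accepted password for admin from 203.0.113.7 port 51128 ssh2",
    "2018-11-19T22:05:00 sshd[4430]: Accepted password for alice from 192.0.2.5 port 39000 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
THRESHOLD = 5   # this many failures ...
WINDOW = 120    # ... within this many seconds from one source = brute force (assumed values)


def parse(line: str):
    """Turn one log line into an event dict, or None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"], "raw": line}


def evidence_hash(lines) -> str:
    """Hash the raw lines so the preserved evidence can be shown to be unaltered later."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def containment_actions(incident: dict) -> list:
    """Suggested containment steps; the commands are for an operator and are not executed here."""
    actions = [f'block source at perimeter: iptables -I INPUT -s {incident["ip"]} -j DROP']
    if incident["severity"] == "critical":
        actions += [
            "capture volatile data (memory, connections, processes) before anything else",
            f'disable account {incident["compromised_user"]} and reset its credentials',
            "isolate the host: pull the network cable or move its port to a quarantine VLAN",
        ]
    return actions


def detect(lines) -> list:
    """Identification: sliding-window brute-force detection, escalated if a login then succeeds."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside WINDOW
    failures = defaultdict(int)      # ip -> total failures seen
    evidence = defaultdict(list)     # ip -> every raw line from that source, in order
    incidents = {}
    for ev in filter(None, map(parse, lines)):
        ip = ev["ip"]
        evidence[ip].append(ev["raw"])
        if ev["ok"]:
            if ip in incidents:      # success from a brute-forcing source: assume compromise
                incidents[ip].update(severity="critical", compromised_user=ev["user"])
            continue
        failures[ip] += 1
        window = recent[ip]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > WINDOW:
            window.popleft()         # drop failures older than the window
        if len(window) >= THRESHOLD and ip not in incidents:
            incidents[ip] = {"ip": ip, "severity": "high", "first_seen": window[0].isoformat(),
                             "triggered_at": ev["ts"].isoformat(), "compromised_user": None}
    for ip, inc in incidents.items():
        inc["failures"] = failures[ip]
        inc["evidence_sha256"] = evidence_hash(evidence[ip])
        inc["containment"] = containment_actions(inc)
    return sorted(incidents.values(), key=lambda i: (i["severity"] != "critical", i["ip"]))


if __name__ == "__main__":
    for incident in detect(SAMPLE_LOG):
        print(incident)
```

Note the ordering inside containment_actions for a critical incident: memory capture comes before the account is disabled or the host is isolated, because the NB above is easy to violate in the rush to contain.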

Every organization should also adopt a framework such as the NIST Cyber Security Framework for a systematic process approach that supports the overall risk management process. We will cover the Cyber Security Framework (CSF) in another blog post.

Please share your feedback. Thanks!

 -DR


Saturday, November 17, 2018

Incident Management

Incident Management

An incident is any unplanned disruption to an organization's IT services, or to other services, that affects a single user, a team or the entire business operation and interrupts normal business continuity. It can happen at any time without prior notice.

An incident can be divided into two types: system-generated incidents and user-logged incidents. System-generated incidents are raised automatically.

Example of System generated incident

Virus detection by antivirus software.

Example of user logged incident

A user notices unauthorized access to a system, or someone deliberately forcing their way into the office premises, and immediately informs the internal incident response team.

Incidents range from civil repair work to cyber attacks. Examples include:

  • UPS failure
  • Air conditioning failure
  • Network devices failure
  • Hard disk failure
  • Access control failure
  • Internet failure
  • Software issue
  • DDoS attack
  • Cyber attack
  • Backup failure
  • System failure
  • Virus attack
  • Printer issue
  • Natural calamities such as Fire outbreak, cyclone, flood, earthquake.

Incident Management comprises the set of processes and principles adopted to return a service operation to normal functioning after an incident occurs, ideally within the SLA (Service Level Agreement) time frame.

So an incident needs to be identified, prioritized based on its impact and urgency, then assessed and resolved. Incident management covers every aspect of an incident throughout its life cycle.

Process brief

The entire incident management process should be documented prior to implementation. There must be some key roles and responsibilities defined for the core team members such as Incident Manager, Incident Process owner, Process operator, etc. 

An incident management process has different steps with different approach. Below are the general steps;

Incident identification

Identify an Incident, type of incident etc.

Incident Logging or incident recording

Log or record the incident: the time stamp, where it occurred, the affected area, and any root cause known at the time. Many ticketing tools automate this; earlier, people recorded incidents manually in registers or spreadsheets. Assign each incident a ticket/token with a unique incident number.

Incident Categorization and prioritization

Categorize the incident by risk and severity level, such as High, Medium or Low, and prioritize it by how urgently it must be resolved. Prioritization helps the incident management team understand the importance of the incident and the timeline within which it must be resolved.

There must be an incident priority matrix: a documented guide in which the priority levels (critical, high, medium, low, no impact) are defined in advance from the incident's impact and urgency.

In the incident priority matrix, the urgency, response time, resolution time and MAT (maximum allowable time) for each priority need to be defined as per the SLA (Service Level Agreement) or MSA (Master Service Agreement).

Incident assignment to team or owner

Create a task to resolve it and provide a resolution

The technical team or subject matter experts (SMEs) work on the recorded incident: research, diagnosis and investigation of the issue.

SLA adherence during resolution

Follow SLA timelines for resolution process.

Escalation if further investigation is required or L1 cannot resolve it

Escalate when it is a major incident or when L1 support cannot handle it.

Provide resolution

The goal of the Incident Management is to restore the business or services as soon as possible, hence resolution is very important. The resolution provided could either be a work in progress / a temporary fix or a permanent resolution.

Close the incident

Close the incident once the resolution has been carried out. If, after the resolution is provided to the customer, no feedback or further escalation is received within 24 hours of the resolution time, the incident is deemed closed.

Take user feedback on the closure and document all the process for the incident

Check with the customer or client how satisfied they are with the resolution process and collect any feedback.

Finally, add the incident and its resolution process to the KEDB.

KEDB:

KEDB is the Known Error Database, and it is very useful in incident management.

When an incident occurs, the KEDB is consulted first to check whether a similar incident occurred in the past and whether the procedure to resolve it is already in the database; that minimizes the time to resolution. Hence the KEDB should be updated at regular intervals to record all incidents and problems. It can be further categorized by domain.

There is similarly a Problem Management process; here is a brief on it.

A problem is an unresolved incident, or an incident that keeps recurring in the system or organization. Problems are identified from major incidents or from a combination of multiple incidents.

The problem management process is similar to the incident management process; however, a change management process is additionally linked to it.

For example, during the problem investigation and root cause analysis (RCA) stage it may be concluded that the problem cannot be solved without a change, such as buying new hardware or software, hiring a new resource, or changing the scope. The change management process then governs how that change is made.

This is a basic understanding of incidents and problems. If you have further questions or comments, please provide them.

Thanks!

-DR

Monday, October 22, 2018

Cyber Forensics

Basic understanding about Cyber Forensics

Cyber forensics, sometimes called computer forensics, is the practice of extracting information, analyzing the data and gaining intelligence about activities that involved the use of technology, as a structured chain of evidence that can be presented in a court of law or used to identify a cyber crime.

In other ways, it is also known as Digital forensics and is the process of gathering evidence in the form of digital data during cybercrime cases. Digital forensics is the process through which skilled investigators identify, preserve, analyze, document, and present material found on digital or electronic devices, such as computers and smart phones.

The types of information retrieved by cyber forensic analysis include:

  • Information from logs, together with an understanding of the ethical and legal issues around the data and its acquisition.
  • Metadata details such as time, file type, size and volume of data.
  • Contents such as text, audio, video.
  • Technology data such as sms, email, social media files, chat history, deleted files etc.
  • Password recovery, login details recovery, typewritten document examination.
  • Call history of mobile, sim card data recovery, mirror imaging, hashing.
  • Ability to gather information from network servers, databases, smart phones, tablets, hard disk, memory card, SD card and other digital devices.

Digital Forensic Process

The digital forensic process generally consists of five steps: identification, preservation, analysis, documentation, and presentation.

Identification: Identify the purpose of investigation and the resources required.

Preservation: ensure the data is isolated, secured and preserved (for example, by imaging the media and hashing the image) for further study and analysis.

Analysis: Identify tools and techniques to use, process data, logs and interpret results.

Documentation: Documenting the crime scene along with evidence such as photographs, sketch, screenshot etc.

Presentation: Process of summarizing and explanation of conclusion with facts about the analysis.

Digital Evidence:

Digital evidence is any data stored or transmitted using a computer, over the internet or offline, that supports or refutes a theory of the crime. It must therefore be handled carefully to preserve its integrity: work on verified copies, record hashes at acquisition, and keep a chain of custody. Digital triage is a pre-forensic phase sometimes carried out to gather quick intelligence; although effort has gone into modelling the digital forensics process, little has been done to date to model digital triage.
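Preserving integrity, mentioned above, comes down to two mechanical habits: hash the evidence at acquisition and verify every copy against those hashes, and keep a chain-of-custody record that cannot be quietly edited. The following is an added example (not from the original post, and not how any named tool such as FTK Imager or EnCase implements it internally) that streams a small image through MD5 and SHA-256 in one pass, writes an acquisition record, verifies a working copy against it, and links custody entries into a hash chain rooted at the image hash. SAMPLE_IMAGE is a constructed stand-in for a disk image; examiner names, dates and the record layout are assumptions.

```python
"""Evidence acquisition, hashing and chain of custody (added example)."""
import hashlib
import io
import json

CHUNK_SIZE = 1 << 16

# Constructed stand-in for a small disk image; a real acquisition would read a
# device or an image file written by dd or an imaging tool.
SAMPLE_IMAGE = b"\x00" * 446 + b"EVIDENCE" + b"\x00" * 56 + b"\x55\xAA" + b"\xFF" * 2048


def hash_stream(fileobj) -> dict:
    """Stream the data through MD5 and SHA-256 together so it is read only once.
    MD5 is recorded because many existing reports list it, but only SHA-256 should
    be relied on: MD5 collisions can be manufactured."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fileobj.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def append_custody(record: dict, action: str, person: str, when: str) -> None:
    """Add a chain-of-custody entry hash-linked to the previous entry (the first links to the image hash)."""
    previous = record["custody"][-1]["entry_hash"] if record["custody"] else record["sha256"]
    entry = {"action": action, "person": person, "time": when, "prev": previous}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    record["custody"].append(entry)


def acquire(source, examiner: str, description: str, when: str):
    """Make the working copy and the acquisition record carrying the original's hashes.
    source may be raw bytes or a readable binary file object."""
    data = source if isinstance(source, bytes) else source.read()
    record = {"description": description, "custody": [], **hash_stream(io.BytesIO(data))}
    append_custody(record, "acquired", examiner, when)
    return data, record


def verify_copy(copy: bytes, record: dict) -> bool:
    """True only if the copy still hashes exactly like the original did at acquisition."""
    h = hash_stream(io.BytesIO(copy))
    return h["sha256"] == record["sha256"] and h["md5"] == record["md5"] and h["size"] == record["size"]


def custody_intact(record: dict) -> bool:
    """Recompute the hash chain; any edited, removed or reordered entry breaks it."""
    previous = record["sha256"]
    for entry in record["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != previous:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            return False
        previous = entry["entry_hash"]
    return True


if __name__ == "__main__":
    copy, rec = acquire(SAMPLE_IMAGE, "examiner A", "laptop HDD, case 2018-10", "2018-10-22T10:00:00")
    append_custody(rec, "sealed in evidence bag E-17", "examiner A", "2018-10-22T10:15:00")
    append_custody(rec, "handed to lab", "examiner B", "2018-10-22T14:00:00")
    print(json.dumps(rec, indent=2))
    print(verify_copy(copy, rec), custody_intact(rec))
```

The hash chain only detects tampering with the record; it does not prevent it. In practice the acquisition hashes and the custody log are also written to a medium the examiner cannot alter afterwards (a signed report, a case management system, or both), which is what gives the chain its weight in court.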

Keep in Mind always:

Be Careful! THIS COMPUTER HAS NO BRAIN. USE YOUR OWN!!

Several professional tools are widely used for digital forensic analysis by intelligence agencies, law enforcement (FBI, CBI, cyber police), ethical hackers and forensic examiners. Note that Nagios (infrastructure monitoring), Snort (intrusion detection) and Wireshark (packet capture and analysis) are not forensic suites; their logs and captures are sources of evidence that feed an investigation.

  • FTK Imager
  • Nagios
  • Autopsy (with The Sleuth Kit)
  • Redline
  • Snort
  • AccessData FTK
  • Magnet AXIOM
  • Helix
  • Wireshark
  • OpenText EnCase

These tools come with a variety of features so it can be used as per specific requirements such as Windows forensic, Linux forensic, Disk forensic, network forensic, wireless forensic, email forensic etc.

In Windows forensics, investigators ideally collect both volatile and non-volatile information from the operating system, volatile first, following the order of volatility.

Volatile information is information that is lost the moment a system is powered down or loses power. This Volatile information usually exists in physical memory or RAM. It holds data for a temporary time.

Non-volatile information is kept on secondary storage (disks, SSDs, removable media) and persists after the system is powered down.


Difference between a volatile memory and non volatile memory
(Image source: PEDIAA.COM)

For further reference you can visit the links below. Please comment and share your views.

Reference

https://www.splunk.com/en_us/blog/learn/cyber-forensics.html

https://www.exterro.com/basics-of-digital-forensics

https://www.magnetforensics.com/products/magnet-axiom-cyber/

https://www.sans.org/digital-forensics-incident-response/

https://www.nist.gov/digital-evidence


Thanks

-DR
