November 23, 2015 By Pamela Cobb 3 min read

So a kitten and an information security analyst walk into a bar…

It’s a great setup for a joke, right? (Unless you consider that kittens are way too young to drink and shouldn’t even be in a bar in the first place.) Let us also consider that an information security analyst probably doesn’t have the luxury of time to go to a bar given the year we’ve seen in Internet security, what with ransomware, insider threats and onion-layered attacks running rampant, according to the latest security research report from IBM X-Force.

The fact of the matter is that the information security analyst might be trying to forget some of the very silly things his colleagues do despite best practice lists and common sense. Let’s dissect some of those bad choices, with the help of our little kitten friend.


K Is for Kiosk Charging

We’ve all seen those charging stations at conferences, airports and even on airplanes, enticing you to just plug in and relax while devices charge. In the old days, power and data flowed through separate cables, but modern mobile devices require that both charging and data flow through a single cord. Without seeing what’s on the other end of that charging kiosk, plugging your phone in can mean that you are allowing access to the data on your phone and possibly even the injection of malicious code, which is known as juice jacking.

To protect yourself, carry your own USB charger and plug it into an electrical outlet, invest in a USB data blocker (a "USB prophylactic") that lets power flow but blocks the data lines, or charge only from a power bank you control.

I Is for Installing Patches Late

Nearly 75 percent of cyberattacks use publicly known vulnerabilities in commercial software, but only about 10 percent of organizations have the capacity to apply patches on the same day they’re released. Do your best to be part of that 10 percent, for catnip’s sake!

T Is for Thoughtless Clicking

There are many wonders to behold on the Internet. Whether it’s an email with a link proclaiming “cutest kitten picture ever!” or a click-bait headline on social media, think before clicking.

Do you know the sender of the email? Is the destination site or publication a reputable one? At best, you’ve wasted time clicking through to another weird corner of the Internet, and at worst, you’re clicking through to a malware host for a drive-by download. Think before you click.

T Is for Third-Party Access to Personal Data

Do you know why that game app needs access to your contacts? Or why that navigation app wants access to your health data? Be mindful of the permissions you grant to apps on your mobile devices and what data they may be sharing on your behalf. If you're suspicious of an application and the permissions it requests, compare it with other apps in the same category to see whether that permission is standard for the category or whether it is an indicator of data gathering for potentially illicit purposes.

E Is for Egregious Password Practices

Password hygiene continues to be problematic and was one of the key factors cited in the X-Force Threat Intelligence Quarterly as contributing to insider threats. Whether it is shared accounts, weak passwords or passwords that never expire, this lack of accountability in user provisioning and privilege management is leaving major holes in corporate networks.

Even with effective termination procedures, having shared admin accounts or unexpired passwords leaves doors open to disgruntled ex-employees if they take advantage of remote administration tools like LogMeIn or TeamViewer before their departure.

N Is for ‘Not Me’ Thinking

There’s a certain haughtiness that an information security analyst and others in the industry can adopt in thinking that they are too well-versed in security practices to ever be the victim of an attack. Social engineering has evolved to such levels of sophistication that even the most seasoned practitioner can be fooled.

There is no universal security karma that prevents those of us in this industry from being infected, just that poorly defined Alanis Morissette-esque sense of irony when there’s a fly in your chardonnay.

More for an Information Security Analyst

To learn more about the top security trends in 2015, download the latest IBM X-Force Threat Intelligence Quarterly.

You can also watch our on-demand webinar, titled “Security Preparedness from the Server Room to the Boardroom: Latest Security Research from IBM X-Force” — kittens not included.
