Dyson College of Arts and Sciences
Issue link: http://dysoncollege.uberflip.com/i/633753
the kind of controls they provide to keep their clients safe was not run (or at least not run effectively) by Bit9. With no such controls installed on the machines in its own inventory, attackers were able to use phishing (nuisance email carrying malware, which is activated when the recipient clicks on some part of the message graphic) to gain access to critical servers within Bit9's systems that held the critical code Bit9 uses to certify its clients' applications as safe. As a result, attackers ran malware that compromised the code-signing certificates used to authorize applications and, in doing so, were able to attack Bit9's clients by hiding behind the compromised 'whitelisted' certificates. Bit9's resolution was to revoke the certificates and issue new ones, as well as to begin using its own software more effectively.

Relevant CSC Control (2): Inventory of Authorized and Unauthorized Software

Company: Facebook [8], Attacked: January 2013

Facebook, one of the world's top social media companies, has an astounding growth rate and relies primarily on its software to keep it in the top spot; it is known for building highly popular software products that are quite robust and exhibit few software flaws compared to other firms operating in the same market. As such, if any of the firm's internal workstations were compromised, the attacker(s) could use that foothold to pivot (use the workstation as a launch point for attacks on surrounding workstations and servers), which could threaten not only the confidentiality of its clients' data but also the availability of its overall service. In January 2013, that is exactly what occurred when an insecure version (unpatched or misconfigured) of Oracle's Java software was targeted by attackers seeking to exploit the vulnerable software to attack the firm.
Developers working for Facebook visited a mobile developer website that hosted the Oracle Java exploit. Even though Facebook's own internal systems were well patched and running updated signatures on the firm's anti-malware intrusion prevention systems, the seemingly protected machines still fell victim to the website's exploit. Facebook did not disclose how far the breach penetrated its infrastructure, but did disclose that it occurred and that the compromised machines were immediately remediated. While no data was compromised, the same exploit affected Apple and Microsoft. [9]

Relevant CSC Control (3): Secure Configurations of Hardware, Software, etc…

Company: LinkedIn & eHarmony [10, 11], Attacked: June 2012

Many end users of computers are aware that their passwords, whether for logging into their laptops, desktops or favorite web sites, are encrypted to protect the integrity of the stored password. Depending on the application or operating system, these encrypted passwords are referred to as 'hashes' and are usually hundreds of characters long even though their plaintext equivalent (the password itself) may be only several characters in length. The purpose of generating the longer hashes is to make it difficult for attackers who stumble upon a user's password hash to guess the password accurately. Not to be outwitted, clever hackers often use dictionaries (mostly western-language versions) to generate the hash of every dictionary word, and store the hashes in giant tables for subsequent lookup. Given that a stolen password hash can be cross-referenced in these giant tables, hackers are able to guess many end users' passwords. For the even more clever end users who create passwords that are interleaved with numbers and
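The lookup-table technique this case study describes, as an added example that is not part of the original article: it precomputes the table from a small constructed word list, cross-references a constructed dump of stolen hashes against it, and then shows why storing a random per-user salt beside each hash makes that precomputed table useless. SHA-1, the word list, the user names and the 16-byte salt are assumptions for illustration; the article does not name the algorithm the breached sites used.

```python
import hashlib
import os

# Constructed word list standing in for a cracking dictionary (illustration only).
DICTIONARY = ["password", "welcome", "letmein", "sunshine", "dragon", "football"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hex digest of salt || password.

    SHA-1 is an assumption for illustration. An empty salt models the
    unsalted storage the lookup-table attack relies on."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word for every dictionary word: the 'giant table' the
    text describes. With no salt, a single table applies to every user."""
    return {hash_password(word): word for word in words}


def recover(table, stolen_hashes):
    """Cross-reference each stolen hash against the table.
    Returns {user: password} for every hash found; hashes of passwords
    outside the dictionary simply produce no entry."""
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}


PLAINTEXTS = {"alice": "sunshine", "bob": "Tr0ub4dor&3", "carol": "dragon"}


def unsalted_dump():
    """Constructed 'stolen' dump with unsalted hashes."""
    return {user: hash_password(pw) for user, pw in PLAINTEXTS.items()}


def salted_dump():
    """Same plaintexts stored as hash(salt || password) with a random per-user
    salt. The salt is kept beside the hash; it does not need to be secret."""
    return {user: hash_password(pw, os.urandom(16)) for user, pw in PLAINTEXTS.items()}


def demo():
    table = build_lookup_table(DICTIONARY)
    # Unsalted: every dictionary password drops straight out of the table.
    from_unsalted = recover(table, unsalted_dump())  # {'alice': 'sunshine', 'carol': 'dragon'}
    # Salted: the table has no entry for any salt||password, so a precomputed
    # table cannot be reused; the work must be redone per user.
    from_salted = recover(table, salted_dump())  # {}
    return from_unsalted, from_salted
```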