Tuesday, May 21, 2013

Cybersecurity is about more than technology

Securing Supply Chains Beyond Vendors and Service Providers

Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.

The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.

According to control SA-12: Supply Chain Protection, organizations use acquisition and procurement processes to require supply chain entities to implement necessary security safeguards to reduce the likelihood of unauthorized modifications at each stage in the supply chain and protect information systems and their components, before taking delivery of such systems and components.

But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.

We see organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service: 
Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network. 
Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it. Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it. This is a huge, completely shadowed area of the supply chain that now exists.

Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.

But as long as employees can find better technology than their employers offer, they will concoct ways to use it. Even if there is a policy against doing it, people do it anyway, not to be rebellious but just to be more productive.

Organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.

Saturday, May 18, 2013

Cyber Infrastructure Protection Guidelines by Strategic Studies Institute

It provides the foundation for long-term policy development and a roadmap for cyber security

Increased reliance on the Internet and other networked systems raises the risks of cyber attacks that could harm our nation’s cyber infrastructure.

The cyber infrastructure encompasses a number of sectors including: the nation’s mass transit and other transportation systems; banking and financial systems; factories; energy systems and the electric power grid; and telecommunications, which increasingly rely on a complex array of computer networks, including the public Internet.

However, many of these systems and networks were not built and designed with security in mind. Therefore, our cyber infrastructure contains many holes, risks, and vulnerabilities that may enable an attacker to cause damage or disrupt cyber infrastructure operations.

Threats to cyber infrastructure safety and security come from hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare.

Cyber attackers can introduce new viruses, worms, and bots capable of defeating many of our efforts. Costs to the economy from these threats are huge and increasing. Government, business, and academia must therefore work together to understand the threat and develop various modes of fighting cyber attacks, and to establish and enhance a framework to assess the vulnerability of our cyber infrastructure and provide strategic policy directions for the protection of such an infrastructure.

This book addresses such questions as:

  • How serious is the cyber threat?
  • What technical and policy-based approaches are best suited to securing telecommunications networks and information systems infrastructure security?
  • What role will government and the private sector play in homeland defense against cyber attacks on critical civilian infrastructure, financial, and logistical systems?
  • What legal impediments exist concerning efforts to defend the nation against cyber attacks, especially in preventive, preemptive, and retaliatory actions?
Refer here to download the book.

Tuesday, May 14, 2013

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face a challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-state cyber-attacks, although not all of these approaches would be appropriate for every organization:

  • Avoid acquiring technology from companies based in nations that pose a threat;
  • Isolate internal networks from the Internet;
  • Share cyberthreat information with other organizations;
  • Enhance employee cybersecurity awareness programs, including testing workers' knowledge of best IT security practices.

Sunday, May 12, 2013

Reputation Is A New Target For Cyber-Attacks

How can organizations protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with this whole attack on reputation. The Information Security Forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area of high interest for attackers.

Word of a cyber-attack spreads fast these days and that viral impact can be a major issue. Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit. 

The faster an organization can respond, the more it knows about the particular issues being raised by hacktivist groups, and the more credibly it can state its actual position, the less severe the impact will be.

To ensure they can respond effectively, organizations need to have clear ways of collaborating internally. They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.

Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk because "it's very real."

Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of its own business to determine risks. The Information Security Forum advises that one of the key things it noticed this year is that threats have evolved: attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risk to organizations simply because of that degree of maturing. The sophistication of the people behind the attacks and breaches has increased significantly.

The Information Security Forum notes that criminals have developed what it calls "crime as a service", now upgraded to version 2.0, which gives some view of how the forum sees that evolution.

It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.

Friday, May 10, 2013

No Room For Guessing Games in Information Security

The Global Cost of Cyber Security?

The information security industry, for the large part, has been working hard to reshape how users think about security. Before this reshaping took place, security was a nuisance for enterprises, was overlooked by developers (i.e., security-as-a-fix instead of security-at-inception), and was unknown to end users.

Fortunately, the trend is changing. For example, CXOs are now less reluctant to approve those line items in the budget related to securing their enterprises and end users are becoming more aware of cyber security and its consequences. 

For me, trying to estimate the global cost associated with cybercrime is one of those ‘somethings’. The inherent complexity associated with the global space of cybercrime events prevents us from calculating a reliable cost estimate with respectable accuracy and precision.

Not so long ago, Symantec asserted that cybercrime was costing us about $110 billion per year. Around the same time, McAfee stated that cybercrime was instead costing us approximately $1 trillion per year. I wonder which one is right? It’s a conundrum, indeed.

For years, I have watched these sorts of global cost estimates travel across the wire, and yet I have found little use of the information because the data points are, with absolute certainty, all over the board.

Nowadays I simply ignore these ‘informationals’ when they cross my path—long term exposure to them has desensitized me. However, these changes would not have occurred if our industry was desensitizing our target audience with inaccurate information.

The moral of this story—we as security professionals need to focus on relaying relevant information to the rest of the world and to do so as accurately as possible. There is no room for guessing games in our industry.

Sunday, May 5, 2013

"Likes" provide an incredible amount of insight into our private lives


Your 'Likes' Lead to Snap Judgments, False Assumptions

Much of our online behavior leaves a trail. Sometimes we are aware of it; sometimes we aren't. "Liking" on Facebook (or "+1-ing" on Google+, and all the other clickable options allowing you to show your appreciation for posts) may be one such behavior done with reckless abandon. Often a user will "Like" something only because a friend asked him or her to. These users may not be aware of the picture those "Likes" can paint.

The Wall Street Journal has written a fantastic article that may change mindless "Liking" behavior somewhat. The article highlights a recent study that revealed our "Likes" provide an incredible amount of insight into our private lives. Individually, the "Likes" may not reveal much; but monitored and analyzed over time, they can shed light on very personal, private details. One example:

The researchers found that "Likes" for Austin, Texas; "Big Momma" movies; and the statement "Relationships Should Be Between Two People Not the Whole Universe" were among a set of 10 choices that, combined, predicted drug use.

Whoa. How's that for crazy assumptions? Or scarier, how's that for accuracy? You can bet this research is only the beginning and that the algorithms these researchers used are soon to be commercialized and sold to any number of entities... with any number of intentions.

The takeaway for now? Watch what you "Like," and keep up-to-date on the privacy settings that can prevent others from tracking your online trail. 

TIP

If you use the Chrome browser, you can go "incognito" and hide many of the online activity trails that are otherwise collected automatically. To do this, press <CTRL><SHIFT><N>. See this Google resource for more information.

How You Can Get Hacked at Starbucks

Be extra careful when using free public Wi-Fi

For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.

But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.

According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.

Cybercriminals can also use video cameras on a mobile device to capture what you're doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?

More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots", which intercept a user’s Internet connection and give full access to that network.

Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you.

Sunday, April 28, 2013

Detecting Cyber Intrusion in SCADA System

How to recognize intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a ‘‘backdoor’’) that will allow the intruder to easily gain access at a future time.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  • Communications attempted from unauthorized or unusual addresses and
  • An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.



To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion. In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few.

Users will soon learn to ignore the output of an IDS that announces too many spurious events. There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA/SA environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.
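The two detection factors named above (communications from unlisted addresses and an unusual pattern of activity) and the tuning problem that follows them can be made concrete with a small rule-based detector. The block below is an added example, not code from the original post or from any IDS vendor: the log format, the set of known master stations, the write-command names and the thresholds are all assumptions constructed for the example.

```python
"""Rule-based intrusion flagging over a constructed substation network log.

Added example (not from the original post). Two rules mirror the factors
the post names: a source address outside the known masters, and a burst
of control (write) commands from one source inside a short window. The
log format, allow-list and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines: "<epoch> <src_ip> <function> <unit>"
SAMPLE_LOG = """\
1366800000 10.10.1.5 read_holding 1
1366800001 10.10.1.5 read_holding 2
1366800002 10.10.1.6 read_coils 1
1366800003 192.168.77.9 read_holding 1
1366800004 10.10.1.5 read_holding 1
1366800005 10.10.1.7 write_single_coil 3
1366800006 10.10.1.7 write_single_coil 3
1366800007 10.10.1.7 write_single_coil 3
1366800008 10.10.1.7 write_single_coil 3
1366800009 10.10.1.6 read_coils 2
"""

# Assumed: the HMI (.5), the historian (.6) and the engineering
# workstation (.7) are the only hosts expected to talk to the RTUs.
KNOWN_MASTERS = {"10.10.1.5", "10.10.1.6", "10.10.1.7"}
WRITE_FUNCTIONS = {"write_single_coil", "write_register"}


@dataclass(frozen=True)
class Alert:
    rule: str
    source: str
    detail: str


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, function, unit) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, func, unit = line.split()
        events.append((int(ts), src, func, int(unit)))
    return events


def detect(events, max_writes_per_window=3, window_seconds=10):
    """Return alerts for unknown sources and bursts of write commands.

    max_writes_per_window is the tunable the post talks about: set it too
    low and every legitimate engineering change is flagged (operators stop
    reading the alerts); set it too high and a burst of control actions
    goes unnoticed. Each rule fires once per source to avoid alert floods.
    """
    alerts = []
    seen_unknown = set()
    writes = defaultdict(list)  # src -> timestamps of recent writes

    for ts, src, func, unit in events:
        if src not in KNOWN_MASTERS and src not in seen_unknown:
            seen_unknown.add(src)
            alerts.append(Alert("unknown-source", src,
                                f"{func} to unit {unit} from unlisted address"))
        if func in WRITE_FUNCTIONS:
            # keep only the writes that fall inside the sliding window
            recent = [t for t in writes[src] if ts - t < window_seconds]
            recent.append(ts)
            writes[src] = recent
            if len(recent) == max_writes_per_window + 1:
                alerts.append(Alert("write-burst", src,
                                    f"{len(recent)} writes in {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.source}: {a.detail}")
```

Running it against the constructed log raises one alert for the unlisted 192.168.77.9 and one for the four coil writes from 10.10.1.7; raising max_writes_per_window to 10 silences the second, which is exactly the trade-off the post describes between too many and too few flagged events.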

Summary

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy.

Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  • Preventing intrusions from occurring, and
  • Recovering from them when they occur.

Sunday, April 21, 2013

Industrial Control Systems (ICS) Security Awareness Poster

Control Systems Are A Target, Need Some Awareness?

One of the challenges we face in the Industrial Control System (ICS) community is awareness. People maintaining our critical infrastructure do not realize how fragile and targeted the supporting cyber systems are, including PLCs, Relays, RTUs and entire SCADA networks.

This poster was developed by a community team of industry ICS experts to help ICS Engineers and Operators understand just how much they are a target and why. As always, the first step to changing behaviors is engagement, and the first step to engagement is ensuring people know they are a target. 

Feel free to download, print and distribute this poster amongst your organization and peers. This poster is just the first in a series of resources and training to be released by the new SANS ICS group.

Download now a high-resolution version from our Security Awareness Posters section.

Friday, April 19, 2013

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australia government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, DSD stated that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including their status in implementing Infosec 4, to the relevant minister.

Wednesday, April 17, 2013

Can Enterprise rely on MDM to achieve Mobile Security?


mRAT spyware bypasses mobile enterprise controls

Mobile remote access Trojan (mRAT) infections are increasing and bypassing mobile enterprise security controls, putting businesses at risk of cyber espionage, research has revealed.

mRATs are capable of intercepting third-party applications such as WhatsApp, despite guarantees of encrypted communications, the study of 2 million smartphone users by Lacoon Mobile Security found.

The research also showed that mRATs are similarly able to bypass security controls in mobile device management (MDM) systems, which a growing number of businesses rely on for mobile security.

mRATs are designed to carry out cyber espionage and typically enable eavesdropping on calls and meetings, extracting information from email and text messages and location tracking of executives.

The spyware requires a backdoor for installation, through the rooting of Google Android or the jailbreaking of Apple iOS devices.

The research found that mRATs can bypass rooting and jailbreaking detection mechanisms installed on handsets, with 52% of infected devices found running iOS and 35% running Android.

The attacks undermine the basic notion of a secure container on which most MDM systems are based, according to Lacoon Mobile Security.

MDM systems create secure containers that separate business and personal data on the mobile, in an attempt to prevent business-critical data from leaking.

However, the research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab the data at the point where the user pulls it up to read it.

Mobile best practices and technologies include:
  • Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable a network protection layer to block exploits and drive-by attacks, and contain the device from accessing enterprise resources when the risk is high.


Monday, April 15, 2013

Australian Feds charge 17 year-old 'Anon' with four crimes

17-year-old suspected member of ‘Anonymous’ charged with unauthorised access to computer data

A 17-year-old youth appeared in Parramatta Children's Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data. The juvenile is suspected to be a member of the online issue-motivated group "Anonymous" and allegedly committed serious offences on their behalf.

Commander Glen McEwen, Manager Cybercrime Operations, said the AFP takes any computer intrusion offences very seriously and remains committed to investigating offences that occur in cyberspace. "Protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue," Commander McEwen said. "The AFP investigates various types of cybercrime and will continue to take a strong stance against these perpetrators."

Refer here to read more details.

Monday, April 8, 2013

Think someone may be reading your emails?

Encrypt them, and they can't

Are you sending confidential information in your email, text and instant messages? If so, you could be exposing it to a lot of peeping eyes...and they may decide to do bad things with it!

Here are some ways to encrypt your digital messages:

  • In Outlook, within your message, go to File, Properties, Security Settings, and click the box for "Encrypt message contents and attachments."
  • If you use some type of webmail, most good ones offer SSL as a security option; use it. It encrypts the messages *while they are traveling through the Internet.*

    However, it is not the same as encrypting the message itself. Your messages are still in clear text within the mail box storage, and when forwarded elsewhere not using an SSL-encrypted transmission method.
  • For webmail, consider getting an add-on tool, such as Armacrypt.
  • Another email option is Hushmail.
  • Consider using an up-to-date version of PGP.
  • Here's a pretty good discussion of encrypting text messages on Android devices.
  • Here are some smartphone encryption apps to consider.

Useful TIP! Don't send any sensitive or confidential information using social network messaging systems, such as Facebook mail. While you can have the *connection* (meaning while it is traveling from you to your recipient) encrypted using SSL, it does not encrypt the message itself, leaving it in clear text within the many Facebook repositories.
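The distinction the list keeps returning to, transport encryption (SSL on the connection) versus encrypting the message itself (PGP and similar), is easiest to see with a simulated mail server that stores whatever it receives. The block below is an added example and not code from the original post or from any of the products it names; the keystream cipher built from hashlib is an illustrative stand-in for PGP/S-MIME message encryption, and the server and key material are constructed for the example.

```python
"""Transport encryption versus message encryption (added example, not
from the original post). A toy mail server stores exactly the bytes it
receives. With transport-only protection the stored copy is clear text;
with message-level encryption only the recipient's key recovers it.

The cipher is an illustrative encrypt-then-MAC construction over a
SHA-256 counter keystream, an assumption for this example standing in
for a real message-encryption tool such as PGP.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_message(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def decrypt_message(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise on tampering."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class MailServer:
    """Constructed server: keeps every delivered message as received."""

    def __init__(self):
        self.mailbox = []

    def deliver(self, payload: bytes):
        self.mailbox.append(payload)


def send_over_tls(server: MailServer, message: bytes):
    # The TLS session protects bytes on the wire only. Once the server
    # terminates the session it stores, and can read, the clear text.
    server.deliver(message)


def send_end_to_end(server: MailServer, recipient_key: bytes, message: bytes):
    # The message is encrypted before it leaves the sender; the server
    # (and any later unencrypted forwarding hop) sees only ciphertext.
    server.deliver(encrypt_message(recipient_key, message))


def stored_copy_is_readable(server: MailServer, message: bytes) -> bool:
    """True if the server's mailbox holds the message in clear text."""
    return message in server.mailbox


if __name__ == "__main__":
    key = os.urandom(32)          # constructed recipient key
    secret = b"account number 12345"
    tls_only, e2e = MailServer(), MailServer()
    send_over_tls(tls_only, secret)
    send_end_to_end(e2e, key, secret)
    print("TLS-only server can read message:", stored_copy_is_readable(tls_only, secret))
    print("E2E server can read message:     ", stored_copy_is_readable(e2e, secret))
    print("Recipient recovers:", decrypt_message(key, e2e.mailbox[0]) == secret)
```

The same logic applies to the Facebook messaging tip: an SSL connection to the site leaves the message itself in clear text in the site's storage, which is what the end-to-end path above avoids.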

Wednesday, April 3, 2013

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Let's say you have an external hard drive which stopped. Completely. Unexpectedly.

Did you have backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you from feeling the pain of a failed hard drive:

  • Invest in an external backup drive for storing your backups. You can see some good guidance here.
  • For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store it at a different, secure location, such as a bank safety deposit box.
  • Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  • Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  • If personal information is on your backup drive, encrypt it!
  • If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  • Regularly test backups to ensure the backup data is actually good.
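The last recommendation, regularly testing that the backup data is actually good, is the one most often skipped because it has no obvious tooling. The block below is an added example, not code from the original post: it copies a folder while recording a SHA-256 digest per file in a manifest, then re-checks the copy so a missing or silently corrupted file is reported during a routine check rather than on the day of the restore. The directory layout and file contents are constructed inside the example.

```python
"""Verifiable backups (added example, not from the original post).

backup_with_manifest() copies a source tree and writes a manifest of
SHA-256 digests; verify_backup() recomputes them and reports each file as
ok, missing or corrupt. All paths and contents below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large photos or archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def backup_with_manifest(src_dir, dest_dir):
    """Copy src_dir into dest_dir and record a digest for every copied file."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            # hash the copy, not the original: that is the data you will restore
            manifest[rel] = sha256_file(dst)
    with open(os.path.join(dest_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(dest_dir):
    """Return {relative path: 'ok' | 'missing' | 'corrupt'} for the backup."""
    with open(os.path.join(dest_dir, MANIFEST)) as f:
        manifest = json.load(f)
    report = {}
    for rel, digest in manifest.items():
        path = os.path.join(dest_dir, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
        elif sha256_file(path) != digest:
            report[rel] = "corrupt"
        else:
            report[rel] = "ok"
    return report


def demo():
    """Build a constructed source tree, back it up, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "documents")
        os.makedirs(os.path.join(src, "tax"))
        with open(os.path.join(src, "tax", "2012.txt"), "w") as f:
            f.write("constructed tax record\n")
        with open(os.path.join(src, "photo.bin"), "wb") as f:
            f.write(bytes(range(256)) * 16)      # deterministic 4 KiB "photo"
        dest = os.path.join(tmp, "backup")
        backup_with_manifest(src, dest)
        clean = verify_backup(dest)

        # simulate bit rot in one file and an accidental deletion of another
        with open(os.path.join(dest, "photo.bin"), "r+b") as f:
            f.seek(100)
            f.write(b"\x00")                     # byte 100 was 0x64, now 0x00
        os.remove(os.path.join(dest, "tax", "2012.txt"))
        damaged = verify_backup(dest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup:", clean)
    print("after damage:", damaged)
```

Encrypting the backup drive, as the list also recommends, does not change this check: hash the files before encryption, or hash the encrypted container, but in either case keep the manifest with the backup and re-run the verification on a schedule.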