Saturday, December 31, 2011

2011 - Year of the HACK and DATA Breaches

This year’s headlines have been made up of data breaches, hacks, APT attacks and mergers and acquisitions

Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees.

That is how US security firm Symantec describes the newly discovered Duqu worm in its report ‘W32.Duqu: The precursor to the next Stuxnet’.

Duqu shares much of its code with the sophisticated Stuxnet worm that sabotaged centrifuges at Iran’s Natanz uranium enrichment facility and is widely credited with setting Iran’s nuclear program back by years. Duqu infections have so far been found in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.

While at this point Duqu is only able to gather intelligence, Symantec judges that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.

The discovery of Duqu was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society.

News of Duqu was followed by a report, since shown to be mistaken, of a malware attack on a US water utility network that destroyed the industrial control system of a key water pump.

Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem.

But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.

Cyber Wasteland

From the mega breach at Sony to the annoying self-righteous breaches perpetrated by Anonymous et al., 2011 was a wasteland of data loss.

In March, RSA – the company that ensures its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.

In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.
Coviello’s assumption turned out to be wrong: SecurID customers, including US defense giant Lockheed Martin, reported attacks that traced back to the RSA breach. To limit the damage, RSA agreed to replace the tokens of its key customers.
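To make concrete what Coviello’s “reduce the effectiveness of a current two-factor authentication implementation” means, here is an added example; it is not code from RSA or from the original post. SecurID’s token algorithm is proprietary, so the example uses the RFC 6238 TOTP construction (HMAC-SHA1 over a time counter) as a stand-in for the same class of seed-based hardware token. The seed database, token serial, user and PIN records are constructed (the seed is the RFC 6238 test-vector value, not a real token record). It shows that whoever holds a token’s seed can compute the tokencode for any moment, so once the seed file is stolen the only factor still standing between the attacker and the VPN is the user’s PIN.

```python
"""Why a leaked token seed collapses two-factor to one factor (added example).

RSA SecurID's algorithm is proprietary; RFC 6238 TOTP is used here as a
stand-in for the same class of seed-based token. All records are constructed.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps (clock drift)."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, digits), candidate):
            return True
    return False


# Constructed: the authentication server's seed records, keyed by token serial.
# The seed is the RFC 6238 test-vector seed, not a real token record.
SEED_DB = {"000123456789": b"12345678901234567890"}
# Constructed: the same record as it would appear in the attacker's stolen copy.
STOLEN_SEEDS = {"000123456789": b"12345678901234567890"}
# Constructed: user -> (token serial, PIN). The PIN is the "something you know".
USER_DB = {"alice": ("000123456789", "1234")}


def login(user: str, pin: str, tokencode: str, unix_time: int) -> bool:
    """Server-side check: PIN (something you know) AND tokencode (something you have)."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    serial, expected_pin = rec
    pin_ok = hmac.compare_digest(pin, expected_pin)
    code_ok = verify_totp(SEED_DB[serial], tokencode, unix_time)
    return pin_ok and code_ok


def attacker_attempt(user: str, serial: str, guessed_pin: str, unix_time: int) -> bool:
    """An attacker holding the stolen seed file computes the tokencode itself.

    Whether the login succeeds now depends only on guessing the PIN: the
    "something you have" factor has been reduced to something the attacker has too.
    """
    seed = STOLEN_SEEDS.get(serial)
    if seed is None:
        return False
    return login(user, guessed_pin, totp(seed, unix_time), unix_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; counter 1 -> tokencode "287082"
    print("tokencode:", totp(SEED_DB["000123456789"], t))
    print("attacker with seed + right PIN:", attacker_attempt("alice", "000123456789", "1234", t))
    print("attacker with seed + wrong PIN:", attacker_attempt("alice", "000123456789", "0000", t))
```

Reissuing tokens, as RSA did, works because it replaces the seeds in the server’s records while the attacker’s copy goes stale; until that happens, a short numeric PIN is all that protects the account, which is why repeated PIN failures on accounts whose tokencode always validates are the thing to watch for.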

In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.

April was the Cruelest Month

April was indeed a cruel month for Sony, which admitted that hackers had gained access to names, addresses, email addresses, birth dates, passwords and IDs for over 100 million PlayStation Network, Qriocity, and Sony Online Entertainment customers.

The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.

Panel chairman Mary Bono Mack (R-Calif.) criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”

More Breaches!

Marketing firm Epsilon had a breach of its extensive database, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks & Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.

While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. Reuters put a $100 million price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.

And for much of 2011, Anonymous and its offspring were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.

Not with a Whimper, but a Bang

In the arena of mergers and acquisitions, 2011 started off with a bang, with Dell’s acquisition of SecureWorks, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.

Also early in the year, Sourcefire bought Immunet, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based maker of reverse-engineering tools, for an undisclosed consideration.

In April, storage giant EMC acquired NetWitness, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!

After the April showers, there was a spurt of acquisition activity in May. In that month, Symantec acquired Clearwell Systems, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.

In addition, virtualization vendor VMware purchased Shavlik Technologies, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a privately held Germany-based network security firm.

Other noteworthy information security acquisitions in 2011 included: IBM’s purchase of Q1Labs, a Waltham, Mass.-based provider of security event and log management software; McAfee’s purchase of NitroSecurity, a Portsmouth, N.H.-based security information and event management firm; and Check Point’s acquisition of Dynasec, an Israel-based governance, risk, and compliance firm.

“Prediction is very difficult, especially about the future.”

Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.

Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.

The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Mobile malware has become widespread, and this trend is likely to accelerate.

Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.

Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.

And the boldest prediction of all: there will be more data breaches in 2012.

Friday, December 30, 2011

Hackers could shut down train lines?

Hackers who have shut down websites by overwhelming them with web traffic could use the same approach to shut down the computers that control train switching systems, according to research by a security expert.

Stefan Katzenbeisser, professor at Technische Universität Darmstadt in Germany, warned that switching systems were at risk of "denial of service" attacks, which could cause long disruptions to rail services.

"Trains could not crash, but service could be disrupted for quite some time," Katzenbeisser told Reuters.

"Denial of service" campaigns are one of the simplest forms of cyber attack: hackers recruit large numbers of computers to overwhelm the targeted system with Internet traffic.

Hackers have used the approach to attack sites of government agencies around the world and sites of businesses.

Train switching systems, which enable trains to be guided from one track to another at a railway junction, have historically been separate from the online world, but communication between trains and switches is handled increasingly using wireless technology.

Katzenbeisser said GSM-R, the mobile technology used for railways, is more secure than the ordinary GSM used in phones, against which security experts showed a new attack at the same conference, the Chaos Communication Congress in Berlin.

"Probably we will be safe on that side in coming years. The main problem I see is a process of changing ... keys. This will be a big issue in the future, how to manage these keys safely," Katzenbeisser said.

The software encryption 'keys' needed to secure communication between trains and switching systems are written to physical media such as USB sticks and then shipped around for installation, raising the risk of their ending up in the wrong hands.

Tuesday, December 27, 2011

DDoS Testing Methodology

A methodology to measure the resiliency of network infrastructure against DDoS and botnet attacks

Distributed denial of service (DDoS) attacks are rampant, successfully targeting Fortune 100 businesses, not to mention government, news media, communication and financial networks throughout the world. It has therefore become important to assess network equipment and application servers using these same attacks. Only through realistic attack simulation can organizations see their own weaknesses and vulnerabilities within the IT infrastructure and how resilient these elements are when under attack.

DDoS Testing Methodology

BreakingPoint has created a definitive DDoS testing methodology that creates a variety of attacks to help users find their network weaknesses before others do. Such attacks include the following:
  • DDoS designed to consume all available bandwidth, all disk space or all available CPU cycles

  • DDoS designed to disrupt important information flow such as routing tables by injecting false routes, thus causing packets to be misrouted

  • DDoS designed to break the physical layer of the network and obstruct the communication between the end-point and the user

  • Botnets designed to send large quantities of unsolicited e-mail to trigger Delivery Status Notifications (bounces) to spoofed originating email addresses
To download the methodology please refer here (registration may be required)

Thursday, December 22, 2011

SC Webcast: Top cyber threat predictions for 2012

Learn about the top (internal and external) security predictions of 2012

With the tremendous growth of workforce mobility, telecommuting, and enterprise social networking, 2012 is again likely to pose some complex cyber security challenges for businesses worldwide.

As such I thought you might be interested in SC’s upcoming webcast which will get to grips with what the experts predict to be the top cyber threats in the year ahead.

You can secure your complimentary place here -

Streamed live to your desk: 26th January 2012, 3pm GMT

This webcast will enable you to:
  • Learn about the top (internal and external) security predictions of 2012 (from mobile threats to spear phishing)
  • Understand the impact of social networking on enterprise security in 2012 to help you prioritise your response
  • Develop ideas for a 360 degree cyber security strategy that keeps up with the sophistication of attacks in the year ahead

Aaron Sheridan, Senior Security Engineer, FireEye
Clive Longbottom, Founder and Industry Analyst, QuoCirca
View more information at

Tuesday, December 20, 2011

CSET™ Version 4.0.1 Available for Download

The Cyber Security Evaluation Tool (CSET™) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets.

The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET™). This new version of the tool can be downloaded from the CSSP website:

This interim Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations.

Additionally, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves upon the gap analysis for pass/fail standards.

Purpose of CSET

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.

The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.

When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits of CSET
  • CSET contributes to an organization's risk management and decision-making process
  • Raises awareness and facilitates discussion on cybersecurity within the organization
  • Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
  • Identifies areas of strength and best practices being followed in the organization
  • Provides a method to systematically compare and monitor improvement in the cyber systems
  • Provides a common industry-wide tool for assessing cyber systems

Sunday, December 18, 2011

Five reasons not to jailbreak your iPhone

Crackers are reported to be making inroads into jailbreaking iOS5

Even though the iPhone 4S jailbreak is on the way - and while many users are excited about the ability to customize and do more with the iPhone 4S - there are a number of reasons you shouldn’t jailbreak your new iPhone.

While an iPhone 4S jailbreak will deliver the iPhone experience many have been looking for, jailbreaking is not for everyone.
  1. The biggest issue is the warranty: even though jailbreaking was ruled legal in 2010, Apple has been very clear that doing so voids users’ warranties.

    And, whilst there are many times you can restore to a standard Apple iOS version before going in for repair, this is not always going to be the case.

  2. Users will also lose Genius Bar support on the iPhone – in the past some users have been able to get support by not mentioning that their iPhone is jailbroken, but again, if the Genius finds out that the handset is jailbroken, you may lose out on support.

  3. The third issue with jailbreaking is that you usually lose fast upgrades to new releases of iOS.

    If you are waiting for the jailbreak, you should also avoid installing iOS 5.0.1 to your iPhone 4S. This isn’t as big of an issue for small upgrades like this, and in the case of [earlier versions] a jailbreak was available very quickly.

    But, when it comes to major upgrades that bring new features, you may be forced to wait a while, or go back to a stock iPhone experience.

  4. Apple has many controls in place to keep apps from slowing down your iPhone, but jailbroken apps don’t need to stick to these guidelines.

    Many users who have gone back from jailbreaking cite a poor user experience and buggy nature of their jailbroken iPhones as a reason for going back to normal. If you know exactly what you are doing, or don’t mind troubleshooting to find out what is causing an issue, you will be OK, but many iPhone owners don’t want to hassle with things like this.

  5. Finally, consider the security risks. If you have a jailbroken iPhone and are installing apps from various sources, one of them could contain malware.

    The threat of malware has caused concern for Android users, and so far we haven’t seen a large number of malware infested jailbreak apps, but the threat remains. If you do jailbreak, be vigilant about what you download.
Ultimately, jailbreaking your new iPhone 4S is up to you. If you know what you are doing, you can follow these instructions to jailbreak your iPhone 4, and stay tuned for how to jailbreak the iPhone 4S and iPad 2 as soon as the tools are available.

Friday, December 16, 2011

What does it really take to exploit a printer?

Printer Hack: Researchers Can Set Media’s Pants on Fire

In the past couple of weeks, there has been quite a bit of press and blogging about a security vulnerability in HP printers that was discovered by researchers in the Intrusion Detection Lab at Columbia University.

In a nutshell, the researchers found a way to replace the operating firmware on an HP printer with firmware of their own design that can do bad things, and they also found a way to do it to a printer that is on a private network behind a firewall.

MSNBC ran an “exclusive” story about it calling it a “devastating attack” to which “millions of printers” could be subjected. Its lede suggested that hackers could cause the printer to catch fire, or be used for identity theft, or be used to take control of entire networks.

In practice, this isn’t an easy vulnerability to exploit on a large scale.

Let me explain:

First, you need to target a printer that supports PJL and its largely undocumented remote firmware update (RFU) function. Many printers support PJL, but RFU is less commonly supported. Many printers don’t have any mechanism for remote updates, and many others use something other than PJL’s RFU function for remote updates.

Once you've found a printer that supports PJL and its RFU function, you'll need to make sure that it will apply a firmware update without checking its authenticity. I can’t speak for other manufacturers, but my employer’s products have been using digital signature verification for firmware updates for at least the seven plus years that I have worked for them.

Next, you need to be able to create new firmware to do your bidding. To do that, you need to know the manufacturer and model of your target. The researchers demonstrated exploitation of a victim’s printer that was on a private, firewalled network, but didn’t mention how they determined which make and model of printer would be used by a particular victim. They would need to know that in order to send the correct firmware image to the victim.

And then there is the matter of reverse-engineering printer firmware. It is certainly possible, but not very practical when you consider that there are thousands of different printer models to contend with.

The researchers say that “rewriting the printer’s firmware takes only about 30 seconds”, but they are referring to the time it takes for the printer to update its flash memory and not how long it takes for someone to reverse-engineer a printer to do something malevolently useful.

Next, you need to get the victim to print a document that contains the firmware update code, and of course they need to print it on the printer that you targeted. I don’t know if it is possible to embed an RFU in a printable document in such a way that isn’t obvious when the document is viewed, as most people do before they print something. Perhaps they will disclose that detail at the Chaos conference.

Now, finally, you own the victim’s printer.

Wednesday, December 14, 2011

U.S. power grid is a big & soft target for cyberattack

MIT study report shows security gaps widening, risk increasing as power nets improve

The "malicious attack from Russian hackers" that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after it interviewed the prime suspect for a story that ran last week.

That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.

The U.S. electrical grid in particular is just as vulnerable as it was before the risk of cyberattack became obvious, and the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the Massachusetts Institute of Technology's Energy Initiative.

U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.

The revelation that the reports of a successful attack on the Illinois water utility were mistaken led many security experts to dismiss that incident, but not the possibility of a Stuxnet-like attack on utilities.

Current risks of cyberattack on electric utilities
  • Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central offices.

  • Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.

  • Commuting disruptions for electric vehicle operators can occur if recharging stations have been modified to incorrectly charge batteries.

  • Data confidentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).
"Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011"

With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…
… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. And its goals must include ensuring the continuous and reliable operation of the electric grid…
…We believe the natural evolution of grid information technologies already points toward such an approach: the development and integration of increasingly rapid and accurate systems control and monitoring technologies should facilitate quicker attack detection—and consequently, shorter response and recovery times.

Cyberattack response and recovery measures would be a fruitful area for ongoing research and development in utilities, their vendors, and academia. – Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

U.S. utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.

Monday, December 12, 2011

The top 5 information security certifications

Recent Security Incidents Push Demand for Information Security Professionals

The top 5 information security certifications include the CISSP, CISM, GIAC, CEH and vendor credentials offered by companies such as Cisco and Microsoft. These certifications are in demand not only for their demonstration of IT security proficiency, but also because certified candidates go through training that reflects a higher standard of ethical conduct - a topic that has renewed focus by hiring managers.

In 2012, the rise in security incidents and mobile devices creates hot demand for certifications such as the GIAC, which are technically focused in specific areas of forensics, incident response and application security.

Top 5 Certifications

Based on a review of job boards and various research conducted by IT security recruiters and employers, here is the list of the top five security certifications:

CISSP

The Certified Information Systems Security Professional continues to be the gold standard in certifications.

The CISSP, which is known for its high-level overview on the profession, has recently opened the certification for further specialization in areas such as architecture and management.

The push for this credential is also coming from the U.S. Department of Defense 8570.1 Directive, which requires all government and contract employees working on DoD IT projects to carry an approved certification for their particular job classification.

CISSP certification is usually for mid and senior management IT security positions. This certification is offered through (ISC)2, the not-for-profit consortium that offers IT security certifications and training.

The CISSP examination is based on what (ISC)2 terms the Common Body of Knowledge (or CBK). Candidates interested in taking the exam must possess a minimum of five years of direct full-time security work experience in two or more of the 10 (ISC)2 information security domains (CBK), and agree to abide by their codes-of-ethics and policy for continuous education.

In addition, they need to pass the exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple-choice, consisting of 250 questions with four options each, to be answered over a period of six hours.

For further information please refer here.

CISM

Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security.

As with the CISSP, the 8570 Directive requires CISM certification for senior managers that particularly focus on governance, compliance and risk management issues.

CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions. CISM is offered by ISACA, an international professional association that deals with IT Governance.

The CISM designation is awarded to individuals with an interest in security management who meet the following requirements: They need to successfully pass the CISM exam; adhere to ISACA's code of professional ethics; agree to comply with the continuing education policy.

They also must submit verified evidence of a minimum of five years of IT security work experience, including a minimum of three years of management work experience; and submit an application for CISM certification.

For further information please refer here.

GIAC

Global Information Assurance Certification is rising in demand specifically in areas of incident handling, forensics, intrusion detection and reverse malware engineering.

Many organizations are seeking such experts for their IT security teams because of the growing threat landscape and rise in security incidents. Usually, professionals turn to GIAC certifications to get further expertise in a particular discipline.

The GIAC is essentially geared toward mid-level security professionals who are looking to carve out a niche career path for themselves. The certification is offered by the SANS Institute, a cooperative research and education organization.

There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge may take the exam. Candidates can pursue GIAC exams with or without purchasing SANS training.

Exam fees usually include two practice exams and one proctored exam; each exam must be taken within 120 days of being activated in the candidate's SANS portal account. Exams are taken online, but SANS now requires that a proctor be present when candidates take the test.

For further information please refer here.

CEH

Certified Ethical Hacker is gaining popularity as companies seek experts to perform web application and penetration testing to ensure their infrastructure is secure.

A blooming field is security testing, and certifications like CEH are challenging technically and very valuable. This certification is useful for entry-to-mid-level practitioners that are looking to conduct vulnerability assessments.

CEH is offered by the International Council of Electronic Commerce Consultants (EC-Council), a professional certification body. EC-Council's goal is to certify security practitioners in the methodology of ethical hacking. It largely demonstrates an understanding of the tools used for penetration testing.

To obtain the CEH, candidates can choose a path of self-study or complete a training course offered by EC-Council. Candidates must have at least two years of security experience and must sign an agreement to not misuse the knowledge acquired.

For further information please refer here.

Vendor Certifications

Securing an organization's infrastructure and keeping up-to-date with emerging technologies are critical. Vendor certifications, including Cisco's Certified Network Associate Certification (CCNA) and Microsoft's Certified Systems Engineer (MCSE), with focus on security and Check Point's Certified Security Expert (CCSE), are particularly in demand.

The top information security certifications Dice has tracked for 2011 include Cisco CCNP Security and Check Point Certified Expert. These certifications are also on the rise because of their in-depth technical focus.

They help in understanding the technical skills associated with what professionals are trying to defend, and the inherent security capabilities of the infrastructure.

For most entry-level positions requiring one-to-two years of experience, employers seek vendor certifications, Security+ and the CEH credential. Mid-to-senior positions demand more mature training in CISSP, CISM and GIAC.

Other certifications in demand include Security+, Offensive Security Certified Professional, Cloud Security Alliance's new Certificate of Cloud Security Knowledge, Systems Security Certified Practitioner and Certified in Risk and Information Systems Control.

Certifications cannot be a substitute for on-the-job experience, but they are turning out to be a good measure for both proficiency and character.

Saturday, December 10, 2011

Beware of SCAMMERS on dating websites!

Heartless SCAMMERS

Don't give your heart away online, at least not before you've met that special somebody in person. Some Aussies have been stung for more than $100,000 in online dating and romance scams by a "lover" claiming to be desperate for money because of an accident or robbery overseas.

A common scenario is to pretend to be a soldier or aid worker on an overseas mission in need of extra cash to pay costs and get a "leave pass" to visit.

The Australian Competition and Consumer Commission (ACCC) is working to create new guidelines to combat scams. It received more than 1600 complaints about online dating scams relating to more than $17 million in losses between January and October this year.

And of those, more than 200 people have lost $10,000 or more. ACCC deputy chairman Dr. Michael Schaper said more people lost money in dating scams than any other type of scheme.

If you have been communicating with a scammer for some time, it can be hard to say no. Please beware of such scams and never give money or share private information. Other red flags can include bad punctuation and spelling.

Dating website operators have until December 16, 2011 to comment on draft guidelines before they are launched next year.

Thursday, December 8, 2011

Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond

Utility Cyber Security is in a State of Near Chaos

Market analysis and consulting provider Pike Research has released a report examining the current state of utility cyber security, and the prognosis is far from comforting.

The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.

The report states:

"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended."

One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

"Cyber security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions," the report maintains.

The market for industrial control systems security solutions is fairly wide open, and the Pike report contends that there will be an influx of competition in the field over the next few years.

"Security vendors have finally found time to focus on industrial control system (ICS) security, not only on advanced metering infrastructure (AMI) security – although a few security vendors have focused on ICS from the outset. The utility cyber security market will be characterized by a frantic race to gain the upper hand against the attackers, while at the same time strong competitors attempt to outdo each other," the report warns.
The Pike report focuses on the following issues:
  • What factors could drive smart grid cyber security investment?
  • How important could industrial control system (ICS) security be?
  • What has changed since Stuxnet was discovered?
  • What is the effect of the lack of smart grid cyber security standards?
  • What are the most promising smart grid cyber security technologies?
Last week, the National Institute of Standards and Technology (NIST) released the updated standards guidelines for converting the nation's outdated power grid structure to a modern smart grid operation.

The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 outlines the game plan to "integrate information and communication technologies with a power-delivery infrastructure, enabling two-way flows of energy and communications," according to the NIST.

"Making such dramatic changes to the power grid requires an overarching vision of how to accomplish the task, and this updated Framework advances that vision," said NIST's National Coordinator for Smart Grid Interoperability George Arnold.

"Utilities, manufacturers, equipment testers and regulators will find essential information in the Framework that was not previously available," Arnold continued.

The updates include the addition of twenty-two standards to the previously released seventy-five issued in the standard's first edition in 2010.

Tuesday, December 6, 2011

Securing Smartphones in the Bring-Your-Own-Device (BYOD) Era

5 Security Challenges BYOD Presents

Most organizations remain uncomfortable letting their employees use their own mobile devices to access their IT systems. Yet, in many instances, those charged with securing their enterprises' IT understand that it's just a matter of time before they must grant workers permission to use those devices.

BYOD stands for bring your own device, and it's one of the hottest challenges IT security organizations face as a growing number of employees use their own BlackBerrys, iPhones, iPads and Droids to access their employers' IT systems. In instances where such practices are banned, employees are demanding that the prohibition be lifted.

That's causing much reflection among IT security professionals. Executives and managers charged with IT security have identified five challenges that must be surmounted before their organizations can allow secure access to their systems by smartphones and tablet computers owned by their employees. These challenges include policy enforcement, physical theft, malware prevention, IT support and employee education.

Policy Enforcement

Many IT security leaders aren't sure if their teams are ready to take on additional responsibilities of continuously monitoring these devices and people's behavior.

Physical Theft

Think about it: the chance of losing a mobile device owned by an individual - or having it stolen - is a lot greater than for one owned by the employer. A personally owned device goes everywhere with its owner; that's not necessarily true of a company-owned device. That provides little comfort for IT security managers responsible for safeguarding sensitive corporate data.

Except for BlackBerrys, most other mobile devices don't readily support encryption. If someone steals an iPhone or an Android smartphone, the unencrypted data on that device could be exposed to the thief.

But by placing proper controls on user-owned devices, unauthorized individuals can be prevented from gaining access to sensitive data. If employees want to use their own smartphones or tablet PCs for work, they must agree to seven security controls (see 7 Steps to Secure Mobile Devices), including strong passwords and remote wipe.

Such an approach places part of the security burden on the employee. And half of the employees who had been using their own devices to access the state network decided not to do so when Delaware implemented its BYOD policy a year ago.

Malware Prevention

Devices used for personal activities are more prone to malware; after all, they're accessing a number of consumer sites that don't necessarily provide the same security as many sites designed for business-to-business transactions.

Many CIOs worry not only about insecure applications downloaded onto these devices, but also about so-called jailbroken smartphones and tablets that are opened and altered to permit use of software the manufacturer didn't design the device for.

Many banks scrutinize all employee-owned devices before allowing them to access their networks, to ensure they're safe and not jailbroken. They also make sure all personally owned devices contain anti-malware software that includes features to alert bank security personnel should a virus surface.

IT Support

Letting employees use their own devices presents a nightmarish scenario for many organizations: supporting a wide range of gadgets, operating systems and software. Organizations must define which devices to support based on how they'll be used. It may be OK to limit certain devices to accessing specific applications, such as e-mail, and restrict their access to other programs behind the firewall.

Employee Education

Getting employees to know about the policy and why it's important for them to implement security controls requires education.

Indeed, security awareness and training are crucial elements in allowing employees to use their own mobile devices, and it's important that IT security leaders prepare their staffs - and themselves - for the advent of widespread adoption of BYOD.

Sunday, December 4, 2011

How can a person remove personal information from the Internet?

A Concerned Reader Wants to Know...

First, the bad news. As soon as any kind of information, including personal information, is online, anyone can copy and store or post it elsewhere. What's worse, there are tools that are constantly searching the Internet for specific types of data.

Once they find it, they can grab it, copy it, post it and store it - for any number of purposes.

4 steps you can take if something gets online that you don't want:
  1. Delete what you can yourself as soon as possible.
  2. Contact the website(s) where it is located and ask them to remove it.
  3. Enlist the help of a lawyer or online data removal service (e.g. Reputation Defender, Reputation Changer) to remove what you can't, or what the website won't.
  4. Remain diligent and check often (for instance, by setting a Google Alert) to ensure you catch any reposting of the information.

Saturday, December 3, 2011

Norway hit by major data-theft attack

Industrial secrets from companies were stolen and "sent out digitally from the country"

Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said.
Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.

The methods varied, but in some cases individually crafted e-mails, armed with viruses, would sweep recipients' entire hard drives for data and steal passwords and confidential documents.

The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.
Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan Horse, a particularly potent computer virus, being installed on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments.

Refer here to read further details.

Thursday, December 1, 2011

DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack

Apparent cyberattack destroys pump at Illinois water utility

A pump at a public water utility in Springfield, Illinois was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.

ICS-CERT has released the following statement saying that DHS and the FBI have disputed that the Springfield, Illinois incident was a cyberattack.

ICS-CERT is assisting the FBI to gather more information about the separate Houston incident.

UPDATE - Recent Incidents Impacting Two Water Utilities
ICSJWG Communications [ICSJWG.Communications@HQ.DHS.GOV]


After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.


Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting:

Tuesday, November 29, 2011

BEWARE: Facebook Scam threatening to delete your account!

Sending a fraud request

A Facebook scam, dubbed the cleverest yet, gets users to provide their passwords and financial details by accusing them of violating the site's policy and threatens to delete their account.

Experts said the recent assault designed to steal users' Facebook details is among the most sophisticated yet because it mimics the security procedures that sites use to defend against internet trolls and other bad behaviour online.

The scam comes in an email accusing the user of insulting or annoying another Facebook user and saying their account will be deleted in 24 hours.

The email requires Facebook login details and, for "authentication" purposes, parts of a person's credit card details. The email links to a fake account-disabled page that asks for personal details, including credit card information.

The access to login details helps the scam travel farther and faster by sending it to new users from trusted friends.

Expert Advice:

The emails are entirely bogus. They are not coming from Facebook. Social media venues would not request financial information, nor would they request login details. With the credit card information, fraudsters can conduct identity theft and other malicious financial activity.

Website Hoax-Slayer discovered the scam and warned against emails with the phrase: "Last warning: Your account is considered to violated the policies that are considered annoying or insulting to Facebook users."

Sunday, November 27, 2011

Department of Homeland Security (DHS) Cyber Security Audit FAIL

The DHS US-CERT office is currently plagued by at least 600 vulnerabilities

A new report warns that the Department of Homeland Security (DHS) is falling short on some cybersecurity protocols.

The news of cybersecurity shortcomings at the agency is more than slightly concerning, as DHS has been tapped to lead information security efforts nationally for both the public and private sectors.

The report, titled DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, indicates that the DHS has failed a security audit conducted by the agency's own Inspector General:

The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:
  • Determined what and how cybersecurity data is collected and maintained by US-CERT

  • Evaluated the adequacy of physical security controls implemented to protect NCSD’s cybersecurity program systems

  • Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data.

  • Determined whether the system documentation for DHS' cybersecurity program systems has been completed in compliance with DHS and FISMA requirements

"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.

The report indicates the DHS US-CERT is grappling with more than six hundred network vulnerabilities, with more than two hundred of them having been identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.

Friday, November 25, 2011

The FUD: Cyber Attacks on Illinois Water Systems?

US Water System Hacked: A Community-Wide Issue

On November 17th Joe Weiss, a well-known member of the Industrial Control System (ICS) community, posted on his blog about a recent US water system hack.

Joe points out that the disclosure concerning the Nov 8th supervisory control and data acquisition (SCADA) hack was made by the Illinois Statewide Terrorism and Intelligence Center on Nov 10th.

Joe's post stated that the SCADA software vendor was compromised and that customer usernames and passwords were stolen as well as possible physical damage to the utility. He further states that the IP address of the attacker traced back to Russia, which does not provide any attribution but is nevertheless interesting.

The compromise of a US water facility should be concerning for a number of reasons. Firstly, the idea of anyone or any group (nation state or not) breaking into SCADA and control systems in the US highlights a weakness in our nation's infrastructure.

What is hard to discern though is how many attacks are prevented on a daily basis by the men and women taking up the very difficult challenge of cyber defense. Regardless though, this is a fight that must continue to get support and attention in the cyber community.

Secondly, a water facility has a direct impact on the health of the citizens it serves. A compromise of such a facility, depending on its scale, could reasonably lead to the loss of life. This is to say that the security concern for the ICS and SCADA community is not and cannot simply be financial.

The reported attack against this water SCADA system, although it is impossible to determine at this time, could be this style of attack. This is important to think about with regard to what future attacks may hold, what the motives for the attacks are, and what attacks may currently be going unnoticed.

Please refer here to read more interesting analysis.

Wednesday, November 23, 2011

Will hackers continue to dominate in 2012? Join the discussion by participating in live webinars

Hackers and Threats Summit l Free Online Event

Calling 2011 the year of hackers would not be an overstatement. With high-profile system intrusions constantly making headlines worldwide, hackers, good and bad, exposed security system vulnerabilities across every industry, proving the necessity to better protect and monitor networks and data.

Will hackers continue to dominate in 2012? Will organizations be better prepared by then? Join the discussion by participating in live webinars with industry experts to prepare for a smarter 2012.

Sign up to attend the live interactive webcasts on December 7, 2011, or view them afterward on demand here:


‘Advanced Persistent Threats - The Hacker's Latest Weapon or Just Marketing Spin?’

Ron Condon, Editor, (Moderator); Warwick Ashford, Editor,; David Perry, Trend Micro

‘Exploring the Digital Underworld: Botnets, Zero Day Threats and Phishing’
Daniel Ayoub, SonicWALL

‘Global Info Sec Landscape: Recapping 2011 and Looking Ahead to 2012’
Jay Bavisi, President, EC-Council

‘Surviving the Mobile Device Invasion – When Mobile Tries to Connect to IT’
Cameron Camp, ESET

You can view the full lineup and sign up to attend any or all presentations at

This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Sunday, November 20, 2011

Hackers attack Norway's oil, gas and defence businesses

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks.

Industrial secrets and information about contract negotiations had been stolen, said Norway's National Security Agency (NSM).

It said 10 firms, and perhaps many more, had been targeted in the biggest wave of attacks to hit the country.

Norway is the latest in a growing list of nations that have lost secrets and intellectual property to cyber thieves.

The attackers won access to corporate networks using customised emails with viruses attached which did not trigger anti-malware detection systems.

Targeted attacks

The NSM said the email messages had been sent to specific named individuals in the target firms and had been carefully crafted to look like they had come from legitimate sources.

Many of the virus-laden emails were sent while the companies were in the middle of negotiations over big contracts.

It said user names, passwords, industrial drawings, contracts and documents had been stolen and taken out of the country.

The NSM believes the attacks are the work of one group, based on its analysis of the methods used to target individuals, code inside the viruses and how the data was extracted.

The agency said it was publishing information about the attacks to serve as a warning and to encourage other targeted firms to come forward.

"This is the first time Norway has revealed extensive and wide computer espionage attacks," the NSM said in a statement.

Singled out

It said it found out about the attacks when "vigilant users" told internal IT security staff, who then informed the agency.

However, the NSM said, it was likely that many of the companies that had been hit did not know that hackers had penetrated their systems and stolen documents.

Security firms report that many other nations and industrial sectors have been targeted by data thieves in recent months.

The chemical industry, hi-tech firms and utilities appear to have been singled out.

Sourced: BBC News

Thursday, November 17, 2011

How Do Thieves Steal Your Credit Card Data?

Some tips to avoid identity theft and the theft of your credit card data.


These days, thieves only need a minute, sometimes a second, to pilfer your credit card data.

This year criminals hacked, phished or skimmed their way into the systems of Sony, marketing firm Epsilon, Citibank and even security expert RSA, among others. In some cases, they only obtained names and emails. In the worst cases, they got credit card numbers.

Identity theft and cyber fraud cost Australia a whopping $8.5 billion every year. One in five Australians will be hit and it's getting worse every day.

The most common schemes are simpler than you think. Let's take a look at the most common ways thieves pilfer your credit card information.

Suspect 1: The Waitress At Your Local Cafe

Mode Of Operation:

When it's time to pay, the waitress whisks away your credit card and swipes it through the restaurant's register. Then she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that.

While you're scraping the last of the chocolate cake from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week.

Known Whereabouts:

The data-stealing waitress has been known to moonlight as a bartender, sales assistant or at any place where she can take your credit card out of sight.

Suspect 2: The Toy Store Trio

Mode Of Operation:

Sally, Simon and Greg walk into a toy store. Sally and Simon roam the aisles, while Greg waits in line to check out. When Greg is at the register, Simon comes running up to the shop assistant, screaming that his wife has fainted.

As Sally and Simon distract the shop assistant, Greg switches the credit card reader at the register with a modified one of his own.

For the next week, the shop assistant unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal.

Known Whereabouts:

The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.

Suspect 3: The Petrol Prowler

Mode Of Operation:

The Petrol Prowler parks her car in front of a petrol station off the highway. It's late. There's no one around except a sleepy shop assistant at the register inside. The Petrol Prowler attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by.

The Petrol Prowler pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days.

Known Whereabouts:

The Petrol Prowler installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.

Suspect 4: Harry the Hacker and Phishing Phil

Mode Of Operation:

Harry the Hacker installs malware - a type of software that damages or infiltrates a computer or network - onto a legitimate website with low security. The malware instantly downloads onto your computer when you visit the site and allows Harry to access your information. In another scenario, Harry puts malware on public computers and gathers the information you share with that computer.

Phishing Phil uses malware to go after your laptop. He sends emails with attachments that promise dancing kittens or some other bait. When the user opens the attachment, malware instantly downloads onto the computer and leaves confidential information vulnerable.

Phil also sends emails from a familiar sender with a link to a contaminated website that installs malware onto your computer. Some malware, called spyware, allows Phil to capture every keystroke including passwords to your financial accounts.

What Happens To Your Information?

Mode Of Operation:

So what happens to these pieces of data when they're in no-good hands? They get sold.

The waitress, trio or Petrol Prowler may be able to sell each swipe for $20 to $40 a pop. Harry the Hacker and Phishing Phil could get $5 to $10 a card and often sell the information online at the eBay of credit card activity.

The person who buys the information verifies it and then sells it to a person who creates fraudulent credit cards with your account information attached. The card maker then sells them to other criminals, who buy goods such as stereos or baby formula and sell them to regular consumers.

Identity Theft: How To Avoid It

  1. Set up mobile alerts for your phone if your financial institution provides the feature. That way, you can be aware of unusual activity as quickly as possible.

  2. Regularly monitor your accounts online, so you can identify fraudulent transactions faster.

  3. Avoid public computers. Don't log onto your email if your bank corresponds with you there. One idea is to set up an email account just for your finances and then only check it from safe locations.

  4. Avoid doing business with unfamiliar online vendors. Stick to established merchants and websites.

  5. If your information has been compromised, notify your financial institutions immediately and also inform the police what has happened.

Monday, November 14, 2011

Now you can DDOS SSL?

SSL DDOS tool released in to the wild with download

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today.

Vendors have been aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure renegotiation feature.

Comparing flood DDoS vs. SSL-exhaustion attack: a traditional flood DDoS attack cannot be mounted from a single DSL connection.

This is because:
  • The bandwidth of a server is far superior to the bandwidth of a DSL connection
  • A DSL connection is not an equal opponent to challenge the bandwidth of a server
  • This is turned upside down for THC-SSL-DOS
  • The processing capacity for SSL handshakes is far superior at the client side
  • A laptop on a DSL connection can challenge a server on a 30Gbit link

Traditional DDoS attacks based on flooding are suboptimal. Servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when not under attack. The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are not prepared to handle large numbers of SSL handshakes. The worst attack scenario is an SSL-exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for whitehats
  1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
  2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  3. Be smart in target acquisition: The HTTPS port (443) is not always the best choice. Other SSL-enabled ports are less likely to use an SSL Accelerator (like POP3S, SMTPS, ... or the secure database port).

Countermeasures: No real solution exists. The following steps can mitigate (but not solve) the problem:
  1. Disable SSL renegotiation
  2. Invest in an SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
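Because the countermeasures above only mitigate the problem, a defender also wants to recognise the pattern in server logs: one TCP connection performing one full handshake and then renegotiating in a tight loop, or a single client driving a handshake rate that eats into the roughly 300 handshakes per second the text cites as typical server capacity. The detector below is an added example, not code from THC or any vendor; it assumes a hypothetical log format (`<ISO timestamp> <client> <connection-id> <HANDSHAKE|RENEG>`), thresholds chosen for the example, and constructed sample lines.

```python
"""Flag SSL/TLS handshake-exhaustion patterns in a connection log.

Added example for this page, not code from THC or any vendor. The log
format, thresholds and sample lines are all assumptions made here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    client: str   # source address of the TCP connection
    conn: str     # identifier of the TCP connection on the server
    kind: str     # "HANDSHAKE" = new full handshake, "RENEG" = renegotiation on an existing connection


# Hypothetical log format: "<ISO timestamp> <client> <connection-id> <HANDSHAKE|RENEG>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<conn>\S+)\s+(?P<kind>HANDSHAKE|RENEG)$")

# Thresholds are assumptions for the example. The page quotes ~300 handshakes/s as
# typical server capacity, so ten clients at PER_CLIENT_PEAK would saturate it.
PER_CLIENT_PEAK = 30        # handshake-class events per client in any 1 s window
RENEG_PER_CONNECTION = 5    # renegotiations on one TCP connection
WINDOW = timedelta(seconds=1)


def parse_log(text: str) -> List[Event]:
    """Parse log lines; blank lines, comments and unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["client"], m["conn"], m["kind"]))
    return events


def peak_rate_per_client(events: List[Event], window: timedelta = WINDOW) -> Dict[str, int]:
    """Largest number of handshake-class events from each client inside any sliding window."""
    stamps_by_client = defaultdict(list)
    for e in events:
        stamps_by_client[e.client].append(e.ts)
    peaks = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            # shrink the window from the left until it spans less than `window`
            while t - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks


def renegotiations_per_connection(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Count RENEG events per (client, connection); full handshakes are not counted."""
    counts = defaultdict(int)
    for e in events:
        if e.kind == "RENEG":
            counts[(e.client, e.conn)] += 1
    return dict(counts)


def find_suspects(events: List[Event]) -> Dict[str, List[str]]:
    """Map each suspicious client to the reasons it was flagged."""
    reasons = defaultdict(list)
    for client, peak in peak_rate_per_client(events).items():
        if peak > PER_CLIENT_PEAK:
            reasons[client].append(f"{peak} handshake-class events in one {WINDOW.total_seconds():g}s window")
    for (client, conn), n in renegotiations_per_connection(events).items():
        if n > RENEG_PER_CONNECTION:
            reasons[client].append(f"{n} renegotiations on connection {conn}")
    return dict(reasons)


def build_sample_log() -> str:
    """Constructed sample: one ordinary client and one client renegotiating in a tight loop."""
    base = datetime(2011, 11, 14, 10, 0, 0)
    lines = ["# constructed sample, not real traffic"]
    # benign: three sessions over three seconds and one legitimate renegotiation
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.2 b{i} HANDSHAKE")
    lines.append(f"{(base + timedelta(seconds=1, milliseconds=200)).isoformat()} 198.51.100.2 b1 RENEG")
    # exhaustion pattern: one full handshake, then 40 renegotiations on the same connection in 0.8 s
    lines.append(f"{base.isoformat()} 203.0.113.7 a0 HANDSHAKE")
    for i in range(1, 41):
        lines.append(f"{(base + timedelta(milliseconds=20 * i)).isoformat()} 203.0.113.7 a0 RENEG")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, why in find_suspects(parse_log(build_sample_log())).items():
        print(client, "->", "; ".join(why))
```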
Download SSL DDOS Tool:

Windows binary:

Unix Source : thc-ssl-dos-1.4.tar.gz

Wednesday, November 9, 2011

Guidance to Safeguard Digital Assets in Fiscally Challenged Times

12 Core Information Security Services

To help states keep their IT security robust in these tough economic times, the National Association of State Chief Information Officers has published a taxonomy of a dozen critical IT security services.

The 12 core services identified in the report, The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs, could prove useful for other government and non-government organizations working to secure their information assets under financially challenging conditions.

1. Information Security Program Management: Plans, provides oversight and coordinates all information security activities.
  • Align security program activities and staff with a generally accepted best practice framework.
  • Oversee the creation and maintenance of information security policies, standards, procedures and guidelines.
  • Create and maintain strategic and tactical plans.
  • Coordinate the movement of plans, policies, standards and other authoritative documents through a governance process.
  • Track information security risk key performance indicators.
  • Disseminate security metrics and risk information to executives and other managers for decision making.
  • Coordinate security efforts.
2. Secure System Engineering: Designs appropriate security controls in new systems or systems that are undergoing substantial redesign, including in-house and outsourced solutions.
  • Integrate information security design requirements in the system development life cycle.
  • Participate as a security consultant on significant technology projects.
  • Assist with the creation of system security plans, outlining key controls to address risks.
  • Assist with the creation of residual risk documentation for management acceptance.
  • Integrate security requirements into contracts for outsourced services.
  • Assist with the creation of information security policies, standards, procedures and guidelines.
  • Assist with the creation of secure configuration standards for hardware, software and network devices.
3. Information Security Awareness and Training: Provides employees at all levels with relevant security information and training to lessen the number of security incidents.
  • Coordinate general security awareness training for all employees and contractors.
  • Coordinate security training for groups with specialized needs, such as application developers.
  • Provide persistent and regular messaging relating to cybersecurity threats and vulnerabilities.
4. Business Continuity: Ensures that critical business functions will be available in a time of crisis.
  • Coordinate business impact analysis.
  • Develop appropriate recovery strategies for services.
  • Develop disaster recovery plans for identified key technologies.
  • Coordinate testing to ensure that services can be recovered in the event of an actual disaster.
5. Information Security Compliance: Validates that information security controls are functioning as intended.
  • Coordinate continuing assessments of key security controls in in-house and outsourced systems.
  • Complete independent pre-production assessments of security controls in new systems or systems that are undergoing substantial redesign.
  • Coordinate all IT audit and assessment work done by third-party auditors.
  • Monitor third parties' compliance with state security requirements.
6. Information Security Monitoring: Gains situational awareness through continuous monitoring of networks and other IT assets for signs of attack, anomalies and inappropriate activities.
  • Create and implement an event logging strategy.
  • Place sensors, agents and security monitoring software at strategic locations throughout the network.
  • Monitor situational awareness information from security monitoring and event correlation tools to determine events that require investigation and response.
  • Disseminate potential security events to the information security incident response team.
7. Information Security Incident Response and Forensics: Determines the cause, scope and impact of incidents to stop unwanted activity, limit damage and prevent recurrence.
  • Manage security incident case assignments and the security investigation process.
  • Mobilize emergency and third-party investigation and response processes, when necessary.
  • Consult with system owners to help quarantine incidents and limit damage.
  • Consult with human resources on violations of appropriate use policy.
  • Communicate with law enforcement, when necessary.
8. Vulnerability and Threat Management: Continuously identifies and remediates vulnerabilities before they can be exploited.
  • Strategically place scanning tools to continuously assess all information technology assets.
  • Implement appropriate scan schedules, based on asset criticality.
  • Communicate vulnerability information to system owners or other individuals responsible for remediation.
  • Disseminate timely threat advisories to system owners or other individuals responsible for remediation.
  • Consult with system owners on mitigation strategies.
9. Boundary Defense: Separates and controls access to different networks with different threat levels and sets of users to reduce the number of successful attacks.
  • Assist with the development of a network security architecture that includes distinct zones to separate internal, external and demilitarized-zone traffic and segments internal networks to limit damage, should a security incident occur.
  • Participate in the change management process to ensure that firewall, router and other perimeter security tools enforce network security architecture decisions.
  • Periodically re-certify perimeter security access control rules to identify those that are no longer needed or provide overly broad clearance.
10. Endpoint Defense: Protects information on computers that routinely interact with untrusted devices on the internet or may be prone to loss or theft.
  • Manage processes and tools to detect malicious software.
  • Manage processes and tools that only permit trusted software to run on a device, commonly referred to as whitelisting.
  • Manage processes and tools to prevent certain software from running on a device, commonly referred to as blacklisting.
  • Manage processes and tools to identify unauthorized changes to secure configurations.
  • Manage processes and tools to encrypt sensitive data.
11. Identity and Access Management: Manages the identities of users and devices and controls access to resources and data based on a need to know.
  • Maintain identities, including provisioning and de-provisioning.
  • Enforce password policies or more advanced multifactor mechanisms to authenticate users and devices.
  • Manage access control rules, limiting security access to the minimum necessary to complete defined responsibilities.
  • Periodically recertify access control rules to identify those that are no longer needed or provide overly broad clearance.
  • Restrict and audit the use of privileged accounts that can bypass security.
  • Define and install systems to administer access based on roles.
  • Generate, exchange, store and safeguard encryption keys and system security certificates.
12. Physical Security: Protects information systems and data from physical threats.
  • Maintain facility entry controls and badging systems.
  • Manage equipment and media destruction processes.
  • Maintain building emergency procedures.
  • Perform screening/background checks on job applicants.
  • Implement controls to mitigate facility vulnerabilities.