Tuesday 30 June 2015

China’s hackers become its cyber gatekeepers

CHINA, long accused by the US of rampant cyber aggression, may be synonymous with hacking exploits these days, but that does not mean every Chinese hacker is out to pilfer and destroy.

As Chinese companies grapple with a sharp increase in the number of cyberattacks, many hackers are finding it increasingly lucrative to go above board and join the country’s nascent cybersecurity industry.

Zhang Tianqi, a 23-year-old Beijinger, cut his teeth in high school trying to infiltrate foreign websites, skirting domestic law by probing for vulnerabilities on overseas gaming networks.

Now, after a stint working at internet blue chip Alibaba Group, he is the chief technology officer of a Shanghai-based cybersecurity firm that owns Vulbox.com, a site offering rewards for vulnerability discoveries, and internet security media site FreeBuf.com.

National priority

“I’d been messing around in the field in my early years, but luckily it just so happens now that there’s this trend of China taking information security very seriously,” Zhang said on June 18.

China’s President Xi Jinping has made cybersecurity a national priority as the country starts to feel the impact of rapid economic growth occurring without a corresponding development in data protection.

In May, China’s National Computer Network Emergency Response Technical Team, a non-profit agency, said it had recorded 9,068 instances of data leaks in 2014, three times as many as in 2013, reflecting the “grim challenges” of Chinese cybersecurity, according to the official Xinhua news agency.

To tackle this, dozens of cybersecurity companies are cropping up across China, according to industry observers, populated by young techies with genuine security skills and work experience at firms like Alibaba, Tencent and Baidu.

China is hoping that domestic cybersecurity groups will provide most of its companies with defences against hacking, rather than them relying on foreign firms like Symantec, Kaspersky and EMC Corporation’s RSA.

The gradual professionalisation of China’s bedroom hackers traces the country’s rise as an economic and technological force, and its sometimes conflicted position in the escalating global data security arms race.

The US government has attributed sophisticated attacks – including the large-scale data theft this month from the Office of Personnel Management (OPM) – to increasingly advanced state-affiliated teams from China.

But former hackers say the majority of their peers are joining a burgeoning industry to help Chinese firms fend off the numerous attacks they face.

China has denied any connection with the OPM attack and little is known about the identities of those involved in it.

Crackdown

The Cyberspace Administration of China told Reuters in a June 19 fax that it opposed “any form of network attack” and did “not allow any groups or individuals to engage in network-attacking activities” within its borders.

The cybersecurity industry’s growth was partly spurred by a government crackdown on China’s hacking community five years ago – around the same time Beijing passed a series of laws banning hacking and spamming tools and requiring telecom operators to help suppress attacks.

Government sweeps largely silenced once-raucous online forums like kanxue.com, where hackers traded tips and boasted about their conquests.

Many chose to shift from “black hat” activities to “white hat” ones, using their skills to find network vulnerabilities so that they can be fixed.

China’s government has also been working to ramp up the data security of the country as a whole. Agencies, including the Cyberspace Administration of China, have led educational efforts around promoting data security.

Zhang said China was still playing catch-up with the US on both the cybersecurity and cyber espionage fronts. – Reuters

View the original content and more from this author here: http://ift.tt/1GM5kdh



from cyber security caucus http://ift.tt/1GM5kdj
via IFTTT

Should Investors Take A HACK At This Idea?

Summary

  • The latest case of cyber espionage has resulted in the theft of personal information of more than 4 million government employees.
  • The sophistication, scale and frequency of cyber-attacks has only increased, and threats are becoming more and more complicated.
  • Let’s get a lay of the land of companies that are poised to help put down such criminal behavior, and how investors can play this secular theme.
  • You may be surprised by our favorite idea in this space.

“The new generation of cyber-attacks on organizations, including large and small enterprises and governments worldwide, is characterized by an unprecedented escalation in the complexity and scale of advanced malware created by criminal organizations and nation-states. These modern attacks are built on dynamic, stealthy and targeted malware that penetrates defenses in multiple stages and through multiple entry points of an IT network. These highly targeted, “single-use” cyber-attacks easily circumvent legacy security solutions that rely on pattern-matching detection technologies. Additionally, because legacy solutions reference outdated signatures of past threats, they also generate a high number of false-positive alerts.” – FireEye (NASDAQ:FEYE) Annual Report, 2014

The statistics are striking.

According to a 2011 survey of roughly 580 US IT experts by the research center Ponemon Institute, an estimated 90% of organizations have at one time suffered a cybersecurity breach. Believe it or not, the Pentagon said in a 360-plus-page report that, as of 2014, nearly every US weapons program that was tested showed “significant vulnerabilities” to cyberattacks. The news reminds us of the 1980s flick WarGames. It flat-out irks us that there’s a chance hackers can access US weapons programs.

Just this week, US officials announced that they believe China was behind a breach affecting the information of at least 4 million federal employees. This was allegedly the second intrusion by the country in the past few months, and the largest breach of federal employee data in some time. Russia has also been tied to cybercrimes against White House computers. It appears the US is fighting yet another war – not one with guns and bullets, but one against cyber adversaries. The plot of that 1980s teenage Matthew Broderick movie can’t happen in real life, can it?

The world is simply not prepared for the latest round of criminal activity… in cyberspace.

The sophistication, scale and frequency of cyberattacks, coupled with the complexity of new technologies from cloud computing and virtualization to enterprise mobility and social networking, have made it incredibly difficult to keep important information and data safe. Reports from the Snowden documents, for example, contend that China stole “many terabytes” of data about Lockheed Martin’s (NYSE:LMT) F-35. China’s new J-31 Gyrfalcon does look a lot like the F-35. In 2014 alone, there were 20 major data breaches, with Home Depot (NYSE:HD), Target (NYSE:TGT) and JPMorgan (NYSE:JPM) perhaps making the biggest headlines, but even companies such as Staples (NASDAQ:SPLS), Bebe (NASDAQ:BEBE) and Sony (NYSE:SNE) were affected. Sony’s network was taken hostage by a grinning skull.

Some estimates peg the cyber security market to surpass $150 billion by 2019 from under $100 billion today, but the reality is that the changing and evolving landscape could make this figure much larger. Traditional players such as Hewlett-Packard (NYSE:HPQ), Cisco (NASDAQ:CSCO), Check Point Software Technologies (NASDAQ:CHKP), Computer Sciences Corp. (NYSE:CSC), IBM Corp. (NYSE:IBM), Booz Allen (NYSE:BAH), Lockheed Martin, Northrop Grumman (NYSE:NOC), Trend Micro (OTCPK:TMICY), Fortinet (NASDAQ:FTNT), Barracuda Networks (NYSE:CUDA), and Symantec Corp. (NASDAQ:SYMC) will be vying for share. But there are others as well. FireEye, Palo Alto Networks (NYSE:PANW), Imperva (NYSE:IMPV), VASCO Data Security (NASDAQ:VDSI), Zix Corp. (NASDAQ:ZIXI), Qualys (NASDAQ:QLYS), Proofpoint (NASDAQ:PFPT), AVG Tech (NYSE:AVG), and CyberArk Software (NASDAQ:CYBR) will be looking to capture a piece of the pie (potential industry earnings). Many of these firms are losing money hand over fist at the moment.

From an investment standpoint, it’s simply too early to pick the long-term winners. But even if we were pinned down to selecting just one or two potential winners, we’d maintain that the best way to gain investment exposure to rapidly expanding cybersecurity demand is via the PureFunds ISE Cyber Security ETF (NYSEARCA:HACK), which seeks to track the investment results of the ISE Cyber Security Index (the ETF’s holdings can be downloaded here). Our investment thesis on HACK rests not on identifying which company will capture the greatest share of industry earnings, but on the view that spending on cybersecurity will increase considerably more than current expectations – a far “safer” bet.

View the original content and more from this author here: http://ift.tt/1Ip8pEI

Most Singapore auditors want more time for cyber security

Some 62% of audit committee (AC) members in Singapore and 55% worldwide feel that more agenda time should be devoted to cyber security in 2015, a KPMG survey shows.

The study covers about 1,500 AC members in 27 markets, including Singapore, each represented by at least 20 responses.

The ACs of other ASEAN nations surveyed – Thailand, Indonesia and the Philippines – are less concerned with spending more time on cyber security, including data privacy and protection of intellectual property in 2015.

Less than half (47%) of Thailand’s AC members want to spend more time on cyber security, while 36% in Indonesia and 35% in the Philippines said the same.

Half of Singapore respondents also categorize the quality of information they receive about cyber security, data privacy risks and their potential impact on the company as needing improvement. This was above the global average of 41%.

Only about a third of respondents in Indonesia and the Philippines thought the information they receive about cyber issues was in need of improvement.

Thailand was the most satisfied of the ASEAN nations, with only 18% of AC members surveyed saying they wanted better-quality cyber information.

Of the ASEAN nations, Singapore had the highest percentage of respondents – 52% – who indicated that the AC’s communications with the CIO were insignificant or not applicable.

More than a third of respondents from Indonesia and Thailand also indicated the same, while only 18% of AC members surveyed in the Philippines said interactions were insignificant.

Globally, 28% of respondents said that the full board was responsible for the oversight of cyber security and data privacy risks.

The AC was next in line, with 22% of respondents indicating that the group was accountable for the majority of tasks to do with cyber security and data privacy.

For Singapore, 31% of respondents – above the global average – assigned cyber and data risk to the full board. Another 31% said the risk committee was responsible.

View the original content and more from this author here: http://ift.tt/1U3xwBt

The OPM Breach and Cybersecurity Sprint– How far will they get?

With the end of the 30-day Cybersecurity Sprint that U.S. CIO Tony Scott announced on June 12th rapidly approaching, I thought it would be a good time to look at both the 30-day goals and the goals of the Cybersecurity Sprint team that will report out at the end of the sprint.

ClickToTweet: What will result from the Cybersecurity Sprint? http://bit.ly/1Jlabp0

The four focus areas that must be reported on to the Department of Homeland Security (DHS) and to the Office of Management and Budget (OMB) by that date are:

  • Fix all critical vulnerabilities within 30 days (from the issuance of the May 21 directive from the Department of Homeland Security)
  • Tighten policies for privileged users
  • Accelerate the adoption of multi-factor authentication – especially for privileged users but also for wider employee sets
  • Immediate deployment of indicators supplied by DHS to scan systems and logs to detect attacks or the possibility of a breach (possibly this is the Einstein 3A software discussed here)

I have to think that most of what we’ll see is “reporting” at the end of the sprint. Given the scope of these changes, we can’t realistically expect that organizations will meet all of these requirements in time for the deadline.

Fix all critical vulnerabilities. This is harder than it looks unless machines are enrolled in a configuration management system. OS patches can be applied easily enough with standard patch and update tooling, but application and configuration vulnerabilities depend on the application software itself, and on organizations knowing how to find and deploy security patches for those applications. If the definition of “critical vulnerabilities” is narrow enough, the window can be met, but software and processes have to be in place for applications as well. It isn’t enough to roll out changes as they arrive from the application vendor; production systems have too many dependencies. A full change management process has to be followed to reduce the risk that an untested patch to application-level software will crash a critical application. There is a good chance that internet-facing systems (as the most critical ones) can have the majority of their critical vulnerabilities found and fixed, but full compliance for all internet-facing systems, and then for all systems connected behind them on the network, will take longer than 30 days.

Privileged users – Privileged user “policies” for how they operate can change on paper, but enforcement requires the selection, purchase and deployment of tooling. What’s more, implementing the hardware and software required for multi-factor authentication of privileged accounts has a dual problem: getting enough hardware, and enforcing its use on the software platforms. While the software side is more easily done for domain-level roles, system-level roles (such as root on UNIX and Linux systems) will require a different approach. So while a start can be made, fully implementing these policies will be time-consuming and expensive.

Multi-factor authentication – While it is “somewhat” more feasible to at least get the hardware for privileged users, it isn’t realistic to expect that the millions of federal employees without smart cards or other multi-factor authentication solutions can have something in place by the deadline. The hardware purchase and procurement problems alone prevent it. Something simple along the lines of what Google does with account access – requiring an authentication code sent via text message – might happen sooner, but is definitely not as secure.
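Of the four focus areas, the last one (scanning systems and logs against indicators supplied by DHS) is the one most amenable to a quick win, and its mechanics are simple enough to show. The Python below is an added example written for this page; it is not code from the sprint, DHS or Einstein 3A. It loads a small constructed indicator list (an IP, a CIDR range, a domain and a SHA-256 hash, all placeholder values) and matches it against constructed syslog, proxy and endpoint-agent log lines. The feed format, hostnames, addresses and hash are assumptions made for the illustration.

```python
"""Indicator matching over log lines: IPs, CIDR ranges, domains, SHA-256
hashes.  All indicators and log lines below are constructed placeholders
for this example; the feed format is an assumption, not a DHS format."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed indicator feed: one "type,value,description" per line.
INDICATOR_FEED = """\
# type,value,description  (placeholder values, not real indicators)
ipv4,198.51.100.23,constructed C2 address
cidr,203.0.113.0/24,constructed hosting range
domain,update-check.example.net,constructed staging domain
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,constructed dropper
"""

# Constructed log lines in syslog, proxy and endpoint-agent styles.
SAMPLE_LOGS = [
    "Jun 22 03:14:07 bastion sshd[4121]: Accepted publickey for svc_backup from 198.51.100.23 port 51022",
    "Jun 22 03:15:01 proxy squid[902]: 10.0.4.17 TCP_MISS/200 GET http://cdn.update-check.example.net/agent.bin",
    "Jun 22 03:15:09 ws17 edr[77]: file_created path=C:\\Users\\Public\\agent.bin sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "Jun 22 03:16:44 fw01 kernel: DENY src=203.0.113.77 dst=10.0.0.5 proto=tcp dport=445",
    "Jun 22 03:17:00 bastion sshd[4130]: Accepted publickey for alice from 10.0.9.9 port 50012",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass
class IndicatorSet:
    ips: dict = field(default_factory=dict)       # "198.51.100.23" -> description
    networks: list = field(default_factory=list)  # (ip_network, description)
    domains: dict = field(default_factory=dict)   # lower-cased domain -> description
    hashes: dict = field(default_factory=dict)    # lower-cased hex -> description


def load_indicators(feed: str) -> IndicatorSet:
    """Parse the CSV-style feed, normalising each value so that later
    comparisons are exact lookups (lower-case domains and hashes)."""
    ind = IndicatorSet()
    for raw in feed.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = [p.strip() for p in raw.split(",", 2)]
        if len(parts) < 2:
            raise ValueError(f"malformed indicator line: {raw!r}")
        kind, value = parts[0].lower(), parts[1]
        desc = parts[2] if len(parts) == 3 else ""
        if kind == "ipv4":
            ind.ips[str(ipaddress.ip_address(value))] = desc
        elif kind == "cidr":
            ind.networks.append((ipaddress.ip_network(value, strict=False), desc))
        elif kind == "domain":
            ind.domains[value.lower().rstrip(".")] = desc
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"bad sha256 indicator: {value}")
            ind.hashes[value.lower()] = desc
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return ind


def domain_match(host: str, domains: dict):
    """Return the indicator that matches host exactly or as a parent domain
    (cdn.evil.example matches an indicator for evil.example).  The bare
    TLD is never tried, so "example.net" does not match "net"."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines, ind: IndicatorSet):
    """Return (line_number, indicator_type, indicator, description) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip_s in set(IPV4_RE.findall(line)):
            try:
                ip = ipaddress.ip_address(ip_s)
            except ValueError:  # e.g. 999.1.1.1 satisfies the regex but is not an address
                continue
            if ip_s in ind.ips:
                hits.append((n, "ipv4", ip_s, ind.ips[ip_s]))
            for net, desc in ind.networks:
                if ip in net:
                    hits.append((n, "cidr", str(net), desc))
        for host in set(HOST_RE.findall(line)):
            hit = domain_match(host, ind.domains)
            if hit:
                hits.append((n, "domain", hit, ind.domains[hit]))
        for digest in set(SHA256_RE.findall(line)):
            if digest.lower() in ind.hashes:
                hits.append((n, "sha256", digest.lower(), ind.hashes[digest.lower()]))
    return hits


if __name__ == "__main__":
    for n, kind, value, desc in scan_logs(SAMPLE_LOGS, load_indicators(INDICATOR_FEED)):
        print(f"line {n}: {kind} {value} ({desc})")
```

Parent-domain matching (so cdn.update-check.example.net hits an indicator for update-check.example.net) and CIDR containment are what separate this from a plain grep, and the hash comparison is case-insensitive because different agents emit different cases. In practice the hit list would be pushed into a SIEM or ticketing queue rather than printed, and the feed refreshed on a schedule as DHS issues new indicators.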

View the original content and more from this author here: http://ift.tt/1LSiWa9

OPM hit by class-action suit over breach of federal employee data

A federal employees union has filed a lawsuit against the U.S. Office of Personnel Management, its leadership and a contractor, alleging that their negligence led to a data breach that compromised the personal information of millions of current, former and prospective government employees and contractors.

Since at least 2007, the OPM has been warned by its Office of Inspector General of significant deficiencies in its cybersecurity protocol, according to the proposed class-action suit filed Monday by the American Federation of Government Employees in the U.S. District Court for the District of Columbia.

However, OPM failed to take measures to correct these issues, despite handling massive amounts of federal applicants’ private, sensitive and confidential information, it added. The data handled by the OPM included a 127-page form, called Standard Form 86, which requires applicants for security clearances to answer questions on their financial histories and investment records, children’s and relatives’ names, foreign trips and contacts with foreign nationals, past residences, and names of neighbors and close friends, according to the filing.

The lawsuit names the OPM, its director, Katherine Archuleta, and its chief information officer, Donna Seymour. Also charged is KeyPoint Government Solutions, a provider of investigative and risk mitigation services to the OPM.

The federal personnel agency announced on June 4 that it had been the victim of a massive cyberattack that could have compromised the personally identifiable information of up to 4 million persons. It said that as the investigation was ongoing, other exposures of personal information could come to light. Some accounts have put the figure of people that could be affected as high as 18 million.

When KeyPoint, which handled the majority of federal background checks, announced in December that it had faced a computer network breach, a spokeswoman of the OPM said there was “no conclusive evidence to confirm sensitive information was removed from the system” but that the OPM would notify 48,439 federal workers that their information may have been exposed, according to the complaint.

But after the OPM hack became public, Archuleta and the OPM identified the misuse of a KeyPoint user credential as the source of the breach, it added.

Despite knowing about the KeyPoint breach and explicit warnings about shortcomings in its cybersecurity protocol and the dangers associated with those deficiencies, the OPM leaders chose not to shut down the agency’s software systems, according to the employees.

“The combination of KeyPoint’s cyber security weaknesses and the OPM’s cyber security failures caused the massive scope of the OPM Breach,” according to the filing by the AFGE jointly with one current and another former employee of the federal government, who had both received notifications that their personal identifiable information may have been exposed in the OPM data breach.

The petition asks the court for certification of the case as a class action and appropriate relief to the plaintiffs and class members, including actual and statutory damages. It also wants a ruling that KeyPoint “breached its duty to implement reasonable security measures to safeguard and protect” the personally identifiable information of the plaintiffs and the class members that was compromised in the OPM breach. The employees have asked for a jury trial.

KeyPoint and OPM could not be immediately reached for comment.

The woes of the OPM continue to mount after it was reported that a second breach compromised a database containing copies of the Standard Form 86 questionnaires that are used by people seeking a national security clearance. The agency has come under scathing criticism from lawmakers and experts over its handling of the crisis.

On Monday, OPM said it was temporarily suspending its E-QIP system, a Web-based platform used to complete and submit background investigation forms, as a proactive security measure after a vulnerability was found in the system. The OPM said there was no evidence that the vulnerability had been exploited.

View the original content and more from this author here: http://ift.tt/1RPiJGE

Monday 29 June 2015

U.S. Panel Aims to Shield Planes From Cyberattack

U.S. aviation regulators and industry officials have begun developing comprehensive cybersecurity protections for aircraft, seeking to cover everything from the largest commercial jetliners to small private planes.

A high-level advisory committee set up by the U.S. Federal Aviation Administration—including representatives of plane makers, pilots and parts suppliers from around the globe—was scheduled to meet for the first time this month amid rising concern over potential industry vulnerability to computer hackers. The panel’s meetings are private.

On June 21, operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines said was a cyberattack on flight-planning computers. Ten LOT flights were canceled and some 15 others were grounded for several hours, affecting roughly 1,400 passengers. Though airline officials said safety was never affected, LOT’s chief executive was quoted saying that such a cyberattack “can happen to anyone, anytime.”

The goal of the FAA initiative, according to Jens Hennig, the panel’s co-chairman, is to identify the seven or eight most important risk areas and then try to reach consensus on international design and testing standards to guard against possible cyberattacks. “The industry needs a set of graduated requirements,” he said in an interview, based on the types of software and various aircraft models.

The overall level of concern is reflected in Boeing Co.’s decision to pay outside experts dubbed “red hat testers”—essentially authorized hackers—to see if built-in protections for onboard software can be defeated. Mike Sinnett, vice president of product development for Boeing’s commercial-airplane unit, said certification of the flagship 787 Dreamliner required Boeing to purposely allow such teams inside the first layer of protection to demonstrate resilience.

When it comes to protecting flight-critical software from hackers, Mr. Sinnett said, the systems can accept only “specific bits of information at specific preordained times, and it is all preprogrammed.” As a result, he added, “there’s no way for the flight-control system to pull in something” from an unauthorized source.

Such software and cockpit interfaces aboard commercial jets are tested extensively and have such a wide array of embedded safeguards that they are considered virtually impregnable to direct attack by industry outsiders, according to these experts.

Yet that hardly means airliners are beyond the reach of hackers. The biggest current risks, experts believe, stem from aircraft links to ancillary ground networks that routinely upload and download data when planes aren’t flying—including information used for maintenance, sending various software updates and generating flight plans before takeoff like those that affected LOT earlier this month.

“Where we are weak,” says Patrick Ky, executive director of the European Aviation Safety Agency, is in ensuring that a maintenance or air-traffic control system can’t be hacked and used as a conduit to get at aircraft. “What is not being done today,” he said, “is to have a view of aircraft operations in their entirety,” recognizing all the potential outside hazards.

Airbus Group SE and most of its suppliers continue to rely on a secure computer platform to protect their manufacturing operations, with some European experts advocating more aggressive efforts to expand the network to additional companies. “Every time you introduce another connection” in the form of a new supplier, “it’s another way to potentially attack the aircraft itself,” says Alain Robic, a partner in Deloitte Consulting’s French unit who works with industry clients on data security.

Mr. Robic says that ideally all of the different levels of security among suppliers to Airbus and Boeing would conform to an information-system policy self-regulated by industry leaders.

Neither LOT nor Polish authorities have identified the source of this month’s disruption. Prosecutors may also be looking at internal-software failures or other explanations for the problem, which was resolved after roughly five hours.

Whatever the exact cause, the incident points to the kind of computer problem that security experts worry about most in aviation and consider among the hardest to prevent: Attacks on maintenance or air-traffic control systems, which routinely interface with aircraft, as opposed to direct intrusions by outsiders on computers aboard planes.

Ground-based computer networks, including those between traffic-control operations, are considered less secure against hacking than those installed on aircraft, largely because onboard flight-critical systems have more internal protections and multiple redundancies to filter out intrusions. Hardware used for passenger Wi-Fi connections and entertainment options, for example, is physically separated from onboard-safety-system servers, and even electrical conduits are designed so that information doesn’t bleed between the two.

In interviews at the Paris International Airshow days before the Warsaw incident, more than a dozen international cyber experts and industry officials stressed that despite various high-profile and public allegations, they weren’t aware of a single verified instance of hackers breaching flight-control or engine-control systems on any modern jetliner while it was in the air. The current system is “working pretty well” and aviation software generally has been “pretty difficult to infiltrate,” Mr. Hennig, vice president of operations for the General Aviation Manufacturers Association, said.

But most cyberprotection systems for planes are certified using case-by-case risk assessments requiring regulators to expend a lot of resources, rather than the industrywide technical standards the FAA and Mr. Hennig foresee. European regulators are expected to eventually create a similar advisory board to coordinate future standards.

Still, with cybersecurity issues gaining more prominence throughout aviation, various initiatives are already under way. Michael Huerta, who heads the FAA, is stressing the importance of sharing details about cyber events the same way specifics of safety incidents are now distributed and analyzed world-wide. “One of the things that is absolutely critical is to have very robust mechanisms for information sharing” among regions, including threats, potential incidents and mitigations, Mr. Huerta said in an interview. “The specifics of the cyber threat require us to be sharing on a broader scale than we have done in the past.”

Industry officials at all levels are increasingly vigilant about chasing down any suspicions or allegations of unauthorized attempts to penetrate computer systems.

Today, “people try to get in your cellphone … they like to test the security of all kinds of electrical devices,” according to Carl Esposito, a senior aerospace official at Honeywell International Inc., who emphasized that aviation designs understand that trend.

A major question is whether the global industry, which relies on software development cycles that sometimes stretch into years, can remain nimble enough to stay ahead of hackers who can shift quickly from region to region and work on much shorter timelines.

“I see a lot of sharing [of data security threats], maybe not between countries but at least within countries,” said Marc Darmon, head of the cybersecurity unit for France’s Thales SA, which helps safeguard banking and a huge chunk of the world’s credit-card transactions. In the past, he said, aircraft makers and airlines believed it was enough to ensure that safety systems were isolated from accidental intrusions, but now almost every industry has adopted identification of and response to cyberattacks as major design criteria. “That was not the case 10 years ago,” he said. “It has to be the case today.”

View the original content and more from this author here: http://ift.tt/1HpRpgO

Stealthy Va.-based Cybersecurity Startup Verodin Raises $2M

A stealthy McLean, Va.-based cybersecurity startup by the name of Verodin has raised $2 million in equity from a total offering of $2.6 million, according to an SEC filing.

The financing round first appeared in an SEC form on June 26 and names former ArcSight (acquired by Hewlett-Packard) Chief Architect Christopher Key, D.C.-based Paladin Capital Group Partner Matt Bigge and inventor Benito Cianciaruso as company executives.

For the moment, there is limited information available about Verodin. It is not entirely clear whether Paladin led the funding, but it seems likely that the D.C. venture capital firm is involved in Verodin’s seed round, given Bigge’s mention in the filing.

Verodin is not currently listed as part of Paladin Capital Group’s portfolio.

An accompanying website by the name Verodin (verodin.com) was last updated in November 2014 and created in November 2013, according to domain name registration data.

Key, who is listed as the company’s CEO and founder, updated his LinkedIn profile to account for the new company in January 2014. Verodin.com is also the top web hit among Google search for the term Verodin. It is not clear if verodin.com is associated with Key’s company.

The static website page shows a single quote from Sun Tzu and reads, “To know your enemy, you must become your enemy.”

View the original content and more from this author here: http://ift.tt/1TYJxIq

SINGAPORE AUDIT COMMITTEE MEMBERS MORE CONCERNED ABOUT CYBER SECURITY THAN ASEAN PEERS

Some 62 percent of audit committee (AC) members in Singapore surveyed in a recent KPMG study of ACs said that more time should be devoted to cyber security in 2015.

However, the ACs of other ASEAN nations surveyed – Thailand, Indonesia and the Philippines – are less concerned with spending more time on cyber security, including data privacy and protection of intellectual property in 2015.

Less than half, or 47 percent, of Thailand’s AC members want to spend more time on cyber security, while 36 percent in Indonesia and 35 percent in the Philippines said the same.

Shortfall in quality of cyber information received?

Half of Singapore respondents also categorize the quality of information they receive about cyber security, data privacy risks and their potential impact on the company as needing improvement.

Again, results from the other ASEAN nations did not fully correspond with findings from Singapore.

Only about a third of respondents in Indonesia and the Philippines thought the information they receive about cyber issues was in need of improvement.

Thailand was the most satisfied of the ASEAN nations – only 18 percent of AC members surveyed said they wanted better quality cyber information.

“The Singapore results reflect heightened concerns about cyber security,” said Irving Low, Head of Risk Consulting at KPMG in Singapore. “Global cyber breaches and attacks highlight that Singapore companies are not immune. The establishment of the Singapore Cyber Security Agency also demonstrates Singapore’s commitment to monitoring and mitigating national cyber threats.

“Based on our observations, the cyber-related information provided to Boards and ACs here has not kept pace with the increasing risk cyber is posing to organizations. This is partly because of the complexity involved. Cyber security risks exist as a result of not just technological factors, but also human and cultural factors.”

Communication with CIOs

Of the ASEAN nations, Singapore had the highest percentage of respondents – 52 percent – who indicated that the AC’s communications with the CIO were insignificant or not applicable.

More than a third of respondents from Indonesia and Thailand also indicated the same, while only 18 percent of AC members surveyed in the Philippines said interactions were insignificant.

Where communication between the CIO and AC existed, 19 percent of Singapore AC members felt that improvements were needed; 23 percent felt that communications were good with periodic issues, while only six percent chose excellent.

In comparison, Thailand, Indonesia and the Philippines seemed more satisfied, with just five percent, seven percent and six percent respectively indicating that the quality of communications needed improvement.

“As many ACs delegate responsibility for overseeing risk management and internal controls, they are correspondingly overseeing more non-financial reporting risks such as compliance, operational and information technology (IT) risks and controls.

“Given how technology risks feature far more prominently in organisational risk profiles these days, the AC should engage more actively with the CIO by requesting regular updates on an organization’s IT risk profile,” said Low.

Oversight of cyber and data risks limited to specific groups

Globally, 28 percent of respondents said that the full board was responsible for the oversight of cyber security and data privacy risks.

The AC was next in line, with 22 percent of respondents indicating that the group was accountable for the majority of tasks to do with cyber security and data privacy.

For Singapore, 31 percent of respondents – above the global average – assigned cyber and data risk to the full board. Another 31 percent said the Risk Committee was responsible.

The majority of the ASEAN AC members surveyed indicated that cyber and data risk tended to be assigned to specific committees rather than to the full board.

Some 41 percent of respondents from the Philippines assigned cyber security and data privacy to the Technology Committee, 36 percent of respondents from Indonesia said the Risk Committee was responsible while 22 percent of respondents in Thailand pointed to Audit & Risk or Finance Committee.

“The board committee structure required to adequately and effectively oversee cyber and technology related risks depends on the nature, size and complexity of the organization,” said Low.

“We are certainly seeing a trend in the establishment of Board Risk Committees (separate from the AC) to enable deeper discussion and debate on key risks. We are seeing Boards taking more interest in specific risk areas, such as cyber security, given the potential for operational disruption, financial loss and reputational damage.”

View the original content and more from this author here: http://ift.tt/1CE32uT



from cyber security caucus http://ift.tt/1QYL0zf
via IFTTT

Chinese hackers take up white hats, become internet gatekeepers

China, long accused by the United States of rampant cyber aggression, may be synonymous with hacking exploits these days, but that doesn’t mean every Chinese hacker is out to pilfer and destroy.

As Chinese companies grapple with a sharp increase in the number of cyberattacks, many hackers are finding it increasingly lucrative to go above board and join the country’s nascent cybersecurity industry.

Zhang Tianqi, a 23-year old Beijinger, cut his chops in high school trying to infiltrate foreign websites, skirting domestic law by probing for vulnerabilities on overseas gaming networks.

Part of the building of ‘Unit 61398’, a secretive Chinese military unit, is seen on the outskirts of Shanghai in this February 19, 2013 photo. (Photo: Carlos Barria/Reuters)

Now, after a stint working at internet blue-chip Alibaba Group Holdings, he is the chief technology officer of a Shanghai-based cybersecurity firm which owns Vulbox.com, a site offering rewards for vulnerability discoveries, and internet security media site FreeBuf.com.

“I’d been messing around in the field in my early years, but luckily it just so happens now that there’s this trend of China taking information security very seriously,” Zhang said on June 18, from his office in a high-tech development in eastern Shanghai.

China’s President Xi Jinping has made cybersecurity a national priority as the country starts to feel the impact of rapid economic growth occurring without a corresponding development in data protection.

In May, China’s National Computer Network Emergency Response Technical Team, a non-profit agency, said it had recorded 9068 instances of data leaks in 2014, three times as many as in 2013, reflecting the “grim challenges” of Chinese cybersecurity, according to the official Xinhua news agency.

To try and tackle this, dozens of cybersecurity companies are now cropping up across China according to industry observers, populated by young techies with bona fide security skills and work experience at firms like Alibaba, Tencent Holdings Ltd and Baidu Inc.

China is hoping that eventually domestic cybersecurity groups will provide most of its companies with defences against hacking, rather than them relying on foreign firms like Symantec, Kaspersky and EMC Corp’s RSA.

The gradual professionalisation of China’s bedroom hackers traces the country’s rise as an economic and technological force, and its sometimes conflicted position in the escalating global data security arms race.

The US government has attributed sophisticated attacks – including the large-scale data theft this month from the Office of Personnel Management (OPM) – to increasingly advanced state-affiliated teams from China.

But former hackers say the majority of their peers are joining a burgeoning industry to help Chinese firms fend off the numerous attacks they face themselves.

China has denied any connection with the OPM attack and little is known about the identities of those involved in it.

The Cyberspace Administration of China told Reuters in a June 19 fax that it opposes “any form of network attack” and does “not allow any groups or individuals to engage in network-attacking activities” within its borders.

CRACKDOWN

The cybersecurity industry’s growth was partly spurred by a government crackdown on China’s hacking community five years ago – around the same time Beijing passed a series of laws banning hacking and spamming tools and requiring telecom operators to help suppress attacks.

Government sweeps largely silenced once-raucous online forums like kanxue.com, where hackers traded tips and boasted about their conquests.

Many chose to shift from “black hat” activities to “white hat” ones, using their skills to find network vulnerabilities so that they can be fixed.

“Many people feel that now white hats have some space to do things, or make money, while hackers can’t do bad things anymore,” said one hacker who asked not to be identified because of his former work with the government.

Aside from companies like Alibaba, Tencent and Baidu beefing up their defences, China’s government has also been working to ramp up the data security of the country as a whole.

Agencies including the Cyberspace Administration of China have led educational efforts around promoting data security.

Still, many “white hats” say Chinese companies continue not to take the matter of information security seriously enough, neglecting to hire enough people in-house to protect themselves.

“I hope we can give people a wake-up call,” said the former government hacker.

Even with the current progress, it’s likely to be a long and laborious effort, with China saying it is often the target of sophisticated attacks from overseas.

Last month, Chinese security company Qihoo 360 Technology issued a report saying it had discovered a series of cyber-intrusions against important Chinese targets that lasted for years. These include a government maritime agency, research institutions and shipping companies.

Zhang says that while the finger is often pointed at China for hacking attacks, the country is still playing catch-up with the United States on both the cyber security and cyber espionage fronts.

“When China’s measured up against the American giants, the level of their hacks, their data security, the scale and the harm they can do is all much greater.”

View the original content and more from this author here: http://ift.tt/1IFLH72

Florida Center for Cybersecurity offers veterans ‘New Skills for a New Fight’

After spending months overseas defending their country, some student veterans could now spend a career defending organizations from cyberattacks back home.

On Wednesday, experts in military affairs and cybersecurity met at JPMorgan Chase in Tampa to announce a new program for student veterans at the Florida Center for Cybersecurity (FC2) located at USF.

Currently in development, the 36-week cyber academy named “New Skills for a New Fight” will aim to prepare student veterans for long-term, high-paying jobs in the cybersecurity field.

Larry Braue, director of USF’s Office of Veterans Services, said the program is a great opportunity for teaching veterans transitioning from the military to civilian employment about getting a job as a cybersecurity professional.

“There are still a lot of opportunities (in cybersecurity) that our students aren’t aware of,” he said. “Who’s ever heard of an ethical hacker that (companies) are hiring for a pay of six figures?”

Beginning next spring, FC2 will select 20 student veterans to create the academy’s pilot cohort at the USF Tampa campus. The academy’s first class will act as a proof of concept for the program, where veterans will develop the skills necessary to prevent and respond to real-world cyberattacks against businesses and organizations.

The pilot class is fully funded by a $300,000 grant from JPMorgan Chase, which will pay for course development costs, tuition fees and building a lab to support the academy at FC2.

Adam Sheffield, FC2’s program manager, said one of the reasons the center created the new program is because of the sheer demand for cybersecurity professionals. As the number of high-profile cyberattacks increases, like those on Sony and U.S. Central Command, the need for people who can defend against them also increases.

“There’s a big supply-and-demand gap when it comes to security professionals in the United States and worldwide,” Sheffield said. “Regionally in Florida, you’re looking (at a demand) anywhere between one and two thousand for this type of skill set.”

Because of this high demand, Sheffield said it is important for the private sector and academia to develop new methods for quickly training security professionals to fill entry-level positions and increase employee supply.

He said veterans are a clear choice for this approach because of the skills they have already developed from their time in the military, which significantly reduce the time it takes to train them.

“In an incident-response role, (these skills are) discipline, a teamwork mentality (and) the fact that a fair amount of them hold security clearances coming out of the military,” he said. “They have a baseline of technical training from their time in service that is very easy to build on to rapidly field cyber practitioners in a short amount of time.”

Sheffield said this demand also plays a role in JPMorgan Chase’s willingness to fund the academy’s pilot class, as the company is looking to increase its own security personnel and will double its security budget in the next year.

“It’s one thing to have an idea,” Sheffield said. “We can think this is the best program out there and that it’s going to be successful … but it’s really not worthwhile to pursue a program if there’s not going to be use for it in the marketplace.”

The cyber academy itself is made up of three phases divided over 36 weeks. Phase one is traditional course work in class, and veterans will take four undergraduate level courses in networking and programming with a focus on security.

These classes are meant to develop the veterans’ skills for phase two of the academy, where they will have five weeks of hands-on training — Monday through Friday — in labs set up for veterans to practice responding to simulated cyberattacks using the tools they would have while working for real-world companies.

Veterans who finish both phases will graduate with an undergraduate certificate and an industry certification before moving onto phase three of the academy — a 12-week internship with one of FC2’s industry partners.

Student veterans who complete the program will also have the ability to work with FC2 to pursue a bachelor’s degree online while working full-time as a cybersecurity professional.

In the future, Sheffield said FC2 will pursue additional funding to continue the academy, as well as increase its class size and offer training for different job roles in the years to come.

Braue said the academy has also led to a partnership between the Office of Veterans Services and FC2, and the office will assist future veterans in the academy with eliminating financial issues and other problems that would interfere with veterans’ completion of the program.

For now, Sheffield said the program will begin accepting applications in the beginning of the fall and will notify applicants of their acceptance in the middle or end of the fall semester.

View the original content and more from this author here: http://ift.tt/1GHsSin

Saturday 27 June 2015

Dungarvan to host international forum on cyber security

It will include discussions on the most recent innovations in business intelligence, best practices for security analysis, global cyber-security threats and the impact of social media in security and intelligence management. It is being hosted by the Ridge School of Intelligence Studies and Information Science at Mercyhurst University.

Considered by many as the ‘Davos of Intelligence’, the event will run over three days, attracting people from the business community, academia, security specialists, technology companies, and global corporations as well as government representatives and those involved in the area of business intelligence.

Kevin Giblin, executive manager at Mercyhurst College Ireland, said: “The forum has an incredible line-up of expert speakers that will provide the latest insights and innovations in security, business intelligence, data management and the use of technology to counter criminal and intelligence threats.

“This is a unique opportunity to engage with leaders on diverse topics such as corporate risk management, advanced data analysis, anticipatory intelligence, cybercrime and real-time forensic analysis, among others.”

Garda Commissioner Noirín O’Sullivan will also address the event along with recent White House official for cybersecurity, Howard Schmidt, and former director of the US Secret Service Lewis Merletti.

Moderated by Dean James Breckenridge of The Ridge School, forum participants will also hear from Europol’s strategic analyst for the European Cybercrime Centre Jaroslav Jakubcek, Nama chairman Frank Daly, and several academics, among them Liam Fahey of Babson College; Matt Whelan and Stefan Hyman of the State University of New York at Stony Brook and Patrick Gibbons of UCD.

It is expected that the event will bring more than 300 people to the region from July 13-15.

View the original content and more from this author here: http://ift.tt/1JcCp55

Saturday Letters: Cybersecurity, Confederate battle flag

Regarding “Online umpire” (Page B13, June 21), the editorial says “we need political leaders who are ready to run a marathon on cybersecurity” and makes reference to the many failures of the Obama administration. Yet, it fails to mention the NIST Cybersecurity Framework, the result of President Obama’s Executive Order 13636.

This Framework, produced by the National Institute of Standards and Technology, is the first step in the cybersecurity marathon to which the editorial refers. It helps organizations identify where they are and where they need to be in cybersecurity management. It also helps create a common vocabulary that can help organizations like the OPM quantify their cybersecurity risk in terms that decision-makers understand and thus secure much needed investment from an extremely stretched budget.

The NIST Cybersecurity Framework is one of many initiatives that are underway to secure the nation’s critical infrastructure. Those involved know there is much to be done, but the marathon has begun.

Steve Mustard, Spring

Battle flag

Regarding “Stop waving the battle flag. Start talking about race” (http://ift.tt/1LMFpFH), I am the descendant of a Texas Confederate veteran who was imprisoned in a Union prisoner of war camp in Illinois and whose younger brother died in the Red River Campaign. And yes, they did own slaves. I agree that this flag has become a symbol of racism and needs to be removed.

View the original content and more from this author here: http://ift.tt/1Hn7mWX

Cybersecurity breaches have Midlanders looking for answers

WASHINGTON — Massive government cybersecurity breaches have left Stan Stearns wondering if hackers on the other side of the globe have his personal information at their fingertips.

The Air Force contracting officer from Papillion is frustrated at the lack of information about what exactly happened.

And while Stearns and others affected by the breaches are being signed up for fraud alerts and other protective measures, those don’t cover his wife or children whose data also could have been stolen. And the protections only last so long.

“They’re patient,” Stearns said of the hackers. “This is only protection for 18 months.”

The theft of personal information belonging to more than 4 million current and former federal employees also is drawing outrage from members of Congress. In four sometimes-contentious hearings in recent weeks, lawmakers have targeted the federal Office of Personnel Management for a cascading series of embarrassing failures.

The hearings have helped expose serious shortcomings in OPM’s ability to protect critical information and in its support of employees after their Social Security numbers and other personal data were pilfered.

Anyone seeking a national security clearance must first fill out the Standard Form 86. It’s a 127-page exercise in laying your life bare before the federal government.

Applicants are expected to disclose detailed information about themselves, their relatives, friends, neighbors and co-workers. It includes where the person has lived and worked. It probes for information about substance abuse, marital infidelity and mental illness.

Stearns echoed concerns many have voiced about the potential for key individuals to be blackmailed on the basis of that information or for covert operatives overseas to be exposed.

Lawmakers from Nebraska and Iowa have picked up on those concerns and are running with them.

“It’s quite astounding that the administration doesn’t know the range of how many records have been compromised,” Sen. Ben Sasse, R-Neb., said this week.

Katherine Archuleta remains standing, or at least sitting, in the director’s chair despite her agency’s massive cyber breakdown.

One of her Capitol Hill appearances came Thursday alongside other administration officials in front of the Senate Committee on Homeland Security and Governmental Affairs.

Sasse and Joni Ernst, R-Iowa, both members of the panel, pressed for answers about how the breaches could have occurred.

Earlier, Sasse had penned a 10-page letter to Archuleta and other key officials.

“Protecting our nation’s secrets and most sensitive information is among the government’s highest priorities and a vital component of its national security mission,” Sasse wrote. “Yet over the last five years, Americans have watched with growing concern as government records have been leaked or stolen by our adversaries.”

Sasse said there is an urgent need for more clarity from the administration.

He identified three major concerns: how the breaches undermine national security, the extent to which Americans have had their privacy violated and the potential economic hit from identity theft.

“It is not clear whether OPM’s decisions in the aftermath of the breaches have been effective to protect its networks going forward or whether it is moving fast enough,” Sasse wrote.

View the original content and more from this author here: http://ift.tt/1TU73pP

Threat Situational Awareness- Navigating The Flood Of Security Data

One of the top challenges facing security practitioners today is not simply defending themselves from the risk of attack, but prioritizing the constant stream of threat data they receive from the security tools designed to protect them. “Too Much Information” is the new reality for many organizations, and the question has now become how to distinguish important incidents from low-priority events.

During this interview with ICIT Fellow Danyetta Magana, Parham Eftekhari (Sr. Fellow, ICIT) will explore these topics and more as the two identify solutions to overcome this growing challenge.

View the original content and more from this author here: http://ift.tt/1JcobB6

Proposed Cyber Legislation And Their Impact On The Security Community

As the number of breach incidents continues to climb, the importance of a highly skilled cybersecurity workforce to protecting our nation’s critical infrastructure sectors continues to grow. But how does proposed legislation impact the cyber community’s ability to do its job?

During this podcast with ICIT Fellow Dan Waddell (Managing Director, National Capital Region, (ISC)2) we assess this question and look at issues including net neutrality and threat information sharing.

View the original content and more from this author here: http://ift.tt/1KhjIP3

Friday 26 June 2015

Keeping Smart Cities Smart: Preempting Emerging Cyber Attacks in U.S. Cities

The Institute for Critical Infrastructure Technology, working closely with IOActive and other Fellows, has published its latest legislative briefing titled “Keeping Smart Cities Smart: Preempting Emerging Cyber Attacks in U.S. Cities”. As more and more U.S. cities adopt ‘smart’ technologies, America finds its urban centers increasingly at risk of cyber-attacks which could bring entire cities to a standstill, wreak havoc for citizens and cost billions for governments and the private sector.

In this analysis, ICIT identifies the various types of technologies that are used in smart cities and how each type of technology is vulnerable to attack (including likely attack scenarios). The report closes by making recommendations on what vendors and policy makers must do to ensure that the technologies manufactured for use in smart cities are adequately secure.

This brief was sent to members of the House of Representatives Homeland Security Committee and Cybersecurity Caucus, presented to Representatives and Senators including Senators Markey and Alexander and Congressmen Marchant, Ratcliffe and Langevin, and shared with federal agencies and select ISACs and DHS Sector Coordinating Councils.

The following experts contributed to this brief:

Author:

  • Cesar Cerrudo, ICIT Fellow (CTO, IOActive)

Contributions by:

  • James Scott (ICIT Senior Fellow – Institute for Critical Infrastructure Technology)
  • Drew Spaniel (ICIT Visiting Scholar, Carnegie Mellon University)
  • Chris Schumacher (ICIT Fellow – Sr. Technology Consultant, New Light Technologies)

View the original content and more from this author here: http://ift.tt/1BS7ziF

Securing Federal Data Post OPM : Lunch and Learn

This week the Institute for Critical Infrastructure Technology held a Lunch and Learn called “Securing Data for Today’s Federal Agency” which focused on the increasingly daunting task of protecting federal data in an age of information sharing and increased threats both inside and outside an agency. An all-star cast of current and former federal agency leaders along with ICIT Fellows and industry partners shared cutting edge strategies, technologies and best practices to guide agencies through the uncertainty they face as they work to protect their assets.

Some of the key takeaways from the session included:

1. The importance of encrypting your data using technologies that enable the data owner to revoke access

2. Understanding the difference between secure information sharing and creating cultures of trusted information sharing

3. Accepting that there is no way to prevent data leakage from happening, so the mindset must change to “how do I gain better control over data knowing I will eventually lose control?”

4. The importance of integrating the various security products an agency uses into one security system, and taking the knowledge gleaned from that system and delivering it into the hands of end users who can use it to make decisions to protect the network and its assets

5. The emergence of predictive technologies like Behavioral Analytics which are providing agencies the ability to foresee breaches and prevent them from occurring
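Takeaways 1 and 3 describe the same design goal: the data owner keeps control of the key even after copies of the ciphertext have left the agency. The Python below is an added example of one way that is done; it is not code from ICIT, WatchDox or any speaker at the session. It uses envelope encryption: each document is encrypted under its own data key, that key lives only in a broker the owner controls, and revocation or key destruction happens at the broker rather than on the copies. The cipher is a constructed stand-in built from HMAC-SHA256 so the example runs on the standard library alone (a real deployment would use AES-GCM from a vetted library), and the document identifiers, principals and broker API are assumptions made for illustration.

```python
"""Envelope encryption with an owner-controlled, revocable key broker.

Added illustration, not code from ICIT, WatchDox or any session speaker.
Each document is encrypted under its own data key (DEK). The DEK never
travels with the ciphertext; it lives in a broker the data owner controls,
so revoking a reader or destroying the key is a broker-side change that also
defeats copies the owner no longer holds. The cipher is a constructed stand-in
(HMAC-SHA256 keystream plus HMAC tag); real code would use AES-GCM.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(dek, label):
    # Independent encryption and MAC keys derived from the document key.
    return hmac.new(dek, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # Counter mode: block i = HMAC(enc_key, nonce || i), truncated to length.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(dek, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(dek, b"enc"), _subkey(dek, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(dek, blob):
    """Verify the tag before decrypting; raises ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkey(dek, b"enc"), _subkey(dek, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyBroker:
    # Owner-controlled DEK store: access policy lives here, not in the ciphertext.
    def __init__(self):
        self._deks, self._owners, self._grants = {}, {}, {}

    def register(self, doc_id, owner, dek, grantees):
        self._deks[doc_id], self._owners[doc_id] = dek, owner
        self._grants[doc_id] = set(grantees) | {owner}

    def _require_owner(self, doc_id, principal):
        if self._owners.get(doc_id) != principal:
            raise PermissionError(f"{principal} does not own {doc_id}")

    def revoke(self, doc_id, owner, principal):
        self._require_owner(doc_id, owner)
        self._grants[doc_id].discard(principal)

    def destroy(self, doc_id, owner):
        # Crypto-shred: with the DEK gone, every copy of the ciphertext is inert.
        self._require_owner(doc_id, owner)
        self._deks.pop(doc_id, None)
        self._grants.pop(doc_id, None)

    def fetch_dek(self, doc_id, principal):
        if doc_id not in self._deks or principal not in self._grants[doc_id]:
            raise PermissionError(f"{principal} may not read {doc_id}")
        return self._deks[doc_id]

def seal(broker, owner, doc_id, plaintext, grantees=()):
    # Owner encrypts under a fresh DEK and parks the DEK with the broker.
    dek = os.urandom(32)
    broker.register(doc_id, owner, dek, grantees)
    return encrypt(dek, plaintext)

def can_open(broker, principal, doc_id, blob):
    # True only if the broker releases the DEK and the blob authenticates.
    try:
        decrypt(broker.fetch_dek(doc_id, principal), blob)
        return True
    except (PermissionError, ValueError):
        return False

def demo():
    """Share, tamper, revoke and shred a constructed document; returns the outcomes."""
    broker = KeyBroker()
    report = b"constructed sample: incident report 0042, internal use only"
    blob = seal(broker, "owner@agency", "report-0042", report, grantees={"analyst@agency"})
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    out = {
        "analyst_reads": decrypt(broker.fetch_dek("report-0042", "analyst@agency"), blob) == report,
        "outsider_reads": can_open(broker, "outsider@nowhere", "report-0042", blob),
        "tamper_detected": not can_open(broker, "owner@agency", "report-0042", bytes(tampered)),
    }
    broker.revoke("report-0042", "owner@agency", "analyst@agency")
    # The analyst may still hold the ciphertext; without the DEK it is useless.
    out["analyst_after_revoke"] = can_open(broker, "analyst@agency", "report-0042", blob)
    out["owner_after_revoke"] = can_open(broker, "owner@agency", "report-0042", blob)
    broker.destroy("report-0042", "owner@agency")
    out["owner_after_shred"] = can_open(broker, "owner@agency", "report-0042", blob)
    return out

if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check:>21}: {value}")
```

The point the example makes is where control sits: nothing in the ciphertext decides who may read it, so the owner's decision to revoke or shred reaches copies that were exfiltrated or forwarded long ago, which is exactly the "I will eventually lose control" posture in takeaway 3. The broker is also the natural place to log every key release, which feeds the integrated-visibility goal in takeaway 4.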

 

A special thanks to our Fellow Dan Skinner (Federal Practice Manager, WatchDox by Blackberry) and to Richard Spires (CEO, Resilient Networks; Former CIO, U.S. Department of Homeland Security) for hosting the Luncheon.

View the original content and more from this author here: http://ift.tt/1FF151i

The Cybersecurity 500 Top Defense Contractors

Eleven of the top defense contractors showed up on the Q2 Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies.

The cybersecurity industry is projected to grow from $71 billion in 2014 to more than $155 billion in 2019, according to consolidated estimates by IT research firms and analysts cited in the Cybersecurity Market Report, published quarterly by Cybersecurity Ventures.

There are many new entrants as well as mergers and acquisitions, investment and IPO activity that is constantly changing the vendor and service provider landscape. The Cybersecurity 500 creates awareness and recognition for the most innovative cybersecurity companies – ranging from the largest and most recognizable brands, to venture capital-backed start-ups and emerging players, to small firms with potentially game-changing technologies, to solution providers poised for growth around productized or vertically focused services, and federal agencies.

The defense contractors, in the order in which they are listed on the Cybersecurity 500 list, are:

#10, Lockheed Martin
#81, Leidos
#170, Raytheon
#238, Northrop Grumman
#257, HP
#269, CACI
#281, General Dynamics
#370, BAE Systems
#374, CSC
#378, Booz Allen
#391, SAIC

Boeing, which was on the Q1 list, was notably absent from the most current compilation.

The Wall Street Journal reported in early 2015 that Boeing was exiting the commercial cybersecurity business and that Symantec was acquiring staff and technology licenses from Boeing’s Narus unit.

Other media depicted the transaction as an “acquisition.” But further research indicated Symantec only hired some of the Narus staff. It appears Boeing retained ownership of the Narus intellectual property (software) and customer base.

“To be clear, Boeing has most definitely not exited the cybersecurity business,” said Andrew Lee, senior manager and division communications lead, Boeing Electronic & Information Solutions. “We continue to support a variety of defense, government and security customers with cybersecurity and data analytics products and services. It is correct that with the divestiture of Narus, we are not focusing on commercial cybersecurity for the time being.”

Hmm … Boeing has not exited the cybersecurity business, but they are not focused on it.

Defense contractor Raytheon made the biggest news in recent months. They are investing $1.57 billion to create a new cybersecurity company with private-equity firm Vista Equity Partners LLC. The new firm will combine Raytheon Co.’s cyber products unit with Websense Inc., which Raytheon agreed to acquire from Vista.

View the original content and more from this author here: http://ift.tt/1FEQ7ZA

Cleaning Up the Federal Cyber Debacle

America’s digital infrastructure is under constant attack. I know this not only from reading the news, but also from spending nine years as an undercover CIA officer and four years as a senior adviser with FusionX, the cybersecurity firm where I worked before being elected to Congress. The U.S.’s adversaries are constantly trying to steal its private-sector innovations and military and intelligence secrets.

The recent theft of millions of federal-employee personnel records from the Office of Personnel Management is only the latest in a string of high-profile data breaches. It is also a perfect example of the federal government’s prevarication and hypocrisy when it comes to handling cybersecurity incidents.

On June 4, federal authorities confirmed a data breach at the OPM that not only compromised the computer systems but also may have resulted in the exfiltration of highly sensitive information. The OPM initially reported that the personally identifiable information, such as Social Security numbers, of more than four million current, former and retired federal employees was compromised. The estimate has since been revised to 18 million.

It gets worse: The White House a week later confirmed a second intrusion, into the database that houses the highly personal data of those with, or who are pursuing, security clearances. As this newspaper reported on Wednesday, the security-clearance theft “was disclosed a week later, even though investigators knew about it much earlier.” At this point, the administration appears unable to say how many Americans have had their data compromised.

OPM Director Katherine Archuleta appeared before my colleagues and me at a recent hearing of the House Committee on Oversight and Government Reform. She declined to apologize for, or even acknowledge, her agency’s refusal to implement security best practices recommended for several years by the OPM’s own inspector general, Patrick E. McFarland. In report after report going back to 2010, the OPM’s Office of the Inspector General had identified insecure, outdated and poorly managed IT systems and practices that left the agency’s information vulnerable.

The hypocrisy is that while the government leaves its networks and the data of millions of Americans at risk, it fines private companies for security breaches. Last year the Department of Health and Human Services levied a $4.8 million fine against New York Presbyterian Hospital and Columbia University Medical Center for a security breach that left 6,800 people’s medical records open to the Internet and visible from search engines. In its 2014 review, the Federal Trade Commission boasted that it had brought more than 50 cases against companies that put consumers’ personal data at unreasonable risk.

When FusionX conducted cybersecurity assessments of private firms, I saw how companies placed a priority on protecting their digital infrastructure. If our review found a vulnerability that needed immediate remediation, we would alert our customer of the issue and it would be resolved. Often high-risk problems were fixed even before our final report was written. Why? Because the private sector is held accountable—by shareholders and the public, by civil or criminal litigation, and by the market forces that drive the economy.

After last year’s hack of the giant retailer Target, which compromised the information of an estimated 70 million customers, the CEO and chairman of the board stepped down. This was in part because Target acknowledged that warning signs related to the attack were ignored before the breach became public.

If federal agencies wish to provide effective oversight of the private sector, then they should start by looking in the mirror. Despite clear warnings provided to the OPM, and its failure to heed them, no one has been held accountable.

This needs to be a watershed moment for cybersecurity in the federal government. Other agencies have the same problems as the OPM, deploying outdated legacy systems and exercising poor cyberhygiene. In the wake of this data breach, the heads of other agencies should pull out their own inspector-general reports and begin to address their vulnerabilities.

A strong message must be sent to the public and the employees of the federal government that we take cybersecurity seriously.

Earlier this year, I asked Gene Dodaro, the long-tenured head of the Government Accountability Office, if he could recall ever seeing any federal government employee fired for delays or cost overruns on IT projects. After a long pause, he could not name a single instance. This “do as I say, not as I do” culture runs rampant in Washington. Our government demands accountability from others but offers little itself.

Until the leaders of our federal agencies implement solid cybersecurity measures—such as strong authentication, network monitoring, state-of-the-art data encryption and robust system hygiene—we will continue to play catch-up to our highly sophisticated and well-funded adversaries. The refusal at the Office of Personnel Management to take responsibility and move swiftly to address significant deficiencies leads to only one conclusion. Accountability starts at the top. It’s time for a change in leadership at the OPM.

View the original content and more from this author here: http://ift.tt/1HjFTFj



from cyber security caucus http://ift.tt/1HjFTFk
via IFTTT

U.S. intelligence chief: China top suspect in government agency hacks

U.S. intelligence chief James Clapper said on Thursday that China was the top suspect in the massive hacking of a U.S. government agency that compromised the personnel records of millions of Americans.

The comments from Clapper, the director of National Intelligence (DNI), were first reported in The Wall Street Journal and marked the first time the Obama administration has publicly accused Beijing of the hacking attacks on the Office of Personnel Management.

“You have to kind of salute the Chinese for what they did,” given the difficulty of the intrusion, the Journal quoted Clapper as saying at a Washington intelligence conference.

In a statement, Clapper’s office confirmed that he had identified China as a leading suspect, although it said the U.S. government investigation was ongoing.

U.S. officials have previously blamed the attacks on Chinese hackers, though not publicly. White House spokesman Josh Earnest on Thursday declined to comment on any potential suspects.

OPM Director Katherine Archuleta told the Senate Homeland Security Committee on Thursday that personnel data of 4.2 million current and former federal employees was compromised in one security breach and that another attack, targeting those applying for security clearances, had affected millions more.

Some media have reported that as many as 18 million Americans could have been affected.

Clapper’s comments came a day after the conclusion of three days of high-level talks between China and the United States in Washington at which cybersecurity figured prominently.

U.S. Secretary of State John Kerry said on Wednesday there had been no U.S. “finger-pointing” during those meetings about cybertheft “and whether or not it was actioned by government, or whether it was hackers, or individuals the government has the ability to prosecute.”

Kerry also said, however, the U.S. side had made “crystal clear” that cybertheft was not acceptable. He said the United States believed there was a need to work with China to develop a “code of conduct” on state behavior in cyberspace and that China had agreed.

“It’s something that we agreed needs to be addressed and hopefully it can be addressed soon,” State Department spokesman John Kirby said on Thursday.

White House spokesman Earnest cautioned against guessing at what response the United States might take against those responsible for the attacks. “If there is a response, it’s probably not one we are likely to telegraph in advance,” he said.

The Journal cited Clapper as saying the U.S. government and American companies would continue to be targets until policymakers addressed the “lack of deterrents.”

Clapper said the absence of a U.S. threat to respond to hacking attacks meant Washington had to put its focus instead on defense, the newspaper reported.

China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the hacking. China’s top diplomat, State Councillor Yang Jiechi, said after Wednesday’s talks that the two countries should work together on cybersecurity.

(Reporting by Timothy Ahmann, Mark Hosenball, Emily Stephenson, Megan Cassella and David Brunnstrom; editing by Susan Heavey, Bill Trott, Andrew Hay and G Crosse)

View the original content and more from this author here: http://ift.tt/1NkYUq2

Students learn about cybersecurity at Cyber Sciences Summer Academy

Rackley Wren said one of the most striking things he learned at Georgia Regents University’s Cyber Sciences Summer Academy was that he “cannot tell a lie at all.”

Wren, an 18-year-old Augusta Preparatory Day School student, volunteered for a polygraph test as his camp group toured a National Security Agency facility earlier this week. While connected to the machine and answering his “interrogator’s” questions, Wren said he discovered an aspect of the cybersecurity field unknown to him.

“I asked the employees there what I would have to do to work there or join their study program… So they offered to show us the polygraph test,” Wren said. “As they were doing the test, I realized just how important cybersecurity is to our nation… It was an awesome experience. This was far more in-depth than any other computer camp and I really have a grasp on the culture now.”

Wren was one of 38 Georgia and South Carolina students who attended the Cyber Sciences Summer Academy this week, an effort by GRU not only to pique teenagers’ interest in the rapidly growing field but to also show them how important the field was to their everyday lives.

Developed from a partnership between GRU, the National Security Agency and the National Science Foundation, the camp is part of a larger university initiative meant to introduce high school students to the cybersecurity field. Attendees spent the week learning techniques commonly used in cybersecurity and applying those skills in specially designed virtual computer networks.

GRU Director of Cybersecurity Education Initiatives Joanne Sexton said many of the 30 “skill challenges” students worked on during the week were designed to be “engaging for youth,” often taking the form of games and lectures containing references to popular culture. Students worked through basic code breaking, played an electronic version of “capture the flag” and practiced fortifying and infiltrating computer networks.

Well-known pioneers of the cybersecurity field, including NSA Director Adm. Michael Rogers, visited with the students during the camp to offer firsthand accounts of the realities of the job.

Many of the students participating in the event said the camp introduced them to new concepts while building team spirit.

Rebecca Helling, a 16-year-old Greenbrier High School student, said the camp not only sparked her interest in cryptography and code breaking, but also introduced her to new friends.

“Cryptography is like solving a logic puzzle. I’ve never really encountered cryptography before, but I found out I was good at it. It takes creative thinking, and it’s a really fun challenge for me,” Rebecca said. “I also met a few other Greenbrier students here that I really didn’t know existed, but now I really want to hang out with them… I wouldn’t have learned about any of this without the camp, and I’d tell anyone interested in the field to come visit.”

View the original content and more from this author here: http://ift.tt/1dkv6wB

Facebook Hires Yahoo’s Cyber Security Chief Alex Stamos As Its Chief Security Officer

After having served Yahoo for little more than a year, Alex Stamos, Yahoo’s cybersecurity chief, has moved to Facebook, according to reports.

According to a report on CNET, Alex Stamos has joined Facebook as its Chief Security Officer. He joined Yahoo in March 2014 as its chief information security officer and on June 24, he revealed his decision through a post on Facebook. Before joining Yahoo in 2014, Stamos was the chief technology officer for security firm Artemis, as per the CNET report.

Stamos fills the vacancy left by Joe Sullivan, who took over as the first Chief Security Officer at Uber in April this year. Besides Stamos, other top-level executives who have moved out of Yahoo include Mike Kerns, a senior executive who was previously in charge of Yahoo’s homepage, and Ned Brody, Head of Americas, reports CNET.

Stamos said he is joining Facebook to create secure products that will help in providing personal, educational and economic opportunities, especially to the underserved population across the world, reports CNET. Through his Facebook post, Stamos said, “There is no company in the world that is better positioned to tackle the challenges faced not only by today’s Internet users but for the remaining [two-thirds] of humanity we have yet to connect,” quoted CNET. “The Facebook security team has demonstrated a history of innovation as well as a unique willingness to share those innovations with the world, and we will build upon that history in the years to come.”

According to a report on ZDNet, with more than 1.14 billion users across the globe, the privacy and security concerns of the social networking giant are quite prominent and ever increasing. Stamos will take over his new role from June 29, reports ZDNet.

View the original content and more from this author here: http://ift.tt/1GMm5Hi

Thursday 25 June 2015

US raises cyber security issue with Chinese, who pledge cooperation

US President Barack Obama on Wednesday raised US concerns about China’s cyber behaviour during a White House meeting with Chinese officials at the end of two days of talks on strategy and economy.

A Chinese official indicated that China was willing to cooperate with the US on the issue.

Cyber security has been at the top of the US agenda over past weeks amid revelations that hackers have stolen millions of files on current and former US government employees.

During a hearing Wednesday, House Oversight Committee chairman Jason Chaffetz suggested that the hack has put up to 32 million people at risk – some of them for sensitive information submitted to obtain security clearances.

While there has not been an official charge that the hacking came from private or official sources in China, unidentified officials widely quoted in news reports have indicated as much.

In comments at the State Department late Wednesday, Chinese State Councilor Yang Jiechi vowed that China will “crack down on all forms of cyber hacking.”

Yang also said China was ready to cooperate with the United States on cybersecurity issues and improve cyber relations – but only “on the basis of mutual respect and equality and mutual benefit.”

Kerry said there had been no confrontations on the cyber issue during the meetings, but added: “We made crystal clear this is not acceptable.”

“China also has an interest to make sure everybody is behaving by a certain set of standards,” Kerry said. “President Obama made that very clear at the meeting at the White House.”

Obama “urged China to take concrete steps to lower tensions” not only on the cyber issue but also on maritime behaviour, according to a readout provided by the White House after he met with the Chinese officials.

China has been expanding tiny disputed islands and reefs in the South China Sea with landfill, and has built ports, airstrips and other facilities on them.

The activity is at the center of growing tensions within the region and with the US.

Yang insisted that his country’s activities posed no threat to navigation in the South China Sea and that it was important for the United States to “respect China’s sovereignty and territorial integrity [and] the development path chosen by China’s people.”

The meeting was the sixth annual such session and served as the setup for President Xi Jinping’s visit to Washington in September.

On other issues, the US and China indicated increased cooperation on climate change, ocean preservation and people-to-people exchanges.

They also agreed to work toward establishing a marine protected area in the Antarctic’s Ross Sea – “one of the world’s last remaining pristine marine environments,” Kerry said.

Treasury Secretary Jacob Lew said “enormous” progress had been made over the past year on the currency exchange issue. The US has charged that China artificially deflates its currency valuation in order to keep down the price of its exports.

China was prepared to be “more transparent” on the issues of monetary policy and interventions, Lew said.

“The real test is going to be when there is upwards pressure on the renminbi,” he said. It was an open question whether China would refrain from intervening, he said.

Lew said China’s efforts to change to a more consumer-driven economy had slowed China’s economic growth, and Chinese officials have been “very candid” about that fact.

While the US believes reforms should move ahead with more urgency, the Chinese “for understandable reasons” are concerned about disruption if they move too quickly, Lew said.

View the original content and more from this author here: http://ift.tt/1Lw7ioC

Editorial: At OPM, hackers expose government’s lack of cybersecurity

No matter what form it takes, the prospect of cyber thievery compromising your personal information is a stomach-churning experience. Maybe it’s that big-box store, like Target or Home Depot, whose customer credit card information was filched, or maybe a major health insurer, like Anthem, which so many people have used and provided with their personal medical and identification information.

Or maybe it’s the U.S. Office of Personnel Management, which was hacked not once, but twice in recent years. The latest breach may have affected as many as 14 million federal workers, many of whom live in Virginia and right here in the Fredericksburg region.

When these alleged China-based hackers are able to infiltrate OPM, they gain access to individual as well as military and intelligence data. They obtain all the deeply personal information that federal job applicants provide—particularly those seeking security clearances. That suggests implications for not only their private lives but their careers as well. Some must even provide information for their spouses or partners. The tentacles are many and far-reaching.

There is surely plenty of blame to go around here, and much of it reflects on the federal government itself. With OPM the example at hand, it is largely a victim of its own massive size and bureaucracy. Its inspector general and other top officials have cited the agency’s aged and decrepit technology. But warnings mean little if there’s a 10-ton boulder in the way.

When the latest breach took place, OPM was already pursuing a $91 million computer overhaul that has been cited for violating bidding and management protocols. OPM officials counter that the urgency of the situation demanded that the program be expedited, meaning that bureaucratic shortcuts were purposely taken. As a result, critics say, the program will end up failing to accomplish what it was designed to do and will exceed the cost and timetable estimates OPM has set.

Now, federal officials are saying that the technology that detected the OPM breach—but couldn’t prevent it—may itself be susceptible to hacking.

Even under the best possible circumstances, the government’s ability to protect itself in a timely and comprehensive fashion is suspect from the outset, especially given the scope and complexity of this issue.

The solution, perhaps for the long term, is for individuals to protect themselves. On Tuesday, Sen. Mark Warner, D–Va., asked the Internal Revenue Service to work with OPM breach victims to prevent the stolen information from being used to file false tax returns. That would involve broadening the IRS Identity Protection Personal Identification Number (IP PIN) program, which is designed to protect your tax information and the Social Security number associated with it. Yes, it’s another number, another layer, but under the program the IP PIN changes every year, requiring you to confirm you are who you say you are.

Our dependence on technology has set us up to be victimized by its porous nature, and warnings since the beginning of the Internet age have been largely ignored. The cat-and-mouse game of having to plug this hole and then that appears endless.

Perhaps it’s up to the private sector to come up with a failsafe method of individual identity protection while the government considers its options.

In the meantime, studying up on the best ways to protect yourself from hackers and the damage they can inflict might be your best bet.

View the original content and more from this author here: http://ift.tt/1LEp6uA

A ‘defensive shield’ for legal cybersecurity risks

The top lawyers in the UK’s largest companies have recently come together and recommended a “defensive shield” strategy to deal with their companies’ legal cybersecurity risks.

The strategic framework maps well to New Zealand, to what other cybersecurity specialists are doing, and to what senior managers and boards are or should be doing.

It is also useful for getting the attention of CEOs, boards and lawyers: although they know cybersecurity is an issue, they don’t necessarily have all the tools and detail on these increasingly bet-the-bank issues, as we outline here.

The report, Cyber security law and practice, was produced by the GC100, the association for GCs of the UK’s largest 100 companies.

View the original content and more from this author here: http://ift.tt/1RyCQc2

Arkansas Electric Picks OnPage for Cybersecurity Intrusion Compliance

“OnPage solved a mandatory requirement we had in our data center for regulatory cybersecurity intrusion compliance. To cover physical or cyber intrusions, we have OnPage notifications sent out to the group on an on-call rotation for incident response.” – Philip Huff, Director of IT Security Compliance

OnPage delivered simple on-call scheduling, cybersecurity compliance, secure messaging, reduced downtime and solved several critical needs for the entire IT team.

Onset Technology, creator of OnPage® priority messaging, announced today that one of the nation’s largest electric cooperatives, Arkansas Electric, has chosen OnPage to help prioritize critical, time-sensitive messaging. After testing two competing products, Director of IT Security Compliance Philip Huff and his team evaluated OnPage and decided it was far easier to implement, more efficient and highly cost effective. Judit Sharon, CEO of Onset Technology, said: “We are very pleased to have Philip and his entire team trust their mission critical […]

View the original content and more from this author here: http://ift.tt/1GJMVzO

A failure to communicate – The top 5 ways to improve the weakest link in information security

By HP Security Strategist Stan Wisseman

In a previous post, I highlighted five primarily technology-based actions you can take to greatly enhance your security program. However, as we’ve heard many times, people are the weakest link in the security chain. “What we have here is failure to communicate.”

This line from “Cool Hand Luke” sums up the challenge we have in the information security field. We all need to think differently on how to have business success with the constant threat of attack (or as Luke would say, you’ve got to “get your mind right”). That includes users, partners, executive management and board members. Raising the collective security IQ of the workforce can be one of the most cost effective, proactive security controls you can implement.

The recent SANS Securing the Human: 2015 Security Awareness Report had 3 key findings:

  1. Support is essential: It is clear that security awareness programs will continue to fail until they get the same emphasis and support as technical controls. To address this, we have to better educate senior leadership that cyber security is far more than just bits and bytes; it also includes the human element.
  2. Soft skills are lacking: The majority of those in charge of security awareness programs have highly technical backgrounds and lack the necessary communication or human behavior skills. The importance of communication skills for information security professionals was also emphasized in the 2015 (ISC)2 Global Information Security Workforce Study results.
  3. Security awareness is still in its infancy: The majority of programs surveyed were immature. The report notes that if we are

To effectively change behavior regarding information security, employees and executives must feel a sense of urgency and understand not only that they are targets, but also that their actions play a key role in securing the organization. Effective organizations:

1. Have an engaged, security-aware workforce. General security awareness activities (newsletters, security awareness month, etc.) are important to remind the workforce of security best practices and of imminent threats. Testing users for their ability to avoid phishing scams will help reduce the threat of this common attack vector to the enterprise. Role-based security training programs are essential as well. For example, the 2015 HP Cyber Risk Report found that “…most vulnerabilities stem from a relatively small number of common, well-understood software programming errors.” Developers need training on software security best practices to effectively build more secure applications. Provide workforce incentives (e.g., spot bonuses, reward points) to put a spotlight on examples of the security-aware behaviors you want to see. Likewise, it’s necessary to penalize those who place your organization at risk;

2. Have clear policies and procedures that prioritize the protection of data and IT assets and which foster compliance with security standards. Policies and procedures are always important, but they are essential for information security. You need to create and publish your policies to gain consensus on how you will handle specific security issues. Policy rules need to be clear, simple, understandable, and achievable by the workforce;

3. Have the support of executive leadership. Translate information security issues into terms of risk – that’s the language they understand. Make it personal and show how they’ll be impacted. Stage realistic security incident exercises that bring in other stakeholders, such as outside counsel, communications and solution providers, to participate. The annual renewal of cybersecurity insurance can also drive a useful discussion.

4. Have learned to work together and respond to security incidents, collaborating effectively. Practice makes perfect and you should exercise the Incident Response team on a regular basis to ensure that roles are understood and they aren’t learning on the job during an incident. The Incident Response plan needs to be accessible to all parties (e.g., on a mobile app). Don’t forget to communicate with employees, key business partners, and customers in a timely manner post-incident;

5. Obtain critical intelligence by sharing information externally with trusted partners and government agencies. Holistic threat intelligence is not a single-player sport – we need to collaborate just like our adversaries are doing. US government agencies like the FBI and DHS want to partner with private industry in dealing with cybersecurity threats (e.g., InfraGard and Information Sharing and Analysis Organizations (ISAOs)). While there are concerns with sharing incident and threat information with the government, as reflected in this ICIT brief, sharing IoC data with others may help them, and you, avoid an incident. You can also leverage commercial platforms to establish your own trusted communities to share threat intelligence data.

A cultural mind shift on cyber security is needed, similar to the one that had to take place for auto safety. It took decades to understand the risks, pass appropriate legislation and then change human behaviors to reduce the risk factors and associated injuries. I still recall being a passenger in the ’60s without a seat belt in the back of my family’s station wagon – something I certainly wouldn’t allow today with my kids (wouldn’t own a station wagon, either!). Real change started when Ralph Nader, an early advocate for auto safety, wrote a book and spoke to Congress about auto safety in terms the general public and legislators could understand.

With regards to Detroit engineers, Nader said they had a “…general unwillingness to focus on road-safety improvements for fear of alienating the buyer or making cars too expensive.” Sound familiar? Once regulations were imposed, auto companies complied and there were massive advertising campaigns to convince the public to buckle up – efforts to enhance auto safety continue to this day.

Significant security incidents like the ones that have recently hit Sony Pictures and OPM can raise security awareness and spawn some remediation actions. However, reactions like the US Federal government’s 30-day sprint won’t change the underlying mindset or behavior of the workforce. A concerted effort over a longer period of time will be required.

HP Enterprise Security University has a wide range of eLearning and stand-up security courses available. HP recently released Security User Awareness training based on the SANS Critical Security Controls. HP also has an Executive Breach Response framework available to ensure that executive stakeholders can respond confidently to security incidents.

Learn more about HP Enterprise Security: http://ift.tt/1LwzAPC.

Wednesday 24 June 2015

Silicon Valley cyber security guru forms new company with Arizona roots

New report blasts personnel office cyber security management

Sooner or later the Office of Personnel Management (OPM) is bound to have some good news.

Just not this week.

This week is reserved for the congressional grilling of OPM Director Katherine Archuleta. Members of the House and Senate want answers to questions about the digital data breach that resulted in the theft of personal information belonging to more than 4 million current and former federal employees. Archuleta endured antagonistic questioning at the House Oversight and Government Reform Committee last week and she is scheduled for three more hearings this week.

On Tuesday she faced the Senate Appropriations financial services and general government subcommittee. Though the senators treated her relatively gently, their hearing set the stage for what could be a more aggressive session when Archuleta returns to the House panel Wednesday. Then it’s back before the Senate on Thursday for the Homeland Security and Governmental Affairs Committee hearing.

Archuleta has defended her agency’s program to protect its computerized records and her initiatives to improve systems since she entered office. “Over the last 18 months, OPM has undertaken an aggressive effort to upgrade its cybersecurity posture,” she said.

But not long before she took her seat at the witness table in 124 Dirksen Senate Office Building Tuesday, OPM’s inspector general released a “flash audit alert” that sharply criticized her agency’s management of a project to overhaul its technical infrastructure.

For House members who like their red meat raw, this latest report will be a full plate.

“In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” Inspector General Patrick E. McFarland wrote in the flash audit.

Ironically, that project includes the “new, more stringent security tools” that Archuleta said OPM has implemented and without which “we would have never known that malicious activity had previously existed on the network.”

View the original content and more from this author here: http://ift.tt/1HdKiIe