Cyber Security Caucus: July 2015

Friday 31 July 2015

SAFETY Act: Promoting And Incentivizing Cybersecurity Best Practices

Amid fears that a “cyber 9/11” is only a matter of time, cybersecurity experts and lawmakers are looking at a number of new ways to strengthen the nation’s cyber defenses including incentivizing market-driven solutions to enhance the resilience of critical infrastructure, including power grids, air traffic control and banking systems.

Earlier this week, the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing to examine the potential benefits of expanding the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act to include cybersecurity.

“Right now the SAFETY Act can only be triggered by an act of terrorism,” said subcommittee chairman John Ratcliffe (R-Texas). “However, for cyber attacks attribution is extremely difficult to determine. Regardless of whether the hacker was a terrorist, nation state, cyber criminal or hacktivist, the impact of a devastating cyber attack would be the same.”

Ratcliffe said the “SAFETY Act coverage for cybersecurity will not solve all our cybersecurity challenges but it has the potential to make a significant improvement in our Nation’s cyber defenses.”

As part of the Homeland Security Act of 2002, Congress enacted the SAFETY Act, a voluntary program that provides incentives for the development and deployment of anti-terrorism technologies. The purpose of the law is to ensure the threat of liability does not deter potential manufacturers or sellers of anti-terrorism technologies from developing and commercializing technologies that could save lives.

To qualify for the protections afforded by the SAFETY Act, companies must demonstrate on an on-going basis that they have a comprehensive risk management plan in place. Applicants must submit to a rigorous and thorough vetting process by the Department of Homeland Security (DHS) SAFETY Act Office. In return, the act limits the company’s liability in the event of an act of terrorism.

The panel convened to discuss the merits of expanding the SAFETY Act to protect companies that make cybersecurity technology as well as critical infrastructure providers like banks, electric utilities and transportation companies.

“Much of our nation’s critical infrastructure is privately owned, and in the 21st Century, there now exists an interconnectedness of physical security and cybersecurity,” Ratcliffe stated. “This means that someone sitting at a keyboard can now initiate a physical injury by issuing commands to an office building, air traffic control system, or someone’s automobile, resulting in loss of life — not just the theft of personal information from a database.”

“Many products and services weren’t built with cybersecurity in mind,” Ratcliffe said.

Clarifying the SAFETY ACT

Brian E. Finch, senior fellow at the George Washington University Center for Cyber and Homeland Security, told the panel the US desperately needs to promote and incentivize new cybersecurity technologies, policies and best practices.

According to Finch, not only can the SAFETY Act be used to improve cybersecurity, but it already has. With a few “statutory tweaks,” he said he believes the SAFETY Act would be exceptionally helpful in expanding its use in the private sector.

“These minor tweaks will permanently clarify that the SAFETY Act applies to cyber attacks committed by a variety of actors, as well as attacks where attribution is unclear or impossible,” Finch said.

As the SAFETY Act is currently drafted, the secretary of homeland security must declare an “act of terrorism” has occurred in order to trigger the protections of the act. Nothing in the SAFETY Act statute or Final Rule though requires that there be a finding of a “terrorist” intent in order for the secretary to declare an “act of terrorism” occurred.

In fact, the only discussion of “intent” is that the attack must have used a weapon or other instrument “intended” to cause some form of injury. Congress did not explicitly, or implicitly, limit qualifying “acts of terrorism” to politically, religiously or other ideologically motivated actions by specifically defined groups or persons.

For purposes of the SAFETY Act, an “act of terrorism” was simply an intentional unlawful act intended to cause harm to US persons, property or economic interests.

It follows, Finch explained, that, “The SAFETY Act statute can (and is) interpreted to include cyber attacks as an act that can be considered an “act of terrorism” and may serve as a trigger for the protections of the SAFETY Act.

Finch continued, saying, “This point is readily demonstrated by the fact that DHS, through its Office of SAFETY Act Implementation, has already approved a number of cybersecurity products and services. By that measure alone, we know that the SAFETY Act applies to a variety of cybersecurity products and services.”

Consequently, Finch said he believes there is no question that cyber attacks, as well as cyber products and services, are eligible to receive SAFETY Act protections under the plain language of the SAFETY Act statute and the Final Rule as originally drafted.

Hence, the SAFETY Act needs to be clarified, not amended.

“Clarifying – but not amending – the SAFETY Act so that it explicitly covers cyber incidents and cybersecurity technologies is not only appropriate given the seriousness of the cyber threat,” Finch said. “It is also appropriate given the general misunderstanding of how the SAFETY Act works and the need to provide flexibility to the Homeland Security Secretary when determining whether to let the protections of the SAFETY Act be applied.”

Opposition: incentivizing or stifling innovation?

Andrea M. Matwyshyn — Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University, a professor of law at Northeastern University and a faculty affiliate of the Center for Internet and Society at Stanford Law School — told the subcommittee that cybersecurity awareness has dramatically increased over the past decade as high-profile incidents have continued to dominate headlines. Unfortunately, the nation’s cybersecurity measures are failing to keep pace with the increasing number and sophistication of attacks.

Further complicating the situation is the reality that the field of information security is still in its infancy, which means there are no tried and tested practices on how best to respond to security failures and improve the data stewardship capablilities of both the private and public sectors.

This is the context framing the current discussion of extending the SAFETY Act to cybersecurity. Although the US must stimulate improved information security practices, Matwyshyn fears the SAFETY Act will stifle the very innovation it is trying to create.

Limited liability, Matwyshyn argued, could unintentionally create incentives for lower quality in information security products and services. Currently, the market for information technology products and services is booming and has matured significantly over the years with some estimates putting sales of digital security products and services at $80 billion worldwide in 2015. This number could rise to $93 billion in the next two years.

However, decision makers could be lured into choosing older, potentially more vulnerable, certified technologies simply because of a lower price point. This creates a huge problem, since technologies are continually being updated to meet the demands of the ever-evolving cybersecurity threat landscape.

“Because of the fast pace of innovation in information security, it is likely that the liability protection offered to certified products by the SAFETY Act will outlive the optimal technical efficacy of those certified products,” Matwyshyn explained. “Yet, any technology deployed during the period of designation is protected for the lifetime of designation.”

If companies begin to shift away from purchasing based primarily on technical efficacy toward purchasing information security products based on whether they are certified under the SAFETY Act—even if the products are not a good fit—the SAFETY ACT could end up hindering the adoption of new information security technologies in favor of older ones.

“Selectively granted limitations of liability through the SAFETY Act will hinder innovation in information security and negatively disrupt the information security marketplace,” Matwyshyn said. “They are also likely to indirectly damage national security and stifle consumer protection efforts of other agencies.”

In his Homeland Security Today cover report, System Shutdown, G. I. “Dutch” Forstater, CEO, COO and chief engineer of Professional Systems Engineering LLC nationally known for his expertise in design and engineering of integrated systems for complex critical infrastructure projects, warned that, “Obsolescence through time is proceeding to shut down existing security systems from further product or technical support right before our very eyes. By 2015, the computerization of electronics will have increased the capacity of integrated circuits one million fold in just 30 years’ time.”

“Electronic chips are already more than three million times lighter and 10,000 times cheaper than an equivalent device 30 years ago. But even with this substantial increase in miniaturization, memory management, memory capacity, cloud services and virtualization of the legacy personal computer (PC), the basic X86 processor is still the same old device of 40 years ago,” Forstater wrote.

And, “This will pose serious and fundamental problems for access control and other security systems by 2018 because of this simple reality of life cycle and the consequent costs to continue interim software development until the next X86 version processor is developed,” he stated.

Matwyshyn argues instead for a tax incentive approach. SAFETY Act funding could be repurposed to provide tax benefits to enterprises that are operating on tight budgets to invest in information security education, hire security personnel and purchase information security goods and services.

On the flip side of the coin, Raymond B. Biagini, partner at Covington & Burling LLP and original author of the core liability protection provision of the SAFETY Act, argued that DHS’s continued requirement that a technology have a record of “proven effectiveness” will likely spur higher quality technology.

Biagini believes the real challenges will be for the DHS SAFETY Act Office to have sufficient qualified resources to conduct meaningful and timely reviews in an atmosphere of rapidly changing technology and threats.

“In the end, this amendment, like the original SAFETY Act, should be driven by a common spirit and intent: to take proactive legislative incentivizing steps now — to avoid a catastrophic debilitating incident involving a major critical infrastructure or economic sector of the US,” Biagini concluded. “This proposed discriminate amendment of the SAFETY Act is a step in the right direction.”

View the original content and more from this author here: http://ift.tt/1SmLLTw

from cyber security caucus http://ift.tt/1SmLxM6
via IFTTT

FBI admits understaffed to tackle cybersecurity concerns

WASHINGTON, July 31 — The FBI is struggling to attract computer scientists to its cybersecurity programme mainly due to low pay, a report by the US Department of Justice showed, highlighting weaknesses in a flagship initiative to tackle growing cyber threats.

As of January 2015, The Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorised to employ under the Justice Department’s Next Generation Cyber Initiative launched in 2012, the report showed.

Although cyber task forces have been set up at all 56 FBI field offices, five of them did not have a computer scientist assigned to them, the report by the Office of the Inspector General found.

Cyber security threats are among the Justice Department’s top priorities and there has been a slew of damaging cyberattacks against private companies and US government agencies in the last couple of years.

The FBI budgeted US$314 million (RM1.2 billion) on the programme for the 2014 fiscal year, including 1,333 full-time employees, the report by the internal watchdog said.

Lower salaries compared to the private sector made it difficult for the FBI to hire and retain cyber experts, the Office of the Inspector General said in the report.

It also said extensive background check procedures and drug tests excluded many otherwise qualified candidates.

For example, the FBI is unable to hire anyone who is found to have used marijuana in the previous three years or any other illegal drug in the past ten years, it said.

The report follows the disclosure by the US government’s personnel management agency that up to 22.1 million people were affected by a breach of its computer networks that was discovered in April, or almost 7 per cent of the US population.

The United States has privately accused China for the cyber attack, but Beijing has denied responsibility.

A previous hack on Sony Pictures Entertainment in November 2014 was pinned on North Korea by FBI investigators.

The FBI said in a letter to the Office of the Inspector General responding to the report that “the cyber workforce challenge runs throughout the federal government” and that it would continue to develop “aggressive and innovative recruitment and retention strategies”. — Reuters

View the original content and more from this author here: http://ift.tt/1SmLKiC

from cyber security caucus http://ift.tt/1SmLxvO
via IFTTT

Secret surveillance bill? Senate could pass CISA info-sharing bill with barely any debate

With about one week to go before Congress’ August recess, the Senate signaled that it could rush through debate to vote on a controversial information-sharing bill that critics have dubbed “a surveillance bill masquerading as a cybersecurity bill.”

On Thursday, Senate Majority Leader Mitch McConnell (R-Kentucky) said that if the chamber cannot move forward on a vote to defund Planned Parenthood – an effort that is likely doomed by opposition from Democrats – it will look to pass the Cybersecurity Information Sharing Act (CISA), the National Journal reported. The bill would grant companies more protections when it comes to gathering potentially threat-related data and allow them to share that information with government departments like the National Security Agency.

McConnell’s comments were something of a surprise considering that just two days earlier, reports suggested consideration of CISA would slip past recess and be delayed for at least another month.

Following the majority leader’s comments, Senator Patrick Leahy (D-Vermont) attacked the plan, saying any movement on CISA, and cybersecurity in general, “requires a thoughtful and bipartisan response from Congress.”

“If the Majority Leader is serious about improving our nation’s cybersecurity,” Leahy added, he will allow for a “meaningful amendment process.” Such a move would allow critics a chance to strengthen the bill’s privacy protections.

“If [McConnell] wants yet another political stunt, he will try to jam this bill through the Senate just days before the August recess. That is not the responsible way to legislate about our nation’s cybersecurity.”

Passage of some kind of cybersecurity bill has been on the minds of lawmakers, as well as President Barack Obama, ever since hackers breached the internal networks of Sony last year. The most recent hack, against the federal Office of Personnel Management, saw the records of more than 21 million government workers pilfered by hackers.

Obama has specifically called for more information sharing between the public and private sectors, and supporters of CISA say it will help officials detect cyber threats and potentially stop them before they hit.

Yet critics of the bill have come up with a litany of objects. Senator Ron Wyden (D-Oregon) has led the charge, arguing recently that “CISA will do little to protect you from hackers, and it may even make things worse.”

In a clear reference to the OPM hack, Wyden said, “The government can’t keep its own data safe. Giving more of your information to the government creates a huge new target for hackers.”

View the original content and more from this author here: http://ift.tt/1SmLIY0

from cyber security caucus http://ift.tt/1SmLyQp
via IFTTT

Business cybersecurity is a team sport

A company’s cybersecurity is a team effort. Coordination is critical because criminals will try to exploit weak links, especially in small businesses.

Think teamwork for a moment. Any company’s cybersecurity defenses involve a group effort of managers, employees and outside vendors.

Whether it’s cloud services, information technology, human resources, payroll, maintenance or other departments or functions, cooperation is needed to thwart the bad guys. With personal and business information flowing back and forth in so many areas, criminals are looking for sweet spots to exploit.

The role played by vendors or outside service providers is a critical one, especially for small and midsized businesses. Vendors and consultants supply expertise that many businesses don’t have, allowing the latter to focus on core activities that drive growth and profitability.

Regarding the entities that play a role keeping a company’s information networks safe, here are some questions to ask:

— Does a vendor have liability insurance tied specifically to cyber attacks?

— How would it respond to a data breach?

— Does it have an overall plan on information security?

Data breaches at giant retailers, financial companies and government entities grab the headlines, but small businesses also are a target of hackers and ID-theft criminals.

According to this year’s Verizon Data Breach Investigation Report, hackers commonly use automated attacks to infiltrate the weak defenses of small businesses and their vendors. The attacks happen quickly. Sixty percent of companies that experienced a data breach were compromised by attackers within minutes, the report states.

Many businesses that suffer a breach might think criminals made sophisticated, multipronged probes, but the reality is that most of the 80,000 incidents reviewed by Verizon fell into one of nine attack patterns. Three of these stood out:

— The use of crimeware or malicious software designed to steal sensitive information.

— Cyber espionage tactics, also designed to extract data from business or government computers.

— Point of sale intrusions, especially involving unauthorized access to credit and debt cards in retailing.

Other efforts involved misuse of insider information or access, attacks on Internet applications and attacks tied to service denials.

It’s critical to view your managed-service providers as integral partners on your cybersecurity team, and that means evaluating which of them are best prepared to handle a data breach. This is an opportunity for suppliers and consultants to gain a competitive advantage by taking cyber risks seriously. Businesses also can benefit from putting information security at the top of their list of concerns.

Mark’s most important: Find out which vendors or other service providers are ready to join your cybersecurity team, with strong policies and plans to back up their claims.

View the original content and more from this author here: http://ift.tt/1UbsjGR

from cyber security caucus http://ift.tt/1UbsfqG
via IFTTT

Thursday 30 July 2015

CISA 2015: Privacy Groups Wage Fax Warfare To Kill Cybersecurity Bill As Senate Vote Approaches

If you hear a loud rumble coming from Capitol Hill this week, don’t be alarmed. It might just be the sound of 100 fax machines.

In an effort to kill a controversial cybersecurity bill working its way through Congress, privacy groups and civil rights advocates are using 1980s technology to make a point about the folly of ill-conceived legislation, and it might actually be working.

Through a campaign called Operation: Fax Big Brother, petitioners are able to send faxes to all 100 members of the U.S. Senate with the click of a mouse. The purpose? To convince legislators to put the brakes on the Cybersecurity Information Sharing Act, or CISA, which is supposed to encourage better data sharing between technology companies and the government, but which critics say would give the government unprecedented authority to monitor users and violate privacy.

“It’s a regressive piece of legislation,” said Drew Mitnick, policy counsel for Access, an advocacy group that opposes the bill.

So why encourage critics to bombard senators with reams of angry faxes? “We wanted to demonstrate how this is not a modern piece of legislation, just like faxing your members of Congress is like an ancient way of communicating,” Mitnick added.

The Senate was expected to vote on CISA before August recess, but Mitnick and other advocates now say they’re hopeful that the vote will be postponed. Access is holding a press call on Thursday along with other critics of the legislation, including Sen. Ron Wyden, R-Ore.

The Fax Big Brother campaign was spearheaded by Fight for the Future, an Internet advocacy group based in Boston, which set up a website allowing visitors to type their fax into a field and blast faxes to Congress instantly. Users can also send faxes via Twitter by using the hashtag #FaxBigBrother.

Evan Greer, the group’s campaign director, said faxes are coming in faster than the system can send them. As of Wednesday, there were more than 6 million sitting in the queue and about 100,000 faxes actually sent, she said.

“We have eight phone lines running with a dedicated server and modems, and so we’re trying to scale up the number of faxes we can send,” she said. “At this rate, it will take almost a year for all of them to get to Congress.”

CISA, which has bipartisan support, has already passed the Senate Intelligence Committee. The bill was introduced by Sen. Dianne Feinstein, D-Calif., in July 2014 and reintroduced by Sen. Richard Burr, R-N.C., in March 2015. Representatives for the two senators’ offices could not immediately confirm if they had seen an influx of faxes this week.

Either way, the bill has faced widespread criticism from privacy groups, including the Electronic Frontier Foundation. In a blog post this week, EFF activist Nadia Kayyali, called the proposal “fundamentally flawed because of its broad immunity clauses for companies, vague definitions, and aggressive spying powers.”

Mitnick credited the grassroots activism as one of the reasons why the Senate may now postpone the vote. “They’ve been making statements for months about prioritizing this piece of legislation and how critical it is, but it seems like they’ve lost some of their mojo,” he said.

Greer called CISA an “end run” around the privacy protections that enable Internet users to express themselves online without fear of being watched. “Privacy isn’t just about our secrets,” she said. “It’s about our ability to be ourselves and express ourselves freely in the world without feeling like there’s someone constantly watching over our shoulder. This would undermine the Fourth Amendment and prevent us from truly being ourselves on the Internet, which I don’t think is something that anyone wants.”

View the original content and more from this author here: http://ift.tt/1eBwn3b

from cyber security caucus http://ift.tt/1DQWyJJ
via IFTTT

Barack Obama puts cronyism above cybersecurity

It’s the most far-reaching scandal in Washington that no one wants to talk about: Tens of millions of federal employees had their personal information hacked as a result of Obama administration incompetence and political favoritism.

Ethnic community organizer-turned-Office of Personnel Management head Katherine Archuleta recklessly eschewed basic cyber-security in favor of politically correct “diversity” initiatives during her disastrous crony tenure. This Beltway business-as-usual created an irresistible opportunity for hackers to reach out and grab massive amounts of sensitive data — compromising everyone from rank-and-file government employees to CIA spies.

Could it get worse? You betcha.

Amid increasing concerns about these massive government computer breaches, the Defense Department is expected to announce the winner of a lucrative high-stakes contract to overhaul the military’s electronic health- records system this week.

The leading finalist among three top contenders is Epic Systems, a Wisconsin-based health-care software company founded and led by top Obama billionaire donor Judy Faulkner.

Thanks in significant part to President Obama’s $19 billion stimulus subsidy program for health-data vendors, Epic is now the dominant EMR player in the US health IT market.

According to Becker’s Hospital Review, CVS Caremark’s retail clinic chain, MinuteClinic, is now adopting Epic’s system, and “when the transition is complete, about 51 percent of Americans will have an Epic record.”

Other major clients include Kaiser Permanente of Oakland, Calif., Cleveland Clinic, Johns Hopkins Medicine in Baltimore, Arlington-based Texas Health Resources, Massachusetts General Hospital in Boston, Mount Sinai Health System in New York City and Duke University Health System in Raleigh, NC.

As I’ve reported previously, Epic employees donated nearly $1 million to political parties and candidates between 1995 and 2012 — 82 percent of it to Democrats.

The company’s top 10 PAC recipients are all Democratic or left-wing outfits, from the Democratic Congressional Campaign Committee (nearly $230,000) to the DNC Services Corp. (nearly $175,000) and the America’s Families First Action Fund Democratic super-PAC ($150,000).

Faulkner received a plum appointment to a federal health IT policy panel in 2011. Brandon Glenn of Medical Economics noted that “it’s not a coincidence” that Epic’s sales “have been skyrocketing in recent years, up to $1.2 billion in 2011, double what they were four years prior.”

Stunningly, Epic “has the edge” on the gargantuan Pentagon medical-records contract, The Washington Post reported Monday.

This favored status comes despite myriad complaints about the interoperability, usability and security of Epic’s closed-end proprietary software.

Just last week, the UCLA Health system run by Epic suffered a cyber attack affecting up to 4.5 million personal and medical records, including Social Security numbers, Medicare and health-plan identifiers, birthdays and physical addresses.

The university’s CareConnect system spans four hospitals and 150 offices across Southern California.

The university’s top doctors and medical staff market their informatics expertise and consulting services to other Epic customers “to ensure the successful implementation and optimization of your Epic EHR.”

Will they be sharing their experience having to mop up the post-cyber-attack mess involving their Epic infrastructure?

UCLA Health acknowledged that the hack forced it to “employ more cybersecurity experts on its internal security team, and to hire an outside cybersecurity firm to guard its network,” according to CNN.

Now another Obama crony is poised to cash in on her cozy ties and take over the mega-overhaul of millions of Pentagon and Veterans Affairs medical records to the tune of at least $11 billion.

Can you say “Epic fail”?

View the original content and more from this author here: http://ift.tt/1Myuwef

from cyber security caucus http://ift.tt/1DQWpGc
via IFTTT

Congressman Henry Cuellar hosts cybersecurity conference

WASHINGTON, D.C. (KGNS) - With so many people online these days, we’re almost all exposed to cyber threats.

People and small business owners got the chance to learn how to protect their computers, smart phones and business information against some of those threats.

Congressman Henry Cuellar hosted a free public cyber security video conference from Washington, with representatives from the Department of Homeland Security.

View the original content and more from this author here: http://ift.tt/1DQWoC3

from cyber security caucus http://ift.tt/1Mz5uvs
via IFTTT

Quarter of firms on FTSE350 not confronting cyber risks

In a survey recently carried out on secretaries working for UK 350 companies, results revealed that firms are concerned over risks from cyber security, but 25% are not doing anything about it.

The recent FT/ICSA Boardroom Bellwether survey shows that 75% of firms perceive cyber security risk to be on the rise, and over 65% are taking action to minimise any susceptibility they may have to cyber threats, according to the report. However, 25% are doing nothing to lower the risk.

The Institute of Directors chair, Lady Barbara Judge, said that boards cannot turn a blind eye to the risk. Speaking to the Financial Times, she said:
“Although it is creeping into the remit of some risk committees, I think the whole issue [of cybersecurity] is so overwhelming to boards that often they put it in the ‘too difficult’ category.”
Included in other findings was the news that firms are showing an increasing amount of optimism regarding Britain’s growth potential. There was a 30% increase from the end of 2013, with 74% expecting improved conditions within the next year.

The survey results regarding cybersecurity show a recurring theme in that business owners are not taking enough action, in spite of the fact that they are fully aware of the risks. Should they decide to confront the issue, they can start by making information security jobs available to trained cyber professionals.

View the original content and more from this author here: http://ift.tt/1Mz5uvp

from cyber security caucus http://ift.tt/1DQWppO
via IFTTT

How to establish Best Practices in cybersecurity

With cyber risks increasing year-on-year, and regulators such as the Securities and Exchange Commission (`SEC’) taking an increasingly prominent role in assessing the preparedness of broker-dealers and registered investment advisors, establishing cybersecurity best practices is not only useful; it’s a necessity.

Cybersecurity is a complex web and as such there are many areas to consider. The best place for any manager to start is to take a step back and assess the risk of their overall business environment.

“It should be woven into business process and supported by senior management. It should not be relegated as being just an IT issue,” says James Tedman, Managing Director, ACA Aponix (Europe). “It’s all very well having sound processes but you need to make sure you can evidence that. When it comes to risk assessment, firms should create and manage prioritised issue lists and demonstrate how they are working through these. They should maintain inventories of all devices, and create data maps, so that they can show where data resides and how it flows through the organisation and externally to vendors.”

Rather than cybersecurity becoming a Sisyphus-like challenge, managers can partner with outsourced technology specialists who spend their working days keeping on top of this ever-changing landscape. As Mike Asher, CIO, Richard Fleischman & Associates – a leading New York-based outsourced technology consultancy – comments: “Our R&D department is constantly testing new products to determine what is viable and what we should be paying attention to.”

“There’s no silver bullet solution. But at least managers should make a breach as difficult as possible,” adds Grigoriy Milis, chief technology officer at RFA. “If it does occur, they need to know about it as soon as possible. Those are the two goals that we are trying to achieve for our clients, and which any hedge fund should try to accomplish.”

At a high level, Milis briefly summarises some of the key components to establishing a solid cybersecurity programme. Firstly, managers are advised to implement next generation firewall solutions “combined with a managed security service that can monitor the intrusion detection aspect of the firewall on a continuous basis”.

“Secondly, we recommend a next generation end point solution. End point still remains one of the most unprotected parts of any infrastructure in the hedge fund space. Regular detection rates with antivirus solutions are somewhere in the region of 35%, which is clearly not sufficient,” states Milis.

Thirdly, implement a data governance policy. This helps managers to not only identify sensitive information on the company’s servers but also shows who has access to that information; that can be an invaluable tool if they need to determine the extent of a cybersecurity breach event.

“We also recommend encryption solutions as the last line of defence to protect the most sensitive information in the company,” adds Milis.

Data management & data fraud

One of the best lines of defence in any cybersecurity programme is establishing a robust data management solution. Cybersecurity does not simply mean nefarious forces trying to infiltrate the network; it is also about data loss within the firm, which represents a significant reputational risk.

Hedge funds are unique in that they transfer data to multiple sources – their prime brokers, their fund administrators, etc – and as such it becomes a difficult task to keep track of that data and guard against data fraud or internal failings. “It’s important for hedge funds to understand exactly what data their service providers have access to, how and where this is stored, and how it is secured. That’s vital,” stresses Tedman.

Richard Anstey is CTO at Intralinks (EMEA). He points out that there is still an over-reliance on transmitting data via email and is an issue that needs addressing. There are technologies out there that can, in a relatively friction-free way, provide a more secure means of information transmission.

“Information Rights Management (IRM) is one such technology that we recommend for the transmission of any kind of secure information between parties,” says Anstey. “It can still be facilitated and notified by email but the actual delivery of data is secure. With IRM steps can be put in place to make it difficult for someone to print out information or photograph the screen by using watermarks in documentation.

“Moreover, you can remotely revoke access to the data at some later date. It’s like having an electronic remote version of a paper shredder. You can destroy data that you’ve shared with someone that you think is no longer relevant using IRM technology.”

Vendor appraisal

Vendors are often the firm’s weakest link when it comes to cyber risk. Firms should take heed of the FCA’s “Dear CEO” paper, which was released last year and apply a robust vendor management programme as part of cybersecurity management.

Not all hedge funds have sufficient visibility of processes within the vendors they partner with. SOC 2 and ISO 27001 are all perfectly valid certifications that are hard to earn “but we recommend to our clients that they go beyond that. They should build a clear understanding of the vendor, their process, people, and be comfortable that policies are being followed in practice,” comments Tedman.

In other words, managers shouldn’t take blind faith that their vendors – and this includes their key service providers such as prime brokers – are doing all that they can to uphold the security and integrity of a fund’s data. Rather than take their word for it, managers should seek independent verification.

“One telling statistic is that 69 per cent of breaches are detected by an external party (Mandiant M-Trends 2015). This highlights the value of an independent audit – you can’t check your own homework. It does not mean that the IT team or service provider is doing a bad job, it’s just that an extra set of eyes gives independence and avoids conflict of interest,” says Tedman, adding:

“Reviews should be undertaken at least annually and the questions that you ask of your vendors should be tailored to the role that they play and the data that they are privy to. Use searching questions that avoid simple Yes or No answers.”

RFA’s Asher points out that prime brokers are working hard to identify the weakest links and establish secure communications with all their clients; partly because many have been breached already, partly because they do not want to suffer any further reputational damage.

“They are providing alternative asset managers with helpful questionnaires that can be shared with their vendors to make sure they are compliant with SEC guidelines, as well as providing guidance on what firms need to do to secure themselves to an acceptable baseline level,” says Asher.

Bob Guilbert is Managing Director at Eze Castle Integration. In his opinion, the vetting of third party vendors is becoming essential; not only as best practice, but also because investors themselves want to know what business continuity plans and incident response plans these vendors have in place.

“Investors are getting a lot more savvy and asking detailed questions to ensure that the end providers themselves have the proper cybersecurity plans in place as well as the manager.

Asking questions on BCPs, etc, should become a thorough part of a manager’s own due diligence process when selecting their service providers. Thereafter, the manager should conduct annual due diligence checks. We advocate going to visit them in person. For example, we use top-tier data centres for the protection of the Eze Private Cloud and we encourage clients to go and visit one as part of their annual periodic review.

“We ourselves are constantly making adjustments to respond to this changing landscape. The funds themselves should be asking for updated BCPs and updated WISPs, to reflect this changing landscape,” comments Guilbert.

Written policies

Establishing cybersecurity best practices should not only be about prevention from external threats but having the necessary internal policies and procedures to recover from a breach attack. This should not be confined to the minds of the CTO or senior IT staff; rather, firms should look to build out an incident response plan.

In a white paper written by Capital Support Limited in May 2015 entitled Cybersecurity Threats and Vulnerabilities, they point out that an IR plan should include the following six components:

• Incident classification

• Data classification

• Performance targets

• Operating models

• Identify weaknesses

• Tools and guidelines.

Asher states that confusion arises within hedge funds when it comes to understanding what needs to be done when a breach occurs and how it should fall into the manager’s overall business continuity plan (BCP).

“There’s no hesitation invoking a disaster recovery component when there’s a technology issue i.e. a power outage. It’s a well-defined practice. But reporting a cybersecurity breach to a third party vendor that might then be required to relay information during a regulatory investigation means that there is still hesitation. It is uncharted territory and that’s where the confusion stems from.

“It’s an educational process from our end, explaining what needs to be included as part of a comprehensive business continuity plan that is actionable and allows the manager to proceed with their operations even if a breach is detected,” says Asher.

One document that is becoming an important tool is the Written Information Security Plan (WISP). As Guilbert explains: “The WISP covers both administrative and technical safeguards as well as the incident response plan, third party risk assessments and employee guidelines. It allows us to look through all facets of a hedge fund manager’s operations, from a cybersecurity perspective.

“The WISP should be periodically reviewed and shared with investors when requested.”

Recently, the SEC found that 83 per cent of advisors have adopted a WISP but Tedman warns that not all of them pass muster. Typically, he says, there is minimal data governance, the incident response plan is weak or non-existent, and all too often the WISP template has simply been lifted off the internet.

“Policies should be specific to the organisation and based upon a deep understanding of the environment such that they are practical and demonstrable as well.

“They should, in short, reflect the culture of the firm. Going forward we expect to see much more interrogation of security processes with regulators looking for clear evidence that firms are adhering to best practices, not just asking them whether they are or not,” says Tedman.

Staff training

The majority of cybersecurity issues that arise are preventable and typically result from human error. As such, training and educating staff are an obvious way to mitigating this risk. As Guilbert states, the first line of defence is “preparedness, awareness and education”.

“It’s the concept of having multiple locks on the door to dissuade potential cyber hackers. We are seeing more attacks happening at the individual level through phishing attacks and targeted phone calls. Padlocking the door means properly educating employees as to who is responsible for validating emails, using tools to validate email links, looking at phishing attempts and teaching sound practices on avoiding social engineering techniques,” says Guilbert.

Anstey points out that one of the strengths of information rights management is that it means managers have a technology solution in place that help them to recover from accidental data loss. “The advantage of IRM is that you retain control even after the content has left the organisation,” says Anstey.

Tedman says that staff training is a major issue, noting that the vast majority of attacks involve some form of phishing or social engineering as this is the easiest route into an organisation.

“Building staff awareness of cybersecurity threats and educating them on best practices is extremely important and will substantially reduce a firm’s vulnerability to attack. As part of our process we run employee training sessions and phishing tests. In the phishing tests we undertake with our clients, we are typically able to harvest around 40 per cent of the user’s credentials and gain access to email or the file system.”

By thinking about some of the above considerations managers will better understand their threat matrix and be able to create solutions to address the most likely attack scenario.

As Milis concludes: “It’s being cognisant that the landscape is changing and the need to take proactive measures to stay protected.”

View the original content and more from this author here: http://ift.tt/1DQWdqx

from cyber security caucus http://ift.tt/1LSrKPk
via IFTTT

Wednesday 29 July 2015

Behavior Analytics takes center stage in DC

Securonix was recently invited as an ICIT fellow and industry leader to participate in an advisory meeting with senate staffers on the benefits of Behavior Analytics and to help describe the extensive ways in which it can be leveraged for insider and cyber threat detection and risk reduction.

As we sat waiting for our appointment in the senate cafeteria, senators and political figures walked by and the realization on what type of impact our discussion could have began to set in. The opportunity to help set the bar higher for cyber threat detection through data analytics and educate a room – possibly a nation – on the next generation of insider threat detection and mitigation capabilities.

The discussions were engaging, dialog flowed freely, and an appetite to learn and absorb could be felt throughout the room. With the OPM breach and Anthem still showing fresh scars, the importance and need for these discussions is bigger than ever.

Insider threat awareness has dramatically increased over the last 18-24 months, but organizations still focus on external threats, when the very access and data these actors are striving to obtain is available to your internal user population and the modus operandi for the external attackers is to compromise existing internal credentials to obtain access to the data.

The importance of peer analysis, volume spikes, and establishing a baseline of normal behaviors play a pivotal foundation to all conversations around behavior analytics. The complexities of technical vs. non-technical control points, data aggregation and catering to different industries and company sizes all provide their own unique challenges.

It is hard not to feel a great sense of satisfaction at times like these. There is a sense of pride when your daily job includes providing objective analysis that helps other organizations identify how existing technologies can address their insider threat needs. Securonix is leading the innovation for these problems.

To our Securonix partners, customers, and family: we consider these types of moments a reminder that together we are part of a dramatic change in the cyber security space.

View the original content and more from this author here: http://ift.tt/1glQjIU

from cyber security caucus http://ift.tt/1H1VX8e
via IFTTT

Expert: Credit card companies ’embarrassingly behind’ in cybersecurity

PROVIDENCE, R.I. (WPRI) — Someone falls victim to identity fraud every two seconds, according to a recent study, and often, it’s without the victim’s knowledge.

Cassandra Tang, who lives in New York City, found that a card that was still in her wallet had been used to take out $200 at an ATM she’d never been to.

“We use our credit cards or debit cards or whatever every day,” she said. “And it’s scary to know that my card could be compromised.”

Her credit card company said she probably fell victim to card skimming – thieves stole her information as she swiped her card, then made a copy, complete with a new PIN number.

This is not uncommon now, according to Scott Schober, Cyber Security Expert and CEO at Berkeley Varitronics Systems. Thieves can take the personal information on your card just by swiping, which can wind up on the “dark net,” the underbelly of the Internet.

There is something new that card companies are moving towards: “chip and PIN” technology. Cards have a more secure chip, which, combined with a PIN number, makes them harder to skim. Many European countries put that in place years ago to combat fraud, Schober said, and it’s working, but the U.S. is years behind.

“It’s not just a little bit behind. It’s embarrassingly behind,” he said.

Even though credit card companies are moving to chip cards this year, most retailers still need to buy the machines to make them work.

View the original content and more from this author here: http://ift.tt/1Sfa2uF

from cyber security caucus http://ift.tt/1KxrztW
via IFTTT

Facilities cybersecurity protects against threats you may not think about

HUNTSVILLE, Ala. (WHNT)– Experts say the range of cyber threats is growing and federal facilities aren’t immune.

In Huntsville, the US Army Corps of Engineers center in Huntsville is working to protect against those threats in ways you may not realize are key parts of national security. They’re taking a look at facility cybersecurity, dealing with threats in infrastructure like heating and cooling systems and utilities. One of those experts, branch chief Daniel Shepard, tells us those things rely on networks, and networks can be hacked.

An Information Assurance and Information Technology Branch has been established in the Huntsville Center Engineering Directorate, and this year USACE designated Huntsville Center as the Industrial Control Systems Cybersecurity Technical Center of Expertise.

That’s a mouthful.

But basically, it means they do a good job protecting and advising customers how to protect against facility cybersecurity threats, and understand cybersecurity requirements.

“This is a new facet and a new capability the Corps of Engineers is sponsoring by making this a center of expertise,” said Shepard.

Facility cybersecurity is important, he said, because “it can create mission downtime, and create irreplaceable damage” if someone were to be able to hack into a piece of equipment on a network and start to control it.

“While there’s a ton of expertise in cybersecurity for traditional IT platforms across the Army, there is not yet a lot of expertise in our niche area of cybersecurity for facilities,” Shepard said. “We are trying to be that voice with a facility engineering focus for the Army. The Corps of Engineers brings that to the Army; no one else in the Army does that.”

View the original content and more from this author here: http://ift.tt/1H0Fst1

from cyber security caucus http://ift.tt/1Sf7mgI
via IFTTT

‘If nations collaborate, bad guys have no place to hide': Cyber security solutions vendor

Ms Nicole Eagan – the CEO of a UK cybersecurity start-up’s who was part of Prime Minister’s trade delegation to Asia – says government-level cooperation, together with cybersecurity tech, will help make the digital space a safer place to be.

SINGAPORE: On the back of the Cyber Security Agency of Singapore (CSA) and the Cabinet Office of the United Kingdom signing a Memorandum of Understanding on cybersecurity cooperation on Wednesday (Jul 29), the chief executive officer of Darktrace – a Britain-based IT security vendor – said: “If nations collaborate, bad guys have no place to hide.”

Ms Nicole Eagan echoed the words spoken by British Prime Minister David Cameron during a speech he gave here on Tuesday, saying that technology such as those provided by her company and other security vendors help “shine bright lights” on the bad guys, which would restrict the digital space they can operate in.

In an interview with Channel NewsAsia on Wednesday before the MoU was announced, Ms Eagan said her company would help “implement aspects of the MoU”, but declined to elaborate.

The MoU covered cooperation in four areas, according to the CSA press release:

Cooperation between Computer Emergency Response Teams (CERTs) and exchanges to enhance cybersecurity incident response

Extension of joint cyber research and development (R&D) collaboration between the UK’s Engineering and Physical Sciences Research Council and Singapore’s National Research Foundation, with the doubling of funding from S$2.5 million to S$5.1 million for academic research over three years

Talent development and awareness building by collaborating with the UK Cyber Security Challenge for a Singapore edition of a new Massive Multiplayer Online Game (MMOG) – the UK’s first international partner to licence an area of the MMOG

Sharing of best practices for business and industry in the protection of systems, quality of cybersecurity products and services and technical services

More details of the cooperation will be finalised during the next UK-Singapore Cyber Dialogue planned for later this year, and the CERT agreement scheduled in September, CSA added.

FUNDAMENTAL NEW APPROACH NEEDED

Ms Eagan noted that while sharing of information has value, whether at the corporate or government level, sometimes it is “limited”. Threat intelligence shared tend to be updates from the day before, and most cyberattackers can simply change a line of code to evade detection, she noted.

Furthermore, such information cannot inform companies or organisations of unusual activities or “unknown bads”, or threats, lying dormant within one’s network, she added.

As such, a “fundamental new approach” is needed when it comes to cybersecurity, and this can be achieved through machine learning, she said.

Darktrace’s product is in essence a software that passively monitors the network. Ms Eagan likens it to the human body’s immune system – it will not know when an attack will take place, but “because it has a sense of self”, it is able to detect activities or patterns that are out of the ordinary.

“There are no rules or assumption made beforehand, unlike other security products in the market,” she said. “It is also passively, and not actively, monitoring so it doesn’t affect sensitive operations such as a bank’s financial trading.”

The CEO said the company started with enterprise networks, before moving to industrial control systems such as SCADA. It got its big break when telecom operator BT engaged its service in 2015, allowing Darktrace to scale its service to half a million devices that were on the client’s network.

“For a company like BT to take a chance on a start-up like us gave us the confidence to move beyond the usual academic projects associated with machine learning and scale up,” Ms Eagan said. The company was founded in 2013 by machine learning specialists and government intelligence experts.

She also felt the company’s product could prove to be a good fit for the Republic’s Smart Nation initiative, as it adheres to privacy laws in Europe, which are known to be one of the strictest globally. Its product passively monitors network traffic, and does not look into the data packet’s content – something that she said is the “most straight-forward and safest” for implementation.

Darktrace Managing Director for Asia Pacific Sanjay Aurora told Channel NewsAsia that the company is in talks with government organisations and other corporations with regard to the Smart Nation initiative, but stopped short of giving more details.

Ms Eagan added that while the company does not have a product specific to the Internet of Things, it is involved with companies in this area on a project basis. Just like its enterprise and industrial control system products, having an IoT-specific product is a case of “tweaking the algorithm” to suit the relevant environment, she said.

View the original content and more from this author here: http://ift.tt/1KxaO1U

from cyber security caucus http://ift.tt/1Sf7k8t
via IFTTT

Black Vine: Anthem hackers share zero-days with rival cyberattackers

Android phones can get infiltrated by a single text message, cybersecurity firm says

A recent study published by Zimperium on Monday says Android phones can get infected through a single text message received.

The cybersecurity company claims its researchers have found “the mother of all Android vulnerabilities,” which is also considered as a flaw in the most popular mobile operating system that could give away millions of users’ personal information to hackers.

According to CNN, the problem begins with the process of analyzing incoming text messages within the Android phone’s OS. The phones are automatically processing incoming files including pictures, audio, or videos — that is, before a user has the chance to open these.

The auto-processing move means malware-infected files can actually start spreading its viruses to a phone soon as the files are received. The flaw is somehow similar to Apple’s text hack. However, Zimperium says this major flaw is even worse as it allows a hacker to “gain complete control” of the phone. Processes that can be controlled by hackers include: wiping the device, accessing apps, and even secretly turning on the camera.

Google has since admitted to the Android issue in a statement to CNNMoney. It did assure users that Android has its installed systems that limit a hacker’s access to separate apps and phone functions. However, hackers have infiltrated these systems before.

The security company’s report says the huge bug is able to affect any phone that uses Android software developed within the past five years. This means devices running Android’s Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, and Lollipop iterations are included in the virus-prone zone.

Zimperium claims it has warned Google about the flaw it discovered on April 9 and even provided the giant tech with a solution. Google responded the next day, assuring them that a patch will be developed and rolled out to its clients soon.

A 90-day grace period is usually given to companies in such situations, but more than 100 days have passed and Google was not able to roll out the patch to all its users, thus Zimperium has gone public to warn all Android users.

View the original content and more from this author here: http://ift.tt/1JuoPfq

from cyber security caucus http://ift.tt/1KyoHtU
via IFTTT

Tuesday 28 July 2015

Israel focusing more on cybersecurity as it faces nonstop attacks

Israel understands the importance of building a strong cybersecurity defense, as attacks on its critical infrastructure greatly increased over the past few years.

Israel Electric, responsible for more than 80 percent of Israel’s power production and infrastructure, saw cyberattacks increase from a few hundred per hour in 2013 – up to 20,000 per hour in 2014, according to reports. The Israeli government and major businesses are on a cybersecurity hiring spree, trying to help defend against evolving threats.

“You can’t be a good defender unless you understand the offense,” said Amos Yadlin, former military chief and head of the Tel Aviv University Institute for National Security Studies, in a statement to Bloomberg News. “Therefore, defensive efforts must overlap to some degree with offensive efforts, including those of intelligence collection.”

It’s a complicated effort for nations, especially the United States and Israel, which face large numbers of cyberattacks every day. During Israel’s offensive in Gaza, the country faced up wards of 2 million cyberattacks per day – and trying to keep data secure from outside threat is overly difficult.

View the original content and more from this author here: http://ift.tt/1JNwKjV

from cyber security caucus http://ift.tt/1U3yrRx
via IFTTT

NIST cybersecurity center proposes best practices for mobile EHR security

The National Cybersecurity Center of Excellence, part of the U.S. Department of Commerce’s National Institute of Standards of Technology, is circulating a draft guidance on best practices for securing healthcare data on mobile devices.

The draft, entitled, “Securing Electronic Health Records on Mobile Devices,” is the first in a planned series of guidances on improving cybersecurity across many industries with the help of standards-based technology, the three-year old center announced.

NCCoE developed the draft by running a simulated primary care environment to test the interactions between users, an EHR system and mobile devices. The center then applied commercially available technologies to build tighter controls for mobile EHR security and privacy.

“Using the guide, your organization may choose to adopt the same approach. Commercial and open-source standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments,” the document stated.

The draft guide maps security practices and characteristics to the HIPAA security rule and other standards, then details the technical requirements for addressing security issues before offering how-to advice for health IT professionals.

“This guide can help providers protect critical patient information without getting in the way of delivering quality care,” NCCoE Director Donna Dodson said in a prepared statement.

“We know from working with them that healthcare organizations want to protect their clients’ personal information and themselves from the high costs associated with breaches,” Dodson added. “This guide can be an important tool among the many they use to reduce risk.”

The NCCoE is taking public comments on the draft through Sept. 25 at this link, or by e-mail that should be addressed to HIT_NCCoE@nist.gov.

In health IT, NIST already is responsible for certifying the certification bodies in the context of Meaningful Use.

View the original content and more from this author here: http://ift.tt/1KuNAH2

from cyber security caucus http://ift.tt/1LPeCdU
via IFTTT

Temasek Polytechnic, IBM open SOC to enhance cyber security skills of students

IBM and Temasek Polytechnic (TP) have opened the TP-IBM Security Operations Centre (SOC) as part of the launch of TP’s IT & Security and Forensics course.

Over the next five years, it is estimated that the SOC will train 500 students to fight cybercrime using IBM technology.

The TP-IBM SOC marks IBM’s third partnership with TP, aimed at further enhancing students’ expertise and employability in the market for skilled cyber security professionals. Previous collaborations include the TP-IBM IT Service Management Centre and the TP-IBM Retail Analytics Centre.

“The IT Security & Forensics Hub is a place where students can deepen their skills and gain mastery under the mentorship of industry experts and skilled staff,” said Boo Kheng Hua, Principal & Chief Executive Officer, Temasek Polytechnic. “Our students receive training in industry best practices and work in an environment that prepares them well to meet the needs and demands of Industry.”

The new SOC joins IBM’s network of Security Operations Centres globally as a premier training centre, which will leverage IBM’s Global Academic Initiative, a programme that offers more than 100 technologies for teaching staff to build course curriculums.

The programme has been rolled out in the Middle East and Africa (MEA) since 2014 as part of the MEA University programme, with an aim to teach 35,000 students by 2017 through an outreach of 80 universities.

Faculty and students will have access to IBM’s operational processes, products and technologies such as the IBM QRadar Security Intelligence Platform, IBM X-Force Threat Intelligence and Research feeds, IBM Security Advanced Threat Prevention Platform and IBM Control Desk for ITSM process integration.

Students will learn IT and security fundamentals, and competencies in security, ranging from network, system and application to cloud security and mobile security. They will also learn how to monitor networks in an attempt to proactively prevent, manage and investigate security threats under the mentorship of IBM Security professionals.

In their final year, students will receive internship opportunities to work alongside IBM security professionals on security projects locally or overseas to gain hands-on experience in all aspects of cyber security monitoring and analysis.

Upon completing the course, students also have the option of sitting for an IBM examination to attain the IBM Security Intelligence Specialist Certificate, which will uniquely position them as top technical talent in the global market.

“IBM’s recent Cyber Security Intelligence Index found that in 2014, the average organisation monitored by IBM Security Services experienced approximately 81 million security events. That’s more than 12,000 attacks and 109 incidents. This highlights the need for skilled resources otherwise organisations will face a huge challenge in enhancing their ability to limit new risk and apply intelligence to stop attacks and threats,” said Tim Greisinger, Managing Director, IBM Singapore.

Globally, Ponemon’s 2014 IT Security Jobs Report revealed that 36 per cent of staff positions and 58 per cent of senior staff positions in IT security went unfilled in 2013. The Ponemon 2015 Cost of a Data Breach Study has also found that the average total cost of a data breach has increased by 23 per cent since 2013 to $3.79 million.

View the original content and more from this author here: http://ift.tt/1girYDO

from cyber security caucus http://ift.tt/1U3yoFm
via IFTTT

Gov. Otter creates Cybersecurity Cabinet Task Force

IDAHO ( KMVT – KSVT ) Governor Otter is trying to ensure Idaho becomes more vigilant in the face of worldwide cybersecurity threats.

Monday he signed an executive order creating the Idaho Cybersecurity Cabinet Task Force.

It’s all in an effort to protect Idahoans from what he considers a growing threat.

Members of the task force will be charged with developing policies, programs and strategies to detect vulnerabilities and prevent attacks.

It will also be charged with promoting a culture of awareness in which all Idahoans are vigilant and aware of vulnerabilities and cyber risks.

View the original content and more from this author here: http://ift.tt/1JNwKjC

from cyber security caucus http://ift.tt/1U3yrRn
via IFTTT

Busting cybersecurity jargon: 20 need-to-know terms to protect your enterprise

Laurance Dine, Managing Principal at Verizon Enterprise Solutions, goes from detection deficits to VERIS in this guide to cybersecurity jargon.

Do you know what a detection deficit is? Do you know the difference between a malware and crimeware? These cybersecurity terms might not mean much to you now, but when your enterprise organization is faced with a potential data breach (and it’s typically not a matter of if you get breached, but when), you will want to be able to understand what’s going on.

To help, here are 20 key cybersecurity terms that you should know to secure your enterprise systems.

Detection deficit – Time it takes to discover a breach from the time of compromise.

Malware – Categorical term for various forms of malicious software designed to damage or access computers without knowledge of the owner.

Crimeware – A specific classification of malware designed for the sole purpose of conducting illegal activity.

RAM-scraping malware – Memory-scraping malware that helps attackers find sensitive data that isn’t available through other processes.

Keylogger malware – This malware installs as a result of clicking when browsing the web or downloading software. Once installed, it tracks all of the user’s keystrokes and sends that information to a remote service. This may include logins, emails and anything else typed in to the keyboard.

Exploit kits – Think of it as a pre-packaged cyberattack for dummies. Varying in complexity and targeted vulnerability the key characteristic is the easy-to-use nature of the kit. Unsophisticated attackers who lack expertise in IT or cybersecurity will typically find a user-friendly interface to initiate and manage the attack.

CVE – Common Vulnerabilities and Exposures is a dictionary of publicly known information about security vulnerabilities and exposures.

CVSS – Common Vulnerability Scoring System is designed to provide an open and standardized method for rating IT vulnerabilities.

JBOH – Java-Script-Binding-Over-HTTP, which enables an attacker to execute code remotely on Android devices that have affected apps.

IDS or IPS – Intrusion Detection Systems or Intrusion Prevention Systems may come in the form of a software application or device used to monitor a specific system or network for signs of malicious activities.

VERIS – Vocabulary for Event Recording and Incident Sharing is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.

POS intrusions -Point-of-sale intrusions are attacks that occur on the device transacting a sale. The device may be various forms of digital cash registers used across many industries.

Payment Card Skimmers – Malicious card readers that cybercriminals place on payment terminals, ATM’s or anywhere a credit card swipe occurs to copy the data from the magnetic strip on the card.

Web App Attack – A web-based cyberattack that can take various forms but is commonly defined by its use of the https or http protocol. The attack typically targets the website’s security or performance and, in some cases, can take the entire site down.

DDoS Attack – A distributed denial-of-service attack is an attempt to make an online resource unavailable to users by overwhelming the resource with maliciously generated traffic.

Phishing – An attempt to fraudulently obtain confidential information by posing as a legitimate company, usually a financial organization, via an email message.

Cyberespionage – The act of stealing confidential information digitally stored on computers or networks within a government or organization.

Botnet – Malware infected computers grouped together to form a network and controlled remotely. These networks can be recruited by the controller in a DDoS attack or to send spam emails.

Ransomware – Malware specifically designed to block access to systems or information until a ransom is paid.

Clickfraud – The act of registering artificially inflated clicks within a pay-per-click (PPC) online advertising campaign. Clicks are typically generated through the use of a person or computer program.

View the original content and more from this author here: http://ift.tt/1girYnt

from cyber security caucus http://ift.tt/1U3yoFe
via IFTTT

Monday 27 July 2015

HP Fortify finds 100% of tested smartwatches contain significant security vulns

By StephanieWisdom (HP)

Smartwatches—they’re growing in popularity for both their convenience and capabilities (plus, they look pretty cool). But, as they become more mainstream, they’ll continue to store more sensitive information, and through connectivity with mobile applications, they may soon enable physical access functions—unlocking cars and homes. It truly is the era of Internet of Things (IoT).

As part of an ongoing series looking at IoT security, HP has unveiled results of a recent study which confirms that smartwatches with network and communication functionality represent a new and open frontier for cyberattack. The study conducted by HP Fortify found that 100 percent of the tested smartwatches contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.

The study questions whether smartwatches are designed to store and protect the sensitive data and tasks for which they are built. HP Fortify on Demand assessed 10 smartwatches, along with their Android and iOS cloud and mobile application components, uncovering numerous security concerns.

You can read the report here, as well as see actionable recommendations for secure smartwatch development and use—both at home and in the office!

View the original content and more from this author here: http://ift.tt/1et5i1T

from cyber security caucus http://ift.tt/1VIHTLT
via IFTTT

Balancing Innovation and Risk: Pluribus Networks CFO George de Urioste

In the entrepreneurial culture of Silicon Valley, one of a CFO’s most important roles is to ensure that risk assessment and management are part of the innovation process, says George de Urioste, CFO of Pluribus Networks. Leveraging his high-tech company experience as a CFO, COO, CEO, board member and audit committee chair, Mr. de Urioste describes challenges of being a Silicon Valley CFO and how he is able to ask the tough questions concerning business innovation without being a “No CFO.” He also explains how CFOs can catalyze efforts to address cybersecurity threats across the enterprise and in the boardroom.

Q: What are some of the challenges of being a CFO in the heart of the high-tech industry, Silicon Valley?

George de Urioste

George de Urioste: There’s an “evolve fast or die” mentality in Silicon Valley. The hyper focus on business innovation and constantly changing business models and strategies place a lot of pressure on CFOs in two places in particular. One area is managing expectations from investors and Wall Street. This can be especially challenging in the high-tech industry these days because of the recent trends in technology company valuations. Doing that well, managing expectations, is about establishing trust and credibility with external stakeholders.

In Silicon Valley, you want to have a CEO who’s willing to leap tall buildings in a single bound and is confident in the company’s ability to do so. But you also need a CFO who will say, “Yes, we can make that leap, but it might take two or three jumps to get over that building rather than just one.” Investors appreciate CFOs whom they can trust to give them an honest assessment, whether it concerns good news or bad. I have always worked hard at building a reputation as a CFO who, if you ask me a straight question, I will give a straight answer whether I think you are going to like my answer or not.

The second challenge concerns playing the pragmatist’s role at the strategy table when you’re surrounded by people with a highly entrepreneurial mindset. We are operating in an industry where it’s so important to say “Yes” to innovation. However, the equation for innovation success needs to include risk assessment. This is not risk aversion, but rather the “CFO art form” of asking the right questions to be risk intelligent. For example, a company is ready to bring a new product to market and is contemplating a large expenditure. Have the entrepreneurs asked: “What customer behaviors are necessary to drive wide-spread adoption?” If the CFO gets deer-in-the-headlights stares, it’s likely the company isn’t ready to market the product, regardless of the innovation.

Q: How does the business typically respond to that honest and direct truth-teller mentality of a CFO?

George de Urioste: You have to earn the credibility with the business as a collaborator, so that when you ask tough questions, you’re not viewed as an adversary to innovation. I view my role as a servant-leader, so I’m always asking myself, “Am I doing everything I can to support the success of others?” When you project that attitude and back it up in your actions, the trust follows. The VP of marketing sits across the hall from me and is constantly coming into my office to bounce ideas off of me. He feels comfortable having me as a sounding board because he trusts that I understand that the company wins if he accomplishes his goals.

Q: What do you consider the biggest challenges when it comes to cybersecurity and preparedness?

George de Urioste: It’s only recently that senior management and boards have begun to grapple with the reality that individuals or loosely organized criminal hackers no longer represent the major threat. Rather, the biggest threat is coming from sponsored nation-state and organized crime efforts to penetrate networks to disrupt business and/or steal intellectual property. Defending against those actors requires a much bigger effort than just investing in cybersecurity products to defend the network at the perimeter.

To think we can prevent intrusion by locking all our network windows and doors is to engender a false sense of security. Why? Because intruders will get in, whether a company knows it or not. There is a need to broaden a company’s perspective to understand that the cybersecurity threat is on par with economic warfare, even when there is no apparent military consequence or human harm element. A major challenge to that is employees’ mindset when it comes to their role in cybersecurity. Cyber tools can be strong at the perimeter, but employees are inside the network perimeter; the choices they make on what to trust, what to question and what to be wary of are the critical link in the chain of security.

Q: What can CFOs do to help their companies take on those challenges?

George de Urioste: CFOs can make sure the IT organization has the resources available to take cybersecurity measures necessary to protect the network, IP and the company. Ensure that cybersecurity spending is a priority. CFOs can also assess the company’s preparedness for cyberbreaches by asking the CIO questions like, “What would be the result of a vulnerability assessment, if done by a third party? How would you know if someone is inside our network right now? How do you limit the attack surface once intruders are in the network? How do you prevent exfiltration, that is, preventing valuable information from getting out?”

On the people side, I champion the understanding that each employee is important to maintaining cybersecurity. Make sure everyone knows how they can be part of the solution to defending company value against cyberattacks by adhering to security and compliance measures. I also communicate that I won’t tolerate people who make themselves part of the problem by not complying.

Q: What can CFOs do to help their boards understand the importance and challenges of being cyber-prepared?

George de Urioste: Many boards have awakened to it and have raised the priority of cybersecurity. The challenge is getting more board members to recognize they should obtain advice from experts to enable risk-intelligent decisions. It’s good to know the perspective from the CIO. But just as a CFO has the financial statements audited, it’s time for a board to require audits of data center and network operations.

The CFO needs to be the transformation agent. Describing the paradigm of network security and related threats can be like trying to predict the timing of the next earthquake–no one knows when it will happen, but that doesn’t mean you should not invest in being prepared. The astute board respects being risk intelligent. Just as boards came to prioritize disaster recovery and business continuity, they now need to raise the priority on cyber breach and how to handle it once it occurs. CFO should assume a cyberbreach will happen, then demonstrate to the board the repercussions when it does. This can frame the discussion as a wake-up call. Specifically, describe to the board the potential intellectual property losses, legal expenses, property losses, reputational loss, time loss and administrative expenses.

Q: How has serving as a board member helped you as a CFO and vice versa?

George de Urioste: My board member experience has driven home for me that when it comes to communicating with the board as a CFO, it’s about the people first, the data second. Reading the dynamics of boardroom interactions is key to how I time and position the topics I want to discuss with the board. When it comes to helping my board interpret and calibrate financial risks, I make sure to frame the issues to enable quick absorption and help create priority, rather than get too deep into the weeds. For example, if I’m there to discuss a specific financial issue, I’ll focus on why it might be key to, or impact, our growth strategy, or how it could represent a risk to the enterprise.

My CFO experience comes into play in my role as a board member by enabling me to deep-dive the details that many board members may not have the financial acumen to understand. I’ve found that providing insight into how financial issues impact business value can be essential to determine if management is fully considering relevant financial matters in a new business strategy, and whether risks are being appropriately weighed. I can ask questions about a big investment or a proposed deal that only someone with a strong finance background would know to ask, and that’s a valuable tool to have in discussions with management.

View the original content and more from this author here: http://ift.tt/1DIzRY6

from cyber security caucus http://ift.tt/1IAK5RH
via IFTTT

The Pursuit of Cybersecurity

CFOs in North America view cybeattacks as a serious threat, but many have doubts about their organization’s level of preparedness, according to findings from Deloitte’s Q2 2015 CFO Signals™ survey. Nearly 25% of the 101 CFOs surveyed, most of whom work for companies with more than $1 billion in annual revenue, say they are insufficiently prepared for such crises, and just 10% say they are well-prepared.

The reality is that cyber risk is not something that can be avoided; instead, it must be managed. By understanding what data is most important to an organization, management can then determine what investments in security controls might be needed to protect those critical assets. By adopting a program to become secure, vigilant and resilient, organizations can be more confident in their ability to reap the value of their strategic investments.

Ed Powers

Addressing Cyberthreats with Business Decisions

Cybersecurity has moved from the firewall to the keyboard. Every person with a mobile device, a laptop or sitting at a desktop is an organizational vulnerability. What has changed is that implementing cybersecurity strategies comes down to business decisions. For example, organizations have to make a decision about whether allowing employees to plug thumb drives into company computers is worth the risk of infecting the network with malware.

When a security breach occurs, it’s important for management to follow a prearranged cyber- incident response plan. Strong plans include detailed processes for coordinating efforts between different front-line functions, such as the general counsel’s office, public relations and the CIO’s office. Some of the most effective plans are designed by a committee comprising those in the organization with the best understanding of how the organization works with respect to technology, as well as risk. The design plan can then be socialized across the organization, including the board. The board not only should be aware of the plan, but also understand its role in it.

During the design phase, board members should consider asking management two overarching questions: “How is the organization securing its systems,” and “Has the organization conducted a risk assessment of its crown jewels, the assets they have to protect most, realizing that not everything can be protected?” From a vigilance perspective, boards should consider asking if management is establishing risk and threat awareness across the enterprise and how the company detects violations and anomalies. Questions about resilience can focus on whether the organization has the ability to handle a critical cyber-incident and quickly return to normal operation.

Mary Galligan

Information Sharing

Without appropriate information-sharing, it’s almost impossible to detect systemic attacks early enough to contain them. Yet despite increased interest in cyberthreat information- sharing, challenges remain. Private sector organizations, especially those in heavily regulated industries, are understandably concerned that disclosure of cyberthreats may expose them to lawsuits or regulatory fines and penalties. To address private sector anxieties about litigation while bolstering national cybersecurity, President Barack Obama unveiled several policy proposals, including one that would offer “targeted liability protection” to companies that share information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and various industry-run cybersecurity groups.

The proposed liability protection may remove a significant barrier to information-sharing. However, giving the private sector some degree of safe harbor from litigation and regulatory action while simultaneously allowing regulators to exercise their duty to protect the public and financial markets remains the federal government’s ongoing challenge with respect to promoting information-sharing.

Cyber Insurance

The ever-evolving cyber risk landscape also is driving interest in cyber insurance as a complementary element of a cyber risk management program, allowing organizations to transfer some of the risks associated with cyber incidents to their insurance provider. Many early adopters were financial services companies, retailers and health care organizations with large amounts of personally identifiable information.

Cyber insurance policies provide a variety of coverage options and pre-conditions for management to consider. First-party coverage protects against losses incurred directly by the company in response to a cyber incident (direct expenses), and typically includes theft and fraud, forensic investigation, business interruption, extortion, and computer data loss and restoration. But overall, the cyber insurance market remains immature.

COSO Framework for Cybersecurity

Companies developing a cybersecurity controls and monitoring program may want to consider using as a guide the 2013 internal controls framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Using the COSO framework enables boards and senior executives to communicate business objectives, and define critical information systems and related risk tolerance levels. Once objectives and risk tolerances are defined, others within the organization, including IT personnel, can perform a detailed cyber risk analysis by evaluating information systems most likely to be targeted by attackers, as well as likely attack methods and intended points of exploitation. In turn, appropriate control activities can be put into place to address the risks.

View the original content and more from this author here: http://ift.tt/1JK022A

from cyber security caucus http://ift.tt/1I4dleg
via IFTTT

Temasek Polytechnic opens new IT security and forensics hub

SINGAPORE – Students from Temasek Polytechnic (TP) now have an integrated centre for hands-on cyber-security training and learning – at the new IT security and forensics hub.

The hub, which comes under TP’s School of Informatics and IT, comprises information technology centres that are run in collaboration with industry partners, such as the TP-Cisco Internet of Everything centre and the TP-IBM Service Management Centre.

Students will be able to work and learn in an industry environment. They will be apply their knowledge of cyber-security and information technology in a practical setting. About 1,500 students from the School of Informatics and IT will benefit from the hub.

Minister for Communications and Information Yaacob Ibrahim launched the hub officiallyon Monday. The latest cybersecurity addition to the hub, the TP-IBM Security Operations Centre, was also opened by him.

Final-year students from the diploma in cyber and digital security, and from digital forensics, will have a chance to undergo a six-month internship at this centre.

They will learn from and work with TP staff and IBM security experts on how to monitor, analyse and deal with cyber threats.

Dr Yaacob said that as cyber innovation continues to grow in Singapore, more cyber-security professionals will be needed to keep important networks safe from cyber attacks.

“There will be a need to produce a sufficient pool of cyber security professionals to support a growing cyber-security industry. Practitioners will also need to constantly upgrade their skills to deal with cyber threats of growing sophistication,” said Dr Yaacob.

A new centre, the TP-RSA Security Operations Centre, will be operational in October . Students will gain experience in gathering intelligence on cyberthreats and how to manage them in a real-world setting.

Students in both centres will gain professional certifications at the end of their internships from either IBM or RSA.

View the original content and more from this author here: http://ift.tt/1DIyrwL

from cyber security caucus http://ift.tt/1IAHA1N
via IFTTT

Businesses to Congress: An industry-led approach to cybersecurity can succeed

The Senate is nearing its first major cybersecurity debate since 2012, opening the floodgates for amendments on issues ranging from consumer data-breach notification requirements to the security of federal computer networks.

There is tremendous pent-up demand among senators to weigh in on cyber policy after years of costly hacks and chilling cyber attacks.

Majority Leader Mitch McConnell, R-Ky., hasn’t announced his plans, and some senators are clamoring for an early start to the August recess.

But a growing chorus of senators say the Cyber Intelligence and Sharing Act, or CISA, will come to the floor next week and be the last matter of significant business before the summer break.

The substance of the information-sharing bill produced by Senate Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., will be debated, particularly around whether it would adequately protect privacy rights and civil liberties.

But that will be just a start.

Last week, a bipartisan group of senators announced they would offer an amendment to address the breaches at the Office of Personnel Management by giving the Department of Homeland Security clear, direct authority to drive cybersecurity upgrades at other agencies.

Some senators believe they already did that in legislation signed into law last year called the Federal Information Security Modernization Act.

“I’m glad to see my colleagues engaged on such an important issue,” Sen. Tom Carper, D-Del., said in a statement. “It’s my understanding that this legislation attempts to build on the FISMA modernization bill that the Homeland Security and Governmental Affairs Committee worked so hard to pass last year. I look forward to reviewing the bill and working with all the sponsors on improving security of our federal networks, including overseeing the implementation of my FISMA legislation that became law in December.”

Sen. Sheldon Whitehouse, D-R.I., wants to push an amendment creating a national consumer breach notification requirement, and another strengthening criminal law to fight cyber crooks.

There could be attempts to put in some mandatory cybersecurity requirements for industry, including a possible amendment by Sen. Susan Collins, R-Maine, to require companies in designated “critical infrastructure” sectors to report attempted cyber breaches.

But there almost certainly won’t be any serious efforts to attach mandatory security performance standards for industry, unlike the last time the Senate ventured into cyberspace.

The main Senate vehicle on cybersecurity in 2012 was a bill by Collins and then-Sen. Joseph Lieberman that included security requirements for operators of critical infrastructure including power plants and gas pipelines.

Despite Collins’ presence on that bill, it generated broad opposition from Republicans who rallied around an alternative by Sen. John McCain, R-Ariz.

Ultimately, the Lieberman-Collins bill was blocked on the floor and the McCain alternative died with it.

Now, some key elements of the McCain proposal on information sharing are back in play, while the idea of setting rigorous security rules for industry is off the table. Collins’ reporting requirement proposal is probably the closest this debate gets to discussing government controls on industry.

A key reason why? A framework of cybersecurity standards, released 18 months ago by the National Institute of Standards and Technology, has become the main point of interaction between government and industry.

The Gaithersburg-Md.-based agency has a strong reputation on Capitol Hill, and its framework has nurtured a powerful response in the business sector, which is eager to demonstrate that a voluntary, industry-led approach to cybersecurity can succeed.

“I think it will continue to play the chief organizing role,” said one trade association lobbyist. “The framework embodies the key business security risk management principle. It’s probably the best thing government has done in this space. And we’re only going to be successful in this space if business is enthusiastic about it.”

Financial, manufacturing, energy, transportation and many other industry sectors have mapped their cybersecurity policies to the framework.

“Industry is farther along than I thought they’d be 18 months ago,” NIST’s Adam Sedgewick said in an interview with InsideCybersecurity.com. “They reach out to us and show us how they’re using the framework.”

NIST is also spending an extensive amount of time speaking with colleagues in government about the purpose of the framework and its voluntary nature.

“People wrapped themselves around the axle about the regulatory threat,” said an energy-sector source. “That wasn’t the intent and it didn’t happen.”

“A lot of our message to government folks — whether they are regulators or not — is that making something mandatory actually moves it out of security operations and into the compliance mode,” said Matthew Barrett, NIST’s framework program manager.

There are lingering questions, even among industry groups.

“The metrics are unclear on who’s implementing the framework or how it’s being implemented,” a technology industry source said. “I’m not sure we’ve determined what success looks like.”

NIST puts the question this way, according to Barrett: “Has this helped you improve risk management and security?”

Congress late last year ordered the Government Accountability Office to report on the uses and effectiveness of the framework. That report is due at the end of the year.

For now, most lawmakers seem satisfied to supplement the framework-driven, voluntary approach with additional tools such as enhanced information sharing.

The Senate debate may veer in any number of directions, but thanks in part to the credibility of NIST’s handiwork, it almost certainly won’t bog down in an old-time debate over regulation.

View the original content and more from this author here: http://ift.tt/1ImJlt4

from cyber security caucus http://ift.tt/1IAHzLs
via IFTTT