Cyber Security Caucus: August 2015

Monday 31 August 2015

Is Ashley Madison Hack Story More About Cybersecurity Or Infidelity?

The long-awaited Ashley Madison data release came Tuesday as hackers dumped some 9.7 gigabyte’s worth of user information on the dark web.

A lot of files – which includes user account credentials, billing records and sexual fetishes for some 37 million customers of the infidelity site – has been circulating online Tuesday in the form of a massive, 10-gigabyte torrent.

A separate analysis of the data found that the city with the highest concentration of Ashley Madison users was Washington DC, and that some 15,000 email addresses involved were hosted on US government and military servers.

“We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort”, said social media director Anthony Macri.

“We have explained the fraud, deceit, and stupidity of ALM and their members….” Sony had to cancel the much-anticipated release of the comedy film The Interview previous year after hackers threatened action if the film was released theatrically.

But he stressed that an email address on the dating database is not proof the person associated with it ever registered with or visited the site, because Ashley Madison did not use an email verification system to check users are linked to that address.

Up to 700 Australian government and police workers have been revealed as account holders on the Ashley Madison dating web service, following a leak by hacking group Impact Team. “Now everyone gets to see their data”, the group wrote in its data dump.

According to Trustify’s Danny Boice, he claims that they are getting about one search per second, and that there are just as many men using the tool as there are women. “If that distinction matters”.

Avid Life has once hoped to raise up to $200 million by going public in London in 2015. “Then move on with your life”, the statement read. However, Ashley Madison does not require users verify their addresses, so conceivably, anyone can sign anyone else up.

“This dump appears to be legit”, said David Kennedy, CEO of information security company TrustedSec, which monitors cyber attacks, in a blog post. In its statement, Avid Life Mediaaccused the hackers of seeking to impose “a personal notion of virtue on all of society”

View the original content and more from this author here: http://ift.tt/1O30uNh

from cyber security caucus http://ift.tt/1KxPKaO
via IFTTT

The CryptoLocker virus and cybersecurity

Cody Gough, Brian’s producer, tells the tale of how his computer was infiltrated by a CryptoLocker virus, a ransomware trojan that resulted in a Bitcoin ransom, conversations with federal authorities, and more drama than you would ever expect from your average computer virus. Learn about the Cryptolocker virus, ways to protect yourself from it, and what happened to Brian’s intrepid producer! Plus, hear a more detailed background on the situation on Cody’s podcast on WGN Plus.

View the original content and more from this author here: http://ift.tt/1O30uNe

from cyber security caucus http://ift.tt/1KxPKaM
via IFTTT

OMERS Ventures looking at cybersecurity

OMERS Ventures, the venture capital arm of Ontario Municipal Employees Retirement System (OMERS), announced the successful closing of Fund II earlier this month, with $260 million in commitments.

“We are proud to be working with BMO and Cisco Investments, our valued co-investors in Fund II. The closing of the fund is a positive signal for Canada’s tech sector, and shows the strong interest of private capital in partnering with innovative technology entrepreneurs,” said John Ruffolo, CEO of OMERS Ventures.

Speaking to Techvibes, OMERS Ventures Managing Director Jim Orlando and Director Sid Paquette discussed the vision behind the fund, opportunities and domains of interest for them, and their thoughts on the Canadian tech sector.

Paquette spoke about the potential of financial technology sector and said, “If you were to take a holistic view and look at Canada as a whole, areas of opportunity where we could be world-leading from a tech perspective, is in the FinTech sector… There is a need and a desire amongst our banking groups now to actually expedite that process and incorporate a lot more technology than they have historically, and given our position globally in the financial sector, there are many opportunities for entrepreneurs.”

Pointing out OMERS Ventures’ interest in cybersecurity, Orlando said, “Cybersecurity is another area we have been looking at, specifically in FinTech as Sid mentioned, and in particular what bitcoin and block chain capability bring in terms of differentiated opportunities. We hope to find a couple of investments for Fund II related to bitcoin and the block chain, and the security side of that whole paradigm.”

© EconoTimes 2015. All rights reserved. The EconoTimes content received through this service is the intellectual property of EconoTimes or its third party suppliers. Republication or redistribution of content provided by EconoTimes is expressly prohibited without the prior written consent of EconoTimes, except for personal and non-commercial use. Neither EconoTimes nor its third party suppliers shall be liable for any errors, omissions or delays in content, or for any actions taken in reliance thereon.

View the original content and more from this author here: http://ift.tt/1O30uNa

from cyber security caucus http://ift.tt/1KxPMiT
via IFTTT

The Top Ten Hacker Tools of 2015

List of top ten hacker tools of 2015

Every task requires a good set of tools.This because having right tools in hand one can save much of its energy and time.In the world of Cyber Hacking (“Cyber Security” formally) there are millions of tools which are available on the Internet either as Freewares or as Sharewares.

If you are security researcher, pentester or a system admin, you need to have this on your PCs/laptops to find the vulnerabilities and plug them. Concise Courses conducted an online poll to determine top ten hacking tools out of some of the famous ones. Here is the list which came out the winner on the poll.

1. Nmap: Network Mapper

Abbreviated as nmap is a versatile tool for Network Security, plus it is free and open source.It is largely used by network administrators for network discovery and security auditing. System admins use nmap for network inventory, determining open ports, managing service upgrade schedules, and monitoring host(A term used for “a computer on a network”) or service uptime. The tool uses raw IP packets in many creative ways to determine what hosts are available on the network, what services (application name and version) they offer,which type of protocols are being used for providing the services,what operating systems (and OS versions and possible patches) and what type and version of packet filters/ firewalls are being used by the target.

2.Metasploit:

A tool for exploiting (Utilising network weakness for making a “backdoor”) vulnerabilities (Weak Points) on Network. This tool is neither free nor open source. But when it comes to features offered it deserves the price it claims. The Metasploit Project is a hugely popular pentesting (penetration testing) or hacking tool that is used by cybersecurity professionals and ethical hackers. Metasploit is essentially a computer security project that supplies information about known security vulnerabilities and helps to formulate penetration testing and IDS testing.

3.Cain and Abel:

Cain & Abel is a password recovery tool that is mostly used for Microsoft Operating Systems. This popular hacking tool allows the user to seek the recovery of various kind of passwords by sniffing the network(capturing some of the data packets), cracking encrypted passwords using Dictionary, Brute-Force(Generation of hashes out of words and then comparison of encrypted hash with the generated one,this method takes less time than dictionary attack method) and Cryptanalysis attacks. Cain, as it is often referred to, can also record VoIP(Voice over IP protocol,used for making calls over using internet) conversations, decode hashed scrambled passwords, recover wireless network keys and more.It can crack various types of hashes including NTLM,MD2,MD5,SHA-1,SHA-2 and many more.These functionalities make Cain and Abel one of the best password recovery tool.

4.Angry IP Scanner:

Angry IP Scanner, also known as ‘ipscan’ is a freely available (open-source and cross-platform) hacking network scanner that is both fast and easy to use. The main purpose of this hacking tool is to scan IP addresses and ports to find open doors and ports. Worth noting that Angry IP Scanner also has a bunch of other uses as well. Common users of this hacking tool include network administrators and system engineers.

5.John The Ripper:

John the Ripper is a popular password cracking pentesting tool that is most commonly used to perform dictionary attacks. John the Ripper takes text string samples (from a text file, referred to as a wordlist, containing popular and complex words found in a dictionary or real passwords cracked before), encrypting it in the same way as the password being cracked (including both the encryption algorithm and key), and comparing the output to the encrypted string. This tool can also be used to perform a variety of alterations to dictionary attacks.Including Brute Force and Rainbow attacks.

6.THC Hydra:

Although often considered as yet another password cracker, THC Hydra is hugely popular and has a very active and experienced development team. Essentially THC Hydra is a fast and stable Network Login Hacking Tool that will use dictionary or brute-force attacks to try various password and login combinations against an log in page. This hacking tool supports a wide set of protocols including Mail (POP3, IMAP, etc.), Databases, LDAP(Lightweight Directory Access Protocol),SMB, VNC, and SSH(Secure Shell,used by VPN Softwares).

7.Burp Suite:

A pentesting tool,Burp Suite has several features that can help the penetration tester or ethical hacker. Two commonly used applications used within this tool include the ‘Burp Suite Spider’ which can enumerate and map out the various pages and parameters of a web site by examining cookies and initiates connections with these web applications, and the ‘Intruder’ which performs automated attacks on web applications.

8.Snort:

Snort is an awesome hacking and network tool that can be configured in one of three modes: it can either be used as a sniffer, packet logger, or within network intrusion detection. In the (more commonly used) sniffer mode, this hackers program will read (sniff) network packets and display them on a GUI(Graphical User Interface). In the packet logger mode, Snort will audit and log packets to the disk. In intrusion detection mode, Snort monitors network traffic and analyzes it against a rule set defined by the user.

9.Ettercap:

Ettercap has a huge following and is widely used by cyber security professionals. Ettercap works by placing the user’s network interface into promiscuous mode and by ARP poisoning(ARP : Address resolution protocol is used to determine a host’s MAC address (address of its Network Interface Card) by knowing its IP address. ARP poisoning is a process where a hacker gives wrong information of either its MAC or IP address to the network.) the target machines, i.e. facilitating a ‘Man In The Middle’ or MITM attack. Once successful Ettercap (and the hacker) can deploy various attacks on the victims. A popular feature about Ettercap is its’ ability to support various plugins.

10.Wapiti:

Wapiti has a very loyal following. As a pentesting tool (or framework) Wapiti is able to scan and detect hundreds of possible vulnerabilities. Essentially this Multi Purpose Hacker Tools can audit the security of web applications by performing “black-box” scans, i.e. it does not study the source code of the application but will scan the HTML pages of the application seeking scripts and forms where it can inject data.

If you have any favourite tool of your own which we have not mentioned in the article, kindly mention it in the comments so that we can include it in our next list.

View the original content and more from this author here: http://ift.tt/1LEMLfl

from cyber security caucus http://ift.tt/1KxPKaD
via IFTTT

Editorial: Bolstering Cyber Security

The cyber criminals are succeeding because they have developed tremendous collaboration with each other—they share tools, expertise and information around the world.

With increase in the quantity and value of electronic information that lubricates our system of government and economy, there has been a dramatic escalation in the efforts of the malicious actors in launching sophisticated cyber attacks. More and more attacks are coming to fruition, producing a steady stream of high-profile, sophisticated breaches. A growing array of state and non-state actors are compromising, stealing, changing, destroying information, and causing critical disruptions to our system of government and economy.

In future, the cyber attacks are likely to increase in frequency and ferocity. Yet when it comes to cyber-preparedness, India is not in the best position. It is a challenge to get all users in the government and the private sector, even the sophisticated ones, to become aware of the threats and do all that is needed for improving security on an ongoing basis. Technical and public policy measures have to be put in place to create incentives for the major stakeholders in the Internet economy to invest in security.

Cyber criminals succeed because they have developed tremendous collaboration with each other—they share tools, expertise and information around the world. In face of such complex criminal rings, the traditional systems of protection—antivirus, firewall, secure logging systems—may not work. It is important to deploy advanced network and analytics based security tools for identifying and preventing unknown attacks, or those that use advanced malware. There has to be the capability of detecting minor and major anomalies, and responding quickly in case a security incident is detected.

Among the good guys there is talk of better collaboration for improving security, but not enough is being done to achieve the objective. The IT teams in most companies and even the security agencies in the government rely on unverified threat data. They lack the credible information to recognise the critical incidents, which can indicate the trend for future attacks. It is important to breakup of the silos and ensure that there is real-time collaboration between the private companies and the government’s cyber security agencies.

Also, there is serious shortage of cyber security specialists in the government and the private sector. Recruiting cyber experts and plugging them into the right slots is a key challenge that we face. We can’t win the battle for securing the cyber space when the good guys lack real-time information and sophisticated technology, and are outnumbered.

View the original content and more from this author here: http://ift.tt/1O30uwR

from cyber security caucus http://ift.tt/1Fbmel6
via IFTTT

Saturday 29 August 2015

Court ruling leads to fears of FTC litigation on cybersecurity

Industry groups are worried that an appeals court ruling giving the Federal Trade Commission permission to sue for shoddy cybersecurity will result in overregulation.

Earlier this week, the 3rd Circuit U.S. Court of Appeals ruled unanimously that the FTC can go forward with a lawsuit alleging that the Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.

The hotel company suffered three significant breaches between 2008 and 2010, resulting in the theft of credit card information for more than 600,000 patrons.

Some are concerned that Monday’s ruling will open the floodgates to more punitive action by the agency.

“We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” Steven Lehotsky, vice president and chief counsel for regulatory litigation at the U.S. Chamber Litigation Center, toldThe Christian Science Monitor.

The FTC has brought more than 50 lawsuits against companies over lax cybersecurity, most of which have resulted in settlements.

Its cases rely on the assumption that poor cybersecurity can be considered an unfair or deceptive trade practice, outlawed by the 1914 Federal Trade Commission Act.

Experts say that many companies already consider the FTC to be the cop on the beat and work to ensure their cybersecurity practices don’t draw enforcement attention.

The decision simply “confirms what everyone operating in the field already knew or took for granted,” said Scott Vernick, partner and head of the data security and privacy practice at Fox Rothschild.

Critics of the FTC’s claim to cybersecurity authority say that the agency has failed to lay out clear regulations for companies to follow. They say it relies instead on a vague requirement that companies provide “reasonable” protection to their customers.

The business community says the companies are also victims and has condemned the agency for inappropriately punishing them.

“Excessive enforcement by agencies relying on decades-old laws that were not meant to address cybersecurity is not the solution to [a] national security problem,” Lehotsky said.

But fears that the FTC will take Monday’s ruling as license to crack down on companies are overstated, others say.

“From a practical standpoint, I don’t see the FTC deciding that the Third Circuit has now given it a blank check to go out after every company that has a breach,” said Kristine Devine, a communications attorney with Harris, Wiltshire & Grannis.

She characterized the FTC’s cybersecurity actions to date as “judicious,” noting that it has largely limited itself to cases like Wyndham’s, where the allegations, if true, represent a clear case of deceptive trade practices.

The agency’s case against the hotel chain hinges on its privacy policy, which says that it takes “commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards,” including encryption.

The regulatory agency claims that, contrary to its policy, Wyndham neither encrypted data nor used firewalls, a violation that would be fairly cut-and-dry, experts say.

Devine also points out that the 3rd Circuit’s decision would only be valid in that jurisdiction.

“I think the 3rd Circuit’s reasoning is pretty sound. I don’t necessarily think another court would strongly disagree,” Devine said. “[The ruling] is not precedential, but it’s persuasive.

View the original content and more from this author here: http://ift.tt/1Ucu1v5

from cyber security caucus http://ift.tt/1PEoLK5
via IFTTT

CAN US CYBER NERVE CENTER HOLD ONTO ITS NEW LEADERS?

On May 6, Department of Homeland Security Secretary Jeh Johnson announced a hotshot hire shortly would be at the helm of the nation’s 24-hour cyber watch floor.

The position had been vacant since last September.

It was not until August that Johnson named a respected, in-house assistant secretary and a low-profile HP security chief to jointly head the National Cybersecurity and Communications Integration Center, or NCCIC.

A history of employee burnout at Homeland Security might have factored into the difficulty of recruiting leadership, says a former DHS official who once oversaw the NCCIC (pronounced “N-kick”).

“This is the pot calling the kettle black. I contributed to it as much as anyone else,” said Mark Weatherford, who joined DHS from industry, served as deputy undersecretary for cybersecurity and returned to industry after less than two years. “The churn over there within DHS has been problematic.”

Two top DHS cyber leaders have already stepped down this year. John Streufert, director of federal network resilience, departed in May after joining the department in January 2012. Bobbie Stempfley left in February, after serving as deputy assistant secretary for cybersecurity strategy and emergency communications since April of last year.

Homeland Security likely wanted a person who would commit to a long run at an operation recently thrown into the spotlight, said Weatherford, now a principal at the Chertoff Group consultancy.

President Barack Obama visited the nondescript Arlington office space earlier this year to promote the administration’s cyber agenda. The 2014 Federal Information Security Modernization Act positioned the facility as a “central federal information security incident center” and situated it within DHS.

In May, at a meeting of the President’s National Security Telecommunications Advisory Committee, Johnson said the next NCCIC director “will have a direct reporting line to me in terms of information sharing and threat reporting…We’re making an effort to attract a real all-star to that position well known to you.”

On Aug. 10, Johnson announced Andy Ozment, currently assistant secretary of the Office of Cybersecurity and Communications, will assume overall responsibility of the venture, while John Felker, HP Enterprise Services director of cyber and intelligence strategy, will manage daily operations there.

Weatherford said the new bosses will have to endure political tensions, cross-government coordination issues and a responsibility for keeping the U.S. Internet afloat.

“It’s an incredibly challenging job,” Weatherford said. “You are working with all the other federal agencies. You are working with Congress. You are working with the White House. You are working with the intelligence community, and you are working with all 16 critical infrastructures. It may be one of the biggest leadership jobs in the nation from a security perspective.”

And there are no days off, Weatherford said quite seriously. “This is 24-by-7-by-365,” he said.

The new management structure might also take some getting used to. Ozment will retain his assistant secretary title, while reporting straight to Johnson on certain security matters, a DHS official told Nextgov.

This means, in some situations, he might have to go over the heads of his undersecretary and two deputy undersecretaries, Weatherford said.

“So, you have basically pulled out a huge piece of the organization and now an assistant secretary is reporting directly to the secretary,” he said. “I think it could work well — but this is a huge organizational shift for DHS.”

Ozment brings to the table academic and policymaking chops, while Felker possesses expertise in supervising an organization.

“Dr. Ozment and Mr. Felker will provide a combination of operational experience, leadership, and strategic insight needed to take the NCCIC to the next level for our cybersecurity,” Johnson said in an Aug. 10 statement.

Felker, a 30-year Coast Guard veteran, served as deputy commander of Coast Guard Cyber Command, where he helped stand up the organization. He also led the Coast Guard Cryptologic Group. At HP, Felker worked on business strategies for work with DHS, the Pentagon and the intelligence community.

Ozment, a former political appointee and cyber researcher, came to DHS from the White House, where he served as Obama’s senior director for cybersecurity. He constructed and executed a landmark presidential executive order that yielded a data protection roadmap for businesses of all stripes. A component of that 2013 policy also tasked DHS with sharing unclassified and classified tips about threats with industries vital to the nation, like energy producers.

At MIT Lincoln Laboratory, Ozment published papers on user-friendly online protections and the economics of cybersecurity, among other subjects. As a Marshall scholar, he earned a master’s degree in international relations from the London School of Economics, and a Ph.D. in computer science from the University of Cambridge.

View the original content and more from this author here: http://ift.tt/1EnztUC

from cyber security caucus http://ift.tt/1PEoLK0
via IFTTT

Labor Department CIO Defends Security Efforts

A senior IT official at the Labor Department is defending its cybersecurity efforts in the wake of a critical report by the department’s inspector general’s office.

Chief Information Officer Dawn Leaf, in a letter to the Labor Department’s assistant inspector general released this week, expressed “concerns with the completeness and accuracy” of the federal watchdog’s July 2015 cybersecurity report

In the letter, Ms. Leaf said that despite a $4.1 million budget cut to the Labor Department’s IT modernization funding for the 2015 fiscal year, as of Aug. 14 the agency has implemented two-factor authentication for 80% of its system’s privileged users and 78% of its general users. She expects to achieve full compliance by the end of September.

Those efforts required assistance from multiple agencies and “diverted substantial resources, amounting to thousands of hours of staff time,” she said.

A Labor Department spokesperson declined to comment on the letter.

Among other issues, the inspector general July report chided the agency for not implementing stronger system access controls sooner, despite repeated warnings of security weaknesses over the past five years. The report said the agency didn’t start beefing up access control until a massive data breach at the U.S. Office of Personnel Management came to light.

A spokesperson for the inspector general’s office told CIO Journal on Friday it stands by the report.

The OPM disclosed in early June that hackers had accessed personnel records as part of at least two 2014 cyberattacks. OPM director Katherine Archuleta resigned in early July after damage reports grew to include the theft of more than 21 million Social Security numbers and 19.7 million forms that detailed mental-health histories and other background material on current and former employees, job applicants and their families. Some federal lawmakers have since called for the resignation of agency CIO Donna Seymour.

Referring to the use of Personal Identity Verification cards – smartcards issued to federal employees to access government facilities and information systems – the report said the Labor Department “only recently began implementing this requirement” to boost card security measures after the OPM breach.

“Had DOL implemented the requirement earlier, it could have prevented unauthorized access to DOL’s computer networks and systems by 11 separated employees who still had active accounts after their departure,” the report said, based on a review of the agency’s access controls.

In her letter, Ms. Leaf said agency officials were briefed on access-control and other risk management strategies back in August 2012, as part of an agency-wide Identity and Access Management program launched in 2011, which sought to automate account management processes and “enable user-based PIV Card authentication for all users to all DOL systems, including DOL cloud-based system,” such as cloud email.

The program was chartered and approved by the agency’s IT Project Review Board last year, she said.

More recently, Ms. Leaf said the agency scrambled to meet broad security goals set by the so-called Cybersecurity Sprint, a government-wide initiative launched in June 2015 by Federal CIO Tony Scott that gave government agencies a 30-day window to shore up IT vulnerabilities, identify threats and tighten access controls.

View the original content and more from this author here: http://ift.tt/1PXKY6J

from cyber security caucus http://ift.tt/1Ucu1uX
via IFTTT

Uber Hires the Hackers Who Wirelessly Hijacked a Jeep

IF IT’S POSSIBLE to wirelessly attack an Internet-connected Jeep to hijack its steering and brakes, what could hackers do to a fully self-driving car? A pair of the world’s top automotive security researchers may be about to find out, with none other than Uber footing the bill.

Starting Monday, the ridesharing startup’s Advanced Technology Center will employ Charlie Miller and Chris Valasek, two hackers who have devoted the last three years to developing digital attacks on cars on trucks. Their work culminated last month in a full, over-the-internet takeover of a 2014 Jeep Cherokee, (with me behind the wheel) including the ability to turn off its transmission or engine, and even disable its brakes at low speeds. Their demonstration led Chrysler to recall 1.4 million affected vehicles, the first known automotive recall for a cybersecurity vulnerability.

According to Reuters, which first reported the move, Miller and Valasek will help Uber with its future-focused efforts to develop its own fleet of self-driving cars, and keep them secure from more malicious hackers. The company’s autonomous vehicle ambitions are no secret: It’s already hired more than 40 robotics engineers from Carnegie Mellon and partnered with the University of Arizona to further develop the technology. Uber board member Steve Jurvetson recently commented that if Tesla developed an autonomous vehicle, Uber would buy half a million of them in 2020.

An Uber spokesperson wrote in a statement to WIRED that “Charlie and Chris are joining the team at Uber’s Advanced Technologies Center, and will also work closely with Chief Security Officer Joe Sullivan and Chief Information Security Officer John Flynn to continue building out a world-class safety and security program at Uber.” Miller and Valasek declined to comment. Miller had previously been employed as a security engineer for Twitter. Valasek had been the director of automobile security research for the security consultancy IOActive.

For car hackers, autonomous vehicles could someday soon represent a juicy new target. In previous car hacking demonstrations by Miller, Valasek and others, security researchers have shown that they can exploit existing computerized functions to control a car’s steering and brakes. If the car has an automated braking feature, hackers can trigger it to stop the car on command, for instance, or use lane-assist or self-parking steering features to move the car’s steering wheel. An insecure autonomous vehicle, in which every feature is computerized, could be a hacker’s ideal playground.

“[Autonomous vehicles] have broader attack surfaces, more sensors, [and] the computer has the ability to control the steering,” says University of California at San Diego computer science professor Stefan Savage, who helped develop the first known wireless car hacking technique in 2010 and 2011. “It just makes the problem worse.”

In other words, if Miller and Valasek’s new mission is to secure Uber’s self-driving car of tomorrow, they’ll have their work cut out for them.

View the original content and more from this author here: http://ift.tt/1NYGn2O

from cyber security caucus http://ift.tt/1Ucu3mL
via IFTTT

Companies put cybersecurity experts on boards

The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago.

Naturally, they wanted someone with communication and leadership skills. They also needed someone new: an expert to help them battle computer hackers, cyberthieves, electronic spies, digital vandals and anybody else out to wreak havoc in a connected world.

The privately held firm’s latest board member is Suzanne Vautrinot, a retiredAir Force major general who helped create the Department of Defense’s U.S. Cyber Command and led the Air Force’s IT and online battle group.

Parsons, in Pasadena, is at the forefront of a fast-expanding trend in corporate governance: the elevation of cybersecurity experts to the boardroom, traditionally occupied by former CEOs and specialists in marketing and finance.

In the past few months, AIG, BlackBerry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years.

The reasons are clear. Cyberattacks on large companies skyrocketed 44 percent last year from 2013. Cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.

Boards are responsible for advising CEOs on setting goals and making plans to achieve them, and to question the challenges standing in the way. Not adequately addressing a cybersecurity risk could prove costly — in money, reputation, legal bills, lost time and lost customers.

View the original content and more from this author here: http://ift.tt/1N1mDyy

from cyber security caucus http://ift.tt/1PEoLJS
via IFTTT

Friday 28 August 2015

The US-China cyberwar needs detente

THE REALMS OF cybersecurity and cyber foreign relations are still relatively new — and often poorly understood by many policy makers. Unfortunately, the digital world continues to be treated as a highly specialized area of policy, despite the huge role it already plays in most aspects of everyday life.

Since cybersecurity has such a large impact on world affairs, officials are desperately struggling to find both strategies to manage it and the right vocabulary to talk about it. To resurrect a term only a few decades old, it is no exaggeration to say that a world power detente in cyberspace is vital to stability and safety. It is a term that’s apropos, not least because the command and control of nuclear-armed missiles depends in part on a securable digital space.

Detente was forged between the United States, Western Europe, and the Soviet Union after decades of Cold War tension, and under the threat of a nuclear exchange. Today — with the stakes less deadly, but nonetheless important — detente is badly needed between the United States and China. Both powers say they want dialogue and cooperation on cyberspace issues, yet the two countries are still worlds apart. Chinese President Xi Jinping’s first visit to the United States this fall will put this issue front and center yet again.

Recent news headlines — in particular the theft of personal data of more than 20 million US citizens in the records of the federal government’s Office of Personnel Management — make it appear to the American public that the frosty relations on cyber issues are all China’s fault.

To be sure, as the US government reports credibly, China is engaged in an unceasing and highly successful cyberespionage campaign against the United States, its government and economic interests.

Yet, this public tension with China is an international outlier. China and the European Union get along quite well on cyber issues, including joint research through the OpenChina-ICT project. Russia and China, for their part, have signed an agreement to limit hacking against each other. This is quite surprising, given that Russia trusts China even less than it trusts the United States on cyberspace issues. Beyond Russia, China’s relations with India and Japan are not so bad in this field either.

If China has been able to keep business-like relations with all other partners on cyber issues, in spite of its rampant cyberespionage against them, then why is its cyber relationship with the United States so much worse than with other major powers?

The challenge from here? To unravel this entanglement of influences and to base future cyber diplomacy on a more sophisticated notion of the world as it is.

Quote Icon

At one level, the answer is obvious: The United States can afford to be more strident in its diplomacy than any other Western country because it is more powerful. In addition, relative to most countries that are getting along better with China in cyber affairs, the United States also puts more stock in certain issues of principle, such as human rights protections in cyberspace or theft of intellectual property.

Washington also believes that it needs to stand up to China on such issues, not least because of the way in which China’s power is disturbing American allies in the Pacific. This is, after all, one motivation of the rebalance in US strategic policy.

Even so, the style and tone of current American cyber diplomacy toward China looks surprisingly messy. This is unexpected: US diplomacy toward China under Obama has generally been very impressively organized and thought through.

US perceptions about China in cyberspace hinge on a few mistaken beliefs. They include the notion that there are unambiguous norms in cyberspace that China is flagrantly violating; a failure to appreciate China’s deep insecurity in cyberspace; a lack of knowledge of America’s extensive cyberespionage and cyber military operations against China; and an inflation of the threat from China’s theft of intellectual property.

Of course, the US cybersecurity industry as a lobby group is very alert to all of the above and plays it for commercial gain. Yet officials rarely note that most cybersystems are inherently vulnerable and cannot be secured against a determined cyber adversary.

This is not to say by any means that China is without fault. Far from it. But what is equally undeniable is that the impact of the China cyberthreat relative to other threats is exaggerated by the US cybersecurity community.

All of this is particularly ironic, given the deep integration of the cyberindustry sectors of the two countries. China depends on the United States for its own cyber power. Meanwhile, leading American suppliers of communications and information technology are heavily dependent on China in their supply chain or even as a source of final manufacturing. Their level of involvement in China is so deep that they have even lobbied against US sanctions on China for cyber espionage.

The challenge from here? To unravel this entanglement of influences and to base future cyber diplomacy on a more sophisticated notion of the world as it is.

The Soviet-US detente in the Cold War era suggests that less outrage about mutual espionage, and cultivating a more nuanced appreciation of its limited impacts relative to the larger military threats, could lead to better — more realistic — relations.

View the original content and more from this author here: http://ift.tt/1F2BuRh

from cyber security caucus http://ift.tt/1PCMLNG
via IFTTT

U.S. government resources for cybersecurity

The subject article in your July 2015 issue of Control Design by Dan Herbert (“Tear Down This Wall,” Control Design, July 2015, p20), has given me cause for concern as it ignores fundamental security issues that can be introduced when connecting control system environments to other environments such as business networks. While the world is becoming more and more interconnected and “connecting machines to IT systems provides a number of benefits,” such connectivity, if not installed properly, can introduce many security challenges. These inter-connections can enable security vulnerabilities and potential pathways for compromise of the control environment by malicious threat actors.

The mission of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC), and specifically the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is to assist critical infrastructure asset owners to reduce cyber risks to control systems and processes that operate the nation’s critical infrastructure. ICS-CERT responds to cybersecurity incidents on a daily basis, almost all involving compromises of control system environments via connections to the corporate network. Once on the network, intruders often move laterally looking for other connected zones or networks. Without proper network segmentation and monitoring of communications, the control system environment can potentially be compromised, in some cases providing the ability for the intruder to take control of the process.

When it comes to protecting control system networks from these types of incidents, ICS-CERT recommends three basic principles.

1. Do not allow direct connectivity from the Internet into your ICS network.

2. Never allow any machine on the control network to talk directly to a machine on the business network or Internet. This means controlling communications flows through intermediary networks such as de-militarized zones (DMZs), virtual private networks (VPNs), thorough access controls and in some cases utilizing one-way traffic devices.

3. Configure firewalls to allow only required and specific devices/ports to communicate with one another through the firewall. Block everything else by default.

In 2014, ICS-CERT responded to two malware campaigns launched by sophisticated threat actors specifically targeting control systems: Havex and BlackEnergy. Following the principles above would have prevented these intrusions along with other potential compromises of industrial control systems. ICS-CERT is concerned with the recent rise in targeted and successful malware campaigns against industrial control systems (ICSs).

Also read: How to link machine controls to IT systems

These campaigns were associated with sophisticated threat actors with demonstrated capabilities to compromise control system networks. The depth of intrusion into the control system network provided the threat actors with the ability to potentially manipulate control system settings, control the process and even potentially destroy data and/or equipment.

Havex

Havex is an ICS-focused malware campaign that uses multiple vectors for infection. These include phishing emails containing redirects to compromised websites and, most recently, compromised software installers on at least four software vendor websites, which were delivering malware to unsuspecting customers when they downloaded software updates to their systems. These are known as watering hole-style attacks where the attacker “poisons the well” and all visitors to the website could potentially be infected with a virus or trojan.

“In 2014, ICS-CERT responded to two malware campaigns launched by sophisticated threat actors specifically targeting control systems: Havex and BlackEnergy.”

The malware is a remote access trojan (RAT) with demonstrated capabilities to access control system environments. Once infected, the threat actor has ready access to the victim’s network and can intrude at will to steal data and, if access is obtained to the control system environment, manipulate the process.

BlackEnergy

The BlackEnergy malware targets the human-machine interface (HMI) directly. All of the known victims of the BlackEnergy malware campaign were infected via Internet-facing HMIs. With access to the HMI, an intruder can turn on/off equipment, see the status of the process and, in some cases, change the set points of the system such as the allowable level of a tank or the maximum temperature of a batch. This depth of intrusion into a control system poses a serious threat to the stability of the process and the potential for physical consequences.

Analysis of the threat actor’s techniques used in the BlackEnergy campaign reveals a focused effort to find and exploit previously unknown vulnerabilities in control system devices and software. This effort required specific research into control system devices/software, along with testing to gain the capability to launch a successful intrusion.

Scanning modules within the BlackEnergy malware

Once a network is infected, the malware sets up communications back to a command and control server to download additional capabilities, referred to as modules. ICS-CERT is aware of two separate modules designed to scan the victim’s network looking for control system devices. These two modules are of concern because they are the first ICS-specific modules (capabilities) that ICS-CERT is aware of post-Stuxnet. In 2010, the Stuxnet virus was discovered and became known as the first sophisticated malware directly targeting Siemens Step 7 programmable logic controllers used to operate variable speed drives in industrial processes. The following provides a brief description of these modules.

OPC module: Open platform communications (OPC) is a communications protocol (communications language) that allows different ICS devices from multiple vendors to share information. There are two versions: OPC Classic and a newer version called OPC Unified Architecture (UA). The BlackEnergy malware targeted the older and less secure version. This module used the OPC protocol to scan the compromised network, looking for types of control-system devices running OPC on the network.

Network scanning module: This module scans specific ports on the victim’s network. The ports that the modules scan are specifically used for control-system software and protocols: RSLinx is a Rockwell ICS server; Modbus is a heavily used ICS protocol; Siemens and Inter-Control Center Communications Protocol (ICCP) are used heavily in the electrical subsector; Measuresoft is a SCADA server; and 7-Technologies is a server now owned by Schneider Electric.

All this points to the fact that the threat actors have knowledge of control systems, of how they operate and of how they communicate. And they’ve developed tactics to find them on the compromised network.

Long-term threat

Sophisticated threat actor groups will continue targeting ICS using unique methods and unknown vulnerabilities. The targeting of ICS by both campaigns was undetected by the asset-owner community and the security industry for one to three years. It’s difficult to anticipate the methods and vulnerabilities that will be used in the next campaign; however, the best defense is to use proven security best practices for a sound defensive posture.

ICS-CERT has many resources and services available to assist critical infrastructure asset owners. Most of the cyber incidents ICS-CERT responds to could have been prevented by the use of basic cybersecurity principles and practices. Most sectors have information sharing and analysis centers (ISACs), which provide up-to-date information about emerging threats and vulnerabilities impacting that sector. Every sector has an assigned sector specific agency (SSA) that coordinates risk reduction efforts for that sector. We continue to encourage asset owners to assess their risks and begin the process of continuously improving their cybersecurity posture.

View the original content and more from this author here: http://ift.tt/1F2BvVh

from cyber security caucus http://ift.tt/1MZNECg
via IFTTT

Thune says cybersecurity is significant U.S. concern

Industry leaders moving rapidly into a data-driven economy say cybersecurity is what keeps them awake at night — with good reason, Sen. John Thune says.

Speaking Thursday at a Chamber of Commerce conference focusing on technology and its impact on the South Dakota economy, Thune said cyber threats “are front and center” with national military commanders and are only superseded by concerns over the nuclear agreement with Iran.

“There isn’t a day goes by that state actors like China, like Russia, and non-state actors, terrorists, are trying to hack into our systems in this country. … financial services, our electric grid … and trying to do great damage to America’s economy,” he said.

That makes cybersecurity increasingly important, Thune said, and why he not only intends to push that subject at a hearing on the Dakota State University campus next week in Madison, but when the Senate reconvenes in September as well.

While acknowledging those concerns, local business leaders outlined how data and technology are rapidly transforming their industries at Thursday’s conference.

In 2010, his bank handled just more than 3 million debit card transactions, Dana Dykhouse, president and CEO of First Premier Bank, said. In 2014, it did 4.7 million transactions. The number of customers depositing checks by taking photos of them on their smartphones is increasing exponentially as well, he added.

“Our operations now are driven by our customers, not by the industry,” Dykhouse said. “If I was to predict anything, I’d say that within 10 to 15 years, almost all of our financial transactions will take place on a device, whether it’s a phone or whatever that device is. … we will hold some device that will do all of our financial transactions, opening up accounts, applying for loans.”

Dr. Allison Suttle, chief medical officer for Sanford Health, said her health system’s patients have been conducting video chats on their smartphones with health care providers for the last year. That has driven down health care costs, saved patients’ time and resulted in people being able to get prescriptions for such common maladies as strep throat, sinus infections and more.

Technology and video chats allow providers to keep better tabs on their diabetes patients, Suttle says, and to connect with them more often. It allows providers to study electronic medical records and weather reports to predict when asthma sufferers might have episodes because of things like ragweed.

All of that enables health systems to “reach out to those patients before something is going to happen,” Suttle said. “What this allows us to do is provide the right care and the right amount of care to the right patient at the right time.”

Sherrie Peterson, director of Good Samaritan Society’s Living Well@Home program, said her organization provides clients monitoring technology that keeps track of their blood pressure, their pulse, their weight, their blood oxygen saturation and their glucose levels.

Monitoring data can also tell their team members about clients’ sleep habits, bathroom usage, even when they’re opening and closing doors. That can be especially important for the elderly, or for people with chronic physical or mental illnesses.

“All of that information comes into our team, where then they see it together,” Peterson said. If they see spikes in behavior out of the routine, say in bathroom activity, “we might jump to some conclusions that they might have something going on. So maybe the monitoring team reaches out to the individual, asks prompting and probing questions to find out what’s going on with that person. If there is reason for concern, we can elevate that to a professional care giver.”

Such technology is only going to become an even greater part of the fabric of South Dakota life in the future, conference participants said. Because of that, Thune, who chairs the Senate Commerce Committee, said government leaders need to spend even more time making sure that privacy and security concerns are addressed.

“Cybersecurity is a huge issue from a national security standpoint. Obviously it’s a huge issue from an economic standpoint,” he said. “One of the bills that we’ll take up in the Senate soon after the Iran nuclear agreement debate is the cybersecurity bill that will enable and promote the kind of information sharing that is necessary … to prevent cyberattacks, or at least do our best to minimize the damage that the cyberattacks are going to do to our economy.”

View the original content and more from this author here: http://ift.tt/1NLCtwd

from cyber security caucus http://ift.tt/1KpSHdx
via IFTTT

Global cyber-security skills shortage leaves Australia open to attack

The Commonwealth Bank warns that a global cyber-security skills shortage could pave the way for additional high-profile computer attacks in Australia.

As the cyber-threat to government and corporate computer systems grows, the bank called for a reorganisation in universities. They feel cyber-security courses should focus less on theory and more so on experience.

Luke Anderson, lecturer of computer security at the University of Sydney, said attacks were growing because computer security was not a primary thought.

“Today, in 2015, it’s much harder than it was even five years ago to break into stuff, but it’s still quite achievable because there’s a lot of technologies that are hanging over from times past. By getting into the universities and really showing the students why stuff is getting broken into, how you can code better so that this doesn’t happen, how to introduce these mitigating factors, we’re going to be able to protect ourselves from the security issues of tomorrow,” Anderson noted.

David Whiteing, chief information officer at the Commonwealth Bank, said the only way to solve the problem was by getting better at attacks. Whiteing agrees that more trained people are needed before that can happen. “If you do the analysis globally, there is a cyber-skills shortage,” he warned.

Governments and large corporations are aware of the threat and doing everything in their power to try and stop their systems from being attacked. The Commonwealth Bank has been working with the Federal Government to make Australia an exporter of cyber-capability as it says that the demand for cyber-security skills will grow by close to 10,000 jobs over the next five years.

View the original content and more from this author here: http://ift.tt/1LzI5HA

from cyber security caucus http://ift.tt/1IoC2Rj
via IFTTT

A BARRAGE OF BREACHES LATER, CYBERSECURITY REQUIRES A RETHINK

It’s a good time to bet against cybersecuritywhen everyday headlines are made of breached dating websites; stolen federal employee records; pilfered private health care records of patients – all of which affects millions of people. It’s time, perhaps, that fundamental cybersecurity policies in corporations, the government and other predictable targets vulnerable to hackers, requires a rethink.

An example as recent as the $100 million insider trading ring involving Wall Street traders and Ukrainian hackers looking into corporate press releases addresses the vulnerabilities in no uncertain terms. In an age where companies can distribute information through corporate websites, social media outlets, and mailing lists, one might assume newswires are outdated and offer little value. Still, newswires are necessary. Companies are mandated by the Securities and Exchange Commission (SEC) to put out press releases in the interest of fair disclosure. Hence, PR agencies are predictable targets for opportunists and hackers for their ill-gotten gains.

The FBI dismantled the illegal insider ring and released their own press release, claiming the accused had stolen approximately 150,000 confidential press releases since 2010. It’s baffling that, with such massive stakes, PR wire agencies and companies aren’t investing in a better cybersecurity infrastructure.

Rick Spurr, Chairman and CEO of Zix Corporation – an email encryption services provider, says that companies and services that are not prioritizing the latest security measures risk embarrassment and are jeopardizing customer trust.

“Anyone in security shouldn’t be surprised by incidents like the hack of newswire services. Data breaches are common and have occurred for years, but often they’ve gone undetected,” Spurr told Hacked.

“These incidents show that all companies – both public and private – have valuable data that is vulnerable to theft and, therefore, require data protection.”

While certain industries like healthcare and finance adopted security solutions early, a majority of the rest were slow to implement protection, adds Spurr.

The Greatest Vulnerabilities Are Also the Most Obvious Ones

The reality is that no corporation, government or person is truly secure against the threat of hacking. Mitigation strategies and cyber-defenses are routinely the focus of cybersecurity experts, and yet the biggest vulnerabilities in companies remain its employees.

“Employee behavior risks” remain the greatest concern as a vulnerability facing companies, asserts Spurr. Social engineering scams such as email and phone spear phishing, lack of encryption binding sensitive data sent outside the corporation and other routine errors contribute to failing cybersecurity.

There has been a concentrated focus on embracing encryption by trendsetting tech giants recently. The U.S. Govt recently mandated that all federal websites are required to adopt HTTPS encryption by Dec 31, 2016. At the time of writing this, only 29% of federal websites are compliant with the mandate. Small business owners have also expressed concerns about current cybersecurity and encryption measures.

The other significant vulnerability stems from the “interception of unencrypted data as it travels across the public Internet,” Spurr contends.

There are many insecure channels of communication being used to send confidential information. Unencrypted email and file sharing services are the first that come to mind. Communication via mobile devices should also be a concern for business executives.

Immediate Solutions for Curbing Threats

The human element in any situation always represents the probability of error(s), and it is no different in companies. Even the best employees will inevitably make mistakes, explains Spurr. The best course of action would be to embrace and prioritize automated cybersecurity systems that are further elaborated upon here andhere. Email encryption is a necessity and recommended because it is automated to scan instantly and secure data in real-time.

Furthermore, Spurr notes that it is imperative that employees are educated about the dangers of targeted spear phishing schemes. Regular training routines are also recommended to understand and be vigilant against social engineering schemes that will always better the best-automated security and encryption possible.

The Bigger Picture

While HTTPS encryption and better cybersecurity practices will help with greater safety, the means to combat or even resist the threat of state-sponsored hacker groups is a far more daunting task. For instance, the latest State of the Internet report (Q2 2015) indicates the originating source for the highest number of DDoS attacks is China.

State-sponsored hackers from China have long been suspected and accused of targeting U.S. institutions bybreaching records of over 30 million federal employees; infiltrating universities; stealing airline manifests by hacking United Airlines; performing cyber espionage on Forbes among other clandestine operations.

It isn’t all one-way, either. Edward Snowden revealed that the U.S. targeted and hacked Chinese Universities and mobile phones. In what is essentially a high-stakes game of cat and mouse to preserve their self-interests, the subject of cybersecurity, state-sponsored hacking, and cyber espionage were discussed at length during bi-lateral talks between the two nations earlier this year.

It has to be reiterated that every security system, company or government can be hacked. However, better standards of cybersecurity will ensure that the privacy and confidential information of millions that are stored online are better preserved. Otherwise, it’s one long and open season for malicious hackers.

View the original content and more from this author here: http://ift.tt/1F2BuR9

from cyber security caucus http://ift.tt/1KpSGGj
via IFTTT

Wednesday 26 August 2015

OMB Provides Financial Boost to Help Federal Agencies Improve Cybersecurity

The OMB is shelling out more money to help agencies invest more in cybersecurity.

Security breaches are jolts of reality for federal government agencies, forcing them to quickly think about how they can prevent similar attacks from happening in the future and swiftly address areas of vulnerability. To ensure that this happens, the Office of Management and Budget (OMB) is opening its wallet.

The OMB plans to provide the Internal Revenue Service (IRS) with $242 million to boost cybersecurity. In May, hackers gained access to the personal information of 100,000 taxpayers by utilizing the Internal Revenue Service’s “Get Transcript” platform. According toFedScoop, IRS commissioner John Koskinen said this could result in up to $50 million in lost revenue. Yet the breach proved to be worse than originally projected, as the agency revealed that the actual number was over 220,000, ZDNet reports. The IRS reached this conclusion after conducting more comprehensive research.

“Following this review, the IRS has identified more questionable attempts to obtain transcripts using sensitive information already in the hands of criminals,” the agency explained in a statement. “As a result, the IRS is moving immediately to notify and help protect these taxpayers.”

The increased budget will give the IRS new information sharing systems, help victims of tax fraud, enhance international tax fraud investigation, and strengthen attack detection and prevention. As FedScoop explains, the incident forced the IRS to take a deeper interest in security, despite financial obstacles:

The White House report says the IRS has “substantially increased” its investment in combating identity theft and tax fraud, despite severe agencywide funding cuts. Koskinen told the finance committee as much in June, saying the IRS is always working to upgrade systems but is hamstrung by the recent loss of several staffers from its IT department, along with constrained budgets and the unfunded mandate to align its systems with the tax penalties related to Healthcare.gov.

In addition to increasing the IRS’ budget, the OMB wants to assist other agencies with their cybersecurity endeavors. FedScoop reports that the OMB wants to give the Department of Health and Human Services (HHS) $262 million to keep a watchful eye over agency networks and make sure employees are trained to guard the most sensitive information. A little over $180 million would go to the Department of Veteran Affairs (VA) to do the same.

View the original content and more from this author here: http://ift.tt/1MT82ox

from cyber security caucus http://ift.tt/1Ifh0EL
via IFTTT

State Agencies Aren’t Complying with Cybersecurity Standards

SACRAMENTO — Dozens of state agencies have not fully complied with security standards designed to protect Social Security numbers, health records, income tax information and other sensitive data from hackers, according to a report released Tuesday by Auditor Elaine Howle.

The audit found that 37 executive branch agencies that told the Department of Technology they had met security requirements had not actually done so. In fact, eight of those agencies won’t finish all the necessary tasks until 2020, the report said.

The troubling findings were included in a 75-page “high risk update” that Howle submitted to lawmakers. The audit, which does not identify reviewed agencies by name, raised questions about the technology department’s oversight in light of high-profile breaches elsewhere that have exposed confidential records maintained by public agencies.

“If unauthorized parties were to gain access to the state’s information systems, the costs both to the state and to the individuals involved could be enormous,” Howle wrote to the governor and lawmakers.

In a response to the audit, Department of Technology Director Carlos Ramos wrote that he agreed with most of Howle’s recommendations.

“The department has a strong commitment to improving its existing oversight activities and to improving the state’s overall information security posture,” Ramos wrote.

The state agencies that were scrutinized frequently cited a lack of resources and competing priorities as reasons for not completing various required tasks, such as maintaining an inventory of their digital records and developing procedures for responding to a cyberattack or recovering from a disaster.

Compounding the problem, the report said, is a technology department that allowed agencies to self-certify their compliance with security standards without requiring any documentation. The department does have an audit program, but it is so small and slow moving that “it would take the technology department roughly 20 years to audit all of the 114 reporting entities,” the audit concluded.

The report recommends that the Legislature require each state agency to be assessed at least once every two years for its data-protection efforts. The technology department must also offer more guidance and training to agencies while beefing up its audit program and demanding proof of compliance, Howle wrote.

The report noted that a number of departments run by constitutional officers, such as the Secretary of State’s office, as well as the judicial branch are not subject to the technology department’s oversight. In a separate review released in December 2013, the auditor identified “significant deficiencies” in how the Administrative Office of the Courts and trial courts protected their information systems.

Howle said she plans to study the security risks associated with government agencies that don’t fall under the technology department’s purview and to consider expanding the high-risk watch to include them.

View the original content and more from this author here: http://ift.tt/1MT828i

from cyber security caucus http://ift.tt/1Ifh3k6
via IFTTT

World Body Declares Cyber Security Top Issue

Sovereign nations around the globe have clearly defined borders, but as attendees were shown at a UN Conference several years ago, cybercrime is a borderless phenomenon. In 2011 Norton Security released statistics that showed that every 14 seconds an adult is a victim of cybercrime and the numbers are growing. As internet use grows, so does the amount and type of information streaming across the web. This information crosses transnational lines, public and private sectors.

The UN conference in 2011 noted that with the expansion of global trade across the internet and the ability of persons to cross borders to steal information without leaving the comfort of their own home or the border of their own country, global cooperation is necessary to stem the crime wave that is enriching criminals and devastating victims.

The Problems

The major areas of concern mentioned were computer crimes such as copyright infringement, fraud, child pornography, network security breaches and even hate crimes. Experts from each of these areas spoke about the types of crime that could be perpetrated as well as the challenges that security professionals and law enforcement encounter when combating them.

Protecting children online from predators was high on the list of issues faced by the professionals that deal with not only the crimes themselves, but the aftermath it leaves on its young victims. Though education was considered the best way to combat these crimes, a common theme in the conference was the lack of uniform laws across the globe that can be used to punish or catch the cybercriminals.

Protecting your network infrastructure is paramount to ensuring that your company’s data and the data of your customers, vendors and partners is safe from cybercrime. Nothing can devastate a business more than a widely publicized data breach. Aside from the negative publicity and the loss of trust that people will associate with your brand is the financial consequences of the breach itself. In some instances, you will be required to provide identity theft protection for those whose data was stolen, and if you aren’t required by law to provide this service, simply good business sense will prompt you to take on this additional financial burden.

The difference between the infrastructure and technical capacity of developed versus developing countries was also brought into play. The economic disparity between developed and developing nations makes cybercrime a particularly attractive method of financial gain for cyber criminals. The lack of uniform laws enables the cyber criminals to take advantage of legal loopholes and enable them to get away with their crimes. The lack of strong security structures in developing nations make the cybercrimes easier to enact and far easier to detect and trace.

The Fix

To address the issues brought before the world body, a partnership between Great Britain and India was formed to establish a research lab find ways to combat cybercrime and strengthen global security. This lab will work with similar research centers around the globe to develop security technologies that will lead to marketable technologies as well as internships for students.

The Centre for Secure information Technology is an open model that is also working with IBM, Infosys, McAfee and others to develop roadmaps to follow in the development of new technology for the future. These roadmaps will focus on network infrastructure, SCADA, network security, mobile malware, cloud computing, homomorphic encryption, cryptology and biometrics. It is hoped that these types of partnerships will be able to address the current problems and forge the ability to work on global threats in the future as technology evolves and new threats emerge.

What You Can Do Now

Though technology continues to change and while the world governments work on solutions that will seamlessly cross international borders, you can take steps to minimize the risks to yourself, your families and your businesses. Solutions will only work if people apply them as they arise. Right now solutions exist and should be implemented until better ones are developed.

Educate yourself and your children about the warning signs of cyber fraud and exploitation. Learn to delineate the difference between a legitimate request for data and a fraudulent one. Learn the signs that your computer or network is under attack. Always install cloud based antivirus program on your system like Panda security, Immunet free antivirus, Comodo internet security; preferably one that updates around the clock as new threats are identified or suspected. Loss of data can be as devastating as theft of data and other can result from virus attacks. Anti-malware software is a must as malware can easily be used to gain information from your computer systems. Protect your email from questionable attachments and don’t be quick to provide information that should be kept secure such as passwords, bank account numbers and other personal information. All of these methods can help protect you from becoming a victim of cybercrime.

View the original content and more from this author here: http://ift.tt/1JuPtAa

from cyber security caucus http://ift.tt/1NAOl53
via IFTTT

Consultants Seek to Bridge ‘Valley of Death’ to Stop Hacking

Anti-hacking technology developed by the U.S. will be offered to banks and other businesses under an initiative to promote cutting-edge research, even as some security specialists question its value in the private sector.

For the first time, cybersecurity technology developed at Los Alamos National Laboratory in New Mexico will be made available to private companies by the New York consulting firm Ernst & Young LLP, the two organizations announced Tuesday.

“Government organizations and private companies are all experiencing the same cyber threats,” said Siobhan MacDermott, a principal for cybersecurity at EY. “But they’re still seeking ways to work together to improve collective cybersecurity.”

The partnership comes as government and companies face increasingly sophisticated hacking attacks. The head of the National Security Agency, Navy Admiral Michael Rogers, has estimated that the U.S. loses as much as $400 billion a year through hacks that steal trade secrets.

Some security analysts, however, question how successful the model will be because technology developed over the course of years at government facilities may not be relevant or useful to current company needs. Government researchers also operate in controlled environments, whereas the networks of corporations can be messy and sprawling.

“The premise is based on the idea that the government is somehow better at doing cybersecurity than the private sector,” said Frank Dickson, a research director for information and network security for consulting company Frost & Sullivan. “I think that’s a flawed concept.”

University Grants

The government might be more effective by providing grants to help universities train cybersecurity experts, Dickson said.

The relationship between Los Alamos and EY is unique in that cybersecurity technology being developed and used at the lab hasn’t easily reached the private sector.

The U.S. spends about $1 billion a year on unclassified cybersecurity research. However, it often goes unnoticed in the private sector because federal researchers don’t have expertise in marketing and communicating to companies. The inability to transfer the expertise is known as “the valley of death,” said Michael Fisk, chief information officer at Los Alamos.

That’s where EY comes in. The giant consulting company has been investing and growing its own cybersecurity practice.

Abnormal Activity

The first technology that will be transfered by EY is called PathScan, which detects abnormal activity on networks that indicates the presence of hackers. Uncovering hackers on networks has been a struggle for many companies. On average, attackers operate inside a victim’s network for more than 200 days before being detected, according to FireEye Inc., a network security company.

PathScan is being tested at five companies and already proving valuable, according to EY. The firm believes the relationship with the lab will be successful because technology being transferred has market value and will be combined with its other services and expertise, MacDermott said.

The process that led to the licensing agreement for PathScan took about three years. The technology was first identified as being valuable to commercial ventures by the Department of Homeland Security’s Science and Technology Directorate. It is the fourth to be transferred under a program managed by the agency.

It remains to seen how useful and relevant the technology currently is, said Vikram Phatak, chief executive officer and chairman of the board at NSS Labs Inc., a private company that independently tests cybersecurity technology.

Hacking attacks have become more sophisticated since 2012, including assaults on JPMorgan Chase & Co., Sony Corp. and the U.S. Office of Personnel Management.

Phatak said NSS Labs plans to test PathScan. Phatak said he wasn’t aware of any cybersecurity technology coming from the government that has had major commercial success.

“I wouldn’t bet the farm on it but it’s great that they’re trying to help,” he said. “It’s kind of like mother-made apple pie. Who’s going to be against that?”

A section on a Bloomberg website about corporate governance, called the Bloomberg Board Directors’ Forum, is sponsored by EY’s Center for Board Matters.

View the original content and more from this author here: http://ift.tt/1MT7ZcB

from cyber security caucus http://ift.tt/1V9ojY3
via IFTTT

Cybersecurity: The glitch in the U.S.-China relationship

Hong Kong (CNN)Chinese President Xi Jinping is going to Washington next month — and it’s not shaping up to be a pleasant visit.

Tensions are rising on a number of fronts: The global impact of China’s market meltdown; island building in the South China Sea; and that persistent glitch in the U.S.-China relationship — cybersecurity.

The massive data breach at the U.S. Office of Personnel Management (OPM) made headlines for its sheer size. Targeting the data for almost 22 million people, it’s been called the worst breach of government-held personal data in U.S. history.

U.S. Director of National Intelligence James Clapper said that China is the “leading suspect” in the breach, though if the tables were turned the U.S. would have carried out a similar hack on China: “If we had the opportunity to do the same thing, we’d probably do it.”

Fair game?

Let’s face it, OPM was an easy target.

U.S. cyber defenses were down. And in this era of digital “spy versus spy,” a cyber-breach of government data is often regarded as fair game.

Cyber espionage has become such an expected reality in geopolitics that U.S. Secretary of State John Kerry recently admitted that it’s “very likely” China — along with Russia — is reading his emails.

But that’s not the case with corporate espionage.

The U.S. pushes back harder — a lot harder — against the cyber theft of company data and trade secrets. “It is far more firm and that’s the line that the U.S. is trying to draw — ‘It’s okay to spy on governments, everybody does that. It’s not okay to spy on company secrets’,” Washington Post Beijing bureau chief Simon Denyer tells me in the latest episode of CNN’s “On China.”

READ: Study: China cybercensors attack outside its borders

What kind of corporate data is China going after?

“Trade secrets, it could be business plans, marketing plans, it varies. We’ve seen many, many industries targeted,” said Wias Issa, Asia-Pacific senior director of the computer security firm FireEye.

Two years ago, Mandiant — now a FireEye company — issued a landmark report that tracedcyberattacks against 141 U.S. companies, across 20 industries, to a secret Chinese military unit.

READ: How China could have hacked U.S. government in 10 steps

Mandiant uncovered what is claimed was widespread Chinese state-sponsored cyber theft of trade secrets — a practice that could be rationalized by Beijing as a matter of state security.

The economy is so central to the Communist Party’s legitimacy that spying for the sake of benefiting state-owned companies for example is part of the government’s national strategy,” said Denyer.

According to that analysis, China is hacking American companies to strengthen its economy and the Party. But that equation doesn’t sit well with Peking University scholar Zha Daojiong, who believes cyber theft should never be a shortcut for economic growth.

“Spying may be a part of the world for a company to cut corners in advancing itself, but for me as a scholar if I had a chance to inform political debate within China, it’s not the so-called loss of face, it’s not the pursuit of GDP growth and the cost, it’s whether or not you want to have a society of thieves.”

China a victim too?

Chinese authorities have long called the hacking accusations unfounded and repeatedly stress that it too is a victim of Internet attacks — albeit more of the diplomatic espionage variety, as opposed to corporate theft.

With both sides talking past each other on the high-stakes issue of cybersecurity, Zha recommends a reset in the relationship in the form of setting a new common cyber goal.

“When Mr. Xi and Mr. Obama meet in September, they should make a joint announcement of working toward setting up a working group to define cyber crime and to find ways of collaborating in dealing with cyber crime.

“There has to be a common template of what’s not acceptable behavior… like dealing with climate change.”

Aiming for an agreed set of cyber “road rules” is a lofty goal, but a tough one to carry out as the U.S. presidential election season kicks into gear. Like in previous election cycles, China bashing on the campaign trail is well underway.

On the prospects for a U.S.-China cyber agreement, FireEye’s Issa was not overly optimistic. “I hope we can get there one day,” he said.

“But as long as there are nations, and those nations have diverse interests, they will continue to gather intelligence about each other.”

Because this is what countries do. They spy on each other.

View the original content and more from this author here: http://ift.tt/1Ifh0oc

from cyber security caucus http://ift.tt/1NAOl4Z
via IFTTT

Tuesday 25 August 2015

Two Decades in, DC-Based Thycotic Goes on a Tear

The cybersecurity firm has been largely operating under-the-radar until now

Thycotic, a cybersecurity company that focuses on password and privileged account management, was until recently one of the D.C. tech scene’s best-kept secrets. But the word is now out about the longstanding company: a ranking on the Inc. 5000 list of fastest-growing private companies showed Thycotic with 2014 revenue of $10.5 million. And now, CEO and founder Jonathan Cogley has told DC Inno that revenue for 2015 is expected to grow by 40 to 60 percent over last year.

The revenue reveal followed close on the heels of Thycotic’s first outside investment round, announced last month, coming nearly two decades into the company’s history—making the company a unique tech company story all around.

On the rise

In terms of market competition, the account credential security space is still something of a niche sector within cybersecurity. Though larger, “one-stop-shop” security companies often offer a version of it, Cogley said that Thycotic is among the few to specialize in this type of security software.

Founded in 1996, Thycotic began as a software product consultancy agency that catered to businesses wanting to improve their IT departments. Over time, however, Cogley noticed a market demand for a specific suite of security products. In the early 2000s, he began to shift his consultancy businesses into a software development company.

“When comparing Thycotic to other privileged account management offerings, IT administrator teams across the globe prefer our solution because it’s faster to deploy, takes significantly fewer resources to manage and offers comprehensive security for their most sensitive credentials,” Cogley said.

In early August, Inc. published its annual Inc. 5000 fastest growing companies list, where it included Thycotic and ranked it #1646 in the nation. With some back-of-the-envelope calculations, it can be estimated, based on what Cogley told us, that Thycotic’s expected 2015 revenue will be somewhere between $14.7 million and $16.8 million. And the company now employs 65, up from 40 at the start of 2014.

Positioned to grow

In July, Thycotic got some validation for its approach by taking its first-ever investment—from Insight Venture Partners, a prominent New York-based firm. Neither Insight nor Thycotic has disclosed any financial details on the deal.

However, Cogley did say the raise was “substantial” and more importantly, it positioned Thycotic to achieve exponential market growth in the coming years.

“For us, it was a big milestone because they courted us. It was a long process and raising money is not easy. But we’re very happy they [Insight] are our partners,” Cogley told DC Inno.

The raise also followed another announcement that former PHD Virtual Technologies President and CEO James Legg would be joining Thycotic as its President and COO. Prior to PHD Virtual Technologies, Legg headed Texas-based Idera Software’s sales division as its vice president of world sales.

Structure

Thycotic’s customer base is roughly 92 percent commercial with the remaining 8 percent being split between federal and local government clients, and other defense clients, Cogley told DC Inno.

Current Thycotic clients include the University of Central Florida, TechAssist, Kirkland and Rapid7. Customers can choose from either a cloud-based or on-premise software platform to help defend against hackers who are looking for passwords and privileged account information on their systems.

Right now, the company has five job openings ranging from marketing and sales to programming positions. By the end of 2015, Thycotic expects to add approximately 10 new staff members.

“I believe we’re on the path towards being a 100-person company, but the truth is that we’re still 18 to 24 months way from getting there,” Thycotic’s CEO told DC Inno.

Cogley told DC Inno that he is also currently in the planning phase of renting out another floor in the company’s current office building, located at 1101 17th St NW, to keep up with Thycotic’s projected hiring pace.

“As we continue to add customers we must also continue to hire to keep up with that demand. Obviously with all of that, office space naturally becomes something you need to account for,” he said.

As time progresses and the company works to fulfill its potential, Cogley said that there will be a few key challenges he anticipates that Thycotic must overcome. Among them, it will be important to attract talented and experienced executives (similar to Legg) who can, as Cogley described, cut down on “trial and error.”

Another key goal will be the expansion of Thycotic’s foreign business. Roughly 30 percent of total sales come from customers outside of the U.S., currently, and it’s expected to be a growth area in the future.

View the original content and more from this author here: http://ift.tt/1KgOoRC

from cyber security caucus http://ift.tt/1KgOmZV
via IFTTT

NIST draft report: international cybersecurity standardization needed

An interagency working group led by The National Institute of Standards and Technology (NIST) and The Department of Commerce recently published a draft report (the “Report”) recommending that the U.S. government increase its efforts to develop international cybersecurity standards by coordinating with other governments and the private sector.

Historically, U.S. standard setting efforts have been led by private organizations, with invited participation from government officials, industry and academia. With the Cybersecurity Enhancement Act of 2014 and President Obama’s executive order directing NIST to coordinate with other federal agencies on cybersecurity strategies, NIST has been at the forefront of cybersecurity standards development in the U.S. For example, the private sector is using and quoting the principles for the development of proper information security practices that were developed by NIST for the federal government. Meanwhile, in the Report and elsewhere, NIST continues to advocate for more participation and collaboration between government and the private sector on cybersecurity standards.

The Report advocates for international cybersecurity standards to be developed through active participation and collaboration among the U.S. government, foreign governments and domestic and foreign private industry. The Report identifies four key reasons why the U.S. government should want to develop and use international cybersecurity standards:

• To enhance national and economic security and public safety

• To ensure standards and assessment tools for the U.S. government are technically sound

• To facilitate international trade

• To promote innovation and competitiveness

The Report includes a helpful supplement (the “Supplement”) which summarizes current international cybersecurity standardization efforts and catalogues U.S. government and private-sector engagement in these efforts. The Working Group also makes suggestions on how federal agencies can more effectively participate in these ongoing international efforts.

Public comments on the Report are due by September 24, 2015. The Report and the Supplement can be found on the NIST website. http://www.nist.gov.

View the original content and more from this author here: http://ift.tt/1LwDad8

from cyber security caucus http://ift.tt/1EgQ250
via IFTTT

Greenberg Traurig Lands Cybersecurity, Data Privacy Expert

Law360, New York (August 24, 2015, 8:26 PM ET) — Greenberg Traurig LLP has shored up its privacy and data security practice in Silicon Valley by hiring the author of a leading treatise on these increasingly important information technology topics, the firm announced Monday.

Francoise Gilbert, the founder and former managing director of the IT Law Group in Palo Alto, focuses her practice on domestic and global data privacy and security issues, as well as cloud computing and information technology law.

“Francoise is a renowned international privacy and cybersecurity attorney,” said Alan Sutin, co-chair of Greenberg’s…

View the original content and more from this author here: http://ift.tt/1EgQ24U

from cyber security caucus http://ift.tt/1Jt1W7A
via IFTTT

PwC partners with US based cyber security firm Tanium

PwC and IT services firm Tanium signed a strategic alliance to combine PwC’s security expertise with Tanium’s technology. The deal sees PwC introduce new Tanium Accelerators to its Cyber Security Practice in a bid to provide its clients with enhanced capabilities to combat cybercrime.

Tanium was founded in 2007 to “deliver a new and innovative approach to endpoint management and security.” The IT services firm serves as a ‘central nervous system’ for its clients to provide them with the power to secure, control and manage millions of endpoints across their enterprise, allowing them to protect against modern day threats, while also realise cost efficiency in IT operations. The US-based firm has over 200 experts working from its six offices around the world.

With the aim to help their clients battle cyber-attacks and insider threats, professional services firm PwCand Tanium decided to partner up. Under the strategic alliance, PwC’s threat intelligence and consulting practices will be coupled with the endpoint security and systems management software platform of Tanium as the firm will introduce new Tanium Accelerators to its cyber security practice, including threat intelligence, content development, remote hunt team and incident response services, consulting and integration, and data privacy impact assessments.

The technology will enable PwC’s clients with 15-second visibility into and control over all of the globally distributed endpoints across the organisation, allowing them to quickly assess, identify and manage the threats and vulnerabilities they face on a daily basis.

David Damato and Kris McConkey “PwC’s Tanium Accelerator services have already helped their clients better detect, respond to, and resolve advanced attacks,” explains David Damato, Chief Security Officer at Tanium. “Having spent years on the front lines of cyber-crime investigations for Fortune 500 companies, it’s clear that the combination of PwC’s Cyber Security practice capabilities and Tanium’s platform enabling 15-second endpoint visibility and control will bring immense value to organisations.”

Kris McConkey, Cyber Security Partner at PwC, adds: “Cyber security remains one of the leading concerns for today’s CEOs given the risk to their businesses from the increasing prevalence of cyber and insider threats. By combining PwC’s global incident response, intelligence and security consulting teams with the speed and flexibility of the Tanium platform we are making a real difference to the security challenges our clients are facing. Organisations now have the ability to act faster and smarter at scale to identify and resolve malicious activity, minimise their attack surface and establish facts about their environment in 15 seconds which previously took days or weeks.”

View the original content and more from this author here: http://ift.tt/1Lx6kJf

from cyber security caucus http://ift.tt/1Jt1TZa
via IFTTT

Monday 24 August 2015

Automakers form alliance to bolster cybersecurity

WASHINGTON — By the end of the year, automakers will have a new layer of defense in the fight against would-be car hackers.

Through the Alliance of Automobile Manufacturers and the Association of Global Automakers, automakers are working to establish an Information Sharing and Analysis Center to act as a secure, industrywide clearinghouse for intelligence about cyberthreats to vehicles and their networks. It would also facilitate sharing of best practices for how to safeguard against and respond to threats.

Cybersecurity is a new issue for the industry, one handled by automakers in different ways. That varied and still-developing approach has fueled industry critics, including some lawmakers, who say the industry lacks a comprehensive solution to safeguard their customers.

The immediate threat of malicious hackers wreaking havoc on connected cars appears to be relatively remote. The researchers who remotely controlled some Jeep Cherokee vehicle systems — as chronicled by Wired magazine in July and widely reported elsewhere — were highly sophisticated security experts who spent years developing the tools needed to complete the hack.

Hackers seeking monetary gain have little current incentive to target cars. Even though vehicles can collect huge amounts of data, the auto industry has yet to monetize it in a major way, according to a recent white paper by consultancy Frost & Sullivan.

But that could change.

“Is it dire right now? I wouldn’t say so, but now is the time to form the ISAC so the infrastructure and trust is there when they need an ISAC,” said Denise Anderson, chair of the National Council of ISACs and a former vice president of the financial services industry’s ISAC. “You don’t want to be caught unprepared. Health care is being heavily targeted right now, but in the past they weren’t.”

Sharing security info

Many other industries have launched such centers, known as ISACs, since the first were formed following a presidential directive decision by Bill Clinton in 1998.

The auto industry’s ISAC is scheduled to be operational by the end of the year, Rob Strassburger, vice president of safety at the Alliance of Automobile Manufacturers, said in July.

Every major automaker will participate in the automotive ISAC, with suppliers and telecommunications companies expected to join down the road. Member companies will be able to share information about vulnerabilities and attacks anonymously through the ISAC. The auto industry’s ISAC is expected to have a dedicated professional staff with analysts to diagnose and respond to threats, and disseminate information to members.

Executives from the Auto Alliance and Global Automakers say that many of the details of how the center will operate are still being worked out. But other ISACs provide a hint of the auto industry security hub’s capabilities.

Financial institutions were able to respond to a rash of attacks that knocked the websites of dozens of major banks offline in 2012 and 2013 in part because of that sector’s ISAC, Anderson said.

She said the center set up a dedicated portal where information about the distributed denial-of-service attacks, in which hackers seek to crash or disrupt a website by flooding it with traffic, was shared in real time and updated as attacks evolved.

Anderson says the attacks waned as the banks developed effective countermeasures. And one of the ISAC’s members was able to thwart an attack well enough that its website was unaffected, she said.

Hacking a Jeep

As reported by Wired, security researchers Charlie Miller and Chris Valasek accessed a Jeep Cherokee’s central computer that controls many vehicle functions via a loophole in the SUV’s Internet-connected radio head unit. Fiat Chrysler Automobiles and Sprint, which provides cellular service to Chrysler vehicles, addressed the loopholes exploited by Miller and Valasek.

But before that, the two were able to crank up the Cherokee’s radio, turn on the windshield wipers, blast the air conditioning and even disable the transmission by entering commands into their laptop from miles away.

These and other vehicle-system vulnerabilities are under mounting scrutiny in Washington from lawmakers and regulators alike.

Attacking a vehicle through its cellular data connection is one of 11 types of potential attacks facing modern vehicles that were identified in an October 2014 report by the National Highway Traffic Safety Administration. The report was one product of a 2012 reorganization of NHTSA’s research arm to increase the agency’s focus on vehicle electronics, including cybersecurity.

Recent legislation proposed in the U.S. Senate would direct NHTSA and the Federal Trade Commission to write minimum rules for cybersecurity. That proposal followed a February report by Sen. Edward Markey, D-Mass., that found the industry’s cybersecurity measures to be inconsistent from company to company, calling the disparate approaches “for the most part … insufficient to ensure security and privacy for vehicle consumers.”

Meanwhile, the House Energy and Commerce Committee is conducting a review of its own. It is following up with automakers after receiving responses to cybersecurity questions sent in May to top U.S. officers at 17 automakers and NHTSA.

“With more-and-more connected automobiles on the road every day, members are looking to better understand the state of the market today and where it’s headed in the years to come,” an Energy and Commerce Committee spokesman said in a statement.

Absent a robust approach to cybersecurity by the industry, Frost & Sullivan says the government could push the industry toward a new set of regulations.

Said the consultancy: “The government appears to be taking action, while automakers are slower to respond. These roles must be reversed.”

View the original content and more from this author here:
http://ift.tt/1I6iRvq

from cyber security caucus http://ift.tt/1Edrfyk
via IFTTT