Wednesday, 30 September 2015

Is the cybersecurity field sexist?

Women account for just one out of 10 cybersecurity professionals, as the gender gap widened over two years in a male-dominated field with a drastic workforce shortage, a survey showed.

ISC2, the largest organisation that certifies cyber professionals, said that a poll of nearly 14,000 information security professionals in developed countries found that just 10% were women. That is down from 11% two years ago, said ISC2 official Elise Yacobellis.

“It is certainly alarming to see it go down to 10%,” Yacobellis said in an interview.

One reason for concern is a talent shortage. ISC2 reported earlier this year that 62% of respondents said their organisations did not have enough security professionals.

“We have a huge workforce shortage. If we brought more women into this field, I believe that gap would lessen,” Yacobellis said.

The survey also found pay inequalities. Some 47% of men reported annual salaries of at least US$120,000 (RM532,680), compared to 41% of women.

It comes amid a broader debate about the lack of women in the technology industry, especially high-profile firms like Google Inc and Apple Inc. Women account for roughly a third of workers at many tech firms, with fewer in leadership and technology roles.

Entrepreneur Georgia Weidman said some women do not want to work in a field where they lack the same opportunities as men.

“I can totally understand why people would want to pursue a career path where they feel their contributions are more appreciated,” said Weidman, who worked at several technology firms including IBM Corp before starting two companies.

Unequal treatment is the result of unconscious bias, said Joyce Brocaglia, an executive recruiter and founder of the Executive Women’s Forum for information security professionals.

“Companies are saying that they want to hire more women in information security and have more women at the most senior levels, but I don’t often see them making the investments they need to ensure that,” she said.

Katie Moussouris, a former Microsoft Corp security manager, earlier this month filed a gender bias lawsuit against the software maker. Microsoft said it reviewed her claims and could not substantiate them.

Mary Galligan, director of Deloitte Advisory Cyber Risk Services, said the pool of female job candidates is small because women have historically dropped out of technical programs early.

“This trend will hopefully slow in the next decade as more girls stay in science, technology, engineering and math programs,” she said. — Reuters

View the original content and more from this author here: http://ift.tt/1O6AqnZ



from cyber security caucus http://ift.tt/1QKAdo2
via IFTTT

Dalrymple starts up cybersecurity task force

North Dakota Gov. Jack Dalrymple has assembled a task force to address the potential threats that cyber attacks pose to state government.

The Cybersecurity Task Force has 15 members, including directors and information technology experts from a number of state agencies.

Lt. Gov. Drew Wrigley will facilitate its work, the governor announced Monday.

The team will review the state’s current cybersecurity policies and practices and make recommendations on what’s needed to ensure the security of state networks and systems.

Members also will identify ways to enhance the use of network defense and monitoring tools, implement training and awareness programs for state employees and develop a cyber-incident response strategy.

The task force will have its first meeting in October.

View the original content and more from this author here: http://ift.tt/1RfrcnJ


Cyber Kill Chain: How To Keep Network Intruders At Bay

New York Cybersecurity Company Licenses ORNL’s Data Diode

Newswise — OAK RIDGE, Tenn., Sept. 29, 2015 – Lock Data Solutions has licensed a technology from the Department of Energy’s Oak Ridge National Laboratory designed to protect a company’s data from internal and external threats.

Data Diode, developed by ORNL’s Lawrence MacIntyre and Nate Paul, uses a defense-in-depth computer network strategy to create an environment in which an organization’s approved users can work freely inside an enclave of protected data but restricts file transfers outside the network.

Donald McGuire, CEO of Lock Data Solutions, said the technology is a perfect fit for his company, noting that his management team is made up of professionals who have enjoyed commercial success with various technologies, including a secured wireless communication technology for the Navy. He is looking forward to bringing to the market Lock Data CounterX, a software suite that includes ORNL’s Data Diode technology.

“Lock Data Solutions appreciates the opportunity to partner with ORNL in the creation of a company that can work to protect vital data resources in a manner that represents the cutting edge in cybersecurity,” McGuire said. “With the help of the technology being licensed today, we expect to create a sea change in the balance of power between those protecting data and those seeking to steal it.

“As it grows, Lock Data Solutions will not only protect data with its products, but expects to contribute to the U.S. economy by creating jobs in the technology sector.”

Armed with CounterX, an intruder who has penetrated the network can see the protected information but cannot download the actual data, McGuire said. And during the time it takes the intruder to search for a way around the obstacle, the network’s detection can locate and thwart the malicious intent of the intruder.

“Hackers are going to get in,” said Paul, a member of ORNL’s Cyber and Information Security Research group. “Employees can accidentally put confidential data at risk. The ORNL Data Diode addresses this problem by restricting important data from being copied out of network, thereby alleviating and alerting such specific and unauthorized activities.”

Paul noted that banks are particularly vulnerable and have trusted consumer data that includes social security numbers, addresses and birth dates. A recent breach compromised data for 76 million households.

Lock Data Solutions LLC, located in New York City, is a technology company dedicated to bringing cutting edge solutions to cloud and network cybersecurity. Development of this technology was made possible by funding from the Intelligence Advanced Research Projects Activity (http://ift.tt/1u8Z8dY).

UT-Battelle manages ORNL for the DOE’s Office of Science. The Office of Science is the single largest supporter of basic research in the physical sciences in the United States, and is working to address some of the most pressing challenges of our time. For more information, please visit http://ift.tt/1eNnDBm.

View the original content and more from this author here: http://ift.tt/1Rfrc7p


Raytheon: Ho hum, another day, another $1bn cyber-security contract with Uncle Sam

Defense contractor Raytheon said it will be providing IT security for more than 100 US government agencies in a deal valued at upwards of $1bn.

Raytheon said the billion-dollar contract, reportedly set to run for five to seven years, will include development and support of cybersecurity protections for the Department of Homeland Security (DHS) and all of the federal agencies under its umbrella.

Raytheon said it will also become the prime contractor for the DHS’ Network Security Deployment division.

“Today’s cyber threats are increasingly pervasive and serious, and our government and private sector institutions require the best protection possible,” Raytheon intelligence, information and services president Dave Wajsgras said in a canned statement.

Well known as a military and government defense contractor working with both the US and UK, Raytheon has built up its cyber-security chops with a rash of acquisitions, most recently Websense in a deal that cost Raytheon more than $1.5bn. Raytheon claims it has spent $3.5bn to acquire a dozen cyber security companies over the last ten years.

The announcement of the contract comes less than two months after the DHS was given a new head of information security in NSA veteran Andy Ozment.

The deal also comes as the US government looks to recover from one of its worst-ever data breaches, in which hackers were able to break into systems at the US Office of Personnel Management (OPM) and make off with the personal information of more than 25 million people who had been given background checks by the federal government.

View the original content and more from this author here: http://ift.tt/1RePVsr


Tuesday, 29 September 2015

New federal assessment tool highlights the importance of threat intelligence for financial institutions

By HP Security Strategist Stan Wisseman

In a previous post, I encouraged the use of frameworks to help determine a cybersecurity baseline capability and a roadmap to reach the goals of your information security program. This summer, the Federal Financial Institutions Examination Council (FFIEC) introduced a new tool to assist financial organizations in following this approach.

In 2014, the FFIEC piloted a cybersecurity examination program at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. On June 30th of this year, the FFIEC published a Cybersecurity Assessment Tool to provide ALL financial institutions with a repeatable and measurable process to inform leadership of their organization’s cyber risks (Inherent Risk Profile) and cybersecurity preparedness in relation to that risk (Cybersecurity Maturity). If the level of preparedness is inadequate, the organization may take action either to reduce the level of risk or to increase the level of maturity (a “target” state). The Tool is mapped both to the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook) and to the NIST Cybersecurity Framework. Initially, the Tool will be voluntary, but in the long term it is expected to be incorporated into the FFIEC IT Handbook and used in regular examinations. The Tool identifies five domains, as shown above.

I’m going to focus on the Threat Intelligence & Collaboration domain in this post. I’m a strong proponent of threat intelligence sharing and am pleased that the FFIEC added this domain to its Assessment Tool. Timely sharing of intel about new or ongoing cyberattacks and threats should help avoid or minimize major breaches from an attack. I recognize that there’s still some controversy around private sector organizations sharing their threat intel with US Government agencies. Some of the potential negative consequences of this sharing were discussed at the 2nd annual Senior Executive Cyber Security Conference I attended in Baltimore earlier this month. Efforts are underway to craft legislation to address some of these concerns (see the ICIT brief), though it’s unclear whether the US Congress will finalize these legislative efforts this year. Independent of the legislation, I still think that harnessing the collective wisdom of peer organizations we trust should be a win-win and is necessary to survive within our evolving threat landscape. The bad guys collaborate. We also need to.

Returning to the Assessment Tool, each domain and maturity level has a set of declarative statements (i.e., requirements) organized by assessment factor. I’ve extracted some of the declarative statements from the Advanced and Innovative maturity levels for the Threat Intelligence & Collaboration domain below:

  • Threat intelligence is automatically received from multiple sources in real time.
  • A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management.
  • Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks.
  • The institution uses multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.
  • IT systems automatically detect configuration weaknesses based on threat intelligence and alert management so actions can be prioritized.
  • Relationships exist with employees of peer institutions for sharing cyber threat intelligence.
  • A network of trust relationships (formal and/or informal) has been established to evaluate information about cyber threats.
  • A mechanism is in place for sharing cyber threat intelligence with business units in real time including the potential financial and operational impact of inaction.
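The Advanced-level statements above (indicators received automatically, correlated against log analysis, with risk-based automated actions and alerting to management) can be made concrete with a small correlator. The following is an added example and is not code from the FFIEC Tool, from HP Threat Central, or from the original post; the indicator feed, asset criticalities, log lines and score thresholds are all constructed placeholders (RFC 5737 documentation addresses and example.net names), and the weighting of feed confidence by asset criticality is one illustrative way to tie a threat hit back to the institution's Inherent Risk Profile.

```python
"""Added example: correlate a threat-indicator feed against log lines and
prioritise the hits by asset criticality. Not from the FFIEC Tool or HP;
every feed entry, asset and log line below is constructed sample data."""
import ipaddress
import re

# Constructed indicator feed: (indicator, kind, confidence 0-100, threat label)
THREAT_FEED = [
    ("203.0.113.45", "ip", 90, "credential-phishing-c2"),
    ("198.51.100.0/24", "cidr", 60, "scanner-range"),
    ("update-check.example.net", "domain", 80, "malware-downloader"),
]

# Constructed asset inventory: host -> business criticality, standing in for
# the institution's Inherent Risk Profile.
ASSET_CRITICALITY = {
    "core-banking-01": "high",
    "teller-ws-17": "medium",
    "guest-wifi-gw": "low",
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed firewall/proxy log lines: "<timestamp> <host> <action> <destination>"
SAMPLE_LOGS = """\
2015-09-29T10:01:02Z core-banking-01 CONNECT 203.0.113.45:443
2015-09-29T10:01:09Z teller-ws-17 DNS update-check.example.net
2015-09-29T10:02:44Z guest-wifi-gw CONNECT 198.51.100.77:22
2015-09-29T10:03:00Z teller-ws-17 CONNECT 192.0.2.10:443
malformed line that the parser must skip
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<dst>\S+)$")


def parse_log_line(line):
    """Parse one log line into a dict; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst"] = rec["dst"].rsplit(":", 1)[0]  # drop a trailing :port (IPv4/hostnames only)
    return rec


def match_indicator(dst, feed=THREAT_FEED):
    """Return (indicator, confidence, label) for the first feed entry matching dst, else None."""
    for indicator, kind, confidence, label in feed:
        if kind in ("ip", "domain") and dst == indicator:
            return indicator, confidence, label
        if kind == "cidr":
            try:
                if ipaddress.ip_address(dst) in ipaddress.ip_network(indicator):
                    return indicator, confidence, label
            except ValueError:
                continue  # dst is a hostname, not an address; CIDR cannot apply
    return None


def risk_based_action(confidence, criticality):
    """Combine feed confidence with asset criticality into a score and an action.
    The thresholds are illustrative, not prescribed by the FFIEC Tool."""
    score = confidence * CRITICALITY_WEIGHT.get(criticality, 1)
    if score >= 240:
        return score, "isolate-host"
    if score >= 120:
        return score, "alert-soc"
    return score, "log-only"


def correlate(log_text, feed=THREAT_FEED, assets=ASSET_CRITICALITY):
    """Run every log line against the feed and return one finding per hit,
    highest priority first so management sees the worst case at the top."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hit = match_indicator(rec["dst"], feed)
        if hit is None:
            continue
        indicator, confidence, label = hit
        criticality = assets.get(rec["host"], "low")  # unknown hosts default to low
        score, action = risk_based_action(confidence, criticality)
        findings.append({
            "ts": rec["ts"], "host": rec["host"], "dst": rec["dst"],
            "indicator": indicator, "threat": label,
            "criticality": criticality, "score": score, "action": action,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f"{f['action']:<13} score={f['score']:<4} {f['host']} -> {f['dst']} ({f['threat']})")
```

On the constructed input the core-banking host talking to the high-confidence C2 indicator scores highest and is flagged for isolation, the teller workstation's DNS lookup of the downloader domain raises a SOC alert, and the guest gateway's contact with the low-confidence scanner range is only logged. In a real deployment the feed would arrive from a sharing platform rather than a literal, and the action thresholds would come from the institution's own risk appetite.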

I think the Tool encourages the building of effective threat collaboration partnerships through trust. HP has taken a similar approach with its Threat Central service. Threat Central enables organizations to collaborate via a community-sourced security intelligence platform that incorporates dynamic threat analysis scoring to produce relevant, actionable intelligence to combat advanced cyber threats. Use of Threat Central can help you achieve some of the Advanced and Innovative declarative statements called for in the Assessment Tool.

Learn more about HP Enterprise Security.

Figure source: http://ift.tt/1FFBXhJ

View the original content and more from this author here: http://ift.tt/1KOHSwT


U.S. threat of sanctions against Chinese firms leads to cybersecurity agreement

NEW YORK–The United States threatened to impose economic sanctions against at least 25 Chinese companies if Beijing failed to take cybersecurity issues more seriously, sources said.

The strong warning was issued by Susan Rice, U.S. President Barack Obama’s national security adviser, during her visit to China in late August. The visit then led to an agreement on cybersecurity issues between Washington and Beijing, according to multiple U.S. and Chinese sources.

Obama and visiting Chinese President Xi Jinping agreed in Washington on Sept. 25 that their respective governments would not engage in or support cyber-attacks aimed at stealing economic secrets.

According to several sources knowledgeable about U.S.-China negotiations, Rice presented Chinese officials with a list of about two dozen Chinese companies suspected of being engaged in cyber-attacks against the United States. The list was compiled mainly by a special unit within the U.S. military dealing with cybersecurity.

The sources said Rice told her Chinese counterparts about specific sanctions being considered against the Chinese companies, including freezing their assets in the United States.

Although China had not placed much emphasis on cybersecurity until then, the Rice visit appears to have given momentum to discussions between officials of the two nations.

U.S. government officials had argued that cyber-attacks by China caused several billion dollars in losses to U.S. companies over the course of a year, which translates into an annual loss of several hundred billion yen.

In June, a massive cyber-attack against the United States led to the leaking of personal information of several million U.S. government officials, including those in the military and intelligence services. Washington suspects China was behind that attack.

According to sources, the special cybersecurity unit that was established in 2010 spent several months compiling the list of Chinese state-owned and other companies that stole information, including intellectual property, from U.S. companies.

Pentagon officials and other U.S. government officials had pushed for sanctions against those companies, including a limit on their business activity in the United States, before Xi’s arrival in the United States on Sept. 22.

According to a former high-ranking Pentagon official, Rice issued an extremely stern warning about the cyber-attacks to Xi and Chinese State Councilor Yang Jiechi, who oversees Chinese diplomacy.

She explained details of the proposed sanctions to Chinese researchers involved in the policy-making process and high-ranking corporate executives during a meeting held at the official residence of the U.S. ambassador to China.

In response, China dispatched Meng Jianzhu, secretary of the Central Politics and Law Commission of the Chinese Communist Party and a Politburo member who oversees cybersecurity issues, to the United States on Sept. 9 as Xi’s special envoy.

An agreement was then reached to begin Cabinet ministerial-level discussions between the two nations on cybersecurity issues, sources said. Much distrust remains on both sides. Rand Institution’s Deputy Director for the Center for Asia-Pacific Policy Dr. Scott W. Harold said, “It is right to be skeptical that the U.S.-China Summit list of accomplishments on cyber will eventuate in the real world within some reasonable period of time.”

View the original content and more from this author here: http://ift.tt/1iYh9Iw


Governor Dalrymple forms Cybersecurity Task Force

BISMARCK – North Dakota Gov. Jack Dalrymple has assembled a task force to address the potential threats that cyber attacks pose to state government.

The Cybersecurity Task Force has 15 members, including directors and information technology experts from a number of state agencies.

Lt. Gov. Drew Wrigley will facilitate its work, the governor announced Monday.

The team will review the state’s current cybersecurity policies and practices and make recommendations on what’s needed to ensure the security of state networks and systems.

Members also will identify ways to enhance the use of network defense and monitoring tools, implement training and awareness programs for state employees and develop a cyber-incident response strategy.

The task force will have its first meeting in October.

View the original content and more from this author here: http://ift.tt/1h6dExN


Tanium, the world’s hottest cybersecurity startup, has raised $300 million

The alpha unicorn adds another $30 million from Franklin Templeton and Geodesic Partners.

In the white-hot venture capital market for cyber security, Tanium is unquestionably the alpha “unicorn.”

Investors have valued the company at $3.5 billion, a person familiar with its last funding round previously told Fortune. That Series G round—which cemented Tanium’s lead as the world’s hottest cybersecurity startup—initially comprised $120 million with the option to raise tens of millions in additional funds.

Fortune has now learned that David and Orion Hindawi—the company’s father-son co-founder duo—last week agreed to accept an additional $30 million from Franklin Templeton and Geodesic Partners (the final round total is $147.5 million, suggesting some rounding on either the first close or the extension–or both).

The company, which began as an IT management platform, has now raised a total of $301.5 million since being founded in 2007.

Chief tech officer Orion Hindawi, whom Fortune last week ranked at no. 21 on its newest 40 Under 40 list, says the money will enable the company’s leadership team to focus on running and growing the business rather than fund-raising.

View the original content and more from this author here: http://ift.tt/1h5l7xb


Accounting And Finance Professionals Play Increasing Role In Cybersecurity

Accounting and finance professionals are increasingly finding themselves on the forefront of their organization’s cybersecurity efforts, according to a new survey. As cyber criminals continue to target sensitive financial data, those who deal with this information day-in and day-out have been called on to play a role in their organization’s efforts to protect and improve their cybersecurity posture.

“The growth of cybercrimes across our nation and world has risen to astronomic and unprecedented levels in recent years,” said Warner Johnston, head of the Association of Chartered Certified Accountants (ACCA). “As technology advances, so has the threat of silent attacks that strike at the core of our technological infrastructure.”

Johnston continued, “An initial step to implementing stronger controls is first understanding the seriousness of such cyberthreats, existing weaknesses in our infrastructures, and remedies that represent more than stopgap measures.”

The ACCA’s second annual cybersecurity best practices survey, undertaken by the Seidenberg School of Computer Science and Information Systems at Pace University, revealed accounting and finance professionals are adapting to meet the challenges of the ever-evolving cybersecurity landscape. The increasing number of damaging cyber attacks is prompting concern over how to respond to sophisticated threats.

Survey respondents included chief financial officers, managing directors, senior vice presidents and practicing accountants.

The ACCA and Pace University unveiled the new survey at a recent cyber crime symposium and panel discussion, “Cybercrime in the World Today 2015: Emerging Threats,” held earlier this month. The event aimed to provide business leaders and law enforcement officials with a clearer understanding of the technologies, methods, and origins behind the growing threat to our nation’s cybersecurity.

“I’d like to thank the Association of Chartered Certified Accountants for co-sponsoring this Symposium and working with us to raise the visibility of this very important issue,” said Pace President Stephen J. Friedman. “We don’t discuss it enough – and the uncertainty and lack of confidence that secrecy engenders transforms the impact of crime into a form of terror. A lack of public discussion is highly unwise; it impedes our ability to protect ourselves and diminishes our confidence in our leaders.”

The past few years have seen a number of high profile security breaches, including this year’s attack on the Office of Personnel Management, which compromised the sensitive personal information of millions of individuals. As cyberattacks continue to increase, it is now a widely-held belief that data breaches are inevitable—a matter of when rather than if—for organizations in both the public and private sectors.

The number and severity of damaging cyberattacks has brought to the forefront the importance of providing the finance profession with the tools they need to protect the personal and corporate financial information they handle. With the amount of sensitive information they handle, accounting professionals are at the center of the fray, making it critical that they are prepared to prevent and respond to cyber threats.

“For accountants, measures must be taken to ensure that the sensitive personal and corporate financial information they handle is safe: accountants need to be at the forefront of cybersecurity,” said the report’s author, Dr. Jonathan Hill, Interim Dean at Pace’s Seidenberg School of Computer Science and Information Systems. “This is particularly true today, as clients and consumers are more aware than ever of the cyber vulnerability of all businesses.”

The survey featured a number of key findings:

  • Nearly 50 percent indicated it was somewhat or very likely that consultants would be hired after a breach;
  • Nearly 70 percent said they had a high or very high level of awareness of their company’s cyber risk management policies and procedures;
  • 57 percent said their IT systems were well-protected against cyber threats;
  • 32 percent had no knowledge of company policy on data encryption in transit or in storage;
  • Auditors are more concerned about cybercrime today than a year ago (58 percent for auditors compared with 48 percent for accountants); and
  • 27 percent of accountants felt their firms adhered to Control Objectives for Information and Related Technologies (COBIT 5) standards whereas 43 percent of auditors believed their firms followed the standards.

“This survey generated data that is reflective of a profession that is adapting to a serious external attack on its processes and systems,” Johnston said. “The responses and needs of the main stakeholder groups – the financial profession, the IT profession and concerned government regulatory and law enforcement bodies – are evolving in response to progressing, ever more sophisticated threats.”

View the original content and more from this author here: http://ift.tt/1iYgS8s


Will the US-China Cybersecurity Pact Work?

The new cybersecurity agreement signed by U.S. President Barack Obama and his Chinese counterpart Xi Jinping last week marks a significant first step for both governments to join forces in clamping down on commercial espionage in cyberspace, analysts say. But many remain skeptical that concrete actions will follow.

President Obama told a joint news conference on Friday that both countries had “affirmed the principle that governments don’t engage in cyber espionage for commercial gain against companies” while President Xi stressed such cooperation would be mutually beneficial.

Both nations agreed to investigate online malicious activity toward one another that takes place within their respective borders “in a manner consistent with their respective national laws and relevant international obligations.” The investigating nation will keep the victim nation updated “as appropriate” during such processes, while the victim country won’t be involved in any of the investigations, according to the fact sheet from the White House.

Overseeing the investigative commitments are top-level officials from both countries, who will meet for the first time by the end of 2015 and biannually thereafter.

A Win for President Obama

From the outset, the pact heralds a triumph for the Obama administration because China has, for the first time, admitted that cybercrime perpetrated by Chinese companies or individuals does exist and that action should be taken. Yet it remains to be seen how China will curb hacking activities originating from its territory, said Alexander Neill, a Shangri-La Dialogue senior fellow for Asia Pacific security at the International Institute for Strategic Studies.

China has repeatedly claimed it is as much a victim as a perpetrator of hacking attacks, but it has rarely made public specific hacking incidents.

Empty Promises?

The deal’s significance, he adds, lies in substance, not in form, as it may turn out to create few tangible results, such as the Chinese government’s prosecution of perpetrators.

“Evidence that it’s been successful is that China publicizes its companies or individuals who are perpetrating and successfully prosecutes them. Once we start to see that, then, that would show that China is putting its money where its mouth is,” the Singapore-based researcher said.

Neither will the newly established hot line in the U.S.-China cyber dialogue guarantee real investigation by Chinese authorities into the theft of intellectual property or trade secrets on its soil, argued Nicholas Thomas, associate head of the City University of Hong Kong’s department of Asian and International Studies, sharing similar skepticism.

US President Barack Obama and China's President Xi Jinping (R) walk from the White House to a working dinner at Blair House, on Sept. 24, 2015 in Washington, DC.

That’s because China has not come anywhere close to matching the U.S. government’s crackdown on intellectual property infringements. He also said that tracing cybersecurity attacks remains complicated and difficult, and could reveal the methods and capabilities of U.S. cyberdefenses.

“Now they do have this hot line that’s been set up to register complaints. But you’ve got to back up the complaints with evidence, which means, America will have to reveal its ability, in terms of tracking cyber intrusions,” said professor Thomas.

The professor believes that the U.S. Justice Department’s indictment of five Chinese military officers last year, charged with hacking into U.S. companies, as well as the White House’s recent threat of imposing trade sanctions on China, put pressure on Xi to step up efforts in addressing the U.S. government’s cybertheft concerns.

A Win For Whom?

President Xi has given little ground to critics on issues such as China’s human rights record or its military actions in the South China Sea. But the U.S. threats of sanctions over cybertheft may have gotten the attention of leaders who are already concerned over the performance of the Chinese economy.

“If Xi Jinping had been confident of the resilience of his leadership, then, he may not have offered such concession. So, the deal on cyber [security] may be an indicator that [there is] some degree of vulnerability in the Chinese system at this point,” he says.

Even though China says that it too suffers from cybertheft, there have been no publicized cases of companies that have suffered the theft of intellectual property by U.S.-based hackers.

“How much of China’s commercial information is stolen is difficult to assess. It is very difficult for us to defend IPR (intellectual property rights) in cyber space,” Teng Jianqun, director of China Institute of International Relations’ department of American Studies, told the All China Journalist Association on Monday. “Both countries will benefit from the new agreement.”

Many more believe U.S. firms will gain more than their Chinese rivals. A 2013 estimate by the Commission on the Theft of American Intellectual Property put annual losses at $300 billion, more than 50 percent of which was attributed to Chinese hackers.

“The fact that a lot of U.S. companies are much more advanced than Chinese companies, they do have upper hands because there’s not much confidential information for them to steal or access for them to move forward. And so, you can easily see that it’s going one direction,” Peter Yu, law professor at Texas A&M University, said prior to the Obama-Xi summit talks.

View the original content and more from this author here: http://ift.tt/1iH4F7g


Monday, 28 September 2015

Cyber whistleblowing pivotal in ensuring corporate transparency and accountability in the IoT era

Whistleblowing isn’t a new phenomenon, and has been recognized and protected under SOX, GLBA, Federal and State laws, as well as industry-specific regulatory frameworks. The Dodd-Frank Act has ensured additional protections for corporate officers who come forward with evidence of misconduct or wrongdoing, and created financial incentives for whistleblowers to report securities violations and fraud.

You may be aware of a recent decision by the Third Circuit Court of Appeals in FTC v. Wyndham Resorts, which affirmed FTC’s standing as a Federal cyber enforcer under the Court’s intentionally broad – and unanimous – interpretation of the “fair trade” doctrine. What this means is that the FTC will increase its scrutiny of cyber security issues which affect US commerce and involve US consumers, surely to add to its list of approximately 50 recent enforcement actions taken against a variety of firms thus far.

However, FTC can only act upon known issues. A breach affecting millions of consumers, such as the Wyndham case or the Target and Home Depot incidents, comes into FTC’s view only after the proverbial horse has left the barn. While FTC seeks to encourage responsible behavior through punitive action meant to act as a deterrent for the rest of the field, the retroactive nature of its action leaves much to be desired on the preventive side of the equation.

Despite a positive step in the right direction, the Commission’s post hoc enforcement scope creates a potential incentive for firms to conceal information security breaches at all costs in a bid to prevent additional scrutiny and likely punishment for failure to adequately secure their information operations. In many cases, the firms are successful. As reported in the New York Times, a massive breach of a major industrial automation firm shortly after its $2-billion acquisition went unreported to the markets and regulators, remaining under wraps until a confidential customer memo was leaked to a well-known security blogger.

Wrapped in non-disclosure agreements and contract confidentiality clauses, manufacturers get to operate in secrecy, largely making the public disclosure of a breach a choice rather than an obligation (in cases not involving regulated consumer data such as credit cards and PII).

Transparency is difficult to come by in a field cloaked in what I call the “Three M’s” of cyber security: myth, mystique, and mystery. Confidentiality for confidentiality’s sake prevails throughout corporate organizations, stifling information sharing, discovery, and open debate – internal or external – on cyber deficiencies and vulnerabilities.

CEOs don’t want to hear about problems which they would be compelled to solve – if they actually heard about them. Integrity of internal controls, after all, is a serious matter well within the regulatory purview of the SEC. The logical answer, in the unscrupulous organizations at least, becomes rather obvious: keep the CEO and the Board from hearing about cyber issues they’d be forced to fix. With information security, that’s all too easy given the inherent complexity and difficulty of assessing the true state of cyber posture and maturity in global organizations.

This obfuscation doesn’t have to appear all that malicious, either. A simple omission, a confused statistic, an “honest mistake” in reporting threat or vulnerability data – all plausible enough to filter the information about known or suspected deficiencies in the enterprise security program.

How do we pierce this veil of corporate secrecy and obfuscation, designed to immunize and absolve the power structure while allowing cyber negligence to remain the accepted status quo? If internal reporting is suppressed, and those who speak out find themselves ostracized – or worse – what channels are available for communicating internal issues tantamount to corporate misconduct and malfeasance?

The answer: Whistleblowing.

Encouraging and protecting those who come forward is essential to the functioning of markets and societies. Transparency, integrity, and trust are non-negotiable. As our world continues to become “smarter”, more connected, more integrated, as our transactions become more distributed and rapid, as machine learning and automation become more mainstream by the day – it is fundamental that we as consumers, and the regulators on our behalf, insist on total integrity and trustworthiness on the part of those who seek to populate our world with “smart” machines.

The manufacturers and suppliers competing for the lucrative space on our wrists, in our pockets, our kitchens, cars, and office buildings, must prove to us their technologies are safe, secure, and resilient before we allow them to take over our lives to the tune of 50 billion connected devices projected to surround us by the year 2020 (Gartner).

Whistleblowers are crucial in ensuring that no matter how complex an organization, how powerful or aloof the management, or how lucrative the business venture – consumers get to know the truth, and to make their choice in the marketplace based not only on the features of a product or service, but its maker’s trustworthiness and integrity.

Cyber whistleblowers have a pivotal role to play in the upcoming battle to connect our world. Let us encourage them and protect them.

In a recent article in CIO Magazine, the nation’s premier whistleblower attorney Debra S. Katz of Katz Marshall Banks provides an overview of the unique challenges faced by cyber whistleblowers, and the dangers for companies who retaliate against them:

View the original content and more from this author here:  http://ift.tt/1GbQEEi2985780/staff-management/changing-the-whistleblower-retaliation-culture.html




If shutdown is averted, cyberbill faces smooth sailing

If Congress can get past the threat of a government shutdown this week, the prospects for Senate floor action on cybersecurity legislation would brighten appreciably.

But opponents of the Cybersecurity Information Sharing Act, which is primed for Senate consideration this fall, are promising to make the process as painful as possible for senators and companies that back the legislation.

A large bipartisan majority in the House has already passed info-sharing legislation, so the Senate is now the focus of intense lobbying efforts.

How painful could opponents make it? A recent show of support for legislation on info-sharing by 13 technology companies prompted a sharp-edged social media campaign denouncing the firms for “betraying” online privacy principles.

By the middle of last week, the digital rights group Fight for the Future was claiming 15,000 “angry emails” had been sent to companies that signed a Sept. 14 letter to congressional leaders calling for action on info-sharing.

The industry letter was orchestrated by BSA/The Software Alliance and signed by Microsoft, Apple, Adobe Systems, IBM, Oracle, Siemens, Symantec, Altium, AutoDesk, CA Technologies, DataStax, MiniTab and Salesforce.

Of note, the industry letter cited the potential benefits of “cyberthreat information sharing legislation” without specifically mentioning the Senate Intelligence Committee-passed cyberbill or similar House-passed measures. Further, it buried the endorsement within a laundry list of tech-sector legislative priorities.

It was a relatively mild call for action, especially in comparison to the pro-cyberbill campaigns undertaken by the U.S. Chamber of Commerce and other industry groups. The U.S. Chamber has been going toe-to-toe with online privacy activists in the social media battle over the bill.

Many industry groups say improved information sharing among companies and between industry and government is essential to better understanding and responding to a fast-changing cyberthreat environment.

The pending cyberlegislation contains extensive elements to protect “personally identifiable information” within the sharing process, supporters say.

Tech companies risk far greater political blowback for endorsing cyberlegislation than do groups representing the energy or banking sectors, for example.

The digital rights activists were particularly offended by the declaration of support for cyberlegislation by companies like Microsoft, which famously dropped their backing for similar House legislation in previous years over privacy concerns.

Privacy groups announced they would boycott web-hosting and other services provided by companies that endorse CISA.

According to Fight for the Future, “The public backlash has come with a simple message: ‘You betrayed us.'”

The group wrote: “Fight for the Future plans to continue exposing companies that support anti-user legislation like CISA, and will work to get every popular website and tech company on the record about this crucial legislation. Many popular companies have opposed bills like CISA including Reddit, Imgur, Namecheap, WordPress and Mozilla.”

Is the social media campaign having an impact?

“Vocal minorities,” commented one Senate staffer in an office actively pushing to get the bill to the floor. “It sure hasn’t reached the level of a couple of years ago.” The source said protests pale in comparison to the online “blackout” organized in 2012 in opposition to the “Stop Online Privacy Act.”

And yet, if and when the info-sharing bill makes it to the floor, the digital rights groups’ position will be amplified by Sen. Ron Wyden, D-Ore., who delivered what amounted to a manifesto against info-sharing legislation during an early August floor speech.

Wyden said the “voluntary” info-sharing process in the bill was a sham, because individuals would have no say in whether their personal data was shared between industry and government.

The Oregon Democrat said the liability protection offered under the bill strips citizens of their right to seek legal redress when their personal information is mishandled.

And, Wyden said, leading technologists believe the bill just wouldn’t do much to improve cybersecurity.

Despite this determined opposition, it’s difficult to see opponents being able to block the bill if it does reach the floor.

Based on past comments and procedural votes, more than a dozen Democrats seem inclined to vote for an info-sharing bill as long as the process is seen as fair and senators have a chance to adjust the measure through amendments.

No more than a handful, and perhaps only two or three, Republicans are seen in the “no” camp. And the White House is encouraging Senate passage, which would lead to negotiations over a final version of the legislation.

The calendar is still probably the biggest obstacle.

The short-term government funding agreement likely to pass this week will probably carry over until Dec. 11, giving lawmakers two months to work on other legislative business as they seek a final deal on funding for the rest of fiscal 2016, which begins on Oct. 1.

The Senate has other priorities, including the defense authorization bill, highway funding, Toxic Substances Control Act reform and the assorted legislative wish-lists of 100 senators.

But Senate Majority Leader Mitch McConnell, R-Ky., and Minority Leader Harry Reid, D-Nev., agreed in August on the basic outlines of a cybersecurity debate, specifying that a total of 22 amendments could be offered for consideration.

The leaders still must reach a time agreement on the overall debate, a procedural step that has consistently foiled efforts to get the measure to the floor. That could involve a tricky effort to get senators on board for paring down the amendment list to a more manageable number.

But if the threat of a government shutdown goes away this week, the possibility of a thorough cybersecurity debate on the Senate floor, the first in three years, seems increasingly likely.

View the original content and more from this author here: http://ift.tt/1WsIhxi




Our say: Academy part of effort to defend US online

The U.S. government’s already-dismal record on computer security was recently topped off by word that the number of federal employees whose fingerprints were stolen by hackers from the computers of the Office of Personnel Management was 5.6 million — more than five times the previously announced 1.1 million. Altogether, some 21.5 million federal employees are believed to have been affected by the theft of background investigation records that include addresses, birth dates and Social Security numbers.

There’s only one bit of good news we can extract from this fiasco, and we reported it Sunday: The government knows the right place — or at least one of the right places — to get help.

Development of methods to quickly detect a cybersecurity breach is the focus of one of five projects in a pathbreaking research partnership between the Naval Academy and the University of Maryland, Baltimore County. The work is being funded with $2 million from the Office of Naval Research and will involve midshipmen.

Karl Steiner, the vice president for research at UMBC, explained that the idea of the anti-hacking project is to enable systems to better monitor themselves and raise a red flag when there is an “anomaly” — that is, a possibility someone unauthorized is rummaging around in the database. The four other projects involve better protecting cellphones, strengthening the security of cloud-storage systems, building hardware to detect anomalies and signal a breach, and fortifying the defenses of social media networks.

We trust this is just one of many federally funded research projects going on now. In the area of computer security, hackers who are likely in the pay of unfriendly foreign governments are not only eating Uncle Sam’s lunch, but his breakfast, dinner, late-night snacks and leftovers. The government needs to get the best and brightest to work on these problems — and it’s evidently not going to find them at OPM.

We know some of that talent is right here in Annapolis. The academy is going all-out on cybersecurity — the first graduates to major in it will be in the Class of 2016. The last major addition to the Yard will be a $120 million cybersecurity center.

The academy’s program, said Academic Dean Andrew Phillips, includes the ethics of cyberwarfare. Unfortunately, it’s just as well midshipmen talk about when a computer intrusion could actually be considered an act of war. Given the recent pattern of events, the issue may not remain an academic one much longer. The next Pearl Harbor or 9/11 may be online.

We’re not sure what John Paul Jones — or even Bull Halsey — would have made of this, but it’s certainly in keeping with the academy’s mission of training midshipmen to combat threats to this nation.

View the original content and more from this author here: http://ift.tt/1YJDrOv




China reach cybersecurity agreement, commit to regular dialogue

Obama told Xi after a 21-gun salute at a morning welcoming ceremony that the United States would continue to speak out over its differences with China, but he reiterated that the United States welcomes the rise of a China that is “stable, prosperous and peaceful”.

During my current visit, I think it’s fair to say that the two sides, concerning combatting cyber-crimes, have reached a lot of consensus.

The president also raised the prospect of sanctions of China, saying the USA would use “tools we have in our tool kit to go after cybercriminals, either retrospectively or prospectively”.

On September 25, Friday, United States President Barack Obama and Chinese leader Xi Jinping met to avoid military misunderstandings and desist from cybertheft for commercial gain.

“It has to stop”, Obama said at the news conference, leveling only an indirect charge of wrongdoing against the Chinese.

Obama expressed “significant concerns” about Beijing’s apparent expansion in the South China Sea and encouraged China to adopt a policy that will dissipate the rising tensions there, while Xi vehemently defended the actions taken by his country.

“Confrontation and friction are not the right choice for both sides”, Xi said, through a translator. “I indicated it (cyber theft) has to stop”.

“The historic climate change announcements that we made last year in Beijing have encouraged other countries to step up, as well, increasing the prospects for a stronger global agreement this year”, Mr. Obama said. China is also a victim of hacking attacks. If China wants an equal relationship with the United States and a position as a major power in the worldwide community, it should fulfill its share of responsibility for securing regional stability. At the same time, the USA has officially ruled out ever publicly blaming China for that attack, so their options in that regard were limited.

US President Barack Obama said during a press conference Friday with visiting Chinese President Xi Jinping that the two countries have reached a “common understanding” not to conduct theft of trade secrets and intellectual property in cyberspace.

The two countries also announced other, broader agreements about cybersecurity.

And if that wasn’t clear enough, there’s China’s construction of artificial islands in the South China Sea, terrifying America’s allies in the region, as well as a recent military exercise to demonstrate China’s capacity to penetrate Taiwan’s coastal fortress system.

And, President Xi, could we expect prosecutions of Chinese people and organizations who have hacked American businesses?

The investigating nation will keep the victim nation updated “as appropriate” during such processes, according to the fact sheet from the White House. But his approach was tempered because the USA and Chinese economies are so closely bound together.

It was President Xi’s first state visit to Washington, and it began with all the pageantry the White House can muster.

Professor Robert Sutter, of George Washington University, said Xi was increasingly seen as “playing a double game, as duplicitous and untrustworthy”.

View the original content and more from this author here: http://ift.tt/1WsIjW7




Cybersecurity agreement reached between US, China only ‘small step’, say analysts

Analysts have said that the recent agreement reached between the United States and China on cybersecurity issues is only a small step in the right direction. According to The Washington Times, analysts also said that the agreement does not guarantee either nation will cease all forms of spying or cybertheft.

Obama said, during a press conference with Chinese President Xi Jinping, that China had promised to crack down on cybertheft and will actively pursue hackers who steal intellectual property and other sensitive information from U.S. firms.

The agreement comes at a time of high tension between the two nations on the issue of cybersecurity.

http://ift.tt/1YJDtWE




Cisco to Demonstrate How Digital Business Transformation will deliver Secure IoE Strategies to Drive Smart City Implementation at GITEX Technology Week 2015

Cisco announced today, that it is participating in the 35th anniversary edition of GITEX Technology Week 2015 with an expanded and focused presence this year. As part of its GITEX plans Cisco will showcase how implementing a digitization strategy will enable Middle East countries and organizations to reap the full benefits of the Internet of Things (IoT) today and the new era of Internet of Everything (IoE) in the future.

Cisco Bringing Digitization to Life at GITEX 2015:

Once again taking up a presence at Stand number Z-B40, Zabeel Hall, Cisco will demo ‘real life’ Smart City scenarios including a full demo of an augmented reality city as well as a government transportation demo. Other areas of the stand will showcase the key business architectures and solutions that will be important for digital transformation including Security, Cloud, Data Center and Analytics, Mobility, Application Centric Infrastructure and Collaboration. Cisco will also use the platform to demonstrate how these technologies are playing, and will play, an increasingly important role in improving the quality of life, not just for upcoming generations, but for everyone today. The Cisco Stand for the first time will also feature an interactive Social Media Wall with multiple live streams that will showcase video content and enable visitors to submit their social messages based on hashtag. The messages will then be displayed in real time on the Wall with accompanying profile pictures within the boxes surrounding the screen.

“As we move into an era of complete digitization, where technology connects everything from people, processes and data to things, governments and organizations in the Middle East are rethinking how they approach national infrastructure on a grand scale. GITEX 2015 will create a great opportunity for Cisco to demonstrate how digitization has the potential to create sustainable and positive impact for every area of society with the demos on our stand highlighting real life scenarios that demonstrate how Cisco’s technology solutions will play a part. At its core, digitization is the process of planning, and ultimately building, a sophisticated and forward-thinking IT network ecosystem that will allow for greater connectivity, productivity and security to drive this positive impact,” commented Rabih Dabboussi, General Manager, Cisco, UAE.

Security – Key to Digital Transformation:

Another major focus for Cisco during GITEX 2015 will be cyber security. With security issues surrounding the Internet now the number 1 priority in the digital era, more and more organizations in the Middle East are increasingly seeing the value of adopting an end to end security approach that is as pervasive as the Internet of Everything (IoE) itself. At GITEX, Cisco will showcase how physical and cyber-security solutions can work intelligently together to protect the networks, devices, applications and data that make up the Internet of Everything.

With every company becoming a technology company, every company is also becoming a security company in the way that it protects its business, its data and its people. Cybersecurity solutions need to protect not just networks and devices, but also critical applications and data. Identity-based user and device authentication is critical to securing applications and data across mobile and cloud deployments.

“To create meaningful change, we must make sure that every entity can participate in a secure Digital Economy. When done right, security can not only help to protect the Digital Economy, but can also be a growth engine for each individual organization and, ultimately, for the global economy”, said Rabih Dabboussi.

Cisco will also have a presence at the Lancope Stand no C1-11 in the Network & Security section at GITEX 2015. As well as launching “Network as a Sensor and Enforcer”, demonstrating how the network can be used as a security monitoring system to provide visibility into the network and everything that is connected to it, the company will also showcase its wider, threat-centric security portfolio designed to support organizations before, during and after an attack. There will also be various complimentary security focused workshops and seminars taking place at the booth theatre for show attendees throughout the 5 days.

Strategically Partnering With Industry Leaders at GITEX 2015

Cisco will be partnering with the following companies at GITEX 2015 who will also have a presence at the Cisco Stand:

  • Intel – Technology Sponsor
  • GBM – Titanium Sponsor
  • Alpha Data – Platinum Sponsor

“We are looking forward to yet again participating in what is now established as the Middle East’s biggest and most influential technology event in the calendar providing a great forum for industry players, like Cisco, Intel, GBM and Alpha Data, to showcase our latest technology offerings that will shape the next phase of growth in the Middle East region. As digitization accelerates, cutting edge infrastructure will increase a country’s GDP, reduce spending and create jobs. It will allow governments to extend the reach and impact of public services by converting insights into action. It will enable new and diverse groups of entrepreneurs to build businesses that will shape the world, whilst providing more accessibility and opportunities for education and technology-based careers. As a result, it will ensure that Middle East countries become more competitive on the global stage,” concluded Dabboussi.

View the original content and more from this author here: http://ift.tt/1Fv8abY




Friday, 25 September 2015

Intel urges car industry to improve cyber security

There are more than 100 different computer systems used by modern cars. And most of them can connect to a phone or directly to the Internet, so the opportunities for hackers are widening, according to Intel.

The security vendor last week announced the formation of an Automotive Security Review Board (ASRB) in the US with the mission of making ‘security-by-design’ a part of the car production process.

The review board will look at what could be compromised in modern cars, including the emerging category of driverless cars.

It has also published a white paper that identified security measures for cars such as secure boot, trusted execution environments, tamper protection, isolation of safety critical systems, message authentication, network encryption, data privacy, behavioural monitoring, anomaly detection, and shared threat intelligence.

There have already been documented examples of cars being compromised remotely. In the US, security researchers Charlie Miller and Chris Valasek remotely hacked their way into a Jeep’s Uconnect navigation and entertainment system via its connection to Sprint’s wireless network, taking control of it while a reporter for Wired magazine was driving.

Intel Security CTO Mike Sentonas said the formation of the board was timely given that South Australia is moving to make driverless car tests legal.

“If you start to think ahead about driverless cars, you don’t have that failsafe of someone realising while they are in the car that this doesn’t look right and making changes accordingly.”

The outcome from the driverless car tests would be looked at with interest by Intel, the CTO said.

The state’s transport minister, Stephen Mullighan, this week introduced the Motor Vehicles (Trials of Automotive Technologies) Amendment Bill to the state’s parliament to allow tests of driverless cars to be conducted on public roads.

The bill will introduce exemptions to current laws to allow the on-road testing of driverless vehicles.

View the original content and more from this author here: http://ift.tt/1R4Yl5p




Pentagon Fails to Offer Small Firms Cyber Security Resources

A report by GAO shows that the Pentagon’s Office of Small Business Programs has failed to offer cybersecurity options to protect the companies it does business with.

WASHINGTON (Sputnik) — The US Department of Defense (DOD)’s Office of Small Business Programs (OSBP) has failed to offer cybersecurity options to protect the companies it does business with, the US Government Accountability Office (GAO) said in a report.

“(A)s of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defend small businesses,” the report, issued on Thursday, said.

OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts, the GAO pointed out.

“GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defend small businesses,” the report said.

OSBP officials were not aware of existing cybersecurity resources, it noted.

“Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cybersecurity systems, than larger businesses to counter cyber threats,” the report warned.

The Government Accountability Office is an independent, nonpartisan agency that works for Congress and investigates how the federal government spends taxpayer money.

In recent years, US businesses and government agencies have come under attack from a variety of cyber actors, with criminal, economic or political motivations.

Millions of dollars have been lost in the United States as a result of cyber theft, according to the Federal Bureau of Investigation (FBI).

View the original content and more from this author here: http://sputniknews.com/us/20150925/1027502876.html#ixzz3mjw6UJGC




Sensitive issues on menu during ‘private time’ at Xi Jinping and Barack Obama’s working dinner

President Xi Jinping and his US counterpart President Barack Obama took advantage of some “private time” together for some “real exchange” during a working dinner in Washington on Thursday night (Friday morning HK time) – soon after the Chinese leader arrived in the US capital.

View the original content and more from this author here: http://ift.tt/1MMhUks




More regulations necessary for APAC cybersecurity

5 women leading the way in cyber security

List: Women working in cyber security you really need to know about.

Women are still hugely under-represented in cyber security, with recent research showing that only 10% of those working in the field are female. However, here are some women blazing a trail for the security sisterhood.

1. Jenn Lesser Henley

Lesser Henley had a communications background, but is now director of security operations at Facebook. Given the amount of data the firm stores, this role makes her one of the biggest security players in Silicon Valley. She joined Mark Zuckerberg’s social media giant in September 2011 as operations manager, and has been in overall charge of the security team since September 2013. Before joining Facebook, Lesser Henley held senior roles at PayPal.

2. Dr. Carrie Gates

Gates’ title at Dell is Senior Distinguished Engineer and Chief Scientist in Dell Research. In practice this means she formulates Dell’s security across the board, taking in both its hardware and software divisions. Indeed the company credits her as one of the factors in its growing presence in cyber security.

Gates is also a highly regarded academic, with 40 peer reviewed papers to her name on computer and network security. She has also served as director of research for CA Labs.

3. Christy Wyatt

The Good Technology chairman and chief executive is at the head of a company trying to make security less painful for businesses, and improve mobile security. Blackberry recently said it was taking over Good Technology, a personal success for Wyatt as the firm’s boss.

Wyatt’s career has also taken in major firms such as Citi, and Motorola, as well as Apple, where she worked as an evangelist with developers.

4. Meagan Kruman

Another Facebook employee, Kruman is an eCrime investigator, and regularly speaks on how non-technical women can build a career in cyber security. Recognising that not all problems come in the form of viruses or malware, she uses a background in international relations and language to assess threats, and was involved in tracking the Hong Kong Umbrella protest at the social network.

5. Angela Knox

Knox is the engineering director at Cloudmark, with extensive experience in the security field. She is in charge of research and development at the firm. She also contributes to its Threat Report research and blog, and has spoken on the issue of women in security.

The firm recently detailed an investigation into an email exchange discussing payment of 1.05 Bitcoin, around $250 to not release hacked Ashley Madison data, to see if such a blackmail would be successful.

View the original content and more from this author here: http://ift.tt/1NY84fu




Thursday, 24 September 2015

Applying Data Science to Advanced Threats

The Problem

The cyber security industry is now over 30 years old. And just like people, with each passing decade, we realize that what worked for us in our 20s, simply won’t work for us now or going forward. In fact, carrying forward the mindset and behaviors of those first 20 years exposes us to countless problems in health and long term solvency. We learn that to survive in the world we must adapt and evolve to a higher form of existence. The antiquated and archaic practices of our past limit our visibility into the future in detecting, and thereby avoiding, maliciousness. Consequently they have given rise to a freight train sized hole of opportunity for the cyber criminals, nation states and cyber miscreants that wish to exploit our blindspots in the cyber world.

Blacklisting (and Signatures) Can Be Compromised

Blacklisting technologies, which rely almost entirely on signature-based techniques for detecting bad files, have been at the heart of our industry since the beginning, when we had only rare outbreaks like Michelangelo, Stoned and the Morris Worm. The grossly unfortunate fact is that they remain the predominant form of detection (and thereby prevention) in the market today. Signature-based approaches to security served us well back then, when the number of bad objects (files, network traffic, and vulnerabilities) was small and the techniques to alter those files to bypass detection were non-existent or at least non-trivial.

Today however, countless techniques exist to avoid these once stalwart protection technologies, including packers, mutation engines, obfuscators, encryption and virtualization bypass techniques.

Within milliseconds, a once easily detected malicious file can be altered to be completely invisible to even today’s best detection technologies while remaining functionally identical to its original maliciousness. This allows the bad guys to easily bypass security infrastructure that once detected them with ease.

The sheer number of files submitted to security vendors today for analysis (over 100k daily) is so overwhelming that most vendors simply cannot handle the volume. Their methods and manpower are easily buried under it. The scale of the problem outnumbers the industry’s capacity for maintenance. As a result we have rampant miss rates.

Whitelisting Can Be Compromised

Whitelisting technologies developed in response to what the blacklisting world is victim to: low detection rates. In other words, blacklisting alone detects only 5-10% of the malicious files out there. The reason whitelisting was so promising for so long was that it effectively did the opposite of blacklisting: rather than stopping everything known bad (a large and hard-to-maintain set), whitelisting only allows files that are known good (a much smaller and presumably easier set) to run. This technique has been applied to security through identification of permissible URLs and files that are known (or perceived) to be clean and safe. But these solutions have some fundamental problems as well.

The first challenge with solutions that rely heavily on whitelisting is that one must simply “trust” what the vendor (or your operations staff) has designated as “good”. We have seen this model fall down time and again with security and software vendors who have their development environments compromised and their private signing certificates stolen (e.g. Adobe, Bit9 and Opera Software). When these attacks occurred it allowed the thief to sign their own malicious files as if they came from the “trusted” vendor. And because whitelisting solutions rely so heavily on this “trust” model, it allows the bad guys to easily bypass the technology.

Trust Can Be Compromised

As a consequence of the identified gaps in blacklisting and whitelisting, numerous technologies have sprung up to fill the gaps of signature technology, including host intrusion protection systems (HIPS), heuristics, behavioral analysis, and both hardware and software sandboxing. But all of these techniques have two core weaknesses: 1) foundational signature elements, and 2) reliance on “trust”.

Technologies such as HIPS, heuristics and behavioral engines remain at their core, signature based. They rely on “knowing” what is bad and creating a signature for that “badness”. Even sandboxing technologies which claim no signatures are involved to autodetonate captured files and binaries, still rely on signatures to enable alerting and blocking the next time it sees it.

For these technologies to know if something is good or bad, they must map them to a list of known good or bad behaviors which can take minutes, hours, or days using manual verification. Even then, the attack has already happened and the detonation may not discern the maliciousness of the malware.

Can we simply “trust” our vendors to show us what is “good”?

Bad guys have the advantage in more resources and time to outwit the various detection schemes of security vendors. Additionally, many security models (like signatures) require the engagement of a human. Human involvement is fallible and limited in scale to the speed and sophistication of advanced threats.

Can we simply “trust” our security vendors to show us what is “bad”?

We as an industry must evolve from this outlived model to a new and ever-evolving technique; one that abandons signatures and blind trust; one that relies on a mathematical, algorithmic and scientific approach to better effectiveness and measurable accuracy. In short, we must evolve to “Trust the Math” and science of Cylance’s Infinity.

Introducing Cylance Infinity

Infinity is a fundamental and epic shift from traditional security methods of detecting good and bad. It is a highly intelligent, machine-learning, data analysis platform.

As battle tested security industry veterans, we know that the previous approaches can never cope with the volume and variety of advanced threats. So we designed Infinity to make intelligent decisions without relying on signatures. It does this by taking a predictive and actuarial approach to data on a network to determine good from bad.

This model exists in many other industries. Insurance companies use actuarial science to determine the likelihood of a risk event for the insured person at a surprisingly high rate of accuracy. This concept relies on advanced models of likely outcomes based on a variety of factors. For a standard insurance policy, they may consider twenty to thirty facts to determine the most likely outcome and charge appropriately. Infinity uses tens of thousands of measured facts harnessed across millions of objects to make its decisions, in near real-time.

Infinity, at its heart, is a massively scalable data processing system capable of generating highly efficient mathematical models for any number of problems.

Cylance uses these models applied to ‘big data’ to solve very hard security problems with highly accurate results at exceptionally rapid rates. It’s done by applying data science and machine learning on a massive scale. Coupled with world class subject matter experts, cyber security is able to leap ahead of threats.

While Infinity is problem agnostic, correctly designing solutions to hard problems takes time, knowledge and effort. The Cylance Infinity Labs team has focused all of their efforts on detecting advanced threats, in near real-time, correctly, without signatures.

What is Machine Learning?

Machine Learning (ML) is a formal branch of Artificial Intelligence and Computational Learning Theory that focuses on building computer systems that can learn from data and make decisions about subsequent data. In 1950, Alan Turing first proposed the question, “Can computers think?” However, rather than teaching a computer to “think” in a general sense, the science of machine learning is about creating a system to computationally do what humans (as thinking entities) do in specific contexts. Machine Learning (ML) and big data analytics go hand-in-hand: ML focuses on prediction, based on properties learned from earlier data. This is how Infinity identifies malicious versus safe or legitimate files. Data mining focuses on the discovery of previously unknown properties of data, so those properties can be used in future ML decisions. This means Infinity learns on a continual basis, even as attacker methodologies change over time!

How it Works

Infinity collects data, trains and learns from the data, and calculates likely outcomes based on what it sees. It’s constantly getting smarter from environmental feedback and a constant stream of new data from all around the world. To achieve its magic, Infinity performs the following steps. First it COLLECTS vast amounts of data from every conceivable source. Second, Infinity EXTRACTS FEATURES that we have defined to be uniquely atomic characteristics of the file depending on its type (.exe, .dll, .com, .pdf, .java, .doc, .xls, .ppt, etc.). Third, Infinity constantly adjusts to the real-time threatscape and TRAINS the machine learning system for better decisions. Finally, for each query to Infinity, we CLASSIFY the data as good or bad.
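The four steps above (collect, extract features, train, classify) and the brittleness of hash-based blacklisting described under “Blacklisting (and Signatures) Can Be Compromised” are illustrated here with an added Python example. It is not Cylance’s code and does not model how Infinity works internally: the sample blobs, the two static features (byte entropy and printable-byte ratio), the hand-rolled logistic model and the good/bad labels are all constructed assumptions for the illustration. It uses only the standard library so it runs offline.

```python
import hashlib
import math
import random
from typing import Dict, List

# ---- Step 1: COLLECT ----------------------------------------------------
# Constructed corpus (not real files). Labels are assumed for the
# illustration: "benign" blobs look like plain program text, "packed" blobs
# look like compressed or encrypted payloads.
def make_text_blob(rng: random.Random, size: int = 2048) -> bytes:
    words = [b"function", b"return", b"config", b"value", b"import", b"print"]
    out = bytearray()
    while len(out) < size:
        out += rng.choice(words) + b" "
    return bytes(out[:size])

def make_packed_blob(rng: random.Random, size: int = 2048) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(size))

# ---- Step 2: EXTRACT FEATURES -------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127) / len(data)

def extract_features(data: bytes) -> List[float]:
    # Both features scaled to roughly [0, 1] so one weight does not dominate.
    return [shannon_entropy(data) / 8.0, printable_ratio(data)]

# ---- Step 3: TRAIN ------------------------------------------------------
class LogisticModel:
    """Logistic regression trained by stochastic gradient descent on log-loss."""

    def __init__(self, n_features: int) -> None:
        self.w = [0.0] * n_features
        self.b = 0.0

    def probability_bad(self, x: List[float]) -> float:
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        z = max(-500.0, min(500.0, z))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-z))

    def train(self, xs: List[List[float]], ys: List[int],
              lr: float = 0.5, epochs: int = 300) -> None:
        for _ in range(epochs):
            for x, y in zip(xs, ys):
                err = self.probability_bad(x) - y  # d(log-loss)/dz
                self.w = [wi - lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= lr * err

# ---- Step 4: CLASSIFY ---------------------------------------------------
def classify(model: LogisticModel, data: bytes, threshold: float = 0.5) -> str:
    return "bad" if model.probability_bad(extract_features(data)) >= threshold else "good"

def run_demo() -> Dict[str, object]:
    rng = random.Random(1234)  # fixed seed: the constructed corpus is reproducible
    benign = [make_text_blob(rng) for _ in range(10)]
    packed = [make_packed_blob(rng) for _ in range(10)]
    xs = [extract_features(d) for d in benign + packed]
    ys = [0] * len(benign) + [1] * len(packed)

    model = LogisticModel(n_features=2)
    model.train(xs, ys)
    train_acc = sum(classify(model, d) == ("good" if y == 0 else "bad")
                    for d, y in zip(benign + packed, ys)) / len(ys)

    # Signature-style detection for comparison: a SHA-256 blacklist of the
    # known-bad corpus. A variant of a known-bad sample that differs by a
    # single trailing byte no longer matches the hash, while its measured
    # properties (entropy, printable ratio) are essentially unchanged.
    blacklist = {hashlib.sha256(d).hexdigest() for d in packed}
    variant = packed[0] + b"\x00"
    unseen_benign = make_text_blob(rng)
    return {
        "training_accuracy": train_acc,
        "hash_hit_original": hashlib.sha256(packed[0]).hexdigest() in blacklist,
        "hash_hit_variant": hashlib.sha256(variant).hexdigest() in blacklist,
        "ml_verdict_variant": classify(model, variant),
        "ml_verdict_unseen_benign": classify(model, unseen_benign),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the comparison makes is the one the article argues: the hash blacklist is exact but brittle (any change to the file defeats it), whereas a model trained on measured properties generalises to samples it has never hashed. A real system would use far more features than two, a held-out validation set, and a tuned threshold chosen against the false-positive rate the deployment can tolerate.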

Infinity – The Rubber Meets the Road

Infinity can be used to supercharge decision making at endpoints, and woven tightly into existing security systems via a variety of integration options. It is cloud enabled (but not cloud dependent) to support advanced detection on a global scale in limited form factor environments, or it can operate autonomously while still achieving a stunning rate of protection.

The breadth of deployment options helps to solve several fundamental problem points on a modern network.

CylanceV and CylanceV Local

CylanceV is a REST-over-SSL Application Programming Interface integration to Infinity’s intelligent cyber security decision making. Through the API and specially developed utilities, IT departments executing incident response and forensics can take the tedium out of tracking down malware and determining what is truly bad.

CylanceV enables a starting point for forensic analysis and timely remediation through an automated and highly efficient approach.

Tying other security tools like SIEM, Log analysis, host and network monitoring, HIPS/NIDS and investigation tools including anti-virus, anti-malware and forensics, into CylanceV provides contextual intelligence for more accurate and effective malware identification.

The CylanceV API allows utilities to be developed in most popular frameworks (.NET, Python, etc.) and invoked through HTTPS using tools such as curl or wget in order to make the data segmentation easier and more efficient.

CylanceV Local is an on-premise version of CylanceV that allows for use in restricted and sensitive environments.

Integrating third-party functionality (Python scripts, Splunk, C#) with Infinity quickly determines what is safe and what is a threat, making smart security smarter. Together, they reduce the total number of prospective compromised machines to something manageable.

Infinity On the Endpoint

CylancePROTECT is our host based security solution built on Infinity technology. It leverages algorithmic science to greatly increase the speed and accuracy of host protection without reliance on signatures, heuristics or behavior modeling. It offers a real-time protection layer on the endpoint that can make decisions about the nature of malware independent of connecting to Infinity and at a stunningly low performance impact. PROTECT offers a powerful front line of defense, whether your assets are behind your corporate firewall or in a coffee shop. Its extensive management capabilities easily blend the pervasive protection into your existing security workflow.

Summary

With Infinity, we can definitively determine good or bad file objects in milliseconds, with extraordinarily high detection accuracy and extremely low false positive rates. Because the system is self-collecting, self-training, and self-learning, we always stay ahead of the changes and unknowns attempted by the bad guys. With such a mathematical approach, we may change the game of security… forever.

About Cylance

Cylance is a global cyber security products and services company headquartered in Irvine, California. Its founders, Stuart McClure and Ryan Permeh, know that today’s network and operations infrastructure is inadequately protected by flawed security.

Stuart is a leading authority in information security and lead-author of “Hacking Exposed: Network Security Secrets and Solutions”. Stuart launched the vulnerability assessment leader Foundstone, Inc. and served as Global CTO at McAfee as well as EVP/GM of the Security Management Business Unit.

Ryan is a leading expert in development of security technologies who, with Stuart, built TRACE, McAfee’s elite threat team, and unique detection technologies. Both have witnessed the security industry’s evolution firsthand over the past 25 years and know that the security infrastructure for today and tomorrow’s threats is fundamentally broken.

Cylance is driven by an impressive team of veteran security executives, board of directors and advisors, and deeply talented security professionals to achieve a simple mission: solve the world’s most difficult security problems.

Cylance, Inc.

+1 (877) 973-3336

sales@cylance.com

www.cylance.com

West Coast Office: 46 Discovery, #200 Irvine, CA 92618 USA

East Coast Office: 11710 Plaza America Drive, # 2000 Reston, VA 20190 USA

To learn more about Cylance visit their website at www.cylance.com


CYBERSECURITY LEADS AS CHINA’S PRESIDENT VISITS US TECH HUB

All eyes were on Seattle on Sept. 23 as Chinese President Xi Jinping prepared to deliver a speech to a group of Silicon Valley’s top executives.

But many experts doubted how much progress will actually be made from the meeting, CNBC reported.

As part of Xi’s weeklong U.S. tour, which will include stops at the White House and New York, he will meet with corporate CEOs at an Internet industry forum hosted by Microsoft.

“I expect a lot of diplomatic wording about how we’re learning to work together, but not a lot of progress,” Adam Segal, a senior fellow for China studies and director of the digital and cyberspace policy program at the Council on Foreign Relations, told CNBC.

Many are speculating Xi may discuss the allegations against his country for cyber spy actions, urge companies to oppose rumored sanctions from the White House or request that the firms comply with China’s government-mandated security policy.

Last week reports surfaced that American tech companies hoping to do business in the People’s Republic of China were reportedly being coerced into complying with an intrusive data and security policy.

According to The New York Times, Beijing sent a confidential letter to heads of U.S. tech companies asking the companies to ensure that their products and services released in China are “secure and controllable,” which could potentially lead to backdoors into smartphones, Internet services and any other tech products released for Chinese consumers.

But during a Sept. 21 speech about U.S.-China relations earlier this week, U.S. National Security Advisor Susan Rice warned China to put an end to its own threatening cyber activities, The Wall Street Journal reported.

“This isn’t a mild irritation,” she said in her speech at George Washington University. “It is an economic and national security concern to the United States. It puts enormous strain on our bilateral relationship, and it is a critical factor in determining the future trajectory of U.S.-China ties.”

For several years, U.S. authorities have expressed concerns over the level and frequency of attacks believed to be originating in China. The country has been linked to some massive cybersecurity breaches recently, making it no stranger to cyberfraud accusations.

From the attack on health care provider Anthem, which compromised the data of as many as 78.8 million customer records, to the more recent data breach at the U.S. Office of Personnel Management that led to cybercriminals accessing over 21 million Social Security numbers, 19.7 million forms with data and 5.6 million fingerprint records, Chinese hackers seem to always be on the list of likely suspects.

In an interview this week with WSJ, Xi denied China’s involvement in the high-profile online data breaches, emphasizing a need for the global community to collaboratively work to “build a peaceful, secure, open and cooperative cyberspace on the basis of the principles of mutual respect and mutual trust.”

View the original content and more from this author here: http://ift.tt/1KAxvwI


Businesses make moves in cybersecurity war

ALBANY, GA (WALB) –More South Georgia businesses are concerned about recent computer breaches, and are looking for ways to protect themselves from criminals.

Several businesses had their and their customers’ financial information recently stolen through computer hacks.

Now more business owners are taking steps to make sure it doesn’t happen to them.

Tommy Padgett of Dasher & Padgett Financial Advisors says criminal computer hacking in businesses has become “overwhelming”, and they are being proactive.

“It can happen anywhere and to anybody,” he warned. “What we’re trying to do is find out some additional ways to protect ourselves and to protect our clients.”

Padgett was one of dozens of business owners who attended a seminar by HighTide Technology, a cyber security company.

They said Albany small businesses are at risk.

High Tide Technology president Norman Chandler said: “Identities stolen through the fraudulent filing of tax returns. We’ve had people here locally that have had credit card information stolen. We’ve had health records stolen. All this has happened here locally.”

Chandler says businesses need to become aware of cyber crimes, and learn how to protect their and their customers’ data.

“Doing a penetration type test, assessing your network, things of that nature. Those are all things that you should do at least once a year,” said Chandler. “Of course in a perfect world you would want to do it continuously.”

Padgett said he hopes all businesses will start to get serious about cyber crime and security.

“We depend on the people we give our information to to protect it,” said Padgett. “And we want those businesses to protect the information we give them.”

Chandler warned business owners that most insurance will not cover cyber crimes and their damage. He said owners need to increase their security, because cyber hackers are targeting companies here.

These kinds of cyber security companies are among the fastest growing in the industry because, officials said, hackers are targeting businesses of all sizes.

View the original content and more from this author here: http://ift.tt/1G4ppeD


The challenges of Cyber Security

We are living in a digital age, and that means the way we work, socialise and communicate has changed drastically. We now have to protect ourselves in ways that were unheard of 20 years ago, with the term “cyber security” instilling fear into the hearts of individuals and businesses alike. However, one thing’s for sure: it is something that can no longer be ignored. So what are the key challenges and issues for businesses when it comes to cyber security?

Not just a jargon word

Sounds obvious, but it’s important to understand exactly what the term cybersecurity entails, and appreciate that it’s not just an empty jargon word. Cyber security is defined as “the protection of systems, networks and data in cyberspace.” It’s a critical issue for all businesses and will only become more important as more devices become connected to the internet.

Regulations

Most companies, especially those in the finance sector, spend a large chunk of their budgets on regulatory compliance. Yet because cybersecurity is a fairly new problem, regulations governing what companies need to do are yet to evolve. This inevitably poses challenges over what measures – if any – are appropriate to take.

Priorities

Companies – especially SMEs – don’t always see a need – or want – to invest a lot of money on cyber security measures when they could use that money for equipment and services that will directly increase profits. But is that a false economy? What would the impact be on their business if they were victim of a security breach? This risk needs to be considered against the investment required to safeguard a business.

Fast and furious

Cyber threats are incredibly difficult to foresee and can change too quickly for security experts to predict and find solutions. Staying one step ahead can be a time-consuming and expensive task.

A man (or woman) is only as good as their tools

After reviewing and tweaking security policies, companies need to figure out what new measures they need to take to beef up their security. This could be anything from regularly changing passwords, through to establishing sensors to send alerts when a communication network is compromised. Whatever it is, it is essential to use the appropriate tools for the job, and invest properly. A chain is only as strong as its weakest link, after all.

Risk management

It is common sense that a company should develop best practice guidelines, especially when it comes to collecting and handling sensitive data. But coming up with a fail-proof plan is easier said than done, and it often means modifying employees’ behaviour and adding to the number of tasks they have to perform. Education and communication is paramount; if a company’s staff are on board then a business is half way there.

Constant vigilance!

Given that cybersecurity breaches are unpredictable and could lead to disastrous consequences, businesses have to constantly evaluate and tweak their security policies. For smaller businesses in particular, managing this process can be time-consuming and onerous. Could outsourcing the task be more efficient?

Learn from your mistakes

A company must have policies and step-by-step guides that detail what happens after a security breach. No matter how minor it might seem, it is key to assess what went wrong, why it went wrong, and how to prevent it in the future.

Anything is better than nothing

Remember, just by reading this, at least you’re thinking about the threats posed by a security breach. Your IT vendor will be able to tell you more, and offer you a suite of products and services to get you started.

View the original content and more from this author here: http://ift.tt/1YCQT6G


The Forthcoming (?) China-U.S. Agreement on Cybersecurity

Press reports suggest that China and the United States are likely to come to an agreement to refrain from cyber actions that intentionally damage each other’s critical infrastructure. It’s worth unpacking what such an agreement might entail, though of course speculation in the absence of specific language is always dangerous.

According to the New York Times, the United States and China are negotiating “a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime.” The June 2015 report of the Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security stated in paragraph 13(f) that “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” Signed by representatives of 20 nations including the United States and China, this report asked member states of the United Nations to actively consider its recommendations, including this and other norms of behavior. Another press report indicated the United States and China would probably not address directly the point regarding critical infrastructure, but rather would announce a “generic embrace” of the GGE’s recommendations.

Several observations stand out to me.

  • This agreement would not address the major irritant in U.S.-China cyber relations today—that of cyber-enabled espionage regarding trade secrets and other intellectual property or regarding traditional intelligence gathering for military and/or foreign policy purposes.  This point, noted by a variety of press reports, is entirely true, and yet the agreement does try to address what is in fact a far more serious issue—the threat to critical infrastructure.  In the long run, maintaining the security of critical infrastructure is almost certainly an objective of higher priority than preventing cyber-enabled espionage.
  • The agreement would prohibit “intentional damage” to critical infrastructure but not intelligence-gathering activities involving critical infrastructure.  An interesting question then arises—how is one nation to distinguish between cyber activities conducted by the other nation that may on one hand be damaging or on the other hand for intelligence-gathering?
  • The agreement would be inherently unverifiable, or more precisely, as unverifiable as an agreement to refrain from using kinetic weapons to target ambulances on the battlefield.  This is not necessarily a reason for opposing the agreement—the United States is a party to certain agreements, such as the Geneva Conventions, that constrain its behavior without regard for whether another party’s compliance can be assured.  That is, we will not deliberately violate the laws of war even if other signatories to the Geneva Conventions do.  Regardless of the other side’s behavior, we find value in a commitment to observe the laws of war, and there may be similar value in this case.
  • An explicit embrace by Presidents Xi and Obama of the GGE 2015 recommendations would be both desirable and remarkable–desirable because it would be a step forward in improving cyber relations between the two nations, even if only symbolically, and remarkable in light of the lingering doubts about China’s commitment to the consensus achieved in the GGE.  I have been quite skeptical of that commitment, and I eagerly await tangible evidence that China is not seeking to back away from that putative agreement.


None of these comments negate Jack Goldsmith’s view that we shouldn’t get too excited about the reported agreement.  As Jack points out, the devil is in the details of how the two nations define the prohibited activities.  Jack’s comments regarding verification are also right on the money, and as an arms control agreement, what is being discussed falls far short of, for example, the Iran deal.  But even if that is true, and the forthcoming agreement merely represents better atmospherics, that’s better than a summit that breaks down because of mutual recriminations over the cyber issue.

View the original content and more from this author here: http://ift.tt/1KwdLxi


Tech Report: Cybersecurity experts warn WiFi-enabled baby monitors are vulnerable to hackers

SAN LEANDRO (KRON) — Imagine being spied on in your own home.

Cybersecurity experts are warning that WiFi-enabled video baby monitors are being targeted by hackers. Tech reporter Gabe Slate met with a security firm to find out how you can protect yourself.

“Very scary, definitely feel violated,” said Jacqueline Arrizon, who is the mother of 2-year-old Phil.

Arrizon is reacting to the recent reports of video baby monitors being hacked to spy on children, and other dark deeds.

“You’re always kind of on edge with your kids,” she said. “You want to know where they are at and what they are doing. And to have somebody watching with you and not know that. It’s very scary”

“You won’t know,” Travis Moss of Safe Security said. “They won’t follow you around with the camera. They won’t talk through the mic. They are not going to alert you that they now have access to your network because they got other plans in mind for you.”

Travis, a cybersecurity expert, said there are peeping toms who will just watch you and listen to you through the baby monitors — and yeah — that’s creepy.

But the real danger is the hackers using the baby monitors as a gateway into your network and critical information.

“Any device that is WiFi enabled allows them into your network,” Moss said. “It’s like a Trojan Horse. They are going to use that to get to the real information, your identity and banking info etc.”

To protect yourself, make sure your home WiFi network has a strong password.

Regularly change the user names and passwords associated with your WiFi-enabled baby monitor. Make sure to run software updates for your baby monitor software or app.

View the original content and more from this author here: http://ift.tt/1G4poYk
