Monthly Archives: March 2016

Rise of the CISO: Why the C suite needs a security chief

The CISO role is growing in popularity, but what does it actually mean for your business? Here’s what the role is responsible for and why CISOs are multiplying in the enterprise.


The latest c-suite executive role to step into the spotlight is the chief information security officer, or CISO. Even more focus was put on the CISO role when, in February, President Obama announced that the US government was planning to hire its first ever Federal CISO.

Obama’s announcement further justified what many organizations were already doing, which was assigning a specialized executive over security issues, instead of leaving them to be handled by the CIO or CTO, whose top priorities are typically a mix of innovation and operations. And, while the CISO is not a new role, it is still gaining popularity in the enterprise.

So, we’re going to break down what it is and why you might need one. Let’s start with defining the role.

What is a CISO?

Simply put, the goal of the CISO is to protect the business at all costs against present and future digital security threats.

Andrew Hay, CISO at DataGravity, said, “The CISO role is a true hybrid role that is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organization to all of its stakeholders.”

And that “all stakeholders” bit is key—the CISO isn’t going to hold court with the executive team only. True CISOs will be working with employees, customers, and other partners as well, Hay said.

Additionally, the CISO role isn’t the typical “vision caster” most people associate with a CXO title. The CISO role is a mixture of strategy/big picture thinking and tactical skills. Most CISOs are coming from an IT security background, so they know how to directly implement and work with the systems they are recommending.

In terms of who they report to, Entertainment Partners CISO John Tooley said that he believes the majority report to specific executives, and not just the CEO. In his tenure, he said he has reported to the CIO and CTO. Other CISOs may report to the COO or the CFO.

What does a CISO do?

In a broad sense, the CISO’s functions revolve around risk—identifying risk, assessing risk, presenting risk, and implementing programs to combat it. The difficulty in the role, Tooley said, is doing these things in a way that makes sense to the business, but is also effective in driving real change.

Identifying and assessing risk are skills that are typically developed as a combination of the training a CISO has received throughout his or her career and the sense of intuition that develops over a long time spent in the industry. Presenting the risk becomes a bigger challenge in that it requires specific communications and sales skills to get other leaders on board with a solution.

“As opposed to other C-level executives, I think there is more of a communication challenge, taking highly technical language and translating it into business value and need. There is also the balance that needs to be struck between empowering employees and securing the enterprise, since insider threats represent one of the biggest security concerns,” said Ari Lightman, director of the CISO Program at Carnegie Mellon University’s Heinz College.

The CISO must champion the organization’s security in all that he or she does, setting security goals and milestones to help measure the success of that strategy. Lightman said some of the day to day functions that comprise the role may include the following:

  1. Secure the enterprise’s digital assets
  2. Educate and train employees and the extended ecosystem on security best practices and procedures
  3. Define and monitor access and permissions
  4. Hire and train security personnel
  5. Define budgets for security equipment and training
  6. Work with other C-level executives to ensure compliance with security procedures

And that list is not exhaustive. Ultimately, a CISO’s role will also be shaped, in part, by the needs of the industry they operate in and the needs of their employer.

The rise of the CISO

So, why are we seeing the CISO rise to prominence now? For starters, security is no longer purely a technological issue, and can no longer be constrained solely to IT.

“So there is awareness among senior management now that information security is really a risk issue, and risk is a business challenge that needs broader solutions,” Tooley said.

Another big issue is growth—there’s just more technology in the workplace than there has ever been before and it’s affecting organizations in new and interesting ways. The addition of DevOps, cloud, IoT, BYOD, and big data mean that the attackable surface is growing as well, and it needs a guardian.

“As a result, industry guidance, regulatory compliance standards, and the realization that security is a key component in business continuity and operational excellence, has led to the realization that the safety, security, and compliance of a company’s IT and information assets require an advocate at the highest level,” Hay said.

The 3 big takeaways for TheDigitalAgeBlog readers

  1. The CISO is an executive role that combines technical expertise with strategic vision to champion a security strategy for an organization.
  2. The CISO is responsible for acknowledging, analysing, and presenting risk. The communication of risk requires specific skills to help “sell” the solutions to mitigate against potential threats.
  3. The role itself is growing because the breadth of technology being implemented in business continues to grow. A CISO must understand how security risks affect the bottom line as well as how they impact IT operations.

Why Accidental Disclosure of PII Can Be Disastrous


We focus a lot on finding and redacting PII while data is being prepared for opposing counsel, but what are the consequences of sensitive data being produced and ending up in the wrong hands?

Federal Rule of Civil Procedure 5.2 stipulates four categories of information to be protected: Social Security numbers, names of minors, birth dates, and financial account numbers. Let’s say you work for Corporation A, which is being sued by Corporation B for work performed by a specific team at Corporation A. Each individual on that team at Corporation A becomes a relevant custodian in discovery. In compliance with Rule 5.2, you cull all the HR documents of the team members for PII to redact. What you don’t realize is that one of the team members has saved a tax document on their desktop to fax to their accountant during work hours. That information is stored on your servers, so it becomes part of the case, and you’ve missed it. You send your documents to opposing counsel for review.  They won’t spend their time looking for information to redact on your behalf, so the information makes it through discovery and is brought in as a court document. Now it’s a part of the trial record, which is publicly accessible, and that individual’s information has been compromised.

So what happens when there’s a data breach? Well, that depends on which state you’re in, which federal statute the case falls under, and what the existing data breach laws are. For example, in a case regulated by the strict rules of HIPAA and in a state as diligent as Connecticut, where any information that can potentially have an association with a particular individual is considered private, PII leaks during litigation are subject to data breach notification requirements, meaning you must disclose your mistake to anyone affected, explain to them what they can do to protect themselves, and offer a solution to fix the breach. Beyond notification requirements, you can also be subject to monetary penalties, sanctions, and/or disciplinary actions against the litigators. That would mean Corporation A is subject to a wide range of possible repercussions. In one scenario, Corporation A might have to sue the contract review firm they hired to ensure that they go back to re-review their data, securing any compromised sensitive information. Perhaps there are no punitive sanctions on Corporation A in this instance, but you’ve just lost a lot of time and money in re-review.

In another scenario, the case may be ruled a mistrial because of negligence or non-compliance. Again, Corporation A has lost a lot of time and money, but now you’ve also sullied your reputation because of a mistake in basic litigation processes, risking the loss of future clients and future revenue. But let’s also say that over the course of litigation, the employee whose information has been compromised has left Corporation A. When you notify the former employee of the data breach, they sue you for leaking their private information. Now Corporation A has lost a lot of time and money, your case was thrown out as a mistrial, your reputation is damaged, and you’re caught up in yet another lawsuit. There might be penalties to pay out to the client and possible ethics sanctions handed down from the judge with monetary fines attached. Corporation A decides to sue the review firm for their litigation costs. Now two extra lawsuits have come out of what was supposed to be just one. A tangled legal web has been woven because of Corporation A’s lack of precaution at the onset of the lawsuit with Corporation B.

A data breach can have considerable fallout for firms and clients alike, so ensuring that proper measures are taken to secure sensitive data is a crucial first step in the discovery process. There are technologies that can automate and expedite the process of identifying and removing sensitive data to ensure that nothing falls through the cracks. By incorporating the right legal technologies, money is saved rather than wasted, and reputations remain sterling.
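Rule 5.2(a)’s partial-redaction rule can be automated for the patterned categories. The Python below is an added illustration, not code from this article or from any of the review products it alludes to: the W-2 text, the patterns and the folder names are constructed, and minors’ names are left out because a pattern alone cannot find them.

```python
import re

# Constructed sample: the kind of tax form the article describes being left on an
# employee's desktop and swept into the production set. Not a real filing.
SAMPLE_DOCUMENT = """\
Form W-2 Wage and Tax Statement (constructed sample)
Employee: J. Doe    SSN: 123-45-6789
Date of Birth: 04/17/1982
Direct deposit account number: 9876543210123
Contact: 555-0100   Employer ID: 12-3456789
"""

# Patterns for three of Rule 5.2(a)'s four categories. Minors' names cannot be
# found by pattern matching; they need a custodian or HR list and are not handled here.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"(?i)(date of birth|\bDOB)([:\s]+)(\d{1,2})/(\d{1,2})/(\d{4})")
ACCT_RE = re.compile(r"(?i)(account\s*(?:number|no\.?|#)?)([:\s]+)(\d{8,17})\b")


def redact_rule_52(text):
    """Apply Rule 5.2(a)-style partial redaction and return (redacted_text, findings).

    Rule 5.2(a) lets a filing keep only the last four digits of an SSN or taxpayer
    ID, the year of birth, and the last four digits of a financial-account number,
    so each replacement keeps exactly that much and no more.
    """
    findings = []

    def ssn(m):
        findings.append(("ssn", m.group(0)))
        return "XXX-XX-" + m.group(3)

    def dob(m):
        findings.append(("dob", m.group(0)))
        return m.group(1) + m.group(2) + m.group(5)

    def acct(m):
        digits = m.group(3)
        findings.append(("account", digits))
        return m.group(1) + m.group(2) + "X" * (len(digits) - 4) + digits[-4:]

    redacted = SSN_RE.sub(ssn, text)
    redacted = DOB_RE.sub(dob, redacted)
    redacted = ACCT_RE.sub(acct, redacted)
    return redacted, findings


def documents_needing_review(documents):
    """Names of documents in a production set that still carry Rule 5.2 identifiers.

    The article's scenario fails because review was scoped to the HR folder; this
    runs over everything that will leave the building, whatever folder it came from.
    """
    return [name for name, text in documents.items() if redact_rule_52(text)[1]]


if __name__ == "__main__":
    redacted, found = redact_rule_52(SAMPLE_DOCUMENT)
    print(redacted)
    for kind, value in found:
        print(f"redacted {kind}: {value}")
```

The phone number and the employer ID in the sample are left untouched, which is the false-positive check a reviewer should run before trusting any automated pass.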

For further reading on this topic, check out the following resources:

http://www.insidecounsel.com/2013/07/18/litigation-sanctions-for-spoliation-of-evidence

http://www.theediscoveryblog.com/2015/09/18/a-light-in-the-dark-protecting-pii-in-ediscovery/

http://searchsecurity.techtarget.com/news/4500247249/IRS-breach-shows-the-importance-of-PII-security

https://www.altep.com/blog/preventing-disclosure-of-pii

http://blog.kcura.com/relativity/blog/not-so-peachy-pii-a-cautionary-tale-of-sensitive-e-discovery-data

http://www.attorney-myers.com/2014/04/privacy-and-security-in-court/

U.S. military spending millions to make cyborgs a reality

Washington (CNN) – The U.S. military is spending millions on an advanced implant that would allow a human brain to communicate directly with computers.

If it succeeds, cyborgs will be a reality.

The Pentagon’s research arm, the Defense Advanced Research Projects Agency (DARPA), hopes the implant will allow humans to directly interface with computers, which could benefit people with aural and visual disabilities, such as veterans injured in combat.

The goal of the proposed implant is to “open the channel between the human brain and modern electronics” according to DARPA’s program manager, Phillip Alvelda.

In January, DARPA announced it plans to spend up to $62 million on the project, which is part of its Neural Engineering System Design program.

The implant would be small — no larger than one cubic centimeter, or roughly the size of two stacked nickels — according to DARPA.

The implantable device aims to convert neurons in the brain into electronic signals and provide unprecedented “data-transfer bandwidth between the human brain and the digital world,” according to a DARPA statement announcing the new project.

DARPA sees the implant as providing a foundation for new therapies that could help people with deficits in sight or hearing by “feeding digital auditory or visual information into the brain.”

A spokesman for DARPA told CNN that the program is not intended for military applications.


But some experts see such an implant as having the potential for numerous applications, including military ones, in the field of wearable robotics — which aims to augment and restore human performance.

Conor Walsh, a professor of mechanical and biomedical engineering at Harvard University, told CNN that the implant would “change the game,” adding that “in the future, wearable robotic devices will be controlled by implants.”

Walsh sees the potential for wearable robotic devices or exoskeletons in everything from helping a medical patient recover from a stroke to enhancing soldiers’ capabilities in combat.

The U.S. military is currently developing a battery-powered exoskeleton, the Tactical Assault Light Operator Suit, to provide superior protection from enemy fire and in-helmet technologies that boost the user’s communications ability and vision.

The suits’ development is being overseen by U.S. Special Operations Command.

In theory, the proposed neural implant would allow the military member operating the suit to more effectively control the armored exoskeleton while deployed in combat.

However, Steven Pinker, a cognitive scientist and professor of psychology at Harvard, was skeptical of the proposed innovation, calling the idea a “bunch of hype with no results.”

He told CNN, “We have little to no idea how exactly the brain codes complex information” and cited the problems from foreign objects triggering brain inflammation that can cause serious neurological issues.

Pinker described “neural enhancement” for healthy brains as being a “boondoggle,” but he suggested that there could be some benefit for people suffering from brain-related diseases such as amyotrophic lateral sclerosis (ALS), also known as Lou Gehrig’s disease.

In its announcement, DARPA acknowledged that an implant is still a long ways away, with breakthroughs in neuroscience, synthetic biology, low-power electronics, photonics and medical-device manufacturing needed before the device could be used.

DARPA plans to recruit a diverse set of experts in an attempt to accelerate the project’s development, according to its statement announcing the project.

Pinker remained skeptical, however, telling CNN: “My guess is that it’s a waste of taxpayer dollars.”

Security Concerns That Entrepreneurs Should Address

When it comes to running your own business, there is no end to the number of obstacles and obligations that today’s busy entrepreneurs need to take care of. However, one of the most important things that every entrepreneur needs to remember has to do with security. In today’s market, security has become a major challenge for all types of entrepreneurs, in all different industries and from all different walks of life. Understanding what these security threats are and why they are important is essential information for every entrepreneur to know. After all, the more you understand, the better equipped you will be to ward off these security threats moving forward.

Cyber Security
There is perhaps no more dangerous type of security threat present in our market today than cyber security. There are so many entrepreneurs who simply don’t have enough of a tech background to really understand cyber security, what it is, what it entails and why it is so risky. Hackers from anywhere in the world can easily hack into your computer system and steal important information from you and from your clients and customers, without you ever knowing. This is why it is so important to hire a cyber security professional to make sure your networks and your systems are safe.

Security Personnel
You can never put too much emphasis on security within your business. If you want to make sure that your customers and your employees are always safe, particularly if you live in a busy area, then you need to have security guards on staff. You would be surprised by how many threats and issues can be resolved by simply having security personnel on the grounds. Many business owners underestimate their need for security personnel at their place of business; however, Dave Ngo of AlertSecurityandPatrol.com says, “People have a sense of security when a security officer is present. They are an extra set of eyes for personal, property, and asset protection. Customers would feel more comfortable with security present, which will enhance their work, entertainment, or shopping experience.”

Surveillance Systems
Surveillance systems are some of the most important features to have in your business. Whether you are looking to find out who broke into your business or whether an employee is jeopardizing your company or your money, there is no better way to do it than with live video footage. Installing a surveillance system in a building is actually easier and more cost effective than many people think. Make sure to have a sign somewhere in your business letting people know that you have cameras on the premises; many times, the sign alone can do a great deal of good in preventing incidents from happening.

Implement Mobile Security Systems
Today, it seems as though people use their mobile phones more than they use virtually any other piece of technology. Yet very few entrepreneurs take the time to make sure that their mobile devices, and the mobile devices of their entire staff, are safe from mobile apps. A recent study found that most organizations allow their employees to download apps to their work devices without vetting them first, which means that there could be a number of viruses coming through to your work devices. Mobile security is about more than just devices, though. Mobile content, apps, and sharing data through mobile devices can all put your company at risk.

While most entrepreneurs likely feel that they already have more than enough on their plates with running their own business, it is important that they also take the time to take additional security measures to keep their business, their money and their employees as safe as possible.

Apple v. FBI: How to Sound Smart about Encryption


Apple v. FBI has started a serious debate about the line between security and privacy. The FBI says this is a case about the contents of one specific iPhone 5c. Apple says this is a case about securing data for everyone.

No one seems to want to have a civil, Socratic discussion about what it means to evolve the governance of a digital democracy. Instead, most people want to voice their opinions about terrorism, the law, and Apple. People also want to know if this particular iPhone 5c (or any iPhone) can be hacked, and if offers to hack it from white hat hackers, such as John McAfee, are real.

The Apple v. FBI subject device, an iPhone 5c, can be hacked. This is true because of iOS 8 (the operating system running on the subject device) and the way all iPhone 5c units were manufactured. Current vintage iPhones (5s, 6, 6s) could not be hacked the same way, so we should not be talking about this particular phone; we should be talking about encryption writ large, and how it is used in our daily lives.

What Is Encryption?

Encryption is the process of using algorithms to encode information with the specific goal of preventing unauthorized parties from accessing it. For digital communication, there are two popular methods of encryption: symmetric key and public key.

  • Symmetric key encryption requires both the sending and receiving parties to have the same key – hence the term “symmetric.”
  • Public key encryption is far more popular because the encryption key is publicly available, but only the receiving party has access to the decryption key.

How Can There Be Such a Thing as a “Public” Encryption Key?

One of the most popular ways to create public encryption keys is to use a mathematical problem known as prime factorization (aka integer factorization). You start with two relatively large prime numbers. (Quick 6th Grade Math Refresher: A prime number is only divisible by 1 and itself.) Let’s call them P1 and P2. When you multiply them, the product is a composite number we’ll call “C.”

(P1 x P2 = C)

C is a very special number with very special properties. It’s called a semiprime number. Semiprime numbers are only divisible by 1, themselves and the two prime factors that made them. This special property enables the number to be used for public key encryption.

You use C for the public key and you keep P1 and P2 as the private key pair. While it is very easy to generate C, if the number is large enough and thoughtfully generated, it can take thousands, millions or even billions or trillions of tries to factor. (There are mathematical strategies to speed up the process, but in practice, prime factoring must be done by trial and error.)

Pretty Good Privacy, the Encryption We Mostly Use

The OpenPGP standard is one of the most popular versions of public key encryption, aka Pretty Good Privacy or PGP. There is a very good chance that your corporate IT department uses some version of PGP to encrypt your files – after all, it’s pretty good.

How good? Using current computer technology, a 2048-bit OpenPGP encrypted file cannot be decrypted. Someday it might be possible with a fully functional quantum computer, but these are still, for all practical purposes, theoretical devices.

Now, you’re going to push back with an argument that goes something like this: “Hey Michael, you may think that a file encoded with 2048-bit OpenPGP encryption is unbreakable, but you don’t know that for sure. You have no idea what the NSA can or cannot do! How do you know that quantum computers don’t exist? Nothing is impossible!”

Yeah … no. 2048-bit OpenPGP encryption can’t be decrypted without a key because of the way computers work today. In the future, with new hardware and processor and bus speeds that are currently undreamt of, the computation may be able to be done in reasonable time – but not today. Without your private key, the computational time required to break a 2048-bit key in a secure SSL certificate would take over 6.4 quadrillion years.
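A worked version of the primer above, added here rather than taken from the article: a toy RSA keypair built from two small primes P1 and P2, encryption under the semiprime C, and the trial-division factoring of C that hands an attacker the private exponent. One detail the primer elides is that the public key carries an exponent e alongside C; 65537 is the conventional choice and is assumed here. The primes are tiny so the factoring runs instantly and its try count can be checked by hand.

```python
from math import gcd, isqrt


def is_prime(n):
    """Deterministic trial-division primality test (fine for the toy sizes used here)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def make_keypair(p1, p2, e=65537):
    """Toy RSA keypair. Returns ((C, e), d).

    C = P1 x P2 is the semiprime the text describes, e is the public exponent,
    and d is the private exponent that only someone who knows P1 and P2 can compute.
    """
    assert is_prime(p1) and is_prime(p2) and p1 != p2
    c = p1 * p2
    phi = (p1 - 1) * (p2 - 1)          # Euler's totient of a semiprime
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (c, e), d


def encrypt(message, public_key):
    c, e = public_key
    assert 0 <= message < c
    return pow(message, e, c)


def decrypt(ciphertext, d, c):
    return pow(ciphertext, d, c)


def factor_semiprime(c):
    """Trial division up to sqrt(C). Returns (P1, P2, divisions_tried).

    The try count is what the text means by 'tries': it grows with sqrt(C),
    which is why key size is measured in bits and not in digits of effort.
    """
    if c % 2 == 0:
        return 2, c // 2, 1
    tries = 0
    for d in range(3, isqrt(c) + 1, 2):
        tries += 1
        if c % d == 0:
            return d, c // d, tries
    raise ValueError("not a semiprime with two odd prime factors")


def recover_private_exponent(public_key):
    """Why factoring is the whole game: with P1 and P2 in hand, d falls out directly."""
    c, e = public_key
    p1, p2, _ = factor_semiprime(c)
    return pow(e, -1, (p1 - 1) * (p2 - 1))


def worst_case_divisions(bits):
    """Odd trial divisors up to sqrt(2**bits): how the naive search grows with key size."""
    return isqrt(2 ** bits) // 2


if __name__ == "__main__":
    public, d = make_keypair(1009, 1013)
    ct = encrypt(42, public)
    print("C =", public[0], "ciphertext =", ct, "decrypted =", decrypt(ct, d, public[0]))
    print("factored as", factor_semiprime(public[0]))
    print("2048-bit worst case, naive:", worst_case_divisions(2048).bit_length(), "bit count")
```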

How Can the “Now Famous” iPhone 5c Be Hacked?

For the iPhone 5c in question, you don’t need to hack the encryption key; you need to “make” the encryption key. It is generated from a combination of the user-created PIN or password and a unique key that Apple embeds in each iPhone 5c when it is manufactured. The FBI is asking Apple to create a new operating system with the ability to disable certain security protocols – specifically to defeat the limit on failed passcode attempts and to remove the delay caused by failed attempts. With this new weaker security protocol and forensic software written to try every possible PIN or password combination, the FBI hopes to regenerate the unique key required to open the phone.

It is important to note that this whole idea is only possible on iPhones older than the 5c running iOS 8 or earlier. iPhones with fingerprint scanners such as the 5s, 6 and 6s use a second processor called “secure enclave.” Even Apple can’t hack an iPhone that includes a secure enclave processor – not without creating a “backdoor.”

This is what Apple is worried about. You should be too. If the government served Apple with a lawful writ or subpoena to deliver the key to an iPhone 6s, it would not be able to comply. This case asks the question, should the government be allowed to compel any company that creates a digital security product to create a “backdoor” and make it available for any reason (lawful or other)?

The important thing about an iOS 9 “backdoor” in Apple’s case is that it could not be guessed or randomly generated; it would have to be an actual file – a metaphorical “skeleton key.” There’s a problem with skeleton keys, even digital ones: they can be copied. Importantly, they can be copied or stolen without the owner’s knowledge. The idea of creating a “skeleton key” defeats the purpose of encrypting it in the first place. If a key exists, it will be copied by both good and bad actors – that’s just a fact of digital life.
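To make the passcode-entangled key and the two protections concrete, here is an added model of my own, not Apple’s implementation: PBKDF2 stands in for the device-bound key derivation, DEVICE_UID and the delay schedule are constructed values, and the guard erases its key after ten failures. It shows why the text’s “new operating system” has to remove the attempt cap and the delay before guessing is even possible.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the per-device key burned in at manufacture. On real
# hardware it never leaves the chip; here it is a constant so the demo runs offline.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed escalating-delay schedule: seconds of lockout after the Nth failure.
DELAY_SCHEDULE = (0, 0, 0, 0, 60, 60, 300, 900, 3600, 3600)


def derive_passcode_key(passcode, device_uid, iterations=2_000):
    """Entangle the passcode with the device key.

    Because device_uid is an input, the derivation cannot be run off the device,
    and every guess costs `iterations` rounds of PBKDF2 on that device.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations, dklen=32)


@dataclass
class PasscodeGuard:
    """Models the two protections the text says the requested firmware would
    disable: a cap on failed attempts and an escalating delay between them."""
    expected_key: bytes
    device_uid: bytes
    max_failures: int = 10
    failures: int = 0
    wiped: bool = False

    @classmethod
    def for_passcode(cls, passcode, device_uid=DEVICE_UID, max_failures=10):
        return cls(derive_passcode_key(passcode, device_uid), device_uid, max_failures)

    def current_delay(self):
        """Seconds the device refuses further attempts after the last failure."""
        return DELAY_SCHEDULE[min(self.failures, len(DELAY_SCHEDULE) - 1)]

    def try_unlock(self, passcode):
        if self.wiped:
            return False               # key material is gone; nothing to unlock
        candidate = derive_passcode_key(passcode, self.device_uid)
        if hmac.compare_digest(candidate, self.expected_key):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.wiped = True          # data is unrecoverable from here on
        return False


if __name__ == "__main__":
    guard = PasscodeGuard.for_passcode("4321")
    for attempt in ("0000", "1111", "4321"):
        print(attempt, guard.try_unlock(attempt), "delay now", guard.current_delay())
```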

So again, I find myself begging you to engage in a civil, Socratic discussion about what kind of future we want to live in. Encryption enables banking (commercial and consumer) and commerce. Without it, our digital lives would be very, very different. How do you want to evolve the governance of our digital democracy? Where is the line between security and privacy? What do we want to ask our lawmakers to do? Hopefully this short story will inspire you to learn more about encryption so you can draw your own conclusions and join this techno-political debate.

Cyber Hygiene, it’s about the basics


In today’s interconnected world, phishing emails and malware infections caused by attachments and links to hacked web sites are just some of the digital flotsam that have become common occurrences. However, in the disparate enterprise environments found in many small businesses, cities, and industrial networks, these types of attacks can be catastrophic due to the inherent blending of old and new technologies. The repercussions of new malware attacks on these intertwined infrastructures can result in loss of critical services to the business and its customers. To counter these ever-evolving threats, I believe we must focus on doing the basics well. Organizations must lay the equivalent of a digital foundation on which they can then build their networks and provision data and applications to their employees securely. The methodologies that businesses would follow to do the basics are commonly referred to as “cyber hygiene”. There are numerous approaches to implementing cyber hygiene, and there are also numerous ideas about what should be considered cyber hygiene. In this article I will discuss five basic steps that I use to protect my organization: Count, Configure, Control, Patch, and Protect.

  • The first step to implement cyber hygiene, “Count,” you would think should be pretty simple; however, having an accurate inventory can be extremely difficult. It is very hard to protect an organization and understand its technology risk if there is poor visibility into what is connected to its networks. I normally start with collecting information about the standing policies and procedures for how cybersecurity is managed in the business. I then collect information on previous asset inventories for both hardware and software, and any current network documentation. Then, with this information, I use tools such as SolarWinds or NetBrain to map and monitor the networks for better views into their inherent data flows. What you will want to do here is put together an accurate map of the organization’s enterprise networks, an accurate list of the applications and data types that are in use, and an accurate list of what hardware is required by your organization. This collected information will become the technology and application portfolios of the business and will be critical for implementing the following steps.
  • The next step we would use for cyber hygiene, “Configure,” is about understanding what settings all of your connected devices have enabled. To do this properly it is standard to use recommended industry security settings as a baseline, then adjust to make them “more secure” depending on the criticality of your business operations and its data. Typically, organizations will have a standard operating system image preconfigured with all required security settings and required applications. What is important in this step is flexibility: you will need to change any default security passwords because they can be easily found on the Internet. You will also need to change default security settings to ones that are not easily discoverable, and make sure all configurations and operating system images are backed up and maintained. This step ensures you have a level of maturity with how the organization employs technology in its enterprise environment. I would also suggest you use a solution such as Tenable’s Nessus PVS to continually scan your environment for assets that are misconfigured. This will ensure you are only deploying assets for your organization that meet your predefined requirements.
  • The third step in building a cyber hygiene program, “Control,” is about managing who has access to the settings that were implemented in “Configure”. It is also about gaining insight into the employees and vendors within the organization that have administrator privileges. These “admin” privileges can make enterprise changes, access critical data and implement system-wide policies that would affect the business’s ability to operate effectively. In this step, I would recommend you first conduct an audit to see who has administrative privileges. Once you have created this list, I would then recommend you speak with the users to understand their business reasons for why they require elevated privileges. Once you clean up that list to only essential personnel, you then need to make sure those same individuals who have these administrator accounts only use them for specific business reasons and conduct all normal work with their standard user accounts. Once you have these admin accounts documented, you will need to periodically audit them to properly manage who has administrative rights to the organization’s enterprise assets. Don’t be surprised that, over time, the number of personnel with these accounts will grow, which is why you must periodically audit them to reduce the risk exposure to your business.
  • The fourth step in the cyber hygiene process, “Patch,” is critical, and all mature organizations must standardize this process for how updates will be regularly tested and applied to their applications, software, operating systems and hardware. There are many documented cyber breaches to organizations that, when triaged, can trace the vector of attack to a software patch not being properly installed or not installed at all. What is important for an organization to understand is that in cyber hygiene this step impacts all others: you must have a standardized process in place so patches are installed in a timely manner, correctly the first time. There are numerous articles and books on how to create a patch management program; just remember you need this in place for all of your other steps to function correctly.
  • The fifth and final step in creating a cyber hygiene toolbox, “Protect,” is about using basic security applications and controls to set the first layer of protection that a mature cyber-security program can be built upon. It is in “Protect” that a security team will ensure end point protection is installed and updated on all desktops, laptops, servers and mobile devices, if possible. You should also ensure desktop firewalls or their equivalent are turned on and configured, hard drives have full disk encryption installed, and there is a password management program in place. This password management program should ensure there is some level of complexity to passwords and, if possible, use two-factor authentication for an additional level of authentication. Some of the last services you would find managed in this step are verifying that all devices are generating some type of log to be collected by a SIEM, such as Splunk, to be analyzed for abnormalities, and that all critical data is backed up and the backups are periodically tested.
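A checker that walks a small inventory against the five steps, added here as an illustration and not tooling from the author’s organization; the assets, the 30-day patch SLA and the approved-admin list are all constructed. It shows how the steps turn into concrete, per-host gaps that can be re-run after every change, which is the continual reassessment the article calls for.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    inventoried: bool              # Count: does it appear in the asset inventory?
    default_creds_changed: bool    # Configure: were default passwords replaced?
    admin_accounts: list           # Control: who holds admin rights on it
    days_since_patch: int          # Patch
    endpoint_protection: bool      # Protect: the baseline controls below
    disk_encrypted: bool
    host_firewall: bool
    logs_to_siem: bool


# Constructed sample inventory: a workstation, a server, and a legacy industrial
# controller of the kind the article says makes these environments fragile.
SAMPLE_ASSETS = [
    Asset("ws-01", True, True, ["it-admin"], 5, True, True, True, True),
    Asset("srv-02", True, False, ["it-admin", "bob"], 45, True, True, False, True),
    Asset("plc-03", False, False, ["vendor-svc"], 400, False, False, False, False),
]
APPROVED_ADMINS = {"it-admin"}      # the cleaned-up list the Control step produces


def hygiene_findings(assets, approved_admins, patch_sla_days=30):
    """One (hostname, step, message) tuple per gap, keyed to the five steps."""
    findings = []
    for a in assets:
        if not a.inventoried:
            findings.append((a.hostname, "Count", "seen on the network but missing from the inventory"))
        if not a.default_creds_changed:
            findings.append((a.hostname, "Configure", "default credentials still in place"))
        for acct in a.admin_accounts:
            if acct not in approved_admins:
                findings.append((a.hostname, "Control", f"unapproved admin account '{acct}'"))
        if a.days_since_patch > patch_sla_days:
            findings.append((a.hostname, "Patch",
                             f"{a.days_since_patch} days since last patch, SLA is {patch_sla_days}"))
        controls = (("endpoint protection", a.endpoint_protection),
                    ("full-disk encryption", a.disk_encrypted),
                    ("host firewall", a.host_firewall),
                    ("log forwarding to SIEM", a.logs_to_siem))
        for name, enabled in controls:
            if not enabled:
                findings.append((a.hostname, "Protect", f"{name} not enabled"))
    return findings


def findings_by_step(findings):
    """How many gaps each of the five steps still has open."""
    return dict(Counter(step for _, step, _ in findings))


def hosts_by_risk(findings, assets):
    """Hosts ordered by number of gaps, worst first; clean hosts are listed with 0."""
    per_host = Counter(host for host, _, _ in findings)
    return sorted(((a.hostname, per_host[a.hostname]) for a in assets), key=lambda hc: -hc[1])


if __name__ == "__main__":
    found = hygiene_findings(SAMPLE_ASSETS, APPROVED_ADMINS)
    for host, step, message in found:
        print(f"{host:8} {step:10} {message}")
    print(findings_by_step(found))
    print(hosts_by_risk(found, SAMPLE_ASSETS))
```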

Remember, once you build these processes you will need to continually monitor and assess their level of maturity. Networks are dynamic; they continually change over time as updates are installed, configurations are enabled or new technologies are implemented. I have found that using these tools together enables organizations to manage the baseline risk of their installed technology portfolios and establish an understanding of what risk is acceptable for business operations. These tools give businesses visibility into how their enterprise environments are built, how data is actually used by their stakeholders and which older technologies may need to be updated or replaced. In the end, these five tools are just that, tools that can be used together to create a basic methodology for protecting an organization’s IT assets. Once you have them in place, you will then want to step to the next level and use a mature cyber-security/risk management framework to create an enterprise-wide security program to protect your organization.

Some sites that would prove helpful for organizations establishing a security program are as follows:

http://csrc.nist.gov/publications/PubsSPs.html#800-101

  • 800 Series Special Publications, general interest to the computer security community

http://www.digitalgov.gov/digitalgov-university/

  • Federal government’s training program for digital media and citizen engagement

https://www.us-cert.gov/ccubedvp

  • Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program

https://www.us-cert.gov/ccubedvp/getting-started-business

  • Resources available to businesses and aligned to the five NIST Cybersecurity Framework Function Areas (Identify, Protect, Detect, Respond, & Recover)

 https://www.us-cert.gov/security-publications

  • Great documents from General Internet Security to Technical Publications (ICS users, Gov’t Users, Home & Business Users)
    • Site for best practices on providing security assurance within Cloud Computing

About the Author:  Gary Hayslip is Deputy Director, Chief Information Security Officer (CISO) for the City of San Diego, California. As CISO he is responsible for developing and executing citywide cyber security strategy and leading teams focused on Enterprise Risk Management, Security Engineering, Application Security, Cyber Security Operations, & Cyber Security Resiliency. His mission includes creating a “risk aware” culture that places high value on securing city information resources and protecting personal information entrusted to the City of San Diego.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.


John McAfee Reveals To FBI, On National TV, How To Crack The iPhone (RT Interview)

Yes, it has gotten this bad. In language simple enough for even a child to understand, John McAfee explains for the world and for the FBI how to hack…

Not as easy as John says, but it can be done.

Actually, about that encryption. What’s the key? The passcode is not the key by itself: the key that protects the data is derived from the passcode tangled with a secret per-device key, so the derivation has to run on that phone and cannot be taken offline and brute-forced on a cluster. The fingerprint is not part of that derivation either; Touch ID only releases keys that are already unlocked, and after a reboot the passcode is required again, so the owner’s fingerprints (alive or not, and left on everything they touch) do not get you in. What actually protects a 4-digit PIN is the attempt counter: escalating delays between failed tries and an optional wipe after ten failures. Once you have code injection and can hack out the try counter and feed PIN guesses directly into the key derivation, there are only 10,000 candidates, each costing the on-device derivation time (on the order of tens of milliseconds), and you can brute-force them in a matter of minutes.
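To make the two points above concrete, here is an added toy model, written for this page and not Apple’s actual algorithm: a device wraps its data key under PBKDF2(PIN, salt = device secret), enforces a ten-attempt wipe on the normal unlock path, and also exposes the path an attacker gets after code injection, where the same derivation runs with the counter hacked out. The UID, the wrap construction and the tiny iteration count are assumptions chosen so the demo runs in a second or two; a real implementation uses a hardware key and a much slower derivation.

```python
"""Toy model of PIN-derived device encryption and the attempt counter.

Added example, not from the original post and not Apple's actual algorithm:
a simplified stand-in that keeps the two properties the discussion turns on.
1. The data key is wrapped under a key derived from the PIN *and* a secret
   per-device key (the "UID" here), so guessing has to happen on the device.
2. Without a working attempt counter, a 4-digit PIN is 10,000 guesses.
The PBKDF2 iteration count is kept tiny so the demo runs in a second or two.
"""
import hashlib
import hmac
import secrets


class ToyDevice:
    def __init__(self, pin, max_attempts=10, iterations=50):
        self.uid = secrets.token_bytes(32)        # per-device secret, never exported
        self.iterations = iterations
        self.max_attempts = max_attempts
        self.failed = 0
        self.wiped = False
        self.data_key = secrets.token_bytes(32)   # the key that actually encrypts user data
        self.wrapped = self._wrap(self._derive(pin), self.data_key)

    def _derive(self, pin):
        """Key-encryption key = PBKDF2(pin, salt=device UID); needs the UID, so on-device only."""
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.uid, self.iterations)

    @staticmethod
    def _wrap(kek, key):
        """Toy key wrap: mask with SHA-256(kek), append an HMAC tag so a wrong kek is detectable."""
        body = bytes(a ^ b for a, b in zip(hashlib.sha256(kek).digest(), key))
        return body + hmac.new(kek, body, "sha256").digest()

    @staticmethod
    def _unwrap(kek, blob):
        body, tag = blob[:32], blob[32:]
        if not hmac.compare_digest(hmac.new(kek, body, "sha256").digest(), tag):
            return None                           # wrong PIN: tag does not verify
        return bytes(a ^ b for a, b in zip(hashlib.sha256(kek).digest(), body))

    def unlock(self, pin):
        """Normal unlock path, with the attempt counter enforced."""
        if self.wiped:
            raise RuntimeError("device wiped")
        key = self._unwrap(self._derive(pin), self.wrapped)
        if key is None:
            self.failed += 1
            if self.failed >= self.max_attempts:
                self.wiped = True
                self.data_key = None
                self.wrapped = None
                raise RuntimeError("too many failed attempts: device wiped")
            return None
        self.failed = 0
        return key

    def unlock_no_counter(self, pin):
        """What code injection buys the attacker: the same derivation, counter hacked out."""
        return self._unwrap(self._derive(pin), self.wrapped)


def brute_force(try_pin, digits=4):
    """Try every PIN in order; return (pin, attempts), or (None, attempts) on lockout/exhaustion."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        try:
            key = try_pin(pin)
        except RuntimeError:
            return None, n + 1
        if key is not None:
            return pin, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    print("with counter:   ", brute_force(ToyDevice("4721").unlock))
    print("counter bypassed:", brute_force(ToyDevice("4721").unlock_no_counter))
```

Against the normal path the search dies on the tenth guess and the data key is gone; against the injected path it finds 4721 on guess 4,722. Note what the attacker never needs: the wrapped blob is useless off the device because `_derive` salts with the UID, which is exactly why the brute force has to be done with code running on the phone rather than on a cluster.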

First known hacker-caused power outage signals troubling escalation

Highly destructive malware creates “destructive events” at 3 Ukrainian substations

Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.

The outage left about half of the homes in the Ivano-Frankivsk region of Ukraine without electricity, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to “destructive events” that in turn caused the blackout. If confirmed, it would be the first known instance of someone using malware to generate a power outage.

“It’s a milestone because we’ve definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout,” John Hultquist, head of iSIGHT’s cyber espionage intelligence practice, told Ars. “It’s the major scenario we’ve all been concerned about for so long.”

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by “BlackEnergy,” a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

“Perfectly capable”

Until now, BlackEnergy has mainly been used to conduct espionage on targets in news organizations, power companies, and other industrial groups. While ESET stopped short of saying the BlackEnergy infections hitting the power companies were responsible for last week’s outage, the company left little doubt that one or more of the BlackEnergy components had that capability. In a blog post published Monday, ESET researchers wrote

Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.

Over the past year, the group behind BlackEnergy has slowly ramped up its destructive abilities. Late last year, according to an advisory from Ukraine’s Computer Emergency Response Team, the KillDisk module of BlackEnergy infected media organizations in that country and led to the permanent loss of video and other content. The KillDisk that hit the Ukrainian power companies contained similar functions but was programmed to delete a much narrower set of data, ESET reported. KillDisk had also been updated to sabotage two computer processes, including a remote management platform associated with the ELTIMA Serial to Ethernet Connectors used in industrial control systems.

In 2014, the group behind BlackEnergy, which iSIGHT has dubbed the Sandworm gang, targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries. iSIGHT researchers say the Sandworm gang has ties to Russia, although readers are cautioned on attributing hacking attacks to specific groups or governments.

According to ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it’s distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It’s also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.
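The infection vector ESET describes is a macro-carrying Office document, which is something a mail gateway can check for by content rather than by extension. The following is an added example, not ESET’s code and not from the article: OOXML documents (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are ZIP containers, and a VBA project inside one is stored as a part named vbaProject.bin, so a macro-enabled file renamed to .docx is still caught. The sample “documents” are constructed in memory and are not real Word files; the legacy OLE (.doc/.xls) case is deliberately reported as needing a different parser rather than guessed at.

```python
"""Flag macro-enabled Office documents by content, not by file extension.

Added example; not ESET's code and not from the article. OOXML documents
(.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are ZIP containers, and a VBA
project inside one is stored as a part named vbaProject.bin. The sample
"documents" below are constructed in memory and are not real Word files.
"""
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound-file signature


def find_vba_parts(data):
    """Return the names of VBA project parts inside an OOXML container ([] if none).
    Raises ValueError for anything that is not a ZIP container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (ZIP) container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(VBA_PART_SUFFIX)]


def has_macros(data):
    return bool(find_vba_parts(data))


def triage(attachments):
    """Classify {filename: bytes} as 'macro', 'clean' or 'not-ooxml'.
    Legacy OLE documents come back as 'not-ooxml': they can carry macros too,
    but need a compound-file parser (e.g. olefile), which this example omits."""
    verdicts = {}
    for name, data in attachments.items():
        try:
            verdicts[name] = "macro" if has_macros(data) else "clean"
        except ValueError:
            verdicts[name] = "not-ooxml"
    return verdicts


def build_sample(with_macro):
    """Construct a minimal OOXML-shaped ZIP for the demo (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    mailbox = {
        "invoice.docx": build_sample(True),    # macro part present despite the .docx name
        "notes.docx": build_sample(False),
        "old.doc": OLE_MAGIC + b"\x00" * 8,    # legacy format, needs a different parser
    }
    for name, verdict in triage(mailbox).items():
        print(f"{name}: {verdict}")
```

A vbaProject.bin part is not proof of malice, but for an operator of industrial control systems the practical control is to quarantine or sandbox any macro document from an external sender and let the recipient justify releasing it; the check above is cheap enough to run on every attachment.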

Ukrainian authorities are investigating a suspected hacking attack on its power grid, the Reuters news service reported last week. ESET has additional technical details about the latest BlackEnergy package here.

While Saudi Arabia’s largest gas producer was also infected by destructive malware in 2012, there’s no confirmation it affected production. iSIGHT’s report suggests a troubling escalation in malware-controlled conflict that has consequences for industrialized nations everywhere.

Six Strategies for Achieving Connected Security


A Holistic Approach is Critical for Securing Your Network

A holistic approach is probably most critical when it comes to securing your network. Just when you think you have your network secured, there is always another threat, from outside or from inside. These threats have many names: spear phishing, botnets, zero-day exploits, distributed denial-of-service (DDoS) attacks, insider threats and former employees. All of them exploit disconnected security: security tools, processes, user profiles and information that are separated in silos, leaving dangerous gaps in between.

The increasing complexity of IT environments only increases these gaps, providing attackers with many new opportunities to exploit. Consider the number of operating systems you are now slated to secure and the number of BYO devices that are a normal part of your organization’s operation, from smartphones and tablets to network-connected devices such as printers, scanners and kiosks. Yet BYOD is still in its infancy — just 24 percent of organizations say that BYOD is widely used and supported. And the Internet of Things (IoT) promises complexity on a scale that’s difficult to fathom, with analysts predicting that 6.4 billion connected things will be in use worldwide in 2016, and that the number will swell to 20.8 billion by 2020.

There’s no turning back. Your users want the mobility and flexibility BYOD provides, and your organization needs to remain agile and attractive to both current and prospective talent. But neither can you ignore the security threats that continue to grow in both number and sophistication.

6 Strategies for Achieving Connected Security

By abolishing technology tunnel vision and adopting a holistic, connected approach to security, you can embrace BYOD and new technologies while also protecting your IT network and systems from attackers. Here are the six key strategies:

  1. Discover and inventory all devices — Establish a complete and accurate inventory of all connected devices and keep it current with IT asset management software. You can’t secure what you don’t know about.
  2. Keep software up to date — Make sure that you are patching your operating systems and applications regularly. Using the latest versions of software is the starting point for eliminating vulnerabilities. Gartner, Inc., reports that nearly a third (30 percent) of system weaknesses can be resolved through patch management.
  3. Maintain antivirus software on all endpoints — Antivirus software was once considered the only line of defense against attackers. Although today you need other strategies as well, it’s still imperative that current antivirus software be in force on all of your managed systems.
  4. Deploy a modern firewall — Next-generation firewalls are no longer just for larger organizations. They offer critical new technologies that provide added protection and peace of mind, and they can be both affordable and easy to manage for organizations of any size.
  5. Conduct regular IT security audits and vulnerability assessments — With OVAL and SCAP scanning, you can get ahead of the curve in finding and remediating security holes in your IT endpoints.
  6. Encrypt your data — Security from the data level to the cloud is today’s mantra. Start with endpoint data encryption, which provides a solid defense against data loss from lost or stolen devices.

APTs – Understanding the Ghost in the Machine

One of the biggest threats to any business is an APT attack. APT (Advanced Persistent Threat) is a form of cyber attack in which the attacker gains access to a network and finds a way to remain there, hidden, for a long time, quietly gathering information and waiting for the right moment to act. By the time that moment comes, the attacker has gathered enough sensitive information and weighed the possible outcomes to strike at a moment’s notice. This is not an easy thing to pull off: in an ordinary intrusion, the intruder wants to get in and get out as fast as possible with whatever data they can grab. With an APT, the intruder wants to get in and stay in without being detected.
Once the attacker is in, there are many things they can do to damage your internal network. Some of the most common are spear phishing attacks (forged internal emails that try to get money wired or information handed over) and social engineering attempts aimed at obtaining full network access. With that access, the attacker will set up a backdoor so they can come and go as they please.

APT attacks are hard to identify up front, and companies usually do not detect them until the intruder is already inside. The most common way to detect an APT attack is to monitor outbound data with your IDS (intrusion detection system); this will catch the intruder when they try to send data out. Below are some clear-cut signs that you may be the victim of an APT attack.

  • Unexpected information flows inbound or outbound
  • Finding of backdoor Trojans
  • Increased activity with information movement or logins late at night
  • Detecting unexpected data packets or toolkits
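Two of those signs, unexpected outbound flows and late-night logins, are easy to turn into detection logic. The following is an added example, not from the original article: it runs over constructed flow and login records (the line formats, hostnames and user names are assumptions, and the IPs are documentation ranges), flags a single transfer that dwarfs the host’s own median, flags successful logins in the dead hours while excluding known service accounts, and then correlates the two so the host that shows both comes out on top.

```python
"""Two indicators from the list above, run over constructed log lines.

Added example, not from the original article. The log formats are
assumptions (a flow record per outbound connection and one line per login),
the hostnames and users are invented, and the IPs are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed outbound flow records: "<time> flow src=<host> dst=<ip> bytes_out=<n>"
FLOW_LOGS = """\
2016-03-09T10:02:11 flow src=ws-014 dst=93.184.216.34 bytes_out=48211
2016-03-09T10:05:43 flow src=ws-014 dst=93.184.216.34 bytes_out=51020
2016-03-09T11:20:07 flow src=ws-014 dst=93.184.216.34 bytes_out=45900
2016-03-09T14:02:11 flow src=ws-014 dst=93.184.216.34 bytes_out=47300
2016-03-10T02:41:05 flow src=ws-014 dst=203.0.113.5 bytes_out=812345678
2016-03-09T09:10:00 flow src=srv-fs1 dst=93.184.216.34 bytes_out=2100
2016-03-09T12:10:00 flow src=srv-fs1 dst=93.184.216.34 bytes_out=2300
2016-03-10T02:00:00 flow src=srv-fs1 dst=93.184.216.34 bytes_out=2250
"""

# Constructed login records: "<time> auth user=<name> host=<host> result=<success|failure>"
AUTH_LOGS = """\
2016-03-09T08:58:12 auth user=jsmith host=ws-014 result=success
2016-03-09T17:30:44 auth user=jsmith host=ws-014 result=success
2016-03-10T02:38:51 auth user=jsmith host=ws-014 result=success
2016-03-10T02:39:20 auth user=svc-backup host=srv-fs1 result=success
2016-03-10T03:15:02 auth user=jsmith host=ws-014 result=failure
"""

# Accounts expected to log in at night (backup jobs etc.), so they do not page anyone.
OFF_HOURS_ALLOW = frozenset({"svc-backup"})


def parse(line):
    """'<time> <kind> k=v k=v ...' -> dict; the timestamp becomes a datetime."""
    ts, kind, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts), "kind": kind}
    record.update(pair.split("=", 1) for pair in pairs)
    return record


def volume_anomalies(flow_lines, factor=10, floor=1_000_000):
    """Flag single outbound transfers that dwarf the host's own usual transfer size.
    A per-host median baseline is robust to the outlier itself; `floor` stops small
    hosts from alerting on a few hundred kilobytes."""
    by_host = defaultdict(list)
    for line in flow_lines.splitlines():
        rec = parse(line)
        by_host[rec["src"]].append(rec)
    hits = []
    for host, records in by_host.items():
        baseline = median(int(r["bytes_out"]) for r in records)
        for r in records:
            sent = int(r["bytes_out"])
            if sent > floor and sent > factor * baseline:
                hits.append((host, r["dst"], sent))
    return hits


def off_hours_logins(auth_lines, start_hour=0, end_hour=5, allow=OFF_HOURS_ALLOW):
    """Successful logins in the dead hours, minus known service accounts."""
    hits = []
    for line in auth_lines.splitlines():
        rec = parse(line)
        if rec["result"] != "success" or rec["user"] in allow:
            continue
        if start_hour <= rec["ts"].hour < end_hour:
            hits.append((rec["user"], rec["host"], rec["ts"].isoformat()))
    return hits


def correlate(flow_lines, auth_lines):
    """Hosts that show both indicators: the ones to pull an image from first."""
    hosts_with_logins = {host for _, host, _ in off_hours_logins(auth_lines)}
    return sorted({host for host, _, _ in volume_anomalies(flow_lines) if host in hosts_with_logins})


if __name__ == "__main__":
    print("volume:   ", volume_anomalies(FLOW_LOGS))
    print("off-hours:", off_hours_logins(AUTH_LOGS))
    print("both:     ", correlate(FLOW_LOGS, AUTH_LOGS))
```

On the constructed data only ws-014 trips both rules: an 812 MB push to an address it has never talked to, a few minutes after a 02:38 login by a user who otherwise works office hours. The svc-backup login at the same time is suppressed by the allow list, which is the part that keeps a rule like this from being switched off after its first noisy week; the file server’s 02:00 transfer is normal size and never surfaces.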

There are several ways to limit the threat of an APT attack. As a security team you need to sit down with your manager and discuss which approach you would like to take.

  • Eliminate low-hanging-fruit vulnerabilities
  • Ensure end users do not have admin access, to limit what a successful social engineering attack can do
  • Make effective use of web and email reporting to consistently scan the network for anomalies
  • Implement SIEM capabilities

Lastly, one of the most important steps you can take is to understand that not all threats can be stopped, and that the best way to prepare is to have a fast turnaround time in remediating active threats once they do occur. Being aware of threats comes first; being able to respond to them comes second. When you are reacting, make it as fast as possible to limit the damage to your internal networks. Overall, APT prevention measures should be part of your information security plan.