Saturday, December 31, 2011

2011 - Year of the HACK and DATA Breaches

This year’s headlines have been made up of data breaches, hacks, APT attacks and mergers and acquisitions

Like a sleeper agent, it embeds itself in key industrial systems and waits, gathering intelligence and biding its time. It studies design documents to find weak spots for future attacks that could bring a nation to its knees.

It is the description by US security firm Symantec of the newly discovered Duqu worm in its report ‘W32.Duqu: The precursor to the next Stuxnet.

Duqu is based on the sophisticated Stuxnet worm that shut down an Iranian nuclear fuel processing plant and set back its nuclear program by years. Duqu has so far infected industrial systems in eight countries: France, the Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam.

While at this point Duqu is only able to gather intelligence, Symantec judges that it is “essentially the precursor to a future Stuxnet-like attack” against industrial control systems. These systems are used to control everything from nuclear power plants and the electricity grid to oil pipelines and large communication systems.

The discovery of Duqu was a major security event in 2011; not exactly because of the effect that the worm has had, but for its potential. Duqu signals a growing trend of malware developed not to steal identities and profit financially, but to disable and destroy critical infrastructure – the life blood of modern society.

News of Duqu was followed by a (now-mistaken) malware attack on a US water utility network that destroyed the industrial control system of a key water pump.

Destruction of critical infrastructure has been the elephant in the room for the information security profession. Many recognize the danger, but it is seen as too esoteric and remote to worry about. It is someone else’s (i.e., the government’s) problem.

But if major critical infrastructure collapses from a cyberattack, whether your boss’s iPad makes the company’s network less secure is not going to matter all that much.

Cyber Wasteland

From the mega breach at Sony to the annoying self-righteous breaches perpetrated by Anonymous et al., 2011 was a wasteland of data loss.

In March, RSA – the company that ensures its elite customers are water-tight – sprang a leak when it was penetrated by a spear-phishing attack that hooked one of its employees and resulted in a huge catch for cyberattackers.

In an open letter to RSA customers, executive chairman Art Coviello said that a sophisticated “advanced persistent threat” (APT) attack had extracted valuable information related to its SecurID two-factor authentication product used by remote workers to securely access their company’s network.
"Destruction of critical infrastructure has been the elephant in the room for the information security profession"

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, Coviello said.
Coviello, it turned out, was wrong about this assumption, as numerous SecureID token customers – including US defense giant Lockheed Martin – reported attacks resulting from the RSA breach. In an effort to limit the damage, RSA agreed to replace the tokens for its key customers.

In response to the RSA breach, APT became the new catchword for cyberattacks. “It’s not our fault our networks were breached and our data stolen, it was an APT. What could we do?”, whined many companies in the ‘year of the breach’.

April was the Cruelest Month

April was indeed a cruel month for Sony, which admitted that hackers had gained access to names, addresses, email addresess, birth dates, passwords and IDs for over 100 million PlayStation Network, Qrocity, and Online Entertainment customers.

The massive size of the breach, as well as the delay in informing customers, attracted the attention of the US Congress. A House Commerce Committee panel held a hearing on the breach, but Kazuo Hirai, chairman of Sony Computer Entertainment America, declined to appear.

Panel chairman Mary Bono Mack (R-Calif.) criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”

More Breaches!

Marketing firm Epsilon had a breach of its extensive database, which contained the names and emails of customers at such high-profile partners as BestBuy, Walgreens, Marriott, Lacoste, Marks & Spencer, JP Morgan Chase, Barclays, Citibank, US Bank, and Capital One.

While Epsilon initially downplayed the breach, its partners could not. They began issuing warnings to millions of their customers about the breach, cautioning them to be on the lookout for subsequent spam and phishing attempts as a result of the compromised email addresses. Reuters put a $100 million price tag on the incident, which falls directly on Alliance Data Systems, Epsilon’s parent company.

And for much of 2011, Anonymous and its offspring were claiming credit for what seemed like a breach a week – in the name of improving security by showing how incredibly bad many organizations’ information security really is.

Not with a Whimper, but a Bang

In the arena of mergers and acquisitions, 2011 started off with a bang, with Dell’s acquisition of SecureWorks, an Atlanta-based security-as-a-service provider with 3,000 clients worldwide, and Verizon’s $1.4 billion purchase of Terremark, a Miami-based managed IT infrastructure and cloud service provider with advanced security offerings.

Also early in the year, Sourcefire bought Immunent, a cloud-based anti-malware startup, for $21 million, and Google agreed to acquire Zynamics, a Germany-based forensic specialist, for an undisclosed consideration.

In April, storage giant EMC acquired NetWitness, a Herndon, Va.-based network monitoring specialist, and added it to RSA. While the purchase price was not disclosed, some estimates put the price tag as high as $500 million. Too bad RSA did not have network monitoring in March!

After the April showers, there was a spurt of acquisition activity in May. In that month, Symantec acquired Clearwell Systems, a provider of e-discovery, data archiving, and data backup products, for $390 million, augmenting its information management and governance portfolio.

In addition, cloud provider VMWare purchased Shavlik Technologies, a Minnesota-based patch management and cloud-security firm; Thoma Bravo bought Tripwire, a Portland, Ore.-based network security firm; and Sophos acquired Astaro, a Germany-based private network security firm.

Other noteworthy information security acquisitions in 2011 included: IBM’s purchase of Q1Labs, a Waltham, Mass.-based provider of security event and log management software; McAfee’s purchase of NitroSecurity, a Portsmouth, N.H.-based security information and event management firm; and Check Point’s acquisition of Dynasec, an Israeli-based governance, risk, and compliance firm.

“Prediction is very difficult, especially about the future.”

Despite the wisdom of those great minds, I will venture to make some predictions for 2012. First, I predict that the world will not end. If I’m wrong about that, then no need to read further.

Certainly, Stuxnet, Duqu, and their heirs will increasingly plague governments, critical infrastructure operators, and information security professionals. It’s time to take these threats as seriously as the mundane security problems of everyday life in the 21st century.

The explosion of mobile device use, particularly in the workplace, will increasingly concern information security staffs for years to come. Malicious mobile malware has become widespread, and this trend is likely to accelerate.

Enterprises will have to come to grips with social media, particularly as cybercriminals find it a fertile ground for mischief. Should employees be banned from using it at work or is it the next great efficiency tool? The answer is: Yes.

Of course, the cloud – companies will likely accelerate cloud adoption to improve the bottom line, while security professionals will struggle with the implications of giving up control over key corporate information assets.

And the boldest prediction of all: there will be more data breaches in 2012.

Friday, December 30, 2011

Hackers could shut down train lines?

Hackers who have shut down websites by overwhelming them with Web traffic could use the same approach to shut down the computers that control train switching systems, a research conducted by a security expert.

Stefan Katzenbeisser, professor at Technische Universität Darmstadt in Germany, advised that switching systems were at risk of "denial of service" attacks, which could cause long disruptions to rail services.

"Trains could not crash, but service could be disrupted for quite some time," Katzenbeisser told Reuters.

"Denial of service" campaigns are one of the simplest forms of cyber attack: hackers recruit large numbers of computers to overwhelm the targeted system with Internet traffic.

Hackers have used the approach to attack sites of government agencies around the world and sites of businesses.

Train switching systems, which enable trains to be guided from one track to another at a railway junction, have historically been separate from the online world, but communication between trains and switches is handled increasingly using wireless technology.

Katzenbeisser said GSM-R, a mobile technology used for trains, is more secure than the usual GSM, used in phones, against which security experts showed a new attack at the convention.

"Probably we will be safe on that side in coming years. The main problem I see is a process of changing ... keys. This will be a big issue in the future, how to manage these keys safely," Katzenbeisser said.

The software encryption 'keys', which are needed for securing the communication between trains and switching systems, are downloaded to physical media like USB sticks and then sent around for installing -- raising the risk of them ending up in the wrong hands.

Tuesday, December 27, 2011

DDoS Testing Methodology

A methodology to measure the resiliency of network infrastructure against DDoS and botnet attacks

Distributed denial of service (DDoS) attacks are rampant, successfully targeting Fortune 100 businesses, not to mention government, news media, communication and financial networks throughout the world. It has become more important to assess network equipment and application servers using these same attacks. Only through realistic attack simulation can organizations visualize their own weaknesses and vulnerabilities within the IT infrastructure and how resilient these elements are when under attack.

DDoS Testing Methodology

BreakingPoint has created a definitive DDoS testing methodology that creates a variety of attacks to help users find their network weaknesses before others do. Such attacks include the following:
  • DDoS designed to consume all available bandwidth, all disk space or all available CPU cycles

  • DDoS designed to disrupt important information flow such as routing tables by injecting false routes, thus causing packets to be misrouted

  • DDoS designed to break the physical layer of the network and obstruct the communication between the end-point and the user

  • Botnets designed to send large quantities of unsolicited e-mail to trigger Delivery Server Notifications to spoofed originating email addresses
To download the methodology please refer here (registration may be required)

Thursday, December 22, 2011

SC Webcast: Top cyber threat predictions for 2012

Learn about the top (internal and external) security predictions of 2012

With the tremendous growth of workforce mobility, telecommuting, and enterprise social networking, 2012 is again likely to pose some complex cyber security challenges for businesses worldwide.

As such I thought you might be interested in SC’s upcoming webcast which will get to grips with what the experts predict to be the top cyber threats in the year ahead.

You can secure your complimentary place here - http://www.scwebcasts.tv/?btcommid=40027

LIVE WEBCAST: CYBER SECURITY IN 2012 – TOP 5 THREAT PREDICTIONS
Streamed live to your desk: 26th January 2012, 3pm GMT
http://www.scwebcasts.tv/?btcommid=40027

This webcast will enable you to:
  • Learn about the top (internal and external) security predictions of 2012 (from mobile threats to spear phishing)
  • Understand the impact of social networking's impact on enterprise security in 2012 to help you prioritise your response
  • Develop ideas for a 360 degree cyber security strategy that keeps up with the sophistication of attacks in the year ahead
Speakers:

Aaron Sheridan, Senior Security Engineer, FireEye
Clive Longbottom, Founder and Industry Analyst, QuoCirca
View more information at http://www.scwebcasts.tv/?btcommid=40027

Tuesday, December 20, 2011

CSET™ Version 4.0.1 Available for Download

The Cyber Security Evaluation Tool (CSETTM) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets.

The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET™). This new version of the tool can be downloaded from the CSSP website:

http://us-cert.gov/control_systems/satool.html.

This interim Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations.

Additionally, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves upon the gap analysis for pass/fail standards.

Purpose of CSET

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.

The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.

When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits of CSET
  • CSET contributes to an organization's risk management and decision-making process
  • Raises awareness and facilitates discussion on cybersecurity within the organization
  • Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
  • Identifies areas of strength and best practices being followed in the organization
  • Provides a method to systematically compare and monitor improvement in the cyber systems
  • Provides a common industry-wide tool for assessing cyber systems

Sunday, December 18, 2011

Five reasons not to jailbreak your iPhone

Crackers are reported to be making inroads into jailbreaking iOS5

Even though the iPhone 4S jailbreak is on the way - and while many users are excited about the ability to customize and do more with the iPhone 4S - there are a number of reasons you shouldn’t jailbreak your new iPhone.

While an iPhone 4S jailbreak will deliver the iPhone experience many have been looking for, jailbreaking is not for everyone.
  1. The biggest issue is that users will be voiding their warranty and, even though the jailbreaking process was ruled legal in 2010, Apple was very clear that doing so voids users’ warranties.

    And, whilst there are many times you can restore to a standard Apple iOS version before going in for repair, this is not always going to be the case.

  2. Users will also lose Genius Bar support on the iPhone – in the past some users have been able to get support by not mentioning that their iPhone is jailbroken, but again, if the Genius finds out that the handset is jailbroken, you may lose out on support.

  3. The third issue with jailbreaking is that there are usually no more is fast upgrades to new releases of iOS.

    If you are waiting for the jailbreak, you should also avoid installing iOS 5.0.1 to your iPhone 4S. This isn’t as big of an issue for small upgrades like this, and in the case of [earlier versions] a jailbreak was available very quickly.

    But, when it comes to major upgrades that bring new features, you may be forced to wait a while, or go back to a stock iPhone experience.

  4. Apple has many controls in place to keep apps from slowing down your iPhone, but jailbroken apps don’t need to stick to these guidelines.

    Many users who have gone back from jailbreaking cite a poor user experience and buggy nature of their jailbroken iPhones as a reason for going back to normal. If you know exactly what you are doing, or don’t mind troubleshooting to find out what is causing an issue, you will be OK, but many iPhone owners don’t want to hassle with things like this.

  5. Finally, consider the security risks. If you have a jailbroken iPhone and are installing apps from various sources, one of them could contain malware.

    The threat of malware has caused concern for Android users, and so far we haven’t seen a large number of malware infested jailbreak apps, but the threat remains. If you do jailbreak, be vigilant about what you download.
Ultimately, jailbreaking your new iPhone 4S is up to you. If you know what you are doing, you can follow these instructions to jailbreak your iPhone 4, and stay tuned for how to jailbreak the iPhone 4S and iPad 2 as soon as the tools are available.

Friday, December 16, 2011

What does it really take to exploit a printer?

Printer Hack: Researchers Can Set Media’s Pants on Fire

In the past couple of weeks, there has been quite a bit of press and blogging about a security vulnerability in HP printers that was discovered by researchers in the Intrusion Detection Lab at Columbia University.

In a nutshell, the researchers found a way to replace the operating firmware on an HP printer with firmware of their own design that can do bad things, and they also found a way to do it to a printer that is on a private network behind a firewall.

MSNBC ran an “exclusive” story about it calling it a “devastating attack” to which “millions of printers” could be subjected. Its lede suggested that hackers could cause the printer to catch fire, or be used for identity theft, or be used to take control of entire networks.

In practice, this isn’t an easy vulnerability to exploit on a large scale.

Let me explain:

First, you need to target a printer that supports PJL and its largely undocumented remote firmware update (RFU) function. Many printers support PJL, but RFU is less commonly supported. Many printers don’t have any mechanism for remote updates, and many others use something other than PJL’s RFU function for remote updates.

Once you've found a printer that supports PJL and its RFU function, you'll need to make sure that it will apply a firmware update without checking its authenticity. I can’t speak for other manufacturers, but my employer’s products have been using digital signature verification for firmware updates for at least the seven plus years that I have worked for them.

Next, you need to be able to create new firmware to do your bidding. To do that, you need to know what is the manufacturer and model of your target. The researchers demonstrated exploitation of a victim’s printer that was on a private, firewalled network, but didn’t mention how they determined which make and model of printer would be used by a particular victim. They would need to know that in order to send the correct firmware image to the victim.

And then there is the matter of reverse-engineering printer firmware. It is certainly possible, but not very practical when you consider that there are thousands of different printer models to contend with.

The researchers say that “rewriting the printer’s firmware takes only about 30 seconds”, but they are referring to the time it takes for the printer to update its flash memory and not how long it takes for someone to reverse-engineer a printer to do something malevolently useful.

Next, you need to get the victim to print a document that contains the firmware update code, and of course they need to print it on the printer that you targeted. I don’t know if it is possible to embed an RFU in a printable document in such a way that isn’t obvious when the document is viewed, as most people do before they print something. Perhaps they will disclose that detail at the Chaos conference.

Now, finally, you own the victim’s printer.

Wednesday, December 14, 2011

U.S. power grid is a big & soft target for cyberattack

MIT study report shows security gaps widening, risk increasing as power nets improve

The "malicious attack from Russian hackers that cracked security on an Illinois water utility and destroyed one of its main pumps turned out to be what Wired called a "comedy of errors" after interviewing the prime suspect for a story that ran last week.

That doesn't mean utilities in the U.S. – especially electrical utilities – are not desperately vulnerable to attack.

The U.S. electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious, the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the MIT Energy Initiative in Massachusetts Institute of Technology Sloan School of Management.

U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.

The risk of a Stuxnet-like attack on utilities was dismissed by many security experts after the revelation that reports of a successful attack on the Illinois water utility hack were mistakes, the possibility that it is possible was not.

Current risks of cyberattack on electric utilities
  • Loss of grid control resulting in complete disruption of electricity supply over a wide area can occur as a result of errors or tampering with data communication among control equipment and central offices.

  • Consumer-level problems ranging from incorrect billing to interruption in electric service can be introduced via smart meter tampering.

  • Commuting disruptions for electric vehicle operators can occur if recharging stations have been modified to incorrectly charge batteries.

  • Data confidentiality breaches, both personal and corporate, can provide information for identity theft, corporate espionage, physical security threats (for example, through knowing which homes are vacant), and terrorist activities (for example, through knowing which power lines are most important in electric distribution).
"Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011"

With rapidly expanding connectivity and rapidly evolving threats, making the grid invulnerable to cyber
events is impossible, and improving resilience to attacks and reducing the impact of attacks are important…
… For the electric grid in particular, cybersecurity must encompass not only the protection of information but also the security of grid equipment that depends on or is controlled by that information. And its goals must include ensuring the continuous and reliable operation of the electric grid…
…We believe the natural evolution of grid information technologies already points toward such an approach: the development and integration of increasingly rapid and accurate systems control and monitoring technologies should facilitate quicker attack detection—and consequently, shorter response and recovery times.

Cyberattack response and recovery measures would be a fruitful area for ongoing research and development in utilities, their vendors, and academia. – Future of the Electric Grid, MIT Energy Initiative, Dec. 5, 2011

U.S. utilities – electric, water and others – are so vulnerable and so insensible to security concerns that using passwords only three characters long doesn't raise a huge stink among companies that largely either refuse to believe there's a target painted on their backs or believe it's too expensive to do anything about it.

Monday, December 12, 2011

The top 5 information security certifications

Recent Security Incidents Push Demand for Information Security Professionals

The top 5 information security certifications include the CISSP, CISM, GIAC, CEH and vendor credentials offered by companies such as Cisco and Microsoft. These certifications are in demand not only for their demonstration of IT security proficiency, but also because certified candidates go through training that reflects a higher standard of ethical conduct - a topic that has renewed focus by hiring managers.

In 2012, the rise in security incidents and mobile devices creates hot demand for certifications such as the GIAC, which are technically focused in specific areas of forensics, incident response and application security.

Top 5 Certifications

Based on a review of job boards and various research conducted by IT security recruiters and employers, here is the list of the top five security certifications:

CISSP

The Certified Information Systems Security Professional continues to be the gold standard in certifications.

The CISSP, which is known for its high-level overview on the profession, has recently opened the certification for further specialization in areas such as architecture and management.

The push for this credential is also coming from the U.S. Department of Defense 8570.1 Directive, which requires all government and contract employees working on DoD IT projects to carry an approved certification for their particular job classification.

CISSP certification is usually for mid and senior management IT security positions. This certification is offered through (ISC)2, the not-for-profit consortium that offers IT security certifications and training.

The CISSP examination is based on what (ISC)2 terms the Common Body of Knowledge (or CBK). Candidates interested in taking the exam must possess a minimum of five years of direct full-time security work experience in two or more of the 10 (ISC)2 information security domains (CBK), and agree to abide by their codes-of-ethics and policy for continuous education.

In addition, they need to pass the exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple-choice, consisting of 250 questions with four options each, to be answered over a period of six hours.

For further information please refer here.

CISM

Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security.

As with the CISSP, the 8570 Directive requires CISM certification for senior managers that particularly focus on governance, compliance and risk management issues.

CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions. CISM is offered by ISACA, an international professional association that deals with IT Governance.

The CISM designation is awarded to individuals with an interest in security management who meet the following requirements: They need to successfully pass the CISM exam; adhere to ISACA's code of professional ethics; agree to comply with the continuing education policy.

They also must submit verified evidence of a minimum of five years of IT security work experience, including a minimum of three years of management work experience; and submit an application for CISM certification.

For further information please refer here.

GIAC

Global Information Assurance Certification is rising in demand specifically in areas of incident handling, forensics, intrusion detection and reverse malware engineering.

Many organizations are seeking such experts for their IT security teams because of the growing threat landscape and rise in security incidents. Usually, professionals turn to GIAC certifications to get further expertise in a particular discipline.

The GIAC is essentially geared toward mid-level security professionals who are looking to carve out a niche career path for themselves. The certification is offered by Sans Institute, a cooperative research and education organization.

There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge may take the exam. Candidates can pursue GIAC exams with or without purchasing SANS training.

The exam fees usually include two practice exams and one proctored exam. Each exam has an expiration date of 120 days accessible from their SANS Portal Account. Exams are taken online, however SANS now requires that a proctor be present when candidates take their test.

For further information please refer here.

CEH

Certified Ethical Hacker is gaining popularity as companies seek experts to perform web application and penetration testing to ensure their infrastructure is secure.

A blooming field is security testing, and certifications like CEH are challenging technically and very valuable. This certification is useful for entry-to-mid-level practitioners that are looking to conduct vulnerability assessments.

CEH is offered by the International Council of Electronic Commerce Consultants(EC-Council), a professional certification body. EC-Council's goal is to certify security practitioners in the methodology of ethical hacking. It largely demonstrates an understanding of the tools used for penetration testing.

To obtain the CEH, candidates can choose a path of self-study or complete a training course offered by EC-Council. Candidates must have at least two years of security experience and must sign an agreement to not misuse the knowledge acquired.

For further information please refer here.

Vendor Certifications

Securing an organization's infrastructure and keeping up-to-date with emerging technologies are critical. Vendor certifications, including Cisco's Certified Network Associate Certification (CCNA) and Microsoft's Certified Systems Engineer (MCSE), with focus on security and Check Point's Certified Security Expert (CCSE), are particularly in demand.

The top information security certifications Dice has tracked for 2011 include Cisco CCNP Security and Check Point Certified Expert. These certifications are also on the rise because of their in-depth technical focus.

They help in understanding the technical skills associated with what professionals are trying to defend, and the inherent security capabilities of the infrastructure.

For most entry-level positions requiring one-to-two years of experience, employers seek vendor certifications, Security+ and the CEH credential. Mid-to-senior positions demand more mature training in CISSP, CISM and GIAC.

Other certifications in demand include Security+, Offensive Security Certified Professional, Cloud Security Alliance's new Certificate of Cloud Security Knowledge, Systems Security Certified Practitioner and Certified in Risk and Information Systems Control.

Certifications cannot be a substitute for on-the-job experience, but they are turning out to be a good measure for both proficiency and character.

Saturday, December 10, 2011

Beware of SCAMMERS on dating websites!

Heartless SCAMMERS

Don't give your heart away online, at least not before you've met that special somebody in person. Some Aussies have been stung for more than $100,000 in online dating and romance scams by "lover" claiming to be desperate for money because of an accident or robbery overseas.

A common scenario is to pretend to be a soldier or aid worker on an overseas mission in need of extra cash to pay costs and get a "leave pass" to visit.

The Australian Competition and Consumer Commission (ACCC) is working to create new guidelines to combat scams. They received more than 1600 complaints about online dating scam relating to more than $17 million in losses between January and October this year.

And of those, more than 200 people have lost $10,000 or more. ACCC deputy chairman Dr. Michael Schaper said more people lost money in dating scams than any other type of scheme.

If you have been talking or communicating with them (Scammers) for a period of time, it can be hard to say no. Please beware of such scams and never give money or share private information. Other red flags can include bad punctuation and spelling.

Dating website operators have until December 16, 2011 to comment on draft guidelines before they are launched next year.

Thursday, December 8, 2011

Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond

Utility Cyber Security is in a State of Near Chaos

Market analysis and consulting provider Pike Research has released a report examining the current state of utility cyber security, and the prognosis is far from comforting.

The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.

The report quotes:
"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended,"
One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.
"Cyber security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions," the report maintains.
The market for industrial control systems security solutions is fairly wide open, and the Pike report contends that there will be an influx of competition in the field over the next few years.
"Security vendors have finally found time to focus on industrial control system (ICS) security, not only on advanced metering infrastructure (AMI) security – although a few security vendors have focused on ICS from the outset. The utility cyber security market will be characterized by a frantic race to gain the upper hand against the attackers, while at the same time strong competitors attempt to outdo each other," the report warns.
The Pike report focuses on the following issues:
  • What factors could drive smart grid cyber security investment?
  • How important could industrial control system (ICS) security be?
  • What has changed since Stuxnet was discovered?
  • What is the effect of the lack of smart grid cyber security standards?
  • What are the most promising smart grid cyber security technologies?
Last week, the National Institute of Standards and Technology (NIST) released the updated standards guidelines for converting the nation's outdated power grid structure to a modern smart grid operation.

The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 outlines the game plan to "integrate information and communication technologies with a power-delivery infrastructure, enabling two-way flows of energy and communications," according to the NIST.

"Making such dramatic changes to the power grid requires an overarching vision of how to accomplish the task, and this updated Framework advances that vision," said NIST's National Coordinator for Smart Grid Interoperability George Arnold.

"Utilities, manufacturers, equipment testers and regulators will find essential information in the Framework that was not previously available," Arnold continued.

The updates include the addition of twenty-two standards to the previously released seventy-five issued in the standard's first edition in 2010.

Tuesday, December 6, 2011

Securing Smartphones in the Bring-Your-Own-Device (BYOD) Era

5 Security Challenges BYOD Presents

Most organizations remain uncomfortable in letting their employees use their own mobile devices to access their IT systems. Yet, in many instances, those charged with securing their enterprises' IT understand that it's just a matter of time before they must grant workers permission to employ those devices.

BYOD stands for bring your own device, and it's one of the hottest challenges IT security organizations face as a growing number of employees use their own BlackBerrys, iPhones, iPads and Droids to access their employers' IT systems. In instances where such practices are banned, employees are demanding that the prohibition be lifted.

That's causing much reflection among IT security professionals. Executives and managers charged with IT security have identified five challenges that must be surmounted before their organizations can allow secure access to their systems by smartphones and tablet computers owned by their employees. These challenges include policy enforcement, physical theft, malware prevention, IT support and employee education.

Policy Enforcement

Many IT security leaders aren't sure if their teams are ready to take on additional responsibilities of continuously monitoring these devices and people's behavior.

Physical Theft

Think about it: Chances of losing a mobile device owned by an individual - or having it stolen - is a lot greater than one owned by the employer. A personally owned device goes everywhere with its owner; that's not necessarily true with a company-owned device. That provides little comfort for IT security managers responsible for safeguarding sensitive corporate data.

Except for BlackBerrys, most other mobile devices don't readily support encryption. Someone steals an iPhone or an Android smartphone, the unencrypted data on those devices could be exposed to the thief.

But by placing proper controls on user-owned devices, gaining access by unauthorized individuals to sensitive data can be prevented. If employees want to use their own smartphones or tablet PCs for work, they must agree to seven security controls (see 7 Steps to Secure Mobile Devices), including strong passwords and remote wipe.

Such an approach places part of the security burden on the employee. And, half of the employees who had been using their own devices to access the state network decided not to so when the Delaware implemented its BYOD policy a year ago.

Malware Prevention

Devices used for personal activities are more prone to malware; after all, they're accessing a number of consumer sites that don't necessarily provide the security as do many sites designed for business-to-business transactions.

Many CIOs worries not only about insecure applications downloaded on these devices, but so-called jail-broken smartphones and tablets that are opened and altered to permit use of software the manufacturer didn't architect the device for.

Many banks scrutinizes all employee-owned devices before it allows them to access its networks to ensure they're safe and not jail broken. The bank also makes sure all personally owned devices contain anti-malware software that includes features to alert bank security personnel should a virus surface.

IT Support

Letting employees use their own devices presents a nightmarish scenario for many organizations, supporting a wide range gadgets, operating systems and software. Organizations must define which devices to support based on how they'll be used. It may be OK to limit certain devices to access specific applications, such as e-mail, and restrict their access to other programs behind the firewall.

Employee Education

Getting employee to know about the policy and why it's important for them to implement security controls requires education.

Indeed, security awareness and training is a crucial element in allowing employees to use their own mobile devices, and it's important that IT security leaders prepare their staffs - and themselves - for the advent of widespread adoption of BYOD.

Sunday, December 4, 2011

How can a person remove personal information from the Internet?

A Concerned Reader Wants to Know...

First, the bad news. As soon as any kind of information, including personal information, is online, anyone can copy and store or post it elsewhere. What's worse, there are tools that are constantly searching the Internet for specific types of data.

Once they find it, they can grab it, copy it, post it and store it - for any number of purposes.

4 steps you can take if something gets online that you don't want:
  1. Delete what you can yourself as soon as possible.
  2. Contact the website(s) where it is located and ask them to remove it.
  3. Enlist the help of a lawyer or online data removal service (e.g. Reputation Defender, Reputation Changer) to remove what you can't, or what the website won't.
  4. Remain diligent and check often (for instance, by setting a Google Alert) to ensure you catch any reposting of the information.

Saturday, December 3, 2011

Norway hit by major data-theft attack

Industrial secrets from companies were stolen and "sent out digitally from the country

Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

"This is the first time Norway has unveiled such an extensive and widespread espionage attack," it said.
Spokesman Kjetil Berg Veire added it is likely that more than one person is behind the attacks.

The methods varied, but in some cases individually crafted e-mails that, armed with viruses, would sweep recipients' entire hard-drives for data and steal passwords, documents and confidential documents.

The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.
Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year's Nobel Peace Prize winner, Norway's Nobel Institute website came under attack, with a Trojan Horse, a particularly potent computer virus, being installed on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments.

Refer here to read further details.

Thursday, December 1, 2011

DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack

Apparent cyberattack destroys pump at Illinois water utility

A pump at a public water utility in Springfield, Illinois was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.

CS-CERT has released the following statement saying that DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack.

ICS-CERT is assisting the FBI to gather more information about the separate Houston incident.

>UPDATE - Recent Incidents Impacting Two Water Utilities
ICSJWG Communications [ICSJWG.Communications@HQ.DHS.GOV]


Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT
E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org