Showing posts with label Business Performance. Show all posts

Tuesday, May 21, 2013

Cybersecurity is about more than technology

Securing Supply Chains Beyond Vendors and Service Providers

Securing supply chains is becoming a more crucial aspect of information risk management. But the definition of the supply chain is evolving.

The supply chain, from an IT security perspective, often is perceived as the hardware and software an organization acquires from vendors as well as online offerings furnished by service providers.

According to NIST control SA-12, Supply Chain Protection, organizations use acquisition and procurement processes to require supply chain entities to implement the security safeguards needed to reduce the likelihood of unauthorized modifications at each stage in the supply chain, and to protect information systems and their components before taking delivery of those systems and components.

But that's not quite how it works with shadow suppliers. Those running IT and IT security at government agencies and businesses don't always know that a system or component has been acquired. That's because the technology was not acquired through the normal procurement process.

We see organizations acquiring a service such as Dropbox, which allows individuals to easily share documents through a public-cloud service: 
Colleagues sitting around a conference table want to share a document, but the document owner, after five attempts, can't access Microsoft SharePoint, a document management system that operates on the internal corporate network. 
Frustrated, the document owner uploads the document to Dropbox, where his colleagues can easily access it. Suddenly, Dropbox is a supplier, and the business or government agency doesn't even know it. This is a huge part of the supply chain that now exists completely in the shadows.

Of course, NIST offers other controls to deal with cloud services, such as requiring that information stored on the cloud be encrypted for added security. And many organizations have implemented controls to limit or ban the use of employee-owned devices and cloud services, such as Dropbox.

But as long as employees can find better technology than their employers offer, they will concoct ways to use it. Even if there is a policy against doing it, people naturally do it anyway, not to be rebellious but just to be more productive.

Organizations must be more agile in developing policies and adopting controls because there are too many choices in the marketplace. Years ago, organizations provided their employees with the best technology; not so today.

Tuesday, May 14, 2013

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face a challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-state cyber-attacks, although not all of these approaches would be appropriate for every organization:

  • Avoid acquiring technology from companies based in nations that pose a threat;
  • Isolate internal networks from the Internet;
  • Share cyberthreat information with other organizations;
  • Enhance employee cybersecurity awareness programs, including testing workers' knowledge of best IT security practices.

Thursday, October 11, 2012

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask because generally they will be asking it of a senior executive or even a CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can potentially damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Andersen once appeared to be? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis doesn't mean you cannot prepare for it.

Because it is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking it seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know what plans or capabilities are available (or at least not the details), what the latest information is relating to cause and effect, and what is actually happening "on the ground."

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how you get the information when the crisis has happened, so a way of monitoring potential problems needs to be constantly running. Despite this, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

  • Always tell the truth based on the facts that are available.
  • If you don't know answers to a question, explain why and when you might know.
  • Always follow up on what you promise.
  • Do not delay making decisions and taking action.
  • If you delay taking action, you almost always make things worse and are seen to be drifting.
  • Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
  • Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
  • Communicate with all stakeholders, regularly and often.
  • Make sure technical mechanisms are in place and the correct people are involved.
  • Ensure that internal and external messages are consistent.
  • Do not tell the media one thing and staff something different.

Friday, July 6, 2012

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus on adding short-term value to the bottom line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have a better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases into their presentations to management and further use their skills to identify their own organization's potential high-consequence events.


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top-level attention by taking a more assertive position toward organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well-considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again, getting that message out through whatever communication vehicles are available is key.

Wednesday, July 4, 2012

Facebook Email: What You Need to Know!

Facebook Knocks Your Email off the Podium


Facebook is receiving a decent amount of backlash from its most recent privacy misstep. The social media giant recently forced their @facebook.com email addresses upon all users who had not previously signed up to use it - and did so without their permission.


If you don't want this default email used by your Facebook friends, read this article to learn how to change your email back to the preferred address.


From a privacy standpoint, I'd recommend you not use the @facebook.com email address at all. That is unless you want to give everyone at Facebook (and possibly their third parties) access to your email messages.

Saturday, February 18, 2012

Typical duties of an Incident Handler / Incident Response Teams

Seven Typical Tasks of Incident Handling

The typical areas of performance by an incident handler are found in most incident response (IR) teams. The following are the primary responsibilities of the handler personnel and describe a typical day (if that actually exists) for an IR team member:

Analyzing reports—All incidents are usually reported to the IR team after or, hopefully, during the incident. These reports are analyzed to identify the type of activity, its potential impact, its scope, how many systems are involved, whether it’s local or larger, and whether it’s a known type of attack. These areas are all analyzed first during the initial response efforts.

Analyzing logs—Evaluating any logs, suspect files or artifacts is a prime responsibility of incident handlers. The network logs, system logs, router logs, firewall logs, sniffer logs, application logs, any supporting information and possibly even the incident artifacts are analyzed to help identify the systems, possibly other sites involved in the incident, and the methods of ingress and attack.

Researching background information—What were the first steps taken by the attackers? When was the affected system last patched? When and where did the attackers enter the network? Identifying the hosts, systems and IP addresses from the attack location or attack vector provides important support information to help prevent future attacks and to isolate potential vulnerabilities in the security posture of the compromised system or network.

Monitoring system and network logs—Watching the system or network once the attack or compromise is discovered can add to the data and information needed to further secure the system in the future. A handler could determine if the compromise is still active by evaluating the logs currently being recorded and may possibly catch the perpetrator in the act.

Technical assistance—Providing technical assistance, whether it is over the phone or by sending an e-mail with a source document and suggestions or steps for recovery, is part of the handler’s duties.

The team may have a web site with all the necessary documentation or there may be a repository of defined information for the organization; in either case, the handler would update this as part of his/her technical assistance responsibilities.

Coordinating and sharing information—The handler will coordinate information with the various affected units within the organization and, possibly, with outside organizations.

Collaboration improves response efforts, and information sharing helps the responders react and contain at a much faster rate than what was seen in the past, so this part of the handler’s job has become much larger in recent years. Tracking of tasks, contacting software and hardware vendors for data research, and preparing briefings and reports are all part of this task.

Other duties—Typically, if the incident warrants it, the handler will assist law enforcement with incidents that involve the criminal element. The handler can be, and often is, called upon to provide detailed expert testimony on previous cases and incidents. He/she also could be tasked with supporting the notification activities of victims of unauthorized release of data.

Saturday, June 18, 2011

Index of Cybersecurity

New Index Measures Cyberspace Safety

Quantifying the safety or danger of cyberspace is tough. But a highly respected IT security practitioner and an experienced risk management consultant have teamed to develop an index they contend reflects the relative security of cyberspace by aggregating the views of information security industry professionals.

"We don't have much to compare to in this field because hard numbers are very hard to get," says Mukul Pareek, who developed the Index of Cybersecurity, a sentiment-based measure of the risk to the corporate, industrial and governmental information infrastructure from a range of cyberthreats.

The Index of Cybersecurity launched in April, and in an interview with Information Security Media Group's GovInfoSecurity.com, Geer and Pareek say it could be months before its value to government and private-sector information security officers will be known.

Pareek suspects the index will serve as a baseline for information security officers to compare their organizations' performance against the general state of IT security. "An information security officer has among other questions the perpetual one of: Am I being targeted, am I different, what are other people seeing, is there a baseline I can compare myself to?" he says. "And, it's a constant problem. In fact, unless you do some sort of information sharing, there is little way to tell whether your observations are unique or typical or altogether ordinary except for one feature or the like."

The cybersecurity index features 15 sub-indices that measure malware threats, intrusion pressures, insider threat, industrial espionage, information sharing and media and public perception, to name a few.

In the interview, Geer and Pareek also explain how the index works and ways it could be employed, such as a metric to assess cybersecurity insurance policies.

Wednesday, November 10, 2010

Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target

Would it cripple the organization as a whole? What hurts them the most?

Since when did a penetration test become primarily automated tool driven? Scanners are an aid, but not a full substitute for us as penetration testers.

Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:

  • Good hackers don't need to utilize expensive vulnerability scanners.
  • Good hackers don't use automated penetration testing.
  • Attackers don't have a scope or timeframes.
  • Attackers don't stop after they get root.
  • Attackers don't have portions taken out of scope.

The reality of the current situation with pentests is that the true purpose of the test is completely wasted. For one, your incident response team doesn't get to respond to a true, focused attack. If you are at the point where you can't detect automated scans against your network, then these traditional methods are right up your alley and your security program is still immature in nature, which is fine; you'll get there. The most important element is that there is no true representation of impact or financial loss due to a breach.

In simplistic terms, there's no focus on business risk; the focus is instead on the vulnerability and the exposure of the attack. We aren't hitting companies where it hurts, what makes their business run.

Penetration testing has to be something that measures the organization's business risk and impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test, as well as understanding and learning the network.

Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.

Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you, but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information, or whatever you identify as what hurts them the most. Some of the questions a pen test should answer include, but are not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?

We're also significantly challenged by the basic penetration tests: how do you compete against a cheap vulnerability-scan 'penetration test' with something that will cost significantly more than that and be done right? Businesses don't understand the difference; they just go with the cheapest bidder, not knowing that what they are about to purchase sucks.

We need to hire qualified people that get it, I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.

Friday, October 1, 2010

Securing our Confidential Information

How to protect confidential information?

Even when an organisation has state-of-the-art technology, strict security policies, and a highly skilled IT staff to manage policies, some organisations are not as secure as they could be. In fact, a recent survey conducted at Interop New York 2010 showed 40 percent of IT managers surveyed reported that their organisation had experienced at least one security breach in the last year.

Protecting confidential information plays a key part in the sustainability of any organization. With the proliferation of critical information in digital format, the risks of a security breach have increased, both to the company and to individuals.

We've all seen media reports highlighting a leak of customer personal information like ID numbers, account data, credit-card information, addresses, customer information etc. Identity theft can be devastating to the individual and both embarrassing and costly to the company where the confidential data leak occurred.

The 2009 Australian Cost of a Data Breach study, conducted by US-based Ponemon Institute on behalf of data encryption specialist PGP, examined the actual financial losses incurred by 16 organisations from different industry sectors following a data loss, with breaches ranging from around 3300 to 65,000 lost or stolen records.

Other key findings in the study:

  • Organized crime is now going after corporate data.
  • Data breaches are now being caused by malware.
  • Increased use of mobile devices is leading to increasing data security issues.
  • Third-party mistakes with outsourced data were involved in 42% of the breaches.

Confidential information is not only restricted to customer or employee personal information, though that is important. It also applies to intellectual property that generates the tactical and strategic competitive advantage.

Employees can unknowingly pose security risks to the organisation they work for in a number of ways:

  • Poorly designed passwords may increase the risk of network attack.
  • Improper handling of confidential documents can lead to the loss of proprietary information.
  • Leaving confidential documents unattended on the desk or photocopier.
  • Sharing confidential information with friends, relatives and sometimes strangers, knowingly or unknowingly.
  • Falling prey to a social engineering attack may lead an employee to divulge confidential information.

How to protect confidential information?

  • Never leave documents out, even if you will only be away from your desk a short time. Just open the secure drawer and lock them away. It is a habit every employee needs.
  • If you are shipping sensitive data off-site, use a secure package and a shipping method that allows you to track the package.
  • Employees with company laptops should secure them in their car and in their home.
  • Encourage employees to use strong passwords; the longer and more sophisticated the better.
  • Never open an email attachment from someone you do not know. Even if they know the sender, employees should always be wary of attachments.
  • A study last year found that 67% of employees use removable media such as personal USB thumb drives at work. Not only does this put our IT systems at risk from a potential virus, but it also increases the risk of data leakage.

Friday, September 3, 2010

Social Media: Business Benefits and Security

Tips for Addressing Social Media Risks

Does your organization use social media? How do you know for sure? Social media usually require no special technology, little or no involvement from IT, and no official project plan or explicit permissions to get started. Social media involve the creation and dissemination of information through social networks using the Internet. Social media tools include blogs, product review sites, Twitter, Facebook, LinkedIn, YouTube, Wikipedia and many other outlets.

Any Internet site that allows individual users to supply content can be considered a type of social media. Managing the risks from social media requires that the organization have a social media strategy, sound policy and a plan to address the risks that accompany social media technology. Here are some considerations for using social media in your organization:

1) Understand that blocking access to social media sites is not sufficient to prevent their use since many organizations use the tools to interact with customers or prospective employees. Blocking access also does not preclude the use of social media on employee-owned equipment.

2) Conduct a risk assessment to map the risks to the organization from the use of social media. The top five risks identified from social media include:
  • Viruses/malware
  • Brand hijacking
  • Lack of control over content
  • Unrealistic customer expectations of “Internet-speed” service
  • Noncompliance with record management regulations

3) Develop policies to address the risks of social media. Existing policies on conflict of interest, professional conduct, acceptable use, privacy, client confidentiality, intellectual property and similar issues can and should be extended to apply in the context of social media. Things to cover in these policies include:

  • Whether these sites are allowed for business use
  • Personal use in the workplace and personal use outside the workplace
  • The process to gain approval for use
  • Standard disclaimers if the organization is identified
  • Copyright or other content rights to information posted to these sites
  • Scope of business-related content allowed
  • What is inappropriate
  • Escalation procedures for customer issues
  • Disciplinary procedures for violation of policy

4) Ensure that the business processes that utilize social media are aligned with the policies and standards of the organization.

5) Social media are just other forms of electronic communication. Understand the retention regulations or e-discovery requirements. Poor policies governing the use of social media increase the costs of social media forensics coming from an external inquiry, litigation or audit request and may result in regulatory sanctions, fines or adverse legal actions.

6) Include social media training in the organization’s regular awareness communications or information security training curriculum. Users need to understand what is (and is not) appropriate and how to protect themselves and the organization when using social media.

Monday, July 12, 2010

Leadership Lessons in Disaster Recovery

BP and Toyota

No career is without its hiccups. No company goes straight up and to the right. Every successful executive and every company that's been around has been to the brink of disaster at some point. What distinguishes the great ones is the way they handle it. A few are proactive and decisive; they recover. The rest, well, don't.


Survivors see disaster as a wakeup call, an opportunity to learn and change. The rest try to sweep it under the rug, sugarcoat the truth, or make believe it isn’t really happening. Here are three anecdotes about companies and executives in crisis. Executives, leaders, managers, indeed everyone, listen up. Your time will come. You can count on it.

Toyota, once the king of quality, has recalled over 8.5 million cars and trucks over the past six months due to a laundry list of quality and reliability problems. And in J.D. Power’s annual Initial Quality Survey of new vehicles, Toyota fell to a dismal 21st place overall. I’d call that a wakeup call.

The situation is even more dire for embattled oil giant BP. The gulf oil spill has cost the company $100 billion in market valuation and the price tag for cleaning up the mess will likely be upwards of $20 billion. Throw in the global destruction of the BP brand and you can bet that top executive heads will roll when the leak is finally stopped and the crisis abated.

Each example provides a takeaway for how companies and individuals can best recover from disaster:
  1. Leave no stone unturned in determining how to restructure. Nothing is sacred. Don't decry lost efficiency, productivity, profits, or anything you have to sacrifice to get back on track. You can deal with that later. If you don't fix what's wrong, there won't be any later.
  2. Wakeup calls can save your career, your company, your industry, but only if you actually wake up. That means being honest with yourself about your failure. That takes humility, courage, and perseverance, not coincidentally, all basic qualities of successful leaders.
  3. The sooner you realize what's going on, the quicker you react, the better the recovery. Almost every company (and everybody) reacts tenuously or takes a wait-and-see approach. In virtually every case, that's a bad idea. Be decisive and be quick about it. If you need to cut, cut early and cut deep. You can build back up as conditions improve.

Sunday, May 16, 2010

When Your Trusted Business Partners Are the Threat?

Insider Crimes

Insider crimes divide into two groups: those committed by people with an individual relationship with an organization, and those committed by people with an organizational relationship. Insiders with organizational relationships committed more insider fraud and were after financial gain. Sabotage was most often perpetrated by insiders who had individual relationships with an organization.

Organizational Relationships

Insiders with organizational relationships are typically in non-technical positions and have authorized access to those databases that they use to do their work. For these perpetrators, the crime is usually done at the business location -- most commonly fraud. Typically, there is more money associated with these relationships and so there is a greater motivation for fraud.

Individual Relationships

Insiders with individual relationships generally hold positions that are technical in nature, system administrators and the like. Their insider crimes utilize unauthorized access to the organization's systems.

The typical individual insider is a consultant or contractor who gets mad: they were released from their relationship with the institution, they were fired, or maybe their contract expired, and this upsets them. The individual insider uses their technical knowledge to cause damage to the systems, either by planting a logic bomb or by installing back doors before they are forced to leave, so they can come back afterward to do damage.

The individual insider typically attacks from a remote location, using the back doors they installed before leaving. There are many different ways they can damage an organization, destroying data on databases -- they can do real harm to the organization.

Another area of growing concern is the theft of intellectual property (IP). Where IP is concerned, client lists and databases are taken shortly before the insider leaves. IP data is usually taken within a month of the employee leaving. So monitoring what they downloaded, emailed or printed out during their final days may uncover what they have taken with them.

Other types of valuable IP for financial services firms could be proprietary software code used to run a trading platform, as well as trading algorithms.

Cracking Down on Crime

How to prevent insider crimes by trusted business partners? Having clear contractual measures drawn up can help set new standards of doing business with the institution, including some of the security requirements. This is especially key when dealing with global partners.

In many instances the overseas contractor and consultants aren't as security-conscious as an institution would like them to be. The stronger one can make the contractual agreement that holds the trusted business partner to strict security controls, the better the opportunity to keep possible insiders from doing harm.

Screen Employees -- It doesn't have to be DOD-level clearance, but a screening of personnel should be required. In one case, CMU's research found that a person with a criminal record was handling data as a trusted business partner's employee.

Reinforce Policies -- Security procedures and policies should be at least at the same level of the institution, and all employees should be aware and comfortable using them.

Monitor Exits -- Termination policies of the trusted business partners should be scrutinized and strengthened, if needed. Moore says in many cases of sabotage, the insider was getting back into the organization's networks via backdoors installed on servers, causing damage, often without the business contractor knowing they had access. If the trusted business partner isn't tracking the access of its employees, it won't be able to disable it when the employee leaves the company. Reviewing logs upon an employee's departure may help spot where a back door was installed on a system; most sabotage events are carried out within a month of an employee's termination or resignation.

Enforce Separation -- Insiders can't commit fraud if someone else is doing part of the work. For critical transactions, a system of checks and balances should be a familiar process for institutions. People who are entering transactions shouldn't be able to approve them, too.

Measure Access -- Be able to monitor the intellectual property to which employees and business partners have access. Go with the least privilege access level, give only what they need in order to do their job.
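A departure-window review that applies two of the points above, the observation that IP is usually taken within a month of the insider leaving and the "Monitor Exits" advice to check whether a partner's accounts were actually disabled, as an added example that is not code from the original post. The account names, separation dates and log records are constructed, and the 30-day window and 3x threshold are assumptions to be tuned per organization.

```python
"""Departure-window review for contractor and partner accounts.

Two checks run over constructed log records (user, day, action, bytes):
  1. data volume (downloads, email attachments, print jobs) in the 30 days
     before an HR separation date, compared with that user's own earlier
     daily average;
  2. any activity on an account after its separation date, i.e. access the
     partner never disabled.
"""
from datetime import date, timedelta

# Constructed HR feed: account -> last working day (hypothetical names).
TERMINATIONS = {"jdoe": date(2010, 5, 14), "asmith": date(2010, 5, 14)}


def constructed_events():
    """Constructed sample data, not taken from any real log: three users
    with a steady 2 MB/day, one of whom (jdoe) pulls large files in early
    May, and one (asmith) whose account is still used after separation."""
    events = []
    day, last = date(2010, 3, 1), date(2010, 5, 14)
    while day <= last:
        for user in ("jdoe", "asmith", "bwong"):
            events.append((user, day, "download", 2_000_000))
        if date(2010, 5, 1) <= day <= date(2010, 5, 10):
            events.append(("jdoe", day, "download", 40_000_000))
        day += timedelta(days=1)
    events.append(("jdoe", date(2010, 5, 12), "email", 50_000_000))
    events.append(("asmith", date(2010, 5, 20), "login", 0))
    events.append(("asmith", date(2010, 5, 21), "download", 3_000_000))
    return events


def exfil_spike(events, terminations, window_days=30, ratio=3.0):
    """Flag departing users whose per-day byte volume in the window ending
    on their separation date exceeds `ratio` times their earlier average.
    A user with no history but activity in the window is flagged too."""
    flagged = {}
    for user, term in terminations.items():
        window_start = term - timedelta(days=window_days)  # exclusive bound
        base_bytes = win_bytes = 0
        first_seen = None
        for u, day, _action, nbytes in events:
            if u != user or day > term:
                continue  # other users, or activity after departure
            if day <= window_start:
                base_bytes += nbytes
                first_seen = day if first_seen is None else min(first_seen, day)
            else:
                win_bytes += nbytes
        base_days = (window_start - first_seen).days + 1 if first_seen else 0
        base_per_day = base_bytes / base_days if base_days else 0.0
        win_per_day = win_bytes / window_days
        if base_per_day == 0:
            r = float("inf") if win_per_day > 0 else 0.0
        else:
            r = win_per_day / base_per_day
        if r > ratio:
            flagged[user] = {"baseline_per_day": base_per_day,
                             "window_per_day": win_per_day, "ratio": r}
    return flagged


def stale_access(events, terminations):
    """Any event on an account after its separation date: access that
    should have been disabled at exit. Returned sorted by date."""
    hits = [(u, day, action) for u, day, action, _ in events
            if u in terminations and day > terminations[u]]
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    ev = constructed_events()
    for user, info in exfil_spike(ev, TERMINATIONS).items():
        print(f"{user}: {info['window_per_day'] / 1e6:.1f} MB/day in final "
              f"{30} days vs {info['baseline_per_day'] / 1e6:.1f} MB/day "
              f"before ({info['ratio']:.1f}x)")
    for user, day, action in stale_access(ev, TERMINATIONS):
        print(f"{user}: {action} on {day}, after separation on "
              f"{TERMINATIONS[user]}")
```

On the constructed data jdoe is flagged at 17 MB/day against a 2 MB/day baseline, and asmith's post-separation login and download show up as access that was never revoked.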

Friday, August 21, 2009

Use the best tool to convert WMA/MP3 audio files

How to change a Windows Media music file to an MP3 file?

One of the best tools for converting a Windows Media file — .wma, .wmv, .asf, etc. — to the .mp3 format is WinFF. It's a free, multiplatform tool available from the WinFF site. The program can handle a range of conversions and is supported by an online discussion board, a wiki, and more.

Well-known tech author Jake Ludington has a how-to page for WinFF on his MediaBlab site. Jake even provides a video clip showing how to use WinFF. The info is good, but the page is somewhat cluttered with ads for other audio tools, most of which have nothing to do with WinFF, so read (and click) carefully.

By starting with a free tool that I know is a good one, you can gain experience with audio conversions safely and without paying a fee — or taking a shot in the dark with unknown software.

WinFF may turn out to be all you need. If not, at least you'll have a rock-solid basis for comparison when you look at alternative tools. Happy converting!