Collaboration among various sectors is must for protection against cyber-attacks

Information sharing can facilitate, the more effective fighting efforts against cyber-attacks

Sharing information about cyber-attacks is making a difference in the banking sector, helping bring criminals to justice and curbing fraud losses. And other sectors should learn from banking's example.

It's important for information security professionals to continue their efforts to get senior executives to buy in to the need for cross-industry collaboration. Informal sharing of cyber-intelligence has for years been a common practice among cybersecurity warriors in the trenches.

This type of information sharing, however, often has gone on in the background without the knowledge of upper management. That's because many executives are fearful of revealing too much or sharing with competitors their security vulnerabilities. But that attitude is, slowing but surely, changing.

What's more, the intelligence the financial industry has gathered over the last 12 months about al-Qassam and other attackers was shared with law enforcement, government and others. In fact, much of the information federal investigators gather about cyber-espionage and cyber-attacks comes from the financial sector first.

Those kind of partnerships are needed in other industry sectors as well. Cyber-attacks affect numerous industries, from hospitality and retail to healthcare and government. The more information sharing these sectors can facilitate, the more effective fraud-fighting efforts will be.

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, to anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (i.e. the financial sector), others are severely lacking and only just starting to implement measures (i.e. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is a computer-based system used to control and monitor a building's mechanical and electrical equipment using software. It monitors and controls things like ventilation, air conditioning, lighting and fire systems.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which maps out vulnerable devices on the internet.

A search engine Shodan, indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. This makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident does highlight the need for sensitive systems (not just SCADA) to be isolated from hostile networks like the internet.

Hopefully, this incident will gain some more traction outside the security community.

4 Ways to Defend Against State Sponsored Attacks

Enterprises Challenged to Safeguard Their Infrastructure

With reports - the latest one issued this past week from the Defense Department - that document the Chinese military and government targeting key government, military and business computer systems in the United States and elsewhere, operators of those systems face a challenge of defending their IT assets.

Security experts generally agree that the best defense against nation-state attacks needn't be tailored to a specific attacker. No one solution will help organizations to defend against nation-state attacks, whether from China, Iran, Russia or elsewhere. Still, knowing who's attacking IT systems can help organizations better plan their defenses.

One of the key differences between state-sponsored espionage and organized crime or hackers is their level of persistence and determination to break through defenses.

Security experts say fundamental cybersecurity and risk management practices, if implemented properly, should reduce the damage done from all types of attackers, including those from nation-states.

Here are four steps organizations can take to shore up their defenses against nation-states cyber-attacks, although not all of these approaches would be appropriate for each organization:

• Avoid acquiring technology from companies based in nations that pose a threat;
  
• Isolate internal networks from the Internet;
  
• Share cyberthreat information with other organizations;
  
• Enhance employee cybersecurity awareness programs, including testing worker' knowledge of best IT security practices.

Reputation Is A New Target For Cyber-Attacks

How organizations can protect their credibility in the midst of an incident?

Organizations have to equip themselves much better to deal with this whole attack on reputation. The Information Security forum recently issued its annual threat report, Threat Horizon: New Danger from Known Threats, which provides recommendations on protecting reputation, an area which is a high area of interest for attackers.

Word of a cyber-attack spreads fast these days and that viral impact can be a major issue. Criticism that was levied ... and fueled by social media, disgruntled employees and a whole collection of real viral traffic [causes] a major reputational hit. 

The faster an organization is able to respond, the more it knows about the particular issues that are being raised by hacktivist groups and can say credibly what their position actually is, then the less severe the impact is. 

To ensure they can respond effectively, organizations need to have clear ways of collaborating internally. They have to have honest relationships with the media in order to combat these things, plus an understanding of exactly where things are sitting from a data perspective across their own organizations.

Organizations also have an opportunity to get security and business departments together to get their arms around how they're going to deal with the issue of reputational risk because "it's very real."

Understanding threats is fundamental to enterprise risk management. Every organization needs to evaluate threats within the context of their own business to determine risks. The Information Security Forum advises that one of the key things that was noticed this year is that threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to organizations, simply because they've had that degree of maturing. That increase in the sophistication of the people who are behind the attacks, behind the breaches, has increased significantly.

The Information Security Forum has that criminals have developed and we've called that "crime as a service," having upgraded to version 2.0 which gives you some view as to how we're seeing that.

It's a real opportunity for security departments and business departments to combine within organizations to get their arms around how they're going to deal with this issue of reputational risk because it's very real and we've seen some examples of it already this year.

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Lets say, you have an external hard drive which stopped. Completely. Unexpectedly.

Did you had backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you from feeling the pain of a failed hard drive:

• Invest in an external backup drive for storing your backups. You can see some good guidance here.
  
• For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store at a different, secure location, such as a bank safety deposit box.
  
• Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  
• Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  
• If personal information is on your backup drive, encrypt it!
  
• If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  
• Regularly test backups to ensure the backup data is actually good.

7 Key Duties Of CISOs

CISO's Responsibilities 

The CISO's responsibilities would include: 

1. Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and enterprise information systems;
   
2. Developing, maintaining and overseeing an enterprise-wide information security program;
   
3. Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
4. Training and overseeing personnel with significant responsibilities for information security;
   
5. Assisting senior agency officials on cybersecurity matters;
   
6. Ensuring the enterprise has a sufficient number of trained and security-cleared personnel to assist in complying with cybersecurity law and procedures;
   
7. Reporting at least annually to enterprise executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.

The CISOs should posses the necessary qualifications, including education, training, experience and the security clearance needed to do the job.

STORM (Secure Tool for Risk Management)

Designs and keeps updated the ICT Security Policy, Disaster Recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a buddle of services in order to help your business to securely manage your Information and Communication Technology (ICT) Systems.

STORM is based on web 2.0 technologies and its main characteristics are:

• Compliance with Standards
• Collaboration
• User Friendliness
• Reduces complexity
• Scalability

Some of the key features are:

Cartography:

• Identify and depict the ICT infrastructure
• ICT assets (software and hardware) identification

Impact Assessment Service:

• Recognize the impacts (business, economical, technological, legal) of upcoming incidents on the operations of the ICT

Threat Assessment Service:

• Identify threats Evaluate threats

Vulnerability Assessment Service:

• Identify Vulnerabilities
• Evaluate Vulnerabilities

Risk Assessment service:

• Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:

• Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for demo.

What Is Future of Information Security?

Hackers will and always be ahead of us!

It has become extremely hard for fraudster to make money from stealing credit cards, internet banking details, personal information etc due to increase in security measures by majority of the banks.

Now they are hacking, encrypting data and requesting for ransom money before they release the data. They're doing their calculations right, they are requesting the ransom amount which is way less to what it would cost company to recover/decrypt. The senior management finding this approach much easier to recover.

THIS IS THE FUTURE OF INFORMATION SECURITY!

I have been saying this for ages that bad guys will and always be ahead of us. They motive is to make money, for years and years financial crime was the easiest way for them to make money. Due to increase security technologies deployed by banks such as two-factor authentications, chip readers, proactive fraud detections systems etc, it is extremely difficult for fraudsters to make money.

The wider phenomenon of data ransoming is overwhelmingly that of Trojans infecting individual PCs in order to encrypt consumers’ private data, but the latest Australian attack could be an example of a separate trend to target and attack specific types of business.

I believe we will continue to loose the battle with the bad guys because we are not proactive in information security. We always wait for bad guys to setup a trend so we can follow :)

We will take few years to protect their latest tactics and by that time they will already come up with a new way to make money. 

Here are my suggestions:

• We have to change our strategy, we need to be more proactive!
• We need to consider security in each and everything!
• We need to ensure disaster recovery and business continuity is considered in every business!
• We should stop relying on technologies!
• We need to understand process and people are more important then technology
• We need to find innovative ways of protecting our data tailored to business needs

How to Audit Business Continuity

It's Not About the Process; It's About the Plan

Although business continuity is in many ways relatively straightforward, it is not really a technical or scientific discipline compared with security or quality. Auditors need fixed points of reference for comparisons. Standards (in various guises) provide them with a route map to follow. This allows them to check the process, but not really the effectiveness, of the program.

For example, it is easy to check the number of employees who have been through a business continuity management induction, but much more difficult to determine if this has had any impact upon corporate resilience. This factor has often caused full-time BC practitioners to claim that they alone can properly audit a BC plan or program.

There might be some justification for this. An auditor, for instance, could successfully audit a hospital for its compliance against pre-agreed hygiene standards, but would not be credible at determining a surgeon's technical competence at performing a difficult operation. However, few BC practitioners have the formal audit skills that colleagues in internal audit possess.

Many consultants try to gain these skills by undertaking various audit training courses, but often find the concentration on process and compliance frustrating. To be successful in auditing a business continuity program, both professional knowledge of BCM and appropriate audit skills are required.

The goal of a BCM program is to protect the organization, to ensure adequate levels of resilience exist to withstand the consequences of disruptions and to ensure that there is company-wide BCM awareness and operational consistency.  

To continue with the medical analogy, there is little value in a surgeon claiming an operation was a technical success if the patient died of poor aftercare. Similarly, there is little point in an organization gaining BCM certification from compliance authority if it goes out of business as soon as a serious problem occurs.

Resilience, not process consistency, is the ultimate measure of success. So given these warnings and caveats, what must an auditor do to add value to a BCM program?

First, he or she must understand the business fully. There are some good places to start, such as the company's annual report, to understand missions and values; the external auditors report to highlight weaknesses or exposures; as well as risk registers, previous business impact analyses and other available management reports.

It is rarely useful to start with the business continuity plan itself. The second stage is to familiarize oneself with the BCM process that is in place. 

• Does it follow any recognized standard (internal or external)?
• How well has it documented? Do people know about it and their role in it?
• Conducting selective interviews with senior management and other interested parties can help judge how serious they are in supporting BCM.

Remember: A significant budget for commercial IT recovery capability does not in itself demonstrate management commitment to an embedded business continuity culture. Having acquired this level of contextual understanding, auditors can start to ask questions and review the applicability of the responses. 

Many of the questions are basic, but often throw up uncomfortable issues. Typical areas to cover include:

• Do you have plans for all critical systems, processes and functions, and how do you know which are the most critical?
  
• Are the plans accurate, complete and up-to-date? Is the documentation easy to follow in an emergency?
  
• Have roles and responsibilities been defined?
  
• Are the response strategies devised appropriate to the potential level of disruption?
  
• Are the plans tested? If so, how, when and by whom?
  
• Are the test results evaluated, lessons learned and plans enhanced?
  
• Are the initial response structures well-known and fully tested?
  
• Are appropriate communications with external parties defined and tested?
  
• If pre-defined alternate locations are designated, do staff know how to access them?
  
• Are all critical resources backed up and recoverable?
  
• Are personnel trained in their post-incident roles?

The most important thing for the auditor to reflect on is not the documentation, but the resilience capability that can be demonstrated. A poor audit is one in which the auditor treats it as a document review. It is not enough to have a well written plan unless that plan is part of a tried-and-tested process.

Key Qualities of Good Leadership During Bad Times

How to be a good crisis manager?

This is a difficult question for a business continuity practitioner to ask because generally they will be asking it of a senior executive or even a CEO, who is unlikely to believe they are anything less than excellent.

There are some aspects to a crisis which differ from day-to-day management. Unlike managing commercial and operational challenges, in a crisis the route map to follow is often unclear and the consequences of failure much more serious.

A wrong decision can potentially damage the reputation of a company beyond repair. Who now remembers what a strong and influential company Arthur Anderson once appeared? It failed not because it had a bad business model, but because in one situation it failed to take control of the crisis that eventually engulfed it. However, just because you cannot predict the exact nature of a crisis doesn't mean you cannot prepare for it. 

Because it is usually so serious, top management often plays the leading role in dealing with external stakeholders, including the media. This is good in that it shows the organization is taking it seriously, but bad if that leader is ill-prepared.

A crisis is too urgent for a consensus debating style of leadership, but conversely the biggest danger can be over-confidence. Often top managers are dealing with circumstances in which they do not know the details of what plans or capabilities are available (or at least not the details), what the latest information is relating to cause and effect and what is actually happening "on the ground." 

The two crucial elements needed to make decisions are situational awareness and up-to-date information. It is too late to work out how you get the information when the crisis has happened, so a way of monitoring potential problems needs to be constantly running. Despite this, when the crisis erupts, managers can still fail if they are not perceived as being "on top of the situation."

Some ways in which they can show this level of leadership are:

• Always tell the truth based on the facts that are available.
• If you don't know answers to a question, explain why and when you might know.
• Always follow up on what you promise.
• Do not delay making decisions and taking action.
• If you delay taking action, you almost always make things worse and are seen to be drifting.
• Concentrate on protecting reputation, not necessarily minimizing short-term financial loss.
• Ensure proper processes and systems are in place so that situation changes can be constantly monitored and responses modified as appropriate.
• Communicate with all stakeholders, regularly and often.
• Make sure technical mechanisms are in place and the correct people are involved.
• Ensure that internal and external messages are consistent.
• Do not tell the media one thing and staff something different.