Showing posts with label Operational Security.

Monday, September 23, 2013

How to Reduce Application Security Risk

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher, and over half were employed by organizations with more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  • Application Security Standards
  • Regular Security Assessments for measurement
  • Training for each role in the SDLC


The mature organizations share common characteristics by:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

Monday, September 24, 2012

New malware "Mirage" targeting energy firms

Malware targets individuals via "spear-phishing" e-mails bearing tainted PDF files

Researchers have uncovered a new cyberespionage campaign being waged on a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as targets in Brazil, Israel, Egypt and Nigeria.

The malware being used is called "Mirage" and it leaves a backdoor on the computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU). Victims are carefully targeted with so-called "spear-phishing" e-mails with attachments that are "droppers" designed to look and behave like PDF documents.

However, they are actually standalone executable files that open an embedded PDF file and execute the Mirage trojan. The malware disguises its "phone home" communications to resemble Google searches by using Secure Socket Layers (SSL) in order to avoid detection, Cutler wrote in a report this week.

Researchers were able to take over domains being used in the campaign that were no longer registered or had expired and they used them to set up a "sinkhole" designed to receive any communications from infected computers. By pretending to be a command-and-control server they learned that there were about 80 unique IP addresses that appeared to be infected, involving as many as 120 individual computers.

"Deeper analysis of the phone-home requests and correlation with social networking sites allowed CTU researchers to identify a specific individual infected with Mirage. It was an executive-level finance manager of the Philippine-based oil company," the report says.

Researchers couldn't say what data the attackers were aiming for, but it's not difficult to speculate given that countries are vying for oil and gas exploration rights in the South China Sea. It's unclear who is behind the campaign, but whoever sponsored it is "well funded and very active," said Joe Stewart, director of malware research at Dell SecureWorks.

While he declined to speculate who sponsored the campaign, the report said proxy software used on some of the command-and-control servers was created by a member of a Chinese hacker group called the "Honker Union of China."

"We interrupted their command chain, so we don't know what documents they're looking for," he said. "Typically it's competitive information." The researchers believe that whoever is responsible also played a part in an espionage campaign earlier in the year that targeted Vietnamese oil companies and government ministries, an embassy, a nuclear safety agency and others in various countries.

The command-and-control IP addresses used in the Mirage campaign belong to the China Beijing Province Network, as did three of the IP addresses used in the earlier "Sin Digoo" malware campaign, according to the researchers. This is the latest in a number of reports of international cyberespionage that have cropped up in recent years, with energy, defense and critical infrastructure firms increasingly being targeted.

Monday, August 13, 2012

11 Ways Enterprises Can Battle Malware

NIST guidelines will help you keep pace with the changing malicious code threat

As malicious code rapidly evolves, the National Institute of Standards and Technology is updating its guidance to reflect changes in the threat malware presents to organizations.

NIST says as much in the just-published draft of Special Publication 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops: "Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today's malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts."

NIST, in announcing the draft revision, points out that protecting desktops and laptops remains critical even as many government agencies and companies focus on mobile security.

The guidance provides information on the major categories of malware that afflict desktop and laptop computers and furnishes practical procedures on how to prevent malware incidents and what to do when a system becomes infected.

To battle malware, the NIST guidance suggests organizations should:

  1. Develop and implement an approach to malware incident prevention.
  2. Plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used now and in the near future.
  3. Ensure that their policies address prevention of malware incidents.
  4. Incorporate malware incident prevention and handling into their awareness programs.
  5. Implement awareness programs that include guidance to users on malware incident prevention.
  6. Maintain vulnerability mitigation capabilities to help prevent malware incidents.
  7. Document policy, processes and procedures to mitigate vulnerabilities that malware might exploit.
  8. Apply threat mitigation capabilities to assist in containing malware incidents.
  9. Perform threat mitigation to detect and stop malware before it can affect its targets.
  10. Consider using defensive architecture methods to reduce the impact of malware incidents.
  11. Sustain a robust incident response process capability that addresses malware incident handling.

NIST is seeking comments from stakeholders on the draft. Comments can be sent to 800-83comments@nist.gov by Aug. 31. A final revision is expected to be published by late summer.

Friday, July 6, 2012

Why Business Continuity Is Critical for Your Business

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus on adding short-term value to the bottom line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. That means they can make the right decisions quickly, cut downtime and minimize financial losses. So getting buy-in at the top is crucial. It requires professionals to have a better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases into their presentations to management and further use their skills to identify their own organization's potential high-consequence events.


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf.


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top-level attention by taking a more assertive position on organizational change. Clearly, there are limits to how far individuals can become involved in strategic decisions, but by producing a well-considered analysis of the consequences of change, they can often get senior management's interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again, getting that message out through whatever communication vehicles are available is key.

Monday, May 28, 2012

Checklist security of ICS/SCADA systems

Brief Good Practice Guidelines for ICS/SCADA Systems Security


ICS/SCADA is used in many different areas, varying from very critical systems and processes to simple applications. It is up to their owners to decide which level of security and depth of measures are necessary. This checklist makes a distinction between organisational and technical/operational measures.


A brief explanation is provided for each measure, including references to additional background information and/or tips for implementation. The checklist focuses on measures against the most frequent vulnerabilities and security problems. It is important to note that complying with all items on this checklist does not mean that your organisation is fully protected and 100% safe.


Background


Hackers and security researchers are increasingly and visibly turning their attention to the security of process control systems (ICS/SCADA). Systems that can be accessed directly from the Internet are especially at risk, although this Internet connection is not the only potential security problem for process control environments.


The National Cyber Security Centre (NCSC) has therefore developed this ICS/SCADA system security checklist. This checklist may help your organisation to determine whether the ICS/SCADA environment is sufficiently protected based on measures considered ‘good practice’.


Another publication is the NCSC Fact sheet 2012-01 entitled ‘Security risks of online SCADA systems’, including a checklist focused on reducing the risk of (undesirable) Internet connections of SCADA systems.



Download


Checklist security of ICS-SCADA systems

Thursday, April 19, 2012

Why Cyber Security Is Critical for the Smart Grid

Critical issues for the security requirements of the Smart Grid


Power system operations pose many security challenges that are different from most other industries. For instance, most security measures were developed to counter hackers on the Internet.


The Internet environment is vastly different from the power system operations environment. Therefore, in the security industry there is typically a lack of understanding of the security requirements and the potential impact of security measures on the communication requirements of power system operations.


In particular, the security services and technologies have been developed primarily for industries that do not have many of the strict performance and reliability requirements that are needed by power system operations.


Some of the requirements that security services must respect in this environment are, for instance:
  • Operation of the power system must continue 24×7 with high availability (e.g. 99.99% for SCADA and higher for protective relaying) regardless of any compromise in security or the implementation of security measures which hinder normal or emergency power system operations
  • Power system operations must be able to continue during any security attack or compromise (as much as possible). Power system operations must recover quickly after a security attack or compromised information system
  • The complex and many-fold interfaces and interactions across this largest machine in the world – the power system – make security particularly difficult, since it is not easy to separate the automation and control systems into distinct “security domains”. And yet end-to-end security is critical
  • There is not a one-size-fits-all set of security practices for any particular system or for any particular power system environment
  • Testing of security measures cannot be allowed to impact power system operations
  • Balance is needed between security measures and power system operational requirements. Absolute security may be achievable, but is undesirable because of the loss of functionality that would be necessary to achieve this near-perfect state
  • Balance is also needed between risk and the cost of implementing the security measures.

In the Smart Grid, there are two key purposes for cyber security:


Power system reliability


Keep electricity flowing to customers, businesses, and industry. For decades, the power system industry has been developing extensive and sophisticated systems and equipment to avoid or shorten power system outages. In fact, power system operations have been termed the largest and most complex machine in the world.


Although there are definitely new areas of cyber security concern for power system reliability as technology opens new opportunities and challenges, the existing energy management systems and equipment, possibly enhanced and expanded, should nonetheless remain key cyber security solutions.


Confidentiality and privacy of customers


As the Smart Grid reaches into homes and businesses, and as customers increasingly participate in managing their energy, confidentiality and privacy of their information has increasingly become a concern.


How can security requirements for smart grid interfaces be determined?


There is no single set of cyber security requirements and solutions that fits each of the Smart Grid interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the configurations, the actual applications, and the varying requirements for security of all of the functions in the system.


That said, “typical” security requirements can be developed for different types of interfaces which can then be used as checklists or guidelines for actual implementations. Typically, security requirements address the integrity, confidentiality, and availability of data.


However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and environments precludes simple or one-size-fits-all security solutions. Therefore, additional criteria must be used in determining the cyber security requirements before selecting the cyber security measures.


These additional criteria must take into account the characteristics of the interface, including the constraints and issues posed by device and network technologies, the existence of legacy systems, varying organizational structures, regulatory and legal policies, and cost criteria.


Once these interface characteristics are applied, cyber security requirements can be defined that are both specific enough to be applicable to the interfaces and general enough to permit the implementation of different cyber security solutions that meet those requirements or embrace new security technologies as they are developed.


This cyber security information can then be used in subsequent steps to select cyber security controls for the Smart Grid.

Tuesday, January 24, 2012

20 critical controls for effective cyber defence

Baseline of high-priority information security measures and controls

The Centre for the Protection of National Infrastructure is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.

The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the twenty controls do not deal with these important but non-technical aspects of information security.

The twenty controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack. All twenty controls, together with a brief description, are given below. For further information, visit the SANS website.

CONTROL 1 - INVENTORY OF AUTHORISED AND UNAUTHORISED DEVICES

Reduce the ability of attackers to find and exploit unauthorised and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, mobile, and remote devices.

CONTROL 2 - INVENTORY OF AUTHORISED AND UNAUTHORISED SOFTWARE

Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorised software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorised or unnecessary software.

CONTROL 3 - SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON LAPTOPS, WORKSTATIONS, AND SERVERS

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

CONTROL 4 - CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION

Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities - with critical problems fixed within 48 hours.

CONTROL 5 - MALWARE DEFENCES

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent systems from using auto-run programs to access removable media.

CONTROL 6 - APPLICATION SOFTWARE SECURITY

Scan for, discover, and remediate vulnerabilities in web-based and other application software. Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

CONTROL 7 - WIRELESS DEVICE CONTROL

Protect the security perimeter against unauthorised wireless access. Allow wireless devices to connect to the network only if they match an authorised configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

CONTROL 8 - DATA RECOVERY CAPABILITY

Minimise the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

CONTROL 9 - SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL GAPS

Find knowledge gaps, and fill them with exercises and training. Develop a Security Skills Assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

CONTROL 10 - SECURE CONFIGURATIONS FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

CONTROL 11 - LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Allow remote access only to legitimate users and services. Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

CONTROL 12 - CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow known standards.

CONTROL 13 - BOUNDARY DEFENCE

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

CONTROL 14 - MAINTENANCE, MONITORING, AND ANALYSIS OF SECURITY AUDIT LOGS

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines. Generate standardised logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.

CONTROL 15 - CONTROLLED ACCESS BASED ON THE NEED TO KNOW

Prevent attackers from gaining access to highly sensitive data. Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.

CONTROL 16 - ACCOUNT MONITORING AND CONTROL

Prevent attackers from impersonating legitimate users. Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that follow known standards.

CONTROL 17 - DATA LOSS PREVENTION

Stop unauthorised transfer of sensitive data through network attacks and physical theft. Scrutinise the movement of data across network boundaries, both electronically and physically, to minimise the exposure to attackers. Monitor people, processes, and systems, using a centralised management framework.

CONTROL 18 - INCIDENT RESPONSE CAPABILITY

Protect the organisation’s reputation, as well as its information. Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CONTROL 19 - SECURE NETWORK ENGINEERING

Keep poor network design from enabling attackers. Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

CONTROL 20 - PENETRATION TESTS AND RED TEAM EXERCISES

Use simulated attacks to improve organisational readiness. Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises (all-out attempts to gain access to critical data and systems) to test existing defences and response capabilities.

Prioritisation of the critical controls:

The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence. In order for a control to be a high priority, it must provide a direct defence against attacks.

Controls that mitigate known attacks, or a wide variety of attacks, or attacks early in the compromise cycle, all have priority over other controls. Controls that mitigate the impact of a successful attack also have a high priority. Special consideration is given to controls that help mitigate attacks that have not yet been discovered.

Monday, July 18, 2011

Department of Defense Strategy for Operating in Cyberspace

"Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation"

The Department of Defense released today the DoD Strategy for Operating in Cyberspace (DSOC). It is the first DoD unified strategy for cyberspace and officially encapsulates a new way forward for DoD’s military, intelligence and business operations.

The five primary pillars of the strategy are:
  1. DoD is treating cyberspace as an operational domain, like land, air, sea, and space.
  2. DoD is introducing new active cyber defenses. Active defenses use sensors, software and signatures to detect and stop malicious code.
  3. DoD is working with the Department of Homeland Security and the private sector to protect critical infrastructure.
  4. DoD is building collective cyber defenses with our allies and international partners.
  5. DoD is enhancing network security. A more secure and resilient internet is in everyone's interest.

Download the document here: http://www.defense.gov/news/d20110714cyber.pdf