Showing posts with label Security Research.

Monday, April 7, 2014

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

This is interesting research; refer here to download the paper and learn more about USB bugs.

Tuesday, December 10, 2013

Information Security Forum (ISF) Identifies 6 Major Threats for 2014

ISF report states top six security threats global business will face in 2014 include the cloud, "BYO" trends and cyber-crime

A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.

In presenting the six threats it identified as major concerns heading into 2014, the ISF emphasized the need for companies to find trusted partners and talk openly about cyber-security, a topic that is often treated as private.

Six: BYO Trends

Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Five: Data Privacy In the Cloud

The cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated. While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications.

Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Four: Reputational Damage

There are two types of companies—those that have been hacked and those that are going to be. What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement? When the situation is something that could send stock prices plummeting, the reality of it sets in.

Three: Privacy and Regulation

Organizations need to treat privacy as both a compliance and a business risk, according to the ISF. "Furthermore," the report added, "we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input."

Two: Cyber-Crime

ISF emphasized how shockingly excellent criminals are at coordinating and working together toward a cause. The Syrian Electronic Army's hack into The New York Times was offered as an example. The bad guys are really great at collaboration, because there's a lot in it for them.

Cyber-crime, hacktivism—hacking for a cause—and the rising costs of compliance, to deal with the uptick in regulatory compliance issues, can create a perfect storm of sorts. "Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen."

One: The Internet of Things 

High-speed networks and the Internet of Things will create scenarios like the ability for a car to detect a traffic jam ahead and understand that its driver won't make it to the airport in time for his flight—and so contact the airport to change the flight. That level of information, in the wrong hands, is concerning.

Businesses can't avoid every serious incident, and few have a "mature, structured approach for analyzing what went wrong.

By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately." 

Thursday, November 21, 2013

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute

Industrial control systems continue to draw scrutiny as the risks involved in preserving aging IT infrastructures continue to escalate. Mission-critical systems in everything from manufacturing facilities to public utilities have shown to be easily breached and highly vulnerable.

A new Ponemon Institute survey, however, found that security efforts in the sector are ramping up: 51% use formal risk assessments to identify security risks – which is higher than the broader enterprise average.

Also, the survey found a majority (86%) believe that minimizing noncompliance with laws and regulations helps meet certain business objectives – and that’s also 5% higher than the average.

Risk-based security is coming onto the radar screen too: 43% measure the reduction in unplanned system downtime to assess the effectiveness of cost-containment management efforts, compared with the survey average of 38%. And about half (52%) listed the “flow of upstream communications” as one of the top three features most critical to the success of a risk-based security management approach – an 8% increase over the survey average of 46%.

Even so, this is not enough to protect ICS systems against determined attackers. For instance, only 56% listed an “openness to challenge assumptions” as one of the top three features most critical to the success of a risk-based security management approach – and this is 6% lower than the survey average of 62%.

Further, it is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability. In this regard, however, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security.

Only 40% have fully or partially deployed security configuration management, differing from the survey average of 49%, and 75% have fully or partially deployed system hardening, which is 5% lower than the survey average of 80%.

When it comes to organizational culture, security still has a long way to go to permeating the business.
Most ICS respondents (69%) said security communications are contained in only one department or line of business, differing from the survey average of 63%. And 67% said security communications occur at too low a level, differing from the survey average of 62% – indicating needed oversight from the C-level is generally lacking.
Even though industrial sector organizations are actively considering security risks, they must also improve their willingness to elevate key risks to the executive level. Security risks must be considered in context with overall business risk or the entire organization’s success will be in jeopardy.

Wednesday, September 11, 2013

Five Generations Of Cybercrime

Now that cybercrime is in its fifth generation, prevent a security nightmare from happening on your watch

It helps to understand more about the history of hacking, when you need to defend yourself against cyber criminals. Early hacking started when guys like Kevin Mitnick became ‘digital delinquents’ and broke into the phone company networks.

That was to a large degree to see how far they could get with social engineering, and it got them way further than expected. Actual financial damage to hundreds of thousands of businesses started only in the nineties, but has moved at rocket speed these last 20 years.

Generation ONE

Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it. Relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation TWO

These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking a few minutes) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, and teenagers showing off their “elite skills”.

Generation THREE

Here the motive moved from recognition to remuneration. These guys were in it for easy money. This is where botnets came in, thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

Generation FOUR

Here is where cybercrime goes professional. The malware starts to hide itself, and the criminals get better organized. They are mostly in eastern European countries, and use more mature coders, which results in much higher quality malware, as reflected by the first rootkit flavors showing up. They are going for larger targets where more money can be stolen. This is also the time when traditional mafias muscle into the game, and rackets like extortion of online bookmakers start to show their ugly face.

Generation FIVE

The main event that created the fifth and current generation is that an active underground economy has formed, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain. Note that because of this, cybercrime develops at a much faster rate. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:

  • Cybercrime has their own social networks with escrow services
  • Malware can now be licensed and gets tech support
  • You can now rent botnets by the hour, for your own crime spree
  • Pay-for-play malware infection services that quickly create botnets
  • A lively market for zero-day exploits (unknown vulnerabilities)

The problem with this is that it both increases the malware quality, speeds up the criminal ‘supply chain’ and at the same time spreads the risk among these thieves, meaning it gets harder to catch the culprits. We are in this for the long haul, and we need to step up our game, just like the miscreants have done the last 10 years!

Friday, August 30, 2013

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Armitage is an open source effort to bring a user-friendly interface to Metasploit.


Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the security in depth of an IT architecture.

HASHCAT

There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it.


Because in a perfect world from the users' perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication.

HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a weak password can be recovered.

WIFITE

You know what you are connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite offers the simplest way.


Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network.


On the one hand, WireShark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface.

WireShark allows you to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user.

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that operate by exploiting human credulity. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. Its simplicity of use via an intuitive menu makes it an even more attractive tool.


It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users.

Wednesday, August 28, 2013

Visualizing The World's Biggest Data Breaches

In corporate servers we trust? A beautiful interactive timeline puts the growing vulnerabilities to our personal online security in stark relief

The experience is becoming so common it’s scary. You're sitting there minding your own business, when up pops an email (or worse, a letter via snail mail) from some company you may or may not be familiar with telling you that your data has been compromised by a security breach. Change your password, post haste, and consider yourself lucky if a password is the worst of what was compromised.

More than 50% of CEOs surveyed by the Ponemon Institute, a cybersecurity think tank, say that their company experiences cyber attacks daily or even hourly.

These attacks are becoming more and more sophisticated, and increasingly, they are successful: to date this year, there have been 343 data breaches reported in the U.S., which already exceeds the number in all of 2006, according to the Wall Street Journal. A new visualization of the world’s biggest data breaches on a timeline since 2004 puts the rise of cyberattacks in stark relief.


You can explore the graphic more here. And to protect yourself against certain kinds of data breaches, it's always good to follow good hygiene for passwords and PINs to your online accounts, like making sure you use different passwords for all sites. You can see a few additional tips on how to secure your passwords here.

Monday, July 29, 2013

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement in managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

  • Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  • Only 19% said their organization knew how much regulated data was on mobile devices.
  • Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  • 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  • Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  • In the past two years, the average organization had almost 5 data breaches involving the loss or theft of a mobile device with regulated data on it.

What are the risks?

  1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
  2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
  3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
  4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
  5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

  1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
  2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
  3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
  4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Monday, July 22, 2013

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate primary concern for nation states. The public revelation of wide-spread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (e.g. the financial sector), others are severely lacking and only just starting to implement measures (e.g. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Saturday, July 20, 2013

Cyber Threats: Trends in Phishing and Spear Phishing

Phishing is a global problem for businesses as well as individuals, targeting 37.3 billion people globally in the past year

Most of us have wised up to basic scams and know better than to accept a Nigerian prince's offer of money, or a miraculous win on a Spanish lottery that you can't quite remember entering. But cyber criminals are raising their game and have evolved their tactics to target the more cyber-aware for greater returns.

Sophisticated 'spear phishing' attacks can be hard to spot by the experts; even the largest of organisations is not immune. What chance does this provide the average company or employee, let alone those who use computers infrequently?

Spear phishing is not random – cyber criminals identify employees within a target organisation and use social engineering tactics to construct a legitimate-looking email. The FBI has warned businesses to be more aware of spear phishing tactics, as hackers target employees with administrative rights or access to critical systems.

91% of APTs (advanced persistent threats) start with phishing attacks and success could give cyber criminals the 'keys' to bypass security and initiate further attacks. Clicking a link doesn't mean that you are immediately compromised; phishing is part of a larger attack.

Hackers need to expose a system vulnerability and be able to install software quickly and quietly. However, cyber criminals use advanced tactics to disguise malicious attachments and sites to trick users into further action.

This infographic by Via Resource highlights trends and targets in phishing attacks.



Sunday, July 14, 2013

Five Ways To Plump Your Security Program Without Going Broke

Some are quick, cheap and often free! Others require a little more time and critical thinking

Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization. Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach.

It's easy to get overwhelmed by all of the potential threats and by the question of where money should be spent to keep up, let alone stay ahead of the curve. Security functions are getting only about 70 percent of the resources they need to do an adequate job of securing the business, including hardware, software, services and staff.

The hard stuff is in the next 30 percent. Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure the enterprise, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

Security experts offer five tips for enhancing security that don't cost a lot of cash — and sometimes no money at all — so companies can spend their security dollars on the hard stuff.

1. Patch security holes and identify vulnerabilities

Three of the top 10 botnets reported in February 2013 were more than 8 years old, according to Fortiguard Labs, the threat-researching arm of network security firm Fortinet Inc. in Sunnyvale, Calif. In the most successful attacks, the majority of those threats had been identified and fixed by vendors years earlier, said Derek Manky, global security strategist.

Companies need to keep patches up to date.

2. Install your free firewall and antivirus upgrades

A lot of people don't realize that their basic support contracts with most vendors for firewalls and antivirus include free upgrades. If you don't have a strategy to revisit what technology you've already paid for, then you're missing out on a lot of new features and enhancements that could prevent a security breach.

Call your vendor and revisit your firewall and antivirus solution contracts.

3. Keep up with BYOD

Personal devices in the business environment are here to stay. Yet 79 percent of businesses had a mobile security incident in the past year, ranging from malicious apps downloaded to a mobile device to unsecure Wi-Fi connections to lack of security patches from services providers, according to a June mobile security report by Check Point Software Technologies.

These mobile security incidents cost companies between $100,000 and $500,000 in staff time, legal fees and resolution processes.

Organizations can improve mobile device security through BYOD agreements with users to ensure they take security precautions. The checklist should include installing available upgrades and patches; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed, according to the Computer Security Division of the National Institute of Standards and Technology.

4. Define an enterprise-wide security strategy

Nine out of 10 big companies lack a defined security strategy and security plans, or the plans they have are not tied to business goals and business objectives. There's no way to know if you're supporting business objectives unless you take the time to develop the security strategy and make sure you're doing the most important things for overall risk reduction.

5. Educate Employees

Successful attacks are usually ones that exploit the human mind. Humans are always the weakest link in the chain.

Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.

Thursday, July 4, 2013

New Targets for Hackers - Plane Cockpit/Voice Hijacking?

Criminal hackers can generally be divided into two groups - thieves and showboats

They breach secure systems either to steal or simply to demonstrate that it can be done. A few recent hacking incidents indicate the showboat sector may be picking up steam.

Smartphone used to hack into a plane cockpit

The power and rapid evolution of technology is exposed by a security researcher armed with an Android.

"By using a Samsung Galaxy handset, Teso demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates. He was able to insert code into a virtual aircraft's Flight Management System, and by passing the code between the aircraft's computer unit and the pilot's display, Teso was able to take total control of what the aircrew would see in the cockpit."

Scientist's voice hijacked during high-profile presentation

Hackers accessed the computer synthesizer controlling Stephen Hawking's voice during a public speech he was giving to a large audience, overriding his control and forcing him to make statements against his will.

"It wasn't until hours later when the Syrian Electronic Army - a group of hackers working in support of Bashar al-Assad - claimed responsibility for the attack, breaking into Stephen Hawking's voicebox one last time to announce "the Syrian Electronic Army was here" just as the scientist was leaving the stage."

Sunday, June 16, 2013

Why Mobile Security Matters

How do Enterprises secure the increasing flow of data in and out of their doors?

The widespread adoption of intelligent mobile devices has transformed the way we work in innumerable ways. In 2012, IDC calculates that 712.6 million smartphones were shipped globally – 44.1% more than in 2011. In 2013, it predicts worldwide mobile tablet sales will reach 190.9 million, increasing the adoption of cloud and app-based solutions.

By 2016, mobile data traffic will have increased 18-fold, with smartphones, laptops, tablets and other portable devices driving around 90% of that traffic [Cisco]. Yet, alongside the countless new opportunities that these handy communications tools present for flexible workers, the continued rise in mobility also brings with it a myriad of potential security threats.

Most enterprises are already well-accustomed to protecting corporate data, including everything from commercial information to intellectual property and customer/employee information. However, the fact that mobile phones and tablets are small, portable and frequently used in public places or for downloading applications makes them particularly vulnerable to attacks and difficult to manage, especially compared with PCs.

In effect, these devices take corporate information out of the ‘safe’ corporate network and into unsecured environments, such as public Wi-Fi hotspots, and invite users to access a huge range of apps and websites.

The consequences of unwittingly falling foul of a security threat can go well beyond the cost of a simple repair. Whether it’s connecting to a rogue Wi-Fi network in an internet café or downloading an app that contains malware, a single unintentional mobile security breach can lead to financial and information loss, a privacy breach, loss of intellectual property or even damage to reputation.

As with other aspects of business, the cost of prevention is far lower than the cost of cure. For this reason, it is critical that today’s businesses assess their security environment and put the necessary protection in place to enable employees to work securely and without risk of infection, whenever and wherever in the world they may be.

Refer here to download the white paper (registration may be required), which covers the following topics:
  • Mobile security challenges and risks faced by large organisations
  • Factors to consider when developing a mobile security strategy
  • How to find a security solution that meets your organisational needs

Wednesday, June 5, 2013

Sex Matters: Men & Women differ on data security

Surprise: Women are more likely to take steps to control what's visible to strangers on social media, although they take fewer security precautions online!

Two Microsoft studies have found that men and women may have different priorities when it comes to staying safe and secure with technology.

The first study, which surveyed more than 10,000 mobile and desktop users worldwide, found that 35 percent of men kept their mobile devices protected behind a passcode and used secured wireless networks to go online.

Women, the study found, took those same security precautions at a slightly lower rate of 32 percent.

Following that trend, 32 percent of men kept the software on their mobile devices up-to-date, an important defense against malware attacks. Only 25 percent of women did.

The numbers seem to show that men take mobile security slightly more seriously than their female counterparts, but also that both sexes adopt these common-sense security precautions at an abysmally low rate.

Jacqueline Beauchere, chief online safety officer at Microsoft, said in a statement: "We know from earlier research that men and women practice mobile safety very differently."

Despite their slight edge in security, men appear to fall victim to mobile-based attacks more frequently than women. They receive slightly more phishing emails, intrusive pop-ups and messages from impostors.

When it comes to defending their reputations, women tend to be more cautious than men about what they're willing to share online, the study found.

Women are also more likely to take steps to control what's visible to strangers on social media. The study also found that women are less cavalier than men when it comes to the content of their text messages.

A different Microsoft survey, this one conducted on Facebook, asked more than 800 people about their mobile pet peeves.

Many respondents cited loud talkers, constant phone checking and socially inappropriate use of mobile phones as among their top annoyances.

Tuesday, May 28, 2013

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is a computer-based system used to control and monitor a building's mechanical and electrical equipment using software. It monitors and controls things like ventilation, air conditioning, lighting and fire systems.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which indexes devices connected to the internet.

Shodan, a search engine that indexes servers and other internet-connected devices, helps hackers find industrial control systems that are vulnerable to tampering. It makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident highlights the need for sensitive systems (not just SCADA) to be isolated from hostile networks such as the internet, and for owners to check from the outside whether such systems are reachable at all.
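As an added example (not code from the post or from the researchers it describes), the following script shows the kind of correlation a Shodan-style search rests on: combine the listening port, transport and banner text of a record to label it as a control-system service, then keep only the hosts whose addresses are routable from the internet. The records, the keyword list and the allow-list of internal ranges are constructed for the example; the 203.0.113.0/24 addresses are RFC 5737 documentation addresses standing in for public ones.

```python
import ipaddress
import json

# Constructed sample records in the shape of a Shodan JSON-lines export.
# Nothing here refers to a real host.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 47808, "transport": "udp",
     "data": "BACnet Vendor Name: ExampleCorp\nObject Name: HVAC-Plant-1"},
    {"ip_str": "203.0.113.11", "port": 502, "transport": "tcp",
     "data": "Modbus Unit ID: 1\nDevice Identification: Example PLC"},
    {"ip_str": "203.0.113.12", "port": 80, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\nServer: Example-BMS/2.0\n\n"
             "<title>Building Management Login</title>"},
    {"ip_str": "203.0.113.13", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\nServer: nginx\n\n<title>Corporate Website</title>"},
    {"ip_str": "10.20.30.40", "port": 47808, "transport": "udp",
     "data": "BACnet Vendor Name: ExampleCorp\nObject Name: Lighting-Controller"},
])

# Standard ports for common building/industrial control protocols.
CONTROL_PORTS = {
    ("udp", 47808): "BACnet/IP",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
}
# Banner fragments that mark a control-system web front end (assumed keyword list).
BANNER_KEYWORDS = ("bacnet", "modbus", "building management", "scada", "plc")

# Ranges that are not routable from the internet (RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def load_records(export_text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def identify_control_service(record):
    """Return a label if the record looks like a control-system service, else None."""
    key = (record["transport"].lower(), int(record["port"]))
    if key in CONTROL_PORTS:
        return CONTROL_PORTS[key]
    banner = record.get("data", "").lower()
    if any(word in banner for word in BANNER_KEYWORDS):
        return "control-system web interface"
    return None


def find_exposed_control_systems(records):
    """Correlate port, transport and banner, keeping only internet-reachable hosts."""
    findings = []
    for rec in records:
        service = identify_control_service(rec)
        if service is None or is_internal(rec["ip_str"]):
            continue
        findings.append({"ip": rec["ip_str"], "port": int(rec["port"]), "service": service})
    return findings


def summarize(findings):
    """Count exposed services by protocol label."""
    counts = {}
    for f in findings:
        counts[f["service"]] = counts.get(f["service"], 0) + 1
    return counts


if __name__ == "__main__":
    exposed = find_exposed_control_systems(load_records(SAMPLE_EXPORT))
    for f in exposed:
        print(f"{f['ip']}:{f['port']} {f['service']}")
    print(summarize(exposed))
```

The same logic, pointed at an export of your own address space rather than a constructed one, is a cheap way to confirm that a building management system really is unreachable from the internet rather than merely assumed to be.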

Hopefully, this incident will gain some more traction outside the security community.

Friday, May 24, 2013

BYOD is here to stay, Why?


Should enterprises be adapting to an increasingly mobile world?

Statistics from major BYOD surveys and analysts over the last year show that the BYOD trend is strong and will only get stronger. There are already 1 billion smartphone users around the world, with 1.3 billion smartphone and tablet sales expected in 2013.

Employees are using their personal smartphones for work all over the globe. However, the trend is strongest in high-growth countries, such as Brazil, Russia and India, and among the youngest workers. Employees bring their own devices because they believe the devices let them do their jobs better, they like the flexibility to work when they want, and they prefer to carry a single device for work and personal use. Even knowing the security risks, and that their companies might be watching their online activities, isn’t stopping this trend.

IT departments are paying attention. They are aware of the growth of BYOD and are mostly positive about it. High-growth countries and the US are the most positive and provide the most support. While most IT departments have been supporting BlackBerry and Apple devices, many are realizing the need to support Android and Windows Mobile as well. Not surprisingly, the most popular business applications used on mobile are email, web browsing, contacts and calendars; however, more than half of IT departments report mobile apps being used for office applications, task and project management, social media, sales force automation or CRM as well.

By embracing the rise of BYOD and enterprise mobility, 2013 presents the opportunity for IT to change their role from service providers and technology partners to leaders and business strategists. By taking the initiative and working closely with all areas of the business, IT can lead the company into the New Age of enterprise mobility – enabling increased productivity and operational efficiencies, securely, and cost-effectively. 

See below: A Visual Display of the Current State of BYOD 2013 (infographic).

Friday, May 10, 2013

No Room For Guessing Games in Information Security

The Global Cost of Cyber Security?

The information security industry, for the most part, has been working hard to reshape how users think about security. Before this reshaping took place, security was a nuisance for enterprises, was overlooked by developers (i.e., security-as-a-fix instead of security-at-inception), and was unknown to end users.

Fortunately, the trend is changing. For example, CXOs are now less reluctant to approve those line items in the budget related to securing their enterprises and end users are becoming more aware of cyber security and its consequences. 

For me, trying to estimate the global cost associated with cybercrime is one of those things that simply cannot be done reliably. The inherent complexity of the global space of cybercrime events prevents us from calculating a cost estimate with respectable accuracy and precision.

Not so long ago, Symantec asserted that cybercrime was costing us about $110 billion per year. Around the same time, McAfee stated that cybercrime was instead costing us approximately $1 trillion per year. I wonder which one is right? It’s a conundrum, indeed.

For years, I have watched these sorts of global cost estimates travel across the wire, and yet I have found little use for the information because the data points are, with absolute certainty, all over the map.

Nowadays I simply ignore these ‘informationals’ when they cross my path; long-term exposure to them has desensitized me. However, the positive changes described above would not have occurred if our industry had been desensitizing its target audience with inaccurate information.

The moral of this story: we as security professionals need to focus on relaying relevant information to the rest of the world and to do so as accurately as possible. There is no room for guessing games in our industry.

Sunday, April 28, 2013

Detecting Cyber Intrusion in SCADA System

How to recognize intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a ‘‘backdoor’’) that will allow the intruder to easily gain access at a future time.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  • Communications attempted from unauthorized or unusual addresses and
  • An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.
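As an added example (not code from the post or from any IDS vendor), the script below implements the two detection factors listed above over constructed substation gateway log lines: an allow-list of master/HMI addresses, and a per-source baseline of the operations each host normally issues and how busy it gets, against which later traffic is compared. The log format, the host addresses, the allow-list and the `rate_factor` threshold are all assumptions made for the example; the threshold is the knob that trades missed intrusions against the flood of spurious events discussed further on.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical gateway format
# (timestamp, source, destination, protocol, operation). Not from a real system.
BASELINE_LINES = [
    f"2013-04-21T10:{m:02d}:00Z src=10.1.5.20 dst=10.1.5.2 proto=dnp3 op=READ"
    for m in range(0, 60, 10)
] + [
    "2013-04-21T10:05:00Z src=10.1.5.20 dst=10.1.5.2 proto=dnp3 op=OPERATE",
    "2013-04-21T10:12:00Z src=10.1.5.21 dst=10.1.5.2 proto=dnp3 op=READ",
    "2013-04-21T10:42:00Z src=10.1.5.21 dst=10.1.5.2 proto=dnp3 op=READ",
]

MONITORED_LINES = [
    # engineering workstation that has only ever read now issues a control command
    "2013-04-22T02:00:00Z src=10.1.5.21 dst=10.1.5.2 proto=dnp3 op=OPERATE",
    # address that is not on the authorised list at all
    "2013-04-22T02:01:00Z src=192.0.2.77 dst=10.1.5.2 proto=dnp3 op=READ",
] + [
    # the HMI polls far faster than its baseline peak of 7 requests/hour
    f"2013-04-22T02:{m:02d}:30Z src=10.1.5.20 dst=10.1.5.2 proto=dnp3 op=READ"
    for m in range(22)
]

AUTHORIZED = {"10.1.5.20", "10.1.5.21"}      # assumed allow-list of master/HMI hosts
CONTROL_OPS = {"SELECT", "OPERATE", "WRITE"}  # operations that change device state

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) op=(?P<op>\S+)$")


def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # malformed lines are dropped rather than crashing the detector
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events):
    """Learn, per source, the operations it normally issues and its busiest hour."""
    ops = defaultdict(set)
    per_hour = defaultdict(Counter)
    for e in events:
        ops[e["src"]].add(e["op"])
        per_hour[e["src"]][hour_of(e["ts"])] += 1
    return {"ops": dict(ops),
            "peak_per_hour": {src: max(c.values()) for src, c in per_hour.items()}}


def detect(events, baseline, authorized, rate_factor=3):
    """Flag unauthorised addresses, first-seen control operations and rate spikes.

    rate_factor is the tuning knob: a source is flagged once per hour when its
    request count exceeds rate_factor times its baseline peak.
    """
    alerts = []
    per_hour = defaultdict(Counter)
    for e in events:
        src = e["src"]
        if src not in authorized:
            alerts.append((e["ts"], src, "unauthorized source address"))
            continue
        known_ops = baseline["ops"].get(src, set())
        if e["op"] in CONTROL_OPS and e["op"] not in known_ops:
            alerts.append((e["ts"], src, f"first-seen control operation {e['op']}"))
        hour = hour_of(e["ts"])
        per_hour[src][hour] += 1
        limit = rate_factor * baseline["peak_per_hour"].get(src, 1)
        if per_hour[src][hour] == limit + 1:  # fire once, not on every extra request
            alerts.append((hour, src, f"request rate exceeded {limit}/hour"))
    return alerts


def run_demo(rate_factor=3):
    baseline = build_baseline(parse(BASELINE_LINES))
    return detect(parse(MONITORED_LINES), baseline, AUTHORIZED, rate_factor)


if __name__ == "__main__":
    for ts, src, reason in run_demo():
        print(ts.isoformat(), src, reason)
```

Raising `rate_factor` from 3 to 4 silences the rate alert in this sample while keeping the two that matter; that is the kind of tuning an owner, or the outside service mentioned below, has to do against real baseline traffic before the output is worth reading.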

To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion. In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few.

Users will soon learn to ignore the output of an IDS that announces too many spurious events. There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA/SA (substation automation) environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.

Summary

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy.

Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  • Preventing intrusions from occurring, and
  • Recovering from them when they occur.

Wednesday, April 17, 2013

Can Enterprise rely on MDM to achieve Mobile Security?


mRAT spyware bypasses mobile enterprise controls

Mobile remote access Trojan (mRAT) infections are increasing and bypassing mobile enterprise security controls, putting businesses at risk of cyber espionage, research has revealed.

mRATs are capable of intercepting third-party applications such as WhatsApp, despite guarantees of encrypted communications, the study of 2 million smartphone users by Lacoon Mobile Security found.

The research also showed that mRATs are similarly able to bypass security controls in mobile device management (MDM) systems, which a growing number of businesses rely on for mobile security.

mRATs are designed to carry out cyber espionage and typically enable eavesdropping on calls and meetings, extracting information from email and text messages and location tracking of executives.

The spyware requires a backdoor for installation, through the rooting of Google Android or the jailbreaking of Apple iOS devices.

The research found that mRATs can bypass the rooting and jailbreaking detection mechanisms installed on handsets, with 52% of infected devices found running iOS and 35% running Android.

The attacks undermine the basic notion of a secure container on which most MDM systems are based, according to Lacoon Mobile Security.

MDM systems create secure containers that separate business and personal data on the mobile, in an attempt to prevent business-critical data from leaking.

However, the research team demonstrated that mRATs do not need to attack the encryption mechanism of the secure container directly; they can grab the data at the point where the user opens it to read it, once it has been decrypted for display.

Mobile best practices and technologies include:
  • Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable a network protection layer to block exploits and drive-by attacks, and contain the device (deny it access to enterprise resources) when the risk is high.


Thursday, March 28, 2013

Hackers steal photos, turn Wi-Fi cameras into remote surveillance device

Electronic manufacturers need to start putting some real thought into securing the devices and protecting privacy!

With so many people seizing the convenience of using their smartphone cameras to point, shoot and share, embedded GPS location and all, digital camera manufacturers have been offering more "social" options such as built-in Wi-Fi capabilities and camera apps to quickly share photos and videos.

In fact, if a digital single-lens reflex (DSLR) camera isn't Wi-Fi enabled, some photographers go the Wi-Fi SD card route and others create hacks to give that camera wireless file transfer capabilities.

While there have been plenty of researchers working on ways to exploit smartphones for remote spying, such as the scary PlaceRaider, an Android app that remotely exploits the camera and secretly snaps a picture every two seconds, there has not been as much research into exploiting DSLR Wi-Fi-enabled cameras. However, security researchers from ERNW changed that by showing how to exploit vulnerabilities in order to steal photos and turn a DSLR camera into a spying device.

In the presentation Paparazzi over IP, Mende and Turbing explained that there are four ways the Canon EOS-1D X can communicate with a network: FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the EOS Utility mode.

They were able to attack and exploit all four, saying, "Not only did we discover weak plaintext protocols used in the communication, we've also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the 'upload to the clouds' feature resulted in an image stealing Man-in-the-Imageflow."
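As an added example (not code from the post or from the ERNW researchers), the script below shows what "weak plaintext protocols" means in practice for the FTP upload mode: anyone who can see the traffic reads the login and the file names straight off the wire, and the 230 reply tells them the recovered password works. Both directions of the session are constructed byte strings, the server address is an RFC 5737 documentation address, and the credentials are made up.

```python
import re

# Constructed capture of both directions of an FTP upload session between a
# camera and a server; no real device or credentials are involved.
CLIENT_STREAM = (b"USER camera\r\nPASS hunter2\r\nTYPE I\r\nPASV\r\n"
                 b"STOR IMG_0001.CR2\r\nQUIT\r\n")
SERVER_STREAM = (b"220 ftp ready\r\n331 Password required\r\n230 Login ok\r\n"
                 b"200 Type set to I\r\n227 Entering Passive Mode (192,0,2,50,195,80)\r\n"
                 b"150 Opening data connection\r\n226 Transfer complete\r\n221 Bye\r\n")

PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_commands(stream):
    """Split the client side into (verb, argument) pairs; FTP is line-oriented and unencrypted."""
    cmds = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        cmds.append((verb.decode().upper(), arg.decode()))
    return cmds


def parse_replies(stream):
    """Return the list of 3-digit reply codes the server sent."""
    return [int(line[:3]) for line in stream.split(b"\r\n")
            if len(line) >= 3 and line[:3].isdigit()]


def parse_pasv(stream):
    """Decode the 227 reply (h1,h2,h3,h4,p1,p2) into the data-channel endpoint."""
    m = PASV_RE.search(stream)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_session(client_stream, server_stream):
    """What an on-path observer learns from one captured camera upload."""
    cmds = parse_commands(client_stream)
    replies = parse_replies(server_stream)
    creds = {verb.lower(): arg for verb, arg in cmds if verb in ("USER", "PASS")}
    return {
        "credentials": creds,
        "login_succeeded": 230 in replies,          # 230 confirms the recovered password works
        "uploaded_files": [arg for verb, arg in cmds if verb == "STOR"],
        "data_channel": parse_pasv(server_stream),  # where the image bytes actually flow
    }


if __name__ == "__main__":
    for k, v in audit_session(CLIENT_STREAM, SERVER_STREAM).items():
        print(f"{k}: {v}")
```

With the credentials and the server in hand, an attacker does not need the camera at all to read, replace or delete everything it has uploaded, which is why a transport with authentication and encryption (FTPS or SFTP, or a TLS-protected upload API) rather than a stronger password is the fix.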


Refer here to read further details.