Showing posts with label Security Standards. Show all posts

Friday, August 2, 2013

NIST Updates Malware & Patch Management Guidelines

First Revisions to Both Publications in Eight Years

The National Institute of Standards and Technology has published new guidance on malware incident prevention and handling for desktops and laptops as well as enterprise patch management technologies.

NIST Special Publication 800-83 Revision 1, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops," provides recommendations for improving an organization's malware incident prevention measures. The publication also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts.

SP 800-40 Revision 3, "Guide to Enterprise Patch Management Technologies," provides an overview of enterprise patch management technologies. It also briefly discusses metrics for assessing the technologies' effectiveness. The publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems.

NIST also issued SP 800-165, "2012 Computer Security Division Annual Report," which highlights the activities of NIST's Computer Security Division during fiscal year 2012, which ended Sept. 30.

Wednesday, June 26, 2013

6 Steps to Secure Mobile Devices

NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise

When NIST issued its initial guidance on managing mobile device security in 2008, the Apple iPhone was just a year old and the introduction of the iPad was 15 months off. Even the guidance name, Special Publication 800-124: Guidelines on Cell Phone and PDA Security, sounds ancient to today's ears.

The National Institute of Standards and Technology on June 24 published its first revision of SP 800-124, renaming it Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST says the revised guidance provides recommendations for selecting, implementing and using centralized management technologies, explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles.

The guidance covers enterprise-issued devices as well as the bring-your-own-device (BYOD) trend.

Step-by-Step Approach

The revised publication offers six major steps enterprises need to take to manage mobile devices in a secure environment. According to the guidance, organizations should:

  1. Have a mobile device security policy that defines which types of the organization's resources may be accessed via mobile devices, which types of mobile devices - for example, organization-issued devices vs. BYOD - are permitted to access the organization's resources, the degree of access that various classes of mobile devices may have and how provisioning should be handled.
  2. Develop system threat models for mobile devices and the resources that are accessed through the devices. These devices often need additional protection because of their higher exposure to threats than other client devices, such as desktops and laptops.
  3. Consider the merits of each provided security service, determine which services are needed for their environment and then design and acquire one or more solutions that collectively provide the necessary services. Categories of services to be considered include general policy, data communication and storage, and user and device authentication and applications.
  4. Implement and test a mobile device solution before putting it into production. Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging and performance.
  5. Fully secure each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats.
  6. Regularly maintain mobile device security, including checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.

The revised guidance also recommends that organizations periodically perform assessments to confirm that their mobile device policies, processes and procedures are being properly followed. Assessment activities may be passive, such as reviewing logs, or active, such as performing vulnerability scans and penetration testing.

Monday, June 24, 2013

NIST Publishes Draft Cloud Computing Security Document for Comment

NIST Cloud Computing Security Reference Architecture provides a security overlay to the NIST Cloud Computing Reference Architecture published in 2011

The National Institute of Standards and Technology (NIST) has published a draft document on security for cloud computing as used in the federal government. The public comment period runs through July 12, 2013.

The 2011 NIST Cloud Computing Reference Architecture provided a template and vocabulary for federal cloud adopters to follow for a consistent implementation of cloud-based applications across the government.

This new addition, the NIST Cloud Computing Security Reference Architecture, contributes a comprehensive security model that supplements the NIST Cloud Computing Reference Architecture.

Using this model and an associated set of security components derived from the capabilities identified by the Cloud Security Alliance in its Trusted Cloud Initiative Reference Architecture, the NIST Cloud Computing Security Reference Architecture introduces a cloud-adapted Risk Management Framework for applications and/or services migrated to the cloud.

The NIST Cloud Computing Security Reference Architecture provides a case study that walks readers through steps an agency follows using the cloud-adapted Risk Management Framework while deploying a typical application to the cloud—migrating existing email, calendar and document-sharing systems as a unified, cloud-based messaging system.

Deadline for comments is July 12, 2013. Please use the template for comments and mail to Michaela Iorga at Michaela.iorga@nist.gov with the subject line "Comments SP 500-299."

Saturday, March 30, 2013

Free eBook: 9 Steps to Cybersecurity

Explanation of Cybersecurity and How to Properly Integrate it into Your Organization

9 Steps to Cybersecurity from expert Dejan Kosutic is a free eBook designed specifically to take you through all cybersecurity basics in an easy-to-understand and easy-to-digest format.

You will learn how to plan a cybersecurity implementation from a top-level management perspective. Additionally, Kosutic covers all of your options and how to choose the ones that will ultimately work best.

President Obama issued “Executive Order - Improving Critical Infrastructure Cybersecurity" on February 12, 2013. 9 Steps to Cybersecurity will inform you of what you need to know at this timely and critical juncture. The goal of this book is to give you the essential information you need to make decisions that are crucial for the future of your organization. Simply fill out the short form on the right-hand side of the screen to download 9 Steps to Cybersecurity today.

Why is this Book Essential for You?

  • Learn how to use risk management to make your cybersecurity a profitable investment
  • Find out how cybersecurity can give your company an invaluable marketing edge
  • Learn how to comply with various information security laws and regulations, including U.S. Executive Order - Improving Critical Infrastructure Cybersecurity
  • Discover the invaluable tips for persuading upper management to act immediately
  • Uncover the key elements of the CIA triad (Confidentiality, Integrity and Availability) and why it is vital to your company
  • Learn everything you need to know in order to develop a cybersecurity plan and monitor the implementation by setting measurable targets

Who Should Read this Timely, Free eBook on Cybersecurity?

Anyone interested in the cutting edge of cybersecurity and what is necessary to secure information should download 9 Steps to Cybersecurity, which can be read in less than 2 hours. This free eBook will be of tremendous interest to any executives wishing to be well versed in the latest cyber safety information. CEOs, CFOs, Chief Information Security Officers and other managers will find this detailed and informative examination of the current state of cybersecurity to be a must-read book. Additionally, 9 Steps to Cybersecurity is written in completely non-technical language - Kosutic's goal was for the book to be easily accessible to all executives, regardless of whether they have technical knowledge.

Once you’ve read Dejan Kosutic's book, you will have a clear concept of cybersecurity, and the direction that your company should take. You will be able to properly implement cybersecurity and comply with the regulations and relevant deadlines. 9 Steps to Cybersecurity was specifically written to provide much-needed clarity and help you chart the most direct and most effective path for your company, period.

Download this free book today and go well beyond the jargon and the confusion.

Sunday, March 17, 2013

STORM (Secure Tool for Risk Management)

Designs and keeps updated the ICT Security Policy, Disaster Recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a bundle of services to help your business securely manage its Information and Communication Technology (ICT) systems.

STORM is based on web 2.0 technologies and its main characteristics are:

  • Compliance with Standards
  • Collaboration
  • User Friendliness
  • Reduces complexity
  • Scalability

Some of the key features are:

Cartography:
  • Identify and depict the ICT infrastructure
  • ICT assets (software and hardware) identification

Impact Assessment Service:
  • Recognize the impacts (business, economic, technological, legal) of upcoming incidents on the operations of the ICT

Threat Assessment Service:
  • Identify threats
  • Evaluate threats

Vulnerability Assessment Service:
  • Identify vulnerabilities
  • Evaluate vulnerabilities

Risk Assessment service:
  • Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:
  • Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for a demo.

Monday, March 19, 2012

NIST Issues Security Guidance on Wireless Local Area Networks

6 Tips to Secure WLANs

Wireless Local Area Networks often have weaker configurations and authentication processes that make them vulnerable for attackers to penetrate and gain access to sensitive information, according to the National Institute of Standards and Technology. New guidance from NIST is aimed at helping organizations meet security challenges.

NIST has released Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), which provides step-by-step recommendations, from initiation through maintenance to disposal, on securing WLANs. A WLAN is a group of wireless network devices within a limited geographic area, such as an office building, that exchange data through radio communications.

"Employees can use mobile devices, including laptops and smart phones, connected to the WLAN to perform tasks that could be done on desktops, but with the freedom to work anywhere in the covered area," NIST says in announcing the guidance.

While WLANs can improve productivity, they also add a security challenge: their often weaker configurations and authentication processes make it easier for attackers to penetrate them and gain access to sensitive information.

NIST says WLAN security depends upon how well all of its components, including client devices and wireless switches, are secured. The new guide provides recommendations to improve security on such topics as standardizing WLAN security configurations, including configuration design, implementation, evaluation and maintenance.

The guide also furnishes guidelines concerning the selection of monitoring tools and the frequency of security monitoring. According to the guidance, organizations should:

  1. Have standardized security configurations for common WLAN components, such as client devices and access points.
  2. Consider the security not only of the WLAN itself, but also how it may affect the security of other networks when planning WLAN security.
  3. Have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices, and enforce these policies through the appropriate security controls.
  4. Ensure that the organization's WLAN client devices and APs have configurations at all times that are compliant with the organization's WLAN policies.
  5. Perform both attack monitoring and vulnerability monitoring to support WLAN security.
  6. Conduct regular periodic technical security assessments for the organization's WLANs.

SP 800-153 supplements other NIST publications on WLAN security and points readers to other NIST publications on system planning, development and security activities. NIST said recommendations included in SP 800-153 are applicable to the protection of unclassified wireless networks and of unclassified facilities that are within range of unclassified wireless networks.

Friday, March 9, 2012

NIST Releases Final Smart Grid 'Framework 2.0' Document

Framework will provide an expanded view of the architecture of the Smart Grid

An updated roadmap for the Smart Grid is now available from the National Institute of Standards and Technology (NIST), which recently finished reviewing and incorporating public comments into the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0.

The 2.0 Framework lays out a plan for transforming the nation's aging electric power system into an interoperable Smart Grid—a network that will integrate information and communication technologies with the power-delivery infrastructure, enabling two-way flows of energy and communications.

The final version reflects input from a wide range of stakeholder groups, including representatives from trade associations, standards organizations, utilities and industries associated with the power grid.

Refer here to read further details or here to download the document.

Monday, February 20, 2012

Learn the process of documentation writing to implement ISO 27001

ISO 27001 Video Tutorials

One of the biggest obstacles for companies starting to implement ISO 27001 is writing various documents required by this information security standard.

Information Security & Business Continuity Academy has launched ISO 27001 Video Tutorials, a new product that facilitates the process of documentation writing.

According to the ISO Survey of Certifications published by the International Organization for Standardization (ISO), ISO 27001 is among the 5 most popular management standards, and is also one of the standards with the highest growth in the number of certified companies – about 20% annually.

However, it is less well known that a large percentage of companies that start to implement this standard never finish the job. The reason for failure is very often insufficient time or a lack of knowledge for writing the documentation – ISO 27001 has very specific requirements about what the documentation should look like.

At the moment 13 video tutorials are available, and each month 2 new tutorials will be published. A total of 50 video tutorials are planned, which will cover all the steps in ISO 27001 implementation – from setting up the project all through successful certification.

Dejan Kosutic, the author of the video tutorials said:
"I've worked with quite many companies as a consultant, and most of those companies struggle with the same thing – how to fill in the documentation. I believe these video tutorials will increase the success rate of ISO 27001 projects by at least 25%, and increase the speed of implementation by 50%".

Sunday, January 15, 2012

Signcryption: New Technology & Standard to improve Cyber Security

Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously

For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

UNC Charlotte professor Yuliang Zheng invented the new technology and continues his research in the College of Computing and Informatics. After a nearly three-year process, his research efforts have been formally recognized as an international standard by the International Organization for Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signcryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”
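As an added example, not code from the article and not the mechanism text of the ISO standard, the Python below implements the SDSS1 variant of Zheng's original signcryption scheme (CRYPTO 1997) to show the "simultaneous" property described above: one operation produces ciphertext plus an authenticity tag, and one check recovers the message only if it is intact and from the claimed sender. Choices that are mine, not the page's: RFC 3526 group 14 as the group, SHAKE-256 as the keystream, HMAC-SHA256 as the keyed hash, and a constructed login string as the message.

```python
"""Zheng's signcryption (SDSS1 variant): one operation yields both
confidentiality and origin authentication, replacing sign-then-encrypt.
Added example; not from the article or from the ISO standard text."""
import hashlib
import hmac
import secrets

# Group parameters: RFC 3526 MODP group 14 (2048-bit safe prime).
# g = 2 generates the subgroup of prime order q = (p - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2


def keygen():
    """Long-term key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _split_key(shared: int):
    """hash(g^(x*x_b)) split into k1 (confidentiality) and k2 (authenticity)."""
    k = hashlib.sha512(shared.to_bytes(256, "big")).digest()
    return k[:32], k[32:]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """SHAKE-256 keystream XOR; acceptable only because k1 is fresh per message."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _keyed_hash(k2: bytes, m: bytes) -> bytes:
    return hmac.new(k2, m, hashlib.sha256).digest()


def signcrypt(x_a: int, y_b: int, m: bytes):
    """Alice (private x_a) signcrypts m for Bob (public y_b) -> (c, r, s)."""
    while True:
        x = secrets.randbelow(Q - 1) + 1          # fresh per message
        k1, k2 = _split_key(pow(y_b, x, P))       # only Bob can recompute this
        c = _xor_stream(k1, m)                    # confidentiality
        r = int.from_bytes(_keyed_hash(k2, m), "big")   # authenticity tag
        denom = (r + x_a) % Q
        if denom:                                 # r + x_a must be invertible mod q
            s = x * pow(denom, -1, Q) % Q         # SDSS1: s = x / (r + x_a)
            return c, r, s


def unsigncrypt(x_b: int, y_a: int, c: bytes, r: int, s: int):
    """Bob recovers m and checks it came from Alice; None on tampering or impostor."""
    if not 0 <= r < 1 << 256:                     # tag is a 256-bit HMAC output
        return None
    # (y_a * g^r)^(s*x_b) = g^((x_a+r) * x/(x_a+r) * x_b) = y_b^x, Alice's shared value
    shared = pow(y_a * pow(G, r, P) % P, s * x_b % Q, P)
    k1, k2 = _split_key(shared)
    m = _xor_stream(k1, c)
    if not hmac.compare_digest(_keyed_hash(k2, m), r.to_bytes(32, "big")):
        return None
    return m


def demo():
    """Round trip, plus the two failures a defender cares about: modified
    ciphertext and a message from someone other than the claimed sender."""
    x_a, y_a = keygen()                 # Alice
    x_b, y_b = keygen()                 # Bob (the bank)
    x_e, y_e = keygen()                 # Eve, trying to pass as Alice
    login = b"user=alice&pw=correct-horse-battery"   # constructed sample
    c, r, s = signcrypt(x_a, y_b, login)
    intact = unsigncrypt(x_b, y_a, c, r, s) == login
    tampered = unsigncrypt(x_b, y_a, bytes([c[0] ^ 1]) + c[1:], r, s) is None
    c2, r2, s2 = signcrypt(x_e, y_b, login)      # Eve's own signcryption
    impostor = unsigncrypt(x_b, y_a, c2, r2, s2) is None
    return intact, tampered, impostor


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```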

Thursday, December 8, 2011

Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond

Utility Cyber Security is in a State of Near Chaos

Market analysis and consulting provider Pike Research has released a report examining the current state of utility cyber security, and the prognosis is far from comforting.

The report, titled Utility Cyber Security - Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond, concludes that although a great deal of attention has shifted to protecting systems that govern infrastructure over the past eighteen months, utilities have a long way to go in protecting critical networks.

The report quotes:

"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended."

One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

"Cyber security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions," the report maintains.

The market for industrial control systems security solutions is fairly wide open, and the Pike report contends that there will be an influx of competition in the field over the next few years.

"Security vendors have finally found time to focus on industrial control system (ICS) security, not only on advanced metering infrastructure (AMI) security – although a few security vendors have focused on ICS from the outset. The utility cyber security market will be characterized by a frantic race to gain the upper hand against the attackers, while at the same time strong competitors attempt to outdo each other," the report warns.

The Pike report focuses on the following issues:
  • What factors could drive smart grid cyber security investment?
  • How important could industrial control system (ICS) security be?
  • What has changed since Stuxnet was discovered?
  • What is the effect of the lack of smart grid cyber security standards?
  • What are the most promising smart grid cyber security technologies?

Last week, the National Institute of Standards and Technology (NIST) released the updated standards guidelines for converting the nation's outdated power grid structure to a modern smart grid operation.

The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0 outlines the game plan to "integrate information and communication technologies with a power-delivery infrastructure, enabling two-way flows of energy and communications," according to the NIST.

"Making such dramatic changes to the power grid requires an overarching vision of how to accomplish the task, and this updated Framework advances that vision," said NIST's National Coordinator for Smart Grid Interoperability George Arnold.

"Utilities, manufacturers, equipment testers and regulators will find essential information in the Framework that was not previously available," Arnold continued.

The updates include the addition of twenty-two standards to the previously released seventy-five issued in the standard's first edition in 2010.

Friday, November 4, 2011

5 Essential Characteristics of Cloud Computing

The NIST Definition of Cloud Computing

To employ new technologies effectively, such as cloud computing, organizations must understand what exactly they're getting. With this in mind, the National Institute of Standards and Technology has issued its 16th and final version of The NIST Definition of Cloud Computing.

"When agencies or companies use this definition, they have a tool to determine the extent to which the information technology implementations they are considering meet the cloud characteristics and models," says Peter Mell, a NIST computer scientist who coauthored the report, also known as Special Publication 800-145.

"This is important because by adopting an authentic cloud, they are more likely to reap the promised benefits of cloud: cost savings, energy savings, rapid deployment and customer empowerment," Mell says. "And, matching an implementation to the cloud definition can assist in evaluating the security properties of the cloud."

The special publication includes the five essential characteristics of cloud computing:

On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops and workstations).

Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state or datacenter). Examples of resources include storage, processing, memory and network bandwidth.

Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for the provider and consumer.

SP 800-145 also defines four deployment models - private, community, public and hybrid - that together categorize ways to deliver cloud services.

NIST says the definitions are intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.

Saturday, October 8, 2011

NIST: Continuous Monitoring Guidance Issued

NIST: Also Revises SCAP Special Report

NIST made public its guidance on how best to employ continuous monitoring to assure the security of information and information systems.

Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, provides guidance on defining an information security continuous monitoring strategy and establishing an information security continuous monitoring program.

The National Institute of Standards and Technology said the purpose of the guideline is to assist organizations in developing a continuous monitoring strategy and implementing a program that provides awareness of threats and vulnerabilities, visibility into organizational assets and information about the effectiveness of deployed security controls.

According to the publication, the strategy:
  • Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization.
  • Includes metrics that provide meaningful indications of security status at all organizational tiers.
  • Ensures continued effectiveness of all security controls.
  • Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
  • Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.
  • Ensures knowledge and control of changes to organizational systems and environments of operation.
  • Maintains awareness of threats and vulnerabilities.

NIST also unveiled the final release of SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.

SCAP consists of a suite of specifications for standardizing the format and nomenclature in which software flaw and security configuration information is communicated, both to machines and to humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content and the SCAP requirements not defined in the individual component specifications.

Major changes in version 1.2 include the addition of the Asset Reporting Format, Asset Identification, the Common Configuration Scoring System, and the Trust Model for Security Automation Data, which provides support for digitally signing SCAP source and result content.

Thursday, July 21, 2011

Security analysis of Dutch smart metering systems

Smart metering must offer a security level as high as for money transfers - Dutch minister of Economic Affairs

Smart meters enable utility companies to automatically read out metering data and to give consumers insight into their energy usage, which should lead to a reduction in energy usage. To regulate smart meter functionality, the Dutch government commissioned the NEN to create a Dutch standard for smart meters, which resulted in the NTA-8130 specification.

Currently the Dutch grid operators are experimenting with smart meters in various pilot projects. In this project we have analyzed the current smart meter implementations and the NTA using an abstract model based on the CIA triad (Confidentiality, Integrity and Availability). It is important that no information can be obtained by unauthorized parties, that smart meters cannot be tampered with and that suppliers get correct metering data.

It was concluded that the NTA is not specific enough about the security requirements of smart meters, which leaves this open for interpretation by manufacturers and grid operators. Suppliers do not take the privacy aspect of the consumer data seriously. Customers can only get their usage information through poorly secured websites. The communication channel for local meter configuration is not secured sufficiently: consumers might even be able to reconfigure their own meters.

Also, the communication channels that are used between the smart meter and gas or water meter are often not sufficiently protected against data manipulation. It is important that communication at all stages, starting from the configuration of the meter to the back-end systems and websites, is encrypted using proven technologies and protected by proper authentication mechanisms.

Refer here to download the full report.

Monday, June 13, 2011

New PCI standard version 2.0 has been finalized

Changes Minor, But Non-Compliant Merchants Won't Get Leniency

Merchant and service provider validation requirements are still the same. In fact, if you were compliant in the past, there is nothing terribly new. But if you had once sought shortcuts or attempted granular inferences, 2.0 may indeed prove discomforting.

Clarifications in 2.0

First and foremost, the new standard clearly spells out that the cardholder data environment includes "people, processes and technology" that touch the payments chain in any way. That means any entity that stores card data, processes or transmits card data, or touches authentication data must comply with the PCI-DSS.

If your organization ever sought to escape the stringency of the DSS by theorizing that it was only applicable to electronic cardholder data, the new guidance should clarify that even you must comply.

Secondly, the standard's use of "system components" was given a more inclusive definition. System components include all virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors. Virtualization was further integrated into requirement 2.2.1's limitation to one primary function per virtual server or device, though whether or not DMZ-based and internal network zone devices could be virtualized within the same physical hardware was not clarified.

Among the 314 other clarifications included in the new version and guidance, several other points are worthy of mention:
  • The standard applies to issuers and recognition was given to their need to securely store any retained sensitive authentication data.
  • Requirement 3.6 allows the use of cryptoperiods, rather than solely annual key rotation. If the impact of annual rotation has proven burdensome and the risk posed by less frequent key rotation is low, this should be a welcome change. [See NIST Special Publication 800-57 for more information about the standard cryptoperiod.]
  • Requirement 3.6.6 was clarified as requiring split knowledge and dual control for manual clear-text cryptographic key management operations only. For those using dynamic key management appliances, this should already be a native function.
  • Requirement 6.2 included the use of risk rankings for identified vulnerabilities as a best practice until June 30, 2012, after which it becomes a requirement. To accomplish this, NIST Special Publication 800-30 is a suggested resource. Further, most organizations will likely find it easier to document all operating-system-related critical patches as "high" risk than to rank each individual patch.
  • Requirement 12.3.10 added the ability to copy, move or store cardholder data on local hard drives and removable electronic media for authorized individuals; presumably, however, many will be challenged by scope implications.
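Two of the bullets above (Requirement 3.6 cryptoperiods and Requirement 3.6.6 split knowledge/dual control) translate directly into checks an assessor or key custodian can run over a key inventory. The script below is an added example, not text from the PCI Council or from this post; the key inventory, the field names and the rotation thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ANNUAL_DAYS = 365  # the pre-2.0 flat annual rotation interval, kept as the comparison baseline
AS_OF = date(2011, 4, 1)  # assessment date for the constructed sample below


@dataclass(frozen=True)
class KeyRecord:
    """One entry in a constructed key inventory (sample data, not from any real environment)."""
    key_id: str
    created: date
    cryptoperiod_days: int      # documented cryptoperiod for this key
    risk_rationale: str         # written justification for a cryptoperiod over a year ("" if none)
    manual_cleartext_ops: bool  # clear-text key material is handled manually (Req. 3.6.6 applies)
    custodians: int             # people needed to reconstruct the key (split knowledge / dual control)


def rotation_due(record: KeyRecord) -> date:
    """Rotation deadline derived from the key's cryptoperiod rather than a flat annual rule."""
    return record.created + timedelta(days=record.cryptoperiod_days)


def assess_key(record: KeyRecord, today: date) -> list:
    """Return the findings for one key; an empty list means nothing was flagged."""
    findings = []
    if today > rotation_due(record):
        findings.append("rotation overdue")
    # A cryptoperiod longer than the old annual interval is permitted, but only where the lower
    # rotation frequency has been judged low-risk and that judgement is documented.
    if record.cryptoperiod_days > ANNUAL_DAYS and not record.risk_rationale.strip():
        findings.append("cryptoperiod exceeds one year without documented risk rationale")
    # Req. 3.6.6: split knowledge and dual control are required for manual clear-text operations only,
    # so a single custodian is acceptable where an appliance performs the operations.
    if record.manual_cleartext_ops and record.custodians < 2:
        findings.append("manual clear-text key operations without dual control")
    return findings


def assess_inventory(records: list, today: date) -> dict:
    """Map each key id to its list of findings."""
    return {r.key_id: assess_key(r, today) for r in records}


# Constructed sample inventory: one overdue key, one compliant two-year key, one with two findings.
SAMPLE_KEYS = [
    KeyRecord("dek-01", date(2010, 1, 10), 365, "", False, 1),
    KeyRecord("dek-02", date(2009, 6, 1), 730, "low transaction volume; HSM-backed", True, 2),
    KeyRecord("kek-01", date(2010, 3, 15), 1095, "", True, 1),
]

if __name__ == "__main__":
    for key_id, findings in assess_inventory(SAMPLE_KEYS, AS_OF).items():
        print(key_id, findings or ["no findings"])
```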
It may sound counter-intuitive, but 53 testing procedures were added to simplify assessment and compliance management. Most of these are breakouts of the requirement verbiage. For instance, what had been listed as bullets under 4.1.a is now broken out into 4.1.a-4.1.e.

Redundancies also found in v1.2.1, which related to internal and Web-based application requirements 6.3 and 6.5, have been consolidated. Now, 6.5 includes the SANS CWE Top 25 and CERT Secure Coding best practice references.

Nevertheless, many hot-button items, such as tokenization, remain open to interpretation. Questions surrounding tokenization, virtualization and physical hardware remain unanswered.

For now, and potentially until 2013 when release version 3.0 is expected, we may be left to wonder. In the meantime, for those looking to adopt 2.0, take a look at the PCI Council's tips for understanding the guidance: Navigating PCI DSS: Understanding the Intent of the Requirements.

Wednesday, April 20, 2011

Do your security policies meet leading standards?

Get the free Security Policy checkup!

Information Shield’s free 15-Point Security Policy Checkup allows you to quickly assess your security policy program in 15 core areas against leading practices from standard frameworks including COBIT™, HIPAA, ISO 27002, PCI-DSS and NIST.

Get the Security Policy Checkup now: http://bit.ly/eE5I8Z

Wednesday, February 16, 2011

Aussie banks expose credit card details

Australia's biggest banks are posting credit card numbers in clear view on mailed customer statements in a direct violation of credit card security regulations.

Placing numbers where any mail thief could grab them is a fundamental breach of the troubled Payment Card Industry Card Data Security Standard (PCI DSS), according to sources in the industry.

The industry standard, drafted by card issuers Visa, MasterCard and American Express and enforced by banks, is a series of security rules to which any business dealing with credit card transactions must adhere.

The standard is a collaborative industry effort to reduce financial fraud by mandating baseline security measures that essentially must accompany any credit card transaction. A call centre operator, for example, would be required to destroy a paper note if it was used to temporarily jot down a credit card number, while a website that stores transaction information must ensure it is adequately secure.

Non-compliant large businesses — or Tier 1 organisations bound by strict rules — face hundreds of thousands of dollars in fines, and risk losing their ability to process credit cards. The fines scale according to the number of credit card transactions processed.

But St George and the Commonwealth Bank have breached rule 101 of the standard by sending out potentially millions of paper statements to letterboxes that clearly detail credit card numbers in full.

Refer here for more details.

Wednesday, February 9, 2011

Monitoring of Power Grid Cyber Security

Efforts to Secure Nation’s Power Grid Ineffective

The official government cybersecurity standards for the electric power grid fall far short of even the most basic security standards observed by noncritical industries, according to a new audit.

The standards have also been implemented spottily and in illogical ways, concludes a Jan. 26 report from the Department of Energy’s inspector general (.pdf). And even if the standards had been implemented properly, they “were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”

At issue is how well the Federal Energy Regulatory Commission, or FERC, has performed in developing standards for securing the power grid, and ensuring that the industry complies with those standards. Congress gave FERC jurisdiction in 2005 over the security of producers of bulk electricity — that is, the approximately 1,600 entities across the country that operate at 100 kilovolts or higher. In 2006, FERC then assigned the North American Electric Reliability Corporation (NERC), an industry group, the job of developing the standards.

The result, according to the report, is deeply flawed.

The standards, for example, fail to call for secure access controls — such as requiring strong administrative passwords that are changed frequently, or placing limits on the number of unsuccessful login attempts before an account is locked. The latter is a security issue that even Twitter was compelled to address after a hacker gained administrative access to its system using a password cracker.

The report is particularly timely in light of the discovery last year of the Stuxnet worm, a sophisticated piece of malware that was the first to specifically target an industrial control system — the kind of system that is used by nuclear and electrical power plants.

The security standards, formally known as the Critical Infrastructure Protection, or CIP, cybersecurity reliability standards, were in development for more than three years before they were approved in January 2008. Entities performing the most essential bulk electric-system functions were required to comply with 13 of the CIP requirements by June 2008, with the remaining requirements phased in through 2009.

The report indicates that this time frame was out of whack, since many of the most critical issues were allowed to go unaddressed until 2009. For example, power producers were required to begin reporting cybersecurity incidents and create a recovery plan before they were required to actually take steps to prevent the cyber intrusions in the first place — such as implementing strong access controls and patching software vulnerabilities in a timely manner.

The standards are also much less stringent than FERC’s own internal security policy. The standards indicate passwords should be a minimum of six characters and changed at least every year. But FERC’s own, internal security policy requires passwords to be at least 12 characters long and changed every 60 days.

One of the main problems with the standards seems to be that they fail to define what constitutes a critical asset and therefore permit energy producers to use their discretion in determining whether they even have any critical assets. Any entity that determines it has no critical assets can consider itself exempt from many of the standards. Since companies are generally loath to invest in security practices unless they absolutely have to — due to costs — it’s no surprise that the report found many of them underreporting their lists of critical assets.

“For example, even though critical assets could include such things as control centers, transmission substations and generation resources, the former NERC Chief Security Officer noted in April 2009 that only 29 percent of generation owners and operators, and less than 63 percent of transmission owners, identified at least one critical asset on a self-certification compliance survey,” the report notes.

Refer here to download the report.

Tuesday, March 3, 2009

Safety of the data means more than protecting information

Unplanned Security - It can be life threatening.

Imagine for just a moment that it's 6:30 a.m. and you are a patient in a hospital waiting for surgery. It's a routine operation to remove your gall bladder (one of those throw-away parts), and no big deal. What you don't know, however, is that the hospital's computer network was recently redesigned. The support staff moved all of the critical applications from the mainframe to a distributed network environment. In the rush to move from one platform to another, management never developed security policies and procedures for the new systems. So the hospital support staff never configured security. On the surface, the right-sized network is running smoothly. Underneath, however, anyone on the hospital network can steal, modify, or destroy patient information on the servers.


Yesterday, when you were admitted to the hospital, you had some pre-op testing done to make sure that you don't have an infection. They did blood work and a chest X-ray -- the standard pre-op stuff. You wake up early the next day, 4:00 a.m., and your surgery isn't for several hours. You wake up because you're a little nervous about getting that gall bladder removed. After considering the problems it was giving you, you decide you will be better off without it. Feeling calm, you fall back to sleep and have a few pleasant dreams.

Six a.m. rolls around. The doctor calls down from the operating room. He tells the nurse that he wants the results of your pre-op tests sent with you to the operating room. Since the results haven't come back to the floor yet, the nurse logs into the computer to get your results. They are normal. Or, at least they are now.

What your nurse doesn't know is that a hacker broke into the server and changed your test results from abnormal to normal. Before the information was modified, the results of your lung X-ray review noted a questionable shadow -- maybe just congestion, or maybe pneumonia. Results that would tell your doctor to postpone the surgery to avoid possible complications that could lead to respiratory failure.

Since your doctor doesn't get those results, he operates anyway. Your gall bladder takes the route your tonsils took many years ago. It appears to have been a successful operation. That is, until the anesthesiologist notifies your surgeon that he can't seem to get you off the respirator. He orders a repeat chest X-ray, which shows a dense pneumonia. He then requests your pre-op X-ray, which shows a smaller shadow in the same area. He calls your surgeon wanting to know why he did an elective surgery on a patient with preexisting pneumonia. Your doctor can't be reached because he is busy filling out your death certificate. Guess what? Your lungs gave out -- you are dead.

This is one case when the safety of the data means more than protecting information -- it means protecting lives. Pretty scary when you consider just how much real hospitals rely on their computers. Just imagine....

Tuesday, July 22, 2008