Sunday, April 21, 2013

Industrial Control Systems (ICS) Security Awareness Poster

Control Systems Are A Target, Need Some Awareness?

One of the challenges we face in the Industrial Control System (ICS) community is awareness. People maintaining our critical infrastructure do not realize how fragile and targeted the supporting cyber systems are, including PLCs, Relays, RTUs and entire SCADA networks.

This poster was developed by a community team of industry ICS experts to help ICS Engineers and Operators understand just how much they are a target and why. As always, the first step to changing behaviors is engagement, and the first step to engagement is ensuring people know they are a target. 

Feel free to download, print and distribute this poster amongst your organization and peers. This poster is just the first in a series of resources and training to be released by SANS's new ICS group.

Download now a high-resolution version from our Security Awareness Posters section.

Friday, April 19, 2013

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australia government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, DSD stated that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including their status in implementing Infosec 4, to the relevant minister.

Wednesday, April 17, 2013

Can Enterprise rely on MDM to achieve Mobile Security?


mRAT spyware bypasses mobile enterprise controls
Mobile remote access Trojan (mRAT) infections are increasing and bypassing mobile enterprise security controls, putting businesses at risk of cyber espionage, research has revealed.
mRATs are capable of intercepting third-party applications such as WhatsApp, despite guarantees of encrypted communications, the study of 2 million smartphone users by Lacoon Mobile Security found.
The research also showed that mRATs are similarly able to bypass security controls in mobile device management (MDM) systems, which a growing number of businesses rely on for mobile security.
mRATs are designed to carry out cyber espionage and typically enable eavesdropping on calls and meetings, extracting information from email and text messages and location tracking of executives.
The spyware requires a backdoor for installation, through the rooting of Google Android or the jailbreaking of Apple iOS devices.
The research found that mRATs can bypass rooting and jailbreaking detection mechanisms installed on handsets, with 52% of infected devices found running iOS and 35% running Android.
The attacks undermine the basic notion of a secure container on which most MDM systems are based, according to Lacoon Mobile Security.
MDM systems create secure containers that separate business and personal data on the mobile, in an attempt to prevent business-critical data from leaking.
However, the research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it.

Mobile best practices and technologies include:
  • Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable a network protection layer to block exploits and drive-by attacks, and prevent the device from accessing enterprise resources when the risk is high.
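One of the practices listed above, uncovering anomalies in outbound communications to C&C servers, shown in working code. This is an added example and is not part of the article or of Lacoon's product; it assumes a constructed connection log in a simple "epoch device destination" format and uses a plain beaconing heuristic: many connections at a near-constant interval to a destination that is rare across the fleet.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of outbound connection records from managed mobile
// devices (not real data): "epoch_seconds device_id destination".
// phone-17 contacts 203.0.113.45 roughly every five minutes, a pattern
// no other device shows; the remaining destinations are shared by the fleet.
const sampleLog = `1366180000 phone-17 api.example-mail.com
1366180021 phone-17 203.0.113.45
1366180300 phone-17 203.0.113.45
1366180602 phone-17 203.0.113.45
1366180899 phone-17 203.0.113.45
1366181201 phone-17 203.0.113.45
1366180010 phone-22 api.example-mail.com
1366180120 phone-22 cdn.example.net
1366180715 phone-22 api.example-mail.com
1366181340 phone-22 cdn.example.net
1366180040 phone-31 api.example-mail.com
1366180777 phone-31 cdn.example.net`

type conn struct {
	ts     int64
	device string
	dst    string
}

// Finding describes one (device, destination) pair that looks like beaconing.
type Finding struct {
	Device       string
	Dst          string
	Count        int
	MeanInterval float64 // seconds between connections
	Jitter       float64 // stddev/mean of the intervals; near 0 means metronomic
}

// parseLog parses "epoch device dst" records, skipping malformed lines.
func parseLog(s string) []conn {
	var out []conn
	for _, line := range strings.Split(s, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		ts, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			continue
		}
		out = append(out, conn{ts: ts, device: f[1], dst: f[2]})
	}
	return out
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (mean, std float64) {
	if len(xs) == 0 {
		return 0, 0
	}
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	var ss float64
	for _, x := range xs {
		ss += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(ss / float64(len(xs)))
}

// DetectBeacons flags pairs with at least minCount connections whose interval
// jitter is at most maxJitter and whose destination is contacted by fewer than
// rareBelow devices; fleet-wide rarity is what separates a C&C channel from a
// shared mail or CDN endpoint that also polls on a timer.
func DetectBeacons(records []conn, minCount int, maxJitter float64, rareBelow int) []Finding {
	type pair struct{ device, dst string }
	times := map[pair][]int64{}
	devicesPerDst := map[string]map[string]bool{}
	for _, r := range records {
		p := pair{r.device, r.dst}
		times[p] = append(times[p], r.ts)
		if devicesPerDst[r.dst] == nil {
			devicesPerDst[r.dst] = map[string]bool{}
		}
		devicesPerDst[r.dst][r.device] = true
	}
	var findings []Finding
	for p, ts := range times {
		if len(ts) < minCount || len(devicesPerDst[p.dst]) >= rareBelow {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		intervals := make([]float64, 0, len(ts)-1)
		for i := 1; i < len(ts); i++ {
			intervals = append(intervals, float64(ts[i]-ts[i-1]))
		}
		mean, std := meanStd(intervals)
		if mean == 0 || std/mean > maxJitter {
			continue
		}
		findings = append(findings, Finding{p.device, p.dst, len(ts), mean, std / mean})
	}
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].Device+findings[i].Dst < findings[j].Device+findings[j].Dst
	})
	return findings
}

// AnalyzeSample runs the detector over the constructed log with thresholds
// suited to five-minute beacons: 4+ connections, jitter <= 10%, destination
// seen from only one device.
func AnalyzeSample() []Finding {
	return DetectBeacons(parseLog(sampleLog), 4, 0.10, 2)
}

func main() {
	for _, f := range AnalyzeSample() {
		fmt.Printf("%s -> %s: %d connections, every %.0fs (jitter %.3f)\n",
			f.Device, f.Dst, f.Count, f.MeanInterval, f.Jitter)
	}
}
```

The thresholds are the tunable part: lowering minCount or raising rareBelow will start flagging legitimate polling (the mail API above is contacted by every device on its own schedule), so in practice the rarity threshold is set against the whole fleet and the interval window against the implants actually seen, not against one sample.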


Monday, April 15, 2013

Australian Feds charge 17 year-old 'Anon' with four crimes

17-year-old suspected member of ‘Anonymous’ charged with unauthorised access to computer data

A 17-year-old youth appeared in Parramatta Children's Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data. The juvenile is suspected to be a member of the online issue-motivated group "Anonymous" and allegedly committed serious offences on their behalf.

Commander Glen McEwen, Manager Cybercrime Operations, said the AFP takes any computer intrusion offences very seriously and remains committed to investigating offences that occur in cyberspace. "Protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue," Commander McEwen said. "The AFP investigates various types of cybercrime and will continue to take a strong stance against these perpetrators."

Refer here to read more details.

Monday, April 8, 2013

Think someone may be reading your emails?

Encrypt them, and they can't

Are you sending confidential information in your email, text and instant messages? If so, you could be exposing it to a lot of peeping eyes...and they may decide to do bad things with it!

Here are some ways to encrypt your digital messages:

  • In Outlook, within your message, go to File, Properties, Security Settings, and click the box for "Encrypt message contents and attachments."
  • If you use some type of webmail, most good ones offer SSL as a security option; use it. It encrypts the messages *while they are traveling through the Internet.*

    However, it is not the same as encrypting the message itself. Your messages are still in clear text within the mail box storage, and when forwarded elsewhere not using an SSL-encrypted transmission method.
  • For webmail, consider getting an add-on tool, such as Armacrypt.
  • Another email option is Hushmail.
  • Consider using an up-to-date version of PGP.
  • Here's a pretty good discussion of encrypting text messages on Android devices.
  • Here are some smartphone encryption apps to consider.

Useful TIP! Don't send any sensitive or confidential information using social network messaging systems, such as Facebook mail. While you can have the *connection* (meaning while it is traveling from you to your recipient) encrypted using SSL, it does not encrypt the message itself, leaving it in clear text within the many Facebook repositories.
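The distinction the post draws between SSL on the connection and encrypting the message itself, shown as working code. This is an added example, not code from the original post or from any of the products it names: it implements the hybrid scheme that tools such as PGP use (a random content key encrypts the body, the recipient's public key wraps that key), so that whatever the mail provider stores holds no clear text and cannot be altered without the recipient noticing. The key sizes, the sample message and the RoundTrip helper are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredMessage is what the mail provider keeps and relays for an end-to-end
// encrypted message. Transport encryption (SSL/TLS) protects the hop to the
// server; this structure is what protects the message at rest in the mailbox.
type StoredMessage struct {
	WrappedKey []byte // random content key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM ciphertext with its authentication tag
}

// Encrypt seals body for the holder of pub using hybrid encryption:
// a fresh AES-256 key encrypts the body and RSA-OAEP wraps that key.
func Encrypt(pub *rsa.PublicKey, body []byte) (*StoredMessage, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &StoredMessage{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// Decrypt unwraps the content key with priv and opens the body; it fails if
// any byte of the stored message was altered.
func Decrypt(priv *rsa.PrivateKey, m *StoredMessage) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// RoundTrip generates a recipient key pair, encrypts body, checks whether the
// stored form exposes the body, decrypts, and confirms a modified copy is rejected.
func RoundTrip(body string) (recovered string, storedInClear, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	msg, err := Encrypt(&priv.PublicKey, []byte(body))
	if err != nil {
		return "", false, false, err
	}
	// The mailbox holds msg: does the body appear in it anywhere?
	storedInClear = bytes.Contains(msg.Ciphertext, []byte(body))
	pt, err := Decrypt(priv, msg)
	if err != nil {
		return "", storedInClear, false, err
	}
	// Flip one bit of the stored ciphertext, as a mailbox tamper would.
	tampered := *msg
	tampered.Ciphertext = append([]byte(nil), msg.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Decrypt(priv, &tampered)
	return string(pt), storedInClear, tamperErr != nil, nil
}

func main() {
	rec, clear, tamper, err := RoundTrip("Draft contract attached, do not forward.")
	fmt.Printf("recovered=%q storedInClear=%v tamperDetected=%v err=%v\n", rec, clear, tamper, err)
}
```

What this buys you is exactly what the post describes: the provider, a forwarding hop that is not SSL-protected, or anyone reading the mailbox sees only WrappedKey, Nonce and Ciphertext. What it does not buy you is protection on the endpoints, where the message is necessarily in the clear once decrypted, which is why the private key and the device holding it still need protecting.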

Wednesday, April 3, 2013

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Let's say you have an external hard drive that stopped. Completely. Unexpectedly.

Did you have backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you from feeling the pain of a failed hard drive:

  • Invest in an external backup drive for storing your backups. You can see some good guidance here.
  • For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store it at a different, secure location, such as a bank safety deposit box.
  • Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  • Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  • If personal information is on your backup drive, encrypt it!
  • If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  • Regularly test backups to ensure the backup data is actually good.

Saturday, March 30, 2013

Free eBook: 9 Steps to Cybersecurity

Explanation of Cybersecurity and How to Properly Integrate it into Your Organization

9 Steps to Cybersecurity from expert Dejan Kosutic is a free eBook designed specifically to take you through all cybersecurity basics in an easy-to-understand and easy-to-digest format.

You will learn how to plan cybersecurity implementation from top-level management perspective. Additionally, Kosutic covers all of your options and how to choose the ones that ultimately will work best.

President Obama issued “Executive Order - Improving Critical Infrastructure Cybersecurity" on February 12, 2013. 9 Steps to Cybersecurity will inform you of what you need to know at this timely and critical juncture. The goal of this book is to give you the essential information you need to make decisions that are crucial for the future of your organization. Simply fill out the short form on the right-hand side of the screen to download 9 Steps to Cybersecurity today.

Why is this Book Essential for You?

  • Learn how to use risk management to make your cybersecurity a profitable investment
  • Find out how cybersecurity can give your company an invaluable marketing edge
  • Learn how to comply with various information security laws and regulations, including U.S. Executive Order - Improving Critical Infrastructure Cybersecurity
  • Discover the invaluable tips for persuading upper management to act immediately
  • Uncover the key elements of the CIA triad (Confidentiality, Integrity and Availability) and why it is vital to your company
  • Learn everything you need to know in order to develop a cybersecurity plan and monitor the implementation by setting measurable targets

Who Should Read this Timely, Free eBook on Cybersecurity?

Anyone interested in the cutting edge of cybersecurity and what is necessary to secure information should download 9 Steps to Cybersecurity, which can be read in less than 2 hours. This free eBook will be of tremendous interest to any executives wishing to be well versed in the latest cyber safety information. CEOs, CFOs, Chief Information Security Officers and other managers will find this detailed and informative examination of the current state of cybersecurity to be a must-read book. Additionally, 9 Steps to Cybersecurity is written in completely non-technical language - Kosutic's goal was for the book to be easily accessible to all executives, regardless of whether they have technical knowledge.

Once you’ve read Dejan Kosutic's book, you will have a clear concept of cybersecurity, and the direction that your company should take. You will be able to properly implement cybersecurity and comply with the regulations and relevant deadlines. 9 Steps to Cybersecurity was specifically written to provide much-needed clarity and help you chart the most direct and most effective path for your company, period.

Download this free book today and go well beyond the jargon and the confusion.

Thursday, March 28, 2013

Hackers steal photos, turn Wi-Fi cameras into remote surveillance device

Electronic manufacturers need to start putting some real thought into securing the devices and protecting privacy!

With so many people seizing the convenience of using their smartphone cameras to point, shoot and share, embedded GPS location and all, digital camera manufacturers have been offering more "social" options such as built-in Wi-Fi capabilities and camera apps to quickly share photos and videos.

In fact, if a digital single-lens reflex (DSLR) camera isn't Wi-Fi enabled, some photographers go the Wi-Fi SD card route and others create hacks to give that camera wireless file transfer capabilities.

While there have been plenty of researchers working on ways to exploit smartphones for remote spying, such as the scary PlaceRaider, an Android app that remotely exploits the camera and secretly snaps a picture every two seconds, there has not been as much research into exploiting DSLR Wi-Fi-enabled cameras. However, security researchers from ERNW changed that by showing how to exploit vulnerabilities in order to steal photos and turn a DSLR camera into a spying device.

In the presentation Paparazzi over IP, Mende and Turbing explained that there are four ways the Canon EOS-1D X can communicate with a network: FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the EOS Utility Mode.

They were able to attack and exploit all four, saying, "Not only did we discover weak plaintext protocols used in the communication, we've also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the 'upload to the clouds' feature resulted in an image stealing Man-in-the-Imageflow."


Refer here to read further details.

Saturday, March 23, 2013

7 Key Duties Of CISOs

CISO's Responsibilities 

The CISO's responsibilities would include: 

  1. Overseeing the establishment and maintenance of a security operation that through automated and continuous monitoring can detect, contain and mitigate incidents that impair information security and enterprise information systems;
  2. Developing, maintaining and overseeing an enterprise-wide information security program;
  3. Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
  4. Training and overseeing personnel with significant responsibilities for information security;
  5. Assisting senior agency officials on cybersecurity matters;
  6. Ensuring the enterprise has a sufficient number of trained and security-cleared personnel to assist in complying with cybersecurity law and procedures;
  7. Reporting at least annually to enterprise executives the effectiveness of the agency information security program; information derived from automated and continuous monitoring, including threat assessments; and progress on actions to remediate threats.

CISOs should possess the necessary qualifications, including the education, training, experience and security clearance needed to do the job.

Thursday, March 21, 2013

Beware of "Facebook Black"

"Facebook Black" malware spreading fast on Facebook

A new virus is hitting Facebook users with a fake "Facebook Black" template that claims to let users switch to a black template instead of the familiar white one.

The malware is spreading rapidly on Facebook: it asks users to click on a link that installs an application. The Facebook Black scam exploits the trust of Facebook users and then forwards itself to their network of friends.

So be warned: do not click on the Facebook Black template.


Revoke access

This malware uses a Facebook API to gain information. If you wish to revoke the access granted to the Facebook Black template virus, do the following:

  • Navigate to the following url: http://www.facebook.com/settings?tab=applications
  • Search for the Facebook Black malware and delete it.

Sunday, March 17, 2013

STORM (Secure Tool for Risk Management)

Designs and keeps up to date the ICT security policy and disaster recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a bundle of services to help your business securely manage its Information and Communication Technology (ICT) systems.

STORM is based on web 2.0 technologies and its main characteristics are:

  • Compliance with Standards
  • Collaboration
  • User Friendliness
  • Reduces complexity
  • Scalability

Some of the key features are:

Cartography:
  • Identify and depict the ICT infrastructure
  • ICT assets (software and hardware) identification

Impact Assessment Service:
  • Recognise the impacts (business, economic, technological, legal) of potential incidents on ICT operations

Threat Assessment Service:
  • Identify threats
  • Evaluate threats

Vulnerability Assessment Service:
  • Identify Vulnerabilities
  • Evaluate Vulnerabilities

Risk Assessment service:
  • Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:
  • Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for demo.

Saturday, March 9, 2013

Are Personal Password Database Sites Safe & Secure?

Basic tips & techniques for your daily password management!

Earlier this month, there was an expert on a popular U.S. morning news show advising people to use personal password database sites to keep track of their passwords. I couldn't disagree more.

While I commend the expert for advising people to use multiple, diverse and difficult-to-guess passwords for their different online accounts, I do not believe storing these passwords in the cloud is the best idea.

Here are four password-keeper services I saw recently being promoted for use within this Payment Systems post. Here are my thoughts on each of the four: 

KeePass: If you want to use this service, use it with a USB drive instead of Dropbox, which has had some security breaches in the past year. Although Dropbox recently announced improved security, I still don't want to entrust my passwords to a cloud service of any kind. (Keep in mind lots of folks working for the cloud service have access to the info, simply as a matter of supporting the service.)

1Password: I'm leery. If someone else gets my computer, will the service's web integration allow them to access all my accounts? I pass on 1Password. 

LastPass and RoboForm: Many security folks approve of LastPass and RoboForm. Indeed, the services have been around for a few years. But I do not like the lack of information about how they secure their sites. I would not use these services, as they are cloud-based, and I simply do not want to share my passwords with others in this way. If you want to use them for managing the passwords for your websites with non-sensitive information, that's an option. However, keep your banking and other financial passwords with you and don't share with an online site.

It continues to be important to have multiple and varied passwords. At a minimum, your social networking passwords should be vastly different from your financial and banking passwords.

As for how to keep a record of these sites, if you don't want to use a password management service like KeePass to store your passwords on your own devices, try an encrypted Excel file, or even a good old-fashioned notebook that you keep locked away.

These alternatives may not be high-tech, but given the vulnerabilities of the password management cloud services, they are much safer right now than relying on cloud-based services, which are major targets for hackers.

Friday, March 8, 2013

Is It Safe & Secure To Use Free Email Service?

If a government wants to peek into your Web-based e-mail account, it is surprisingly easy, most of the time not even requiring a judge’s approval

Ever wonder what Google has planned for all of the information it's collecting on its users? Well, their intentions may be completely irrelevant. As it turns out, Google has been compelled to give over their user data by law enforcement at an increasing and alarming rate.

In the second half of 2012, the tech giant received more than 21,000 requests for information, which represents a 70-percent increase over three years. The majority of the requests came from the federal government, which was hoping for a peek into users' email accounts. In most cases, the Feds didn't need a judge's okay.

Google is fighting back, trying to rally support against government access to personal data. In this professional's opinion, however, that's a bit ironic considering Google's own policies on collecting user information.

Just remember, anytime you are using a webmail site like Gmail for communication, understand your email is absolutely not protected and is not private.

Do not send sensitive information or conduct business using these types of free webmail services.

If you must use these sites, gather the emails through an off-cloud software system, like Microsoft Outlook. Then, configure your Outlook settings to delete the emails from Gmail, Yahoo, Hotmail or whatever cloud email service they are coming from, as soon as Outlook downloads them.

Wednesday, March 6, 2013

Sex Tape Scam Featuring Rihanna and `His’ Boyfriend Hits Facebook

Popular celebrities used by cyber-criminals for hoaxes and fraud

BEWARE! Facebook users are being hit by yet another alleged sex tape featuring Rihanna, one of the most popular celebrities used by cyber-criminals for hoaxes and fraud on the social network.

This time, the scam alleges the American singer was caught with `his boyfriend’ [sic] during sexy times.

Check out how the #scam works and how to protect your Facebook account here: http://bit.ly/Rihanna_Sex_Tape_Scam


Monday, March 4, 2013

Dishing-Off Your Old Device?

Did you know that in the wrong hands that "old" device can mean "new" problems for you?

Have you, like many adults, given a child in your life a hand-me-down mobile device? Maybe it's a "disabled" cell phone or your old iTouch that you let them play around on.

Savvy criminals are increasingly targeting mobile devices (even outdated ones) because they are very often loaded with personal data, including bank and credit card numbers cached in mobile browsers, passwords, contact information, email and GPS histories.

If you are dead-set on letting your children play with these devices, be sure they have been wiped completely clean of your personal and business information. For tips on how to do this, give this eHow Tech post a thorough read.