Web security

Businesses Expansion of Attack Surfaces

One of the main reasons cyber risk continues to increase exponentially is due to the rapid expansion of attack surfaces – the places where software programs are vulnerable to attack or probe by an adversary. Attack surfaces, according to the SANS Institute, can include any part of a company’s infrastructure that exposes its networks and systems to the outside, from servers and open ports to SQLs, email authentication and even employees with “access to sensitive information.” It can also include user input via keyboard or mouse, network traffic and external hardware that is not protected by cyberhardening technology.

It would be easy to blame the Internet of Things (IoT) for the expanding attack surfaces, as Intel projects two billion smart devices worldwide by 2020. But in reality, the IoT is only part of the attack surface epidemic.

According to Cybersecurity Ventures, there are now 111 billion new lines of code written each year, introducing vulnerabilities both known and unknown. Not to be overlooked as a flourishing attack vector are humans, which some argue are both the most important, but also the weakest link in the cyberattack kill chain. In fact, in many cybersecurity circles there is a passionate and ongoing debate regarding just how much burden businesses should put on employees to prevent and detect cyber threats. What is not up for debate, however, is just how vulnerable humans are to intentionally or unintentionally opening the digital door for threat actors to walk in. This is most evident by the fact that 9 out of 10 cyberattacks begin with some form of email phishing targeting workers with mixed levels of cybersecurity training and awareness.

Critical Infrastructure Protection Remains a Challenge

Critical infrastructure, often powered by SCADA systems and equipment now identified as part of the Industrial Internet of Things (IIoT) is also a major contributor to attack surface expansion. Major attacks targeting these organizations occur more from memory corruption errors and buffer overflows exploits than from spear-phishing or email spoofing and tend to be the motive of nation states and cyber terrorists more so than generic hackers.

“Industrial devices are designed to have a long-life span, but that means most legacy equipment still in use was not originally built to achieve automation and connectivity.” The IIoT does provide many efficiencies and cost-savings benefits to companies in which operational integrity, confidentiality and availability are of the utmost importance, but the introduction of technology into heavy machinery and equipment that wasn’t built to communicate outside of a facility has proven challenging. The concept of IT/OT integration, which is meant to merge the physical and digital security of corporations and facilities, has failed to reduce vulnerabilities in a way that significantly reduces risk. As a result, attacks seeking to exploit critical infrastructure vulnerabilities, such as WannaCry, have become the rule and not the exception.

To date cyber criminals are winning? 

To date, critical infrastructure cybersecurity has relied too much upon network monitoring and anomaly detection in an attempt to detect suspicious traffic before it turns problematic. The challenge with this approach is that it is reactionary and only effective after an adversary has breached some level of defenses.

We take an entirely different approach, focusing on prevention by denying malware the uniformity it needs to propagate. To do this, we use a binary randomization technique that shuffles the basic constructs of a program, known as basic blocks, to produce code that is functionally identical, but logically unique. When an attacker develops an exploit for a known vulnerability in a program, it is helpful to know where all the code is located so that they can repurpose it to do their bidding. Binary randomization renders that prior knowledge useless, as each instance of a program has code in different locations.

One way to visualize the concept of binary randomization is to picture the Star Wars universe at the time when Luke Skywalker and the Rebel Alliance set off to destroy the Death Star. The Rebel Alliance had the blueprints to the Death Star and used those blueprints to find its only weakness. Luke set off in his X-Wing and delivered a proton torpedo directly to the weak spot in the Death Star, destroying it. In this scenario, the Death Star is a vulnerable computer program, and Luke is an adversary trying to exploit said computer program.

Now imagine that the Galactic Empire built 100 Death Stars, each protected by RunSafe’s new Death Star Weakness Randomization. This protection moves the weakness to a different place on each Death Star. Now imagine you are Luke, flying full speed toward the weakness in the Death Star, chased by TIE fighters, only to find that the weakness is not where the blueprint showed. The Rebel attack fails, and the Galactic Empire celebrates by destroying another planet. Similar to the Death Star scenario above, code protected with binary randomization will still contain vulnerabilities, but an attacker’s ability to successfully exploit that vulnerability on multiple targets becomes much more difficult.

 

Cyber-Digital Task Force

The Department of Justice’s internal “Cyber-Digital Task Force,” created by Attorney General Jeff Sessions in February, will release its first-ever public report later this month at the Aspen Institute’s annual Security Forum, a department spokesperson told CyberScoop.

The report is expected to detail a series of security recommendations that the government should consider to protect future U.S. elections from a myriad of different threats, including foreign hacking attempts.

A statement by the DOJ previously explained that the Task Force will “prioritize its study of efforts to interfere with our elections; efforts to interfere with our critical infrastructure; the use of the Internet to spread violent ideologies and to recruit followers; the mass theft of corporate, governmental, and private information; the use of technology to avoid or frustrate law enforcement; and the mass exploitation of computers and other digital devices to attack American citizens and businesses.”

When Sessions launched the group earlier this year, he requested that an initial report be completed by June 30. The recommendations were submitted ahead of time, according to DOJ spokesperson Ian Prior. The answers are currently being reviewed ahead of publication.

The DOJ’s disclosure was made hours after the Democratic National Committee (DNC) issued a press release criticizing the department and Trump administration for missing various cybersecurity policy deadlines, including the June 30 submission. The agency contends that it in fact made the deadline, although the publication won’t occur for a few weeks. The Aspen Security Forum begins on July 18.

The creation of the Cybersecurity Task Force on Feb. 20 came less than a week after Special Counsel Robert Mueller indicted a group of Russian internet trolls for interfering in U.S. politics. The Russians allegedly ran an extensive social media campaign that worked to trick American voters in the run-up to the 2016 presidential election, the indictment claims.

Deputy Attorney General Rod Rosenstein is expected to make “an exclusive policy announcement” on July 19 at the Aspen Institute event.

Data Protection Officer- Consultants

Why do I need a Data Protection Officer?

While the desire to protect company, customer, and vendor information isn’t new, there are new laws that are requiring organizations to take a more active role in protecting their data.  The EU recently passed the General Data Protection Regulation that requires certain businesses to have a Data Protection Officer.  In order to comply with the rule, it has been estimated that nearly 28,000 DPOs will be needed by the end of 2018.

Specifically, the General Data Protection Regulation requires companies that process data with a public authority or that regularly monitor data subjects on a large scale to have a DPO and a plan in place to protect that data.  It’s important to note that the rule not only effects companies that are biased in the EU, but also those that conduct business with its partner countries.

Because of the non-specific wording of the GDPR, one of the first steps that any company operating within the EU will need to take is to determine whether or not they are subject to the regulations in the law.  It may be necessary to hire a security consultant on a short-term basis to determine this.  Fortunately,  CyberSecOp has plenty of experience in helping companies comply with EU law and IT security background that this position would require.

What is a Data Protection Officer?

In order to comply with the new regulation, a Data Protection Officer must have, “expert knowledge of data protection law and practices”.  Additionally, the DPO must have a good understanding of the organizations' technical structure, organization, IT infrastructure, and technology.

It’s important to note that as long as an employee is capable of performing the basic functions of the role, there is no formal training requirement.  This means that the job can be assigned to an existing employee.  It is also permissible for an organization to hire an outside consultant or security firm to take on this role.

How will this affect my company?

Due to the massive penalties involved with ignoring the new GDPR, any company that meets the criteria and operates in at least some capacity in the EU will need to appoint a Data Protection Officer.  For larger companies, this role is most likely already filled by a data security team.  Small companies will most likely find it to be the most cost-effective to hire an outside company to handle its data security issues.

Mid-size companies, however, will likely struggle to come into compliance with this rule.  Keeping a full-time Data Protection Officer on staff might prove to be cost prohibitive, but it’s also possible that contracting with an outside firm may also run up costs beyond a sustainable level.  In many cases, the solution might be to find a professional with multiple skill sets who could act as the company’s Data Protection Officer while also performing other duties. CyberSecop have a team of security professionals dedicated to helping an organization in comping with GDPR and other data security frameworks.

Secure all networks, from the Internet?

In the coming years in 2019-2020, the active mobile users will cross the 5 billion mark globally, and add to this the number of tablet user will also increase. When we analyze these figures it is not difficult to estimate that there are more than 20 million IoT devices in the pipeline ready to hit the base by 2020. It means the above-given figures are all set to be part of the connected world.

All these devices mean lots of valuable data, and where there’s valuable data there are hackers trying to get access to it. Not only do we need to wrestle with new kinds of networks, many of them wireless, but we need to tackle the security of these networks while simultaneously tackling the massive scale of the problem.

Now imagine the kind of valuable data that will be churned out from these devices, and how it will be a gala time for the hackers to break into these devices and get access. No doubt we need to bring such device in our daily life, but the challenge is to get them all secured taking into account the massive breach in the line.

We asked vendors and resellers how they approach security of the WAN in this challenging environment

The internet is the network

The data center is no more the enter of the universe, but it is the Internet that new network that brings all the network closer to each other.

Mobile phone networks are rapidly being repurposed as a general-purpose data network over which voice calls are just one more application. Inside the telcos themselves, the core networking is already running over IP networks, and consumers are very comfortable with messaging applications that talk over IP networks instead of SMS. Devices in the field are adding LTE interfaces as a cheap and easy way to add networking capability to what were once disconnected devices.

“We have to rethink how we approach things,” Kopelke says. “We need to change our thinking from ‘How do I secure and protect the network?’ to ‘How do I secure and protect the data and applications?’”

Gavin Wilson, Asia-Pacific managing director at Cradlepoint “People expect to always be connected. Increasingly the connection is a mix of technologies, rather than a single layer-1 or layer-2 approach.” Instead of a loose collection of isolated technologies, the network is now an abstraction operating at a higher level, and there is no longer a functional difference between “the internet” of decades past and what all these modern mobile devices use to connect”.

The connected world and benefits

This ubiquitous networking is enabling associations to do things that basically weren’t conceivable previously. Without a system to send the information, gadgets in trucks or conveyed by field laborers would need to store information for later use. Presently they can stream a lot of information back to a server farm or straight into the cloud, and they can be inconsistent contact with different parts of the framework.

“The ability to get information out to remote people is a massive benefit, and, if a truck roll over on a delivery, an immediate duress notification can let others know the driver is in trouble,” says Michael Dyson, general manager at Advanced Mobile IT‌

“We also have digital signage that can be remotely updated,” Dyson says. “You can receive diagnostics from remote locations without having to send a technician out to the site and there are buses in New Zealand that can do on-board ticketing and have a GPS for accurate next-stop announcements.”

As it turned out to be consistently more steadily and reasonable, the requirement for the specialist like; satellite telephones, CB radios have dropped abruptly. These more seasoned technologies are turning into a fallback — as opposed to the essential strategy for building up correspondences. The generously higher transfer speed access, combined with the across the board accessibility of the supporting framework, influences the cost/to profit examination straightforward: you’d be distraught not to.

Security

Obviously, simply being associated isn’t sufficient. We likewise need to keep information and applications secure when they’re interfacing with an indistinguishable web from each content kiddie and solidified digital crime with a hunger for other individuals’ data.

“The traditional way to secure the WAN was using firewalls at each branch or backhauling branch traffic to a datacenter and use firewalls there to protect the traffic,” says Stree Naidu, vice president. Asia-Pacific and Japan for Cato Networks. “As long as we think about the firewall as a box that sits somewhere, that box defines the perimeter. But what if the perimeter was defined by a firewall that is everywhere? This is the notion of Firewall as a Service (FWaaS).”

Moving from the physical system of security that is as pervasive as the availability itself is it all about. “Systems that are secured from commencement is the name of the diversion. Rather than being a bit of hindsight or an extra, security in a world with no border implies heating it in from the start.

“It has to be about more than taking an appliance and virutalizing it,” says Zscaler’s Kopelke. “We say that’s just cloud-washing.”

Cato Networks’ Scree agrees. “The challenge most organizations face is how to extend enterprise-grade security to all their branches and mobile users globally,” he says. “Cloud networks with built-in network security can offer a way forward.”

“With users expecting a higher standard of service, these standalone appliances won’t cut it anymore,” says Dell EMC’s Elmarji. “You need to be able to provide full security on all connected devices, fast access to data, and 24/7 connectivity.”

While it’s still relatively early days for software-defined networks, it’s clear where the momentum is. Customers and resellers alike should be investigating how they can move to using software-based networking to create the secure, ubiquitous networks of the future

BENEFITS OF IMPLEMENTING AN INFORMATION SECURITY

THE BENEFITS OF IMPLEMENTING AN INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

 

SECURES YOUR INFORMATION IN ALL ITS FORMS

An ISMS helps protect all forms of information, including digital, paper-based, intellectual property, company secrets, data on devices and in the Cloud, hard copies and personal information.

INCREASES RESILIENCE TO CYBER ATTACKS

Implementing and maintaining an ISMS will significantly increase your organisation’s resilience to cyber attacks.

PROVIDES A CENTRALLY MANAGED FRAMEWORK

An ISMS provides a framework for keeping your organisation’s information safe and managing it all in one place.

OFFERS ORGANISATION-WIDE PROTECTION

It protects your entire organisation from technology-based risks and other, more common threats, such as poorly informed staff or ineffective procedures.

HELPS RESPOND TO EVOLVING SECURITY THREATS

Constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat of continually evolving risks.

REDUCES COSTS ASSOCIATED WITH INFORMATION SECURITY

Thanks to the risk assessment and analysis approach of an ISMS, organisations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work.

PROTECTS CONFIDENTIALITY, AVAILABILITY AND INTEGRITY OF DATA

An ISMS offers a set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.

IMPROVES COMPANY CULTURE

The Standard’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

 

PGP vulnerability? Exposes PGP Encrypted Email

German researchers have found a major vulnerability in PGP (Pretty Good Privacy), a popular email encryption program, which could reveal past and present encrypted emails.

Sebastian Schinzel, professor of computer science at Münster University investigated the flaw, tweeting that full details of the vulnerability will be available from 15 May. 

He said: "they might reveal the plaintext of encrypted emails, including encrypted emails sent in the past."

PGP Ecryption.png

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the 

Anyone using PGP to encrypt their email could have their messages exposed thanks to a severe vulnerability for which there's no proper fix. That's according to researchers in Germany, who said anyone using plug-ins allowing simple use of PGP should stop using them entirely and possibly delete them too.

The warning came from Sebastian Schinzel, lead of the IT security lab at the Münster University of Applied Sciences, who noted attacks exploiting the vulnerability "might reveal the plaintext of encrypted emails, including encrypted emails sent in the past." Though he isn't revealing the full details until Tuesday May 15, the findings have spooked security-conscious folk.

We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

The Electronic Frontier Foundation (EFF) said it had reviewed the research and could "confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

"Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email," the EFF wrote in a blog post.

The EFF has also offered guidance on how to remove plug-ins associated with PGP email, which users can find on the blog. Those plug-ins include ones for clients Apple Mail, Thunderbird and Outlook.

It appears the vulnerability (which some have dubbed eFail) resides in such email clients, rather than a fundamental problem with the PGP standard, according to Werner Koch, the man behind GNUPrivacyGuard (GnuPG), the free and open source PGP software suite. In a post, Koch said he believed the EFF's comments on the issue were "overblown" and that he hadn't been contacted about the vulnerability.

This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad. #efail

They figured out mail clients which don't properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation.

PGP was long seen as the standard for encrypted messaging and it remains the most popular method of sending private email. Increasingly, however, mobile apps like Signal, Apple's iMessage and Threema have provided simple methods for end-to-end encrypted communications.

Schinzel hadn't responded to a request for comment at the time of publication. He's done significant work on cryptographic weaknesses in the past; in 2016, he co-created an attack dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), which could decrypt people's web connections on 33 per cent of all HTTPS websites.

A trick to decrypt

The researchers explained in a website for the eFail vulnerability that it required the attacker to be able to intercept and email and tamper with it to reveal the plaintext of messages. "In a nutshell, eFail abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs," they wrote.

"The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker."

The full technical paper is available here.

An old flaw

A spokesperson for ProtonMail, a webmail service that uses PGP, confirmed its services were not affected. The spokesperson also eFail wasn't exactly new. "It has been known since 2001. The vulnerability exists in implementation errors in various PGP clients and not the protocol itself," the spokesperson added.

"What is newsworthy is that some clients that support PGP were not aware of this for 17 years and did not perform the appropriate mitigation.

"As the world's largest encrypted email service based on PGP, we are disappointed that some organizations and publications have contributed to a narrative that suggests PGP is broken or that people should stop using PGP. This is not a safe recommendation."

Apple gets fixing

An Apple spokesperson said partial fixes to eFail were released in iOS 11.3, which shipped March 29. The remaining fixes for affected Apple products being developed and will be with customers soon, they added.

Microsoft said it had no comment on the matter.

Corporate Information Security Steering Committee

Organizations are becoming increasingly aware that if they fail to implement successful security management processes, it could expose them to untenable risk.

The role of the corporate information security steering committee has become an important tool in the quest for a coordinated corporate security strategy, for reducing duplication in security spending, for taking control of complex infrastructures and ultimately, for reducing security risk. 

One of the first steps for many organizations has been to set up a common security team and to embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.

META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.

In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes, based upon five primary organizational roles:

  • Leadership - this is the role of the chief information security officer who deals with both the day to day management of the security team as well as continuous communication of the importance and value of security measures
  • Analysis/design - these security analysts help information owners develop meaningful security policy as well as effective security solutions
  • Security administration - these people look after the day to day administration of access rights, passwords, etc
  • Security operations - resources that continuously monitor the security status of the organization, and manage incident response procedures.
  • Awareness communication - resources that design and manage ongoing security awareness and training programs. 
    Executive custody and governance -represented by an information security committee

The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage their infrastructure and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with a high level of devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.

Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:

  • Managing the development and executive acceptance of an enterprise security charter.
  • Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
  • Assessing any requests for policy exceptions from individual business units.
  • Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
  • Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
  • Acting as custodian and governance body of the enterprise security program by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
  • Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
  • Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, and advising the committee with appropriate recommendations.
  • Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.
  • Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
  • Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
  • Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).
  • Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
  • Governing trust relationships with major e-business partners.

It is very important that steering committee members can make decisions at meetings. This requires the active participation of senior executive business managers or it must be a permanent subcommittee of an executive information board. To prevent the committee becoming an ineffective 'debating society' or forum for driving political agendas, the scope, powers and objectives of the committee should be clearly documented and measured.

Typical members of an information security steering committee include: line of business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.

By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.

Ransomware campaign up around the world

A new email ransomware campaign is spreading around the world. Researchers at Fortinet say it’s a spam effort, meaning the messages are not targeted. Instead they are addressed generally, like “Dear customer.” The subject line in the email would be something like “Document number…”, “Your order number” or “Ticket number.” With the email is a malicious attachment that leads to the installation of malware. The initial targets are corporate mail servers used to forward this email. These have been found in Canada, the U.S. the United Kingdom and other countries. 

ransomware-cbyersecurity-consulting.jpg

The best defense against ransomware – or any email-delivered malware – is to watch out for it. Be cautious about unsolicited emails, especially those with attachments. And it’s vital you always have a separate backup of your data made it a way that can’t be infected, just in case you make a mistake.

Meanwhile McAfee reports some Canadian organizations have been victimized by a separate operation. A group security that researchers call Hidden Cobra, believed to be backed by North Korea, has been putting surveillance software on the systems of companies. The suspicion is the Canadian victims have been used as listening or data relay points. The malware that this campaign has installed has not stolen financial or sensitive data but appears to be there find out what’s on a computer, and be ready to launch further attacks.

Companies have to make sure their systems have the latest security patches. In addition, because the malware appears to be distributed through email, employees have to be reminded to be careful on what they click on.

For more on this see my story today on ITWorldCanada.com.

The U.S. National Security Agency has just suffered a black eye from an international standards body. According to a blog on Bitdefender, the International Organization of Standardization – known more commonly as ISO – rejected two new encryption algorithms suggested by the NSA to secure Internet of Things devices. The algorithms would scramble information on Internet-connected devices like home surveillance cameras and toys. But the NSA’s reputation for creating tools to hack into applications apparently give it a bad name at the ISO. One ISO delegate accused the NSA of telling half-truths and lies in its presentation.

If that allegation is accurate, it isn’t good. Internet of Things devices badly need better security. People and companies around the world buy tens of thousands of them a year. Insecure devices don’t improve security.

That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.

CISO Roles Expanding - Global Risk Management

Traditionally, the mission of the CISO has been to convince the CEO of the capabilities the organisation must put in place to prevent and follow-up on threats and manage crises. At the helm of IT security, CISOs are in their element overseeing the security operations centre (SOC), incident response teams and forensics experts to address threats. But now, many are being forced outside of their comfort zone. With global attacks dominating television news and headlines in Europe, US and the UK, cybersecurity is top of mind for CEOs and their Boards. And this means that the role of the CISO is expanding.

The Evolving Role of the CISO: Handling a Crisis When You Aren’t Under Attack

The Evolving Role of the CISO: Handling a Crisis When You Aren’t Under Attack

According to Aon’s 2017 Global Risk Management Survey, cybercrime is now number five among the top 10 concerns for risk decision-makers globally, above failure to innovate, failure to attract and retain top talent, business interruption, political risk/uncertainties and third-party liability. Each time a high-profile attack happens, the CISO gets a phone call from the CEO asking questions like: Are we at risk? Should we be doing something? It is no longer enough to let the CEO know that the organization has not yet been attacked. CISOs need to expand their leadership role and actively engage in risk management.

I have had the opportunity to speak with many CISOs who validate that their jobs are changing.

“Before, we had to fight to explain to the CEO that it would be interesting to know what was coming in and out of our systems,” said Benoit Moreau, CISO of the French ministry of national education and research. “Now, we are expected to have a fine perception of each element of our ‘information ecosystem’ and the interactions that drive it to succeed to predict, almost in real time, the consequences of any stimulus. Our systems have undergone a dazzling Darwinian evolution, driven by new technologies and uses. They went from monocellular organisms that were individually secured to complex protean organisms close to life.”

Today, when the external threat landscape changes and the CEO inevitably calls, CISOs need to respond differently. They need to have situational understanding, be prepared to make decisions on the spot and communicate how they will ensure risk remains at an acceptable level. Moreau explains, “The CISO must equip himself to have ‘awareness’ of the security infrastructure as a whole – to feel the problems, to detect the symptoms. He must understand weaknesses, threats and health risks. He must strengthen his defenses, have the means to carry out further analysis in case of doubt, to inoculate or provide other treatments, and even to amputate in the event of the spread of deadly agents. It is no longer a question for the CISO to deploy some white blood cells, but to be the healthy mind in a healthy body, a robust organism with an effective immune system.”

As a CISO, what does it take to embrace this important change in your role? To begin with, you need instant access to as much information as possible about an attack or campaign. This includes an adversary’s targets and motivations; their tools, techniques, and procedures (TTPs) including tactics and vulnerabilities that may put the organization at risk; as well as the countermeasures available.

Most organizations already have much of this information, but it is spread across many different departments, in multiple external threat data feeds, in your layers of security products, in your SIEM that store logs and events and in analysts’ brains. What you need is a single source of truth – a centralized repository for all this data that you can continuously augment and enrich so that it is contextualized, relevant and prioritized. With a hub for storing, updating and accessing threat intelligence, your teams can learn and share knowledge to assess whether a threat poses short-term danger and determine the appropriate actions. But barriers remain.

Traditionally, siloed teams work independently and in a vacuum without the ability to collaborate throughout the analysis process and execute a coordinated response as needed. Working on parallel tasks, they can miss key commonalities. All teams must be able to work together in a single shared environment for a greater understanding and focus throughout the situation analysis and response process. Using visualization and documentation they can quickly see threat data, evidence, and actions across all the various departments and individual involved in the investigation.

With visibility into this collaborative environment and the situation analysis as it unfolds, CISOs can coordinate between teams and actions taken. A global picture provides the information you need to reply with greater confidence to your CEO’s questions. You can gauge if you’re adequately prepared to withstand an attack and let your CEO know. Or, if not, you can direct the appropriate action faster and assure your CEO you’re taking the right actions to mitigate risk.

Reacting to massive, global threats is a new phenomenon and a new responsibility added to CISOs’ day-to-day tasks. The moment you become aware of a potential new attack, you must be able to assess risk, anticipate potential impact and start crisis management. When a threat is detected, you must be able to respond quickly and comprehensively while maintaining business continuity. It’s no longer enough to protect the organization from an attack – you must be able to handle a crisis even if you aren’t under attack.

(NIST) Framework Cyber Security Updated

Four years after the initial iteration was released, the National Institute of Standards and Technology (NIST) has released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity.

The framework was developed to be a voluntary, risk-based framework to improve cybersecurity for critical infrastructure in the United States. It’s the result of a President Obama-issued executive order calling for the development of a set of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyberattack. 

Like the first version, Version 1.1 of the framework was created through public-private collaboration via a series of recommendations, drafts and comment periods. Changes to Version 1.1 includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure, among other changes.

For one, the update has renamed the Access Control Category to Identity Management and Access Control, to better account for authentication, authorization and identity-proofing.

It also has added a new section: Section 4.0 Self-Assessing Cybersecurity Risk with the Framework explains how the framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements.

On the supply-chain front, an expanded Section 3.3 helps users better understand risk management in this arena, while a new section (3.4) focuses on buying decisions and the use of the framework in understanding risk associated with commercial off-the-shelf products and services. Additional risk-management criteria were added to the Implementation Tiers for the framework; and a supply-chain risk-management category has been added to the Framework Core.

Other updates include a better explanation of the relationship between Implementation Tiers and Profiles; added clarity around the term “compliance,” given the variety of ways in which the framework can be used by an organization; and the addition of a subcategory related to the vulnerability disclosure lifecycle.

“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things (IoT).”

Its goal is to be flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.

NIST-framework-300x281.png

              Nist > 1.1

The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges

“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Walter Copan, NIST director. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia.”

So far, adoption of the framework has been fairly widespread: PwC’s 2018 Global State of Information Security Survey (GSISS) for instance found that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set information security standards in their respective industries. The report also found that financial institution clients were widely embracing benchmarking of their cyber risk management programs against the NIST Cybersecurity Framework.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”

Efforts to expand its influence are continuing: In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Also, corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it, NIST noted.

Meanwhile, to help ease the process of adoption, the Information Security Forum (ISF) has mapped the framework and its annual Standard of Good Practice for IT security professionals. Last year, IT governance organization ISACA launched an audit programaligning the NIST framework with COBIT 5, designed to provide management with an assessment of the effectiveness of an organization’s plans to detect and identify cyber-threats, and protect against them.

“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”

Small Business Benefits from Cybersecurity Consulting Services

Cybersecurity news stories are becoming more and more prevalent, especially over the last few years. Whether the stories are about stolen emails or huge data breaches, it has been virtually impossible to ignore them.

While the major stories about compromised corporations and hacked email accounts make the news, cybersecurity is something that concerns everyone who uses a computer. Even small business owners can become victims of cybercrime. In fact, small business owners, in particular, need to be concerned with cybersecurity so they can protect their intellectual property. No matter whether the intellectual property is research or recipes, it is one of the greatest assets a small business has. Intellectual property is a prime target for hackers, whether they are stealing information for a competitor or running a ransomware scheme where a hacker demands something in return for the stolen information.

The trouble is that protecting that intellectual property and keeping other sensitive information, such as client and customer data, isn’t cheap. Many small business owners may not have the available capital to afford a cybersecurity system. Although this puts an owner in a tough spot, you can’t put a price on peace of mind, and neither can a small business owner afford the losses associated with becoming the victim of a cybercrime.

As with most things for small-business owners, cybersecurity comes down to a cost analysis. A cybersecurity system can be a big expense. On the other hand, a small business owner has to consider the cost of not having their systems protected from hackers. It’s hard enough for a large corporation to recover from a cyber attack, even with all the resources and infrastructure they have. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses fold within six months of a cyber attack.

Ultimately, each business owner has to decide if and when a formal data security protection plan is necessary. A consultation with an expert may help you better weigh the pros and cons of taking on this type of business expense. Start with this list of Cybersecurity Consulting Providers as a jumping off point for your research. After comparing the benefits of these companies’ plans, set up a few consultations to see if and how these providers can best help protect your business, and what it costs to do so. You may find that it’s worth the investment.

 

Cyber Security Developments

Cyber Security Is The Backbone Any Online Businesses – Here Are Some Quick Tips To Keep Yourself Informed About The Latest Threats Surrounding Your Business.

                                    Cyber Security Developments

                                    Cyber Security Developments

Within a standard nine to five working day, it’s said that there are almost two million data records lost or stolen. Cybercrime has become something of an epidemic in recent years – and it’s no exaggeration to say that everyone is at risk.

Hackers operate in an increasingly complex way and are happy to target small businesses and individuals, who are most likely to be vulnerable to attack. The nature of the threat changes as technology advances and so the only way to stay safe is to stay up to date.

But that’s easier said than done, right? How do you keep up to date with the latest cybersecurity developments?

Follow The News

When it comes to cyber security, ignorance is not bliss – it’s a recipe for disaster. It’s imperative that you identify and follow a news feed that you can trust. By doing so, you can keep on top of any fresh threats that have emerged, learn lessons from other cyber attacks and pick up the latest tips and advice from influencers and experts in this field.

News from this sector really shouldn’t be seen as the preserve of IT specialists – the scale and nature of the threat suggest that this should be of interest to everyone. There’s a burgeoning band of podcasts available on the subject for people who prefer to digest content in this way too.

Bring Up The ‘Security Question’

If you think that installing an anti-virus program is enough, then you’re mistaken. Don’t just presume that you’re safe because you have this because this is merely the first line of defense to root out attacks. By adopting a safety first mindset you can ensure that the way you handle your data is less risky.

Whether it’s securing your Wi-Fi network at home, managing and updating your passwords on a regular basis or the way you collect, collate and analyze data throughthe point of sale software at work, continually ask yourself ‘is this safe?’ Just as ignorance isn’t bliss, complacency could prove your undoing. Place ‘security’ high on the list of credentials to consider when buying new software or hardware, don’t just go for the cheapest option.

Training

Even the experts are constantly having to refresh their understanding of the threat posed by cyber attacks. It pays to search out training opportunities, especially if you’re a business. You are, after all, only as safe as the people operating your software and systems and you don’t want to put the security of your business in the hands of someone who is unsure about what they are doing. Individuals and businesses alike can find free learning materials on Cybrary to help plug any knowledge gaps they have.

It’s Good To Talk

Cyber attacks are incredibly common – but people don’t often enough talk about their experiences. Perhaps you’re afraid or embarrassed to have been caught out? There’s no need to be. In fact, talking with friends and colleagues could really help you to stay safe. Pass on tips about new apps, good software, neat tips and tricks and any new cyber attack tactics you have come across and you can help to do your own bit to combat the criminals.

By keeping up to speed with security news, refreshing your training, sharing tips and tricks and adopting a safety first attitude you’ll give yourself the best possible chance of staying on top of cyber security developments and, best of all, safe.

Cisco Switches vulnerable to remote hacking

2018-01-30-image-26.jpg

 

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.

The stack-based buffer overflow vulnerability (CVE-2018-0171) resides due to improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators to deploy (client) network switches easily.

Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).

Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.

To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is opened by default.

"To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg" and "because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker," Cisco explain in its advisory.

The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering indefinite loop on the affected devices.

Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.
 

Affected Hardware and Software:


The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches devices, as well as all devices that fall into the Smart Install Client type are potentially vulnerable, including:
 

  • Catalyst 4500 Supervisor Engines
  • Catalyst 3850 Series
  • Catalyst 3750 Series
  • Catalyst 3650 Series
  • Catalyst 3560 Series
  • Catalyst 2960 Series
  • Catalyst 2975 Series
  • IE 2000
  • IE 3000
  • IE 3010
  • IE 4000
  • IE 4010
  • IE 5000
  • SM-ES2 SKUs
  • SM-ES3 SKUs
  • NME-16ES-1G-P
  • SM-X-ES3 SKUs


Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. So, administrators are highly recommended to install free software updates to address the issue as soon as possible.

Security Specialist

CyberSecOp cyber security consulting services was founded by two information security professionals, and a Managed Services IT firm, For more information call us: 866-973-2677 or visit us: https://www.cybersecop.com

 

Security Consulting

Many people who sell security products call themselves security consultants and they are part of the security field, but there are also security consultants who don't sell products. These individuals are paid on an hourly or project basis to help clients, usually, corporations, protect their personnel and property. Property security embraces both real estate and tangible equipment as well as other assets like client lists and proprietary technology. Employee and customer theft, as well as piracy, are possible focuses for a security consulting practice. Technical security consultants are knowledgeable about products, such as electronic security systems, including their development and how to apply them. The work may involve system design as well as drafting plans and documents.

Computer Security


While virtually all security consultants employ computer technology in their work, the computer security niche specifically involves protecting computer systems and networks themselves against unauthorized use and abuse. A computer security consultant often specializes in particular operating systems such as UNIX, LINUX or Windows.

Site Consulting


Whether it's new construction or remodeling, virtually every building and office-be it a high-tech industrial complex, retail franchise, distribution center, self-storage facility, housing development, hotel, resort, casino, parking lot or law firm-is interested in some aspect of site security. Security site consultants evaluate the physical design of such buildings and spaces, determine what security problems a sites poses and recommend countermeasures, such as guards, electronic security with cameras and electric lights, or a combination of methods and policies.

System Design


Security system designers develop specifications and provide architectural or engineering support in the design phase of a security consulting project. System designers may also develop new electronic security tools to be used at a particular location.

Forensic Consulting


Forensic security consultants serve as expert witnesses in trials in which security breaches are at issue, such as with fires, thefts, break-ins, and so on. Forensic consultants may specialize in any of the above fields.

As a security practitioner, you can also develop niches for your work based on the type of clients you work with, such as museums or historical sites, shipyards and airports. Unlike professional investigators, security consultants don't have to be licensed by state agencies. However, there are professional associations you can join and certification programs you can complete, which may help foster a sense of trust with your clients. One of the larger associations, which provides certification.

Specializing is key to marketing a security specialty business because it will help you more easily identify and market to clients who need such services, such as architects and contractors or members of a particular industry, such as software developers or law firms. You'll be soliciting work and attracting clients by making presentations and speeches or networking in organizations where you can showcase your expertise. In addition to your knowledge of security, you must be prepared to develop your speaking skills in order to attract new business.

Security-Hi-ah.JPG

What Is Network Security?

What Is Network Security? - CyberSecOp

Network security is an organization’s strategy and provisions for ensuring the security of its assets and all network traffic. Network security is manifested in an implementation of security hardware and software. For the purposes of this discussion, the following approach is adopted in an effort to view network security in its entirety.

What Is Network Security?

What Is Network Security?

Policy
The IT Security Policy is the principle document for network security. Its goal is to outline rules for ensuring the security of organizational assets. Employees today often utilize several tools and applications to conduct business productively. Policy-driven from the organization’s culture supports these routines and focuses on safely enabling these tools for employees. Enforcement and auditing procedures for any regulatory compliance to which an organization is subject must be mapped out in the policies, and controls as well.

Types of network security

Access control

Not every user should have access to your network. To keep out potential attackers, you need to recognize each user and each device. Then you can enforce your security policies. You can block noncompliant endpoint devices or give them only limited access. This process is network access control (NAC).

Antivirus and antimalware software

"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.

Application security

Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.

Behavioral analytics

To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral analytics tools automatically discern activities that deviate from the norm. Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats.

Data loss prevention

Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.

Email security

Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.

Firewalls

Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management(UTM) devices and threat-focused next-generation firewalls.

Intrusion prevention systems

An intrusion prevention system (IPS) scans network traffic to actively block attacks. Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track the progression of suspect files and malware across the network to prevent the spread of outbreaks and reinfection.

Mobile device security

Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90 percent of IT organizations may support corporate applications on personal mobile devices. Of course, you need to control which devices can access your network. You will also need to configure their connections to keep network traffic private.

Network Segmentation

Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign access rights based on role, location, and more so that the right level of access is given to the right people and suspicious devices are contained and remediated.

Security information and event management

SIEM products pull together the information that your security staff needs to identify and respond to threats. These products come in various forms, including physical and virtual appliances and server software.

VPN

A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between device and network.

Web security

A web security solution will control your staff’s web use, block web-based threats, and deny access to malicious websites. It will protect your web gateway on site or in the cloud. "Web security" also refers to the steps you take to protect your own website.

Wireless security

Wireless networks are not as secure as wired ones. Without stringent security measures, installing a wireless LAN can be like putting Ethernet ports everywhere, including the parking lot. To prevent an exploit from taking hold, you need products specifically designed to protect a wireless network.