Cyber Security Institute


Tuesday, August 20, 2013

Handling Incident Management in a Virtualized Environment

Good article on Incident Response in a Virtualized Environment - summary:

In my experience, this rush to a virtualized data center assumes that either existing controls are enough or that - for some unexplainable reason - virtualized servers are isolated from common attack vectors and therefore more secure. Although this increase does not correlate with an increase in disclosed virtualization vulnerabilities, as shown in Figure 1, the overall increase of vulnerabilities does track with the increase in growth of virtualization as a strategic technology. It also indicates that the increase in the number of virtualized servers increases the attack surface for those attackers focusing on the hypervisor as a high-value breach target.



Friday, August 16, 2013

Security incident response procedures: When to do a system shutdown

At the same time, the attackers that target enterprises for their valuable information, or sometimes for political reasons, have never been more sophisticated, which has increased the pressure on enterprise security teams to be able to keep critical systems running securely and without interruption. Shutting down a system in response to an information security incident is one of the most drastic options that can be taken, but it might be the best option in certain scenarios. Occasionally, regardless of how well prepared an organization might be from a security perspective, an attack will leave the security team debating whether the risks involved with keeping a system running outweigh the potential impact of taking an infected or targeted system offline.



Wednesday, July 10, 2013

Hunting for ‘Whales’ Using Targeted Malware

Until recently, most contemporary malware was designed so it could infect the greatest number of people, regardless of who they were. This is known as the shotgun approach to malware. The problem with that method is that IT security and end-user training are beginning to erode the effectiveness of this approach. This is forcing a change in tactics to the point where criminals are now beginning to put malware into very sophisticated and convincing packages to attract a whale or two. Cyber criminals now spend a great deal of time researching their whales and mine information such as place of work, job title, names of individuals they interact with, and the names of business partners. It’s not so much that the malware itself is getting more sophisticated, but the spear phishing presentation used to trick the victim certainly is.



Monday, July 01, 2013

Combating attacks with collaborative threat intelligence

Even those attackers who are deploying more targeted, advanced attacks against a specific industry or organization will reuse the same techniques and exploit code in targeted attacks against similar organizations in the same industry. Another tool in the attacker’s arsenal is that they are highly adept at sharing information with each other. Why wouldn’t defenders likewise collaborate on the source, tools and techniques used for these attacks and reap the tremendous benefits of threat sharing? Not to mention that such collaboration among defenders can also increase the costs associated with executing these attacks.


Wednesday, June 05, 2013

RSA’s Art Coviello points to Big Data approach to combat cyber security challenges

Leveraging Big Data approaches to security can help make the much-needed intelligence-driven security model – comprised of pervasive monitoring and threat intelligence sharing – a reality for organizations that face growing and sophisticated cyber-attacks. In his opening keynote at RSA Conference Asia Pacific 2013, Art Coviello, Executive Vice President of EMC Corporation and Executive Chairman of RSA, The Security Division of EMC, outlined how leveraging Big Data approaches to security can help make the much-needed intelligence-driven security model a reality for organizations in the face of growing and sophisticated cyber-attacks. While addressing the crowd at RSA Conference Asia-Pacific held in Singapore, Coviello explained that within many organizations, a lack of understanding and knowledge and unbalanced security budgets are current impediments to the adoption of an intelligence-driven security model.


Tuesday, June 04, 2013

Understanding Risk in Real-Time: Where Will Your Next Breach Come From?

Three out of four intrusions exploit weak or stolen (but otherwise legitimate) credentials, and another 13 percent result from misuse of information by privileged users, according to Verizon’s 2013 Data Breach Investigation Report. The solution is harnessing the big data in the trillions of access relationships — the ever-changing information related to who is accessing what resources for what purpose — to better understand what is really going on. As Gartner says, “[Big Data] is a class of information processing problem that, due to the volume, velocity, variety and complexity of the data, requires different approaches to support analytics to derive cost-effective, timely, business-relevant insight.” While big data has been used effectively by line of business to analyze customer purchase behavior, inventory turns, or other critical data, it also offers tremendous promise for IT security to manage business better.


Friday, May 24, 2013

AusCERT 2013: Visibility critical when selling IT security to execs, says Foxtel CSO

Hard-to-find security skills and the rapid pace of malware evolution make a strong relationship with a managed security services (MSS) provider as important as maintaining the internal tools to keep business executives apprised of IT-security risk, Foxtel information security manager Kevin Shaw has advised. Properly informing those relationships, however, remains one of the security executive’s biggest ongoing challenges: different expectations, changing technologies, malleable business objectives – and the constant dread of being the one confessing a security breach to a risk and audit committee or angry CEO – all force security executives to be as proactive as possible when it comes to managing risk. “I want to know that if someone adds a new server, that I can come back through my actionable intelligence and confirm that box has the right agents, has been hardened for the criteria we’ve mandated,” Shaw said. Under Shaw’s guidance, Foxtel has maintained a long-term MSS relationship with Symantec, which provides extra skilled staff that not only keep apprised of new threats, but monitor the company’s infrastructure 24/7 for signs of malicious activity.



Thursday, May 23, 2013

Telling the FBI Your Company Has Been Hacked

As cyber attacks against U.S. companies move markets, drain tens of millions of dollars from bank accounts, siphon off trade secrets, and threaten critical infrastructure, the mantra among government officials is: sharing (information) is caring. The government’s desire to increase information sharing on cyber intrusions with the private sector is at the heart of an executive order issued in February—and it was a point underscored at a New York City Bar Association event on Monday, when Mary Galligan, who is an FBI “cyber cop,” urged corporations to come forward with information about attacks on their networks.


Sunday, May 12, 2013

The Onion reveals how Syrian Electronic Army hacked its Twitter

The Onion staff put their laugh-making on hold last week when the Syrian Electronic Army hacked its Twitter account — the latest in a growing list of publications invaded by the group. “In summary, they phished Onion employees’ Google Apps accounts via 3 separate methods,” the site’s tech team explained in a blog post. The slow, calculated attack began early this month, when the Syrian Electronic Army (SEA) sent emails to some of the site’s employees. The messages (example below) implored The Onion’s reporters to “Please read the following article for its importance,” with a link to what appeared to be a Washington Post story. [Interestingly, the attackers changed their socially engineered email attack to a password reset email after the Onion IT department told everyone to change their passwords.]


Welcome to the red team!

You may not know that ‘red teaming’ refers to the practice of “viewing a problem from an adversary or competitor’s perspective.” It seems that one of the best ways to get into a system is to be the first to find a new vulnerability in the software that no-one else has spotted. This ‘zero day’ vulnerability can be used to get malware of some kind into an organization, and, from then on, the red team own the IT system. And that’s why it’s a good idea to pay a team of experts rather than wake up one day and find the bad guys have found their way into your IT infrastructure.


Thursday, May 09, 2013

Hacking back: Digital revenge is sweet but risky

Whether criminals are hacking our passwords, or Anonymous is simply making a statement, the disruptions and data breaches exact a heavy toll in terms of time, money, and security. How that digital revenge is wreaked, and whether any of it is legal, are issues being actively debated right now—to the extent that anyone wants to talk about it, let alone admit to trying it. Hacking back at a cyber-assailant is tempting, but it’s just as illegal as the original cyberattack.



Information security can learn from physical security

Physical security can provide a number of guidelines when establishing an information security model, says Johann van der Merwe, global head of information security at De Beers. “You can get a lot of tips from physical security when you want to get a company’s information security off the ground,” says Van der Merwe. He says it is important to remember that diamonds are at the centre of De Beers’ pipeline and that everything – including information security – essentially revolves around that.



Wednesday, May 08, 2013

Sweet Password Security Strategy: Honeywords

Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. The term “honeywords” is a play on “honeypot,” which in the information security realm refers to creating fake servers and then learning how attackers attempt to exploit them—in effect, using them to help detect more widespread intrusions inside a network. The honeywords concept is also elegant because any attacker who’s able to steal a copy of a password database won’t know if the information it contains is real or fake. An auxiliary server (the “honeychecker”) can distinguish the user password from honeywords for the login routine and will set off an alarm if a honeyword is submitted.
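The scheme the summary describes, as an added worked example (this is not code from the article or from any honeywords implementation): each user gets a shuffled list of sweetwords (the real password plus decoys) stored as salted hashes in the password file, while a separate honeychecker host stores only the index of the real one. A login that hashes to a decoy means the password file has almost certainly been stolen and cracked, so the honeychecker raises an alarm. The decoy generator (tail-tweaking, which replaces the last few characters with others of the same class so decoys look as real as the password), the use of PBKDF2, and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import random
import secrets
import string

# Added example of the honeywords/honeychecker split; not the article's code.
# Tail-tweaking, PBKDF2 and the in-memory stores are illustrative assumptions.


def tweak_tail(password, positions=3, rng=None):
    """Return a decoy differing from `password` only in its last `positions`
    characters.  Each replaced character stays in its class (digit -> digit,
    upper -> upper, lower -> lower, other -> punctuation), so 'Summer2013!'
    yields decoys such as 'Summer2094#' rather than obvious junk."""
    rng = rng or secrets.SystemRandom()
    chars = list(password)
    for i in range(max(0, len(chars) - positions), len(chars)):
        c = chars[i]
        if c.isdigit():
            pool = string.digits
        elif c.isupper():
            pool = string.ascii_uppercase
        elif c.islower():
            pool = string.ascii_lowercase
        else:
            pool = string.punctuation
        chars[i] = rng.choice(pool)
    return "".join(chars)


def make_sweetwords(password, count=20, rng=None, max_tries=10_000):
    """Build `count` sweetwords (real password + count-1 distinct decoys),
    shuffle them, and return (sweetwords, index_of_real_password)."""
    rng = rng or secrets.SystemRandom()
    decoys, tries = [], 0
    while len(decoys) < count - 1:
        tries += 1
        if tries > max_tries:  # short passwords may not have enough tail variants
            raise ValueError("not enough distinct tail variants for this password")
        d = tweak_tail(password, rng=rng)
        if d != password and d not in decoys:
            decoys.append(d)
    sweet = decoys + [password]
    rng.shuffle(sweet)
    return sweet, sweet.index(password)


def hash_pw(pw, salt, iterations=20_000):
    # Iteration count kept low for the example; production would use a
    # memory-hard KDF or a far higher count.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


class HoneyChecker:
    """The auxiliary server.  It holds only user -> index of the real sweetword,
    never password material, so a stolen password file alone does not reveal
    which entry is genuine; an attacker must breach both hosts."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []  # (user, submitted_index) for every honeyword hit

    def set_index(self, user, index):
        self._real_index[user] = index

    def check(self, user, index):
        if self._real_index.get(user) == index:
            return True
        self.alarms.append((user, index))
        return False


class PasswordFile:
    """The login server's store: one salt plus `count` hashes per user, the
    real password hidden among the honeywords."""

    def __init__(self):
        self.rows = {}

    def enroll(self, user, sweetwords, real_index, checker):
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, [hash_pw(s, salt) for s in sweetwords])
        checker.set_index(user, real_index)

    def login(self, user, attempt, checker):
        row = self.rows.get(user)
        if row is None:
            return "no-such-user"
        salt, hashes = row
        h = hash_pw(attempt, salt)
        matches = [i for i, stored in enumerate(hashes) if hmac.compare_digest(stored, h)]
        if not matches:
            return "wrong-password"
        # One sweetword matched; only the honeychecker knows if it is the real one.
        return "ok" if checker.check(user, matches[0]) else "honeyword"


if __name__ == "__main__":
    checker, pwfile = HoneyChecker(), PasswordFile()
    sweet, real = make_sweetwords("Summer2013!", rng=random.Random(1))  # constructed sample
    pwfile.enroll("alice", sweet, real, checker)
    print(pwfile.login("alice", "Summer2013!", checker))
    print(pwfile.login("alice", sweet[(real + 1) % 20], checker))
    print(checker.alarms)
```

The login server never learns which hash is genuine; it only asks the honeychecker "was it index i?", which is why the honeychecker should be a separate, minimally exposed host with its own logging and alerting.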



Tuesday, May 07, 2013

Too many admins spoil your security


Thursday, May 02, 2013

Effective cyber threat defence requires clear security focus

Now is the time to consider dismantling the barriers that often exist between IT and physical security teams, so that evolving cyber risks can be tackled more effectively. For example, Verizon’s 2012 data breach investigations report found that ten per cent of breaches involve some form of physical attack, while a further five per cent result from ‘privilege misuse’. In 2009, the US National Nuclear Security Administration (NNSA) criticised Los Alamos National Security (LANS), the contractor responsible for security at the Los Alamos National Laboratory, for its apparent mishandling of computer thefts from the facility’s weapons laboratory. However, the report highlighted the risks of dealing with cyber security in isolation, where the theft of computers was treated as a standalone ‘property management issue’, which uncovered “several property management, accountability, incident reporting and cyber security concerns”.


Sailing the Seven Cs of Security Monitoring

This might be true, but a watched pot also never spills; it never allows your younger sister to stick her hand in the hot water; it prevents Uncle Jack from tasting before dinner is ready; and if something unforeseen happens, there is time to mitigate the problems. If you don’t watch it, it still happens (trees in a forest fall and still make sounds); you’re simply not aware, so you cannot prevent the issue, control the damage, or protect the assets from spiraling beyond your control. Once you know what needs to be monitored and the baselines (risk tolerance) of what constitutes alerts and other suspicious activity, then you can build a program and standardize that configuration and analyze the results to make adjustments. Recently the Department of Homeland Security director of federal network resilience noted: as you move to standardize configurations, networks are not only more secure but they lower operational costs.


Monday, April 22, 2013

The CISO’s Guide to Advanced Attackers: Mining for Indicators

The general concept is that you want to monitor your environment, gathering key security information that can either identify typical attack patterns as they are happening (yes, a SIEM-like capability), or more likely searching for indicators identified via intelligence activities. We have been saying Monitor Everything almost as long as we have been talking about Reacting Faster, because if you fail to collect data you won’t have an opportunity to get it later. Unfortunately most organizations don’t realize their security data collection leaves huge gaps until the high-priced forensics folks let you know they can’t truly isolate the attack, or the perpetrator, or the malware, or much of anything, because you just don’t have the data. The good news is that you have likely been collecting security data for quite some time, and your existing investment and infrastructure should be directly useful for dealing with advanced attackers.



Sunday, April 21, 2013

10 tips to secure funding for a security program

Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers — ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily; and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.



Friday, April 19, 2013


As a crisis manager, you are responsible for the safety and security of both your employees and your organization. And when an emergency strikes, you are expected to carry out your business continuity plan effectively while keeping the big picture in mind. Among other things, you should record and share your business continuity plan with your management team, connect with local public agencies, maintain clear goals, and be prepared to ask the right questions as an incident unfolds. Above all, you should strive to be prepared, flexible, and compassionate in all aspects of your crisis response, knowing that employees, customers, and your community are counting on your strong leadership when crises strike.


Sunday, April 14, 2013

Group of Security Experts Across Multiple Industries Discuss Practical Ways to Leverage Simulated At

Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training solutions, today released a new report from leading Chief Security Officers (CSOs) and security experts that discusses how simulated phishing attacks can be an effective security awareness and training tactic to help companies educate employees how to avoid growing cyber security threats. This report gathers and analyzes the front line observations of security leaders from the major vertical sectors—such as finance, manufacturing, health, and entertainment—who have used a relatively new approach to user awareness: simulated attack training. The report discusses how practicing CSOs from Fortune 500 companies maximize the strengths and avoid the pitfalls in what can be a controversial, but is a very effective, method of training users to avoid being phished: learning by experience.


Thursday, April 11, 2013

Detection, response key to effective security

While security is generally top of the IT department’s agenda, and it is the IT department’s role to secure a business’ systems and data, many security weaknesses are unwittingly caused by these same people who are responsible for securing a network. This was the result of research conducted by security software company Kaspersky Lab, says Danny Myburgh, MD of Cyanre, and is the result of the IT department’s focus on keeping IT working, and because they are caught between the business needs of securing devices and data and the increasing demands for mobility.


Sunday, April 07, 2013

Pandemic Cyber Security Failures Open An Historic Opportunity For Investors

Research conducted by the National Security Agency (NSA), in conjunction with the Department of Defense, FBI, Department of State, local law enforcement, civilian security agencies, and large security providers such as Mandiant and McAfee, has shown that government and industry alike suffer from poor security practices. The result of the research, published by the Center for Strategic and International Studies at the request of Congress, led to the establishment of the Top 20 Critical Security Controls for government and private networks alike. Indeed, the NSA recommended security practices conjoin many top traditional security practices already codified in leading professional security standards such as National Institute of Standards and Technology (NIST) 800-53. The alarming aspect of the study is that while competent security standards for protecting America’s networks and systems had already been developed, the standards have been poorly implemented across the country.



Saturday, April 06, 2013

A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them.

Last month Heckman, a researcher for the non-profit IT research corporation MITRE, gave a talk with fellow MITRE researcher Frank Stech at Purdue’s Center for Education and Research in Information Assurance and Security and described a cyber war game scenario MITRE played out internally in which she and Stech tried an unorthodox defensive strategy: Instead of trying to purge a Red Team of hackers from a Blue Team’s network they were defending, Heckman and Stech let the attackers linger inside, watched them, and fed them confusing misinformation. Although both Heckman and Stech declined to talk to me about their lecture, the presentation (video here) suggests an alternative approach to what the cybersecurity industry calls “advanced persistent threat” (APT) hackers–state-sponsored, sophisticated intruders who have penetrated hundreds of corporations and government agencies in recent years and siphoned vast amounts of information.



Friday, April 05, 2013

Is There Any Real Measurement In Monitoring?

Almost as soon as “Big Data” came along, there was someone to explain that it wasn’t the size that mattered; it was how you used it. Vendors touted their “line speed” or their ability to do all their analysis in-memory (since writing to disk tends to slow down the pipe a lot). We’ve known for a long time that stateful firewalls, IDS/IPS and web application firewalls magically get a lot faster if you turn enough high-level checks off. Vendors also tout the number of inputs that go into their offerings: how many other security technologies they integrate with (where “integrate” may just mean “we consume syslog, CSV and XML”). If you want to get fancier than just saying what data formats you accept, you can say you have an API, regardless of how many other tools actually use it.


Sunday, March 31, 2013

Assurance Doesn’t Come In A Box

My colleague’s talk revolved around the need for the project to provide a suitable level of assurance; the audience sat and listened in attentive silence, seemingly fully engaged. A lone voice called out, “This assurance, is it software we can go out and buy?” But I think the fact the question was asked reveals a lot about how cyber security is seen in many organizations. You buy a software or hardware solution to address a potential problem and that’s all there is to it. ... That idea is akin to saying windscreen wipers on your car make it safe to drive in all weathers, then never worrying about when to use them, when to have them go back and forth intermittently or continuously, when to replace the wiper-blades or whether you can still drive at 70mph down the motorway in torrential rain and blizzards.


Monday, March 18, 2013

Security Think Tank: Context-aware security saves time

Context-aware computing is not a new idea; everything from the search engine you are probably sitting in front of to the mobile phone in your pocket uses it at its most basic level. The origin of the phrase comes from the human idea of studying a piece of text and bringing to bear the other things that you know about the words on paper; from the author’s life story to the facts about its setting. In fact, security teams are overworked generally and even very large companies are seeking to outsource some elements of the process. By embracing context-aware security devices, operational savings can be made through a reduction in response times and an increased likelihood of the correct decision being made during an incident.


Sunday, March 10, 2013

Does your Incident Response Plan include “The Dark Side of the Internet”?

Integral to this effort is the process of each client learning from the incident and updating their security incident response plans accordingly. One thing that you generally don’t yet find in most such plans is crossing over to the “dark” side of the internet – but moving forward I think it’s likely you may.


Wednesday, March 06, 2013

This Research Paper Explains How to Predict the Next Arab Spring and Cyber Attacks

James Clapper, director of national intelligence, explaining to a congressional committee in February 2011 that he believed U.S. intelligence agencies had done the best they could to track the Arab Spring protests. Here’s what we do know: Some incidents will incite violent protest, political and social upheaval, or set off a barrage of cyber attacks. Researchers at Sandia National Laboratories have developed an early warning system that will alert officials to politically motivated cyber attacks or other threatening activities around the world.


Hot security skills of 2013

Most successful CSOs will tell you it was a unique mix of skills that propelled them to their current position. Technical background is important, certainly, but practice in the business and excellence in communication are paramount for any CSO truly worthy of a place in the C-suite. We don’t expect that to change any time soon. But every few years, a few super-hot skills get added to the mix, ones that will make you even more attractive (to your company and to future employers) and keep you on top of your game. Familiarity with both information and physical-security technologies is important at the highest rung of the security ladder, according to Carl Young, CSO of Stroz Friedberg, a global digital-risk-management and investigations firm.


Tuesday, February 19, 2013

Offensive Cyber: Superiority or Stuck in Legal Hurdles? | Defense News |

In recent years, offensive cyber operations have attracted significant interest from the non-Defense Department academic legal community, prompting numerous articles seeking to create a legal theory for cyber conflicts.  At a time when the United States has already lost an estimated $4 trillion in intellectual property as a result of foreign cyber espionage, not to mention the loss of military advantage, focusing on what the United States cannot do in cyberspace only hinders efforts to defend the country from future cyber attack. The theoretical framework for an emerging cyber law under development by the legal community uses analogies from international law, such as the laws of the high seas and international commercial air treaties.