[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* How to safely access and navigate the Dark Web
* SWIFT to Banks: Who You Gonna Call?
* Hackers bombard aviation sector with over 1,000 attacks per month
* Main issues involved in the EU’s cybersecurity agenda
* Malware on ATMs: Dh7.3 million gone
* Why lawmakers are trying to make ransomware a crime in California
* Five tips for convincing your CEO to focus on business continuity
* GSA Accidentally Releases Google Drive Items Premium Content
* FCC Rules Reconcile Speech and Privacy, Must Support Security Research
* EU Approves Revised Pact For Data Transfer With US
* Data security and breach notification in Austria
* 5 Big Data Security Mistakes Your Startup Must Avoid
* How to close the PLC security gap
* Shadow IT: Friend or Foe?
* Which non-technical skills are most important to a career in security?
* Software Defined Security: Going Beyond Traditional Measures
* DOE proposes $15M fund to fight energy sector hacks
How to safely access and navigate the Dark Web
Here’s how to safely access and browse the Dark Web:
Step 1: Plan ahead.
Step 2: Obtain a new USB flash drive.
Step 3: Prepare your local machine.
Step 4: Download Tails and TOR.
Step 5: Browse safely.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7bcd63c5e1&e=20056c7556
SWIFT to Banks: Who You Gonna Call?
The bank-owned, Brussels-based SWIFT cooperative, formally known as the Society for Worldwide Interbank Financial Telecommunication, announced the launch of the new team on July 11 as part of a customer security program unveiled by CEO Gottfried Leibbrandt in May.
The program was a reaction to persistent security criticism leveled at SWIFT in the wake of the $81 million heist from Bangladesh Bank earlier this year – in which attackers used fraudulent SWIFT messages to drain funds from the bank’s Federal Reserve of New York account – and several other, similar incidents involving other banks.
SWIFT says its new forensics and customer security intelligence team will gather and feed anonymized intelligence to SWIFT-using banks to help them spot and block attacks.
The team will also offer assistance to any banks conducting internal investigations on attacks that appear to be related to SWIFT’s products or services, in part, by conducting in-depth digital forensic investigations, backed by the two cybersecurity firms that have extensive experience in offering post-breach incident response services to hacked organizations.
To share attack intelligence, however, SWIFT first needs more hacked banks to come clean.
To date, at least six banks that have confirmed or suspected SWIFT-related hack attacks have come forward, although anecdotal reports say that a dozen or more related investigations may now be ongoing.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc9f7c9170&e=20056c7556
Hackers bombard aviation sector with over 1,000 attacks per month
In the US, Turkey, Spain, Sweden and recently in Poland, aircraft infected with malware or security breaches have provoked delays, loss of information and a wave of growing concern among public authorities, regulators and the industry.
In one of the clearest indications to date of the magnitude of the challenge, Tytgat said aviation systems were subject to an average of 1,000 attacks each month.
Brian Moran, Boeing’s Vice-President of Government Affairs for Europe, highlighted the “importance” of transatlantic cooperation on the matter.
At European level, the response will take shape in EASA’s new cybersecurity centre, Tytgat indicated.
The Aviation Computer Emergency Response Team (AV-CERT) will help understand the nature of the threats, collect evidence of previous cyber attacks, identify security flaws and vulnerabilities, analyse and develop responses to cyber incidents or vulnerabilities – whether workarounds, recommendations, or technical solutions.
According to Tytgat, the EASA and the FAA are drafting a common position “very urgently” as a contribution to ICAO’s proposal.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bb466cf96e&e=20056c7556
Main issues involved in the EU’s cybersecurity agenda
Three main issues are combined in the modern EU cybersecurity agenda: stepping up cooperation among EU states, creating a European cybersecurity single market, and establishing a cybersecurity public-private partnership.
The Commission clarified the EU cybersecurity issues concerning all member states for a long-term period.
The Commission proposed a new series of measures to reinforce cooperation to secure Europe’s digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.
The Commission’s measures to further strengthen Europe’s cyber resilience and its cybersecurity industry will include:
– Step up cooperation across Europe
– Support the emerging single market for cybersecurity products and services in the EU
– Establish a contractual public-private partnership (PPP) with industry
I. Cybersecurity cooperation.
The Commission has already proposed steps on cybersecurity cooperation: e.g.
EU Cybersecurity Strategy and the forthcoming NIS Directive lay the groundwork for improved EU-level cooperation and cyber resilience.
However, the threat level is constantly evolving and handling a large-scale cyber incident involving several EU states simultaneously will be challenging.
EU level cooperation is therefore essential for dealing with both a possible large-scale cyber-attack in several EU states and smaller-scale but potentially more frequent cyber incidents.
Currently knowledge and expertise on cybersecurity is available in a dispersed and unstructured way.
To support the NIS cooperation mechanisms, the aim of an information hub is to pool this information and make it more easily available on request to all EU states.
This hub would become a central resource allowing efficient information exchange among EU institutions and the states.
The Commission, supported by ENISA, CERT-EU and with the expertise of its Joint Research Centre, will facilitate the creation and ensure the ongoing sustainability of the hub.
The Commission also proposed the cybersecurity training: according to different estimates the demand for the cybersecurity workforce will rise to 6 million globally by 2019, with a projected shortfall of 1-1.5 million workers.
Public authorities have a role to play in verifying the integrity of key public network infrastructures such as telecoms or energy smart grids, to detect issues, inform the party responsible for these networks and, if needed, provide assistance in fixing known vulnerabilities.
II. Cybersecurity single market.
The European Commission proposes market measures related to cybersecurity, as Europe needs high-quality, affordable and interoperable cybersecurity products and solutions.
However, the supply of ICT security products and services within the single market remains very fragmented geographically.
On the one hand, this makes it difficult for European companies to compete on the national, European and global level; on the other, it reduces the choice of viable and usable cybersecurity technologies that citizens and businesses have access to.
No single EU country alone can overcome this fragmentation to help the industry achieve the economies of scale on a European level.
Therefore it is relevant to have an EU certification framework for ICT security products as certification plays an important role in increasing trust and security in products and services.
National initiatives are emerging to set high-level cybersecurity requirements for ICT components on traditional infrastructure, including certification requirements.
The cybersecurity sector depends a lot on innovative SMEs, and the problems affecting investment in this area weigh heavily on the capacity to develop the European cybersecurity industry.
The innovative SMEs in the field are often unable to scale up their operations because of a lack of easily available funding to support them in the early phases of development.
Companies also have limited access to venture capital in Europe and their available budget for marketing to improve their visibility, or to deal with different sets of standardisation and compliance requirements, is inadequate.
About 75% of respondents to the recent public consultation on cybersecurity felt they lacked sufficient access to financial resources to finance cybersecurity projects and initiatives.
III. Cybersecurity Public Private Partnership.
Establishing a Public-Private Partnership (PPP) on cybersecurity in the area of technologies and solutions for online network security is one of the 16 initiatives put forward in the Commission’s Digital Single Market strategy.
Specific gaps persist in the fast-moving area of technologies and solutions for online network security and a more joined-up approach can help step up the supply of more secure solutions by industry in Europe and stimulate their take-up by enterprises, public authorities, and citizens.
The PPP on cybersecurity will:
· build trust among Member States and industrial actors
· align the demand and supply sectors for cybersecurity products and services
· develop common, sector-neutral and replicable building blocks
The European Cyber Security Organisation (ECSO) was launched on 13 June 2016 in Brussels.
ECSO is a fully self-financed not-for-profit association (ASBL) under Belgian law.
It is industry-led, with members including large European companies, SMEs and startups, research centres, universities, clusters and associations as well as local, regional and national administrations from the EU and European Economic Area (EEA) and the European Free Trade Association (EFTA) and Horizon 2020 associated countries.
The founding members are the European Organisation of Security, Alliance pour la Confiance Numérique, Guardtime acting for the Estonian Association of ICT, and Teletrust.
The partnership agreement is signed today in Strasbourg.
Further information about the association will be made available at http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b95d079ac0&e=20056c7556.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f23df50f04&e=20056c7556
Malware on ATMs: Dh7.3 million gone
Thieves suspected of installing a computer programme that got cash machines in Taiwan to churn out more than $2 million (Dh7.34 million) were being hunted by police on Tuesday, officials said.
The masked robbers ransacked more than 30 ATMs at the Taipei-based First Commercial Bank, walking away “with bags packed with cash”, the bank said in a statement.
Surveillance images showed “two men wearing face masks and hats walking away with bags packed with cash directly withdrawn from ATMs”, First Commercial said in the statement.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=544968f59e&e=20056c7556
Why lawmakers are trying to make ransomware a crime in California
State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.
The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.
So far, the bill has faced no opposition in the Assembly, and must be sent to Gov. Jerry Brown’s desk by the time the Legislature adjourns at the end of August.
But security researchers said the cases would be difficult for any one law enforcement agency to pursue — attacks can be launched from servers spread across multiple countries.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9b9c3b87a6&e=20056c7556
Five tips for convincing your CEO to focus on business continuity
1) Competitors: ‘They’re doing it…’
Your CEO isn’t going to take kindly to his/her key competitor having a better business continuity plan than theirs, so exploit that: show them the facts.
Just as Steve Jobs once said, “a lot of times, people don’t know what they want until you show it to them”.
2) Case studies
When it comes to business continuity, we’re talking about presenting hard facts and real life situations on what happened to the company down the road during that emergency.
3) Desktop simulation
A really great way to introduce some tests and first-hand experience is via desktop.
If your CEO is the sort of person who loves seeing results straight away, this is the way to go.
4) Flaunt your intranet!
If your company has adopted the intranet (whether it’s in active use or not), this is a fantastic platform for you to promote your ideas and message around resilience: and for free.
It’s also going to be a way to get the team using the platform for news and information themselves.
5) From the floor boards up
Nothing says ‘listen to me’ like a good old-fashioned viral campaign.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4098e56a16&e=20056c7556
GSA Accidentally Releases Google Drive Items Premium Content
Between October 2015 and March 2016, more than 100 Google Drive items in use by 18F, part of the General Services Administration, were accidentally made available to people both inside and outside GSA, according to a May report by the Office of the Inspector General at GSA.
According to 18F, in October 2015, one of its Slack administrators enabled an option in the program that would let it automatically generate document previews when employees share Google Drive documents and items on Slack.
The option is commonly used in many organizations.
However, for the previews to be created and made searchable, Slack puts the files in its databases.
The report characterizes the incident as a data breach.
The 18F blog post says, “Enabling this integration was a mistake, but the consequences were not a data breach or hack.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7167f0a54e&e=20056c7556
FCC Rules Reconcile Speech and Privacy, Must Support Security Research
Last week, CDT submitted its second set of comments to the Federal Communications Commission (FCC) as it considers a new rulebook for protecting consumer privacy in the use of broadband.
The FCC’s Notice of Proposed Rulemaking (NPRM) on this issue is an important first step towards providing broadband consumers with the assurance they need that their ISP will not track their online activities – the websites they frequent, the apps they download, the searches they perform – or sell that information to third parties without their knowledge and consent.
CDT previously submitted comments in this rulemaking process.
While the proposed rule permits sharing customer data for network management purposes without opt-in consent, it does not provide security researchers with sufficient access to CPNI and PII in order to protect customers’ safety and security online.
CDT argues that a narrow exemption for researchers to access CPNI and PII without customer approval is necessary to keep the Internet in good health.
Such an exemption could be narrowly crafted to limit the amount of sensitive data accessed by researchers and requiring researchers to protect research data, ensuring that broader consumer privacy rationales are not undermined.
We think it’s important for the FCC to provide an explicit security research exception to send a clear signal that protecting our broadband network infrastructure and applications is valuable and should continue in the future.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f95bcb2a59&e=20056c7556
EU Approves Revised Pact For Data Transfer With US
A new commercial data transfer pact between the US and European Union was given the green light from the EU, replacing the earlier accord known as Safe Harbour, reports BBC News.
It will now be formally adopted early next week, said European Commission Justice Commissioner Vera Jourova.
The approval of Privacy Shield has ended months of uncertainty for many tech companies including Google, Facebook and Apple.
However, there are concerns from some quarters over the revised pact: digital rights group Privacy International (PI) says “the new Privacy Shield remains full of holes and hence offers limited protection to personal data.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f61c9f15e8&e=20056c7556
Data security and breach notification in Austria
The Data Protection Act sets out technical and organisational measures that data controllers must undertake to secure personal data against:
unauthorised access;
accidental or unlawful destruction, manipulation, disclosure and transfer; and
other unlawful processing.
The data controller must inform the data subjects concerned in an appropriate manner as soon as it becomes aware that data under its control has been systematically and seriously misused and such misuse may cause the data subjects to suffer damages.
The disclosure obligation does not apply if only minor damage is likely to occur and the costs of disclosure would require disproportionate effort.
The data controller must inform only the natural and legal persons whose data is affected by the breach; there is no general obligation to notify the Data Protection Authority.
However, telecommunications operators are obliged to directly inform the Data Protection Authority in such event.
In general, the DSB is competent for the enforcement of Austrian data protection law.
Anyone may submit a claim to the DSB for a violation of privacy or data protection law by a data controller or processor.
The DSB may conduct onsite audits (although these are uncommon) or request clarification from the data controller or processor in order to verify the concerns (the most common course of action).
To ensure compliance with the Data Protection Act, the DSB may issue recommendations to remedy the violation within a reasonable period.
If a DSB recommendation is not met within this period, the DSB may:
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8920a105b6&e=20056c7556
5 Big Data Security Mistakes Your Startup Must Avoid
Mistake #1: Relying on Antivirus and Firewalls Only
Mistake #2: Not Understanding the Threat
Mistake #4: Assuming That a Data Center Isn’t Right for You
Mistake #5: Not Using Encryption
Data protection needs to be a primary concern of any startup from day one.
It is not something that can be dealt with “later,” or managed with consumer-grade tools.
To ensure the success of your business and prevent unnecessary costs that could irreparably harm your company, make data security and protection a priority and avoid these major mistakes.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=92f425fbb4&e=20056c7556
How to close the PLC security gap
About the author
Alan Morris is consulting engineer at Morris and Ward in Chevy Chase, Maryland.
Contact him at morris.ward@verizon.net.
An industrial control system (ICS) is used to control equipment in a local area such as a production plant, while a supervisory control and data acquisition (SCADA) system is used to control equipment in a wide geographical area such as an electric power grid.
A SCADA system may be thought of as a subset of ICS.
Malware has been developed by hackers, such as the Dragonfly and Havex hacker groups, to attack the ICS of critical facilities, to destroy equipment and threaten human life.
The attacks can be carried out by nation-state and non-state hacker teams with little or no risk of detection or attribution.
Critical facilities include, for example, nuclear power plants, hydroelectric dams and oil/gas pipelines.
An example of a destructive malware incident is the 2010 Stuxnet malware attack on the ICS of the Natanz nuclear enhancement plant in Iran.
There, Stuxnet was designed to alter the programming stored on the memories of the PLCs of the Natanz ICS, to cause dangerous changes in rotational speeds of the refining centrifuges, causing 1,000 centrifuges to destruct.
Facilities seek to protect their control systems against malware attack with defensive software, including firewalls and whitelisters.
Hacker teams have computerized methodologies, such as fuzz testing and using Shodan, to find connectivity paths and zero-day faults through which to reach their targets of rewriteable PLC memories.
The rewriteable memories of PLCs are fixed in place on a circuit board of the PLC, are programmed in place and are reprogrammed in place.
When, instead, non-rewriteable memories are utilized in PLCs, the PLC must be configured such that a programmed non-rewriteable memory can be inserted into or removed from an exterior socket on the PLC.
The non-rewriteable memories of a new-design PLC must be removable and insertable, using connecting sockets in the PLC.
The memory connecting socket is necessary because, once programmed, the program stored on the non-rewriteable memory cannot be rewritten.
If change of programming for the memory in a PLC is needed, a new non-rewriteable memory will need to be programmed and taken by the technician to the PLC, for insertion in the socket of the PLC.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=616ffaa224&e=20056c7556
Shadow IT: Friend or Foe?
Shadow or stealth IT doesn’t really lurk in the darkest corners of our organizations.
On the contrary, shadow IT hides in plain sight.
We see it every time one of our colleagues pulls out their personal smartphone or tablet and uses a free mobile app to share confidential business information across an unsecured network.
At that moment your business is completely exposed to hackers, cybercriminals and your competitors.
You’re almost certainly in breach of data protection legislation.
Worst case scenario, you find yourself on the wrong end of a lawsuit when angry customers take you to task because you failed to protect their personal data.
In truth, the biggest threat to a company’s data security comes from its own staff.
Careless employees, easy access to technology and lack of corporate guidance leaves many organizations dangerously and needlessly exposed to data breaches.
Identity governance tech firm SailPoint says that 71% of company employees have access to data they shouldn’t. 80% of data is unstructured and resides in multiple locations.
In 2015 the average organisational cost of a single lost file or stolen data record was $154 according to research by IBM and the Ponemon Institute.
That’s an increase of nine percent on the year before.
However, some data is worth considerably more to cybercriminals for identity theft and fraud purposes.
To maximize the potential gains from shadow IT and mitigate the risks businesses need to be smarter and more adaptable.
As more staff and businesses adopt Cloud solutions it only makes sense to keep your anti-malware and anti-virus software updated.
Rather than resisting the tide, businesses and IT departments should look at how they can safely embrace BYOD/BYOA (that’s Bring Your Own Device/Bring Your Own App) policies and procedures.
Companies must make more of an effort to communicate the benefits and dangers of using consumer-grade apps for work purposes.
Similarly, employees need to take a greater burden of responsibility for the technologies they bring into the workplace.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3f0076e6a2&e=20056c7556
Which non-technical skills are most important to a career in security?
As another school year comes to a close, I find myself reminiscing about the people I’ve interacted with over the last nine months, as they explored their interest in Information Security careers.
I’ve had the privilege of interacting with quite a few exceptional students who will be exceptional assets to any companies that are lucky enough to attract them.
While they all have excellent technical chops, there was something more that truly made them “sparkle”.
What is it these people had in common that made me feel that the industry would be so enriched by their presence?
-Thirst for knowledge
-Willingness to ask questions
-Loving the work for its own sake
-Creative self-promotion
-Communicating empathetically
-The courage to break stuff
-Willingness to say no
-The desire to help people
[A bit of self-promotion: if you want to see Paul’s skill matrix for SOC teams, let me know. It includes Security, IR and soft skills.]
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c4108e0179&e=20056c7556
Software Defined Security: Going Beyond Traditional Measures
Organizations today are evolving and rapidly adopting new technologies.
Whether introducing flexibility to their employees or new services to their customers, companies are redefining the organizational boundaries.
But what this brings is an increase in their threat footprint.
Organizations now need to look towards leveraging emerging technologies such as Software Defined Networking (SDN) in order to efficiently and dynamically address security threats and attacks.
The SDN controller can also make use of Network Function Virtualization (NFV) concepts, which allow for the deployment of sophisticated network functions in commodity hardware, managed through the application of service chaining.
This ensures that the traffic flows are dynamically directed to the right network elements if and when needed.
This overall model is described as Software-Defined Security (SDSec).
By leveraging technologies like SDN and NFV – and therefore advancing to an evolved security architecture – organizations can take advantage of the benefits and opportunities that were either not possible in the past, or were too expensive to be justified.
– Central management of security
– Efficient and dynamic mitigation of security threats and attacks.
– Hardware cost reduction.
– Use of existing network appliances.
– Dynamic configuration of existing network nodes for the mitigation of an attack.
– Harmonized view of logical security policies.
– Visibility of information from one source.
– Integration with sophisticated applications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4228efa36d&e=20056c7556
DOE proposes $15M fund to fight energy sector hacks
A proposed $15 million Energy Department fund announced Tuesday looks to improve the cybersecurity posture of the sector’s most vulnerable companies: smaller utility firms that typically supply energy to municipalities that operate with fewer resources than their bigger counterparts.
“We need game changing innovation in the [electrical grid cybersecurity] space,” Deputy Energy Secretary Elizabeth Sherwood-Randall said Tuesday at a Bloomberg cybersecurity conference in Washington, D.C.
Industry competitors are already sharing threat intelligence data and other security information amongst themselves and with the federal government, explained Marcus Sachs, senior vice president and chief security officer for the nonprofit North American Electric Reliability Corporation.
The next step is to include more voices in this ongoing and important conversation concerning the physical and digital security of critical U.S. infrastructure, said Suzanne Spaulding, Department of Homeland Security under secretary for the National Protection and Programs Directorate.
The proposed DOE fund, which is subject to congressional appropriations and could be as much as $15 million, will be managed and employed by prominent industry advocacy groups the American Public Power Association and the National Rural Electric Cooperative Association.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=638531b204&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=fe55969d00)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)