[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
Threat Intelligence within the Risk Management Process
This is the second post in a series exploring the relationship of threat intelligence and risk management. If you missed the previous one, wherein I briefly explained why these two should “swipe right” and get together, read that first. If you’re wondering what qualifies me to pontificate about managing risk, don’t worry; it’s on my resume. With the introductions out of the way, conditions are perfect to get down to business, and we’re going to kick it off by examining how threat intelligence fits within the risk management process.
NIST Special Publication 800-39 was developed to “provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.” Note that it’s a program for managing risk, not a specific process. Furthermore, NIST SP 800-39 isn’t an island to itself; SP 800-37 and 800-30 offer supporting guidance on applying the risk management framework in an ongoing process.
To be clear, SP 800-37 does make mention of threat information; it’s just buried in the details. Intelligence isn’t referenced in the document except in relation to the framework being used within the intelligence community. The word “threat” isn’t used at all in the guidance for categorizing information systems, but I’ll go ahead and make the recommendation that you should hook intel ops into this step if you’re using SP 800-37. Your categorization of the system will be more effective if you conduct it in light of what you know about adversaries that might try to exploit it. Inviting intelligence ops to the party early will also help during the next few steps, where the concept of threat knowledge is actually mentioned. That basically boils down to selecting, implementing, tracking, and updating controls based on the current knowledge of the threat environment that only an intelligence capability (whether internal or external) can provide. I’m in full agreement there.
ISO/IEC 27005 “provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system according to ISO/IEC 27001.” I prefer ISO 27005 to NIST 800-39 from a pure presentation/organization perspective, but that’s probably just because I have more practical experience working with it. Both processes are very helpful and actually share many similarities once you learn the basic lingo of each.
Risk assessment is a sub-component of the overall risk management process. NIST 800-39 and ISO 27005 both include it and emphasize its importance. There are quite a few points of contact between threat intelligence and risk assessment, so much so, in fact, that I think it deserves separate treatment. We’ll pick this up in the next post to make sure we give it due justice. Until then, I wish you all well on your journey toward intelligence-driven risk management.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e01cbb50fe&e=20056c7556
Webinar Recap: Using Open Source Threat Intelligence to Enhance Physical Security
The first step in evaluating the value and applicability of threat intelligence stems from defining your priorities and assessing your risk profile in different areas. For example, energy producers may have significant concerns around assets and employees in far-flung locations, whereas a hedge fund might be primarily focused on the physical safety of a few key individuals and their families. Understanding your priorities, and allocating resources correctly, is a key first step to understanding where and how to best apply open source threat intelligence.
Once you’ve determined your organization’s needs and which sources are best for intelligence gathering, it’s time to put that information to work. Here are some best practices for implementing threat intelligence to enhance your physical security program:
1. Assess online exposure
2. Claim online real estate
3. Expunge personal data
4. Limit sharing
5. Educate executives and their families
6. Visualize the data
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dfae45df0b&e=20056c7556
Adobe issues urgent Flash patch to prevent hacking attacks
The bug, which affects how Flash Player plays video files, lets an attacker use a carefully made video file to seize control of a user’s computer. It was made public last week by security research firm FireEye, who discovered the flaw and reported it to Adobe. The publisher has now made a patch available, which can be downloaded using the auto-updater included with Flash.
Installing the latest version of Adobe Flash will leave the system secure once again.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f63e34356c&e=20056c7556
Europol and Barclays Shake Hands on Cybercrime Fighting Agreement
Europol is making some serious moves in its efforts to fight cybercrime as efficiently as possible, and apart from sealing partnerships with security companies, the agency has started collaboration with Barclays financial institution.
On Monday, Europol announced that its European Cybercrime Center (EC3) signed a Memorandum of Understanding (MoU) with the company, thus taking a first formal step towards possible tighter cooperation in the future.
Troels Oerting, former head of the EC3, now CISO (Chief Information Security Officer) at Barclays Group, said that technological developments cause financial services to go through numerous changes that open the door for both opportunities and challenges.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59d9ba9a5f&e=20056c7556
Using Actionable Intelligence to Prevent Future Attacks
Traditional approaches to security are typically “spray-and-pray”: they provide controls that block known bad activity, usually with limited follow-up or additional investigation after a breach.
More sophisticated organizations are deploying technologies such as sandboxing that can detect and block unknown attacks which havenât been seen before. In the moments after a breach, security teams will often focus on the event itself, but not draw additional insight from the attack, or analyze the events surrounding it.
These approaches can miss a fundamental truth of advanced attacks: they are not “point-in-time” activities, but sets of events that could occur over weeks, or potentially months or years. Advanced attackers will conduct a wide range of activity, such as in-depth reconnaissance, initial probes, small-scale infections to deliver second- or third-stage malware, and much more. The breach itself is the culmination of a continuous set of activities conducted over an extended period of time. Each and every step in this process, often referred to as the cyber attack lifecycle, represents another chance to detect and prevent the adversary.
The good thing is you are not alone in this battle. There are a variety of public sources, information sharing organizations, vendor research releases, and analytics services to help bootstrap your adversary intelligence. The more information you gain and the better you get at analyzing it, the more you can craft your security policy to prevent the specific adversaries that are likely to go after your organization. When a breach occurs, take it as an opportunity to step back and examine the wider context of who is attempting to breach your network and what you can do to prevent it in the future.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e922db5e86&e=20056c7556
Network And Information Security: Breakthrough In Talks With European Parliament
On 29 June 2015, the Latvian presidency of the Council reached an understanding with the European Parliament on the main principles to be included in the draft directive on network and information security (NIS). These principles will then need to be turned into legal provisions to allow for a final deal on the directive at a later stage. The presidency will present the outcome of this fourth trilogue to member states’ ambassadors at the meeting of the Permanent Representatives Committee on 30 June.
The new rules will require designated operators that provide essential services (in areas such as energy and transport) to take measures to manage risks to their networks and report incidents to authorities. Member states will identify such essential operators to be covered by the directive, based on clear criteria laid down in the text. Particular provisions will be introduced to avoid fragmentation in the identification of operators across member states. However, these are not to undermine member states’ prerogatives or security concerns.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=66452229df&e=20056c7556
Boston Police Deploy Intergraph® Records Management System
HUNTSVILLE, Ala., June 29, 2015 /PRNewswire/ — Boston Police Department has deployed an enterprise information management system from Intergraph® for all police report and crime data. The new system, featuring Intergraph’s inPURSUIT software, went live recently following a major, four-year project to plan, stage, configure and deploy the department’s first enterprise records management system.
The Intergraph solution replaces a 40-year-old, home-grown documentation system, providing police with an integrated, state-of-the-art technology for case management and reporting. Among the important capabilities enabled by the new inPURSUIT RMS system are master indices that tie individuals to multiple types of information, such as cases and addresses, providing police with more complete information regarding individuals under criminal investigation.
The integrated solution also includes Intergraph’s inPURSUIT Field Based Reporting (FBR), which allows officers to more efficiently capture report information and notes through an easy-to-use field application. The Intergraph software eliminates the need for pen-and-paper note taking and redundant data entry.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=703155d388&e=20056c7556
How to Determine Your Company’s Cyber-Exposure Profile [Slideshow]
The 2015 business environment requires enterprises to build and sustain an online presence for their customers, potential customers and partners. However, as each new Website, service or blog comes online, it opens a new potential attack surface for criminals. When cyber-thieves focus on your company, and it’s sure to happen at some point, what will they learn through your online presence? To be able to look at itself from the outside in, like a skilled adversary, an enterprise should build and maintain a thorough cyber-exposure profile. A well-designed profile provides the visibility needed to help organizations prioritize their most serious issues, remediate problematic infrastructure and protect their reputations. Development of this profile is important because it identifies an organization’s critical-resource exposure and potential attack vectors; it also prioritizes the level of risk associated with each. This eWEEK slide show discusses how to create a cyber-exposure profile and anticipate risks before they become huge problems.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6da7119b7b&e=20056c7556
US veterans agency in cyber counterattack
With the help of a new Department of Homeland Security system that blocks certain hacks, the VA has seen the number of attempts to install malware on its computer systems cut down by half to 574.7m in May. The number of intrusion attempts stabilised to about 336.5m incidents, said Mr Warren. The VA provides services and benefits to military veterans.
As the software system is rolled out across government departments, it could help other agencies combat cyber threats more effectively as attacks against the US grow in number and sophistication. The severity of the attacks is becoming worse, as highlighted by a recent breach at the Office of Personnel Management that has been blamed on China.
The VA was one of the first civilian government agencies to obtain the latest version of Einstein, the DHS cyber protection system. The DHS has accelerated deployment of Einstein, which is now used at 15 agencies that make up about 45 per cent of the civilian government.
Einstein is a signature-based system so it can only block attacks that it already knows about. The DHS is working on another version of Einstein that would be able to block intrusions that have not previously been encountered.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d29a1bc0a5&e=20056c7556
MIT invents automatic security vulnerability fix by borrowing code from other software
The CodePhage system is able to detect dangerous bugs in software, and then repair it by importing security checks from software with similar specifications, even if the software is written in a completely different programming language.
Even better, the system doesn’t need to access the source code of other programs in order to borrow functionality so it can fix the bugs, so all source code is kept safe.
CodePhage works by taking two types of input, one that caused the program to crash, and one that works just fine, and then seeing how the donor program it is borrowing code from responds to the input.
The system analyses how the donor program deals with the input that works fine; if the program has been written in a secure way, it will perform various checks, such as seeing how big the size of input is.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=409fac944b&e=20056c7556
Apple Patches Dozens of Flaws in iOS 8.4, OS X 10.10.4
Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS kernel, WebKit, and CoreText. Apple also patched the vulnerability that leads to the Logjam attack, an issue with servers that support weak Diffie-Hellman cryptography. To fix that issue in iOS, Apple released a patch for the coreTLS component of the operating system.
As for OS X, Apple patched many of the same bugs that were present in iOS, along with dozens of others, for a total of more than 75 flaws in all. OS X 10.10.4 includes patches for several buffer overflow vulnerabilities in the Intel graphics driver, some of which could lead to code execution. Apple also fixed a number of memory corruption bugs in QuickTime that could be used for code execution.
In both iOS and OS X Apple updated the certificate trust policy to address the CNNIC certificate issue, among other problems.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b2b5f02043&e=20056c7556
Watch Hackers Exploit A Common Crypto Cock-Up In GoPro That Leaves All User Data Vulnerable
FORBES was contacted by Pentest Partners late last week when the firm claimed it had uncovered a problem in GoPro Studio, the playback and editing tool available to GoPro’s millions of users. Ken Munro, a partner at the ethical hacking firm, said he’d poked around the update mechanism for the desktop tool when an alert asked him to download the latest version of the kit, 2.5.5.
He found that after launching, GoPro Studio made requests out to the web asking for the update over an unencrypted HTTP connection, allowing an outsider sitting on the same network, such as the same public Wi-Fi, to serve a response promising a higher version, even if one wasn’t available. This would be recognized by the software, which would then offer the user the chance to download a new version. As the updates served by GoPro are also delivered over unencrypted traffic, an attacker could serve a fake download to launch malicious code on the victim’s PC.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c25c0df934&e=20056c7556
Mining executives wary when doing business with China due to increasing cyber security risk
Australian mining companies say they are becoming increasingly aware of hackers trying to gain access to their sensitive information, with some executives now taking extra precautions when doing business in China.
A report by Ernst & Young (E&Y) on the biggest risks faced by miners has, for the first time, listed cyber security as one of the top concerns facing the industry.
But an E&Y study carried out last year found 65 per cent of mining companies had experienced an increase in cyber threats over a 12-month period.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d99108c769&e=20056c7556
Researchers expose Dino, espionage malware with a French connection
Security researchers at ESET in Bratislava, Slovakia have published an analysis of another apparently state-sponsored cyber-espionage tool used to target computers in Iran, and potentially elsewhere. The malware, also recently mentioned by Kaspersky researchers, was named “Dino” by its developers and has been described as a “full featured espionage platform.” And this advanced persistent threat malware, according to researchers, might as well come with a “fabriqué en France” stamp on it.
Based on analysis of Dino’s code from a sample that infected systems in Iran in 2013, “We believe this malicious software has been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and Babar malware,” ESET’s Joan Calvet wrote in a blog post today. The Casper malware was part of a large-scale attack on Syrian computers last fall. “Dino contains interesting technical features, and also a few hints that the developers are French speaking,” Calvet noted.
While Dino and its cohorts don’t offer direct evidence of cyber-espionage by a specific French intelligence organization, they do suggest that France’s government is attempting to play on the same stage as the NSA and its “Five Eyes” counterparts in the United Kingdom, Australia, Canada, and New Zealand.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c63965ad28&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)