[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* Physical Identity and Access Management Critical for Stopping Insider Cybersecurity Threats
* Security Think Tank: All aboard as European data regulation nears final station
* Increasing adoption of cloud services primary driver of growth in global critical infrastructure protection market: research
* IT tools aid operations technology cybersecurity
* SMEs hit with 7 million cyber crime attacks per year in £5.26 billion blow to UK economy
* Looking for cyber culprits? Check the corporate directory
* #infosec16 SecurityAffairs awarded as Best European Personal Security Blog
* Suppliers join auto industry push to block hack attacks
* Mozilla will foot the bill for your open source software security audit
* MGT Capital Investments (MGT) Creates Cyber Security-Focused Hacker Advisory Board
* TeslaCrypt Decryption Tool
* The future of intrusion detection
* NIST Cybersecurity Framework Updates, Clarification Underway
* The Illusion Of An Encrypted Internet
Physical Identity and Access Management Critical for Stopping Insider Cybersecurity Threats
Insider breaches can take many forms; for example, a systems administrator who has been terminated on Friday may still be able to use credentials to enter the building on Saturday and delete files on the company’s server.
This is just one of a vast number of potential insider threats which make it difficult for organizations to reduce their risk.
The challenge is compounded when enterprises erroneously view breaches as isolated incidents when they are really the culmination of patterns of activity across multiple systems.
Expanding the data sources used for threat detection to all networked systems provides a wider perspective and is one key to combating insider threat.
Collecting data from multiple sources allows organizations to develop intelligence.
However, as the number of networked systems continues to grow, the virtual mountains of data make it impossible for even an entire department to sort through it manually to identify threats that could enable proactive measures.
The first step in gleaning security intelligence is to establish a baseline with data and metrics to provide a foundation for identifying anomalies.
Once a PIAM solution with predictive analysis capability is deployed, an employee exhibiting new patterns of access will rise to the top of an audit list.
Organizational policies can be put into place to automatically dispatch a security officer on (for example) the third instance of anomalous behavior.
Armed with relevant background data, this officer could potentially observe an incident in progress, such as an employee entering another person’s office to access information on their hard drive.
Without fully understanding the role of physical security and identity management within an organization, even the most robust, wide-ranging cybersecurity program cannot be as effective as possible.
PIAM solutions with predictive analysis bridge the gap between cyber and physical.
They allow organizations to gather data from IT, physical security, identity management and other systems, and cross-correlate to generate intelligence and detect anomalies that may indicate insider threats, enabling security and management to prevent incidents.
The most effective way to identify and potentially thwart the wide variety of potentially damaging data breaches from both inside and outside of an organization is for physical and logical security to work in tandem.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1e2c3c3b13&e=20056c7556
Security Think Tank: All aboard as European data regulation nears final station
What is the role of information security professionals in helping organisations to ensure they are compliant with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018?
– Get management to take notice
– Be aware that European law crosses borders
– Learn the data protection lingo
– Know that privacy goes beyond security
– Build data protection into products and services
The clock has begun ticking on GDPR implementation.
Information professionals have a busy two years ahead of them.
When this train arrives, make sure your company is on board.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2376072676&e=20056c7556
Increasing adoption of cloud services primary driver of growth in global critical infrastructure protection market: research
Research analysts at Technavio predicted on Wednesday that the global critical infrastructure protection market – which includes technology (cyber and physical security) and physical security (software, alarms and notification systems, surveillance systems and access control systems) – would increase at a compound annual growth rate of more than 13% between 2016 and 2020.
Technavio noted in a statement that cloud-based services are deployed for a number of applications such as authentication, video management, and storing biometrics information. “The adoption of cloud-based services is on an upsurge in small and medium-sized enterprises compared to large enterprises, due to their cost-effective nature,” the statement said. “Furthermore, cloud-based security services offer flexibility and scalability to accommodate the varying needs of consumers.”
During 2015, the Americas occupied more than 41% of the market space to become the dominant shareholder in the global critical infrastructure protection market, Technavio reported.
However, the growth of the market in this region is expected to witness a decline because of the early adoption of critical infrastructure protection solutions during the forecast period.
Currently, access control systems – which grant access to employees to protected areas only when their identity matches the information stored in the organization’s database – account for almost 40% of the overall market share to dominate the global critical infrastructure protection market.
During 2015, the physical security segment (which includes software, alarms and notifications systems, surveillance systems and access control systems) dominated the market, accounting for more than 64% of the market share. “The growth of the access control systems market can be attributed to the increased adoption of access control systems to prevent unauthorized access to data and facilities,” the statement said. “The growing adoption of advanced technologies such as multifactor authentication and multimodal biometrics is expected to further fuel growth in this segment by 2020.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9785803814&e=20056c7556
IT tools aid operations technology cybersecurity
Some of the best ways to improve security on the plant-floor come from experts in information technology.
Dicharry reports that BASF organizes and segments its networks into two main categories: IT/business that handles enterprise resource planning (ERP); and OT/engineering that includes its management execution system (MES), process control systems (PCS), communications and wireless.
To protect these networks, it uses a four-part strategy:
Prevent, including awareness and training, firewall rules, asset database and governance, risk-management and compliance (GRC) tools;
Protect, including a business systems requirements analysis (BSRA) and optimization program, solutions catalog, detailed risk analysis, Level 3 server for patch management, and an HBI cell;
Detect, including BSRA review, detailed RAs, threat intelligence, Level 3 server for vulnerability scans, and security monitoring; and
Response, including incident response and incident handling programs.
“We had some friction setting up our cybersecurity program, but it’s gotten much better in the past three years.
There’s much more understanding across the company now,” says Dicharry. “To develop our cybersecurity roadmap, we do RAs at all plants, so we’ll be ready if an incident does happen, and know our chain of command.”
Gary Williams, senior director of technology and cybersecurity at Schneider Electric, agrees that cybersecurity demands a mindset change because it isn’t a project that can be finished, and reports his company has developed a 10-step cybersecurity methodology.
Its main recommendations are:
-Adopt a standard such as ISA99/IEC62443
-Gather controls to collect and account
-Complete gap analyses
-Perform risk, threat assessment and prioritization that go beyond mitigating critical threats
-Execute mitigation
-Survey the complete system
-Store configuration files securely onsite and offsite
-Inform all stakeholders
-Verify security measures
-Educate
While it’s not easy to develop and implement cybersecurity strategies, there are a variety of system integrators and other resources that can help.
Besides adding secure hardware, Mallett adds that Russellville’s water/wastewater managers are also educating themselves and their staffs on good cybersecurity practices.
Underwriters Laboratories just started its Cybersecurity Assurance Program (UL CAP), which uses the new UL 2900 standards to offer testable cybersecurity criteria for network-connectable products and systems to assess software vulnerabilities and weaknesses, minimize exploitation, address known malware, review security controls and increase security awareness.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=415382a7df&e=20056c7556
SMEs hit with 7 million cyber crime attacks per year in £5.26 billion blow to UK economy
According to a report by the Federation of Small Businesses (FSB), these attacks cost around £5.26 billion to the UK economy.
While 93 percent of small firms are trying to protect their businesses, 66 percent had been the victim of cyber crime in the last two years.
The main culprit was phishing attacks, which were reported by 49 percent of respondents.
Spear phishing, a more targeted version of phishing, was reported by 37 percent.
Malware attacks were reported by 29 percent of the respondents.
Denial of service attacks had been experienced by 5 percent of respondents, while ransomware, becoming an increasing concern for businesses, hit 4 percent of respondents.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc9f98deab&e=20056c7556
Looking for cyber culprits? Check the corporate directory
This report analyzed profiles of 750 cybercrooks investigated by forensic specialists across 81 countries, and produced what it calls “the new face of fraud”:
• 69% were between the ages of 36 and 55.
• 65% were employed by the company that was hacked.
• 35% were executives or directors.
• 38% had been with the company for at least six years.
• 38% described themselves as well-respected in their company.
• 62% colluded with others in their crimes.
While personal gain was the predominant overriding motivation for committing fraud (60%), the sense of “Because I can” was third at 27%, according to the report.
a joint study by Experian Data Breach Resolution and the Ponemon Institute.
The study found that 55% of the companies surveyed have already experienced a security incident due to a malicious or negligent employee.
Sixty percent of companies surveyed believe their employees are not knowledgeable or have no knowledge of the company’s security risks.
Only 35% said senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.
To be sure, the usual reports about the growing magnitude of the threat and the certitude of being attacked keep surfacing.
Interestingly, a recurring theme through some of these reports is the need for cultural change within the organization.
That makes sense.
If the threats are internal, the defenses also need to be internal.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f3b916c024&e=20056c7556
#infosec16 SecurityAffairs awarded as Best European Personal Security Blog
The awards were assigned through a public vote and votes assigned by expert judges.
This year the jury of experts included Infosecurity Europe Hall of Fame member Jack Daniel, journalists Matthew Schwartz and John Leyden.
Below is the list of winners:
Best Corporate Blog – Malwarebytes Labs Blog
The Best European Corporate Security Blog – Sophos Naked Security
Best European Security Podcast – Securing Business
Best Security Podcast – Risky Business
Best Security Video Blog – Graham Cluley
Best Personal Security Blog – Jack Daniel’s Uncommon Sense Security
Best European Personal Security Blog – Security Affairs
Most Entertaining Blog – Troy Hunt
Most Educational Blog – Heimdal Security
Best New Security Blog – Info Sec Guy Blog
Best EU Security Tweeter – Mikko Hypponen
Grand Prix Prize for Overall Best European Security Blog – Bitdefender
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=95d8c56db4&e=20056c7556
Suppliers join auto industry push to block hack attacks
The Automotive Information Sharing and Analysis Center includes 15 automakers such as General Motors Co., Ford Motor Co., Toyota Motor Corp. and Honda Motor Co. plus supplier Delphi Automotive.
“The automotive industry understands they can’t do it alone,” acting Executive Director Jonathan Allen told The News in an interview. “You’ve got to work with the supplier community to deal with cyber risks.”
The group, which shares information on attempted hacking, hacking events and threats, also is talking to Google about joining, Allen said during the annual TU Automotive connectivity conference here.
Massimilla, in an interview on the sidelines of the conference, said a “significant amount of threat intelligence information” has been shared through the group.
Exact numbers and a breakdown of the events were not disclosed.
Massimilla said after its OnStar RemoteLink issue last summer, the automaker decided it needed a more formal way to interact with hackers or researchers, to develop relationships with them and learn of potential problems more quickly.
So it launched the GM Security Vulnerability Disclosure Program and uses the HackerOne website to receive information and to publicly recognize hackers on the site.
Massimilla said GM is the only major automaker to have such a program (Tesla Motors Inc. also does).
So far, it has received hundreds of submissions, and Massimilla said there has been “significant interaction and excellent results.” In the future as GM’s program grows, it may consider paying hackers a bounty for bringing information to the company, he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=79f7b01b1c&e=20056c7556
Mozilla will foot the bill for your open source software security audit
Mozilla has launched the Secure Open Source (SOS) Fund to give open-source software developers the revenue to pay for security audits.
The fund could play a part in preventing catastrophic security failures affecting widely-used open-source software in the future.
Heartbleed and Shellshock, for example, were dangerous vulnerabilities in OpenSSL and Bash respectively, which affected software and libraries used in a variety of applications.
Mozilla has allocated $500,000 in initial funding, which “will cover audits of some widely-used open source libraries and programs,” according to the organization.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=75606e15f7&e=20056c7556
MGT Capital Investments (MGT) Creates Cyber Security-Focused Hacker Advisory Board
MGT Capital Investments, Inc. (NYSE: MGT) announced the formation of a Hacker Advisory Board to help steer the Company’s technology in the ever changing field of cyber security threats.
The founding members of the board will be comprised of world renowned hackers Chris Roberts, Bryce Case and Alexander Heid.
Each board member comes with unparalleled insight into the types of threats the Company aims to combat through its acquisition and evolution of cybersecurity technology.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3e21ed6e05&e=20056c7556 (http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=67f3ce183e&e=20056c7556)
TeslaCrypt Decryption Tool
Talos has developed a decryption tool to aid users whose files have been encrypted by TeslaCrypt ransomware.
The Talos TeslaCrypt Decryption Tool is an open source command line utility for decrypting TeslaCrypt encrypted files so users’ files can be returned to their original state.
Version 1.0 is able to decrypt all the files encrypted by all versions of TeslaCrypt and AlphaCrypt.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=475cd2ad86&e=20056c7556
The future of intrusion detection
As it becomes increasingly difficult and costly to detect intrusions and quickly neutralize them, systems that do not rely on first detecting an attack to limit damage to a company will be added to the security stack.
One method is to reduce or obfuscate the attack surface itself so that target vulnerabilities cannot be found.
We’ll see increasing use by cyber security providers of hacker-type deception techniques.
Such prevention methods can be loosely grouped in a category known as Moving Target Defense (MTD).
In contrast to NIDS and HIDS, MTD continuously and persistently changes the attack surface, preventing the enemy from entering in the first place.
Cyber insurance is something that will probably receive increased attention.
More organizations will suffer from data loss, data leakage, sabotage and espionage as a result of breaches.
The damage from such events could be much higher than that of a traditional fire or theft event.
The cyber security arena will expand in all aspects: More data, more devices around us, more attack vectors and more cyber physical threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3d7eb2c58f&e=20056c7556
NIST Cybersecurity Framework Updates, Clarification Underway
The NIST Cybersecurity Framework will receive a minor update, which will include updating the informative references, clarifying guidance for implementation tiers, and placement of cyber threat intelligence in the core, according to a recent NIST announcement.
Furthermore, NIST will update its guidance for applying the Framework for supply chain risk management.
The updates and clarification follow NIST gathering feedback and suggestions from various industry stakeholders over the past two years.
A draft of the next Framework version will be available for comment in 2017.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5915f846a2&e=20056c7556
The Illusion Of An Encrypted Internet
Beardsley and colleagues Bob Rudis and Jon Hart today published a report called the “National Exposure Index,” which is a deep dive into the top services being run on the Internet, and how those services are adopted on a national and regional level.
What the scan did find was a remarkably large number of telnet installations beaconing out on the Internet (15 million, six million more than a similar search on Shodan turns up) that could be used to access public-facing systems.
Old Microsoft SMB services are still alive and well on the public network as well, primarily in the United States, China, Belgium, Australia and Russia.
The data was gathered using Rapid7’s Project Sonar, which is used to scan the Internet and collect data on protocol usage.
This particular project set out to identify the top 30 most prevalent TCP ports/services on the IPv4 Internet, data on which was aggregated and compared across countries and regions worldwide.
Of the 15 million telnet nodes, 11.2 million afforded direct access to relational databases (mostly MySQL and Microsoft SQL Server) and another 4.5 million to printer services.
While an encrypted Internet is mostly an illusion, Rapid7’s data does show that SSH adoption over telnet is greater in 50 percent of the regions surveyed.
Only three of the top dozen services are encrypted (No. 2 HTTPS, No. 3 SSH, and No. 12 POP3S), while others such as No. 1 HTTP, FTP, SMTP, telnet, DNS, IMAP and others are unencrypted services.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9349d28139&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.