Monthly Archives: August 2016

Encryption hiding malware in half of cyber attacks

Cyber attackers are using encryption to hide malicious activity, making it increasingly difficult to find as more organizations turn to encryption to protect data, a study has revealed.

Malware in nearly half of cyber attacks in the past 12 months has been sneaked into organization’s under the cover of encryption, a study has revealed.

The demand for data privacy in the post-Snowden era is driving the use of encryption, but that has security and other implications for business.

Just as organization’s are increasingly using encryption to keep their network data confidential, so cyber criminals are using the technology to mask their activities.

The hidden threat in encrypted traffic exists because SSL (secure socket layer) encryption hides everything, including malware, from most security tools, according to the study by A10 Networks and the Ponemon Institute.

This means the encryption technology that is crucial to protecting sensitive data in transit, such as web transactions, emails and mobile apps, can also allow malware hiding inside that encrypted traffic to pass uninspected through an organization’s security framework.

Encryption is also being used by cyber attackers to send information out of targeted organization’s, largely undetected.

Encrypted threats

“The Hidden Threats in Encrypted Traffic study sheds light on important facts about the malicious threats lurking in today’s corporate networks,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“Our goal is to help organization’s better understand the risks to help them better address vulnerabilities in their networks,” he said.

The report is based on a survey of more than 1,000 IT and IT security practitioners in the US, Canada, Europe, Middle East and Africa who are involved in preventing or detecting web-based attacks.

Evasion via encryption

While 80% of respondents said their organization’s had been hit by a cyber attack in the past year, nearly half said their attackers had used encryption to evade detection.

The trend is expected to grow in parallel with the greater legitimate use of encryption. Inbound encrypted traffic is expected to rise from 39% to 45% next year, and outbound encrypted traffic from 33% to 41%.

When asked about malware hiding outbound data within encrypted traffic, 74% said this was highly likely but only 16% thought their organization could identify and mitigate SSL-encrypted malware attack before data exfiltration.

When asked if traffic from an SSL-secured malware server could be spotted by their intrusion prevention system (IPS), 79% of respondents said it is highly likely this could occur in their organization; only 17% thought their organization has the ability to mitigate such an attack.

When asked if an attacker could mask outbound communications or stolen data from a command and control server, two-thirds said it is highly possible. Only 26% thought their organization could spot such behavior and prevent data loss.

Strategic way forward

“IT decision-makers need to think more strategically,” said Chase Cunningham, director of cyber operations at A10 Networks. “Instead of focusing on doing everything right 100%, IT leaders can be more effective by doing a few things very strategically with the best technology available.”

Some 75% of respondents said their networks are at risk from malware hidden inside encrypted traffic, and roughly two-thirds admitted that their company is unprepared to detect malicious SSL traffic, leaving them vulnerable to costly data breaches and the loss of intellectual property.

The main reasons cited for not inspecting decrypted web traffic were a lack of enabling security tools (47%), insufficient skills and resources (45%), and degradation of network performance (45%).

Thunder SSLi

To address the problem, A10 Networks has developed an SSL inspection tool (Thunder SSLi) designed to have minimal impact on network performance.

“It is also designed to complement and work with common existing tools to enable them to inspect traffic in the clear,” said Duncan Hughes, systems engineering director EMEA for A10 Networks.

“While there is always going to be some performance impact, SSLi minimises that impact significantly to make it practical to deploy and easy to manage,” he said.

 

via: computerweekly

1.7M Opera Sync Users Asked to Reset ALL Passwords Following Breach

The Opera browser warned 1.7 million users of its sync system to reset their synced third-party passwords following a breach.

On 26 August, developer Mark “Tarquin” Wilton-Jones announced the incident on Opera’s website:

 

“Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.”

 

The Norway-based browser says all passwords for authentication were hashed and salted, whereas synchronization passwords were encrypted.

Steve Ragan of Salted Hash reached out to Opera’s security team to learn more about the synchronization password encryption scheme. A spokesperson for the company, he reports, was a bit dodgy with their responses.

It’s unclear for what reason. In June 2015, the browser admitted it uses Nigori, a protocol which Google Chrome has also partially implemented. Opera hasn’t disclosed what process it uses for hashing the authentication passwords, however.

Out of an abundance of caution, Opera reset all synchronization account passwords. It also encouraged users to reset all of their passwords to third-party websites that they might have stored with the service.

A pain, yes. But a good idea. If an attacker managed to compromise a user’s sync account, they’d basically have access to all their stored web account credentials, which might include login information for banking sites, social media, and email services.

It’s well worth the effort to avoid a headache of that magnitude.

Wilton-Jones explains asks that all 1.7 million users of the sync service, which is less than 0.5 percent of Opera’s total user base of 350 million, can obtain a new sync password here.

“We take your data security very seriously, and want to sincerely apologize for the inconvenience this might have caused.”

News of this breach comes just a few months after the browser announced both a native VPN and a native ad-blocking feature.

 

via:  tripwire

The “l’m Too Small to be a Target” Fallacy

When retailer Target was hacked in 2013, the damage was so extensive that direct costs exceeded $250 million. To its credit, Target’s external-facing cybersecurity wasn’t too bad; the attack came through a mom-and-pop HVAC vendor with unnecessary access to the retailer’s network.

Smaller enterprises like the HVAC company are often under the illusion that they have no reason to be targeted by a cyberattack. Not only is this blatantly false, as the Target example illustrates, but for firms serving narrow vertical markets, the potential harm from such incidents is magnified.

For instance, consider a law practice that deals almost exclusively in mergers and acquisitions. Why would the firm need anything beyond rudimentary security measures? After all, its network doesn’t store much financial data, and it only maintains personal information on its several dozen attorneys and staff.

How could it possibly be a target? Cybersecurity isn’t necessary unless you’re a nation-wide retailer or a bank, right? Wrong. Hackers make their bones on that very misconception.

As it turns out, if you have something worth selling, you have something worth stealing. In the case of our law firm, the practice is at a heightened risk of a breach because investment-savvy cybercriminals are always on the prowl for the undisclosed details of a merger or acquisition. One leaked email can confirm a deal is pending: a windfall for our hacker-turned insider trader.

So while the data might not be as plentiful or yield the immediate returns that information stolen from a bank might, it’s still valuable. And not only is it valuable, but the “I’m too small to be a target” fallacy makes it easier to steal than from a bank that spends millions on cybersecurity.

This confluence of financial motive and easy access should be alarming not only for small firms but also their customers in the narrow vertical markets that they serve. A medical device manufacturer that focuses on engineering drug infusion pumps for hospitals takes care to secure machinery schematics and other intellectual property stored on its servers, but its interest in cybersecurity stops there.

Once the devices get to hundreds of hospitals nation-wide, the devices’ anachronistic software and security features jeopardize the lives of thousands of patients that interface with their own drug delivery machines.

The effects of breaches on companies serving small verticals are disproportionately severe. In the Target hack, the retailer’s sporting goods customers were just as much affected as its electronics or clothing customers. Fortunately for all of us, there are hundreds of retailers that can sell us those products. But when it comes to medical device manufacturers that can produce and sell internet-enabled drug infusion pumps at scale, the number shrinks considerably smaller.

Therefore, a serious breach at such a company can send shockwaves through the narrow vertical market that it serves, putting a strain on the crucial but often-overlooked gears that drive the modern economy forward.

Fortunately, firms serving niche markets can take concrete, actionable steps to protect themselves and their customers:

INCENTIVIZE CYBERSECURITY

Target has billions of dollars in annual revenue, and it can afford its own robust IT and security departments. Most of the companies we’re talking about don’t come close to that, so incentivizing adequate cybersecurity – through tax benefits or even regulation and non-compliance fines – can help smaller enterprises afford, at the very least, a cybersecurity partner that has the expertise and scale necessary to improve security and resiliency.

THREAT INFORMATION SHARING

While the idea of sharing information with competitors is an unnatural one, intra-industry intelligence sharing on cyber threats unique to a particular type of vertical has proven effective at forestalling attacks while fostering trust. Medical device manufacturers and hospitals, for instance, should share threat information and best practices so that the producers can build necessary security features into their next generation of products that are responsive to the actual attacks that the hospitals are seeing daily.

CULTURE REEVALUATION

A firm serving a small market will typically be small itself. A clerk at a Fortune 500 company probably can’t forward a phishing email to his CEO, but at a small device manufacturer, it’s more likely than not. That means it’s incumbent on every employee to be diligent and exercise good cyber hygiene. And get educated/stay up to date.

INSURANCE

A final step in mitigating the cyber risk to firms serving crucial narrow vertical markets is to simply pass off the risk to an insurer. Insurance companies are increasingly getting into the cyber insurance market, and for good reason. Without some indemnification, a serious breach at a small firm could lead to insolvency and send ripples through the narrow market it serves. A little bit of coverage protects not only the company but also the larger economy.

 

via: tripwire

Google Wallet debuts automatic transfers so you can skip “cashing out”

Google is stepping up its battle with Venmo, Square Cash and other person-to-person payment applications with an update to its Google Wallet mobile app, which now allows for automatic transfers to your bank account. That is, transfers will no longer require you to cash out money from your Wallet balance first. This will speed up the time it takes for Wallet users to gain access to their cash, something that has been slower in the past.

The feature was announced in the app’s update text on Friday, but we understand the feature will actually begin rolling out gradually, starting next week.

As you may recall, Google Wallet transitioned to become a peer-to-peer payments app last year following the launch of Android Pay, Google’s Apple Pay rival now used at point-of-sale and for in-app purchases on Android devices. Earlier this year, the company also dropped support for the physical, plastic Google Wallet card associated with the app, as it continued its transition to p2p payments.

Today, waiting to cash out your balance from Google Wallet can still take time, which is why Google is switching on this automatic transfers option.

Users will now be able to select a bank account or debit card for automatic transfers within the app or via the web. Once enabled, you won’t have to manually “cash out” money from your Wallet balance – it will just automatically become available.

That doesn’t necessarily mean it will be “instantly” available, however – that depends on several factors – like who you bank with, or whether you’re crediting the money back to a debit card. Transfers to debit cards will be instant in most cases, though some banks may take 24 hours to process those transactions. Meanwhile, transfers to banks should take 1 to 3 days.

This change also means that when you send money to friends, those funds will also be able to go to their bank accounts automatically, without any waiting time for them.

Of course, you’ll still be able to keep money in your Google Wallet balance if you want to – that option is not going away.

There will still be times when transfers take longer, though, as with any other payments service. Google may need to run fraud checks or may need to perform additional verification of user accounts, on occasion.

However, the move to bypass the “cash out” process could help Google Wallet better compete against the growing number of digital payment services, including PayPal and PayPal-owned Venmo, Square Cash, and even social networks like Facebook and Snapchat, which have experimented with bundling in payments to their messaging apps. Apple, too, will soon support payments in iMessage, as powered by Square Cash.

Square Cash powers Snapchat’s payment system, too, but it only this year added the option to hold a balance through an optional “Cash Drawer” setting. With the update, Google is moving like Square Cash in reverse. It already had the cash drawer option; now it can transfer the money more quickly, too.

 

via:  techcrunch

vBulletin vulnerabilities expose 27 million accounts, including gamers on mail.ru

LeakedSource disclosed 11 new data breaches.

Recently exploited software vulnerabilities in vBulletin have exposed more than 27 million accounts across nearly a dozen websites.

A majority of the compromised accounts are linked to three games on mail.ru. In addition to the gaming accounts, more than 190,000 accounts were exposed on expertlaw.com, as well as more than 100,000 accounts on gamesforum.com

Combined, the compromised mail.ru domains allowed LeakedSource to add 25,133,805 accounts to their database on Wednesday. At the time of notification, they had managed to crack 12,463,300 passwords.

The compromised mail.ru accounts were exposed recently (August 2016) and are from the gaming side of the company. CFire, Parapa, and Tanks accounts were all exposed. The Parapa forums were also compromised.

Along with passwords, the mail.ru records include usernames, email addresses, phone numbers and IP addresses. The other accounts compromised include usernames, email addresses, IP information, passwords, and birthdays.

“Not a single website used proper password storage, they all used some variation of MD5 with or without unique salts,” LeakedSource said.

All of the compromised domains were running unpatched vBulletin software, which allowed attackers to target SQL Injection vulnerabilities in the Forumrunner add-on on vBulletin installations older than 4.2.2 or 4.2.3. These problems were patched in June.

Moreover, a recent security update impacting the same software versions running on the compromised domains was issued on August 1, which if exploited would allow malicious attachment uploads.

“Sadly, this compromise is not a surprise. Too often, companies know valuable applications and systems are vulnerable yet due to the risk of disrupting operations to apply a fix, critical vulnerabilities are not properly patched. They’re behavior results in a gamble that they won’t be hacked,” said Ryan Stolte, CTO and co-founder at Bay Dynamics, in a statement.

“IT and security teams are also not coordinating and communicating with the line-of-business application owners who govern those highly valued assets so that they are held accountable for remediating vulnerabilities. In other cases, there is simply an operational disconnect where they perform a vulnerability scan, find out which applications and systems are vulnerable, but the vulnerabilities are not prioritized and routed correctly based on the value of the asset at risk and who owns that asset.”

In addition to the mail.ru domains, the remaining 2,315,283 accounts were exposed after the following domains were compromised via the same methods:

expertlaw.com
ageofconan.com
anarchy-online.com
freeadvice.com
gamesforum.com
longestjourney.com
ppcgeeks.com
thesecretworld.com (EN)
thesecretworld.com (FR)
thesecretworld.com (DE)

Salted Hash reached out to mail.ru and the others for comment.

In response to the LeakedSource disclosure, Funcom.com – the company behind TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com – issued a public notice and apologized to users.

The company has since patched their vulnerable vBulletin installations, but they’re not able to determine when the data breach occurred. As such, they’ve reset all passwords on each of the impacted forums.

“We regret to inform you that the data breach includes e-mail addresses, user names, and encrypted passwords associated with forum accounts on these forums. Even though passwords were encrypted, these can be cracked and should be considered compromised. It is important to note that forum accounts and game accounts are separate and are stored on different servers using different security systems. Game accounts have not been compromised,” the Funcom.com statement explained.In a statement to Salted Hash, a spokesperson for Expert Law said they were not able to find evidence of a successful data breach in their system logs, but they’re going to assume the worst has happened.

“I do patch the server and software and maintain security measures, and I have not found evidence of a successful intrusion, but we could be talking about an access that occurred prior to the implementation of a patch and that predates or is not reflected in my logs,” the spokesperson said in an email exchange.

“I have not yet been able to produce certain unique email addresses from the database on the hackers’ website but, as they say, tomorrow is another day and I have to operate on the assumption that the hack occurred.”

Update:

A spokesperson from mail.ru says the leaked passwords are not valid. However, the company didn’t address any of the questions sent by Salted Hash concerning the data breach. Their full statement is below:

“The passwords mentioned by LeakedSource are no longer valid. They are old passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way. “

Update 2 (8/25/16 0800 EST):

Responding to the statement made by mail.ru yesterday, a spokesperson for LeakedSource said one of the most important questions to ask when examining a data breach that includes credentials, is ‘are or were those passwords valid?’

So the statement from mail.ru is “akin to Microsoft buying Minecraft, integrating users into Microsoft Live and then the original Minecraft passwords being stolen. Yeah, that’s nice Microsoft Live wasn’t hacked but the data is still highly relevant and important.”

In response to follow-up questions from Salted Hash, mail.ru accused LeakedSource of not playing fair and being irresponsible with their disclosure.

“We found out about this episode from the media, to which LeakedSource gave this information, breaking the responsive disclosure rule. This unspoken rule is used by white hat hackers all over the world: before publicly disclosing a vulnerability or leak, inform the service of it to give an opportunity to patch it,” a mail.ru spokesperson said.

“This is how the real care for users works. Thus we presume that it’s not actually users’ protection LeakedSource is so worried about but rather publicity and commercial profit (from clients attracted to them as a result of security scandals and from subscriptions to their services they are very aggressively offering to companies involved in such episodes).”

When questioned about the risk of password reuse, mail.ru said that such a risk is always a factor and that the company will “check this database for password reuse as well and, if we find any matches, we’ll block the compromised accounts and force the owners to go through an access recovery procedure.”

Speaking to questions regarding the storage of passwords via MD5 with known salts, mail.ru referred back to their original statement.

“As we said in our official statement, the database contains legacy passwords to the forums of game projects that Mail.Ru Group acquired over the years. All Mail.Ru Group’s forums and games have been using a secure integrated authorization system for a long time by now. These passwords have never been related to email accounts and other services of the company in any way.”

via: csoonline

Why Continuous Scans Are Important to Vulnerability Management

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks.

EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery, facilitate the process of inventorying each device that is connected to the network and documenting all software applications running on each device. Once organizations begin actively monitoring what is installed on their networks, they can then transition to hardening the security of those devices. An important part of that process is the decision to launch a vulnerability management program.

When it comes to vulnerabilities and exposures, attackers benefit from automation, crowdsourcing, big data, mobile, low cost cloud computing, and other resources just as much security personnel do. Only they have an advantage. Malicious actors need to find just one unpatched vulnerability, whereas security teams need to find (and patch) all hardware and software flaws every time.

Which begs the question: how can organizations leverage a vulnerability management program to gain an advantage over attackers?

Tripwire offers several answers in Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals, a guide which offers advice on how infosec professionals can implement the six security controls of EDR.

First and foremost, organizations need to remember that security is an ongoing process. Though a device might be safe today, an actor could discover a serious vulnerability in the application’s software tomorrow. Companies should therefore strive towards continuous vulnerability scans to pick up on those constant changes. Additionally, they should leverage resources like the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities in a meaningful way.

Just as security is a process, so too is a vulnerability management program. At the outset, a company might not have the scanning infrastructure or human resources needed to conduct and analyze continuous scans of its network environment. But it’s important that it works towards that capability. Indeed, continuous scans not only help organizations determine whether they are actually fixing the flaws they discover. They also help companies identify trends in the performance of the vulnerability management program, information which security managers and other executives can use to justify budget allocation to the Board of Directors.

With more resources, organizations can strengthen their vulnerability management program by adding on digital threat intelligence feeds, authenticated/credentialed scans, and SIEM with Network Intrusion Prevention System (NIPS) logs.

Interested in getting even more out of your organization’s vulnerability management program? For more helpful tips and recommendations, please download Tripwire’s resource here.

Via: tripwire

Is Your IT Security and Risk Management Strategy Getting the Job Done?

IT decision makers have a very difficult job. They are often asked to make technology decisions on subjects for which they may only have cursory knowledge. Then when things go wrong, they are responsible for dealing with the fallout of those decisions.

It’s one thing to make a mistake when deciding on something relatively trivial, like picking out what kind of PC to buy. You can easily address shortcomings for a disappointing solution. A PC that isn’t powerful enough can get more RAM or can be upgraded to a bigger hard drive. However, when it comes to making decisions about security/risk, the stakes are much higher.

A failed security solution that leads to a data breach can’t be fixed simply by buying a part or repurposing hardware assets. Unfortunately, these design failures can only be repaired after damage has already been done.

When you find out that your firewall was insufficient and a hacker penetrated your network, you can’t reverse the clock and make up for an uninformed decision that may have been made years ago. Your only option at that point is to control the amount of damage in place.

It’s just like buying a cheap washing machine. If the washing machine can’t handle the clothes you put in it and leaks water, you have to deal with the damage caused and probably repair the machine itself. From someone who has had to deal with water damage, I can tell you that I much prefer having a robust solution up front so that I never have to worry about the problem affecting my life.

This leads to the main issue I’d like to confront in this blog: how you, as a decision maker, can know up front if your security and risk management strategy is getting the job done.

I have some good news and some bad news. The bad news is that there is no 100% positive security and risk management approach. Any solution can fail. Even when building a system with security in mind from the beginning, sometimes these solutions fail when you need them most. Even an experienced, well-educated, trusted advisor can guide you down a path that they think will protect you, and a data breach can still happen.

The problem with security threats is that they are constantly evolving. Nobody holds the crystal ball to tell you what threat you may have to deal with tomorrow, much less threats that may develop months or years from the time you build your system.

The good news, however, is that there is a tried and true way to gain a real sense of how well your current security controls are working: a risk assessment.

In addition to providing you with insight into the effectiveness of your security measures, a robust risk assessment gives you the opportunity to evolve your IT security and risk management strategy. This allows you to stay on point when it comes to knowing what threats are out there and how you need to deal with them.

Four main features must be present in a solid risk assessment:

  1. Uses thorough vulnerability and configuration scanning tools to look for weaknesses within your system.
  2. Identifies various areas of risk based on the sensitivity of data, best IT practices, and the configuration of the current system.
  3. Performs vulnerability scans on the perimeter that expose specific weaknesses from the outside.
  4. Looks at workflows and behaviors of staff to ensure they are operating in a method that is consistent with the technical security measures.

In short, a well-designed risk assessment uses metrics, best configuration practices, other compliance standards, and to some extent user behaviors to determine what data assets are worth protecting and what shields those data assets from damage or loss.

From there, you can determine if your security and risk management strategy is effective, even if it’s not perfect (which it can never be).

My philosophy is that security and compliance should be treated as a discipline rather than just another technology solution you need to buy. Deploying proper tools to manage risk and then regularly evaluating how well those tools are working is the only reasonable approach to keeping up with a world of constantly evolving threats.

Via: tripwire

Make sure your internet connection is clean: QUICK TIP

This has got to be the quickest Quick Tip of all. Literally. With just one click, it’s too easy not to do.

You know your computer can be infected. But did you know your router can, too? And because most people just aren’t aware of it, if your router is compromised, it could stay that way a long time without you ever knowing.

Unless, of course, you use our free Router Checker. No need to download anything. Just visit the page and click to start the check.

Hacking your router is just one more method attackers use to display fraudulent advertising, spread malware, or steal your private account credentials. It’s called DNS hijacking.

When you type in a website name, say “cooldomain.com,” you’re directed to a DNS server that will find the website’s IP address – say “44.567.54.69” for example, and display the website you need. But in a DNS hijack, hackers change your router’s settings to direct you to a rogue DNS server. The rogue server will give a malicious IP address, purposely directing you to a website that may look like the one you want, but it’s not.

Here’s an example: Let’s say you want to log into your bank account. But unbeknownst to you, you’re directed to a look-alike website that’s not really your bank. You enter in your bank username and password. Now the attacker has your credentials, which he (or she) can use.

F-Secure Router Checker makes sure the settings on your computers, phones, and routers connect to safe DNS servers.

So what are you waiting for?

Visit the F-Secure Router Checker page and click on “Check Your Router.”

It’s too easy not to do.

Via: safeandsavvy

Targeted Security Risk Assessments Using NIST Guidelines

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of Standards and Technology (NIST).

No matter what country you are based in, odds are your client’s data touches, passes through, or sources from the United States. Given that, if you have not performed a security risk assessment pursuant to the NIST guidelines, now is the time.

For those of you not familiar with NIST, it draws its funding from the U.S. government and traces its origin back to 1821 (yes, really). The goal of NIST is to research, develop, standardize and push innovation forward across a broad swath of fields for the betterment of everyone, at no cost (other than taxes) to anyone.

One of NIST’s best and most useful documents is its Guide for Conducting Security Risk Assessments. The security risk assessment procedures and guidelines outlined in this document now serve as the foundation for many industry standard risk assessment methods across a wide array of fields and industries. Because why reinvent the wheel?

If you can have the risk assessment playbook the government paid NIST to create telling you how to assess risk in your organization, why not use it?

SECURITY RISK ASSESSMENT

At the core of every security risk assessment lives three mantras: documentation, review, and improvement. Security risk assessments are only as valuable as the documentation you create, the honest review of the findings, and ultimately the steps towards improvement you take.

The goal of performing a risk assessment (and keeping it updated) is to identify, estimate and prioritize risks to your organization in a relatively easy-to-understand format that empowers decision makers. With that in mind, here is a break down of a NIST Security Risk Assessment framework that would be appropriate for a targeted risk assessment (as opposed to enterprise-wide).

For each of the steps listed below, track the results in a multi-page spreadsheet, and this document will serve as the root for further analysis.


  1. Baseline the System – Create a lifecycle chart of all the data within the targeted technology or program; encompassing birth, use, and destruction.
  2. Identify Threats – All of the threats you can imagine including intentional, unintentional, technical, non-technical, and structural. After you have made this list, cluster the threats into similar types (i.e. Non-Technical Threat – Fire, Flood, or Blood Events).
  3. Identify Vulnerabilities – All of the Vulnerabilities your organization has, including: patches, policies, procedures, software, equipment, etc. It often helps to group these Vulnerabilities to more easily analyze them (i.e. Vulnerability – Un-patched Servers/Workstations).
  4. Current Controls – All of the security and privacy controls you have in place to protect against the Vulnerabilities.
  5. Likelihood of Impact – Assign a value from low to high (e.g. – .1, .5, or 1) of how likely it is that a Threat hits a Vulnerability. Here, pair each cluster of similar threats and with your major groups of vulnerabilities to create an Impact pairing.
  6. Effect of Impact – Assign a value from low to high (e.g. – 10, 50, 100) of how bad the Impact would be on your organization if the Threat hit a Vulnerability.
  7. Risk Determination – Likelihood x Impact = Risk Level (0-33 = Low; 34-66 = Medium; 67-100 = High)

At the end of this process, you should have a spreadsheet that contains sortable columns of Impact pairings and their associated Risk Level. This will allow you to sort and parse the list in a way that gives you an easy view of those items with the greatest Risk Level, thereby creating a targeted list of what threats and vulnerabilities must be addressed first. Here is an example:

TARGETED SECURITY RISK ANALYSIS – HOSPITAL CLIENT PHI DATABASE

  1. Simple Baseline: Client PHI is entered, accessed, and stored within hospital EMR.
  2. Technical Threat: Malicious hackers attempting to gain access and steal PHI.
  3. Vulnerability: Un-patched Windows 2012 Server with default administrative password.
  4. Current Controls: Password protected, behind firewall with factory settings.
  5. Likelihood: .8 (Un-patched software accounted for the vast majority of breaches in 2014)
  6. Impact: 100 (Loss or theft of PHI would catastrophic for a hospital)
  7. Risk Determination: .8 x 100 = 80 (High Risk)

POST ANALYSIS BREAKDOWN

As you can see, the organization that produced the above analysis would need to immediately prioritize a Risk Determination of 80, especially on something so basic as maintaining patch updates. That aside, once you have completed your Security Risk Assessment and prioritized your Risk Determination list, turn to the Current Controls and make decisions of how to improve those controls to eliminate or mitigate the identified vulnerabilities.

Once you document those decisions, draft a summary of the Security Risk Assessment highlighting surprises, problems, fixes, and future plans. As you implement any changes, be sure to append the Security Risk Analysis, or if enough wholesale changes are made, perform an updated Security Risk Assessment.

This process seems daunting, and it can be. That said, once you have gone through the pain of doing it once, successive assessments will be quicker, more detailed, and serve to build upon what was done before. There are also third party tools that can streamline the process, such as the HHS Security Risk Analysis Tool created in conjunction with NIST. These third party tools vary wildly in quality, so choose wisely.

Whatever risk analysis process you choose, create, or purchase, make sure it fits your needs and gives you the documentation you want, the capability to thoroughly review results, and the tools necessary to make improvements.

Prepare now, or answer later when the investigators come knocking.

Via: tripwire

Cisco to jettison 5,500 jobs, will reinvest in cloud, IoT & more

Cisco faces challenges in its core switching and routing business.

Cisco today confirmed it will lay off about 7% of its workforce – about 5,500 jobs.

Or as Cisco put it: “Today, we announced a restructuring enabling us to optimize our cost base in lower growth areas of our portfolio and further invest in key priority areas such as security, IoT, collaboration, next generation data center and cloud. We expect to reinvest substantially all of the cost savings from these actions back into these businesses and will continue to aggressively invest to focus on our areas of future growth.”

During its earnings announcement the company said total revenue actually increased 3% to $48.7 billion for its fiscal year ended July 30. Still, the company faces challenges in its core switching and routing business.

“Product revenue growth was led by Security at 16%. Collaboration, Wireless and switching product revenue increased by 6%, 5%, and 2%, respectively. Service Provider Video, NGN Routing and Data Center product revenue decreased by 12%, 6%, and 1%, respectively,” Cisco stated.

Sounding more optimistic CEO Chuck Robbins said:

“We had another strong quarter, wrapping up a great year. I am particularly pleased with our performance in priority areas including security, data center switching, collaboration, services as well as our overall performance, with revenues up 2% in Q4 excluding the SP Video CPE business,” Robbins said. “We continue to execute well in a challenging macro environment. Despite slowing in our Service Provider business and Emerging Markets after three consecutive quarters of growth, the balance of the business was healthy with 5% order growth. This growth and balance demonstrates the strength of our diverse portfolio. Our product deferred revenue from software and subscriptions grew 33% showing the continued momentum of our business model transformation.”

Reports earlier this week had the networking giant cutting as much as 14,000 jobs. Others have speculated Cisco would make a sizable cut in its workforce this year giving its growing stable of acquisitions and its shifting software emphasis. Cisco has acquired 15 companies under CEO Chuck Robbins tenure, which is now early into its second year.

Most recently the company bought cloud security firm CloudLock; other cloud-based technology from Synata; network semiconductor technology from Leaba and Software as a Service (SaaS) provider Jasper.

In recent history– the yearend earnings report which is expected today — hasn’t been kind to Cisco employees. The company has laid off a little over 11,000 employees total in late summer reductions since 2012.

Via: networkworld