Category Archive: Uncategorized

14 million customer records exposed in GovPayNow leak

GovPayNow.com, a payment system used by thousands of federal and state government agencies in the U.S. and recently acquired by Securus Technologies, has leaked 14 million customer records.

Information exposed includes the last four digits of payment cards, names, phone numbers and addresses, according to Brian Krebs, who discovered the leak.

Anyone could view the information by changing the digits in the URL of an online receipt that the service gives users when they pay parking citations, fines or make other financial transactions.

“GovPayNet [which is doing business as GovPayNow] has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” according to a company statement sent to KrebsOnSecurity, which also said there was no “indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction.”

Noting that most of the information exposed “is a matter of public record that may be accessed through other means,” the company said. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their receipts.”

Calling the breach at the Indianapolis-based company “fairly minor” compared to others over the last year, Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said, “Online payment providers, especially those doing business with the government, should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them.”

Bilogorskiy also recommended, to “avoid information disclosure and directory traversal issues,” that companies deny “anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories.”

Pravin Kothari, CEO of CipherCloud, noted the security incident – which exposed data from as far back as 2012 – isn’t the first for Securus, which bought the company in January.

“Securus has had other issues with cybersecurity over the past few years including the misuse of a service that tracked convicted felons’ cellphones, hackers penetrating this same system and subsequently stealing logins and legitimate credentials, and finally another flaw in May that allowed unauthorized access to accounts by guessing answers to the security questions,” he explained.

In the spring, a hacker swiped 2,800 logins and passwords from Securus, on the heels of Sen. Ron Wyden, D-Ore., asking the Federal Communications Commission (FCC) to investigate the wireless carriers that allow law enforcement to have “unrestricted access to the location data” of their customers after a former Missouri sheriff was indicted for, among other things, tracking the cell phones of numerous persons, including some state troopers, without the benefit of a court order.

The issues prompted wireless carriers like Verizon to review their location aggregator programs and terminate existing location data sharing agreements with third-party brokers.

Many of the “flaws are simple to find and fix. That’s not the issue,” said Kothari. “The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all.”

It’s inevitable that attackers will penetrate networks, given increasing numbers and an escalating volume of persistent attacks,” he said.

“Best practices today position safekeeping of your data, at all times, in a pseudonymized form,” Kothari said. “This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”

GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

 

via:  scmagazine


Save pagePDF pageEmail pagePrint page

ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect

The United Kingdom’s Information Commissioner’s Office (ICO) has been receiving 500 calls pertaining to data breaches since the European Union’s General Data Protection Regulation (GDPR) took effect.

Speaking before hundreds of senior business leaders at the Confederation of British Industry’s (CBI’s) fourth annual Cyber Security Conference, ICO deputy commissioner James Dipple-Johnstone revealed that of the 500 breach-related calls received weekly by the Office, a third of them aren’t warranted or pertain to events that don’t qualify as data security incidents.

All of these unnecessary reports could be an indication that organizations are eager to comply. Dipple-Johnstone clarified that many of the reports tend to “over-report” the details of a perceived security incident. He attributed this phenomenon to organizations’ desire to manage their risk or a prevailing perception that they need to report everything, reported ITPro.

Despite these attempts to maintain transparency, some companies failed to comply with the ICO’s reporting requirements. Dipple-Johnstone explained that some of the data breach reports received by the Office were incomplete. In other notices, organizations mistook the mandatory reporting period of 72 hours as 72 “business” hours, not three consecutive days from the moment of discovery.

These findings came at around the same time that cloud and data firm Talend disclosed a majority of organizations’ failure to comply with certain elements of GDPR. Specifically, it found that just 35 percent of EU-based companies were fulfilling subject access requests (SARs) filed by customers looking to access their data held by controllers within the legal time frame. Outside of Europe, only a half of organizations were meeting those deadlines.

Dipple-Johnstone said the ICO will be working with organizations to help them with their data protection efforts going forward. He also made a point of indicating how the ICO doesn’t always issue fines following an investigation into a potential data security incident. As quoted by ITPro:

The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have dozens of audits, advisory visits and guidance sessions. That is the real norm of the work we do.

Data protection goes beyond implementing security technologies like encryption and machine learning. It also involves investing in those who use those solutions.

 

via:  tripwire

 


Save pagePDF pageEmail pagePrint page

Cyber attack led to Bristol Airport blank screens

 

Broken screens at Bristol Airport

The screens at the airport stopped working on Friday morning

Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days.

An airport spokesman said the information screens were taken offline early on Friday to contain an attack similar to so-called “ransomware”.

They are now working again at “key locations” including in departures and arrivals, and work is continuing to get the whole site back online.

The spokesman said no “ransom” had been paid to get the systems working again.

Ransomware is a form of malware in which computer viruses threaten to delete files unless a ransom is paid.

Spokesman James Gore said: “We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.

“That was done to contain the problem and avoid any further impact on more critical systems.

Out of order departure boards at Bristol Airport

A spokesman said whiteboards and marker pens had to be used in place of display screens.

“The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport.”

Mr Gore said flights were unaffected, but contingency measures and “manual processes”, including whiteboards and marker pens, had to be used in place of display screens.

“At no point were any safety or security systems impacted or put at risk.”

He said it had taken “longer than people might have expected” to rectify due to a “cautious approach”.

“Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online.”

No flights are understood to have been disrupted as a result.

 

via:  bbc


Save pagePDF pageEmail pagePrint page

Google, Apple and 13 other companies that no longer require employees to have a college degree

The economy continues to be a friendly place for job seekers today, and not just for the ultra-educated — economists are predicting ever-improving prospects for workers without a degree as well.

Recently, job-search site Glassdoor compiled a list of 15 top employers that have said they no longer require applicants to have a college degree. Companies like Google, Apple, IBM and EY are all in this group. But currently, EY’s non-degree requirements are applicable to candidates in the UK.

In 2017, IBM’s vice president of talent Joanna Daley told CNBC Make It that about 15 percent of her company’s U.S. hires don’t have a four-year degree. She said that instead of looking exclusively at candidates who went to college, IBM now looks at candidates who have hands-on experience via a coding boot camp or an industry-related vocational class.

Check the list below to see what other top companies you can score a job at if you don’t have a college degree:

Google has expanded its Google for Jobs initiative, launched last summer, to feature a job search tool that uses AI technology. The company believes it will radically change the online job-seeking experience.

Bloomberg | Getty Images

Google has expanded its Google for Jobs initiative, launched last summer, to feature a job search tool that uses AI technology. The company believes it will radically change the online job-seeking experience.

1. Google

Glassdoor company rating on a five-point scale: 4.4

Current openings include: product manager, recruiter, software engineer, product marketing manager

Hiring locations include: Mountain View, CA; Austin, TX; San, Francisco, CA

Click to view openings

Ernst and Young building in Berlin, Germany.

Patti Domm | CNBC

Ernst and Young building in Berlin, Germany.

2. Ernst & Young (EY)

Glassdoor company rating on a five-point scale: 3.7

Current openings include: assurance services senior, risk advisor, experience management manager, tax services senior

Hiring locations include: Alpharetta, GA; San Francisco, CA; Boston, MA

Click to view openings

Penguin and Random House in Deal Talks

Joseph Devenne | Getty Images

3. Penguin Random House

Glassdoor company rating on a five-point scale: 3.8

Current openings include: marketing designer, publicity assistant, senior manager of finance, production assistant

Hiring locations include: New York, NY; London, England; Colorado Springs, CO

Click to view openings

jetcityimage | iStock Editorial | Getty Images

4. Costco Wholesale

Glassdoor company rating on a five-point scale: 3.9

Current openings include: cashier, stocker, pharmacy sales assistant, bakery wrapper

Hiring locations include: Baton Rouge, LA; Vallejo, CA; Kalamazoo, MI

Click to view openings

Vehicles drive through the parking lot outside a Whole Foods Market Inc. location in Willowbrook, Illinois.

Daniel Acker | Bloomberg | Getty Images

Vehicles drive through the parking lot outside a Whole Foods Market Inc. location in Willowbrook, Illinois.

5. Whole Foods

Glassdoor company rating on a five-point scale: 3.5

Current openings include: grocery team member, cashier, bakery team member, whole body team member

Hiring locations include: Napa, CA; Petaluma, CA; Tigard, OR

Click to view openings

The New York Hilton midtown hotel is show in this December 2013 photo.

Victor J. Blue | Bloomberg | Getty Images

The New York Hilton midtown hotel is show in this December 2013 photo.

6. Hilton

Glassdoor company rating on a five-point scale: 4

Current openings include: event manager, front office manager, housekeeper, hotel manager

Hiring locations include: San Rafael, CA; Napa, CA; Indianapolis, IN

Click to view openings

0554M919

John Greim | Getty Images

7. Publix

Glassdoor company rating on a five-point scale: 3.7

Current openings include: pharmacist, retail set-up coordinator, maintenance technician, job fair

Hiring locations include: Lakeland, FL; Atlanta, GA; Deerfield Beach, FL

Click to view openings

Apple CEO Tim Cook greets guests at the grand opening of Apple's Chicago flagship store on Michigan Avenue in Chicago, Illinois. 

Scott Olson | Getty Images

Apple CEO Tim Cook greets guests at the grand opening of Apple’s Chicago flagship store on Michigan Avenue in Chicago, Illinois. 

8. Apple

Glassdoor company rating on a five-point scale: 4

Current openings include: design verification engineer, engineering project manager, iPhone buyer

Hiring locations include: Santa Clara, CA; Austin, TX; Las Vegas, NV

Click to view openings

1006_29_peru120115118.jpg

Jeff Greenberg | Getty Images

9. Starbucks

Glassdoor company rating on a five-point scale: 3.8

Current openings include: barista, shift supervisor, store manager

Hiring locations include: Dublin, GA; San Francisco, CA; Compton, CA

Click to view openings

Pedestrians walk past a Nordstrom Inc. store.

Ben Nelms | Bloomberg | Getty Images

Pedestrians walk past a Nordstrom Inc. store.

10. Nordstrom

Glassdoor company rating on a five-point scale: 3.6

Current openings include: retail sales, cleaning, stock and fulfillment, bartender

Hiring locations include: Phoenix, AZ; Las Vegas, NV; Scottdale, AZ

Click to view openings

A cashier scans a customers purchases at a Home Depot store in New York.

Mark Kauzlarich | Bloomberg | Getty Images

A cashier scans a customers purchases at a Home Depot store in New York.

11. Home Depot

Glassdoor company rating on a five-point scale: 3.5

Current openings include: department supervisor, customer service sales, store support

Hiring locations include: Colonial Heights, VA; South Plainfield, NJ; San Diego, CA

Click to view openings

Pedestrians walk in front of the IBM building in New York.

Scott Mlyn | CNBC

Pedestrians walk in front of the IBM building in New York.

12. IBM

Glassdoor company rating on a five-point scale: 3.4

Current openings include: financial blockchain engineer, lead recruiter, contract and negotiations professional

Hiring locations include: San Francisco, CA; Raleigh-Durham, NC; Austin, TX

Click to view openings

Pedestrians pass in front of a Bank of America Corp. branch in New York, U.S., on Wednesday, Oct. 12, 2016.

Mark Kauzlarich | Bloomberg | Getty Images

Pedestrians pass in front of a Bank of America Corp. branch in New York, U.S., on Wednesday, Oct. 12, 2016.

13. Bank of America

Glassdoor company rating on a five-point scale: 3.5

Current openings include: client service representative, client associate, analyst, executive assistant

Hiring locations include: Tulsa, OK; Wilmington, DE; New York, NY

Click to view openings

Diners eat at a Chipotle restaurant in Chicago, Illinois.

Getty Images

Diners eat at a Chipotle restaurant in Chicago, Illinois.

14. Chipotle

Glassdoor company rating on a five-point scale: 3.4

Current openings include: district manager, kitchen manager, service manager

Hiring locations include: Sandy, UT; Woburn, MA; Pleasant Hill, CA

Click to view openings

Lowes Retail Store Sign

Getty Images

15. Lowe’s

Glassdoor company rating on a five-point scale: 3.3

Current openings include: plumbing associate, commercial sales loader, lumber associate

Hiring locations include: Westborough, MA; Omaha, NE; Mooresville, NC

 

 

 

via:  cnbc


Save pagePDF pageEmail pagePrint page

Amazon S3 Security Step-by-Step

Bucket Policies and Defense-in-Depth: Amazon S3

Excellent paper by Rajat Ravinder Varuni and Rafael Marcelino Koike. I read it and it will help me when I have to talk with “people whose heads are in the cloud”.

In this blog post, we show you how to prevent your Amazon S3 buckets and objects from allowing public access. We discuss how to secure data in Amazon S3 with a defense-in-depth approach, where multiple security controls are put in place to help prevent data leakage. This approach helps prevent you from allowing public access to confidential information, such as personally identifiable information (PII) or protected health information (PHI).

via:  Stephen Northcutt


Save pagePDF pageEmail pagePrint page

Configuration Hardening: Proactively Guarding Systems Against Intrusion

The concept of configuration hardening has nice imagery to it. When we use it to describe battle-hardened soldiers who have been tested in combat, a grim, determined image invariably leaps to mind. The same thing happens when we speak of hardened steel that’s been repeatedly quenched and tempered or of hardened fortifications and bunkers.

But what does this state of “being hardened” mean in the context of information systems? What do we mean when we talk about operating system hardening techniques to repel exploits and withstand intrusions? Much of this is captured in three simple concepts:

  1. Ensure a system’s security configurations are appropriately set given the job it needs to do.
  2. Ensure operating system software, firmware  and applications are updated to stay ahead of exploits that attack flaws in the underlying code.
  3. Ensure this process runs continually, leveraging and employing as much automation as possible.

What is Configuration Hardening?

Configurations are, in an almost literal sense, the DNA of modern information systems. “Configuration settings” are the attributes and parameters that tell these systems—from servers to network devices and from databases to desktops and applications—how to act and how to behave.

Unfortunately, these systems are made to “do work” and not to “be secure.” In other words, they’re shipped infinitely capable but effectively insecure. Modern computer systems have over 1,000 well-known ports with which to get work done. They also have another 40,000 or so “registered” ports and yet another 20,000 or so “private” ports. These in turn support a vast number of services and processes.

There’s a nice analogy that helps us get our arms around this: If we translate a server’s “ports and processes and services” to the “doors and gates and windows” in a house, we see information systems as unimaginably large, fundamentally porous houses.

Security configuration management

Security configuration management becomes the job of determining which of these doors and gates and windows should be open, closed or locked at any given time.

Of course, this notion of whether something should be “open or closed or locked” is very conditional—it depends on circumstances like “when” or “where.” If I’m going away for a week, I double-check that everything in my house is locked down tight.  If I’m only going to be gone for an hour, I may leave the back door unlocked.

And if it’s the height of summer, I may have an air conditioner in a window that comes right off the front porch. In this case, I’ve knowingly traded an inherent security weakness (I can’t lock that window until autumn!) for comfort.

To drag this analogy back to the modern computer network, we need to amplify our numbers exponentially. The first thing we note is that the number of “configuration items”—doors and gates and windows that need to be monitored and assessed just to achieve a basic level of security—becomes staggering:

  • Network device configurations can have an average of 2000 lines of code for each device.
  • Each device configuration can contain hundreds of parameters for about 20 different IP protocols and technologies that need to work together.
  • A Fortune 1000 enterprise can have over 50 million lines of configuration code in its extended network.
System hardening best practices

At the device level, this complexity is apparent in even the simplest of “vendor hardening guideline” documents. These are vendor-provided “How To” guides that show how to secure or harden an out-of-the box operating system or application instance. Some examples:

  • The hardening guide for Oracle Solaris v11 has 55 of these critical configuration items. (My house has just 30 doors and windows, by comparison.)
  • The vmWare guide for vSphere 5 highlights 60 critical security items that must be checked
  • For Windows 2008, the Microsoft guide for minimal system hardening includes 158 settings that need to be immediately secured out of the box (it’s is a big house).

This still falls short of a number of settings that need to be managed in prescriptive guides for information security. Prescriptive guidance comes from sources like the Center for Internet Security’s (CIS) “Benchmarks,” the Defense Information Systems Agency’s “Security Technical Implementation Guides” (DISA STIGs) or NIST 800-53 and the National Institute of Standards and Technology’s “Recommended Security Controlsfor Federal Information Systems and Organizations.”

The degree of “prescriptive-ness” in these standards refers to the level of specific guidance they provide: a non-prescriptive guide like SOX might say “Passwords should be complex.” But prescriptive guidelines like the ones above provide specific values that must be attained for each control.

Compared to the simple SOX standard for passwords, CIS requires passwords that:

  • Are at least 8 characters in length for standard enterprises servers
  • Are at least 11 characters for critical systems
  • Are changed every 90 days but not more often than once a day
  • Are different from the previous 24 passwords created by the user
  • Contain characters from multiple classes: alphabet, numeric, special characters, etc.
  • Are not saved or stored in any form of reversible encryption

Because of this level of control, prescriptive standards like CIS tend to be more complex than vendor hardening guidelines. Some standards, like DISA or NIST, actually break these down into more granular requirements depending on Hi/Med/Lo risk ratings for the systems being monitored.

It’s worth mentioning, too, that there are dozens more—a veritable alphabet soup of acronyms and abbreviations – that provide guidance across industry segments and areas of interest. “NERC CIP” requirements provide standards for critical infrastructure protection in the energy space, while HIPAA requirements govern systems that store or transmit patient health records. The list is long and covers virtually every industry and nearly every region or country.

In any industry or setting, the discipline of security configuration management seeks to find a balance between security and usability: somewhere between “server passwords are allowed to be blank” and a ridiculous work-stopping requirement like “the system needs to have a new, never-used, complex 30-character password that’s changed every 48 hours” rests that ongoing balance.

 

via:  tripwire


Save pagePDF pageEmail pagePrint page

Bomgar to Acquire BeyondTrust

Announcement email:

 

I am excited to announce that BeyondTrust is being acquired by Bomgar, a global leader in privileged access management solutions. The acquisition is scheduled to be complete in October 2018, and the integration into Bomgar will happen over the coming months.

Read the press release: https://www.beyondtrust.com/resources/press-release/bomgar-announces-acquisition-beyondtrust/

This acquisition is a great fit for both companies. The combination of Bomgar and BeyondTrust creates a global leader in Privileged Access Management that protects organizations against today’s biggest cybersecurity threats, while empowering them to push their businesses forward. The resulting company, which will be called BeyondTrust, will:

  • Deliver the world’s most comprehensive privileged access security solution, combining BeyondTrust’s market-leading privileged access management platform with Bomgar’s advanced privileged session and endpoint protection solutions.
  • Enhance and accelerate innovation to more quickly deliver innovative software that improves your security posture without forcing you to compromise business agility or productivity.
  • Create an expansive partner ecosystem to scale and improve how we reach and support our more than 19,000 combined customers.

I assure you that there will be no immediate changes to BeyondTrust’s products, support, or services in conjunction with this acquisition. However, if you do have questions related to this acquisition, please read the FAQ article here:https://www.beyondtrust.com/faq-bomgar-acquisition-beyondtrust/

If you have any additional questions, please contact us via the website at www.beyondtrust.com/contact/.

Regards,
Kevin Hickey
President & CEO, BeyondTrust


Save pagePDF pageEmail pagePrint page

How to dictate text and speak commands in Windows 10

Need an alternative way to work in Windows 10 beyond your keyboard and mouse? Try your voice.

Using your voice to control Windows can be a helpful option if you physically can’t or don’t want to use your mouse and keyboard. You can dictate text to create emails, documents, and more.

Windows has long provided its own Speech Recognition tool to set up and use voice dictation. Windows 10 adds to the mix with its own speech settings. The trick is to get Windows to understand you clearly enough so the process is worth the effort. Learn the best way to set up and use voice recognition in Windows.

In any supported version of Windows, including Windows 10, you can set up voice dictation in Windows through Control Panel. To do this, open Control Panel in icon view and click the icon for Speech Recognition. At the Speech Recognition screen, click the link to Start Speech Recognition (Figure A).

 

Figure A

windowsdictationfigure-alancewhitneyjuly2018.jpg

Choose the type of microphone you’re using, and then dictate the displayed words to teach Windows your voice. After you’re finished, the Speech Recognition bar pops up at the top of the screen. You can immediately begin dictating text.

Open a document, email, or other file in which you want to dictate. Click the microphone icon on the Speech Recognition bar to start listening mode. Dictate your text. You can dictate punctuation, symbols, and other parts of speech as well as specific actions such as “new line” and “new paragraph.” To find out what you can say, right-click the Speech Recognition bar and select Open Speech Reference Card. When you’re finished, click the microphone icon again to turn off listening mode (Figure B).

Figure B

windowsdictationfigure-blancewhitneyjuly2018.jpg

If Windows is having trouble understanding your words, right-click the Speech Recognition bar, move to Configuration, and select Improve Voice Recognition. Windows takes you through a lengthy series of screens where you dictate certain sentences to help it better pick up your speech (Figure C).

Figure C

windowsdictationfigure-clancewhitneyjuly2018.jpg

You can also view and modify certain settings for speech recognition. From the Speech Recognition Control Panel window, click the link for Advanced Speech Options. From here, you can opt to create a new voice profile, take the training for your current profile, opt to run Speech Recognition each time Windows starts, give Windows permission to review your documents and emails to better understand the words you use, and configure your microphone (Figure D).

Figure D

windowsdictationfigure-dlancewhitneyjuly2018.jpg

The Control Panel applet is an effective way to set up speech recognition, but it is time consuming. In Windows 10, you can also get started by accessing the relevant options in the Settings app. Open Settings. Go to Ease Of Access and click the setting for Speech. Scroll down the page and enable the switch to Turn On Speech Recognition. That action displays the Speech Recognition bar (Figure E).

Figure E

windowsdictationfigure-elancewhitneyjuly2018.jpg

As an alternative to activating the Speech Recognition bar, you can use the speech recognition built into Windows 10. At the Speech setting in Ease Of Access, click the link to Get More Info About Dictation—a Microsoft support page explains how to use dictation and what commands you can say in Windows 10. In Settings, go to Privacy and select Speech, Inking & Typing. If this option is turned off, the button will say Turn On Speech Services And Typing Suggestions—click that button to turn on this service (Figure F).

Figure F

windowsdictationfigure-flancewhitneyjuly2018.jpg

To use the Windows 10 speech recognition, open a document, email, or other file into which you want to dictate. Hold down the Windows key and press H to trigger the dictation toolbar. You can now dictate your text. When you’re done, press Win key + H to turn off the dictation toolbar (Figure G).

Figure G

windowsdictationfigure-glancewhitneyjuly2018.jpg

 

 

via:  techrepublic


Save pagePDF pageEmail pagePrint page

How to Cultivate Security Champions at the Workplace

Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?

The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help.

The Human Factor

Everyone at a company effects, for good and bad, the security of the company for which they work. Clicking on phishing emails. Posting a file to a public Dropbox so you can work from home. Coding in that backdoor to make debugging an application easier. Putting convenience above security. These are just a few examples of how anyone can adversely affect the overall security of a company.

The worst part is that many times the person is not trying to be malicious. Their intentions can be good, but their lack of focus could breed horrible consequences.

On Security Champions and Why We Need Them

What if, as the security team, you could have people throughout your organization that positively affect the overall security? We’ll call them security champions. (Full disclosure: I stole the security champions term from somewhere but do not remember where.)

Security champions (my definition) are non-security professionals that promote and practice good security. These people help educate others to identify phishing emails. They do not belittle others for asking what might be considered simple security questions. They bake security into their development process and try to get others to do so. They think about security versus convenience. All without the security team having to tell them to do so.

Think of the time this could save you, a member of the security team. Heck, just a few less clicks on phishing emails would be worth it. Wouldn’t it be great to have your business partners, even just a couple, bring up security-related issues without prompting? How about having developers push for good secure coding practices without you having to beg them?

Yes, you will probably end up with a few security champions that actually create more work for you. But in the end, the more people you have thinking about, practicing and implementing good security, the more time you will save the security team. Not to mention the resources that might be willing and maybe even eager to help when you have questions or are looking into a possible event.

Security champions are not meant to replace security engineers, or whatever title you use, but to augment them.

Best Practices for Cultivating Security Champions

How, you ask? Well, that depends on your organization.

Start small with the people you work with every day. Find out which of them have a security mindset and cultivate that. Send them articles that they might find interesting and see if they take the bait and run with it. If they do, make sure they and their management know the value they are providing. Leverage your existing security awareness and education program. Present security topics. Presenting what a firewall does might motivate some, but I am guessing those are rare.

How about demonstrating how the last penetration tester you had (You are having regular penetration tests, correct?) got your crown jewels? How about something as simple as getting a Meterpreter shell on a box and showing what can be done, like taking control of the camera and installing key loggers. Keep it simple and light but accurate. Keep in mind, not everyone has your level of knowledge.

Some things you consider simple are things that can make a big impact on people. Think even smaller, visiting with people one-on-one as time and events present themselves. Last note, there is no better time than an incident debrief to educate users one-on-one or in a group.

The point is to get people’s attention. Show them why security is important. Show how easy it really can be for malicious actors to reign havoc in your environment. Show how they can have a direct impact in helping to prevent that. A few people will take it to heart and develop a security mindsight.

Many people in information security are problem solvers. Approach it that way. Demonstrate to them how a malicious actor could easily attack your AD / Kerberos infrastructure. (Kerberoasting, anyone?) See how many ask what can be done to mitigate it. Instead of answering, ask them what they would do, what they can think of. Make it a problem for them to solve. Just keep your audience in mind. What will entice one audience, say demonstrating the intricacies of Kerberoasting to your server administrators, will be lost on business partners.

This will take work. It is not a one and done. You will have to be an evangelist. Like most things, it requires careful care and feeding. Overdoing it can backfire. People will tune out. Put thought not only to your message but also to the audience. In the end, the time savings not to mention the more intangibles are well worth it.

 

via:   tripwire


Save pagePDF pageEmail pagePrint page

The Role of Incident Response in ICS Security Compliance

The data-driven nature of IR can provide many of the reporting requirements governing industrial control system safety, finance, consumer privacy, and notifications.

Regulatory compliance in industrial environments poses unique challenges not found in traditional IT settings. A leading source of this complexity stems from the pre-Internet, largely proprietary nature of industrial control system (ICS) networks, specifically their lack of open computing standards, which are taken for granted in IT networks. These closed ICS networks are extremely hard to update, and even harder to maintain in compliance with state, federal, and industry regulations.

In addition, most ICS networks lack built-in security components, notably automated asset management, proactive security monitoring, and real-time threat analysis and prevention. Plus, most of the applicable regulations and guidelines apply specifically to verticals such as healthcare and energy, and cover ICS only either indirectly or at a very high level. Consequently, the responsibility for security and incident response (IR) falls primarily on those who implement and utilize ICS, namely operational technology personnel, not the security team.

5 Core Elements of ICS Compliance
Although specific regulations and standards vary, there are five key elements to consider when developing an ICS compliance program:

Asset management: Identifying and classifying ICS assets and the data they contain.

Identity and access management: Using role-based access control (RBAC) and authentication, authorization, and accounting (AAA) to manage ICS assets.

Risk assessments, vulnerability management, and change management: All of these functions involve identifying risks and vulnerabilities, and patching ICS assets, which can be challenging because different vendors provide varying levels of support and maintenance.

Security controls: Isolating the ICS network from the rest of the organization’s networks. The key tool is encryption — of data at rest and in transit — to ensure the integrity of applications as well as data. Other important tools are monitoring and logging network activity.

Physical security: Mostly, this means restricting physical access to the ICS devices. Because internal security capabilities of most ICS devices are often very limited, organizations must ensure that proper external controls are in place to fill gaps.

ICS Compliance Frameworks
US ICS-CERT has some of the most detailed recommendations for security and compliance specific to ICS, specifically, Recommended Practice: Creating Cyber Forensics Plans for Control Systems (2008) and Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (2009).

Another good source of information for all organizations is the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems. It provides recommendations and best practices.

Most verticals have specific guidelines for what organizations should do in incident response. Generally, organizations should familiarize themselves with all existing frameworks, laws, and regulatory and compliance standards so they can use them to create effective plans, policies, and procedures.

Incident Response & ICS Compliance
Because meeting ICS regulatory compliance requirements involves documenting processes and procedures, the data-driven nature of IR provides many of the reporting elements to comply with the strictest regulations regarding finance, safety, consumer privacy, customer notifications, and so on.

For example, the foundation of ICS compliance is built on auditing of assets. Without proper auditing, an organization is forced to assume the worst when a breach or attack occurs — that everything has been infected.

Detection, also a central element IR, is tightly aligned with compliance. Being able to detect and respond to a breach when it occurs, instead of weeks or months later, enables organizations to limit or avoid regulatory sanctions, as well as public relations nightmares.

IR investigation and threat hunting, meanwhile, provide the audit trail for satisfying compliance mandates. If an organization suffers a breach it must be able to quickly determine when it happened, what damage was caused, and whether it has been remediated or not.

Finally, IR’s ability to document workflows and findings can play a central role in complying with disclosure requirements and help meet the short deadlines for notifying all internal and external stakeholders.

 

via:  darkreading


Save pagePDF pageEmail pagePrint page