Mykola Srebniuk, Head of Information Security, MacPaw; Vira Tkachenko, CTO, MacPaw
MacPaw has been operating in Kyiv since the start of the full-scale war in Ukraine. This session will outline how the organization prepared its infrastructure for the Russian invasion, how the plans were implemented, and how the company's security and business continuity were ensured. This session will be helpful for businesses facing various natural and cyber disasters, from hurricanes and typhoons to cyberattacks.
Cyber Wars gives you the dramatic inside stories of some of the world’s biggest cyber attacks. These are the game-changing hacks that make organisations around the world tremble and leaders stop and consider just how safe they really are. Charles Arthur provides a gripping account of why each hack happened, what techniques were used, what the consequences were and how they could have been prevented.
Cyber attacks are some of the most frightening threats currently facing business leaders, and this book provides a deep insight into understanding how they work and how hackers think as well as giving invaluable advice on staying vigilant and avoiding the security mistakes and oversights that can lead to downfall. No organization is safe, but by understanding the context within which we now live and what the hacks of the future might look like, you can minimize the threat.
A cyber espionage group has been targeting governments and state-owned organizations in multiple Asian countries since early 2021.
Threat actors are targeting government and state-owned organizations in multiple Asian countries as part of a cyber espionage campaign that has remained under the radar since early 2021.
"A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries," reads an analysis published by the Symantec Threat Hunter team, part of Broadcom Software. "The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal."
The attackers employed a broad range of legitimate tools to deliver malware in attacks aimed at government institutions related to finance, aerospace, and defense, as well as state-owned media, IT, and telecom firms.
The attackers used Dynamic-link library (DLL) side-loading to deliver the malicious code. The technique sees threat actors placing a malicious DLL in a directory where a legitimate DLL is expected to be found. Then the attacker runs a legitimate application that loads and executes the malicious payload.
The attackers target old and outdated versions of security solutions, graphics software, and web browsers that lack mitigations for DLL side-loading attacks.
"Once a malicious DLL is loaded by the attackers, malicious code is executed, which in turn loads a .dat file. This file contains arbitrary shellcode that is used to execute a variety of payloads and associated commands in memory. In some cases, the arbitrary shellcode is encrypted," the report continues.
The attackers also leverage these legitimate software packages to deploy additional tools (credential dumping tools, network scanning tools such as NBTScan, TCPing, FastReverseProxy, and FScan, and the Ladon penetration testing framework), which are used to perform lateral movement.
Once the attackers have established backdoor access, they use Mimikatz and ProcDump to harvest credentials and obtain deeper access to the target network. In some instances, threat actors also dump credentials via the registry.
Experts also observed attackers using PsExec to run old versions of legitimate software to load off-the-shelf RATs.
The cyberspies also use a number of living-off-the-land tools such as Ntdsutil to mount snapshots of Active Directory servers in order to gain access to Active Directory databases and log files and the Dnscmd command line tool to enumerate network zone information.
Experts also shared details about an attack against a government-owned organization in the education sector in Asia. The intrusion lasted from April to July 2022, during which the adversary accessed machines hosting databases and emails, before accessing the domain controller.
The attackers also used an 11-year-old version of Bitdefender Crash Handler ("javac.exe") to run Mimikatz and the Golang penetration testing framework LadonGo.
The experts did not attribute the cyber espionage campaign to a specific threat actor, but they noted the use of the ShadowPad backdoor, which is commonly used by China-linked APT groups.
"The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region. Although a well-known technique, it must be yielding some success for attackers given its current popularity. Organizations are encouraged to thoroughly audit software running on their networks and monitor for the presence of outliers, such as old, outdated software or packages that are not officially used by the organization," concludes the report, which includes Indicators of Compromise (IoCs).
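A defender-side hunt for the tradecraft described in the side-loading passage above and in this closing recommendation (audit the software running on the network, flag old or unapproved packages, and watch for living-off-the-land use of Ntdsutil, Dnscmd and ProcDump). This is an added example written for this page, not Symantec's code. The events are a simplified key=value rendering of Sysmon Event ID 1 (process create) and Event ID 7 (image load) constructed for the example; the DLL watchlist, the approved-product inventory, the command-line patterns and every path, product name and OriginalFileName value are assumptions to be replaced with your own baseline.

```python
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed watchlist: DLL names that signed applications resolve by name
# and that should only ever come from a Windows system directory.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed inventory of products the organization officially uses
# (compared case-insensitively against Sysmon's Product field).
APPROVED_PRODUCTS = {"microsoft windows operating system", "google chrome"}

# Living-off-the-land command lines named in the report (patterns are assumptions).
LOLBIN_PATTERNS = [
    ("ntdsutil AD snapshot/IFM export", re.compile(r"ntdsutil.*\b(snapshot|ifm)\b", re.I)),
    ("dnscmd zone enumeration", re.compile(r"dnscmd.*/(enumzones|zoneprint|enumrecords)", re.I)),
    ("procdump of lsass", re.compile(r"procdump.*lsass", re.I)),
]


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_image_load(ev):
    """Event ID 7: a watched DLL name loaded from outside the system directories."""
    loaded = ev.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower() + "\\"
    if name not in WATCHED_DLLS or directory.startswith(SYSTEM_DIRS):
        return None
    reasons = [f"{name} loaded from non-system path {ntpath.dirname(loaded)}"]
    if ev.get("Signed", "").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    if directory == ntpath.dirname(ev.get("Image", "")).lower() + "\\":
        reasons.append("DLL sits beside the loading executable")
    return ("dll-sideload", ev.get("Image", ""), "; ".join(reasons))


def check_process(ev):
    """Event ID 1: renamed vendor binaries, unapproved products, LOLBin command lines."""
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    original = ev.get("OriginalFileName", "").lower()
    product = ev.get("Product", "")
    cmd = ev.get("CommandLine", "")
    findings = []
    if original and original != name:
        findings.append(("renamed-binary", image,
                         f"on-disk name {name} but version resource says {original}"))
    if product and product.lower() not in APPROVED_PRODUCTS:
        findings.append(("unapproved-software", image,
                         f"product '{product}' is not in the approved inventory"))
    for label, pattern in LOLBIN_PATTERNS:
        if pattern.search(cmd):
            findings.append(("lolbin", image, f"{label}: {cmd}"))
    return findings


def hunt(lines):
    """Run both checks over event lines; returns (kind, image, detail) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "7":
            hit = check_image_load(ev)
            if hit:
                findings.append(hit)
        elif ev.get("EventID") == "1":
            findings.extend(check_process(ev))
    return findings


# Constructed sample telemetry (paths, product names and OriginalFileName values are made up;
# the javac.exe line is modelled on the renamed crash handler described in the report).
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Program Files\Vendor\viewer.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\Public\pkg\viewer.exe|ImageLoaded=C:\Users\Public\pkg\version.dll|Signed=false|SignatureStatus=Unavailable",
    r"EventID=1|Image=C:\Users\Public\pkg\javac.exe|OriginalFileName=crashhandler.exe|Product=Example AV Crash Handler|CommandLine=javac.exe",
    r'EventID=1|Image=C:\Windows\System32\ntdsutil.exe|OriginalFileName=ntdsutil.exe|Product=Microsoft Windows Operating System|CommandLine=ntdsutil.exe snapshot "activate instance ntds" create quit quit',
    r"EventID=1|Image=C:\Windows\System32\dnscmd.exe|OriginalFileName=dnscmd.exe|Product=Microsoft Windows Operating System|CommandLine=dnscmd.exe /enumzones",
    r"EventID=1|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|OriginalFileName=chrome.exe|Product=Google Chrome|CommandLine=chrome.exe",
]

if __name__ == "__main__":
    for kind, image, detail in hunt(SAMPLE_EVENTS):
        print(f"[{kind}] {image}: {detail}")
```

Two points the report's prose leaves implicit: a side-loaded DLL is normally found next to the launching executable rather than under System32, so load path plus signature status is a cheaper first filter than hashing every module; and a renamed vendor binary gives itself away when its on-disk name disagrees with the OriginalFileName in its version resource, which is how the crash handler run as javac.exe would surface in an inventory audit.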
The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.
The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.
"The Federal Communications Commission's Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019," reads the FCC's press release.
The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons.
The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:
Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.
The FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.
"The FCC's decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation's communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America's interests," said FCC Commissioner Brendan Carr. "I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America's communications networks, I am confident that we will have more entities to add to our Covered List."
In mid-March, the German Federal Office for Information Security (BSI) recommended that consumers uninstall Kaspersky anti-virus software. The agency warned that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.
Under §7 of the BSI Act, the BSI warns against the use of Kaspersky antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.
For the past few weeks, Russia has been deploying military forces into strategic positions on Ukraine's borders. However, there is another, virtual dimension to the escalating conflict: cyber-attacks on Ukrainian government and business websites and services.
Although it is impossible to confirm that the Russian state is behind these attacks, commentators have suggested that similar tactics form part of a type of hybrid warfare that Russia has been fine-tuning for the past couple of decades.
Cyber-espionage and information warfare have become an intrinsic part of recent conflicts and happen on a regular basis between conflicting powers. However, governments do not usually publicly claim responsibility for this type of activity, since this could put them in a position of declaring war against the targeted country and provoking counterattacks and sanctions from the international community. Therefore, evidence that Russia is definitely behind these attacks is hard to establish.
Cyber-attacks are often attributed to hacker groups with nationalist motivations, who act on their own political agendas without any state backing being explicitly verified.
In January, there was a spate of attacks by Belarusian hackers believed to be supporting Russia. They launched a series of malware attacks against Ukrainian computer systems with many government and other websites being defaced with provocative and intimidating messages.
In mid-February, there was another round of cyber-attacks, this time targeting the Ukrainian army website, ministerial websites and some of the major banks, including PrivatBank, preventing online payments and use of banking apps.
These latest attacks were mainly distributed denial of service (DDoS) attacks, in which a huge number of small packets of information are sent to websites and servers from multiple sources. This information overload causes the targeted servers and computer systems to slow down or collapse under the swarm of information requests.
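To make the mechanism concrete, here is an added example (not from the article) of the detection problem a DDoS creates: a sliding-window request counter over a constructed web-server access log. A per-source limit catches one noisy client, but a flood spread across many sources stays under that limit for every single address, so the detector must also compare the aggregate rate against the capacity of the service. The log format, the address ranges and the thresholds are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0      # length of the sliding window
PER_SOURCE_LIMIT = 50      # requests one client may send per window (assumed)
AGGREGATE_CAPACITY = 400   # requests per window the service can absorb (assumed)


class FloodDetector:
    """Sliding-window request counter, kept per source and in aggregate."""

    def __init__(self, window=WINDOW_SECONDS, per_source=PER_SOURCE_LIMIT,
                 capacity=AGGREGATE_CAPACITY):
        self.window = window
        self.per_source = per_source
        self.capacity = capacity
        self.by_source = defaultdict(deque)  # source -> timestamps inside the window
        self.overall = deque()               # all timestamps inside the window
        self.alerts = []                     # (kind, subject, timestamp)

    def _expire(self, now):
        """Drop timestamps that fell out of the window (O(sources) per event; fine for a demo)."""
        cutoff = now - self.window
        while self.overall and self.overall[0] < cutoff:
            self.overall.popleft()
        for queue in self.by_source.values():
            while queue and queue[0] < cutoff:
                queue.popleft()

    def observe(self, ts, source):
        """Record one request; alert exactly once when a threshold is crossed."""
        self._expire(ts)
        self.by_source[source].append(ts)
        self.overall.append(ts)
        if len(self.by_source[source]) == self.per_source + 1:
            self.alerts.append(("single-source-flood", source, ts))
        if len(self.overall) == self.capacity + 1:
            self.alerts.append(("aggregate-overload", f"{len(self.by_source)} sources", ts))


def parse_line(line):
    """Constructed access-log format: '<epoch-seconds> <source-ip> <method> <path>'."""
    ts, source, _rest = line.split(" ", 2)
    return float(ts), source


def detect(lines, **thresholds):
    """Feed log lines through a detector and return the alerts it raised."""
    detector = FloodDetector(**thresholds)
    for line in lines:
        detector.observe(*parse_line(line))
    return detector.alerts


def constructed_log(sources, per_source, span=WINDOW_SECONDS):
    """Each source sends `per_source` requests, interleaved evenly over `span` seconds."""
    total = len(sources) * per_source
    return [f"{span * i / total:.3f} {sources[i % len(sources)]} GET /" for i in range(total)]


def merged(*logs):
    """Interleave several constructed logs in timestamp order."""
    return sorted((line for log in logs for line in log), key=lambda l: parse_line(l)[0])


def scenario_single_source():
    """100 ordinary clients (3 requests each) plus one client sending 80 requests."""
    background = constructed_log([f"198.51.100.{i}" for i in range(1, 101)], 3)
    flood = constructed_log(["203.0.113.9"], 80)
    return merged(background, flood)


def scenario_distributed():
    """500 distinct sources, one request each: below any per-source limit, above capacity."""
    return constructed_log([f"10.{i // 256}.{i % 256}.7" for i in range(500)], 1)


if __name__ == "__main__":
    for name, log in (("single source", scenario_single_source()),
                      ("distributed", scenario_distributed())):
        print(name, detect(log))
```

The single-source scenario raises only the per-client alert and never approaches capacity, while the distributed one raises only the aggregate alert, which is why per-client throttling alone does not stop the attacks the article describes. A real deployment would replace the deque-per-source bookkeeping with per-second buckets or a counting sketch and measure the capacity figure under load rather than assume it.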
Russian involvement in those cyber-attacks is suspected, but is hard to confirm. The attacks follow the pattern of similar tactics with alleged Russian backing over the past two decades in Ukraine, Estonia and Georgia, including attacks on communications infrastructures and power grids.
The US president and EU officials are now discussing increasing cyberspace defences against such attacks or imposing sanctions, if required.
Despite all of this, Ukrainian officials have refrained from explicitly mentioning the Russian state as being behind these attacks.
A searing look inside the rise of cyberwarfare as the primary way nations now compete with and sabotage one another – The Perfect Weapon
Ambassador Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
Ambassador Bill Middendorf makes one unambiguous argument in his new book, The Great Nightfall: Why We Must Win the New Cold War. America won't survive and thrive in an era of great-power competition without a strong, dominant military. There is one reason for that. China.
Middendorf has given a full lifetime of service to the nation, from his days at sea during World War II to diplomatic assignments and government posts. Among the latter, a turn as Secretary of the Navy. He was instrumental in designing the naval forces that completely outmatched the Soviets during the Cold War. Today, he remains America's maritime Henry Kissinger, the nation's preeminent thinker on naval modernization.
In The Great Nightfall, Middendorf deconstructs great-power competition. Regardless of how many internet trolls, little green men, bank accounts and businesses a state controls, it's not enough to make the state a great power. That requires real military power.
Without the capacity to physically defend national interests, big states are fat banks waiting to be robbed. In contrast, nations that can defend themselves have a foundation on which to build sustainable diplomatic, economic and political policies. "The Cold War ended," Middendorf argues in The Great Nightfall, "because we were the strongest military force in the world, backed by a unified NATO and strong allies in the Pacific."
In short, in great-power competition, force is the coin of the realm. The problem with contemporary competition, Middendorf notes, is that "[t]imes have changed." China is on a path to challenge the United States for number one.
One of the attributes the great-power competition shares with the Cold War is that our adversaries would prefer to "win without fighting." In other words, they want to achieve victory without the debilitating costs and risks of direct military conflict. These opponents are predisposed to adopt indirect approaches to whittle away at the strength and solidarity of the free world. That said, military competition plays an important role in their calculus, particularly for China. Chinese strategy envisions ultimately demonstrating sufficient military dominance that Beijing can intimidate other nations and bend them to its will.
In some ways, the new era of great-power competition resembles a new type of arms race. And, as was the case during the Cold War, there are concerns that the competition could turn into armed confrontation. Indeed, The Great Nightfall maps out several scenarios, from North Korea to the South China Sea, where great powers could actually come to blows.
The Great Nightfall, however, is fundamentally a book about how the United States can establish conventional and strategic deterrence in the modern world. "This book is not a call for war," writes the author. "The best way to prepare for war is to be prepared to win it. We need to stop underfunding the military, especially in areas of research, non-conventional war, space, cyberwar, and artificial intelligence. War is changing, and we need to change with it. We cannot expect success fighting tomorrow's conflicts with yesterday's weapons."
Middendorf's blueprint for protecting America in the twenty-first century stands out in two ways. First, he provides a detailed assessment of how to protect the U.S. capacity to build and sustain a modern military. Here, he addresses issues from research and development, to establishing secure, "clean" supply chains, to ship-building. Second, he delivers a comprehensive overview of future U.S. naval needs.
It is not just his naval service and stint as Secretary of the Navy that lead the ambassador to focus on seapower. Fundamentally, China's potential as a global threat is rooted in its ability to project maritime power. And naval power, in the modern sense, is multidimensional, linking the ability to sail the seas with undersea warfare, air, space, and cyber operations.
The outstanding contribution of The Great Nightfall is its extraordinarily deep evaluation of all aspects of naval power, covering the nature of the Chinese threats and the appropriate countermeasures. In the end, Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.
In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including "guest" posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case the actors faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that claimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that no working exploit was demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was "not a fake video."
Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury Department and an agency that decides internet and telecommunications policy, according to people familiar with the matter.
Three of the people familiar with the investigation said Russia is currently believed to be behind the attack.
Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.
"The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation," said National Security Council spokesman John Ullyot.
The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.
The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.
The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.
The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.
"The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government," Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. "These provisions will establish strong, centralized oversight to protect our nation's critical information infrastructure and update our comprehensive policy for operating in cyberspace."
The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.
The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.
A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.
Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.
Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.
The amendment also calls for developing policies to be used in the purchasing of technology products and services.
A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee
The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.
by Larry Karisny
While following the Connectivity Show in Santa Clara, California, I thought I should follow up on Greentech Media's annual Smart Grid conference in Palm Springs last week. I wanted to focus this article on Smart Grid security, so I thought I should find some clear explanation of where we are now and then add my thoughts on where we need to be in smart grid security. To get an indication of where we are, I couldn't pass up this simultaneously humorous and cautionary anecdote from the opening panel discussion by Smart Grid security guru Massoud Amin of the University of Minnesota, drawn from his most recent whitepaper:
Now, with all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark-fiber point-to-point links). With this kind of money and private network capability, why would you ever worry about security? You lived on your own island with your own power and communications grid, and everything was just fine. Then came the smart grid. By definition, the smart grid requires two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies, and admittedly a whole new learning curve, with many power companies like PG&E setting up their own test labs to begin learning this complex smart grid system (see "Inside PG&E's Smart Grid Lab", in which Chris Knudsen, director of the technology innovation center at PG&E, shows us what they're tinkering with).
It didn't take long for problems to occur. Again, you need to understand that even smart meters were just dusted-off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data in real time. It wasn't long before serious security issues were found and reported by respected security firms like InGuardian and IOActive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC," said Matthew Carpenter, senior security analyst at InGuardian, speaking on a panel at the RSA Security Conference in San Francisco. So now, with little knowledge of the Internet and security, the power companies have billions of dollars in grants in hand with one big problem: the grants mandate an ironclad security platform.
To add to the smart grid security problems some people think the power grid is the main target in the new battle in cyber wars.
Richard Clarke, the former anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack on the power grid on the front lines. In a recent Newsweek article Clarke was quoted as saying, "I think the average American would understand it if they suddenly had no electricity.
The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures."
So what can we do to secure the grid now while upgrading it to smart grid capabilities?
Ed Smith, CEO of WirelessWall, has one word: "Attack." Having a military background, he understands that you begin an attack by crippling an enemy's communication and critical infrastructure. His civilian background has a long history of Situational Crisis Management, using Rapid Response Teams to facilitate the successful conclusion of crisis situations. Armed with security that exceeds DoD 8100.2 (the DoD Directive on wireless security) and FIPS 140-2 end-to-end security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.
"People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons. That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives."
"We can't afford not to put good enough security in our power grids. My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the Smart Power Grid protection has to be implemented now."
"If you are a Smart Grid Integrator offering a solution, someone that has been breached, or better yet, don't want to be breached, you have to be proactive. Where are the power companies? What are they waiting for? PG&E, Duke Power, Florida Power and Light, Progress Energy, Sacramento Municipal Utility District (SMUD): we are right here in Silicon Valley, California. WirelessWall can even be installed remotely and proven in a matter of hours, so there is really no excuse for not putting this in their labs and testing it. After about 10 years of real-life military testing and being the only wireless protection allowed by the DoE to secure nuclear sensors for the last 6 years, there is not a lab test that can come close to disputing the protection capabilities of WirelessWall. It is a time- and situation-proven solution and our Rapid Response Team approach is designed to install protection immediately."
Like the old David and Goliath story, the power companies need to start embracing smaller companies' expertise and leveraging their learning curve. As the WirelessWall security story shows, the expertise in how to build these wireless network platforms resides in the companies that have had their products tested in real-world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name a few, were the trailblazers that learned along the way and can now bring tested wireless network expertise to the smart grid. With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that, and are ready to support a secure wireless smart grid network with their tested solutions.
According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazineâs annual âState of the Netâ survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org
Uncertain economic time brings new threats and scams and most of the security experts agree that thereâs a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.
First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.
Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.
PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives donât address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.
Cybersecurity experts were at congress floor this week to discuss security strategy and threats to federalgovernment infrastructure for not having an appropriate strategy and funding.
âBut in our rush to network everything, few stopped to consider the security ramifications of this new world we were creating. And so we find ourselves in an extremely dangerous situation today â too many vulnerabilities exist on too many critical networks which are exposed to too many skilled attackers who can inflict too many damages to our systems. Unfortunately, to this day, too few people are even aware of these dangers, and fewer still are doing anything about it.â Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee
Amit Yoran said that research and development must be bolstered, standards for securing systems must be reformed, and a legal analysis of the governance, authority and privacy requirements is needed. cybersecurity focuses on monitoring adversaries, determining their methods and techniques, tracking their activities to a point of origin, and determination of compromise scope, intent and objective.
Detecting cyber attacks and having an emergency response plan are paramount to success against cybersecurity attacks. I think the federal government needs a new proactive paradigm for cybersecurity, one that inspects packets (deep packet inspection) to distinguish malicious packets from normal ones. This way malicious packets can be dealt with appropriately at the perimeter before they create havoc inside the network or on end-user desktops.
Cyber warfare poses a serious threat to a country's critical infrastructure. It has been a major challenge for DoD officials; cyber attackers have already stolen terabytes of data from their infrastructure.
Most security experts and the FBI agree that cyber attacks pose the biggest threat to vital US infrastructure. "Cybergeddon" is the scenario in which our daily economy, which depends on interconnected vital network infrastructure, is hacked by cyber attackers.
SCADA (Supervisory Control and Data Acquisition) systems control the power grids of all the utilities; "SCADA systems are used in industry to monitor and control plant status and provide logging facilities and are highly configurable". A SCADA system is the connection between the control systems and the switches.
Cyber attackers have already caused multi-city power outages outside the US. Recent attacks show that cyber attackers are getting more knowledgeable about SCADA systems. In the past SCADA used to be an isolated, exclusive system, but it is now slowly being integrated with the rest of the infrastructure and adopting IP addressing schemes. Both changes introduce new threats and raise the risk of cyber attack.
Utilities are, in a sense, the most critical infrastructure because all other vital infrastructure depends on the power supply. A cyber attack on a SCADA system has the potential for cybergeddon, and SCADA should be protected as a very critical asset by both the public and private sectors. Security through obscurity is not the answer for SCADA anymore.
In SCADA systems, reasonable security can be achieved by embracing the ISO 27k standard as policy and eventually acquiring ISO 27001 (ISMS) certification. Organizations may start the certification process with a limited scope (the critical processes) and increase the scope at each recertification attempt based on the resources available and management's risk appetite. An Information Security Management System (ISMS) can be a great value-added process for the ongoing monitoring, maintenance and process improvement of SCADA. An ISMS in place as a process provides a reasonable security safeguard against zero-day attacks.
In the past, when senior management (execs) needed to understand the financial implications of cyber threats and their exposure, they turned their questions to IT for the relevant answers. In other words, the IT risk assessment was the answer in the past for understanding the financial implications of cyber threats. An IT risk assessment is not a comprehensive or overall assessment of the company and cannot capture the total implications of cyber threats. The overall assessment must include not only IT but also other departments like HR and legal etc… Basically, cyber threats are no longer an IT issue, nor a legal or HR issue; they are simply an enterprise management issue.
In the old days the firewall was the major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand a better defense. New threats (viruses, adware, worms, Trojans, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand the immediate attention of the CFO or higher, and approval of resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior-level execs need to know the overall risk they are reducing and which risks are their highest priority.
ANSI and ISA have jointly released a document to help senior management prepare for the financial implications of cyber threats. The essence of the guide is to give execs a tool for understanding the financial implications of potential cyber threats to their organizations.
"The 40-page guide was put together by a task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFOs ask their various teams questions about the biggest threats to data confidentiality, integrity and availability," to learn which controls are already in place and whether a relevant mitigation plan exists. Risk analysis of this information can help execs map cyber threat risks into the correct financial terms and allocate resources better.
Senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice; it provides reasonable ongoing due diligence to protect and safeguard organizational data.
The World Bank controls the world's banking system and creates plans and strategies to develop economies and protect countries from financial turmoil. This information is a treasure trove of data which could be manipulated for huge monetary or political gain.
Amid the financial crisis, a major security breach has been reported at the World Bank, which may tell us that protecting consumers' data during this crisis is not the first priority for many suffering financial institutions.
"It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July."
"In total, at least six major intrusions, two of them using the same group of IP addresses originating from China, have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month."
The World Bank's technology and security expert states that the incident is an "unprecedented crisis." Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month, and the World Bank admits that sensitive data could have been stolen but is not sure of the total impact of the breach.
Alan Calder wrote about "Data protection and financial chaos" and mentioned that "When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?"
I concur with Alan on this point: in the midst of this chaos, our personal data might be at great risk, and we have to be vigilant and carry the load of protecting our data. At the same time, this might become another reason for financial institutions' demise if they let their guard down now and do not make protecting customers' data a priority.
During this turmoil, some financial institutions' upper management doesn't have to worry about their responsibility to secure customer data adequately when they already know that eventually the taxpayers will pay for their mistakes and their bonus plan will stay intact. Unprecedented crises are sometimes the result of unprecedented greed.
Glassner: "I don't know that the captain of the Titanic got a bonus for driving the boat into the iceberg. They at least had the decency to go down with the ship" [quoted in the "Wachovia's Golden Parachutes" story in the S.F. Chronicle of 10/10/08, pg. C1].
Bill Gates: "I'm quite worried about the fiscal imbalances that we've got and what that might mean in terms of financial crisis ahead."
Chinese hackers: No site is safe
Video: http://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related