Jan 14 2014

What to Log for Authentication and Access Control

Category: Access Control,Log ManagementDISC @ 10:30 am

Authentication and access control plays a critical role in web application security.  Mostly for logging, all authentication and access control events should be logged which includes but not limited to successes and failures. If  we are logging only the successful events, someone may brute force attack the passwords without any detection or notice. On the contrary, let’s say only failures are logged, a legitimate or valid user may misuse, corrupt, harm or simply abuse the system without any detection. Besides that all other authentication and access control related events (such as account lockout) are important and must be logged.

  • Failed log in
  • Successful log in
  • Account locked /disable
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

Logs should include the resources involved in the web application (IP address, URL, user name, http method, protocol version, etc…) and document the reason why access was denied for the failed event. Some application provides much better logs than others. generally log entries should contain (user ID, timestamp, source IP, Description of the event, error code, priority).

All error conditions should be logged including simple stuff as sql query errors, which can help to detect sql injection attack. Some errors related to the availability of the application are important for early sign to trigger BCP. Availability is one of the main pillar of information security, so it should be logged and monitored. Log error conditions should include but not limited to (failed queries, file not found and cannot open error, unexpected state, connection failure and timeout)

Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management – ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.

Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology: Special Publication 800-92

Security Log Management

 

Tags: Access Control, authentication, Log Analysis, logging, Security, Site Management


Aug 07 2013

vsRisk – The Cyber Security Risk Assessment Tool

Category: ISO 27k,Security Risk AssessmentDISC @ 9:09 am

vsRisk – The Cyber Security Risk Assessment Tool

httpv://www.youtube.com/watch?v=M8acvay4FmU

It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.

There’s just one risk assessment tool that IT Governance recommends; the vsRisk™ v1.7 – the Cybersecurity Risk Assessment Tool.

It’s so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.

5 reasons why vsRisk is the definitive risk assessment tool:

  • This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
  • Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets – as required by ISO27001
  • Gives comprehensive best-practice alignment
  • It’s easy and straight-forward to use
  • Cost-effective route to assessing risks within your business

Download the definite risk assessment tool >>

 

Tags: Information Security, Information Security Management System, ISO/IEC 27001, Policy, Risk Assessment, Risk management, Security, Standards


Jan 04 2013

Controls against industrial Malware

Category: MalwareDISC @ 11:43 pm

Malicious software is called a malware and malware may include viruses, worms and trojans. A virus is a piece of code which is capable of replicating itself and mainly it depends on a host file (a document) to reach its target. However worm does not rely on the host file to reach the target but it does replicate. Main property of Trojan is concealment of code and ultimately used to get control of target system.

Modern day malware Stuxnet can manipulate Programmable Logic Controllers (PLCs) of critical infrastructure. Industrial Control System (ICS), SCADA, and manufactruing insdutry infrastructure is controled by the PLCs. Another malware, named Duqu, Flame by its discoverers, is similar to Stuxnet in many respects. Like modern trojans Duqu communicates with a command and control server in encrypted form which gives you an idea of sophistication to develop this malware. In the past year the discovery of the Stuxnet malware – and subsequently of the Flame, Duqu and most recently Gauss malware – has brought the issue of state-sponsored cyberwarfare into sharp focus in security community which are simply known as modern day (WMD) weapon of mass destruction.

The discovery of these modern day malware caused an uproar among the security community when it was found that these malware had been specifically designed as a highly targeted industrial espionage tool. Perhaps this create a frenzy out there to deveop these kind of tools but that bring out some questions which I’m unable to answer. Is it legal for a state to develop these tools? Is it legal for a state to use these tools in offense? do we have any international charter on the legality of these tools, otherwise Stuxnet, Duqu and Flame may set a wrong legal precedence of what’s good for the goose is good for the gander.

Main sources of malware infection may be USB drive, CD Rom, internet and unaware users but basically malware can install itself on your computer by simply visiting an infected/implanted website (pirated software, web sites with illegal content)

An organization should perform a comprehensive risk assessment on their malware policy to determine if they will accept the risk of adobe attachment and other executable files to pass through their perimeter gateway. Organization may need to consider all the possible sources of malware threats in their risk assessment which may include but not limited to spyware.

Malware Controls:
• High level formal malware policy and procedure. There should be a formal policy and procedure for USB drives if risk assessment determines that USB drive risk is not acceptable to business. Then there is a need to implement a control (policy, procedure, technical or training) or multiple of these controls to mitigate this risk to acceptable level.
• Anti-Virus policy which makes it mandatory to install, and signature file updates should take place on a regular interval (daily)
• Patch policy for all the latest patches, fixes and service packs that are published by the vendors
• Regular audit or review of anti-malware software and data file on the system
• All email attachment, software downloads should be checked for malware at the perimeter and adobe attachment and executable treated based on the risk assessment (drop, pass)
• User awareness training to possible infected email, spyware and infected website
• There should be a business continuity plan to recover from a possible malware attack

Related Books

Malware Titles from DISC InfoSec Store
Anti-Malware Software from DISC Infosec store
Anti-Virus software from DISC InfoSec Store
Anti-Malware Titles from eBay

Free Online Virus Scan

Norton Virus Scan | McAfee Virus Scan | Analyze suspicious files

Tags: anti virus, Malicious Software, Malware, Security, Spyware and Adware, trojan, Trojan Horses, Viruses


Nov 01 2012

10 reasons to ponder before using your smartphone for banking

Category: Smart PhoneDISC @ 11:55 am


 

Mobile Payment Security

01) There is no clear legislation that sets out your rights to receive a refund if your bank account is fraudulently emptied due to mobile bank app insecurity. The burden of proof seems to be on the user to protect their handset, operating system, software, mobile operator infrastructure and everything else in the “chain” of the transaction.

02) Of course you want to be able to use WiFi hotspots, this means you are in most cases operating on an insecure wireless network. It’s so easy for “bad guys” to sniff the air with a free utility and read your details.

03) Most users have not even set up a basic passcode on their devices (smartphones). Therefore if some gets access to the device, they have potentially access to their bank account.

04)  Most app stores do not test the security of apps. It is very easy for the “bad guys” to put Malware in the apps that can steal information from your device or other apps on your phone/device (e.g. banking app). Or it can happen when the app updates.

05) Most Smartphone device users have not installed security software on their device. Therefore they have less security than comparing to a laptop or PC with security software installed.

06) The average Smartphone users does not regularly perform OS (Operating System) updates. Many of these updates are critical security patches.

07) Due to performance issues, many of the lower cost handset manufacturers are disabling security features in order to improve performance of the device.

08) Malware on the Android platform smartphone alone has gone up over 400% in the last year

09) The technology that keeps apps separate on device does not separate them out into private sandboxes. This means that one app can read the details stored in another app without much difficulty.

10) ) If you check the T&C’s (terms and conditions) from  local  banking app and they may  want you to grant permission for the app to know your phone location (GeoIP).

Tags: Android, Geolocation, Malware, Operating system, Personal computer, Security, Smartphone, Wi-Fi


Oct 23 2012

The Rise of Malicious Traffic on Networks and how it Infect

Category: MalwareDISC @ 4:12 pm

 

Malware logo Crystal 128.

Malware logo Crystal 128. (Photo credit: Wikipedia)

Sophisticated malicious attacks can go largely undetected by most antivirus software.  Defense in depth approach requires organizations to monitor for malicious activity, malware (bot traffic) at various levels of the network, perimeter layer, application level and subsequently at critical data level.

How an end user might become infected, the obvious scenario being possibly our less educated users who could potentially be clicking in links in email messages from senders they might not be aware of or people visiting some high-risk sites such as those offering free downloads. The second scenario which is less obvious is where a user may click a link from a known good site which may contain a link to a bad site. The most common situation here is where advertising may have been purchased and site owners may not have been able to perform the due diligence to make sure a reputable company has purchased the ad space. Finally we’ve got our third and scarier scenario where a trusted site has actually been compromised and infected with some kind of malware.

According to Symantec‘s most recent Internet Security Threat Report, Global networks faced more than 286 million cyberthreats in 2010, as attackers employed more sophisticated methods that make malware harder to detect and more difficult to remove. Furthermore, the number of Web-based attacks increased 93% in 2010, and malware writers have been turning their attention to social-networking sites such as Twitter and Facebook, where it’s estimated that 17% of links are connected to malware.

So the malicious activity is on the rise based on the Symantec report, which emphasis the point to monitor and evaluate the harmful traffic into your network.  Malicious activity monitoring also requires an effective incident handling procedures to analyze, evaluate and taking appropriate actions with malicious events at hand.  An incident handling procedures also differentiate the event from incident meaning when an event turn into an incident.

Real time malicious activity monitoring at perimeter will work nicely with ISO 27001 (ISMS) process. It will not only satisfy the auditor need for monitoring and maintaining of certain controls in the standard  but also new threats to the organization will serve as a feed to required risk assessment process which can be evaluated against relevant vulnerabilities.

Below are some of the famous malicious attacks which can be used to breach network:

SQL injection—By analysing the URL syntax of targeted websites, hackers are able to embed instructions to upload malware that gives them remote access to the target servers.

Exploiting system vulnerabilities in another method—In many cases, laptops, desktops, and servers do not have the latest security patches deployed, which creates a gap in the security posture. Gaps or system vulnerabilities can also be created by improper computer or security configurations. Cyber-criminals search for and exploit these weaknesses to gain access to the corporate network and confidential information.

Targeted malwareCybercriminals use spam, email, and instant message communications often disguised to come from known entities to direct users to websites that are compromised with malware. This section includes several different approaches that cybercriminals leverage to infect systems with malicious code.

Tags: anti virus, facebook, Internet security, Malware, Security, Symantec


Oct 11 2012

Make October YOUR Cyber Security Month

Category: cyber security,Information SecurityDISC @ 12:50 pm

 

The US Government has declared this October is the National Cyber Security Awareness Month (NCSAM).

The aim of this campaign is to:
 • Promote cyber security awareness amongst citizens and businesses
 • Educate individuals and businesses through a series of events and initiatives
 • Raise cyber awareness and increase the resilience of the nation in the event of a cyber incident

Cyber security is not just about protecting your critical assets, it can also help improve your internal systems and help you win new business.

 

Make October YOUR Cyber Security Month with these essential reads:

Above the Clouds: Managing Risk in the World of Cloud Computing

Assessing Information Security: Strategies, Tactics, Logic and Framework

IT Governance: An International Guide to Data Security and ISO27001/ISO27002 

21st Century Chinese Cyberwarfare

CISSP All-in-One Exam Guide, 6th Edition

More than 50 InfoSec topics in books available at DISC InfoSec store

Find out more on National Cyber Security Awareness month at Homeland Security's website

DISC online store for recommended InfoSec services/products

 

 

Additional online safety information:

What Teens Shouldn’t Put in Their Social Media Profiles


Child Safety Guide: How to Keep Kids Safe When They're Home Alone


Ways to Check if You’re Visiting a Safe Site


Internet Safety Tips for Seniors


How to Shop Safely Online


Things You Should Never Post Online but Probably Are


11 Photos You Should Never, Ever Post on Social Media

 

Online Safety tips for kids:

Less screen, More Green: Outdoor Safety Tips for Kids

 

The Parents’ Guide to Teaching your Teen Online Safety
 
 

Keeping Kids Safe Outdoors as the World and the Roads Reopen

Tags: Computer security, Federal government of the United States, Homeland Security, National Cyber Security Awareness Month, NCSAM, October, Security, U.S. government


Sep 10 2012

5 Reasons Why Patch Management Is Vital To Your Information Security

Category: Information SecurityDISC @ 10:53 am

Related Patch Management titles

Patching is a critical part of systems administration. I don’t think anyone would argue that. But if your patching regimen consists of turning on Automatic Updates and calling it a day, or staying up until the middle of a Saturday night logging on to each server at a time to apply patches, you are missing the point. Patching is a task; patch management is how to perform that task easily, completely and in a scalable way. Patch management is vital to your information security because it is the only way to be sure you have taken care of all of the patching needs in your environment, and that you can audit and confirm that. Let’s look at some of the reasons why patch management is so important.

1. Patch management is about more than just operating systems
While it’s extremely important to ensure you have patched your operating systems, there are dozens of other applications out there that your users are running, which could be exploited by an infected attachment, a malicious script, and/or a compromised web page. Patch management applications can go beyond a Windows Update, addressing patches for operating systems, Microsoft and other third party applications, web browsers, media players and more. Patch management helps you ensure that no vulnerable apps are on your network.

2. Patch management is the most efficient way to handle both servers and workstations
You could probably manage to patch by hand all of your servers, and there’s a limited number of apps running on them, but trying to patch all your workstations and all the third party apps would be an impossible task without a patch management application to assess all the systems and their software, delivering those critical updates to each and every system that needs it. 100% compliance is the surest way to avoid incidents.

3. Patch management makes testing easy
Patching involves testing, and that’s why so many admins don’t patch regularly. They fear a patch might introduce an incompatibility, and would rather take their chances since they don’t have to time test. Patch management applications make it easy to push a patch to a group of systems for testing, before deploying to the rest of the network.

4. Patch management makes rollbacks easy
Sometimes, a patch needs to be rolled back, and doing that manually is out of the question. You are much more likely to deploy patches fully and on time if you can easily roll back if something turns out to be incompatible with a critical app, and a patch management application can uninstall patches from any or all systems just as easily as it can push them out.

5. Patch management makes reporting easy
One of the scariest things about relying on Automatic Updates is that you have no idea whether or not systems are actually patched, until you check them, one by one. With a patch management application, you can quickly and easily run reports to confirm that critical update for the zero day exploit really did get out to all your servers and workstations, and if one was missed, you can immediately identify and remediate it, before something bad happens.

Patch management is not a silver bullet. It won’t stop users from sharing passwords and it cannot prevent an admin from leaving a default configuration in place, but what it will do is enable you to keep your workstations, servers and critical applications up-to-date, fully patched and as secure as possible from hackers looking to exploit vulnerabilities in the software. That way you can spend more time on training users and verifying configs, and less time running around trying to update Flash for the tenth time this year.

This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution.




Tags: GFI, Patch (computing), Security, Windows Update


Jun 09 2011

Citi credit card security breach discovered

Category: Security BreachDISC @ 10:42 am

Citigroup

Image via Wikipedia

“Citigroup says it has discovered a security breach in which a hacker accessed personal information from hundreds of thousands of accounts.

Citigroup said the breach occurred last month and affected about 200,000 customers.”

“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” said Citigroup, in a prepared statement. “A limited number — roughly 1 percent – of Citi bankcard customers’ accounting information (such as name, account number and contact information including email address) was viewed.”

According to its annual report, Citigroup has about 21 million credit card accounts in North America, where the breach occurred.

The statement went on to say that the customers’ Social Security numbers, dates of birth, card expiration dates and card security codes “were not compromised.”

Well the routine monitoring discovered the Citi Group incident which clearly shows that intrusion was not discovered during the incident but after the incident had happened.
Cyber intrusion cost will increase and depend upon how late the incident was detected. The organizations should change their corporate strategy to more proactive approach where they can maintain, monitor and improve security controls based on the current value of the information asset.

If you’re a Citibank customer, we suggest you take a look at your account and immediately report any irregularities.

Stopping Identity Theft: 10 Easy Steps to Security

http://www.youtube.com/watch?v=KH0zno_6d9M




Tags: Citigroup, Credit card, Customer, Financial Times, Online service provider, PlayStation Network, Security, Social Security number


Jun 02 2011

Google blaming Chinese hackers for security breach

Category: cyber security,CybercrimeDISC @ 10:49 am

Image representing Gmail as depicted in CrunchBase

Image via CrunchBase

For the second time in 17 months, Google is pointing its finger at China for a security breach in one of its systems.

This time, Google says Chinese hackers were responsible for breaking into the personal Gmail accounts of several hundred people _ including those of senior U.S. government officials, military personnel and political activists.

The latest cyber attack isn’t believed to be tied to a more sophisticated one that originated from China in late 2009 and early last year. That intrusion went after some of Google’s trade secrets and triggered a high-profile battle with China’s Communist government over online censorship. (AP, ccg)

This seems pretty intrusive and targeted incident. I’m curious, what is a threshold trigger for declaring a cyber war between two countries. I understand this was not a very prolong incident but these small incidents here and there can certainly achieve some long term objectives for the other side. It is very difficult to prove the correct source of these incidents in the wild west of internet and also there is a lack of international law to pursue these cases as a criminal offense.

Apparently the pentagon recently concluded that computer sabotage can constitute an act of war and justify the use of military force, the wall street journal reported this week.

Well before the use of military force you have to prove beyond reasonable doubt that you are targeting the correct culprit nation. Well if this is the criteria to declare a war against other nation we better buy a good error and omission insurance. In cyber world it hard to prove and easy to spoof, where some groups will be eager to setup an easy victim to justify the use of military force…

Clinton: China hacking charge “Vey Serious

Cyber War: The Next Threat to National Security and What to Do About It




Tags: Activism, china, Chinese language, CrunchBase, Gmail, Google, Jinan, Official, Security


May 06 2011

NSA publish list of recommendations for Keeping Networks Secure

Category: cyber securityDISC @ 10:27 am

National Security Agency seal

Image via Wikipedia

‘Best Practices for Keeping Your Home Network Secure’ is a new guide published by the National Security Agency. This document provides home users directions for keeping their systems secure and protected.

Users are faceing lots of security issues now a days, and trying to apply all the required security measures is complicated due to the fast pace of changes in technology and new vulnerabilities that may leave them open to new attack. Thess controls are industry best practice and mitigate most risks to safeguard your information assets.

The document is divided in 4 parts:
■ Host-Based Recommendations:
■ Network Recommendations:
■ Operational Security (OPSEC)/Internet Behavior Recommendations:
■ Enhanced Protection Recommendations:

To be safe on the internet, use these recommendaions as a best practice to reasonably safeguard your information assets. These best practice information controls may also help you to invest wisely and justify cost on security.


NSA titles for IAM and IEM implementation and certification




Tags: Best practice, Industry Standard Architecture, IPad, Microsoft, National Security Agency, Operating system, Security, United States


Feb 28 2011

Does hacker insurance make your business a bigger liability?

Category: Cyber InsuranceDISC @ 11:44 am

by Davey Winder

It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?

The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.

“We all appreciate the need for car insurance” he told me. “No matter how careful a driver you may think you are. The simple fact is that you never know when a drunken idiot is going to crash into you”.

The argument being, as with all insurance policies, you are paying a premium to cover you for that worst-case scenario should it ever happen. “When it comes to online security,” Mr Insurance assured me, “the chances of the worst-case scenario becoming a reality are increasing day by day, as criminals develop ever more sophisticated methods of hacking your site. To not insure against the risk of being hacked is bad business, and that’s the bottom line”.

“Unlike driving a car, running a secure web business is pretty much about how safe you are, rather than how unsafe other people are”

To read the reamining article …..

How to manage the gaps of Cyber Insurance




Tags: hacker, Hacking, Insurance, Security, Small business


Jan 06 2011

Security 2020: Reduce Security Risks This Decade

Category: Information SecurityDISC @ 10:59 am

 

Security 2020: Reduce Security Risks This Decade

Identify real security risks and skip the hype. After years of focusing on IT security, we find that hackers are as active and effective as ever. This book gives application developers, networking and security professionals, those that create standards, and CIOs a straightforward look at the reality of today’s IT security and a sobering forecast of what to expect in the next decade. It debunks the media hype and unnecessary concerns while focusing on the knowledge you need to combat and prioritize the actual risks of today and beyond.

IT security needs are constantly evolving; this guide examines what history has taught us and predicts future concerns
Points out the differences between artificial concerns and solutions and the very real threats to new technology, with startling real-world scenarios
Provides knowledge needed to cope with emerging dangers and offers opinions and input from more than 20 noteworthy CIOs and business executives
Gives you insight to not only what these industry experts believe, but also what over 20 of their peers believe and predict as well

With a foreword by security expert Bruce Schneier, Security 2020: Reduce Security Risks This Decade supplies a roadmap to real IT security for the coming decade and beyond.

Order this book for advice on how to reduce IT security risks on emerging threats to your business in coming years. Security 2020: Reduce Security Risks This Decade

From the Back Cover
Learn what’s real, what’s hype, and what you can do about it
For decades, security experts and their IT peers have battled the black hats. Yet the threats are as prolific as ever and more sophisticated. Compliance requirements are evolving rapidly and globalization is creating new technology pressures. Risk mitigation is paramount. What lies ahead?

Doug Howard and Kevin Prince draw upon their vast experience of providing security services to many Fortune-ranked companies, as well as small and medium businesses. Along with their panel of security expert contributors, they offer real-world experience that provides a perspective on security past, present, and future. Some risk scenarios may surprise you. Some may embody fears you have already considered. But all will help you make tomorrow’s IT world a little more secure than today’s.

Over 50 industry experts weigh in with their thoughts

Review the history of security breaches

Explore likely future threats, including social networking concerns and doppelganger attacks

Understand the threat to Unified Communication and Collaboration (UCC) technologies

Consider the impact of an attack on the global financial system

Look at the expected evolution of intrusion detection systems, network access control, and related safeguards

Learn to combat the risks inherent in mobile devices and cloud computing

Study 11 chilling and highly possible scenarios that might happen in the future




Tags: Bruce Schneier, Computer security, Consultants, Doug Howard, Intrusion detection system, Kevin Prince, Security, United States


Jan 03 2011

New virus threatens phones using Android

Category: MalwareDISC @ 5:39 pm
it's real :)
Image via Wikipedia

Mobile Malware Attacks and Defense

WASHINGTON (AFP) – A virus infecting mobile phones using Google’s Android operating system has emerged in China that can allow a hacker to gain access to personal data, US security experts said.

A report this week from Lookout Mobile Security said the new Trojan affecting Android devices has been dubbed “Geinimi” and “can compromise a significant amount of personal data on a user?s phone and send it to remote servers.”

The firm called the virus “the most sophisticated Android malware we’ve seen to date.”

“Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone,” Lookout said.

“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities.”

The motive for the virus was not clear, accoring the Lookout, which added that this could be used for anything from “a malicious ad-network to an attempt to create an Android botnet.”

But the company said the only users likely to be affected are those downloading Android apps from China.

The infected apps included repackaged versions sold in China of Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

“It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected,” the security firm said.

Mobile Malware Attacks and Defense




Tags: Android, china, Google, Malware, mobile phone, Security, Servers, Trojan horse


Oct 20 2010

Incidence Of Cybertheft Surpasses Incidence Of Physical Theft

Category: cyber securityDISC @ 1:17 pm
私は No Click!
Image by mie_journal via Flickr

Fraud-related losses rose 20 percent to $1.7 billion in the past year, Kroll study says

Incidence of theft of information and electronic data at global companies has overtaken physical theft for the first time, according to a study released yesterday.

According to the latest edition of the Kroll Annual Global Fraud Report, the amount lost by businesses to fraud rose from $1.4 million to $1.7 million per $1 billion of sales in the past 12 months — an increase of more than 20 percent.

The findings are the result of a study commissioned by Kroll and conducted by the Economist Intelligence Unit, which surveyed more than 800 senior executives worldwide.

To read more: Incidence Of Cybertheft Surpasses Incidence Of Physical Theft




Tags: Computer crime, crime, Economist Intelligence Unit, fraud, Identity Theft, Security, Theft, United States


Sep 21 2010

ArcSight offers $49.00 entry-level audit logging package

Category: Security ComplianceDISC @ 9:25 am
Image representing ArcSight as depicted in Cru...
Image via CrunchBase

Security Log Management: Identifying Patterns in the Chaos

Arcsight offer $49 entry level logging solution – a monumental change from the SIEM vendors, since they were trouncing their clients at price of 200K and up.

Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.

For more detail on the article: ArcSight offers $49.00 entry-level audit logging package




Tags: ArcSight, Consultants, General and Freelance, Identityview 2.0, Logger 5.0, Security, Security event manager


Sep 09 2010

DHS Cyber security Watchdogs Miss Hundreds of Vulnerabilities on Their Own Network

Category: cyber securityDISC @ 8:36 am
Seal of the United States Department of Homela...
Image via Wikipedia

By Kevin Poulsen @wired.com

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of “physician, heal thyself,” the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities.”




Tags: Adobe Acrobat, Computer security, Intrusion detection system, Microsoft, National Cyber Security Division, Security, United States, United States Computer Emergency Readiness Team


Jul 05 2010

Risky business

Category: hipaaDISC @ 11:02 pm
Information Security Wordle: NIST HIPAA Securi...
Image by purpleslog via Flickr

By Mary Mosquera

Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.

Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.

Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.

OCR-draft-guidelines-for-security-risk-analysis

“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.

One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.

OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.

“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”

In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.

“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.

“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”

NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.

For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.

Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.

The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.

System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.

“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.

Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”

Related articles

hitech-act-increases-hipaa-security-requirements

healthcare-organizations-may-not-be-prepared-for-hitech-and-other-security-challenges




Tags: arra and hitech, Civil and political rights, Computer security, Consultants, Electronic health record, General and Freelance, hipaa security, hitech, National Institute of Standards and Technology, Risk management, Security


Jun 30 2010

Security glitch exposes WellPoint data again

Category: hipaa,pci dss,Security BreachDISC @ 11:53 am
WellPoint
Image via Wikipedia

By Tom Murphy

INDIANAPOLIS – WellPoint Inc. has notified 470,000 individual insurance customers that medical records, credit card numbers and other sensitive information may have been exposed in the latest security breach of the health insurer’s records.

The Indianapolis company said the problem stemmed from an online program customers can use to track the progress of their application for coverage. It was fixed in March.

Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer’s application tracker last October and told the insurer all security measures were back in place.

But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a Web site and password to track their applications.

WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.

“Within 12 hours of knowing the problem existed, we fixed it,” said Sanders, who declined to identify the outside vendor.

WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.

Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.

About 356 million records of U.S. residents have been compromised or exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, a consumer advocacy group that tracks such reports.

WellPoint’s security breach doesn’t crack the top 10 in terms of number of people who may have had information exposed, said Paul Stephens, the organization’s director of policy and advocacy. Even so, he labeled the breach “very serious” because it possibly involved both financial and medical information.

“There are obviously multiple concerns there for consumers,” he said.

Two years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

WellPoint’s latest breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance. Sanders said the company believes a “vast majority” of the unauthorized access of customer information came from the plaintiff and her attorneys.

The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.

WellPoint shares fell 69 cents to $50.10 in Tuesday afternoon trading, while broader trading indexes slid more than 2 percent.




Tags: Anthem (insurance), Blue Cross and Blue Shield Association, Business, Insurance, Privacy Rights Clearinghouse, Security, WellPoint


Jun 08 2010

U.S cybersecurity policies update

Category: Information Warfare,Security Risk AssessmentDISC @ 12:47 am

Breakdown of political party representation in...
Image via Wikipedia

By Greg Masters

The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.

The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.

The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.

“The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,” Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. “These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.”

The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.

The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.

A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.

Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.

Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.

The amendment also calls for developing policies to be used in the purchasing of technology products and services.

A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee

The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.




Tags: Diane Watson, Federal government of the United States, Federal Information Security Management Act of 2002, FISMA, Information Security, Security, Senate, United States


Jun 01 2010

The Smart Grid needs to get smart about security

Category: Information Security,Information WarfareDISC @ 6:17 pm

A terminus of the Nelson River HVDC system, no...
Image via Wikipedia

by Larry Karisny
While following the Connectivity Show in Santa Clara California, I thought I should follow-up on the at Greentech Media’s annual Smart Grid conference in Palm Springs last week. I wanted to focus this article on Smart Grid security so I thought I should find some clear explanation of where we are now and then add my thoughts on where we need to be in smart grid security. To get an indication of where we are I couldn’t pass up this simultaneously humorous and cautionary anecdote opening panel discussion from Smart Grid security guru, Massoud Amin of University of Minnesota, drawn from his most recent whitepaper:

Now with all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand alone power facilities and substations connected with point to point microwave communication links (many times upgraded to their own dark fiber point to points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on your own island with your own power and communications grid and every thing was just fine. Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers’ homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs begin learning this who knew an complex smart grid system (See: Inside PGE’s Smart Grid Lab Chris Knudsen, director of the technology innovation center at PG&E, shows us what they’re tinkering with).

It didn’t take long for problem to occur. Again, you need to understand that even smart meters were just dusted off 20 year old designs that were lying around waiting for someone to push the power companies into the 21 century. These designs were never meant to securely send a store data real time. It wasn’t long before serious security issues were found and were reported by respected security form like InGuardian and IOactive. And we are not talking about someone hacking you PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco . So now with little knowledge of the Internet and security the power companies have billions of dollars of grant in hand with one big problem. The grants mandate an iron clad security platform.

To add to the smart grid security problems some people think the power grid is the main target in the new battle in cyber wars.

Richard Clarke, the former anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent NewsWeek article Clarke was quoted as saying, “I think the average American would understand it if they suddenly had no electricity.

The U.S. government, [National Security Administration], and military have tried to access the power grid’s control systems from the public Internet. They’ve been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That’s the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures.”

So what can we do to secure the grid now while upgrading it to smart grid capabilities?

Ed Smith, CEO of WirelessWall has one word, “Attack.” Having a military background he understands that you begin an attack by crippling an enemy’s communication and critical infrastructure. His civilian background has a long history of Situational Crisis Management, using Rapid Response Teams to facilitate the successful conclusion to crisis situations. Armed with security that exceeds the DoD 8100.2 (DoD Directive on wireless security) and FIPS 140-2 End-to-End Security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.

“People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons. That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives.”

“We can’t afford not to put good enough security in our power grids. My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the Smart Power Grid protection has to be implemented now.”

“If you are a Smart Grid Integrator offering a solution, someone that has been breached, or better yet, don’t want to be breached, you have to be proactive. Where are the power companies? What are they waiting for? PG&E, Duke Power, Florida Power and Light, Progress Energy, Sacramento Municipal Utility District (SMUD), we are right here in Silicon Valley California, WirelessWall can even be installed remotely and proven in a matter of hours so there is really no excuse for not putting this in their labs and testing it. After about 10 years of real-life military testing and the only wireless protection allowed by the DoE to secure nuclear sensors for the last 6 years, there is not a lab test that can come close to disputing the protection capabilities of WirelessWall. It is a time and situation proven solution and our Rapid Response Team approach is designed to install protection immediately”.

Like the old David and Goliath story, the power companies need to start embracing smaller company expertise and leverage their learning curve. Like the security story of WirelessWall, the expertise of how to build these wireless network platforms resides in the companies that have had their products tested in real world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name of few, they were the trail blazers that learned along the way and can now bringing tested wireless network expertise to the smart grid. With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that and are ready to support a secure a wireless smart grid network with their tested solutions.

SP AusNet selects GE for world’s first 4G communications smart grid solution, delivering revolutionary security and reliability benefits.(CONTRACTS): An article from: Home Networks




Tags: Business, Electrical grid, Federal government of the United States, Sacramento Municipal Utility District, San Francisco, Security, Smart Grid, United States


Next Page »