now browsing by tag
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: You get a call and when you look at the phone’s screen to see who it is, the Apple logo, real phone number and real address is displayed. The target in this case didn’t answer the call so a message was left asking her to call a 1-866 number. It probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple. Apple won’t phone you. And for those who use other phones, hang up on anyone who tries to get personal information or passwords.
Hackers somehow have gotten access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists. The information was then published through a Twitter account. At this point no one knows if this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects victims fell for a phishing lure and gave away a password to one of their email or social media accounts. The hacker then went from there. Victims may have also used the same password for different accounts, which also makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site, and, where possible enable two-factor authentication to make sure someone else can’t log into your account. Two factor authentication usually sends a six-digit number to your smart phone that you have to enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications including a game called Flappy Bird, a presumably copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information like user location, text messages, contact lists and device information as well as try to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
View full post on National Cyber Security
Amidst the escalating number of high-profile hacks and cyber attacks, organizations are now embracing various forms of artificial intelligence (AI) – including machine learning technology and neural networks – as a new cyber security defense mechanism. At a time when human skills and competencies appear to be overmatched, the thinking goes, machines have a nearly infinite ability to analyze threats and then respond to them in real-time.
Is machine learning really the silver bullet?
However, putting one’s faith in the ability of machines to defend entire organizations from hacker attacks and other forms of security intrusions ignores one basic fact: cyber security is an arms race, and the same weapons that are available to one side will soon be available to the other side. Put another way, the same machine learning technologies being embraced by the world’s top corporations and data scientists will soon be co-opted or adopted by the world’s top hackers.
Moreover, there is still quite a bit of work to be done before any machine learning cyber defense is fully robust. Right now, machine learning excels at certain tasks, but still needs significant human intervention to excel at others. For example, machines are extremely good at “classification,” which enables them to label and describe different types of hacker attacks. As a result, machines can differentiate between spoofing attacks, phishing attacks and other types of network intrusions.
The idea here is simple: just show a machine many different examples of hacker attacks, and they will eventually learn how to classify them very efficiently. The more raw data and data points you show machines (think of all this data as “training data”), the faster they will learn. In many ways, it is similar to the machine learning techniques used for image recognition tools – show a machine enough photos of a dog, and it will eventually be able to pick out a dog in any photo you show it.
Thus, it’s easy to see an obvious implication for machine learning and cyber security: machines can help security teams isolate the most pressing threats facing an organization and then optimize the defenses for those threats. For example, if an organization is facing a hundred different potential threats, a machine can easily sort and classify all of those threats, enabling humans to focus only on the most mission-critical of these.
The use cases of machine learning in cyber security
One of the most obvious ways to apply machine learning in cyber security involves the creation of stronger spam filters. For many organizations, a constant security threat is the ability of hackers to get inside the organization simply by sending spam emails filled with all kinds of malware. Once an employee clicks on a bad link or opens a bad attachment that makes it past conventional spam filters, it may be possible for malware to spread throughout an organization’s network.
Thus, you can immediately see why adopting machine learning for email security makes so much sense – it can provide a first layer of defense against these spam emails laden with malware. If you frame email as a “classification” problem, then machines can play an important role in sifting out the “good” emails from the “bad” emails. You simply show a machine many, many different examples of “bad” emails as well as many, many different examples of “good” emails, and it will eventually become 99.9% efficient in sorting them out (or so one common myth about machine learning goes).
Another common use case for machine learning in cyber security involves spotting irregular activity within an organization’s network traffic. For example, an unexpected surge of network activity might signal some sort of looming cyber attack (such as a DDOS attack). Or, activity in the accounts of certain employees that is out of the norm might indicate that one or more of these accounts have been compromised. Again, it matters how you frame the problem for machines: organizations must be able to show them what “normal” looks like, so that they will then be able to spot any irregular deviations from the normal state of network affairs.
Machine learning, cyber security and the enterprise
To get cyber security executives thinking more deeply on the matter (without delving too deeply into the complex data science behind machine learning), the technology research firm Gartner has proposed a PPDR model, which corresponds to the various uses of machine learning for cyber security within the enterprise:
In short, with machine learning technology, organizations will be able to predict the occurrence of future attacks, prevent these attacks, detect potential threats, and respond appropriately. With the right machine learning algorithms, say experts, it might be possible to shield even the largest and most vulnerable organizations from cyber attacks. In the big data era, when organizations must grapple with so much data, it’s easy to see why they are turning to machines.
With that in mind, Amazon is leading the way with an application of machine learning for the cloud. At the beginning of 2017, Amazon acquired a machine learning startup, harvest.ai, for just under $20 million. The goal of the acquisition was to be able to use machine learning to search for, find and analyze changes in user behavior, key business systems and apps, in order to stop targeted attacks before any data can be stolen or compromised.
Then, in November 2017, the company’s cloud business, Amazon Web Services (AWS), unveiled a new cyber security offering based on machine learning called Amazon Guard Duty. The allure of the new offering is easy to grasp: companies with a lot of data in the cloud are especially vulnerable to hackers, and they are easy “sells” for any company that is able to promise that their cloud offerings will be safe from attack. Already, big-name companies like GE and Netflix have signed on as customers of Amazon’s new machine learning-based offering.
Clearly, there is a tremendous amount of potential for machine learning and cyber security within the enterprise. Some industry experts have estimated that, in the period from 2015-2020, companies will spend a combined $655 billion on cyber security. Other estimates have been even more aggressive, suggesting that the total could be closer to $1 trillion.
If companies are spending so much money on cyber security, though, they will want to be certain that new solutions featuring machine learning actually work. In order for machine learning to live up to the hype, it will need to offer a fully robust security solution that covers every potential vulnerability for a company – including the network itself, all endpoints (including all mobile devices), all applications and all users. That’s a tough order to fill, but plenty of organizations are now betting that machines will be up to the task.
The post Does #Cyber Security Really Need #Machine Learning #Technology? appeared first on National Cyber Security .
View full post on National Cyber Security
The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.
A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.
It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.
Though the exercise was conducted in a simulated coal plant, not a nuclear one, the tactile nature of the demonstration — the act of donning rubber boots to fix the flooding — drove home the potential physical consequence of a cyberattack on critical infrastructure. “The next step for them is to go back home and train in their real environment,” Erik Biverot, a former lieutenant colonel in the Swedish army who planned the event, told The Verge.
The drill, which took place this past October at a research facility 110 miles southwest of Stockholm, was the most technically sophisticated cyber exercise in which the UN’s nuclear watchdog — the International Atomic Energy Agency (IAEA) — has participated.
Security experts say more of these hands-on demonstrations are needed to get an industry traditionally focused on physical protection to think more creatively about growing cyber threats. The extent to which their advice is heeded will determine how prepared nuclear facilities are for the next attack.
“Unless we start to think more creatively, more inclusively, and have cross-functional thinking going into this, we’re going to stay with a very old-fashioned [security] model which I think is potentially vulnerable,” said Roger Howsley, executive director of the World Institute for Nuclear Security (WINS).
The stakes are high for this multibillion-dollar sector: a cyberattack combined with a physical one could, in theory, lead to the release of radiation or the theft of fissile material. However remote the possibility, the nuclear industry doesn’t have the luxury of banking on probabilities. And even a minor attack on a plant’s IT systems could further erode public confidence in nuclear power. It is this cruelly small room for error that motivates some in the industry to imagine what, until fairly recently, was unimaginable.
The Nuclear Threat Initiative, a Washington-based nonprofit co-founded by Ted Turner, has tallied about two-dozen cyber incidents since 1990, at least 11 of which were malicious. Those include a December 2014 attack in which suspected North Korean hackers stole blueprints for South Korean nuclear reactors and estimates of radiation exposure to local residents. The affected power company, which provides 30 percent of the country’s electricity, responded by carrying out cyber drills at plants around the country.
In another attack, hackers posing as a Japanese university student sent malicious emails to researchers at the University of Toyama Hydrogen Isotope Research Center, one of the world’s top research sites on the radioactive isotope that makes a hydrogen bomb. From November 2015 to June 2016, the hackers stole over 59,000 files, according to media reports, including research on the ill-fated Fukushima nuclear plant.
Any list of cyber incidents in the nuclear sector, however, is very likely incomplete. The US Nuclear Regulatory Commission, for example, only requires operators to report to the commission cyber incidents that affect the safety, security functions, or emergency preparedness of the plant, excluding potentially significant attacks on IT systems. It is, in general, extremely difficult for a hacker to breach a plant’s inner control systems implicated in the former category, but not nearly as challenging to penetrate the non-critical IT networks included in the latter.
“We are absolutely undercounting [the number of non-safety-related incidents] and we’re not looking so we can’t pretend that our count is accurate,” said Robert M. Lee, a former Air Force cyber officer and founder of Dragos, a firm specializing in industrial control systems (ICS) cybersecurity. By probing their networks for more of these lower-level threats, nuclear operators can bolster their security, he added.
Regulatory requirements have strengthened US nuclear plants’ cybersecurity, and most plants were built decades ago on analog systems that are shielded from direct internet-based attacks. But the growing digitization of the industry is opening up new potential vectors for hackers.
One of the first known cyber incidents at a nuclear plant took place in 1992 when rogue programmer Oleg Savchuk deliberately infected the computer system of a plant in Lithuania with a virus. Savchuk was arrested and became a precautionary footnote in the history of nuclear security. It would take a set of much more seismic events to illuminate the danger of cyber threats to nuclear operators.
In March 2007, with US energy regulators looking on, engineers at the Idaho National Lab showed how 21 lines of computer code could cripple a huge generator, as journalist Kim Zetter writes in her book. It was only through this jaw-dropping experiment, known as Aurora, that some energy industry officials came to accept that digital tools are capable of physical destruction.
Before Aurora, “there were many people who simply denied the concept that any kind of physical damage could be caused or triggered by a cyber event,” Marty Edwards, an ICS expert who helped design the experiment, told The Verge. Two years later, the destructive potential shown in Aurora became a reality. The famed Stuxnet attack injected a formidable computer worm into Iran’s Natanz enrichment facility in 2009, destroying about 1,000 centrifuges. The United States and Israel are suspected of being behind the attack, which used a USB drive to deliver malware to “air gapped” systems, or those with no direct or indirect connections to the internet. In doing so, the attackers refuted the notion that such a system was immune to hacking.
Stuxnet’s creators used four “zero-days,” or previously unknown software exploits, whereas most big cyberattacks use one at most. The attackers managed the improbable feat of breaching and manipulating a nuclear facility’s heavily protected industrial controls. In doing so, they changed the cybersecurity conversation in the nuclear industry, prompting new regulations and more investments in defenses.
As instructive as Stuxnet was, nuclear officials can only learn so much from one attack and, because successful attacks are rare, there is a small pool of data from which to learn. For some, the answer is to create your own attacks in a controlled environment.
The exercise conducted this past October took advantage of the high-tech environment provided by Sweden’s Defense Research Agency. Officials from the IAEA and at least 20 of its member countries, including the US and China, watched on TV screens as offensive and defensive cyber teams did battle. The defenders grappled with everything from straightforward denial-of-service attacks to the more insidious scenario of a contractor’s laptop exposing a facility to malware.
In one instance, they used an actual Siemens programmable logic controller. In another, they modeled one of the exercise’s attacks on the 2015 hack of the Ukrainian power grid, one of the biggest energy-sector attacks since Stuxnet.
The Swedes meticulously documented what amounted to a scientific experiment. Audio and video captured participants’ every move and may be later analyzed by a research team. The biggest early takeaway from the experiment, however, was decidedly low-tech: participants had to trust each other to navigate a stressful environment.
The IT specialists who participated normally work individually rather than as a team to handle cyber incidents, according to Biverot. For each participant, knowing that “I can give this guy a call if I’m in trouble” would be invaluable during a security incident, he told The Verge.
Security experts say there is no substitute for putting an organization’s cyber teams under the gun in an intense, credible scenario. “It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life,” said Dennis Granåsen, a senior scientist at the Defense Research Agency. “If you don’t do that, it’s very easy to just think of these exercises as a game where you need to perform and get a good score and that’s it.”
The less that exercises seem like a game to participants, the better prepared they’ll be for the real thing. The challenge, however, is that exercises as technically rigorous as the Swedish one have not been the norm across the global nuclear sector. They can be expensive, take many months to plan, and may require bringing in outside cyber expertise to drill plant personnel. Exercise programs are growing in maturity and are including more red-teaming, but experts say more work is needed.
Without outside help, many operators will struggle to keep pace with cyber threats, according to Roger Brunt, a former top official at the UK’s Office for Nuclear Regulation. For that reason, Britain’s larger nuclear operators have recently begun hiring security firms to probe their computer networks for vulnerabilities, he said.
While safety and security are paramount at nuclear plants, business considerations also come into play as many plants, including the vast majority of the 61 in the US, are privately owned. The financial and reputational damage that a successful cyberattack could wreak has led some executives to walk through them in advance.
Two weeks before the Swedish exercise, a group of lawyers, insurers, and nuclear executives huddled in central London to consider an alarming scenario: malware had hit a workstation at a nuclear plant, triggering a shutdown of the reactor and a power cut for nearby residents during a dangerous heatwave.
Whereas the Swedish drill was geeks and computer code, the London one was lawyers and the lofty words of judges and defendants.
A fictional power company was on mock trial for decisions its executives had taken leading up to the made-up incident. They had failed to ensure that software on the plant had been updated and that employees were trained in security. Despite an eloquent defense from executives, the judges found the company criminally and civilly liable for the $1.7 billion in economic and other damages incurred by the power cut, and for the 10 people who died in the heat wave.
Howsley said he was surprised at the criminal verdict, thinking the bar for damning security practices would be higher. But that may be where legal norms are headed, given that companies like Uber and Anthem have been sued for allegedly shoddy cybersecurity regimes.
Among nuclear executives, “accountability is going to drive better behavior” on cybersecurity, said Kathryn Rauhut, a lawyer and nonresident fellow at the Stimson Center, which hosted the exercise.
Rauhut said that when drawing up the exercise, she considered several scenarios that might spur strong interest from nuclear executives. Nothing resonates like the threat of a civil or criminal lawsuit for bad security practices. “The CEOs said, ‘Whoa, this is huge. I didn’t know I was liable,’” she told The Verge.
Howsley, a 35-year veteran of the nuclear industry, has seen the industry adapt its safety standards after the 1986 Chernobyl disaster, its security standards after the September 11th attacks, and its cybersecurity standards after Stuxnet. The guessing game of where the next threat might come from can be maddening.
“Someone once said to me, ‘The future is actuarial, history is forensic,’” said Howsley, a cerebral Englishman with a PhD in botany. “If something awful happens at 3 o’clock this afternoon, people will look back and say, ‘How did we allow this to happen?’ But we forget all the things that we worried about and didn’t happen.”
As training in the lab and boardroom continues, hackers in the real world are sharpening their skills. The years since Stuxnet have seen an uptick in advanced hacking operations targeting energy infrastructure. The Ukrainian power grid has been a playground for hackers, some of whom analysts have traced to Russia.
A year after the December 2015 attack, which cut power for 225,000 people, the Ukrainian grid was hit again in what Dragos says was an even more sophisticated operation. “Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” states the firm’s analysis of the attack.
Just last week, energy software giant Schneider Electric acknowledged that hackers had exploited a flaw in its safety system software, known as Triconex, at an industrial plant, causing the plant to shut down. The company has declined to identify the plant. Triconex systems are used at a variety of plants, including oil, gas, and nuclear.
This changing digital landscape is prompting governments and energy companies to get more ambitious in how they drill for attacks. The goal is tighter communication and unalloyed trust between the government and operators of critical infrastructure, the vast majority of which is privately owned in the US.
In the event of a serious cyberattack, nuclear operators would need to have agencies on speed dial to mitigate the damage. In the waning days of the Obama administration, US and British officials tested these lines of communication in an unprecedented exercise they called Ionic Shield.
On a conference call in November 2016, officials at the White House and Downing Street watched as a piece of malware hit the administrative networks of hypothetical nuclear plants in the US and Britain. Participants tested how well they could pass the word of a spreading attack through the chain of command and take corrective action. Communication between the two governments and between government and industry went well, according to Caitlin Durkovich, a former official for the Department of Homeland Security (DHS).
However, Durkovich told The Verge, “I think we walked away with the sense we need to improve how the industry here [in the US] is communicating with the industry there [in Britain], especially as it relates to sharing threat information.”
In June 2017, DHS officials warned the energy industry that hackers had targeted the computer network of the Wolf Creek nuclear facility in Kansas. The threat was limited and did not involve safety or other critical systems, security experts told The Verge, but it served as a reminder that nuclear facilities are still very much in hackers’ crosshairs.
“The threat is not going to go away,” Howsley said. “It will get more subtle.”
Some hackers play the long game, lingering on peripheral networks for months in the hope of gaining a foothold into more critical systems. For network defenders, maintaining urgency in the absence of regular, successful attacks can be difficult. The shock value of events like Aurora and Stuxnet can only last so long as those who study them fall back into their routines. Rigorous exercises based on unnerving scenarios are critical to keeping engineers and cyber specialists on their toes.
The post HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED? appeared first on National Cyber Security .
View full post on National Cyber Security
Mimecast Limited today announced it has acquired cyber security training and awareness platform Ataata The acquisition aims to allow customers to measure cyber risk training effectiveness by converting behavior observations into actionable risk metrics for security professionals.
According to research Mimecast conducted with Vanson Bourne, 90 percent of organizations have seen phishing attacks increase over the last year, yet only 11 percent responded that they continuously train employees on how to spot cyberattacks.
The acquisition of Ataata will offer customers a single, cloud platform that is engineered to mitigate risk and reduce employee security mistakes by calculating employee security risk based on sentiment and behavior, while connecting them with relevant training that is content based on their score and recommended areas for improvement.
“Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn’t work. As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behavior,” said Peter Bauer, chief executive officer and founder of Mimecast.
“According to a 2017 report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020. The powerful combination of Mimecast’s cyber resilience for email capabilities paired with Ataata’s employee training and risk scoring will help customers enhance their cyber resilience efforts.”
The post Mimecast acquires Ataata to improve #cyber #security #training appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Ferris State University – Big Rapids, MI
The IT Cyber Security Manager is responsible for managing the IT Cyber Security Services team, development and implementation of security strategies, coordinating incident response activities, applying best practices and monitoring compliance with IT procedures, University policy and applicable law. The IT Cyber Security Manager will work with leadership and IT Services staff to ensure university devices and data are appropriately protected.
Posting Date 04/13/2018 Initial Application Review Date 04/29/2018 Closing Date Open Until Applicants are Selected, Selected for interview, or Position Filled Yes Special Instructions to Applicants
Required Work Experience
Five years of professional work experience in IT cyber security with a strong working knowledge of operating systems, network utilities, and security software. Knowledge of classified and open source research and data analysis methods and techniques. Knowledge in the collection, analyzing, and dissemination of criminal intelligence information.
Required Licenses and Certifications
Additional Education/Experiences to be Considered
Additional Education/Experiences to be Considered
Preferred: Bachelor’s or Master’s degree in information security or related degree. Previous management and/or project management experience. Experience in hardening server operating systems and servers. CHFI, CEH, Security+, or Network+ certifications.
View full post on National Cyber Security Ventures
The cyber security skills gap has been growing for years, and the problem is particularly bad in the UK. A report by job listings site Indeed found that the UK has the second largest demand for skilled IT professionals in the world. But what effect is this having on organisations, and how can it be mitigated?
The most obvious effect is that it’s increasing the workload of existing staff. In many cases, employees’ time and resources are spread so thinly that the quality of the work suffers. Employees often say that they spend too much time on incident response and not enough on planning ways to prevent incidents from recurring and to mitigate the risk of serious incidents.
Organisations that know that they are understaffed are often forced to hire people who lack the necessary skills and experience. Although these new recruits can help with routine work, senior staff will need to provide on-the-job training, which prevents them performing their own tasks.
All of this means that organisations are unprepared for major security incidents, which could cause substantial damage and affect business operations.
There’s another problem. The increased demand for cyber security staff has given those with the right skills considerable leverage over employers. Someone with the right skillset could find work practically anywhere, so organisations need to give them a reason to choose them. This typically means generous pay rises, with the average cyber security wage increasing by 10% in 2017.
Filling the skills gap
Commenting on Indeed’s report, Mariano Mamertino, economist for Europe, the Middle East and Africa at the organisation, said: “The problem is fast approaching crisis point and British businesses will inevitably be put at risk if they can’t find the expertise they need to mitigate the threat.
“This should serve as a wake-up call to Britain’s tech sector – it must pull together to […] attract more people into cyber security roles.”
However, some cyber security experts believe the skills shortage is a “myth”. They argue that there are plenty of people with the skills to work in the field, but because we treat cyber security as a standalone discipline, rather than placing it under the much wider umbrella of IT, many people don’t consider it a career they are equipped to pursue.
Some organisations have begun to address this. A 2017 survey by (ISC)2 found that hiring managers were exploring new recruitment strategies and attempting to entice previously unqualified people.
The report states: “Individuals with non-technical previous careers often rise to become key decision makers in their organizations: globally, 33% of executives and C-Suite professionals began in a previous non-technical career.”
It adds: “It will be important, if not essential, to consider the relevant educational foundations, training and professional development opportunities that support the breadth of people with potential to enter the field in order to fill the worker shortage.”
If you’re interested in a career in cyber security, you’ll need to demonstrate your knowledge by way of professional qualifications. Cyber security is a complex, multidisciplinary field and has careers to suit any number of skills, so it’s worth taking some time to research which specialties are right for you.
For example, if you’re interested in the way you can use hacking skills for good, you might want enrol on our Certified Ethical Hacker (CEH) Training Course. An ethical hacker is someone that an organisation hires to look for vulnerabilities in its systems or applications, allowing it to address problems before they are exploited.
The Certified Ethical Hacker (CEH) certification is globally recognised as the vendor-neutral qualification of choice for developing a senior career in penetration testing and digital forensics. Our course is led by an information security consultant with over ten years’ experience.
You might also be interested in our Managing Cyber Security Risk Training Course. This three-day course helps practitioners formulate plans and strategies for improving cyber risk management in their organisations. It draws on real-life case studies and provides insights that will enable you to create a blueprint for a plan that includes the implementation of technical measures and accounts for the people, processes, governance, leadership and culture in your organisation.
The post Why the #cyber #security #skills #gap is so #damaging appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
General Cybersecurity Conference
July 27 – 28, 2018 | Sao Paulo, Brazil
Cybersecurity Conference Description
Companies around the world face major cyber threats. An astonishing array of malicious interests fall on them, ranging from cases of fraud, theft of personal identity or intellectual property to industrial espionage, service interruption, physical damage, blackmail, among others.
Cyber Security Summit Brazil, a cybersecurity conference in Brazil, will bring together senior professionals (CEO, CIO, CISO, CTO, CRO), government officials, directors, IT managers and analysts, security and technology experts to discuss the challenges of the current threats in cyberspace.
The intent of the Cyber Security Summit 2018 conference – brought to you by CyberEdTalk is to promote a forum among corporate experts, IT and technology managers, software companies, public sector organizations, consultants and research institutes to discuss the great issue of day: How to protect or continue online with corporate systems, communications and information from cyber attackers?
View full post on National Cyber Security Ventures
Cyber security #experts discuss #mitigating #threats, say #universities can #play a key #role in #protecting the #country against a #cyber attack
Former U.S. Director of National Intelligence and Navy Vice Adm. Mike McConnell advocated today for stronger protection of digital data transfers and for universities to play a key role in filling cyber security jobs.
McConnell was among the keynote speakers at the 2018 SEC Academic Conference hosted by Auburn University. The conference, which is ongoing through Tuesday, is focused on the topic of “Cyber Security: A Shared Responsibility” and brings together representatives from the SEC’s 14 member universities along with industry experts in the area of cyber security.
McConnell is encouraging the use of ubiquitous encryption as a solution for stronger data protection.
“As we go to the cloud…ubiquitous encryption of some sort would be used so that if anybody accessed that data, you can’t read it. If you’re moving [the data] from point A to point B, it scrambles so you can’t read it,” he said.
McConnell understands that stronger data security can come at a cost for others, including law enforcement who may need to access data within a device during a criminal investigation.
“What I’m arguing is the greater need for the country is a higher level of [data] security. If that’s the greater need, then some things of lesser need have to be sacrificed. So when I say ubiquitous encryption, that’s what I’m attempting to describe. It is protecting the data that is the very lifeblood of the country,” McConnell said.
McConnell also addressed how academia can help in securing the nation from cyber attacks.
“We have about 300,000 job openings across the United States for which there are no cyber security-skilled people to fill those jobs,” he said. “Universities are debating academically ‘What is cyber security?’ and ‘How do you credit the degrees?’ and ‘How do you get consensus on what it is and what it should do?’”
He urged universities to move more quickly on coming to a consensus so they can get certified and accredited to start producing students who can fill those jobs.
Glenn Gaffney, executive vice president at In-Q-Tel, also spoke to the role higher education institutions can play in cyber security during his keynote address at the conference.
“It is at the university level where we don’t have to take a top-down approach,” Gaffney said, adding that universities can work together, through research and student involvement, to create proactive solutions to cyber security. “This is where the next generation of leaders will be developed. It’s here that these dialogues must begin. This is the opportunity.”
Ray Rothrock, CEO and chairman of RedSeal Inc., was the day’s third speaker, presenting on the topic of “Infrastructure: IoT, Enterprise, Cyber Physical.” Rothrock also held a signing for his new book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”
Attendees at the conference are exploring computer and communication technology; the economic and physical systems that are controlled by technology; and the policies and laws that govern and protect information stored, transmitted and processed with technology.
Students at each SEC member university participated in a Cyber Challenge and presented posters displaying their work in the area of cyber security.
The post Cyber security #experts discuss #mitigating #threats, say #universities can #play a key #role in #protecting the #country against a #cyber attack appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Sarasota, FL (WorkersCompensation.com) – When a claim is initiated in the work comp process, there is personal information that becomes an integral component in ensuring that the claim is handled properly. The personal information is distributed among interested parties such as court officials, lawyers, employers and medical professionals through technological devices. Even with thorough due diligence and treatment from the interested parties involved, personal information can be obtained by sources that should not have access to this important data.
“Anyone can be a target. It is a huge undertaking to protect the integrity of data especially where it has human identifiers such as a social security number, date of birth, medical information,” Judge David Langham said. Langham serves as the deputy Chief Judge of the Florida Office of Judges of Compensation Claims. “Cyber security is a subject that everyone wants to talk about.”
Judge Langham and his colleagues keep a close eye on the marketplace to be informed of any changes to cyber security as well as the rumbling of any potential threat that could harm data collection for workers’ compensation. The office has been collaborating with other judges throughout the United States to increase their awareness of cyber security. “We try to stay ahead and be proactive to maintain proper security protocols,” Judge Langham said.
Since 2017, the Department of Homeland Security (DHS) has been given the task of tracking any potential breach of security both nationally and internationally. It has been reported that more than 1 million people within the United States have fallen victim to a cyber scam. From skimming money from a personal bank account to running up a credit card bill at the local food store, hackers have found a way to invade someone’s personal privacy.
In the case of a work compensation claim, a potential threat can affect the distribution of monetary support for an injured worker. With respect to employers or medical professionals who have access to workers’ compensation data, the DHS encourages these users to be trained on how to protect and maintain critical data. The training is outlined in the DHS-sponsored “Stop.Think.Connect” program.
The program highlights various ways to enhance the security of databases and servers. Some tips from the program include:
Change passwords frequently and do not reuse the same passwords.
Once the information is received by the third party through email or another electronic transmission, the original documentation should be destroyed or deleted.
Wipe clean any digital devices with spyware frequently to get rid of any new viral activity.
Use a specific database or encrypted software to receive or transmit electronic data.
Lawyers that are involved in workers’ compensation claims are trying to keep up with ever-changing facets of cyber security.
“Nothing is uniform. It is a big crossword with so many pieces coming into play, “ Jon Gelman said, a New Jersey-based attorney with a primary focus on workers’compensation.
In a seminar for the New Jersey Institute of Continuing Legal Education, Gelman discussed how the National Institute of Standards and Technology (NIST) has developed a concept how new federal regulations on cyber security will protect everyone involved with workers’ compensation.
“The NIST framework for cyber security is gaining notoriety and is being used by several entities,” Gelman said. For example, the Employment and Health Service Department in Contra Costa County, CA is utilizing the NIST Cyber security framework to provide data protection on their databases.
Despite the current efforts of the federal government to provide cyber security for national and international threats on public and private information, Gelman believes that this is a tip of the iceberg in maintaining the integrity of personal data.
“There is always a potential threat in security. We need to be diligent in protecting personal information,” he said.
View full post on National Cyber Security Ventures
Companies in the UK are being fined by the government for not properly securing their data. Is this a model the U.S. and other countries should adopt?
News broke recently that there would be fines of up to £17m in the UK for companies that have poor or inadequate cyber security measures in place. Specifically, if a company fails to effectively protect themselves from a cyber security attack, they could be subject to a large fine from the government as a “last resort” according to Digital Minister Matt Hancock. The U.K. also placed industry-specific regulations on essential services. Essential services industries such as water, health, energy and transportation are expected to have stronger safeguards against cyber attacks.
Cyber Security Inspections to Take Place
In order to keep companies compliant with cyber security regulations, the UK government will now have regulators inspect cyber security efforts in place. Essential services (think water, healthcare, electricity, transportation, financial) will face more scrutiny than other companies. If a regulator finds a company does not have security safeguards in place, the company will have to come up with a plan for beefing up cyber security. Fines will be brought down on companies that continue to fail at implementing the proper securities.
Cyber Attacks Becoming More Dangerous
The essential services people use every day are being targeted by cyber attacks at an increasingly high rate. This can make for extremely dangerous situations, such as the WannaCry attack that hit several National Health Service (NHS) facilities and impacted several hospitals’ abilities to admit patients. It was later found that this attack could have been prevented with proper cyber security efforts in place. It also means that services people depend on every day — from electricity, to water, to industrial safety systems — could all be at risk.
This makes it clear why the UK government has chosen to regulate cyber security, particularly among companies who provide services they deem essential to the public. It also begs the question as to if the United States should follow suit. U.S. companies have fallen victim to their fair share of cyber attacks. These attacks have disrupted the lives of Americans who depend on the services affected or who are having sensitive information accessed by the attackers.
What Safeguards are Currently in Place?
While it is obviously in a company’s best interest to have cyber security precautions in place rather than cleaning up the mess of an attack afterwards, that doesn’t mean everyone invests as much as they should in cyber security. In the U.S. there are a few federal regulations in place to establish a bare minimum for cyber security in certain essential industries.
HIPAA (1996): HIPPA introduced provisions for data privacy and data security of medical information. All companies and establishments dealing with medical information must have specific cyber security measures in place.
Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act states that financial institutions in the U.S. must share what they do with customer data and information and what protections they have in place to protect customer data. Noncompliance means hefty fines for financial institutions and could lead to customers taking their business elsewhere.
FISMA (2002): FISMA was introduced under the Homeland Security Act as an introduction to improving electronic government services and processes. This act ultimately established guidelines for federal agencies on security standards.
Critics state that these three regulations are good for establishing minimum security, but do not go far enough. Compliance with all of these regulations have not been robust enough to safeguard against advanced cyber attacks in recent years. There have been clear breaches of cyber security measures that have occured in the medical, financial and government sectors over the past years. While some state governments have put additional regulations in place, the general consensus is that individual companies should be responsible for beefing up cyber security as they see fit.
Cyber Security Investments Should be Increased
At the end of the day, U.S. companies will need to make the decisions that are best for their businesses and customers about what level of cyber security protection is necessary. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:
“Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business”.
This year we are expecting a much higher investment in cyber security, so it will be interesting to see if this is enough to hinder government intervention or if additional U.S. government regulation of cyber security becomes necessary.
The post Should #Companies be #Fined for Poor #Cyber Security? appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures