Industry


#nationalcybersecuritymonth | 7 Ways Industry is Supporting National Cybersecurity Awareness Month

Source: National Cyber Security – Produced By Gregory Evans

We are headed into the final stretch of the 16th annual National Cybersecurity Awareness Month (NCSAM). The annual initiative is co-led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).

As the name suggests, it’s aimed at raising awareness around cybersecurity. Those that work in the space know we’ve all become more reliant on networks and cybercrime has proliferated – and the initiative is a way to spread the word about things everyone can collectively do to improve security. But spreading the word is a big challenge, so NCSAM is designed to be a public-private partnership.

Or, in the words of the official kickoff announcement:

“…a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the nation against cyber threats.”

That got us thinking: what are some of the ways the private sector is supporting NCSAM this year? Below are a few ways we found the industry is helping to build awareness.

1) Champions of NCSAM.

A “champion” is a simple and voluntary pledge an organization can make on the official website for NCSAM – StaySafeOnline.org. The pledge asks applicants how they will participate and how many people the applying organization thinks it will reach. Afterward, the NCSA asks participants to, “please collect and report to us any metrics you collect as a result of your NCSAM initiatives.”

Here is the list of the growing ranks of companies, nonprofits, schools and other organizations that have publicly signed onto the program.

2) Full-day workshops for employees.

Tech analyst Cynthia Brumfield cites a CISA representative for her story in CSO Online describing activities by “an unnamed science and research company in Bethesda.” The CISO at that organization held an all-day workshop complete with “expert speakers to educate employees on what they need to do to protect the information and data the company is building through its research efforts.”

It’s a pretty big deal for any organization to pause work for a full day and encourage employees to attend training like this, but they weren’t alone, according to Ms. Brumfield’s reporting:

“Another big corporation, a retail giant that CISA requested remain anonymous, is holding a host of internal activities for their employees throughout the month, training and educating workers at every level, starting at headquarters all the way down to individual stores.”

3) Customer tips for safely banking online.

First Bank & Trust Company, a regional financial services company in Virginia, published a list of security tips consumers should follow in online banking. The list includes current best practices such as monitoring your accounts, being wary of emails from people you don’t know, and enabling two-factor authentication (2FA), among many others.

Notably, it also highlights a recurring issue in financial scams driven by events such as disasters:

“Con artists take advantage of people after catastrophic events by claiming to be from legitimate charitable organizations when, in fact, they are attempting to steal money or valuable personal information.”

4) Hollywood-style, micro-learning videos.

Corporate training isn’t always fun, engaging or memorable, and therefore it’s not effective. That’s the thesis behind NINJIO, which makes “Hollywood-style, micro-learning videos.” These are basically short videos with important learning points about cybersecurity. However, the company goes one step further – the lessons in the video are “ripped from the headlines” meaning the videos are modeled after real security events.

In support of NCSAM this year, the company offered “organizations, employees, and families free access to a selection of their award-winning library of animated video content until the end of October 2019.”

The videos focus on three areas including:

  • email compromise and wire fraud;
  • social media engineering; and
  • spear phishing.

For example, one of the videos being offered is described as follows:

“Business Email Compromise and Real Estate Wire Fraud

NINJIO Season 2, Episode 2: ‘Homeless Homebuyer’ was inspired by the many wire fraud incidents that happen every day. In this episode, NINJIO educates learners about using verbal authorizations on any transfer of funds.”

If you are wondering, the company does have some real professional entertainment cachet, as the videos are “developed and co-produced by Hollywood writer and producer Bill Haynes, best known for CSI: NY and Hawaii Five-O.”

NINJIO has had about 50 companies, ranging from small and mid-sized businesses to mid-market enterprises, sign up in response to the company’s contribution to NCSAM this month, said Matt G. Lindley, the CISO for NINJIO, in an email exchange with Bricata.

5) Networking and panel event.

Women in Security and Privacy (WISP) teamed up with Dropbox to organize a local San Francisco networking and panel event:

“We will be featuring three amazing lightning round speakers who will cover this year’s themes of ‘Own IT. Secure IT. Protect IT.’ Attendees will be introduced to the latest tech advances used to ramp up security for their personal lives and learn tips to bring to the office.”

This struck us as a very simple and effective way to support NCSAM and it can be easily replicated. As this post is being published, there’s still time to register and attend the event if you live or work in the Golden Gate City.

6) Free online training for non-technical personnel.

Several training-oriented organizations are offering free training and resources for the month. For example, KnowBe4 has an NCSAM resource kit and Global Knowledge has compiled videos, articles, white papers and primers into a cybersecurity awareness resource page.

Separately, Inspired eLearning has put together an impressive weekly curriculum with a variety of free resources – posters, webinars, videos and more. Here’s the outline they are offering:

  • Week 1: Email Phishing
  • Week 2: Alternative Phishing Methods: Vishing, SMiShing, & USB Baiting
  • Week 3: Physical Social Engineering
  • Week 4: Prevention, Protection and Training Best Practices

7) Free online training for your security pros.

The Infosec Institute provides a variety of online training courses aimed at security and IT professionals. Typically, the Institute offers a 7-day free trial, but it has extended that to 30 days in support of NCSAM. Access is unlimited and includes more than 400 on-demand courses the organization offers and 50 skill and certification learning paths such as the CISSP and CCSP.

Finishing Strong and Planning for Next Year

As of today, there’s a little more than a week left for NCSAM, which offers some time to get on board with the initiative for this year – if you haven’t already. Likewise, we hope this list will give you a creative jumpstart on planning for it next year.

As Forrester Principal Analyst Jinan Budge wrote in a post titled, What CISOs Need To Do To Maximize Cybersecurity Awareness Month, “Plan for it as you would for any other security project…stay on top of planning and start organizing your Cybersecurity Awareness Month campaigns well in advance.”


*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/cybersecurity-awareness-month-industry/


#cybersecurity | More women needed in cyber security to meet high industry demand: Sim Ann, Singapore News & Top Stories

Source: National Cyber Security – Produced By Gregory Evans

SINGAPORE – The Republic needs more women to take up positions in cyber security, a sector that is facing a shortfall of talent.

On Thursday (Oct 3), Senior Minister of State for Communications and Information Sim Ann said more women can be encouraged to join the cyber-security industry and thrive in it.

“Given the high demand for cyber security talent, it would be a pity to draw from only half the population,” she said, noting that estimates of the proportion of women in cyber security globally range from as low as 10 per cent to about 25 per cent.

“Effective strategies to tackle cyber security… must integrate the perspectives of all people – both men and women – so that the technologies deployed and the process implemented are practical and inclusive.”

In her opening address to audience members at the Women in Cyber event during the Singapore International Cyber Week (SICW), Ms Sim outlined three ways to get more women to join the cyber-security industry and thrive in it.

First, by engaging young people to raise awareness of the opportunities in cyber security. She said this is important as people often make career choices early in life.

One such initiative is the Singapore Cyber Youth Programme, which reaches out to secondary school-level students for boot camps and career mentoring sessions.

The other two ways are for women to constantly update and deepen their skills to take advantage of emerging trends in a fast-paced sector, and to have a strong community network, she added.

“Women support networks shed light on women role models who can inspire young aspiring professionals. They also serve as a comfortable launch pad for women to plug into broader industry and community networks,” Ms Sim said.

Ms Sim’s call for more women to join the industry follows a warning by the Cyber Security Agency of Singapore (CSA) in July that the industry potentially faces a shortage of up to 3,400 professionals by 2020.

Ms Alina Tan, 26, was among the many female cyber-security professionals in the audience for the Women in Cyber event.

Combining her twin interests in cyber security and car modifications led Ms Tan to specialise in automotive cyber security.

She started working in the Land Transport Authority’s Cyber Division last month, after spending about two years in cyber-security consulting.

“What I enjoy most about working in cyber security is that I’m always learning something new,” said Ms Tan, who in her free time organises weekly meet-ups for like-minded individuals in the local community to conduct their own research in car cyber security.

“I get a sense of satisfaction from discovering vulnerabilities in a system and then finding ways to secure it. You never know what you’re going to find in there and that’s very interesting for me.”

Held at Suntec City and Convention Centre from Oct 1 to Oct 3, SICW 2019 is the fourth edition of the annual event organised by CSA.


Cybersecurity industry veteran Chris Sullivan appointed Nymi CEO

Source: National Cyber Security – Produced By Gregory Evans

Toronto-based biometric security company Nymi announced today the appointment of Chris Sullivan as its new Chief Executive Officer. Nymi is a venture-funded private company whose investors include Relay Ventures, GII Tech Ventures, Mastercard, Konica Minolta, and Export Development Canada. Sullivan’s appointment is regarded as a key addition in the next phase of the company.

Sullivan is a business-minded executive with experience working with Fortune 100, 500, and 1000 companies at the CISO and CIO level, bringing a new level of expertise to Nymi. He has served in leadership roles as founder and general manager, president, international standards chair, board advisor, partner and CTO. Outside of Nymi, Sullivan, a Forbes Technology Council Member, will continue his work to advance industry best practices across the public and private sectors with organizations like the Advanced Cyber Security Center, the Natural Technology Security Coalition, the CISO Coalition, and ISACA.

Sullivan takes over from Vijay Parmar, executive chairman at Nymi. Vijay has guided Nymi since early 2018 as the company moved from product development to active deployments at leading pharmaceutical companies to deliver data integrity and security, allowing highly regulated industries to achieve compliance securely and efficiently.

“Nymi has established itself as the leader in authentication within pharmaceutical manufacturing,” explains Parmar, who is also a partner at GII Tech Ventures. “Chris brings a wealth of security and operational expertise that will help Nymi step into its next phase of growth. With his leadership, Nymi is ready to start to expand beyond pharma into industrial and general enterprise use.”

Nymi recently announced a strategic partnership with Rockwell Automation’s ThinManager to ensure safety and security in factories through continuous user authentication for their customers.


Here Are The #Clever Means #Russia Used To #Hack The #Energy #Industry

Last July, officials from the Federal Bureau of Investigation and the Department of Homeland Security revealed that Russian hackers were behind cyber intrusions into the U.S. energy power grid. The intrusion illustrated the severe threat that hackers pose to our most critical industries – energy, finance, healthcare, manufacturing and transportation.

The DHS and FBI downplayed the danger in a joint statement: “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

But that might not be the end of it. Russia may be laying the groundwork for more damaging hacks, on America as well as other nations, using new cyber weapons like CrashOverride and BlackEnergy 3.

In 2015, Russia tested these tools on the Ukrainian capital of Kiev. They were specifically developed to disrupt electric power grids, and the attack blacked out 225,000 people in Ukraine.

One might wonder what is Russia’s end game for this kind of attack. To hurt us financially? To show us how vulnerable we are? In preparation for a more sinister attack?

Is it to punish America for anti-Russian policies? The White House expelled 60 Russians from the United States this week, joining western allies in response to Russia’s poisoning of a former Russian spy in Britain with what was a banned chemical weapon.

When DHS and FBI dissected the hackers’ tradecraft, it turned out to be very clever indeed. Mark Orlando, Chief Technology Officer for cyber services at Raytheon, broke down the particulars of why the new world of hacking works so well in America.

One of the attackers’ main strategies is to divide targets into two groups – intended targets which are the energy companies themselves, and staging targets like vendors, suppliers, even trade journals and industry websites.

Instead of going straight to the larger and better-protected targets, like a $60 billion energy company with a cyber security department, the hackers worked their way into the smaller and less secure companies’ networks like those that supply the big ones with smaller equipment. Or the local utilities that are partnered with them. Local regulators may also have good access.

There is even an Electric Utility Industry Sustainable Supply Chain Alliance that many of the large energy companies use.

When the hackers get into those systems, they use that access to gather intelligence and set traps for the larger company.

This targeting of the supply chain partners is brilliant. The manufacturer of natural gas turbines that supply a gas power plant would have great access to the plant’s systems and management, would probably have password access, and would not be questioned very hard.

‘It’s important to raise awareness,’ says Orlando. ‘These details, if taken by themselves, might not seem that impactful. When presented with the entire story, we can see it was part of a larger, sustained campaign, potentially causing a lot of damage.’

This is a long-term strategy that takes patience – just the kind of thing traditional espionage has perfected over the last century.

America seems to be getting the message. A recent survey from Raytheon and Ponemon showed that two-thirds of cyber security executives and chief information security officers in America, Europe and the Middle East believe cyber extortion, such as ransomware and data breaches, will increase in frequency and payout.

The traps themselves are pretty imaginative. Many are based in social media. No one would suspect a cute kitten video of hiding malware, but some do. And if your co-worker is a kitten-nut, they may not hesitate to download that video without thinking that it is a trap.

‘The weakness in cybersecurity are the users themselves, those that are not necessarily computer-savvy,’ says Quinn Mockler, a young cyber security researcher at Columbia Basin College in the Tri-Cities Washington near the Hanford Nuclear Reservation. ‘People overall need better awareness of cyber security. Otherwise, we will be open to constant attack.’

In one example discussed by Orlando, the attackers found a harmless-looking photo on one company’s human resources site that contained valuable information – the manufacturer and model of a certain piece of control-systems equipment.

That provided critical information on how the plant runs and set up the next phase of the attack – spear phishing – which is the use of customized, highly deceptive emails designed to deliver malware. Using resumés, curricula vitae, policy documents and other common messages, the hackers made reference to these control systems creating plausible, well-informed emails likely to fool someone into opening a malware-laced attachment.

One was an invitation to a company New Year’s Eve party.

Another common method used to infiltrate is called a watering-hole attack which plants malicious code in a place the targets trust, then waits for them to come pick it up.

In the energy-sector attack, DHS and FBI found that watering holes included trade publications and informational websites that dealt with matters specific to the energy industry. The hackers corrupted those sites and altered them to contain malicious content. The targets saw no reason to suspect anything was wrong when they visited them.

‘It’s a low-complexity, low-effort, high-yield attack,’ Orlando says. ‘With relatively little effort, you can target lots and lots of users.’ The best defense, he says, is for a company to monitor its own networks for signs that a user may have unwittingly stumbled into a watering-hole.

Much of the malware in the energy-sector attack was designed to capture user credentials, or the digital identity of someone authorized to use a target network. Credential harvesting includes usernames and passwords, hashes or a computer’s digital signature, often stolen through tricking someone at a false login page for a familiar site.

The hackers’ spear phishing emails contained documents that ordered the target’s computer to retrieve data from a server – one the hackers either owned themselves, or had commandeered. Once the hackers had the target’s credentials, they could apply techniques to reveal the password in plain text.

Requiring multiple modes of authentication to sign in, such as a thumbprint or a security token code, is the best way to thwart this type of attack.

Hackers imitated login pages themselves, planting a link that redirected users to a page whose ‘username’ and ‘password’ fields fed credentials straight to them. Orlando notes, ‘If I can come into your environment using authorized credentials, detecting that just became exponentially more difficult.’

There are two main lessons from the power-grid hack, Orlando says. First, businesses should know that small hacking attempts like suspicious emails are often part of a larger campaign. Also, they should understand that truly cyber-secure businesses look beyond their own networks, much like tracking the spread of a new flu virus.

‘Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers,’ he says. ‘If you’re not mitigating risk across the entire cyber ecosystem, you’re potentially missing a very large exposure to your business.’

Since smaller companies are the hacker’s first stop on the way to the bigger targets, Orlando recommends monitoring computer networks for unusual activity, installing security patches regularly, developing a response plan to disclose breaches and limit damage, and communicating up and down the supply chain on cyber security.

Data diodes, air gaps, field programmable gate arrays – all the sophisticated approaches to cyber security that the nuclear and defense industries use – eventually need to be part of everyone’s defense.

But as Orlando summed up, the daunting new reality in modern cyber security is that a company’s cyber defenses are only as strong as the defenses of everyone connected to it.


Cybersecurity #Hype: Is the #Industry #Delivering on its #Promise?

Source: National Cyber Security News

Every week we see more headlines in the press about new cyber-attacks and security vulnerabilities affecting millions of consumers and businesses around the world.

Massive data protection scandals such as Equifax – where 143 million individuals’ personal data were exposed in a hack that could have been prevented by a simple patch – now seem to happen on a worryingly regular basis.

Meanwhile, the cybersecurity industry seems to be sitting pretty, with business revenues in the sector growing by an estimated 11% every year. A recent report from Cybersecurity Ventures forecast that global spending on cybersecurity is expected to exceed $1 trillion between 2017 and 2021. Given the ongoing list of high-profile security breaches, is the cybersecurity industry really offering its customers value for money?

The statistics would suggest that it is not. The number of businesses falling victim to attacks rose by 21% in the US last year, and doubled in the UK in the past two years. Figures show that there were 918 data breaches compromising 1.9 billion data records in the first six months of 2017, up 164% compared to 2016.

A primary cause is the rise in mobile and smart device usage within companies, with network perimeters becoming edgeless.


Far-reaching #cyber-security #Bill not uncommon in other #countries, say #Singapore experts, #industry players

Source: National Cyber Security – Produced By Gregory Evans

Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.

Concerns about the Cyber Security Agency (CSA) of Singapore’s far-reaching powers had surfaced during the consultation. Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.

Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: “The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage.”

CSA’s powers, like those of the police, are calibrated and are strictly meant to keep the lights on for essential services, Mr Leong said.

In announcing on Monday (Nov 13) its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure would no longer be an official secret under the Official Secrets Act.

The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of critical information infrastructure, such as those in banking, telecom and energy sectors, report security breaches and attacks “within hours”.

Similar mandatory data breach reporting requirements have been in place in the US, Europe, Japan, Australia and South Korea for years.

Mr Shlomo Kramer, founder and chief executive officer of Israeli cyber-security start-up Cato Networks, said Singapore is, in fact, playing “catch-up” with these nations in this respect.

“Such regulation will move the needle in a positive way and make organisations feel accountable,” said Mr Kramer, who also co-founded what was the first firewall solutions provider Check Point in 1993.

He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.

Checks and balances – which are included in the proposed Bill – prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.

Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore’s cyber-security Bill could be compared to similar laws in the United States and Britain, said Mr Boland.

Said lawyer Koh Chia Ling from law firm OC Queen Street: “The general global trend is that countries are enacting such laws and Singapore is essentially doing the same.”

Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes. “The loss or compromise of such computers and computer systems could adversely affect national security or public health, safety and order,” said Mr Ow.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said that debates are ongoing in the United States just like they have taken place in Singapore, arising from an ever-growing tension between security and privacy.

Referring to preserving privacy in the US, he added: “All bets are off when it comes to fighting terror or a national security issue – no one will compromise.”

Owners of critical information infrastructure said the Bill is necessary. They are waiting to work out implementation details with CSA and their sectors’ regulators.

A spokesman for telco Singtel said: “The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation.”

An M1 spokesman said: “It is important that the powers under the Bill are exercised reasonably.”

Meanwhile, such stringent reporting requirements are not new to the banking sector.

Mr Patrick Chew, OCBC Bank’s head of operational risk management, said: “Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber security incidents.”


Russian hackers targeting Indian hospitality industry for user data

Source: National Cyber Security – Produced By Gregory Evans

A Russian hacking group, “APT28”, also known as Fancy Bear, is targeting the Indian hospitality industry to steal user data through unsecured Wi-Fi at hotels, according to a report from cyber-security company FireEye. APT28 has already attacked travelers in hotels throughout Europe and the Middle East in a hacking spree…


The Cybersecurity Crisis Facing the Healthcare Industry

Source: National Cyber Security – Produced By Gregory Evans

The increased utilization of electronic health records (EHRs) has provided remarkable benefits to medical professionals and their patients. By having immediate access to a more complete patient picture, medical professionals are better equipped to make informed decisions quickly. However, the push for widespread adoption of EHRs has resulted in increased…


South Korean Arms Industry Urged to Prepare for Cyberattacks

Source: National Cyber Security – Produced By Gregory Evans

Industry experts are warning the South Korean arms industry to ramp up security in preparation for growing cyberattacks in the coming years, while a number of industry sources say some of the previous attacks could have been state-sponsored. Similarities found between previous cyberattacks against the South Korean arms industry over…


Militaries and Industry Seek to Solve Cybersecurity Conundrum

Source: National Cyber Security – Produced By Gregory Evans


For at least the whole of the current century, militaries have understood the critical role cyberdefense plays in every aspect of operations. Yet most military organizations appear reluctant to train for network defense outside of specialist cyber units. Unlike with land, sea, air and space, cyberwarfare cannot be conducted only…
