role


Cyber security experts discuss mitigating threats, say universities can play a key role in protecting the country against a cyber attack

Former U.S. Director of National Intelligence and Navy Vice Adm. Mike McConnell advocated today for stronger protection of digital data transfers and for universities to play a key role in filling cyber security jobs.

McConnell was among the keynote speakers at the 2018 SEC Academic Conference hosted by Auburn University. The conference, which is ongoing through Tuesday, is focused on the topic of “Cyber Security: A Shared Responsibility” and brings together representatives from the SEC’s 14 member universities along with industry experts in the area of cyber security.

McConnell is encouraging the use of ubiquitous encryption as a solution for stronger data protection.

“As we go to the cloud…ubiquitous encryption of some sort would be used so that if anybody accessed that data, you can’t read it. If you’re moving [the data] from point A to point B, it scrambles so you can’t read it,” he said.

McConnell understands that stronger data security can come at a cost for others, including law enforcement who may need to access data within a device during a criminal investigation.

“What I’m arguing is the greater need for the country is a higher level of [data] security. If that’s the greater need, then some things of lesser need have to be sacrificed. So when I say ubiquitous encryption, that’s what I’m attempting to describe. It is protecting the data that is the very lifeblood of the country,” McConnell said.

McConnell also addressed how academia can help in securing the nation from cyber attacks.

“We have about 300,000 job openings across the United States for which there are no cyber security-skilled people to fill those jobs,” he said. “Universities are debating academically ‘What is cyber security?’ and ‘How do you credit the degrees?’ and ‘How do you get consensus on what it is and what it should do?’”

He urged universities to move more quickly on coming to a consensus so they can get certified and accredited to start producing students who can fill those jobs.

Glenn Gaffney, executive vice president at In-Q-Tel, also spoke to the role higher education institutions can play in cyber security during his keynote address at the conference.

“It is at the university level where we don’t have to take a top-down approach,” Gaffney said, adding that universities can work together, through research and student involvement, to create proactive solutions to cyber security. “This is where the next generation of leaders will be developed. It’s here that these dialogues must begin. This is the opportunity.”

Ray Rothrock, CEO and chairman of RedSeal Inc., was the day’s third speaker, presenting on the topic of “Infrastructure: IoT, Enterprise, Cyber Physical.” Rothrock also held a signing for his new book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?”

Attendees at the conference are exploring computer and communication technology; the economic and physical systems that are controlled by technology; and the policies and laws that govern and protect information stored, transmitted and processed with technology.

Students at each SEC member university participated in a Cyber Challenge and presented posters displaying their work in the area of cyber security.


The post Cyber security #experts discuss #mitigating #threats, say #universities can #play a key #role in #protecting the #country against a #cyber attack appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Encryption’s role in GDPR compliance and cloud data security

Security of data in the cloud is a hot topic, especially with so many data breaches occurring during 2017 and the introduction of GDPR being just months away.

The field of security is so broad, it can be difficult to know where to start. In the last twelve months, I’ve had one friend who has had her cloud servers hacked and crypto ransomware installed, forcing payment of a two bitcoin ransom. Another friend had her cloud email server hacked, with the attacker modifying the bank account details of outgoing invoices and redirecting payments from the company’s bank account to the hacker’s. Both instances were security breaches and data breaches, resulting in direct financial loss.

To try to break down this broad topic and provide a how-to guide tailored towards GDPR compliance, I’ve devised four actionable steps across two categories: steps 1a and 1b cover the cloud platform and the access to it, and steps 2a and 2b cover the data itself. Let’s examine each step in turn.

1a. System level security: fully understand the limits to the security provided by your cloud service

Are your machines fully patched with the latest operating system security updates? Are your firewall rules in place? Do you find it strange that I’m asking these questions in a discussion about cloud security? The first step to security is understanding what you’re responsible for, and what your cloud provider is responsible for; failure to do so can be catastrophic.

It’s very commonly argued by vendors that cloud services have a higher level of security than achievable by an average system administrator. For example, if you host your email on Office 365, compared to running your own email server in your basement, it’s likely to be more secure against hacking attempts. After all, if you run your own server, you are responsible for managing the entire security of your server, from setting up your firewall rules, to monitoring intrusion attempts, patching and installing security updates, backing up data, ensuring 24×7 power supply and internet connection, and everything else in between.

“Therefore the cloud is safe!” – This can easily be the impression you’re left with after attending enough cloud marketing presentations. But you have to be very cautious about getting complacent or misunderstanding the cloud provider’s security claims. For example, when you fire up a virtual machine in a public cloud like Amazon Web Services or Microsoft Azure, this does not mean that the machine is secure or that your cloud provider will provide security and monitoring services for it. In this situation you’re consuming infrastructure-as-a-service (IaaS): the provider secures the physical hosts, hypervisor and network fabric, and you are responsible for everything you put on top, starting with the operating system, its patches and its firewall rules. (With platform-as-a-service offerings the provider also takes on the operating system and runtime, but you still own your application, its configuration and its access controls.)

Therefore it is critical for you to know what’s in your service contract and to understand what is your responsibility.

It’s also critically important to remember that when you use cloud services and store data in the cloud, you are in effect implicitly granting your cloud provider access to that data. Inevitably, selected employees of the cloud provider will have access to it, so you are relying on the hiring policies and security procedures of the provider to ensure that it stays friendly and does not “go rogue”. Many people fail to realise that outsourcing storage and services to the cloud reduces one set of risks but adds another. The Swedish Transport Agency learnt this between 2015 and 2017: after it outsourced its IT and databases, it emerged that details of most Swedish citizens had been exposed and that IT workers in Serbia, Romania and the Czech Republic, without Swedish security clearance, had been given varying levels of access to the data – a clear breach of data sovereignty that put national security at risk.

1b. Access level security: keep your access credentials and access controls secure

Assuming that you understand the limits of the cloud-provided security, the next step is to keep your access credentials secure.

This sounds basic, but recent large scale data breaches at Deloitte, Accenture, Uber, and (more recently) the Australian Broadcasting Corporation (ABC), clearly show that insufficient security practices are in place.

In the ABC data breach, around 1,800 daily MySQL database backups were leaked, alongside emails and login credentials to other data repositories, from a poorly secured public-facing AWS S3 bucket.
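As an added example, not part of the original post, here is a small Go program that scans an S3 bucket policy document for the kind of unconditional anonymous read grant behind leaks like the ABC’s. The two policies are constructed samples with hypothetical bucket and account names, not the policy from any real incident; the check covers only the bucket policy (object ACLs and the account-level S3 Block Public Access setting are separate controls) and assumes the common form in which Statement is an array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal model of the policy fields this check needs. Principal, Action and
// Condition are kept raw because real policies write them as either a single
// string or a list, and they are normalised below.
type policyDoc struct {
	Statement []struct {
		Effect    string          `json:"Effect"`
		Principal json.RawMessage `json:"Principal"`
		Action    json.RawMessage `json:"Action"`
		Condition json.RawMessage `json:"Condition"`
	} `json:"Statement"`
}

// asList normalises a JSON string-or-array field into a []string.
func asList(raw json.RawMessage) []string {
	if len(raw) == 0 {
		return nil
	}
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalIsAnyone reports whether a Principal grants to the world: the bare
// "*" or {"AWS": "*"} (the AWS entry may itself be a list).
func principalIsAnyone(raw json.RawMessage) bool {
	for _, p := range asList(raw) {
		if p == "*" {
			return true
		}
	}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) == nil {
		for _, p := range asList(m["AWS"]) {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// hasCondition treats an absent, null or empty Condition as unconditional.
func hasCondition(raw json.RawMessage) bool {
	s := strings.TrimSpace(string(raw))
	return s != "" && s != "null" && s != "{}"
}

// PublicReadActions returns the read-style actions that the bucket policy
// grants to anonymous callers without any Condition. Conditional grants
// (for example restricted to a VPC endpoint) still deserve human review but
// are not reported as unconditional public access here.
func PublicReadActions(policyJSON string) ([]string, error) {
	var doc policyDoc
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, err
	}
	var found []string
	for _, st := range doc.Statement {
		if st.Effect != "Allow" || !principalIsAnyone(st.Principal) || hasCondition(st.Condition) {
			continue
		}
		for _, a := range asList(st.Action) {
			al := strings.ToLower(a)
			if al == "*" || al == "s3:*" || strings.HasPrefix(al, "s3:get") || strings.HasPrefix(al, "s3:list") {
				found = append(found, a)
			}
		}
	}
	return found, nil
}

// Constructed sample policies (hypothetical bucket and account names).
const leakyPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
  }]
}`

const scopedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackupRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::example-backups/*"
  }]
}`

func main() {
	for name, pol := range map[string]string{"leaky": leakyPolicy, "scoped": scopedPolicy} {
		acts, err := PublicReadActions(pol)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		if len(acts) == 0 {
			fmt.Printf("%s: no unconditional anonymous read grants\n", name)
		} else {
			fmt.Printf("%s: PUBLIC READ via %s\n", name, strings.Join(acts, ", "))
		}
	}
}
```

Feed it the output of `aws s3api get-bucket-policy` for each bucket and treat any non-empty result as a finding. A backup bucket should never need an anonymous principal at all; the fix is to scope the principal to the role that writes the backups, as the second sample does, and to enable Block Public Access on the account so that a future mistake cannot reopen the bucket.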

Some basic tips are:

2a. Data level security: encrypt your data wherever possible

High quality encryption technologies, properly used, will deliver the highest levels of security for your data. Many security experts argue that using client-side encryption is the only way to safeguard data when it’s stored on other people’s infrastructure such as the cloud.

The beauty of encryption is that it can be an extremely effective last line of defence that stops a security breach from becoming a data breach. Not only is encryption a good cyber-defence practice, it’s specifically referenced in the EU’s General Data Protection Regulation (GDPR). Article 32(1)(a) of the GDPR lists the “pseudonymisation and encryption of personal data” among the measures to be implemented as appropriate, taking into account the state of the art and the costs of implementation.

When the Australian Red Cross Blood Service leaked the personal details of 550,000 blood donors in 2016 (including names, addresses and answers to questions about sexual behaviour), the data came from an unencrypted database backup left on a publicly accessible web server. Had that backup been encrypted, with the key held elsewhere, the server misconfiguration would have leaked ciphertext rather than caused a full data breach. GDPR recognises this distinction: under Article 34(3)(a) a breach need not be communicated to the affected individuals if the data was rendered unintelligible to unauthorised persons, for example by encryption, and notification to the supervisory authority under Article 33 is required only where the breach is likely to result in a risk to people’s rights and freedoms, a judgement that is far easier to defend when the key was never exposed. The caveat is the key: if the encryption key sits in the same leaked backup, or in a config file on the same server, the exemption does not apply.

However, because encryption is perhaps the most misunderstood area in cybersecurity, it is most often not implemented, or is implemented so poorly that it is ineffective. Being a highly specialised field full of confusing acronyms and marketing hype, buyers (and even vendors) often fail to comprehend what security they’re actually getting. This frequently leads to the “tick the box” mentality where people don’t understand what they’re buying, but because it’s advertised as “military grade”, it must be good. This is, of course, a logical fallacy, but it reflects the situation that buyers often have little idea whether they are purchasing real security or merely ‘snake oil’.

The ideal encryption system should meet a number of requirements:

2b. Take local backups of critical cloud data

The final procedure for security revolves around backup. If the cloud contains your only copy of important data, you run the risk of suffering permanent data loss, even if you think your cloud provider has been taking backups.

In 2014, SaaS provider Code Spaces and all of Code Spaces’ customers learnt that lesson the hard way. Code Spaces provided source code management tools such as Git to its customers – in effect the company was a “safe haven” and repository of data for its customers, offering what it advertised as a robust cloud service, fully backed up and with the security of being hosted on Amazon AWS.

However, an attacker gained access to Code Spaces’ AWS control panel account and started to cause chaos. After a standoff with Code Spaces’ engineers and a failed extortion attempt, the attacker deleted the bulk of Code Spaces’ AWS objects: S3 buckets, EC2 machine instances, EBS snapshots and the backups, which lived in the same account and were reachable with the same credentials. This led to permanent data loss, and without an offline copy of the data it put Code Spaces out of business within days. Worse still, its customers also faced permanent data loss, unless of course they had been savvy enough to keep their own backup of their data instead of relying on Code Spaces.

The lesson here is clear: ultimately, you are responsible for your own data. If you choose to delegate that responsibility, you will suffer the consequences if your provider gets hacked or otherwise fails to meet their obligations.

There are two ways in which you can back up your cloud data – a cloud-to-cloud backup, or a cloud-to-local backup. The former has some appeal, in that an organisation can be fully in the cloud without running any local infrastructure. However, as all of the security breaches mentioned here have shown, attackers can and do regularly compromise access-level security, and when they do, they can cause permanent data loss. A cloud-to-cloud backup that is reachable with the same credentials as the primary data, as Code Spaces’ were, shares the same fate; at a minimum it belongs in a separate account with independent credentials and versioned or write-once storage.

The cloud-to-local backup option is more secure in that sense. If you regularly download your data to a local storage device such as a hard drive (encrypted, of course, with the key kept separately), and then air-gap that drive by disconnecting it and placing it in a safe or cabinet, it is out of reach of any remote attacker. It’s simply a cheap, low-tech solution that’s better at surviving a remote compromise than the world’s most expensive firewall. Test a restore from it periodically: a backup that has never been restored is a hope, not a backup.
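The following Go program, added here as an example and not part of the original post, ties steps 2a and 2b together: it seals a backup with AES-256-GCM before the copy leaves your control, binds the backup’s file name into the authentication tag so one blob cannot be swapped for an older one, records a SHA-256 fingerprint for an offline manifest, and shows that a single flipped bit is rejected on restore. The database dump and file names are constructed placeholders; the key is assumed to live in a local secret store or HSM, separate from wherever the ciphertext is kept.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// The backup name is passed as associated data, so it is authenticated but
// not encrypted: renaming a blob to impersonate a different backup fails.

// NewBackupKey returns a fresh 256-bit key. Keep it in a local secret store
// or HSM, never next to the ciphertext in the cloud (assumption of this example).
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts plaintext under key with AES-256-GCM, binding name.
func SealBackup(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the layout above.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenBackup reverses SealBackup; any change to nonce, ciphertext, tag or
// name makes GCM return an error instead of plaintext.
func OpenBackup(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Fingerprint is what goes into the offline manifest kept with the
// air-gapped copy: comparing it before a restore catches bit rot or a
// swapped file without needing the key.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// RoundTrip runs the flow on a constructed dump and reports whether the
// genuine blob restores, a one-bit flip is rejected, and the same blob
// presented under another backup name is rejected.
func RoundTrip() (restoreOK, tamperRejected, renameRejected bool, err error) {
	key, err := NewBackupKey()
	if err != nil {
		return
	}
	// Constructed sample standing in for a database dump; not real data.
	dump := []byte("-- MySQL dump\nINSERT INTO donors VALUES (1,'A. Example','1 Main St');\n")
	const name = "db-2018-03-01.sql.gz" // hypothetical file name

	blob, err := SealBackup(key, name, dump)
	if err != nil {
		return
	}
	got, err := OpenBackup(key, name, blob)
	restoreOK = err == nil && bytes.Equal(got, dump)

	bad := append([]byte(nil), blob...)
	bad[len(bad)/2] ^= 0x01 // flip one bit in the ciphertext
	_, err = OpenBackup(key, name, bad)
	tamperRejected = err != nil

	_, err = OpenBackup(key, "db-2018-02-01.sql.gz", blob) // wrong name as AD
	renameRejected = err != nil
	err = nil
	return
}

func main() {
	a, b, c, err := RoundTrip()
	fmt.Println("restore ok:", a, "tamper rejected:", b, "rename rejected:", c, "err:", err)
}
```

The design choice worth noting is that GCM gives confidentiality and integrity in one step, so a leaked blob reads as noise and a corrupted or substituted blob is refused rather than restored as garbage. Never reuse a nonce under the same key: a fresh random nonce per backup is fine at this volume, and rotating the key after a large number of backups keeps the collision risk negligible.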

Conclusion

We’ve seen that there is no single magic pill for data security, and that migrating to the cloud is absolutely not a silver bullet. Despite the marketing hyperbole and mantras regarding how safe the cloud is, history clearly demonstrates that organisations must still take careful steps to safeguard their own data.

By breaking down security into four broad areas, and focusing on those areas, organisations can shore up their cybersecurity defences and use the cloud securely. Encryption and backup are two ways in which you can take responsibility and control for your data – because ultimately while you can delegate some level of system level security to the cloud provider, the data is always yours to take care of.

Especially now, with unprecedented levels of cybercrime and the May 2018 GDPR date just around the corner, it has never been more important to review all IT security practices and avoid becoming a statistic.


The Auto Repair Shop’s Role in Connected Car Cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

“We collect 100 million miles of road per year,” says the co-founder and CTO of Nexar. “We can end up indexing the real world, structuring the real world the same way Google structures the web.”

Nexar will continue to build vehicle-to-vehicle (V2V) networks around the world, tracking connected cars’ movements and data. The connected car market is expected to continue to grow at a rapid rate (quadrupling by 2021, according to Statista), which means more companies like Nexar will be needed.

And as cars become more and more connected, vehicle cybersecurity concerns will increase. Given Nexar’s workload, it’s clear this is no longer a problem of the future—vehicle security is a concern right now. In turn, as advanced driver-assist systems (ADAS) and telematics technology become a daily component of repair shops’ work mix, the automotive aftermarket must become aware of and adapt to those security concerns.

That’s why the Alliance for Telecommunications Industry Solutions (ATIS), a forum where information and communications technology (ICT) companies convene to find solutions to their most pressing shared challenges, published its report “Improving Vehicle Cybersecurity: ICT Industry Experience & Perspectives”, in which the organization proposes a collaborative approach that could complement smart cities initiatives, improve vehicle reliability and enhance the overall customer experience in a new world of connected vehicles.

And it’s important for automotive repair shops to understand their place in that equation and secure their networks to protect customers, ATIS representatives state.

The Scope

As ATIS notes in its report, connected and self-driving vehicles will give consumers unprecedented new options, but the risks of cyber intrusion will only grow because of it. Dangers range from access to the owner’s, driver’s or passenger’s personal and financial information to outright loss of physical control of the vehicle.

“The network reaches into new frontiers as it provides vehicle connectivity for advanced applications and data collection,” says ATIS president and CEO Susan Miller. ”[This report] positions both the ICT industry and vehicle OEMs to work collaboratively to secure the network and block cyber attacks.”

And since independent repair shops seek to obtain OEM information, they are introduced to the cybersecurity problem, as well.

The Risk of Exposure

There’s no way around it, says Tom Gage: In order to properly repair radar systems and video sensors increasingly appearing in vehicles, automotive repair technicians will soon need to incorporate advanced driver-assist systems (ADAS) into their regular training schedules.

“Instead of a one-hour repair time for a windshield that has sensors embedded, it takes another hour to make sure the camera is appropriately calibrated,” says Gage, an ATIS board member who is also the CEO of Marconi Pacific. “We know the crash avoidance and automation world is increasingly appreciating and likely to increase the severity of accidents in terms of dollars because of sensors, and the increased software complexity adds another layer of demand on the whole vehicle ecosystem.”

Knowing how to calibrate vehicle systems back to original settings isn’t just a vehicle safety concern, but a cyber safety concern. Because if your shop’s network isn’t secure, it could lead to a cybersecurity breach for your customers.

“The fact [shop owners] will access the communications in these vehicles means they are part of that ecosystem that has to be considered,” says Jim McEachern, ATIS senior technology consultant. “Otherwise, servers in the shop get infected by malware, and it will affect all their customers, which would be bad for the industry.”

Along with the growing presence of ADAS, Gage says to consider one of the other main concerns for auto repair shops: diagnostic reports generated from aftermarket OBD-II connectors—a huge player in the growing telematics industry. If your shop sets up an OBD-II connection with a customer, that’s another avenue for cyber attacks to occur.

A Secure Network

If you plan to perform more diagnostic work or vehicle reprogramming, or have plans to utilize telematics technology, Gage says it’s important to address these network concerns with any OEMs or third parties with which you’re working.

On top of that, it is worth having cybersecurity experts and consultants evaluate your network to ensure your shop and customers are as best protected as possible.

“If I’m an auto shop and I have to do some sort of an update to the software,” Gage says, “are all the connections I have secure? Is Wi-Fi secure? Are the servers I’m operating on secure? These are things you need to ensure to prevent the possibility of a cyber attack.”

There is, of course, “no magic key or silver bullet,” McEachern says. It’s a multi-layered problem.

But because it’s multi layered, each layer needs to do its part in ensuring cybersecurity—and that includes even the smallest of automotive repair shops.


ISPs can play unique role in cyber security, says BT CEO


Internet service providers are perfectly positioned to make a significant contribution to cyber security for everyone, BT’s Gavin Patterson believes

Internet providers must do more to work collectively with businesses and governments to protect citizens from the growing threat of cyber crime, according to Gavin Patterson, chief executive of the BT Group.

“BT focuses on cyber security in a number of critical ways,” he told the FT Cyber Security Summit Europe in London. “As both a network operator and internet service provider [ISP], we are trusted to help repel cyber threats on behalf of the UK.”

With more than 2,500 dedicated security professionals operating from 15 security operations centres around the world, BT’s “global reach and depth of expertise” provides a “unique insight” into the cyber threat landscape, he said.

Based on these insights, Patterson said the cyber threat is changing and is no longer mainly about espionage and hacktivism.

Although a growing number of countries are beginning to include cyber techniques in their modern warfare arsenal and hacktivism remains a significant risk, the threat has moved on, said Patterson. “Cyber crime is now more pervasive and insidious, with a deeper impact on businesses and society.”

At the same time, said Patterson, more people than ever are connected to the internet, while the number of connected devices is projected to grow from nearly 27 billion in 2017 to 125 billion by 2030 as the internet of things (IoT) takes off, creating more points of vulnerability for criminals to exploit.

“As our head of security put it to me recently, ‘any criminal with a brain is now a cyber criminal’,” he said. “They are after the new commodity of our age, which is data.

“Stealing our data is to steal our most valuable asset, and we are seeing this happen at a faster pace and with greater sophistication than ever before.”

According to Patterson, BT’s security team detects 100,000 unique malware samples and protects the company’s network against more than 4,000 cyber attacks every day.

The attacks fall broadly into the categories of cyber theft for financial gain, phishing attacks, business email compromise (BEC), denial of service attacks and cyber extortion, he said.

Cyber-enabled fraud

Patterson said half of all reported fraud is cyber-enabled, according to the National Fraud Intelligence Bureau, and in the past 12 months, BT has identified and closed more than 5,000 phishing sites aimed at stealing personal details to commit crimes.

“CEOs, too, are at risk with the rise of whaling [or BEC], where phishing techniques are deliberately targeted at board level to impersonate and abuse their authority,” he said.

Distributed denial of service (DDoS) attacks are a popular form of cyber vandalism where the “brute force” of thousands of computers can be used to take down websites, said Patterson.

“The financial and reputational impact of such attacks on retailers, banks, airlines and utilities can be devastating,” he said, adding that DDoS attacks are a daily occurrence for BT’s customer-facing websites, with its security team mitigating an average of about 50 serious DDoS incidents every day.

BT has seen these attacks grow in frequency and size in recent years, with attacks currently up to 650Gbps, which is an increase of more than 60 times in the past 10 years.

Cyber extortion exploits businesses’ reliance on technology and data to hold them to ransom, said Patterson. “With ransomware available for purchase on the dark web for as little as $50, criminals can enter this rapidly growing market with ease, which means more high-profile attacks are likely,” he said.

“Perhaps the most worrying aspect of the WannaCry attack is its relatively unsophisticated nature. It exploited a known vulnerability, and a patch was readily available, which is a stark reminder to all of us to get the basics right – update antivirus software, install patches, invest in cyber security training for staff, and remind them to be very wary of opening suspicious emails or links.”

WannaCry also exposed the human cost of large-scale cyber crime, said Patterson. “These are not merely technical issues – people’s lives are sometimes at risk,” he said.

“The attack on Britain’s healthcare system resulted in cancelled operations, missed appointments and delayed diagnoses. It is therefore a public policy imperative that this kind of disruption is prevented in the future.”

In terms of what can be done to improve the response to escalating cyber threats, Patterson said the problem cannot be solved just by investing in the latest technology.

“What is also needed is a truly comprehensive approach,” he said. “For businesses, cyber security must feature at the very top of the boardroom agenda. It is critical for companies to have a robust cyber security strategy and policies that are kept constantly under review and continually put to the test.”

Patterson also recommended that organisations continually educate their staff on cyber security to turn employees into the greatest asset in the fight to protect data, prepare for the unexpected by testing responses to cyber incidents, conduct penetration testing and run red teaming exercises.

Constantly evolving threat

But although all these initiatives are important, they are not enough on their own to stem the rising tide of cyber crime because criminals are constantly evolving the sophistication of their attacks, he said.

“We need all companies, and ISPs in particular, to work more closely with governments to help neutralise cyber crime,” said Patterson.

“This includes tackling how to improve sharing of information about emerging threats and how to prevent cyber criminals getting access to their victims.”

Sharing threat information enables the development of a collective capability to intercept attacks before they hit, said Patterson, adding that BT is making good progress in this regard.

“We proactively reach out to firms impacted by cyber events to offer our knowledge, expertise and support,” he said. “We also support the UK government’s Cybersecurity Information Sharing Partnership [Cisp – now under the auspices of the NCSC] and work with Interpol to exchange threat information.

“As for preventing access to victims, this is a matter of how active ISPs are in intercepting malicious software and web content. As custodians of people’s data, as an industry, we are responsible for being a part of the solution.

“We cannot expect to eradicate online crime entirely, but we can step up our collective efforts to curb cyber criminals’ success rates significantly. If ISPs work together, in conjunction with government, we can take further steps to target online criminal activity at source.

“This requires careful consideration, but through collaboration and consensus, I am confident we can win the battle against the cyber crime threat, and BT stands ready to rise to that challenge.”


Facebook and Twitter play bigger role in Congressional election-hacking probe


As Congressional investigations into Russia’s role in manipulating the election for U.S. president deepens, tech companies are assuming a more central role in the inquiries. Both Twitter and Facebook are stepping up their efforts to cooperate with Congressional investigations into Russian interference with last year’s presidential election. For Twitter, that…


Man sentenced for role in Regina mail, identity theft scheme


Less than a month after his associate was jailed for an identity theft scheme involving stolen mail and forged documents, the second man involved received his own prison term. This isn’t the first time James Donald Provost — who has a record of more than 200 convictions — has been…


Greece wants more money, top role for EU cyber security agency


Greece wants the European Commission to give the Athens-based European Union Agency for Network and Information Security (ENISA) more money and the leading role in managing Europe’s cyber security issues as part of a legal overhaul next month. “We want ENISA to have a bigger role in cyber security and…


Former Bergen Man Sentenced For Role In $65M ID Theft, Tax Scheme


BERGEN COUNTY, NJ — A former Demarest resident was sentenced to 17 months in federal prison for his role in a $65 million stolen identity and income tax refund scheme, authorities announced. Roberto Diaz, 48, previously pleaded guilty before U.S. District Judge Claire C. Cecchi to aggravated identity theft, theft…


The role social media companies play in combating terrorism online is evolving


It’s no secret the internet has become one of the most sacred battlefields for terrorists. Not only have groups like Isis fought their messaging war online; It’s also where they’ve rallied and recruited tens of thousands of troops as well. …


Houston Woman Convicted for Role in Online Dating Scam


A federal jury in Oklahoma City has convicted a Houston woman for her role in an online dating scam that conned victims out of millions of dollars. Akunna Baiyina Ejiofor, 32, has been found guilty of conspiracy to commit wire …
