now browsing by tag
VR Content Management Systems Market Analysis, trends, opportunities, Scale and Segment forecast to 2028| Contentful, VIAR, Kentico Software, ByondXR, Headjack, Mozilla Firefox | #firefox | #chrome | #microsoftedge | #cybersecurity | #infosecurity | #hacker
VR Content Management Systems Market Analysis, trends, opportunities, Scale and Segment forecast to 2028| Contentful, VIAR, Kentico Software, ByondXR, Headjack, Mozilla Firefox | #firefox | #chrome | #microsoftedge – National […]
The post VR Content Management Systems Market Analysis, trends, opportunities, Scale and Segment forecast to 2028| Contentful, VIAR, Kentico Software, ByondXR, Headjack, Mozilla Firefox | #firefox | #chrome | #microsoftedge | #cybersecurity | #infosecurity | #hacker appeared first on National Cyber Security.
View full post on National Cyber Security
What Ohio, Kentucky and Indiana have done to improve unemployment systems | #bumble | #tinder | #pof | #onlinedating | romancescams | #scams
_________________________ Reuters Videos ‘I take care of them’: Cuban man befriends pelican colony Location: Guanimar, CubaThis man has spent 20 years caring for 100 pelicans(SOUNDBITE) (Spanish) PELICAN […]
View full post on National Cyber Security
Some industries, like financial services and healthcare, have been targets of cyberattacks since day one. For years, manufacturing seemed far less interesting to hackers, and even C-suite executives at these companies weren’t particularly worried about the risk of attack. However, all that’s changed now that the Internet of Things (IoT) dominates production systems across the manufacturing industry. Although these devices have helped to usher in the era of “smart” manufacturing, they’ve also dramatically expanded the attack surface across global manufacturing systems. One study revealed an average of 5,200 attacks per month on IoT devices in 2018 alone.
Cyberthreats like NotPetya, WannaCry, Stuxnet, and EKANS are constantly evolving and targeting companies in every industry around the world. But the biggest risk to manufacturing companies is that few of these organizations are truly prepared to counter these types of threats. Here are some of the top risks manufacturers face today:
- Extended downtime: While intellectual property theft and ransomware are big threats to any company, the consequences of a major attack are often unique and can be devastating. For instance, a single attack could shut down a plant’s operations or even reconfigure machinery to produce faulty products without anyone realizing it until the human and business costs have skyrocketed. Although the true cost of downtime is hard to quantify, many factories lose an average of 5% to 20% of their productivity due to downtime.
- Longer recovery time: Consider that many manufacturers are actually smaller companies that produce parts for larger global enterprises. These smaller manufacturers often lack mature IT security practices to prevent a cyberattack, which not only makes it easier for hackers to infiltrate their systems, it may also make it much harder for these companies to restore operations impacted by a cyberattack.
- Loss of trade secrets: A manufacturing company’s systems and processes are often closely kept trade secrets. Guarding this information is not only critical for safety but also necessary to protect the company’s competitive advantage. However, the widespread use of always-on IoT devices offers bad actors countless ways to access devices and systems. Once hackers have gained access, they can potentially hack into the cameras in computers and mobile devices to surveil a physical location. They may also be able to gain access by stealing a third-party vendor’s credentials, which is why manufacturers must gain tighter control over their vendor privileged access management.
- Breach of customer confidentiality: For many hackers, customer data is a goldmine, which is why these systems are so frequently attacked. In one instance, cybercriminals breached a manufacturing company’s customer information system and installed malware that remained active for an entire year. The hackers were able to extract volumes of highly confidential customer data such as name, billing address, telephone number, payment card number, expiration date, and verification code. The malware was specifically designed to access victims’ shopping carts to access these details.
- Loss of reputation: Once a company’s data has been breached and customers have been impacted (either through production delays or loss of personal information), it’s extremely hard for a company to rebuild those relationships. The larger the deal, the larger the impact outages and delays can have on delivery dates across the supply chain. For manufacturers working with larger customers, a cyberattack that shuts down production can destroy not just the revenue from the deal, but also cause more financial damage from missing contractual agreements. While a company or customer may be entitled to compensation from a manufacturer, it’s much harder to repair the damage to a brand in a highly competitive and high-demand industry.
The good news is, there are solutions to help reduce the threat of malicious attacks through outside or third-party entities such as manufacturing partners and vendors. Stay tuned for our next blog, “Improve security in manufacturing with vendor privileged access management” to find out how!
In the meantime, to learn more about the risk of cyberattacks on manufacturing systems, download our infographic “The Top Remote Access Threats in Manufacturing.
The post Five ways cyberattacks put manufacturing systems at risk appeared first on SecureLink.
*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Ellen Neveux. Read the original post at: https://www.securelink.com/blog/five-ways-cyberattacks-put-manufacturing-systems-at-risk/
View full post on National Cyber Security
Source: National Cyber Security – Produced By Gregory Evans By Zach DeMeyer Posted January 6, 2020 Although the password is a ubiquitous security measure, recent security breaches show us that the password by itself isn’t nearly strong enough to protect the entirety of an organization. In fact, compromised credentials represent the number one attack vector […] View full post on AmIHackerProof.com
Source: National Cyber Security – Produced By Gregory Evans Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating […] View full post on AmIHackerProof.com
The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.
A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.
It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.
Though the exercise was conducted in a simulated coal plant, not a nuclear one, the tactile nature of the demonstration — the act of donning rubber boots to fix the flooding — drove home the potential physical consequence of a cyberattack on critical infrastructure. “The next step for them is to go back home and train in their real environment,” Erik Biverot, a former lieutenant colonel in the Swedish army who planned the event, told The Verge.
The drill, which took place this past October at a research facility 110 miles southwest of Stockholm, was the most technically sophisticated cyber exercise in which the UN’s nuclear watchdog — the International Atomic Energy Agency (IAEA) — has participated.
Security experts say more of these hands-on demonstrations are needed to get an industry traditionally focused on physical protection to think more creatively about growing cyber threats. The extent to which their advice is heeded will determine how prepared nuclear facilities are for the next attack.
“Unless we start to think more creatively, more inclusively, and have cross-functional thinking going into this, we’re going to stay with a very old-fashioned [security] model which I think is potentially vulnerable,” said Roger Howsley, executive director of the World Institute for Nuclear Security (WINS).
The stakes are high for this multibillion-dollar sector: a cyberattack combined with a physical one could, in theory, lead to the release of radiation or the theft of fissile material. However remote the possibility, the nuclear industry doesn’t have the luxury of banking on probabilities. And even a minor attack on a plant’s IT systems could further erode public confidence in nuclear power. It is this cruelly small room for error that motivates some in the industry to imagine what, until fairly recently, was unimaginable.
The Nuclear Threat Initiative, a Washington-based nonprofit co-founded by Ted Turner, has tallied about two-dozen cyber incidents since 1990, at least 11 of which were malicious. Those include a December 2014 attack in which suspected North Korean hackers stole blueprints for South Korean nuclear reactors and estimates of radiation exposure to local residents. The affected power company, which provides 30 percent of the country’s electricity, responded by carrying out cyber drills at plants around the country.
In another attack, hackers posing as a Japanese university student sent malicious emails to researchers at the University of Toyama Hydrogen Isotope Research Center, one of the world’s top research sites on the radioactive isotope that makes a hydrogen bomb. From November 2015 to June 2016, the hackers stole over 59,000 files, according to media reports, including research on the ill-fated Fukushima nuclear plant.
Any list of cyber incidents in the nuclear sector, however, is very likely incomplete. The US Nuclear Regulatory Commission, for example, only requires operators to report to the commission cyber incidents that affect the safety, security functions, or emergency preparedness of the plant, excluding potentially significant attacks on IT systems. It is, in general, extremely difficult for a hacker to breach a plant’s inner control systems implicated in the former category, but not nearly as challenging to penetrate the non-critical IT networks included in the latter.
“We are absolutely undercounting [the number of non-safety-related incidents] and we’re not looking so we can’t pretend that our count is accurate,” said Robert M. Lee, a former Air Force cyber officer and founder of Dragos, a firm specializing in industrial control systems (ICS) cybersecurity. By probing their networks for more of these lower-level threats, nuclear operators can bolster their security, he added.
Regulatory requirements have strengthened US nuclear plants’ cybersecurity, and most plants were built decades ago on analog systems that are shielded from direct internet-based attacks. But the growing digitization of the industry is opening up new potential vectors for hackers.
One of the first known cyber incidents at a nuclear plant took place in 1992 when rogue programmer Oleg Savchuk deliberately infected the computer system of a plant in Lithuania with a virus. Savchuk was arrested and became a precautionary footnote in the history of nuclear security. It would take a set of much more seismic events to illuminate the danger of cyber threats to nuclear operators.
In March 2007, with US energy regulators looking on, engineers at the Idaho National Lab showed how 21 lines of computer code could cripple a huge generator, as journalist Kim Zetter writes in her book. It was only through this jaw-dropping experiment, known as Aurora, that some energy industry officials came to accept that digital tools are capable of physical destruction.
Before Aurora, “there were many people who simply denied the concept that any kind of physical damage could be caused or triggered by a cyber event,” Marty Edwards, an ICS expert who helped design the experiment, told The Verge. Two years later, the destructive potential shown in Aurora became a reality. The famed Stuxnet attack injected a formidable computer worm into Iran’s Natanz enrichment facility in 2009, destroying about 1,000 centrifuges. The United States and Israel are suspected of being behind the attack, which used a USB drive to deliver malware to “air gapped” systems, or those with no direct or indirect connections to the internet. In doing so, the attackers refuted the notion that such a system was immune to hacking.
Stuxnet’s creators used four “zero-days,” or previously unknown software exploits, whereas most big cyberattacks use one at most. The attackers managed the improbable feat of breaching and manipulating a nuclear facility’s heavily protected industrial controls. In doing so, they changed the cybersecurity conversation in the nuclear industry, prompting new regulations and more investments in defenses.
As instructive as Stuxnet was, nuclear officials can only learn so much from one attack and, because successful attacks are rare, there is a small pool of data from which to learn. For some, the answer is to create your own attacks in a controlled environment.
The exercise conducted this past October took advantage of the high-tech environment provided by Sweden’s Defense Research Agency. Officials from the IAEA and at least 20 of its member countries, including the US and China, watched on TV screens as offensive and defensive cyber teams did battle. The defenders grappled with everything from straightforward denial-of-service attacks to the more insidious scenario of a contractor’s laptop exposing a facility to malware.
In one instance, they used an actual Siemens programmable logic controller. In another, they modeled one of the exercise’s attacks on the 2015 hack of the Ukrainian power grid, one of the biggest energy-sector attacks since Stuxnet.
The Swedes meticulously documented what amounted to a scientific experiment. Audio and video captured participants’ every move and may be later analyzed by a research team. The biggest early takeaway from the experiment, however, was decidedly low-tech: participants had to trust each other to navigate a stressful environment.
The IT specialists who participated normally work individually rather than as a team to handle cyber incidents, according to Biverot. For each participant, knowing that “I can give this guy a call if I’m in trouble” would be invaluable during a security incident, he told The Verge.
Security experts say there is no substitute for putting an organization’s cyber teams under the gun in an intense, credible scenario. “It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life,” said Dennis Granåsen, a senior scientist at the Defense Research Agency. “If you don’t do that, it’s very easy to just think of these exercises as a game where you need to perform and get a good score and that’s it.”
The less that exercises seem like a game to participants, the better prepared they’ll be for the real thing. The challenge, however, is that exercises as technically rigorous as the Swedish one have not been the norm across the global nuclear sector. They can be expensive, take many months to plan, and may require bringing in outside cyber expertise to drill plant personnel. Exercise programs are growing in maturity and are including more red-teaming, but experts say more work is needed.
Without outside help, many operators will struggle to keep pace with cyber threats, according to Roger Brunt, a former top official at the UK’s Office for Nuclear Regulation. For that reason, Britain’s larger nuclear operators have recently begun hiring security firms to probe their computer networks for vulnerabilities, he said.
While safety and security are paramount at nuclear plants, business considerations also come into play as many plants, including the vast majority of the 61 in the US, are privately owned. The financial and reputational damage that a successful cyberattack could wreak has led some executives to walk through them in advance.
Two weeks before the Swedish exercise, a group of lawyers, insurers, and nuclear executives huddled in central London to consider an alarming scenario: malware had hit a workstation at a nuclear plant, triggering a shutdown of the reactor and a power cut for nearby residents during a dangerous heatwave.
Whereas the Swedish drill was geeks and computer code, the London one was lawyers and the lofty words of judges and defendants.
A fictional power company was on mock trial for decisions its executives had taken leading up to the made-up incident. They had failed to ensure that software on the plant had been updated and that employees were trained in security. Despite an eloquent defense from executives, the judges found the company criminally and civilly liable for the $1.7 billion in economic and other damages incurred by the power cut, and for the 10 people who died in the heat wave.
Howsley said he was surprised at the criminal verdict, thinking the bar for damning security practices would be higher. But that may be where legal norms are headed, given that companies like Uber and Anthem have been sued for allegedly shoddy cybersecurity regimes.
Among nuclear executives, “accountability is going to drive better behavior” on cybersecurity, said Kathryn Rauhut, a lawyer and nonresident fellow at the Stimson Center, which hosted the exercise.
Rauhut said that when drawing up the exercise, she considered several scenarios that might spur strong interest from nuclear executives. Nothing resonates like the threat of a civil or criminal lawsuit for bad security practices. “The CEOs said, ‘Whoa, this is huge. I didn’t know I was liable,’” she told The Verge.
Howsley, a 35-year veteran of the nuclear industry, has seen the industry adapt its safety standards after the 1986 Chernobyl disaster, its security standards after the September 11th attacks, and its cybersecurity standards after Stuxnet. The guessing game of where the next threat might come from can be maddening.
“Someone once said to me, ‘The future is actuarial, history is forensic,’” said Howsley, a cerebral Englishman with a PhD in botany. “If something awful happens at 3 o’clock this afternoon, people will look back and say, ‘How did we allow this to happen?’ But we forget all the things that we worried about and didn’t happen.”
As training in the lab and boardroom continues, hackers in the real world are sharpening their skills. The years since Stuxnet have seen an uptick in advanced hacking operations targeting energy infrastructure. The Ukrainian power grid has been a playground for hackers, some of whom analysts have traced to Russia.
A year after the December 2015 attack, which cut power for 225,000 people, the Ukrainian grid was hit again in what Dragos says was an even more sophisticated operation. “Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” states the firm’s analysis of the attack.
Just last week, energy software giant Schneider Electric acknowledged that hackers had exploited a flaw in its safety system software, known as Triconex, at an industrial plant, causing the plant to shut down. The company has declined to identify the plant. Triconex systems are used at a variety of plants, including oil, gas, and nuclear.
This changing digital landscape is prompting governments and energy companies to get more ambitious in how they drill for attacks. The goal is tighter communication and unalloyed trust between the government and operators of critical infrastructure, the vast majority of which is privately owned in the US.
In the event of a serious cyberattack, nuclear operators would need to have agencies on speed dial to mitigate the damage. In the waning days of the Obama administration, US and British officials tested these lines of communication in an unprecedented exercise they called Ionic Shield.
On a conference call in November 2016, officials at the White House and Downing Street watched as a piece of malware hit the administrative networks of hypothetical nuclear plants in the US and Britain. Participants tested how well they could pass the word of a spreading attack through the chain of command and take corrective action. Communication between the two governments and between government and industry went well, according to Caitlin Durkovich, a former official for the Department of Homeland Security (DHS).
However, Durkovich told The Verge, “I think we walked away with the sense we need to improve how the industry here [in the US] is communicating with the industry there [in Britain], especially as it relates to sharing threat information.”
In June 2017, DHS officials warned the energy industry that hackers had targeted the computer network of the Wolf Creek nuclear facility in Kansas. The threat was limited and did not involve safety or other critical systems, security experts told The Verge, but it served as a reminder that nuclear facilities are still very much in hackers’ crosshairs.
“The threat is not going to go away,” Howsley said. “It will get more subtle.”
Some hackers play the long game, lingering on peripheral networks for months in the hope of gaining a foothold into more critical systems. For network defenders, maintaining urgency in the absence of regular, successful attacks can be difficult. The shock value of events like Aurora and Stuxnet can only last so long as those who study them fall back into their routines. Rigorous exercises based on unnerving scenarios are critical to keeping engineers and cyber specialists on their toes.
The post HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED? appeared first on National Cyber Security .
View full post on National Cyber Security
International Workshop on Future Information, Security, Privacy and Forensic for Complex Systems (FISP)
General Cybersecurity Conference
August 13 – 15, 2018 | Gran Canaria, Spain
Cybersecurity Conference Description
Availability, integrity and secrecy of complex information systems are increasingly important requirements for modern society as well as nations as with every passing day computers control and administer more and more aspects of human life. We entrust much of our lives to information and computer technologies (ICT’s). However, it is difficult and challenging task to understand security risk and to provide effective security solution as attackers only need to find a single vulnerability but developers or system administrators need to find and fix all vulnerabilities. In addition, cyber space is considered as fifth battle-field after land, air, water and space.
The aim of FISP-2018 is to provide a premier international platform for wide range of professions including scholars, researchers, academicians and Industry people to discuss and present the most recent challenges and developments in “Information Security, Privacy and Forensics for Complex systems” from the perspective of providing security awareness and its best practices for the real world. After the high success of the previous edition (FISP’2017) in conjunction with 12th International Conference on Future Networks and Communications 2017 (FNC-2017), Belgium, the fourth International Workshop on Future Information Security, Privacy and Forensics for Complex systems (FISP-2018) will continue to open to submit novel and high quality research contributions as well as state of the art reviews in the field of information security and privacy. We anticipate that this workshop will open new entrance for further research and technology improvements in this important area.
View full post on National Cyber Security Ventures
General Cybersecurity Conference
June 25 – 28, 2018 | Luxembourg City, Luxembourg
Cybersecurity Conference Description
The IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) has a distinctive approach to accidental and malicious faults under a common body of knowledge. Today, it is the most prestigious international forum for presenting advanced and innovative research results, problem solutions, practices, and insights on new challenges in the field of dependable and secure computing.
DSN is the flagship conference for research furthering robustness and resilience of today’s wide spectrum of computing systems. Indeed, dependability and security concerns can no longer be tackled in isolation, from general IT to the internet-of-things, cyber-physical systems and application areas.
The post International Conference on Dependable Systems and Networks appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures