#nationalcybersecuritymonth | Ways government, industry can overcome a perpetual challenge

Source: National Cyber Security – Produced By Gregory Evans

A congressional report recommended that the federal government take several measures to improve its intelligence-sharing relationship with industry through policy reviews and joint collaboration platforms.

The report, created by the Cyberspace Solarium Commission (made up of government and nongovernment cyber experts), presented 75 cyber policy recommendations, including the recognition that information sharing is a perpetual challenge both between feds and private industry and agencies within the federal government.

The report suggests that Congress direct the executive branch to undergo a six-month review of intelligence policies, procedures and resources to identify pieces that inhibit the intelligence community from effectively sharing information.

“It needs to be done better in terms of higher level of collaboration [at] more senior levels between and among the government and private sector,” said Tom Gann, chief public policy officer at McAfee.

To start, the report calls on the federal government to create a “systemically important critical infrastructure” designation that would allow operators of that infrastructure to receive special assistance from the government to secure their systems.

The information sharing relationship between the government and industry needs to include more contextualized information, Gann said, which provides greater insight into the overall threat environment. Industry doesn’t need to know just that there’s new malware and who sent it, but also what organizations and senior leaders of actors might be involved, as well as motivations.

“It’s building as complete of a picture as you can of a threat environment on a day-to-day basis … which is so important,” Gann said.

There are some efforts within the federal government focusing on improving intelligence sharing with private industry. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security works with private and public sector partners to protect critical infrastructure. Another effort at the NSA’s Cybersecurity Directorate is focusing on intelligence sharing with the Defense Industrial Base.

To further those efforts, the report also suggests Congress fund the creation of a “Joint Collaborative Environment,” which would host both classified and unclassified cyberthreat information, malware forensics and network data. The platform would share information with other federal agencies and owners of “important” critical infrastructure, eventually expanding to intelligence sharing and analysis centers and a larger swath of critical infrastructure operators. The commission also proposed a Joint Cyber Planning Cell to coordinate cybersecurity planning efforts with the private sector.

The report also recognizes that the U.S. government doesn’t know how to best serve the private sector with intelligence collection. To mitigate that, the report recommends that Congress mandate a “formal process to solicit and compile private-sector input to inform national intelligence priorities, collection requirements, and more focused U.S. intelligence support to private-sector cybersecurity operations.”

The private sector was a critical piece of the commission’s three-pronged, layered deterrence strategy it recommended. Strengthening the feds’ relationship with the critical infrastructure operators was a key aspect of the report, as demonstrated by the participation of Tom Fanning, CEO of Southern Company, a utility company.

To further that relationship, the federal government and different cybersecurity providers, such as telecom and end-point security companies, may want to explore what it would look like to partner with the federal government and allow it to actively block malicious activity, said Michael Daly, chief technology officer for cybersecurity and special missions at Raytheon.

“I think there would be a benefit to us at least investigating that as an option — how could we use public-private partnerships to do more active blocking?” Daly said.

Daly added, “If we know that’s a malicious site, let’s not let our citizens go to it.”

The post #nationalcybersecuritymonth | Ways government, industry can overcome a perpetual challenge appeared first on National Cyber Security.

#cybersecurity | #hackerspace | Five ways cyberattacks put manufacturing systems at risk

Source: National Cyber Security – Produced By Gregory Evans

Some industries, like financial services and healthcare, have been targets of cyberattacks since day one. For years, manufacturing seemed far less interesting to hackers, and even C-suite executives at these companies weren’t particularly worried about the risk of attack. However, all that’s changed now that the Internet of Things (IoT) dominates production systems across the manufacturing industry. Although these devices have helped to usher in the era of “smart” manufacturing, they’ve also dramatically expanded the attack surface across global manufacturing systems. One study revealed an average of 5,200 attacks per month on IoT devices in 2018 alone. 

Cyberthreats like NotPetya, WannaCry, Stuxnet, and EKANS are constantly evolving and targeting companies in every industry around the world. But the biggest risk to manufacturing companies is that few of these organizations are truly prepared to counter these types of threats. Here are some of the top risks manufacturers face today:

  1. Extended downtime: While intellectual property theft and ransomware are big threats to any company, the consequences of a major attack are often unique and can be devastating. For instance, a single attack could shut down a plant’s operations or even reconfigure machinery to produce faulty products without anyone realizing it until the human and business costs have skyrocketed. Although the true cost of downtime is hard to quantify, many factories lose an average of 5% to 20% of their productivity due to downtime.
  2. Longer recovery time: Consider that many manufacturers are actually smaller companies that produce parts for larger global enterprises. These smaller manufacturers often lack mature IT security practices to prevent a cyberattack, which not only makes it easier for hackers to infiltrate their systems, it may also make it much harder for these companies to restore operations impacted by a cyberattack.
  3. Loss of trade secrets: A manufacturing company’s systems and processes are often closely kept trade secrets. Guarding this information is not only critical for safety but also necessary to protect the company’s competitive advantage. However, the widespread use of always-on IoT devices offers bad actors countless ways to access devices and systems. Once hackers have gained access, they can potentially hack into the cameras in computers and mobile devices to surveil a physical location. They may also be able to gain access by stealing a third-party vendor’s credentials, which is why manufacturers must gain tighter control over their vendor privileged access management.
  4. Breach of customer confidentiality: For many hackers, customer data is a goldmine, which is why these systems are so frequently attacked. In one instance, cybercriminals breached a manufacturing company’s customer information system and installed malware that remained active for an entire year. The hackers were able to extract volumes of highly confidential customer data such as name, billing address, telephone number, payment card number, expiration date, and verification code. The malware was specifically designed to access victims’ shopping carts to access these details.
  5. Loss of reputation: Once a company’s data has been breached and customers have been impacted (either through production delays or loss of personal information), it’s extremely hard for a company to rebuild those relationships. The larger the deal, the larger the impact outages and delays can have on delivery dates across the supply chain. For manufacturers working with larger customers, a cyberattack that shuts down production can destroy not just the revenue from the deal, but also cause more financial damage from missing contractual agreements. While a company or customer may be entitled to compensation from a manufacturer, it’s much harder to repair the damage to a brand in a highly competitive and high-demand industry.

The good news is, there are solutions to help reduce the threat of malicious attacks through outside or third-party entities such as manufacturing partners and vendors. Stay tuned for our next blog, “Improve security in manufacturing with vendor privileged access management,” to find out how!

In the meantime, to learn more about the risk of cyberattacks on manufacturing systems, download our infographic “The Top Remote Access Threats in Manufacturing.”

The post Five ways cyberattacks put manufacturing systems at risk appeared first on SecureLink.

*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Ellen Neveux. Read the original post at: https://www.securelink.com/blog/five-ways-cyberattacks-put-manufacturing-systems-at-risk/


3 Ways to Strengthen Your Cyber Defenses

Source: National Cyber Security – Produced By Gregory Evans

By taking proactive action, organizations can face down threats with greater agility and earned confidence.

Security professionals are under much pressure. It’s understandable: Within the past 12 months, 61% of US and European businesses suffered a cyberattack, up from 45% in 2018, and the figures are higher in every category of breach, according to cyber insurer Hiscox. The frequency of attacks is also up, with the number of firms reporting four or more incidents increasing from 20% to 30% over the same time period.

As cyberattacks increase in volume and get more sophisticated – and hackers become more agile – CISOs must do more to build a comprehensive security strategy that can protect critical assets, monitor impact, and recover from any unexpected attacks or disruption. Building defenses will also require a fundamental shift in thinking. Security and IT leaders should take a hard look at how they’ve been working and ask themselves: Is my security posture really rock-solid? Have I taken care of the IT hygiene basics that are so often the cause of successful breaches? And what are those core fundamentals I should implement to ensure the risk of cyberattacks is minimized as much as possible going forward?

Here are three fundamentals.

1. Patch Vulnerabilities Within Minutes, Not Days
Many organizations fail to patch their hardware and software in a timely manner. Our own recent research, conducted with Forrester Consulting, revealed it can take between 28 and 37 business days to patch IT vulnerabilities. When left open, these security gaps can make it easier for malicious actors to strike, paving the way for a host of damaging assaults. From disrupted systems to data breaches, enterprises cannot operate securely or protect their data (or their customers’ data) if they fail to patch vulnerabilities as soon as they are discovered.

Hackers can and will use any opening available to breach networks, disrupt operations, steal data, or hold it ransom. And new exploits are discovered every day.  For example, in January the National Security Agency informed Microsoft about a vulnerability that would allow an attacker to, most significantly, enable remote code execution. (Microsoft quickly patched the vulnerability, which affected Windows 10 and Windows Server 2016/2019.)

And, despite some perceptions that Mac and iOS are more secure, Apple has been dealing with ongoing jailbreak issues for iOS devices, which create security vulnerabilities and are not always easy to patch.  

But it’s not just operating systems and mainstream programs that are at risk. Qualcomm’s February 2020 Security Bulletin detailed multiple vulnerabilities, each with a “High” security rating. Among them, Adobe FrameMaker suffered a memory corruption vulnerability, which could lead to arbitrary code execution, and remote attackers could also make life difficult for those who use a Belkin N300 router.

With these and so many other vulnerabilities discovered every single day, security teams must have a real-time view of their IT enterprise. Their view needs to extend across all computing devices and endpoints, and they must have the ability to quickly patch their hardware and software and monitor their environments. To that end, a unified endpoint management platform is one effective way to monitor and patch systems more quickly, thus reducing the likelihood of breaches and disruptions. [Editor’s note: The author’s company is one of many that offer a unified endpoint management platform.]  

2. Improve the Relationship Between IT and Security Ops
Last year proved challenging for other foundational concepts as well. Our research found a misplaced sense of confidence among IT decision-makers: Eighty percent said they were certain they could act on the results of vulnerability scans, yet fewer than half (49%) were confident they had full visibility into all the hardware/software assets in their environments, including servers, laptops, desktops, and containers.

What we found is that overall visibility dramatically improves when IT and security and operations work closer together, and they are better able to defend the entire enterprise using shared sets of actionable data. Among IT decision-makers, those with strained relationships with security (40%) struggled more with maintaining both visibility and IT hygiene compared to those with good partnerships. When these two teams build walls, things fall through the cracks, mistakes are made, breaches are inevitable, and the entire organization is at risk. All it takes is them getting on the same page about goals, areas of focus, and tools at their disposal.

3. Consolidate Point Tools
Tools proliferation is one of the biggest mistakes we see organizations make. Typically, as a problem emerges, businesses acquire a tool to remedy it. This approach often leads to a mountain of tools that are hard to manage and monitor at scale. Our research shows that in the past two years alone, IT teams obtained an average of five new tools just for security.

IT leaders need to step back and aggressively take stock of all their tools. They should identify the capabilities and deliverables their organizations need to implement, which will help them gain a clearer view into their networks and determine which tools they can consolidate across both teams. The end result will be a leaner, more judiciously managed environment that will help drive positive business outcomes.

Always Remain Vigilant
IT teams continue to face a tremendous challenge as they move forward into a new decade. Malicious actors are more sophisticated than ever before, while many enterprises are still struggling with strained internal relationships, unpatched vulnerabilities, and a lack of comprehensive endpoint visibility. By taking proactive action on these three steps, organizations can face down threats with greater agility and earned confidence.

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium’s customers ensure that the technology powering their business can …

#cybersecurity | #hackerspace | Three Different Ways Teens Can Get Phished

Source: National Cyber Security – Produced By Gregory Evans

Teens like myself always expect to know everything about what happens on the Internet, ignoring the possible risks because, of course, there can’t be any risks if we’ve got everything under control, right? Well, wrong. Even though we think that we know who we can trust and what is safe (or not), phishers know exactly how to imitate that, becoming a very real hazard to us.

A while back, as part of a Hacker Highschool project, I presented a PowerPoint to my class about phishing, so I have some knowledge about the subject and am aware of the dangers involved. Before that, I didn’t really know all that much about it, but neither did my classmates.

I used to think phishing only appeared in fishy emails or websites that told me that I had won a trip to the Maldives, but after my research I found out that nowadays phishing techniques can be hidden anywhere and it surprised me how innocent and uninformed I was in the past.

Phishing Tactic #1 Copying a Reliable App

While I was presenting to my classmates, I showed them two pictures side by side. The first picture was a screenshot of one of those fake scammy websites and the other one was a link for the login information to retrieve their Instagram password. I told them to observe them both and tell me which one would seem more dangerous if they encountered them online. The first picture was the more obviously suspicious option. When I told them that both options were equally risky a few jaws dropped.

The fact that a phisher could imitate exactly what the login information page looked like was a shock to my schoolmates and, to be fair, to me too.

After informing them of the dangers of both websites, I asked them why they thought that the first one was risky but the second one was safe. One person told me that it was because they were used to seeing those typical fishy websites send fake or risky news and on the other hand, they had never seen something so legitimate-looking turn out to be a trap. I couldn’t have agreed more, primarily because we all consider Instagram to be a really trustworthy app, so if we get an email that looks like it came from them, most teens wouldn’t bother making sure if it’s real or not. On top of that, from time to time Instagram does send us emails, so receiving one from them wouldn’t even be considered strange.

Another case of using a reliable app for phishing teens happened a couple of years ago, also with Instagram. Many apps and websites were promising to fill your account with followers, likes and comments in a matter of minutes. Although I personally wasn’t interested, many of my friends and other teens were, and they gave away passwords and accounts for it.

Of course, there were a few apps that actually did work, but a few others just kept their account information and never fulfilled their promise. None of my friends that did it seemed to have any issues until someone started posting all sorts of spam and links on their accounts.

Phishing Tactic #2 Through Fake “Rewards” for Videogames

Like I mentioned before, the promise of rewards like winning a trip to the Maldives or a new phone doesn’t really work on most teens because we are sophisticated enough to know these are scams, but phishers do occasionally pull one over even on the most jaded teen.

A while back, many people played the game Episode and would spend lots of money on gems and tickets, which made the game more fun. Phishers knew this, and around 2016 many videos were uploaded to YouTube claiming that there was a website that could hack the game for you and get you unlimited free gems and tickets. Supposedly this was safe and perfectly legal.

Even though now I can see that it’s clearly illegal to hack an app, and quite impossible with our knowledge, thousands of teens – some of them were my friends and I – clicked on the link with hopes of gaining unlimited supplies of goodies.

Once I clicked on the link, I remember seeing on the side of the screen a very extensive list of people that apparently already got thousands of gems for the day. This was exciting until I learned the hard way that they were just bots. Long story short, the web page wasn’t the miracle we were all waiting for, but a big phishing trap instead. It was one of those cases of “too good to be true.”

To get all these “free” gems and tickets you were asked to give them lots of personal information – name, where you live, etc. – and then you had to go through a “human verification” process in which you had to answer a ton of personal questions to just end up in the home page all over again with no access to freebies. Luckily, I never put any personal information on there due to the fact that I wanted to go through it fast, so I just put whatever I came up with at the moment.

Long story short, phishers can easily take advantage of teens by exploiting their desire for free items for their favorite games. Certainly this could catch out adults too, but several studies demonstrated that teens and young adults are far more likely not to exercise caution and fall for trips like this, especially because we have this unrealistic sense of what is trustworthy and what isn’t.

Phishing Tactic #3 The Fake Email

Here we’re talking about something different from the Instagram scam I mentioned above. When I was presenting to my classmates, I asked them to explain to me how they would differentiate an email or a message from a friend from an email sent by a phisher pretending to be a friend. Everyone’s response was pretty similar: they could tell easily just by how they talk, what expressions they use and even how they type. But a phisher determined to access your online info would study all of these things beforehand, so just by letting our gut tell us if it’s our friend or not is what gets us in the trap in the first place.

I also asked my classmates how they would identify if a person is real and has genuine intentions about what they’re asking for or if it’s a phisher, because it’s one thing to try to recognize a friend, but recognizing a stranger who is genuine is something else. When asking this question I didn’t really get clear responses; some said to see if the email address looked safe or if there was a web page linked to it that could feel fishy, but again, no real response there. I realized my classmates’ approach to a phisher would purely be by feelings and trust, two factors that could be easily manipulated by the phisher themselves.

I got an email once that said that I had activity on my Google account that wasn’t mine and that I had about thirty minutes to regain control of my account. To regain it, I had to click on a link and enter my username and password. My initial reaction was to freak out and to do it before the timer ended, but luckily enough I remembered that phishing techniques love to use pressure, and that Google wouldn’t make me rush to type in a new password.

Just because I was lucky enough to not fall into that trap doesn’t mean other teens wouldn’t have.

So basically, using a fake email most definitely is a good way to get teens to give all sorts of information to the phisher, just because we prefer to trust our gut rather than using actual research on the cause.

In conclusion, several studies have demonstrated how crucial it is to protect teens from phishers, just because we’re the most vulnerable age group to fall in their traps.

Although I consider myself lucky, because thanks to the Hacker Highschool project I had to do, I learned a lot about their tactics and have been able to be extra careful when being online, and on top of that my parents have always warned me to be cautious.

I think it’s important for parents to let their teens know that phishers can pretend to be anything or anyone they want, including family members or close friends. Even if this might sound obvious to the more informed adults, it’s really shocking for most of us teens because we think it’ll only happen in movies, when in reality, it can happen to us. 


5 ways to be a bit safer this Data Privacy Day – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

Today is Data Privacy Day. As we say every year, Data Privacy Day is more than just a 24-hour period when you try to keep safe online. It’s a day to think about changes you can make in your digital life that will keep you safer […]

#cyberfraud | #cybercriminals | Business Mail Compromise: 5 ways to detect this scam and what can be done to prevent it

Source: National Cyber Security – Produced By Gregory Evans

Millions of dollars and lots of personal information are being stolen by a growing threat known as the Business Email Compromise (BEC). […]

#nationalcybersecuritymonth | 7 Ways Industry is Supporting National Cybersecurity Awareness Month

Source: National Cyber Security – Produced By Gregory Evans

We are headed into the final stretch of the 16th annual National Cybersecurity Awareness Month (NCSAM). The annual initiative is co-led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).

As the name suggests, it’s aimed at raising awareness around cybersecurity. Those that work in the space know we’ve all become more reliant on networks and cybercrime has proliferated – and the initiative is a way to spread the word about things everyone can collectively do to improve security. But spreading the word is a big challenge, so NCSAM is designed to be a public-private partnership.

Or, in the words of the official kickoff announcement:

“…a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the nation against cyber threats.”

That got us thinking: what are some of the ways the private sector is supporting NCSAM this year? Below are a few ways we found the industry is helping to build awareness.

1) Champions of NCSAM.

A “champion” is a simple and voluntary pledge an organization can make on the official website for NCSAM – StaySafeOnline.org. The pledge asks applicants how they will participate and how many people the applying organization thinks it will reach. Afterward, the NCSA asks participants to, “please collect and report to us any metrics you collect as a result of your NCSAM initiatives.”

Here is the list of the growing ranks of companies, nonprofits, schools and other organizations that have publicly signed onto the program.

2) Full-day workshops for employees.

Tech analyst Cynthia Brumfield cites a CISA representative for her story in CSO Online describing activities by “an unnamed science and research company in Bethesda.” The CISO at that organization held an all-day workshop complete with “expert speakers to educate employees on what they need to do to protect the information and data the company is building through its research efforts.”

It’s a pretty big deal for any organization to pause work for a full day and encourage employees to attend training like this, but they weren’t alone, according to Ms. Brumfield’s reporting:

“Another big corporation, a retail giant that CISA requested remain anonymous, is holding a host of internal activities for their employees throughout the month, training and educating workers at every level, starting at headquarters all the way down to individual stores.”

3) Customer tips for safely banking online.

First Bank & Trust Company, a regional financial services company in Virginia, published a list of security tips consumers should follow in online banking. The list includes current best practices such as monitoring your accounts, being wary of emails from people you don’t know, and enabling two-factor authentication (2FA), among many others.

Notably, it also highlights a recurring issue in financial scams driven by events such as disasters:

“Con artists take advantage of people after catastrophic events by claiming to be from legitimate charitable organizations when, in fact, they are attempting to steal money or valuable personal information.”

4) Hollywood-style, micro-learning videos.

Corporate training isn’t always fun, engaging or memorable, and therefore it’s not effective. That’s the thesis behind NINJIO, which makes “Hollywood-style, micro-learning videos.” These are basically short videos with important learning points about cybersecurity. However, the company goes one step further – the lessons in the video are “ripped from the headlines” meaning the videos are modeled after real security events.

In support of NCSAM this year, the company offered “organizations, employees, and families free access to a selection of their award-winning library of animated video content until the end of October 2019.”

The videos focus on three areas including:

  • email compromise and wire fraud;
  • social media engineering; and
  • spear phishing.

For example, one of the videos being offered is described as follows:

“Business Email Compromise and Real Estate Wire Fraud

NINJIO Season 2, Episode 2: ‘Homeless Homebuyer’ was inspired by the many wire fraud incidents that happen every day. In this episode, NINJIO educates learners about using verbal authorizations on any transfer of funds.”

If you are wondering, the company does have some real professional entertainment cachet, as the videos are “developed and co-produced by Hollywood writer and producer Bill Haynes, best known for CSI: NY and Hawaii Five-O.”

NINJIO has had about 50 companies, ranging from small and mid-sized businesses to mid-market enterprises, sign up in response to the company’s contribution to NCSAM this month, said Matt G. Lindley, the CISO for NINJIO, in an email exchange with Bricata.

5) Networking and panel event.

Women in Security and Privacy (WISP) teamed up with Dropbox to organize a local San Francisco networking and panel event:

“We will be featuring three amazing lightning round speakers who will cover this year’s themes of ‘Own IT. Secure IT. Protect IT.’ Attendees will be introduced to the latest tech advances used to ramp up security for their personal lives and learn tips to bring to the office.”

This struck us as a very simple and effective way to support NCSAM and it can be easily replicated. As this post is being published, there’s still time to register and attend the event if you live or work in the Golden Gate City.

6) Free online training for non-technical personnel.

Several training-oriented organizations are offering free training and resources for the month. For example, KnowBe4 has an NCSAM resource kit and Global Knowledge has compiled videos, articles, white papers and primers into a cybersecurity awareness resource page.

Separately, Inspired eLearning has put together an impressive weekly curriculum with a variety of free resources – posters, webinars, videos and more. Here’s the outline they are offering:

  • Week 1: Email Phishing
  • Week 2: Alternative Phishing Methods: Vishing, SMiShing, & USB Baiting
  • Week 3: Physical Social Engineering
  • Week 4: Prevention, Protection and Training Best Practices

7) Free online training for your security pros.

The Infosec Institute provides a variety of online training courses aimed at security and IT professionals. Typically, the Institute offers a 7-day free trial, but it has extended that to 30 days in support of NCSAM. Access is unlimited and includes more than 400 on-demand courses the organization offers and 50 skill and certification learning paths such as the CISSP and CCSP.

Finishing Strong and Planning for Next Year

As of today, there’s a little more than a week left for NCSAM, which offers some time to get on board with the initiative for this year – if you haven’t already. Likewise, we hope this list will give you a creative jumpstart on planning for it next year.

As Forrester Principal Analyst Jinan Budge wrote in a post titled, What CISOs Need To Do To Maximize Cybersecurity Awareness Month, “Plan for it as you would for any other security project…stay on top of planning and start organizing your Cybersecurity Awareness Month campaigns well in advance.”


*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/cybersecurity-awareness-month-industry/


The post #nationalcybersecuritymonth | 7 Ways Industry is Supporting National Cybersecurity Awareness Month appeared first on National Cyber Security.


6 ways to #improve your #cybersecurity #practices

Source: National Cyber Security News

Whether your company is a mid-sized family-owned enterprise or a Fortune 500 entity, likely most of your board directors don’t have backgrounds in cybersecurity.

Most top corporate leaders, including many CIOs, don’t either.

Given that reality, how can a company proactively mitigate cybersecurity risks?

I recently sat down with David Ross, a principal with Baker Tilly specializing in cybersecurity, to talk about some of the steps and strategies companies can employ. Here are some of the thoughts he shared.

1) Educate your board
Boards need to understand the potential risks and how to establish proactive policies that will provide guidance and structure should a breach happen. Cyberattacks are a very real risk, and every board member must understand his or her fiduciary duty to provide oversight regarding risks.

Even if a board has a cybersecurity expert as a director, engaging with an outside consultant can be advantageous. The world of cybersecurity is changing all the time, making multiple perspectives vitally important to understanding and anticipating new threats.

2) Assess company needs and structure
The board, along with the CEO, chief risk officer, general counsel or chief information officer, should decide how to address and staff cybersecurity inside the company.


6 ways #hackers will use #machine #learning to #launch #attacks

Machine learning algorithms will improve security solutions, helping human analysts triage threats and close vulnerabilities quicker. But they are also going to help threat actors launch bigger, more complex attacks.

Defined as the “ability for (computers) to learn without being explicitly programmed,” machine learning is huge news for the information security industry. It’s a technology that potentially can help security analysts with everything from malware and log analysis to possibly identifying and closing vulnerabilities earlier. Perhaps too, it could improve endpoint security, automate repetitive tasks, and even reduce the likelihood of attacks resulting in data exfiltration.

Naturally, this has led to the belief that these intelligent security solutions will spot – and stop – the next WannaCry attack much faster than traditional, legacy tools. “It’s still a nascent field, but it is clearly the way to go in the future. Artificial intelligence and machine learning will dramatically change how security is done,” said Jack Gold, president and principal analyst at J.Gold Associates, when speaking recently to CSO Online.

“With the fast-moving explosion of data and apps, there is really no other way to do security than through the use of automated systems built on AI to analyze the network traffic and user interactions.”

The problem is, hackers know this and are expected to build their own AI and machine learning tools to launch attacks.

How are cyber-criminals using machine learning?
Criminals – increasingly organized and offering wide-ranging services on the dark web – are ultimately innovating faster than security defenses can keep up. This is concerning given the untapped potential of technologies like machine and deep learning.

“We must recognize that although technologies such as machine learning, deep learning, and AI will be cornerstones of tomorrow’s cyber defenses, our adversaries are working just as furiously to implement and innovate around them,” said Steve Grobman, chief technology officer at McAfee, in recent comments to the media. “As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the arms race between attackers and defenders.”

This has naturally led to fears that this is AI vs AI, Terminator style. Nick Savvides, CTO at Symantec, says this is “the first year where we will see AI versus AI in a cybersecurity context,” with attackers more able to effectively explore compromised networks, and this clearly puts the onus on security vendors to build more automated and intelligent solutions.

“Autonomous response is the future of cybersecurity,” stressed Darktrace’s director of technology Dave Palmer in conversation with this writer late last year. “Algorithms that can take intelligent and targeted remedial action, slowing down or even stopping in-progress attacks, while still allowing normal business activity to continue as usual.”

Machine learning-based attacks in the wild may remain largely unheard of at this time, but some techniques are already being leveraged by criminal groups.

1. Increasingly evasive malware
Malware creation is largely a manual process for cyber criminals. They write scripts to make up computer viruses and trojans, and leverage rootkits, password scrapers and other tools to aid distribution and execution.

But what if they could speed up this process? Is there a way machine learning could help create malware?

The first known example of using machine learning for malware creation was presented in 2017 in a paper entitled “Generating Adversarial Malware Examples for Black-Box Attacks Based on GAN.” In the report, the authors revealed how they built a generative adversarial network (GAN) based algorithm to generate adversarial malware samples that, critically, were able to bypass machine-learning-based detection systems.

In another example, at the 2017 DEFCON conference, security company Endgame revealed how it used Elon Musk’s OpenAI framework to create customized malware that security engines were unable to detect. Endgame’s research was based on taking binaries that appeared to be malicious and changing a few parts so that the code would appear benign and trustworthy to the antivirus engines.

Other researchers, meanwhile, have predicted machine learning could ultimately be used to “modify code on the fly based on how and what has been detected in the lab,” an extension on polymorphic malware.

2. Smart botnets for scalable attacks
Fortinet believes that 2018 will be the year of self-learning ‘hivenets’ and ‘swarmbots’, in essence marking the belief that ‘intelligent’ IoT devices can be commanded to attack vulnerable systems at scale. “They will be capable of talking to each other and taking action based off of local intelligence that is shared,” said Derek Manky, global security strategist, Fortinet. “In addition, zombies will become smart, acting on commands without the botnet herder instructing them to do so. As a result, hivenets will be able to grow exponentially as swarms, widening their ability to simultaneously attack multiple victims and significantly impede mitigation and response.”

Interestingly, Manky says these attacks are not yet using swarm technology, which could enable these hivenets to self-learn from their past behavior. A subfield of AI, swarm technology is defined as the “collective behavior of decentralized, self-organized systems, natural or artificial” and is today already used in drones and fledgling robotics devices. (Editor’s note: Though futuristic fiction, some can draw conclusions from the criminal possibilities of swarm technology from Black Mirror’s Hated in The Nation, where thousands of automated bees are compromised for surveillance and physical attacks.)

3. Advanced spear phishing emails get smarter
One of the more obvious applications of adversarial machine learning is using algorithms like text-to-speech, speech recognition, and natural language processing (NLP) for smarter social engineering. After all, through recurrent neural networks, you can already teach such software writing styles, so in theory phishing emails could become more sophisticated and believable.

In particular, machine learning could facilitate advanced spear phishing emails to be targeted at high-profile figures, while automating the process as a whole. Systems could be trained on genuine emails and learn to make something that looks and reads convincing.

In McAfee Labs’ predictions for 2017, the firm said that criminals would increasingly look to use machine learning to analyze massive quantities of stolen records to identify potential victims and build contextually detailed emails that would very effectively target these individuals.

Furthermore, at Black Hat USA 2016, John Seymour and Philip Tully presented a paper titled “Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter,” which presented a recurrent neural network learning to tweet phishing posts to target certain users. In the paper, the pair presented that the SNAP_R neural network, which was trained on spear phishing pentesting data, was dynamically seeded with topics taken from the timeline posts of target users (as well as the users they tweet or follow) to make the click-through more likely.

Subsequently, the system was remarkably effective. In tests involving 90 users, the framework delivered a success rate varying between 30 and 60 percent, a considerable improvement on manual spear phishing and bulk phishing results.

4. Threat intelligence goes haywire
Threat intelligence is arguably a mixed blessing when it comes to machine learning. On the one hand, it is universally accepted that, in an age of false positives, machine learning systems will help analysts to identify the real threats coming from multiple systems. “Applying machine learning delivers two significant gains in the domain of threat intelligence,” said Recorded Future CTO and co-founder Staffan Truvé in a recent whitepaper.

“First, the processing and structuring of such huge volumes of data, including analysis of the complex relationships within it, is a problem almost impossible to address with manpower alone. Augmenting the machine with a reasonably capable human, means you’re more effectively armed than ever to reveal and respond to emerging threats,” Truvé wrote. “The second is automation — taking all these tasks, which we as humans can perform without a problem, and using the technology to scale up to a much larger volume we could ever handle.”

However, there’s the belief, too, that criminals will adapt to simply overload those alerts once more. McAfee’s Grobman previously pointed to a technique known as “raising the noise floor.” A hacker will use this technique to bombard an environment in a way that generates a lot of false positives for common machine learning models. Once a target recalibrates its system to filter out the false alarms, the attacker can launch a real attack that can get by the machine learning system.

5. Unauthorized access
An early example of machine learning for security attacks was published back in 2012, by researchers Claudia Cruz, Fernando Uceda, and Leobardo Reyes. They used support vector machines (SVM) to break a system running on reCAPTCHA images with an accuracy of 82 percent. All captcha mechanisms were subsequently improved, only for the researchers to use deep learning to break the CAPTCHA once more. In 2016, an article was published that detailed how to break simple-captcha with 92 percent accuracy using deep learning.

Separately, the “I am Robot” research at last year’s Black Hat revealed how researchers broke the latest semantic image CAPTCHA and compared various machine learning algorithms. The paper promised a 98 percent accuracy on breaking Google’s reCAPTCHA.

6. Poisoning the machine learning engine
A far simpler, yet effective, technique is that the machine learning engine used to detect malware could be poisoned, rendering it ineffective, much like criminals have done with antivirus engines in the past. It sounds simple enough: the machine learning model learns from input data, so if that data pool is poisoned, then the output is also poisoned. Researchers from New York University demonstrated how convolutional neural networks (CNNs) could be backdoored to produce these false (but controlled) results through CNNs like Google, Microsoft, and AWS.


Four ways #state and local CIOs can boost #cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

Looking back at the hundred-plus FBI cyber investigations and victim notifications I’ve worked over the past decade, without a doubt, the most concerning and most difficult ones centered around local and state governments.

States and cities face a tall order: protecting critical data and infrastructure. They’re expected to conduct an investigation, and remediate and prevent future attacks, all with under-staffed or non-existent cybersecurity teams, limited incident response capacity, and a lack of reliable technology.

Working closely with CIOs in cities like Los Angeles and states like Colorado has given me perspective on what is working and where we should be devoting our energy. Here are the top four observations — and solutions — for helping city and state CIOs resolve their cybersecurity challenges.

1. Get the basics right, then tackle IoT

I get it. IoT is important. IoT is scary. But we are still not doing the basics on the workstations and servers that run those IoT devices. Many jurisdictions, for instance, do not yet have a complete and accurate inventory of every asset on their network. And the easiest way to breach a network will always be through the one unpatched piece of software the organization doesn’t know about — not the smart streetlight (yet). This is not to say states and cities should halt all IoT efforts. Rather, they should prioritize their time and investments in getting essential cyber hygiene efforts done first.

Action item: Have your security team run a vulnerability scan and compare the endpoints found with your IT team’s most recent patch report. If the reports are identical, compliment both teams; if they’re not, check both teams’ tools. One of them is broken.
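One way to run the comparison in the action item above, as an added example that is not part of the original article: reconcile the hosts a vulnerability scan found against the hosts in the patch report, matching on MAC address or short hostname. The CSV columns, the sample rows and the function names are assumptions; real scanner and patch-tool exports will differ.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a real tool's format.
SCAN_CSV = """ip,hostname,mac
10.0.0.5,WEB01.city.example,00:1A:2B:3C:4D:5E
10.0.0.6,db01,00-1a-2b-3c-4d-5f
10.0.0.9,,00:1A:2B:3C:4D:99
10.0.0.12,print03.city.example,00:1a:2b:3c:4d:60
"""
PATCH_CSV = """hostname,mac,last_patched
web01,00:1a:2b:3c:4d:5e,2019-10-01
DB01.city.example,00:1A:2B:3C:4D:5F,2019-09-15
hr-laptop7,00:1A:2B:3C:4D:70,2019-10-03
"""


def norm_host(name):
    """Lower-case and drop the DNS suffix so WEB01.city.example equals web01."""
    return name.strip().lower().split(".")[0]


def norm_mac(mac):
    """Drop separators and case so 00-1a-... and 00:1A:... compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def load(text):
    """Parse one CSV export into (identifier set, original row) pairs."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        ids = set()
        if row.get("mac"):
            ids.add(("mac", norm_mac(row["mac"])))
        if row.get("hostname"):
            ids.add(("host", norm_host(row["hostname"])))
        assets.append((ids, row))
    return assets


def reconcile(scan_text, patch_text):
    """Return (scan_only, patch_only): assets that one tool sees and the other does not."""
    scan, patch = load(scan_text), load(patch_text)
    scan_ids = set().union(*(ids for ids, _ in scan))
    patch_ids = set().union(*(ids for ids, _ in patch))
    # An asset is matched if any of its identifiers appears in the other report.
    scan_only = [row for ids, row in scan if not ids & patch_ids]
    patch_only = [row for ids, row in patch if not ids & scan_ids]
    return scan_only, patch_only


if __name__ == "__main__":
    scan_only, patch_only = reconcile(SCAN_CSV, PATCH_CSV)
    print("Seen by the scanner, absent from the patch report:")
    for row in scan_only:
        print("  ", row["ip"], row["hostname"] or "(no hostname)")
    print("In the patch report, not seen by the scanner:")
    for row in patch_only:
        print("  ", row["hostname"], row["last_patched"])
```

Hosts in the first list are candidates for unmanaged or unknown assets; hosts in the second may be offline, outside the scan range, or stale inventory entries.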

2. Break down organizational silos

IT operations in state and city government are often run by the various agencies within the government, rather than being centralized under the state’s or city’s CIO. This leads to shadow IT, with a wide range of servers, software, and hardware spread across the state and city, and no standardized way to measure their risk level or even know when systems need to be updated. IT administrators cannot share best practices, causing further inefficiencies. What’s worse than shadow IT? Shadow security — rogue systems with no security features turned on. Fortunately, some states and cities have made significant efforts toward consolidating and federating their IT, and the broader trend is toward consolidation, as NASCIO reported in its survey of state CIOs.

Action item: Identify the agency or department with the least number of cybersecurity resources and consolidate those first. Don’t boil the ocean by starting at the agency with the most crown jewels.

3. Reduce the number of tools

Because technology management is so spread out across agencies, states and cities tend to have dozens of tools for managing their IT and security. I once responded to an incident at a state government that had more than a dozen different tools for asset inventory and patching alone. If you have a dozen tools, you need people with expertise in each piece of software, and you have to commit valuable time and money to train those people. When a mistake gets made and leads to an incident, IT staffers have to bring in outside help, because no one internally has expertise in all the tools, which is required to conduct a proper response. States and cities can significantly reduce their risk, and improve efficiency, by consolidating IT operations and security tools. Shared tools also are better for states’ budgets, because procurement officials can negotiate state-wide prices.

Action item: Track the top 10 agencies in your state or city by number of employees and count the number of IT and security tools being used across all 10 networks. Start thinking about how many tools overlap and which ones can be decommissioned.

4. Create dedicated security roles

The cybersecurity workforce gap is an oft-discussed issue, but it’s especially prevalent in local governments and even some state agencies. Too often, IT professionals are tasked with taking on security roles, too, or their positions are only part time. In both cases, not enough attention is being paid to security. IT teams need to get creative in solving their workforce issues. Try forming tiger teams made up of diverse experts from across agencies to evaluate your state holistically and solve discrete IT and security problems. Consider leveraging existing resources, such as your state’s National Guard. Explore ways to partner with local universities to get young people interested in government and cybersecurity. By far, the most interesting cyber cases I’ve investigated happened only because I worked for the government. It is why NSA, not Silicon Valley, is able to hire the best mathematicians — they recruit early and often.

Action item: Sponsor a capture-the-flag hacker tournament at a state college and offer the top three winners summer internships at your agency.

Many of these challenges and solutions are connected. Reducing the number of tools not only helps with security, it also addresses your workforce issues by freeing up the time and money you were formerly spending on a plethora of tools and training.

States and cities are clearly placing an increased emphasis on improving IT management and security, as was made clear when 38 governors signed the National Governors Association’s cybersecurity compact this summer. Now it’s time to tackle the tough issues.

The post Four ways #state and local CIOs can boost #cybersecurity appeared first on National Cyber Security Ventures.
