<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Megamind</title>
	<atom:link href="http://megamindtraining.com/feed" rel="self" type="application/rss+xml" />
	<link>http://megamindtraining.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Tue, 14 May 2013 22:15:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Cybersecurity and Cyberwarfare</title>
		<link>http://megamindtraining.com/1600/cybersecurity</link>
		<comments>http://megamindtraining.com/1600/cybersecurity#comments</comments>
		<pubDate>Mon, 13 May 2013 03:29:35 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=1600</guid>
				<content:encoded><![CDATA[<p>President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America&#8217;s economic prosperity in the 21st century will depend on cybersecurity.”</p>
<p>As a result, the President directed a top-to-bottom review of the Federal Government&#8217;s efforts to defend our information and communications infrastructure, which resulted in a report titled the <a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">Cyberspace Policy Review</a>. To implement the results of this review, the President has appointed Howard Schmidt to serve as the U.S. Cybersecurity Coordinator and created the Cybersecurity Office within the National Security Staff, which works closely with the Federal Chief Information Officer Steven VanRoekel, the Federal Chief Technology Officer Todd Park, and the <a href="http://www.whitehouse.gov/administration/eop/nec">National Economic Council</a>. Source: <a href="http://www.whitehouse.gov/cybersecurity">www.whitehouse.gov/cybersecurity</a>.</p>
<p>What is Cybersecurity? It’s really computer security, or better yet, information security applied beyond a single company, enterprise or government. Although the word was coined in 1994, it has recently been used by the media and the U.S. government to define the secure electronic “bubble” that protects a country, hence the cyberspace and the cybersecurity that come along with it. This includes not just the traditional traffic of the internet, but also the power grid, transportation and utilities that make computing possible… as well as the protection of the cyber citizens!</p>
<p>When we start the study of its parts, we find that cybersecurity is the body of people, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access (both internal and external).</p>
<p>The U.S. Department of Defense (DoD) has a lot to protect and cannot do this alone. It relies on many public and private enterprises to help achieve this critical goal. The number of documented attacks on computer-based systems and communications systems increases on a daily basis, and we call this activity cyberwarfare. The threats are increasing, and the number of jobs relating to cybersecurity will continue to expand! Which side do you want to be on? Defender or attacker? Well, in cyberwarfare there is room for both! We need defenders as well as some skilled attackers…</p>
<p>A well-trained information security professional will be able to detect when intruders attack, or be alerted by a central console which is monitoring thousands of sensors placed on servers, network devices and even laptops and desktops. Recently, the network has been extended to protect those “Bring Your Own Device” (BYOD) cases and even mobile and cell phone equipment. In order for these talented security engineers to perform or even be considered for the position, the U.S. DoD established an official policy in 2004 that requires any full- or part-time military service member, contractor, or foreign employee with privileged access to a DoD information system, regardless of job or occupational series, to obtain a commercial information security credential accredited by ANSI or an equivalent authorized body under the ANSI/ISO/IEC 17024 Standard. The Directive also requires that those same employees maintain their certified status with a certain number of hours of continuing professional education each year. The U.S. DoD Directive 8570 lists about 12 different security certifications; among the top 3 is the CISSP. The Certified Information Systems Security Professional continues to be the gold standard in certifications.</p>
<p>Megamind Institute is offering many opportunities this year for boot camps for security professionals who want to pursue this highly coveted certification. Check our schedule for details: <a href="http://megamindtraining.com/portfolio/cissp-boot-camp-training"><span style="color: #045f8f;">http://megamindtraining.com/portfolio/cissp-boot-camp-training</span></a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/1600/cybersecurity/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are Passwords Becoming Obsolete?</title>
		<link>http://megamindtraining.com/1450/are-passwords-becoming-obsolete</link>
		<comments>http://megamindtraining.com/1450/are-passwords-becoming-obsolete#comments</comments>
		<pubDate>Sat, 02 Mar 2013 17:17:46 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[access controls]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[something you]]></category>
		<category><![CDATA[token]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=1450</guid>
				<content:encoded><![CDATA[<p><a href="http://megamindtraining.com/wp-content/uploads/2013/03/Security_icon_512.png"><img class="alignnone size-thumbnail wp-image-1452" alt="Security_icon_512" src="http://megamindtraining.com/wp-content/uploads/2013/03/Security_icon_512-150x150.png" width="150" height="150" /></a>We hear this question from time to time, so we might as well address it at the start of this section on Access Controls. While a password is considered similar to your ATM card PIN number since it’s <strong>something you know</strong>, the implications run a bit deeper.</p>
<p>Many organizations, thinking to increase security for valuable systems, have looked into alternatives which require <strong>something you have</strong>, like a smart card or token, but these technical security controls tend to be expensive propositions when deployed to thousands of administrators… The even more expensive technical solutions, which require recording <strong>something you are</strong>, like your fingerprints, face recognition or iris scan, have come down in price, and even most entry-level computers or Android phones offer some of these capabilities.<br />
The issue comes down to infrastructure, support costs and common sense.<br />
The average support cost for password resets is about $30. Single sign-on minimizes this cost factor. Online password reset systems are also great cost and time savers. If we increase the length of the password string and its complexity, we increase the security of our network for the small price of a minor inconvenience.<br />
<strong>Security is not free, but it also is not a business hindrance…</strong><br />
With regard to this last statement, many corporate and government agency security policies read something pretty close to this:<br />
“Users must have the capability of changing their own password online.”<br />
&#8220;Regular Passwords should be changed every 90 days or sooner.&#8221;<br />
And last but not least, “Password construction must be complex enough to avoid use of passwords that are vulnerable to cracking or attack. Names, dictionary words, or combinations of words must not be used; not even if they contain substitutions of numbers for letters, e.g. s3cur1ty. Do not use passwords that might be easily guessed or subject to social engineering, e.g. date of birth, wedding anniversary, pet or partner&#8217;s name, favorite sports team.&#8221;</p>
<p>What do you think? Are passwords obsolete or too expensive for our internet-connected world?</p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/1450/are-passwords-becoming-obsolete/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Trends For 2013</title>
		<link>http://megamindtraining.com/913/information-security-trends-for-2013</link>
		<comments>http://megamindtraining.com/913/information-security-trends-for-2013#comments</comments>
		<pubDate>Sat, 05 Jan 2013 05:22:17 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=913</guid>
				<content:encoded><![CDATA[<p><strong>What&#8217;s in store in Information Security for 2013?<a href="http://megamindtraining.com/913/information-security-trends-for-2013/fone-red" rel="attachment wp-att-888"><img class=" wp-image-888 alignright" alt="Fone-red" src="http://megamindtraining.com/wp-content/uploads/2012/10/Fone-red-150x150.png" width="90" height="90" /></a></strong></p>
<p>If we continue the trends of 2012, the good news is that Security will improve for larger or well-funded organizations. Here are some of the main issues of Information Security that I predict for 2013&#8230;</p>
<p><strong>Clouds for Enterprise and Government</strong></p>
<p>In 2013 more businesses and governments will continue the move to cloud computing while also seeking security checks and balances to protect corporate data. Cloud services are finally getting over their hype curve, and are starting to deliver reliable and secure platforms.</p>
<p><strong>Sandboxing Smartphone Apps</strong></p>
<p>When a sandbox application is used to access corporate emails, that application is resident on the machine only while you&#8217;re receiving emails, you can&#8217;t copy any attachments in or out, and all transient data disappears when the application exits.</p>
<p><strong>Cross-Platform Attacks Increase</strong><br />
Write once, infect anywhere? A dream come true for any malware writer. But until recently, the relatively small base of alternative operating systems (Mac, Linux, Unix, Android) did not make it easy to write cross-platform malware. In 2012, however, malware authors altered their approach with the Flashback malware. With the Flashback Trojan in early 2012, more than 600,000 Mac computers were infected. Since Flashback, more than one attack has targeted multiple operating systems via cross-platform vulnerabilities present in Java and Flash, and there is no doubt that the targeting of those will continue in 2013. With the prevalence of Macs in the workplace and the number of mobile devices, this is becoming an easier target.</p>
<p><strong>Malware Targets Critical Infrastructure</strong></p>
<p>In 2012 we saw two major attacks from government and hacktivist [strange bedfellows!] organizations attacking foreign countries&#8217; infrastructure [Iran, Egypt] or companies [Saudi energy]: the Flame and Shamoon malware. There will be more to come&#8230; The scary thing is that this malware lived without detection for months&#8230;</p>
<p><strong>Malware Targets New High Tech Mobile Technologies</strong></p>
<p>One of the more innovative attacks to emerge over the past year involves fake QR codes, which attackers have printed out and used to cover up real QR codes on advertisements! Attackers promise &#8220;free $100 to open a bank account&#8221; and send consumers to fake versions of their bank&#8217;s website, then steal their access credentials. Another new banking technology for payment convenience is near field communication (NFC), but since it&#8217;s still young, many security issues will be discovered and exploited! Another mobile issue will be Digital Wallets, and expect any combination of smartphones, payment capabilities, or credit card data to draw attackers&#8217; interest&#8230;</p>
<p style="text-align: center;"><em><strong>STAY SAFE IN 2013!</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/913/information-security-trends-for-2013/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Mobile Security</title>
		<link>http://megamindtraining.com/703/mobile-security</link>
		<comments>http://megamindtraining.com/703/mobile-security#comments</comments>
		<pubDate>Thu, 04 Oct 2012 05:39:19 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=703</guid>
				<content:encoded><![CDATA[<p><strong>Mobile Risk Management in the Age of 4G</strong></p>
<div id="attachment_889" class="wp-caption alignnone" style="width: 160px"><a href="http://megamindtraining.com/wp-content/uploads/2012/10/BYOD_032612_150px.jpg"><img class="size-thumbnail wp-image-889" src="http://megamindtraining.com/wp-content/uploads/2012/10/BYOD_032612_150px-150x150.jpg" alt="Mobile devices" width="150" height="150" /></a><p class="wp-caption-text">Mobile devices</p></div>
<p>When Marconi invented wireless back in 1896, he probably did not predict the new trend of Bring Your Own Device (BYOD) and its security headaches. According to Gartner Group, the world is expected to have over 1.8 billion smartphones by 2013, more devices than personal computers! More and more people use their smartphones for shopping, to purchase items online or to show a coupon at the store to get an instant coupon! Wireless and mobile computing represent the true convergence of cyberspace and the physical world, which brings cybersecurity into the picture.</p>
<p>Any communication channel can be vulnerable to attacks against the <strong>confidentiality, accessibility and integrity</strong> of the transferred data. Fast and ubiquitous network technologies create a fertile environment to commit crimes of significant magnitude and complexity with incredible speed. In other words, Pandora’s box was opened years ago when enterprises and government facilities allowed personal wireless and mobile devices into their secure enclaves.</p>
<p>The cybercrimes of today are not new in concept – fraud, theft, impersonation, denial of service and related extortion demands have all plagued the financial services industry for years. However, the widespread use of the Internet and emerging wireless technologies to carry out these acts has exposed everyone using information technology to crimes of greater impact and scope. In recent years, this “digital insider” phenomenon has become a widespread compromise of corporate, financial and government IT systems security.</p>
<p>“Bring Your Own Device” is a megatrend in the workplace, due to personal emails or social networking being blocked on corporate equipment.<br />
You should always follow the security policy and procedures of your organization. Here are some tips to protect you and your devices:</p>
<p><strong>Encryption:</strong> Do not store private or sensitive information on the device. If there is a need to store private or sensitive information on the device, it should be encrypted.</p>
<p><strong>Passwords:</strong> Prevent unauthorized access to the device by using a password, PIN, or secure code.</p>
<p><strong>Security Software:</strong> Install mobile device security where applicable, with features such as anti-virus, anti-malware, anti-spyware, anti-phishing and suspicious web site detection, etc.</p>
<p><strong>Patches and Updates:</strong> Just like a desktop computer, keep the device current with the latest patches and updates issued from the manufacturer for continued protection from potential and/or existing security vulnerabilities.</p>
<p><strong>Backup:</strong> Use a separate and removable storage device to regularly back-up information stored on the mobile device, or signup for a trusted online backup service.</p>
<p><strong>Apps:</strong> Millions of apps are available; however they are not all secure. Some apps may contain malicious code, such as malware or viruses. Others may be tracking your location, monitoring your online activities, or even sending email without<br />
your knowledge. Be sure to read the permissions when downloading apps and only download them from reputable sources (specially Android sources since they install apps from multiple sources.)</p>
<p><strong>WiFi:</strong> Be careful about using WiFi access. Most public WiFi networks are insecure meaning anything you access, read, or transmit can be seen by any other user on that same WiFi network by using a simple sniffer or acting as a man-in-the-middle-attack.</p>
<p><strong>Email:</strong> Email is accessible from any mobile device that has network access. Be cautious of suspicious emails that contain attached files or URLs embedded in the email. Just this past week there was a security flaw reported for the Galaxy SIII whereby sending you to a web site with malicious code could perform a factory data reset without your consent! <a title="security flaw for the galaxy SIII" href="http://www.taskmobilesolutions.com/security-flaw-for-the-galaxy-siii/" target="_blank">http://www.taskmobilesolutions.com/security-flaw-for-the-galaxy-siii/</a></p>
<p><strong>Physical Security:</strong> Physical security is an important component to protecting a mobile device from theft or unauthorized access.<br />
Never leave mobile devices unattended. Devices should be locked up, or hidden out of plain view when not in use.</p>
<p><strong>Remote Services:</strong> Install and enable remote services and features such as remote lock, remote wipe and GPS location.</p>
<p>Have safe travels! And if you lose your mobile device, chances are it will end up at <a title="unclaime dbaggage" href="http://unclaimedbaggage.com/" target="_blank">unclaimedbaggage.com</a></p>
<p><em><strong> Didn&#8217;t we recommend using a password/PIN to lock the screen? &#8230;</strong></em></p>
<p>The post <a href="http://megamindtraining.com/703/mobile-security">Mobile Security</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/703/mobile-security/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cloud Security</title>
		<link>http://megamindtraining.com/701/cloud-security</link>
		<comments>http://megamindtraining.com/701/cloud-security#comments</comments>
		<pubDate>Wed, 09 Nov 2011 05:58:15 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=701</guid>
		<description><![CDATA[<p>Cloud Security Well, it&#8217;s been a while since I&#8217;ve posted&#8230; Security work is always in demand! I will cover Android and PCI Assessments in future blogs, but I would like to start a short series on a hot [and hyped] topic: Cloud Computing Security&#8230; First, let&#8217;s define the terms: Cloud Computing is a SERVICE provided by an internal IT shop [private cloud] or outsourced to a provider [public cloud]. Occasionally organizations, like non-governmental organizations (NGOs) or universities, work together to create a similar cloud they can share among themselves, and that is called a &#8220;community cloud.&#8221; If you mix any of the three types of clouds, you get a hybrid cloud! So far so good? Alright, let&#8217;s go a little deeper&#8230; remember, all we are trying to do is for our client computer to connect to a remote server to perform some work&#8230; As I mentioned earlier, cloud computing is a service and it comes in 3 flavors: Infrastructure &#8211; just like you have been able to rent rack space or gigabytes galore in the past, Infrastructure as a Service (IaaS) is the service of providing infrastructure on demand. You provide the OS and things you need&#8230; as close to bare metal as you can get. You also have good control of the security of the remote infrastructure. Platform &#8211; sometimes you just don&#8217;t have the IT resources and you just need another database or application server for testing or when you know demand will be high. You may need debugging or programming tools as well, whether it is Java, .NET or PHP. Many software vendors are a pain to deal with when it comes to software licenses. Well, that&#8217;s where Platform as a Service (PaaS) comes in. You rely on the vendor to maintain and secure the platform; you provide the data and the applications. 
Software as a Service or SaaS is a perfect fit for a small company [but not limited by size] that does not even have an IT department and needs an email service, a content management server (CMS) or a customer relationship management (CRM) system; basically, on-demand software. So the companies get to save money&#8230; and the former hosting companies sell more &#8220;space and bandwidth.&#8221; Wait! What about security? I&#8217;m glad you asked! We&#8217;ll cover that exact topic tomorrow! ===== What about Cloud Security? Let’s think of the process for a second: you used to have servers in house (if you had an IT department), then you moved them to a hosting environment under tight control, and now you finally moved your main servers to another layer on the internet where your trusted employees and partners can get access… any security issues here? When an organization goes to the cloud, it gains a number of advantages (especially cost savings) at the cost of losing at least some degree of control over its computing and networking environment. If an organization contracts for Software-as-a-Service (SaaS), its users will obtain access to a variety of applications and databases that support the applications. The cloud applications will run somewhere outside of the organization’s network, so the hop count for traffic from users’ workstations to servers on which the applications run will grow, causing increased latency in interactions with applications. Another important integration consideration is authentication and authorization. In some ways, the worst possible cloud integration scenario is when an organization that has designed and implemented an identity management solution based on certain services and protocols migrates to cloud services that perform authentication and authorization in a different way. Suppose, for example, that an organization uses an identity management system with LDAP-based authentication and authorization. 
Suppose, too, that a large proportion of internal applications interface with the identity management system through LDAP. If this organization signs on for SaaS with a cloud provider that does not use LDAP-based authentication and authorization, the organization’s transition is likely to be very difficult. Still another integration issue is auditability. When an organization’s IT functions are entirely in-house, it is easy to obtain log output from servers, workstations and devices to obtain a thorough picture of what kinds of events and conditions are occurring. Additionally, IT staff can launch vulnerability scans at will. When the organization moves its IT functions to the cloud, however, it is generally more difficult to obtain the same amount of information. Some CSPs allow customers to query at will for information such as the status of patches in critical hosts, but many do not. Organizations that are making the transition between in-house and cloud services need to determine how to keep getting the log and status condition output they need in the interim, while at the same time exploring long-term solutions. Next we&#8217;ll get really technical: Encryption! ============================= &#160;</p><p>The post <a href="http://megamindtraining.com/701/cloud-security">Cloud Security</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><strong>Cloud Security</strong></p>
<p>Well, it&#8217;s been a while since I&#8217;ve posted&#8230; Security work is always in demand! I will cover Android and PCI Assessments in future blogs, but I would like to start a short series on a hot [and hyped] topic: Cloud Computing Security&#8230;</p>
<p>First, let&#8217;s define the terms: Cloud Computing is a SERVICE provided by an internal IT shop [private cloud] or outsourced to a provider [public cloud]. Occasionally organizations, like non-governmental organizations (NGOs) or universities, work together to create a similar cloud they can share among themselves, and that is called a &#8220;community cloud.&#8221; If you mix any of the three types of clouds, you get a hybrid cloud! So far so good?</p>
<p>Alright, let&#8217;s go a little deeper&#8230; remember, all we are trying to do is for our client computer to connect to a remote server to perform some work&#8230; As I mentioned earlier, cloud computing is a service and it comes in 3 flavors:</p>
<p><strong>Infrastructure</strong> &#8211; just like you have been able to rent rack space or gigabytes galore in the past, Infrastructure as a service (IaaS) is the service of providing infrastructure on demand. You provide the OS and things you need&#8230; as close to bare metal as you can get. You also have good control  of the security of the remote infrastructure.</p>
<p><strong>Platform</strong> &#8211; sometimes you just don&#8217;t have the IT resources and you just need another database or application server for testing or when you know demand will be high. You may need debugging or programming tools as well, whether it is Java, .NET or PHP. Many software vendors are a pain to deal with when it comes to software licenses. Well, that&#8217;s where Platform as a Service (PaaS) comes in. You rely on the vendor to maintain and secure the platform; you provide the data and the applications.</p>
<p><strong>Software as a Service</strong> or SaaS is a perfect fit for a small company [but not limited by size] that does not even have an IT department and needs an email service, a content management server (CMS) or a customer relationship management (CRM) system; basically, on-demand software.</p>
<p>So the companies get to save money&#8230; and the former hosting companies sell more &#8220;space and bandwidth.&#8221; Wait! What about security? I&#8217;m glad you asked! We&#8217;ll cover that exact topic tomorrow!</p>
<p>=====</p>
<p><strong>What about Cloud Security?</strong></p>
<p>Let’s think of the process for a second: you used to have servers in house (if you had an IT department), then you moved them to a hosting environment under tight control, and now you finally moved your main servers to another layer on the internet where your trusted employees and partners can get access… any security issues here?</p>
<p>When an organization goes to the cloud, it gains a number of advantages (especially cost savings) at the cost of losing at least some degree of control over its computing and networking environment. If an organization contracts for Software-as-a-Service (SaaS), its users will obtain access to a variety of applications and databases that support the applications. The cloud applications will run somewhere outside of the organization’s network, so the hop count for traffic from users’ workstations to servers on which the applications run will grow, causing increased latency in interactions with applications.</p>
<p>Another important integration consideration is authentication and authorization. In some ways, the worst possible cloud integration scenario is when an organization that has designed and implemented an identity management solution based on certain services and protocols migrates to cloud services that perform authentication and authorization in a different way. Suppose, for example, that an organization uses an identity management system with LDAP-based authentication and authorization. Suppose, too, that a large proportion of internal applications interface with the identity management system through LDAP. If this organization signs on for SaaS with a cloud provider that does not use LDAP-based authentication and authorization, the organization’s transition is likely to be very difficult.</p>
<p>Still another integration issue is auditability. When an organization’s IT functions are entirely in-house, it is easy to obtain log output from servers, workstations and devices to obtain a thorough picture of what kinds of events and conditions are occurring. Additionally, IT staff can launch vulnerability scans at will. When the organization moves its IT functions to the cloud, however, it is generally more difficult to obtain the same amount of information. Some CSPs allow customers to query at will for information such as the status of patches in critical hosts, but many do not. Organizations that are making the transition between in-house and cloud services need to determine how to keep getting the log and status condition output they need in the interim, while at the same time exploring long-term solutions.</p>
<p>Next we&#8217;ll get really technical: Encryption!</p>
<p>=============================</p>
<p>The post <a href="http://megamindtraining.com/701/cloud-security">Cloud Security</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/701/cloud-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security is not funny</title>
		<link>http://megamindtraining.com/659/security-is-not-funny</link>
		<comments>http://megamindtraining.com/659/security-is-not-funny#comments</comments>
		<pubDate>Mon, 18 Apr 2011 03:16:47 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=659</guid>
		<description><![CDATA[<p>I was reading Frank Hayes&#8217; opinion column in ComputerWorld this week about some of the recent cyber security incidents, some of them affecting security companies. His theme was that security occasionally becomes the joke. Yes, TSA gets on our nerves, the antivirus 2011 malware causes confusion among our user community and last week alone Microsoft released a record number of security patches. Are you feeling safer already? Not really, that was a funny line, yet no one is laughing. Security has become mainstream in moderate to mature corporations. They start with a policy, they provide the tools to the techies and then they ENFORCE the policy! Younger organizations, or the ones not realizing the risk they are in, endanger themselves or connected partners, and they think the joke is on them&#8230; The PCI DSS (Payment Card Industry Data Security Standard) has proven to have more teeth than other government regulations. Compare these statements: Big Credit Card company tells retailer: &#8220;If you are not PCI certified, you have to pay us $50,000 a month or stop processing our credit cards&#8221; versus GSA telling a government agency: &#8220;so you have an F in security this year, so we are cutting the budget a little this year&#8221;. One of the consequences of a government incident: the U.S. Department of Veterans Affairs breach resulted in fines of $1,000 per violation, which amounted to $26.5 billion. Who paid for that? US taxpayers. T.J. Maxx was hacked and 94 million credit card numbers were stolen. Who paid? T.J. Maxx shareholders and consumers. So where is the joke in all this? It&#8217;s not funny. But why does it take an incident to raise concerns among management and get them to start doling out money for security and compliance? Because they feel the pain and shame of being the butt of the joke! And as Frank wrote: &#8220;maybe your users will realize that what they do matters.&#8221; Until next time, stay secure! 
Sources: US Veterans Affairs http://datalossdb.org/incidents/289-names-social-security-numbers-and-dates-of-birth-of-26-5-million-u-s-military-veterans-stolen TJ Maxx http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details</p><p>The post <a href="http://megamindtraining.com/659/security-is-not-funny">Security is not funny</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>I was reading Frank Hayes&#8217; opinion column in ComputerWorld this week about some of the recent cyber security incidents, some of them affecting security companies. His theme was that security occasionally becomes the joke. Yes, TSA gets on our nerves, the antivirus 2011 malware causes confusion among our user community and last week alone Microsoft released a record number of security patches. Are you feeling safer already? Not really, that was a funny line, yet no one is laughing.</p>
<p>Security has become mainstream in moderate to mature corporations. They start with a policy, they provide the tools to the techies and then they ENFORCE the policy! Younger organizations, or the ones not realizing the risk they are in, endanger themselves or connected partners, and they think the joke is on them&#8230;</p>
<p>The PCI DSS (Payment Card Industry Data Security Standard) has proven to have more teeth than other government regulations. Compare these statements: Big Credit Card company tells retailer: &#8220;If you are not PCI certified, you have to pay us $50,000 a month or stop processing our credit cards&#8221; versus GSA telling a government agency: &#8220;so you have an F in security this year, so we are cutting the budget a little this year&#8221;. One of the consequences of a government incident: the U.S. Department of Veterans Affairs breach resulted in fines of $1,000 per violation, which amounted to $26.5 billion. Who paid for that? US taxpayers. T.J. Maxx was hacked and 94 million credit card numbers were stolen. Who paid? T.J. Maxx shareholders and consumers.</p>
<p>So where is the joke in all this? It&#8217;s not funny. But why does it take an incident to raise concerns among management and get them to start doling out money for security and compliance? Because they feel the pain and shame of being the butt of the joke! And as Frank wrote: &#8220;maybe your users will realize that what they do matters.&#8221;</p>
<p>Until next time, stay secure!</p>
<p>Sources:</p>
<p>US Veterans Affairs http://datalossdb.org/incidents/289-names-social-security-numbers-and-dates-of-birth-of-26-5-million-u-s-military-veterans-stolen</p>
<p>TJ Maxx http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details</p>
<p>The post <a href="http://megamindtraining.com/659/security-is-not-funny">Security is not funny</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/659/security-is-not-funny/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber Security and Identity Theft</title>
		<link>http://megamindtraining.com/661/identity-thef</link>
		<comments>http://megamindtraining.com/661/identity-thef#comments</comments>
		<pubDate>Wed, 17 Nov 2010 22:57:26 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=661</guid>
		<description><![CDATA[<p>Cyber Security and Identity Theft</p><p>The post <a href="http://megamindtraining.com/661/identity-thef">Cyber Security and Identity Theft</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Today’s biggest cyber security concern is <strong>Identity Theft</strong>. It&#8217;s the fastest growing crime in the world!</p>
<p>Organized crime and creative malicious people will have their share of stolen goods before the end of the year&#8230;. don&#8217;t make it easy on them and become a cyber victim!</p>
<p>Cyber-thieves use all kinds of methods (<strong>hacking</strong>, tempting targeted <strong>spam</strong>, <strong>spyware </strong>for intercepting information, etc.) to steal personal or financial information from their victims, mostly from their computers.</p>
<p>The latest of these nefarious activities even sports a name: <strong>phishing </strong>(pronounced like ‘‘fishing”). The thief sends a simple e-mail that looks like it came from a genuine site (mostly from financial institutions and retailers such as Citibank, eBay, PayPal, Best Buy and others), telling you there is a problem with your account. Basically, it&#8217;s like &#8220;hacking for dummies&#8221;, except they are doing the hacking and you are being the dummy if you click on the link! The hacker would like you to click on a certain link in the e-mail, which takes you to a site that looks exactly like that of your bank. There, they will ask you to enter your password, Social Security or credit card numbers, and/or other confidential numbers again.</p>
<p>The following are some ways to minimize the risk of your identity being stolen:</p>
<ul>
<li>Don’t visit a site by clicking on third-party links. Open a new browser and type the address yourself if you want to visit a site.</li>
<li>Do business with reputable companies.</li>
<li>Some attackers may try to trick you by creating web sites that appear to be legitimate.</li>
<li>Update your web browser! Newer versions of Internet Explorer, Firefox or Google Chrome have anti-spoofing alerts or alert you about invalid certificates&#8230;</li>
</ul>
<p>You can also check privacy policies to see how the company in question uses and distributes information. Many companies allow customers to request that their information not be shared with other companies.</p>
<p>Maintain a security mindset – always be skeptical of unfamiliar sites and links, suspicious e-mails and IM messages.</p>
<p>Anti-virus software and firewall<br />
As standard practice, using and maintaining anti-virus software and a firewall will protect your computer from attacks that may steal or modify data on your computer.<br />
Make sure to keep your anti-virus program and firewall up to date.</p>
<p>Fighting identity robbery<br />
As precautionary steps, regularly check your credit reports for strange transactions or transactions you don’t recall, unusual charges on your bills, bills for products and services you don’t have, or worse, unexpected denial of your credit card.</p>
<p>Once the identity robbery has been confirmed, calls to the appropriate companies and agencies must be made immediately. Have your credit card accounts closed right away so future charges will be denied.</p>
<p>Contact the Social Security Administration if your Social Security card number has been accessed, or the DMV if your driver’s license or car registration papers were stolen. This is to warn these agencies of possible unauthorized use of your personal ID information. Of course, you need to file a criminal report with the local police.</p>
<p>For U.S. citizens, you need to contact the main credit reporting companies (Equifax, Experian, TransUnion) to see if there has been any unexpected or unauthorized activity. Have fraud alerts placed on your credit reports to prevent new accounts from being opened without verification. File a complaint with the FTC and IFCC.</p>
<p>A website, <a href="www.identitytheftactionplan.com">www.identitytheftactionplan.com</a>, has been created to help citizens prevent, detect, and respond to identity theft and fraud. Within the site is information on how identity theft occurs, the latest prevention tips, what to do in case you are victimized and pertinent information on law enforcement agencies that investigate these crimes. Two other sites to learn more about phishing and ID theft are the following: <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/">consumer.gov/idtheft</a> and <a href="http://idtheftcenter.org/">idtheftcenter.org</a></p>
<p>If you want to watch an interesting movie about the dangers of Identity Theft, check out the classic movie &#8220;The Net&#8221; about a person&#8217;s ordeal when her identity is stolen http://www.imdb.com/title/tt0113957/</p>
<p><strong>Vigilance, information and action.</strong> Cyber security dictates that every cyber citizen (those using computers  and the Internet in most of their activities) needs to be vigilant at  all times!!!</p>
<p>The post <a href="http://megamindtraining.com/661/identity-thef">Cyber Security and Identity Theft</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/661/identity-thef/feed</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Know the Truth, Exposing Myths in Cyber Security</title>
		<link>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security</link>
		<comments>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security#comments</comments>
		<pubDate>Sat, 28 Aug 2010 03:49:16 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Myths]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[Truth]]></category>
		<category><![CDATA[worms]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=560</guid>
		<description><![CDATA[<p>We all know that cyber security is important. There are many myths creating a false sense of security. Your mind is your first line of defense. So train it well so you’ll be better protected…</p><p>The post <a href="http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security">Know the Truth, Exposing Myths in Cyber Security</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>We all know that cyber security is important. Having a good password is important to keep confidential information protected. We know that having anti-virus, anti-malware and anti-spyware applications does wonders, especially when you’re connected to a network or the web. Having all those applications is a good thing, but we also know that having a correct firewall setting is quite important as well.</p>
<p>However, what most of us don’t know, and what we are led to believe, is that having these precautionary measures is enough. Well, the truth is, they are not! It is time that you know the truth and expose some of the myths of cyber security, or cyber-rumors, that we have believed for years. It&#8217;s been almost 22 years since the first famous piece of malware, the Morris worm, spread via the internet. About 20 years ago, we only had to be concerned with viruses. Later there were also worms, Trojan horses, spam, spyware, phishing, root-kits, code injection and internet bots. To simplify, we group them as malware. While the malware family has grown considerably, the defenses have been few and hardly effective…</p>
<p>Let’s start off with anti-virus software and your system firewall. Despite what manufacturers say, despite what the advertisements say, despite what some of your friends might tell you, no anti-virus software, or firewall for that matter, is 100% effective. You need to understand that virus creators make malicious code so advanced that an anti-virus application is not yet capable of handling an attack coming from it.</p>
<p>Despite the regular updates released by anti-virus software companies, they cannot foresee what kinds of viruses will come out next month or the month after that. They can only provide their customers with protection based on the viruses that they know of and the potential viruses that could come out. As mentioned or implied earlier, the best way to have a degree of protection is to combine these technologies together. Have separate anti-virus software installed and keep a strong firewall active.</p>
<p>There might be a problem with some applications not working well together, so conduct your own research and see which software works well together. Newer versions of anti-virus software also look at software behavior to detect malicious activity, but since this consumes more CPU cycles, most people turn it off! I’m always surprised when visiting friends and family, or even clients, that they show me their systems running “a bit strange lately” and the first thing I notice is that the 30-day demo anti-virus subscription has expired or they are running an obsolete version, which is useless since it offers very little protection, if any!</p>
<p>It is also important to know that just because you have successfully installed a software application, that’s not the end of it. Unfortunately, you will also need to get the patches or updates that manufacturers release. These patches or updates are fixes for small or sometimes big inconsistencies or bugs in the application. How to do it? This can take some planning and work. Microsoft releases all of their patches the second Tuesday of every month. Unfortunately in the Microsoft world, they don&#8217;t see the computer as a collection of applications on top of an integrated user-friendly operating system (OS), just the OS and &#8220;other stuff&#8221;. So they don&#8217;t track categories of software installed or even care to update them. In order to update those programs, you will need third-party tools or the software packages themselves, which now opens more security issues!</p>
<p>Examples: Java and Adobe Acrobat Reader check every time you boot your computer to see if there are any updates [and they will update themselves unless you postpone the download.]</p>
<p>In the world of operating systems which are more user friendly and security intelligent, Linux and Apple OS X alert you when there are new software versions of the applications you have installed and can even install it for you&#8230; and if there is a critical patch required for the OS it can be downloaded and installed now, not some time in the future when it&#8217;s more convenient for the software manufacturer. All digitally signed and from a central repository! That’s better overall protection, so it’s no wonder there is very little malware for these operating systems!</p>
<p>Look into your installed applications and see if there is an automatic updating option, which there usually is, that allows you to automatically receive updates whenever manufacturers release a new version or an upgrade of the system.</p>
<p>Also, don’t believe that just because you have mainly personal and insignificant information on your computer, it’s not worth protecting at all. Please bear in mind that what you think is not important can turn out to be quite useful for hackers. Every bit of information you have in your computer, email or any other system can be manipulated and used by hackers to access more of your confidential information or use it to gain some profit. Even if you keep your files in a computer not connected to any network, the one that a hacker gains access to can be used to attack other computers or cause problems with other systems. In the worst case, a hacker can steal your internet bandwidth or computer storage by converting your computer into an illegal file server so he or she can share with their accomplices!</p>
<p>Not being rich is not a good enough reason to think you won’t be attacked, either. Hackers and identity thieves will grab any opportunity that they come across. If they can get your personal information easily, they will do so and think about how they can use it for their personal gain, and believe me, they will think of a way.</p>
<p>Now that we have exposed some of these myths and you know a bit more about the truth of cyber security, I hope you have a renewed conviction regarding cyber security. Your mind is your first line of defense. So train it well so you’ll be better protected… We will cover cyber security awareness and training in a future post!</p>
<p>Read<br />
<a href="http://en.wikipedia.org/wiki/Malware">http://en.wikipedia.org/wiki/Malware</a><br />
<a href="http://en.wikipedia.org/wiki/Patch_Tuesday">http://en.wikipedia.org/wiki/Patch_Tuesday</a><br />
<a href="http://en.wikipedia.org/wiki/Mac_OS_X">http://en.wikipedia.org/wiki/Mac_OS_X</a><br />
<a href="http://en.wikipedia.org/wiki/Linux">http://en.wikipedia.org/wiki/Linux</a><br />
<a href="http://en.wikipedia.org/wiki/Package_manager">http://en.wikipedia.org/wiki/Package_manager</a></p>
<p>The post <a href="http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security">Know the Truth, Exposing Myths in Cyber Security</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/560/know-the-truth-exposing-myths-in-cyber-security/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Security from the Top!</title>
		<link>http://megamindtraining.com/516/security-from-the-top</link>
		<comments>http://megamindtraining.com/516/security-from-the-top#comments</comments>
		<pubDate>Tue, 20 Jul 2010 21:36:04 +0000</pubDate>
		<dc:creator>Adrian</dc:creator>
				<category><![CDATA[All Categories]]></category>
		<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://megamindtraining.com/?p=516</guid>
		<description><![CDATA[<p>Megamind Security Blog, by Adrian Mikeliunas, CISSP, CISA, PCI-QSA This is an interactive “discussion board” where we can share our thoughts, rants, pet peeves or frustrations… in a fun and informal manner. Let’s discuss security, from the top! Unless your organization (whether you work for a non-profit, multi-national corporation or government agency) is “obligated” by some government regulation or business supplier or partner to shape up and come up with some “security” money, most organizations invest the bare minimum until they get hacked, and then they start rethinking. And I’m not alone in venting about this issue… the latest Insecure Magazine (June 2010) points out the fact that many managers of Heartland Payment Systems (one of the largest security breaches in history) knew that PCI security compliance wasn’t enough to secure Heartland against a sophisticated cyber attack, but failed to take extra precautions… “Of the breaches in 2009, 81% of vendors were not PCI compliant….” Sometimes, some executives will get top management to understand the security priorities and prepare to spend the money now or prepare to deal with the mess later and spend even more money [British Petroleum execs: are you listening?] In many industries, after unfortunate events like Enron, or the T.J. Maxx wireless cyber theft, a drastic change has to occur because someone was hurt. Law is reactionary: it changes to address recent painful events and enforce new rules. So for the last few years, public companies had to deal with Sarbanes-Oxley (SOX), health providers have to deal with HIPAA, merchants that process credit cards have to deal with the PCI Council, and the US Government had to deal with FISMA. The question is still valid: are we more secure? There are many people working in security positions who have no clue about security! 
Yes, you know them: the politically appointed, or those who are there because they’re related to someone at the top of the totem pole… So what about the bottom of the totem pole? Many software engineers know their software needs more testing, but they are pressed by management to release it or else [again, it costs time and money]. So what’s my point, you may ask? Well, security is not just about firewalls, antivirus and a building badge. Those are many expressions of security technology. Security is the result of a process. A process requires people to follow procedures. These procedures are designed to mitigate or reduce risk. Just like an insurance company will give you a discount if you have an alarm system in your house or your car, a company feels that having a security card and a badge reader or a firewall reduces the risk of physical or cyber attack. Unfortunately, in the real world, according to FBI statistics, more than half of the security incidents are inside jobs. That number does not count those “oops” moments when some system administrator rebooted the incorrect server, since no data was leaked… only a few transactions were lost forever. This was an intro to the many topics we will cover in future sessions in this blog, from people, processes and procedures, in order to make our systems more secure… [hopefully!] Securely, Adrian Mikeliunas, CISSP, CISA, PCI-QSA</p><p>The post <a href="http://megamindtraining.com/516/security-from-the-top">Security from the Top!</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Megamind Security Blog, by Adrian Mikeliunas, CISSP, CISA, PCI-QSA</p>
<p>This is an interactive “discussion board” where we can share our thoughts, rants, pet peeves or frustrations… in a fun and informal manner.</p>
<p>Let’s discuss security, from the top! Unless your organization (whether you work for a non-profit, multi-national corporation or government agency) is “obligated” by some government regulation or business supplier or partner to shape up and come up with some “security” money, most organizations invest the bare minimum until they get hacked, and then they start rethinking. And I’m not alone in venting about this issue… the latest Insecure Magazine (June 2010) points out the fact that many managers of Heartland Payment Systems (one of the largest security breaches in history) knew that PCI security compliance wasn’t enough to secure Heartland against a sophisticated cyber attack, but failed to take extra precautions… “Of the breaches in 2009, 81% of vendors were not PCI compliant….” Sometimes, some executives will get top management to understand the security priorities and prepare to spend the money now or prepare to deal with the mess later and spend even more money [British Petroleum execs: are you listening?] In many industries, after unfortunate events like Enron, or the T.J. Maxx wireless cyber theft, a drastic change has to occur because someone was hurt. Law is reactionary: it changes to address recent painful events and enforce new rules. So for the last few years, public companies had to deal with Sarbanes-Oxley (SOX), health providers have to deal with HIPAA, merchants that process credit cards have to deal with the PCI Council, and the US Government had to deal with FISMA. The question is still valid: are we more secure? There are many people working in security positions who have no clue about security! Yes, you know them: the politically appointed, or those who are there because they’re related to someone at the top of the totem pole… So what about the bottom of the totem pole? Many software engineers know their software needs more testing, but they are pressed by management to release it or else [again, it costs time and money].</p>
<p>So what’s my point, you may ask? Well, security is not just about firewalls, antivirus and a building badge. Those are many expressions of security technology. Security is the result of a process. A process requires people to follow procedures. These procedures are designed to mitigate or reduce risk. Just like an insurance company will give you a discount if you have an alarm system in your house or your car, a company feels that having a security card and a badge reader or a firewall reduces the risk of physical or cyber attack. Unfortunately, in the real world, according to FBI statistics, more than half of the security incidents are inside jobs. That number does not count those “oops” moments when some system administrator rebooted the incorrect server, since no data was leaked… only a few transactions were lost forever.</p>
<p>This was an intro to the many topics we will cover in future sessions in this blog, from people, processes and procedures, in order to make our systems more secure… [hopefully!]</p>
<p>Securely,<br />
Adrian Mikeliunas, CISSP, CISA, PCI-QSA</p>
<p>The post <a href="http://megamindtraining.com/516/security-from-the-top">Security from the Top!</a> appeared first on <a href="http://megamindtraining.com">Megamind</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://megamindtraining.com/516/security-from-the-top/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>