Cyber Warnings E-Magazine – January 2014 Edition. Copyright © Cyber Defense Magazine, All rights reserved worldwide

CYBER WARNINGS

Published monthly by Cyber Defense Magazine and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT
Stevin Victor
[email protected]

EDITOR
Pierluigi Paganini, CEH
[email protected]

ADVERTISING
Jessica Quinn
[email protected]

KEY WRITERS AND CONTRIBUTORS
Pierluigi Paganini, Alan Paller, Gretchen Hellman, Robert W. Williams, Milica Djekic, Josephine Rosenburgh, Art Dahnert, Eitan Bremler, Sathram Shiva Kumar, James Clark, Avery Buffington, Patrick Hayes, Jon-Louis Heimerl, Reuven Harrison and many more…

Interested in writing for us: [email protected]

CONTACT US:
Cyber Defense Magazine
Toll Free: +1-800-518-5248
Fax: +1-702-703-5505
SKYPE: cyber.defense
Magazine: http://www.cyberdefensemagazine.com

Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC, 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected]

Executive Producer: Gary S. Miliefsky, CISSP®
Publication Date: 6/30/2014
E-Circulation: 3,002,196

CONTENTS

NSA Spying Affecting US Revenues in a Bad Way ...... 3
Strengthening IT Security ...... 5
Security Challenges in the Age of BYOx ...... 7
The Role of Deep Packet Inspection in Firewall and Universal Threat Management (UTM) Applications ...... 10
Smart Staffing Strategies To Support Cyber Defense-in-depth ...... 12
Only Adaptive Defense is a Good Defense ...... 17
Why is password creation so hard? (Part 2) ...... 21
Challenges of Transferring Large Design Files ...... 30
Hackers targets Industries and Infrastructure ...... 32
Modern Cyber Defenses: An Industrial Dilemma for Energy and Utilities ...... 35
5 Ways to Better Protect Customer Card Data ...... 38
In-house vs. Outsourcing: 24-Hour Cybersecurity without the Capital Investment ...... 41
VLM: Vulnerability Lifecycle Management Mismanaged by Many ...... 45
Don’t Let the Fox Into the Henhouse: Recent Breaches Serve as a Reminder to Keep Your Network Segmented ...... 48
What Is the True Cost of a Data Leak? ...... 52
Top 3 Myths About Antivirus Software ...... 56
NSA Spying Concerns? Learn Counterveillance ...... 60
Top Twenty INFOSEC Open Sources ...... 62
National Information Security Group Offers FREE Techtips ...... 63
Job Opportunities ...... 64
Free Monthly Cyber Warnings Via Email ...... 64
Cyber Warnings Newsflash for June 2014 ...... 67

NSA Spying Affecting US Revenues in a Bad Way

Snowden’s revelations of how far-reaching the NSA spying program has become have started to negatively affect the revenues and reputations of some of the biggest players in the industry – from RSA to Cisco, Juniper, Symantec, Microsoft, IBM, McAfee, Intel, Verizon and others.

In fact, Cisco Systems Inc. CEO John Chambers penned a letter to US President Obama insisting he rein in surveillance activities by the National Security Agency after evidence surfaced that the agency was intercepting Cisco equipment and loading it with surveillance software before sending it on its way. In a letter dated May 15, Mr. Chambers urged the President to create “new standards of conduct” governing how the NSA executes its global surveillance, warning of diminished trust and confidence in the U.S. technology industry. He wrote: “We ship our products globally from inside as well as outside the United States, and if these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally.”

These disclosures of spying abroad may cost U.S. companies as much as $35 billion in lost revenue through 2016 because of doubts about the security of information on their systems, according to the Information Technology & Innovation Foundation, a policy research group in Washington whose board includes representatives of companies such as International Business Machines Corp. (IBM) and Intel Corp. (INTC). In addition, the NSA’s eavesdropping on heads of state will probably hurt Cambridge-based Akamai Technologies Inc.’s German business, CEO Tom Leighton said. Akamai, which helps corporations deliver online content, is caught up in a backlash against US Internet companies, he said. Revelations about US spying raise questions about data held and managed by US companies. Data the NSA tracks may pass through Akamai’s servers. “It’s clearly bad for American companies,” Leighton said, Bloomberg News reported. Akamai’s European sales were 17 to 18 percent of revenue in 2010, 2011 and 2012.

As I proposed to you last month, this will be a “YEAR OF PRIVACY”. Focus on improving privacy and you will protect critical data. If you are looking to start a business outside of the U.S. that focuses on Privacy, now is the time.

To our faithful readers, Enjoy!

Pierluigi Paganini, Editor-in-Chief, [email protected]

P.S. Congrats Ken Kleiner (USA) – this month’s contest winner!

Strengthening IT Security

By Alan Paller

The need to strengthen our nation’s information security has never been more critical or more urgent. Yet, the flow of cyber talent into key technical jobs in industry and government remains dangerously inadequate.

The current and future shortage of skilled professionals in cyber security is well documented, yet we have been slow to embrace innovative ways to build a faster, more effective pipeline of skilled talent. This leaves businesses and governments with little choice but to compete for the same, inadequate pool of talent, raiding each other’s knowledge and capacity.

The results are sobering. Recruiting costs increase as HR departments are forced to over-invest; security levels become unstable as organizations are too often in transition due to turnover. And the pace of genuine advancement in the information security industry slows and risks stagnating.

We need a better approach.

A recently announced public/private partnership is showing real promise. Its participants include two federal agencies - NSA and the US Army’s Intelligence and Security Command (INSCOM) - and sixteen businesses: 3 banks (Citi, JPMorgan Chase, and Branch Banking & Trust Co.) plus FINRA, a large power company (NIPSCO), media leaders including both CBS and NBC Universal/Comcast, and key security product and service providers (Juniper Networks, Accenture, KPMG, Pricewaterhouse Coopers, Ernst & Young, Solutionary, Palantir, Stroz Friedberg and STIGroup). These organizations worked together to create the National Cybersecurity Career Fair (NCCF), a cost-effective, innovative way for employers, job seekers, and the industry to connect the right people, to the right jobs, in the right companies. The effort, supported by Cyber Aces, a national cyber security nonprofit, the SANS Institute, the Council on CyberSecurity, (ISC)², US Cyber Challenge, and the Center for Internet Security, launched on June 18-19 and became the United States’ largest virtual cyber security job fair.

NCCF quickly brought over 4,000 qualified applicants—veterans, students, career changers and cyber security practitioners—to one central, virtual place. Each of the jobseekers had completed training and/or certification programs through Cyber Aces, SANS, US Cyber Challenge, and (ISC)² or had cyber security experience. These newly trained (or discovered) talented new workers are a promising source of talent to meet the nation’s needs. For the jobseekers, the fair was a one-stop shop for access to important cyber security employers and job openings.

A key innovation of the NCCF allowed the candidates to prove their skills and better navigate the cyber security industry, giving them the tools and network to continue job searches long after the event. Each jobseeker was allowed to take the SANS CyberTalent Exam (at no cost), which measures their skills and capability across five information security domains. This was a unique opportunity for job seekers to demonstrate their skills to potential employers. Assessments like the SANS CyberTalent Exam offer employers the opportunity to reduce recruiting costs and improve efficiency, and job seekers the opportunity to clearly and objectively demonstrate their skill level.

NCCF also gave participating employers a leg up in the race for talent. It helped them be seen as “employers of choice” in cyber security. Employers from the NCCF have access to the pool of current and future jobseekers that visited their booth and now have the ability to compare the technical skill levels of these individuals. NCCF follow-up programs give the employers the opportunity to connect with additional candidates among the 4,000 participants through “matching” programs that will operate during the 6 months until the December NCCF.

The National Cybersecurity Career Fair is a pilot program. Intense evaluation of both the candidate and employer experience will be undertaken over the summer and fall. With appropriate improvements, and increasing numbers of employers and candidates, the NCCF may become a trusted tool for employers who are seeking talent and for talented people seeking jobs in cyber security, helping to close the skills gap that is threatening the security of the nation.

About the author

Alan Paller founded SANS, a college and professional cyber security training school that has trained more than 145,000 cyber security technologists in 72 countries. He oversees the Internet Storm Center, the annual identification of the "Seven Most Dangerous New Attack Vectors" and a global program that identifies and celebrates people responsible for remarkable improvement in cyber risk reduction. He has testified before the US Senate and House and was an initial member of the President's National Infrastructure Assurance Council. He was chosen by OMB and the Federal CIO Council as the 2005 Azimuth Award winner, a lifetime achievement award recognizing outstanding service of a non-government person to improving federal information technology. In 2010, the Washington Post named him one of seven people "worth knowing, or knowing about" in cyber security. He co-chairs the Secretary of Homeland Security's Task Force on CyberSkills, and serves on the FCC Communications Security, Reliability and Interoperability Council and on the NASA Advisory Council. Earlier in his career Alan helped build one of the first major software companies, took it public, and merged it into a larger company listed on the New York Stock Exchange. His degrees are from Cornell University and the Massachusetts Institute of Technology.

Security Challenges in the Age of BYOx

By Gretchen Hellman, Senior Director of Security Strategy, SolarWinds

The productivity, morale and cost savings gains of allowing employees to bring their own devices to work have driven the majority of companies to allow the practice of BYOx. However, as with most shifts that provide greater IT accessibility and connectivity, big security issues have come along with it.

The mobile technology revolution has not only disrupted IT, but IT security as well. Long gone are the days of stringent common operating environments and usage policies that allowed security to keep on top of vulnerabilities, risk and security controls. Today, corporate networks are made up of a wide range of devices that have both personal and corporate applications and data. This has created a slew of new challenges for IT pros tasked with securing corporate environments.

In fact, a recent SolarWinds survey showed that IT pros believe the role needing to adapt the most in the next three to five years is information security. Combine this with the fact that in the same survey, BYOx ranked as the most disruptive technology to business over the past three to five years. Here is a closer look at how BYOx has infiltrated business and why it is causing IT pros to rethink information security.

End of Control

The greatest security challenges brought on by BYOx are the reduction of overall security control, the introduction of new and often unknown vulnerabilities (and their subsequent risks) and the blending of personal and corporate use. Many companies that allow BYOx are enforcing policies and standards for acceptable use, security standards and which devices and configurations are permitted. However, without stringent controls that limit personal use, data remains at a greater risk than before. Much of this harkens back to the age-old challenge of dealing with user decisions when enforcing security measures. This challenge explodes in the world of BYOx because it is that very user who owns the device.

According to a recent Gartner, Inc. survey, a quarter of business users admitted to having a security issue with their private device in 2013, but only 27 percent of those respondents felt the need to report the issue to their employer. To complicate matters, stringent controls, such as limiting allowed “apps” for personal use, while they are the best security decision, defeat the purpose of BYOD.

Given their existing distrust of corporate control over their personal and private data, employees are even more reluctant to dedicate their expensive personal devices to work if too many restrictions are placed on their usage. Employee participation is the very foundation of BYOx, so security has had to make some allowances that introduce risk. What’s more, the multitude of free “apps” and their ease of deployment have made mobile devices a new focus for both lucrative and malicious. Android malware in particular is quickly increasing in volume and sophistication due to its open platform.

Conquering BYOx and Security

Given these new challenges resulting from BYOx, how can IT pros secure the expanded threat landscape associated with today’s average business? The answer certainly isn’t simple given the sheer volume of new security threats brought on by this trend, but there are steps for IT pros to take:

Implement a mobile device policy: Developing a strong BYOx policy is the first reasonable step. A solid BYOx mobile device policy will consider the following:

• Separate wireless networks for BYOx and company-owned machines

• The types of mobile devices allowed and their respective required security measures

• Mobile device security software, which enforces security measures (such as a PIN and OS security updates), as a requirement to access corporate data

• A backup policy to control the spread of sensitive corporate data

• A terminated employee policy that ensures removal of corporate data from the device

Understand the value of monitoring: Unfortunately, IT security pros can’t mitigate every potential risk simply with a mobile device policy, no matter how strong it is. So, much like alarm systems in homes, monitoring tools should be used to help address gaps as BYOx continues to expand. Creating a strong monitoring strategy to identify and profile devices that are connecting to the network and subsequent user behavior will help in the discovery of both gaps in policy and new threats as they arise.

Training is key: In the world of BYOx, the employee has greater power. Implementing a security awareness program with specific emphasis on mobile device threats and appropriate use of corporate data will help employees make smarter security decisions.

In businesses of all sizes, BYOx is here to stay, and it will only continue to grow as the mobile device market expands. Concurrently, the threat to organizations will increase, and it will be up to IT security pros to lead the charge in terms of creating protected environments. By understanding the threats and working with company leadership to make policy, monitoring and ongoing training top priorities in the age of BYOx, IT pros can ensure their environments are secure and ultimately protect the business’ bottom line.

About the author

Gretchen Hellman is senior director of security strategy at SolarWinds and brings extensive security management expertise to her role. Hellman began her career in information security as a consultant specializing in security policy and security program development. She is a frequent speaker in the areas of evolving attack methods, operationalizing security policy, security management, regulatory compliance, data security and security information and event management. She holds a B.S.E.E. from Santa Clara University.

The Role of Deep Packet Inspection in Firewall and Universal Threat Management (UTM) Applications

By Shawn Sweeney, Procera Networks

It seems like yesterday that the first “stateful” firewall was brought to market. In fact, it was over two decades ago that the first real commercially available product came to market. This innovation unleashed a renewed look at the firewall problem. And thus came the crush of me-toos and look-alikes for some number of years, each one trumpeted with more promise than the last.

With the advent of application-specific integrated circuits (ASICs) and their broader use in networking products, a second wave of innovation came a decade or so later. Some new products were brought to market, religious discussions ensued, battles started, wars lost and companies acquired. Lather, rinse, repeat.

The hardware guys argued, and I know as I was conveniently in their camp for a while, “anything software can do, we can do faster!” True enough at the time, but I am reasonably certain, this too shall pass. And so it did.

Fast forward to present day. With every new product announcement exists another application, user-profile, use case and device. Each permutation of “user context” represents yet another way for bits to be sent and received.

Keeping up is a full-time job that can no longer be easily solved by throwing minds at it or making faster hardware. The latter is always limited to what is fact today and poorly suited to the shifting reality of tomorrow.

So, what’s a Product Manager of a firewall or UTM appliance to do, especially if the composed solution has additional special sauce, representing core competency, as it most certainly will? The dizzying array of avoidance and evasion techniques in use today is enough to drive him or her to the madhouse.

If you doubt that, consider the anonymizers and the relentless release trains they produce to keep the good people of the repressed world from being discovered – and those in the free world from being committed with a diagnosis of paranoia from the nagging fear they are being watched.

At Procera, we believe that poor, aforementioned Product Manager should seek relief in the form of leveraged expertise. With nearly 1000 customers worldwide – network managers who depend on our DPI products to make accurate and intelligent policy decisions – there is nothing that escapes the attention of our learned staff.

If blocking or conditioning certain traffic types is your game, we would posit that being correct is kind of important and not to be left to chance.

So, our humble recommendation, be it firewall or UTM appliance, is to leave the deep packet inspection to the experts. We did not invent DPI, but we have advanced the technology across both premise and embedded product lines the world over.

This position is unparalleled in the industry; about this there is no dispute, if admittedly some jealousy and consternation. The high ground in any disagreement is the rightful claim of the best and most diligent.

About the author

Shawn Sweeney

Director Product Management and Marketing

Procera Networks

Shawn Sweeney is a veteran of the network communications business with nearly 30 years of experience in a variety of capacities in development, sales and marketing. He has worked for some of the premier brands in the industry and has been a key contributor in 5 startup ventures. He is currently the Director of Product Management and Marketing for Procera’s Embedded DPI engine.

Smart Staffing Strategies To Support Cyber Defense-in-depth

By Robert W. Williams, CEO, Vector Technical Resources

Defense-in-depth. That is the only way to defeat today’s multi-directional, multi-dimensional threats against the network. Cyber defense-in-depth starts with an outer perimeter with a firewall, with intrusion detection and prevention systems forming an inner core of cyber protection.

What are the keys to finding the top technology talent needed to fortify your cyber defenses? Let me share the perspective I gained while serving, in the final duty post of my 30-year career in the U.S. Navy, as Director of Network Security and Chief Information Security Officer for the Navy-Marine Corps Internet (NMCI) Global Network Operations Center. In this capacity, I was in charge of information security and operational command and control for the Department of the Navy’s $8 billion, 300,000-computer shore-based enterprise network in the continental United States and Hawaii.

Ever-Changing Threats Demand a Unique Skill Set

Just as the threats are ever-changing, so are the technology requirements in the cyber security field. Certainly “hard” firewall and other tech skills are important, as well as knowledge about what your protection devices are able to pick up and the ability to evaluate what is a real intrusion.

Also, you need people savvy enough to know when to disregard intrusive events that do not pose a serious threat to the network.

But don’t overlook key “soft” skills. For example, you need people with sharp minds and the hunger to learn and to keep learning. It’s also important for members of your cyber defense team to have the flexibility to adapt their job functions to keep up with what the bad guys are throwing at your network on a daily basis. The only way to size up these “soft” skills effectively is through the interview process.

Once you have identified the need and requirements for cyber security talent, these requirements must be clearly communicated to a tech talent acquisition specialist who could be in-house or with an outside staffing firm.

It is critically important for the tech talent acquisition specialist to have an A to Z understanding of what the company needs in a successful candidate for this position. At this stage, it is also advisable to establish what the position is worth in terms of salary and benefits.

Socializing the Talent Search

The hard reality in the staffing industry is that the best people aren’t looking – they’re working! That’s why recruitment advertising is often a hit-or-miss proposition in a field such as cyber security, and why social media and referrals are often more productive in identifying top talent. This kind of “socialized” talent search can be conducted in-house, but it often makes sense to engage an outside staffing firm (i.e., a temp-to-perm or temporary services agency) that maintains a large professional network that includes social media channels. Here’s another reason to outsource the cyber talent search: if your position is posted with several staffing firms, they will compete to offer the best candidates. Not only that, but they will also handle the clearance process.

Whether the talent search is conducted in-house or outsourced, a clear hiring process must be established that can be expedited if an ideal candidate is identified who needs to be brought on sooner rather than later. When a talent opportunity presents itself through the search process, the company must be ready to hire.

Narrowing the Field

You can see the skills listed by a candidate on his or her resume, but unless you talk to that person, preferably face to face, you will not be able to gauge whether or not they are a good fit with your team. Another advantage of using an outside staffing firm is that they will have done all the background checks, including criminal/financial screenings and verification of security clearances, so that you can concentrate on the interview process to determine the candidate with the best fit.

In fact, the biggest pitfall in finding top cyber security talent is hiring somebody off his or her resume. Not only must each candidate be thoroughly vetted, including reference and clearance checks, but if you’re the hiring official you must talk to candidates! And you need to do more than ask the “standard” interview questions. Instead, asking open-ended questions is a better way to get a feel if the candidate is the right person.

If the person is being hired for a cleared position, the Facilities Security Officer (FSO) needs to verify his or her clearance. When all is said and done, everything on the candidate’s resume should be up-to-date, verifiable and fully vetted.

Here is a cautionary note about background checks. If you are going the outsourcing route and are using a tech staffing firm, until you know who you are dealing with and trust their capabilities, it’s wise to ask for documentation of background checks to confirm results of financial/criminal screenings and security clearance verification. After you have been dealing with the staffing firm for a while, your confidence level should increase.

Extending the Offer

After checking references and clearances, rank the top three candidates. Then offer the position verbally to the A (first choice) candidate. Give the A candidate 24 hours to make a decision. If he or she makes a verbal acceptance, send an offer letter immediately confirming the salary and benefits that were negotiated as well as the start date, working hours and whether the position is exempt or non-exempt from overtime.

The offer letter should have a signature line for the candidate to sign. The signed offer letter should be sent back within 24 hours.

Talent Acquisition for Cyber Defense: The Secret Weapon

What if you could find a turn-key solution that ensures a successful outcome in all stages of the cyber tech talent acquisition process described above? That’s what an external IT staffing firm is all about. It’s the cyber tech hiring manager’s best friend – and secret weapon.

The sooner the decision to go with an external firm can be made after the cyber security position opens up and the firm decides to fill it, the better. The staffing firm should be contacted and an interview requested with an account manager experienced in cyber tech staffing.

A good account manager is an attention-to-detail person who will not only ask the right questions – lots of questions – to get all the information about the job requirements, but will also be able to produce four to six candidates who have already been pre-screened and pre-qualified and are believed to be a strong fit for the position. A top-flight staffing firm is able to map candidates quickly to the specific requirements of any cyber tech position.

As noted earlier in this article, a key at this stage of the recruitment outsourcing process is to provide complete and detailed information about the position and the “hard” and “soft” skills needed for success. The more complete picture the staffing firm has, the quicker the search and the better the results.

Because external IT staffing firms are paid to find the A players, they make it their business to know who the top people are and how to find them.

The best staffing companies have their own proprietary applicant tracking systems using specialized database software to harvest cream-of-the-crop talent from many different sources. Not only that, but premier firms will offer a “try before you buy” guarantee that an applicant who doesn’t work out within 30 days will be replaced.

Bottom Line Benefits

The reality in today’s tech talent acquisition arena is that large businesses are using staffing firms. For small and mid-size companies, this approach can also pay dividends – literally – because a temp-to-hire agency will carry new hires on their payroll for as long as six months.

After you’re sure that the new person has worked out, you can bring them on staff. This “test drive” approach to cyber tech staffing frees up capital that would otherwise go to salary and benefits. This means smaller firms often can grow faster by using a staffing firm.

What’s the bottom line on finding top tech talent in the cyber security field? More often than not, a remarkable staffing company will find better quality candidates – and, in the long run, do it less expensively. The choice is to pay now for the right cyber tech talent solution, or pay later for talent that doesn’t pan out and may cause a loss of competitive advantage.

Lately there has been a lot of talk about a “shortage” of IT professionals across all industries, not just in cyber security. The reality, as I see it, is that more and more young people – members of the Millennial Generation who grew up playing computer games and using mobile devices – are poised to enter the tech workforce. The issue is not a lack of talent, but a need to tap the supply of tech talent more effectively with support from professionals who make it their business to find the right people.

It’s not an exact science to assemble a top-of-the-line cyber defense team. Nobody has a crystal ball, and not every single candidate will work out. But the right staffing firm, especially one with multiple layers of cyber security and IT expertise coupled with extensive network connections, can be an invaluable strategic – not to mention money-saving – asset.

About the Author

Robert W. Williams is Chief Executive Officer of Vector Technical Resources, an IT and staff augmentation company servicing the private, federal and state sectors. He has more than 30 years of experience successfully leading large geographically dispersed information technology (IT) organizations. For more information about Vector Technical Resources, please visit www.vectechresources.com.

Only Adaptive Defense is a Good Defense

Milica Djekic, an Online Marketing Coordinator at Dejan SEO and the Editor-in-Chief at Australian Science Magazine

In the April issue of this magazine, I talked about the importance of intelligence in modern security software and proposed a new concept: so-called intelligence-led security software. In this article, I would like to provide more details on that concept. As I said before, the software of the future should have self-defense capacities: something like software with its own incident-response system, capable of making intelligent decisions and fighting for itself. As is known, an intelligence-led or intelligence-driven concept means the system is governed by intelligence. This time, I will attempt to introduce and explain this very new idea.

Introduction

To begin, I should define the crucial criteria of this concept. The two top requirements intelligence-led software should satisfy are stability and adaptivity. First, the software must be capable of staying stable whatever signals it receives as input. This is possible only if it has a good protection mechanism, which can be obtained using adaptive encryption algorithms. In other words, its defense system should adapt to external influences and provide reliable security.

In general, what is the purpose of any software? Its purpose is to control the process it executes, and that process should be stable all the time. How is that possible? The software should offer good protection to such a process, and the algorithm that can do that best under dynamic circumstances is an adaptive one. It is well known that in modern computer and network systems the environment and conditions change in real time, which means the software's operating conditions change as well. In this case we can view the software as a control system for its process.

As is known from control theory, a plant or process must be stable and controllable in order to be controlled; that is why these two are the initial requirements. Control theory also tells us that the only adequate control algorithm for dynamic conditions is an adaptive one. What does this mean in practice? Working conditions or incoming signals change constantly, and a process needs to respond to those changes somehow; in other words, it must adapt to its environment. Since this is not strictly a control engineering issue but rather a software engineering problem, we should apply adaptive encryption or cryptography instead of adaptive control. In addition, our software should be able to provide adaptive defense to its process.

In the rest of the article, I would like to provide more information about intelligence, the role of stability and the importance of adaptive encryption.

What is Intelligence?

The word “intelligence” means different things to different people. The most common mistake is to consider “intelligence” as synonymous with “information.” Information is not intelligence. Despite the many definitions of “intelligence” that have been promulgated over the years, the simplest and clearest of these is “information plus analysis equals intelligence”.

The formula above clarifies the distinction between collected information and produced intelligence. It notes that without analysis, there is no intelligence. Intelligence is not what is collected; it is what is produced after collected data is evaluated and analyzed.

If intelligence is analyzed information, what is analysis? Some agencies contend that computer software can perform analysis for them; thus, they invest in technology rather than in trained analysts. However, analysis requires thoughtful contemplation that results in conclusions and recommendations. Thus, computers may assist with analysis by compiling large amounts of data into an easily accessible format, but this is only collated data; it is not analyzed data or information, and it falls far short of intelligence. For information to be useful, it must be analyzed by a trained intelligence professional. In other words, intelligence tells officials everything they need to know before they knowledgeably choose a course of action.

The Role of Stability

With many advancements in real-time systems, the primary controlling factors, such as security, reliability and trustworthiness, have become key elements of success. The primary factors for ascertaining the stability of physical systems are controllability and observability.

In the literature, control theory has been used to achieve service-level objectives in performance management; the main aim of that work was to develop a control methodology for software systems and assess the value of control analysis. Several questions arise when analyzing software code that implements a control system:

Does a controller that is assumed to be open-loop stable render the closed-loop system stable as well?

Does the developed software code fulfill the given control specifications?

Two approaches are followed to check the stability and performance of software systems: (a) a macroscopic pattern-matching technique, in which the specification of the controller is reconstructed from the code, and (b) a code-level analysis.

The software system under consideration here is a dynamic system, meaning its output depends on its state. It should be emphasized that software engineers typically have to take into consideration the dynamic behavior and characteristics of both the environment and the software system; otherwise the system will behave erratically.

The Purpose of Adaptive Cryptography

Here I would like to present the conditions under which adaptive cryptography could be applied. We should start with the adaptive chosen-ciphertext attack. This attack is an interactive form of chosen-ciphertext attack in which an attacker sends a number of ciphertexts to be decrypted and then uses the results of these decryptions to select subsequent ciphertexts.

The goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive chosen-ciphertext attacks are generally applicable only when the scheme has the property of ciphertext malleability, that is, a ciphertext can be modified in specific ways that have a predictable effect on the decryption of that message. Adaptive chosen-ciphertext attacks were largely considered a theoretical concern until Daniel Bleichenbacher demonstrated a practical attack against systems using RSA encryption. The Bleichenbacher attack, also known as the million message attack, took advantage of flaws in the surrounding cryptographic functions to gradually reveal the content of an RSA-encrypted message. Doing this requires sending several million test ciphertexts to the decryption device.

To prevent adaptive chosen-ciphertext attacks, it is necessary to use an encryption or encoding scheme that limits ciphertext malleability. A number of encoding schemes have been proposed, but the most common standard for RSA encryption is Optimal Asymmetric Encryption Padding (OAEP).
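The two properties just described, the malleability of an unpadded RSA ciphertext and its removal by OAEP, can be seen directly in code. The following Python program is an added example and not part of the article: it generates a deliberately small toy RSA key (the key size, the fixed seed and all helper names are assumptions made for the demonstration, not anything from the text), shows that multiplying a textbook-RSA ciphertext by the encryption of 2 makes the decryptor return exactly 2m, and then shows that the same manipulation of an OAEP-padded ciphertext fails the padding check. The decoder deliberately reports every padding failure the same way, because an error that tells the sender which check failed is precisely the oracle an adaptive attack feeds on.

```python
"""Added example (not the article's code): the malleability that adaptive
chosen-ciphertext attacks rely on, shown on unpadded RSA, and how OAEP
padding removes it. Toy key sizes and a fixed seed, for demonstration only."""
import hashlib
import hmac
import os
import random

HASH, HLEN, E = hashlib.sha256, 32, 65537

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probable-prime test (demo quality)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=768, seed=None):
    """Toy RSA key pair pub=(n, e), priv=(n, d); a seeded 768-bit demo key
    is NOT a real key (real ones need a CSPRNG and at least 2048 bits)."""
    rng, half = random.Random(seed), bits // 2

    def prime():
        while True:
            cand = rng.getrandbits(half) | (1 << (half - 1)) | 1
            if cand % E != 1 and is_probable_prime(cand, rng):  # keeps gcd(e, phi) = 1
                return cand

    p, q = prime(), prime()
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def mgf1(seed, length):
    """PKCS#1 MGF1: concatenated hashes of seed || counter, truncated."""
    blocks = range((length + HLEN - 1) // HLEN)
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k):
    """EM = 0x00 || maskedSeed || maskedDB with an empty label; k = modulus bytes."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long for this key")
    db = HASH(b"").digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    return b"\x00" + xor(seed, mgf1(masked_db, HLEN)) + masked_db

def oaep_decode(em, k):
    """Message, or None on ANY padding failure. All checks are evaluated and
    combined so the caller gets one uniform failure: an error that reveals
    which check failed is exactly the oracle an adaptive attack feeds on."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    sep = next((i for i in range(HLEN, len(db)) if db[i] != 0), -1)
    ok = em[0] == 0
    ok &= hmac.compare_digest(db[:HLEN], HASH(b"").digest())
    ok &= sep != -1 and db[sep] == 1
    return db[sep + 1:] if ok else None

def encrypt_oaep(msg, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(msg, k), "big"), e, n)

def decrypt_oaep(c, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)

def textbook_is_malleable(pub, priv, msg):
    """Unpadded RSA: E(m) * E(2) = E(2m) mod n, so whoever holds a captured
    ciphertext can make the decryptor emit a predictably related plaintext."""
    (n, e), (_, d) = pub, priv
    m = int.from_bytes(msg, "big")
    tampered = pow(m, e, n) * pow(2, e, n) % n
    return pow(tampered, d, n) == 2 * m

def oaep_rejects_tampering(pub, priv, msg):
    """The same tweak on an OAEP ciphertext breaks the padding structure, so
    the honest round trip works but the tampered one decrypts to None."""
    n, e = pub
    c = encrypt_oaep(msg, pub)
    return decrypt_oaep(c, priv) == msg and decrypt_oaep(c * pow(2, e, n) % n, priv) is None

if __name__ == "__main__":
    pub, priv = gen_keypair(seed=2014)
    msg = b"transfer 100 to account 7"
    print("textbook RSA is malleable:", textbook_is_malleable(pub, priv, msg))
    print("OAEP rejects tampering:   ", oaep_rejects_tampering(pub, priv, msg))
```

Production code would use a vetted library's OAEP implementation with keys of at least 2048 bits; the design point that carries over is that a bad-padding result must be indistinguishable, in content and timing, from any other decryption failure, otherwise the padding check itself becomes the decryption oracle.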

Conclusion

This article provides a brief brainstorm of this new idea as well as some details regarding the concept's requirements. I plan to do more research and hopefully publish my findings, with a mathematical model, in a competitive security journal.

About The Author

As Editor-in-Chief of Australian Science Magazine and a graduate of Control Engineering, Milica Djekic is an engineer with a deep interest in subjects such as cryptography, cyber security, and wireless systems. Although she currently works as an Online Marketing Coordinator at Dejan SEO, she still pursues her passions of reading and writing about engineering and cryptography topics.

Why is password creation so hard? (Part 2)

By Josephine Rosenburgh

What happened after I created that infinite encryption algorithm?

I got on with other things. (Before I created it, however, I did spend a little time working on basic password creation systems. They were not easy to use.)

Eventually, I saw a video which talked about the writing of e-books. Then it clicked. I knew exactly how the true password creation system would have to be created to give extreme security whilst allowing great ease-of-use in its forming by the average person. I had already done most of the hard work so it was just a case of bringing out the elusive algorithm that no one has ever seen before.

I was able to weave the vital simple pattern that the grid needed. This would effectively give the same level of security as someone randomly typing out a new set of characters every time they wanted a new password. With enough characters in the grid there is no way for anyone to attempt all the combinations of the password if we make the password long enough.

There is only one true grid in the universe which will allow this.

Prior to that point I had been struggling with passwords just like anyone else. I didn't bother using any of the basic systems I created because they weren't efficient enough for me to commit to for the rest of my life. However, they did form a basis.

The grid doesn't look astoundingly fantastic because it is so simple for the average person to reproduce. It is the hardest encryption algorithm that I have ever had to create but because it is so super, super efficient the grid doesn't look complicated at all.

What is the difference between Eternity 2 and my infinite algorithm? Eternity 2 is a physical jigsaw puzzle. Being physical there must be a finite number of wrong solutions. The inventors did not invent an algorithm and expect solvers to guess which one they had invented out of an infinite number.

There are infinitely many algorithms that provide infinitely many permutations. The key is knowing which ones are the most efficient. This gives the key to unlocking the obscure one true algorithm which correctly and efficiently encrypts passwords. (In other words as a result of finding an efficient infinite algorithm I found the password encryption algorithm, which was close by.) In forming it I was doing the reverse of what I had done in forming my infinite encryption algorithm and it's only now that I realize it.

I didn't use a computer to formulate that infinite algorithm because it is not a computing/mathematical problem. It is a design problem. Flowers, for instance, are not mathematical problems. They are design problems. In other words they are infinite design problems and not mathematical problems. When you look at a flower you are looking at the work of a cryptographer from the beyond.

So, effectively, I built my own flower.

What is Eternity 2? If all the pieces are arranged correctly then it is another flower. Apart from its creators no one ever got to see it.

Passwords are not the same thing as data. They are more synonymous with the words "infinite" and "hidden". On the other hand data (which can be encrypted by encryption methods) is not infinite. It is known, which is not the same thing as infinite. How can the known be infinite? It cannot be.

The question is who in the world would need to create an encryption algorithm with infinitely many wrong permutations? Mathematicians and cryptographers clearly don't, so why would someone need to do it?

Ships have to be designed by naval architects. Racing cars have to be designed by racing-car designers, on a drawing board or a computer. Computer processors have to be designed by specialist electronics engineers. Password systems have to be designed by specialized cryptographers. It just so happens that there are very few of us.

The method that I developed is just a piece of computer software with the human user operating as a very basic supercomputer. Every good password encryption system would have to operate on that same principle.

People can do certain things very well (compared with a computer) but other things very poorly (compared with a computer). So we let the amazing formation of this super grid do all of the hard work and let the user memorize all of the components which are needed for their password, the easy part.

The paradoxical thing is that if you know what my system is it will look as if anyone in the world could have created that because it looks so simple and correctly ordered. On the other hand the user will have no doubt as to how secure it is.

Let's go further back in history. As every reader should know the Germans used the Enigma ciphering machine during the Second World War. A booklet containing hundreds of passwords was required to operate it and, of course, a different password was used daily. As army units moved around one person was required to transport the machine and the booklet. Over time the German cryptographers refined their methods.

There's nothing wrong with someone carrying a booklet. Do you agree?

We'll assume that their enemy has the use of a supercomputer beyond today and that it fits inside a pocket. That supercomputer can try all those passwords in, say, 0.0000000000001 seconds if an army unit was to suffer a defeat.

So, how many attempts of a supercomputer does my password system require? 10^35

Constrained by the physical world there is a limit on how fast supercomputers will get. They can't reach 10^35 but we don't know what technologies will emerge later. I heard of one person who can use a computer to try passwords at the rate of 100,000,000,000 per second. Attempts are already being made to build quantum computers.

How many different passwords does my system derive?

It depends how you set it. Using the default method, 450,000. Using a small adjustment you can easily go much higher, say, 10^14, although you can go higher than that. However, we'll stick with the lowly 10^14. How many German booklets are needed to store all those passwords?

We'll say that each booklet contains 40 pages and each page has 20 passwords, a total of 800. Dividing 10^14 by 800 gives 10^11.

How many people lived in Germany at the time? I don't know. We'll say 40 million. Let's divide 10^11 by 40 million.

We get 4400. During the second world war every person in Germany would have to carry 4400 booklets had my system been around at the time.

My system was not designed for generating as many different daily passwords as possible. (A different system would have been required for this.) It was designed to allow an individual to obtain 450,000 (at most) different passwords for use in the different accounts that they need passwords for, enough for one lifetime.

Let's suppose that your sheet of paper with the grid has been stolen. In fact this changes absolutely nothing. All of their new supercomputers would have to try 10^35 combinations whether it was stolen or not.

The idea is that you would use the grid to type in your passwords. You are not using the grid because you have absolutely no idea how any of your passwords could have been created. That knowledge has already been memorized in your head before you ever created your first password. You would use the grid because you cannot clearly visualize every character within it. You already have full knowledge of how to construct the grid again on another sheet of paper.

The grid is a universal method of allowing a huge number of different passwords to be constructed just like a computer keyboard is a method of allowing an infinite number of different messages to be typed in.

What about AES?

Firstly, today's cryptographers have come a long way since the second world war. Cryptography is something that goes on and on and it gets very complicated.

Some time ago the people at the American NIST (National Institute of Standards and Technology) created a contest. They needed a data encryption algorithm which would use key lengths of 128, 192 and 256 bits. Various teams of leading cryptographers around the world submitted their algorithms and the winning design would be given the title "AES" (the Advanced Encryption Standard, widely used in web browsers and encryption software today).

Ten algorithms were eliminated at stage 1 and five progressed to stage 2: Twofish, Serpent, MARS, RC6 and Rijndael.

Anyone who creates encryption algorithms will already know that 2^128 is 10^38 and 2^256 is 10^77. The highest estimate for the number of subatomic particles in the universe is 10^87 (10^90 possibly).

When I selected my infinite algorithm the key was efficiency. I could have reduced the number of steps to allow quicker calculation but it would have been far less secure. I aimed for an efficient algorithm to reduce the number of calculations needed rather than increase the number of calculations to increase security.

There must be a sufficient safety margin built in. On the other hand you must not go too far above it because it would take too long and only the very top cryptographers will have the correct understanding of where this is. The algorithm must be super-efficient, not messy in any way, because we are dealing with huge, huge, huge numbers of permutations.

The quickest algorithm is not necessarily the most efficient one. It would be an incomplete algorithm. I could not get away with a deficient algorithm and my progress would have halted. The five which reached stage 2 of AES work in different ways and will not have all been equally efficient.

When you program a computer you can get away with a not-so-efficient system because it is a computer that has to do all of the work. If you expect an average football-supporting human to do all the calculations then you cannot get away with a not-so-efficient system. That is why I had to devise an efficient infinite algorithm which could be used by ordinary people. The average person can only memorize a certain number of calculations so the algorithm's efficiency is going to have to do most of the work.

Once you know exactly how efficient an algorithm is supposed to be then and only then you can correctly decide on the number of steps required in each step of the process.

But, that's just my opinion. Yours may differ.

With data encryption algorithms many different ones can be created (which will work successfully). With the password encryption algorithm, however, there is only one (because of a variety of factors). So you have to find one out of infinitely many rather than one out of millions out of infinitely many.

Cryptographer Bruce Schneier (whose team of eight men submitted Twofish) has expressed his view that each person can create an encryption algorithm that he/she cannot crack. Everyone is entitled to their own belief and I respect his. I would like to express my own view here, which is that I think it is harder to create an encryption algorithm than it is to crack one. There are plenty of math geniuses around but there are infinitely many wrong encryption algorithms. How many algorithms failed? How many of them didn't work efficiently enough?

Did any of the teams who submitted algorithms for AES create a password encryption algorithm? Did any of the people who attempted the two Eternitys? Did you?

I like the last question. Ask the person who asked the question in the first place. I should answer the question too. I did create a password encryption algorithm and all of the world's best mathematicians did not. It's just not the sort o' problem they deal with.

My infinite algorithm is a different type of algorithm to the data encryption algorithms submitted for AES. However, I did read a report on the algorithms and there are certain comparisons that can be drawn since all efficient encryption systems have to rely on exactly the same basic principles. It would be interesting to compare.

Let me get my hands dirty. Which of the five algorithms do I think best matches my infinite algorithm in terms of efficiency, in terms of the principles I have used?

The two algorithms most favored by NIST were Rijndael because it was the quickest and Serpent because it was the most secure. In the end they chose Rijndael, which was created by a team of two. (I think it's pronounced something like 'rain doll' but I can't be sure. That's what we'll call it for now.)

I want to thank Eternity's creator, Eternity 2's creators and everyone who attempted both puzzles and all those who submitted AES algorithms. My special gratitude to the Twofish team. Really, thanks for your enormous contribution to cryptography. You guys did a really fine job so I say well done. It's nice to know who had the most efficient design. I just want you to know that there are others out there that appreciate what you have done.

(Also thanks to the later Threefish team.)

Of all the algorithms submitted for AES it seems that only one replicated the design principles of my hidden infinite algorithm.

Is it supposed to be that low?

In fact, yes. It really isn't that surprising. Cryptographers make mistakes too. They run out of ideas, just like anyone else. When the going gets tough more and more people drop out. So it really wasn't that surprising. Only one team created a 256-bit encryption algorithm correctly.

Why only one? Because it's very very hard to do. (It's harder than creating an Eternity 2.)

It took a group of eight capable people to create that one algorithm. They didn't just use one or two people. They knew their algorithm would have to work efficiently in both computer software and hardware. They worked out what an acceptable safety margin would be and ensured the best compromise between speed and performance. They introduced very clever ideas which would further guarantee that no one in the world would ever crack it. The team spent thousands and thousands of hours creating it, tweaking it and testing it. They were the only team that successfully worked out, exactly, how efficient a 256-bit encryption algorithm is supposed to be and that's how it's done.

Does that sound sensible?

These are supposed to be the best cryptographers in the world. So, what went horribly wrong?

It is highly unlikely that all of the algorithms submitted will have been equally efficient and that's exactly what occurred.

When I created my infinite algorithm I did ponder over who would not be able to do it. For every ingenious idea I introduced the number of people kept dropping. I had no idea at the time how many there were who couldn't do it.

My infinite algorithm matches the efficiency and workings of Twofish more closely than any of the others. For it to compare with Rijndael I would have had to remove various subtle steps to reduce the calculations taken. This would have reduced the efficiency, not increased it. I am dealing with huge, huge numbers of permutations, which I am trying to control, and in removing any one of those vital steps I would not have progressed to the great unique password encryption algorithm. Rijndael's efficiency is a little below what it should be. Encryption algorithms are supposed to be super super super efficient. They are not supposed to be quick because they lack certain key steps. The two were on their own and there was no one guiding them.

At what point would they know when their algorithm was efficient enough? They didn't have enough clues. This same situation, of course, confronted every team. They still put in a very good effort. (If two or three key members of the Twofish team had helped them that would have made the difference.)

If it takes more time for Rijndael to achieve the same level of security as Twofish then it can hardly be classed as more efficient can it? If you make the algorithm more and more efficient then you will not have to worry so much about the number of steps required. The only thing that all those algorithms rely on is computer power not being fast to crack all 2^256 key attempts. Those algorithms are not infinite but efficiency is equally important for both finite and infinite algorithms.

The team that created Serpent went the opposite way: as their algorithm wasn't efficient enough they played it safe by increasing the number of calculations. Very, very easy to do and far, far safer than having too few. They put in a very good effort too.

They were unsure of its efficiency. However, the Twofish team were able to determine Serpent's efficiency and established that it was less efficient than their algorithm. They also determined Rijndael's efficiency as being less too.

The Twofish team were the only ones who knew the exact efficiency levels of the other four algorithms because they were the only ones who knew how to create an encryption algorithm correctly in the first place, which is why they are the best.

About The Author

From California, this young author spends most of her time working in a computer store. An avid fanatic of sudoku and crosswords, she found the inspiration she needed for her first ebook by reading several articles on cryptography.

Married to her husband, John, a sales rep, she also spends her spare time writing and dancing. Prior to the launch of her first ebook she was unsuccessful in her attempts to get another book into print and still continues to pursue this objective.

Josephine's book can be found at https://www.smashwords.com/books/view/429052

She can be reached online at https://twitter.com/jrosenburgh

Secure Your Code With Analysis And Scanning

By Art Dahnert, Security Product Manager, Klocwork, a Rogue Wave Company

More and more development teams are standardizing on static code analysis and open source scanning to reduce their risk of encountering security breaches in the field. These tools find the vulnerabilities for you, so you don’t have to spend time, money, and skill sets worrying about them. It boils down to three things: knowing where your risks are, checking in more secure code, and reducing the probability of attack.

What does static code analysis do?

Static code analysis (SCA) is the automated identification of programmatic, semantic, and security errors in code. There are simple analysis tools out there, no more than glorified compilers, but more sophisticated tools take into account all the control and data flow interactions within the application and check for compliance against common industry standards.

Consider a function that dereferences a pointer set by another function. Manual unit testing of either function in isolation may not reveal that the pointer being dereferenced could be NULL. Static code analysis, on the other hand, would find the problem. Going further, consider the same situation but with the two functions developed by two different teams. The chances of the NULL pointer dereference reaching the customer become higher if the test coverage isn't there.

It’s not surprising, then, that Capers Jones of Namcook Analytics found that, without tools and processes like static code analysis, developers are less than 50 percent efficient at finding bugs in their own software.
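To make the cross-function NULL case concrete, here is an added example (written for this article, not Klocwork's analysis) of the kind of interprocedural reasoning a static analyzer performs, in Python terms: None plays the role of NULL and a subscript or attribute access plays the role of the dereference. The sample program, the function names and the toy two-pass analysis are all constructed for the illustration. Pass one records which functions can return None; pass two walks each caller in statement order and reports any use of such a result before a None check, which is exactly what unit-testing either function alone would miss.

```python
"""Added example: a toy interprocedural "may be None" checker built on the
ast module. Python analogue of the article's cross-function NULL dereference
(None for NULL, subscript/attribute access for the dereference). Constructed
for this illustration; it is not Klocwork's analysis."""
import ast

# Constructed sample: lookup() can return None, greet() uses the result
# without checking, greet_safe() checks before using it.
SAMPLE = '''\
def lookup(users, name):
    for u in users:
        if u["name"] == name:
            return u
    return None

def greet(users, name):
    rec = lookup(users, name)
    return "hi " + rec["name"]

def greet_safe(users, name):
    rec = lookup(users, name)
    if rec is None:
        return "unknown"
    return "hi " + rec["name"]
'''


def functions_that_may_return_none(tree):
    """Pass 1 (callee side): names of functions with `return` or `return None`."""
    names = set()
    for fn in ast.walk(tree):
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if isinstance(node, ast.Return) and (
                    node.value is None
                    or (isinstance(node.value, ast.Constant) and node.value.value is None)
                ):
                    names.add(fn.name)
    return names


def is_none_guard(test, var):
    """True for `if var`, `if not var`, `if var is None`, `if var is not None`."""
    if isinstance(test, ast.Name):
        return test.id == var
    if isinstance(test, ast.UnaryOp) and isinstance(test.op, ast.Not):
        return isinstance(test.operand, ast.Name) and test.operand.id == var
    return (
        isinstance(test, ast.Compare)
        and isinstance(test.left, ast.Name) and test.left.id == var
        and len(test.ops) == 1 and isinstance(test.ops[0], (ast.Is, ast.IsNot))
        and isinstance(test.comparators[0], ast.Constant)
        and test.comparators[0].value is None
    )


def risky_call_target(stmt, risky_callees):
    """For `var = f(...)` return (var, f) if f may return None, else (var, None)."""
    if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
            and isinstance(stmt.targets[0], ast.Name)):
        call = stmt.value
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id in risky_callees):
            return stmt.targets[0].id, call.func.id
        return stmt.targets[0].id, None      # plain reassignment
    return None


def find_unchecked_derefs(source):
    """Pass 2 (caller side): walk each top-level function in statement order,
    remember variables assigned from a may-return-None call until a guard is
    seen, and report subscript/attribute access on them before that point."""
    tree = ast.parse(source)
    risky_callees = functions_that_may_return_none(tree)
    findings = []
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        unchecked = {}                      # variable -> callee it came from
        for stmt in fn.body:
            assigned = risky_call_target(stmt, risky_callees)
            if assigned:
                var, callee = assigned
                unchecked.pop(var, None)    # any reassignment resets the state
                if callee:
                    unchecked[var] = callee
                continue
            if isinstance(stmt, ast.If):    # toy rule: a guard clears the variable
                for var in [v for v in unchecked if is_none_guard(stmt.test, v)]:
                    del unchecked[var]
            for node in ast.walk(stmt):
                if (isinstance(node, (ast.Attribute, ast.Subscript))
                        and isinstance(node.value, ast.Name)
                        and node.value.id in unchecked):
                    findings.append({"function": fn.name, "line": node.lineno,
                                     "variable": node.value.id,
                                     "callee": unchecked[node.value.id]})
    return findings
```

Running `find_unchecked_derefs(SAMPLE)` reports the single unchecked use in `greet` (line 9 of the sample) and nothing for `greet_safe`; the two rules that make this more than a grep are the callee summary from pass one and the statement-order tracking of guards in pass two, which is a much simplified form of the control- and data-flow modelling the article describes.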

What does open source scanning do?

Developers have nearly limitless options when it comes to finding and downloading open source code and they often include this code in any number of ways and amounts. Understanding and tracking open source use isn’t usually a priority for developers when their primary focus is on delivering features.

Scanning tools offer an automated and repeatable method for understanding the scope and depth of open source use within a company. Not only do they free up time to focus on other development efforts, they also remove any element of human error. Given that open source packages can contain other open source packages and that even just a few lines of reused code can contain risks, scanning tools are the only reliable choice to know exactly what’s going on within your code base. Sophisticated open source scanning also comes with open source support, to help you understand the software packages better.

How do these tools reduce security risks?

Static analysis helps developers deal with well-known but hard-to-understand security vulnerabilities. Take a buffer overflow as an example: when a buffer of insufficient or untrusted size is used to copy into memory, the application is potentially vulnerable. Buffer overflows cover so many different forms of exploits (such as the well-known Heartbleed flaw) that they are almost impossible to quantify. The issue isn't necessarily that developers don't understand what a buffer overflow is; rather, it's the size and complexity of the code base that makes one extremely difficult to find. SCA, on the other hand, uses a detailed model of the code base to identify and explain these issues in a way that helps developers fix them early in the development process.

The power of SCA isn’t limited to finding code vulnerabilities, it’s also an effective method for determining how compliant your code is to common security standards, like CWE or OWASP.

Open source software is used by over 50 percent of enterprise organizations today (from the 2014 Future of Open Source survey) yet it’s not surprising that most of them don’t know the extent of where and how open source is used. If open source isn’t tested to the same technical and performance requirements as the rest of your software, including security vulnerabilities, any product or service that includes it is potentially compromised (this issue is now number 9 on OWASP’s list of Top 10 Application Security Concerns). Open source scanning and support does two things:

It gives you a comprehensive picture of where open source is used throughout the organization, giving you the information you need to plan and execute security testing.

It provides up-to-date reports on known security vulnerabilities, patch levels, and versions.

Armed with the knowledge provided by open source scanning, your team is better positioned to combat security threats.
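As an added example of what such an inventory-driven report looks like (constructed data, not the output of any real scanning product; the package names, versions and advisory identifiers are placeholders), the following Python script reads pinned packages from a requirements-style manifest, expands the packages that those packages in turn bundle, and matches every reached package against a list of advisories with their first fixed version. The nested findings are the point the article makes: neither of them appears in the manifest, so a review of the manifest alone would miss them.

```python
"""Added example: a minimal open-source inventory audit on constructed data.
The manifest, the nested-dependency map and the advisories are made up for
the demo (package names and advisory ids are placeholders, not real ones);
the point is that a vulnerable package nested inside another is still found."""

# Constructed top-level manifest in pip requirements style.
MANIFEST = """\
# application dependencies (constructed)
acme-http==2.5.0
acme-web==1.1.4
"""

# Constructed: which packages each pinned package in turn pulls in.
DEPENDENCIES = {
    "acme-web==1.1.4": ["acme-templates==2.11.3", "acme-wsgi==1.0.1"],
    "acme-templates==2.11.3": ["acme-escape==1.1.1"],
}

# Constructed advisories: (package, first fixed version, placeholder id).
ADVISORIES = [
    ("acme-http", "2.6.0", "EXAMPLE-ADV-0001"),
    ("acme-templates", "3.0.0", "EXAMPLE-ADV-0002"),
    ("acme-wsgi", "2.0.0", "EXAMPLE-ADV-0003"),
    ("acme-escape", "1.0.0", "EXAMPLE-ADV-0004"),   # already fixed at 1.1.1
]


def parse_version(text):
    """Numeric dotted versions only; tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """{package: version} from `name==version` lines; comments are ignored and
    an unpinned line is an error, because you cannot audit what you cannot name."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def resolve(pins, dependencies):
    """Transitive closure over the dependency map, recording through which
    package each one was reached so the report can name the culprit."""
    reached = {}
    stack = [(name, version, None) for name, version in pins.items()]
    while stack:
        name, version, via = stack.pop()
        if name in reached:
            continue
        reached[name] = (version, via)
        for child in dependencies.get(f"{name}=={version}", []):
            child_name, _, child_version = child.partition("==")
            stack.append((child_name, child_version, name))
    return reached


def audit(manifest_text, dependencies, advisories):
    """Every reached package whose version is below an advisory's first fixed
    version is reported, with the direct dependency that dragged it in."""
    reached = resolve(parse_manifest(manifest_text), dependencies)
    findings = []
    for package, fixed_in, advisory in advisories:
        hit = reached.get(package)
        if hit and parse_version(hit[0]) < parse_version(fixed_in):
            findings.append({"package": package, "installed": hit[0],
                             "fixed_in": fixed_in, "advisory": advisory,
                             "via": hit[1] or "direct"})
    return findings


if __name__ == "__main__":
    for f in audit(MANIFEST, DEPENDENCIES, ADVISORIES):
        print(f"{f['package']}=={f['installed']} (via {f['via']}): "
              f"{f['advisory']}, fixed in {f['fixed_in']}")
```

A real scanner replaces the hand-written dependency map with what it discovers in the build tree and the advisory list with a maintained feed, but the two steps that matter, closing the dependency graph before matching and reporting the path by which a package arrived, are the same.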

The perfect combination

Static code analysis finds flaws before check-in and open source scanning finds flaws for code that you’re bringing in from the outside. Put the two together and you’ll not only have a complete picture of the potential weaknesses in your code, you’ll also be able to fix flaws earlier and faster than if you tried to do it manually.

About The Author

Art Dahnert is the Security Product Manager of Klocwork, a Rogue Wave Company. He is a distinguished software security engineer with over 17 years of security experience within the development process. Before joining Klocwork, Art performed numerous application security assessments while working at Trustwave Spider Labs, Symantec, Overwatch, Schlumberger, and BMC Software.

Challenges of Transferring Large Design Files

Selecting the right Data Exchange Solution for the transfer of large design files while ensuring privacy of information

By Eitan Bremler, Director of Product Marketing and Management, Safe-T Data

Today, thanks to improvements in design software and the increasing affordability of hardware processing, design departments in industrial organizations are able to create design files in very high resolutions and even three-dimensionally. While such files are very elaborate and highly detailed, they have one notable flaw: they are extremely large. It is not uncommon for an AutoCAD drawing to reach a size of 20 GB.

Such large files create a significant challenge for the IT managers in industrial organizations, requiring them to provide their engineering departments with tools for secure and easy file transfers to other departments within the organization and to external partners. This task may be relatively simple when both departments are located in the same facility, as all that is required is sharing the file via a network folder or FTP server located within the internal network. However, when the two departments are located in different facilities and networks, or the manufacturing is done by an external contractor, sharing multi-GB design files becomes a challenge.

The challenges of sharing large files stem from a couple of factors. First, design files are proprietary and include sensitive information, which means they must be securely transferred between internal and external users, ensuring they are not leaked or stolen in the process. For example, imagine a large airplane manufacturer’s newest design is leaked to a competitor; that could be disastrous for the company's product line.

Second, transferring large files requires special tools to accommodate the files’ large sizes, as the currently available standard tools are not suitable:

Standard email solutions (e.g. Microsoft Exchange) cannot be used, as they usually limit attachments to 10 MB and block anything larger.

Using an FTP server is a viable solution within the same organization, but when it is used to connect two remote locations spanning geographies or organizations, it lacks enterprise-grade features such as secure transfer, DLP, QoS (quality of service), password encryption, transfer auditing, etc.

Cloud solutions with simple user interfaces, such as Hightail or Dropbox, are by no means enterprise-grade solutions either. These choices suffer from the same issues that affect FTP servers (security, auditing, QoS, etc.). In addition, the fact that they are hosted solutions means the data does not reside on the organization’s premises, and there is usually no indication of the physical location of the cloud provider’s data center.

It is clear that the required solution should provide the ability to easily transfer large files between locations and organizations, as well as be able to ensure the file transfer is secured, managed, and controlled.

When selecting a secured file transfer solution, IT should look for advanced email encryption solutions which offer a high level of security and ease of use. The solution should work with any email client (Outlook, mobile, etc.) using specialized plug-ins which provide the means to send messages and attachments of any size and type securely and transparently. The sent attachments should be stored in encrypted form within the internal network, and only a download link should be sent to the recipient, thus ensuring the highest level of security and privacy for shared files.

A good advanced email encryption solution allows sending secure emails without disrupting the normal routine of the sender or recipient. It also allows both parties to continue to work with their familiar email clients, while guaranteeing secure delivery and receipt of emails and attachments.

For organizations who do not wish to deploy specialized plug-ins, some solutions offer their own centralized SMTP gateway. Such gateways allow monitoring and handling incoming and outgoing email messages. Once the gateway receives an email message, it scans the message attributes, including the message subject, body, header, attachment type, and size; then, based on pre-defined rules, it performs the required action: encrypt, drop, forward, etc.

Lastly, IT should also look at solutions which allow for automatically enforcing security policies on outgoing and incoming emails. Outgoing emails should be authenticated, scanned with a data loss prevention (DLP) solution, and encrypted to ensure only approved data is shared securely. Incoming emails should be authenticated, scanned for viruses and malware, and decrypted.
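The gateway behaviour described in the last three paragraphs, as an added worked example in Python (not code from the article or from any product it mentions): each message's sender authentication, attachment types and sizes, subject and body are checked against an ordered rule list, and the first matching rule decides whether the message is dropped, encrypted, stored on premises with a download link, or simply forwarded. The internal mail domain, the extension lists, the DLP markers and the sample messages are assumptions constructed for this example.

```python
"""Rule-based mail gateway policy (added illustration; all names constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MiB = 1024 * 1024
ATTACHMENT_LIMIT = 10 * MiB                    # the 10 MB mail limit mentioned in the article
INTERNAL_DOMAIN = "@example-corp.test"        # assumed: the organisation's own mail domain
DESIGN_EXTS = {"dwg", "dxf", "step", "stp", "iges"}   # assumed list of CAD formats
BLOCKED_EXTS = {"exe", "scr", "js", "vbs"}            # assumed list of executable types
DLP_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")       # assumed classification markers


@dataclass
class Attachment:
    name: str
    size: int                                 # bytes


@dataclass
class Message:
    direction: str                            # "outgoing" or "incoming"
    sender: str
    recipient: str
    subject: str
    body: str
    authenticated: bool                       # result of an upstream SMTP AUTH / DKIM check (assumed)
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    match: Callable[[Message], bool]
    action: str                               # "drop", "encrypt", "store_and_link" or "forward"


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _external(msg: Message) -> bool:
    return msg.direction == "outgoing" and not msg.recipient.lower().endswith(INTERNAL_DOMAIN)


def _has_dlp_marker(msg: Message) -> bool:
    text = (msg.subject + "\n" + msg.body).upper()
    return any(marker in text for marker in DLP_MARKERS)


# First match wins, so the list runs from most to least restrictive.
RULES: List[Rule] = [
    Rule("unauthenticated-sender", lambda m: not m.authenticated, "drop"),
    Rule("blocked-attachment-type",
         lambda m: any(_ext(a.name) in BLOCKED_EXTS for a in m.attachments), "drop"),
    Rule("classified-content-to-external",
         lambda m: _external(m) and _has_dlp_marker(m), "drop"),
    # Large or design-file attachments never travel in the mail itself: the gateway
    # keeps them encrypted on premises and the recipient receives a download link.
    Rule("oversize-or-design-attachment",
         lambda m: any(a.size > ATTACHMENT_LIMIT or _ext(a.name) in DESIGN_EXTS
                       for a in m.attachments), "store_and_link"),
    Rule("external-recipient", _external, "encrypt"),
]


def evaluate(msg: Message, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule_name) for the first rule that matches, else forward."""
    for rule in rules:
        if rule.match(msg):
            return rule.action, rule.name
    return "forward", "default"


def classify_samples() -> Dict[str, str]:
    """Run constructed sample messages through the policy; returns name -> action."""
    samples = {
        "cad-to-contractor": Message("outgoing", "eng@example-corp.test", "cnc@contractor.test",
                                     "Bracket rev 7", "Drawing attached.", True,
                                     [Attachment("bracket_rev7.dwg", 20 * 1024 * MiB)]),
        "classified-to-partner": Message("outgoing", "eng@example-corp.test", "sales@partner.test",
                                         "CONFIDENTIAL: Q3 pricing", "See below.", True),
        "unauthenticated-inbound": Message("incoming", "noreply@unknown.test", "eng@example-corp.test",
                                           "Invoice", "Please pay.", False),
        "executable-inbound": Message("incoming", "vendor@supplier.test", "eng@example-corp.test",
                                      "Update", "Run the attached.", True,
                                      [Attachment("update.exe", 2 * MiB)]),
        "small-pdf-external": Message("outgoing", "eng@example-corp.test", "cnc@contractor.test",
                                      "Schedule", "Attached.", True,
                                      [Attachment("schedule.pdf", 1 * MiB)]),
        "small-pdf-internal": Message("outgoing", "eng@example-corp.test", "qa@example-corp.test",
                                      "Schedule", "Attached.", True,
                                      [Attachment("schedule.pdf", 1 * MiB)]),
    }
    return {name: evaluate(m)[0] for name, m in samples.items()}
```

Rule order matters: the drop rules come first so that an unauthenticated or policy-violating message is never stored or encrypted, and the store-and-link rule sits before plain encryption so that a 20 GB drawing is never pushed through the mail path at all.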

Using the solution described above, IT teams can empower engineering departments to securely send their large design files (e.g. AutoCAD) to manufacturing departments or external contractors using encrypted emails.

About The Author

Eitan Bremler, Director of Product Marketing and Management, Safe-T Data.

He is responsible for the planning, positioning, and go-to-market strategy of Safe-T’s security and collaboration solutions company-wide. He has diverse technological, field engineering, product management, and marketing experience, including: design, implementation, and launching networking, collaboration, and security solutions. He has a solid background in working closely with US, European, and Asian customers from both enterprise and carrier/telecommunication markets. His expertise extends to networking, application and network security, internet technologies, virtualization, and cloud computing technologies.

Eitan Bremler can be reached online at ([email protected], @ebremler) and at our company website http://www.safe-t.com/.

Hackers Target Industries and Infrastructure

Cyber terror for Mega Industries

By Sathram Shiva Kumar

What is SCADA

Supervising machinery and industrial processes on a routine basis can be an excruciatingly tiresome job. Standing beside a machine, or being on 24x7 patrol duty around the assembly line equipment checking temperature levels, water levels and oil levels and performing other checks, would be considered a waste of a technician's expertise on trivial tasks. To get rid of this burdensome task, engineers devised equipment and sensors that prevent, or at least reduce the frequency of, these routine checks. As a result, control systems and their various offspring, such as SCADA systems, were formed. Supervisory Control and Data Acquisition (SCADA) offers the ease of monitoring sensors placed at a distance from one central location.

Hacking into SCADA

“Hey you, I paid my bills, please patch my electric plant system”: these are rights we will have to demand in the coming days! Industrial control systems (ICS) need to be patched; before too long our dams may be opened and nuclear plants may be brought down by a cyber-attack!! Yes, it has started around the globe and may never stop. SCADA (supervisory control and data acquisition) systems are used to monitor and control a plant or equipment in industries such as energy, water, power, transportation, and many more. I define SCADA as the heart of any ICS.

The Syrian cyber group called the SEA (Syrian Electronic Army) announced an attack in May 2013 against strategic Israeli infrastructure systems in Haifa, which led to the revelation that attackers had targeted the irrigation control system of kibbutz Sa’ar near Nahariya in 2012. An Iranian hacker group, Parastoo, attacked in military style the California PG&E Metcalf facility and also the International Atomic Energy Agency in 2012. And the dangerous jihad terror group named Yaman Mukhaddab’s Electronic Jihad group has already had 100 volunteers since it started in June 2011. These are only a few incidents; many terror groups and private security firms will be involved in the coming future, and governments and industry owners have to take SCADA security seriously. If not, the owners will have to convince their wives; I mean, we all face a serious threat from other countries, and by the stats the US is a major target for many countries.

SCADA must be coded with deep security measures, and an antivirus for SCADA is much better, which Kaspersky has already started developing. Most SCADA systems are using Windows 95 and XP because they were purchased 25 years ago, and they must definitely be patched; there are thousands of industries with this configuration which are primary targets. A security researcher from IOActive could compromise an industrial facility from 40 miles away with $40, the Chinese have gone through US water plants, and there are script kiddies who can hack into the chemical industry, which may cause serious environmental damage.

SCADA apps are also available for many industries; Inductive Automation is the top firm to start successful SCADA apps to maintain perfect security, just like the Android and iOS apps that protect our phones. In order to meet the needs of future power systems we have to deal with SCADA issues in a flexible and secure way; the technological and methodological changes must be addressed in global terms. SCADA and ICS software/hardware do not go through the same rigorous security lifecycle process as Information Technology systems.

These systems typically lag the IT world by 10 to 15 years, so we are only recently seeing the large control systems vendors building plants to test their products for security flaws, although until now these systems were not tested even for a simple buffer overflow, and there has been a 753 percent increase in vulnerability disclosures for ICS over the past years. Most of the vulnerability reporters have been researchers without an ICS background. I feel many are developing an interest in SCADA systems, seeing the connections between the cyber and kinetic worlds.

Traditional problems in SCADA

The people who run the plant are trying to squeeze the maximum amount of yield from their plant. Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but these guys aren't listening to that. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources.

These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry the cost of applying a single patch may run well into the millions of dollars because every change has to be meticulously audited. There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".

No person involved in the industry wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce, untouched, for 20-30 years. A good start to fixing things would be to air gap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with a hardened DMZ (demilitarized zone) machine in between. The DMZ can be locked down hard and updated carefully, and it never needs to hold systems that need careful certifying, as it should never be in the control loop; it only does out-of-band monitoring.

SCADA in the cloud is faster but also dangerous

In my view, factories in the future will have full-scale wireless networks supporting a robotized production process and safety control mechanisms. Operating personnel in future factories will be confined to workstations inside control rooms. Tablets and mobile platforms will allow them to track on-site processes from their devices on the move. The emergence and adoption of cloud computing will enable factories to access relevant strategic data from the internet to execute real-time decisions and enhance operational efficiency; it will gradually become the major means of data storage and intelligence building and will also reduce capital expenditure. In essence, future factories will have wireless networks supporting a highly automated production process.

The global SCADA market has continued to experience high growth across different end-user sectors and geographic regions. Based on recent stats, the global SCADA market accounted for $4,584.4 million in 2009 and is projected to grow at a compound annual growth rate (CAGR) of 6.0 per cent from 2009 to 2016. The oil, gas, power, nuclear, waste water and electrical industries were key industrial segments employing SCADA solutions and are likely to offer high growth opportunities in the coming years. SCADA in the cloud will open a high possibility of cyber-attacks across a wide spectrum, but neglecting SCADA safety is neglecting NATIONAL PRIDE.

About The Author

I am Sathram Shiva Kumar, 18 years old, with an Asian Book of Records entry for the longest IT marathon. I am a team member of the Cyber-Physical Systems Virtual Organization for medical and transportation devices and have great curiosity about IT security.

Modern Cyber Defenses: An Industrial Dilemma for Energy and Utilities

We have now entered the age of digital criminality, in which well-organized and well-funded criminal groups are using sophisticated cyber techniques to carry out theft, fraud, and intrusion attacks on an unprecedented scale. Traditionally, cyber criminals have looked to penetrate systems, gather information and leave with valuable data and intelligence. However, a new wave of cyber-attacks has taken shape with the aim of targeting and taking control of critical operational infrastructure such as the electricity grid, water or gas supply systems that have seen increased connectivity to corporate networks.

In fact, according to a report from the US Department of Homeland Security (DHS), there was an enormous increase in the number of attempted cyber-attacks on the energy sector in 2013, with 53 per cent of cyber incidents handled by this department in the first half of 2013 in the Energy & Utility (E&U) sector.[1] These organizations must, therefore, react to the modern cyber threat and elevate their cyber defences to protect both information and system integrity.

An Evolving Threat

E&U companies are becoming increasingly automated in their processes, which has led to new-found efficiencies in managing areas of critical infrastructures as well as new entry points into those systems – a trend expected to increase over the next 10 years.

An early instance of this new vulnerability was seen in 2010 with the Stuxnet computer worm, which attacked the industrial Programmable Logic Controllers (PLCs) that automate electromechanical processes at a nuclear facility in Iran. Stuxnet disrupted industrial systems by causing the centrifuges to fail.

Since then other attacks on the energy sector have been seen around the world. In December 2012, a Denial of Service (DOS) attack on a German renewable energy firm, 50Hertz, lasted five days and ensured that the organization’s internet communications systems remained offline for the period. More recent attacks such as , have shown just how critical it is for organizations to protect their networks.

The larger and more diverse the organization, the greater the number of network vulnerabilities for cyber attackers to exploit – and energy and utility companies are particularly vulnerable. The size of the power grid makes it extremely susceptible to attack from cyber criminals, and with every city having its own installation which feeds into the main grid, attacks are even harder to detect. Needless to say, the integral nature of the grid to the national infrastructure means that an attack has the potential to wreak havoc on a colossal scale.

[1] http://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013.pdf

Modern Cyber Defences

These examples demonstrate that network intrusion can leave an organization open to more sophisticated threats that range from the theft of valuable information to full access/control of operations. Therefore, governments and organizations must improve their threat intelligence through both industry-leading technology and processes.

BAE Systems Applied Intelligence launched IndustrialProtect with these challenges in mind to allow organizations to monitor, protect and secure intelligence and operations amid the ongoing convergence of Operational Technology (OT) and enterprise Information Technology (IT).

IndustrialProtect works by verifying the identity of the individual or system sending information, that the information is received as it was sent and also that the content is intended and appropriate for the receiving system through five key features:

- Network segmentation without breaking critical business process,
- Prevention of unauthorized systems from exchanging information,
- Assurance that the integrity of information is preserved from source to destination,
- Transparency to existing systems and a very low attack surface, and
- Full remote management from a central console.

Critical systems, thereby, are protected from access, manipulation and control by those intending to carry out harm through disruption and sabotage.

Additionally, BAE Systems Applied Intelligence has a four-step process to test and assess the security of ICS for energy and utilities:

Step 1: Key stakeholder engagement

Working with key engineers and IT staff helps organizations understand the systems, the environment, their function and the platforms upon which they are hosted. In this first phase, it is important to identify whether there are any test environments which could be used for the assessment. To provide a strong assessment of the production environment, organizations need to determine how closely these test environments are configured to match the production system.

Step 2: System sensitivity mapping

The information obtained in the key stakeholder engagement can be used to develop system mappings and group the systems based on sensitivity and criticality. This lets organizations understand the systems and determine which ones are good for testing and which systems entail a high risk of compromising the operational availability. This system knowledge can then be used as a working tool for all future implementations in the environment.

Step 3: Vulnerability assessment

Once systems are cleared for testing, they need to be subjected to penetration testing. This process is similar to conventional penetration testing, but with these industrial control systems organizations need to make sure that they are not saturated and not denying service to legitimate users.

Step 4: Threat modeling

With the information obtained from testing performed on the ICS environment, a threat model can be developed and risks can be determined. This process is generally performed when a conventional penetration test is impossible. Threat modeling allows the organization to understand how the systems in the environment will be attacked, the types of compromises that will occur and the likelihood of attacks.

Conclusion

The threat landscape is constantly changing, and with it, modern cyber defences must evolve even more quickly. An enterprise approach to these challenges supported by technology, process and cooperation across the organization will help improve threat intelligence and stay one step ahead of cyber criminals in this age of digital criminality.

About the author

James Clark is an executive manager at BAE Systems Applied Intelligence, where he is responsible for managing and delivering cyber security services to clients in the energy and utilities sectors. James has significant experience within the industry, having served as an IT consultant for various major systems integrators. Since 2000, he has mainly focused on the energy, utilities and government sectors.

5 Ways to Better Protect Customer Card Data

By Avery Buffington, Information Security Architect, SecureNet

Lately, it seems as though we’re reading about a new data breach every day. From retail breaches, like Target and Michael’s, to corporate credit card breaches, such as Visa and most recently American Express cardholders in California, we are experiencing a turning point in security. Customers are less trusting of businesses and wary of paying with credit cards. Whether you’re a developer, security analyst or IT professional, consider the following best practices for protecting your customers’ card data and defending against a data breach.

Encrypt from point-to-point (P2PE). Simply put, card data in plain text format is in its most vulnerable state. Encryption can transform the plain text information into an unreadable code, known as ciphertext. When a card is swiped by a merchant that uses a P2PE solution, the data can only be decrypted by the card processor. This mitigates many of the weaker security points exposed when cardholder data is captured by a point-of-sale terminal in plaintext or decrypted in a back-of-house merchant system prior to sending to a processor for authorization. Encrypt card data from point-to-point and you’ve taken the first step in protecting your customers from attack.

Tokenize data. Many security players in the financial industry tout the ability to tokenize post-authorized credit card data. This means the information is tokenized only after it has been sent to the processor and bank for authorization and is on its way back to the merchant to complete the transaction. Tokenizing pre-authorized transactions, typically e-commerce transactions, allows users to register their payment methods with the payments processor’s secure vault. This raises security to a new standard and is not as commonplace in the industry. Customers’ sensitive card data never touches the retailers’ servers in plaintext because the merchant saves it in a tokenized form. This differentiator is critical if you consider the fact that most well-known data breaches (like that on Target) take place at the merchant server level.

DLPs, FIMs and HIDs. Data Loss Prevention systems can potentially stop a breach at the source. Beyond the standard security measures of firewalls, intrusion detection systems and antivirus, consider advanced DLP solutions that use heuristics, machine learning and reason-based algorithms. For example, behavioral pattern or traffic analyses can detect abnormalities within the server. Designated DLPs can use data matching and statistical analyses to prevent or detect unauthorized attempts to copy sensitive card data. File Integrity Monitoring and Host Intrusion Detection systems are both internal security controls that use baseline comparisons to monitor the behaviors of a computer system and detect changes. DLP, FIM and HID systems should all be considered part of the DLP “system,” working in conjunction to alert analysts of suspicious activity that could indicate compromise or data exfiltration.
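The two internal controls the paragraph above describes, baseline comparison (FIM) and data matching (DLP), as an added worked example in Python that is not code from the article or from any product it mentions. The first part hashes every file under a directory into a baseline and reports what was added, removed or changed (content or permission bits) on a later pass; the second part flags digit runs of card-number length that also pass the Luhn check, which is how a data-matching DLP rule separates real PANs from order numbers and timestamps. The directory layout, file names and sample text are constructed for the example.

```python
"""File integrity monitoring plus a PAN data-matching check (added illustration)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, NamedTuple


class FileRecord(NamedTuple):
    sha256: str
    size: int
    mode: int                                  # permission bits only


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Hash every file under root; the result is the baseline (or a later state)."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            records[rel] = FileRecord(digest.hexdigest(), st.st_size, st.st_mode & 0o777)
    return records


def compare(baseline: Dict[str, FileRecord], current: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Report files that appeared, vanished, or changed content/permissions since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


# A run of 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _luhn_ok(digits: str) -> bool:
    """Luhn check digit validation: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Data-matching DLP check: digit runs of PAN length that also pass the Luhn check."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and _luhn_ok(digits):
            hits.append(digits)
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a small directory, take a baseline, then make the changes an analyst would want flagged."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("pos.cfg", "terminal.log", "prices.db")}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("baseline content\n")
        os.chmod(paths["prices.db"], 0o640)               # fixed starting mode, independent of umask
        baseline = snapshot(root)

        with open(paths["pos.cfg"], "a") as fh:           # configuration tampered with
            fh.write("debug_dump=1\n")
        os.remove(paths["terminal.log"])                  # log deleted
        with open(os.path.join(root, "track2.tmp"), "w") as fh:   # unexpected new file
            fh.write("dump\n")
        os.chmod(paths["prices.db"], 0o666)               # permissions loosened, content unchanged
        return compare(baseline, snapshot(root))
```

In production the baseline is signed and stored off the monitored host, since an intruder who can rewrite the baseline can hide every change; the Luhn filter keeps the DLP rule from drowning analysts in false positives from innocuous long numbers.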

Egress filtering. Ensure stringent egress filtering standards are in place to both monitor and restrict the flow of data across networks. Most are familiar with utilizing firewalls to prevent malicious traffic from entering your server, but firewalls should also be leveraged to prevent arbitrary traffic from leaving an internal network. In a corporate setting, all traffic, save for a select group of servers, should be denied egress. The traffic that is allowed outbound should be subject to strict monitoring and response policies. For the point-of-sale environment, the Payment Card Industry Data Security Standard requires egress filtering from any server present in the cardholder environment. Egress filtering is a practice that goes beyond IT, requiring administrative and policy support for successful implementation. However, egress filtering can often be the final and most effective measure to prevent stolen data from being exfiltrated.

Network anomaly detection. Network behavior anomaly detection is an ideal complementary technology in the system of data protection, continuously monitoring the network for unusual occurrences and unusual traffic patterns. Anomaly detection can include traditional technologies such as network intrusion detection systems (NIDS), more modern technologies like web application firewalls (WAFs) and cutting-edge analytic solutions that capture, monitor and normalize traffic patterns and alert you to abnormalities. At the heart of all these technologies is how the information is collected, normalized and alerted on. The key to successful anomaly detection is monitoring and response, which depends heavily on prioritizing the events that analysts see. For example, an alarm related to the port scan of a public system most likely does not have the same severity and time-sensitive response as an alarm indicating an attempt to connect to an external FTP site from a sensitive internal network. By prioritizing alerting and response policies to favor events that are traditionally related to data exfiltration, analysts have a much better opportunity to catch such activity.
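The prioritization the last two paragraphs call for, as an added worked example in Python (not code from the article or from SecureNet): constructed firewall log lines are parsed, each connection is classified as inbound or outbound against the internal ranges, and a severity is assigned so that an outbound file-transfer connection from the sensitive network outranks an allowed-but-unlisted egress, which in turn outranks a port scan of a public host. The network ranges, the egress allow-list of "select servers", the log format and the sample lines are all assumptions constructed for the example.

```python
"""Egress-aware event prioritization over constructed firewall log lines (added illustration)."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

IPNet = ipaddress.IPv4Network
INTERNAL_NETS = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]
SENSITIVE_NETS = [IPNet("10.20.0.0/16")]        # assumed: the cardholder data environment
EGRESS_ALLOWED = {"10.0.5.10", "10.0.5.11"}     # assumed: the select servers permitted outbound
FILE_TRANSFER_PORTS = {20, 21, 22, 69, 873}     # FTP data/control, SSH/SFTP, TFTP, rsync

# Assumed log format: "<timestamp> <event> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

# Constructed sample lines; the documentation ranges 192.0.2.0/24 etc. stand in for public hosts.
SAMPLE_LOG = """\
2014-06-12T02:14:07Z portscan src=203.0.113.45 dst=192.0.2.10 dport=0 action=deny
2014-06-12T02:15:31Z connect src=10.20.3.14 dst=198.51.100.7 dport=21 action=allow
2014-06-12T02:16:02Z connect src=10.0.5.10 dst=198.51.100.20 dport=443 action=allow
2014-06-12T02:17:45Z connect src=10.30.1.9 dst=198.51.100.33 dport=443 action=deny
2014-06-12T02:18:10Z connect src=10.0.5.11 dst=10.0.7.2 dport=1433 action=allow
garbage line that the parser must skip
"""


def _in(ip: ipaddress.IPv4Address, nets: List[IPNet]) -> bool:
    return any(ip in n for n in nets)


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score(evt: Dict[str, str]) -> Dict[str, Any]:
    """Attach a severity and reason; higher severity means earlier analyst attention."""
    src, dst = ipaddress.ip_address(evt["src"]), ipaddress.ip_address(evt["dst"])
    outbound = _in(src, INTERNAL_NETS) and not _in(dst, INTERNAL_NETS)
    connect = evt["event"] == "connect"
    dport = int(evt["dport"])
    if connect and outbound and _in(src, SENSITIVE_NETS) and dport in FILE_TRANSFER_PORTS:
        sev, why = 90, "sensitive host reaching an external file-transfer service: possible exfiltration"
    elif connect and outbound and evt["src"] not in EGRESS_ALLOWED and evt["action"] == "allow":
        sev, why = 80, "egress allowed from a host outside the allow-list: filtering gap"
    elif connect and outbound and evt["src"] not in EGRESS_ALLOWED:
        sev, why = 50, "blocked egress attempt from a non-allowed host: check why it tried"
    elif evt["event"] == "portscan" and not _in(src, INTERNAL_NETS):
        sev, why = 20, "external port scan of a public system: routine"
    else:
        sev, why = 10, "baseline activity"
    return {"severity": sev, "reason": why, **evt}


def prioritize(log_text: str) -> List[Dict[str, Any]]:
    """Parse, score and order events so the analyst sees likely exfiltration first."""
    events = [score(e) for e in map(parse, log_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["severity"], reverse=True)
```

A denied egress attempt from a host that is not supposed to talk outbound still scores above routine noise: the firewall did its job, but the host tried, and that is usually the first visible sign of a compromised machine.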

About The Author

Avery Buffington is the Information Security Architect for SecureNet, an end-to-end omni-channel payments processor based in Austin. Avery has 13 years of experience in the data security and financial services industries, and graduated with a Bachelor of Science in Engineering from Texas A&M University.

Avery can be reached online via the SecureNet website: http://www.securenet.com.

In-house vs. Outsourcing: 24-Hour Cybersecurity without the Capital Investment

by Patrick Hayes, Managing Director, Seccuris Inc.

Hackers and criminals breach organizations by taking advantage of vulnerabilities within networks. Attackers are like water: they pour over every inch of your enterprise network until they find a leak. Then they break in, causing irreparable damage to your bottom line and reputation. Over the past decade, the level of attacks, breaches and potential dangers to vital data/information security have escalated to the point where organizations in every industry are taking measures to ensure their assets and technical infrastructures are safeguarded.

A key part of that protection is knowing where your environment is vulnerable and the type of risks that may threaten it. While there are several threat and vulnerability monitoring options available, including Security Information and Event Management (SIEM) products, which have been gaining popularity, the key is determining which option is the most effective for your organization. No matter which solution you choose, in most cases, it will cost you a considerable amount of time, money and effort to install, develop and maintain both the technology and personnel necessary to monitor your environment 24 hours a day. But there are more efficient and cost-effective alternative solutions available.

Rather than installing an in-house monitoring system, such as a SIEM, consider outsourcing the responsibilities to a proven Managed Security Services Provider (MSSP) that will observe and preserve critical data on your behalf. In order to determine whether building in-house or using an MSSP is the right choice for your organization, there are several factors to consider. The most significant are the rising costs and lack of qualified resources necessary to get the SIEM platform up and running, not just racked and taking in feeds. You also need to consider personnel expertise and training, as well as technology, infrastructure, and accountability.

Dedicated Security Professionals vs. In-House Staff

While your staff may work during normal business hours, hackers and criminals don’t. They can attack at any moment of the day or night, so your network needs to be protected 24 hours a day. However, in most cases, organizations with an in-house security service are only able to dedicate staff part-time due to cost constraints, or simply because there aren’t enough perceived responsibilities to justify adding personnel to monitor the service full time. As a result, it’s difficult to expect an in-house team to develop the same expertise as the Information Security Analysts (ISAs) employed by MSSPs.

MSSP analysts not only work exclusively in the area of information security, but they can also bring a broad, cross-industry perspective to the service. Typically, since MSSP analysts possess years of experience providing information security to multiple clients, they’ve developed insights and expertise in a wide variety of vital security issues, effective solutions, and essential products.

MSSPs that are full-service information assurance firms will also typically support capability teams across various security specialties, including threat and vulnerability management, audit and compliance, design and architecture, and much more. Thus, the right MSSP can provide a higher level of expertise and value to your organization than trying to hire (and rehire), develop and maintain a full-time in-house department and personnel.

State-of-the-Art Infrastructure

The best MSSPs will have established, dedicated Security Operations Centers (SOCs) that are physically hardened sites with state-of-the-art infrastructure managed by trained personnel and security analysts. These SOCs are also frequently government certified for secure data handling and controls. This certification requires regular audit and assessment of the logical and physical security controls in place, as well as security clearance requirements for all staff working within the SOC. This provides a level of assurance and infrastructure resiliency that would be difficult, or even impossible, for organizations to replicate in-house.

Rapid Deployment

Often the challenge most organizations must tackle while developing an in-house security management capability comes down to time-to-value. When implementing a service in-house, organizations are faced with installing and configuring hardware and software, integrating the devices within their environment (especially if the system doesn’t perform the way it claims in the product literature), the steep learning curve that often comes with automating the security information, and understanding the organization’s security priorities.

Service deployment by an MSSP, on the other hand, can typically be much faster. The service may not require remodeling of enterprise network infrastructure, customer technical expertise, or server management. Depending on the underlying technology used by an MSSP, they may also be in a position to begin monitoring data and threats right away. The ability to integrate various data sources, regardless of their type or manufacturer, also means minimal set-up costs, little or no cost to replace existing IT assets, and significant flexibility in how you apply technology.

24-Hour Responsiveness

Most MSSPs offer real-time security monitoring and services 24 hours a day, seven days a week. Information security solutions and technologies such as firewalls, intrusion detection and prevention systems (IDS/IPS), virtual private networks (VPNs), and vulnerability assessment tools are far more effective when they are managed and monitored by the dedicated, trained and specialized security services professionals offered by MSSPs. These professionals are better able to determine the validity and true priority of every security threat and vulnerability. They focus on security response efforts so your organization's in-house staff can concentrate on other vital IT issues. MSSPs also provide an enhanced level of support for products developed by the MSSP, as well as trusted third-party provider products monitored by the MSSP.

MSSPs also offer organizations service level agreements (SLA) for the service standards they provide, including availability, response and escalation service level expectations. This can be very difficult and costly to replicate in-house because staff may be limited to monitoring during the day. Even organizations that implement on-call services after hours don’t have the full protection that 24-hour MSSP services offer. With an MSSP, you can increase your security without increasing your security staff.

Improved Decision Making at all Levels

Knowledge is power, especially where security is concerned. “Knowing what I don’t know” is a common phrase these days with IT personnel and executives. An experienced MSSP can help you know what you don’t know by focusing on threats and incidents that impact your entire business, not just your perimeter, 24 hours a day. They can also align the priorities of these threats. That way the MSSP can alert your organization about events that deserve your immediate attention, while they continue to investigate lower-priority risks.

Experienced MSSPs will also provide you with comprehensive reporting on the performance of your threat management service so you can make more effective risk-based decisions at every level. Executives get a top-down view of your organization’s security risk exposure and how it affects your business objectives and critical information assets. IT Security Managers receive an operational view of the status of security incidents and current security posture so they can plan security operations and execute day-to-day activities efficiently. Network and IT Analysts will have access to information that helps them identify and correlate threat events, prioritize and respond to incidents, manage vulnerabilities, and support security operations.

Operational Security without the Capital Investment

In order to provide the same level of 24-hour monitoring service as an MSSP, you need to consider costs that include the hardware and software, future upgrades and replacements, a minimum of four security analysts who require initial and ongoing training, and the supporting infrastructure to accommodate all of them. In most cases, these costs are considerably more than most budgets will allow. In contrast, MSSPs use a utility/shared services model that enables operational costs to be spread over multiple clients. That means your cost-per-client for the MSSP’s services is less than what you would pay to develop and maintain an in-house program.

So, when considering whether to build out your in-house security operations capability or partner with an MSSP, make sure you weigh the key factors of expertise, training, staff, technology, infrastructure, accountability, and the cost associated with maintaining them on a continuing basis. That way, you can choose the right security solution to protect not only your network and data, but also your organization’s ability to conduct business on a daily basis.

About the Author

Patrick Hayes is Managing Director for Seccuris Inc., a leading information security consulting, risk management, and managed security services firm serving North America since 1999. He is a seasoned business leader with over 20 years of experience in Information Technology strategy. Patrick is a certified Enterprise Security Architect and PCI-DSS QSA. During the course of his career, he has operated in several key senior technology and operation roles accountable for strategic direction, organizational alignment, and execution. Contact him through LinkedIn at https://www.linkedin.com/in/phbalance, or at the Seccuris website: http://www.seccuris.com.

VLM: Vulnerability Lifecycle Management Mismanaged by Many

Vulnerability Lifecycle Management (VLM) can be a polarizing subject. Many people do not generally endorse the term, or think that VLM is a critical part of their security operations, at least until they think about what VLM really is: the active management and mitigation of known vulnerabilities in your environment. Then, most people would consider VLM one of the most basic processes of an IT security team. And the reality is that it should be. When you detect a vulnerability in your environment, you close the vulnerability or find a way to mitigate the effect it could have on your environment. The function and process you use to manage, track and report on the status of those vulnerabilities is your VLM.

The most obvious question is “Does a VLM system work?” When we compared clients with a VLM system to clients without one, we found on average four times the number of exploitable vulnerabilities in organizations without a mature VLM program. In that same vein, security programs with proactive VLM systems realized a 20 percent faster remediation time across the board. Especially since it can have such a profound impact on the organizational environment, the ability to effectively manage vulnerabilities that you know exist in your environment should be a basic security control. Yet, when we see organizations with no formal VLM, it is clear that the basics are not being done well by all organizations.

We look at vulnerability management in terms of a comprehensive lifecycle: something that is basic, repeatable and ongoing, and an integral part of an organization’s success in meeting immediate security challenges. A well-designed VLM program will also go a long way towards addressing an organization’s future information security needs. Some vendors offer regular, monthly patches for their systems and software. That’s fantastic for organizations with automated tools to digest and apply patches. But what can organizations with limited staff and budget do to better defend against and remediate continuing threats that seem to appear daily?

What Are the Vulnerabilities That Put Organizations in Harm’s Way?

Even though VLM is such a critical, yet basic, part of an information security team’s toolkit, the industry is still plagued by relative complacency. Regular comparison of identified vulnerabilities shows that many sites include unpatched vulnerabilities as much as 10 years old, even though there are patches available. Many organizations remain exposed to these common vulnerabilities, simply because they have not tracked and patched them. When attackers consider this, it has two specific effects on attacker techniques:

Research indicates exploit kit developers are pruning older exploits and favoring newer ones, as 78% of current exploit kits are taking advantage of vulnerabilities less than two years old. Meanwhile, the creators of these kits are actually ramping up their capabilities to leverage more recent vulnerabilities. Attackers know organizations are slow to patch, so appreciate that many organizations will continue to be vulnerable to more recent exploits for some time.

In addition to new exploits, cybercriminals are taking advantage of vulnerabilities that organizations have identified as low priority or no longer consider a threat. Fifty percent of vulnerabilities identified in 2013 were more than three years old. Organizations have effectively been ignoring some of these vulnerabilities for nearly a decade. These vulnerabilities are no longer on the Top 10 lists, and are no longer getting the same level of attention as the newer, more current vulnerabilities, so they sometimes “fall off the list.” Attackers continue to take advantage of the “forgotten” vulnerabilities by maintaining exploits for some older vulnerabilities in current toolkits, simply because they know the exploits still work.

This statistic merely reinforces the point that organizations do not have effective VLM systems, and are drastically lagging when it comes to patching older, known vulnerabilities.

These two facts are key to understanding what makes a VLM system effective. At the end of the day, organizations must account for the scope of systems affected as well as the root cause of the vulnerability. Making one small change to an operating system configuration which addresses 20 outstanding high and medium vulnerabilities has a much higher ROI on your security spend than taking days to address a vulnerability that affects a single system. The most effective risk-based approach is the “find it, understand root cause, fix it forever and for everything, move on” approach. Organizations with this mentality spend less effort addressing vulnerabilities and are more likely to avoid future threats, but this is not a process that is easily managed on an Excel spreadsheet. We categorize the approaches to VLM into four buckets.

Four Common Approaches to VLM: The Good, The Bad, The Ugly

Risk-based. Many organizations take a simplified risk-based approach, reviewing the vulnerability scan results by severity, starting at the highest severity and working their way down. This can be inefficient, and potentially dangerous, because it treats all the highest severity vulnerabilities as equal. In reality, they are not equal, and this reinforces a “find it, fix this one, move on” mentality which ignores the root cause.

Asset-based. Some organizations take an asset-based approach. These organizations consider which vulnerabilities are detected on critical assets or subnets and remediate those first. This is typically blended with the risk-based approach, which is good, but root cause analysis still typically takes a back seat to the “fix it now” pressures the security organization faces.

Operational. Organizations which take an operational approach analyze the data by fix type such as patches, operating system, application configuration, etc., then build a to-do list for the appropriate operational team and assign ownership to the team. This process includes plans for the organization’s next vulnerability re-scan to measure how the operational team is doing.

PCI-based. PCI recommends organizations take a risk-based approach towards remediating vulnerabilities. These organizations often take a strict pass/fail approach – if the vulnerability would cause a failing report, that’s what the organization fixes first. For example, there is an issue with a Denial of Service vulnerability assigned a Common Vulnerability Scoring System (CVSS) score of 10.0, but considered “passing” by PCI. It is not out of the realm of possibility that it could be ignored by most organizations because it wouldn’t affect their PCI-compliance status.

Given these types of processes, it is crucial that organizations understand the root cause of vulnerabilities and identify security controls which failed or were missing. Organizations tend to look at vulnerabilities as something that happened to them rather than taking a proactive approach to understand why their systems and environments become, and oftentimes remain, vulnerable. This is not to discount the fact that some vulnerabilities are legitimately the result of weaknesses in the firm’s software, but in many cases the vulnerability results from actions taken, or not taken, by the organization.

VLM shouldn’t just be about reporting the number of critical, serious, or informational vulnerabilities in January and repeating the same statistics in February, March and so on. It should be an analysis of what third-party vendors, products, security controls or processes caused the vulnerabilities and what was done to address them. The most secure organizations emphasize what can be done to prevent similar vulnerabilities in the future.

The results are only meaningful if they actually help you manage the vulnerabilities and improve the organization’s overall security posture. Not all vulnerabilities pose an equal threat to the organization, and not all vulnerabilities can be closed with the same level of effort. The “find it, fix it and move on” approach misses the opportunity to avoid future threats through increasing the baseline security of deployed systems and that is where organizations are missing the mark. VLM should be about understanding what the root cause of the vulnerability is, how it impacts your organization, addressing that cause, remediating the vulnerability and validating the fix across repeated scans via ongoing verification of the security control. An effective VLM will not just ensure that isolated patches have been applied to specific systems, but will improve the effectiveness of actually managing (identifying, tracking, mitigating and reporting) vulnerabilities across the entire enterprise.
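The root-cause grouping and re-scan validation described above, as an added example (not code from the article or from Solutionary). The scan findings are constructed, and the record fields (host, plugin, severity, root_cause) are assumptions; a real scanner export would need to be mapped onto them. It ranks root causes by how many findings one fix closes, diffs a baseline scan against a re-scan, and flags root causes that were fixed on some hosts but not all, which is the “fix it forever and for everything” check:

```python
"""Root-cause grouping and re-scan validation for vulnerability lifecycle management.

Added example, not code from the article or from Solutionary. The scan findings below
are constructed, and the record fields (host, plugin, severity, root_cause) are
assumptions; a real scanner export would need mapping onto them.
"""
from collections import defaultdict

# Constructed baseline scan: one record per (host, finding). Severity is CVSS-like.
SCAN_JAN = [
    {"host": "web01", "plugin": "TLS 1.0 enabled", "severity": 5.0, "root_cause": "tls-config"},
    {"host": "web02", "plugin": "TLS 1.0 enabled", "severity": 5.0, "root_cause": "tls-config"},
    {"host": "web03", "plugin": "TLS 1.0 enabled", "severity": 5.0, "root_cause": "tls-config"},
    {"host": "web01", "plugin": "Weak cipher suites", "severity": 7.5, "root_cause": "tls-config"},
    {"host": "web02", "plugin": "Weak cipher suites", "severity": 7.5, "root_cause": "tls-config"},
    {"host": "db01", "plugin": "Unsupported DB version", "severity": 9.8, "root_cause": "db-upgrade"},
    {"host": "hr01", "plugin": "Missing OS patch (2013)", "severity": 8.1, "root_cause": "os-patching"},
    {"host": "hr02", "plugin": "Missing OS patch (2013)", "severity": 8.1, "root_cause": "os-patching"},
]

# Constructed re-scan a month later: the TLS template was pushed to web01/web02 only,
# the HR hosts were patched, db01 is untouched, and a new finding appeared on web02.
SCAN_FEB = [
    {"host": "web03", "plugin": "TLS 1.0 enabled", "severity": 5.0, "root_cause": "tls-config"},
    {"host": "db01", "plugin": "Unsupported DB version", "severity": 9.8, "root_cause": "db-upgrade"},
    {"host": "web02", "plugin": "Outdated web server", "severity": 6.5, "root_cause": "web-patching"},
]


def group_by_root_cause(findings):
    """Summarise findings per root cause: count, affected hosts and highest severity."""
    groups = defaultdict(lambda: {"findings": 0, "hosts": set(), "max_severity": 0.0})
    for f in findings:
        g = groups[f["root_cause"]]
        g["findings"] += 1
        g["hosts"].add(f["host"])
        g["max_severity"] = max(g["max_severity"], f["severity"])
    return dict(groups)


def prioritise(findings):
    """Order root causes by how many findings one fix closes, then by max severity.

    A severity-first list would start with db01 (9.8); this ordering starts with the
    TLS template, one change that closes five findings on three hosts.
    """
    groups = group_by_root_cause(findings)
    return sorted(groups, key=lambda rc: (groups[rc]["findings"], groups[rc]["max_severity"]),
                  reverse=True)


def remediation_status(baseline, rescan):
    """Diff two scans on (host, plugin): what closed, what is still open, what is new."""
    before = {(f["host"], f["plugin"]) for f in baseline}
    after = {(f["host"], f["plugin"]) for f in rescan}
    return {"closed": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}


def incomplete_fixes(baseline, rescan):
    """Root causes fixed on some hosts but not all: the 'fix it for everything' check."""
    still_open = {(f["host"], f["plugin"]) for f in rescan}
    totals, closed, remaining = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in baseline:
        rc = f["root_cause"]
        totals[rc] += 1
        if (f["host"], f["plugin"]) in still_open:
            remaining[rc].add(f["host"])
        else:
            closed[rc] += 1
    return {rc: {"closed": closed[rc], "total": totals[rc], "remaining_hosts": sorted(remaining[rc])}
            for rc in totals if 0 < closed[rc] < totals[rc]}


if __name__ == "__main__":
    print("fix order:", prioritise(SCAN_JAN))
    print("status:", remediation_status(SCAN_JAN, SCAN_FEB))
    print("partial fixes:", incomplete_fixes(SCAN_JAN, SCAN_FEB))
```

On the constructed data the severity-first approach would start with the single database host, while the root-cause ordering puts the TLS configuration template first because one change closes five findings. The February re-scan then shows that the template reached only two of the three web servers, which is exactly the kind of half-applied fix the article warns gets lost in a spreadsheet.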

About the author

Jon-Louis Heimerl is the senior security strategist for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.

Don’t Let the Fox Into the Henhouse: Recent Breaches Serve as a Reminder to Keep Your Network Segmented

By Reuven Harrison, CTO, Tufin

In light of recent breaches, where third-party credentials have been used to access entire networks, IT organizations are turning their attention to the risks that can result from basic network segmentation errors.

Clearly anyone who’s not directly managing these systems should not have access to them, but let’s say a very determined and skilled hacker finds their way in - how can you quarantine your most vulnerable systems to keep them from falling victim to the ‘lateral movement’ that many of today’s most sophisticated attacks leverage?

Proper network segmentation is perhaps the most effective way to do this, but make no mistake, network segmentation is very hard. Complex networks house hundreds of devices, and enterprises typically have complicated security policies with hundreds of rules. At Tufin, we see customers with hundreds of firewalls, routers and switches across their network, each on average having hundreds of rules per device. A typical enterprise therefore has to consider tens of thousands of rules when segmenting their network, to maintain a secure and compliant enterprise.

In addition, most organizations are dealing with dozens of changes a week to support new business applications, and users are demanding technologies like virtualization and cloud – each of which is a force-multiplier to this complexity and can impact the integrity of network segments.

In many organizations, network segmentation has been a ‘set it and forget it’ effort, which once done is almost immediately out of date. But network segmentation needs to be managed, and security policies continuously enforced to maintain the desired network segmentation.

It’s helpful to think of your network in zones, so you can visualize and manage your network segmentation, either manually or in an automated fashion.

Consider the business drivers as you map out your zones, including compliance (e.g., PCI DSS), industry or company-specific risks, third-party contractual requirements, and company-specific business processes.

Once you have mapped this out, you can instantly see detailed insights on your network segmentation, such as what services are allowed between different network zones, zone sensitivity etc.

When you can easily visualize your zoning, it enables you to quickly understand traffic-flow restrictions between zones, the level of sensitivity within each zone, and zone-to-zone policies that need to be applied.

Employing A Security Zone Matrix keeps you in control of your network security

Enterprises have hundreds of applications serving multiple lines of business, which adds an order of magnitude to the complexity of any change and must be factored into any segmenting exercise.

For example, when an organization rolls out a new application that requires interaction with several other resources in the network, a visual map of how this application interacts with other resources can help ensure that only the business required communications are allowed, while other types of communication are blocked.

One customer we work with has segmented their network into 40 zones, split based on risk assessments, business and compliance requirements. Some of the key segmentation they do includes separating the development network from the Internet, and even from the general enterprise network, so as to minimize any leakage of intellectual property or the risk of viruses entering that network.

In addition, organizations need to consider how they can be alerted on policy violations, so that changes made ‘out of band’ can be immediately remediated, and security administrators made aware of gaps between desired and actual segmentation. Organizations should consider obtaining the ability to visually validate that the desired segmentation is the same as the actual (or enforced) segmentation.

And they should analyze every network change across multi-vendor firewalls against the corporate security policies and segmentation policies, for continuous governance and compliance.
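The zone matrix and the desired-versus-enforced check described above, as an added example (not Tufin’s product or the article’s own code). The zones, their address ranges, the zone-to-zone matrix and the firewall rules are all constructed, and the rule record format is an assumption. Each allow rule is mapped to a source and destination zone and compared with the matrix, so a rule that opens a zone pair the matrix does not permit, or a service beyond what it permits, is reported; the same `check_rule` function can be run on a single proposed change before it is pushed:

```python
"""Check firewall rules against a security-zone matrix to find segmentation gaps.

Added example, not Tufin's product or the article's own code. Zones, address ranges,
the matrix and the rules are constructed; the rule record format is an assumption.
"""
import ipaddress

# Constructed zone definitions: each zone is a list of CIDR ranges. The catch-all
# 0.0.0.0/0 range makes "internet" the fallback for any address not in another zone.
ZONES = {
    "internet": ["0.0.0.0/0"],
    "dmz": ["10.1.0.0/24"],
    "corp": ["10.10.0.0/16"],
    "dev": ["10.20.0.0/16"],
    "pci": ["10.30.0.0/24"],
}

# Constructed zone-to-zone matrix: (src, dst) -> allowed services. Any pair absent
# from the matrix is forbidden, so dev is isolated from the Internet and from corp.
MATRIX = {
    ("internet", "dmz"): {"tcp/443"},
    ("dmz", "pci"): {"tcp/8443"},
    ("corp", "dmz"): {"tcp/443", "tcp/22"},
    ("corp", "pci"): {"tcp/22"},
    ("corp", "internet"): {"tcp/443", "tcp/80"},
}

# Constructed rule base as it might be exported from a firewall (field names assumed).
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "10.1.0.0/24", "service": "tcp/443", "action": "allow"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.1.0.0/24", "service": "tcp/22", "action": "allow"},
    {"id": 3, "src": "10.20.0.0/16", "dst": "0.0.0.0/0", "service": "tcp/443", "action": "allow"},
    {"id": 4, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "service": "tcp/3389", "action": "allow"},
    {"id": 5, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "service": "tcp/22", "action": "allow"},
    {"id": 6, "src": "10.20.0.0/16", "dst": "10.10.0.0/16", "service": "any", "action": "deny"},
]


def zone_of_network(cidr):
    """Most specific zone whose range contains the whole network (longest prefix wins)."""
    net = ipaddress.ip_network(cidr)
    best, best_len = None, -1
    for zone, ranges in ZONES.items():
        for zrange in ranges:
            znet = ipaddress.ip_network(zrange)
            if net.subnet_of(znet) and znet.prefixlen > best_len:
                best, best_len = zone, znet.prefixlen
    return best


def check_rule(rule):
    """Return (rule id, src zone, dst zone, reason) when an allow rule exceeds the matrix."""
    if rule["action"] != "allow":
        return None  # deny rules cannot widen segmentation
    src, dst = zone_of_network(rule["src"]), zone_of_network(rule["dst"])
    if src == dst:
        return None  # intra-zone traffic is outside the matrix's scope
    allowed = MATRIX.get((src, dst))
    if allowed is None:
        return (rule["id"], src, dst, "zone pair not permitted")
    if rule["service"] == "any" or rule["service"] not in allowed:
        return (rule["id"], src, dst, f"service {rule['service']} not permitted")
    return None


def violations(rules):
    """All rules in a rule base that conflict with the desired segmentation."""
    return [v for v in map(check_rule, rules) if v is not None]


if __name__ == "__main__":
    for rule_id, src, dst, reason in violations(RULES):
        print(f"rule {rule_id}: {src} -> {dst}: {reason}")
```

On the constructed rule base, rule 3 (development network to the Internet) and rule 4 (RDP from corp into the PCI zone) are reported; the rest match the matrix. Running `check_rule` on every proposed change is the "analyze every network change against the segmentation policy" step, and running `violations` on a fresh export catches changes made out of band.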

Recent breaches should have served as a wake-up call to those not closely watching their network segmenting policies. Organizations should consider adopting a matrix approach to network segmentation, to enable a clear baseline and set of rules for all ongoing changes. Once this is established, they can consider enabling automation of these rules and policies as much as possible, in order to reduce the risk of policy violations going unnoticed for days, weeks, or months.

About the author

Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts during the company’s initial fast-paced growth period, and is focused on Tufin’s product leadership. Reuven is responsible for the company’s future vision, product innovation and market strategy. Under Reuven’s leadership, Tufin’s products have received numerous awards and wide industry recognition.

Reuven brings more than 20 years of software development experience, holding two key senior developer positions at Check Point Software, as well other key positions at Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics and Philosophy from Tel Aviv University.

What Is the True Cost of a Data Leak?

By Jonathan Cogley, CEO, Thycotic Software

An excruciating legal saga came to a close in May 2014, when former EnerVest IT administrator Ricky Joe Mitchell of West Virginia was sentenced to four years in a federal prison for his intentional sabotage of his employer’s network. He was also ordered to pay $428,000 in restitution and $100,000 in fines.

As court documents showed, when Mitchell heard that his job with the oil and gas company was on the chopping block, he didn’t go quietly; instead, he reset the company's servers to their original factory settings and disabled cooling equipment for EnerVest’s systems, along with a data-replication process.

As a result, EnerVest was unable to communicate reliably with customers or conduct business operations for a full month and was forced to spend hundreds of thousands of dollars on data recovery efforts. The incident cost the company over $1 million, according to the prosecution.

Assessing the damage: Reputation and beyond

When tallying the costs associated with a data breach, most organizations look at the potential loss of intellectual property and short-term and long-term damage to their systems, as well as remediation and forensic costs required to identify and prosecute the cybercriminal responsible. Organizations should also factor in the cost associated with reputation damage, which may harm revenue, as well as any industry fines they may incur.

Depending on the nature of the breach, the company itself might even face prosecution. These costs can be sizable and some are difficult to fully quantify, especially damage to the company brand. As the recent Target breach demonstrated, fallout from these types of attacks can quickly tarnish the careers of IT executives, resulting in CISOs or CIOs being forced to step down.

However, in addition to all of these, organizations now must consider punitive damages brought about by any legal proceedings of those affected by data breaches. For example, the class action lawsuit against health insurance provider AvMed presents some sobering implications for companies who have experienced a breach involving their customers’ information.

In the $3 million settlement, 460,000 individuals whose personally identifiable information was exposed are being compensated, even though they did not experience identity theft themselves. They did not have any of the demonstrable damages typically required for any sort of remunerative relief in class action suits. Instead, they are being compensated on the basis that their insurance premium was overpriced due to the expectation that some portion of the premium would be spent on data security, and the breach shows that didn’t happen. In this case, individuals are receiving $10 per year of premium paid up to a maximum of $30 per individual.

If the AvMed settlement precedent is followed in other cases, costs for companies who have experienced a breach have the potential to spiral wildly out of control. Following the logic of this ruling, a case could be made that every consumer purchasing goods at Target, for example, had a reasonable expectation of data security when swiping their payment card, and as such, a small portion of their purchases over the last several years should be paid back. This seems highly unlikely, but the incentive structure of class action lawsuits, where legal counsel receives a large percentage of the settlement, could influence this line of thinking.

Preventative and proactive: How to thwart data theft

Whether the AvMed settlement spawns more class action suits around data breaches or not, companies need to mitigate the financial damage posed by these attacks. This requires a fundamental organizational shift by making security a high priority within the organization – and not just within the IT department. CEOs and CFOs need to participate in an organization’s security strategy as well. The recent media spotlight on breaches and their costs has certainly attracted the attention of boards and senior executives worldwide. To mitigate against data breaches, consider the following steps:

Tighten up password protection policies. With recent vulnerabilities like the OpenSSL Heartbleed bug, it’s clear that relying on simple passwords without constant rotation leaves organizations vulnerable to credential theft. Enforce strong password practices across your entire organization, for both end users and non-human accounts. That means requiring long, complex passwords and automated scheduling of password rotations to protect against hackers and social engineering.

Be aware of user activity. The reality is, as much as you’d like to keep a keen eye on all of your end-users’ workstation activities, putting a surveillance camera on everyone’s desk wouldn’t exactly boost morale. Instead, begin with your IT teams. Utilize best practices around keylogging, auditing and live monitoring of IT admin sessions to ensure a detailed audit of user activity. Monitoring behavior and events can help you detect a suspicious pattern to stop an insider threat before it occurs.

Circle the wagons around privileged accounts. Traditional spending on the perimeter is no longer sufficient and more attention needs to be paid to how breaches are caused and escalated. An often overlooked area is the inadequate management of privileged accounts – these are the proverbial “keys to the kingdom” trusted to the IT administrators, but typically with no controls or accountability on their use. This can lead to an accidental breach due to misuse or breach escalation by a deliberate external or internal attack.

Keep the conversation going. IT security needs to be included at a strategic level in the steering of the organization. Many companies are already adopting this mentality by changing their internal reporting structure. The CISO will now often report directly to the CEO or CFO rather than the CIO, giving IT security a seat at the senior management table with direct access to executive decision makers and budget. This is especially important to ensure appropriate IT security staffing, training, technology and best practices are implemented.
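The auditing of privileged sessions and the "detect a suspicious pattern" step above, as an added example that is not the article's or Thycotic's code. The audit log format, account names, maintenance window, destructive-command list and watchlist are all constructed; a real session-recording product exports its own format, which would be mapped onto the `parse` function. Each record is scored on three independent signals (destructive verb, activity outside the change window, account flagged for extra review, for instance pending offboarding), and records that trip two or more are raised as alerts, so a routine patch in office hours is ignored while a late-night replication shutdown is not:

```python
"""Flag suspicious privileged-session activity from admin audit records.

Added example, not code from the article or from Thycotic. The log format, account
names, maintenance window, command list and watchlist are constructed.
"""
import re
from datetime import datetime

# Constructed audit records in a key=value line format (an assumed format).
AUDIT_LOG = """\
2014-05-02T10:15:02 user=alice host=web01 cmd="apt-get upgrade"
2014-05-02T22:41:37 user=jdoe-admin host=db01 cmd="disable-replication --all"
2014-05-02T22:43:05 user=jdoe-admin host=nas01 cmd="factory-reset --confirm"
2014-05-03T09:02:11 user=bob host=fw01 cmd="show running-config"
2014-05-03T09:05:44 user=bob host=fw01 cmd="shutdown cooling-unit-2"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) cmd="(?P<cmd>[^"]*)"$')

# Constructed policy: destructive verbs always warrant review; the watchlist holds
# accounts under extra scrutiny (e.g. pending offboarding); changes belong in hours.
DESTRUCTIVE = {"factory-reset", "disable-replication", "shutdown", "rm", "format"}
WATCHLIST = {"jdoe-admin"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59, Monday to Friday


def parse(log):
    """Parse audit lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def outside_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def score(rec):
    """Return (points, reasons): one point per independent suspicious signal."""
    reasons = []
    verb = rec["cmd"].split()[0] if rec["cmd"] else ""
    if verb in DESTRUCTIVE:
        reasons.append("destructive command")
    if outside_hours(rec["ts"]):
        reasons.append("outside business hours")
    if rec["user"] in WATCHLIST:
        reasons.append("watchlisted account")
    return len(reasons), reasons


def alerts(log, threshold=2):
    """Records scoring at least `threshold` points, as (user, host, cmd, reasons)."""
    out = []
    for rec in parse(log):
        points, reasons = score(rec)
        if points >= threshold:
            out.append((rec["user"], rec["host"], rec["cmd"], reasons))
    return out


if __name__ == "__main__":
    for user, host, cmd, reasons in alerts(AUDIT_LOG):
        print(f"ALERT {user}@{host}: {cmd!r} ({', '.join(reasons)})")
```

On the constructed log the two late-night commands by the watchlisted account score three points each and the weekend shutdown on the firewall scores two, while the daytime package upgrade and the read-only config view score at most one and are not raised. The threshold is deliberately a parameter: a single signal is usually normal administration, and it is the combination that makes a session worth a human look.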

The price of a data breach is simply too high to ignore. Organizations that fail to make data security a priority across the entire line of business risk losing revenue, reputation, customer trust and more.

About the author

Jonathan Cogley is the CEO of Thycotic – a Washington, D.C.-based provider of privileged account management tools. Jonathan has a software engineering background and frequently speaks at IT Security industry events around the world.

Top 3 Myths About Antivirus Software by AntivirusTruth.org

(Source: www.AntiVirusTruth.org, www.privacyrights.org, and nvd.nist.gov)

NSA Spying Concerns? Learn Counterveillance

Free Online Course Replay at www.snoopwall.com/free

"NSA Spying Concerns? Learn Counterveillance" is a 60-minute recorded online instructor-led course for beginners who will learn how easily we are all being spied upon - not just by the NSA but by cyber criminals, malicious insiders and even online predators who watch our children; then you will learn the basics in the art of Counterveillance and how you can use new tools and techniques to defend against this next generation threat of data theft and data leakage.

The course has been developed for IT and IT security professionals including Network Administrators, Data Security Analysts, System and Network Security Administrators, Network Security Engineers and Security Professionals.

After you take the class, you'll have newfound knowledge and understanding of:

1. How you are being spied upon.
2. Why Counterveillance is so important.
3. What you can do to protect private information.

Course Overview:

How long has the NSA been spying on you?
What tools and techniques have they been using?
Who else has been spying on you?
What tools and techniques have they been using?
What is Counterveillance?
Why is Counterveillance the most important missing piece of your security posture?
How hard is Counterveillance?
What are the best tools and techniques for Counterveillance?

Your Enrollment includes:

1. A certificate for one free personal usage copy of the Preview Release of SnoopWall for Android
2. A worksheet listing the best open and commercial tools for Counterveillance
3. Email access to the industry-leading Counterveillance expert, Gary S. Miliefsky, our educator
4. A certificate of achievement for passing the Concise-Courses Counterveillance 101 course

Visit this course online, sponsored by Concise-Courses.com and SnoopWall.com at http://www.snoopwall.com/free

Top Twenty INFOSEC Open Sources

Our Editor Picks His Favorite Open Sources You Can Put to Work Today

There are so many projects at sourceforge it’s hard to keep up with them. However, that’s not where we are going to find our growing list of the top twenty infosec open sources. Some of them have been around for a long time and continue to evolve, others are fairly new. These are the Editor’s favorites that you can use at work, and some at home, to increase your security posture, reduce your risk and harden your systems. While there are many great free tools out there, these are open sources, which means they comply with a GPL license of some sort that you should read and feel comfortable with before deploying. For example, typically, if you improve the code in any of these open sources, you are required to share your tweaks with the entire community – nothing proprietary here.

Here they are:

1. TrueCrypt.org – The Best Open Encryption Suite Available
2. OpenSSL.org – The Industry Standard for Web Encryption
3. OpenVAS.org – The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org – The World’s Most Powerful Network Fingerprint Engine
5. WireShark.org – The World’s Foremost Network Protocol Analyser
6. Metasploit.org – The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org – The Leading Open Source Certificate and PKI Management
8. Stunnel.org – The First Open Source SSL VPN Tunneling Project
9. NetFilter.org – The First Open Source Firewall Based Upon IPTables
10. ClamAV – The Industry Standard Open Source Antivirus Scanner
11. PFSense.org – The Very Powerful Open Source Firewall and Router
12. OSSIM – Open Source Security Information Event Management (SIEM)
13. OpenSwan.org – The Open Source IPSEC VPN for Linux
14. DansGuardian.org – The Award Winning Open Source Content Filter
15. OSSTMM.org – Open Source Security Test Methodology
16. CVE.MITRE.org – The World’s Most Open Vulnerability Definitions
17. OVAL.MITRE.org – The World’s Standard for Host-based Vulnerabilities
18. WiKiD Community Edition – The Best Open Two Factor Authentication
19. Suricata – Next Generation Open Source IDS/IPS Technology
20. CryptoCat – The Open Source Encrypted Instant Messaging Platform

Please do enjoy and share your comments with us – if you know of others you think should make our list of the Top Twenty Open Sources for Information Security, do let us know at [email protected].

(Source: CDM)

National Information Security Group Offers FREE Techtips

Have a tough INFOSEC question? Ask for an answer and ‘Ye Shall Receive’.

Here’s a wonderful non-profit organization. You can join for free, start your own local chapter and so much more.

The best service of NAISG is their free Techtips. It works like this: you join the Techtips mailing list.

Then of course you’ll start to see a stream of emails with questions and ideas about any area of INFOSEC. Let’s say you just bought an application layer firewall and can’t figure out a best-practices model for ‘firewall log storage’, you could ask thousands of INFOSEC experts in a single email by posting your question to the Techtips newsgroup.

Next thing you know, a discussion ensues and you’ll have more than one great answer. It’s NAISG.org’s best-kept secret.

So use it by going here: http://www.naisg.org/techtips.asp

SOURCES: CDM and NAISG.ORG

SIDENOTE: Don’t forget to tell your friends to register for Cyber Defense Magazine at: http://register.cyberdefensemagazine.com where they (like you) will be entered into a monthly drawing for the award-winning Lavasoft Ad-Aware Pro, Emsisoft Anti-malware and our new favorite system ‘cleaner’ from East-Tec called Eraser 2013.

Job Opportunities

Send us your list and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at [email protected]

Free Monthly Cyber Warnings Via Email

Enjoy our monthly electronic editions of our Magazines for FREE.

This magazine is by and for ethical information security professionals, with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Warnings e-Magazines will also keep you up to speed on what’s happening in the cyber crime and cyber warfare arena, plus we’ll inform you when next generation and innovative technology vendors have news worthy of sharing with you – so enjoy.

You get all of this for FREE, always, for our electronic editions.

Click here to sign up today and within moments you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.


Sample Sponsors:

To learn more about us, visit us online at http://www.cyberdefensemagazine.com/

Don’t Miss Out on a Great Advertising Opportunity. Join the INFOSEC INNOVATORS MARKETPLACE:

First-come-first-serve pre-paid placement
One Year Commitment starting at only $199
Five Year Commitment starting at only $499
http://www.cyberdefensemagazine.com/infosec-innovators-marketplace

Now Includes: Your Graphic or Logo, Page-over Popup with More Information, Hyperlink to your website.

BEST HIGH TRAFFIC OPPORTUNITY FOR INFOSEC INNOVATORS

Email: [email protected] for more information.

Cyber Warnings Newsflash for June 2014

Highlights of CYBER CRIME and CYBER WARFARE Global News Clippings

Get ready to read on and click the titles below to read the full stories – this has been one of the busiest months in Cyber Crime and Cyber Warfare that we’ve tracked so far. Even though these titles are in BLACK, they are active hyperlinks to the stories, so find those of interest to you and read on through your favorite web browser…

The West Is Studying The Flashpoints That Could Lead To A New 'Great War'

06/03/2014 08:14 (Business Insider)

...between Washington and Beijing on issues from regional maritime disputes to cyber security. In recent weeks, current and former officials say,

No public action on China cyber spy case despite attorney general’s pledge

06/03/2014 07:21 (Fort Frances Times Online)

The disruption of Cryptolocker and GameoverZeus

06/03/2014 07:04 (Help Net Security)

...new variants undetectable by antivirus software. They then go on their phishing campaigns, which costs them nothing or they pay for an exploit...

How the NSA Could Bug Your Powered-Off Phone, and How to Stop Them

06/03/2014 06:37 (Wired)

Security researchers posit that if an attacker has a chance to install malware before you shut down your phone, that software could make the...

US Disrupts One Of The Biggest Hacking And Extortion Rings Ever — Russian Charged

06/03/2014 06:07 (Business Insider)

...normal, Robert Anderson, the top FBI official in charge of combating cyber crime said at a news conference announcing the Russian action. When asked...

Operationalizing Cyber is New Commander's Biggest Challenge

06/03/2014 04:09 (Technology News)

'We're seeing activity X, and need you to be part of the federal government's response to this.'" As a department, the admiral said, DOD routinely...

Phishing campaign touts fake 'Heartbleed removal' tool

06/03/2014 01:46 (Computerworld)

The program attached to the emails is actually a keylogger, according to Trend Micro IDG...

Cyber Attack 'To Hit In Next Two Weeks'

06/03/2014 01:07 (Technology News)

(Sky News (UK) Via Acquire Media NewsEdge) Computer users are being urged to protect their machines from...

Hacker Conference Will Invite Feds Back – In 2016

06/02/2014 22:10 (Nextgov)

...help from humans. DARPA officials put it this way: "The first computer security tournament designed to test the wits of machines, not experts."

FBI, EuroPol And NCA Hijack Botnet And What You Should Do

06/02/2014 16:59 (Forbes.com)

...one up on the cyber criminals. Today is such a day. Cyber crime is a tough problem for law enforcement. Cyber criminals gain incredible scale...

Free DHS Cyber Assessments

06/02/2014 16:20 (Isssource.com)

...small- to medium-sized manufacturers, the idea of taking on a cyber security program can be daunting. Cyber attacks are growing and most people cannot...

Looking for the needle in the big data haystack

06/02/2014 16:12 (Federal Times)

...many sources of publicly available intelligence and the importance of cyber intelligence to our national security. Cyber intelligence is a...

Agencies Seek Better DHS Incident Response Aid

06/02/2014 15:16 (GovInfoSecurity)

...from unauthorized access would be beneficial. A category specific to phishing and advanced persistent threats would be helpful. Sub-categories...

U.S. University researchers test cyber-defense for nation's power grid

06/02/2014 14:26 (Computerworld Malaysia)

Researchers are testing a distributed computing system that would help...

Google unveils source code for Chrome encryption extension

06/04/2014 09:04 (Help Net Security)

...are trying to address discounts adversaries with physical access and users with malware outside the browser," they shared. "Chrome's design means...

Shuttering Gameover: Temporary Success - BankInfoSecurity

06/04/2014 09:00 (Bankinfosecurity)

...U.K. and Germany have also been "been hit hard" by the malware, which is often distributed together with Cryptolocker. Stolen: $130+ Million Most...

Cryptolocker: Police take further action on ransomware that hit 50,000 in UK

06/04/2014 07:48 (The Guardian)

...payments globally. Troels Oerting, the head of Europol's European Cyber Crime Centre (EC3) told The Guardian today that the ongoing investigation...

It’s More Than Just NSA Troubles In China-IBM Dust-Up

06/04/2014 06:28 (Mint Press News)

...from the purchase of energy-efficient computers on the grounds of computer security and the Communist Party's Youth League's criticism of Cisco...

Criminals seeking more buyers with all-in-one malware

06/04/2014 03:33 (ComputerworldUK.com)

Soraya malware targets point of sale systems. Security researchers have discovered multipurpose...

China’s State Media Urges “Severe Punishment” for U.S. Tech Firms

06/04/2014 00:27 (Re/code)

...companies such as Yahoo, Cisco Systems, Microsoft and Facebook threaten the cyber-security of China and its Internet users, said the People's...

Justice Department Allowed To Intercept Info From Affected Computers Hacked By Russians

06/03/2014 18:34 (Headlines & Global News)

...computers worldwide which have been infected with a data-stealing virus spread by an alleged Russian computer hacker and his conspirators, The...

Analysis After cryptolocker, how do we make data safe?

06/03/2014 17:58 (Technology News)

...easier to fake, leaving people at risk of identity theft and phishing attacks where they are tricked into revealing financial information. "All...

Molerats Hackers Hit US, EU Governments - BankInfoSecurity

06/03/2014 15:58 (Bankinfosecurity)

...help organizations spot related attacks, which often combine news-referencing phishing e-mails with freely available remote-access tool malware.

DARPA's Cyber Grand Challenge offers $3.75 million in prizes

06/03/2014 10:45 (Help Net Security)

...Computer security experts from academia, industry and the larger security community have...

UK Seeks Hacking Life Sentences

06/05/2014 11:17 (GovInfoSecurity)

Serious Crimes Bill Targets 'Cyber Terrorism'. The U.K. government wants to give judges the ability to sentence...

Most People Have Not Protected Themselves Against Fraud Since Target Breach

06/05/2014 10:00 (Dark Reading)

...services on the market are worth the money. "Most people want to rely on the government to protect them," he said. "And they don't seem to care...

Hackers Infiltrate Desk Phones for Epic Office Pranks

06/05/2014 06:13 (Wired)

But if a hacker could gain an initial foothold, say by sending a spear phishing email with a malware-laden link that took over a staffer's computer,

Simplocker Android malware locks up mobile data and demands a ransom

06/05/2014 05:21 (The Guardian)

New strain of criminal software asks for payment to unlock files on SD cards,

American Express credit card data exposed

06/05/2014 04:16 (Help Net Security)

...returns with large refunds using victims' SSNs. Be wary of any potential phishing scams that can arise through your account post-breach, via email,

NSA faces fresh revelations as Snowden anniversary arrives

06/05/2014 02:32 (We Live Security)

...I don't think it's hyperbolic to predict that the history of computer security and data privacy will henceforth be referred to as two eras, pre-Snowden...

Why threats should not be ignored

06/05/2014 01:46 (Help Net Security)

...Commodore revealed that preparations have already begun for a full-scale cyber-attack on sponsors such as Coca Cola, Budweiser, Emirates Airlines...

Edward Snowden and the NSA one year later

06/09/2014 11:01 (The Global Dispatch)

...the $652 million project has placed covert implants, sophisticated malware transmitted from far away, in computers, routers and firewalls on...

Turing Test passed for the first time; computer convinces judges it's human

06/09/2014 10:57 (Syracuse.com)

...or even something, is a person we trust is a wake-up call to cyber crime," said Warwick. "The Turing Test is a vital tool for combating that...

Phishing Sites Intensify World Cup Campaigns

06/09/2014 10:45 (Blog @ Trend Micro)

With the 2014 FIFA World Cup in Brazil about to kick off in less than a week, it should be no surprise...

What to avoid in Dropbox-related phishing attack

06/09/2014 09:02 (CITEworld)

Criminals are using malware stored in Dropbox in phishing campaign aimed at corporate employees,

A Multidisciplinary Approach to InfoSec

06/09/2014 08:13 (GovInfoSecurity)

...to InfoSec Army Cyber Institute to Tackle Perplexing Challenges Imagine a cyber-attack that disables an electricity distribution center. What's...

What is the Turing test? And are we all doomed now?

06/09/2014 06:56 (The Guardian)

...possibilities for the future, from automatic scambots which carry out phishing attacks to customer support algorithms that don't need to reveal...

Kim Dotcom Can Encrypt Your Files. Why Can’t Google?

06/09/2014 06:44 (Wired)

...2010, he has taught more than 400 activists the ins and outs of digital security, how to use a virtual private network and the TOR anonymous browser,

Upsurge In Hacking Makes Customer Data 'Toxic' To Retailers

06/09/2014 05:26 (Business Insider)

...security and nervously wondering which of them is next. The reality, cyber security experts say, is that however much they spend, even the largest...

China Slams Pentagon Report on Its Military: End This Annual ‘Belly-Aching’

06/09/2014 04:31 (CNS News)

...intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs.

What data breaches teach us about the future of malware: Your own data could dupe you

06/08/2014 23:00 (Tech & Gadget - MSN CA)

Putter Panda: Tip Of The Iceberg

06/10/2014 09:40 (Dark Reading)

...Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can use our free...

The Notorious Hacker Who Leaked George Bush's Self-Portraits Has Been Sentenced To Four Years In Prison

06/10/2014 08:42 (Business Insider)

...US had sought extradition. How to protect yourself from phishing attacks and unwittingly handing over sensitive private information. This article...

NIST Updating Mobile Forensics Guidance

06/10/2014 07:57 (GovInfoSecurity)

...is revising its guidance and giving it a new moniker, "Guidelines on Mobile Device Forensics". The latest version of the guide is known as the...

World Cup Brazil 2014: How cybercriminals are looking to score

06/10/2014 07:47 (Help Net Security)

...domains selling fake tickets, fake giveaways, and several phishing and malware campaigns. They are also using methods like credit card cloning and...

Is the Turing Test milestone all it's cracked up to be?

06/10/2014 06:49 (Oxford Press)

...from Reading says the achievement signals a new era for combating cyber crime and delivering better customers services to those online. (Via...

Cyberspace, Real Wars And NATO's Role

06/10/2014 06:47 (Forbes.com)

...response teams in place, to be able to respond and quickly recover after a cyber attack, and we're talking to our allies in order to get better in...

After Heartbleed, We’re Overreacting to Bugs That Aren’t a Big Deal

06/10/2014 06:37 (Wired)

...actively (and courageously, given the U.S.'s broad computer crime laws) executed Heartbleed against Yahoo and posted a redacted screenshot of...

BOE Mimics Cybercriminals in Testing Banks’ Resilience

06/10/2014 05:38 (Bloomberg)

...threat intelligence from government and elsewhere to improve information sharing and cyber-attack testing, Andrew Gracie, the central bank's...

Winning the war on web stealth attacks

06/10/2014 05:17 (Help Net Security)

...geopolitical DDoS attacks that are still dominant (such as the recent cyber war between the Ukraine and Russia, and Operation Ababil of Islamic...

Chinese military group linked to hacks of US and European satellite companies

06/10/2014 03:41 (The Guardian)

...and European satellite companies A US security company claims that a hacker group based in People's Liberation Army offices was responsible for...

Poolesville High School students crack codes in international cybersecurity competition

06/09/2014 13:39 (Gazette.net)

...won an international cybersecurity competition run by the U.S. Department of Defense Cyber Crime Center, placing first among high school teams...

UNH Cyber Forensics Unit Signs Educational Partnership Agreement with the Defense Cyber Crime Center

06/09/2014 01:00 (University of New Haven)

UNH Cyber Forensics Unit Signs Educational Partnership Agreement with the Defense Cyber Crime Center June 9, 2014 Abe Baggili WEST HAVEN, CONN.

Hackers allegedly behind iPhone ransom attacks arrested in Russia

06/11/2014 10:40 (Computerworld Malaysia)

...modus operandi. The two allegedly compromised email accounts and used phishing pages and social engineering techniques to gain access to Apple ID...

Who Needs Heartbleed When Many Dot-Govs Don't Even Encrypt Communications?

06/11/2014 09:50 (Nextgov)

...email authentication, "government sites are ripe for spoofing and spear-phishing attacks not only against constituents but also employees at...

Guarding against 'Carmageddon' cyberattacks

06/11/2014 09:45 (EurekAlert!)

...development. But they have a worrisome downside: They are vulnerable to cyber attacks by criminals, terrorists or hostile nations. There was a Hollywood...

The Promise of a New Internet

06/11/2014 08:06 (Nextgov)

...bypassing the original Internet, which is struggling in governance, cyber crime, data mining, pervasive passive surveillance, and massive hacks."

14 Year Olds Hack ATM In Lunch Hour - How It Happened

06/11/2014 07:55 (Forbes.com)

Over my morning coffee I saw rumblings on Naked Security's Twitter feed of a couple of...

Evernote Pounded By Aggressive Cyber Attack

06/11/2014 07:53 (Forbes.com)

Evernote, the note taking service with over 100 million users, has been pounded by an aggressive...

P.F. Chang’s Restaurant Chain May Be The Latest Victim Of A Credit Card Breach

06/11/2014 00:54 (Business Insider)

...on Monday, according to KrebsOnSecurity.com, which covers computer security and cyber crime. Banks contacted by KrebsOnSecurity said the stolen...

FBI Shutdown of Virus Demanded New Anti-Hacker Tactics

06/11/2014 00:17 (Bloomberg)

...U.S. law enforcement is adapting to the threat of increasingly sophisticated cyber crime. Slapping handcuffs on a hacker and seizing his or her...

'Clandestine Fox' hackers target energy employee with social media

06/10/2014 23:00 (Computerworld)

...installed a benign version of itself but also slipped a backdoor onto the computer. The attack is different from other campaigns by the group in that...

Edward Snowden's NSA leaks 'an important service', says Al Gore

06/10/2014 09:31 (The Guardian)

...crimes he committed." Snowden, the former CIA and National Security Agency computer specialist, leaked US and British documents to the Guardian...

P.F. Chang’s Breach: Link to Target?

06/12/2014 08:47 (GovInfoSecurity)

Experts Debate Possible Connections in Apparent Cyber-Attack. Restaurant chain P.F. Chang's China Bistro continues...

NIST Guide Targets Supply Chain Risks

06/12/2014 08:17 (GovInfoSecurity)

...organizations. Boyens says NIST stakeholders identify malicious insertion of malware, counterfeit products, intellectual property theft and poor technology...

Authentication innovation, identity and credential management

06/12/2014 07:52 (Help Net Security)

...IoT the emphasis over the next decade will shift from the basic cyber security argument to a more all-encompassing view; revolving around how...

Tweetdeck vulnerability found by teen trying to code emoji heart

06/12/2014 07:41 (The Guardian)

...wild. Ninety minutes later, the first worm (the name given to a computer attack which is self-replicating) was created using the flaw, by German...

DARPA's Plan X Uses New Technologies to 'See' Cyber Effects

06/12/2014 04:26 (Technology News)

...industry spinoffs of Plan X technologies are possible, as is true of all government programs. "Siri on your iPhone was a DARPA program that spun off...

Don't be a World Cup loser online: give football cyber-scammers the boot

06/12/2014 03:29 (The Guardian)

Watch out for soccer-themed cybercrime, from phishing emails to malware-toting Cristiano Ronaldo websites. The World Cup will...

Advanced cyber attacks rely on privileged credential exploitation

06/12/2014 03:09 (Help Net Security)

...While new and sophisticated malware variants were continually developed to exploit systems in 2013,

Zeus variant 'Maple' targets financial data of Canadian users

06/11/2014 17:39 (SC Magazine)

...often opt to spread the banking trojan via drive-by download or phishing emails, Tamir said. The new Maple variant also takes up other malicious...

NSA claims its systems are too complex to stop deleting incriminating data

06/11/2014 16:07 (My Fox Orlando)

...The NSA collects millions of our digital images per day. The National Security Agency (NSA) has ramped up...

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware

06/11/2014 15:48 (SC Magazine)

...banking trojans, Komarov said, explaining attackers make use of spear phishing emails spoofed from cloud-based POS services providers. Additionally,

Gmail Bug Could Have Exposed Every User’s Address

06/11/2014 14:15 (Wired)

...those accounts, but could easily have left users vulnerable to spam, phishing or password-guessing attacks. The bug may have existed for years.

Microsoft Releases 2 Critical Updates, Patches 59 IE Holes

06/11/2014 13:31 (Dark Reading)

...when users open a specially crafted website or file, which means a phishing campaign is involved. If you look at the affected software list,

P.F. Chang's Confirms Card Breach

06/13/2014 08:04 (GovInfoSecurity)

...card data was compromised. Leading theories range from a network penetration attack that allowed hackers to exfiltrate information from a database,

On the beat: The next big Wi-Fi threat? Buckle up

06/13/2014 07:55 (GFI Software)

...another side to this street, as CNNMoney reported: security experts warn that connecting a computer's wireless communications technology with...

Swanger Bill to Notify Public of Data Breaches Passes House

06/13/2014 07:35 (Technology News)

...information," said Swanger. "Even with the best security measures, sophisticated cyber criminals may occasionally find ways to penetrate the...

Attackers nab credentials of security firm message board users

06/13/2014 06:39 (Nextgov)

Network intrusion; Stolen credentials. A contractor hosting the ESET Security Forum...

The Nightmare on Connected Home Street

06/13/2014 06:37 (Wired)

...banned list. You see, my house has a virus again. Technically it's malware. But there's no patch yet, and pretty much everyone's got it. Homes...

UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat

06/13/2014 00:33 (Bloomberg)

Related Spy Dispute: China Said to Push Banks to Remove IBM. Somewhere in China, a man...

Army tattoos regs may be hurting Cyber Command

06/12/2014 20:27 (Army Times)

...so it can afford to be more selective but perhaps not in the cyber community. The Defense Department is planning to grow its cyber force to 6,000...

PLXsert warns Fortune 500 companies of evolving Zeus threat

06/12/2014 17:28 (SC Magazine)

...correspondence. The main infection vectors are drive-by downloads and phishing campaigns, where users are misled to click and execute malicious code,

Video: Making Cyber a Mainstay of U.S. Operations

06/12/2014 15:11 (DVIDS)

Cyber Command ADM Michael Rogers says many of the biggest obstacles in cyber security are more cultural than technical. 2014 - Commander of U.S.

Ransomware "Svpeng" strikes US, leaves Android devices unusable

06/12/2014 15:05 (SC Magazine)

...CryptoLocker. It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution - the malware will block the device...

Fake Dot-Gov Webmail Used in Phishing Scam to Hack EPA and Census Staff

06/12/2014 14:55 (Nextgov)

A Nigerian man has admitted to compromising the email accounts of federal...

Bridging The Cybersecurity Talent Gap

06/12/2014 13:30 (Dark Reading)

...SANS Institute, the Council on CyberSecurity, (ISC)2, US Cyber Challenge, Center for Internet Security, and SC Magazine, Cyber Aces has launched...

Information Risk Maturity Index Says We're Aware But Not Ready

06/12/2014 13:30 (Dark Reading)

...Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management,

DHS readies next CDM task orders

06/12/2014 12:02 (Federal Times)

...said. The CDM Program is comprehensive, adhering to the cyber security framework and security controls detailed in The National Institute of...

Monitor DNS Traffic & You Just Might Catch A RAT

06/12/2014 12:00 (Dark Reading)

...botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name...

Is full disclosure always a good idea?

06/16/2014 09:48 (GFI Software)

...wear (or don't wear) to bed and yes, what security vulnerabilities have been discovered in computer software. Perhaps this penchant for more...

Financial ransomware now targeting U.S. users

06/16/2014 09:39 (Help Net Security)

...languages. "It is impossible to repel an attack of American Svpeng if a mobile device doesn't have a security solution - the malware will block the device...

Federal Agencies Invested $1.6B in Mobile Workforce Since Digital Government Strategy; Security Focus Remains Top Concern and IT Priority

06/16/2014 08:51 (Fort Mill Times)

Agencies...

600,000 customer details compromised at Domino’s

06/16/2014 08:16 (Help Net Security)

...least. As a result of this attack there's an additional risk of phishing attacks. Consumers should be aware that the value of that data to criminals...

Comcast is turning your home router into a public Wi-Fi hotspot

06/16/2014 07:10 (KSPR 33)

...could be unnecessary exposure to potential harm. Craig Young, a computer security researcher at Tripwire, has tested the top 50 routers on the...

Target Fixes Glitch That Caused Delays at Checkout

06/15/2014 19:40 (NBC Chicago)

...said. Last December, Target announced it was the victim of a cyber attack that resulted in the theft of at least 40 million payment card numbers...

Researcher claims to have found rare new Trojan [ITP.net (United Arab Emirates)]

06/15/2014 12:29 (Technology News)

...dynamic encrypted communications and other methods to evade isolation by cyber security researchers. Marcus believes the malware could become more...

The Covert Devaluation of US Businesses - Hackers Getting Their Hands on Intellectual Property Proving Costly

06/14/2014 17:04 (WBCB)

...common entry vector for attackers is usually a successful phishing or spear phishing campaign. And with the magnitude of information at hackers...

P.F. Chang's Breach: 6 Key Developments - BankInfoSecurity

06/17/2014 09:22 (Bankinfosecurity)

Chang's received a warning from the U.S. Secret Service that its network may have been compromised, and card data stolen. Rescator is also where a...

Student provides Java program to reverse Android ransomware damage

06/17/2014 08:00 (Help Net Security)

...converted into an Android app to decrypt the files encrypted by the malware. University of Sussex student Simon Bell has reverse-engineered -

A new defense against kernel-mode exploits

06/17/2014 06:13 (Help Net Security)

...Vulnerability Research teams at McAfee Labs. He has led cyber defense technologies focused on exploit prevention and mitigation for both host...

Brazil's World Cup Of Cyber Attacks: From Street Fighting To Online Protest

06/17/2014 06:07 (Forbes.com)

Spear-phishing, DDoS attacks, malware...

The digital arms race – and what is being done to fight it

06/17/2014 06:00 (The Guardian)

...software on the rise, the fight against the use of espionage malware on citizens is gathering steam. In March, the world's biggest surveillance-technology...

Powerful Dyreza banking malware emerges

06/17/2014 01:08 (Computerworld)

...past, but Tokazowski wrote that the service moves quickly to block phishing links. Using trusted domains from legitimate services can help extend...

Hacked Synology NAS systems used in high-profit cryptocurrency mining operation

06/16/2014 21:32 (Computer World Singapore)

...operation A hacker exploited publicly known vulnerabilities to install malware on network-attached storage systems manufactured by Synology and...

Anti-malware efforts at DHS

06/16/2014 19:30 (WJLA.com)

...International Studies released an eye-opening report. They estimate that cyber crime costs the global economy more than $400 billion and impacts...

U.S.$35 Raspberry Pi Could Round Up Computer Viruses

06/16/2014 12:32 (Technology News)

...very poor. Most of the computers are infected with viruses, botnets and malware," says Zubair Nabi, a researcher at IBM Research in Dublin, Ireland.

You can’t spell “cryptography” without a “why”

06/16/2014 11:14 (Bits & Pieces from the Embedded Design World)

...point is, intentionally leaving an embedded system exposed to hacking, malware and cloning to save cost is simply not prudent from a financial...

Smartphone From China Comes With Malware Preinstalled

06/18/2014 09:38 (Ubergizmo)

Smartphone From China Comes With Malware Preinstalled G Data has attempted to reach out to the phone's manufacturer but so far has been unsuccessful,

Password protected Zbot malware in the wild

06/18/2014 09:07 (Help Net Security)

Password protected Zbot malware in the wild Early this morning a small malware campaign started up claiming to be daily customer statements from...

UK forges close cyber ties with China despite ‘endemic espionage’

06/18/2014 08:58 (The Guardian)

...on cybercrime investigations including the recent takedown of the Cryptolocker malware, has responded far more aggressively to China's alleged...

We're Aswarm In Denial Of Service Attacks And It's Getting Worse

06/18/2014 08:30 (Forbes.com)

...traffic. In February, CloudFlare registered nearly 400Gbps of NTP attack traffic on its network. Sources and destinations of DDoS attacks bigger...

Microsoft patches DoS flaw in its Malware Protection Engine

06/18/2014 07:36 (Help Net Security)

Microsoft patches DoS flaw in its Malware Protection Engine Microsoft has released an update for its Malware Protection Engine to fix a privately...

Security holes could give hackers access to iOS and Android devices

06/18/2014 01:02 (Computerworld)

...enterprise is at risk for intercepted traffic, fake app installation, sophisticated phishing and APTs (advanced persistent threats)," Marble said. "We...

The senate is still trying to jam through its hugely controversial cybersecurity bill

06/18/2014 00:00 (BGR)

...responds to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security...

How A Hacker Nabbed $600,000 In Two Months By Googling People's Home Networks

06/17/2014 17:49 (Business Insider)

...developers post and share their software projects.). Folio used a security flaw in a computer storage product called Synology, Dell says. Synology's...

Feinstein Releases Draft Cybersecurity Information Sharing Bill

06/17/2014 17:12 (United States Senator Dianne Feinstein)

...responds to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security...

Navy's top officer revising U.S. maritime strategy

06/17/2014 16:07 (Navy Times)

...recession. The updated strategy will have a new emphasis on cyber warfare and the changing security landscape, and will address such current...

Here’s What Cyberspace Looks Like

06/17/2014 15:24 (Nextgov)

...Esri, which contracts with most federal agencies, said the Homeland Security Department and Marine Corps Cyber Command are close to deploying the...

IRS computer crash eats email evidence: Conspiracy or ‘worst IT department ever’?

06/17/2014 10:38 (Network World)

...the IRS wants some receipt from a decade ago? IRS cyber security previous Previous Post Extreme cybersecurity ineptitude: Stratfor was a hack...

The Key to Anticipating Cyber-Attacks

06/20/2014 09:09 (GovInfoSecurity)

...the Department of Homeland Security, where he led the National Cyber Security Division, the National Communications System and the Office of...

Cyber Threats to Banks Bring Ex-NSA Chief Pitching His Services

06/20/2014 07:32 (Washington Post - Bloomberg)

...that, Alexander said. Still, despite the banks' growing investments in computer security, Alexander said, many of them aren't really confident they...

How to defend against the latest Android kernel flaw

06/20/2014 02:09 (Computerworld Malaysia)

...transferred to another app. "An attacker could carve out a place on a mobile device that is outside of the view of most Android security tools," Ryan...

Center for Internet Security Releases 2013 Annual Report and Outlook for 2014

06/19/2014 20:35 (Seattlepi.com)

...Outlook for 2014 The nonprofit organization dedicated to enhancing cyber security announces key successes from 2013 and initiatives for 2014.

US could run short on talent to fight cyber-war, study says

06/19/2014 19:05 (The Christian Science Monitor)

...the Cyber Security Treasure Hunt, CyberPatriot, NetWars, and the DC3 (Defense Cyber Crime Center) Digital Forensics Challenge. Some key agencies...

Cybersecurity firm says large hedge fund attacked

06/19/2014 09:13 (CNBC)

...attack began in late 2013, when hackers sent a so-called "spear phishing" email, a seemingly innocuous message that, when opened, inserted the...

Bitcoin miner lurking on Facebook

06/19/2014 08:43 (Help Net Security)

...new viral campaign aimed at saddling you with a Bitcoin mining Trojan has been spotted. "The virus spreads through private Facebook messages,

Microsoft fixes flaw in its own security software

06/18/2014 07:48 (Computerworld)

...to attack Computerworld - Microsoft on Tuesday warned customers that its malware detection engine, used in a wide range of its products including...

DDoS + Breach = End of Business

06/23/2014 08:05 (GovInfoSecurity)

...incident against Code Spaces particularly devastating was the combination of a DDoS attack and cyber-intrusion into the company's systems. "DDoS...

Bulletin (SB14-174)Vulnerability Summary for the Week of June 16, 2014

06/23/2014 06:25 (US-CERT)

...network. 2014-06-13 5.0 CVE-2014-3812 microsoft -- malware_protection_engine mpengine.dll in Microsoft Malware Protection Engine before 1.1.10701.0

Ad network compromise led to rogue page redirects on Reuters site

06/23/2014 04:25 (Network World)

...this over the next 24 hours. SEA's preferred method of attack is spear phishing, a targeted form of phishing. When the group doesn't succeed at...

Hedge-Fund Hack Part of Bigger Siege: Cyber-Experts

06/23/2014 00:16 (Bloomberg)

Hedge-Fund Hack Part of Bigger Siege: Cyber-Experts The attack on a U.S. hedge fund's network, which a cybersecurity contractor said last week...

Mock email scam ensnares hundreds of federal Justice Department bureaucrats

06/22/2014 13:29 (The Chronicle Herald)

U.S. government at war with itself over civil liberties

06/22/2014 03:01 (HeraldNet.com)

...is looking to support technologies that enhance the privacy and security of digital communications and that are less susceptible to intrusion...

This 'NSA-Proof' Email Service Raised $160,000 And Signed Up 200,000 Users In Just One Month

06/21/2014 19:16 (Business Insider)

...vetted by security experts. We've had constant input from the computer security team at CERN and hundreds of computer scientists on the staff...

IRS chief evades blame over lost emails during grilling by House Republicans

06/21/2014 00:01 (Tribune-Review (AP))

...Commissioner John Koskinen about why Congress was not informed earlier that a computer hard drive failure had compromised Lois Lerner's email records.

Why these local teens are learning to hack

06/20/2014 20:59 (UTSanDiego)

...college education and career devoted to the increasingly relevant world of cyber security. Offered by the Securing Our eCity Foundation, a local...

Tool aims to help enterprise IT manage 'honeypot' hacker decoys

06/20/2014 10:05 (Network World)

...techniques and intentions. They were once almost exclusively used by security vendors, researchers and computer emergency response teams, but have...

Mobile security and incident readiness

06/24/2014 09:28 (Help Net Security)

...in threats affecting mobile devices such as data leakage, mobile malware, insider threats and hacker compromises, enterprises need to look beyond...

Despite Target, Retailers Still Weak On Third-Party Security

06/24/2014 09:27 (Dark Reading)

...confident" that their security controls could detect rogue applications (including malware), 35% said they were very confident, and the rest...

Content Widget Maker Taboola Is Hacked On Reuters

06/24/2014 07:30 (Dark Reading)

...authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will...

New Havex malware variants target industrial control system and SCADA users

06/24/2014 06:25 (Network World)

New Havex malware variants target industrial control system and SCADA users A malware threat previously used in attacks against energy sector...

Researchers Find and Decode the Spy Tools Governments Use to Hijack Phones

06/24/2014 06:11 (Wired)

...used for remotely infecting phones with the Hacking Team malware via a phishing attack or a malicious web site. Citizen Lab points out in its...

Utica College One of First Colleges in US to Earn Endorsements from Multiple Government Agencies for Excellence in Cybersecurity Education

06/23/2014 22:01 (Yahoo! Finance)

...Center of Academic Excellence in Information Assurance and Cyber Defense Education by National Security Agency, Department of Homeland Security;

AskMen.com website redirects to Caphaw malware, WebSense says

06/23/2014 15:57 (Computerworld)

AskMen.com website redirects to Caphaw malware, WebSense says High-traffic websites can potentially expose thousands of visitors to automated...

Planned cyber center includes USNA's first classified facility

06/23/2014 15:20 (Navy Times)

...happen, said Capt. Paul Tortora, director of the academy's Center for Cyber Security Studies. If Congress approves the $120 million needed to build the...

Dropbox-themed phishing is after multiple login credentials

06/23/2014 13:05 (Help Net Security)

Dropbox-themed phishing is after multiple login credentials Phishing emails purportedly leading users to a file hosted on Dropbox are targeting...

DHS to award continuous monitoring task orders

06/23/2014 11:37 (Federal Times)

...the contract will be available to the Defense Department, the Defense Industrial Base, the 50 state governments, local governments, territory...

Atypical cloned banking app pops up on Google Play

06/25/2014 08:50 (Help Net Security)

...asking for the user's ID and password is loaded. It is definitely a phishing attempt, but a very curious one, as only the ID is sent to the app...

Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable

06/25/2014 06:34 (Wired)

...defibrillators or oncology equipment and send it to a hospital worker via a phishing email. The payload could then seek out the equipment on the network...

Eyes on you: Experts reveal police hacking methods

06/25/2014 04:55 (USA Today)

...to spy on them with methods traditionally associated with cybercriminals, two computer security groups said Tuesday. LONDON (AP) -- Law enforcement...

Better Business Bureau: Ransomware computer virus is back

06/24/2014 21:36 (Brighton-Pittsford Post)

Better Business Bureau: Ransomware computer virus is back The Better Business Bureau is warning consumers of a recent increase in another type...

Agency heads hash out critical infrastructure protection roles

06/24/2014 17:44 (Federal Times)

...legislation that would better integrate the government and private sector on cyber security matters. Until now, legislation has been held up...

NYPD, FBI, MTA create joint cyber crime task force

06/24/2014 16:06 (SC Magazine)

NYPD, FBI, MTA create joint cyber crime task force The FBI, the NYPD and the Metropolitan Transportation Authority (MTA) have teamed to create...

Montana officials notifying 1.3M whose data were in hacked computer

06/24/2014 15:19 (Missoulian)

...noticed what appeared to be unauthorized Internet access to the DPHHS computer and that a private security contractor later confirmed the breach.

Former NSA director defends data collection, cloud security

06/24/2014 13:58 (Network World)

...the media leaks by Edward Snowden about how the NSA conducts cyber-espionage have undermined national security, and he ardently defends those...

Two new squadrons coming to Scott

06/26/2014 10:06 (AdVantage News)

...direct message from the Air Force about Scott's critical role in cyber security, Enyart said. These two squadrons will create 320 new positions...

What's next: Advanced Evasion Techniques

06/26/2014 05:23 (Help Net Security)

...multiple and rarely used protocols. Once inside, AETs reassemble to unleash malware and continue an APT attack. McAfee released a What's Next:

PayPal error shows how NOT to use two-factor authentication

06/26/2014 04:26 (Network World)

...to first obtain an accountholder's username and password through a phishing attack or other scheme. PayPal has deployed a temporary fix that...

Italy's 'Hacking Team' spy Trojan targeting Android and iOS devices, researchers discover

06/26/2014 04:15 (ComputerWorldUK.com)

Italy's 'Hacking Team' spy Trojan targeting Android and iOS devices, researchers discover Now musters 326 servers in 20 countries Italy's infamous...

Banks, payment services and social networks most targeted by phishing kits

06/25/2014 17:48 (SC Magazine)

Banks, payment services and social networks most targeted by phishing kits Financial institutions, ePayment and money transfer services, and...

Not All Malware is Created Equally - BankInfoSecurity

06/25/2014 15:53 (Bankinfosecurity)

Not All Malware is Created Equally - BankInfoSecurity Julian Waits of ThreatTrack Security on Isolating Most Dangerous Malware Not all malware...

Senate panel passes procurement, cyber reform bills

06/25/2014 14:36 (Federal Times)

Senate panel passes procurement, cyber reform bills The Senate Homeland Security and Governmental Affairs Committee passed several bills June...

The Tech Trends Making Government Smarter

06/25/2014 12:24 (Forbes.com)

...Gryth. Erin Richey is a freelance data and investigative journalist reporting on digital security and construction from St. Louis. EMC Voice

Cloud Security: Think Today’s Reality, Not Yesterday’s Policy

06/25/2014 12:00 (Dark Reading)

...the user accounts. He posited that if a bank customer gets infected with malware, and the customer's money is subsequently sent to the Ukraine,

This Animated Map Shows Who's Hacking Who In Real-Time

06/25/2014 11:51 (Business Insider)

...help. A new animated map created by the U.S.-based computer security firm Norse illustrates just how ubiquitous hacking is around the world. The...

Copyright (C) 2014, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC. 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected]

Cyber Warnings is published by Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC. Cyber Defense Magazine, CDM, Cyber Warnings, Cyber Defense Test Labs and CDTL are Registered Trademarks of STEVEN G. SAMUELS LLC. All rights reserved worldwide. Copyright © 2014, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.


Cyber Defense Magazine - Cyber Warnings rev. date: 06/30/2014
