Showing posts with label Cybersecurity. Show all posts
Showing posts with label Cybersecurity. Show all posts

Thoughts on $19B Cybersecurity National Action Plan

Yesterday President Obama signed two executive orders on cybersecurity to strengthen the government’s defenses against cyber attacks and protect citizens’ personal information kept by the government.

Obama asked for $19 billion for cybersecurity efforts in his budget request, a 35 percent increase from current levels, with $3 billion requested to “kick-start an overhaul of federal computer systems.” The Cybersecurity National Action Plan will ensure:
Americans have the security tools they need to protect their identities online
Companies can protect and defend their operations and information from hackers
The U.S. government protects the private information citizens provide for federal benefits and services

Our own CMO, Michael Harris, added his valuable insight:

“The United States must increase its investment in cybersecurity to protect our homeland. We live in a world of instant-anywhere-access. The cyber-terrorists are relentless. They morph. They adapt. They scoff at legacy authorization and hacker prevention systems. The recent wave of breaches to our Federal systems are proof of this reality. Deep forensic data analysis, detection and response technologies are essential for cybersecurity and we encourage congress to carefully evaluate the $19 billion spending initiative to ensure our sensitive, proprietary and military assets are protected from malicious exfiltration.”

What do you think? Share your thoughts below.

2015: Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation

Anthony Di Bello

Attackers are always looking for new vulnerabilities to exploit technologies with large-scale adoption or use/create/modify malware that changes just enough to avoid known detection methods as it propagates through a corporate network. The same malware or vulnerability is rarely used after public discovery. The identification and sale of new vulnerabilities is a high-revenue enterprise, as is the sale of malware kits which can be customized and use as weapons against unsuspecting organizations. Cybercrime is a high-growth industry and the players are only getting better organized and their attack methods more elaborate.

The defenses widely in use today are limited to technology that is overly reliant on the known, is unable to adapt when attackers change their patterns, or find easier ways to sneak onto our networks undetected. The headline-grabbing hacks of 2014 — Home Depot, JP Morgan Chase, eBay — only serve to highlight this fact.

Billington Cybersecurity Summit: Situational Awareness and Cyber Resiliency

Victor Limongelli

I was pleased to have the opportunity to participate on a panel at the 5th Annual Billington Cybersecurity Summit, a very well attended event in Washington, DC yesterday. At the Summit’s opening keynote, Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, made a strong call for the adoption within cybersecurity of the military concept of “situational awareness,” both in government agencies and in corporate America. This, he said, can be achieved through understanding normal behavior across a network and on endpoints and having a way to quickly visualize anomalies

Building Cyber-Talent in the National Collegiate Cyber Defense Competition

The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).

Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert. 

NIST Senior Policy Advisor Adam Sedgewick to Present in Webinar Series on NIST Cybersecurity Framework

To help organizations better understand the merits of the National Institute of Standards and Technology Cybersecurity Framework, Guidance Software is hosting a two-part webinar, “Implementing the Detect Function in the NIST Cybersecurity Framework.” Senior Information Technology Advisor Adam Sedgewick of NIST will be the featured presenter. The webinar will also feature a presentation by Alfred Chung, EnCase Analytics product manager for Guidance Software.

Security Professionals 2.0: Inspiring the Next Generation of Cybersecurity Warriors

There is heightened awareness within the business community regarding vulnerabilities related to cyber threats and the financial repercussions of breaches, data loss and cyber attacks. In fact, according to a recent Ponemon Institute survey, a majority of respondents indicated that cybersecurity risks rank higher in terms of business risks than natural disasters. However, there is a worrisome lack of interest in the IT security profession among young adults.

The Jobs are There. Where are the Skilled Workers… and Investment in Security?

According to a recent jobs report, of 1,000 adults ages 18-26 surveyed, only 24 percent expressed interest in a cybersecurity career. In comparison, 32 percent are interested in being an app designer/ developer. Additionally, 82 percent said that their high school counselor never mentioned the possibility of a career in cybersecurity.

NIST Cybersecurity Framework Needs More Focus on Collaboration and Finding Anomalies

Jason Fredrickson

A few days ago, I was delighted to see the National Institute of Standards and Technology (NIST) release its Preliminary Cybersecurity Framework for reducing cyber risks to critical infrastructure. And my first read-through was pretty positive: they cover a lot of material, and I think it will help organizations understand the full picture of security readiness. Their tiered approach, for instance, is sound, and I’ve seen it work successfully in other industries–e-discovery, for instance, has the EDRM Maturity Model, and software development has the CMMI. And I’m very pleased to see such attention paid to PII and privacy.

That said, however, I saw a few structural problems on my second review. The Framework has a lot of noise about security policies and procedures and not as much of a call-to-action on collaboration and threat intelligence-sharing as I would like. It lacks any mention of proactive forensics or proactive investigation. It contains a wealth of detail on rules and process for ensuring information security, but very little in the way of the means of, or requirements for, organizations to work together to fight the good fight. And it has a major hole in its attempt to categorize threat detection and response.

The Security Playbook 2013: Lessons from the Road

For the last couple of months, a few of us security types at Guidance Software have taken our show on the road to talk about new tactics in cyber and information defense. At selected cities across the United States (and coming soon in Europe), we have worked with technology and industry partners to present highly relevant new tactics at the Security Roadshow 2013: Cyber Defense under the Assumption of Compromise. We are really enjoying the interaction and the insights we get from our partners and the professionals who attend each half-day seminar.

Not only are these Security Playbook events ripe with opportunities for learning from our security specialists and our partners’ best and brightest, but they dish up the best of the new best practices, techniques, and technologies from everyone in the room. Here are some of the lessons we have learned from you and your peers while out on the road.

Survey Says: Organizations Most Concerned About Length of Time to Resolve Data Breaches

During our 13th Annual Computer and Enterprise Investigations Conference (CEIC) in May, we conducted a survey of more than 150 attendees from the security, law-enforcement, and e-discovery fields to get first-hand insights on shifting priorities in enterprise and government security teams. It was not a surprise that “length of time to resolve attacks” came in as the chief cybersecurity concern. In addition, 24 percent also said they were concerned about insider threats.

Data breaches and the amount of time it takes to detect and resolve them remain a critical security issue. It takes companies an average of three months to discover a malicious breach and more than four months to resolve it, according to the 2013 Cost of Data Breach Study by the Ponemon Institute.

U.K. Announces Engagement in the War With No Front Line

Alex Andrianopoulos

On the day the mighty U.S. government shut down, the U.K. government threw down a colossal gauntlet: it revealed that it has been developing the capacity to carry out cyber attacks. The Financial Times reported today: Philip Hammond, defence secretary, said ahead of the Conservative party conference in Manchester that the UK was "developing a full-spectrum military cyber capability, including a strike capability." It was the first time any country  has made such a sensitive statement in public.

The Cybersecurity Framework: Identification, Collaboration, and Proactive Defense

Alex Andrianopoulos

Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:

  • The bad guys launch a new type or method of attack
  • Some (if not all) organizations attacked are breached
  • Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
  • At least one organization names the new attack method
  • The organization or a security vendor finds a defense to the new threat
  • The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.

 Here is the problem: The delay between a breach, developing a defense and sharing the solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage exchange of information on cybersecurity threats and new methods employed by hackers and other cyber-criminals.

Border Wars: Incident Response vs. Forensic Investigation

Josh Beckett

In my day job, we often discuss security tools and the respective processes that generate the requirements that demand the use of such tools. Lately, we have been debating incident response tools and processes as contrasted with forensic investigation tools and processes.  Obviously, both have differing benefits that they bring to the general discipline of security.  They also have differing requirements in terms of the tool sets that they require to execute those processes.

To me, the boundaries between forensic investigation and incident response have always been rather clear.  Maybe slightly fuzzy at the exact interface between them, but not a huge gaping canyon of a zone of uncertainty.  However, lately, I'm starting to believe that out there in the rest of the community it may not be so clear.  I could be wouldn't be the first time and I'm sure it won't be the last, especially if you ask some of my close friends.

Yeah, they got an app that steals that.

Josh Beckett

Once again on my long and arduous morning commute the radio brought me a news story that prompted me to write.  There was an NPR news story, and oddly enough I can't find a reference to it anywhere, about how many mobile phone apps borrow, steal, or leak your privacy info.  My initial thought was 'hey, big software companies that attempt to understand issues of privacy have a tough time with this. It must be a serious problem when it comes to a boutique firm or garage programmer that doesn't care about anything other than getting their app to work and to market.'

When old processes meet new technology

Josh Beckett

As usual, one article triggered a series of thoughts to connect from various news pieces that have been building up in my head over the past week.  Let's start with the most recent first.  Reading this article on what security concerns the leadership in healthcare the most got me thinking.  Particularly this quote from the article:  “The goal in healthcare generally is treating those patients, not privacy and security. You don’t see the same focus on security in healthcare that you do in the financial sector.”  Yeah, that sounds about right.  Makes sense from what I've seen and experienced.  I'm sure we've all seen that there are signs in hospitals and other health care places that say 'No Smoking, Oxygen In Use' or some such thing.  These rules make sense to all of us.  We all get it.  Problem is, there is no such rule about no hacking hospitals.  'Our pricing model doesn't let us afford ample security staff, so please don't hack us' just doesn't carry the weight as 'don't smoke or you'll blow us all up.'  Patients' health is their primary focus, thankfully, and the data is just a way to describe the current condition and progress so that you can achieve the good health outcome of your client.  Essentially, it is a model that hasn't evolved in light of the data revolution of the computer age.  This brings me to my next thought...government security clearances.

Six Steps for Managing Cyber Breaches

Ale Espinosa

You’ve been breached. Now what?

Being quick to respond to a security breach is critical in minimizing the impact that malware could have on your network, as well as limiting an intruder’s access to your data. Having helped numerous clients with their cybersecurity needs, we have identified how to better prepare for and respond to cyber-attacks, which we included in our recently published white paper Incident Response: Six Steps for Managing Cyber Breaches.

With 70% of cyber-attack victims being notified by third parties about their security breaches (which you can read more in my recent blog post Hello? You’ve Been Breached.), many security professionals from even the largest organizations and agencies in the world have found themselves surprised by the fact that their enterprise was center stage to a cyber-attack –sometimes for several months—all without their knowing. That is why it is extremely important to be proactive about implementing security best practices and an incident response plan, as well as having in place tools for the detection, analysis, and remediation or cyber-attacks, such as EnCase Analytics and EnCase Cybersecurity.

Trust but verify, people.

Josh Beckett

I thought it was a well understood security principle; trust but verify.  Maybe it is and the PHBs are simply out-voting the security crowd and the voice of reason.  At the end of the day when you don't know what is out in the cloud and have limited to no controls to act if you did know, your data is seriously at risk.

Of course, an equally well known security principle states that a valid response to risk is to accept it.  I would sincerely hope that the businesses that have my data aren't doing this.  Who am I kidding? I know they are.  As if I only do business with the 20% crowd...I can only dream of the day.

...Or you could fix the software.

Josh Beckett

One of the fundamental realities of security is dealing with vulnerabilities.  In the industry, we have become so jaded to the fact that software makers simply don't want to go to the trouble and expense of churning out secure code that we have just learned to 'abide.'  Consequently, we come up with elaborate ways to measure vulnerabilities and concoct Wile E. Coyote style mitigation plans to bring the risk down to an acceptable level.

Occasionally, I'm reminded that my permanently security-tainted skepticism needs a bit of a challenge to my comfortable position that there is no real security, there is only incident response.  We continue to fight a losing war and resign ourselves to try harder tomorrow.  With nation-states throwing their hats and ample wallets into the ring and anonymously buying bugs and exploits and expecting it to not be reported to the software vendor or public, it seems all is lost.

Beyond Reactive: Your Security Game Plan

Sandy Lii The well-known military general and strategist Sun Tzu said it best in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In today’s war against cybersecurity threats, two types of enemy have been classified: known threats and unknown threats.

The known threats, true to their name, are tracked by their known and readily available signatures and are typically stopped by perimeter security solutions such as antivirus software, firewalls, or SIEM (security information and event management) systems. While these tools are necessary and can be effective at stopping known threats, the unknown threats--the ones with no defined modi operandi or signatures--remain at large within organizations, lurking undetected, waiting for the right moment to strike. Sometimes, these threats can even be a careless or disgruntled employee.

Medical Devices Vulnerable to Remote Cyber Tampering, FDA Warns

Ale Espinosa This post is not suited for the faint-hearted … especially those wearing a medical device.

The U.S. Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical device manufacturers and user facilities, hospitals, health care IT and procurements staff, and biomedical engineers, following news of security issues in certain fetal monitors and software used in body fluid analysis.

According to the FDA’s safety communication issued last week, there are strong concerns regarding medical devices and hospital networks’ vulnerability to malware, as well as with the unauthorized access to their configuration settings. Among the devices and systems at greater risk are those that are network-connected or configured, hospital computers, smartphones and tablets, and password databases, among others.

Better Incident Response Is the Real Game Changer

Josh Beckett As usual, on my very long drive to work, I was getting my daily fix of NPR and a couple of stories prompted me to write today.  First was a story that had to do with one of the interesting side effects of moneyball and how it was making baseball games longer by increasing the value of players that get walks.  More walks = longer games = less action = more fan boredom.  Their take away from get what you ask for.  Not very security-esque, but stay with me.

The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications.  I've heard claims that all three branches of government had oversight into the process.  It struck me that there is a major problem with that claim.  They were all sworn to secrecy and operating behind closed doors.  No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff.  Ok, so how are they related?