Showing posts with label Cybersecurity. Show all posts
Showing posts with label Cybersecurity. Show all posts

Who Turned Off the Lights? U.S. Electric Grid Sees Increase in Cyber Attacks

Ale Espinosa When news of Stuxnet broke out, the world was shocked. It was the first discovered malware to spy on and subvert industrial systems, as well as the first to include a programmable logic-controller rootkit, used to attack Iran’s nuclear facilities.

Yet, despite fears of retaliation from foreign governments against the U.S. electric grid, a recent report based on over 100 surveyed utility companies revealed alarming vulnerabilities in the nation’s energy system. The report was supported by members of the U.S. House of Representatives in an effort to bring awareness to the security gaps in the utilities sector.

Among some of the report’s key findings were:
  • Attacks on the nation’s critical infrastructure – including energy – were up 68 percent from 2011
  • Many utility companies reported receiving “daily,” “constant” or “frequent” cyber-attack attempts
  • Among the attacks reported were phishing, malware infection, and unfriendly probes
  • Most utility companies are compliant with mandatory cybersecurity standards issued by the government, but voluntary recommendations by the industry watchdog – the North America Electric Reliability Corporation (NERC) – have been ignored by many

Hello? You’ve Been Breached.

Ale Espinosa Knock, knock. Who’s there? The FBI.

The reality of the world we live and do business in has made us increasingly vulnerable to cyber threats and attacks. Perimeter security and signature-based threat detection tools can only do so much when the threat is brand new or if it morphs as it spreads out through your network, making their signature unrecognizable. Chances are, there is someone lurking in your network right now and you don’t even know it.

In fact, Verizon’s 2013 Data Breach Investigations Report revealed that approximately 70% of cyber breaches go completely undetected by organizations’ security teams, and are instead discovered by external parties like the authorities, FBI, or even the attackers themselves.

Information Security Executives Share their Perspective at the 2013 CISO/CLO Summit

Ale Espinosa This year’s Computer and Enterprise Investigations Conference (CEIC) was referred to by many of its loyal attendees as our best one yet. Running concurrently with the show was the CISO/CLO Summit, which brought together top information security and legal technology executives for a day filled with valuable panel sessions, presentations, and networking opportunities.

One of the most talked about presentations at the CISO/CLO Summit was offered by Bryan Sartin of Verizon, who gave an in-depth review of the 2013 Data Breach Investigations Report (read more about the report on one of my earlier posts). And in the spirit of survey data, we asked Summit attendees to answer a few questions for us regarding their information security concerns and challenges.

The Best Tool in Your Kit

Josh Beckett As security professionals, we all have to deal with real events and incidents and false positives.  Furthermore, we all need to try to minimize the impact that false positives have on our workflow so that we can focus on the real stuff. I love to use real world examples that have a parable-like quality to them in order get interesting points about security across.

A friend recently told me of an issue with someone they knew where they were requested to show their drivers license and it happened to be expired. Now, there are obviously many situations where we know this will become a problem, but there is really only one situation where this particular bit of information is actually relevant.  What is a driver's license really? It is proof of your authorization to drive a particular class of motor vehicle. If expired, it is possible that you are no longer so authorized. That is the only use case where such information is completely relevant.

Why Are We Losing the Cyberwar? It's About the Money.

Josh Beckett 'Follow the money' is a tried and true security strategy. It will lead to you the things the bad guys may be after. It will lead you to the tools they use. It will lead you to who is committing the crimes. Money is the reason we are losing the Cyberwar.

It is simply more profitable to sell newly discovered exploits to bad guys than it is to report them to the software companies for fixing. The few companies that are willing to pay bounties for bugs are easily outbid by the bad guys as a cost of doing business. As long as that is a viable economic model, we will never have a hope of any defensive strategy that will work other than fast clean up of the mess when it happens.

Chinese government behind Chinese hack-a-thon...really?

Josh Beckett The Pentagon has come out and stated the obvious. When listening to this story this morning on NPR, the immediate thought that came to me was, "Yeah, well, what are you going to do now?"  Of course, the interviewer asked that very question and the interviewee burbled and hemmed and hawed.  No real answer.  What can you do in a war that is not fought on a physical battlefield with physical weapons, but inside of computers?

Beware cyber-criminals, here come the Cyber Jedi

Josh Beckett Don't be jealous, but I've recently been promoted to "Cyber Jedi" least in the UK.

After reading this article, it brought me back to something that I've struggled with through many Jedi battles.  Remember that the Jedi not only fought with the bad guys, but fought with the Senate as well...

Security is hot even in this down economy, so why are security experts undervalued?

It is obvious that the field of security is heating up faster than the rest of the global economy.  The problem that I see is still one of economics and understanding.  Security, as a discipline, doesn't make money.  So when hard economic times lead to even harder spending choices, one of the first things to get cut are those folks that don't bring in money.  Namely, those (sometimes) quiet folks that talk about technical things that hardly anyone understands and while they sound like they are doing something useful, few could really explain what that stuff is.  I'm sure we could do without one or two of them, right?  The end result is that we have too few Jedi trying to fight too many bad guys.

The Road to CEIC 2013: Cybersecurity 101

Jessica Bair The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view. 

Are you an EnCase® Enterprise user who'd like to learn how to automate your network-enabled incident response? Or, perhaps an experienced EnCase® examiner looking for a career change or career enhancement? If a more complete approach to incident response is  on your task list, you should attend Cybersecurity 101 with Josh Beckett, product manager for EnCase® Cybersecurity, at the CEIC 2013 Cybersecurity and Compliance Lab.  This hands-on lab will demonstrate the basics of using EnCase Cybersecurity, as Josh walks through the major use cases of how the software will assist you in both incident response and compliance management roles; and how to implement it into your organization’s processes.

Guidance Software Customer Wins a Government Security News Homeland Security Award

Anthony Di BelloWe’re pleased to share that our customer, the U.S. Department of Energy (DOE), was selected as “Most Notable Cyber Security Program, Project or Initiative” in the 4th Annual Government Security News Homeland Security Awards competition.

The DOE won in one of the 42 categories. All of the winners were announced at a gala dinner in late 2012 that drew hundreds of government officials and industry executives to the Washington Convention Center.

EnCase software users have access to an all-in-one architecture for compliance, incident response, investigations and e-discovery. The software allows users to identify malware exploits and rapidly sweep all nodes on all networks to confirm the existence of that malware and then choose to remediate from a central console, saving hours of time on incident response and ensuring data integrity.

The winners were selected by a panel of objective judges, according to Jacob Goodwin, Editor-in-Chief of Government Security News. "We received an outstanding group of entries and have handed winners’ plaques to an exceptional group of companies and government agencies," he said.

A complete list of winners can be found at the GSN Magazine website. Congratulations to our associates at the DOE!

Cybersecurity Bill on Hiatus... Again

Anthony Di Bello A letter sent by Sen. Jay Rockefeller (D-WV) to the CEOs of the Fortune 500 a sparked a lot of conversation over the past months. The senator’s letter was sparked by his belief that the United States Chamber of Commerce's opposition to the Cybersecurity Act of 2012 is out of step with the desires of the nation’s most powerful CEOs. Rockefeller also saw the Chamber’s influence as part of the reason why so many senators were blocking a vote on the bill and thereby keeping it from seeing the light of day.
The late-minute push to get the Cybersecurity bill through the Senate on November 14th resulted in a 51-47 vote to end debate on the bill and move to a final vote, however 60 votes were needed to move the bill forward. While congress may take the issue up again this month, or in January, there is speculation the President may issue an executive order given the perceived urgency of cyber legislation.

I think there are a number of reasons why the Cybersecurity Act of 2012, of which Sen. Rockefeller is a cosponsor, was met with pushback from businesses and some members of the senate.
First, the focus leans too heavily toward so-called best practices. As anyone who has been watching cybersecurity over the years knows, there’s a rapidly moving arms race. Attackers continuously adjust their attacks, and enterprises continuously adjust their defenses. It's a study in game theory, as is most any situation that involves an intelligent adversary. For example, at one time, network firewalls, encryption, anti-virus software, and authentication were all considered state of the art when it came to best IT security practices. Today, a program that simply has those components in place would be considered rudimentary, and certainly not a leader.

In fact, any security best practices, or security technology checklist, approach is doomed to fail in short order unless there are efforts in place to continuously update those practices and drop those that are no longer necessary. This is why, because of the slow-moving nature of government, business leaders could be wary of a government-led effort to establish best practices. We may just end up with more checklist security. Certainly, we don’t need that.

Second, just a couple of years ago, “incident response,” as it applied to the corporate market, was completely new. The value of being able to automate host-based queries and responses based on detected events wasn’t entirely understood, or even valued. As new technology like this is developed, how does the federal government plan to keep up to date its best practices that may be delivered via the cybersecurity bill? In fact, how would this bill improve upon what is already in place with organizations such as the National Institute of Science and Technology (NIST) delivering best practices? NIST published incident response best practices years ago in its Special Publication 800-86.

Additionally, we’ve seen examples of out-of-date best practices being held up by non-federal organizations as security requirements. For instance, in 2004, the NSA conducted and released findings that a single overwrite was sufficient to purge classified data from electronic media.  Yet, many still cling to the false notion that electronic media requires three to seven passes to meet the NSA standard.

Third, we know from experience that public and private IT security data sharing tends to flow one way: from businesses to the government. The government collects public data, but provides data back (when it actually does) that is either stale (happened last year) or vague (providing only high-level observations like: SQLi attacks are on the rise). To be fair, the government can’t share information if there's a chance of a criminal investigation or trial. But by the time data are made public, there is little value.

Certainly, we need ways to share useful information without sharing overly sensitive security or confidential data and to encourage ongoing public–private cooperation. The answer may require novel uses of technology, for example, the entropy near-match capability in EnCase Cybersecurity that allows the creation of value, or signature, that would enable a government agency to provide that signature (or a new zero-day malware attack, for instance) to the private sector so organizations can scan it against their systems and find similar signatures. This way actual malware, or any information that could be misused is never actually publicly released.

And that’s just one example. I’m sure there are many other ways data can be anonymized so that they could be safely shared publicly. But will the government try such acceptable approaches? If history is a guide, probably not. 

Incident Response in the Cloud: Don’t Let It Be an Afterthought

Anthony Di Bello There certainly has been plenty of discussion around the impact of cloud computing on security. But the fact of the issue remains that cloud computing can both complicate, and simplify enterprise IT security. For instance, when an organization's data and applications are spread across multiple cloud service providers - security can become significantly more complex. However, using cloud and other IT outsourcing services small companies can outsource all of their IT - and security - and (in most cases) both greatly simplify their IT as well as increase security.

However, when talking about how cloud affects anything, including something as complex as security and incident response, it’s important to define what types of cloud services we are talking about. The impact on incident response will be considerably different depending.

Essentially, there are three types of cloud: public, private, and hybrid clouds. Public cloud is what most people think of when they say “cloud” computing. A public cloud is where the underlying infrastructure is shared, and resources are dynamically provisioned. Think of Amazon Web Services for cloud infrastructure, or storage-specific services such as Dropbox.

Then we have private cloud. Private cloud is primarily the domain of large enterprises and government agencies. And these are organizations that want a highly-virtualized, self-provisional cloud environment - but need to maintain full control and transparency over the infrastructure. Then are organizations that build a “hybrid” cloud infrastructure that consists of both public cloud and private cloud resources. Less critical data and applications may be used on the public cloud, while the private cloud is where classified, regulated or valuable intellectual property data will be stored and accessed.

The challenge for IR teams is understanding how each of these architectures affect digital investigations. It’ll be a topic that we look at from time to time in the upcoming months here in this blog.

A simple example in how a cloud architecture can affect a incident response would be how, under circumstances depending on the public cloud service provider, make it impossible to get the forensics data they need for an investigation. Because public providers may not have the internal policy framework, staff resources, technologies or even the architecture necessary to contain or recover data — such abilities will vary greatly from one provider to the next.

Also, the sharing of resources in multi-tenant environments may make it next to impossible for cloud providers to share logs, network data, etc. because of its contractual agreements with other customers.

Another area where cloud may complicate incident response efforts is when it comes to so-called rogue cloud services, when users turn to cloud providers without the knowledge or approval of the corporate IT department. This could include users storing data in public cloud storage services such as Megaupload, or using cloud applications at service providers that may not have the necessary processes in place to aid with IR investigation requests.

While cloud computing doesn’t change what makes for good incident response practices, it does add another level of complexity - and organizations need to be prepared for the change. Of course, this is nothing new to investigators and security teams who have had to deal with many technological changes over the years, from mobile device storage to the rise in intelligent portable devices, virtualization, and even the encroachment of early generation Web services onto the corporate network.

Cloud computing is simply another step in the evolution — and incident responders need to be prepared for the complexities cloud computing brings.

SIEM Turbocharger

Victor LimongelliWell, since no compressed air is involved, perhaps it is not technically a turbocharger, but EnCase® Cybersecurity now makes SIEM tools much more effective, by automating the digital forensics capture and analysis activity required as part of incident response.

As Martin Kuppinger has observed, the “art of SIEM is to – at best – identify exactly the critical situations which need to be handled. Not more, not less.” The problem is, no organization can do that perfectly – no SIEM is ever tuned to such a fine degree of precision so that only the “critical situations which need to be handled” are immediately presented to the incident response team. Often, there are too many “situations,” or, the critical nature of certain “situations” is not apparent until a later time, when perhaps more related data points are correlated by the SIEM. Determining what happened, whether critical data was exfiltrated from the organization, or whether the attack spread to other computing assets, is crucial. In order to do so, the data around the critical situations needs to be captured, either for immediate response, or for later analysis. As NIST has noted in its Guide to Computer Security Log Management, “data regarding a particular event could be needed weeks or months after the event occurred.” What’s more, when one of these critical situations occurs, you may want to assess a broader set of machines, even a subnet, as part of the analysis.

EnCase® Cybersecurity now facilitates this data capture and analysis in three ways. First, if an analyst sees a highly critical situation identified in the organization’s SIEM tool, he or she can now, right from the SIEM, perform an EnCase collection.  Second, an organization, in its tuning of its SIEM, can establish rules so that for critical events, forensic collection occurs automatically. Third, an assessment can be automatically run on a broad set of endpoints to determine the extent of the problem – by way of example, assessing what binaries are running that are not part of the organization’s approved builds.

The user can view the analysis results right from the SIEM console. The following video demonstrates how it works:

The result is a turbocharged SIEM – more power, more effectiveness, and a better response to critical incidents when they occur.

Victor Limongelli is president and chief executive officer of Guidance Software.

SEC Cybersecurity Guidelines Pose Potential Increase in Litigation forOrganizations

Anthony Di BelloChad McManamyOn October 13, the Division of Finance at the Securities and Exchange Commission (SEC) released “CF Disclosure Guidance: Topic No. 2 - Cybersecurity” representing the culmination of an effort on behalf of a group of Senators led by Senator Jay Rockefeller to establish a set of guidelines for publicly traded companies to consider when faced with data security breach disclosures. The concern from the Senators was that investors were having difficulty evaluating risks faced by organizations where they were not disclosing such information in their public filings.
According to the SEC in issuing the guidelines, "[w]e have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." And while the guidelines do not make it a legal requirement for organizations to disclose data breach issues, the guidelines lay the groundwork for shareholders suits based on failure to disclose such attacks.

The guidelines come on the heels of number of recent high-profile, large-scale data security breaches including those involving Citicorp, Sony, NBC and others – many of which have affected organizations around the world. A catalyst for the regulations is found in part in many organizations failure to timely report, or complete failure to report, their breaches. To curb any future disclosure issues, the SEC released the guidelines ordering companies to reveal their data security breaches.

As stated in the guidance notes, “[c]yber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts.”

“Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”

Consistent with other SEC forms and regulations, organizations are not being advised to report every cyber incident. To the contrary, registrants should disclose only the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” If an organization determines in their evaluation that the incident is material, they should “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.

The SEC indicated that in evaluating the risks associated with cyber incidents and determining whether those incidents should be reported, organizations should consider:

-- prior cyber incidents and the severity and frequency of those incidents;

-- the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and

-- the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Rather than exposing new obligations for organizations, the SEC guidance highlights what company executives already knew about their obligations to report cyber incidents but may not have fully appreciated. The true lynch pin for every organization will be the determination of materiality and making the decision on which breaches gets reported and which do not. As such, public companies will also need to weigh real-world business risks specific to their particular market associated with incidents. For example, “if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition," the statement says.

Given the sophistication and success of recent attacks, forensic response has taken center stage when it comes to exposing unknown threats, assessing potential risks to sensitive data and decreasing the overall time it takes to successfully determine the source and scope of any given incident and the risk it may present.

Cybersecurity threats will continue to proliferate for companies of all sizes around the world. Failing to protect sensitive company data will pose an even greater risk going forward, so too will the legal implications for failing to disclose those material cyber incidents. A proactive, timely approach to prevention of cyber incidents represents the best case scenario for all organizations. Guidance Software’s Professional Services team and partners can help. Our consultants can help expose unknown risks in your environment, remediation of those risks, as well as provide prevention techniques designed to give your organization an active defense and knowledge against possible attacks unique to your organization.

Chad McManamy is assistant general counsel for Guidance Software, and Anthony Di Bello is product marketing manager for Guidance Software.

Beating the Hacking Latency

Guidance SoftwareJournalist Kevin Townsend recently spoke with Guidance Software’s Frank Coggrave about preventing data theft from hacking attacks by reducing the time from security alert to remediation and Guidance Software’s recent announcement of EnCase® Cybersecurity 4.3 that automates incident response through integration with SIEM tools like ArcSight.

The article discusses the value that SIEM solutions provide: they scan logs in real-time looking for anomalies, discover security events and can show where things are happening on the network. But they do have a shortcoming – they lack the next step which is response. That’s where Guidance Software’s EnCase® Cybersecurity comes in. EnCase® Cybersecurity is able to identify the root cause of the event and help IT administrators respond quickly, closing the gap between alert and response.

Kevin writes, “Today’s hacker likes to get in and hide himself. He thinks he can go undetected (and often can and does) while he infiltrates deeper into the network looking for the most valuable data. Hacking comes with its own latency – and you need to use that latency between infiltration by the hacker and exfiltration of your data in order to stop him…SIEM plus forensics has the potential to improve the SIEM and, by reducing the time to remediation, to defeat the hacking latency.”

An additional problem is that IT security is a 24x7 job. When the SIEM solution triggers an alert in the middle of the night, response can’t wait. Frank provided Kevin with an example of how EnCase® Cybersecurity can help:

“One of the filtering systems picks up that something is happening that shouldn’t. It reports it to the SIEM. Correlation with other alerts indicates that it’s potentially a serious incident. ‘But what do you do if it’s 2:00am. Or it’s just part of a whole series of other alerts happening at the same time? Well, the SIEM can now trigger EnCase® Cybersecurity Solution to automatically and immediately dive in and do an investigation. We can capture who is on the machine in question, what applications are running at the time, what processes are in memory; we can kill the applications if we want to, and we can clear up the incident before it becomes too serious.’ Going back to our earlier metaphor, SIEM+EnCase can now close the stable door before the hacking latency expires, while the hacker is still in the stable and before too much damage is done.”
Read the full article on Kevin Townsend’s website.

Incident Response: The First Step Is Identifying the Breach

Anthony Di Bello The objective of malware has moved from weapons of mass disruption, to weapons of ultimate stealth for data theft. Today, attackers want to go unnoticed. And they’ll do anything they can to get past traditional defenses. They’ll try to compromise your users through tainted links on social networking sites, or specially crafted email attachments, and even through infected USB drives. They’ll employ any means they can, and if they’re determined, they won’t stop until they succeed.

The software tools they use today include attack exploit code, Trojans, keystroke loggers, network sniffers, bots – whatever works to infiltrate the network and then ex-filtrate the desired data.

Consider this quote from this story, “Customized, stealthy malware growing pervasive”, from an experienced penetration tester:

"The advanced attack is getting more pervasive. In our engagements and my conversations with peers we are dealing with more organizations that are grappling with international infiltration. Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.”

Consider that quote again for a second: “Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere.”
Obviously, the goal of the malware is to slither past anti-malware defenses, and too often the attackers are successful.

This is why the ability to quickly detect and respond to infiltrations is more crucial than ever for an effective IT security program. And that makes digital forensics software central to those efforts. By being able to quickly determine the nature and cause of an incident, forensics software can be used to stop future incidents through the increased visibility into the network it provides.

This is where EnCase® Cybersecurity shines. EnCase® Cybersecurity offers enterprises a way to obtain actionable endpoint data related to an event before that data has a chance to decay or disappear from the affected endpoint altogether. EnCase® Cybersecurity can easily be integrated with an alerting solution or SIEM of choice (such as ArcSight ESM) to enable real-time visibility into relevant endpoint data the moment an alert or event is generated. This ensures security teams have instant access to information such as hidden processes running at the time the alert was generated, ports that were open at the time and more. The ability to see the entire picture in regards to what was occurring on an endpoint – at a specific moment in time – allows for a far more accurate incident impact analysis and a way to gain visibility into any given threat. Having a clear view into that moment in time leads to faster incident resolution rather than chasing cold trails.

This type of instant response capability that better addresses potential threats is simply mandatory today, considering the stealthy nature of malware and significant effort that goes into masking any traces of an attack.
Anthony Di Bello is product marketing manager at Guidance Software.