Showing posts with label Data Breach.

Thoughts on $19B Cybersecurity National Action Plan

Yesterday President Obama signed two executive orders on cybersecurity to strengthen the government’s defenses against cyber attacks and protect citizens’ personal information kept by the government.

Obama asked for $19 billion for cybersecurity efforts in his budget request, a 35 percent increase from current levels, with $3 billion requested to “kick-start an overhaul of federal computer systems.” The Cybersecurity National Action Plan will ensure:
  • Americans have the security tools they need to protect their identities online
  • Companies can protect and defend their operations and information from hackers
  • The U.S. government protects the private information citizens provide for federal benefits and services

Our own CMO, Michael Harris, added his valuable insight:

“The United States must increase its investment in cybersecurity to protect our homeland. We live in a world of instant-anywhere-access. The cyber-terrorists are relentless. They morph. They adapt. They scoff at legacy authorization and hacker prevention systems. The recent wave of breaches to our Federal systems is proof of this reality. Deep forensic data analysis, detection and response technologies are essential for cybersecurity and we encourage Congress to carefully evaluate the $19 billion spending initiative to ensure our sensitive, proprietary and military assets are protected from malicious exfiltration.”

What do you think? Share your thoughts below.

Defending Your Security Program: The FTC, Breach Class Actions, and You

Roger Angarita

Data breaches continue to fuel major media bonfires, CEOs are resigning, and the FTC is gaining ground in becoming the data-protection enforcer on behalf of consumers and business customers. Now, in the wake of the Ashley Madison, Neiman Marcus, and Home Depot cyber-attacks, critical court decisions are occurring that may raise protection standards and increase corporate liability. The smoke signal arising from the judicial system last month was the Third Circuit’s ruling affirming the data security authority of the Federal Trade Commission (FTC) in Federal Trade Commission v. Wyndham Worldwide Corp.

Office of the Secretary of Defense Calls for Emphasis on Detection and Response

Anthony Di Bello

This week, in response to the OPM breach, Chris Carpenter, the Security Director at the Office of the Secretary of Defense called for an emphasis on detection and response capabilities.

The reason, Carpenter noted, is that there is a clear window of opportunity within which to find attackers inside the network and cut off their access before they have a chance to exfiltrate data. This is backed up by the fact that the vast majority of breach disclosures note that the attackers had been inside for a period of time prior to the data exfiltration.

The OPM Breach: What Went Right

Michael Harris

Today the national and federal press announced a “massive” breach of federal personnel data housed at the Office of Personnel Management (OPM) within the Department of Homeland Security (DHS). Following an earlier breach discovered in March 2014, the breach is said to have exposed the personally identifiable information (PII) of up to four million federal employees. The Washington Post reported that U.S. officials suspect the Chinese government to be behind the attack, which represents “the second significant foreign breach into U.S. government networks in recent months.”

Security and IR Labs at CEIC Focus on Advanced Malware and Attack Analysis

CEIC 2015 is just a few weeks away and we’re excited to meet with you face-to-face on the show floor and in the conference sessions earmarked for cybersecurity and incident response professionals. If your cybersecurity journey seems to grow more complicated with each passing CEIC event, this is the year you won’t want to miss.

Incident response as a discipline is still largely misunderstood and under-implemented, mainly because enterprises struggle to understand the changing security landscape and the need to be prepared for the inevitable cyber attack. To help you better understand these changes, we've developed new sessions and labs for CEIC 2015 to help you take incident response to the next level.

The Current Cyber Crisis and the IT Security Budget

Barry Plaga, Interim CEO and CFO, Guidance Software

Last summer, J.P. Morgan Chase suffered a significant cyber breach of its corporate servers that affected approximately 76 million households. Very bad news and no longer an unprecedented event for a major financial institution. Then, two things happened the following fall that are very interesting when considered together:
  1. J.P. Morgan Chairman and CEO James Dimon told a panel discussion audience at the Institute of International Finance that his bank would double its cybersecurity spending over the following five years.
  2. PwC released its latest Global State of Information Security survey that noted that spending on information security fell four percent during a period in which cyber attacks against companies increased 48 percent.

Lessons Learned from 2014 Cyber Breaches

Ashley Hernandez and John Lukach

At Guidance Software, we’re honored to train and work alongside information security teams inside numerous global corporations and government agencies. This gives us an ideal vantage point from which to learn and incorporate the latest intelligence on attack methods and best-practices for incident response. So here’s a look at what we’ve gleaned from this year’s barrage of cyber-attacks.

Where to Invest Resources in the High-Profile Breach Era

In our opinion, the biggest impact that the large number of headline-making breaches has had is in raising public and corporate awareness of the consequences and difficulty of securing companies’ assets. This awareness places more pressure and demand on those on the front lines of security.

Building Cyber-Talent in the National Collegiate Cyber Defense Competition

The headlines are full of stories about the growing number of job opportunities for what may be a too-small pool of young cyber-defenders and incident responders. At Guidance Software, we support universities with our EnCase Academic Program to help ensure that the up-and-coming generation of information security specialists has the tools and technology they need to work like seasoned professionals do. To that end, we are also proud to be a Gold sponsor of the National Collegiate Cyber Defense Competition (NCCDC).

Ten finalist teams from more than 180 colleges and universities will participate in this national competition, held in San Antonio, Texas from April 25-27. To support this valuable training exercise, we supplied EnCase software network-wide, some EnCase training for all contestants, and will staff the volunteer Red Team with an EnCase incident-response expert. 

Why Signature-Based Cyber-Defenses are Bound to Fail

Sam Maccherola

You will never see an alert from your security information and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for the malware that was custom-built for your organization and secretly colonized your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

Insider Threats in the Federal Agency: Endpoint Security and Human Analytics

Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat
A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

Survey Says: Organizations Most Concerned About Length of Time to Resolve Data Breaches

During our 13th Annual Computer and Enterprise Investigations Conference (CEIC) in May, we conducted a survey of more than 150 attendees from the security, law-enforcement, and e-discovery fields to get first-hand insights on shifting priorities in enterprise and government security teams. It was not a surprise that “length of time to resolve attacks” came in as the chief cybersecurity concern. In addition, 24 percent also said they were concerned about insider threats.

Data breaches and the amount of time it takes to detect and resolve them remain a critical security issue. It takes companies an average of three months to discover a malicious breach and more than four months to resolve it, according to the 2013 Cost of Data Breach Study by the Ponemon Institute.

The Cybersecurity Framework: Identification, Collaboration, and Proactive Defense

Alex Andrianopoulos

Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:

  • The bad guys launch a new type or method of attack
  • Some (if not all) organizations attacked are breached
  • Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
  • At least one organization names the new attack method
  • The organization or a security vendor finds a defense to the new threat
  • The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.

Here is the problem: The delay between a breach, developing a defense and sharing the solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage exchange of information on cybersecurity threats and new methods employed by hackers and other cyber-criminals.

Hello? You’ve Been Breached.

Ale Espinosa

Knock, knock. Who’s there? The FBI.

The reality of the world we live and do business in has made us increasingly vulnerable to cyber threats and attacks. Perimeter security and signature-based threat detection tools can only do so much when the threat is brand new or if it morphs as it spreads out through your network, making their signature unrecognizable. Chances are, there is someone lurking in your network right now and you don’t even know it.

In fact, Verizon’s 2013 Data Breach Investigations Report revealed that approximately 70% of cyber breaches go completely undetected by organizations’ security teams, and are instead discovered by external parties like the authorities, FBI, or even the attackers themselves.

Information Security Executives Share their Perspective at the 2013 CISO/CLO Summit

Ale Espinosa

This year’s Computer and Enterprise Investigations Conference (CEIC) was referred to by many of its loyal attendees as our best one yet. Running concurrently with the show was the CISO/CLO Summit, which brought together top information security and legal technology executives for a day filled with valuable panel sessions, presentations, and networking opportunities.

One of the most talked about presentations at the CISO/CLO Summit was offered by Bryan Sartin of Verizon, who gave an in-depth review of the 2013 Data Breach Investigations Report (read more about the report on one of my earlier posts). And in the spirit of survey data, we asked Summit attendees to answer a few questions for us regarding their information security concerns and challenges.

Minimizing Customer Impact with Proper Breach Assessment

Ale Espinosa

Apologies are never easy – much less when they are public. Just a couple of weeks ago, daily deal website LivingSocial contacted and issued an apology to more than 50 million of its customers whose information may have been compromised in a recent cyber-attack, according to the Daily Deal Media. Whether all 50 million were indeed compromised remains the question.

Before issuing an apology or coming out publicly with details of the breach, it is critical to know the exact size and scope of the loss and damage the attack caused. Leaving room for uncertainty behind any of the details in your communication can be read as poor handling of the situation or a lack of insight into what really happened.

Tools like EnCase® Cybersecurity enable you to fully understand and measure the impact of a breach – down to the exact number of files, accounts, or data accessed by the attacker – by looking into the metadata of all of the files stored in your endpoints. That way, your post-breach communications are targeted to the exact number of users it may have affected, helping you minimize any impact to your customer base or brand. Your PR team will appreciate it.

It is estimated that only half of all security breaches will require disclosure of some kind to the affected parties or to the public in general. The remaining half will only affect internal systems and data that, with the right tools, can either be caught before sensitive data is accessed or remediated and brought back to normal before it causes damage to others outside of the business -- giving new meaning to the saying "better be safe than sorry."
More critical infrastructure data breaches...not terribly surprising

Josh Beckett

An interesting read about a data breach involving critical infrastructure, a subject near and dear to my heart since having worked in the field for a few years.

It's always curious to me that many people that deal with such tidbits of information are often very cavalier with the data and habitually underestimate the value to any potential adversary, including the potential field of adversaries and their related capabilities. Typical responses that always gave me the willies were "No one could ever get to that information, and if they did, they wouldn't know what to do with it anyway." Really? The only smart people in the world that know about this matter are in this room?

The Weakness of the Defender is the Strength of the Attacker

Ale Espinosa

If hockey or soccer teams consisted only of forwards and goalies, games would turn into a sequence of nonstop penalty shots and we would get bored watching them in no time. That is why teams have defenders, and just like in cybersecurity, the outcome depends less on the skill of the attacker and more on the readiness of the defender.

That was one of the key statements on this year's Verizon Data Breach Investigations Report. Three quarters of cyber breaches examined in the report were rated "low" or "very low" when it came to difficulty of initial compromise – meaning that basic methods like automated tools and scripts requiring little to no resources or customization were used to infiltrate the victim's network. After all the investment you’ve made in creating precisely the right security architecture, you might think it would take the work of a skilled hacker to penetrate your systems. Fact is, it may not.

Whodunnit? The Real Question in the Offshore Financial Data Leak Story

Anthony Di Bello

Yesterday's report of a massive data leak exposing the secrets of a vast offshore financial system that enables more than 100,000 of the planet’s richest and most well-connected citizens to avoid paying taxes poses a number of interesting questions. The media and the International Consortium of Investigative Journalists, to whom a flash drive containing the files was mailed, have had a field day pushing “massive data leak” and “offshore tax havens” headlines, but information security professionals know that the provenance of this data leak is potentially as big a story as politicians involved in scandalous relationships with African dictators.

Attack Aftermath: What’s Next for South Korean Banks and Broadcasters?

Anthony Di Bello

What's next for South Korean banks and broadcasters that were paralyzed by a massive cyber attack this past week? I was talking with Rodney Smith, who directs information security and field engineering here at Guidance Software and has consulted on post-attack digital investigations with hundreds of firms around the world.

His take is that a thorough digital forensic investigation is an urgent and essential next step to getting back to normal after having hard drives and associated master boot records (MBRs) wiped out. Master boot records encapsulate critical information on the organization of file systems on the drives. Affected systems were given a forced reboot command, but restarts were impossible because the MBRs and file systems had been corrupted.

Cutting Through the Cyber "Fog of War"

Anthony Di Bello

Most people are familiar with the phrase Fog of War, which refers to the uncertainty present in the heat of military operations. That same “fog of war” is also present in the cyber battlefields of today. Without the right insight, it’s next to impossible to tell what constitutes an attack, let alone what attacks have successfully hit their endpoints. Today’s advanced threats are multi-dimensional, rapidly evolving and stealthy.

They often hit endpoints quickly, sometimes through little-known zero-day vulnerabilities in browsers, operating systems, and other applications. Once in, they sit clandestinely and await instructions, which may be to exfiltrate data of value, burrow deeper into the infrastructure, launch attacks on others, or wait for a more opportune time to strike.

It may be startling to many, but faith in traditional defenses to fight these attacks is often misguided: anti-virus, intrusion detection and prevention systems, firewalls, and other old-line defenses fail to block, let alone identify, these attacks, and they provide no quick visibility into what is occurring on the network.

Guidance Software has recently partnered with FireEye, Inc. to help clear away the fog by integrating communications between their Malware Protection System (MPS) appliances, which analyze and protect network traffic, and our EnCase Cybersecurity software, which secures the endpoint. Together, the two solutions provide a clear view into attempted attacks.

One of the first things customers of our partner FireEye explain, as soon as they install the FireEye MPS Appliance, is that they can suddenly see things they couldn’t see before, such as numerous bad outbound and inbound communications they previously had no idea were underway.

But seeing the threats is much different than being able to understand precisely what they’re doing on the endpoint. Security and IT managers need to know if malicious traffic is a threat to their networks and infrastructure, and if any of these attacks have successfully compromised an endpoint.

This is where the FireEye-Guidance relationship comes in. When the FireEye MPS Appliance identifies nefarious traffic, the integration with EnCase Cybersecurity makes it possible to automatically validate if the attacks detected over the wire had successfully penetrated into any systems attached to the network.

This integration between FireEye and EnCase Cybersecurity provides customers with everything they need to scope and remedy compromised endpoints.

To achieve this we’ve built an Enterprise Service Bus (ESB), a way to communicate with other technologies. With the new integration, EnCase Cybersecurity listens for FireEye MPS to report on detected events via an XML feed that is translated by the listener service. With just the IP address information and hash values related to the FireEye-detected event, EnCase Cybersecurity will first validate whether or not the attack successfully compromised the indicated endpoint(s). Once it confirms the presence of malware, additional information related to the attack will be collected and presented to the security analyst via a thin-client review capability. By capturing attack artifacts and indicators in this manner at the time of the alert, the security team can be confident that they have a complete picture of the attack, and a wealth of information with which to triage, determine risk exposure, and accelerate remediation efforts.

Without this network-to-endpoint view provided by the FireEye MPS Appliance and EnCase Cybersecurity, there’s no realistic way to tell if exploits and attacks are harmless to an infrastructure (such as exploits targeting an OS that does not exist on the network), or if some other countermeasure such as a firewall rule or intrusion-prevention system has successfully blocked an attack.

Additionally, EnCase Cybersecurity grabs all of the data about the state of the machine, including what processes are running in RAM, what services and system libraries are loaded, who is authenticated to the machine, and more. With that information, the security analyst not only knows which systems are truly at risk, but also has what is needed to understand the attack in depth.

What this coupling of FireEye and EnCase technology does is clear much of the fog associated with all of the data that pounds security analysts’ management console screens every day. And it makes it possible for them to make clear, well-informed decisions all the way through remediation. For more information about the Guidance Software and FireEye collaboration, check out our press release, and download the datasheet.