FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Thursday, October 31, 2019

Utah Wind and Solar Power Generation hit by a Cyber Attack

A cyber attack on a Utah-based renewable energy generation provider named sPower is said to have disconnected the company's power generation sources from the central US power grid.

Although the incident took place in March this year, it was revealed yesterday by the news outlet E&E News after it obtained information from the Department of Energy under the Freedom of Information Act (FOIA).

Highly placed sources say that the attack disrupted the operator in two ways: first, by disconnecting it from the central US power grid; second, by making the company the only renewable energy provider on record to have been the victim of a cyber attack.

According to sources reporting to Cybersecurity Insiders, the root cause of the attack was an unpatched Cisco firewall, which the attackers exploited to crash the device, thereby breaking the connection between sPower's wind and solar generation installations and the company's central command and control server.

A notable point about this attack is that the attacker did not continue to explore the network after gaining access, but stopped once communication between the server and the central power grid had been cut.

It should be noted that adversaries and foreign hackers are now strongly interested in breaking into US government networks to steal information, and that some nations aim to cause power blackouts by launching cyber attacks on power grids.

The post Utah Wind and Solar Power Generation hit by a Cyber Attack appeared first on Cybersecurity Insiders.


November 01, 2019 at 11:00AM

App stores become home to Government Spyware

Security researchers from BlackBerry's Cylance have discovered that the Android and iOS app stores have become home to government-backed espionage malware. According to the company's latest report, prolific and pervasive government spyware is being spread on the Android and iOS application platforms, which the company says confirms that consumers are being misled into a false sense of security by technology companies.

BlackBerry claims that hundreds of such apps have found their way into the Apple and Google app stores by slipping past each store's security defenses.

Google did not respond to the report; Apple responded by saying that its app store can detect malware and prevent it from being published, and can automatically ban untrusted apps.

The Cylance report points directly at China's APT hacking groups, citing over a dozen instances in which Chinese hackers were found spying on neighboring nations such as India, Russia, Mongolia, Nepal and Vietnam through mobile apps. The AI-based cybersecurity company also states that hackers from China, probably government-funded, are currently hitting industrial targets, mostly in the US, in the oil and gas, chemical, pharmaceutical, and defense sectors.

The mobile malware is being spread through click and advertising bait, and in some cases via subscription fraud.

Because the mobile security market is still immature, nation states and state-funded hackers are succeeding in propagating spyware through app stores.

Hopefully, tech companies like Google and Apple have taken a cue from the report and will strengthen their mobile security measures to thoroughly weed out malicious apps from their app stores.

The post App stores become home to Government Spyware appeared first on Cybersecurity Insiders.


November 01, 2019 at 10:57AM

The Bitglass Blog

Despite the massive international push for cloud adoption, a distressing number of corporations have not deployed the proper means to secure critical data. Traditional firewalls may have sufficed in the traditional on-premises setting, but with businesses adopting BYOD (bring your own device) for on-premises use and the emerging trend of telecommuting for employees who work remotely, the need for a borderless solution has become increasingly vital. In this day and age, enterprises that rely solely on traditional firewall solutions are making a bet, and the odds are stacked against them. The consequences of relying on archaic security systems range from limited IT oversight to massive data leaks.

The post The Bitglass Blog appeared first on Cybersecurity Insiders.


October 31, 2019 at 09:09PM

Pay Ransom to Ransomware spreading hackers says FBI

The US Federal Bureau of Investigation (FBI) has suddenly taken a U-turn on its stance against paying ransom to hackers during ransomware incidents, because paying is proving to be a more cost-effective option for victims than recovering data through other means.

Although the bureau does not want victimized companies to cave in to hackers' demands, it does say to pay if that is the only option left to unlock the data.

“Paying a ransom encourages cyber crooks to launch more cyber attacks on organizations and companies as it is proving lucrative to them,” reads the FBI guidance.

But in some cases, protecting the interests of employees, shareholders, and customers becomes the priority, and that is when firms need to pay the ransom.

Whether or not they pay, the FBI urges victims to report the incident to law enforcement so that it can track the incident and hold the attackers accountable in the future.

The FBI also emphasizes that organizations should implement backups and other defenses to thwart cyber attacks of any scale. Implementing threat monitoring solutions might also help organizations be proactive rather than reactive.

Now, to those reading this article: what is your take on this FBI advice?

To pay or not to pay in a ransomware incident?

Please share your thoughts in the comments section below.

Note: over the past two years, hackers have been leveraging phishing campaigns, remote desktop protocol vulnerabilities, and software vulnerabilities to infect organizations, showing growing sophistication in launching cyber attacks.

The post Pay Ransom to Ransomware spreading hackers says FBI appeared first on Cybersecurity Insiders.


October 31, 2019 at 08:49PM

Wednesday, October 30, 2019

Dtrack Malware attack on India’s largest Nuclear Power Plant

The Nuclear Power Corporation of India Limited (NPCIL) issued a press statement yesterday admitting that its digital infrastructure had suffered a Dtrack malware attack. However, AK Nema, associate director of NPCIL, clarified that the attack was neutralized before it could affect any sensitive infrastructure.

According to the details, CERT-In (India's Computer Emergency Response Team) was the first agency to detect the malware attack, on September 4th, 2019, and is said to have reported it to NPCIL on September 5th, 2019. DAE specialists investigated the matter and continuously monitored the networks after the incident, and found that the plant systems were not affected.

The NPCIL plant is officially called the Kudankulam Nuclear Power Project and is located in the southern Indian state of Tamil Nadu.

As for the Dtrack malware, it had so far affected only ATMs operating across India, and this is said to be the first time it has infected the computer systems of a nuclear power plant.

According to Kaspersky, Dtrack is malware devised by North Korea's Lazarus APT group and is known to infect critical systems in industrial units. In 2017 it was devised by North Korean intelligence to hack ATMs across South Korea, and it is now reported to be in use against India's digital infrastructure.

Security researchers claim that the Dtrack malware can log keystrokes, retrieve browser history, gather host IP addresses and details of running processes, and list the files available on disk volumes.

The only way to keep this malware off your network is to tighten it with strict password policies and 2FA, use threat detection tools, and deploy anti-malware solutions.

The post Dtrack Malware attack on India’s largest Nuclear Power Plant appeared first on Cybersecurity Insiders.


October 31, 2019 at 10:18AM

Hackers plead guilty for hacking and accessing 57m user details from Uber and LinkedIn

Two hackers have pleaded guilty to stealing the account information of over 57 million users of the tech companies Uber and Lynda, the latter now renamed LinkedIn Learning after its acquisition by the professional networking giant.

Highly placed sources say that the two hackers, Brandon Glover of Florida and Vasile Mereacre of Toronto, Canada, appeared before the Florida Court of Justice yesterday and admitted to hacking information belonging to the two companies from Amazon Web Services (AWS) servers. They also admitted that their intention in fraudulently accessing the data was to blackmail the data owners for a ransom payment.

Both were released on a personal bond on condition that they attend the hearing in March next year.

The Justice Department says that at the end of 2016 the two men downloaded the information of 57 million users, including driver data, from the AWS server in order to later blackmail the owners for ransom.

It has now emerged that two former Uber employees agreed to pay the hackers $100,000 in bitcoin through a third party in return for refraining from disclosing the stolen details to the world via the dark web.

Meanwhile, the two hackers also tried to blackmail Lynda.com officials, promising that their 90k records would not be deleted if a hefty ransom was paid in cryptocurrency. However, the duo broke off correspondence when Lynda.com's IT staff sought to identify them.

More details will be updated shortly!

The post Hackers plead guilty for hacking and accessing 57m user details from Uber and LinkedIn appeared first on Cybersecurity Insiders.


October 31, 2019 at 10:15AM

Security Congress: Securing a Rapidly Changing Environment

The cyber ecosystem is changing faster than ever, creating new attack surfaces and increasing the challenge of defending against new and evolving threats. The fast-changing landscape requires new ways of thinking and new approaches to protect environments that spread across on-premises and cloud infrastructures and connect IT with OT (operational technology) systems.

Just accepting that the expansion of the ecosystem – and the growing presence of technology in our lives – will increase risk isn’t good enough. This is a point (ISC)2 CEO David Shearer made clear at the kickoff of the organization’s Security Congress 2019 this week in Orlando. We cannot accept the idea that “expansion of the cloud must expose us to greater risk instead of greater opportunity,” he said. “As technology becomes more and more prevalent, so too must cybersecurity.”

Of course, developing cybersecurity tools and policies to keep up with new threats is not an easy task. But there is also opportunity in the expansion of the cyber ecosystem, said Curtis Keliiaa, Senior Network Engineer and Principal Investigator at the U.S. Department of Energy’s Sandia National Laboratories.

As new standards such as the IPv6 (Internet Protocol, version 6) specification and the 5G cellular network take hold, the opportunity arises to introduce security controls upfront, Keliiaa said. Both IPv6 and 5G will require the implementation of new hardware, applications and security. Referring specifically to IPv6 during a session on the evolving cyber landscape, he said: “Right now, we have a chance to build security like we never have. Now we know how bad the cyber problem is.”

Data is the focus, he said. As data moves around widely dispersed connected systems, cybersecurity teams need to “follow the data,” Keliiaa said. Data owners are transitioning into the role of data stewards, which requires an understanding of what and where the data is in order to protect it.

The IPv6 specification is intended to replace the older IPv4, but it will be some time before that actually happens. In the meantime, both standards will be in use side by side, creating complexity and challenges in managing risk.

IPv6 needs champions who will approach the C-suite and make a case for migration, Keliiaa said. When talking to executives, he advised: “Be right; don’t talk opinion. Be fast; don’t waste their time.” Executives have a lot on their plates besides managing risk; they also have to think about increasing profits and managing the entire organization efficiently.

Cloud Challenges

An example of how changes in technology impact cybersecurity involves penetration testing of cloud systems. Mike Weber, CISSP, vice president of Coalfire Labs, said that moving assets to the cloud adds complexity to the process – and it’s not possible to test everything. With that in mind, he told attendees at Security Congress to put a plan together for cloud penetration tests.

The plan should include rules of engagement, a timetable and methodology. It’s essential to identify the scope, he said. “Your objective needs to be narrow enough so you don’t have to boil the ocean. If you try to test all of an organization’s cloud, then you’re going nowhere.”

Weber stressed the importance of asking permission from cloud providers before doing a test. Unfortunately, different cloud service providers have different sets of rules for testing. If the test involves two or more providers, getting approval from all of them can be time-consuming and delay projects. Thankfully, he said, the rules are starting to converge and these issues eventually will go away.

The post Security Congress: Securing a Rapidly Changing Environment appeared first on Cybersecurity Insiders.


October 31, 2019 at 09:09AM

Security Visibility is Mission-Critical

IaaS has continued to evolve and make it easier than ever for companies to set up public cloud infrastructure. Many are doing just that and moving more and more workloads to cloud environments. In these new, dynamic environments, where changes happen often and fast, security is mission-critical, but achieving security visibility is still a challenge for security teams.

The same properties that make a dynamic cloud environment attractive to businesses often add complexity to matters of security and compliance—a daunting challenge for quickly evolving, agile businesses, as well as those with legacy systems resistant to change.

If you’re hosting critical applications in public cloud infrastructure, security and compliance visibility should be a top priority. Without it, you might be in for some very unpleasant surprises. 

Security Visibility is Mission-Critical in IaaS

In today’s business environment, the core value of many organizations depends on their digital footprint. Unauthorized access or damage to their cloud infrastructure poses a significant risk to the business. That’s why an effective cloud security solution should help you do three things:

  1. Prevent data breaches – Protect your business from risk, protect your customers from exposure, and show that you are meeting compliance requirements.
  2. Protect infrastructure assets – Your business processes depend on them, which makes them critical to your company; that is why attackers want to subvert them for their own purposes or to disrupt business operations.
  3. Maintain compliance – If you can protect the business from risk, you can comply with regulators and fulfill contractual requirements.

When the needs of a business expand to require diverse methods of data access and storage, often as a result of enabling competitive advantage, the risk of potential exposure increases. To manage business risk and protect customers, it is critical to maintain complete visibility into this rapidly changing landscape and its security posture.

Shared Security Model

While CSPs do a great job of providing a secure foundation across physical, infrastructure, and operational security, you retain responsibility for protecting the security of your application workloads, data, identities, on-premises resources, and all the cloud components that you control within your public cloud infrastructure. This arrangement is referred to as the “Shared Responsibility Model.”

Maintaining your part of the shared security model is critical but a complex task. The very nature of these distributed systems can make it difficult to obtain accurate and up-to-date security visibility and inventory of cloud assets. In addition, rapid growth across multiple environments can make it nearly impossible to consistently apply best practices for security and compliance. 

The most prominent breaches today typically involve the loss of data. Even where there is no direct harm to business operations, potential repercussions to customers, partners, and the public add legal, compliance, and marketing risk to the direct impacts of an attack. 

Security is Challenging in IaaS Environments

The scale and speed of IaaS environments are bigger and much faster compared to traditional IT environments, with the number of assets in your public cloud potentially growing rapidly, and exponentially. Before you know it you could have thousands or tens of thousands to track and manage.

In addition, companies taking advantage of public cloud infrastructure often create and maintain many cloud services accounts. Reasons vary—for example, different accounts might be used by different business units or to separate development and production environments. 

Whatever the reason, every account is a potential target for attackers, meaning complete security visibility and continuous monitoring for exposures is key to maintaining security across your cloud infrastructure. 

User Error Causes Security Vulnerabilities

Add to the challenge of simply managing a multitude of accounts all the chances for human error on the numerous configuration items in public cloud infrastructure, and you have a recipe for disaster.

Misconfiguration of the AWS cloud platform took the number one spot in this year’s AWS Cloud Security Report as the single biggest vulnerability to cloud security (62%), followed by unauthorized access through misuse of employee credentials and improper access controls (55%) and insecure interfaces/APIs (52%).

Without security automation, securing your cloud infrastructure has become almost impossible, so making sure you select the right cloud security solution is key to meeting your cloud infrastructure security requirements.

Public Cloud Security Solution Checklist

Your ideal cloud security visibility infrastructure solution should be:

  • FAST – Aligns with dynamic IaaS. Automatic deployment and assessment
  • PORTABLE – Works across multiple IaaS providers and components  
  • SCALABLE – Expands or contracts to meet shifting needs
  • INTEGRATED – Visibility mechanisms are part of the infrastructure
  • CONTINUOUS – Supports rate of change demands with continuous issue visibility
  • COMPREHENSIVE – Covers all critical aspects of both security and compliance
  • ACTIONABLE – Presents actionable security and compliance intelligence

Halo Meets Key Cloud Security Requirements

CloudPassage has built the Halo platform to help security teams deal with the challenges of cloud infrastructure, as well as maximize its benefits and opportunities. By optimizing and automating security visibility, it helps your team boost security defenses, streamline operations, and ensure compliance across your public cloud and hybrid infrastructure.

Better still, it provides immediate short term value by:

  • Enabling immediate discovery and visibility of all your assets across your cloud infrastructure, at a high level, and rapid rollout of deeper visibility into workloads
  • Providing the basis for building out advanced security programs by enabling you to implement internal security policies and roll them out in a structured way, as well as automate remediation and make DevOps a force multiplier

Download our white paper: Achieving Complete Security Visibility for Public Cloud Infrastructure to learn more about the challenges of security visibility in these dynamic environments, the characteristics of an effective solution and how Halo can help keep your clouds safe and compliant.

The post Security Visibility is Mission-Critical appeared first on Cybersecurity Insiders.


October 31, 2019 at 09:09AM

Physical threats to Cybersecurity that you must address

Over 90% of data breaches are attributed to human error, costing a company anywhere from $1.25 million to $8.19 million. Tackling cybersecurity does not only entail non-physical risks, but also includes an assessment of physical threats such as human, internal, and external hazards. Only then can an appropriate and effective security plan to dissuade hackers and thieves be devised.

Internal and External Risks

Internal dangers may include fire or an unstable power supply. Another risk is humidity, which can cause mold that damages data and equipment. Mold remediation and regular maintenance of the heating, ventilation, and air-conditioning (HVAC) system are necessary to ensure that equipment is stored properly.

While lightning, floods, and earthquakes are difficult to predict, preparing a comprehensive risk assessment is the first step. A detailed plan on what to do if…

Posted by: Karoline Gore

The post Physical threats to Cybersecurity that you must address appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:09PM

Cyber Attacks on Asian Ports cost $110 Billion

A survey by the London firm Lloyd’s says that cyber attacks on Asian ports could cost as much as $110 billion, equal to the losses caused by natural catastrophes in 2018. Covering commercial risks has therefore become a lucrative earning option for insurance providers with businesses in Europe, Asia, and the United States.

Lloyd’s report also states that the past year witnessed the disruption of operations in more than 15 ports in Japan, Malaysia, Singapore, South Korea, and China. The bad news is that more than $101 billion in assets remain uninsured, which might prove disastrous in the near term.

Readers of Cybersecurity Insiders should note that the report was compiled after the financial firm simulated a malware-based cyber attack carried by ships, which typically leads to disruption of services and scrambling of database records at the ports.

As Asia is home to some of the world’s largest ports, any disruption could lead to a major economic loss, since these ports act as commercial hubs for transporting industrial goods, automobiles, clothing, and electronic goods.

Besides, countries linked to these ports will also feel a deep impact, leading to temporary or permanent business closures.

Note 1: The report was compiled by researchers from the University of Cambridge Centre for Risk Studies as part of the Cyber Risk Management (CyRIM) Project sponsored by Lloyd’s.

Note 2: China, Malaysia, Singapore, and South Korea are reported to be home to Asia’s largest ports.

The post Cyber Attacks on Asian Ports cost $110 Billion appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:09PM

Security Congress Day 2: From PAM to Cyber Insurance to Finding a Voice

While cybersecurity spending is expected to hit $124 billion this year, only a small portion of it will go toward identity management. Yet a disproportionate number of breaches occur because of flaws in access management and dangerous practices such as the sharing of passwords, according to Tariq Shaikh, CISSP, Senior Security Advisor for CVS Health.

Identity management spending accounts for 5% to 10% of total cybersecurity spend. When it comes to privileged access management (PAM), Shaikh said the portion is even smaller — 1%. It’s time to change that, he argued during a session on PAM at the (ISC)2 Security Congress 2019, taking place in Orlando this week. Considering how many breaches result from access management issues, Shaikh said PAM can substantially reduce the number of security incidents.

Shaikh’s presentation was one of dozens of sessions on the second full day of Security Congress, covering a range of topics, including challenges around cybersecurity protection, how to cope with data privacy and security regulations, and how to find your voice as a professional to make yourself heard.

“Your ability to secure your assets depends on how well you manage privileged access,” Shaikh said. “It’s the critical attack vector.” He added that PAM isn’t a one-and-done situation, but rather an ongoing endeavor that requires updating to keep up with the evolution of the threat landscape.

He shared a list of best practices for PAM implementation, which includes separating user accounts and infrastructures for routine business and privileged activities, using a centralized enterprise authentication solution, removing privileged access from users who don’t need it, and keeping track of who has privileged access and their activities.

To build a business case for PAM, Shaikh recommended communicating the objectives of the PAM program and the changes it will bring, using simple language, and developing informational materials about it such as FAQs and tutorials.

Cyber Insurance

During a session on cyber insurance, Lisa Angelo, Principal at the Angelo Law Firm, and Seth Jaffe, General Counsel and Vice President of Incident Response at LEO Cyber Security, discussed several ongoing court cases involving companies that bought cyber insurance policies. In many cases, insurers have denied claims for a number of reasons.

One claim involving healthcare records, Columbia Casualty Co. v. Cottage Health System, was denied because medical records that were breached had been stored in an unsecured system accessible through the internet.

In another case, Mondelez v. Zurich, the insurer invoked an Act of War exclusion to turn down a claim after the company suffered two NotPetya ransomware attacks that affected 24,000 laptops. At one point, the insurer agreed to pay $10 million but took too long to pay. The customer threatened to sue, and Zurich later rescinded the settlement offer.

These legal disputes, Jaffe and Angelo said, deliver important lessons on how to approach negotiations with insurers when taking out a cyber policy. Mondelez, for instance, demonstrates the need for explicitly excluding acts of cyber terrorism from an Act of War clause.

It’s important to understand what the policy covers before signing a contract, Angelo said.

“Pay attention to what you’re signing up for and work with them to see what you can negotiate.”

Finding Your Voice

A late-afternoon panel discussion focused on knowing how to speak up to “sell yourself in your career, business and life.” Panelists advised attendees to find ways to communicate effectively, not only through public speaking but also through writing, video and audio recordings. A strong focus was placed on understanding what your audience wants and finding ways to deliver the content effectively.

“It’s more about the audience than it is about me when I give a talk,” said Keri Pearlson, Executive Director and Principal Investigator of Cybersecurity at the MIT Sloan School of Management’s research consortium. It’s important to listen so you can deliver the right message, she added.

Another panelist, Katzcy CEO Jessica Gulick, spoke about timing, giving out content in digestible pieces, and repeating information when necessary. Make the information relevant to your audience, and resist the temptation to make it about you, she said. “If you want it to be sticky, make it relatable. Give them a framework so that they can remember.”

The post Security Congress Day 2: From PAM to Cyber Insurance to Finding a Voice appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:08PM

Tuesday, October 29, 2019

Facebook sues Israeli firm NSO for spying on 1400 targets via WhatsApp malware

Facebook issued a press update yesterday saying that an Israeli firm named NSO Group used malware to spy on 1400 targets across the world via WhatsApp between April and May 2019. The social networking giant intends to sue the firm for these practices and will contact all affected users individually with details of the cyber attack.

Chances are high that Facebook will soon permanently block the company from using its service, as it has violated laws including the US Computer Fraud and Abuse Act.

News is out that a research company named Citizen Lab tipped Facebook off about the breach early last week, after it was engaged to survey some WhatsApp users.

It is said that at least 100 journalists and human rights activists were targeted by the attack, which spanned 20 countries across Africa, Asia, Europe, the Middle East, and North America.

Cybersecurity Insiders has learned that NSO engaged in these spying activities after it was acquired by Novalpina Capital, a private firm from London.

Note 1: NSO is widely known to sell spying software to government agencies and hackers across the world. However, the company claims that it sells its spyware strictly to government clients and has secured a license to do so from the Israeli government.

Note 2: NSO is reported to have carried out surveillance with its Pegasus spyware on a small section of WhatsApp users by hacking into their smartphones through a mobile security flaw. Whether the activity was carried out on the orders of any government is yet to be probed by Facebook.

The post Facebook sues Israeli firm NSO for spying on 1400 targets via WhatsApp malware appeared first on Cybersecurity Insiders.


October 30, 2019 at 10:42AM

Google Pay users get Biometrics Security

Google Pay users may be pleased to know that the technology giant has introduced biometric security, allowing users to protect their online transactions with fingerprint and facial recognition.

The feature can be seen in the latest 2.100 version of the app and will be rolled out across the digital wallet platform in the next few days.

As a result of this payment security update, users can also opt for biometrics API so that they can use fingerprints or facial recognition to authenticate a money transfer along with the option of using the regular PIN inputs.

Users who have tested the feature are reportedly finding their transactions being processed faster than the regular PIN security.
Currently, the Biometric addition feature will only be available to users using Google Pay app on the Android 10 version. But pretty soon it will also be rolled out to those using the Android 9 operating system on their devices.

To those who haven’t heard about Google Pay, it is just a rebranded digital payment version of UPI based TEZ app which was launched in the year 2017. In the year 2018, Google renamed TEZ as Google Pay which now has more than 67 million active users around the world.

Also from now on, all Google Pay users will get SMS notifications on their respective mobile phones that any request approval will deduct money from their respective bank account linked to the Google Pay wallet on a respective note.

NOTE- Android 10 is Google's latest mobile operating system, released on September 3, 2019 after a public beta that began in March for Pixel phones. It may also ship on the foldable phones Samsung and LG are expected to release early next year. According to the report, Android 10 devices will receive guaranteed security updates for the next three years. The release also adds 5G support and tightens users' control over their data, for instance with a location permission that can be granted only while an app is in use.

The post Google Pay users get Biometrics Security appeared first on Cybersecurity Insiders.


October 30, 2019 at 10:38AM

Security Congress Keynote Speaker: Put Down Your Phone

At public events, speakers and performers often ask the audience to turn off their mobile phones, but Catherine Price really meant it. She asked attendees of Tuesday’s keynote speech at (ISC)2 Security Congress 2019 to actually press their phones’ power button.

“I’m going to guess a lot of people are feeling uncomfortable. A lot of you faked it. A lot of you are probably hating me right now,” said Price, a journalist and author of the book, “How to Break Up with Your Phone.”

For the next hour, Price discussed the reasons we are so tethered to our phones, what it’s doing to us, and how we can take back control. She addressed the dangers of our constant attachment to phones in order to feel connected and prevent FOMO (fear of missing out), which causes anxiety, reduces our attention span and cognitive abilities, and may trigger health effects such as high blood pressure and depression. She also offered advice on how to break the habit.

Phones, she said, are like slot machines, which are designed to hook users by releasing dopamine, a neurotransmitter that reminds us of activities we enjoy and want to keep doing. “You never know what’s going to be on your phone, which makes you want to check it even more,” she said, citing social media, news apps and email as applications that tend to hook users.

“Apps are specifically designed to make them hard to put down. Why would that be? Because they make money,” she said. She cited Facebook, which essentially treats users as a product by collecting data about users and targeting ads at them.

Phones are causing a “state of continuous partial attention,” which splits our attention between our phones and our lives. And when we are looking at the phones, our attention is further split by email and other apps on the phone. While we may think we are multitasking, that is actually impossible because our brains cannot hold two thoughts at the exact same time, Price said.

In addition to reducing attention span, phones are hurting our creativity because the state of continuous partial attention and FOMO create a sense of ongoing crisis. The body responds to crisis by increasing cortisol levels. Cortisol is a steroid hormone that, at chronically high levels, raises the risk of obesity, stroke, heart disease, high blood pressure, anxiety, depression and other health effects.

Phone use also reduces the protein that the brain creates to promote creativity, she said. For cybersecurity professionals, she noted, this can be a problem since people in the field need to draw on their creativity to solve cybersecurity problems.

Breaking the Habit

Price shared several practices to help users reduce their phone time:

  1. Have a positive goal. Figure out when your phone use is getting in the way of achieving that goal and try to correct that.
  2. Notice your habits. Price suggested putting a rubber band around your phone, for instance, as a reminder to use it less. When you reach for the phone, the rubber band triggers the reminder and you stop yourself.
  3. Kill the “slot machine.” Get rid of dopamine triggers by making the phone boring. Some tips she shared include making your home screen black and white; bright colors used in apps are designed to hook you.
  4. Reduce your FOMO with an antidote – JOMO (joy of missing out).
  5. Protect yourself. Build firewalls around your life to increase happiness and creativity through deliberate decisions, for instance not having the phone at meals, in meetings or at bedtime.

Vita Unplugged

Before Price took the stage, Pat Craven, director of (ISC)2’s non-profit Center for Cyber Safety and Education, announced a pilot program called Vita Unplugged. The program’s goal is to reduce students’ screen time by an hour a day so they can focus on other activities. The inspiration for the program, Craven said, came from reading Price’s book.

The post Security Congress Keynote Speaker: Put Down Your Phone appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:08AM

Privacy Regulations: More Work for Cyber Professionals

Whenever new data privacy and cybersecurity laws go into effect, they create more work and responsibilities for cyber professionals. This reality hasn’t gone unnoticed by attorney Scott Giordano, who reminded cybersecurity professionals during a session about the California Consumer Privacy Act (CCPA) that the law will create new duties for them.

Giordano, Vice President of Data Protection at Spirion, went over details of the law, which takes effect on Jan. 1, 2020, and how organizations should prepare for it. His was one of a series of presentations at the 2019 (ISC)² Security Congress, taking place in Orlando this week, about privacy and security regulations, and their impact on how organizations go about collecting and keeping personal customer data.

The California law comes on the heels of Europe’s General Data Protection Regulation (GDPR) and employs a broad definition of personal information. It includes identifiers such as name, address, email account and passport number, as well as other data such as personal property records, web purchases, and browser and search history. “You can see that just about anything is personal information,” Giordano said.

The law will require businesses to respond within 45 days to requests from individuals for the information companies keep about them. It also gives consumers the right to have their data deleted, with exceptions such as data needed for debugging and for detecting security incidents.

Giordano fielded a lot of questions in a roomful of (ISC)² Security Congress attendees, who clearly are keenly interested in how the law will work and what it means to them. Giordano also shared a list of recommendations to prepare for the law, including the following:

  • Create a data inventory.
  • Create a data subject access request (DSAR) process.
  • Determine what to include in a report that fulfills a data request and how to package it. “You don’t want to create a snowflake for every consumer; otherwise, you’re going to get buried,” he said.
  • Determine a delivery mechanism – customer account, email, regular mail.
  • Have a protocol to “make sure nothing falls through the cracks.”

The CCPA and other regulations were the subject of a panel discussion of attorneys on Monday afternoon. Panelists talked about another upcoming data privacy statute, the New York SHIELD Act, which takes effect on March 21, 2020.

The New York law is the most prescriptive yet, said Monique Ferraro, Cyber Counsel, Global Cyber Products at the Hartford Steam Boiler Insurance and Inspection Co. It lays out what the state expects companies to implement as part of their cybersecurity programs and expands the definition of personal identification information (PII), she said.

Unlike the California law, which does not cover disclosure, the New York statute covers the reporting of breaches to the attorney general and the state police. It also covers the implementation of security programs and the need to put one or more employees in charge of them.

Coping with GDPR

Earlier on Monday, James MacKay, Deputy CISO and Data Protection Officer at insurance carrier Markel Corp., related his company’s experiences with GDPR before and after the law took effect. Four days after the law took effect, he got a call about a possible violation, he said.

Two lawyers were each mistakenly sent the documents intended for the other, which could have been a problem because of the information they contained. Fortunately neither recipient opened the documents and the situation was resolved.

Then someone in the U.S. operations left the organization and emailed the full company phone directory to their personal address. Since the directory contained no email addresses, no violation occurred. Another incident involved an email sent to a recipient who threatened to complain to regulators because it had no opt-out link. The recipient did not follow through, so another issue was averted.

The incidents showed MacKay the company needed better data protection policies and procedures. This included making him Markel’s data protection officer, a position the company didn’t have before, and creating a framework for data protection. The framework covers privacy controls and procedures for communicating about data protection to the Markel board.

Part of the challenge was to establish a clear understanding of what data is used when the company launches a new service or application, and where that data comes from. Because Markel operates in 17 countries, the framework has to be standardized across its global operations. “We are not fully there yet. We are still working on it but that’s our intention,” he said.

Markel also decided to educate all employees on GDPR and how it affects them. In addition, MacKay has regular conversations about data protection with the CEO. Lastly, he said, Markel has a process for reporting data privacy incidents, should one ever happen. “We have a defined process for reporting to the regulator, and we practice it. It’s something we feel is important and it’s something we feel we have to get right across all of our different regions.”

The post Privacy Regulations: More Work for Cyber Professionals appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:08AM

Security Expert: AI Not Ready for Cybersecurity

While artificial intelligence (AI) has gotten a lot of attention in recent years as a possible solution for cybersecurity issues, Winn Schwartau argues there is a long way to go before we can trust AI and its siblings, machine learning (ML) and deep learning (DL), to deliver the results we need.

During a presentation on the ethical bias of AI-based systems at the (ISC)2 Security Congress 2019, Schwartau said significant problems with AI need to be overcome before we can fully trust it with something as important as cybersecurity. Schwartau, a top expert on security and privacy, is the Chief Visionary Officer at The Security Awareness Company.

During a mid-afternoon session at Security Congress, taking place this week in Orlando, Schwartau walked through the inherent, still unresolved problems with AI. For one thing, he pointed out, AI relies on probability, which leaves some uncertainty about the results it delivers: the same algorithm may give different results when asked to solve the same problem.

“AI is not deterministic. AI will not give you the answer under any circumstances whatsoever regardless of what your vendor of choice tells you,” Schwartau said. Using medicine as an example, Schwartau said he would “absolutely not” recommend that a doctor accept an AI-based diagnosis, though it might be helpful in deciding a course of action.

Another problem with AI comes down to a question of ethics. Schwartau used the classic ethics “trolley problem” to make his point. In this ethics conundrum, someone is asked to choose between killing one person or five when a trolley cannot be stopped. If the trolley stays on course, it will kill the five, but if a track switch is thrown to divert the trolley to another track, one person dies.

Leaving that solution to be solved by AI is problematic, he said. It would require allowing the AI engine to make a value judgment based on the information it has been fed over time. And there’s no guarantee the engine would make the right decision. There actually is no right – or perfectly acceptable – answer because one way or another in this theoretical conundrum, someone would die.

Schwartau also talked about the biases inherent in data that is fed to AI algorithms. He referred to the Microsoft Twitter bot experiment that quickly went awry when the bot was manipulated to make racist, xenophobic and sexist comments. Similar results could occur even without malice, Schwartau argued, because the humans feeding data into the AI systems may have biases they don’t even recognize.

An example of unintended bias involves experiments with using AI to hand out criminal sentences. Because the AI systems use historical crime sentencing data, and are looking at statistical correlations instead of causation, their recommendations for sentencing have been largely biased and inclined to send a disproportionate number of non-white people to jail.

Based on these issues, Schwartau expressed serious doubts about the prospect of AI solving cybersecurity issues. While he concedes that data scientists might solve issues of bias and other problems with data, it may ultimately be impossible to get AI algorithms to become truly neutral in their output.

The post Security Expert: AI Not Ready for Cybersecurity appeared first on Cybersecurity Insiders.


October 30, 2019 at 09:08AM

New payment revolution lets consumers manage ecommerce transactions from their mobile banking app

For many of us it would be practically impossible to count all of the times we’ve had to provide credit card details to online retailers. There are millions of ‘digital footprints’ of financial records across the internet, making it an arduous – likely impossible – task to find out which retailers have kept these details on file, whether that card is still in use or whether they are sitting on long-expired card details.

Imagine a future – that’s nearer than you think – where you open your mobile banking app, and in addition to all the services you already know and use, you can find a list of all the web sites where you enrolled your card(s). Imagine that for each of those retailers, you could suspend or de-activate your card or set individual monthly spending limits for each of them.

Sounds good? Your bank, with Gemalto as a certified partner for EMV tokenization on the Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES), is about to bring it to you.

This is a digital payment revolution. It started five years ago with the emergence of digital wallets. EMV tokenization is the technology behind the scenes that lets you enroll your EMV cards into wallets for mobile, in-app and in-web payments on smartphones and wearables. It is already widely adopted but still has huge growth potential. Now that these digital cards have expanded to eCommerce, EMV tokens are set to replace real card data at checkout on the merchant site.

By replacing your card with a token for online payments, your bank takes over the token’s life cycle. The Visa and Mastercard tokenization platforms are the engine room that deploys these new services and drives this functionality. Gemalto is helping banks roll out this customer journey through its cloud-based developer portal, which gives suppliers sample code, a test environment and deployment tracking so they can keep up with EMV token life cycle management features.

On top of this up-to-date list of retailers, EMV Tokens also take care of card expiration dates automatically so you’ll never worry again about keeping your subscription accounts up to date.
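The per-merchant controls described above can be sketched in code. The following is an added example written for this page, not Gemalto's or the card networks' code: a minimal issuer-side token vault that mints a Luhn-valid, format-preserving token for each (card, merchant) pair, lets the cardholder suspend that token or cap monthly spend at that merchant, and re-points tokens to a reissued card so the merchant's stored token keeps working. The token BIN `490000`, the merchant name and the card numbers are constructed test values; in a live deployment the network token service (VTS/MDES) mints the tokens and the issuer applies the controls at authorization time.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed token range for this example; real token BINs are assigned by the card networks.
TOKEN_BIN = "490000"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial + digit` a valid card-style number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of `partial` sits next to the check digit and is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the digits before it."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str                               # real card number; never leaves the vault towards a merchant
    merchant: str
    suspended: bool = False
    monthly_limit: Optional[float] = None
    spent: float = 0.0
    spent_month: Tuple[int, int] = (0, 0)  # (year, month) the running total belongs to


class TokenVault:
    """One token per (card, merchant) pair, so each enrolment can be controlled on its own."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def _mint(self) -> str:
        while True:
            body = TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)  # 16 digits, Luhn-valid, so legacy checks pass
            if token not in self._tokens:
                return token

    def provision(self, pan: str, merchant: str) -> str:
        """Enrol a card with a merchant; the merchant stores the token and never sees the PAN."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        token = self._mint()
        self._tokens[token] = TokenRecord(pan=pan, merchant=merchant)
        return token

    def merchants_for(self, pan: str) -> List[Tuple[str, str, str]]:
        """What the banking app lists for a card: (merchant, token, status), sorted by merchant."""
        return sorted(
            (rec.merchant, tok, "suspended" if rec.suspended else "active")
            for tok, rec in self._tokens.items()
            if rec.pan == pan
        )

    def suspend(self, token: str) -> None:
        self._tokens[token].suspended = True

    def resume(self, token: str) -> None:
        self._tokens[token].suspended = False

    def set_monthly_limit(self, token: str, limit: Optional[float]) -> None:
        self._tokens[token].monthly_limit = limit

    def replace_card(self, old_pan: str, new_pan: str) -> int:
        """Card reissued (lost, stolen, expired): re-point its tokens so enrolled merchants keep working."""
        if not luhn_valid(new_pan):
            raise ValueError("PAN fails Luhn check")
        changed = 0
        for rec in self._tokens.values():
            if rec.pan == old_pan:
                rec.pan = new_pan
                changed += 1
        return changed

    def authorize(self, token: str, amount: float, on: date) -> Tuple[bool, str]:
        """Detokenize for authorization, applying the cardholder's per-merchant controls first."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.suspended:
            return False, "token suspended by cardholder"
        month = (on.year, on.month)
        if rec.spent_month != month:  # new calendar month: reset the running total
            rec.spent_month, rec.spent = month, 0.0
        if rec.monthly_limit is not None and rec.spent + amount > rec.monthly_limit:
            return False, "monthly limit for this merchant exceeded"
        rec.spent += amount
        return True, f"approved; card ending {rec.pan[-4:]} forwarded to the issuer"


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # well-known Luhn-valid test number, not a real card
    tok = vault.provision(card, "shop.example")
    vault.set_monthly_limit(tok, 50.0)
    print(vault.authorize(tok, 40.0, date(2019, 11, 1)))
    print(vault.authorize(tok, 40.0, date(2019, 11, 2)))  # declined: over the monthly limit
    vault.suspend(tok)
    print(vault.authorize(tok, 1.0, date(2019, 11, 3)))   # declined: suspended by cardholder
    print(vault.merchants_for(card))
```

Run as a script to see an approval, a decline on the monthly limit and a decline on a suspended token. The merchant never receives the PAN: `authorize` is the only place the real card number leaves the vault, and only towards the issuer, which is why a breach of the merchant's database yields tokens that are useless anywhere else.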

Tokens also protect you from rejected payments caused by false-positive declines. These can happen even when you enter your card data correctly, simply because the merchant’s risk management software rates you, your card or the transaction as risky and refuses it, which frustrates users. This is more common than you might expect: one in four Generation Y customers has been affected at least once in the last 12 months.

False-positives can hurt retailers beyond the initial lost sale. According to The Paypers it also damages the merchant’s reputation and ultimately the customer relationship.

This technology is enabling new services and greater convenience. Stay tuned: your bank is about to put you back in control of your online transactions, with a little help from Gemalto.

The post New payment revolution lets consumers manage ecommerce transactions from their mobile banking app appeared first on Cybersecurity Insiders.


October 29, 2019 at 09:09PM

Three developments helping to increase trust in the commercial drone ecosystem

In recent years, vast leaps forward in drone technology have confirmed their practical value in a variety of environments. In natural disasters such as avalanches, drones have helped save the lives of people buried under the snow by scanning large mountainous areas faster than a person on foot. In point-to-point delivery, the speed of drones is also changing the way we transport time-sensitive goods, such as blood, to hospitals in need.

But despite their potential, questions remain about the security of commercial drones and how they would work together to deliver our goods as part of a ‘commercial drone ecosystem’. Headlines continue to highlight the safety and security risks that accompany drone flights, including near-collisions with commercial aircraft and the ease with which drones can be hijacked from the ground.

With an increasing number of drones communicating both with each other and devices on the ground, it is imperative that the ‘Internet of Skies’ is safe enough for the projected wide scale network of drones it will support.

  1. Identifying pilots and Drones using Trusted Remote ID

One of the key elements that will help to build trust in the drone ecosystem is making sure that both the pilot and the drone’s own unique identity can always be established through a Trusted Remote ID. In practice, this works the way your car’s license plate links your car to you.

With our DroneConnect solution, identifying a drone and its pilot becomes secure and seamless. Biometric data, captured with facial recognition and liveness detection, is gathered from the specific pilot and linked to their drone. This information is then held by a public authority so that it can be checked against the authority’s servers before every flight, to make sure each drone is linked to its legitimate pilot. If a drone is found to be flying in an unsafe manner, it can also be quickly linked to whoever is at its helm, so that authorities can take swift action.

Fully integrating drones into a trusted ecosystem also requires that any Unmanned Aerial Vehicle (UAV) can itself be identified and tracked, even without knowing who its pilot is. One way to do this is to place a tamper-resistant module inside the drone. This module securely stores each drone’s unique digital ID, pilot and mission information, so the drone can be identified at any point in its journey and monitored to ensure it stays on course. In addition, because the identity data is encrypted and cryptographically authenticated (encryption alone hides the data but does not stop it being altered), the drone is protected against manipulation of that data in transit, such as a man-in-the-middle attack.

Directly linking drones to their pilots and giving them their own highly secure digital identities, should demonstrate to consumers that, with this technology, it will become much easier to identify people flying drones irresponsibly. Hopefully, this will reassure them that just because there are more drones in the sky, with the creation of an ecosystem, it does not mean that we won’t know exactly who these belong to and their flight paths.

  2. Seamless and Secure Connectivity

For easy worldwide deployment, drone manufacturers need their drones to connect seamlessly, securely and dependably to a variety of networks in countries across the world. Parallel to this, for consumers to put trust in the ecosystem, they will need their goods to be delivered reliably and to be sure that drones cannot be hacked, and their packages be stolen.

It is therefore key that drones cannot simply disappear off the grid. It must always be possible to pinpoint a drone’s exact location so it can be accounted for.

To ensure this, the drone must be able to secure a connection to a local wireless network for short flights (under five miles) at low altitude, and to a cellular network (GSM) for longer journeys.

Part of this involves making sure that any wireless network a drone uses on short flights is not open to compromise, and that all data sent over it is encrypted and integrity-protected so it cannot be read or modified in transit.

In both cases it is also essential that the drone can connect to unmanned traffic management (UTM) platforms, which receive flight plan updates and can request any additional data needed before a flight. For example, before the drone could take off, its mission and flight path would have to be approved on the basis that the path does not cross a no-fly zone. Once in the air, real-time tracking would monitor its route (using an IoT module inside the drone that automatically sends identity and location data) and make sure it is on the correct path. In this way, UTM platforms let regulations be enforced and enable safe and secure flights.
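The tamper-resistant identity module in section 1 and the real-time identity and position reports in this section rest on the same mechanism: every report must be authenticated, not merely encrypted, so the UTM can tell a genuine drone from a forged or altered message. The following added example (written for this page, not Gemalto's DroneConnect code) shows a beacon that tags each report with an HMAC over drone ID, pilot ID, position, timestamp and sequence number; a UTM verifier that rejects forged, altered, stale and replayed reports; and a circular no-fly-zone check of the kind a UTM would apply before approving a mission. The drone and pilot IDs, key, coordinates and zone are constructed values, and a shared per-drone symmetric key is used to keep the example self-contained; a production system would give each module its own certificate and use asymmetric signatures.

```python
import hashlib
import hmac
import json
import math
from typing import Dict, List, Optional, Tuple


class RemoteIdBeacon:
    """Runs inside the drone's tamper-resistant module: it alone holds the device key and
    stamps every identity/position report with a sequence number and an HMAC tag."""

    def __init__(self, drone_id: str, pilot_id: str, key: bytes) -> None:
        self.drone_id, self.pilot_id, self._key = drone_id, pilot_id, key
        self._seq = 0

    def report(self, lat: float, lon: float, alt_m: float, ts: int) -> bytes:
        self._seq += 1
        body = {"drone": self.drone_id, "pilot": self.pilot_id, "lat": lat, "lon": lon,
                "alt": alt_m, "ts": ts, "seq": self._seq}
        # Canonical JSON so both sides compute the MAC over identical bytes.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + tag


class UtmVerifier:
    """UTM side: looks up the drone's key, checks the tag in constant time, then rejects
    stale or replayed reports before trusting the position."""

    def __init__(self, keys: Dict[str, bytes], max_skew_s: int = 30) -> None:
        self._keys = keys
        self._last_seq: Dict[str, int] = {}
        self.max_skew_s = max_skew_s

    def verify(self, msg: bytes, now: int) -> Tuple[Optional[dict], str]:
        try:
            payload, tag = msg.rsplit(b".", 1)
            body = json.loads(payload)
            drone = body["drone"]
        except (ValueError, KeyError, TypeError):
            return None, "malformed"
        key = self._keys.get(drone)
        if key is None:
            return None, "unknown drone"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag: forged or altered in transit"
        if abs(now - body["ts"]) > self.max_skew_s:
            return None, "stale report"
        if body["seq"] <= self._last_seq.get(drone, 0):
            return None, "replayed report"
        self._last_seq[drone] = body["seq"]
        return body, "ok"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def no_fly_breach(body: dict, zones: List[Tuple[float, float, float, str]]) -> Optional[str]:
    """Name of the first circular no-fly zone (lat, lon, radius_m, name) the report falls inside."""
    for lat, lon, radius_m, name in zones:
        if haversine_m(body["lat"], body["lon"], lat, lon) <= radius_m:
            return name
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    beacon = RemoteIdBeacon("UAS-0001", "PILOT-42", key)
    utm = UtmVerifier({"UAS-0001": key})
    zones = [(48.8584, 2.2945, 1000.0, "zone A")]          # constructed exclusion zone
    msg = beacon.report(48.8600, 2.2950, 60.0, ts=1000)
    body, status = utm.verify(msg, now=1005)
    print(status, "inside:", no_fly_breach(body, zones) if body else None)
    payload, tag = msg.rsplit(b".", 1)
    tampered = payload.replace(b'"alt":60.0', b'"alt":600.0') + b"." + tag
    print(utm.verify(tampered, now=1005))                  # altered altitude: bad tag
    print(utm.verify(msg, now=1005))                       # same message again: replay
```

Two design points worth noting. The verifier checks the tag before anything else, so an attacker cannot influence the timestamp or sequence logic with unauthenticated data, and the sequence number is only advanced after every check has passed, so a stale report cannot be used to burn a sequence slot. The MAC gives the UTM authenticity and integrity; confidentiality of the position data still needs the transport encryption discussed in the following section.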

However, at present, GSM connectivity is not 100% available at every location. It therefore remains essential that drones using GSM connectivity have a backup solution for the network they run on, such as satellite communication for beyond visual line of sight flights, or Wi-Fi for short flights.

By the same logic, switching from one network to another (to get the best possible coverage) must itself be secure and must be a smooth process for drone operators. To earn trust and reliability in the drone ecosystem, both for producers shipping goods and for consumers receiving them, connectivity is key.

  3. Confidential data storage and exchange

The final pillar that would bolster trust in this ecosystem centers around the protection of confidential information that must be kept private. Take, for instance, public-safety-related information collected and processed during rescue operations – this clearly cannot be freely shared and could cause harm to the general public if it were to be intercepted by a third party. On a more personal level, imagine that a commercial drone carrying a package addressed to you was intercepted. The hacker would then have access to sensitive information, such as your place of residence and other credentials.

To make sure this cannot happen, it is crucial that data encryption mechanisms are mobilized properly. This involves making sure that legitimate data will only be shared with people and applications that hold the proper key to decrypt it, and that every point where a malicious actor could take advantage is well protected.

For example, the cellular link is encrypted only between the drone’s modem and the mobile network; once data leaves that network for the cloud, there is a gap an attacker could exploit. It is therefore imperative that end-to-end Transport Layer Security (TLS) is applied, so that data is protected all the way from the drone to the UTM regardless of which networks it crosses.

Finally, consumers must understand what happens to a drone’s flight data after the flight, since all of it will need to be stored and protected for investigations and traceability. To give consumers confidence that their data is held to the highest standard, sensitive data needs to be collected on secure servers in the cloud, with strong encryption and access controls mandatory for anyone who wants to reach it. That way it is clear to the public that only authorized parties will be able to view and use this information, and only when an inquiry requires it.

This new, connected world is bringing lots of advantages in day-to-day life, but it’s also bringing challenges in terms of data privacy and cyber-security. To build trust in this ecosystem, security-by-design must be the priority at every stage of the drone lifecycle – from making sure it is built into its hardware at the point of creation and at every point after until the final platform.

To unlock the potential of the skies, trust is essential. It is clear that we’ll need smart, digital and autonomous systems that are able to co-ordinate the complex web of users and flightpaths, while at the same time maintaining the incredible safety levels expected for our aircraft and airspaces.

Reducing the instances where drones are compromised or cannot be traced to an owner to hold them accountable is an essential step towards proving that an entire drone ecosystem can be safe. Only once governments, citizens and companies trust that drones are reliable and safe can companies begin to create a network of drones that fly beyond the visual line of sight.

The post Three developments helping to increase trust in the commercial drone ecosystem appeared first on Cybersecurity Insiders.


October 29, 2019 at 09:09PM

Apple issues Mobile Security warning to old iPhone and old iPad users

Apple Inc has issued a mobile security warning to owners of older iPhones and iPads: unless they update by this weekend, their devices will no longer be able to maintain an accurate GPS location or the correct date and time, and functions that depend on the correct time, including connections to Apple’s internet services, will stop working.

Technically speaking, what Apple is warning about is the GPS week number rollover. The legacy GPS signal carries the week as a 10-bit counter, so it wraps every 1,024 weeks (about 19.6 years). The most recent rollover happened on April 6, 2019, and the GPS firmware in these older devices will start to misinterpret the week number from November 3, 2019, after which they will lose track of the correct date and time.

So, iPhone and iPad users are being asked to update their software before 12:00 a.m. UTC on November 3rd, 2019, i.e. Sunday this week, so that their devices keep working correctly after that point.
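To make the failure concrete, here is an added example (not from the article or from Apple) that models the 10-bit week counter and a receiver’s “pivot” date, the firmware constant that tells it which 1,024-week window a broadcast week number belongs to. The pivot dates are constructed: `OLD_PIVOT` is chosen so that its window closes exactly on November 3, 2019, matching the deadline in the article, and is not claimed to be Apple’s actual value. Leap seconds are ignored.

```python
from datetime import date, datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 starts here
WEEK = timedelta(weeks=1)
WEEK_BITS = 10                                          # legacy L1 C/A navigation message
ROLLOVER_WEEKS = 2 ** WEEK_BITS                         # 1024 weeks
ROLLOVER_DAYS = ROLLOVER_WEEKS * 7                      # 7168 days, about 19.6 years

# GPS time has no leap seconds, so week 2048 began at 2019-04-07 00:00 GPS time,
# which was 2019-04-06 23:59:42 UTC. Leap seconds are ignored throughout this example.
LAST_ROLLOVER = GPS_EPOCH + 2 * ROLLOVER_WEEKS * WEEK


def full_week(dt: datetime) -> int:
    """Whole GPS weeks elapsed since the epoch."""
    return (dt - GPS_EPOCH) // WEEK


def broadcast_week(dt: datetime) -> int:
    """The 10-bit week number a legacy receiver actually decodes from the satellite signal."""
    return full_week(dt) % ROLLOVER_WEEKS


def resolve(week10: int, seconds_of_week: int, pivot: datetime) -> datetime:
    """Receiver-side disambiguation: assume the true date lies in [pivot, pivot + 1024 weeks)."""
    pivot_week = full_week(pivot)
    weeks = pivot_week + (week10 - pivot_week) % ROLLOVER_WEEKS
    return GPS_EPOCH + weeks * WEEK + timedelta(seconds=seconds_of_week)


def date_seen_by_receiver(true_time: datetime, pivot: datetime) -> date:
    """What a receiver with the given firmware pivot displays when the real time is `true_time`."""
    seconds = int((true_time - GPS_EPOCH - full_week(true_time) * WEEK).total_seconds())
    return resolve(broadcast_week(true_time), seconds, pivot).date()


# Constructed pivots. OLD_PIVOT's 1024-week window closes on 2019-11-03, the article's deadline;
# it illustrates the mechanism and is not Apple's actual firmware value.
OLD_PIVOT = datetime(2000, 3, 19, tzinfo=timezone.utc)
NEW_PIVOT = datetime(2019, 4, 7, tzinfo=timezone.utc)   # a pivot set just after the 2019 rollover

if __name__ == "__main__":
    for day in (datetime(2019, 10, 27, 12, tzinfo=timezone.utc),
                datetime(2019, 11, 10, 12, tzinfo=timezone.utc)):
        print(day.date(), "-> old firmware:", date_seen_by_receiver(day, OLD_PIVOT),
              " patched:", date_seen_by_receiver(day, NEW_PIVOT))
```

Running it shows that a receiver with the old pivot still decodes October 27, 2019 correctly but turns November 10, 2019 into March 26, 2000, a jump back of exactly 1,024 weeks, while the patched pivot resolves both dates correctly. Because TLS certificate validation depends on the system clock, a date in the year 2000 is enough to make every certificate look not yet valid, which is why HTTPS-backed services on the device stop working rather than merely showing the wrong time.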

Thus, all users of the iPhone 5, iPhone 4S, iPad 2, the iPad with Retina display (3rd generation) and the 4th-generation iPad (the cellular models, which carry the GPS receiver) are being asked to update by 12 am UTC on that date.

For those who do not install the update, there is a high probability that Safari, email, the App Store, iCloud and Maps will stop working after the deadline.

The fix is included in iOS 10.3.4 and the corresponding 9.3 release, so devices already running those versions or later are not affected; it is the devices still on earlier builds that need the update.

iPhone 5 users have received, or will receive, a pop-up prompting them to install the security fix; everyone else on an older version should update manually through Settings.

The post Apple issues Mobile Security warning to old iPhone and old iPad users appeared first on Cybersecurity Insiders.


October 29, 2019 at 08:50PM

Monday, October 28, 2019

Microsoft previews Azure Sphere with Cloud Security controls

Microsoft has announced that Azure Sphere will become generally available on February 9th, 2020. The platform, which grew out of the Microsoft Research effort codenamed ‘Project Sopris’, was previewed yesterday at the IoT Solutions World Congress.

Azure Sphere is a secured platform for internet-connected devices made up of three parts: a certified microcontroller (initially the MediaTek MT3620), the Azure Sphere OS built on a custom Linux kernel, and the cloud-based Azure Sphere Security Service. Together they provide device authentication, threat response, and reporting on on-device resource use and application failures.

In the coming days, Azure Sphere will also be enriched with artificial intelligence, graphics, and richer UI experiences.

For now, early adopters with hands-on access to the chip are testing it by integrating it into consumer appliances and into retail and manufacturing equipment.

Azure Sphere is also being used in “guardian modules”, add-on devices that sit in front of existing equipment so that it can be connected to the internet securely without modifying the equipment itself.

At the same conference, Microsoft introduced Azure RTOS, a real-time operating system for smaller microcontrollers that is positioned as complementary to Sphere.

In the coming days, the American software giant also plans to add several features to Azure IoT Hub, including Azure Time Series Insights with multi-layered, flexible cold storage and richer analytics at improved scale and performance.

Note- MediaTek MT3620 chips were developed to support high-level security in modern connected appliances and are being used in smart homes, commercial, industrial and many other domains.

The post Microsoft previews Azure Sphere with Cloud Security controls appeared first on Cybersecurity Insiders.


October 29, 2019 at 10:17AM

Over 2K of Media, Government and TV station websites hacked in Georgia

More than 2,000 websites were reported hacked in Georgia in a massive cyberattack launched late yesterday. Security analysts say the disruption stemmed from a sophisticated attack on the web hosting provider Pro-Service.

Highly placed sources say the affected websites include those of government agencies, media outlets and TV stations, as well as a few belonging to local banks and courts. The TV channel Pirveli was also partially affected by the incident.

Because all of the sites were hosted by a single provider, the attackers only had to compromise that provider’s servers to disrupt many websites at once; the final count could reach 15,000.

In a media statement issued early Tuesday, Pro-Service took full responsibility and confirmed that one or more hackers were able to infiltrate its network through a configuration flaw. More details will be released officially as the investigation unfolds.

Cybersecurity Insiders has learned that Pro-Service’s first-response team was able to restore more than half of the impacted websites by 8 PM on Monday.

People in Georgia, many of them busy with Halloween celebrations, panicked because the attack was of the “defacement” kind.

The notable point is that almost 70% of the affected websites were defaced, with their homepages replaced by a picture of former Georgian President Mikheil Saakashvili. The attack could therefore have been launched either by a protester or by a supporter of Saakashvili, who now holds Ukrainian citizenship.

The post Over 2K of Media, Government and TV station websites hacked in Georgia appeared first on Cybersecurity Insiders.


October 29, 2019 at 10:14AM

Cybersecurity Ethics: How Far Is Too Far?

When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics.

When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross?

These questions were part of a lively panel discussion today at the (ISC)2 Security Congress 2019, taking place in Orlando this week. The session, “Ethics Dilemmas Information Security Professionals Face,” was moderated by Biljana Cerin, CISSP, CEO of Ostendo Consulting and Chair of the (ISC)2 Ethics Committee. Joining her were committee members Wim Remes, CISSP, Founder and Principal Consultant of NRJ Security; William H. Murray, CISSP, retired security professional; and William Campbell, President of Predictable Solutions.

Legal Coverage

Much of the discussion centered on the ethical boundaries of penetration testing. There have been cases in which security researchers were arrested for doing their work. To avoid such a fate, Remes stressed the importance of clarity upfront.

“Make sure there is a clear contract,” Remes said. “The contract is where everything starts and stops.”

Sometimes, during penetration tests, researchers may find vulnerabilities in third-party systems, which raises questions on how to proceed. If the client, who is paying the security consultant, decides not to notify the third party, it can create an ethical dilemma for the consultant.

In such situations, it may be tempting to act unilaterally. But Murray strongly advised against doing so, pointing out that this is how security professionals end up in trouble. It is always best to seek the counsel of others, including the client’s superiors and professional peers, to make the best possible informed decision, he argued.

“Consulting with peers as a security professional is something you should definitely consider,” Remes added. “I don’t think I’ve ever made good decisions in isolation.”

Campbell noted that one of the challenges cyber professionals face is that they function as advisors. Security professionals can make recommendations and spell out the consequences of pursuing one path or another, but it is up to managers or clients to make decisions.

Whatever the outcome of a penetration test or some other cybersecurity-focused pursuit, Murray advised documenting the work and decisions made. If management, in weighing cyber risks, decides to ignore the cybersecurity professional’s recommendations, ask them to sign a statement to that effect and file it with other relevant documentation.

Communicating Risk

In getting business leaders to make sound risk management decisions, Campbell stressed the importance of communicating to them in ways they understand. Cybersecurity professionals have often been guilty of being too technical and not understanding what makes executives tick.

Company leaders typically have sales backgrounds, where maximizing revenue is the priority, or come from finance, where costs take precedence. It is important to understand that and communicate in that context when talking about security investments, he said.

Building on Campbell’s point, Murray said: “General managers are not good at making expressions of risk tolerance. That’s not what they do, so we have to express the risk tolerance in such a way that general management says, ‘Oh yea, that’s what I intend.’”

Remes put it in even simpler terms: “In my opinion, if you are not expressing risk in financial terms, then you are not talking about risk at all.”

But what should a CISO or other member of the cybersecurity team do when their advice falls on deaf ears? When nothing else works, the panelists agreed that you should walk away. “If management is not doing the right things, it’s your obligation to forgo that paycheck and leave,” Remes said.

The post Cybersecurity Ethics: How Far Is Too Far? appeared first on Cybersecurity Insiders.


October 29, 2019 at 09:08AM

Security Congress Kickoff: Creating a Safe World

The spotlight was on safety at the kickoff this morning of (ISC)² Security Congress 2019, taking place this week in Orlando. First, (ISC)² CEO David Shearer talked about the role that association members have in protecting society through their cybersecurity work.

Then, Capt. Chesley Burnett “Sully” Sullenberger, the pilot of flight 1549, which landed on the Hudson River in January 2009, related the events of that day and how he and his co-pilot, Jeff Skiles, safely landed their U.S. Airways Airbus with everyone aboard surviving the event.

Shearer spent much of his kickoff address on the importance of abstracting what cybersecurity professionals do from the very users they are protecting. “Our customers’ users simply want to be able to do their jobs and live their lives and passions unencumbered by cybersecurity,” he told the gathered crowd of attendees. This year’s Security Congress has attracted 2,500 professionals to the Walt Disney Dolphin Resort and features more than 250 speakers.

Shearer’s point was that users shouldn’t have to think or worry about cybersecurity. Cybersecurity professionals need to be able to do their work without interrupting users; otherwise, users tend to find ways to circumvent security, which produces the exact opposite effect of what cyber professionals are trying to accomplish.

Drawing parallels between what cyber professionals do and how Walt Disney runs its theme parks and shows, he noted that a lot of behind-the-scenes work has to take place for the magic to happen. When people visit the parks and see the shows, they are not thinking about what goes on behind the curtain, but what they are experiencing. Such is the work of cybersecurity professionals – to toil behind the scenes for the safety of users, their systems and their organizations.

Quoting the rock band Rush, who in turn were quoting Shakespeare, Shearer said: “All the world’s indeed a stage / And we are merely players / Performers and portrayers / Each another’s audience / Outside the gilded cage.”

Drawing another parallel with the work of cyber pros, Shearer said: “As cybersecurity pros, our goal isn’t the limelight but all the world is indeed our stage.”

Always be Learning

After his address, Shearer ceded the stage to the “Miracle on the Hudson” hero, Sullenberger, who kept the audience engrossed as he related the events of Jan. 15, 2009, when he and Skiles had to ditch on the Hudson, saving all 150 passengers and crew.

While no one ever really prepares for an event like that, Sullenberger said, he attributed his ability to communicate with his co-pilot and make the right decisions under such stressful circumstances to the training and discipline he has received through a lifetime of learning. That training and discipline came not only from the values his parents passed on to him, Sullenberger said, but also from his experience at the Air Force Academy and his work as a fighter pilot and commercial airline captain.

He challenged attendees to challenge themselves: “Never stop investing in yourselves. Never stop learning.” As the pace of change accelerates, he said, “most of us cannot get through a lifetime with only one set of skills.” He urged attendees to reinvent themselves and figure out how to innovate.

Sullenberger also talked about the importance of understanding the reality around you in order to make the best possible decisions. “As citizens, we have an obligation to be not just literate but scientifically literate. When we make important decisions, we must make them based on facts, not fears and certainly not untruths.”

The post Security Congress Kickoff: Creating a Safe World appeared first on Cybersecurity Insiders.


October 28, 2019 at 09:08PM

UK offers a £20M worth Cyberthreat contract to CGI

Canadian Global Information, known for short as CGI, has won a government contract worth £20M to develop a cyber threat analysis system for the UK’s Ministry of Defence. A white paper recently released by the British government confirmed the award and added that the service will combine various data sources to support decision-making by authorities in the field of cyber defence.

Readers of Cybersecurity Insiders should note that the same company won a £5.6 million contract two years ago to build a cyber situational awareness fusion architecture for Britain.

The notice published on the UK government’s Contracts Finder says that CGI will now act as technical authority on the MoD’s Defensive Cyber Capability.

“It’s becoming crucial to increase the defence budget to stay ahead of our adversaries when it comes to improving the UK’s defensive measures against cyberattacks,” said Michael Fallon, the Defence Secretary of the UK.

He added that his government is set to invest in protecting the digital infrastructure against cyber threats, all as part of the 2016 initiative.

Note: CGI has worked with the MoD for more than 40 years, and the company is excited about winning another contract. Steve Smart, Senior Vice President of CGI, expressed his pleasure at building a strong relationship with the MoD and hopes to live up to expectations in delivering the cyber threat analysis system.

The post UK offers a £20M worth Cyberthreat contract to CGI appeared first on Cybersecurity Insiders.


October 28, 2019 at 08:49PM

Sunday, October 27, 2019

UK suspects China is conducting espionage with few among 100,000 Chinese University students

MI5 and GCHQ have warned universities and educational institutes operating across the UK that the Chinese government could be conducting espionage on their research and computer systems through hidden spies among the 100,000 Chinese students studying on their campuses. The agencies suspect that the investment made by Beijing in the research work of UK universities is multi-purpose, as it could be using students as espionage agents to transmit research data to the Xi Jinping government.

It should be noted that Chinese students pursuing postgraduate courses pay fees of £50k per year, half of which is reimbursed to them as a scholarship by the Chinese government.

Britain’s intelligence sources suspect that the students repay this financial help by passing secrets related to UK government projects to the Chinese government.

It is estimated that in the past 10 years, over 500 Chinese military scientists have pursued degrees at Britain’s top universities in fields related to supercomputers, jet aircraft, missiles and thin film, which is used to disguise water tanks powered by solar energy.

According to an article in The Times, the Centre for the Protection of National Infrastructure has warned universities in the UK to keep tabs on students from hostile nations, as they could be used by adversaries to steal personal data, research data and intellectual property related to military, commercial and authoritarian interests.

The post UK suspects China is conducting espionage with few among 100,000 Chinese University students appeared first on Cybersecurity Insiders.


October 28, 2019 at 10:14AM