<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; News</title>
	<atom:link href="http://www.novainfosecportal.com/category/news/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Windows Update Trojan Hits Government Contractors</title>
		<link>http://www.novainfosecportal.com/2012/02/03/backdoor-trojan-access-on-government-contractors/</link>
		<comments>http://www.novainfosecportal.com/2012/02/03/backdoor-trojan-access-on-government-contractors/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 17:30:53 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[contractor]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[MSUpdater]]></category>
		<category><![CDATA[myce]]></category>
		<category><![CDATA[pdf]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7854</guid>
		<description><![CDATA[Here&#8217;s something that most of us around DC have to worry about &#8230; either directly or indirectly through our enterprise users. First it was a spiked PDF document disguised as a CFP. A few days later it was a list of conference attendees in a booby-trapped ZIP file. Now it&#8217;s back to malicious PDF files that install a Trojan that mimics Windows Update. Seculert and Zscaler describes this most recent threat in their &#8220;The MSUpdater Trojan and Ongoing Targeted Attacks&#8221; report they released a few days ago. The paper describes how attackers continue to target government contractors with the goal of stealing sensitive information using complex and difficult to detect Trojans that gain backdoor access to systems. Ah &#8230; the fight goes on. via myce.com A joint report was just released that details attacks that have been targeted at government contractors since 2009. The attacks involve phishing emails under the guise of inviting people to conferences. The report by Seculert and Zscaler, details that the phishing emails contain PDFs that when opened exploit Adobe Reader flaws. These files then install an “MSUpdater” trojan, which does a very good job of posing as a legitimate Windows Update process. What really happens is [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.novainfosecportal.com/2012/02/03/backdoor-trojan-access-on-government-contractors/fake_trojan_alert/" rel="attachment wp-att-7855"><img class="alignright size-medium wp-image-7855" src="http://www.novainfosecportal.com/wp-content/uploads/2012/02/fake_trojan_alert-300x216.jpg" alt="" width="177" height="102" /></a>Here&#8217;s something that most of us around DC have to worry about &#8230; either directly or indirectly through our enterprise users. First it was a <a href="/2011/07/20/increase-in-attacks-against-military-contractors/">spiked PDF document</a> disguised as a CFP. A few days later it was a list of conference attendees in a <a href="/2011/07/26/defense-contractors-continue-to-be-targeted/">booby-trapped ZIP file</a>. Now it&#8217;s back to malicious PDF files that install a Trojan that mimics Windows Update. Seculert and Zscaler describe this most recent threat in their &#8220;The MSUpdater Trojan and Ongoing Targeted Attacks&#8221; report, released a few days ago. 
The paper describes how attackers continue to target government contractors with the goal of stealing sensitive information, using complex, difficult-to-detect Trojans that gain backdoor access to systems. Ah &#8230; the fight goes on.</p>
<p>via myce.com</p>
<blockquote><p>A joint report was just released that details attacks that have been targeted at government contractors since 2009. The attacks involve phishing emails under the guise of inviting people to conferences.</p>
<p>The report by Seculert and Zscaler details that the phishing emails contain PDFs that, when opened, exploit Adobe Reader flaws. These files then install an “MSUpdater” trojan, which does a very good job of posing as a legitimate Windows Update process. What really happens is that the trojan provides backdoor access into the network, giving the attackers unfettered access to very sensitive files, for as long as the trojan remains active.</p>
<p>The report states, “Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks.” The report does not detail exactly which companies have been involved.</p></blockquote>
<p>Continued <a href="http://www.myce.com/news/government-contractors-targeted-by-fake-windows-update-trojan-58070/">here</a>.</p>
<p align="center"><em>#####</em></p>
<p align="center"><em>Please let us know what you think. What controls could the government use to mitigate this threat? Today&#8217;s post image is from <a href="http://www.myantispyware.com/">MyAntiSpyware.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/02/03/backdoor-trojan-access-on-government-contractors/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Do Security Maturity Models Work?</title>
		<link>http://www.novainfosecportal.com/2012/01/26/a-new-maturity-model-for-protecting-the-electric-grid-from-cyber-threats/</link>
		<comments>http://www.novainfosecportal.com/2012/01/26/a-new-maturity-model-for-protecting-the-electric-grid-from-cyber-threats/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 16:50:57 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[grid]]></category>
		<category><![CDATA[infosecisland]]></category>
		<category><![CDATA[maturity]]></category>
		<category><![CDATA[model]]></category>
		<category><![CDATA[scada]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7763</guid>
		<description><![CDATA[Could the addition of a new maturity model to the Nation’s Electrical Grid System improve security and protect the grid from cyber threats? An article at InfosecIsland.com a few weeks ago discussed a recent White House initiative to add a maturity model to be used throughout the entire energy industry. I&#8217;ve always been a bit skeptical of maturity models. Even though this approach could provide small steps for easy incremental security improvements, it could also result in people just finding ways to shortcut the system without actually strengthening anything. Overall &#8230; nice idea for people that really want to improve security &#8230; or a shortcut for those just interested in reaching a certain level for contract, marketing, or PR purposes. via InfosecIsland.com As part of the Obama Administration’s efforts to enhance the security and reliability of the nation’s electrical grid, U.S. Energy Secretary Steven Chu today announced an initiative to further protect the electrical grid from cyber attacks. The “Electric Sector Cybersecurity Risk Management Maturity” project, a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS), will leverage the insight of private industry and public sector experts to build on existing cybersecurity [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-7766" src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/Electrical-Grid-System1.jpg" alt="" width="162" height="157" />Could the addition of a new maturity model to the Nation’s Electrical Grid System improve security and protect the grid from cyber threats? An article at InfosecIsland.com a few weeks ago discussed a recent White House initiative to add a maturity model to be used throughout the entire energy industry.</p>
<p>I&#8217;ve always been a bit skeptical of maturity models. Even though this approach could provide small steps for easy incremental security improvements, it could also result in people just finding ways to shortcut the system without actually strengthening anything.</p>
<p>Overall &#8230; nice idea for people that really want to improve security &#8230; or a shortcut for those just interested in reaching a certain level for contract, marketing, or PR purposes.</p>
<p>via InfosecIsland.com</p>
<blockquote><p>As part of the Obama Administration’s efforts to enhance the security and reliability of the nation’s electrical grid, U.S. Energy Secretary Steven Chu today announced an initiative to further protect the electrical grid from cyber attacks.</p>
<p>The “Electric Sector Cybersecurity Risk Management Maturity” project, a White House initiative led by the Department of Energy in partnership with the Department of Homeland Security (DHS), will leverage the insight of private industry and public sector experts to build on existing cybersecurity measures and strategies to create a more comprehensive and consistent approach to protecting the nation’s energy delivery system.</p>
<p><em>“This initiative is another important step forward in improving the security of the Nation’s energy infrastructure and ensuring that the country’s electrical systems remain secure, reliable and resilient,” </em>said Secretary Chu.</p>
<p><em>“Establishing a comprehensive cybersecurity approach will give utility companies and grid operators another important tool to improve the grid’s ability to respond to cybersecurity risks.”</em></p></blockquote>
<p>Continued <a href="http://www.infosecisland.com/blogview/19255-Initiative-to-Protect-the-Electric-Grid-from-Cyber-Threats.html">here</a>.</p>
<p align="center"><em>#####</em></p>
<p style="text-align: center;" align="center"><em>Please let us know what you think. Will this new maturity model actually mean more security? Today’s post image is from </em><a href="http://www.rcac.org/doc.aspx?714&amp;i=335">Rural Community Assistance Corporation</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/26/a-new-maturity-model-for-protecting-the-electric-grid-from-cyber-threats/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Have Passwords Become Obsolete?</title>
		<link>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/</link>
		<comments>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 15:30:01 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[csoonline]]></category>
		<category><![CDATA[obsolete]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7666</guid>
		<description><![CDATA[A recent article over CSO Online by Taylor Armerding debates if password use might be outdated. According to Armerding, some experts believe that passwords are becoming obsolete and alternative forms of authentication such as biometrics should be used. Others argue that passwords are a solid form of authentication as long as they are used properly. Even though Armerding enlightens us of arguments against passwords, I tend to agree with the pro-passwords camp and think this form of authentication is a long way from obsolete. via CSOOnline.com Despite all those &#8220;death to passwords&#8221; chants, some say it&#8217;s still a solid form of authentication &#8212; when users aren&#8217;t being stupid about theirs. It&#8217;s 2012. The password is dead. Long live the password. Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: They don&#8217;t protect users, since they are so easily hacked. All the talk about making passwords more secure is ignoring the elephant in the room &#8211; they simply cannot be made secure. Besides, there are other, better, authentication options, like biometrics, since nobody has your fingerprints, eyes [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-7669 alignright" src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/passwords.gif" alt="" width="213" height="128" />A recent article over at CSO Online by Taylor Armerding debates whether password use has become outdated. According to Armerding, some experts believe that passwords are becoming obsolete and that alternative forms of authentication such as biometrics should be used. Others argue that passwords are a solid form of authentication as long as they are used properly.</p>
<p>Even though Armerding enlightens us about the arguments against passwords, I tend to agree with the pro-passwords camp and think this form of authentication is a long way from obsolete.</p>
<p>via CSOOnline.com</p>
<blockquote><p>Despite all those &#8220;death to passwords&#8221; chants, some say it&#8217;s still a solid form of authentication &#8212; when users aren&#8217;t being stupid about theirs.</p>
<p>It&#8217;s 2012. The password is dead. Long live the password.</p>
<p>Perhaps the division in the IT world is not quite that stark, but there is indeed division. Some think it is past time to retire passwords, for what they say is the obvious reason: They don&#8217;t protect users, since they are so easily hacked. All the talk about making passwords more secure is ignoring the elephant in the room &#8211; they simply cannot be made secure. Besides, there are other, better, authentication options, like biometrics, since nobody has your fingerprints, eyes and DNA.</p>
<p>But others say not so fast &#8211; that biometrics are not duplicate proof, and that passwords would still be fairly effective if users didn&#8217;t make them so easy to hack and if password authentication systems were improved.</p>
<p>Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is, &#8220;not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices.&#8221;</p>
<p>He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. &#8220;The only password security requirement was a password of at least five characters,&#8221; he says, &#8220;(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123,&#8221; plus common dictionary words.</p></blockquote>
<p>Continued <a title="here" href="http://www.csoonline.com/article/697667/passwords-aren-t-dead-though-maybe-yours-should-be">here</a>.</p>
<p style="text-align: center;"><em>#####</em></p>
<p style="text-align: center;"><em>Please let us know your take on this topic. Can passwords be &#8220;resurrected?&#8221; Today’s post image is from <a href="http://its.syr.edu/">Information Technology and Services</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/19/have-passwords-become-obsolete/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Motivating Security through Cyber Insurance</title>
		<link>http://www.novainfosecportal.com/2012/01/17/or-why-insurance-could-force-at-least-some-security/</link>
		<comments>http://www.novainfosecportal.com/2012/01/17/or-why-insurance-could-force-at-least-some-security/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 15:30:53 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[pcadvisor]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7609</guid>
		<description><![CDATA[There&#8217;s been some talk about cyber insurance lately. How it&#8217;s a great business strategy &#8230; how it&#8217;s a rip-off &#8230; how you should approach it cautiously&#8230; The first thing that comes to my mind when I think of cyber insurance are companies purchasing it as a replacement for actually implementing any security at all. Instead of being pessimistic about it, the other day I was contemplating of ways cyber insurance could actually motivate companies to take infosec more seriously. The first thought that came to mind was car insurance. You know how you get a discount on insurance for having a car with &#8220;best practices&#8221; like anti-theft devices, anti-lock brakes, air bags, a good driving record, etc. Insurance agencies could also offer lower premium rates based on similar infosec &#8220;best practices.&#8221; Although agencies already offer such discounts, I haven&#8217;t heard of many professionals using cyber insurance as a motivator to raise infosec&#8217;s profile within their organizations. As an example say a company is in the market for some cyber insurance because of increasing attacks against competitors. If this is their first foray into the infosec realm, insurance agencies would offer relatively high rates. They could also offer their set of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-7611" title="Is This Missing a Piece of Paper for Cyber Insurance? " src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/insurance.jpg" alt="Strips of Paper with Different Types of Insurance" width="128" height="117" />There&#8217;s been <a href="http://www.pcadvisor.co.uk/news/security/3330045/cyber-insurance-offers-it-peace-of-mind-or-maybe-not/">some talk about cyber insurance</a> lately. How it&#8217;s a great business strategy &#8230; how it&#8217;s a rip-off &#8230; how you should approach it cautiously&#8230; The first thing that comes to my mind when I think of cyber insurance is companies purchasing it as a replacement for actually implementing any security at all. Instead of being pessimistic about it, the other day I was contemplating ways cyber insurance could actually motivate companies to take infosec more seriously.</p>
<p>The first thought that came to mind was car insurance. You know how you get a discount on insurance for having a car with &#8220;best practices&#8221; like anti-theft devices, anti-lock brakes, air bags, a good driving record, etc. Insurance agencies could also offer lower premium rates based on similar infosec &#8220;best practices.&#8221; Although agencies already offer such discounts, I haven&#8217;t heard of many professionals using cyber insurance as a motivator to raise infosec&#8217;s profile within their organizations.</p>
<p>As an example, say a company is in the market for some cyber insurance because of increasing attacks against competitors. If this is their first foray into the infosec realm, insurance agencies would offer relatively high rates. They could also offer their set of &#8220;best practices&#8221; so that companies would have something to work towards to get lower rates. As the company applies these controls, their rate decreases. Furthermore, the longer they go without any incidents, the lower their rate goes.</p>
<p>That&#8217;s about as far as the car insurance analogy goes. It falls apart because state governments do not currently mandate cyber insurance. But there are other considerations as well.</p>
<p>As many will argue, this motivator could turn into a compliance issue, and the difficult part there is determining the &#8220;best practices&#8221; to measure against. Whatever baseline set of controls a state or insurance agency chooses, people will argue that traditional compliance programs don&#8217;t actually make companies more secure. <a href="/2011/09/09/video-venn-diagram-of-the-day-compliance-v-security/">I&#8217;ve even been in this camp before</a>.</p>
<p>And as with all baseline control arguments &#8230; the discussion often leads into something about risk management. So you do an entire risk assessment and at least only have to apply and monitor the relevant controls. Of course, risk programs may become flawed despite the best intentions. Increased bureaucracy, high budgets, and implementation complexity could all play a role in reducing their effectiveness, turning them into a paperwork-intensive exercise that, again, doesn&#8217;t improve security.</p>
<p>So in the end there is no perfect solution; however, I feel it&#8217;s an interesting thought on how cyber insurance could add another technique to help professionals raise infosec&#8217;s prominence.</p>
<p>via PCAdvisor.co.uk</p>
<blockquote><p>If your company were hit with a cyber attack today, would it be able to foot the bill? The entire bill, including costs from regulatory fines, potential lawsuits, damage to your organization&#8217;s brand, and hardware and software repair, recovery and protection?</p>
<p>It&#8217;s a question worth careful consideration, given that the price of cyber attacks is rising at an alarming rate.</p>
<p>The second annual Cost of Cyber Crime study, released last August by the Ponemon Institute, reported that the median annualized cost of detection of and recovery from cyber crime per company is $5.9 million &#8212; a 56% increase from the 2010 median figures. The costs of cyber crime range from $1.5 million to $36.5 million per company.</p>
<p>A growing number of insurance companies are offering cyber protection in the event of breaches and other malicious data attacks. But so far, they&#8217;re having some difficulty making their case. Surveys show companies have yet to embrace these policies, whose costs can be staggering.</p></blockquote>
<p>Continued <a href="http://www.pcadvisor.co.uk/news/security/3330045/cyber-insurance-offers-it-peace-of-mind-or-maybe-not/">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>What are your thoughts? Could cyber insurance actually help security? Today&#8217;s post image was brought to you by <a href="http://www.investopedia.com/investing-topics/Insurance">Investopedia.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/17/or-why-insurance-could-force-at-least-some-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Is Android Really Secure Enough for the DoD?</title>
		<link>http://www.novainfosecportal.com/2012/01/03/is-android-really-secure-enough-for-the-dod/</link>
		<comments>http://www.novainfosecportal.com/2012/01/03/is-android-really-secure-enough-for-the-dod/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 20:04:36 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[icloud]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[net-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7485</guid>
		<description><![CDATA[Over the holidays I came across an announcement that Pentagon officials have approved the use of Android in addition to BlackBerry to meet their mobile computing needs. In summary the reasons why they chose Android included: Open Source Platform: Google likes to call Android open source however they only legally meet what true open source is. Besides the ability to fork the entire code base, their open source model doesn&#8217;t differ that much from IOS. It&#8217;s take it or leave it with no community or transparency during development. In terms of what the DoD is looking for (just being able to fork it), this would meet their requirements. Lock Down after Login Failures: True &#8230; but most other smartphones offer the feature of locking down the platform after so many failed login attempts so this isn&#8217;t too much of a security discriminator. They also poopooed iOS for various reasons including: Closed Source Code: True but you think the U.S. government could work out a NDA with Apple so they could at least review the code. Still, it&#8217;s a long way from Android&#8217;s open source model. GPS Regularly Reporting to Apple: Why &#8230; Apple &#8230; do you do this? At least [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7488" title="When you see this logo, is good security the first thing that comes to mind?" src="http://www.novainfosecportal.com/wp-content/uploads/2012/01/android_logo-300x225.gif" alt="Android Logo" width="210" height="158" />Over the holidays I came across an announcement that Pentagon officials have approved the use of Android in addition to BlackBerry to meet their mobile computing needs. In summary, the reasons they <strong>chose Android</strong> included:</p>
<ul>
<li><strong>Open Source Platform:</strong> Google likes to call Android open source; however, they only legally meet what true open source is. Besides the ability to fork the entire code base, their open source model doesn&#8217;t differ that much from iOS. It&#8217;s take it or leave it with no community or transparency during development. In terms of what the DoD is looking for (just being able to fork it), this would meet their requirements.</li>
<li><strong>Lock Down after Login Failures:</strong> True &#8230; but most other smartphones offer the feature of locking down the platform after so many failed login attempts so this isn&#8217;t too much of a security discriminator.</li>
</ul>
<p>They also <strong>pooh-poohed iOS</strong> for various reasons including:</p>
<ul>
<li><strong>Closed Source Code:</strong> True but you think the U.S. government could work out an NDA with Apple so they could at least review the code. Still, it&#8217;s a long way from Android&#8217;s open source model.</li>
<li><strong>GPS Regularly Reporting to Apple:</strong> Why &#8230; Apple &#8230; do you do this? At least give us an option of disabling the reporting function and still keeping the platform useful.</li>
<li><strong>Data Shared on iCloud:</strong> It looks like this can be minimized by disabling iCloud and not using certain Apple services (e.g., iMessage). Still very frustrating though&#8230;</li>
<li><strong>Slow Patching:</strong> Yeah, but at least the devices actually get patched versus the old Android version the DoD approved, which by the way is way behind on patches.</li>
</ul>
<p>Of these, I think the only anti-iOS arguments that stand on their own are the first two. Well maybe the government could create a special jailbroken version of iOS that meets their requirements since that seems to be legal after last year&#8217;s DMCA adjustments. At least they could knock the second criticism out.</p>
<p>In closing I am going to jump on the &#8220;risk&#8221; bandwagon here but I think it&#8217;s a better way to evaluate Android vs. iOS security. If you look at the enormous number of threats against Android, I feel that <strong>these two platforms are mostly on equal footing from a risk perspective</strong>.</p>
<p>via Net-Security.org</p>
<blockquote><p>US Department of Defense officials that need a mobile device are no longer restricted to using a BlackBerry, reports Muktware. The Pentagon has now also allowed the use of Android, but only if it runs on Dell hardware, and only if it&#8217;s version 2.2 of the mobile platform.</p>
<p>The decision has been made by the Defense Information Systems Agency, and was influenced by many factors.</p></blockquote>
<p>Continued <a href="https://www.net-security.org/secworld.php?id=12141">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>What are your thoughts on the DoD&#8217;s approval of Android as a mobile platform? Should iOS have been included in that approved list? Today&#8217;s image is from <a href="http://www.android.com/media/">Android.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2012/01/03/is-android-really-secure-enough-for-the-dod/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Best Paying Infosec Jobs for 2012</title>
		<link>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/</link>
		<comments>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/#comments</comments>
		<pubDate>Wed, 28 Dec 2011 15:30:57 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[cissp]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[informationweek]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7459</guid>
		<description><![CDATA[Here&#8217;s another quick post on an article I&#8217;ve been meaning to mention for the last month or so. It falls under the &#8220;2012 prediction&#8221; category so referencing it now still seems relevant. Plus it follows nicely with yesterday&#8217;s post on the hottest security jobs but is more focused on salary. I&#8217;ve added some commentary to the main points I pulled out just for the fun of it. In summary &#8230; Infosec salaries should rise by an average of 4.5%. [grecs: Yet those CEOs are getting 20%+ pay increases. Also my insurance premiums are still increasing by that same 20% so I guess I'll be 15.5% in the hole for 2012. But on the other hand ... at least we should be getting raises.] There are lots of positions but not enough skilled people. [grecs: Good for us I guess ... but it may also pollute our profession with people that don't really "care" as much about infosec and are just doing it for the money.] Data security analyst is THE hot security job for the next year. [grecs: Nice general title to mention there... It could mean almost anything.] CISSP and Security+ certificates continue to be the most in demand. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7460" title="Robert Half Technology" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/rht-300x92.jpg" alt="Robert Half Technology Logo" width="300" height="92" />Here&#8217;s another quick post on an article I&#8217;ve been meaning to mention for the last month or so. It falls under the &#8220;2012 prediction&#8221; category so referencing it now still seems relevant. Plus it follows nicely with yesterday&#8217;s post on the <a href="/2011/12/27/5-hottest-sec-jobs-in-2012/">hottest security jobs</a> but is more focused on salary. I&#8217;ve added some commentary to the main points I pulled out just for the fun of it.</p>
<p>In summary &#8230;</p>
<ul>
<li>Infosec salaries should rise by an average of 4.5%. <em>[grecs: Yet those CEOs are getting 20%+ pay increases. Also my insurance premiums are still increasing by that same 20% so I guess I'll be 15.5% in the hole for 2012. But on the other hand ... at least we should be getting raises.]</em></li>
<li>There are lots of positions but not enough skilled people. <em>[grecs: Good for us I guess ... but it may also pollute our profession with people that don't really "care" as much about infosec and are just doing it for the money.]</em></li>
<li>Data security analyst is THE hot security job for the next year. <em>[grecs: Nice general title to mention there... It could mean almost anything.]</em></li>
<li>CISSP and Security+ certificates continue to be the most in demand. <em>[grecs: When will the OSCP get some respect?]</em></li>
<li>Application, mobile, cloud and virtual security will also be big. <em>[grecs: Yeah, guess that makes sense ... since it's been the same way for the past several years ... well maybe except for mobile.]</em></li>
</ul>
<p>via InformationWeek.com</p>
<blockquote><p>Good news for information security professionals: Expect salaries to increase by an average of 4.5% in 2012. Pay for chief security officers, meanwhile, is expected to increase by 3.9%.</p>
<p>Those predictions come by way of staffing agency Robert Half Technology, which last week released its 2012 Salary Guide, which details technology industry salary and hiring trends.</p>
<p>The report predicts that for 2012, many security jobs will be in high demand, especially for midlevel and senior roles. &#8220;Data security and protection, especially in industries such as banking and healthcare, will continue to be an in-demand area within technology,&#8221; according to the report. &#8220;In fact, 24% of CIOs polled by our firm cited security as their top professional concern.&#8221;</p></blockquote>
<p>Continued <a href="http://www.informationweek.com/news/security/management/232200152">here</a>.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Today&#8217;s featured image is from <a href="http://hdistlouis.com/HDAOY.aspx">HDIStLouis.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/28/best-paying-infosec-jobs-for-2012/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Racing Away From RSA?</title>
		<link>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/</link>
		<comments>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/#comments</comments>
		<pubDate>Mon, 26 Dec 2011 17:00:35 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[rsa]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7412</guid>
		<description><![CDATA[Today&#8217;s post was contributed by Sarah Clarke on her thoughts of NIST&#8217;s recent update to SP 800-64 Electronic Authentication Guideline. Another milestone has been reached in the race to get rid of now-suspect RSA token technology. On December 12, 2011, NIST published the Electronic Authentication Guideline SP-800-63-1, which updates guidance previously provided in SP-800-63. The updated document provides guidance on how federal agencies should implement the four levels of assurance defined in OMB M-04-04 as they apply to users authenticating to government systems over untrusted, public networks. NIST&#8217;s summary of the updates [PDF] includes: Recognition of more types of tokens, including pre-registered knowledge token, lookup secret token, out-of-band token, as well as some terminology changes for more conventional token types; Detailed requirements for assertion protocols and Kerberos; A new section on token and credential management; Simplification of guidelines for password entropy and throttling; Emphasis that the document is aimed at Federal IT systems; Recognition of different models, including a broader e-authentication mode; Clarification of differences between Levels 3 and 4 in Table 12; and New guidelines that permit leveraging existing credentials to issue derived credentials. The press release adds: Government agencies have the option of using the services of companies [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7429" title="Does the PIN being optional make these Level 2 or Level 3?" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/rsaalgorithm-300x290.jpg" alt="RSA Token Algorithm" width="210" height="203" /><em>Today&#8217;s post was contributed by Sarah Clarke on her thoughts of NIST&#8217;s recent update to SP 800-64 Electronic Authentication Guideline.</em></p>
<p>Another milestone has been reached in the race to get rid of now-suspect RSA token technology. On December 12, 2011, NIST published the Electronic Authentication Guideline SP-800-63-1, which updates guidance previously provided in SP-800-63. The updated document provides guidance on how federal agencies should implement the four levels of assurance defined in OMB M-04-04 as they apply to users authenticating to government systems over untrusted, public networks.</p>
<p>NIST&#8217;s <a href="http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910006">summary of the updates</a> [PDF] includes:</p>
<ul>
<li>Recognition of more types of tokens, including pre-registered knowledge token, lookup secret token, out-of-band token, as well as some terminology changes for more conventional token types;</li>
<li>Detailed requirements for assertion protocols and Kerberos;</li>
<li>A new section on token and credential management;</li>
<li>Simplification of guidelines for password entropy and throttling;</li>
<li>Emphasis that the document is aimed at Federal IT systems;</li>
<li>Recognition of different models, including a broader e-authentication mode;</li>
<li>Clarification of differences between Levels 3 and 4 in Table 12; and</li>
<li>New guidelines that permit leveraging existing credentials to issue derived credentials.</li>
</ul>
<p>The <a href="http://www.nist.gov/itl/csd/sp80063-121311.cfm">press release</a> adds:</p>
<blockquote><p>Government agencies have the option of using the services of companies that have had their authentication systems certified through the Federal Chief Information Officer Council’s Trust Framework Provider Adoption Process (TFPAP). This program assesses credentialing processes against federal requirements, including those established in 800-63. To ensure consistency and avoid redundant analysis, NIST strongly encourages agencies to leverage the TFPAP process.</p></blockquote>
<p><strong>So, what&#8217;s it all mean?</strong></p>
<p>Remote access tokens are now going to be required for all government agencies starting at assurance level 2, with applicable token types being <em>&#8220;Memorized Secret Tokens, Pre-Registered Knowledge Tokens, Look-up Secret Tokens, Out of Band Tokens, and Single Factor One-Time Password Devices.&#8221;</em> The new terminology for traditional soft tokens is Multi-factor (MF) Software Cryptographic Tokens; they are still acceptable at level 3 as in the prior version. On the other hand, terminology for hard tokens is a little more tricky since they can be deployed as single-factor one-time-password devices (without PIN). These single-factor versions thus are no longer acceptable at levels 3 and 4, but now only at level 2, a level which previously had no requirement for hard or soft tokens. I’m not sure what category a hard token with PIN would be deployed as &#8230; I&#8217;m leaning towards level 3 but the wording is a little tricky.</p>
<p>Now that NIST has issued this guidance, government agencies (and the large commercial entities that follow NIST guidance) will have a path forward as they perhaps migrate away from their RSA technology. This refresh, both of tokens required currently for levels 3-4 and new purchases for the tokens now required at level 2, means large profits for TFPAP-credentialed providers in the near future. Who these TFPAP providers are was something I wasn&#8217;t able to determine. I&#8217;m not even sure if anyone has been credentialed yet or if the certified provider list has been released.</p>
<p>Both the press release and the summary of updates downplay the impact this updated guidance will have as it addresses the RSA problem shared by both government and private industry. This makes the updated guidance recommended reading for anyone responsible for their organizations&#8217; remote access.</p>
<p>I feel like this release is a direct reaction to the RSA hacks &#8230; the updates show movement away from the original RSA technique, there’s emphasis on the diversification of models and technologies to prevent the same type of issue (where the seed database was compromised and all tokens were affected) and the guidance references thoughts on what to do in the event of a certified provider being compromised in future. The end result is that once this guidance is implemented the impact of another compromise like RSA will be much less far reaching and potentially less catastrophic.</p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>These are just my thoughts after one evening&#8217;s writing&#8230; I&#8217;d love to hear more opinions on the subject, including determining what level an RSA token with PIN maps to, mapping old token types to new token types, and how this will affect your remote access strategies. There&#8217;s a lot more to cover &#8230; please comment and continue the conversation! Today&#8217;s featured image is from the <a href="http://information-technology-forum.blogspot.com/2011/03/security-breach-anouncement-rsa.html">Information Technology Forum</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/26/racing-away-from-rsa/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Best Approach to Increase Cyber Security Professionals</title>
		<link>http://www.novainfosecportal.com/2011/12/09/best-approach-to-increase-cyber-security-professionals/</link>
		<comments>http://www.novainfosecportal.com/2011/12/09/best-approach-to-increase-cyber-security-professionals/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 19:25:33 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[computerworld]]></category>
		<category><![CDATA[degree]]></category>
		<category><![CDATA[infosec]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7262</guid>
		<description><![CDATA[A recent article over at Computer World suggested that the best way to create new infosec talent for the burgeoning security field may not necessarily be to push students through budding cyber security degree programs. Depending on the situation I feel this assertion may or may not be valid. Two potential options managers often contemplate include either investing in current employees or hiring new cyber security degree holders. I think cross-training existing employees who have traditional degrees, a few years of experience and expertise in specific IT skill sets can improve security more due to their familiarity with the technology they are securing. On the other hand, hiring green graduates who are curious and think outside the box can stimulate new innovative security approaches for the organization. So unfortunately in the end it&#8217;s still a toss up in my opinion &#8230; and once again it depends on the type of positions you are trying to fill. via ComputerWorld.com We&#8217;re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs. And while we&#8217;re at it, let&#8217;s address the problem of all those hackers who are thinking outside of the box [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7281" title="Cyber Security Jobs" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/cyber-security-jobs-300x200.jpg" alt="Analysts Monitoring Computer Screen" width="147" height="98" />A recent article over at Computer World suggested that the best way to create new infosec talent for the burgeoning security field may not necessarily be to push students through budding cyber security degree programs. Depending on the situation I feel this assertion may or may not be valid.</p>
<p>Two potential options managers often contemplate include either investing in current employees or hiring new cyber security degree holders. I think cross-training existing employees who have traditional degrees, a few years of experience and expertise in specific IT skill sets can improve security more due to their familiarity with the technology they are securing. On the other hand, hiring green graduates who are curious and think outside the box can stimulate new innovative security approaches for the organization.</p>
<p>So unfortunately in the end it&#8217;s still a toss up in my opinion &#8230; and once again it depends on the type of positions you are trying to fill.</p>
<p>via ComputerWorld.com</p>
<blockquote><p>We&#8217;re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs.</p>
<p>And while we&#8217;re at it, let&#8217;s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs.</p>
<p>Unfortunately, the logic of these statements is about a micron thick.</p>
<p>Let&#8217;s look at those cybersecurity degree programs first. In no other computing discipline do you have a specialized degree program. You do not earn a bachelor&#8217;s degree specifically in software engineering, computer graphics, artificial intelligence, database management, systems administration, Web applications programming or project management. Why should there be a bachelor&#8217;s degree specific to cybersecurity? (And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)</p>
<p>There shouldn&#8217;t be. Security professionals need to function in a variety of disciplines. They can be called upon to evaluate software for security vulnerabilities, to determine whether a user interface is suffering from information leakage, to design secure databases, to secure operating systems, to assess and shore up the security of websites, to incorporate security requirements into new developments and so on. The person you ask to do all of those things needs to be well rounded. But a cybersecurity degree program offers many security classes at the expense of classes that would normally be required to get a general degree in computer science or information systems.</p></blockquote>
<p>Continued <a href="https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs">here.</a></p>
<p style="text-align: center;">#####</p>
<p style="text-align: center;"><em>Please let us know your take on this topic. Today’s post image is from <a href="http://www.csaho.com/images/cyber-security-jobs.jpg">Csaho.com</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/09/best-approach-to-increase-cyber-security-professionals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New FedRAMP Program: Not Half-Baked but Not Cooked Through</title>
		<link>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/</link>
		<comments>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 14:33:04 +0000</pubDate>
		<dc:creator>DanPhilpott</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[dhs]]></category>
		<category><![CDATA[fedramp]]></category>
		<category><![CDATA[fisma]]></category>
		<category><![CDATA[gsa]]></category>
		<category><![CDATA[nist]]></category>
		<category><![CDATA[omb]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7264</guid>
		<description><![CDATA[The long wait for a key Federal cloud computing program is over with the launch today of FedRAMP. FedRAMP will help Federal Agency managers to adopt cost-saving and service improving cloud computing solutions. For over two years the Federal government&#8217;s &#8220;cloud first&#8221; policy has floundered. Government executives and managers moved cautiously on adoption concerned about possible insecurity of the platform and the costs for FISMA authorization of complex cloud computing solutions. Cloud Service Providers (CSP) have likewise been concerned with how different agencies had conflicting requirements and interpreted security control requirements differently. With multi-tenant solutions CSPs were beset by each tenant Agency wanting their own authorization, making business with the government a frustrating affair. While there have been notable wins for cloud vendors over the past year many Federal systems that would benefit from a move to the cloud had the moves delayed until better policy and guidance was available to address those concerns. FedRAMP Arrives FedRAMP supplies the policy and guidance starting with the release by Federal CIO Steven VanRoekel of the FedRAMP memo, Security Authorization of Information Systems in Cloud Computing Environments [PDF]. As FedRAMP develops additional documentation it will be posted at the GSA hosted FedRAMP.gov site. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-7268" title="FedRAMP" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/fedramplogo.jpg" alt="FedRAMP Logo" width="175" height="175" />The long wait for a key Federal cloud computing program is over with the launch today of FedRAMP. FedRAMP will help Federal Agency managers to adopt cost-saving and service-improving cloud computing solutions.</p>
<p>For over two years the Federal government&#8217;s &#8220;cloud first&#8221; policy has floundered. Government executives and managers moved cautiously on adoption, concerned about possible insecurity of the platform and the costs for FISMA authorization of complex cloud computing solutions.</p>
<p>Cloud Service Providers (CSP) have likewise been concerned with how different agencies had conflicting requirements and interpreted security control requirements differently. With multi-tenant solutions CSPs were beset by each tenant Agency wanting their own authorization, making business with the government a frustrating affair.</p>
<p>While there have been notable wins for cloud vendors over the past year, many Federal systems that would benefit from a move to the cloud had the moves delayed until better policy and guidance was available to address those concerns.</p>
<h2>FedRAMP Arrives</h2>
<p>FedRAMP supplies the policy and guidance starting with the release by Federal CIO Steven VanRoekel of the FedRAMP memo, <a href="http://cio.gov/fedrampmemo.pdf">Security Authorization of Information Systems in Cloud Computing Environments</a> [PDF]. As FedRAMP develops additional documentation it will be posted at the GSA-hosted <a href="http://fedramp.gov">FedRAMP.gov</a> site.</p>
<p>To make FedRAMP a reality, a variety of organizations including GSA, NIST, the CIO Council and OMB have worked to find ways to meet the many Federal security requirements for IT systems, manage the risk to government systems and make cloud computing adoption a straightforward process for everyone. Crowd-sourcing played a large role in development, and many public and private organizations and individuals contributed throughout the process.</p>
<p>The FedRAMP program is a centralized method to assess and authorize (A&amp;A) cloud computing systems under a streamlined FISMA process. By centralizing the process some key objectives can be met.</p>
<p>A CSP only has to go through authorization once; subsequent customers can then leverage or re-use that authorization. If an agency has specific requirements, only the delta between the FedRAMP baseline and the agency&#8217;s own controls needs to be addressed.</p>
<p>Cloud computing A&amp;As are handled by FedRAMP components and third-party assessor organizations (3PAOs) that can develop specialized skill sets for cloud computing. This will encourage development of cloud-focused security staff and rapid maturation of processes focused on understanding the risks involved with cloud computing.</p>
<p>Compliance is only one component of good security. FedRAMP represents a minimal set of required security controls, a limited subset of the controls most systems would be required to have in place and operating effectively under the normal FISMA authorization process. FedRAMP should be seen as a starting point, a demonstration of due diligence on the part of the CSP. As with any authorization in the Federal government, departments and agencies should still use this process to determine whether the security is commensurate with the risk and magnitude of harm that would result from the cloud system being compromised or made unavailable.</p>
<h2>How Does It Work?</h2>
<p>The final FedRAMP concept of operations (CONOPS) and governance model have yet to be released but the basic process will involve six components: Joint Authorization Board (JAB), Program &#8230;</p>
<p>Continued on page 2 for <a href="/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/2/">some gotchas, whether FedRAMP applies, and its current maturity</a>&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/09/new-fedramp-program-not-half-baked-but-not-cooked-through/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Should Cyber Security Focus More on Users?</title>
		<link>http://www.novainfosecportal.com/2011/12/08/should-cyber-security-focus-more-on-users/</link>
		<comments>http://www.novainfosecportal.com/2011/12/08/should-cyber-security-focus-more-on-users/#comments</comments>
		<pubDate>Thu, 08 Dec 2011 16:41:58 +0000</pubDate>
		<dc:creator>judykavuo</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[attacker]]></category>
		<category><![CDATA[human]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techjournalsouth]]></category>
		<category><![CDATA[user]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=7233</guid>
		<description><![CDATA[As one of the components of an information system, does the user component need more security emphasis than attackers? As many suggest, the human aspect is the weakest link in an organization’s information security because users interact with an information system both inside and outside the organization. An article posted recently on TechJournal South seems to imply that we should put more emphasis on the human aspect instead of attackers. Even though TechJournal’s approach is valid, I think that a balance should be struck between the two. Rather than applying an across-the-board rule to stress either the user or the attacker more, organizations should instead apply focus based on the risks they face. via TechJournalSouth.com Computer security experts have long pointed out that human beings are often the weak link allowing cyber attacks to succeed. Now, researchers at the Maryland Cybersecurity Center have reaffirmed that security measures must aim at users, not just attackers. “Users expose the network to attacks,” one said. In a unique collaboration, an engineer and a criminologist at the University of Maryland, College Park, are applying criminological concepts and research methods in the study of cybercrime, leading to recommendations for IT managers to use in [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-7238" title="Access List" src="http://www.novainfosecportal.com/wp-content/uploads/2011/12/access-list-300x130.png" alt="Access list" width="402" height="129" />As one of the components of an information system, does the user component need more security emphasis than attackers? As many suggest, the human aspect is the weakest link in an organization’s information security because users interact with an information system both inside and outside the organization. An article posted recently on TechJournal South seems to imply that we should put more emphasis on the human aspect instead of attackers.</p>
<p>Even though TechJournal’s approach is valid, I think that a balance should be struck between the two. Rather than applying an across-the-board rule to stress either the user or the attacker more, organizations should instead apply focus based on the risks they face.</p>
<p>via TechJournalSouth.com</p>
<blockquote><p>Computer security experts have long pointed out that human beings are often the weak link allowing cyber attacks to succeed. Now, researchers at the Maryland Cybersecurity Center have reaffirmed that security measures must aim at users, not just attackers. “Users expose the network to attacks,” one said.</p>
<p>In a unique collaboration, an engineer and a criminologist at the University of Maryland, College Park, are applying criminological concepts and research methods in the study of cybercrime, leading to recommendations for IT managers to use in the prevention of cyber attacks on their networks.</p>
<p>Michel Cukier, associate professor of reliability engineering at the A. James Clark School of Engineering and Institute for Systems Research, and David Maimon, assistant professor of criminology and criminal justice in the College of Behavioral and Social Sciences, are studying cyberattacks from two different angles – that of the user and that of the attacker. Both are members of the Maryland Cybersecurity Center.</p>
<p>Their work is the first look at the relationship between computer-network activity patterns and computer-focused crime trends.</p></blockquote>
<p>Continued <a href="http://www.techjournalsouth.com/2011/11/cyber-security-must-focus-on-users-not-just-attackers/">here.</a></p>
<p align="center">#####</p>
<p align="center"><em>Please let us know your take on this topic. Today’s post image is from <a href="https://blogs.manageengine.com/image/501000000765133/access-list.png">ManageEngine.com</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2011/12/08/should-cyber-security-focus-more-on-users/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

