Cloud Security


The Problem with Data
https://sm.asisonline.org/Pages/The-Problem-with-Data-.aspx
2017-09-27 | Cybersecurity

More than 2.5 quintillion bytes of data are created every day. The sum of all knowledge will double every 12 hours in the future, said 2017 ASIS President Thomas J. Langer, CPP, in his opening remarks at ASIS 2017.

That is a mind-boggling amount of data that will be created in the near future. And as we've seen over the past few years, it's becoming a liability for companies facing ever-more sophisticated cyberattacks.

Earlier this month, credit reporting agency Equifax reported that the private data of approximately 143 million of its customers may have been exposed in a massive data breach.

The hackers behind the attack gained access to customers' names, birth dates, Social Security numbers, and addresses. While most of the customers were from the United States, individuals from Canada and the United Kingdom were also impacted.

The Equifax breach was almost seven times larger than the U.S. Office of Personnel Management breach. The treasure trove of data it exposed is ideal for criminals looking to carry out benefits and tax fraud, identity theft, and more, wrote Rick Holland, vice president of strategy at Digital Shadows, in a blog about the impact of the Equifax breach on enterprises and consumers.

"Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks," Holland wrote.

And social engineering attacks are still criminals' preferred method when it comes to spreading malware to victims—such as ransomware.

"Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms," EUROPOL said in a recent report on Internet crime.

EUROPOL also predicts that devices will be the next "fertile ground for the proliferation of mobile ransomware."

All of this has prompted renewed debate on the increased need for data breach laws and regulation to keep sensitive data secure.

Europe is leading the way with the EU General Data Protection Regulation, and the United States may follow suit in light of the Equifax breach.

"In a world where one line of faulty computer code can mean the difference between normalcy and chaos, it is often not a question of if, but when, the most sensitive systems will be hacked," wrote U.S. Representative Ted Lieu (D-CA) in an op-ed for Slate about the fallout from Equifax. "Given this reality, we must improve our ability to react at every level after companies have been breached."


The Problem with Data (2017-09-27): https://sm.asisonline.org/Pages/The-Problem-with-Data-.aspx
An Education Connection (2017-09-01): https://sm.asisonline.org/Pages/An-Education-Connection.aspx
Book Review: Network Video (2017-08-01): https://sm.asisonline.org/Pages/Book-Review---Network-Interview.aspx
Trump's Cybersecurity Executive Order Well Received by Experts (2017-05-12): https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
Seminar Sneak Peek: Moving to the Cloud Repositions Security (2016-08-16): https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---Moving-to-the-Cloud-Repositions-Security.aspx
New Data Rules (2016-08-01): https://sm.asisonline.org/Pages/New-Data-Rules.aspx
Operating Blind (2016-03-01): https://sm.asisonline.org/Pages/Operating-Blind.aspx
Privacy Shield Is Here—What This Means For Your Company (2016-02-09): https://sm.asisonline.org/Pages/Privacy-Shield-Is-Here--What-That-Means-For-Your-Company.aspx
Book Review: Big Data (2016-02-01): https://sm.asisonline.org/Pages/Book-Review---Big-Data.aspx
On the Record (2016-01-14): https://sm.asisonline.org/Pages/On-the-Record.aspx
Conducir hacia el desastre (Driving Toward Disaster) (2015-07-08): https://sm.asisonline.org/Pages/Conducir-hacia-el-desastre.aspx
Building Cyber Awareness (2015-05-18): https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Passing the Biometrics Test (2015-03-01): https://sm.asisonline.org/Pages/Passing-the-Biometrics-Test.aspx
Chain Reaction (2015-01-01): https://sm.asisonline.org/Pages/Chain-Reaction.aspx
The Password Problem (2014-12-01): https://sm.asisonline.org/Pages/the-password-problem.aspx
Cyber Crusaders (2014-11-01): https://sm.asisonline.org/Pages/Cyber-Crusaders.aspx
Q&A: What Are Today's Biggest Malware Challenges? (2014-10-01): https://sm.asisonline.org/Pages/QA-What-are-Today's-Biggest-Malware-Challenges.aspx
NSA's Actions Threaten U.S. Economy and Internet Security, New Report Suggests (2014-07-29): https://sm.asisonline.org/Pages/nsas-actions-threaten-us-economy-and-internet-security-new-report-suggests-0013601.aspx
Cloud Technology (2013-10-01): https://sm.asisonline.org/Pages/cloud-technology-0012811.aspx
Computing in the Cloud (2013-10-01): https://sm.asisonline.org/Pages/Computing-in-the-Cloud.aspx

You May Also Like...

Tuesday Education Sessions Address Security Challenges
https://sm.asisonline.org/Pages/Tuesday-Education-Sessions-Address-Security-Challenges.aspx
Physical Security

Attendees had the opportunity on the second day of ASIS 2017 to listen to experts share their personal experiences in security, lead deep dives and panels, and gain insights from impact learning sessions.

Read below about a few of the sessions that the Show Daily team attended throughout the day.

Mock Trial

All rise! Attendees-turned-jurors gathered to judge the outcome of a mock trial and take the chance to explore the intricacies of who is liable when workplace violence occurs.

The cheeky, candid performance, kicked off by a robe-and-wig-wearing CALSAGA President David Chandler, presented a fictitious case following a workplace bombing in which the victim sued her employer's security contractor, and that contractor in turn sued the company.

Multiple partners from Bradley & Gmelich ran the trial, with Roy Rahn, CPP, playing the security director; Matt Thomas, CPP, as the security officer; and Linda Florence, CPP, as the plaintiff. Bonnie Michelman, CPP; Geoff Craighead, CPP; and Mark Mooring, CPP, provided expert testimony.

It all began when community center executive director Rita Bennett fired Dexter Morgan, who grew aggressive and attempted to throw a paperweight at her head. He was escorted from the premises by a Lumen Security contract officer, and Bennett sent an email to all staff that Morgan should not be allowed back on the premises.

She then called Arthur Miller, the owner of Lumen Security, expressing her concerns about Morgan. Miller assured her he would take care of it and offered her additional armed services or risk assessments, but Bennett explained that the community center could not afford them. Miller did not take any additional actions.

Morgan later showed up at the facility and passed the security desk because the officer had not seen the email stating that Morgan was barred from the premises.

When Bennett stepped away from her office without her radio, Morgan planted the bomb and ran away. Once the security officer realized what was going on, he tried to notify Bennett on her radio—which she did not have—but it was too late. The bomb exploded, severely injuring Bennett.

Now, years later, Morgan has admitted to the crime, and Bennett is suing Lumen for negligence, so Lumen responded by suing the community center. The lively hearing—a two-week affair squeezed into two hours—illustrated the legal process in a humorous yet thorough way.

Attorneys and plaintiffs explored whether Lumen Security could be held liable for the bombing, or whether the responsibility for Morgan's actions lay with the community center and its lack of security measures, making attendees think long and hard about responsibility and duty of care when it comes to securing private facilities.

Hacking Motivations

What drives a hacker? What motivates him or her to explore our computer systems—sometimes in the name of research and sometimes for malicious reasons—further than most people normally would go? And why are their efforts effective?

Those questions were the focus of "A Hacker's Perspective on the Human Element in Society" by Coleman Wolf, CPP, CISSP, lead security practice consultant at Environmental Systems Design, Inc.

"I like to look at it as hackers in a generic sense," Wolf said. "They have a deeper understanding of a system and they like to explore that system."

Learning about hackers and their motivations is crucial because security professionals need to understand who initiates the threats and what tricks they use to perpetrate a hack.

For instance, hackers know that one of the best ways to understand how a system works is to break it, to "push it to its limits" to see what it's capable of and master it as a technical challenge, Wolf said.

Hackers are also motivated by curiosity, to explore the cyberworld; amusement, such as through trolling; social causes, like hacktivism; or profit, such as espionage and extortion. They often view the "cyberworld as a visual world you can go to" through the computer, Wolf added.

To gain access to systems, hackers will typically exploit humans—often the weakest element in the security system because they cannot or will not abide by security policies and procedures—into granting them access.

To do this, hackers use the psychology of persuasion on their victims. Wolf divided this psychology into six groups: scarcity, authority, liking, social proof, reciprocity, and consistency.

For instance, in a ransomware attack, hackers will often use scarcity to convince victims to pay them. Wolf shared the example of the Popcorn Time ransomware, which displays a countdown clock on victims' computers with the time left to pay the ransom or lose their files.

Other ransomware variants, however, combine scarcity (limited time) with liking—making the ransom payment process easy and approachable by providing a helpdesk with instructions on how to obtain Bitcoin to pay the ransom.

By learning about hackers and their motivations, security professionals will be in a better position to understand who initiates threats against them and how to prevent staff from falling for the tricks they use to perpetrate a hack.

Effective Leadership

Self-awareness is one of the best predictors of leadership success, according to several psychology and leadership studies in recent years. Leaders need to know themselves before they can forge trusting relationships with others to create an effective staff.

Becoming self-aware is not easy, though, and most aspiring leaders are never taught how to do it. At the education session "Effective Leadership: What's Self-Awareness Got to Do With It?," participants were given advice on what it means to be self-aware, how to increase self-awareness, and how to leverage it to become a more effective leader. The session was supported by the CSO Center.

Instructor Rosemary Maellaro, an associate professor of management at the University of Dallas, told attendees that "leadership is all about achieving goals through others. We cannot do it all ourselves."

And to have effective relationships with those you lead, a leader needs high emotional intelligence.

Emotional intelligence can be thought of as "a different way of being smart," said Maellaro. It requires balancing intellect and emotions so that emotions can be used to effectively inform decisions. Those with low emotional intelligence do not often achieve this balance; they either let their emotions overwhelm their actions, or they ignore their emotions completely and rely on cold logic to make their decisions.

Emotional intelligence can also be used to develop self-awareness—a thorough understanding of one's own strengths and weaknesses, and how others perceive one. But self-awareness takes effort, Maellaro said.

It requires thoughtful introspection and an openness to honest feedback. The three pillars on which self-awareness rests are emotional awareness, an accurate self-assessment, and self-confidence.

Many leadership studies have shown that top performers usually score high in self-awareness. Among its benefits, self-aware leaders usually have good camaraderie with their staff, are trusted, are good communicators, are perceived as authentic by those who work with them, and have the ability to accurately perceive their own emotions.
Building Cyber Awareness
https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Cybersecurity

Early in 2009, while working the night shift as a contract security guard, Jesse William McGraw infiltrated more than 14 computers at the North Central Medical Plaza in Dallas, Texas. McGraw, the self-proclaimed leader of the hacking group Electronik Tribulation Army, installed a program on the computers that would allow him to remotely access them to launch DDoS (distributed denial of service) attacks on rival hacking organizations' websites.

Among the computers McGraw hacked into were a nurses' station computer—which had access to patient information protected by the Health Insurance Portability and Accountability Act (HIPAA)—and a heating, ventilation, and air conditioning computer that controlled the airflow to floors used by the hospital's surgery center. Over several months in 2009, McGraw further compromised the hospital's network by installing malicious code and removing security features, making the network even more vulnerable to cyberattacks.

To document his work, McGraw made a video and audio recording of his "botnet infiltration." Set to the theme of Mission Impossible, McGraw described his actions: accessing an office and a computer without authorization, inserting a CD containing the ophcrack program into the computer to bypass security, and inserting a removable storage device, which he claimed contained malicious code or a malicious program. McGraw then posted the video to the Internet, asking other hackers to aid him in conducting a "massive DDoS" on July 4, 2009.

His online actions attracted the attention of the FBI, which, five days before his planned attack, arrested him on two charges of transmitting malicious code. McGraw pled guilty to the charges and was sentenced to 110 months in federal prison in 2011.

An attack similar to McGraw's is even more worrisome now, as companies are increasingly using building systems and access control systems that are connected to computers. Between 2011 and 2014, the number of cyber incidents reported to the U.S. Department of Homeland Security (DHS) that involved industrial control systems grew from 140 to 243 incidents—an increase of 74 percent.

Yet many private and public entities aren't addressing the cyber risks associated with these systems. In fact, according to a Government Accountability Office (GAO) report, DHS is not assessing or addressing cyber risks to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) at all.

"DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue," the GAO found in its recent report. "By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, [the National Protection and Programs Directorate] have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting."

Within most federal facilities there are building control systems that monitor and control building operations such as elevators, electrical power, heating, ventilation, and air conditioning. Many of these systems are connected to each other and to the Internet, making them extremely vulnerable to cyberattacks that could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or occupants, the GAO reports. For instance, a cyberattack could allow people to gain unauthorized access to facilities, damage temperature-sensitive equipment, and provide access to information systems.

And perpetrators aren't limited to outside actors; they can also be insider threats. "Insider threats—which can include disgruntled employees, contractors, or other persons abusing their positions of trust—also represent a significant threat to building and access control systems, given their access to and knowledge of these systems," the report explains.

Under the Homeland Security Act of 2002, DHS is required to protect federal facilities as well as the people inside those facilities. As part of that responsibility, DHS's National Protection and Programs Directorate (NPPD) is in charge of strengthening the security and resilience of U.S. physical and cyber critical infrastructure against terrorist attacks, cyber events, natural disasters, or other catastrophic incidents.

Yet as a department, DHS lacks a strategy that defines the problem and identifies the roles and responsibilities for cyber risk to building and access control systems, according to the GAO. The report also notes that DHS has failed to analyze the necessary resources or identify a methodology for assessing such risk.

Additionally, the Interagency Security Committee (ISC), the body responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyberthreats to building and access control systems into its Design-Basis Threat report. The report aims to set standards based on leading security practices for all nonmilitary federal facilities to "ensure that agencies have effective physical security programs in place."

However, cybersecurity has not been added to the report because "recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first," according to the GAO report. But the office has reported that "incorporating the cyber threat to building and access control systems in ISC's Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk."

Furthermore, the General Services Administration (GSA) has not "fully assessed" the risk of a cyberattack on building control systems consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. According to the GAO's report, GSA has assessed security controls of building control systems, but has not fully assessed the elements of risk, such as threats, vulnerabilities, and consequences.

"For example, five of the 20 reports [GAO] reviewed showed that GSA assessed the building control device to determine if a user's identity and password were required for login, but did not assess the system to determine if password complexity rules were enforced," the GAO reports. "This could potentially lead to weak or insecure passwords being used to secure building control systems."

Coleman Wolf, CPP, security lead for global engineering consulting firm ESD, said he was not surprised by the office's overall findings. "The part that does surprise me is that some of the assessment that is supposed to go on is not going on, or the plans are not in place to conduct those assessments," says Wolf, who is also the chair of the ASIS International IT Security Council. "I would expect that on the private sector side, but I just thought there were more stringent plans in place on the federal side."

However, Wolf says he doesn't think there will be a big drive for changes in assessing the cyber risk of building systems until it begins to impact people at a personal level in their own homes. "As people start to see these kinds of potential consequences, I think people will start to demand more be done to assess and rectify these kinds of threats," he predicts.

While the private sector begins to focus on building control systems, the public sector is complying with GAO's recommendation that the appropriate government agencies should take steps to assess cyber risks.

"We [at DHS] are working to develop a strategy for addressing cyber risk to building and access control systems," says S.Y. Lee, a DHS spokesman. "This strategy will utilize best practices and lessons learned from the private sector experiences of the DHS National Cybersecurity and Communications Integration Center's Industrial Control Systems Cyber Emergency Response Team (CERT)."

The ISC is also working with DHS's US-CERT and ICS-CERT to incorporate potential cyber risks to building and access control systems into the Design-Basis Threat Report and Countermeasures Appendix. As the next step of the process, ISC will meet with GSA and other agencies to plan a comprehensive review of cyber risks to building access control systems.

It will then issue additional guidance to its federal partners on appropriate countermeasures in the next annual review of its Design-Basis Threat Report, which is scheduled for release in October 2015, according to a DHS official.

GSA also agreed with the findings of the report and said it will take "appropriate action" to make sure its assessments of cyber risks to building control systems are compliant with FISMA and implementing guidelines, according to a letter included in the report by Dan Tangherlini, a GSA administrator.

However, GSA did not respond to requests for comment before press time on what specific actions it planned to take to address cyber risks.
Book Review: Hacked Again
https://sm.asisonline.org/Pages/Hacked-Again.aspx
Cybersecurity

ScottSchober.com Publishing; ScottSchober.com, 202 pages; $34.95

If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, Hacked Again is a good resource to have in your library.

Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.

Another important concept is having systems in place to enable information access both as a data breach is occurring and afterwards. Most companies' IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.

The abundance of personal information on social media is another concern of the author's. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we're never completely protected from a cyberattack.

Many cybersecurity books are more advanced, but Schober's style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.

--

Reviewer: Kevin Cassidy is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.