STE WILLIAMS

SAFECode Releases Framework For Assessing Security Of Software

Guide for evaluating how software companies are adopting secure coding and security support practices.

The nonprofit Software Assurance Forum for Excellence in Code (SAFECode) today published a framework for companies to use when evaluating the security of software they purchase from third-party vendors.

Howard Schmidt, executive director of SAFECode, says the nonprofit’s framework and recommendations offer enterprises a model for assessing the security of software they procure and for better managing risk.

“One of the key parts is to develop a trust of the security reliability of the technology ecosystem,” Schmidt says. “This [framework] helps an enterprise become effective in assessing the security of software … and it’s a method for assessing software security in a repeatable, scalable format.”

The framework and recommendations in part draw from existing assessment models used by Boeing and the FS-ISAC, the financial services industry’s threat intelligence-sharing community. The FS-ISAC in 2013 came up with a strategy for rolling out third-party software and services in financial institutions that includes a vendor-focused Building Security In Maturity Model (vBSIMM) assessment, binary static analysis, and policy management for open-source software libraries and components.

vBSIMM is a subset of the BSIMM, which is a study of actual secure software development programs at corporations that other companies can use to measure their own efforts against those of their counterparts. vBSIMM is a way to measure the maturity of software security of vendors selling to the financial industry.

SAFECode’s “Principles for Software Assurance Assessment” framework aims to foster more transparency and trust between vendors and buyers, officials there say.

Gary McGraw, CTO of Cigital, which works on BSIMM, says vetting the security of third-party software vendors’ wares is important. “How do you know whether the software is any good [security-wise] or not? There needs to be a way to measure vendor stuff,” he says. You can’t penetration-test all of the hundreds or thousands of vendor software programs running in a business, he says.

There are existing standards that address part of the secure coding issue, such as ISO 27034 for application security and IEC/ISA-62443 for automation and control systems. But SAFECode officials say those take care of specific areas and not the big picture of assessing the security practices of software vendors when enterprises make their purchases.

SAFECode’s membership includes some of the biggest software companies in the world: Adobe, CA Technologies, EMC, Intel, Microsoft, SAP, Siemens, and Symantec. McGraw contends that pedigree poses a bit of a conflict-of-interest question. He says big software vendors “would like to be in control of the measuring stick” for assessing their security, thus the new framework.

Even so, the fact that they are providing a framework is good news. “[The framework] is a good thing for them to do; it needs to happen,” he says. “But the question is, who do you want to be policing the vendors. The vendors?”

SAFECode’s framework does not fit the bill for software vendors that don’t already have mature software assurance programs, however. It’s up to the enterprise buyer to vet the software with existing tools or testing services. “For this category, SAFECode recommends a tool-driven approach, such as binary code analysis tools,” according to SAFECode.

Software security vendor Veracode, which contributed to SAFECode’s paper, weighed in today on that as well. “While it is encouraging that the largest software vendors in the world are beginning to consider the need for communicating about the security of the software products they produce, a focus on only the most-mature vendors sets the wrong expectation for buyers about the overall level of maturity in the market,” Veracode’s Anne Nielsen wrote in a blog post today about SAFECode’s framework.

Nielsen, who is senior product manager for Veracode, which offers binary static analysis services, not surprisingly also called for binary static analysis of software packages from the non-major vendors. “This industry-accepted standard provides a point-in-time assessment of vulnerabilities within the product at the time of purchase which informs the buyer of exactly what they are getting: features, functionality, and risk,” she wrote.

What about enterprises that don’t fall into the big, Fortune 100 or so category like many of the BSIMM participants, for example? Cigital’s McGraw says these smaller enterprises in general are not as focused on third-party software security. “There are not enough companies worried about this … But the big companies have already figured out how to solve this,” he says.

Meantime, SAFECode says “Tier 2” software suppliers, which have internal software assurance processes but no international standards driving their programs, can be assessed by buyers in three basic areas:

  • Secure coding development and integration: Does the vendor deploy, for example, threat modeling, sandboxing, fuzzing, penetration testing, and static code analysis?
  • Product security governance: Is security a part of the company’s culture and operations? Is the development team required to receive security training/enrichment? Is its security posture reviewed by managers at various levels in the company? Is there a “roadmap” for the next phases of secure development? Does the vendor have a documented process for fixing vulnerabilities in its products?
  • Vulnerability response: Is the software vendor “transparent” about bug discovery and reporting? Does it work with customers who find vulns?

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/application-security/safecode-releases-framework-for-assessing-security-of-software-/d/d-id/1323282?_mc=RSS_DR_EDT

1 in 5 kids believe search engine results are always true

About one in five children aged 12 to 15 believe that information found in search engines like Google or Bing must be true.

In fact, kids were more likely in 2015 than in 2014 to believe various kinds of online information are always true, according to a study just out from Ofcom, the UK regulator of media and communications industries, which has been tracking kids’ and parents’ media habits since 2005.

Some other key findings from the study, which relied on in-home interviews with 1379 parents and children aged 5-15:

  • In 2015, kids aged 8-11 and 12-15 are more likely than those studied in 2014 to believe that all information on news sites or apps is true (23% vs. 12% for 8-11 year olds, and 14% vs. 8% for 12-15 year olds).
  • The BBC remains the preferred source for truthful information about the world among 12-15 year olds, but a growing number said they would turn to YouTube for truthful information (8% vs. 3% in 2014).
  • In addition to the one in five (19%) 12-15 year olds who believe search engine results must be true, 22% of them don’t consider the veracity of information but just visit the sites they “like the look of.”
  • Despite being distinguished with an orange box containing the word “ad,” only 16% of 8-11 year olds and 31% of 12-15 year olds could correctly identify sponsored ads in search results.
  • 45% of 12-15 year olds were aware of personalized advertising, but 18% thought everyone would see the same ads and 38% were unsure.

Looking at these results it seems obvious that many children nowadays are unprepared to withstand the onslaught of online hoaxes, scams and social engineering tricks employed by predators, cybercriminals and fraudulent advertisers.

Certainly, children need help to “develop the know-how they need to navigate the online world,” notes Ofcom’s director of research, James Thickett.

Yet many adults also need help to be better at discerning the truthfulness of information online and spotting scams and other threats.

Adults with bad security attitudes

The attitudes of adults about the veracity of search engine results are pretty bad too, according to another study of media literacy released this year by Ofcom.

Ofcom’s survey found that just 60% of adults say that “some websites will be accurate or unbiased and some won’t be.”

Another 23% of adults say information returned in search engine results will be true and unbiased, and 14% say they “don’t really think about” the accuracy of information, but just visit sites they “like the look of.”

Adults are just as vulnerable to dirty online tricks, as we know from other studies that show how bad people are at spotting phishing scams (up to 45% of people fall for the hardest-to-spot phishing attempts).

Many people just can’t seem to get security right, no matter how hard we try to raise awareness of cyberthreats: a lot of us are woefully bad at basics like creating strong passwords, and too many of us ignore security warnings about dangerous websites and neglect privacy settings on our devices and social media accounts.

Getting better at cybersecurity

This lack of security conscientiousness should also be concerning for organizations under constant threat from cyberattackers looking to exploit users to gain access to systems and data.

It’s not all bad news: we’re getting better at cybersecurity in many ways, like our increasing adoption of data encryption and use of two-factor authentication to secure our accounts.

But cybersecurity is a shared responsibility – when just some of us are negligent, it gives cybercrooks the edge.

If you want to do your part, you can start by encouraging your friends, family and co-workers to start with the security basics and build up from there.

You can also get them to like our Facebook page, and sign up to our daily newsletter, to stay up to date with the latest security news and practical advice from Naked Security.

Image of teen using a laptop courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vqZHivux_2U/

Facebook to help people tune out their ex-lovers

Do you really need to see your ex flirting with others on Facebook?

Is it going to help you heal at all whatsoever if you notice that their relationship status has changed?

Research has already answered that: online surveillance of an ex can trigger negative feelings – particularly for those who as children have developed an anxious, insecure attachment style.

Anxious people have a tendency to cast about for coping mechanisms.

Unfortunately, the coping mechanism is often to go back online, to seek romantic alternatives or anything that will make us feel better.

The result: more exposure to the fact that the ex is doing fine without us, which in turn makes it all worse.

Facebook wants to help.

It’s now testing tools that will help people manage how they interact with their ex-partners after relationships have ended.

Facebook Product Manager Kelly Winters explained in a blog post on Thursday that Facebook will offer users the option to use the tools when they change their relationship status.

To keep us from becoming stalkers and to help keep from being stalked, the tools will enable users to quickly and easily:

  • See less of a former partner’s name and profile picture around Facebook without having to unfriend or block them. Their posts won’t show up in News Feed and their name won’t be suggested when people write a new message or tag friends in photos.
  • Limit the photos, videos or status updates that a former partner will see.
  • Edit who can see their past posts with a former partner and untag themselves from posts with that person.

From the blog post:

This work is part of our ongoing effort to develop resources for people who may be going through difficult moments in their lives. We hope these tools will help people end relationships on Facebook with greater ease, comfort and sense of control.

The tools sound like they could be helpful for those who have difficulty controlling the urge to keep compulsively checking up on exes.

They’re also a good reminder about the importance of buttoning up our privacy so that we don’t become surveillance targets ourselves in the aftermath of a breakup.

The jilted-ex tools are obviously not designed as a shield for domestic abuse victims, who have to take far more extreme steps to protect themselves online.

Often, such people turn to pseudonyms to protect themselves from cyber stalking partners.

That, in turn, brings up Facebook’s authentic-name policy – a policy that has hampered people’s ability to protect their identities online but which, thankfully, is due for a major overhaul in December.

In the meantime, tips to make your Facebook account safer include checking how others view you on Facebook, limiting the audience for past posts, and locking down the audience for future posts.

We recently reviewed how to do all those things when Facebook enabled people to search anyone’s public posts – all 2 trillion of them.

You can also use the Facebook Privacy Dinosaur to check your privacy settings on Facebook.

Facebook started to test its ex-partner lock-down tools last week in the US on mobile. It will tweak and roll them out based on feedback.

The tools will be optional, and Facebook said that people will be able to access them in the help center anytime.

If you’re seriously suffering from heartache, Facebook’s tools might prove helpful.

Then again, there’s always ditching Facebook completely.

After all, a sabbatical from any Facebook activity at all is good for the psyche: new research suggests that quitting Facebook altogether, at least for a short period of time, makes people happier and less stressed.

Image of “ex” voodoo doll courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q4rpDJhzsnI/

Interstate swatting bill would jail crank callers for between a year and life

About a year ago, the National Report threw social media into an uproar when it published an article about a teenager who’d been convicted on terrorism charges for swatting, and sentenced to a prison term of 25 years to life.

It turned out to be a hoax: a fake story with a sensational headline published by a satirical website well-known for such.

This, on the other hand, is not a hoax: on Wednesday, US lawmakers did in fact put forth a bill to make swatting punishable by prison sentences with maximums ranging from one year to life.

Swatting is the practice of making bogus emergency calls, as a prank or as revenge, in the hopes of getting emergency responders to descend on a victim.

“Prank” is an egregiously inappropriate term for such a practice, which puts those emergency responders, targeted victims, and their families at potentially mortal risk.

In fact, lawmakers say that swatting has resulted in injury to law enforcement officers, as well as heart attacks, and serious injury to victims.

It sounds like it should be classified a federal crime, but, in fact, it’s not.

Rather, current federal law prohibits using the telecommunications system to falsely report a bomb threat hoax or a terrorist attack, but it doesn’t prohibit falsely reporting other emergency situations.

On Wednesday, two members of Congress moved to close that loophole when Congresswoman Katherine Clark (D-MA) and Congressman Patrick Meehan (R-PA) introduced the Interstate Swatting Hoax Act of 2015.

From Clark’s press release about the bill:

While federal law prohibits using the telecommunications system to falsely report a bomb threat hoax or a terrorist attack, falsely reporting other emergency situations is not currently prohibited.

The proposed bill would punish anyone who…

…uses a telecommunications system, the mails, or any other facility of interstate or foreign commerce to knowingly transmit false or misleading information indicating that conduct has taken, is taking, or will take place that may reasonably be believed to constitute a violation of any State or Federal criminal law, or endanger public health or safety.

This one’s serious: they’re looking at maximum prison terms anywhere from one year to life.

The proposed penalties:

  • A fine and/or prison sentence for a maximum of five years if the call results in an emergency response.
  • A fine and/or prison sentence for a maximum of 20 years in cases of swatting that results in serious bodily injury.
  • A fine and/or prison sentence for a maximum of life if the call results in death.

Even if swatting doesn’t lead to any of those things, perpetrators can still face a maximum of one year in jail, a fine, or both.

Besides potential prison sentences, the fines likely will amount to more than just a slap on the wrist, given how much of a strain swatting puts on police resources.

The FBI in 2013 estimated that at the time, they were seeing hundreds of swatting attacks every year.

It’s tough to generalize about how much swatting incidents cost police, but if there are going to be fines levied against swatters, they could be stiff.

Some local departments have said that the cost is as much as $15,000. An April 2014 incident that involved 60 heavily armed officers cost an estimated $100,000.

Some states have already moved to hold swatters financially accountable for these costs.

California’s Senate Bill No. 333, which went into force in January 2014, mandated that those convicted of swatting be required to reimburse municipal departments that respond to fake emergency calls up to $10,000.

Image of Special force police in action courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/k1gTu9szbCw/

Data breach at firm that manages Cisco, Microsoft certifications

Cisco, IBM, Oracle and Microsoft’s certification management provider, Pearson VUE, has copped to a data breach following a malware compromise of its Credential Manager System.

The Pearson Credential Manager (PCM) system supports a number of companies’ certification tracking programmes. Pearson VUE stated that an “unauthorised third party improperly accessed certain information related to a limited set of our users”.

Among the affected companies is Cisco. El Reg reader Oliver Jones, who tipped us off about the breach, had been trying to follow a certification with Cisco’s tracking system, which is supported by Pearson VUE, and then found it had been down for more than a week.

Since at least 14 November, Cisco’s tracking system had claimed it was down for “site maintenance”. On Saturday, however, Cisco copped to the Pearson VUE incident and stated its tracking system “will remain down until further notice”.

Cisco added that “at this time, we believe that the compromised information, as it relates to individuals who have taken exams for and hold Cisco certifications, is limited to: name, mailing address, email address and phone number”.

The Borg suggested it wasn’t the worst hit, however: “so, while you may see reports of additional types of personal information being potentially compromised on the PCM platform, we have been informed that this is not the case with respect to the Cisco certification user profiles”.

Pearson VUE has stated there was “no indication that any other systems [than the PCM system] have been affected” and suggested other customers need not worry.

While the company doesn’t believe US Social Security numbers were spaffed – nor “full” payment card information – it acknowledged that the PCM system is “custom designed to fit specific customer requirements,” and so attempts to “understand how this issue may have affected each of our customers” are continuing.

“It is important to note that not all system users provided all of the affected data elements,” according to Pearson.

The Register has attempted to contact Pearson VUE for comment, and was forwarded through to the press office by reception in its London office. There has been no answer so far. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/pearson_vue_data_breach_pcm/

Want to defend your network? Profile the person attacking it

Sysadmin Blog

If you want to hack someone’s network then learn your target. This starts with recon. What does your target run? What information can you find out about them? Remote scanning will tell you lots about a target system … unless their sysadmins are good and have changed all the banners to throw you off.

So you learn about the people involved. Who are they? Have any of the technical staff or managers done talks? Where did they work before? People are sloppy and leave information lying around all over the place … and the internet is forever.

That talk or blog about how a big problem was solved can give you lots of clues about how a company’s network is designed, what applications they use and so forth. Social media feeds are a gold mine; techs love nothing more than to complain about frustrating applications, or talk about new ones that they are trying out.

A really good hack can be months or even years in the recon stage. It probably involves building a duplicate network in your own lab at which you can make dry runs.

Cloud offerings can really help with this because the more people use public cloud computing, the more they are using a pre-canned offering that you can duplicate with a minimum of effort. After you know all that you are likely to know, you move to coding stage.

The coding stage overlaps recon somewhat, in that a lot of the recon stage will be spent designing the code you’ll be using to attack your target. You’ll need to assemble a list of exploits you can try, based on what you know the target runs. You’ll also want to learn the operating systems, monitoring solutions and intrusion detection systems in play so that you can hide your tracks.

The coding stage is assembling your payloads into deployable weapons. You might need to try several before you find one that manages to get you a beachhead into the target network. Once there, you can then spool out your payloads onto different systems – covering your tracks the whole time – and deploy your other beachhead tools (including those which failed; they may work from behind the perimeter) to make sure that you have multiple access points.

All of this is a lot of work, but gaining access to a network is the easy part.

Sneaking out is always hard

There is an economic incentive for companies not to pay too close attention to people trying to sneak in to their networks. Simply put: if they don’t know about it, they can’t be held accountable. Companies can point to the industry-standard, off-the-shelf security solutions they’ve deployed and say they did their due diligence.

On the other hand, companies are absolutely paranoid about people trying to remove data from the network. They’re also paranoid – for completely different reasons – about what their staff might be doing with the company network. Are the proles wasting time on Facebook? The bigger the company the more likely they will see every single bit that leaves the network.

If you manage to embed a remote access application in your target’s network, making it something that people won’t notice is actually pretty easy. Have it talk something innocuous or nerdy. Nobody really notices SSL traffic to a website hosted on Amazon.

If you have a legitimate looking website living in a VM on Amazon then you can have your remote access tool talk to an API interface buried at some sub-URL in order to exchange commands. So long as the traffic usage isn’t high, it will probably be overlooked.

However, try to pull 2TB worth of data off of that network and alarms will go off everywhere.

Large volume transfers are suspicious. Protocols such as RDP are suspicious. SSH maybe not so much, but that really depends on the company. Many are getting wise to it.

Everyone monitors cloud applications such as Dropbox nowadays, so you’re not going to take your bounty, stuff it into a cloud storage application, and use that to exfiltrate data unless your target’s sysadmins are massively underfunded. Similarly, if there’s this connection to a random website on Amazon that’s open for eight consecutive months, always at exactly 50KiB/sec, someone will eventually notice.
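The two tells just described, a bulk transfer that “sets off alarms everywhere” and a connection that stays open for months at exactly the same rate, are both visible in ordinary egress flow summaries. The following detector is an added example, not code from the original Register blog; it generalises the two cases into per-(host, destination) checks over hourly outbound flow records. The flow lines are constructed sample data, and the thresholds (500 GiB total, 48 hours of persistence, 5% coefficient of variation) are assumptions a defender would tune to their own baseline.

```python
"""
Added example (not part of the original Register blog): a small egress
detector over hourly outbound flow summaries. It raises two kinds of finding
the post describes: bulk transfers to one destination, and long-lived,
suspiciously steady low-rate connections (the "eight months at exactly
50KiB/sec" beacon). All records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

KIB = 1024
HOUR_SECONDS = 3600


def build_sample_flows():
    """Construct hourly flow summaries ("timestamp src dst bytes") for a
    72-hour window. Hosts and destinations are placeholders, not real traffic."""
    start = datetime(2015, 11, 1)
    lines = []
    for i in range(72):
        ts = (start + timedelta(hours=i)).isoformat()
        # 10.0.0.7: exactly 50 KiB/s every hour, the steady beacon pattern
        lines.append(f"{ts} 10.0.0.7 54.200.1.10 {50 * KIB * HOUR_SECONDS}")
        # 10.0.0.12: ordinary bursty usage whose volume varies hour to hour
        lines.append(f"{ts} 10.0.0.12 54.200.1.20 {1000 + (i * 7919) % 500000}")
    for i in range(5):
        # 10.0.0.3: same steady rate, but only seen for five hours (too short)
        ts = (start + timedelta(hours=i)).isoformat()
        lines.append(f"{ts} 10.0.0.3 93.184.216.34 {50 * KIB * HOUR_SECONDS}")
    for i in range(4):
        # 10.0.0.9: 512 GiB per hour for four hours, 2 TiB to one destination
        ts = (start + timedelta(hours=10 + i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 198.51.100.5 {512 * 1024 ** 3}")
    return lines


def parse_flow(line):
    """Parse one 'ISO-timestamp src dst bytes' record."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def summarise_pairs(flow_lines):
    """Aggregate outbound bytes per (src, dst) pair into hourly buckets."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in flow_lines:
        ts, src, dst, nbytes = parse_flow(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(src, dst)][hour] += nbytes
    return buckets


def find_egress_anomalies(flow_lines, bulk_bytes=500 * 1024 ** 3,
                          min_hours=48, max_cv=0.05):
    """Return {(src, dst): finding}. The thresholds are assumptions:
    bulk_bytes  - total volume to one destination that counts as bulk theft
    min_hours   - distinct hours a pair must persist to be 'long-lived'
    max_cv      - max coefficient of variation of hourly volume that still
                  counts as 'suspiciously steady' (0 means perfectly constant)
    """
    findings = {}
    for pair, per_hour in summarise_pairs(flow_lines).items():
        counts = list(per_hour.values())
        total = sum(counts)
        if total >= bulk_bytes:
            findings[pair] = {"kind": "bulk_transfer",
                              "total_gib": total / 1024 ** 3}
            continue
        if len(counts) < min_hours:
            continue
        avg = mean(counts)
        cv = pstdev(counts) / avg if avg else 0.0
        if cv <= max_cv:
            findings[pair] = {"kind": "steady_beacon",
                              "hours": len(counts),
                              "avg_kib_per_sec": avg / KIB / HOUR_SECONDS,
                              "cv": cv}
    return findings


if __name__ == "__main__":
    for pair, finding in find_egress_anomalies(build_sample_flows()).items():
        print(pair, finding)
```

Run as-is it reports the 2 TiB transfer from 10.0.0.9 as `bulk_transfer` and the 72-hour, 50 KiB/s connection from 10.0.0.7 as `steady_beacon`, while the bursty host and the five-hour connection stay quiet. In practice the coefficient-of-variation check is what separates a beacon from legitimate steady traffic such as backups only once you whitelist known destinations, so the output is a triage queue rather than a verdict.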

This is why bulk data theft is so much rarer than simple compromises to mine bitcoin, pump out spam or encrypt everything and demand ransom. Getting in is easy. Getting out is hard.

Hacking from the back of beyond

You don’t need a good internet connection to hack. Most hacking isn’t real time anyway; you use robots and scripts to do the leg work because they are more precise than humans. If the robots you send in to do the job are well coded then they won’t forget things when they’re tired and they won’t get caught.

This means that you can hack a target over the crappiest network connections available. If you can get enough bandwidth through whatever series of relays and anonymisers you are using to your virtual machine on Amazon, then you can use that virtual machine to issue all the commands you want. It has great network connectivity. You just need to pass it some text and the occasional script file.

You probably need a lot more downstream bandwidth than upstream, because you need to comb through directory listings, the results of searches and filters, etc. This, however, is still all text and you can still functionally push it through a wet string. It should be pointed out that today’s satellite connections are more than up to the task of this sort of work.

The network connectivity needed for the recon portion of the exercise is orders of magnitude higher, but it also isn’t time sensitive. Data that’s exfiltrated can be stored and manipulated in the public cloud, to be slowly downloaded over crappy infrastructure at the attacker’s leisure.

All of the above should serve as a lesson – hopefully more of a reminder – for those who are defending. Good attackers try to hide in plain sight.

Network defence focused solely on keeping the bad guys out will fall to any remotely skilled crew. Proper defence is going to rely on catching them once they’ve managed to get past the outer defences, and on preventing them from extracting any data once they’re in. ®

We will be posting part two of this blog on The Reg tomorrow morning.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/network_defense_attack_learn_basics/

Homebrew crypto in Telegram hangout app full of holes, say security pros

Security experts have poured scorn on claims by developers of the Telegram messaging app – said to be popular amongst the cadres of the so-called Islamic State – that it’s more secure than its rivals.

Telegram, which claims to be “way more secure” than WhatsApp, uses the MTProto protocol developed by the app’s creators, Russian brothers Pavel and Nikolai Durov. The service, which boasts 60 million users, provides Snapchat-style self-destruct timers for encrypted messages. Mobile and desktop versions are available.

However, security researchers reckon the secret chat app is problematic and almost definitely insecure.

“Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout,” OpSec expert The Grugq concludes in a damning assessment of the technology. “I couldn’t possibly think of a worse combination for a safe messenger.”

The home-brew crypto was also heavily criticised by computer science professor Matthew Green. “The UX is nice. The crypto is like being stabbed in the eye with a fork,” he said as part of a discussion on Twitter about the Telegram app.

Offering end-to-end encryption is widely seen by computer scientists as necessary for privacy in the post-Snowden era. WhatsApp (on Android, for now), Apple’s iMessage and various commercial messaging apps offer end-to-end encryption.

But of the messaging options available through Telegram – Messages, Group Chats, Channels and Secret Chats – only Secret Chats offers end-to-end encryption, Christopher Soghoian, a principal technologist at the ACLU, stated in an update to his personal Twitter account.

Telegram’s technical FAQ confirms this, stating that “Telegram has two modes of communication — ordinary chats using client-server encryption and Secret Chats using end-to-end encryption”.

The service is running a competition offering “$300,000 to the first person to break Telegram encryption”.

Criticism of the chat app’s architecture from some quarters leaves aside the separate question of software vulnerabilities. Previous problems hardly inspire confidence on that score, even before considering that a new vulnerability (seriousness currently unclear) is in the pipeline.

Block and tackle

Last week Telegram blocked some “public” ISIS-related channels. More specifically, Telegram shut down the “Nasir” and “Khalifa” channels, which between them boasted 16,000 members, among others. The tool has been used to spread propaganda by the terrorist group, forcing its developers to embark on what may become a whack-a-mole mission.

Telegram said it had “blocked 78 ISIS-related channels across 12 languages” via a statement only available in full to those who have installed the messaging app, as previously reported. It later said that it had blocked another 164 public channels used to spread terrorist propaganda in response to reports of abuse.

“Telegram channels are public broadcasts. They are the opposite of private chats. Please don’t mix the two,” said Pavel Durov in a Twitter update. “Our policy is simple: privacy is paramount. Public channels, however, have nothing to do with privacy. ISIS public channels will be blocked.”

The clampdown may not be entirely beneficial from the perspective of Western intel agencies, according to some observers. “‘Channels’ on Telegram aren’t encrypted. These were likely a valuable source of intel for govs,” Soghoian notes.

Pavel Durov founded VKontakte (VK), Russia’s answer to Facebook, before leaving the country rather than giving into law enforcement requests for access to discussions taking place on the site, the BBC reports. Telegram is based in Berlin. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/homebrew_crypto_in_telegram_app/

Shocker: Smut-viewing Android apps actually steal your data

A brace of supposed porn apps for Android actually push ransomware or steal personal data from mobile devices, cloud security firm Zscaler warns.

One strain of Android malware scares the user with a warning screen that falsely accuses them of watching images of child abuse.

After installing the app on a device, the user will see a video player icon which, once clicked, displays a fake US Cyber Emergency Response webpage. The malware then harvests SMS messages, contacts and email addresses.

The malware uploads this personal data to a command and control server run by crooks behind the scam. Fortunately the malicious app does not ask for administrative privileges to lock the device and is fairly easy to remove, Zscaler reports.

Zscaler has also identified a Chinese SMS trojan infostealer that comes disguised as grumble flick viewing app for Android. If installed the malware fools the victim by displaying random adult sites before stealing sensitive information which it sends in SMS messages to predetermined Chinese numbers in the background.

The cloud security firm identified both dodgy apps, the first of their type it has seen since a September sighting, during a recent research project. The tactic of disguising malicious wares as smutty apps goes back years, and the strategy behind the approach is all too easy to discern.

“Nearly a third of Internet traffic is in some way related to pornography and this is the primary reason why malware authors are using porn apps to infect large numbers of users,” Zscaler explains in an advisory note that’s yet to appear on its research blog.

“We are seeing an increasing number of adult themed Android malware apps using pornography to lure victims. To avoid being a victim of such malware, it is always best to download apps only from trusted app stores, such as Google Play,” it adds. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/23/smut_viewer_actually_android_malware/

We Need A New Word For Cyber

It’s time to find an alternative for ‘cyber’ (an adjective or noun) before the term, like ‘google’, becomes a verb.

One of the hits of Black Hat 2015 in Las Vegas was a T-shirt featuring a growling Sam Jackson from one of Pulp Fiction’s more memorable scenes. Pointing his oversized handgun downrange, Jackson’s character threatens, “Say Cyber One More Time…” There was at least one word at the end that added even more emphasis, but the message was clear. Some clever designer captured what many security folks at the conference quietly thought: the word “cyber” has become so overused it is nearly meaningless. The term “cyber” has risen to the level of “information superhighway” or “web 2.0” and is clearly a target for ridicule. At the same time, others, mostly .gov and .mil guys, still use it in a forceful and matter-of-fact way.

Coming off the annual Cybersecurity Month in October and having the opportunity to recently speak at CyberMaryland, I’m all “cyber’ed” out. At least I’m painfully aware when it’s used in casual conversation, and I even wince when I use the term “cybersecurity” to describe what I do to the vast unwashed masses. What’s becoming increasingly obvious is that we need a new word for cyber. I want to actively debate this and find an alternative before “cyber” (an adjective or noun) becomes a verb, as Google is to “googling” something. I never want to hear that a client was “cyber’ed” by a nation-state threat, or that someone “cyberfied” their network to make it more resilient to attack. That bleak prospect is so gravely serious that we need to put tongue firmly in cheek and start talking….

As Alcoholics Anonymous and other recovery groups state, admitting you have a problem is the first step towards recovery. Yes, we have a problem. I’ve known this for some time. This fact was driven home to me earlier in the year when a non-security guy stated emphatically, “John, you know it’s not just about cyber, right? It’s about cyber, big data, and cloud?” My initial response was to suggest he add mobile and DevOps, then he would have every buzzword in IT covered. But after my first, and possibly snarkier, response trailed off, I thought serious discourse about the use of the word “cyber” was needed.

By background, I’ve been a security guy for nearly 20 years. That’s how I self-identify, and that’s how people know me. Like Johnny Appleseed, I dispense solicited advice at cocktail parties, family reunions, and at my daughter’s soccer game. I answer questions that range from smartphone security, to when to update one’s Windows box, to how best to select hard-to-crack passwords. So I’m on the frontline, like all of us who read Dark Reading. It’s in our best interest to have a better term before someone finds a worse term to describe our industry and what we do. To that end, I would humbly submit the following observations and suggestions for further discussion.

Let .gov and .mil guys keep “cyber”
They are comfortable with the term, they use it in conversation without wincing, and would likely be a willing adoptive parent. There is the practical matter that there are so many instances where the term is baked into government code, into signage, into doctrine that a simple name change would cost taxpayers billions. In the military, the term “cyber” has been adopted to mean all things that don’t blow up bad guys. Fighter pilots, infantry officers, and naval officers may not understand what it is, but they do know it might prevent them from getting shot at. One request though: stop using the term cyber warfighter. As an ex-Air Force Information Warfare Center alumnus, I’ve never been quite comfortable with the term. Those same folks who have actually been shot at might not be able to stomach it, and you might get your nose punched by a Navy SEAL in a bar while talking about how you DDoS’ed someone.

Don’t reuse stale terms!
If cyber does a poor job describing what we do, certainly older, well-trodden names are no better. Information security, or InfoSec for short, is seemingly hopelessly stuck in the 90s. It might have worked then, when the scope was purely about the security of information, but not now. Related terms, like information protection and network security, are similarly dated and also too narrow in scope.

The least worst current option: cybersecurity
An acceptable compromise, and one that seems to strike a happy medium, is the term many use to date, “cybersecurity.” Don’t worry about whether it’s one word, two, or hyphenated; it has the word “cyber” in it for the Feds, and “security” in it for most of the commercial types. You can say cybersecurity in a mixed audience and not get groans or a rolling of the eyes from the more grizzled security veterans. As a stopgap measure, cybersecurity works.

In a perfect world: just security
Here’s where I’ve arrived. I call it “security;” no need to further describe or elaborate. I self-identify as a “security guy.” I help clients with security services and products. Given the constant stream of front-page stories, I find security (read: cybersecurity) so mainstream that I don’t have to clarify, or distinguish myself from our physical security brethren. No guns, gates, or guards for me, and no, I’m not a mall cop. So I’m a security professional, providing security services that keep clients out of the news.

No matter what we end up calling it, we need to make sure that those who live and breathe security are the ones who dictate the term that is used. The art of what we do as IT security professionals has evolved into a sophisticated and critical part of everyday culture, not just business. We need to own what we do and come up with a term we can be proud to associate with our work, not one that makes us cringe every time we hear it.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As …

Article source: http://www.darkreading.com/attacks-breaches/we-need-a-new-word-for-cyber/a/d-id/1323278?_mc=RSS_DR_EDT

BadBIOS, BadBarcode, and…bad OS X? 60 Second Security

Got a minute to spare?

Watch this week’s 60 Second Security



In this episode:

• [0’05”] BadBIOS is back – this time on your TV
• [0’23”] Forget BadBIOS, here comes BadBarcode
• [0’43”] Google VirusTotal now does OS X malware

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Zk6chFjYPt0/