STE WILLIAMS

Russia ‘targeted 21 states’ during US election campaign, says official

Jun 23

During the recent US Senate Intelligence Committee hearings on Russian interference in US elections Jeannette Manfra, the acting deputy under-secretary for cybersecurity and communications, provided the soundbite of the day:

As of right now we have evidence of election related systems in 21 states that were targeted.

What neither Manfra nor others testifying would share, in open session at least, was how the Russians targeted the election systems, nor how successful they were. She did, however, concede that there is no evidence that any attempt was made to penetrate state voting systems and alter results. In her opinion, the decentralized nature of the US elections would make it “virtually impossible” to do so without being detected.

The senators were not pleased with the reluctance of Manfra and others to reveal additional details – the who, what, where, why, and how of the targeting – beyond the declaration that the activity was owned by Russia. So we are left to pull back the covers ourselves.

We turn to the unauthorized leak of the top secret NSA analysis on the Russian General Staff Main Intelligence Directorate (GRU) and their activities targeting the US election. The existence of this report became known when Reality Winner provided it to The Intercept. The NSA analysis, taken at face value, called out how the Russians “targeted US election via phishing attacks”.

Now to be clear, the information in the analysis was not especially noteworthy from a technological standpoint. What is interesting is the finding on how the information gathered at each stage was used cumulatively to move on to the next target. The analytic document contained a redacted image that outlined the spear-phishing campaign and made clear which information was known and which was being deduced.

[Image: spear-phishing diagram from the NSA analysis]

The analysis indicates a phish email that was sent from [email protected] to 122 separate recipients, all associated with local government organizations, across up to 21 states. Last year, both Illinois and Arizona were told that their election offices or employees had been affected by a Russian effort.

The Arizona incident, in August 2016, at first seemed to be inconsequential. As the Washington Post reported at the time, Arizona’s secretary of state, Michele Reagan, shut down the voter registration system for nearly a week following a call from the FBI that a “credible” threat existed. It turned out that no compromise of the state’s systems had occurred, nor that of any Arizona county. A single election official in Gila County, Arizona, had had their username and password compromised when “a worker may have inadvertently downloaded a virus”. However, the username/password combination would only have provided access to the Gila County voting registration system.

The Illinois incident in July 2016, however, was more substantive. Thomas Kyle, director of voting and registration systems for the Illinois State Board of Elections, sent an email to all state election officials acknowledging that the breach had occurred on July 12 2016. Subsequently we learned the voter registration information for a “small percentage” of voters had indeed been accessed, but not altered or deleted.

Then, in August 2016, the FBI published an FBI Flash Alert, Targeting Activity Against State Board of Election Systems. The similarity between the FBI Flash Alert and the Illinois email? They both described how the actors could inject SQL database queries into the states’ systems. Given the timing of the outreach by the FBI, the incidents in both states appear to be consistent with the “targeting” that both Manfra and the NSA describe in their analysis.

Add to this the contemporaneous activities that were going on at the Democratic National Committee, whose dirty laundry was put on show by the Fancy Bear hacker group, and it seems clear that the Russians were busy in the summer of 2016. Interestingly, we learned from homeland security secretary Jeh Johnson, during a separate hearing, that the DNC had turned away both the FBI and Homeland Security, instead relying on a private company to get to the bottom of who had ravaged their systems.

Despite all this, we would expect Russian president Vladimir Putin to deny that any Russian hand was involved. And yes, he did not disappoint.

Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.

Whether it is acknowledged or not, what the Russians have demonstrated is that their active campaign to sow doubt and uncertainty in the US election (and those of other nations) has been successful. And one thing’s for sure: this is not the last we’ve heard about Russian meddling in the US election process, and if predictions are correct, it isn’t the last we’ve seen of their meddling either.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ic-puya9_Zs/


News in brief: drone chiefs urge regulation; Microsoft drops SMB1; Virgin router warning

Jun 23

Your daily round-up of some of the other stories in the news

Drone chiefs call for regulations

Drone industry chiefs were due to meet President Trump at the White House this week – and were expected to call for more regulation.

The meetings, which were due to start on Thursday, are to focus on regulations for emerging technologies including 5G, artificial intelligence and drones. They include executives from organisations including AT&T, drone-maker PrecisionHawk and venture capital firms.

Michael Chasen, chief executive of PrecisionHawk, told Recode that “the drone industry is one of the few industries where we need more regulations, not less”. That’s because the FAA hasn’t yet produced rules that would make it legal to carry out commercial activities such as delivering packages.

Greg McNeal of mapping software company AirMap told Recode: “We asked why autonomous cars weighing 3,500lb can drive next to hundreds of pedestrians, but a 3lb drone can’t fly over people. The FAA follows a legacy approach to regulating aviation that requires everyone to ask for permission.”

Microsoft to retire SMB1

The next version of Windows will not include SMB1, the protocol that facilitated the spread of the WannaCry ransomware outbreak in May.

The change is already rolling out to members of Microsoft’s Windows Insider programme – the shift will feature in Build 16226 of Windows 10.

In a Windows Insider blogpost, Dona Sarker said: “As part of a multi-year security plan, we are removing the SMB1 networking protocol from Windows by default. This build has this change, however the change only affects clean installations of Windows, not upgrades.”

Microsoft has been urging users to ditch that protocol since before the WannaCry outbreak: Ned Pyle said, loud and clear, back in September last year that “SMB1 isn’t safe”.

He added in his Technet post: “The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.”

For users who aren’t early-adopter nerds on the Windows Insider programme, the change will come when the Redstone 3 – or Fall Creators’ Update – rolls out.
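Because the removal only applies to clean installs, an upgraded machine can still have SMB1 enabled. The following is an added example, not code from the article or from Microsoft, showing how a defender can check a Windows 10 / Server 2016 host, find which peers still negotiate SMB1, enable Microsoft’s SMB1 access auditing, and then turn the protocol off. It assumes an elevated session with the built-in SmbShare and DISM cmdlets; the function names are the example’s own.

```powershell
# Added example: audit and retire SMB1 on a host that was upgraded rather than
# clean-installed. Run in an elevated PowerShell session.

function Get-Smb1Status {
    # Optional-feature state covers both the SMB1 client and server components;
    # EnableSMB1Protocol is the server-side switch the lanmanserver service honours.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState     = $feature.State              # Enabled / Disabled
        ServerSmb1       = $server.EnableSMB1Protocol  # $true: this host still answers SMB1
        Smb1AuditEnabled = $server.AuditSmb1Access     # $true: SMB1 clients are being logged
    }
}

function Get-Smb1Users {
    # Inbound sessions (this host acting as server) and outbound connections
    # (this host acting as client) that negotiated an SMB1 dialect.
    # These are the peers that will break when SMB1 is removed, so fix them first.
    $inbound  = Get-SmbSession    -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $outbound = Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    [pscustomobject]@{
        InboundClients  = @($inbound  | Select-Object -ExpandProperty ClientComputerName -Unique)
        OutboundServers = @($outbound | Select-Object -ExpandProperty ServerName -Unique)
    }
}

function Enable-Smb1Audit {
    # Once auditing is on, every SMB1 client is recorded as event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log; leave it running for a few weeks
    # to catch infrequent users (month-end jobs, old printers, NAS boxes).
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1AuditEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Stop answering SMB1 immediately, then remove the feature (takes effect after reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Typical order: inspect, audit for a while, fix the stragglers, then disable.
Get-Smb1Status
Get-Smb1Users
```

Call Disable-Smb1 only after Get-Smb1Users and Get-Smb1AuditEvents come back empty for long enough to cover your infrequent jobs; the assumption is that anything still negotiating SMB1 is something you would rather fix than silently break.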

Virgin customers warned on routers

Are you a Virgin Media customer in the UK with the Super Hub 2 router? If so, you’re among the 800,000 or so users who probably need to change both the Wi-Fi password and the password to access the router’s configuration pages.

The warning came after research by the consumer association Which? found that the router model’s default passwords were insecure: the Wi-Fi password is easily cracked, according to Which?, and once on the network, the default admin password is the same for all devices.

Which? criticised a number of devices that Naked Security has flagged up in the past, including the CloudPets teddy whose user accounts had been breached, and insecure IoT security cameras.

Virgin said it was offering affected customers the option to upgrade to a newer router – the Super Hub 3 – and added: “The security of our network and of our customers is of paramount importance to us.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1uLI5moX7l8/


Virgin Media router security flap follows weak password expose

Jun 23

Virgin Media has urged 800,000 customers to change their passwords to guard against a possible hacking attack.

The move follows an investigation by consumer magazine Which? that discovered hackers could access the UK cableco’s Super Hub 2 router, allowing access to IoT devices connected through the same home network. The issue stems from shortcomings in the default password Virgin Media prints on its routers rather than from a recently discovered security vulnerability in the routers it supplies.

Virgin Media’s stickered default router password is constrained to certain characters, lowering password entropy and making it easier for hackers to mount successful brute-force attacks.

“It appears to be that the default Wi-fi PSK is too short. 8 char a-z. Not exactly a new story though,” Pen Test Partners’ Ken Munro told El Reg. “[It] seems unfair for Which to finger just Virgin, as most ISPs have had weak default PSKs at some point,” he added.

Virgin Media pointed El Reg towards a customer forum post on the issue, adding: “I can reassure you the threat to our security is minimal”.

David Emm, principal security researcher, Kaspersky Lab, said: “Cybercriminals routinely make use of vulnerabilities, and the case of Virgin Media’s Super Hub 2 router highlights the fact that there are more connected devices than ever before, and therefore, more potential vulnerable devices that can be compromised.”

The issue highlights wider concerns about consumer router security, which has been a problem for years – long before the rise of the infamous Mirai botnet late last year prompted more ISPs to sit up and finally take notice. Mirai spread thanks to a mixture of open ports and weak default passwords. In some cases, simply changing passwords wasn’t enough and a firmware update would be needed.

Matthias Maier, security evangelist at Splunk, said: “Organisations that provide internet connected devices to consumers need to think carefully about how they will overcome the security challenge that will inevitably come with the devices they produce. Suppliers need to think about the responsibility they have for owning the maintenance of a device for its full lifecycle. They need to introduce monitoring for flaws and ensure over-the-air (OTA) updates are available so that their customers are better protected.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/virgin_media_router_security_flap/


Talking Cyber-Risk with Executives

Jun 23


Explaining risk can be difficult since CISOs and execs don’t speak the same language. The key is to tailor your message for the audience.

On March 7, a bipartisan bill was introduced to the Senate called the Cybersecurity Disclosure Act of 2017. The bill’s purpose is to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.” It adds Securities and Exchange Commission (SEC) requirements for public companies to disclose what cybersecurity expertise is present within the board of directors.

If no expertise is present, then the company must disclose in its SEC report “what other cybersecurity steps” are being done by the board nominating committee. Whether this bill succeeds in becoming law or not, it is a shot across the bow to executives.

With all this going on, it’s likely that boards and executive leadership are going to be buttonholing their CISOs into cyber-risk conversations. Just a few years ago, security professionals struggled for executive interest (let alone support), but now we are in the hot seat for answers. And what a hot seat it is! A recent survey from Osterman Research reveals that 66% of fired IT professionals were terminated for reasons of security or compliance failures. That’s why we need to make sure leadership understands the relevant security issues and how to help mitigate them.

Explaining risk can be difficult since CISOs and execs don’t speak the same language. You need to tailor your message for your audience. We’ve talked about using operational risk to frame the conversation, but there is value in a straight-forward approach as well.

To do this, you focus on the top cyber risks and provide just the information the board needs to know. A good place to start is the state of company culture regarding security. You can produce metrics on alignment to desired security policy with numbers around security awareness training attendance, patching completeness, audit findings, vulnerabilities, incident counts, and backup coverage. You can even make a nice radar chart to show the percentages and quickly make the deficiencies apparent.

[Image: radar chart of security programme metrics; source: F5]

Beyond the overall status of the program, you need to explain cyber-risk. Keep it simple and remember this important nuance: many ordinary people don’t realize that risk has two components: likelihood and impact. For example, some people tend to react to catastrophic impacts (What are we doing about Pottsylvanian hacker-spies?) that are rare while overlooking more likely risks like ransomware.

It shouldn’t be hard for you to find likelihood data. In addition to industry statistics and open source threat intelligence, you can gather information internally. Sources can include the data used to create the radar chart above as well as firewall, intrusion detection, web and mail system logs.

Impacts are easier to talk about, but you need to explain the real potential impacts to your business. Talk in terms of tangible and intangible losses that resonate with them, including:

Tangible costs:

  • Breach disclosure costs (PII record count x disclosure cost/record)
  • Customer SLA fines
  • Revenue loss during system downtime and recovery
  • Compliance and audit fines
  • Potential litigation and fines down the road
  • Incident response costs, including internal resources (OpEx), third party breach experts, required remediation controls, and effectiveness testing

Intangible costs:

  • Impact to brand (the business puts a value to this—usually found as an asset line item in your financial books)
  • Current and future customer perception and loss
  • Loss of business value in acquisition discussions
  • Competitive advantage loss
  • The board’s personal reputation and/or job

When presenting likelihood and impact, stick to the simplified High/Med/Low model. Everyone is aware that there are more layers, and most execs would understand a more complex model, but their time is limited. In matters where the risk is high, they will probably press for details.

Lastly, you should never present a problem without a solution. Make sure you have a solid mitigation plan (with proposed budget numbers) to resolve anything rated high risk. Executives will also want clear lines of responsibility. They’ll want to know who’s responsible for remediation, and who is paying. The chances are the board has already dealt with high-risk non-cybersecurity scenarios before. If you’ve done your job well in explaining, you can sit back and watch them decide. As you are the cybersecurity expert, you should still be prepared to give them guidance or validation.

This might seem like a lot of work but for effective CISOs, it is routine. Risk assessments and reporting with the board should be happening annually, at least. As cyber-risk is better understood and managed, you might need only to present updates if something significant or material happened. This is the ideal position—not only does it mean everyone is sleeping at night, it means the board trusts you.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/talking-cyber-risk-with-executives/a/d-id/1329161?_mc=RSS_DR_EDT

Talking Cyber-Risk with Executives

Jun
23

What’s This?

Explaining risk can be difficult since CISOs and execs don’t speak the same language. The key is to tailor your message for the audience.

On March 7, a bipartisan bill was introduced to the Senate called the Cybersecurity Disclosure Act of 2017. The bill’s purpose is to “promote transparency in the oversight of cybersecurity risks at publicly traded companies.” It adds Securities and Exchange Commission (SEC) requirements for public companies to disclose what cybersecurity expertise is present within the board of directors.

If no expertise is present, then the company must disclose in its SEC report “what other cybersecurity steps” are being done by the board nominating committee. Whether this bill succeeds in becoming law or not, it is a shot across the bow to executives.

With all this going on, it’s likely that boards and executive leadership are going to be buttonholing their CISOs into cyber-risk conversations. Just a few years ago, security professionals struggled for executive interest (let alone support), but now we are in the hot seat for answers. And what a hot seat it is! A recent survey from Osterman Research reveals that 66% of fired IT professionals were terminated for reasons of security or compliance failures. That’s why we need to make sure leadership understands the relevant security issues and how to help mitigate them.

Explaining risk can be difficult since CISOs and execs don’t speak the same language. You need to tailor your message for your audience. We’ve talked about using operational risk to frame the conversation, but there is value in a straight-forward approach as well.

To do this, you focus on the top cyber risks and provide just the information the board needs to know. A good place to start is the state of company culture regarding security. You can produce metrics on alignment to desired security policy with numbers around security awareness training attendance, patching completeness, audit findings, vulnerabilities, incident counts, and backup coverage. You can even make a nice radar chart to show the percentages and quickly make the deficiencies apparent.

Image Source: f5

Beyond the overall status of the program, you need to explain cyber-risk. Keep it simple and remember this important nuance: many ordinary people don’t realize that risk has two components: likelihood and impact. For example, some people tend to react to catastrophic impacts (What are we doing about Pottsylvanian hacker-spies?) that are rare while overlooking more likely risks like ransomware.

It shouldn’t be hard for you find likelihood data. In addition to industry statistics and open source threat intelligence, you can gather information internally. Sources can include data used to create the radar chart above as well as firewall, intrusion detection, web and mail system logs.

Impacts are easier to talk about, but you need to explain the real potential impacts to your business. Talk in terms of tangible and intangible losses that resonate with them, including:

Tangible costs:

  • Breach disclosure costs (PII record count x disclosure cost/record)
  • Customer SLA fines
  • Revenue loss during system downtime and recovery
  • Compliance and audit fines
  • Potential litigation and fines down the road
  • Incident response costs, including internal resources (OpEx), third party breach experts, required remediation controls, and effectiveness testing

Intangible costs:

  • Impact to brand (the business puts a value to this—usually found as an asset line item in your financial books)
  • Current and future customer perception and loss
  • Loss of business value in acquisition discussions
  • Competitive advantage loss
  • The board’s personal reputation and/or job

When presenting likelihood and impact, stick to the simplified High/Med/Low model. Everyone is aware that there are more layers, and most execs would understand a more complex model, but their time is limited. In matters where the risk is high, they will probably press for details.

Lastly, you should never present a problem without a solution. Make sure you have a solid mitigation plan (with proposed budget numbers) to resolve anything rated high risk. Executives will also want clear lines of responsibility: who is responsible for remediation, and who is paying. The board has most likely dealt with high-risk non-cybersecurity scenarios before. If you’ve done your job well in explaining, you can sit back and watch them decide. As the cybersecurity expert, you should still be prepared to give them guidance or validation.
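As an added example (not code from the article or from F5), the following Python sketch turns the advice above into a minimal board-level risk register: each risk carries a likelihood and an impact on the High/Med/Low scale, the register rates them on a 3x3 matrix, estimates the tangible cost with the loss categories listed above (PII record count x disclosure cost per record, downtime x hourly revenue, fines, response costs), and flags every High-rated risk as needing a funded mitigation plan and a named owner. The rating thresholds, cost figures and sample risks are constructed assumptions, not figures from the article.

```python
"""Added example (not from the article): a minimal board-level risk register.

Likelihood and impact are given on the article's High/Med/Low scale, rated on a
3x3 matrix, and the tangible cost is the sum of the loss categories the article
lists.  All figures below are constructed sample inputs.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Med": 2, "High": 3}


@dataclass
class Risk:
    name: str
    likelihood: str             # "Low" | "Med" | "High"
    impact: str                 # "Low" | "Med" | "High"
    pii_records: int = 0        # records exposed if the scenario plays out
    downtime_hours: float = 0.0
    fines: float = 0.0          # SLA, compliance and regulatory fines
    response_cost: float = 0.0  # internal OpEx + third-party IR + remediation
    owner: str = ""             # who is responsible for remediation


def rate(likelihood: str, impact: str) -> str:
    """Collapse a likelihood/impact pair to the simplified High/Med/Low rating.

    Product of the ordinal values (assumed thresholds): 1-2 -> Low,
    3-4 -> Med, 6-9 -> High.  A rare-but-catastrophic risk (Low x High = 3)
    therefore lands at Med, while a likely-and-severe one such as ransomware
    (Med x High = 6) is High, which is the article's point.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Med"
    return "Low"


def tangible_cost(risk: Risk, cost_per_record: float, revenue_per_hour: float) -> float:
    """Sum the tangible loss categories the article lists for one scenario."""
    disclosure = risk.pii_records * cost_per_record
    downtime = risk.downtime_hours * revenue_per_hour
    return disclosure + downtime + risk.fines + risk.response_cost


def build_register(risks, cost_per_record, revenue_per_hour):
    """Rows sorted High first (then by cost), each saying whether a plan is due."""
    rows = []
    for r in risks:
        rating = rate(r.likelihood, r.impact)
        rows.append({
            "name": r.name,
            "rating": rating,
            "tangible_cost": tangible_cost(r, cost_per_record, revenue_per_hour),
            "needs_plan": rating == "High",
            "owner": r.owner or "UNASSIGNED",  # the board will ask who owns it
        })
    rows.sort(key=lambda row: (-LEVELS[row["rating"]], -row["tangible_cost"]))
    return rows


# Constructed sample register (hypothetical scenarios and figures).
SAMPLE_RISKS = [
    Risk("Ransomware via phishing", "High", "High",
         downtime_hours=72, response_cost=250_000, owner="IT Ops"),
    Risk("Customer DB breach (unpatched web app)", "Med", "High",
         pii_records=500_000, fines=1_000_000, response_cost=400_000, owner="AppSec"),
    Risk("Nation-state espionage", "Low", "High", response_cost=600_000),
    Risk("Lost unencrypted laptop", "Med", "Low",
         pii_records=2_000, response_cost=20_000, owner="Endpoint"),
]


def sample_register():
    # Assumed: $150 per exposed record, $10k of revenue per hour of downtime.
    return build_register(SAMPLE_RISKS, cost_per_record=150, revenue_per_hour=10_000)


if __name__ == "__main__":
    for row in sample_register():
        print(f'{row["rating"]:4} ${row["tangible_cost"]:>12,.0f} '
              f'{"PLAN NEEDED" if row["needs_plan"] else "":11} '
              f'{row["owner"]:10} {row["name"]}')
```

With the sample inputs the web-app breach sorts to the top (High, $76.4M) ahead of ransomware (High, $970k), while the espionage scenario rates Med and shows up as UNASSIGNED, which is exactly the kind of gap a board will ask about.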

This might seem like a lot of work, but for effective CISOs it is routine. Risk assessments and reporting to the board should happen at least annually. As cyber-risk becomes better understood and managed, you might only need to present updates when something significant or material happens. This is the ideal position: not only does it mean everyone is sleeping at night, it means the board trusts you.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/talking-cyber-risk-with-executives/a/d-id/1329161?_mc=RSS_DR_EDT

Threat Intelligence Sharing: The New Normal?

Jun
23
The spirit of cooperation seems to be taking hold as demonstrated by the growing number of thriving services and organizations whose sole purpose is to analyze specific threats against specific communities.

“When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle” – Edmund Burke.

This quote from Edmund Burke’s Thoughts on the Cause of the Present Discontents was meant as a political statement in 18th century England, when the Whigs and Tories were dominant. More than two centuries later, it is an appropriate call to action for those of us in the cybersecurity industry to collaborate and share.

The kind of sharing I mean is when you give the IT security community information about the attacks you’re seeing against your own organization. When you do that, that data becomes useful to everyone as threat intelligence.

Gartner describes threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In other words, threat intelligence is the stuff that informs the good guys about how the bad guys operate. It helps the IT security community learn how the hackers operate, and how they might attack a given organization. 

If all an organization knows about their adversary is what it has learned from its own experience, the organization will remain on the defensive. But if attack data from the collective experience of thousands of companies, associations, industries and governments is collected and aggregated, that creates a far richer tapestry, and allows companies to prepare for attacks in such a way as to anticipate and prevent them, rather than discover and react.

When you get your hands on the opposition’s game plan — the hacker’s playbook — it gives you an advantage. You can test your defenses and shore up weaknesses and you can take steps to disrupt the kill chain the hacker must follow to get to his or her objective. Such capabilities are only possible when threats, attack methods and industry-specific targets most likely to put your organization at risk are known.

The spirit of cooperation and sharing is what makes that possible and the reason why threat intelligence services and threat sharing are becoming vital to IT security. Using threat intelligence feeds to constantly inform a dynamic data protection strategy continuously tests the strength of your cybersecurity and challenges convention. The result: your organization gets up on its toes and the hackers are put back on their heels. That is a big advantage.
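The two halves of that exchange, as an added example that is not code from the article or from SafeBreach: share() pulls indicators (sender domain, URL host, attachment hash) out of your own mail-gateway alerts so they can be contributed to a feed without leaking internal recipient addresses, and match() checks a feed contributed by others against your local proxy and mail logs so an attack seen elsewhere is caught here before it succeeds. The log lines, the peer feed and every indicator in it are constructed for the example; the key=value log format is an assumption, not any particular product’s.

```python
"""Added example (not from the article): contributing indicators to a shared
feed, and matching a peer's shared feed against local logs.

All log lines, feed entries and indicators below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed mail-gateway alerts (key=value style assumed for the example).
LOCAL_MAIL_ALERTS = [
    "2017-06-23T08:14:02Z verdict=phish from=invoice@mail-billing-portal.example "
    "to=cfo@corp.example url=http://mail-billing-portal.example/login/verify.php "
    "sha256=" + "a1" * 32,
    "2017-06-23T09:02:41Z verdict=phish from=hr@corp-benefits-update.example "
    "to=jane@corp.example url=https://corp-benefits-update.example/docs "
    "sha256=" + "b2" * 32,
]

# Constructed feed contributed by a peer organisation.
PEER_FEED = [
    "type=domain value=corp-benefits-update.example source=peer-isao",
    "type=sha256 value=" + "c3" * 32 + " source=peer-isao",
    "type=domain value=evil-login.example source=peer-isao",
]

# Constructed local web-proxy log.
LOCAL_PROXY_LOG = [
    "2017-06-23T09:05:10Z src=10.1.4.22 dst=corp-benefits-update.example path=/docs status=200",
    "2017-06-23T09:06:55Z src=10.1.4.23 dst=www.example.org path=/ status=200",
    "2017-06-23T11:20:00Z src=10.1.9.7 dst=evil-login.example path=/auth status=200",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' (timestamps) are skipped."""
    return dict(KV.findall(line))


def share(alerts):
    """Indicators worth contributing, with internal data (the 'to' field) left out.

    Only alerts the gateway already judged as phish are shared, so benign
    correspondents' domains never leave the organisation.
    """
    out = set()
    for a in alerts:
        f = parse_kv(a)
        if f.get("verdict") != "phish":
            continue
        out.add(("domain", f["from"].split("@", 1)[1]))
        out.add(("domain", urlparse(f["url"]).hostname))
        out.add(("sha256", f["sha256"].lower()))
    return sorted(out)


def load_feed(lines):
    """Parse a feed into a set of (type, value) pairs for O(1) lookups."""
    feed = set()
    for line in lines:
        f = parse_kv(line)
        feed.add((f["type"], f["value"].lower()))
    return feed


def match(feed, proxy_log, mail_alerts):
    """Local events touching a shared indicator, as (indicator, source_line)."""
    hits = []
    for line in proxy_log:
        f = parse_kv(line)
        if ("domain", f["dst"]) in feed:
            hits.append((f["dst"], line))
    for line in mail_alerts:
        f = parse_kv(line)
        host = urlparse(f["url"]).hostname
        if ("sha256", f["sha256"].lower()) in feed:
            hits.append((f["sha256"], line))
        elif ("domain", host) in feed:
            hits.append((host, line))
    return hits


if __name__ == "__main__":
    print("indicators to contribute:")
    for kind, value in share(LOCAL_MAIL_ALERTS):
        print(f"  {kind}: {value}")
    print("local hits against the peer feed:")
    for indicator, line in match(load_feed(PEER_FEED), LOCAL_PROXY_LOG, LOCAL_MAIL_ALERTS):
        print(f"  {indicator}: {line}")
```

Note that the second phishing domain appears in both directions: it was already in the peer feed, so the proxy hit at 09:05 shows a user reached it, and the local gateway alert three minutes earlier is the evidence this organisation would contribute back. Real feeds add handling markings (for example TLP) and expiry to each indicator; this sketch leaves those out.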

Share and Share Alike
The spirit of cooperation seems to be taking hold. Not only are threat intelligence services thriving, but there are now organizations that exist for the sole purpose of analyzing the threats facing specific communities.

VirusTotal is one of the longest-running collaborative platforms, enabling security users and vendors alike to upload files and see which participating engines detect them as malicious. By changing its business model, VirusTotal now ensures that security vendors taking advantage of its data are also contributing detection data to it.

At a national level, CyberUSA is a nonprofit aiming to foster American leadership in cybersecurity by shaping education, innovation and policy at both the state and federal levels. Launching with seven charter members from California, Colorado, Louisiana, Maryland, Massachusetts, South Carolina and Texas, CyberUSA hopes to extend the value of shared intelligence to businesses that might not have resources on their own.

There’s also ample evidence of collaboration in the private sector. For example, the National Credit Union Information Sharing and Analysis Organization (NCU-ISAO) was recently founded to collect, analyze and disseminate threat intelligence on attacks targeting credit unions. NCU-ISAO is the first operational and threat intelligence sharing organization dedicated wholly to credit unions, NCU-ISAO executive director Gene Fredriksen told Credit Union Times, noting the group’s support for “innovative, member-driven initiatives around benchmarking, process improvement, and regulatory strategies.” It is the latest addition to the Information Sharing and Analysis Organization (ISAO) model, which also covers other industry-focused threat intel sharing operations.

Each day millions of security events hammer away at the defenses of U.S. companies. Individual organizations in high-risk sectors such as financial services, high tech, or government may endure hundreds of thousands of attacks. While the volume and persistence may be frustrating, each attack results in a greater understanding of the adversary — but only when it is shared and added to threat intelligence feeds, hacker playbooks and breach simulations.

When bad men combine, the good must associate. Together, we’re moving in the right direction.  

Black Hat USA returns to the Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017.


Danelle is vice president of strategy at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for …

Article source: https://www.darkreading.com/threat-intelligence/threat-intelligence-sharing-the-new-normal/a/d-id/1329189?_mc=RSS_DR_EDT
