STE WILLIAMS

NSA Announces Four New Schools For Cyber Initiative

Four new schools have been selected for the National Security Agency’s National Centers of Academic Excellence in Cyber Operations Program, which was designed to cultivate more U.S. cyber professionals in an ever-changing global environment.

After a rigorous application and screening process, NSA selected the following schools to receive the CAE-Cyber Operations designation for the 2013-2014 academic year:

• Air Force Institute of Technology in Ohio;
• Auburn University, Alabama;
• Carnegie Mellon University, Pennsylvania; and
• Mississippi State University.

The program, which now has a total of eight schools, complements more than 100 existing centers of academic excellence (CAEs) in research and information assurance education – jointly overseen by NSA and the Department of Homeland Security.

An outgrowth of the President’s National Initiative for Cybersecurity Education, the program identifies institutions that have a deeply technical, interdisciplinary curriculum centered on fields such as computer science and electrical engineering. The agency has long worked with schools to improve education in science, technology, engineering, and mathematics.

In addition, the program offers some participants opportunities to apply their learning or enhance their teaching in summer seminars at NSA. Participating students and faculty members do not engage in actual U.S. government intelligence activities.

Steven LaFountain, an NSA technical leader, said legal and ethical issues in cybersecurity are a required and critical part of the effort.

“In the application process and in all of its work with selected schools, NSA emphasizes the importance of integrity and compliance,” he said. “Cyber skills are increasingly important in national defense, but it’s even more important to operate as responsible citizens in the use of such skills.”

Topics covered are routinely taught in colleges and universities, but this initiative seamlessly integrates the material to help students better understand how they could someday help to defend the nation. Summer seminar participants must undergo background checks and obtain temporary, top-secret security clearances.

The schools chosen in 2012, the program’s first year, were Dakota State University, South Dakota; the Naval Postgraduate School, California; Northeastern University, Massachusetts; and the University of Tulsa, Oklahoma. Like the agency’s other CAEs, those in the cyber operations program are evaluated annually. Designations are for five years and schools across the country can compete to join each year.

Retired Lt. Gen. Ronald L. Burgess Jr., a former director of the U.S. Defense Intelligence Agency, now serves as Auburn University’s Senior Counsel for National Security Programs, Cyber Programs, and Military Affairs. The CAE-Cyber Operations project has real merit, he said.

“Auburn has devoted significant resources and interdisciplinary rigor across campus to expand new cyber initiatives and extensive collaboration with external organizations,” he said. “We are extremely pleased that NSA has recognized our efforts by selecting Auburn University” for the program. “It is important to the nation – and we want to be a part of the strategic way ahead and feel we can contribute to this national need.”

Details about NSA’s Centers of Academic Excellence are available online at www.nsa.gov/academia.

Article source: http://www.darkreading.com/management/nsa-announces-four-new-schools-for-cyber/240160819

Exodus Intelligence Teams With Syndis For Zero-Day Service Offering

AUSTIN, Texas, Sept. 4, 2013 /PRNewswire-iReach/ — LiveFire is the world’s first attack technology service to realistically replicate the threat facing today’s leading organizations through a unique partnership between Exodus’ Exploit Pack (EXP) service, and Syndis’ goal-oriented attack methodology.

“The penetration testing space today has become a race to the bottom where the industry players compete with each other on price and not quality or depth,” said Syndis CEO Rich Smith. “The sophistication level of the practitioners in the space varies widely and most offerings are more about compliance than security. These brittle assessments offer very limited, compartmentalized value and they are woefully inadequate when it comes to conveying the impact an organization would suffer were they to be targeted by a real-world sophisticated attack team.”

LiveFire more closely mimics both the techniques and capabilities employed by sophisticated threat actors. The tailoring of attack chains by Syndis to include the use of 0-day and N-day exploits contextualizes them to illustrate true impact to an organization and allows LiveFire to vigorously test the resilience and security posture of that organization. The application of the ever growing catalog of 0-day and N-day exploits found and produced by Exodus gives LiveFire a continual supply of fresh, high-impact exploits unlike any other offensive service available.

“There are a lot of excellent pen-testers out there,” said Exodus CTO Aaron Portnoy, “but the number of pen-test companies that can also do advanced vulnerability research and code a weaponized exploit in the volumes we do is zero. LiveFire allows us to provide the operators at Syndis with the resources they need in a timely manner and in a fashion that does not add time overheads or excessive cost to engagements.”

LiveFire allows both firms to tightly focus on what they do best, while providing customers with outstanding value not simply in a given engagement, but to the security of their IT enterprise overall. The results of a LiveFire assessment give C-level security leaders:

— The ability to better understand the impact that would arise from their organization being targeted by someone with access to 0-day/N-day exploits;

— The ability to independently and realistically validate the effectiveness of existing defenses that claim to detect or inhibit the use of 0-day exploits;

— The ability to test security architectures and courses of action created from the “assumption of breach” mindset;

— The most realistic dataset possible that includes real-world non-public exploits, allowing them to develop and customize detection and monitoring capabilities for attacker behavior rather than “signatures”;

— Support realistic kill-chain analysis and relative remediation priorities for a client trying to defend against a sophisticated adversary;

— The ability to be able to qualitatively assess the effort an adversary would have to go to in order to be able to circumvent the current defenses.

For additional information about LiveFire please contact [email protected].

About Exodus

Exodus Intelligence is comprised of a team of world-class security researchers dedicated to providing their customers with the latest exclusive information on emerging zero-day threats. With over 30 years of combined experience in the industry, along with their 150+ independent researchers, Exodus is able to determine, and report on critical threats facing technology today. For more information about Exodus please visit https://www.ExodusIntel.com or follow @ExodusIntel on Twitter.

About Syndis

Headquartered in Reykjavík, Iceland, with offices in New York and Copenhagen, Syndis is a research-focused center of expertise for cybersecurity in Iceland as well as the wider Nordic region. Specializing in the provision of offensive security based insights and solutions for the public and private sectors; Syndis’ investment in both internal R&D and academic partnerships ensures constant and bleeding edge innovation. For more information about Syndis please visit http://synd.is or follow @TheSyndis on Twitter.

Article source: http://www.darkreading.com/vulnerability/exodus-intelligence-teams-with-syndis-fo/240160842

Secunia Releases–Zero-Day, Android And Complete Patch Management In CSI 7.0

Copenhagen, September 4, 2013 – Secunia, a leading provider of IT security solutions that enable businesses and private individuals to manage and control vulnerability threats, today announced the release of the new version of the company’s flagship solution: the Secunia Corporate Software Inspector, version 7.0, which introduces new features and improvements for vulnerability and patch management to organizations worldwide.

Cybercrime costs organizations millions of dollars(1) and to protect businesses from the consequences of security breaches, vulnerability intelligence and patch management are basic necessities in the toolbox of any IT team, as emphasized by organizations like the SANS Institute(2) and the National Institute of Standards and Technology under the US Department of Commerce (NIST)(2).

The [Secunia CSI 7.0] is the Total Package: Vulnerability Intelligence, Vulnerability Scanning with Patch Creation and Patch Deployment Integration

To help IT teams counter the threat, vulnerability research company Secunia merges their in-house vulnerability expertise with a sophisticated patch management solution into the Secunia Corporate Software Inspector (CSI 7.0). The foundation of the Secunia CSI is a unique combination of vulnerability intelligence and vulnerability scanning, with patch creation and patch deployment integration. The Secunia CSI integrates with Microsoft WSUS and System Center 2012 and third-party configuration management tools for easy deployment of third-party updates, making patching a simple and straight-forward process for all IT departments.

To make the solution flexible and suited to the processes of organizations of all sizes the new version, the Secunia CSI 7.0, comes with these new and improved features:

Smart Groups 2.0: Create Smart Groups designed to prioritize remediation efforts by filtering and segmenting data based on hosts, products or impact, and to receive alerts when a threat is detected.

User Management: Create user accounts with different roles and permissions.

Patch Configuration: Get configurable patches out-of-the-box that can be easily customized to support your environment, for example to avoid desktop shortcuts or to disable auto-update for a program.

Web Console (SaaS): Log in to the Secunia CSI from an internet browser for instant access to your data and reports – anywhere, at any time.

Password Policy Configuration: Determine and enforce the global password policy for your organization to comply with internal and external policies, as well as to meet best-practice standards in your industry.

Live updates: Get an immediate overview of how a new vulnerability affects your infrastructure as soon as the advisory has been released by Secunia Research, based on your latest scan results.

PSI for Android: Scan Android devices for vulnerabilities with the Secunia PSI for Android, and integrate it with the Secunia CSI to support your BYOD policy.

Secunia SC2012 Plugin 2.0: For CSI integration with Microsoft System Center 2012. This add-on makes it possible to deploy all third-party updates directly in Microsoft System Center 2012.

Zero-Day Vulnerability Support: This add-on includes SMS or email alerts whenever a new zero-day vulnerability is discovered that affects the particular IT infrastructure. It is designed for organizations that have a sufficiently sophisticated security apparatus to enable them to act on the zero-day threat intelligence.

Why vulnerability intelligence is a crucial aspect of patch management

In 2012, Secunia recorded a total of nearly 10,000(3) discovered vulnerabilities in software programs, and more than 1,000 vulnerabilities in the 50 most popular programs alone(3). Most of these (86%) were discovered in third-party (non-Microsoft) programs(3), presenting IT teams with the huge challenge of how to retain control over increasingly complex infrastructures and user device autonomy and identify, acquire, install and verify patches for all applications in all systems.

As vulnerabilities are the root cause of security issues, understanding how to deal with them is a critical component of protecting any organization from security breaches. IT teams must know when a vulnerability is threatening the infrastructure, where it will have the most critical impact, what the right remediation strategy is and how to deploy it.

These aspects of risk assessment fall to IT Security and IT Operations respectively, and the two departments require different sets of tools to take strategic, pre-emptive action against vulnerabilities.

“The new Secunia CSI bridges the gap between the two sets of requirements. Security teams need vulnerability intelligence and scanning to assess risk in a constantly changing threat landscape, and IT operations need a patch management solution that is sufficiently agile to maintain security levels without impairing daily performance,” explains Morten R. Stengaard, Secunia CTO.

“The core of our solution is the vulnerability intelligence delivered by Secunia’s renowned in-house Research Team, who test, verify and validate public vulnerability reports, as well as conduct independent vulnerability research on a variety of products. No other patch management solution out there can provide this expertise. To deliver the intelligence to our customers we have created a patch management solution which is constantly evolving, to meet the changing requirements of our users,” says Morten R. Stengaard.

Flexibility is the driving force behind the Secunia CSI 7.0

To ensure that the Secunia CSI 7.0 is primed to work as a conduit to Secunia’s powerful vulnerability intelligence, scanning and patch management solution, flexibility has been the driving force behind the development of the Secunia CSI 7.0.

“Each organization is unique, with its own processes, regulatory standards and security procedures, and the improvements to the Secunia CSI 7.0 enables IT teams to adapt and scale the solution to match the requirements of virtually any organization,” says Morten R. Stengaard.

#ENDS#

(1) “2012 Cost of Cyber Crime Study: United States.” Ponemon Institute. October 2012 http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf

(2) SANS: http://www.sans.org/critical-security-controls/; NIST: http://www.nist.gov/itl/csd/guides-082013.cfm

(3) Secunia Vulnerability Review 2013: http://secunia.com/vulnerability-review/

Secunia partners and memberships:

MS-ISAC, FS-ISAC, ISF, EDUcause, Microsoft Technology Partner and System Center Alliance Member, FIRST, The Open Group.

About Secunia

Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.

For more information, please visit secunia.com

Article source: http://www.darkreading.com/management/secunia-releases-zero-day-android-and-c/240160843

Stuxnet Expert Proposes New Framework For ICS/SCADA Security

Critical infrastructure operators that have adopted the security industry’s popular risk management mindset are doing it wrong, according to Ralph Langner.

Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran’s Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government’s Cyber Security Framework, which is currently in draft form.

The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a “security capability,” Langner says.

“ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent,” Langner told Dark Reading.

Then there’s the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it’s mostly only an annual patching cycle, he says. “If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are,” Langner says.

The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don’t have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.

“If there is one big indicator for cyber security capability, or the lack thereof, it’s resources. If a power plant, refinery, oil terminal, pipeline operator–[or] you name it–doesn’t even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless,” Langner says.

Langner contends that risk-based approaches to security can be fudged and aren’t based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets organizations determine the direction of their adoption of the framework based on which “implementation tier” they fall into, which determines the maturity of their security status.

“An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers,” Langner wrote in a blog post today.

Risk management has basically become a “religion” in security, says Richard Bejtlich, CSO at Mandiant. “Risk management has been beaten into everyone’s head, but below the business level, I don’t think most IT security people” are focused on it, he says.

“No one aside from Ralph is really challenging it,” Bejtlich says.

RIPE details eight areas of the plant system that should be documented and measured to determine the security posture:

• System population, or software and hardware inventory.

• Network architecture, including a network model and diagrams.

• Component interaction, or process flow diagrams.

• Workforce roles and responsibilities, a database of identities, privileges, and policies for all staffers and contractors.

• Workforce skills and competence development, or training curriculum and records of operations and maintenance staff.

• Procedural guidance, aka policies and Standard Operating Procedures.

• Deliberate design and configuration change, or plant planning and change management procedures.

• System acquisition, or procurement guidelines for systems.

There are templates for deploying each step. “I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure,” Langner says. “Whoever uses RIPE will less be interested in compliance than measurable cybersecurity assurance.”

RIPE also includes metrics for benchmarking and scoring each of the eight domains.

According to Langner, RIPE is based on insights by plant floor operators, and it’s really a practical approach to better locking down these environments. Deploying RIPE isn’t a major undertaking that necessarily requires paying consultants, either, he says. “For example, it doesn’t require a genius to assemble a system inventory,” he says. And you can get system documentation from vendors and integrators without having to re-invent the wheel, he says.

Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner’s argument that establishing a baseline security capability before buying security products is crucial.

“Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this,” Peterson says in a blog post.

Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. “What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible,” he says. “The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE.”

He says he’s setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available here (PDF) for download.

Article source: http://www.darkreading.com/management/stuxnet-expert-proposes-new-framework-fo/240160846

Nokia is dead. Long live Nokia!

I’m sure you’ve heard the news.

Nokia, once the 200kg gorilla of the Finnish economy – heck, the 400kg gorilla if you like [*] – is to become part of Microsoft.

More or less, anyway.

Microsoft’s press release isn’t as clear as I’d hoped, though that may be more a consequence of my poor fluency in US legalese than an objective assessment of its comprehensibility.

The wording says that Microsoft has decided to “purchase substantially all of Nokia’s Devices Services business, license Nokia’s patents, and license and use Nokia’s mapping services.”

What’s planned

Substantively, if not substantially, and at least as far as handsets are concerned, it looks as though:

• Microsoft will acquire outright the Lumia and Asha phones and brands.

• Microsoft will license Nokia’s budget handsets.

Lumias are high-end smartphones in both features and price: they have lots of memory, great cameras, cool looks, and the latest Windows Phone operating system.

Ashas are high-end feature phones: they’re stripped down to a price, which makes them good value for money, and they run what’s left of Symbian. (“Low-end smartphones,” as the marketing department might say.)

In short, Nokia is dead. Long live Nokia!

Keeping the budget handsets, sorry, basic feature phones, as Nokia products under the Nokia brand makes a lot of sense to me.

These devices still sell hugely well in the developing world, where the equivalent of $10 can get you up and running in minutes with a prepaid mobile and an activated SIM card.

Better yet, a charge will easily last you days or even weeks, rather than hours or days – a huge plus for those with only irregular access to mains electricity.

Why confuse a large and lucrative market by reinventing a phone like the Nokia 1280 as a Microsoft device?

What about security?

Through Lumia and Asha, Microsoft is now explicitly moving into the handset business as well as the mobile operating system business.

You’ll be able to shop in Microsoft’s catalogue for a Microsoft phone that runs a Microsoft OS and is locked down to apps bought from Microsoft’s online software store.

Suddenly, Microsoft in Redmond sounds a lot closer to Apple in Cupertino.

What next?

The burning question, of course, is, “What will this acquisition do to or for mobile security?”

Over the next two or three years, my feeling is, “Almost nothing.”

That sounds bad, since it implies things won’t get better; in reality, it’s good, because Windows Phone 8 isn’t attracting much interest from cybercriminals at the moment, and that probably won’t change.

Of course, it’ll still be possible to get yourself into as much trouble on a Microsoft Lumia smartphone as you could on an Android or iOS device.

If you upload the right file to the wrong person, or lose a smartphone without having encrypted or locked it, or type in your banking password on an imposter site, you may end up in harm’s way regardless of your operating system.

Looking back

And finally, we have one thing left to do: to look back at the once-dominant market position occupied by Nokia, and ask, “What did Nokia ever do for us?”

Some of us at Naked Security discussed this at some length, with our rose-tinted spectacles on, and we think we have correctly identified the Top Three Legacies of the Nokia era:

1. Snake. (Why would you ever need or want another game for a phone-sized device?)

2. The Nokia Tune. (Want to bet it enjoys a bit of a nostalgia-driven comeback for a while?)

3. S-M-S in Morse code to announce a message has arrived. (You did know that’s what it was, didn’t you?)

[*] Idiomatically, big gorillas are supposed to be 400kg, or 800lb in America. (Where does a 400kg gorilla sit? Wherever it likes.) In fact, a 400kg gorilla would be a mythically enormous animal. A truly big gorilla would be 200kg, or in fact slightly lighter.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PCHoU4i8vyU/
