And that’s it. That is the entire basis for developing these principles, the rules of the road, these guiding lights, so that we can protect these systems we so dearly rely on.
What is a principle? The “know all” (aka, Google) tells us a principle is: “a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning.”
What is a communication system? The other “know all” (aka, Wikipedia) tells us a communication system is: “In telecommunication, a communications system is a collection of individual communications networks, transmission systems, relay stations, tributary stations, and data terminal equipment usually capable of interconnection and interoperation to form an integrated whole.” Continue reading “The Principles of a Safe Secure & Intelligent (S2I) Communications System”
If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars, your job, and avoid an avalanche of bad PR.
In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.
This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.
On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of the Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35kV substations were disconnected for three hours.
The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.
How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”
Market forces are at play here, and with a global market, it’s tough to control what gets built, to what specifications, and then find an appropriate way to share that information with potential buyers.
Perspectives From 3 Of The Top SMEs In Information Security
As we approach the new year, I, Chuck Brooks, am very pleased to have a discussion with four of the most prominent technical SMEs in the world of cybersecurity; Kenneth Holley, George Platsis, and Christophe Veltsos. Their answers that follow offer practitioner perspectives and advice on some of the key issues and technologies that encompass the future of information security. It is worthwhile keeping their comments as a source reference for the C-Suite and anyone concerned about protecting their identities and data. Continue reading “2018 & Beyond – Cybersecurity’s Future”
And one from the #CyberAvengers all on Forbes
Attacks on the US government and critical infrastructure
A nation-state sponsored group will commence a 5-day long DDoS attack against a critical US government (non-DoD) agency, shutting it down in order to show their strength—The Cyber Avengers
Read the entire list on Forbes
Therefore, you are faced with a situation where you not only have to protect your information but also ensure a third-party is protecting your information. By no means is this an easy task. And if you cannot do that, you need to ensure that you are equipped with the necessary tools to protect against what we’ve been calling “potentially unwanted leaks” (PUL).
In our previous article, we laid the groundwork for what we believe to be a serious threat to ICS/SCADA devices: social engineering. We continue here with some definitions, some of which you may already know.
Phishing is a relatively broad term for any attempt to trick victims into sharing sensitive information, such as passwords, usernames and credit card details. The intent is almost always malicious. Another characteristic of phishing is that it tends to be random, usually exploratory in nature, as opposed to a targeted act. Instead of targeting a specific individual or group of individuals, phishing tends to target multiple victims from within the same organization. Think of phishing as the “throwing spaghetti on the wall and whatever sticks” approach. Continue reading “Potentially Unwanted Leaks: Social Engineering, Small Missteps, and Big Mistakes”
We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.
Expectedly, our cybersecurity issues are growing. We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.
What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of the putting aside or worse, ignoring, the basics. In short, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.
The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems are inherently insecure systems, poor maintenance, and social engineering. Continue reading “A National Cybersecurity Action Plan is a Serious Priority”
Frank Abagnale, one of the world’s most respected authorities on the subjects of forgery, embezzlement, cybercrime, and secure documents succinctly states the troubling environment. “The police can’t protect consumers. People need to be more aware and educated about identity theft. You need to be a little bit wiser, a little bit smarter and there’s nothing wrong with being skeptical. We live in a time when if you make it easy for someone to steal from you, someone will.” There are many malicious actors out in the digital landscape and it will be increasingly important to stay ever vigilant.
Email interview held on 30th September 2017 – as follows between Alan Radley (questioner) and Chuck Brooks (relator):
- What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
The current state is a scary one. Constant breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable from hackers, phishers, and malware proliferating across all commercial verticals.
In the past year, the employment of ransomware has become a method of cyber-attack choice by hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems, devices and often lack required patching and updating necessary to thwart attacks. The recent Wannacry, and Petya attacks were certainly wake up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities to networks still remain. Continue reading “Science of Cybersecurity Interview with Chuck Brooks”
The threat which concerns us most is effectively preying on humans, our concern is warranted. And that is why we feel that the biggest problem the power grid faces today is phishing, spear-phishing, and pretexting, all of which we will define in this set of articles.
Do you go fishing? You may or may not, but we see far too much phishing going on in the Internet ocean, and it scares us. The risk of over-phishing is not necessarily our concern. Our concern rests in that phishing is so easy, and big fat phish of this Internet ocean are getting gobbled up. And that’s not good for us because many of us don’t really know what is in the ocean, like critical infrastructure (CI).
As the title suggests, our biggest concern as it relates to ICS/SCADA connected devices is us. We are an incredible vulnerability to CI, and seeing as though everything we depend on runs on some form of CI, its best we protect it.
Let’s start with some basics. Our CI is for the most part old. Devices are stuck with legacy software and cannot be updated or patched because they are simply too old and out-of-date are a potential problem, as these systems have vulnerabilities that hackers can take advantage of. Yes, there is a flip side to the argument here that some of these systems are so old they cannot be hacked or are extremely difficult to be hack, as is the case in the US nuclear system. (But don’t think for a moment that nobody is trying!)
Continue reading “ICS/SCADA Devices, The Threat to Critical Infrastructure, and Social Engineering”
Comprehensive risk management should include cyber-hygiene best practices; education/training, use policies and permissions, configuring network access, device management, application controls, and regular network audits. Also, encryption tools, new network mapping, automated rapid detection technologies and behavioral analytic software tools have also been developed that help mitigate the insider threat landscape of morphing digital and physical threats.
The Cyber Insider Threat is one of the most difficult challenges for companies, organizations, and countries. It is often difficult to discover, defend and remediate because such threats can involve a combination of human behavioral elements and hardware and software technologies. Many of the threat actors are tech-savvy and are becoming increasingly sophisticated in their methods of infiltration. What Is Insider Threat – read more
The recent “Vault 7” WikiLeaks download of thousands of pages of sensitive CIA hacking tools and techniques is the latest episode of high profile insider breaches. Other noted examples include Army Pfc Chelsea Manning – 400,000 documents – Iraq War logs, 91,000 documents- Afghanistan database, Edward Snowden – 50,000 to 200,000 NSA documents, Harold Thomas Martin III NSA Contractor- 50,000 gigabytes, about 500 million documents, Home Depot data breach – 56 million credit cards, Yahoo – 1 billion accounts, and Twitter – 32 million accounts. Healthcare – 4 million patient records. Average cost of a data breach in 2016 was $4 million dollars/company (Ponemon). Global business loss in 2014 – $1.7 trillion dollars with 23% annual growth. 2016 losses could be higher than $3 trillion dollars globally (stats courtesy of Mr. Thomas Kupiec – Chief Information Security Officer – SMS and former CISO of the National Geospatial Intelligence Agency) Continue reading “Defining and Addressing the Growing Cyber Insider Threat”
Just as the United States is vulnerable, so too are businesses within the United States and around the world. Just as the computer is increasingly becoming the weapon of choice for warfare, so too has it in business warfare.
What is foreseeable is that cyber attacks often are not. A few years ago the Sony Pictures Entertainment (SPE) hack turned on its head the business world that was already trying to come to grips with the Target, Home Depot, Neiman Marcus, and many other data breaches.
There was one thing about the SPE breach that really had the cybersecurity community in quite a buzz. An internal email from SPE’s cybersecurity investigators was made public and some were taking it as saying “It’s ok, it could have happened to anybody and there was nothing Sony could have done to stop it. It’s not Sony’s fault.”
That inference came from statements in the email that referred to the attack as being unique and unprecedented with the malware being undetectable by industry standard antivirus software.
The kerfuffle that ensued brings to mind the bigger picture of cybersecurity. Things such as what I have been preaching about cybersecurity. What others have been preaching about cybersecurity. More directly, what our respective roles are when it comes to cybersecurity and where and how (or whether) we really provide value to our clients. Continue reading “The Nature of Cybersecurity Strategies for Unprecedented Cyber Attacks”