Value of Annual Risk Assessment Reports and a Proper POAM

A short BIO to introduce myself, I have been involved in technology for over 25 years to include network design, deployment, and configuration of various logging and reporting techniques for these systems into a Secure Managed Environment, Systems Administration and the delivery of technology services to assist customers in their business processes. I have been heavily involved in Cyber for the past ten years and currently hold a CISSP and SANS – GSEC certifications.

As I work closely with various customers over time to meet their IA Compliance requirements the value of a proper annual Risk Assessment and the final RAR (Risk Assessment Report) including a POA&M (Plan of Action and Milestones) become increasingly evident to myself and the customer. The reports give the picture of where compliance was day one, and as the assessment team reviews annually, the initial documents become updated versions of the first noting differences but never being deleted. In my POA&M’s I include a tab for “Completed POA&M Controls” and move all items completed the previous year into that list. That list then becomes a quick reference for any Executive or potential auditor to measure the progress and changes year over year.

Posted in Opinion | Leave a comment

Smart TVs Vulnerable to Hacking, Consumer Reports Finds

This is a very interesting article and one indication of what is developing within the " Smarthome Network". As we integrate more technology into our homes and lives it becomes increasingly apparent that we are no longer autonomous as we might assume, most folks are enjoying the convenience of these new and expanding technologies but forget they are opening their lives to more and ever increasing attention from not so bad actors such as advertisers as well as bad actors such as hackers and intruders. Enjoy the read!

Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws.

The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio.

The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for.

Data Collection in the Living Room
This is the first time Consumer Reports has carried out a test based on our new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights.

The goal is to educate consumers on their privacy and security options and to influence manufacturers to take these concerns into consideration when developing their products.

“The Digital Standard can be used to evaluate many products that collect data and connect to the internet,” says Maria Rerecich, who oversees electronics testing at Consumer Reports. “But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.”

Smart TVs represent the lion’s share of new televisions. According to market research firm IHS Markit, 69 percent of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018. Eighty-two million of these sets have already found their way to consumers.

Internet connectivity brings a lot of appealing functionality to modern televisions—including the ability to stream content through popular apps such as Hulu and Netflix, as well as to find content quickly using voice commands.

But that functionality comes with substantial data collection. Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers. For instance, if you’re watching a particular sports event, you could see an online advertisement from a brand interested in reaching fans of that sport.

In 2017 Vizio got in trouble with federal and state regulators for collecting this kind of data without users’ knowledge or consent. The company settled with the Federal Trade Commission for $1.5 million and the state of New Jersey for $700,000. The FTC has now made it clear that companies need your permission before collecting viewing data—but consumers may not understand the details, says Justin Brookman, director of privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

“For years, consumers have had their behavior tracked when they’re online or using their smartphones,” Brookman says. “But I don’t think a lot of people expect their television to be watching what they do.”

And manufacturers are aiming to make smart TVs the centerpiece of consumers’ increasingly connected homes. Companies such as LG and Samsung have recently shown off sets with built-in digital assistants that let you control other smart-home devices ranging from thermostats to security cameras to washing machines to smart speakers.

In a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51 percent were at least somewhat worried about the privacy implications of smart TVs and 62 percent were at least somewhat worried about the sets’ security practices.

Complete Article can be viewed at https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/

Posted in Home Network Security | Leave a comment

Why Manufacturers Should Be Mindful Of Cybersecurity

Hackers can penetrate the corporate IT network of a manufacturing company, then gain access to a robot’s controller software and, by exploiting a vulnerability remotely, download a tampered configuration file. As a result, instead of a straight line, the robotic arm draws one that is 2 mm off. This minuscule defect, if left unnoticed, could lead to catastrophic effects in this hypothetical example — this line is responsible for welding the chassis of a car that, if compromised, could result in casualties and a vehicle recall.

A decade ago, this would sound like the plot of a straight-to-DVD film. Today, it’s a proof-of-concept attack that hit headlines in May. As you might have guessed, I’m speaking about research conducted by specialists at Trend Micro and Politecnico di Milano, who discovered vulnerabilities in an ABB IRB140 industrial robot as well as in other industrial controllers.

Risks

The described scenario is not the only possible one. I warned about similar attacks a year ago. The tiniest of variances in the performance of operational technology could cause manufacturing disruptions, leading to defective products (meaning recalls and reputational losses), production downtime, physical damage, and even injuries and deaths.

As the example above showed, the most worrisome cases are when hackers’ actions are almost undetectable. Such minuscule defects may come in many forms. To give you another example: A hacker can slightly change welding conditions (e.g., lower temperature and time) in any part of a car manufacturing process so that two pieces will be joined not as firmly as is required. As a result, the car would be less safe, but the hack would go unnoticed.

Incident Examples

The aforementioned research is not the only piece of evidence. Manufacturing is the second most attacked industry. Of course, not all attacks are conducted against critical infrastructure. Hackers are typically financially motivated, and thus focus on industrial espionage. For instance, in 2015, a backdoor Trojan known as “Duuzer” was used by malicious actors to steal sensitive information from South Korean manufacturing organizations.

The first confirmed case of a cyberattack against manufacturing that caused physical damage also occurred in 2015, when hackers attacked a steel mill in Germany. As a result, a blast furnace was compromised and could not be shut down.

Content from Forbes.COM

Posted in Cyber Intrusions in the News | Leave a comment

Wannacry

This article was interesting to me post from wired.com, so I decided to repost.

On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.

Though powerful, the ransomware also had significant flaws, including a mechanism that security experts effectively used as a kill switch to render the malware inert and stem its spread. US officials later concluded with “moderate confidence” that the ransomware was a North Korean government project gone awry that had been intended to raise revenue while wreaking havoc. In total, WannaCry netted almost 52 bitcoins, or about $130,000—not much for such viral ransomware

WannaCry’s reach came in part thanks to one of the leaked Shadow Brokers Windows vulnerabilities, EternalBlue. Microsoft had released the MS17-010 patch for the bug in March, but many institutions hadn’t applied it and were therefore vulnerable to WannaCry infection.

Petya/NotPetya/Nyetya/Goldeneye

A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system.

Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosnoft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.

Posted in Uncategorized | Leave a comment

How Hackers Manipulate And Compromise Business Email

Business email compromise is an attack that targets customers or employees that work with your external-facing business associates. Here’s an overview of how it might work:

Customer A (we will call them Able for this scenario) falls for a phishing scam and their email credentials are compromised. The attackers snoop around Able’s email account and notice that they conduct business, including wire transfers and payments, with your company. The attackers use Able’s email account to send a request for a wire transfer or payment that doesn’t particularly stand out as unusual because it is similar to other requests you’ve received in the past. However, instead of using the bank account on file, they ask you to send the payment to a different bank account that’s not on file. The scammer may even proactively offer some kind of reason for this, such as “Our accounts are under audit right now, please send to the account below instead”.

Essentially, attackers in this scenario use a compromised email account to manipulate the trust between you and your customers. This can also happen in reverse. Your employee could fall for a phishing scam and then the attackers use his or her credentials to target your customers, hoping to initiate a fraudulent wire transfer in your company’s name.

The FBI has reported that as of May 2016, over 15,000 organizations have become victims of business email compromise scams losing a combined total over $1 billion dollars. These victims range from small businesses to large corporations in a wide array of business sectors.

Thankfully, this type of fraud can often be detected and stopped by having standard operating procedures (SOP’s) and processes in place that require your employees to verify transfer requests before initiating payment. In addition, you should never change bank account or address information for your customers or vendors via email; such changes should always require a follow up phone call at the very least for verification. Furthermore, enabling two-factor authentication for email where possible can mitigate the risk of unauthorized access to business email. As an added measure, it’s important to be aware of the information relating to your employees and your organization available on social media. Many attackers do their homework before attempting these types of scams; the more information that’s publicly available about your organization’s structure, the easier it is for them to plan and execute their attacks.

Brian Krebs has published a great article on the , value of a hacked email account which is worth reading, to get a better sense of why the data held by companies is a lucrative target and why email fraud is so common.

Posted in Uncategorized | Leave a comment

HOW NOT TO BE A RANSOMWARE VICTIM

Regularly backup your data, and make sure the backups are not connected to the computers and networks they are backing up. Most ransomware variants can encrypt files on any attached drives or network files that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine). Bleepingcomputer’s Lawrence Abrams just published this protect against ransomware a nice primer called How to Protect and Harden a Computer Against Ransomware.

Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.

Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.

This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.

Remember my Three Rules of Online Security:

1: If you didn’t go looking for it, don’t install it.

2: If you installed it, update it.

3: If you no longer need it (or, if it’s become too big of a security risk) get rid of it.

Source of Content KrebsonSecurity.com-before you pay

Posted in Cyber Security Defense | Leave a comment

DOD Announces Digital Vulnerability Disclosure Policy and “Hack the Army” Kick-Off Press Operations Release No: NR-413-16 Nov. 21, 2016

Building on the success of the “Hack the Pentagon” bug bounty pilot in which hackers from across the country were provided legal authorization to spot vulnerabilities in specific Department of Defense networks in return for cash payments, the Department of Defense (DoD) today unveiled two new initiatives designed to further enhance the DoD cybersecurity.

The first initiative is a new DoD policy regarding the identification of network vulnerabilities. Beginning today, the DoD Vulnerability Disclosure Policy provides a legal avenue for security researchers to find and disclose vulnerabilities in any DoD public-facing systems. This policy is the first of its kind for the Department. It provides clear guidance to security researchers for testing and disclosing vulnerabilities in DoD websites, and commits the Department to working openly and in good faith with researchers.

“The Vulnerability Disclosure Policy is a ‘see something, say something’ policy for the digital domain,” said Secretary of Defense Ash Carter. “We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”

The U.S. Department of Justice’s Criminal Division, which was consulted during the development of DoD’s Vulnerability Disclosure Policy, welcomed it as an important development. Assistant Attorney General Leslie Caldwell described it as “a laudable way to help computer security researchers use their skills in an effective, beneficial, and lawful manner to reduce security vulnerabilities.”

Today also marks the opening of registration for “Hack the Army,” the next bug bounty challenge. The competition is modeled after the Defense Digital Service’s Hack the Pentagon pilot, but is focused on more operationally relevant websites — specifically those affecting the Army’s recruiting mission. Partnering with the Defense Digital Service, Secretary of the Army Eric Fanning announced the challenge earlier this month in Austin, Texas.

“As Secretary of the Army, the security of these foundational systems is incredibly important to me, and security is everyone’s responsibility,” Secretary Fanning said. “We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future Soldiers.”

Approximately 500 hackers are expected to participate in this bug bounty challenge. They will be eligible to receive thousands of dollars in bounty rewards.

The Vulnerability Disclosure Policy will provide a standing avenue of reporting for all DoD websites, whereas bug bounties like “Hack the Army” will provide incentives to researchers to focus on specific high-priority DoD networks and systems. These two initiatives underscore Secretary Carter’s commitment to innovation and adopting commercial best practices. DoD has focused on efforts to modernize our digital security and find new ways to solve our internal challenges. Both “Hack the Army” and the new Vulnerability Disclosure Policy are in line with these goals.

Please visit HackerOne.com/DeptOfDefense and HackerOne.com/HacktheArmy for more information on the DoD Vulnerability Disclosure Policy and the Hack the Army bug bounty challenge.

Posted in Uncategorized | Leave a comment

Service Providers: a Weak Link in an Organization’s Cyber Security Program? – CyberArk

Vendor-related IT security is a well-documented concern within the cyber security industry. In exploring the main cyber security challenges with third-party vendors, a recent Mandiant report highlights several issues associated with attacks stemming from IT outsourcing (ITO). According to the …

Source: Service Providers: a Weak Link in an Organization’s Cyber Security Program? – CyberArk

Posted in Cyber Intrusions in the News | Leave a comment

Home Network Security a Wise Choice

We all lock our doors at night; some even purchase or build homes in gated communities so why do we install high speed internet connections into our homes and never give any thought to the security of those home networks. Consider for a moment how much financial information or information concerning the access to your financials is kept on your home PC/Network, how much information about you or your family is stored on those systems? This information is precisely what the malicious hacker is looking for “just enough” information to steal from you anonymously!

Posted in Home Network Security | Leave a comment

Best Practices for Home Network Security – SandBoxing

Surfing compromised or malicious web sites is a common way to infect your PC with malware. Consider using one of several available web browsers (e.g. ChromeTM[4], Safari®[5]) that provide a sandboxing capability. Sandboxing creates a bubble or virtual environment that contains malware infections during execution thereby not infecting the PC operating system.

Posted in Home Network Security | Leave a comment