Monday, Jul 06 2015

June 2015 Terror Threat Snapshot Paints a Dismal Picture


TOP TAKEAWAYS

  • ISIS is dead set on attacking America and its allies. With the recent attacks in France and against tourists in Tunisia, ISIS has now been linked to 47 terrorist plots or attacks against the West, including 11 inside the United States. The rate of ISIS terror plots against the West has more than doubled in 2015 (19 plots in all of 2014; 28 already this year).

  • The number of post-9/11 jihadi terror plots in the United States has surged. There have been more U.S.-based terror plots or attacks in the first half of 2015 (a total of 24) than in any full year since 9/11. Overall, homegrown jihadi plots have tripled in just the past five years (from 36 plots/attacks in June 2010 to 118 today).

  • Islamist terrorists are getting better at recruiting Americans. Ten U.S.-based ISIS supporters have been arrested in the last month, bringing the total to 55 ISIS-inspired individuals arrested and charged in America (not including two who have been charged in absentia). ISIS followers have now been arrested in at least 19 states.

  • Foreign fighters continue to pour into terrorist safe havens overseas and represent a threat. Around 40 have already returned to the United States, according to authorities, one of whom was arrested while plotting a terrorist attack in Ohio.

  • Islamist terror safe havens and franchises are proliferating rapidly, giving groups like ISIS and al Qaeda a base for operations and further expansion. Libya in particular has deteriorated quickly, becoming a training ground for terror recruits. ISIS now has a direct presence, affiliates, or groups pledging support in at least 18 countries or territories, including Afghanistan, Algeria, Egypt, India, Indonesia, Iraq, Jordan, Libya, Lebanon, Nigeria, the Palestinian territories (Gaza), Pakistan, the Philippines, Russia (North Caucasus region), Sudan, Syria, Tunisia, and Yemen.

    TERROR PLOTS AGAINST THE WEST

    ISIS is not a regional phenomenon but a global menace whose targeting of the West has surged in 2015.

    By the numbers

    • Since early 2014, there have been 47 planned or executed ISIS-linked terror plots against Western targets, including 11 inside the United States.[1]

    • There have been more ISIS-linked plots against Western targets in the first half of this year (28) than in all of 2014 (19).

Thursday, Jul 02 2015

Smart Cities' 4 Biggest Security Challenges

The messiness of politics and the vulnerability of the Internet of Things in one big, unwieldy package.

It's no secret that Internet of Things devices like Nest thermostats and Fitbits are behind the curve on information security -- lax encryption and access control for both the wireless link and the data they collect, for starters. So what happens when IoT devices run a "smart city," and the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems are all as vulnerable as that Fitbit on your wrist?

"Most cities around the world are unprotected to cyber attacks," says Cesar Cerrudo, CTO of IOActive. At DEF CON last year, Cerrudo presented research on serious vulnerabilities in vehicle traffic control systems that could be exploited to cause traffic jams or crashes. His studies inspired him to create Securing Smart Cities, a global non-profit initiative established in May by IOActive, Kaspersky Lab, Bastille, and the Cloud Security Alliance with the purpose of better defining the security challenges of smart cities and finding workable solutions.

"Cities are really important, because they're the backbones of civilization. They're the backbones of economy," says Greg Conti, associate professor and director of the Army Cyber Institute at West Point. Conti, along with West Point associate professor David Raymond and Drawbridge Networks CTO Tom Cross, will be presenting a session on "Pen Testing a City" at the Black Hat Briefings in August.

"We're going to be looking at the security of cities, whether they're dumb, moderately intelligent or smart," says Conti.

What makes cities, particularly "smart" cities, uniquely challenging?

Insecure Products & Insufficient Testing

One of the biggest concerns about smart buildings and smart cities is that the sensors in the equipment can be hacked and fed fake data -- which could be used for all manner of mischief, like causing signal failures that shut down subways or allowing contaminants into the water supply.

"Most product vendors are releasing hardware, software without any security, and governments are releasing it without any testing," says Cerrudo. Although they may test rigorously for functionality, cybersecurity won't be part of the process. Cerrudo discovered there were 200,000 vulnerable traffic control sensors installed in cities across the world, including New York, Washington D.C., and London.

Cross says that people's attitudes toward a new technology's vulnerabilities often slide through something like the five stages of grief. First comes "denial," when they remain too enamored of the technology's fun features to consider the risks. Then they move through "anger," "bargaining," "depression," and eventually "acceptance." "Smart cities technology is following the same pattern," he says, and there's still a long way to go before we reach acceptance.

As Cerrudo wrote in a report in April, "At IOActive Labs, we continue to see vendors that do not know anything about cyber security; they lack skilled security people and don’t seem interested in improving security. For instance, many vendors don’t object to giving full privileged access to a device or system to anyone who is on a local network, because they think of the internal network as safe."

Huge, Complex Attack Surface

The trouble is, the notion of an "internal network" doesn't really translate to smart cities. The trend is that the smarter the city, the more computer systems there are, the more integration there is between those systems, and the more open the access to the data collected by all of them.

As futurologist Dr. Simon Moores said at the IFSEC conference last month, the task of integrating an entire city of buildings outfitted with smart electric meters, doors, HVAC systems, and lighting is an "almost intractable problem."

Cross explains that the challenge of integration is not just technological; it's about all the operational interdependencies that exist in a city. "If the subway shuts down, people can't get to their jobs, and then other things don't get done," he says.

Cerrudo explains that attackers know about this "cascade effect," and that they can use it to their advantage by launching an attack on a small, poorly secured system that doesn't seem very critical, and setting off a chain reaction.

The definition of "critical" may vary from city to city, too. Cross says to look at something like Las Vegas. "The economy is very dependent on casinos," he says, "but casinos are not considered critical infrastructure."

The degree of complexity also varies with the age and size of the city -- an aspect Conti, Cross, and Raymond plan to discuss at Black Hat. "We're getting a sense there may be a sweet spot," says Conti. A city that's somewhere in the middle in terms of size and age, "small enough that it can get its arms around its technology," using "new but not necessarily bleeding-edge" technology, seems to have the best chance of success. "We thought that was an interesting dynamic," he says.

Lack of Oversight and Organization

At IFSEC, Moores posed the rhetorical question, "Who's responsible when a smart city crashes?"

Other experts agree that in many cities there is still no clear cybersecurity leadership, and that cities need to establish city-specific CERTs and/or security operations centers -- not just for information sharing, but also for cross-function vulnerability assessment and incident response planning.

"Each fiefdom can't develop infrastructure in a vacuum," says Cross.

IOActive's Cerrudo says cities need to start treating cybersecurity in the same way the private sector does.

Shifting Politics, Shifting Budgets

That's all easier said than done.

"Cities are ultimately political beasts, with responsibilities to the populace," and with that comes increased visibility, Conti says. That increased visibility can ultimately be either good or bad for security, but either way it will be subject to public scrutiny in a way that regular companies don't need to consider.

Plus, getting budget for security always requires a process of educating leaders and obtaining their buy-in. In the public sector, however, the leaders and the budgets may change completely every time there's an election.

"If [the elected official gets] tossed out, you have to start the process over again," Cross says. "You constantly have to reeducate and resell."

Conti adds that often there will be a failure or a breach that is the event that transforms a leader's attitude towards security. "The new leader," he says, "hasn't gone through the same transformative event."

And the security skills shortage tends to be worse in the public sector, according to Cross. "The most talented people work in the private sector," he says, "because they get better salary and compensation."

"Security problems in cities are real and are current," Cerrudo says. "The possibilities are out there ... So we need to start working on improving security right now."

Wednesday, Jul 01 2015

One-Third of Industrial Control Systems Breached in Last Twelve Months

Security News

According to a report from SANS on the state of Industrial Control System (ICS) security, one-third of respondents (34%) said their systems had been infiltrated or infected in an attack at least twice in the last twelve months.

Of the organizations breached, nearly half (44%) said they were unable to identify the source of the infiltration, and 15% said it took them more than one month to detect the breach.

“The number of confirmed breaches is rising, but the limited ability of most ICS security systems to detect attacks, let alone reveal their source and type, is at least as big a problem as the number of attacks on operational technology systems,” said Bengt Gregory-Brown, consultant to the SANS ICS program.

“Lack of visibility into ICS systems is a problem, and one that’s growing with greater connectivity and the IT-OT integration.”

The study surveyed 314 respondents, most of whom identified their roles as security administrator/security analyst, security manager/director or officer, or security design engineer.

The study revealed that the threat of attacks carried out by external actors was the primary security concern, with 42% marking it as the top threat and 73% identifying it as one of their top three concerns.

Threats from insiders were identified by 49% of respondents as being among the top three threats, and 46% said the integration of IT systems into ICS networks was a major risk factor.

Despite the integration concerns, only 29% of respondents said their organization has begun implementing strategies to manage the risks from convergence, 36% said their organization is currently developing strategies, and 18% said there is no strategy in place and no plans to develop one.

“We are very glad to see indications of growing collaboration between IT and ICS security staff,” says Derek Harp, director of ICS-SCADA security at SANS.

“But the number of companies lacking strategies to manage the integration of IP technologies and commercial operating systems into ICS environments is still quite high.”

In April, ICS-CERT released its annual Year in Review report, which examined the risks posed by the increasing number of Industrial Control Systems that are connected to the Internet, either intentionally or by mistake.

ICS-CERT reported that it responded to 245 incidents involving U.S.-based Industrial Control Systems in the 2014 fiscal year (October 2013 to September 2014), with nearly one-third of the incidents involving systems governing energy production and distribution.

Of the reported incidents, 32% targeted the Energy Sector, with Critical Manufacturing a close second at 27%, followed by Healthcare, Water and Wastewater systems, and Communications at roughly 6% each, and Government Facilities at just over 5%.

ICS-CERT also received 159 reports of vulnerabilities identified in control systems components, and they coordinated with researchers and vendors on mitigations both domestically and abroad, with the majority affecting systems used in the Energy Sector, followed by Critical Manufacturing, Water and Wastewater.

Authentication issues, buffer overflows, and denial-of-service vulnerabilities were the most common vulnerability types, with the ‘Heartbleed’ OpenSSL vulnerability garnering the most attention through multi-vendor coordinated responses.

BY ANTHONY M. FREED

Monday, Jun 22 2015

Personal data is becoming a primary target at every level

JUNE 19, 2015
I recently published a blog about the data breach at the Office of Personnel Management (OPM) and the Interior Department, which is being blamed on China.

In the last week, a number of experts have given more detail on the depth of the stolen data. The concern is about Standard Form 86, which is used to collect data on potential federal employees applying for national security positions.

As you can imagine, this form probes into areas of someone’s background, family and friends that not even those close to the person may know. The form runs to 127 pages, and the information collected includes citizenship, passports, residences, schools, military service, employment, financial records, alcohol and drug use, criminal records, psychological and emotional health, groups the applicant may have been associated with, foreign travel, and associates including relatives and friends.

The data is extremely valuable to any foreign government or intelligence agency; knowing your enemy in this much detail is a definite advantage. Some observers are suggesting that the data may even be used to blackmail people. While there is of course this possibility, I doubt anyone who successfully got a position in the NSA would be susceptible to blackmail…

However, there is the risk of an unsuccessful applicant being blackmailed with the data on their Standard Form 86. Naturally, this is bad news for them, and they need protection too, even though they are not in national security positions.

Any breach that affects the people responsible for our security is extremely serious, and there needs to be a robust plan to assist current and past employees, and even those who simply filled out the form.

Personal data is becoming the primary target for many cyber criminals, foreign powers and governments, and the holders of that data need to take precautions to secure it. We are all potential victims of data theft, and it’s our responsibility to understand the dangers of handing over our data.

While in this case there is no alternative for national security employees, in many of the data breach cases recently there are ways that we can limit our exposure by sharing less.

Tony Anscombe
June 19, 2015

Tuesday, Apr 28 2015

RSA 2015 Identity, Identity, Identity

This past weekend I returned from the annual RSA conference in San Francisco. While I may be slightly biased by my area of interest, I saw and heard more emphasis on the criticality of effective Identity and Access Management this year than ever before. 2014 was widely referred to as the Year of the Breach. Last year over 1 billion personal data records were stolen, and the companies whose networks were compromised include some of the largest and most recognizable, including Apple, Home Depot, JP Morgan Chase, Kmart, and Staples. In every case, compromised user credentials played some part in facilitating the breach. For Target, whose own breach occurred at the very end of 2013, the associated costs to the company and its shareholders are now over $150 million. Compromised user credentials are by no means the only problem that led to these incidents, but they play a central role. Other factors include targeted phishing attacks (spear-phishing), which accounted for 30% of all attacks on commercial networks last year, and malware, which is often used in conjunction with targeted attacks, increased by 60% last year and is growing by roughly 4,000 new threat variants per minute.

So what has changed? Mobile and cloud computing, along with the ever-increasing need to give customers and partners greater access to information and a richer user experience, have meant extending access to data and services as well as establishing digital identity "trusts" with third-party Identity Providers such as Google, Microsoft, Facebook and others. Instead of targeting hardened networks and application infrastructures, bad actors are exploiting users' identities to gain "legitimate" access. They then pivot to other systems or users, eventually gaining the credentials and access they need. As an example, in the Anthem Blue Cross breach, the attackers obtained the identities and credentials of several employees through phishing. These included credentials of system administrators, which gave them the access needed to steal millions of customer and employee health insurance records. Premera Blue Cross experienced a similar breach, and as a result both insurers now face numerous class action lawsuits in which plaintiffs claim the organizations failed to provide "due care" in the protection of their user identities and credentials.

Identity is now a primary attack surface. Amit Yoran, President of RSA, the security division of EMC Corp., addressed this in his opening keynote, stating that "Identity and Authentication are paramount to security... we must know who is accessing what, in real time, in order to stop attacks earlier in the kill chain". Protecting this attack surface is hard because identities must be trusted in order to grant access and to allow users' credentials to be passed securely between applications. At the core of this challenge is the fact that, traditionally, companies have not designed Identity and Access Management platforms as an attack surface. These systems sat behind complex "defense in depth" architectures within the network core, where they provided basic access provisioning services.

In the new paradigm, we must combine the effectiveness of traditional controls, such as minimum password complexity and routine password change, strong multi-factor authentication, and end-to-end encryption of authentication traffic, with new identity and access models such as claims-based authentication and secure token services. The key strength of these services is the componentization of identity into parts: the unique attributes comprising an identity, held by the Identity Issuer or Authority, and the "claim", a statement that identifies the user and their relevant attributes such as name, preferences and privileges. The claim is then secured within one or more "tokens", which can be validated by any system that shares a common trust with the issuer. The exchange of tokens also securely facilitates federation of identities and access rights (including Single Sign-On) between applications and across networks, removing the need for repeated user entry of credentials and improving the user experience. This is often described as part of the "Zero Trust" security model, reflecting the fall of the network perimeter.

To allow the necessary standardization and interoperability of this model, there has been a good deal of churn among specifications and standards, with the aim of settling on a widely adopted, no-compromise approach to highly distributed Identity and Access Management. OpenID Connect and the JSON Web Token (JWT) architecture have so far been the most widely adopted.
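The issue-then-validate cycle described above, shown end to end as an added example that is not code from the original post: an identity authority signs a set of claims into an HS256 JWT, and a relying party that shares the same key (the "common trust") validates the token before honoring the privileges it carries. The issuer name, audience, key, and the privilege claim are assumptions for the illustration; only the Python standard library is used. The example also shows what the token cannot protect against on its own: a tampered claim fails the signature check, and the verifier pins the algorithm rather than trusting the one named in the token header.

```python
"""
Added illustration of claims-based tokens (not the post's own code).
Issuer name, audience, shared key and claim names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example: in production the key lives in a secret store.
SHARED_KEY = b"example-shared-secret-do-not-reuse"
ISSUER = "https://idp.example"   # hypothetical identity authority
AUDIENCE = "payroll-app"         # hypothetical relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, privileges: list, key: bytes = SHARED_KEY,
                now: int = None, ttl: int = 300) -> str:
    """Issuer side: wrap the claim (who the user is, what they may do) in an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "privileges": privileges, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes = SHARED_KEY, now: int = None) -> dict:
    """Relying-party side: accept the claim only if algorithm, signature,
    issuer, audience and lifetime all check out. Raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never let the token choose (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def tamper(token: str, new_privileges: list) -> str:
    """Rewrite the claims section without re-signing, as an attacker lacking the key would."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims["privileges"] = new_privileges
    return h_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s_b64


if __name__ == "__main__":
    t = issue_token("alice", ["read"], now=1_000_000)
    print(verify_token(t, now=1_000_100)["privileges"])
    try:
        verify_token(tamper(t, ["admin"]), now=1_000_100)
    except ValueError as e:
        print("rejected:", e)
```

The relying party never sees the user's password: it trusts the issuer's signature, and the `aud` check stops a token minted for one application from being replayed against another that happens to share the key.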

Visibility, the capability to monitor access effectively and in real time, is another key capability necessary for Identity and Access Management. Threat intelligence and access data must be continually monitored. This requires that identity and access log data and other analytics flow continuously, in machine-readable format, to monitoring and detection platforms for analysis, and that appropriate alerting and response occur for anomalous activity. Among the 1,200 new information security startups that received $7 billion in new capital funding last year are companies whose technology and services provide Identity and Access Intelligence. These technologies bring identity and access information together with varied event data, which is mined using algorithms to identify potentially threatening or business-impacting activity. Whether it is erroneous actions that threaten the integrity of production data or malicious activity that suggests pending data loss, these systems allow much earlier and more granular detection of unusual behavior and access attributable to specific identities. This capability becomes even more critical as the Internet of Things (IoT) is projected to grow to over 100 billion connected devices by 2018. Many of these devices will have addresses on corporate networks and user identities connecting to them, providing another point of entry. Appliances that can monitor and analyze activity (at near wire speed) across these ever-increasing devices and identities will be a necessity to maintain the confidentiality and integrity of data and the availability of services.
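What "mining identity and access data for anomalous activity attributable to specific identities" looks like in practice, as an added example that is not from the original post: a small detection pass over constructed authentication events in JSON-lines form. The log format, field names, sample events and thresholds are all assumptions for the illustration. It applies three rules of the kind a detection platform would run continuously: a burst of failures immediately followed by a success for the same account (credential guessing that worked), the same account succeeding from two countries within an hour (implausible travel), and an administrative session by an account not on the known-admin list (the Anthem pattern the post describes, where phished administrator credentials were the pivot).

```python
"""
Added illustration of identity-and-access analytics (not the post's own code).
Event schema, sample data and thresholds are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, ISO-8601 UTC. Field names are assumed.
SAMPLE_LOG = """
{"ts":"2015-04-20T08:00:00Z","user":"bob","src_ip":"203.0.113.5","geo":"US","result":"fail","role":"user"}
{"ts":"2015-04-20T08:00:05Z","user":"bob","src_ip":"203.0.113.5","geo":"US","result":"fail","role":"user"}
{"ts":"2015-04-20T08:00:09Z","user":"bob","src_ip":"203.0.113.5","geo":"US","result":"fail","role":"user"}
{"ts":"2015-04-20T08:00:12Z","user":"bob","src_ip":"203.0.113.5","geo":"US","result":"fail","role":"user"}
{"ts":"2015-04-20T08:00:14Z","user":"bob","src_ip":"203.0.113.5","geo":"US","result":"success","role":"user"}
{"ts":"2015-04-20T09:10:00Z","user":"alice","src_ip":"198.51.100.7","geo":"US","result":"success","role":"user"}
{"ts":"2015-04-20T09:40:00Z","user":"alice","src_ip":"192.0.2.33","geo":"RU","result":"success","role":"admin"}
{"ts":"2015-04-20T10:00:00Z","user":"carol","src_ip":"198.51.100.9","geo":"US","result":"success","role":"user"}
"""

FAIL_BURST = 3          # consecutive failures before a success that we treat as suspicious
TRAVEL_WINDOW_S = 3600  # two countries within an hour is physically implausible


def parse_events(text: str) -> list:
    """Parse JSON-lines auth events and sort them by time (logs rarely arrive in order)."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["t"])
    return events


def detect(events: list, known_admins=frozenset()) -> list:
    """Return (rule, user, detail) alerts, each attributable to a specific identity."""
    alerts = []
    fails = defaultdict(int)   # user -> consecutive failures since last success
    last_geo = {}              # user -> (geo, time) of last successful login
    for e in events:
        u = e["user"]
        if e["result"] == "fail":
            fails[u] += 1
            continue
        # Success path: the failures that preceded it are the interesting part.
        if fails[u] >= FAIL_BURST:
            alerts.append(("fail_burst_then_success", u,
                           f"{fails[u]} failures then success from {e['src_ip']}"))
        fails[u] = 0
        if u in last_geo:
            geo, t = last_geo[u]
            gap = (e["t"] - t).total_seconds()
            if geo != e["geo"] and gap <= TRAVEL_WINDOW_S:
                alerts.append(("impossible_travel", u, f"{geo} then {e['geo']} within {gap:.0f}s"))
        last_geo[u] = (e["geo"], e["t"])
        if e["role"] == "admin" and u not in known_admins:
            alerts.append(("unexpected_admin_use", u, f"admin session from {e['src_ip']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), known_admins={"carol"}):
        print(alert)
```

Each alert names the identity, not just a host or IP, which is what makes it actionable: the response is to suspend or step-up that account, and the rules compose, so alice's Russian admin session fires twice and would sort to the top of a queue.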
