gas stations exposed to cyberattacks: Researchers
A security researcher says malicious actors could theoretically shut down
over 5,300 gas stations in the U.S. because the automatic tank gauges (ATGs)
used to monitor fuel tanks are easily accessible via the Internet. ATGs are
electronic devices that monitor fuel level, temperature, and other parameters
in a tank. The devices alert operators in case there is a problem with the
tank, such as a fuel leak. The
researcher said there are approximately 5,300 ATGs nationwide (mostly located
in New York, Texas, Florida, Virginia, Illinois, Maryland, California,
Pennsylvania, Connecticut and Tennessee) that are accessible via the Internet
and without a password to protect them against unauthorized access.
of U.S. gas stations exposed to Internet attacks
The chief research officer at security firm Rapid7 says that over 5,000
devices used by gas stations in the U.S. to monitor their fuel tank levels can
be manipulated from the Internet by malicious attackers. These devices, known
as automated tank gauges (ATGs), are also used to trigger alarms in case of
problems with the tanks, such as fuel spills.
to hack, Sony requests financial filing extension
Sony's IT infrastructure has yet to recover from a cyberattack that
disrupted network operations, and now reportedly forced it to delay its Q3
financial reporting. Sony reportedly
said that its systems, including financial and accounting applications, won't
be restored until early February because of the “amount of destruction and
disruption that occurred, and the care necessary to avoid further damage by
prematurely restarting functions.”
elites warned about catastrophic cyberattacks
Attacks on power plants, telecommunications and financial systems, even
turning all of Los Angeles' traffic lights green: Davos elites were warned of
the terrifying possibilities of modern cyber terrorism. In the wake of the
cyberhack on Sony late last year, cybersecurity has been a hot button topic at
the four-day World Economic Forum in the swanky Swiss ski resort. The
conclusion, in one attendee's words: "Basically nothing is safe."
for cyber liability coverage grows in wake of high-profile breaches
Treasury & Risk
More companies are starting to purchase cyber liability insurance in the
wake of a string of high-profile data breaches. But it’s a relatively new type
of insurance, and policies can vary from carrier to carrier, so it behooves
companies to ask plenty of questions and make sure they understand what they’re
buying -- what the policy covers and where there may be gaps. A cyber liability
expert discusses the market growth, emphasizing the need for insurance
companies to offer larger single policies. Currently, in order to get $100
million worth of coverage, a company may need to secure policies with 10 to 15
different insurance carriers.
NSA efforts influenced U.S. stance on Sony attack
A report in The New York Times offers more insight on why the U.S.
government has taken its resolute stance in attributing the Sony Pictures
attack to North Korea. The article detailed the National Security Agency's
efforts to penetrate North Korea's cyber fortresses, which eventually succeeded
in 2010. Citing former U.S. and foreign officials, a recently disclosed NSA
document and security professionals privy to the operations, the Times said
that NSA “drilled into the Chinese networks that connect North Korea to the
outside world, picked through connections in Malaysia favored by North Korean
hackers, and penetrated directly into the North with the help of South Korea
and other American allies.”
emergency operating plan updated with cyberattack procedures
Idaho's director of homeland security said cyberthreats remain the
"most important and least understood risk" to government and the
private sector. He said the Idaho Bureau of Homeland Security is in the process
of updating Idaho's emergency operating plan, providing policies and procedures
for state agencies to follow in the event of a major cyberattack. The bureau,
together with the Pacific Northwest Economic Region, has also sponsored training
workshops. The intent is to help companies better understand the
vulnerabilities and learn how to respond.
cybersecurity center in Pennsylvania aims to help fend off attacks
In Pennsylvania, the Harrisburg University Government Technology
Institute’s Security Center for Excellence co-director believes he’s seeing a
wellspring of enthusiasm and interest from local leaders that gives him hope
about getting governments around the country better prepared for the inevitable
cyber attacks to come. Center leaders say they plan to focus on two major
levels: working with state and local governments to improve their approaches to
cyber security threats and in testing new methods and technologies to combat
these threats. A number of private sector firms are providing financial support
and offering their company resources and research to push forward the center’s
threats increase, new international net cops needed – Kaspersky to RT
With cyber-attacks on the financial sector and state sponsored attacks on
the internet on the up, a new international organization to police cyber space
is needed, Eugene Kaspersky, Chairman and CEO of Kaspersky Lab, said in an
interview. Kaspersky also discussed some
of the challenges facing his company.
Agencies face cyber risk in building access systems
The Government Accountability Office says the Department of Homeland
Security must do much more to improve the cybersecurity of access and control
systems in the thousands of buildings it operates. The GAO says DHS is not "assessing or
addressing cyber risk to building and access control systems particularly at
the nearly 9,000 federal facilities protected by the Federal Protective Service
(FPS),” and that DHS lacks a strategy
that “defines the problem, identifies roles and responsibilities … and
identifies a methodology for assessing this cyber risk.” The DHS division
responsible for physical security standards has not incorporated policies
related to cyber threats in building and access control systems, citing other
next at the 'Data Department'
In this interview, Lynn Overmann, who has been at the Commerce Department
for two months and is the department's first deputy chief data officer, discusses
her goal -- "to turbocharge our open data initiatives." Among other
things, she discusses the challenges she faces at Commerce and the possibility
of a department innovation lab.
to release draft standards for high-impact systems
Draft standards, due out the week of Jan. 26, will provide a baseline for
securing the federal government’s high-impact systems in the cloud. The move is
a huge step forward for agencies — which until now had been focused on securing
low- and moderate-impact cloud computing systems — in terms of how disrupted
systems may affect organizational operations and assets. Growing demand from
agencies seeking to reap the benefits of cloud computing has shifted the focus
to high-impact systems, which are those necessary to support agencies’
continuity of operations. Also included in that category are all cyber critical
infrastructure and key resources identified in agencies’ Homeland Security
Policy Directive 7 plans.
welcome cybersecurity talks with Obama
Federal cybersecurity received a much-needed boost last Congress with the
passage of five bills, but those measures fell short of setting clear
parameters for information sharing between the government and companies, as
well as across the private sector. The hope is that additional legislation will
enable real-time sharing, “with a speed and a sufficient depth that we can
effectively generate almost what I think of as the weather map for cyberspace
so that we actually know and have some visibility into what is happening,”
according to an administration official. House and Senate Republicans are open
to working with the president on cyber legislation, but they criticize his
students to play a key role in cybersecurity workforce initiative
The Post and Courier (Charleston, SC)
Cybersecurity programs offered at Charleston County (SC) schools are poised
to receive an infusion of resources through a new federally funded
cybersecurity consortium meant to create a workforce pipeline for the growing
field of cybersecurity. The consortium is part of a five-year $25 million grant
from the U.S. Department of Energy to grow cybersecurity programs at 13
historically black colleges and universities from five states, including seven
institutions in South Carolina. An official with Lawrence Livermore Laboratory,
which is among the consortium members, said the idea behind targeting minority
students is part of a larger goal to grow and diversify the talent pool for the
suggests most DoD networks susceptible to mid-grade cyber threats
Federal News Radio
A new Pentagon report on the Defense Department's major systems includes
some worrying assessments of DoD's overall cybersecurity posture: a troubling
proportion of its IT systems appear to be vulnerable to low- or
intermediate-level hackers, leaving aside the advanced persistent threats
everyone's worried about. The annual
report from the Office of Operational Test and Evaluation is most known for its
summarized assessments on the performance of dozens of individual weapons
programs. But a separate eight-page section dedicated to cybersecurity draws
some stark conclusions about DoD's overall defensive positioning.
every U.S. arms program found vulnerable to cyber attacks
Nearly every U.S. weapons program tested in fiscal 2014 showed
"significant vulnerabilities" to cyber attacks, including
misconfigured, unpatched and outdated software, the Pentagon's chief weapons
tester said in his annual report. He wrote, "The continued development of
advanced cyber intrusion techniques makes it likely that determined cyber
adversaries can acquire a foothold in most (DoD) networks, and could be in a
position to degrade important DOD missions when and if they chose to."
'one belly button' approach to IT services
Federal News Radio
The Defense Information Services Agency is undergoing a radical
transformation in how it serves its customers to achieve better collaboration
and coordination internally and across the military services and agencies. The
reorganization, announced Jan. 11, has been in the works for the better part of
a year. Lt. Gen. Ronnie Hawkins, DISA's director, said the new structure will
focus on five core tenets: Cybersecurity; Cloud; Collaboration; Command; and Control.
communications in Pacific stretched, tested
As the US Army deploys more troops to the Pacific, it’s running into the
limits of its long-range communications systems. The shortfall in comms
capacity is not only becoming an issue as the service ramps up its “Pacific
Pathways” exercises with Asian partners: It is also raising concerns about the
network’s resiliency against a cyber attack.
networks a top priority for U.S. military in Asia-Pacific
Thousands of U.S. soldiers train alongside troops from Southeast Asian
countries as part of a larger strategy to strengthen alliances in the region
and secure U.S. access to key seaports, airfields and bases during a crisis.
But despite a huge investment by the United States — in troops, military
trainers, logistics support and weaponry — throughout the Pacific theater,
there are persistent shortfalls in communications technology and data networks
that keep countries from sharing information and collaborating more closely.
Army takes next step to merge C2, intelligence traffic onto WIN-T
The Army's science and technology and acquisition communities have teamed
with the Army G-3/5/7, G2 and Cyber Command to provide senior leaders a closer
look into converging operational and intelligence traffic onto the Warfighter
Information Network-Tactical, or WIN-T, transport. Network Transport
Convergence describes the merging of command and control, intelligence,
logistics and medical systems onto a common network architecture.
report: How to defend against destructive malware
Prevent, detect, and contain: Those are the key overarching strategies for
combating data-destroying malware attacks, according to a new report issued
this month by the National Security Agency. The NSA's Information Assurance
Directorate (IAD) outlined key best practices for defending against such
attacks -- à la Sony or Saudi Aramco -- that require organizations to be
proactive rather than reactive to a cyberattack.
open source use heightens enterprise security risks
The data breaches disclosed earlier in January at Park ‘N Fly and
OneStopParking.com, two major airport parking services, highlight the
continuing risk that enterprises face from using open-source software in their
environments without a plan for managing it. Security experts say companies
often have little clue about the extent of third-party code in the enterprise
or the risks it poses.
framework helps companies quantify risk
The World Economic Forum has released a new framework that helps companies
calculate the risk of cyberattacks. The risk calculation has three components
-- an assessment of a company's vulnerabilities and defenses, the potential
cost of data breaches, and a profile of the attacker. Security experts praised
the framework's holistic approach towards cyberrisk.
In the past two years, cyberspace has clearly changed in ways that threaten
every online business, big or small. Startups now use the cloud infrastructure
that mature companies do, and quickly aggregate large, juicy caches of private
user data and payment credentials. As malware infestations scale to scour the
“long tail” of targets, they don’t discriminate between the Fortune 50 and the
TechCrunch 50. In fact, some increasingly common attacks — like DDoS extortion
— specifically target smaller, more vulnerable businesses, whose loose cowboy
cultures, shallow security expertise, fragile infrastructure and fresh capital
make for easy pickings.
cybersecurity will suffer the same fate in 2015 as it did in 2014
2015 is nearly three weeks young and we are likely to see more of the same
exposures as we did in 2014. Not much has changed in organizations. They are
fundamentally following the same tactics and techniques to ‘defend’ against
adversaries as they have for the past several years. Here are 12 areas that
continue to cause problems for the CISO and information security as a whole.
DMARC: The time is right for email authentication
Help Net Security
2015 will be the turning point for Domain-based Message Authentication,
Reporting & Conformance (DMARC) implementation by the guys on the other
side of the desk -- the world’s largest brands and email senders. The IETF
working group is currently putting together the draft specification, DMARC
policy deployment is increasing, and early adopter feedback is promising. Many
large enterprises will be able to realize huge benefits from converting their
domain’s email from a source of mistrust, spoofing, phishing and fraud to a
bastion of trust by deploying a DMARC policy – at no cost to the enterprise.
compliance not synonymous with security, panel says
None of the companies in a soon-to-be released Verizon report that
experienced a data breach “were fully PCI [Payment Card Industry Data Security
Standard] compliant at the time of breach,” according to an official at Verizon
Enterprise Solutions. In a preview of Verizon's "2015 PCI Compliance
Report," he said that only “28.6 percent of companies were PCI compliant
after one year,” indicating that many organizations “are seeing compliance as a
standalone exercise.” PCI 3.0 was released in November 2013 and all
organizations were required to start using it Jan. 1 of this year.
Global shares top secure identity trends for 2015
HID Global has issued its outlook on technology trends for 2015, as well as
other anticipated developments across key vertical industries in the secure
identity marketplace. The annual
assessment is intended to help organizations understand and take advantage of
the latest advances to improve security, convenience and the user experience.
CEO forecasts top 2015 identity management trends
Market Wired (news release)
The CEO of identity management company Avatier Corp. has released
predictions that indicate 2015 will focus on the age of identity management
authentication. Emphasizing the significant increase in breaches in 2014 and
the changing landscape of security, he notes, "In 2015, every industry
becomes a target, every identity vulnerability and every app a potential
host." He stresses that as the Enterprise of Things (EoT) unfolds,
enterprise information security will continue to shift from passwords and
access, to authentication and automation.
Demand for cyber insurance skyrockets
Demand for cybersecurity insurance is booming as a string of high-profile hacks and data breaches spurs explosive growth in what has suddenly become a $2 billion industry. “Off the charts,” Bob Parisi, the national cyber risk product leader at insurance firm Marsh, said of the spike in business. After two or three years of 35 percent to 50 percent growth, “we saw that pace looking like it was doubling, in some areas tripling” in 2014, Parisi said.
Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'
Charlotte (NC) Business Journal
Signaling the abundant and high-risk nature of hack-attacks, Bank of America Corp. CEO Brian Moynihan says the Charlotte-based lender has no spending limits in place for its cyber security teams. Moynihan says the cyber security teams for the nation's second-largest bank will spend more than $400 million this year. He says it's the first time in 20 years of corporate budgeting he has overseen a business unit with no budget.
IT buying experiments preview 'Acquisition of the Future'
Acquisition of the Future is an initiative that seeks to frame a vision in which acquisition creates significant new value for the government through fresh approaches, modern technologies and a new generation’s capabilities. Participants include a growing number of federal executives, industry leaders, notable academics and rising acquisition professionals who have been meeting since 2013 to create a framework for what federal acquisition can become, to meet the demands of the Collaboration Age -- and beyond.
Governments struggle to respond to hackers
Former CIA and NSA chief Michael Hayden recently said that the U.S. has not yet worked out how to fight in this new realm of cyber attacks and counter attacks. "We have not yet worked out a taxonomy" for action in the cyber domain like the U.S. has for land, sea and air warfare, he said. "How do you categorize an event in the cyber domain that tells you what is or is not a proportional response?"
FedRAMP to release draft standards for high-impact systems
Draft standards about to be released will provide a baseline for securing the federal government’s high-impact systems in the cloud and is a huge step forward for agencies — which until now had been focused on securing low- and moderate-impact cloud computing systems — in terms of how disrupted systems may affect organizational operations and assets. The Federal Risk Authorization Management Program (FedRAMP) office will release the draft standards for public comment Jan. 27 and hopes to finalize them by the end of 2015.
Goodrich: 'FedRAMP high' baseline coming soon
Federal Risk and Authorization Management Program Director Matthew Goodrich said Jan. 22 that a draft baseline for cloud computing systems that require FISMA high-impact level security is nearly ready for public comment. Currently, FedRAMP authorizes systems only at the low- and moderate-impact levels set by FISMA. But adding high-impact cloud systems is part of the FedRAMP roadmap, and Goodrich said his office is also open to establishing other baselines if there is sufficient agency demand.
Science and Technology Directorate wants to talk
The Department of Homeland Security's Science and Technology Directorate has begun casting a wider net in its hunt for innovative security technologies. S&T launched a new public engagement strategy Jan. 12 that it calls the National Conversation on Homeland Security Technology, to inject new, outside innovators into its tech development processes. The program comprises a series of online and in-person discussions aimed at fostering discussions among the public, first responders, industry representatives, academia and government officials that will shape the agency's technology.
Vice President Biden announces $25 million in funding for cybersecurity education at HBCUs
The White House - Office of the Vice President (news release)
Vice President Biden and other Administration officials traveled to Norfolk State University in Norfolk, Va. Jan. 15 to announce the Department of Energy will provide a $25 million grant over five years to support cybersecurity education to meet the demand for skilled cyber professionals through creation of a new cybersecurity consortium consisting of 13 Historically Black Colleges and Universities (HBCUs), two national labs, and a K-12 school district. Here are some of the details of the initiative.
Experts say to expect action after State of the Union cyber shout out
After a week of cybersecurity-related congressional proposals, speeches and global talks, President Barack Obama's one-paragraph mention of cyber in the State of the Union address may have seemed a bit anticlimactic, but some Capitol Hill denizens expect Obama's 14-page legislative offer to speak for itself and gain momentum. Within the next month, several congressional committees are expected to introduce legislation that speaks to Obama's proposal, in some shape or form.
Does President Obama's bid to bolster cyber security go far enough?
President Obama is urging Congress to pass cyber security reforms, including legislation to increase information sharing among private companies and the government, introduce new penalties for cyber criminals and streamline data breach notification laws. While many agree the proposals would be a positive step, some industry leaders argued that the government’s efforts are too little, too late and mostly focus on what happens after a breach has already taken place, rather than how to prevent them.
State of the Union address disappoints security experts
In his State of the Union address Tuesday night, President Barack Obama promised to protect a free and open Internet and urged Congress to pass cybersecurity legislation, but the lack of concrete movement forward was a disappointment for many security experts. The proposed cybersecurity legislation touched on several important issues, but there was doubt as to whether it could be passed, and, if passed, if it would do any good.
President's plan to crack down on hacking could hurt good hackers
President Obama dedicated more time on cybersecurity than any other president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many in the security community believe the president's proposed legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.
Is Barack Obama a cybersecurity leader?
Gov Info Security - The Public Eye (blog)
When President Obama unveiled his latest cybersecurity legislative initiative and began to promote it in a series of speeches, culminating in his State of the Union address, I began to look at his latest proposals and his actions over the past six years. With this in mind, I pondered and asked others whether he was a true leader in the cyber dominion. The responses varied, and determining whether Obama is a true cybersecurity leader could be shaded by one's own agenda.
What government can (and can’t) do about cybersecurity
Dark Reading (commentary)
President Obama has recently proposed a number of interesting, if not terribly novel, proposals, which are reviewed in this article. These proposals are not very likely to have a substantial effect on the software market. They are all reactive, attempting to target the bad guys rather than focusing on enhancing our own defenses. We are capable of producing radically more secure software than we do today, but we’re going to have to raise the bar for developers everywhere.
DHA readies $10 billion IT contract
The top procurement manager at the Defense Health Agency said DHA is in the final stages of developing a solicitation for an indefinite-delivery, indefinite-quantity IT services contract worth as much as $10 billion over five years. The agency will hold its last industry day for the Health Information Technology Services IDIQ contract on Feb. 17, and the final solicitation is expected in the third quarter of 2015.
DoD intel chief Vickers gives cyber premier priority status
Federal News Radio
Cybersecurity for the intelligence community has become what terrorism was in the early 2000s — an all-encompassing priority. So much so that Michael Vickers, the undersecretary of Defense for intelligence, is making cybersecurity transformation the hallmark of his tenure. Vickers' recent comments voicing concern about the cybersecurity of space systems is also a fairly new focus for the intelligence community.
Dempsey: Cyber vulnerabilities threaten national security
Cyber vulnerabilities in the private sector pose a serious threat to national security, the chairman of the Joint Chiefs of Staff said recently. While military cyber defenses are formidable, civilian infrastructure and businesses often are targeted first and "present a significant vulnerability to our nation," Army Gen. Martin E. Dempsey said. He also urged passage of cyber legislation to protect the nation and to allow information sharing between the government and the private sector while safeguarding civil liberties.
Bold Alligator training elevates cyber as a domain
C4ISR & Networks
A training exercise held late last year incorporated new cyber concepts into the combat scenario, seeding radio traffic meant to simulate the radio noise of a populated area with a stream of nefarious messages. The purpose of the Bold Alligator 14 exercise was to train the Marines taking part to identify and interpret the chatter that could help them know when the enemy planned to attack. About 11,000 Marines, U.S. sailors and members of other nations' navies took part in the exercise, held in November off the coasts of Virginia and North Carolina.
DoD: CENTCOM hack to have no effect on social media policy
C4ISR & Networks
Despite the high-profile Jan. 12 hacking incident that resulted in the takeover of U.S. Central Command's official Twitter and YouTube accounts, Defense Department officials called for passwords to be changed at more than 50 Office of the Secretary of Defense-level social media accounts, but said they have no plans to reevaluate policy on the use of social media. Currently, official DoD social media accounts are subject to guidance from September 2012 that outlines military members' use of social media.
Feds roll out secure card tech
The GSA will soon begin issuing new charge cards equipped with a microchip and requiring users to enter a PIN instead of a signature. Cards with those technologies are considered to be more secure than credit and debit cards with magnetic strips, which are much more common in the U.S. The new chip-enabled cards will be used by more than 350 agencies, organizations and tribal governments for purchases, travel and other purposes, and more than 1 million new cards are expected to be issued this year. Retailers have long pushed for financial services companies to switch to the new chip technology in combination with a PIN, and these calls have only mounted amid recent high-profile data breaches.
Survey says young people ready to replace passwords with biometrics
A new survey reveals that 76% of 16- to 24-year-olds surveyed in the U.K. are ready to replace passwords with biometric authentication methods such as facial recognition, fingerprint and retina scanning. Survey respondents said that they would prefer using fingerprint scanning over all the other biometric payment methods available to consumers, with 70% predicting that this will be the primary form of identification by 2020. The report also found that 39% of respondents are interested in using retina scans and 27% opted for facial recognition.
N.S.A. tapped into North Korean networks before Sony attack, officials say
The New York Times
The trail that led U.S. officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the NSA scrambled to break into North Korean computer systems. Spurred by growing concern about North Korea’s maturing capabilities, the NSA reportedly drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other U.S. allies. A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers.
Reports: Leaked documents show China hacked F-35 plans
Leaked documents reportedly show that Chinese spies hacked large amounts of data relating to the design of the F-35 Joint Strike Fighter jet. Media reports suggest the alleged cyber theft is revealed in documents leaked to the German magazine Der Spiegel by former US security analyst Edward Snowden about the stealth aircraft developed by Lockheed Martin.
Cyber warfare: Capitol staffers aren’t ready
Capitol Hill’s networks are under constant cyber attack. But the thousands of men and women who keep Congress running every day are committing the basic cybersecurity mistakes that attackers can exploit to do harm. Interviews with nearly a dozen current and former staffers, as well as congressional IT security staff, reveal a typical array of poor cyber habits.
China suspected of cyberattack on Microsoft
The Chinese government could be behind a cyberattack on Microsoft’s email system in China, according to GreatFire, a nonprofit that monitors censorship in China. GreatFire believes the email site Outlook.com was subjected to a so-called man-in-the-middle attack, in which hackers insert themselves into systems to eavesdrop while relaying messages between users. The attack lasted most of the day January 17, GreatFire said.
US, UK to stage joint cyber 'war games' to ramp up cyberdefenses
The Associated Press
The United States and the U.K. will stage cyber "war games" together, starting this year, to boost both countries' resistance to cyberattacks, Britain's government announced Jan. 15. The two Western powers have also agreed to launch a joint "cyber cell" to share information on cyberthreats, as both countries seek to ramp up their cyberdefenses in the wake of alarming attacks. The FBI and the National Security Agency will be involved, along with Britain's GCHQ and MI5 intelligence and security agencies.
Britain announces new support for cyber security firms
Global Times (U.K.)
The British government has announced a series of new measures to help its businesses face the "cyber security challenge" and support its cyber security firms to tap into the US market. A group of 12 British cyber security firms were to travel to Washington to meet a host of US businesses, in a bid to win more British business for the growing sector. As part of the new measures, Britain appointed a new cyber security envoy to help British small businesses and first-time exporters promote their business interests across the U.S.
19,000 French websites suffer cyber attack in ‘unprecedented surge’
Around 19,000 French websites have been attacked in the last few days by “more or less structured” groups, according to France’s cyber defense chief. The attacks were primarily minor denial-of-service attacks and hit a wide range of websites. Some of the attacks are believed to be the work of well-known Islamist hacker groups and are thought to be a response to Anonymous’ vow to avenge the Paris shootings. The hackers’ messages have appeared on multiple French sites, so it is likely that the attackers broke in by exploiting a flaw in a widely used platform or another common security weakness.
North Korea's official news website serves malware
Users who visited the site of the state-run North Korean news agency, to see the country's response to the Sony hacking accusations or for other reasons, might want to scan their computers for malware. A security researcher found that the site hosts a malicious file. One security expert said a quick look at the executable files suggests that the malware might steal passwords from browsers, and that it might also do other things, but more time is required to perform a thorough analysis.
New year, new threats: Electronic health record cyberattacks
The recent flood of cyberattacks shows that hackers are relentless and more sophisticated than ever before. And there is another cyber-risk that is looming and warrants the attention of our emergency management community and government: electronic health records. The American Recovery and Reinvestment Act of 2009 authorized the federal government to incentivize EHRs, but as health-care providers have installed EHRs, the number of cyber threats and attacks against them has grown.
Obama's proposed data breach notification law bodes well for businesses
Security Info Watch
President Obama wants Congress to pass legislation that would create a new federal standard for data breach notification. Under the proposal, companies would be required to inform customers within 30 days if their personal information had been compromised as the result of a breach. Rather than having to navigate various state laws, it would create a single standard for organizations to follow. Some believe that this newly proposed legislation would actually be of greater benefit to businesses than consumers.
Malware getting more advanced, easier to use in 2015
Reports of breaches at private companies and federal agencies piled up throughout 2014. While security officials scramble to shore up defenses and shorten response time, experts say the malware threat is only going to get more sophisticated and easier to deploy in 2015. Much of the discussion in 2014 centered on leaks from insiders, whether malicious or accidental. However, of the 10 breaches and vulnerabilities reported by federal agencies in 2014, eight were a direct result of hackers attempting to put malware on government systems.
Industry backing Obama's cybersecurity agenda
Cybersecurity will be a focal point of President Obama's State of the Union address, including a proposal to standardize how private companies share and report information on cyber crime. The administration is also planning to create private-sector Information Sharing and Analysis Organizations (ISAOs) to manage threat reporting and disseminate important information and offer limited liability protection to companies that participate. Some 70 percent of private sector cybersecurity professionals agree or strongly agree with the president's proposal, according to a survey by the Information Systems Audit and Control Association (ISACA).
State of the Union: Ready for bipartisan cyber action
This should be the year that significant bipartisan progress is made on cybersecurity legislation, with new laws set to pass on issues ranging from data breach notification to sharing sensitive cyber intelligence between the public and private sectors. In fact, since President Obama and Republican congressional leaders can't agree on much else, cybersecurity action is moving to center stage. When President Obama delivers his seventh State of the Union address, cybersecurity plans will be one of many topics but cyber action is at the top of a short bipartisan “to do” list after years of disagreements and dashed expectations.
Vice President Biden visits Norfolk, Va., talks cybersecurity
Vice President Biden visited Norfolk State University Jan. 15 to highlight a program that will give historically black colleges and universities millions of dollars to train students for jobs in cybersecurity. NSU will be the lead campus in a new consortium that will include 12 other historically black colleges, two national research labs and a school division in South Carolina. The Department of Energy will supply the national cybersecurity consortium with $25 million in grants over the next five years.
Proposed U.S. cyber-security legislation worries researchers
Changes proposed by the Obama Administration to a variety of laws used to prosecute cyber-crime have raised concerns among security professionals and vulnerability researchers, who worry that activities meant to improve security could lead to criminal charges. Security researchers said the proposed changes could make accessing public documents illegal if the owner would not have approved, create stricter punishments for anyone convicted of a cyber-crime, and allow the government to seize assets linked to cyber-crimes, all of which could have a chilling effect on researchers' activities.
Toward better privacy, data breach laws
Krebs on Security
President Obama has outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.
Sony hack is a corporate cyberwar game changer
The 2014 cyberattack on Sony Pictures, which the FBI has attributed to North Korean hackers, represented a major escalation in digital hostilities that could reignite the long-simmering policy debate over how to better protect systems in the public and private sectors, a panel of former top intelligence officials said Jan. 15. As the purported work of hackers representing a nation-state, the incident was the rare breach of a private-sector network where the intruders destroyed troves of corporate data. The question now is how the administration and Congress will respond.
Lawmakers, former officials debate next move in cyberspace
The conversation in Washington has moved from North Korea's alleged complicity in the hack of Sony Pictures Entertainment to whether the Obama administration has responded effectively to the hack, and whether it needs more tools from Congress to do so. President Obama's vow of a "proportional" response to Pyongyang’s alleged cyber siege on Sony Pictures raises the possibility of the U.S. carrying out its own cyberattack, a scenario the administration has planned for via U.S. Cyber Command.
What do DISA’s new cloud security requirements mean for classified information?
The Defense Information Systems Agency has released updated cloud security requirements, consolidating six previous “impact levels” of information sensitivity into four in an effort to simplify the process for cloud providers and the Defense Department alike. That follows recent moves by DISA to speed up the pace at which DoD customers can explore opportunities in the cloud. In addition to creating security requirements, DISA will still play an active role in the development of cloud access points – the physical connections where information will be exchanged between DoD networks and the cloud.
DISA releases cloud security requirements guide
The Defense Information Systems Agency has released a security requirements guide laying out the criteria for commercial and non-Defense Department cloud providers to operate within DoD. The SRG stipulates the policies, requirements, and architectures for DoD mission owners’ use of commercial cloud. In an interconnected commercial world in which more than one party might be involved in a cloud offering, the SRG makes clear that security responsibility ultimately lies with the primary cloud provider.
DISA reorg to emphasize collaboration, cyber, cloud
C4ISR & Networks
As part of ongoing efforts to reorganize DISA, officials are emphasizing efficiency and effectiveness through DoD-wide partnerships to streamline defense IT operations. The reorganization includes four centers -- business and development, implementation and sustainment, resource management and operations -- to centralize requirements and analyses within organizations, as well as communications efforts, engineering, solutions, development, testing and evaluation. DISA's reorganization also hinges on launching the Joint Force Headquarters – DoD Information Networks and on close collaboration among at least 39 Defense organizations.
A new era in DoD cyber defense begins
Federal News Radio
The Defense Information Systems Agency is launching a new cyber defense organization, the Joint Task Force-DoD Information Networks, as part of a broader DISA reorganization effort. For DISA, the reorganization is centered on making the agency more responsive to its customers' needs by becoming more agile and adaptable. But it's the JTF-DoDIN that likely will have the more immediate impact. The new cyber organization will take over the network operations and defensive work from U.S. Cyber Command.
New rules could speed up DoD cloud migration
Until now, the Defense Department has trailed considerably behind civilian agencies when it comes to taking advantage of new commercial cloud capabilities, namely because of stringent procurement and security rules. But that's about to change. Pentagon leaders last month announced new procurement rules that empower DoD agencies to buy cloud services more quickly and easily. And this month, tight security rules that effectively closed off the option of using public cloud services in most cases were loosened. Experts say the changes will set in motion a flurry of projects across the Defense Department to migrate networks, data and applications to the cloud.
U.S. Cyber Command, NSA commander discusses state of cyber efforts
Navy Adm. Michael S. Rogers, commander of U.S. Cyber Command and NSA director, told a West Point audience Jan. 9 how the Army is helping to meet the demands of the cyberspace domain in which the nation operates. Rogers said that by the end of fiscal year 2016, USCYBERCOM will have created a dedicated cyber mission force made up of approximately 6,200 people, formed into 133 teams with three missions: defending the DoD information network; providing support to Combatant Commanders; and, when directed by the president or the defense secretary, applying DoD capability to defend critical U.S. infrastructure against cyber attacks.
Do as I say, not as I do: Most law firms lack adequate cyber protection
Property Casualty 360
For law firms, protecting the confidential data of clients and the firm is imperative, as any unintended leak of information related to intellectual property or a prominent legal case can be disastrous. A security breach could potentially harm business transactions, halt a pending merger or acquisition, or damage relationships. Furthermore, firms could face the financial burdens associated with the expenses following a breach. Yet many law firms are unprepared for a significant event, a new survey reveals.
The cost of malware containment
Help Net Security
Enterprises spend $1.3 million a year dealing with false positive cyber security alerts, which equals nearly 21,000 hours in wasted time. The Ponemon Institute surveyed over 600 US IT and IT security practitioners to help understand the true cost of dealing with today’s volume of malware threats. Organizations receive an average of nearly 17,000 malware alerts per week, but only 19% are deemed reliable or worthy of action. This can distract security teams from dealing with threats that actually can lead to compromise. Respondents also believe their prevention tools miss 40% of malware infections in a typical week, and the longer malware goes undetected, the greater the risk of a breach.
Top enterprise GRC and security predictions for 2015
The threat landscape has changed, and hackers' motivations are now more complicated than ever -- putting companies at even greater risk. So the question was posed to SearchCompliance GRCChat participants: Where does this leave today's organizations as they struggle to improve enterprise governance, risk and compliance (GRC) and security processes to better protect both corporate and personal information?
2015 will see a shift from identity management to identity access security
CA Technologies has announced five key trends for security and identity and access management (IAM) that will impact organizations and security professionals in 2015 as they compete in the application economy. Here's what the firm sees for the coming year.