Security

STATE OF CYBERSECURITY 2018

LEARN ABOUT SEVERAL CLEAR CHALLENGES ENTERPRISES ARE FACING

For the fourth year in a row, ISACA has surveyed security leaders worldwide to determine their insights and experiences with key cybersecurity issues, ranging from workforce challenges and opportunities to the emerging threat landscape.

Part 1 of the report is now available and provides key insights into the current trends in the threat landscape. Among the findings:

  • Overall results confirm that cybersecurity remains dynamic and turbulent as the field continues to mature
  • Skill challenges remain but are better understood
  • Gender disparity is present but can be mitigated
  • It is predicted that budgets will increase at a higher rate than last year: 64% of respondents indicate that their security budgets will expand
  • Confidence in preparedness is increasing but organizational alignment is inconsistent

Download your FREE copy of the White Paper – State of Cybersecurity 2018, Part 1 to see how your experience compares to the findings.

Source: CSX

Security

13 BIG CYBERSECURITY IDEAS FOR THE CISO BY CISOS

Peers are a great source of information for the CISO because they are tackling the same security problems in different ways. Taking note of what they are doing is useful for replicating their successes in your own organization.

We recently sifted through dozens of interviews with, and reports about, CISOs to uncover several knowledge gems. The emphasis highly effective CISOs place on the less tangible aspects of the job – leadership, culture and business savvy, for example – is readily apparent.

What follows below is a roundup of useful comments, facts, and statistics – big cybersecurity ideas – for the CISO by CISOs.

1) Businesses do not exist to provide information security

It’s all too easy for security leaders to forget that the business of their business isn’t security – it’s to fulfill customer demand for products or services:

“It is very easy to fall into a myopic view and focus strictly on information security without taking into consideration what is it ultimately that the organization is trying to accomplish strategically. So, keeping that front and center for our teams helps not only enable the business but keeps us all grounded because we, as a company, we exist because we sell toothpaste and tennis shoes and all of those things that customers count on us to provide. At the end of the day, we’re not in the information security business. So, the day that information security makes that prohibitively difficult, there is really no reason for us to be here, so we have to keep that organizational mission front and center.”

– Jerry Geisler, SVP & Global CISO, Walmart; source: Walmart’s Jerry Geisler on the CISO position, retail challenges by Kathleen Richards.

2) Understanding how IT supports the business

More than just understanding the IT infrastructure, security leaders need to understand how that infrastructure supports the business. While this comment stems from a healthcare security leader, it has broader applicability for any vertical market:

“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization.”

– Mark Beckmeyer, Director of IT Security, Binary Fountain; source: Securing healthcare organizations: The challenges CISOs face by Zeljka Zorz.

3) Articulating the value of cybersecurity to the business

In business, cybersecurity is often seen as a cost. Yet one security leader found his experiences in government helped him translate the value of security in business:

“Cybersecurity is all about the management of enterprise risk. The value a CISO and security department provides to the company is the continuous management of this risk so the business units that directly generate revenue can focus on being innovative and helping the company meet its strategic objectives. So my value is risk management as a service: We support the business units so they can focus on what the business needs, and together we are all successful.”

– Gary Hayslip, CISO, Webroot; source: A Career CISO’s 7 Observations on Public vs. Private Sector via TechWire.

Note: Mr. Hayslip co-authored a two-volume CISO Desk Reference Guide.

4) Managing security to your organization’s tolerance for risk

Experts say cybersecurity boils down to an exercise in risk management – the probability of an event combined with the severity of its impact. Investors might add another factor: tolerance, which is why this commentary from a CISO at a big investment bank is so relevant:

“To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the ‘Are we secure?’ question is somewhat misguided. The question should be: ‘Are we managing risk according to our risk profile?’ To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.”

– Israel Bryski, Vice President, technology risk, Goldman Sachs; source: 8 Tough Questions Every CISO Should Be Ready to Answer by Joan Goodchild.

5) Translating security risk into business decisions

Some researchers say the best CISOs learn to lead without authority. It’s a nod to the idea that ultimately, successful security leaders identify and articulate the risks to business leaders so they can make the right decisions:

“It’s very important that the CISO take the time to translate the enterprise security/risk/compliance needs into what executives can assimilate and make the decision.”

– Rebecca Wynn, Head of Information Security and DPO, Matrix Medical Network; source: Leading Cyber Security Execs Describe CISO ‘Toolkits’ by Dan Gunderman.

6) Security leaders and technology leaders need leadership parity

Business wants to innovate – to deliver a service or make a product better and faster. Yet faster comes with risks and someone needs to examine those risks and pump the brakes when the risk exceeds the business’ tolerance level:

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play.”

– Anthony Belfiore, CSO, Aon PLC; source: Companies Unleash CISOs from Ties to Tech Chiefs by Kate Fazzini.

7) A “security first” culture is a path to business efficacy

A “security first” approach is derived from culture and a security-conscious culture may enable a business to favor efficacy over stronger prohibitions and rigid policies:

“We’re not a blocker unless it’s absolutely essential. What I’m aiming for is when security does ‘say no’, the people take it seriously, because it’s so rare that they know it’s a serious occurrence.”

– Kevin Fielder, CISO, Just Eat; source: Just Eat’s first CISO is building security in from the ground up by Tom Allen.

8) Best-of-breed tools may help ward off future threats

The security tools fielded yesterday were designed to defend against yesterday’s threats. That’s why cybersecurity inherently involves economics. It may also be part of the case for best-of-breed tools aimed at modern threats:

“As the threat landscape changes, some of the things that we think are a priority today may have a different priority tomorrow. And that’s part of the reason why when we have a vendor come in and do our security operations center, we will have the best-of-breed tools that will allow us to evolve in the next five years to deal with the current threats.”

– Marcelo Peredo, CISO, City of San José; source: San Jose’s first CISO braces for ubiquitous connectivity by Colin Wood.

9) The toughest questions a CISO must answer

Security leaders are often faced with difficult questions. A group of CISOs narrowed down what is surely a long list to the top five – as compiled by Kudelski Security:

> “Are we secure?”
> “How do we know if we have been breached?”
> “How does our security program compare to peers within the same industry?”
> “Do we have enough resources for our cybersecurity program?”
> “How effective is our security program, and is our current investment strategy aligned to it properly?”

– Survey of CISOs; source: The 5 most challenging questions CISOs face and how to answer them by Macy Bayern.

10) The 4 “Tribes” of CISOs

Personality tests strive to group people into categories based on characteristics, habits and communication style. Doing so is intended to provide insight into our preferences and weak spots so we can improve. A research project by Synopsys did something similar for the CISO “based on factors related to workforce, governance, and security controls.” The research found CISOs can be grouped into one of four tribes:

> Tribe 1: Security as an Enabler;
> Tribe 2: Security as Technology;
> Tribe 3: Security as Compliance; and
> Tribe 4: Security as a Cost Center.

– CISO research project; source: Which CISO ‘Tribe’ Do You Belong To? by Kelly Sheridan.

11) What CISOs think makes CISOs successful

New York University Professor Nasir Memon once observed that security isn’t just a technical problem, but a legal problem, a policy problem and, perhaps most importantly, a human behavior problem. CISOs, it seems, agree with that assessment, according to a survey of CISOs by the Enterprise Strategy Group and ISSA. The top skills CISOs say influence the success of a CISO are as follows:

> 54% say leadership skills;
> 49% say communications skills;
> 44% say strong relationships with executives;
> 33% say management skills; and
> 21% say technical skills.

– Survey of CISOs; source: What makes CISOs successful? by Jon Oltsik.

12) Individual consequences for getting phished?

While attacks have grown more sophisticated, many begin with the same initial stage: phishing emails. The organization can pay a heavy price when an individual gets phished, and some say the risk and consequences should be shared:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”

– Paul Beckman, CISO, U.S. Department of Homeland Security; source: DHS infosec chief: We should pull clearance of feds who fail phish test by Sean Gallagher.

13) One upside to a breach: a learning moment

Once a breach has occurred, the dynamics between security and business may change. A breach is a learning moment that makes conveying the message about the importance of security easier.

“One of the things that I really love about being a CISO in a post-breach environment is it gives you such an immense opportunity to drive fundamental, meaningful change in a very short timeframe. I felt like I did good things when I was at Los Alamos or at NASA, but it takes so frickin’ long to push some of this stuff. The barriers you face at any company not post-breach is you’re always fighting for budget, you’re always fighting for face time, trying to justify and convince people about the importance of security and risk management. When you’re in a post-breach environment, everyone already knows that it’s critically important.”

– Jamil Farshchi, CISO, Equifax; source: Equifax’s Security Overhaul, a Year After Its Epic Breach by Lily Hay Newman.

Security

HACKERS FOUND A (NOT-SO-EASY) WAY TO MAKE THE AMAZON ECHO A SPY BUG

Since smart speakers like the Amazon Echo first began to appear in homes across the world, the security community has come to see them as a prime target. But that threat has remained largely hypothetical: No Echo malware has appeared in the wild, and even proof-of-concept attacks on the devices have remained impractical at best.

Now, one group of Chinese hackers has spent months developing a new technique for hijacking Amazon’s voice assistant gadget. It’s still hardly a full-blown remote takeover of those smart speakers. But it may be the closest thing yet to a practical demonstration of how the devices might be silently hijacked for surveillance.

At the DefCon security conference Sunday, researchers Wu Huiyu and Qian Wenxiang plan to present a technique that chains together a series of bugs in Amazon’s second-generation Echo to take over the device and stream audio from its microphone to a remote attacker, while offering no clue to the user that the device has been compromised.

Echo owners shouldn’t panic: The hackers already alerted Amazon to their findings, and the company pushed out security fixes in July. Even before then, the attack required some serious hardware skills, as well as access to the target Echo’s Wi-Fi network—a degree of difficulty that likely means it wouldn’t be used against the average Echo owner. But the effort nonetheless sheds new light on how an Echo eavesdropping technique might work against a high-value target.

“After several months of research, we successfully break the Amazon Echo by using multiple vulnerabilities in the Amazon Echo system, and [achieve] remote eavesdropping,” reads a description of their work provided to WIRED by the hackers, who work on the Blade team of security researchers at Chinese tech giant Tencent. “When the attack [succeeds], we can control Amazon Echo for eavesdropping and send the voice data through network to the attacker.”

The researchers’ attack, though already patched, demonstrates how hackers can tie together a devious collection of tricks to create an intricate multistep penetration technique that works against even a relatively secure gadget like the Echo. They start by taking apart an Echo of their own, removing its flash chip, writing their own firmware to it, and re-soldering the chip back to the Echo’s motherboard. That altered Echo will serve as a tool for attacking other Echoes: Using a series of web vulnerabilities in the Alexa interface on Amazon.com that included cross-site scripting, URL redirection, and HTTPS downgrade attacks—all since fixed by Amazon—they say that they could link their hacked Echo with a target user’s Amazon account.

If they can then get that doctored Echo onto the same Wi-Fi network as a target device, the hackers can take advantage of a software component of Amazon’s speakers, known as Whole Home Audio Daemon, that the devices use to communicate with other Echoes in the same network. That daemon contained a vulnerability that the hackers found they could exploit via their hacked Echo to gain full control over the target speaker, including the ability to make the Echo play any sound they chose, or more worryingly, silently record and transmit audio to a faraway spy.

That requirement that the victim and attacker be on the same Wi-Fi network represents a serious limitation to the attack. It means that, even after some serious hardware hacking, an Echo attacker would have had to know a target’s Wi-Fi password or otherwise gain network access. But the researchers argue that an Echo spy could potentially brute force the Wi-Fi password, trick a victim into installing their altered Echo themselves and linking it to their Wi-Fi, or the attack could be performed on Echoes in environments with more widely shared passwords, like hotels and schools.

When WIRED reached out to Amazon about the attack, the company responded in a statement that “customers do not need to take any action as their devices have been automatically updated with security fixes.” The spokesperson also wrote that “this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware.”

That last point, to be clear, isn’t as comforting as it sounds. The hackers would have had to have access to the victim Echo’s Wi-Fi, but would only need hands-on physical access to their own Echo, which they could alter to create their attack tool in the privacy of their lab.

The research also raises the specter of more direct physical access attacks on a victim’s Echo, if a hacker can manage to get some alone time with it in the target’s home or hotel room. The researchers mention in passing that they were able to alter the firmware of their own Echoes in just minutes, suggesting that they might be able to physically plant spyware on a target Echo just as quickly. “After a period of practice, we can now use the manual soldering method to remove the firmware chip…from the motherboard and extract the firmware within 10 minutes, then modify the firmware within 5 minutes and [attach it] back to the device board,” they write. “The success rate is nearly 100 percent. We have used this method to create a lot of rooted Amazon Echo devices.”

The Tencent researchers aren’t the first to demonstrate techniques that transform Echos into spy tools. British hacker Mark Barnes last year published a technique that uses physical access to a first-generation Echo to install malware on it via metal contacts accessible under its rubber base. Researchers at security firm Checkmarx later showed they could hijack an Amazon Echo remotely, but only when its owner downloads the attacker’s software extension—what Amazon calls a “skill”—to their device, the equivalent of sneaking a malicious Android app into the Google Play Store and tricking users into downloading it. Unlike the Tencent hackers’ work, neither earlier technique represented a targeted, over-the-network Echo-hacking technique.

A truly remote Echo hack wouldn’t be easy, says Jake Williams, a former member of the NSA’s elite hacking team Tailored Access Operations. He points out that the devices primarily accept only voice input and cloud communications via an encrypted connection with Amazon’s server, creating a very limited “attack surface” for hackers to exploit. Hence the Tencent researchers’ clever use of Amazon’s Echo-to-Echo communications instead.

But if spies could compromise a smart speaker like the Echo, it would make a powerful surveillance device, Williams notes. Unlike a phone, for instance, it picks up sound not only directly next to the device, but anywhere in earshot. “These smart speakers are designed to pick up all the noises in the room, listen and transcribe them,” says Williams. “As a result they’d make phenomenal listening devices if you can exploit them.”

Even the Tencent hackers’ work doesn’t prove that eavesdropper’s dream has come true just yet. But you’d be forgiven for eyeing your Echo warily in the meantime.

News

HTTP SECURITY CONSIDERATIONS – AN INTRODUCTION TO HTTP BASICS

HTTP is ubiquitous now, with pretty much everything being powered by an API, a web application or some kind of cloud-based, HTTP-driven infrastructure. With that, HTTP security becomes paramount, and to secure HTTP you have to understand it.

HTTP is the protocol that powers the web, and to test a web service it pays to have a solid foundational understanding of HTTP: how it works and the common response codes, many of which can point to an exploitable vulnerability.

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.

Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. HTTP is the protocol to exchange or transfer hypertext.

Development of HTTP was initiated by Tim Berners-Lee at CERN in 1989. Standards development of HTTP was coordinated by the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), culminating in the publication of a series of Requests for Comments (RFCs). The first definition of HTTP/1.1, the version of HTTP in common use, occurred in RFC 2068 in 1997, although this was made obsolete by RFC 2616 in 1999 and then again by the RFC 7230 family of RFCs in 2014.

Source: Wikipedia

From a security perspective it’s important to understand:

– Requests
– Request methods
– Responses
– Response status codes

All of which are covered in the Security-focused HTTP article by Acunetix.
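As an added example (not code from this post or from the Acunetix article), here is a small, strict HTTP/1.1 message parser that pulls out the four items listed above: the request line with its method, the headers, the response status line, and the class of the status code. The sample request and response are constructed for the example; rejecting duplicate headers and a mismatched Content-Length is a deliberate strictness choice, since ambiguous framing is what a tester looks for first.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not taken from the original article).
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /dashboard\r\n"
    b"Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Standard request methods (RFC 7231 plus PATCH from RFC 5789).
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict   # lowercased field name -> value
    body: bytes


def parse_message(raw: bytes) -> HttpMessage:
    """Split a complete HTTP/1.x message into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of headers (CRLF CRLF)")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No empty names, no whitespace around the name (RFC 7230 forbids it).
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        if key in headers:  # strict choice: duplicates make framing ambiguous
            raise ValueError(f"duplicate header: {name}")
        headers[key] = value.strip()
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length does not match body size")
    return HttpMessage(lines[0], headers, body)


def parse_request(raw: bytes):
    """Return (method, target, version, message) or raise ValueError."""
    msg = parse_message(raw)
    parts = msg.start_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {msg.start_line!r}")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError(f"unknown method: {method}")
    if not re.fullmatch(r"HTTP/1\.[01]", version):
        raise ValueError(f"unsupported version: {version}")
    if version == "HTTP/1.1" and "host" not in msg.headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return method, target, version, msg


def parse_response(raw: bytes):
    """Return (version, status_code, reason, message) or raise ValueError."""
    msg = parse_message(raw)
    m = re.fullmatch(r"(HTTP/1\.[01]) (\d{3}) ?(.*)", msg.start_line)
    if not m:
        raise ValueError(f"malformed status line: {msg.start_line!r}")
    return m.group(1), int(m.group(2)), m.group(3), msg


def status_class(code: int) -> str:
    """Map a 3-digit status code to its RFC 7231 class name."""
    name = STATUS_CLASSES.get(code // 100)
    if name is None:
        raise ValueError(f"status code out of range: {code}")
    return name
```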

You can find the article with the full details here:

HTTP Security: A Security-focused Introduction to HTTP, Part 1
