• U.S., European Aviation Authorities at Odds Over Cybersecurity
    From “U.S., European Aviation Authorities at Odds Over Cybersecurity”
    Wall Street Journal (12/23/15) Pasztor, Andy

    U.S. and European aviation authorities are reportedly at odds over a key question of how to protect aircraft from potential cyberattacks. There is wide agreement between U.S. authorities and their European counterparts that aircraft are vulnerable to cyber threats today. The European Aviation Safety Agency warns that “all recently designed large airplanes are known to be sensitive” to cyberthreats because of the “interconnectivity features of their avionics systems.” They even agree that for large commercial planes, the solution should include enhancing the separation of cabin entertainment and passenger Internet access from any safety related systems. The disagreement, apparently, is over how to address cyber threats facing smaller air craft. European authorities want the same testing guidelines and regulations to cover both large and small planes, while American authorities and industry representatives want aircraft with fewer than 19 seats to be subject to different standards. Both sides hope to hammer out a possible compromise before the Federal Aviation Administration proposes new U.S. standards next summer.

    Share       | Web Link | Return to Headlines
    Iranian Hackers Infiltrated New York Dam in 2013
    From “Iranian Hackers Infiltrated New York Dam in 2013”
    Wall Street Journal (12/21/15) Yadron, Danny

    According to current and former U.S. officials, Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013. The hack of the Bowman Avenue Dam near the village of Rye, N.Y., was first noticed by National Security Agency, which was monitoring the activity of Iranian hackers launching attacks on U.S. firms Capitol One Financial and SunTrust Banks. NSA analysts noticed that one of the hackers’ machines was crawling the Internet, looking for vulnerable U.S. industrial-control systems. This information was passed on to the Department of Homeland Security, which linked one of the addresses targeted by the hackers to a “Bowman” dam. There are 31 dams in the U.S. with Bowman in the name, and investigators worried that the hackers had targeted the 245-foot-tall Arthur R.Bowman dam in Oregon. Officials say much of this concern dissipated when the Bowman Avenue Dam, a small structure used for flood control, was identified as the target. However, several officials say the incident was a wake-up call for many in the government about the potential capabilities of Iran’s hackers and the vulnerability of the industrial control systems underlying much of the U.S.’s critical infrastructure.

    Share       | Web Link | Return to Headlines
    Cyberattack Prediction: Hackers Will Target a U.S. Election Next Year
    From “Cyberattack Prediction: Hackers Will Target a U.S. Election Next Year”
    CIO (12/17/15) Lawson, Stephen

    Security expert Bruce Schneier, chief technology officer of Resilient Systems, says that a major cyberattack could target next year’s presidential election. “There are going to be hacks that affect politics in the United States,” Schneier said. He pointed to the massive Sony hack and attempted Chinese and Iranian hacks as evidence that cyber criminals are aiming for more complex targets. This has already wreaked havoc on international relations. The EU in October invalidated the Safe Harbor agreement on offshore data storage, claiming that the US did not have their trust. The scope of data has changed because of cyber crime, and that means more intricate problems. The only improvement, albeit a significant one, is the advent of complex encryption. It is not perfect, Schneier said, but it certainly helps more than some may thing. “We get a lot of security because of this,” he said.

    Share       | Web Link

  • How to Bolster Data, Physical Security to Make Threats Go Elsewhere
    eWeek (12/07/15) Rash, Wayne

    Having adequate security requires organizations to think about the risks they are most likely to face and the resources they expect to have on hand. In addition to foreign hackers, risks could include someone sitting in the reception area who has connected via an Ethernet port and launches a man-in-the middle attack on the Wi-Fi router. Organizations need to examine who would benefit if it underwent a disruption, such as stolen server or a former employee connected to the network to download trade secrets. Organizations also need to conduct what security experts call “security in depth” or “defense in depth.” One expert recommends housing a server in a room with a solid door and a lock that requires a passcode to enter. An alarm should sound if the door is opened without the passcode or if someone enters the wrong code more than twice. Side doors or doors to the loading dock should be similarly equipped with secure locks and have alarms that go off if someone forces open the door, enters the wrong code, or if the door is propped open longer than a fixed time. The alarms should connect with the organization’s security control center, but if nothing happens, then they should automatically roll over to the police department. The receptionist should be an armed security guard who controls the locks in doors that lead further into the building, and unless someone shows the right ID or gets past the badge reader, they cannot enter.

    Web Link

  • Post-Paris, a Fundamental Rethink of Corporate Security Is In Order
    Forbes (11/30/15) Udell, Bill

    The recent attacks in Paris should push business leaders to incorporate security concerns into everyday operations, writes Bill Udell, a former CIA operations officer and the Los Angeles-based Senior Managing Director for crisis and security consulting at Control Risks. Because Islamic State is focused more on setting off numerous attacks than specific, “quality” targets, this means that any place where large groups gather could be at risk. The consequences of mismanagement are also harsher, Udell says, and so organizations must take care to protect their staff and assets. Corporations have reacted to the Paris attacks by placing “quick-fix” security support around their travelers and expatriates, and some are canceling corporate travel. In the longer-term, corporations will probably focus more on threat and risk monitoring, including their profiles, geographical locations, and personnel exposures. They will also focus on risk management and governance, increase their care of business travelers, reexamine security at facilities that were once considered low-risk, and may allow security departments to become more involved in employee screening. Organizations also should test and refresh their crisis-management plans to account for new, potential terrorism scenarios.

    Web Link

  • How to Secure Corporate Data in Post-Perimeter World
    eSecurity Planet (11/12/15) Webber, Chris

    With employees increasingly moving to the cloud and taking corporate data with them, the traditional enterprise security perimeter is no longer enough. IT leaders should adopt a new approach to protecting critical information that is focused on identity management and allows IT to follow its users as they move across networks, apps, and devices. To start, IT leaders should find a solid federated identity solution that can extend across all the apps and devices users need, while allowing them the convenience of a single-sign-on solution. Such solutions eliminate the need for users to have multiple accounts and passwords for every app and device, which creates numerous points of weakness attackers can target. Next, critical apps that handle sensitive data should be even more secured, ideally by using multi-factor authentication. Lost or stolen devices are also a serious threat, so whatever identity solution IT selects should ideally include the ability to locate, lock, or erase lost or stolen devices. Finally, it should be easy to both assign and revoke credentials to users. Automating the provisioning and deprovisioning process is ideal, but at the very least there should be a specific individual in charge of tracking users access to apps and removing that access upon the employee’s departure.

    Web Link | Return to Headlines

    Survey: How Wearables and IoT Are Impacting BYOD
    ZDNet (11/09/15) Matteson, Scott

    A majority of companies now use bring your own device (BYOD) policies in the workplace. These new concepts, ranging from wearables to personal employee-owned phones, have the potential to further influence and change the BYOD trend by making it more complex. A survey from Tech Pro Research found that nearly three-quarters of organizations allow BYOD, with security concerns ranking as the biggest impediment to implementation. IT and educational companies were most likely to permit BYOD and the government was the most likely to prohibit it. Smartphones and tablets were the most common devices. Small companies were the most likely to have included Internet of Things (IoT) devices into their BYOD plans. Interestingly, 78 percent indicated that BYOD policies had no effect on IT costs. Securing these devices remains a sticky issue for many companies, but the improved communication, better organizational capabilities, and enhanced productivity are causing many companies to overlook the negatives and focus on the immediate positives.

    Web Link

« Previous Entries   Next Entries »