computer security

02.10.2015 computer security, cyber crime, cyber security, ICTTF, information security, security, security threats

Message to the Board: Stop being an Ostrich when it comes to Cyber Security – Trust, but verify

I just gave this presentation to nearly 200 attendees of the ICTTF Cyber Threat Summit 2015 in Dublin, Ireland.

For those of you that attended; thank you!

Through this presentation I hope I was able to communicate three points:

  1. How company/agency executives put their agencies at risk by blindly trusting that they are doing all that can be done to secure their networks, applications and data;
  2. That leadership’s approach to motivating employees to practice better cyber hygiene needs to mimic principles of behavioral economics theory that advertisers use; and
  3. By changing the way they ask questions to their senior staff (mainly their CIO/CISO), they can a) have better proof that necessary cyber protections are in-place, and b) they will have a better understanding of the unaddressed cyber risk their company/agency faces.

Enjoy…r/Chuck

08.11.2014 computer security, cyber crime, cyber security, security, security threats

IACP 2014 – October 25th – 28th, Orlando, FL – Day 2 – LE Cyber Threats and Attacks

Day Two at IACP and straight in early on Sunday morning to attend the Cyber Threats and Attacks Facing Law Enforcement Agencies session. Having attended the last two Cyber Threat Summits in Dublin, Ireland, I am well aware of the challenges we are all facing every day in trying to protect our technology.

Mark Gage opened with a very worrisome statement, saying that we spend so much money trying to protect everything else in our lives, but not enough care is given to protecting our information and identity networks. We are at risk every single day; just by viewing Facebook or opening up an untrusted email attachment, our phones/laptops can become infected and spread malware.

We should all know better; in fact we do know better. We know the risks associated with all these things, and yet we are all capable of making silly mistakes and suffering the consequences.

Mark says the most important thing is to educate your staff, consult with those you share systems with, do not use the same password for everything, and make your password changes a minimum of 90 days. It’s also critical that we keep all software up to date, particularly anti-virus software, and implement back up procedures. For companies, he suggests paying money to employ IT staff or contractors.

George Arruda spoke next of the worst day for him in Sept 2013, whilst driving on holiday in Florida, he received a phone call, which gave him the news he dreaded – a virus had locked down ALL of Swansea Police Department’s files thanks to a vicious virus called Cryptolocker!

The only way to get the files back was to pay a ransom of bitcoins to some criminals out there in cyberspace. He didn’t know who they were, or where they originated from, but he gave the order to pay and get the files back.

A cyber security expert was called in and he advised against this, but they eventually began the transactions of transferring bitcoins and they started to get data back. The main problem here was that they did not have a backup, so they were indeed in a vulnerable position.

Having amassed a very large amount of data, this incident shook the Swansea PD. On the back of this, George gave advice to everyone – Back Up Everything and teach your staff NOT to open anything suspicious, and only have ONE administrator access with a password.

Steve Sambar warned of the dangers of terrorist cyber attacks, and the worry of, if they attack, what do we do? Who will be responsible for handling it? How long will it take to cover? We face so many threats every day: human error, insider threats, external threats. Many big corporations have suffered already. For example, Target had 40 million accounts hacked in Dec. 2013, and eBay’s database with 233m users was hacked in Feb. 2014.

Jim Emerson had the last word, delivering a fast paced description of the emerging threats and challenges. Everything is happening faster, he said, and we have to understand the reality of what cyber security is.

He showed two short videos from IACP about cyber security; these are available on the IACP website. Jim wants us to:

  • Check carefully where the suspicious email is coming from.
  • Be aware of who you are connected to.

Jim also stressed the importance of this being a day to day footrace, and it never ends. He is right, and we do not want to be sorry when it is too late.

Until next time…take care of yourselves!

r/Mary

30.10.2013 computer security, cyber crime, cyber security, information security, insider threat, leadership, security threats

Message to the Board: Why YOU are the reason for insider threats.

Enjoy a 20 minute presentation on why executives are the cause for many to most insider threat cases…


 

11.10.2012 computer security, counterintelligence, cyber crime, cyber security, Economic espionage, espionage, information security, insider threat, leadership, security, security threats

Why can’t Johnny be good? The making of an insider threat

“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life that changes this – the CEO’s or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”

While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.

On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland a few weeks ago; here is a video recording of my presentation, I hope you find it informative and useful.

r/Chuck

05.08.2011 computer security, cyber crime, cyber security, cyber warfare

Cyber-Crime – Cyber-Warfare…you say tomato, I still say tomato…but are we prepared?

War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”

While some of what we’ve seen recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going on (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).

While the latter (b) get the big press, I am worried that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…

  1. More of this type of cyber-crime is occurring today than the stuff showing up on the front page of any newspaper; and
  2. What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.

I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to deal with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:

  1. One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
  2. Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other people’s virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.

Now ask yourself, how many law enforcement officers are prepared to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?

Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt, it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch up a bit.

your comments and thoughts welcome…r/Chuck

 

 

02.06.2011 computer security, cyber security, data sharing, Information sharing, law enforcement, Law enforcement information sharing, LEIS, security, security threats, Uncategorized

Security, Privacy, and Innovative Law Enforcement Information Sharing: Covering the bases

So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.

Before I get into the story, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast aspersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy – when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago…more stuff about NLETS was deleted).

The main points I took away from this press release were:

  1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
  2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
  3. And, because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enabled direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog – it involved innovative use of technology for law enforcement, a pseudo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing – some might even say it had all the makings of a Will Smith movie. 🙂

To help set the stage, here are a few facts I found online:

  • Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BVGatso.
  • Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
  • Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
  • Finally, there are no sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdictions across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

  1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
  2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
  3. Data Access: Will Gatso/Redflex have access to the entire registration record? or, will access be limited to certain fields?
  4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
  5. Network Security: Will overseas developers/site support staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nlets systems/networks from abuse/attack?
  6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
  7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents’ personal information will be protected?
  8. Audit/Logging: Will all queries to vehicle registration information be logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
  9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to a foreign-owned company? Will they care?

How these questions are answered will determine whether or not we should worry…

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonight’s news, like St. Louis –> St. Louis Police Department computer hacked in cyber-attack.

The bottom line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitive data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

27.09.2010 computer security, cyber security, Economic espionage, SCADA, security

Web ‘superbug’ threatens Chinese national security – Stuxnet SCADA Attack

Caught this article in Times of India  (PTI, Sep 27, 2010, 01.29pm) website today…funny it didn’t make any of the U.S. cyber security sites…here’s a couple snippets…

“A sophisticated malicious computer software, is attempting to infiltrate factory computers in China’s key industries, threatening the country’s national security, cyber experts have warned.”

“Called Stuxnet, the worm was first discovered in mid-June and was specially written to attack Siemens supervisory control and data (SCADA) systems commonly used to control and monitor industrial facilities – from traffic lights and oil rigs to power and nuclear plants, the state-run Global Times daily reported quoting experts.”

“Globally, the worm has been found to target Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, the report said. According to Wang, there might be large financial groups and nations behind the malicious software.”

“Eugene Kaspersky, co-founder of security firm Kaspersky said the Stuxnet worm could prove that “we have now entered the age of cyber-warfare. – He believes that Stuxnet is a working – and fearsome – prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.”

Read more: Web ‘superbug’ threatens Chinese national security – The Times of India http://timesofindia.indiatimes.com/tech/news/internet/Web-superbug-threatens-Chinese-national-security/articleshow/6635680.cms#ixzz10lUJux3C

03.08.2010 computer security, cyber security, security, security threats, Training

FREE Computer Security Workshop for Maryland Businesses

Can YOU answer the following questions?

  1. What happens to my business if my sensitive business information falls into someone else’s possession?
  2. What would it cost me to be without some or all of my sensitive business information?
  3. Could I recreate lost sensitive business information and what would it cost?
  4. What would be the implications to my business if I could no longer trust the accuracy or completeness of my sensitive business information?

If you can’t answer these questions, then you need this workshop sponsored by the Maryland InfraGard Chapter (IMMA) and the Small Business Administration!!

The NIST Computer Security Division has developed a workshop to help the small business owner increase information system security.

Learn how to define information security (IS) for your organization.

Hear examples of common types of threats and understand how to determine the extent to which your organization should proactively address threats.

Learn common Best Practices and procedures to operate securely.

Hear a basic explanation of current technologies used in reducing vulnerabilities and learn of resources freely available to your organization.

For additional information visit:

Date:  August 20, 2010

   Session I from 8:00 am – 12:00 pm*

   Session II from 1:00 pm – 5:00 pm*

     *50 seats per Session

Location: Baltimore City Community College, 710 East Lombard Street, Room 30, Baltimore, MD

Registration Fee: FREE

Register Online: http://cybersecuritymd.eventbrite.com 

Parking is available nearby at 701 Lombard St. or 55 Market Place, Baltimore, MD for $13.00 per day.

Questions about registration?

E-mail Lauren.F.Schuler@infragard.org or call 443-436-7725.

Questions about the class content?

See http://csrc.nist.gov/groups/SMA/sbc/ or contact Richard Kissel at rkissel@nist.gov .