This document discusses proactive security intelligence for smart utilities. It covers the threat landscape including sophisticated malware like Stuxnet, targeted attacks using zero-days and social engineering, and high-volume attacks. It notes challenges in securing critical infrastructures due to their use of common operating systems and protocols. The document advocates taking a performance and analytics-driven approach to proactive security using network simulation, penetration testing, and predictive modeling to identify exposures before they can be exploited.
Birds of a Feather 2017: Invited Talk, Glance into the Enterprise InfoSec Field - Howard - HITCON GIRLS
10 December 2017 - Birds of a Feather (BoF) literally refers to birds that fly together with birds of the same kind; by extension it means bringing like-minded people together, or holding an informal gathering.
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html
This document discusses network security and provides information on key security concepts. It covers prevention, detection, and response as the foundation of security. Integrity, confidentiality, availability, and authentication are discussed in detail. The document emphasizes that network security is as much about business processes and policies as technical controls. Overall prevention is the most important and cost-effective approach to security. Detection and response procedures should also be established in case preventative controls fail.
An introduction to SOC (Security Operation Center) - Ahmad Haghighi
The document discusses building a security operations center (SOC). It defines a SOC as a centralized unit that deals with security issues on an organizational and technical level. It monitors, assesses, and defends enterprise information systems. The document discusses whether to build an internal SOC or outsource it. It also covers SOC technologies, personnel requirements, and the five generations of SOCs. It provides resources for learning more about designing and maturing a SOC.
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks - Angeloluca Barba
A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
This document provides an overview of topics related to telecommunications and network security that will be covered in a two-part review. Part 1 will discuss security principles and the IP architecture, terms and definitions, and the OSI and TCP/IP models from the physical layer to the application layer. Part 2 will continue the discussion of security principles and network architecture, then cover security countermeasures and controls at each layer. Both parts aim to demonstrate an understanding of communications and network security as it relates to data networks.
Join us on our upcoming BYOP (Bring Your Own Pizza) "Application Security Meetup" to hear about the latest cyber security breaches, trends and technologies in modern application development.
Agenda:
17:00 - 17:10 - Opening words - by Lior Mazor (Organizer)
17:10 - 17:35 - 'Recent cyber security attacks in Israel' - by Lior Mazor (Organizer)
17:35 - 18:00 - ‘How to deliver a secure product’ - by Michael Furman (Tufin)
18:00 - 18:30 - 'Hacking serverless - Introduction to Serverless Application Security' - by Yossi Shenhav (Komodo)
18:30-19:00 - ‘Post Apocalypse: Exploiting web messaging implementations’ - by Chen Gour-Arie (enso security)
The document discusses Damballa's advanced threat protection and detection capabilities. It highlights that Damballa can discover hidden threats that have gone undetected, terminate criminal communications to reduce risk, and provide the earliest detection of emerging threats. It explains that Damballa shifts the focus from protection to active threat monitoring and detection using advanced threat intelligence and machine learning to identify hidden infections on networks and endpoints. Damballa provides appliances and solutions that pinpoint compromised assets and criminal activity through network monitoring and host forensics.
The document provides an overview of the Information Security & Risk Management domain for the CISSP certification. It discusses key topics including information security concepts, governance, risk management, information classification, and security controls. The objectives are to understand planning and securing information assets, developing security policies and procedures, conducting risk assessments, and implementing controls to ensure confidentiality, integrity and availability. New requirements for 2012 include project management knowledge and privacy compliance.
CS 5032 L12 security testing and dependability cases 2013 - Ian Sommerville
The document discusses security validation techniques like experience-based validation using known attacks, tiger teams that simulate attacks, and tool-based validation. It also discusses the importance of having a well-defined development process for safety-critical systems that includes identifying and tracking hazards. Safety and dependability cases collect evidence like hazard analyses, test results, and review reports to argue that a system meets its safety requirements. Structured safety arguments demonstrate that hazardous conditions cannot occur by considering all program paths and showing unsafe conditions cannot be true.
Jump Start Your Application Security Knowledge - Denim Group
How to Jump-Start Your Application Security Knowledge
For the Network Security Guy Who Knows Nothing about Web Applications
Most security officers are not software developers, and rarely do they have control over the security of internally developed software systems. However, CSOs are still frequently held accountable when externally facing software is compromised and a breach occurs. Unless security professionals radically upgrade their knowledge of software and software development techniques, they will continue to manage inadequately the risk that custom software systems represent to the enterprise.
Presented by John Dickson of Denim Group and Jeremiah Grossman of WhiteHat Security, this webinar will help non-development security managers understand the salient aspects of the software development process and to upgrade their IQ on software. It will help them to identify risks with different assessment approaches, how to inject themselves into the development process at key "waypoints," and to understand ways to influence development peers to write more secure code.
Damballa automated breach defense june 2014 - Ricardo Resnik
This document discusses the need for advanced threat protection and containment solutions due to the high percentage of cyber attacks that go undetected for months. It notes that traditional prevention-focused security approaches are no longer sufficient. The document then highlights statistics on the financial and resource costs of cyber attacks. It introduces Damballa's automated breach defense platform, which uses behavioral analytics to automatically identify active threats, regardless of prior knowledge. The platform aims to enable a breach resistant organization. The document concludes by presenting several customer case studies where Damballa helped reduce costs, detection times, and improve visibility and response.
The document discusses the Operations Security domain of the CISSP Common Body of Knowledge, including defining the domain, identifying resource protection needs, threats to information operations, and security controls and countermeasures used in operations security. Personnel security, physical security, and technical controls are discussed as ways to reduce vulnerabilities and protect organizational assets from both internal and external threats.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
This document provides an overview of the key topics within the Security Architecture & Design domain for the CISSP certification. It covers computing platforms such as early electro-mechanical machines, the von Neumann model, and transistor-based computers. It also discusses security models, evaluation and certification, security architecture concepts and implementation models. Specific topics include operating systems, CPU and memory components, software elements, process scheduling, and operating modes. The document serves as a high-level study aid for understanding the domain's important foundational concepts.
Strategy considerations for building a security operations center - CMR WORLD TECH
This document discusses considerations for building a security operations center (SOC) to better manage security threats. It describes the evolving threat landscape and increasing attacks faced by organizations. An enterprise SOC provides centralized monitoring, investigation of incidents, and reporting to improve protection of critical data assets. It assesses existing security capabilities, outlines five essential SOC functions, and discusses capacity management and moving forward with development. Consulting partners can assist with strategy and implementation of an enterprise SOC.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... - Security B-Sides
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
The document discusses the OWASP Top 10 Proactive Controls for web application security. It summarizes 10 critical security areas that developers must address: 1) Verify security early and often, 2) Parameterize queries, 3) Encode data, 4) Validate all inputs, 5) Implement identity and authentication controls, 6) Implement access controls, 7) Protect data, 8) Implement logging and intrusion detection, 9) Leverage security frameworks and libraries, and 10) Handle errors and exceptions properly. For each area, it describes common vulnerabilities, example attacks, and recommended controls to implement for protection.
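The second, third and fourth Proactive Controls (parameterize queries, encode data, validate all inputs) are best seen side by side. The following is an added example, not code from the OWASP document or from the page: a login query built by string formatting next to its parameterized form, plus an allow-list validator for the username. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so it can
    change the shape of the query (e.g. username = "alice' --")."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened: placeholders are bound by the driver; the values are
    never parsed as SQL, so quotes and comment markers are inert."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def is_valid_username(username):
    """Allow-list input validation (control 4): reject anything that is not
    a plausible username before it reaches any query or template."""
    return bool(USERNAME_RE.match(username))


def render_greeting(username):
    """Output encoding (control 3): HTML-escape before embedding in a page,
    so a name containing markup is shown as text, not interpreted."""
    return f"<p>Welcome, {html.escape(username)}</p>"


if __name__ == "__main__":
    db = make_db()
    attack = "alice' --"
    print("vulnerable   :", login_vulnerable(db, attack, "wrong"))
    print("parameterized:", login_parameterized(db, attack, "wrong"))
    print("validated    :", is_valid_username(attack))
    print(render_greeting("<script>alert(1)</script>"))
```

Parameterization is the control that actually removes the injection; validation and encoding are defence in depth, not substitutes for it.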
Dragos S4x20: How to Build an OT Security Operations Center - Dragos, Inc.
Matt Cowell's (Senior Director of Business Development) S4x20 presentation details how to build an effective OT security operations center and the tools and skills needed.
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration - Priyanka Aash
This session will present a real case study of methodology and advanced cybersecurity tools used along with important tips and lessons learned on implementing an ISOC project at the second largest city of the nation. Topics include the critical success factors, advanced tools and technologies for ISOC, Situational Awareness, Threat Intelligence Sharing and cybersecurity collaboration.
(Source: RSA USA 2016-San Francisco)
Cyber Security protection by MultiPoint Ltd. - Ricardo Resnik
This document provides information about MultiPoint Ltd., a cyber security company that distributes security and networking software. It discusses MultiPoint's vendors and customers, as well as concepts like the attack lifecycle and challenges of detection. It also summarizes some of MultiPoint's product offerings and how they help customers adapt security posture, optimize resources, manage portfolio risk, and rapidly respond to threats.
This document provides an overview of the Information Security Governance and Risk Management domain covered by the CISSP certification. It discusses key topics in this domain including information security concepts, risk management, policies, standards, procedures, data classification, risk assessment, and security controls. The document is divided into sections that define learning objectives, reference materials, and describe topics covered within the domain such as information security management, governance, classification, and the role of planning, policies, guidelines, standards, procedures, security training, and risk management practices and tools.
The Golden Rules - Detecting more with RSA Security Analytics - Demetrio Milea
The document discusses techniques for detecting threats using security analytics. It begins by explaining how a typical attack sequence is too simplistic and can fail to detect real threats. It then advocates for using a threat analysis approach to understand assets, data flows, threats and tactics. This involves profiling assets, mapping components and access points, and identifying threats, sources and techniques. The document shows how to write threat indicators using security analytics tools. It provides examples of anomaly detection rules in Event Processing Language to detect complex scenarios. The goal is to leverage threat analysis to implement risk-based indicators that effectively address residual risks.
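Two of the summaries above describe the same idea from different angles: the Barba talk's "asset visibility and network baselining", and this one's threat indicators written as anomaly rules rather than as a single attack signature. The following is an added example, not from either presentation and not in Event Processing Language: two indicators in plain Python run over constructed SSH authentication log lines. The first is a stateful sequence rule (a burst of failures from one source followed by a success from that source); the second flags successful logins from outside a baseline of known networks. The log lines, the baseline network and the thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style sshd lines); not from the page.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-03-01T10:00:04 sshd[102]: Failed password for admin from 203.0.113.7 port 5002
2024-03-01T10:00:07 sshd[103]: Failed password for root from 203.0.113.7 port 5003
2024-03-01T10:00:09 sshd[104]: Failed password for admin from 203.0.113.7 port 5004
2024-03-01T10:00:12 sshd[105]: Accepted password for admin from 203.0.113.7 port 5005
2024-03-01T10:05:00 sshd[106]: Accepted publickey for deploy from 10.0.0.5 port 41022
2024-03-01T10:06:00 sshd[107]: Failed password for bob from 10.0.0.9 port 41100
2024-03-01T10:06:30 sshd[108]: Accepted password for bob from 10.0.0.9 port 41101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines):
    """Turn matching log lines into event dicts; lines that do not match are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            }


def brute_force_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Sequence indicator: at least `threshold` failures from one source
    inside `window`, followed by a success from the same source.
    A single failure followed by success (a typo) does not fire."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:  # events are assumed to arrive in time order
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures outside the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append((ev["src"], ev["user"], len(q)))
            q.clear()  # one alert per burst
    return alerts


def success_from_unbaselined_source(events, baseline_networks):
    """Baseline indicator: successful logins whose source is outside the
    networks the asset has been seen accepting logins from before."""
    nets = [ipaddress.ip_network(n) for n in baseline_networks]
    hits = []
    for ev in events:
        if ev["outcome"] != "Accepted":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in n for n in nets):
            hits.append((ev["src"], ev["user"]))
    return hits


def run(log_text=SAMPLE_LOG, baseline_networks=("10.0.0.0/8",)):
    """Run both indicators over the log and return their findings."""
    events = list(parse(log_text.splitlines()))
    return {
        "brute_force": brute_force_then_success(events),
        "new_source": success_from_unbaselined_source(events, baseline_networks),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

The baseline here is a hard-coded network list; in practice it is learned from a period of known-good traffic and re-checked whenever assets or access paths change, which is the point of the "asset visibility and network baselining" item above.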
Security operations center 5 security controls - AlienVault
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Cybersecurity involves protecting individuals, businesses, and governments from cyber threats on computers and the internet. It is a broad field that includes threat analysis, security technologies, policies and laws. Cybersecurity problems stem from technical issues as well as human and organizational factors. It aims to prevent malicious cyber attacks and accidental damage. Attacks can come from inside or outside an organization and include fraud, spying, stalking, assault, and warfare between nations. The scale of the problem is large but difficult to measure fully. Cybersecurity issues have arisen because the internet was not designed with security in mind and prioritizes convenience, while widespread connectivity has increased risks.
McAffee_Security and System Integrity in Embedded Devices - Işınsu Akçetin
The document discusses McAfee's embedded security solutions for OEMs. It provides an overview of McAfee Embedded Control, which offers application control and change control to prevent unauthorized software and enforce change policies. It also discusses the McAfee Embedded Anti-Virus SDK and Embedded Reputation SDK for integrating virus detection and reputation services. Finally, it discusses how McAfee ePolicy Orchestrator provides centralized security management and how these solutions have benefited OEMs like NCR, NEC, Merge Healthcare, and Sharp by reducing support costs, enforcing compliance, and preventing unauthorized changes on embedded devices.
Dr. Arun Sood is a professor of computer science who has developed an approach called Self Cleansing Intrusion Tolerance (SCIT) to improve server security. SCIT works by converting static servers into dynamic servers that refresh regularly, reducing exposure time to malware while maintaining service. His research aims to limit losses from successful attacks by restoring servers to a pristine state frequently. SCIT has been implemented to refresh servers every minute, limiting the time for malware to cause damage.
Move Over Plans - Business Continuity Goes Real-time - Seema Sheth-Voss
The document discusses how traditional business continuity planning is no longer effective in today's dynamic environment. It advocates shifting from static planning to "response modeling" using real-time and predictive data. Key attributes of effective continuity plans discussed include plan data that is accessible, contextual and relevant to actual scenarios, and integrated with real-time internal and external data sources to provide situational awareness during incidents. The presentation provides examples from fast fashion retail and outlines challenges and recommendations for getting started with this new approach to continuity planning.
The document provides tips for organizations on conducting penetration testing of their IT infrastructure on a regular basis. It recommends testing at least quarterly or whenever there are significant changes to help identify vulnerabilities before attackers. When testing, companies should consider their goals and critical assets to protect, choose tools that their security team can use effectively, ensure all testing is properly authorized, and focus remediation efforts on addressing entire attack paths discovered rather than individual vulnerabilities.
The document provides an overview of the Information Security & Risk Management domain for the CISSP certification. It discusses key topics including information security concepts, governance, risk management, information classification, and security controls. The objectives are to understand planning and securing information assets, developing security policies and procedures, conducting risk assessments, and implementing controls to ensure confidentiality, integrity and availability. New requirements for 2012 include project management knowledge and privacy compliance.
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
The document discusses security validation techniques like experience-based validation using known attacks, tiger teams that simulate attacks, and tool-based validation. It also discusses the importance of having a well-defined development process for safety-critical systems that includes identifying and tracking hazards. Safety and dependability cases collect evidence like hazard analyses, test results, and review reports to argue that a system meets its safety requirements. Structured safety arguments demonstrate that hazardous conditions cannot occur by considering all program paths and showing unsafe conditions cannot be true.
Jump Start Your Application Security KnowledgeDenim Group
How to Jump-Start Your Application Security Knowledge
For the Network Security Guy Who Knows Nothing about Web Applications
Most security officers are not software developers, and rarely do they have control over the security associated with internally developed software systems. However, CSO's are still frequently held accountable when externally-facing software is compromised and a breach occurs. Unless security professionals radically upgrade their knowledge of software and software development techniques, they will continue to inadequately manage the risk that custom software systems represents to the enterprise.
Presented by John Dickson of Denim Group and Jeremiah Grossman of WhiteHat Security, this webinar will help non-development security managers understand the salient aspects of the software development process and to upgrade their IQ on software. It will help them to identify risks with different assessment approaches, how to inject themselves into the development process at key "waypoints," and to understand ways to influence development peers to write more secure code.
Damballa automated breach defense june 2014Ricardo Resnik
This document discusses the need for advanced threat protection and containment solutions due to the high percentage of cyber attacks that go undetected for months. It notes that traditional prevention-focused security approaches are no longer sufficient. The document then highlights statistics on the financial and resource costs of cyber attacks. It introduces Damballa's automated breach defense platform, which uses behavioral analytics to automatically identify active threats, regardless of prior knowledge. The platform aims to enable a breach resistant organization. The document concludes by presenting several customer case studies where Damballa helped reduce costs, detection times, and improve visibility and response.
The document discusses the Operations Security domain of the CISSP Common Body of Knowledge, including defining the domain, identifying resource protection needs, threats to information operations, and security controls and countermeasures used in operations security. Personnel security, physical security, and technical controls are discussed as ways to reduce vulnerabilities and protect organizational assets from both internal and external threats.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
This document provides an overview of the key topics within the Security Architecture & Design domain for the CISSP certification. It covers computing platforms such as early electro-mechanical machines, the von Neumann model, and transistor-based computers. It also discusses security models, evaluation and certification, security architecture concepts and implementation models. Specific topics include operating systems, CPU and memory components, software elements, process scheduling, and operating modes. The document serves as a high-level study aid for understanding the domain's important foundational concepts.
Strategy considerations for building a security operations centerCMR WORLD TECH
This document discusses considerations for building a security operations center (SOC) to better manage security threats. It describes the evolving threat landscape and increasing attacks faced by organizations. An enterprise SOC provides centralized monitoring, investigation of incidents, and reporting to improve protection of critical data assets. It assesses existing security capabilities, outlines five essential SOC functions, and discusses capacity management and moving forward with development. Consulting partners can assist with strategy and implementation of an enterprise SOC.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
The document discusses the OWASP Top 10 Proactive Controls for web application security. It summarizes 10 critical security areas that developers must address: 1) Verify security early and often, 2) Parameterize queries, 3) Encode data, 4) Validate all inputs, 5) Implement identity and authentication controls, 6) Implement access controls, 7) Protect data, 8) Implement logging and intrusion detection, 9) Leverage security frameworks and libraries, and 10) Handle errors and exceptions properly. For each area, it describes common vulnerabilities, example attacks, and recommended controls to implement for protection.
Dragos S4x20: How to Build an OT Security Operations CenterDragos, Inc.
Senior Director of Business Development, Matt Cowell's, S4x20 presentation details how to build an effective OT security operations center and the tools and skills needed.
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
This session will present a real case study of methodology and advanced cybersecurity tools used along with important tips and lessons learned on implementing an ISOC project at the second largest city of the nation. Topics include the critical success factors, advanced tools and technologies for ISOC, Situational Awareness, Threat Intelligence Sharing and cybersecurity collaboration.
(Source: RSA USA 2016-San Francisco)
Cyber Security protection by MultiPoint Ltd.Ricardo Resnik
This document provides information about MultiPoint Ltd., a cyber security company that distributes security and networking software. It discusses MultiPoint's vendors and customers, as well as concepts like the attack lifecycle and challenges of detection. It also summarizes some of MultiPoint's product offerings and how they help customers adapt security posture, optimize resources, manage portfolio risk, and rapidly respond to threats.
This document provides an overview of the Information Security Governance and Risk Management domain covered by the CISSP certification. It discusses key topics in this domain including information security concepts, risk management, policies, standards, procedures, data classification, risk assessment, and security controls. The document is divided into sections that define learning objectives, reference materials, and describe topics covered within the domain such as information security management, governance, classification, and the role of planning, policies, guidelines, standards, procedures, security training, and risk management practices and tools.
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
The document discusses techniques for detecting threats using security analytics. It begins by explaining how a typical attack sequence is too simplistic and can fail to detect real threats. It then advocates for using a threat analysis approach to understand assets, data flows, threats and tactics. This involves profiling assets, mapping components and access points, and identifying threats, sources and techniques. The document shows how to write threat indicators using security analytics tools. It provides examples of anomaly detection rules in Event Processing Language to detect complex scenarios. The goal is to leverage threat analysis to implement risk-based indicators that effectively address residual risks.
Security operations center 5 security controlsAlienVault
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Cybersecurity involves protecting individuals, businesses, and governments from cyber threats on computers and the internet. It is a broad field that includes threat analysis, security technologies, policies and laws. Cybersecurity problems stem from technical issues as well as human and organizational factors. It aims to prevent malicious cyber attacks and accidental damage. Attacks can come from inside or outside an organization and include fraud, spying, stalking, assault, and warfare between nations. The scale of the problem is large but difficult to measure fully. Cybersecurity issues have arisen because the internet was not designed with security in mind and prioritizes convenience, while widespread connectivity has increased risks.
McAffee_Security and System Integrity in Embedded Devices (Işınsu Akçetin)
The document discusses McAfee's embedded security solutions for OEMs. It provides an overview of McAfee Embedded Control, which offers application control and change control to prevent unauthorized software and enforce change policies. It also discusses the McAfee Embedded Anti-Virus SDK and Embedded Reputation SDK for integrating virus detection and reputation services. Finally, it discusses how McAfee ePolicy Orchestrator provides centralized security management and how these solutions have benefited OEMs like NCR, NEC, Merge Healthcare, and Sharp by reducing support costs, enforcing compliance, and preventing unauthorized changes on embedded devices.
Dr. Arun Sood is a professor of computer science who has developed an approach called Self Cleansing Intrusion Tolerance (SCIT) to improve server security. SCIT works by converting static servers into dynamic servers that refresh regularly, reducing exposure time to malware while maintaining service. His research aims to limit losses from successful attacks by restoring servers to a pristine state frequently. SCIT has been implemented to refresh servers every minute, limiting the time for malware to cause damage.
Move Over Plans - Business Continuity Goes Real-time (Seema Sheth-Voss)
The document discusses how traditional business continuity planning is no longer effective in today's dynamic environment. It advocates shifting from static planning to "response modeling" using real-time and predictive data. Key attributes of effective continuity plans discussed include plan data that is accessible, contextual and relevant to actual scenarios, and integrated with real-time internal and external data sources to provide situational awareness during incidents. The presentation provides examples from fast fashion retail and outlines challenges and recommendations for getting started with this new approach to continuity planning.
The document provides tips for organizations on conducting penetration testing of their IT infrastructure on a regular basis. It recommends testing at least quarterly or whenever there are significant changes to help identify vulnerabilities before attackers. When testing, companies should consider their goals and critical assets to protect, choose tools that their security team can use effectively, ensure all testing is properly authorized, and focus remediation efforts on addressing entire attack paths discovered rather than individual vulnerabilities.
This session at a cybersecurity conference debated whether penetration testing tools that can be misused should be restricted or banned to prevent criminal hacking. The panelists, who work in cybersecurity, discussed the debate around regulating tools that have legitimate security assessment uses but could enable illegal hacking if misused. They considered arguments on both sides of whether access to such tools should be controlled or limited versus remaining freely available.
No one can deny that malware is a serious and growing problem. However, up to this point it has been very difficult to efficiently and accurately quantify exactly how bad it is. In this presentation, Ricky will demonstrate how new scanning technologies like zmap can be used to get complete and up-to-date snapshots of current malware infections, map where the infections are worst, and even track down Command and Control servers.
The more your organization knows about potential threats, the safer your critical assets will be, but are traditional solutions, such as monthly scans and haphazard patching enough? What your scanner isn’t telling you are the critical vulnerabilities that should be fixed first.
StHack 2014 - Jerome "@funoverip" Nokin: Turning your managed AV into my botnet (StHack)
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow. Particular focus will be given to the different steps required to fully compromise both central management servers and managed stations. Who does not want to transform a major managed AV into his private botnet within minutes?
Jerome Nokin works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.
Kathleen Fisher of DARPA's Information Innovation Office presented on high assurance systems at the 2011 DARPA Cyber Colloquium. She discussed how physical systems like vehicles and medical devices are vulnerable to cyber attacks. Current security approaches cannot fully address this problem as they focus on known vulnerabilities. Fisher proposed a new approach of developing critical system components using formal methods to mathematically prove their correctness. This could enable a "high assurance component factory" to securely compose systems from verified building blocks. She welcomed feedback on promising research directions and additional challenges.
1) The document discusses scaling cyberwarfare capabilities and limitations of relying solely on individual "cyberartisans".
2) It introduces the Binary Executable Transforms (BET) program which aims to automate software development by identifying, extracting, and recombining functional components from binary executables.
3) The author argues that to overcome limitations in force size, execution speed, and tactical depth, breakthroughs in technology are needed rather than just hiring more individual hackers.
Rand Waltzman presented on anomaly detection at multiple scales (ADAMS) at the DARPA Cyber Colloquium. The presentation discussed (1) how insider threats like Hanssen, Ames and Montes were only obvious after the fact due to weak signals over time and data, (2) the enormous amounts of behavioral data like emails and texts that must be analyzed to detect anomalies, such as analyzing nearly 48 billion links annually to investigate Fort Hood, and (3) the four coordinated thrusts of ADAMS research focusing on topic analysis, system use, social interactions, and psychological state to detect signs an insider may be turning before they act.
DARPA's PROCEED program aims to enable practical computation on encrypted data without decryption, with potential applications including privacy-preserving cloud services. The newer CSFV program seeks to "gamify" formal software verification by applying game mechanics to crowdsource solving verification problems, exploiting a large user base without expertise. This could make formal verification more scalable and affordable for verifying large DoD software systems. Contact Drew Dean for a future special notice on a CSFV funding opportunity.
The document summarizes research on "Vampire Attacks" that drain the batteries of nodes in wireless sensor networks over time rather than disrupting immediate availability. It introduces the classification of these long-term denial of service attacks and outlines several representative attacks, such as carousel and stretch attacks, that exploit vulnerabilities in stateless source routing protocols. Simulation results show these attacks can increase network-wide energy usage by factors of up to 10 by artificially lengthening packet routes. The paper aims to evaluate vulnerabilities of existing protocols, quantify attack impacts, and modify protocols to provably bound damage from these resource depletion attacks.
The document introduces the Ceylon project, which aims to design a new programming language and SDK that addresses frustrations with Java while retaining its successes. It was started by Gavin King and his team who have been developing Java frameworks for 10 years. Ceylon will run on the JVM and feature static typing, automatic memory management, and first-class functions while being readable like Java. Gavin provides some examples of Ceylon's syntax including classes, sequences, higher-order functions, and named arguments to demonstrate how it addresses issues in Java. The project is not yet available publicly and this talk is the first public discussion of Ceylon.
The document discusses predictive security intelligence and how it can drive productive partnerships between security, audit, and risk teams. It outlines FICO's security analytics journey and how their business challenges parallel those in security. Core Security's CORE Insight solution provides predictive threat analysis and visualization to help prioritize vulnerabilities and understand an organization's overall security posture. Intelligence and metrics can bridge gaps between teams by conveying risk in a common language and validating security controls.
This document summarizes new features in Core Impact Pro 2015 R1. It discusses trends in penetration testing such as more organizations performing penetration tests but not enough experienced hackers. It outlines new features like testing for the OWASP top 10 vulnerabilities, mobile device exploitation, and multi-vector attacks. The document also discusses enhancements like pause-and-resume functionality, greater reporting customization, and Windows 10 support. It promotes the training and support services provided with Core Impact Pro subscriptions.
This document discusses advanced penetration testing techniques using reverse DNS and Windows Management Instrumentation (WMI). It describes how attackers can use DNS tunneling to sneak data in and out of an organization by encapsulating it within DNS packets. It also explains how WMI events on Windows systems can be used to persistently run agents and payloads even after reboots by binding event filters and consumers. Detection techniques involving WMI monitoring are also presented. The document aims to educate penetration testers and security professionals about these stealthy techniques being used by cybercriminals.
Managing Your Pentest Data with Kvasir: Toorcon 15 (grutz)
We’ve all done it a few times. Lost that nmap scan, can’t recall what file had that account and password combination, sat in front of a screen for a few days while your co-worker gathered tons of data and didn’t share because he’s a big fat jerk.
Kvasir is a centralized, penetration tester-focused data homogenizing application to help collect, unify and make sense of the important data gathered during tests. It’s a small footprint application designed for quick deployment. It integrates directly with NeXpose and Metasploit (for now).
This application is used daily by Cisco Systems engineers on customer penetration tests. It hasn’t solved the big fat jerk problem but it has helped us work better as a team.
Presented at Toorcon 15, October 20, 2013
The document discusses cross-site request forgery (XSRF/CSRF) attacks and how to prevent them in ASP.NET Core applications. It explains that XSRF attacks trick authenticated users into performing unwanted actions on a web application. To prevent XSRF, ASP.NET Core uses antiforgery tokens that are validated on requests. It provides built-in support for adding antiforgery tokens to MVC forms and tag helpers. Additionally, antiforgery middleware can validate tokens on incoming requests to the application.
This document summarizes a presentation about creating a backdoor in the Thunderbird email client using extensions. It describes how the backdoor would check for encrypted commands in images attached to emails, execute commands on the system by hiding output in email replies, and avoid detection through techniques like modifying existing trusted extensions and hiding the backdoor's updates. The presentation demonstrates capabilities of the backdoor like retrieving PGP keys and proposes ways to improve and expand its capabilities.
Continuous Monitoring and Real Time Risk Scoring (Q1 Labs)
This document discusses continuous monitoring and real-time risk scoring. It describes how continuous monitoring can detect vulnerabilities and potential threats by monitoring network changes and comparing configurations to network activity. A two-phased compliance timeline is mentioned. Continuous monitoring provides a single console view of risk exposure needed to meet federal requirements. Metrics and risk-relevant data are discussed. The benefits of security intelligence across infrastructure for anomaly detection and actionable, informative outputs are presented.
Qradar ibm partner_enablement_220212_final (Arrow ECS UK)
QRadar is a SIEM, log management, and network monitoring platform from IBM Security. It provides security intelligence through log collection, correlation, threat detection, and compliance reporting. Key capabilities include log management, SIEM, risk management, network activity monitoring, and application visibility. Customers choose QRadar for its intelligence, integration, automation, scalability, leadership, and support.
Tech Alliance provides five cybersecurity services: 1) Enterprise Security Program Design and Implementation to assess risks, identify gaps, and create a security roadmap; 2) IT Risk Assessment to identify threats, vulnerabilities, impacts, and recommend controls; 3) Disaster Recovery Planning and Implementation to design technology solutions and processes to ensure business continuity; 4) Vulnerability Assessment and Penetration Testing to identify and prioritize vulnerabilities and validate fixes; 5) a Security Operations Center for 24/7 security monitoring, event correlation, and reporting.
Tech Alliance provides five cybersecurity services: 1) Enterprise Security Program Design and Implementation to assess risks, identify gaps, and create a security roadmap; 2) IT Risk Assessment to identify threats, vulnerabilities, impacts, and recommend controls; 3) Disaster Recovery Planning and Implementation to design technology solutions and processes to ensure business continuity; 4) Vulnerability Assessment and Penetration Testing to identify vulnerabilities and validate fixes; 5) a Security Operations Center for 24/7 monitoring of networks, systems, and security devices.
Ray Menard plagiarized text from Hugh Farringdon in his document about network security monitoring. The document discusses IBM's QRadar SIEM product and how it can help network and security professionals deal with the large volumes of information they receive. It provides an overview of QRadar SIEM's capabilities, such as event correlation, network flow capture and analysis, and compliance monitoring. The document also presents several use cases where QRadar SIEM can provide valuable visibility, such as complex threat detection, malicious activity identification, and network and asset discovery.
With the explosion of the public Internet and e-commerce, private computers and computer networks, if not adequately secured, are increasingly vulnerable to damaging attacks. Hackers, viruses, vindictive employees and even human error all represent clear and present dangers to networks. And all computer users, from the most casual Internet surfers to large enterprises, could be affected by network security breaches. However, security breaches can often be easily prevented. How? This white paper provides you an overview of the most common network security threats and their solutions, which protect you and your organization from threats and hackers and ensure that the data traveling across your networks is safe.
TIG / Infocyte: Proactive Cybersecurity for State and Local Government (Infocyte)
This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations to:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY (jmical)
This document provides an overview of AccessData's Cyber Intelligence Response Technology (CIRT) platform. CIRT offers an integrated suite of digital forensics and incident response capabilities including network forensics, host-based forensics, data auditing, and malware analysis. Key features include an agent that can independently collect and store data from endpoints, a Cerberus module that analyzes files for malicious behaviors without signatures or prior knowledge, and modules for analyzing removable media, volatile memory, and network packet captures. The platform allows multiple teams such as incident response, computer forensics, and compliance to collaborate on investigations.
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr... (Symantec)
Symantec Endpoint Protection 12, optimized for virtual environments, offers organizations the vital protection needed to effectively safeguard information from attackers. Symantec Protection Center 2.0 draws upon correlated visibility from multiple security products to provide relevant actionable intelligence that reduces risks to business.
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End... (Symantec)
First-hand insights on the newest cloud-delivered endpoint security solutions. Hear from Joakim Liallias, Symantec and special guest speakers Sundeep Vijeswarapu from PayPal and top industry analyst Fernando Montenegro, 451 Research. Listen here: https://symc.ly/2UY2TlS.
Cyber Defense - How to be prepared to APT (Simone Onofri)
This document provides an overview of a presentation on cyber defense and cyber attack simulations. It begins with an agenda and introductions. It then discusses the evolving threats landscape, with attacks increasing in scale, scope and sophistication. It outlines the cyber attack simulation methodology, including researching the target, infiltrating networks, establishing footholds, moving laterally and exfiltrating data. It describes three scenario examples - a web attack, phishing email, and exploiting physical access. Each scenario provides the rules of engagement, attack overview and lessons learned. It concludes with quotes emphasizing the importance of preparation and deception in warfare.
This document discusses cybersecurity research and development needs for critical infrastructure protection. It outlines key cybersecurity requirements, technologies currently used and being researched, and gaps that need attention. Some areas that need continued research are vulnerability identification, composing secure systems from insecure components, security metrics, wireless security, and security for network embedded systems like SCADA. Long-term research should focus on privacy, fault tolerance, scalability, self-management, self-healing, and rearchitecting the internet.
The primary focus of this study was to investigate how cyber risks in the ICT infrastructures of supply chains are managed. As its theoretical base, the study used the Adaptive Security Architecture framework that has been employed by most IT security specialists. Five experienced IT experts participated in a semi-structured interview to provide practical insights on the state of cybersecurity in supply chain operations from various industries. Their responses were analyzed based on the four stages of prediction, prevention, detection and response.
This study offers a new framework that suggests cybersecurity requires anticipatory vigilance, profiling malevolence, instantaneous response and uncompromised recovery to dealing with the cyber threats posing disruptions to supply chains.
PCTY 2012, IBM Security and Strategy v. Fabio Panada (IBM Danmark)
This document summarizes IBM's security intelligence, integration, and expertise capabilities. It discusses how the world is becoming more digitized and interconnected, opening the door to emerging threats. It also notes that with the rise of big data, consumerization of IT, and mobility, everything is everywhere, while attack sophistication has increased. IBM helps organizations evolve their security solutions to address these changing business, technology, and threat environments. The document outlines IBM's comprehensive security portfolio spanning enterprise governance, risk, compliance and intelligence.
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po... (Mark Underwood)
What happens when the (Observe) Plan-Do-Check-Adjust cycle is undermined by lapses in data integrity? Observations are questioned. Plans may be ill-conceived. Actions may be undertaken that undermine rather than enhance. “Checks” can fail. Adjustments may be guesswork. In cybersecurity, the results of poor data integrity can be expensive outages, ransom requests, breaches, fines, even bankruptcy (think Cambridge Analytica). But data integrity issues take many forms, ranging from benign to malicious. The full range of these issues is surveyed from a cybersecurity perspective, where logs and alerts are critical for defenders as well as quality engineers. Techniques borrowed from model-based systems engineering and ontology-based AI are identified that can mitigate these deleterious effects on PDCA.
Cloud Security Checklist and Planning Guide Summary (Intel IT Center)
A summary of the cloud security checklist and practical planning guide to help integrate security planning into cloud computing initiatives—from data center to endpoint devices. Includes encryption, infrastructure security, and trusted compute pools.
“8th National Biennial Conference on Medical Informatics 2012” (Ashu Ash)
“8th National Biennial Conference on Medical Informatics 2012” at Jawaharlal Nehru Auditorium, AIIMS New Delhi on 5th Feb 2012.
The organizing committee consisting of Mr. S.K. Meher (Organizing Secretary), Major (Dr.) Anil Kuthiala (Jt. Organizing Secretary) and Ashu (Assistant to the Organizing Secretariat) worked hard and toiled to make the conference a grand success.
The scientific committee comprising of Dr. S.B Gogia, Prof. Khalid Moidu, Prof Arindam Basu, Dr. S Bhatia, Dr. Thanga Prabhu, Dr. Karanvir Singh, Tina Malaviya, Dr. Kamal Kishore, Dr. Vivek Sahi, Spriha Gogia, Dr. Supten Sarbhadhikari, Dr.Sanjay Bedi, Mr. Sushil Kumar Meher actively reviewed all papers for the various scientific sessions.
Container Workload Security Solution Ideas by Mandy Sidana.pptx (Mandy Sidana)
Case study for coming up with good candidate ideas for a new entrant in the CNAPP market (Cloud Native Application Protection)
The imagined audience for this presentation is the leadership at a startup in the CNAPP space being presented by a product manager exploring the solution space for an MVP.
Evolving technologies and business models have led to advanced network security threats that never existed a few years back. Moreover, enterprises are also relying on outdated security solutions to shut out such threats and this is leading to bigger and frequent data breaches. So if your company recognizes the need for a reliable IT security solution, then you should join our webinar to learn the following:
- An overview of the prevalent enterprise security threats
- The evolving security landscape and the obsolete security mechanisms
- What Seqrite does to ensure enterprise security and network compliance
1. Proactive Security Intelligence for Smart Utilities
September 11, 2012
Canadian Utility Telecom Conference, Vancouver, Canada
Seema Sheth-Voss
ssvoss@coresecurity.com
CORE Security
PAGE 1
2. What is so difficult about cyber security?
3. Let’s cover the threat landscape
Stuxnet: “Most Sophisticated Malware Ever”
● Artifact: autonomous, highly-targeted sabotage-oriented worm
● Adversary: nation-state military / intelligence
● Most likely vector: compromised insider (USB drive!)
● Evaded:
  ● Firewalls
  ● AV
  ● Patching
  ● Host hardening
You can protect against the artifact, but not the adversary. If you are targeted, escalate.
4. Threat: High Tech, Targeted Attacks
● Flame: forged Microsoft update certificate
● DuQu: zero-day kernel exploit embedded in Word document
● Gauss: encrypted payload – can only be decrypted on target machine
● Nation-state adversaries, but still manual remote control
Conventional ICS security guidance does not address targeted attacks
5. Threat: Low Tech, Targeted Attacks
● Night Dragon, Shady RAT
● Trick users into providing passwords, installing malware
● Custom malware, tested to evade anti-virus
● Remote control: steal credentials, propagate
● Steal administrator credentials, create own passwords
● Create accounts, don’t guess long passwords
● Firewalls allow connections with passwords
Conventional ICS security guidance does not address targeted attacks
6. Threat: High-Volume Attacks
● Authors: organized crime
● Black market – stolen credit card number $0.25, stolen bank account / password $1.00
● High volume, auto-propagating, indiscriminate attacks – compromise hundreds of thousands or millions of machines and extract pennies of value from each
● Target of conventional anti-virus solutions
Viruses, worms and bot-nets are the pervasive “background noise” of the Internet. Any interaction with the Internet risks contamination.
8. Challenge in securing critical infrastructures..
Technology stack, top to bottom:
● Management software layer: Windows or Linux based (NOT as air-gapped as we think!!)
● Hardware and software protocols
● SCADA (device level)
9. Layered controls at each part of technology stack but no correlation
• The vast majority at the management software layer are built to defend, react or monitor
• This model has inherent gaps:
  − Overwhelming amounts of data
  − Little correlation / communication between solutions
  − By the time alerts go off, it’s too late
10. Key standards and mandates provide a starting point
Key standards and guidance documents, with description:
● NERC Standards CIP-002-4 through CIP-009-4: Cyber asset identification, security controls, physical security management, incident response and recovery planning
● NIST SP 800-137: Continuous Monitoring Framework
● FERC: Approved NERC CIP rules in 2008 and in addition looks to NIST; coordinates with NIST
● Canadian Standards Council: Task force on Smart Grid Tech & standards created by National Committee of IEC; promotes harmonization with NIST and NERC
.. The non-technical “managerial and organizational process” controls (e.g. NIST) are just as important as the technical controls.
11. Findings of the ICS-CERT across 150 incidents
People
• Failure to perform risk and consequence analyses
• Lack of situational awareness and training on cyber threats such as spear phishing
• Lack of minimum standards
Process
• Business silos – IT and control systems need to be safeguarded as ‘one’
• Policy on removable media and security maturity
• Lack of incident response planning
Technology
• No risk assessment and impact analysis
• Network segmentation
• Patch management in test bed
• User access/log on
• OS & Firmware
Source: US Dept. of Homeland Security Industrial Control Systems Cyber Emergency Response Team 2011 Summary report
12. Proactive Security Intelligence - Taking a performance and analytics driven approach
● What is happening? Why? What is likely?
● What really matters and what doesn’t?
● What should we do about risks?
● How do we convey the risk to get action?
13. What is happening? What is likely?
Diagram: a network simulation or VM clone of the utility environment (network operations center, alarm to monitor temperature, management software for the PLC) used as the target of penetration testing.
Penetration Testing: multi-vector, multi-surface and ‘what-if’ testing helps us think like an attacker
14. What is happening? What is likely..
Unique challenges across distribution and corporate monitoring networks - Local privilege escalation and spear phishing are examples
15. A predictive security architecture and process offers a risk-based approach for proactive insights.
1. Environment Profiling and security data collection: Tell Insight about your environment.
2. Campaign Definition: You define critical IT assets (aka goals), scope and timing.
3. Threat Planning and Simulation: Insight calculates likely attack paths to your defined assets.
4. Threat Replication: Insight attempts to exploit vulnerabilities along the paths.
5. Adaptive Path Adjustment: Insight seeks new paths as systems are compromised.
6. Infrastructure Change: Campaigns can automatically adapt as you deploy new systems (New system added to environment!).
Outcome of each cycle: Security Verified!
16. What really matters?
Get above the noise of the security data..
Cycle:
● Scan data: Discover assets, collect incident data and scan for vulnerabilities
● Identify and prove critical exposures (Exploit)
● Incident and Remediation: Apply patches and other updates
● Repeat Pen Testing (Exploit): Validate fix effectiveness
Remove false positives and make sense of the noise..
17. Value of getting above the noise of data
Before
• Small security staff
• Needed to scale and enhance testing, understand risk to most critical assets
• Getting 82,000 vulnerability signatures from scanner
• Yet only working on 300 results due to resource constraints (hopefully the right 300?)
• Yearly vulnerability management cost: $144,000
• Yearly remediation/Patch management estimate at 300 tickets passed to IT: $700,000
After
• Proactively determine attack path across 1000 assets
• Identified the 30 most critical exploitable vulnerabilities of the 82,000 worth addressing first
• Prioritize & validate vulnerabilities
Savings
• VM costs per year: $43,200
• Trouble tickets passed ~ 30
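The campaign cycle of slide 15 and the scan / prove / remediate / re-test loop of slides 16 and 17 can be sketched as a small attack-graph model. What follows is an added example, not Core Security's or CORE Insight's code: hosts carry scanner findings, only findings confirmed exploitable are kept, simple paths from Internet-exposed hosts to the defined critical assets are enumerated, and findings are ranked by how many of those paths they sit on. Re-running the enumeration after a fix is the "validate fix effectiveness" step. The host names, vulnerability ids, reachability rules and exploitable flags are constructed sample data, and path counting is one simple ranking heuristic, not the product's algorithm.

```python
"""Attack-path based vulnerability prioritization (constructed example)."""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vuln:
    vid: str
    exploitable: bool       # confirmed by a controlled exploit attempt, not just a scanner signature
    remote: bool = True     # True: usable over the network from an already compromised neighbour;
                            # False: needs user interaction (e.g. spear phishing), usable only as an entry


@dataclass(frozen=True)
class Host:
    name: str
    reaches: frozenset      # hosts this one may open connections to (firewall / segmentation rules)
    vulns: tuple            # Vuln findings reported for this host
    critical: bool = False  # a defined goal, e.g. the PLC management workstation
    external: bool = False  # exposed to the Internet (services) or to Internet content (users)


def sample_environment():
    """Constructed utility network: DMZ web server, corporate workstation, historian, PLC mgmt."""
    return {
        "web":       Host("web", frozenset({"corp-ws", "db"}),
                          (Vuln("V-1001", True), Vuln("V-1002", False)), external=True),
        "db":        Host("db", frozenset(), (Vuln("V-2001", False),)),
        "corp-ws":   Host("corp-ws", frozenset({"historian"}),
                          (Vuln("V-3001", True), Vuln("V-PHISH-01", True, remote=False)),
                          external=True),
        "historian": Host("historian", frozenset({"plc-mgmt"}),
                          (Vuln("V-4001", True), Vuln("V-4002", True))),
        "plc-mgmt":  Host("plc-mgmt", frozenset(), (Vuln("V-5001", True),), critical=True),
        "printer":   Host("printer", frozenset(), (Vuln("V-6001", True),)),  # exploitable, leads nowhere
    }


def attack_paths(hosts):
    """Enumerate simple paths of (host, vuln) hops that end on a critical host.

    A hop to a neighbour requires a confirmed, network-exploitable finding on it;
    the first foothold on an external host may also use a user-interaction finding.
    """
    paths = []

    def walk(cur, path, visited):
        if hosts[cur].critical:
            paths.append(tuple(path))
            return
        for nxt in sorted(hosts[cur].reaches):
            if nxt in visited:
                continue
            for v in hosts[nxt].vulns:
                if v.exploitable and v.remote:
                    walk(nxt, path + [(nxt, v.vid)], visited | {nxt})

    for name, host in hosts.items():
        if host.external:
            for v in host.vulns:
                if v.exploitable:
                    walk(name, [(name, v.vid)], {name})
    return paths


def prioritize(hosts):
    """Rank findings by the number of critical-asset paths they appear on, most first."""
    return Counter(vid for p in attack_paths(hosts) for _, vid in p).most_common()


def noise(hosts):
    """Findings on no path to a critical asset: unconfirmed signatures or isolated hosts."""
    on_path = {vid for p in attack_paths(hosts) for _, vid in p}
    return sorted(v.vid for h in hosts.values() for v in h.vulns if v.vid not in on_path)


def remediate(hosts, vid):
    """Return a copy of the environment with one finding fixed, for fix validation."""
    return {name: replace(h, vulns=tuple(v for v in h.vulns if v.vid != vid))
            for name, h in hosts.items()}


if __name__ == "__main__":
    env = sample_environment()
    print("ranked:", prioritize(env))
    print("noise:", noise(env))
    fixed = remediate(env, prioritize(env)[0][0])
    print("paths left after top fix:", len(attack_paths(fixed)))
```

In the constructed environment nine findings are reported but only six lie on a path to the PLC management host; the finding on that host itself sits on every path, so fixing it first closes all of them, while fixing only the workstation's network-exploitable finding still leaves the spear-phishing entry open, which is the "adaptive path adjustment" case from slide 15.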
18. What should we do with security data? How do we convey risk and take action?
Enabling Performance Management like best practices for security
• Security Metrics and Reporting with Continuous Assessment
  • Status of the safeguards
  • Trending
  • Change management
  • Hand-off to remediation systems
• Enterprise Risk Management
  • Safety, continuity, operational implications
  • Business asset tagging
19. Benefits of a proactive security intelligence approach
Balancing risk mitigation with improved security ‘performance’
• Keep the bad guys out: Predict threats without disrupting operations
• Don’t break the bank: Eliminating data overload drives actionable insight and improves efficiency
• Demonstrate business impact: Convey implications of cyber risk – resiliency and operational continuity.
20. About Core Security
• Leading provider of predictive security intelligence solutions
− Established: 1996, first commercial product: Core Impact 2001
− Headquartered in Boston, CoreLabs in Buenos Aires
− 1,400 customers, ~200 employees
• Diverse, experienced organization driving segment leadership
− Experienced management -- backgrounds include Sophos, CA, Symantec, Seagate, IBM
− Active Customer Advisory Board and Core Customer Community group
− Recognized by leading analysts in the emerging category of Security Intelligence
− Consistent award recognition from industry groups and media
• Groundbreaking research & product development
− Leading-edge consulting services bring field experience
− CoreLabs vulnerability research team world renowned – has published more than 200 exploits
− High-profile research community involvement
− 6 patents approved / 7 pending
There is so much coverage of massive, costly attacks, and yet many warnings from the experts. There is huge talk of cyber security legislation in the US, which got stalled, but across the lines in this election year people know that a cyber war is possible, where our utilities, water plants etc. could be compromised. Andrew has done a great job of covering the nature and classes of the threats. Reason 1: the threat is real and more complex; its nature is stealthy, interconnected and hidden. A similar analog: for years, terrorist attacks occurred around the world. Each one tended to be viewed as a singular event, until September 11th, 2001. Suddenly, a pattern appeared and the size of the threat became clearer.
Another reason why this is hard and not talked about enough is our failure of communication. This cartoon hits home. The CEO seems okay, or our communication is limited to explaining the risk to brand, reputation or market position, in this case showing up in the news. In fact a CM survey of CEOs showed that, in spite of what is happening, mainly a real danger to business continuity, cyber risk is not even a topic at the board level. What we really need is a way to talk about cyber risk in the language of risk management.
Let’s talk about the technical challenge. For critical infrastructure particularly, we need to think systematically at every layer of the technology and then holistically. A lot of attention gets paid to SCADA, and rightly so. Here is an example of a vulnerability at the SCADA level, but we need to think about the hardware and software protocol and ultimately the management software, which ends up being a Windows or Linux machine connected to the big bad vulnerable internet. So we have a double whammy: devices never designed with cyber security in mind, and the need for the convenience of the public internet to monitor networks and manage the enterprise side of your business.
Now here is the challenge, and an unfortunate secret I hear from CISOs that I meet: they buy technology out of fear and greed. Someone in the IT department hears about a new virus or vulnerability, downloads and installs the latest patch, and they're done. Reactive big news gets a lot of attention; we go back to business as usual until the next time. Wikileaks happened at the State Department and many US federal departments rushed out to get data leak prevention software. You are all in a similar boat. Whether you are the CIO, telecom network exec, business leader or the security leader, I think we all recognize that we need a different approach. Here is what happens with all that spending: we think we are doing a good job, but now we have ended up with a new problem. All the stuff is actually creating more noise and distracting us from the real threat. What we really need is a system or platform that is proactive and predictive, one that helps us manage, validate and correlate our data and alerts.
Now let’s shift gears. Legislation and standards get the threat and have done a laudable job of offering frameworks and guidelines. I am not going to read these; I am assuming you know that there is actually a lot of consensus across states, Canada and even the ENISA guidelines. What is most important is the non-technical controls. I advocate the continuous monitoring framework, SP 800-137, as a starting point. In fact Ron Ross, who is a NIST Fellow, in a recent talk put up a slide for FS, technology and CIP CISOs showing two lists of control categories: technical, such as encryption and vulnerability assessment (which is CORE’s business), in one column, and a second that was all about security training, management, awareness, analytics and operations. Humans are the weak link, and without organizational and process oversight no amount of investment in technology is really enough.
Here is another, more post-mortem view from ICS-CERT, specifically across critical infrastructure companies (water, energy), and we see that the people and process gaps on standards, simple things like password updating, adherence to simple patch management and employee awareness were the root causes of incidents, more so than the technical ones.
At CORE we’ve been working closely with clients on a different way to not just get ahead of the threat but manage their security posture and help them gain business-level commitment on security investments. I used to work in business intelligence, and the same performance management and predictive analytics framework can apply to security data and management.
What is happening and what is likely? Back to the interconnected nature of the attacks: we need to think like the attacker. CORE has been in business for 14 years and we were the early pioneers of the approach now widely known as pen testing. Pen testing is a systematic approach to identifying weaknesses in already-deployed targets and exploiting those weaknesses. It is a vulnerability assessment followed by exploiting the vulnerabilities found during the assessment. “You are trying to break a system, without breaking the system.” What is unique about automated tools such as CORE Impact is that they are goal-oriented and multi-vector. After all, your critical assets aren’t just a web URL or a network; they are a business, data and process collection which has multiple types of IT assets underneath. Pen testing simulates the actions of the attacker, who exploits the weak links in the management software, not the SCADA devices which you think are air-gapped. And attackers think multi-surface, across networks, web and endpoints, and use weak links like admin email and phishing to gain deeper privileges such as administrative rights, to burrow deeper into control systems or transmission layers.
This is what we call an attack path map. The target machine might be the controls at your NOC or the alarm system that manages the water temperature. What we are seeing is that web attacks on enterprise sites, call centers, or social engineering attacks are the common ways of entry.
Now let’s imagine taking an army of pentesters and codifying their expertise into a scalable and automated platform, essentially testing not a subset of goal machines but an entire division or corporation, or the network, web applications and endpoints that collectively form your smart grid infrastructure. What we have done at CORE is take all the expertise of humans and the exploit algorithms from the tools and essentially create an engine, or enterprise service bus, for security. Here is how it works. CORE Insight first gathers information about all assets in the target test and collects any existing security data, say from IPS, firewalls and scanners. The most important aspect is that we allow the security director to prioritize assets based on business need and criticality; so in our case it would be web applications or monitoring systems across a region. We then take that information and calculate the attack paths and probabilities of success via a simulation and threat replication. If the test is being conducted in live mode, Insight will attempt to exploit the possible vulnerabilities which are burrowed deep into your environment or the goal machine. If Insight doesn’t find anything, it continues to look for newer possible and probable paths, and the test campaign adjusts as new servers, configurations etc. are added into the environment. Note we can also eliminate certain assets in a subsequent run if there are no changes or the asset isn’t deemed critical.
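The attack path map and the "calculate the attack paths and probabilities of success" step above are easier to reason about with a small model in hand. The following is an added example, not Core Insight's code or algorithm: it takes a constructed asset graph (internet, enterprise web portal, call-centre workstation, admin mailbox, domain controller, SCADA management host) in which every step carries an illustrative, made-up probability of succeeding, enumerates every simple path to the goal asset, ranks them, and then re-runs the ranking after a mitigation so a defender can see which control removes the most probable route. All asset names and probabilities are assumptions.

```python
"""Attack path model over a constructed asset graph (added example, not Core's code)."""
from typing import Dict, List, Tuple

Edge = Tuple[str, str, float]   # (source asset, target asset, P(step succeeds))

# Constructed sample graph: a multi-vector route from the internet, via the
# enterprise side (web portal, call-centre workstation, admin mailbox), into
# the SCADA management host. Probabilities are illustrative guesses only.
SAMPLE_EDGES: List[Edge] = [
    ("internet", "web_portal", 0.6),
    ("internet", "call_center_ws", 0.5),        # phishing a call-centre user
    ("web_portal", "app_server", 0.4),
    ("call_center_ws", "admin_mailbox", 0.7),   # reused credentials
    ("admin_mailbox", "domain_controller", 0.3),
    ("app_server", "domain_controller", 0.2),
    ("domain_controller", "scada_mgmt", 0.9),   # management host, not the PLCs
    ("app_server", "scada_mgmt", 0.1),
]


def adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, float]]]:
    """Build a successor map: asset -> [(next asset, step probability)]."""
    adj: Dict[str, List[Tuple[str, float]]] = {}
    for src, dst, p in edges:
        adj.setdefault(src, []).append((dst, p))
    return adj


def attack_paths(edges: List[Edge], source: str, goal: str) -> List[Tuple[float, List[str]]]:
    """Enumerate every simple path from source to goal with its success
    probability (product of step probabilities; steps treated as independent,
    which is a simplifying assumption). Sorted most probable first."""
    adj = adjacency(edges)
    found: List[Tuple[float, List[str]]] = []

    def walk(node: str, path: List[str], prob: float) -> None:
        if node == goal:
            found.append((prob, path))
            return
        for nxt, p in adj.get(node, []):
            if nxt not in path and p > 0.0:      # no cycles, skip closed steps
                walk(nxt, path + [nxt], prob * p)

    walk(source, [source], 1.0)
    found.sort(key=lambda t: t[0], reverse=True)
    return found


def most_probable_path(edges: List[Edge], source: str, goal: str) -> Tuple[float, List[str]]:
    paths = attack_paths(edges, source, goal)
    return paths[0] if paths else (0.0, [])


def with_control(edges: List[Edge], src: str, dst: str, new_p: float) -> List[Edge]:
    """Copy of the graph with one step's success probability replaced, to model
    a mitigation (e.g. MFA on the admin mailbox, 0.0 = step closed) before re-running."""
    return [(s, d, new_p if (s, d) == (src, dst) else p) for s, d, p in edges]


if __name__ == "__main__":
    for prob, path in attack_paths(SAMPLE_EDGES, "internet", "scada_mgmt"):
        print(f"{prob:.4f}  {' -> '.join(path)}")
    hardened = with_control(SAMPLE_EDGES, "admin_mailbox", "domain_controller", 0.0)
    print("after control:", most_probable_path(hardened, "internet", "scada_mgmt"))
```

On the sample graph the phishing route through the call centre and admin mailbox is the most probable path to the SCADA management host; closing the mailbox-to-domain-controller step (the mitigation modelled by `with_control`) drops the best remaining path to the web portal route with less than half the probability, which is the kind of comparison the text's "probabilities of success" step is meant to support for remediation planning.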
That brings us to the next question in our framework: what really matters? Remember I talked about all the reactive and detective controls. So say you have an incident management system, or you went and invested in scanner or sniffing technology; pen testing is a great way to drill further and pivot in to figure out what is real. Here is what happens if you don’t: your security teams will spend precious time chasing false positives or noisy data while the attacks keep coming, and your downstream IT teams who are responsible for remediation will simply shut security out, because they don’t believe the threat is credible, plus they never have enough resources.
Here is an example from a lab under the Department of Energy. They were getting 82,000 signatures from their scanning technologies but only getting to 300. With a highly scalable and automated solution for security assessment and attack planning, this agency was able to pinpoint the 30 most exploitable vulnerabilities, saving both cost and effort in their security team and also the downstream IT remediation effort.
Finally, to the final question in our framework: how do we convey risk to the board and management? CORE solutions have been critical in driving performance management-like best practices for security. First, the CISO or director can continuously test and report the status of the safeguards and whether or not they are working, and capture the trending. From a performance viewpoint these guys want to fix or remediate the most critical exposures, managing the workflow with IT on the most critical priorities. Also, the thing about vulnerability is that change in the IT environment is constant, so it is about keeping on top of what is most critical at any given time. Last, CISOs are eager to have something that they can take to their Monday morning meeting with their boss, whether it is the CIO or the chief compliance or audit team. We relate the technical language to the business systems or domains, e.g. network centers, operations, labs, enterprise systems such as call centers, and of course the critical networks that form the support infrastructure of transmission and power distribution. I.e. the basic discussion is what a vulnerability, or red on the asset heat map, means in terms of continuing operations, safety of personnel, impact to customer services, or potential disruptions, and having a clear pulse on that at all times.
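The two passages above describe the same pipeline from different ends: cutting 82,000 scanner signatures down to the few validated exploitable findings that get tickets, and then rolling those up into a business-domain heat map for management. The following is an added example, not Core's code or scoring model: it takes a constructed set of scanner findings, each tagged with the business domain it sits in and whether a test campaign actually validated the exploit, scores them so that validated exploitability and asset criticality outweigh the raw CVSS number, picks the ticket budget from the top, and builds a per-domain red/amber/green summary. Finding IDs, hosts, domains, criticality weights, the 0.2 factor for unvalidated findings and the band thresholds are all assumptions.

```python
"""Prioritize scanner findings by validated exploitability and business
criticality, then roll them up into a domain heat map (added example, not Core's)."""
from typing import Dict, List

# Assumed business criticality per domain (1 = lab, 5 = transmission control).
CRITICALITY: Dict[str, int] = {
    "transmission_control": 5,
    "operations_noc": 4,
    "call_center": 2,
    "lab": 1,
}

# Constructed sample findings. "validated" = an exploit path was confirmed by
# the test campaign; IDs are placeholders, not real CVEs or real hosts.
FINDINGS: List[Dict] = [
    {"id": "F-001", "host": "hmi-01",     "domain": "transmission_control", "cvss": 9.8,  "validated": True},
    {"id": "F-002", "host": "hmi-01",     "domain": "transmission_control", "cvss": 7.5,  "validated": False},
    {"id": "F-003", "host": "web-portal", "domain": "call_center",          "cvss": 9.1,  "validated": True},
    {"id": "F-004", "host": "lab-ws-17",  "domain": "lab",                  "cvss": 10.0, "validated": False},
    {"id": "F-005", "host": "noc-jump",   "domain": "operations_noc",       "cvss": 6.5,  "validated": True},
    {"id": "F-006", "host": "lab-ws-18",  "domain": "lab",                  "cvss": 5.0,  "validated": False},
]


def risk_score(finding: Dict) -> float:
    """Validated exploitability dominates raw CVSS (unvalidated findings are
    down-weighted by an assumed 0.2), and business criticality scales the result."""
    exploit_factor = 1.0 if finding["validated"] else 0.2
    return round(finding["cvss"] * exploit_factor * CRITICALITY[finding["domain"]], 2)


def prioritize(findings: List[Dict], ticket_budget: int) -> List[str]:
    """IDs of the findings worth passing to IT, best first, within the budget."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f["id"] for f in ranked[:ticket_budget]]


def cvss_only(findings: List[Dict], ticket_budget: int) -> List[str]:
    """The naive ordering the text warns against: raw scanner severity only."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [f["id"] for f in ranked[:ticket_budget]]


def band(score: float) -> str:
    """Assumed thresholds for the asset heat map colours."""
    if score >= 25.0:
        return "red"
    if score >= 10.0:
        return "amber"
    return "green"


def heat_map(findings: List[Dict]) -> Dict[str, Dict]:
    """Per business domain: worst risk score, open finding count and colour band."""
    out: Dict[str, Dict] = {}
    for f in findings:
        cell = out.setdefault(f["domain"], {"max_score": 0.0, "open": 0})
        cell["max_score"] = max(cell["max_score"], risk_score(f))
        cell["open"] += 1
    for cell in out.values():
        cell["band"] = band(cell["max_score"])
    return out


if __name__ == "__main__":
    print("tickets (risk-ranked):", prioritize(FINDINGS, 3))
    print("tickets (CVSS only):  ", cvss_only(FINDINGS, 3))
    for domain, cell in heat_map(FINDINGS).items():
        print(f"{domain:22s} {cell['band']:6s} max={cell['max_score']:5.1f} open={cell['open']}")
```

With a budget of three tickets the risk-ranked list leads with the validated finding on the transmission-control HMI and the NOC jump host, while the CVSS-only ordering would have sent IT the unvalidated 10.0 on a lab workstation first; the heat map then gives the Monday-morning view the text describes, with "red" on transmission control meaning a confirmed exploitable exposure on the most critical domain rather than a raw scanner count.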
In summary, the benefits of this approach and platform: we want to keep the bad guys out before they get in and at the same time achieve a good level of confidence in the risk we are taking, at a reasonable cost. Security spending doesn’t need to be fear driven but should be treated like any other IT spend. I strongly believe that we need a different level in our security conversations and to translate cyber risk into enterprise risk.