The document discusses the emerging threat of hardware trojans - malicious code implanted directly into computer chips during the manufacturing process. This could allow attackers to manipulate data, shut down systems, or turn devices into bugs. While difficult to do, it could be done by intelligence agencies or well-funded criminals. Experts are developing techniques like hardware modeling to detect trojans in chip designs before manufacturing. Government agencies are also releasing best practices for organizations to evaluate supplier trustworthiness and mitigate these risks.
Ghosts in the Machine: Attacks May Come From Inside Computers
by Shane Kite
AUG 19, 2009 5:15am ET
The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.
Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va.
Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit, serve attackers' purposes and escape notice.
"You can never really test every single combination on the chip. Testing a billion transistors would take a very
long time. It would be very difficult to detect hardware Trojans without having some idea of what you're
looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of
Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable
Integrated Circuits."
Tampered chips can be made to manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say.
While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreign
intelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations--
there are simpler ways to infiltrate hardware, they say. Attackers of financial systems could, for instance, attach
a tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store,
or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware.
To combat the threat, the National Institute of Standards and Technology (NIST), the federal government's
technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of
best practices for government and industry to mitigate security risks to hardware included in the IT supply
chain.
Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardware
tampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the public
realm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot program
underway with Defense. The Department of Homeland Security and Department of State are involved, as well,
parties interviewed for this story say.
The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, which the federal government will be required to follow to ensure its own supply chain security.
The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," said
Marianne Swanson, NIST's senior advisor for information system security.
The key to mitigating hardware as a malware vector is to establish methods for evaluating the trustworthiness of equipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done this by establishing a "trusted access program," begun in 2004, whereby organizations including the DoD and National Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell. To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S. companies, and staffed with U.S. citizens with security clearances.
Right now, only government agencies use the trusted foundries; they currently lack the capacity to add commercial, private-sector business. Because they are not outsourced, the programs are also expensive.
However, investment banks and private utilities joining the trusted foundry program via the chip and network
hardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith,
particularly if hardware hacking "becomes more prevalent, like software viruses have become."
What has experts worried is that much of commercial circuit-building is done by contractors overseas. So the
chance that bad actors can subvert the supply chain and add spyware into hardware has risen.
To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or supplied from as many as 10 countries, which compete strategically and economically. Plus, as technology becomes more and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about, likely will escalate, the experts warn. Thus, financial firms should adjust their level of concern and awareness as the vectors for exploits get more sophisticated.
Reported hardware security practices at financial firms seem spotty at best, according to a June survey by the
Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created by
presidential decree to protect operations of financial services firms, as critical infrastructure. The group sought
to measure the level of awareness that financial firms have regarding the importance of hardware security; the
report includes 16 best practices meant to mitigate hardware threats.
More than 55 percent of firms surveyed said they verified the sources of their hardware components delivered to offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percent inspected the boards inside their routers for tampering prior to functional testing. None of them weighed their equipment. Although weighing wouldn't catch something as minuscule as microchip tampering, it might flag hardware with unwanted equipment attached to it, like a wireless modem.
Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's upcoming best practices, Swanson said.
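The three receiving checks the survey asked about (reconciling the bill of lading against purchase orders, weighing delivered units against the vendor's reference weight, and flagging boards for inspection before functional testing) can be turned into a routine loading-dock script. The following is an added example, not code from the article, FS-ISAC or NIST; the purchase orders, serial numbers, reference weights and the 30 g tolerance are all constructed sample values.

```python
"""Receiving-dock verification for delivered network hardware.

Added illustration of the checks described in the FS-ISAC survey: reconcile
the bill of lading against purchase orders, then compare each unit's measured
weight with the manufacturer's reference weight. Every record below is
constructed sample data, not a real shipment.
"""
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    po_number: str
    part_number: str
    quantity: int
    reference_weight_kg: float  # vendor-published weight per unit (constructed)


@dataclass
class LadingLine:
    po_number: str
    part_number: str
    quantity: int
    serials: list


# Constructed purchase orders on file.
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1001", "RTR-4800", 2, 9.50),
    PurchaseOrder("PO-1002", "SW-2400", 4, 4.20),
]

# Constructed bill of lading as it arrived at the dock.
BILL_OF_LADING = [
    LadingLine("PO-1001", "RTR-4800", 2, ["SN-A1", "SN-A2"]),
    LadingLine("PO-1002", "SW-2400", 4, ["SN-B1", "SN-B2", "SN-B3", "SN-B4"]),
    LadingLine("PO-1002", "SW-2400", 1, ["SN-B5"]),  # one unit more than ordered
    LadingLine("PO-9999", "CAM-1", 1, ["SN-X1"]),     # no purchase order on file
]

# Constructed dock-scale readings; SN-A2 is 60 g over its reference weight.
MEASURED_WEIGHTS_KG = {
    "SN-A1": 9.50, "SN-A2": 9.56,
    "SN-B1": 4.20, "SN-B2": 4.21, "SN-B3": 4.19, "SN-B4": 4.20, "SN-B5": 4.20,
}


def reconcile(purchase_orders, lading, measured, tolerance_kg=0.03):
    """Return a list of (severity, message) findings for the shipment."""
    findings = []
    po_index = {p.po_number: p for p in purchase_orders}
    received = {}  # po_number -> units received so far

    for line in lading:
        po = po_index.get(line.po_number)
        if po is None:
            findings.append(("HIGH", f"{line.po_number}: no purchase order on file "
                                     f"for {line.part_number} ({', '.join(line.serials)})"))
            continue
        if line.part_number != po.part_number:
            findings.append(("HIGH", f"{line.po_number}: part {line.part_number} "
                                     f"differs from ordered {po.part_number}"))
        received[line.po_number] = received.get(line.po_number, 0) + line.quantity

        # Weight check: an unexplained deviation is a cue to open the chassis
        # and inspect the boards before the unit goes anywhere near a network.
        for sn in line.serials:
            weight = measured.get(sn)
            if weight is None:
                findings.append(("MEDIUM", f"{sn}: not weighed"))
            elif abs(weight - po.reference_weight_kg) > tolerance_kg:
                findings.append(("HIGH", f"{sn}: weight {weight:.2f} kg deviates from "
                                         f"reference {po.reference_weight_kg:.2f} kg; "
                                         f"inspect board before functional test"))

    for po_number, count in received.items():
        ordered = po_index[po_number].quantity
        if count != ordered:
            findings.append(("MEDIUM", f"{po_number}: received {count} units, ordered {ordered}"))
    return findings


if __name__ == "__main__":
    for severity, message in reconcile(PURCHASE_ORDERS, BILL_OF_LADING, MEASURED_WEIGHTS_KG):
        print(f"[{severity}] {message}")
```

Run against the constructed data, the script reports the overweight unit SN-A2, the line with no matching purchase order, and the extra SW-2400 unit; a clean shipment returns an empty list. The tolerance should be set from the scatter of the vendor's own published weights, since packaging and cabling variation will otherwise produce noise.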
Smith and his colleague Jia Di, an associate professor at University of Arkansas' department of computer
science and engineering, are working on a tool that could detect hardware sabotage in chip design. They are
building a system that aims to flag and warn of abnormalities found either in the circuit design software, or in
chip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuit
manipulation.
Smith said they are basing the system on assessing chip designs, rather than testing the chip itself, because the former is the only feasible method that could successfully detect circuit exploits. This is for two reasons: chip manufacturing is highly automated and follows the directions of the design program explicitly, and the transistors themselves are too many to test actively and fully.
Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of the
chip design flow that will be running through malicious logic to make sure that nothing's been added onto your
chip before fabricating it."
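Smith's point that the design, not the fabricated part, is the feasible place to look can be illustrated with a much simpler check than the model-based tool he and Di describe: pin a digest of the reviewed netlist, diff the version about to be sent to the fab against it, and report which primary outputs any added or rewired gates can influence. The following is an added example and not the University of Arkansas tool; the toy netlist format, the two sample designs and the gate names are all assumptions of this example.

```python
"""Pre-fabrication design check: compare the netlist about to go to the fab
against a golden reference, report what was added or changed, and trace which
primary outputs those gates can reach. Added illustration only; the netlist
format and both sample designs are constructed."""
import hashlib
import re

GATE_RE = re.compile(r"^(\w+)\s*=\s*(\w+)\((.*)\)$")

# Constructed golden design: the reviewed, signed-off version.
GOLDEN = """
input a
input b
input enable
n1 = AND(a, b)
n2 = OR(n1, enable)
output n2
"""

# Constructed candidate: the same design with two gates inserted and n2 rewired.
CANDIDATE = """
input a
input b
input enable
n1 = AND(a, b)
t1 = XOR(a, enable)      # inserted
t2 = AND(t1, n1)         # inserted
n2 = OR(t2, enable)      # rewired to take t2 instead of n1
output n2
"""


def parse_netlist(text):
    """Parse the toy format into (inputs, outputs, gates); gates maps a
    signal name to (operation, tuple of input signals)."""
    inputs, outputs, gates = [], [], {}
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("input "):
            inputs.append(line.split()[1])
        elif line.startswith("output "):
            outputs.append(line.split()[1])
        else:
            m = GATE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable netlist line: {raw!r}")
            name, op, args = m.groups()
            gates[name] = (op.upper(), tuple(a.strip() for a in args.split(",")))
    return inputs, outputs, gates


def design_digest(text):
    """Stable SHA-256 over the parsed design, so the golden value can be
    recorded at sign-off and compared again just before tape-out."""
    inputs, outputs, gates = parse_netlist(text)
    canon = "\n".join(
        [f"in {n}" for n in sorted(inputs)]
        + [f"out {n}" for n in sorted(outputs)]
        + [f"{n}={op}({','.join(ins)})" for n, (op, ins) in sorted(gates.items())])
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_netlists(golden_text, candidate_text):
    """Gate names added, removed, or given different logic/inputs."""
    _, _, g = parse_netlist(golden_text)
    _, _, c = parse_netlist(candidate_text)
    added = sorted(set(c) - set(g))
    removed = sorted(set(g) - set(c))
    changed = sorted(n for n in set(g) & set(c) if g[n] != c[n])
    return added, removed, changed


def affected_outputs(netlist_text, gate_names):
    """Primary outputs that lie downstream (in fan-out) of the given gates."""
    _, outputs, gates = parse_netlist(netlist_text)
    consumers = {}  # signal -> gates that read it
    for name, (_, ins) in gates.items():
        for sig in ins:
            consumers.setdefault(sig, set()).add(name)
    seen, stack = set(), list(gate_names)
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(consumers.get(n, ()))
    return sorted(o for o in outputs if o in seen)


def check_design(golden_text, candidate_text, golden_digest):
    """Full report: digest match plus the structural diff and its reach."""
    added, removed, changed = diff_netlists(golden_text, candidate_text)
    return {
        "digest_matches": design_digest(candidate_text) == golden_digest,
        "added": added,
        "removed": removed,
        "changed": changed,
        "affected_outputs": affected_outputs(candidate_text, added + changed),
    }


if __name__ == "__main__":
    print(check_design(GOLDEN, CANDIDATE, design_digest(GOLDEN)))
```

On the constructed candidate the report shows the digest mismatch, the two inserted gates, the rewired `n2`, and that the insertion reaches primary output `n2`. A digest alone would say only that something changed; the reachability step is what tells a reviewer where to look, which matters when the design has millions of gates rather than five.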
Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech has
offered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects from
hardware-based Trojans for high-performance processing within vital applications. It scatters separate parts of
the encryption key needed to boot the hardware across different pieces of the chip and also embeds memory
onto the chip, so vital data can't be accessed externally. Financial firms have expressed interest in purchasing
systems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.
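The principle behind scattering a boot key across separate parts of a chip is that no single region, and no subset short of all of them, reveals the key, so an attacker who can read or alter one region gains nothing and a tampered region simply prevents boot. The following is an added example of that principle using XOR key fragments; it is not CPU Tech's scheme and says nothing about how the Acalis chip actually stores its key. The region names, the sample key and the boot-ROM digest check are constructed for the example.

```python
"""Split a boot key into fragments held in separate on-chip regions so that
no single region reveals the key. Added illustration of the principle the
article describes, not CPU Tech's design; region names and keys are constructed."""
import hashlib
import os


def xor_bytes(*parts):
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("fragment length mismatch")
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


def split_key(key, n, rng=os.urandom):
    """n-1 fragments are uniformly random; the last is chosen so the XOR of
    all n equals the key. Any n-1 fragments are therefore independent of it."""
    if n < 2:
        raise ValueError("need at least two fragments")
    fragments = [rng(len(key)) for _ in range(n - 1)]
    fragments.append(xor_bytes(key, *fragments))
    return fragments


def recover_key(fragments):
    """The key exists only once every fragment is brought together."""
    return xor_bytes(*fragments)


def keys_consistent_with(known_fragments):
    """Brute-force demonstration for a one-byte key: with one fragment
    missing, every one of the 256 key values remains equally possible."""
    if any(len(f) != 1 for f in known_fragments):
        raise ValueError("demonstration restricted to one-byte keys")
    partial = xor_bytes(*known_fragments)
    return {xor_bytes(partial, bytes([m])) for m in range(256)}


def provision(key, region_names, rng=os.urandom):
    """Scatter the key over the named regions (constructed names) and return
    the region map plus the digest a boot ROM would verify against."""
    fragments = split_key(key, len(region_names), rng)
    return dict(zip(region_names, fragments)), hashlib.sha256(key).hexdigest()


def try_boot(regions, expected_digest):
    """Reassemble the key from every region; refuse to boot if any region is
    missing or altered, because the reassembled key will not match."""
    try:
        key = recover_key(list(regions.values()))
    except (ValueError, IndexError):
        return False
    return hashlib.sha256(key).hexdigest() == expected_digest


# Constructed region names standing in for physically separate chip areas.
REGIONS = ["efuse_bank0", "efuse_bank1", "otp_block", "boot_rom_patch"]

if __name__ == "__main__":
    regions, digest = provision(bytes(range(16)), REGIONS)
    print("boot with all regions intact:", try_boot(regions, digest))
    regions["otp_block"] = bytes(16)
    print("boot after one region altered:", try_boot(regions, digest))
```

The one-byte brute-force function makes the security argument concrete: given all but one fragment, the candidate set is the entire key space, which is what "a single region reveals nothing" means. Keeping the fragments and the reassembled key inside on-chip memory, as the article says the product does, is what stops the reassembly step itself from being observed from outside.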
According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks through supply chain sabotage, via subtle hardware or software manipulations, more feasible.
Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan, though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty.
"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott
Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent,
non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy
review.
Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."
Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, for
instance, is considered risky because of the increased likelihood that the purchaser could receive counterfeit
parts. In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warned
that the fake hardware could enable foreign agents to crack codes and bug secure networks.
This article can also be found at SecuritiesIndustry.com.