US Critical Infrastructures are Being Targeted by Actors in the Middle East – But Attribution is Difficult Thu, 19 Nov 2015 08:03:04 -0600 Dewan Chowdhury of Malcrawler gave a presentation at SecurityWeek's 2015 ICS Cyber Security Conference on ICS honeypots. Malcrawler created a honeypot that replicates the Energy Management System (EMS/SCADA) of a modern electric company, and the attackers it drew ranged from novices to sophisticated Advanced Persistent Threat (APT) actors sponsored by nation states. The honeypot let attackers believe they were controlling key parts of the power grid, including nuclear power generators, major transmission lines, smart grid distributed automation systems, and more. According to Chowdhury, large nation-state attackers would steal information pertaining to the electric grid, from fake transmission diagrams to RTU configuration files, but they never performed sabotage on the grid. Actors from the Middle East, on the other hand, would perform sabotage, from disconnecting nuclear plants to triggering relays on major transmission substations.

Two years ago, Kyle Wilhoit of Trend Micro gave a presentation at the 13th ICS Cyber Security Conference on ICS honeypots. From March to June 2013, Trend Micro observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet. Of these 74 attacks, 10 were considered "critical." Critical attacks are those without established motivations that can nonetheless cause the catastrophic failure of an ICS device's operation. 20% of the critical attacks came from Middle Eastern IP addresses; the attacks from Russia were not critical. Note that a source IP address only says where the traffic entered the honeypot, not who sent it: proxies, compromised hosts and rented infrastructure all hide the true origin, which is why attribution from honeypot data alone is difficult. Trend Micro has continued its honeypot research with very interesting results. GasPot, a honeypot also created by Kyle Wilhoit and fellow researcher Stephen Hilt, mimicked a Guardian AST gas pump monitoring ICS device. Similar to the earlier findings, the pair witnessed attacks across the US from several countries, namely Iran and Syria. These attacks could have caused supply chain damage, as a hacked gas pump monitor may stop the station from receiving gasoline.
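The distinction the two presentations draw, between intruders who only read data from the fake grid and intruders who issue control commands, is exactly what a honeypot's logging has to make visible. The following is an added example, not code from Malcrawler, Trend Micro or the original article: it assumes the honeypot speaks Modbus/TCP (the page does not name a protocol), validates the MBAP header, and labels each captured request as reconnaissance (read function codes 1 to 4) or potential sabotage (write function codes 5, 6, 15, 16). The sample captures and source addresses are constructed, and the "src" field is deliberately kept as an observation rather than an attribution.

```python
import struct
from dataclasses import dataclass

# Modbus function codes, per the Modbus application protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class Event:
    src: str        # source address as the honeypot logged it (an observation, not an attribution)
    unit_id: int    # Modbus unit identifier the request targets
    function: int   # Modbus function code
    address: int    # starting coil/register address, -1 if the PDU is too short to carry one
    verdict: str    # "recon" (read-only), "sabotage" (write), or "unknown"
    detail: str


def parse_modbus_tcp(frame: bytes):
    """Validate the 7-byte MBAP header and return (transaction_id, unit_id, pdu)."""
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus: protocol identifier %d" % proto)
    # The MBAP length field counts the unit id byte and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return tid, unit, frame[7:]


def classify(src: str, frame: bytes) -> Event:
    """Label one captured request as reconnaissance (reads) or sabotage (writes)."""
    _, unit, pdu = parse_modbus_tcp(frame)
    fc = pdu[0]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else -1
    if fc in READ_FUNCTIONS:
        return Event(src, unit, fc, address, "recon", READ_FUNCTIONS[fc])
    if fc in WRITE_FUNCTIONS:
        detail = WRITE_FUNCTIONS[fc]
        if fc == 5 and len(pdu) >= 5:          # single coil: 0xFF00 = ON, 0x0000 = OFF
            value = struct.unpack(">H", pdu[3:5])[0]
            detail += " -> %s" % ("ON" if value == 0xFF00 else "OFF")
        return Event(src, unit, fc, address, "sabotage", detail)
    return Event(src, unit, fc, address, "unknown", "function code %d" % fc)


def triage(captures):
    """Classify every (src, frame) pair and count the verdicts."""
    events = [classify(src, frame) for src, frame in captures]
    counts = {"recon": 0, "sabotage": 0, "unknown": 0}
    for ev in events:
        counts[ev.verdict] += 1
    return events, counts


# Constructed sample captures (not real honeypot data): source addresses come from the
# RFC 5737 documentation ranges, frames are hand-built Modbus/TCP requests to unit 1.
SAMPLE_CAPTURES = [
    # Read 10 holding registers starting at address 0: typical reconnaissance.
    ("192.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Write Single Coil, address 0x0010, value 0xFF00: e.g. energise a breaker relay.
    ("198.51.100.7", bytes.fromhex("0002 0000 0006 01 05 0010 ff00")),
    # Write Multiple Registers, address 0x0020, 1 register, 2 data bytes set to zero.
    ("203.0.113.4", bytes.fromhex("0003 0000 0009 01 10 0020 0001 02 0000")),
]

if __name__ == "__main__":
    events, counts = triage(SAMPLE_CAPTURES)
    for ev in events:
        print(ev)
    print(counts)
```

In a real deployment the honeypot would never act on the write requests; it only records them, and the `sabotage` verdict is what separates an actor mapping the grid from one trying to trip relays.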

In December 2014, Cylance issued the report "Operation Cleaver," stating that this is an Iranian state-sponsored campaign. According to Cylance, the campaign's intentions may be to damage ICS/SCADA systems and impact critical infrastructures. There is an intense focus on CI companies in South Korea, which could give Iran additional clout in its burgeoning partnership with North Korea. In September 2012, Iran signed an extensive technology cooperation agreement with North Korea, which allows for collaboration on various efforts including IT and security. I am drawing no conclusions about the December 2014 hacking of the South Korean nuclear plants. Within Cylance's investigation, there was no direct evidence of a successful compromise of specific ICS or SCADA networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies, data that would allow the attackers to directly affect the systems those companies run. This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.

Another relevant presentation at the 15th ICS Cyber Security Conference was by Jason Iler of Tripwire. He stated that for less than $10,000, Gleg offers a SCADA exploit pack with about 200 new ICS cyber vulnerabilities, including more than 90 "zero days". Combined with the Metasploit modules freely available on the web, this makes critical infrastructures an "easy" target.

I reviewed several papers from Iranian scientists and engineers on ICS cyber security. The authors were very knowledgeable in this area. Moreover, there was attendance from Iran and other Middle Eastern countries at the June 2015 International Atomic Energy Agency (IAEA) Nuclear Plant Cyber Security Conference in Vienna where a demonstration was performed on hacking the water pumps in a nuclear plant.

On November 12th, I attended a High Tech Criminal Investigation Association (HTCIA) meeting. The speaker was a Digital Forensic Examiner from one of the 16 ASCLD-accredited laboratories. When I asked, the Digital Forensic Examiner stated they did not have the capability for assessing ICS cyber issues (more on that in a separate blog).

Considering the vulnerabilities of our critical infrastructures as demonstrated by the red team exercise discussed at the 15th ICS Cyber Security Conference (an effectively NERC CIP-compliant utility being compromised within 30 minutes with no indication), the results of the ICS honeypots and other studies, the availability of ICS cyber exploits, and the lack of attribution, there should be more concern about the very viable cyber threat to our critical infrastructures.

Cross Posted from the Unfettered Blog

Copyright 2010 Respective Author at Infosec Island
Few Firms Prepared For Business Disruption Fri, 13 Nov 2015 07:32:36 -0600 Top disruptors include security, data access, mobility, access to talent; Fastest-growing companies turning them into growth opportunities

By investing in the right mix of technology and talent, global companies can turn business and market challenges – called "disruptors" – into competitive differentiation, according to a survey of more than 600 global senior executives by KPMG LLP, the U.S. audit, tax, and advisory firm.

Results from the survey, "Succeed in Constant Change," indicate top-performing companies are able to sustain growth and increase profits in the face of the near-constant change.

While more than three-quarters (76%) of executives polled said they saw disruption as constant and most likely increasing in the future, only 17% said their companies were prepared for the coming volatility with a strategic approach.

"The disruptors range from emerging competitors using new, disruptive business models to the explosion of data from always-on devices and revolutionary consumer experiences that force businesses to transform their entire operations," explained John Cummings, principal, KPMG U.S. Advisory Industry Leader for Industrial Manufacturing.


Survey respondents identified the following as the Top Five Potential Disruptors to their businesses:

  • Regulatory and legislative complexity and increasing rules (71%)
  • Shifts in security, including an emphasis on cyber security (63%)
  • Instantaneous and ubiquitous data access (60%)
  • Digital/Mobile-enabled workforce and consumers (58%)
  • Global access to talent and skills (49%)

To deal with these disruptions, executives from the fastest-growing businesses said they are investing in emerging technology, industry-specific technology, and specialized talent at a much higher rate than their slower-growing counterparts.

Fully 34% of faster-growing firms are investing in talent with emerging technology expertise, vs. 17% of slower-growing firms; 30% vs. 18% are investing in talent with industry expertise; 25% vs. 19% are utilizing cloud computing such as IaaS, PaaS and SaaS; only 25% of faster-growing firms vs. 34% of slower-growing firms are spending time updating "legacy" enterprise systems; and 39% vs. 29% spend more time leveraging industry-specific technology advancements.


Those surveyed also listed the Top Five Disruptors they saw as creating the most opportunity for their businesses, if leveraged effectively. These are:

  • Instantaneous/ubiquitous data access
  • Digitally enabled consumers
  • Multi-generational workforce
  • Global business complexity in their industry
  • Accelerated growth of enterprises

"The fastest-growing and the most profitable organizations are increasingly – and smartly – leveraging these disruptors to continually deploy new business models, accelerate decision-making, convert data into valuable knowledge and focus on the customer," said Steve Chase, KPMG's U.S. Advisory Management Consulting leader.

In fact, survey respondents whose companies were generating a profit of 11% or greater reported making 25% higher-than-average investments in digital and mobile. Areas of investment include engaging with customers, growing the digital enterprise and enabling a mobile workforce.

Survey Methodology

The KPMG survey polled 650 senior executives of large, multinational U.S. and U.K.-based enterprises. It also conducted 20 in-depth interviews with executives at leading firms across geographies and sectors. The companies surveyed ranged in revenue from less than $10 billion (43%); $10-49 billion (27%); to over $50 billion (30%). Job titles of survey respondents spanned the enterprise – from marketing and sales, IT, Operations, Finance and Accounting, management, professional services, to Research & Development and Human Resources.

An executive summary of the report is available online in PDF format.


Is the Joomla CVE in Your Enterprise Digital Footprint? Thu, 12 Nov 2015 12:32:33 -0600 CVEs are a fact of life for security professionals. There isn't a network anywhere in the world that is impervious to them. Your adversary relies on them to break into your network or take over your website. Learn what you can do to find CVEs before your foe does.

According to the security firm Sucuri, as many as 2.8 million sites have been vulnerable to SQL injection for two years due to a flaw introduced in version 3.2 of Joomla, the popular open source CMS software.

Joomla is the second most popular CMS according to W3Techs. It holds 6% of the market, which equals roughly 3 million sites.

For those in the business of spreading malware or phishing scams, this is a huge opportunity. The math is simple: hacking Joomla = pwning 2.8 million websites.

In a blog post, the hacker credited with breaching the security firms Gamma Group and Hacking Team explains how he or she mapped Gamma Group's digital footprint and found a way into the network.

So how can organizations catch up to the adversary? The problem is companies have the data sources, but lack actionable intelligence. This data is often out of date and lacks historical perspective or context. Instead, organizations need relevant information that enables security analysts to conduct focused investigations.

Enterprise Digital Footprint technology creates a catalog of the digital assets (i.e. websites, applications, IPs, ASN information, WHOIS, and DNS) associated with the company and its brand(s). It exposes what attackers see and provides an accurate, comprehensive, and sortable index of the organization’s footprint online--both good and bad.

This model can be used to identify and sort a list of Joomla 3.2 instances running in the company's digital footprint. The footprint reveals where the assets came from, who is responsible for them, and which, if any, of these assets could give attackers access to the organization's network. You can then take whatever steps are needed to plug the holes.
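What that triage looks like in practice, as an added example that is not code from the original article or from any footprint vendor: Joomla 3.x installs serve their core manifest at `/administrator/manifests/files/joomla.xml`, and its `<version>` element is the cheapest reliable fingerprint. The code below pulls the version out of a manifest, compares it against an affected range, and orders the inventory so that confirmed-affected and unfingerprintable hosts surface first, grouped by owner. The hostnames, owners and manifests are constructed; 3.2 as the lower bound is the version the article cites, while 3.4.4 as the upper bound is my assumption from the vendor advisory and should be verified against it before the list is acted on.

```python
import re
import xml.etree.ElementTree as ET

# Joomla 3.x installs serve their core manifest at this path; reading it is plain
# fingerprinting, not an exploit.
MANIFEST_PATH = "/administrator/manifests/files/joomla.xml"

# Affected range. 3.2 is the version the text above cites; 3.4.4 as the upper bound is
# an assumption taken from the vendor advisory and should be checked against it before use.
AFFECTED_MIN = (3, 2, 0)
AFFECTED_MAX = (3, 4, 4)


def parse_version(text):
    """'3.4.4' or '3.4.4-dev' -> (3, 4, 4); '3.2' -> (3, 2, 0); None if not a version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def version_from_manifest(xml_text):
    """Pull <version> out of a joomla.xml manifest; None if it is missing or not XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("version")
    return parse_version(node.text) if node is not None else None


def assess(asset):
    """(host, owner, version, status) for one footprint asset; 'unknown' means go and look."""
    version = version_from_manifest(asset["manifest"]) if asset.get("manifest") else None
    if version is None:
        status = "unknown"          # manifest blocked, not Joomla, or a non-standard install
    elif AFFECTED_MIN <= version <= AFFECTED_MAX:
        status = "affected"
    else:
        status = "not-affected"
    shown = ".".join(str(n) for n in version) if version else "?"
    return (asset["host"], asset["owner"], shown, status)


def triage(assets):
    """Affected assets first, then the ones nobody could fingerprint, grouped by owner."""
    rank = {"affected": 0, "unknown": 1, "not-affected": 2}
    return sorted((assess(a) for a in assets), key=lambda r: (rank[r[3]], r[1], r[0]))


def manifest(version):
    """Constructed stand-in for what GET <host>/administrator/manifests/files/joomla.xml returns."""
    return ('<extension version="3.6" type="file" method="upgrade">'
            '<name>files_joomla</name><author>Joomla! Project</author>'
            '<version>%s</version><description>FILES_JOOMLA_XML_DESCRIPTION</description>'
            '</extension>' % version)


# Constructed inventory: hosts use reserved example domains, owners are illustrative.
SAMPLE_ASSETS = [
    {"host": "www.example.com", "owner": "marketing", "manifest": manifest("3.4.4")},
    {"host": "blog.example.com", "owner": "comms", "manifest": manifest("3.4.5")},
    {"host": "old.example.net", "owner": "unassigned", "manifest": manifest("3.2.1")},
    {"host": "shop.example.com", "owner": "ecommerce", "manifest": None},          # manifest blocked
    {"host": "dev.example.com", "owner": "engineering", "manifest": "<html>404</html>"},
]

if __name__ == "__main__":
    for host, owner, version, status in triage(SAMPLE_ASSETS):
        print("%-20s %-12s %-8s %s" % (host, owner, version, status))
```

The "unknown" bucket is deliberately ranked above "not-affected": a host that refuses to give up its manifest (or an unowned host such as old.example.net above) is exactly the forgotten asset an attacker mapping the footprint will find first.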

The Digital Footprint approach turns the Internet into a research lab and levels the playing field, illuminating your company’s digital footprint and exposing your adversaries’ digital footprint so you can address weaknesses and block attacks.

Leveraging Graph Technology to Securely Grant Employee Access Thu, 12 Nov 2015 00:30:00 -0600 Cybercrime is on the rise: in 2014 alone, data breaches increased by 49%, with more than a billion data records stolen or compromised, which works out to 32 records lost or stolen every second. Recent incidents involving large financial institutions such as JPMorgan Chase have brought this to the forefront of media attention and ensured that it is high on the CIO's agenda.

With increased scrutiny on data regulation from security bodies and the rise of modern working practices, where more and more employees work remotely, organizations must ensure that only the right people access the right data. This can be a nightmare for all types of businesses to manage, but using graph databases could make it a thing of the past.

The threat of unsecure data

Every two days we create more data than we did from the dawn of civilization until 2003. Some of this data can be extremely sensitive, such as hospital records or bank details, carrying serious ramifications should it end up in the wrong hands. New laws are constantly coming into play, placing more responsibility on businesses for the safety of the data they look after.

And there are serious consequences should a company be found to breach these rules - not only could it tarnish an organization’s image, but they’ll also likely face hefty fines from the Information Commissioner’s Office (ICO). With this in mind, businesses must have an evolving strategy in place to keep data safe.

Giving the key to the right people

Recent research from Kaspersky Lab highlighted that for the first time accidental leaks by an employee overtook software vulnerabilities as the leading cause of data breaches. Organizations need to make sure that they have a plan in place to prevent these incidents following the wrong employee viewing or handling data they should not have had access to in the first place.

It is unthinkable that everyone within an organization should have access to the same information, files and servers. For example, you would not expect a bank branch assistant to be able to access the account information of top business clients, or a civil servant to be able to view critical files on international relations that are privy only to the Prime Minister. Equally, organizations need to ensure that the door is firmly closed to external threats, including hacking and malicious acts of fraud.

Although the issues might seem obvious, the problem is vastly complex. Particularly as organizations grow, expand overseas and increase mobile and remote working practices, the problem of access management intensifies. While most companies have an existing access management system in place, some simply aren't designed for the needs of new working practices, and in many cases the authorization process is a slow and painful one.

Guarding the Door

Good access management requires a comprehensive and intelligent system in place for quick and accurate identification of an individual’s right to view certain information. As workplaces become less driven by hierarchy, access to important information is no longer determined by an employee’s rank, it depends on other factors such as their specific role within the company and certain projects they might be working on.

This means a more granular and flexible approach to control is needed. This is where graph databases can help.

By their nature, graph databases are designed to query intricately connected data and can be used to identify problems and patterns quickly and easily. For example, when it comes to data access there are many questions that need to be asked, such as:

  • Who wants access?
  • How are they connected to the company and what is their role?
  • From where are they trying to access the data?
  • Have they tried to access this file before?
  • Do they work at the company?
  • If so, how long for and at what level?
  • And why do they need this data?

This is a lot of information that must be gleaned at once. Taking all of these factors into consideration is complex enough for just one individual, let alone when it needs to be done throughout an organization, on a daily basis, especially in an age where people expect immediate access to data that is usually requested online. Graphs can answer these queries in real time, so businesses don't need to rely on traditional methods such as cached permission lists, which take longer to process.

By storing all of this information and looking at an individual's connections to the other criteria (such as length of time at the company and their role), you can determine instantly whether that person should be granted access. This identification process is vital in today's environment, where a data leak of any kind can have disastrous consequences. Such activity is usually traced back to the wrong people, internal or external, having access to sensitive data.
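The questions in the list above map naturally onto a path query over a small property graph, and the following is an added example of that decision logic; it is not Neo4j code and not the author's own implementation. It assumes a policy in which access to a document is justified by the path person -MEMBER_OF-> team -ASSIGNED_TO-> project -OWNS-> document, gated by the requester's status, request location, clearance and (for restricted data) tenure. The organisation, people, documents and the six-month tenure threshold are all constructed for illustration.

```python
from collections import defaultdict


class AccessGraph:
    """Minimal in-memory property graph: nodes with properties, labelled directed edges."""

    def __init__(self):
        self.props = {}                    # node name -> property dict
        self.edges = defaultdict(list)     # node name -> [(label, neighbour), ...]

    def add_node(self, name, **props):
        self.props[name] = props

    def add_edge(self, src, label, dst):
        self.edges[src].append((label, dst))

    def paths(self, start, pattern):
        """All paths from `start` whose edge labels match `pattern` exactly, in order."""
        found, stack = [], [(start, 0, [start])]
        while stack:
            node, depth, path = stack.pop()
            if depth == len(pattern):
                found.append(path)
                continue
            for label, nxt in self.edges[node]:
                if label == pattern[depth]:
                    stack.append((nxt, depth + 1, path + [nxt]))
        return found


CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# The relationship that justifies access: the requester's team is assigned to the
# project that owns the document.
PROJECT_PATH = ("MEMBER_OF", "ASSIGNED_TO", "OWNS")
MIN_TENURE_FOR_RESTRICTED = 6   # months; assumed policy value, not from the article


def decide(g, person, document, from_location):
    """Return (allowed, reason); the reason names the justifying path or the failed check."""
    p, d = g.props[person], g.props[document]
    if not p.get("active", False):                                   # do they work here?
        return False, "%s is not an active employee" % person
    if from_location not in p.get("allowed_locations", ()):          # where from?
        return False, "requests from %s are not allowed for %s" % (from_location, person)
    if CLEARANCE[p["clearance"]] < CLEARANCE[d["classification"]]:   # at what level?
        return False, "clearance %s is below %s" % (p["clearance"], d["classification"])
    tenure = p.get("tenure_months", 0)
    if d["classification"] == "restricted" and tenure < MIN_TENURE_FOR_RESTRICTED:  # how long?
        return False, "tenure of %d months is below the restricted-data minimum" % tenure
    justification = [path for path in g.paths(person, PROJECT_PATH) if path[-1] == document]
    if not justification:                                            # why do they need it?
        return False, "no project relationship links %s to %s" % (person, document)
    return True, " -> ".join(justification[0])


def build_sample_graph():
    """Constructed sample organisation (not real data)."""
    g = AccessGraph()
    g.add_node("alice", active=True, clearance="confidential", tenure_months=30,
               allowed_locations={"london-office", "corp-vpn"})
    g.add_node("bob", active=True, clearance="internal", tenure_months=2,
               allowed_locations={"london-office"})
    g.add_node("carol", active=False, clearance="confidential", tenure_months=48,
               allowed_locations={"london-office"})                  # has left the company
    g.add_node("dave", active=True, clearance="restricted", tenure_months=3,
               allowed_locations={"corp-vpn"})
    for name in ("payments-team", "infra-team", "project-atlas", "project-zephyr"):
        g.add_node(name)
    g.add_node("atlas-design.doc", classification="confidential")
    g.add_node("atlas-budget.xlsx", classification="restricted")
    g.add_node("zephyr-runbook.md", classification="internal")
    for person in ("alice", "bob", "carol", "dave"):
        g.add_edge(person, "MEMBER_OF", "payments-team")
    g.add_edge("payments-team", "ASSIGNED_TO", "project-atlas")
    g.add_edge("infra-team", "ASSIGNED_TO", "project-zephyr")
    g.add_edge("project-atlas", "OWNS", "atlas-design.doc")
    g.add_edge("project-atlas", "OWNS", "atlas-budget.xlsx")
    g.add_edge("project-zephyr", "OWNS", "zephyr-runbook.md")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for who, doc, where in [("alice", "atlas-design.doc", "corp-vpn"),
                            ("bob", "atlas-design.doc", "london-office"),
                            ("alice", "zephyr-runbook.md", "corp-vpn")]:
        print(who, doc, where, decide(g, who, doc, where))
```

Every denial carries the name of the check that failed, which is what an auditor needs when a leak is traced back; and because the justifying relationship is computed from the graph at request time, removing a person from a team or a team from a project revokes access without touching any per-document permission list.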

Modern working has arrived, with people expecting data access at the drop of a hat from all over the globe. Coinciding with this is constantly changing data regulation, making access management an increasingly complex (but vital) task.

One thing is for certain: traditional methods of access management can no longer provide a robust system that can adapt to the rapid pace of technological change. With graphs, businesses have essential information at their fingertips to identify the right people in real-time and give them the secure access they are entitled to.

About the Author: Emil Eifrem is CEO of Neo Technology and co-founder of Neo4j, the world’s leading graph database. Before founding Neo, he was the CTO of Windh AB, where he headed the development of highly complex information architectures for Enterprise Content Management Systems. Committed to sustainable open source, he guides Neo along a balanced path between free availability and commercial reliability. Emil is a frequent conference speaker and author on NoSQL databases, and tweets at @emileifrem.

Keeping Data Secure: A Happy Marriage of Hardware & Software Thu, 12 Nov 2015 00:30:00 -0600 We've all heard the stories about being hacked, and perhaps even experienced it ourselves, whether by rogue individuals or organized criminal groups. Cybersecurity anxiety appears to be the new normal for our times. It seems not a week goes by without news of another prominent computer security breach. Recently, there's been "VENOM," a flaw in the virtual floppy controller shared by several software hypervisors, as well as the data breach at the Office of Personnel Management (OPM) that exposed the personnel files of four million U.S. government workers. Many of us have also received one or more notifications that our credit card or personal identity information may now be in the hands of these invaders.

There's nothing new in this, really. Willie Sutton enlightened us all a long time ago. He allegedly said he robbed banks, “Because that's where the money is.” Today, money and other valuable personal information are 1s and 0s, digital bits stored on servers. There's a real evolution from traditional crime to cyber-crime. Yesterday's bank vault is now a server and disc storage array in a data center. Instead of armed guards standing at the bank entrance, security now comes from computer access control and encryption guarding our assets.

With everything rapidly moving online, it's clearly a new age and one that is quickly growing and changing. The Internet of Things and cloud computing, two massive trends still unfolding, bring both benefits and threats. As everything becomes more connected, we gain greater services that improve our quality of life, such as being able to deposit checks and make payments from our smartphones. Organizations are better able to drive cost savings by improving asset utilization, enhancing process efficiency and boosting productivity. But at the same time, this connectedness creates new opportunities for outsiders looking to exploit security holes for their own profit.

The challenge is significant as individuals and organizations face daily peril of theft in the digital age. People are now faced with the task of protecting assets, whether on their smartphone or PC, and IT managers have to protect servers, business laptops, and other embedded computing nodes. Why embedded devices? Think about the multitude of new intelligent connection points where data is being collected: biometric authentication, mobile payment systems, toll roads, location tracking and smart electrical grids. The advent of autonomous cars will add a new wrinkle, as clearly a nefarious hack of the navigation and control system could prove disastrous. Already there are hacking efforts pointing to the potential for this vulnerability.

All of this is made more complicated by the vast technical complexities and mix of user needs. Companies, public entities and governments have mobile workforces, infrastructure and audiences that require global communications, cloud-based functionality, and adherence to strict regulations, all while compromising neither an employee's ability to bring their own device nor the organization's data security. At the same time, even though individuals and businesses need security, they aren't willing to sacrifice convenience or performance. To achieve this along with a greater level of security requires a combination of software and chip-level hardware. Hardware-based security augments available software tools because it cannot be remotely altered. A root of trust in the physical layer makes it far harder for malware, such as hypervisor-level rootkits, to infiltrate the operating system undetected.

Security-hardened platforms for PCs, servers, high-performance computing, and embedded devices make consumer and commercial workloads more secure through encryption acceleration, trusted execution environments, isolation of sensitive applications, secured authentication and dedicated key storage. To do this, hardware developers include a secure processor paired with high performance cryptographic engines.

Dedicated hardware in the form of a secure processor enables more secure computing, whether on a PC, laptop, server, or an embedded device. The hardware provides encryption acceleration to protect data without slowing the user's experience. Hardware-based encryption is considered more secure because the encryption keys are held inside the hardware, which poses a significant roadblock for an attacker trying to acquire them. In addition, hardware security implemented through a dedicated processor does not consume main system resources, which results in faster performance for security operations.

Hardware is only half of the security story. The best security comes from a combination of hardware and software. By building on an industry standard, customers gain access to proven security management software that includes virus detection, anti-malware, system management, data encryption and data geo-fencing. The software library meets the needs of the consumer, commercial and embedded markets and, because it is based on an open ecosystem, continues to grow.

We're now at a point where there's a crisis of trust, where cybersecurity is a fundamental requirement for modern computing. Without this, the developing trends of greater connectivity through cloud computing and the Internet of Things could possibly bring more risk than reward. As a provider of computer processors, it's incumbent on us to provide security options that seamlessly integrate with software and that enable customer choice. Individuals and businesses need full solutions to help protect consumer online experiences, corporate device and data management, security of cloud infrastructure, and the Internet of Things. Robust security hardware and software is key to securing our data future.

About the Author: Mark Papermaster is chief technology officer and senior vice president at AMD, responsible for corporate technical direction, and AMD’s intellectual property (IP) and system-on-chip (SOC) product research and development. His more than 30 years of engineering experience includes significant leadership roles managing the development of a wide range of products spanning from mobile devices to high-performance servers.

Is DDoS Mitigation as-a-Service Becoming a Defacto Offering for Providers? Wed, 11 Nov 2015 15:42:42 -0600 It’s well known in the industry that DDoS attacks are becoming more frequent and increasingly debilitating, turning DDoS mitigation into a mission critical initiative. From the largest of carriers to small and mid-level enterprises, more and more Internet connected businesses are becoming a target of DDoS attacks. What was once a problem that only a select few dealt with is now becoming a regularly occurring burden faced by network operators.

In my daily engagements with various customers of all shapes and sizes, it’s truly interesting to see how the approach to DDoS mitigation is changing. Much of this is the result of DDoS mitigation services shifting from a “nice to have” technology to a “must-have”, essential in order to maintain business continuity and availability.

When I built DDoS mitigation and detection services for Verizon back in 2004, the intent was to offer value-add, revenue-producing services to subscribers, in an effort to build out our security offerings. For many years, this concept was one that pretty much every provider I worked with was looking into: build a service with the intent of generating new revenue opportunity from customers when traditional avenues such as simple connectivity and bandwidth offerings were contracting.

However, in the past several months, as I interact with everyone from large-scale carriers to data center hosting providers, I am seeing a common thread starting to emerge: attracting new customers and retaining existing ones is becoming more difficult in the absence of differentiated value. Compounding this issue is that customers are starting to expect some of these services as part of their connectivity fees. What I'm seeing is more and more providers investigating the option of offering DDoS mitigation services to their customers by virtue of being connected to them, in an effort to attract them away from other providers who have limited service offerings and capabilities.

Could it be that DDoS mitigation services become a standard offering on a provider’s network? Is it feasible that at some point in the future DDoS mitigation will become an inherent capability provided by the service providers?

In order for this approach to become a reality, the economics of the game have to change. Inserting DDoS mitigation elements into the network needs to be reasonably inexpensive in order for carriers and hosting providers to justify the cost. The technology also needs to be simple and as close to automatic as possible, as an inherent service offering will not justify the huge expense and uplift of a team of operations personnel managing the service. Attacks need to be mitigated dynamically and quickly, without manual intervention and without the customer having to pick up a phone to get assistance. And lastly, whatever mechanisms are in place need to follow a "do no harm" approach, so that there is no collateral damage to good traffic.

File Insecurity: The Final Data Leakage Frontier Wed, 11 Nov 2015 12:40:00 -0600 The growth of cloud and mobile computing, the ease with which files can be shared and the breadth of collaboration methods have all contributed to greater sensitive data exposure. At the same time, the use of targeted attacks and sophisticated malware by nation states and organized crime has increased the probability of unauthorized data access. Between the 25.7 million individuals affected by the Office of Personnel Management (OPM) data breach and, more recently, the Experian data breach affecting 15 million T-Mobile customers, it is ever more apparent that organizations need to re-examine their defenses. IT professionals usually associate file protection with backup and encryption technologies within their network or at the gateway. But that conventional wisdom fails to protect file information throughout its lifecycle. To materially reduce the data leakage threat footprint, the last mile of defense is to protect the file itself.

Unfortunately, the protection of sensitive, confidential and regulated data within files being shared both internally and externally remains a significant source of exposure within many organizations. This lack of capability for controlling unstructured data as it moves through its lifecycle will not only yield more data privacy breaches but will also impact the adoption of advanced enterprise and cloud content management systems, as evidenced in the just-released Enterprise Management Associates (EMA) 2015 State of File Collaboration Security report (infographic PDF). The research shows a distinct gap between file security policies and practices and the efficacy of the technical controls in place at organizations to monitor and enforce those policies.

Key findings in the report revealed that more than 80 percent of mid-tier and large enterprise survey participants were aware of data leakage incidents in their organizations, and 50 percent experienced frequent incidents. While the majority of these organizations have enhanced technical controls and auditing, only 16 percent of the survey respondents felt highly confident in their file security investments, indicating an underlying lack of confidence in monitoring and enforcement capability. Fortunately, the vast majority of respondents, across IT, security and line-of-business roles, indicated that their organization plans to invest in stronger security controls.

As companies re-examine their enterprise content management (ECM) systems and determine investments in cloud-based ECM and enterprise file sync and share (EFSS) platforms, security has to be as important a consideration as usability, accessibility and interoperability. Organizations can have reasonable confidence that communications and storage are secure within their organization and even within the repositories and application containers of reputable cloud-based file storage and collaboration vendors. The elephant in the room is the risk of data leakage after a file has been appropriately accessed or delivered. In the EMA report, more than 90 percent of respondents named the lack of protection for files leaving cloud-based platforms or device containers as the highest risk to adopting cloud-based file storage and collaboration services.

When a file leaves the network perimeter, by way of a shared drive or email, or is pulled from a protected EFSS container, its security provisions degrade. We've all shared files with others in these systems, and then copied the file onto our device, forwarded it to another device or shared it with another user we trust who may be just outside the scope of intended recipients. Once this occurs, the rights and controls associated with the users and the document are no longer there to prevent saving, copying, pasting, printing or even screenshots. In a digital world, security controls must be persistent for files containing sensitive, confidential and regulated data, whether the file is shared internally or externally and regardless of the storage, delivery and collaboration method.

In today's digitally collaborative business, file security must accommodate a broader set of applications, constituents and collaboration mechanisms, including the use of cloud-based storage and sharing platforms. To solve this challenge, one approach to consider is next-generation file encryption and usage control platforms. These platforms separate file security from file storage, distribution and content management. Most information rights management (IRM) products are encumbered by complex and restrictive capabilities, limited to certain user, system and application types. Since the newer file security platforms are infrastructure-agnostic, they can offer faster onboarding for internal and especially external users. Moreover, rather than the usual boil-the-ocean IRM rollout across an enterprise, the newer file security solutions can be applied by use case, application, risk, department, recipient type and business need.

As data leakage incidents, information theft and public breach notifications increase, so too will the business and regulatory requirements to protect not only structured data, but also unstructured data throughout their lifecycles. Security professionals now have the opportunity to partner with business leadership to enable greater collaboration while managing new file data leakage risks. 

About the Author:  Scott Gordon, COO at FinalCode, Inc., is an accomplished leader who has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An infosec authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.

Copyright 2010 Respective Author at Infosec Island
SAP Security Notes November 2015 - Review Wed, 11 Nov 2015 12:19:56 -0600 SAP has released the monthly critical patch update for November 2015. This patch update closes 23 vulnerabilities in SAP products (15 Patch Day Security Notes and 8 Support Package Security notes), 13 of which are high priority, some of them belong to the SAP HANA security area. The most common vulnerability is Code injection. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov and Mathieu Geli were closed.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

  • A Remote termination of running processes vulnerability in SAP Plant Connectivity (CVSS Base Score: 7.1). Update is available in SAP Security Note 2238619. An attacker can use this vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, harms business reputation.
  • Use of Base64 and DES to encrypt passwords in SAP xMII (CVSS Base Score: 2.1). Update is available in SAP Security Note 2240274. Base64 is only an encoding and DES is an obsolete cipher, so neither offers real protection: a potential attacker who gets access to a stored password will recover it.
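The weakness behind the second note is that Base64 is reversible by definition and a 56-bit DES key is within brute-force reach, whereas a password that is only ever stored as a salted, slow hash cannot be turned back into its plaintext. The following Python is an added illustration, not SAP code and not ERPScan's: it decodes a constructed Base64 "encrypted" value to show that no secret is involved, then contrasts that with PBKDF2-HMAC storage and verification (bcrypt or scrypt would serve equally; PBKDF2 is used here because it is in the standard library). The sample password and the record format are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a password stored the weak way the note describes,
# i.e. merely Base64-encoded. No key is involved, so anyone who reads the
# value can undo it. (DES adds a 56-bit key on top, which is brute-forceable.)
WEAK_STORED_VALUE = base64.b64encode(b"Plant-Floor-2015").decode("ascii")


def recover_base64_value(stored: str) -> str:
    """Base64 is an encoding, not encryption: decoding returns the plaintext."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Store a password as PBKDF2-HMAC-SHA256 with a random per-password salt.

    The returned record carries everything needed to verify later, in the
    constructed form algorithm$iterations$salt$hash. The Base64 here is only
    transport encoding for random bytes, not a secret.
    """
    if not salt:
        salt = os.urandom(16)  # fresh salt per password: equal passwords get different records
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def hashes_differ_for_same_password(password: str) -> bool:
    """Two stores of the same password must differ because the salts differ."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("weak storage recovers:", recover_base64_value(WEAK_STORED_VALUE))
    record = hash_password("Plant-Floor-2015")
    print("stored record:", record)
    print("correct password verifies:", verify_password("Plant-Floor-2015", record))
    print("wrong password verifies:", verify_password("plant-floor-2015", record))
```

The contrast worth noticing is that `recover_base64_value` needs nothing but the stored value, while `verify_password` can only answer yes or no to a candidate and has to spend 200,000 iterations per guess doing it.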

Why are vulnerabilities in SAP xMII and SAP PCo critical?

The fact that different SAP applications are highly interconnected, not only with each other but also with manufacturing execution systems, plant floor systems, laboratory information management systems, and others, makes them an attractive target for cybercriminals. The vulnerabilities discovered by ERPScan’s researchers affect applications that act as a bridge between the industrial and the ERP worlds.

SAP Plant Connectivity (SAP PCo) is a solution designed to exchange data between an SAP system and the industry-specific data sources of different manufacturers, such as process control systems, plant historian systems, and SPC systems.

[Figure: Integration of PCo into the system landscape]

SAP xMII, or SAP Manufacturing Integration and Intelligence, provides the direct connection between plant floor and business operating systems. It consists of two components: manufacturing integration and manufacturing intelligence.

Let’s look at how it works. SAP business applications collect data about critical processes via SAP xMII (Manufacturing Integration and Intelligence). SAP xMII systems are connected with SAP PCo systems, which exchange information with OPC servers which, in their turn, have direct access to PLC devices and the systems that manage critical processes.

These vulnerabilities can be used as the starting point of a sophisticated multi-stage attack aiming to get control over linked systems. For example, an attack that is to be demonstrated at the BlackHat conference allows cybercriminals to gain access to devices that control such processes as Oil and Gas separation, Burner Management, Fiscal Metering, and Tank Management.

The most critical issues closed by SAP Security Notes November 2015

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2197100: SAP SCTC_REFRESH_EXPORT_USR_CLNT Function Module has an OS command execution vulnerability (CVSS Base Score: 7.1). An attacker can use this vulnerability to run operating system commands without authorization. Executed commands run with the same privileges as the service that executes them. The attacker can also access arbitrary files and directories in the SAP server filesystem, including application source code, configuration and critical system files, which allows obtaining critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2221082: SAP WEBCUIF and CRMUIF have a Cross-site request forgery vulnerability (CVSS Base Score: 6.8). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user's session by causing the user's browser to send a request containing a certain URL and specific parameters. The function will be executed with the authenticated user's rights. To do this, an attacker may use a cross-site scripting vulnerability or send a specially crafted link to a victim. Install this SAP Security Note to prevent risks.
  • 2001109: SAP Business Intelligence Authentication has an Information disclosure vulnerability (CVSS Base Score: 6.8). An attacker can use this vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and plan further attacks. Install this SAP Security Note to prevent risks.
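The CSRF item above works because the browser attaches the victim's session cookie to any request, whichever site started it. The standard defence is to require, on every state-changing request, a secret the attacker's page cannot read: a per-session token echoed back in the form body, backed by an Origin check. The Python below is an added example written for this review, not SAP's code; the request records, the application origin `https://crm.example` and the function names are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Methods that must never change server state; CSRF protection applies to all others.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed application origin (hypothetical host).
APP_ORIGIN = "https://crm.example"


@dataclass
class Session:
    """Server-side session holding a random anti-CSRF token a foreign page cannot read."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request that matter for the check (constructed)."""
    method: str
    origin: Optional[str]       # Origin header, or None when the browser sent none
    form_token: Optional[str]   # token the page echoed back in the form body, or None


def csrf_check(session: Session, request: Request) -> Tuple[bool, str]:
    """Decide whether a request may act with the session's rights.

    Returns (allowed, reason). The cheap Origin comparison runs first; the
    token comparison is constant-time so the token cannot be guessed byte by byte.
    """
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method, nothing to forge"
    # A cross-site form post carries the other site's Origin; a same-site one carries ours.
    if request.origin is not None and request.origin != APP_ORIGIN:
        return False, f"origin mismatch: {request.origin}"
    # Without the token, the request could have been built by any page on the web.
    if not request.form_token:
        return False, "missing anti-CSRF token"
    if not hmac.compare_digest(session.csrf_token, request.form_token):
        return False, "anti-CSRF token mismatch"
    return True, "token valid"


def evaluate_sample_traffic() -> Dict[str, bool]:
    """Run the check over constructed requests: one legitimate, the rest forged."""
    session = Session(user="crm-admin")
    samples = {
        "legit_form_post": Request("POST", APP_ORIGIN, session.csrf_token),
        "forged_from_other_site": Request("POST", "https://other.example", None),
        "forged_link_no_token": Request("POST", None, None),
        "forged_guessed_token": Request("POST", APP_ORIGIN, "guess" * 8),
        "plain_page_view": Request("GET", None, None),
    }
    return {name: csrf_check(session, req)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_sample_traffic().items():
        print(f"{name:24s} -> {'allowed' if allowed else 'blocked'}")
```

The `plain_page_view` case passes without a token on purpose: the protection only holds if state-changing functions are never reachable through GET, which is the other half of the fix for the "specially crafted link" path mentioned in the note.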

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on ERPScan's website. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Observations From the 2015 ICS Cyber Security Conference Tue, 10 Nov 2015 20:48:00 -0600 SecurityWeek 2015 ICS Cyber Security Conference – Neither the Grid, Nuclear Plants, nor other Industries are Cyber Secure

Recently several events coincided that affected ICS cyber security. Ted Koppel released his book on cyber attacks against the electric grid, Congress has been holding hearings on cyber security of the electric grid, President Obama has spoken about the cyber security of the electric grid, the Nuclear Regulatory Commission (NRC) just issued the Final Rule on cyber security event notifications, and the 15th ICS Cyber Security Conference was held October 26-29th in Atlanta.

The Conference showed that ICS cyber security is still a mixed bag. There were many attendees that actually understood ICS cyber security – progress! However, there were still many attendees that understood IT security but not the specific ICS cyber security issues. This was evident in some of the presentations that focused on Windows issues or network packet issues as well as a focus on compliance rather than security. There was also confusion about the relationship between safety and security.

I did not have a chance to hear all of the presentations, but there were several presentations that I believe have great significance to understanding cyber security (or lack thereof) in critical infrastructure. These specific presentations address the ease of compromising ICSs, the difficulty in securing them, and the lack of forensics for detecting control system cyber intrusions in all industries.

Ease of compromising ICSs

-  Cyberx described a compromise of a modern PLC with no foreknowledge of the device or firmware. (This event was provided to Rockwell who has subsequently issued a patch.) In the attack scenario, the attacker sends an email containing a malicious URL to a technician. The targeted technician might read his emails from a laptop that he also connects to the operational network as part of ongoing daily activities. If the malicious URL is opened when the laptop is connected to the operational network, a malicious JavaScript snippet is executed in the victim’s web browser and any network-accessible PLC that is plagued by the DoS vulnerability freezes. Researchers developed a piece of firmware that uses a special algorithm for searching the firmware code and mapping potentially vulnerable functions. The firmware is uploaded to a test device by bypassing a security mechanism for firmware validation, allowing experts to easily develop working exploits that can later be used against equipment that hasn’t been tampered with. In this case the CRC algorithm was used to upload the compromised firmware. This type of attack is outside the scope of NERC CIP or could be outside the scope of the nuclear plant cyber security standards depending on the designation of the PLC. This type of attack also affects all industries.

-  The ICS Cyber Security Conference continues to be the only conference where the Aurora test and hardware mitigation are discussed. The Aurora vulnerability still exists in the electric power grid. Aurora involves the rapid opening and closing of large circuit breakers to isolate a generator from the grid and reconnect it out of phase to the grid. The event is over in 250 milliseconds and can cause catastrophic damage to rotating electric equipment – generators and large electric motors of the utilities and their customers. As Aurora is a physical gap in protection of the electric grid, it can only be remediated by hardware devices. Hardware mitigation exists but has not been deployed broadly. A joint DOD-utility effort presented the results from an 18-month study of one type of mitigation device – a Cooper iGR-933 Rotating Equipment Isolation Device (REID). The results showed that the mitigation device tested operated correctly for the duration of the test period. The REID identified local out-of-phase conditions that occurred but were not sufficiently severe to isolate a generator or electric motor from the grid. The results to date indicate that the Aurora hardware mitigation devices will not cause an impact to the reliability of the grid as suggested by the Dominion Virginia Quanta report. The presentation also identified many of the more “popular” myths about Aurora. Several utility representatives mentioned this was the first time they heard about the actual details of the Aurora test and the technical issues with Aurora even though they have been involved in their utility’s Aurora program for years.

- Microsoft zero days (previously unknown cyber vulnerabilities) sell on the market for more than $100,000 each. Yet for ICS, it is possible to get a package of 200 control system cyber vulnerabilities, including more than 90 zero days, for less than $10,000. Who says it takes a nation-state to threaten our critical infrastructures?

- Marina Krotofil’s presentation was an engineer’s look at which processes are most critical to plant safety and consequently where a cyber attack could do the most damage. Compromising these critical systems doesn’t necessarily involve compromising network packets, but it does involve understanding how a plant operates and the ICSs affecting that operation.

Difficulty in securing ICSs

-  The application of authentication and encryption to existing ICS protocols such as DNP3 has turned out to be more difficult than originally thought. One of the major issues in securing ICS protocols is the lack of adequate key management strategies. If a key is invalid, what should an automated process do? The concern over an ICS or SCADA system operating with an invalid key can result in a reevaluation of how SCADA/ICSs are designed, configured and operated.

-  As mentioned, the Cyberx presentation above demonstrates you don’t need foreknowledge to compromise a modern PLC.
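The key-management question raised above, what an automated process should do when its key is invalid, is a policy decision that has to be written into code before an authenticated protocol is deployed. The Python below is an added illustration for this point, not the DNP3 Secure Authentication specification and not any vendor's implementation: it authenticates a constructed control message with an HMAC and encodes one defensible policy for the failure cases (expired, revoked or mismatched key): do not execute, hold the last known safe state, raise an alarm, and request a rekey only when the key itself is the problem. The message framing, key record and decision names are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    EXECUTE = "execute command"
    HOLD_AND_ALARM = "hold last safe state, raise alarm"
    HOLD_AND_REKEY = "hold last safe state, raise alarm, request rekey"


@dataclass
class SessionKey:
    key_id: int
    secret: bytes
    expires_at: int        # seconds since epoch on a constructed clock
    revoked: bool = False


def tag_message(message: bytes, key: SessionKey) -> bytes:
    """Sender side: HMAC-SHA256 over the key id and the payload (constructed framing)."""
    return hmac.new(key.secret, key.key_id.to_bytes(2, "big") + message, hashlib.sha256).digest()


def authenticate_command(message: bytes, tag: bytes, key: SessionKey, now: int) -> Tuple[Decision, str]:
    """Outstation side: decide what to do with an authenticated control request."""
    # Key lifecycle problems are checked before any cryptography: a revoked or
    # expired key must not authenticate anything, even if the tag would match.
    if key.revoked:
        return Decision.HOLD_AND_REKEY, f"key {key.key_id} revoked"
    if now >= key.expires_at:
        return Decision.HOLD_AND_REKEY, f"key {key.key_id} expired"
    expected = tag_message(message, key)
    if not hmac.compare_digest(expected, tag):
        # Wrong key or altered message: the command is not trusted, but one bad
        # tag does not prove the key is compromised, so alarm without rekeying.
        return Decision.HOLD_AND_ALARM, "authentication tag mismatch"
    return Decision.EXECUTE, "authenticated"


def run_constructed_scenarios() -> Dict[str, Decision]:
    """Exercise the policy on one valid message and three failure cases (all constructed)."""
    key = SessionKey(key_id=7, secret=b"constructed-demo-key-not-for-use", expires_at=1_700_000_000)
    command = b"OPERATE point=CB-12 action=TRIP"   # constructed control message
    tag = tag_message(command, key)
    before_expiry, after_expiry = 1_699_999_000, 1_700_000_001
    altered = command.replace(b"TRIP", b"CLOSE")   # same tag, different payload
    revoked_key = SessionKey(key.key_id, key.secret, key.expires_at, revoked=True)
    return {
        "valid": authenticate_command(command, tag, key, before_expiry)[0],
        "altered": authenticate_command(altered, tag, key, before_expiry)[0],
        "expired": authenticate_command(command, tag, key, after_expiry)[0],
        "revoked": authenticate_command(command, tag, revoked_key, before_expiry)[0],
    }


if __name__ == "__main__":
    for name, decision in run_constructed_scenarios().items():
        print(f"{name:8s} -> {decision.value}")
```

Whatever policy an operator chooses, the point the presentation makes is that it must exist: a process that simply stops, or one that executes anyway, are both decisions, and neither should be made implicitly by an unhandled error path.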

Lack of ICS forensics

-  A utility provided one of the first public discussions about the results of a cyber red team event (“white hat” attack). This utility took cyber security very seriously all the way to the CEO and was meeting the current NERC CIP requirements. The red team attack was conducted by the state National Guard who went in “blind” (no foreknowledge). The National Guard was able to get into critical locations including ICSs within a very short period of time without going through the firewall or anyone knowing they were there. This brings up many questions including the value of the NERC CIPs and monitoring capabilities if a “reasonable mid-tier adversary” can so easily compromise a “NERC CIP-compliant” utility without being detected.

- Robert Lee discussed several recent events that were identified as “ICS cyber attacks” that actually weren’t cyber attacks. Like the little boy who cried wolf, propagating myths can only hurt the cause of securing ICSs.

- I gave a summary presentation of three (of the more than 50) nuclear plant cyber security incidents in my database. None of these were identified as cyber, yet these three incidents caused substantial impacts. These three incidents were also initiated from systems outside the existing cyber security scope for nuclear plants. These three (and the other 50+) incidents raise a question about the new NRC requirements on disclosure. The NRC requirements only discuss what happens AFTER discovery, as the NRC has assumed that discovery capabilities exist. However, as demonstrated by this presentation, ICS cyber forensics and training may not be capable of making the discovery that nuclear plant incidents could be cyber-related.

Finally, there were several vendor displays that indicated a real path forward by developing technologies that were specific to ICS applications including operational benefits beyond just security. One vendor demonstrated a controller that actually eliminates many of the cyber pathways by the inherent design of their controller.

Related Webcast: Industrial Control Systems (ICS) Cyber Incidents - Real But Not Being Identified (Live: Nov. 18, 2015 at 1PM and Available on Demand Following)

  Cross Posted from Unfettered

SAP Security Notes October 2015 - Review Tue, 10 Nov 2015 20:44:31 -0600 SAP has released the monthly critical patch update for October 2015. This patch update closes 29 vulnerabilities in SAP products, 15 of which are high priority, some of them belong to the SAP HANA security area. The most common vulnerability is Missing Authorization Check (as it was in SAP Security Notes September 2015). This month, one critical vulnerability found by ERPScan researcher Mathieu Geli was closed. This vulnerability also affects SAP HANA security and has the highest CVSS score among all issues closed by the update.

About SAP HANA security issues

According to Business Insider, SAP HANA is implemented in more than 6400 companies. SAP says there are more than 815,000 end users of this solution. The security of the critical data that companies entrust to SAP HANA must receive priority attention. Unfortunately, the number of SAP HANA vulnerabilities is constantly growing: in 2015 it has increased by 50% compared to 2014. One of the critical SAP HANA vulnerabilities (static encryption keys) was recently identified by the ERPScan research team.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerability that was found by ERPScan researchers.

  • A Remote Command Execution vulnerability in SAP HANA (CVSS Base Score: 9.3). Update is available in SAP Security Note 2197428. An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.

The most critical issues found by other researchers

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2037304: SAP SDCC Download Function Module has an Implementation Flaw (CVSS Base Score: 8.5). Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase the system stability. Install this SAP Security Note to prevent risks.
  • 2203591: SAP TREX/BWA has an Implementation Flaw (CVSS Base Score: 7.6). Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality, and increase the system stability. Install this SAP Security Note to prevent risks.
  • 2179615: SAP 3D Visual Enterprise Author, Generator and Viewer has a Remote Code Execution vulnerability (CVSS Base Score: 6.8). An attacker can use Remote Code Execution to run commands remotely without authorization, under the privileges of the service that executes them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on ERPScan's website. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

Complex and Portable Passwords Tue, 10 Nov 2015 20:43:00 -0600 Accumulating passwords for the many resources a person uses over a lifetime creates situations where maintaining them requires constant resets or resorting to methods that lack security.

An earlier article offered a few hardening pointers for passwords that can be remembered. Any password relies on some finger-coordination muscle memory, but after a while it must be changed to maintain security, which requires more memorization. Maintaining a large variety of passwords for sites and systems beyond the initial system logon creates stress and does not allow mobility.

Remembering all the passwords one needs, with context and muscle memory, for every resource one must access is usually a problem. Using the same password across the board is not recommended, since every credential is compromised once a potential intruder discovers one of them. Writing these passwords down or keeping them on a computer that is visible from the Internet is also not recommended.

Recent personal needs have required a new approach that allows complex passwords which are not easily identified, remembered or stolen. In addition to using two-factor security for public email, I have used a USB key to store all my public site and system credentials. This allows passwords that need not be remembered and are available wherever one goes.

The USB key can contain encrypted files or be a solution like IronKey. This allows a long and complex password to be cut and pasted into site or system logins. As long as there are no loggers on the system that can capture the clipboard, the password is safe from capture. These passwords will be hard to retrieve even when someone is watching the display, because they are not logical and are a complex string of characters. Make sure they are designed like this.

They can be tied into a single sign-on solution like those found in a browser or an integrated feature like Apple’s keychain on personal devices. I trust this solution: I keep a USB key on my physical keychain and take it with me wherever I go, and although usage on public machines is not recommended, the credentials can be stored on and ported to machines and networks one trusts.

SAP Afaria Stored XSS vulnerability - detailed review Wed, 21 Oct 2015 20:51:23 -0500 Today we will show how SAP Afaria, an MDM solution from a world-famous software vendor, works and how cybercriminals can attack it in different ways.

In a nutshell, MDM is a set of services that help an administrator of a large company control the employees' mobile devices (smartphones, tablets, phablets and so on and so forth), thus enforcing security measures for corporate data stored and processed on those devices. A special application called the MDM client is installed on a device and allows administrators to apply settings.

Afaria is used by companies around the world. We have found about 140 Afaria servers available via the Internet.

[Figure: SAP Afaria worldwide]

As you can see from the graph, the largest number of Afaria services is implemented in the US and China.

We have also discovered several SAP Afaria vulnerabilities and would like to describe the most interesting of them.

Stored XSS vulnerability

The administrative part of SAP Afaria provides the core functionality and is available via a browser. The web administrative console is where a system administrator can view a list of all connected devices, create new mobile device configurations, download applications, control devices, etc.

So, the XSS vulnerability in the administrative console is likely to be critical for the entire system and for the administrator in particular. A common Afaria user, of course, can’t obtain access to these functionalities. However, an injection of user data is still possible. So, let's examine what will happen if we try to connect a new device to the server without the proper rights (and the user account).

[Figure: connection to the server without rights and accounts]

That’s what we get: the server, of course, does not allow us to connect this device. However, the list of devices in the administrative console (it is the administrator’s main workspace) shows the information about the device marked as “Not approved”. It means that an attacker can inject some data into the administrative console anonymously. Guess in which field a JS injection is possible. The server does not filter the information before displaying the device IMEI.

It looks like a typical stored XSS. However, the exploit is interesting because the IMEI field is restricted to 15 characters. This restriction doesn’t allow one to inject malicious JavaScript code in a single request. But nothing prevents attackers from sending several connection requests, each specifying only a part of the JS payload wrapped in comments.

Let’s assume the attackers want to inject the following JS code:


alert('Hello Afaria! U so secure!');

To do so, they have to send a request to the server with the following values in the IMEI field:


*/a02="lo Af";/*
*/a04=" U so";/*
*/a05=" secu";/*

As you may notice, there are special characters /**/ in every query. They mark comments in JS. This way, the pieces of HTML markup between the fragments, which would otherwise prevent the final result, are commented out.

What’s the final result? The web server will build an HTML page in the admin panel in which all the little pieces will be brought together into one JS script to be executed during the administrator’s session. It allows the attacker to gain data from the Afaria admin panel, and thus to control all devices connected to the server.
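What makes the injection work is that the console writes the IMEI into the page as raw markup, so the fragments are reassembled by the administrator's browser. Two independent controls break this: validating that an IMEI is fifteen digits with a correct Luhn check digit before it is stored, and HTML-escaping every stored value at output time. The Python below is an added example, not Afaria code: the device records and their fragment-style IMEI values are constructed, and `render_rows_unsafe` reproduces the vulnerable concatenation only so it can be compared with the escaped version.

```python
import html
import re
from typing import Dict, List

# Constructed device records as an admin console might list them. The last two
# imitate the fragment technique described above: each value fits the
# 15-character limit and relies on /* */ to stitch pieces together in the page.
DEVICES: List[Dict[str, str]] = [
    {"name": "field-tablet-01", "imei": "490154203237518"},   # constructed, Luhn-valid
    {"name": "unapproved-a",    "imei": '*/x="a";/*'},
    {"name": "unapproved-b",    "imei": '*/y="b";/*'},
]

IMEI_DIGITS = re.compile(r"^[0-9]{15}$")


def luhn_valid(digits: str) -> bool:
    """Luhn check: the 15th IMEI digit is a check digit over the first 14."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_valid_imei(value: str) -> bool:
    """Write-time validation: only 15 digits with a valid check digit are ever stored."""
    return bool(IMEI_DIGITS.match(value)) and luhn_valid(value)


def render_rows_unsafe(devices: List[Dict[str, str]]) -> str:
    """Vulnerable rendering: raw concatenation, the pattern the stored XSS relies on."""
    return "".join(f"<tr><td>{d['name']}</td><td>{d['imei']}</td></tr>\n" for d in devices)


def render_rows_safe(devices: List[Dict[str, str]]) -> str:
    """Output encoding: every value is HTML-escaped, so quotes and tags become inert text."""
    return "".join(
        f"<tr><td>{html.escape(d['name'], quote=True)}</td>"
        f"<td>{html.escape(d['imei'], quote=True)}</td></tr>\n"
        for d in devices
    )


def accepted_device_names(devices: List[Dict[str, str]]) -> List[str]:
    """Names of records that pass validation and would reach the console at all."""
    return [d["name"] for d in devices if is_valid_imei(d["imei"])]


if __name__ == "__main__":
    print("accepted by validation:", accepted_device_names(DEVICES))
    print("--- unsafe rendering ---")
    print(render_rows_unsafe(DEVICES))
    print("--- escaped rendering ---")
    print(render_rows_safe(DEVICES))
```

Either control alone would have stopped the reported issue; applying both is the usual recommendation because validation rules tend to loosen over time (fields get reused, formats change) while output encoding protects whatever ends up in the store.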

The screenshot below shows the administrative console’s source code with JS injected into the device IMEI field:

[Figure: administrative console’s source code with injected JS]

Stored XSS vulnerability: Wrap-up

The XSS vulnerability was closed by SAP. Install SAP Note 2152669 to fix this issue.

Please keep in mind that this issue is very critical because it can be remotely exploited without authentication, and there are at least 140 servers available on the Internet. An attacker can get full control over all the mobile devices of an organization: remotely wipe data, lock all smartphones, or even force the upload of a malicious backdoor that controls the user’s data, sends critical documents to a C&C server, spies on employees, reads messages, and records video from cameras.

We also recommend reading our whitepaper about XSS Vulnerabilities in SAP and how to prevent them in custom code.

Stay tuned for our new updates about SAP Afaria vulnerabilities and more SAP security research.

Boards Must Understand the Risks from Industrial Control Systems (ICS) Cyber Security Mon, 12 Oct 2015 11:15:42 -0500 The Board of Directors' function is to identify and judge risk to the organization. As one member of a utility board stated, “A Board needs to know what the company is exposed to in terms of risk and what the consequences are of that exposure. Given a specific security deployment protecting an asset – what possibilities exist for breach?

There should be an explicit list that the Board sees so they know the company is not 100% protected, nor will it be. For each item on the breach list – what is the maximum damage that might be done if the breach occurs? The Board needs to understand these questions if it is to fulfill its fiduciary responsibility and understand how management has determined to allocate resources.” Yet very few Boards understand the potential implications of ICS cyber incidents. To an industrial organization, the largest risk to the well-being of the organization comes from compromise of the ICSs, not from a data breach.

There have been almost 750 ICS cyber incidents with impacts ranging from trivial to significant equipment damage to significant environmental damage to impacting regulatory issues to deaths. An ICS cyber incident does not need to be malicious to create a risk to the organization the Board needs to address. 

I want to focus on two ICS cyber incidents that demonstrate the potential ICS cyber risk to the financial well-being of the organization - the PG&E San Bruno natural gas pipeline rupture and the Volkswagen emissions scandal. Both were ICS cyber incidents that directly led to the resignation of the respective CEOs and both had multi-billion dollar impacts on the organization. Because they were ICS cyber incidents, IT had no knowledge of the relevant issues in either case. Both cases were caused by intentional activities though neither was malicious in the traditional sense and neither was caused by a traditional insider. The long term impacts of both cases put the respective corporations at risk. In PG&E’s case, the California PUC is now investigating whether PG&E should be split up because of systemic safety issues stemming from the San Bruno natural gas pipeline rupture. In Volkswagen’s case, Volkswagen may have lost an entire market - diesel cars - as well as their reputation as a maker of well-designed vehicles.

To meet their fiduciary responsibility, Boards need to address ICS cyber security as well as data breaches.

Related: Attend the 2015 ICS Cyber Security Conference

Crowd Funding Website Breached! Access to Development Server To Blame Thu, 08 Oct 2015 10:26:00 -0500 ‘Yesterday I learned that there was unauthorized access to a Patreon database containing user information.’ - Jack Conte, CEO Patreon

Patreon, the crowd funding website, suffered a breach late last month. The cause was an unguarded development server, which was left online. According to Patreon’s CEO, Jack Conte, the development server was accessed by a third party, and customer contact information was stolen.

Unfortunately for Patreon and its customers, the development server housed a snapshotted version of one of Patreon’s main databases, which stored the leaked customer information.

To the best of Conte’s knowledge, no passwords were leaked:

We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.

Development servers may not seem like an attack vector. However, the Las Vegas Sands Corp suffered a catastrophic breach in 2014; Iranian hackers broke into the network using an unguarded development server.

Breaches like these are indicative of a larger issue facing security organizations -- vulnerabilities in third-party cloud services that are used by departments outside of IT to stand up corporate digital assets. According to studies, 30% of IT spending occurs outside the IT department.

The root of the problem is that most enterprises espouse a ‘siloed mentality’. Inter-departmental cooperation is largely nonexistent and often discouraged. The meetup point for IT used to be the data center, but that is no longer the case.

Security has a real problem. It's increasingly left in the dark until an incident occurs. This trend is proliferating across enterprises of all sizes. Moving forward, CISOs will increasingly be forced to address security incidents occurring outside their perimeter.

Conventional wisdom would suggest that more stringent policy and enforcement of internal IT practices would prevent these problems. However, it just isn’t that simple any longer.

These developments have led to the rise of digital footprint security, an approach designed to lower an organization’s exposure to external threats that reside outside the firewall.

How Well Do You Really Know Your Network? Tue, 06 Oct 2015 15:50:00 -0500 So you think you know your enterprise IT infrastructure pretty well. Really? Are you sure about that?

Time for a pop quiz. Don’t worry, there are only three questions, but with multiple parts to each question:

1) How many devices do you have on your agency and enterprise networks?

a. Can you name them with IP address, basic function and applications running?

b. How many devices connect via wireless access points?

c. What do you do when you discover an unknown or unauthorized connection or app running?

d. Who reports when operational systems go down? How? To whom?

2) Do you have an accurate network diagram showing all infrastructure connectivity?

a. What systems or functions are permitted to communicate with other systems by policy?

b. Where is your policy? Do you train employees to follow policies and procedures?

c. Is your policy enforced? How?

d. How do you authorize and manage exceptions to policy?


3) How do you know when someone (or something) gains unauthorized access to data?

a. What data is most sensitive and how is it protected?

b. How do you manage identities and provision system access across disparate networks?

c. Who is looking at the logs, monitoring traffic and managing security alarms?

d. What processes and procedures explain how to declare that a security incident has occurred that needs to be investigated? Who owns these functions (name a person or two)?

e. Can you account for 100 percent of the network traffic? If not, how do you resolve the traffic not accounted for?

All done. So how did you do?

If you answered all these questions successfully, you can take the rest of the day off. 

Yep. You can go home right now – but only if you have complete, correct answers for all of these questions for the entire enterprise and not just your small piece of your department’s network.

Oh, and you need your management team as well as external and internal auditors to agree and sign-off that everything is in good shape and consistently updated perfectly.

Dreaded Risk Assessments, E-Discovery and Enterprisewide Audits of IT

The truth is that no large public- or private-sector enterprise can answer these questions accurately 100 percent of the time for every one of their networks, systems, people, processes and all data. The questions may even seem like an unfair anchor around the necks of CxOs nationwide, and just going through the questions may bring back negative memories.

If these questions look familiar, that's not surprising. I basically summarized key audit questions along with the typical opening checklist to enterprise-wide risk assessments that CIOs and CISOs see in the traditional “As Is, To Be, Gap Analysis” sessions every few years.

In my experience, your team is above average if you can answer more than 80 percent of these questions accurately. The Deloitte-NASCIO Cybersecurity Study published last year identified major gaps in knowledge about network and security protections in place with many government leaders feeling uncomfortable in offering specific numbers.

Another difficulty to overcome is that hardware, firmware and application software are changing constantly in large, complex networks that keep evolving. Answers are given for a moment in time, but gaining a true picture of all the moving parts is very difficult – even for the best technology teams with years of experience.

Exceptional network management requires a robust ITIL framework that is working well, along with pros who really understand their strengths and weaknesses in each core discipline. For example, you need database experts, network experts, system administration experts, security experts, great project managers, programmers who test code well and write secure applications, and tools from competing vendors, all working together as a united team.

In addition, the security implications are huge. If you don’t know “what is normal” how can you possibly identify dangerous hackers, unauthorized applications or concerning behaviors of insiders? How can your team restore systems or get data back to “normal” after system or network outages like the big halt experienced on Wall Street earlier this year?

The challenge is immense, especially when you consider that a hacker only needs to be right once.

Three Red Flags to Watch Out For

There are some recent warning signs that raise additional red flags. Sadly, these challenges are raising the network management stakes even higher in mid-2015, whereas the items discussed up to this point can be traced back decades. Admittedly, these newer items have always been with us to some degree as well – especially in hot tech markets with skills shortages.

1) The staff turnover problem is getting worse among technology staff. While every organization needs fresh blood and young talent, the number of veteran technology professionals changing jobs, leaving companies and governments, or retiring right now is a major concern. In this hot security job market, many experts are looking for greener pastures. Also, baby boomers are seeking second careers and taking their years of experience with them.

TIP: Make sure that cross-training occurs and clear roles and responsibilities are documented – along with clear policies and operational procedures.

2) Shadow IT is growing, along with rogue cloud computing usage that the tech team knows little about and that may be out of control.

TIP: Solutions to this issue include increasing visibility with a cloud access security broker (CASB).

3) Excellent vendor and contract management skills are lacking in government. Government CxOs who face extreme challenges in these infrastructure areas often like to bring in private-sector partners as an "easy fix." Of course, there’s nothing wrong with the expert from out of town coming in to help or using contractors.

But while partnering with external solution providers can certainly help, remember that accountability and responsibility for results and outcomes always live with the data owners and CxO involved.

Simply put: You can outsource the function but not the responsibility.

Final Thoughts

While all of this may seem rather depressing, there certainly is hope for the future.

Recent breaches, and the international emphasis on critical infrastructure protection, are helping raise awareness of the importance of technology infrastructure improvements. Many organizations are currently building “next-generation” networks with new projects that are well funded.

There are numerous frameworks, checklists and solution providers to help. The recent OPM breaches in the federal government are causing new thinking and a higher priority to these essential network architecture topics.

What’s my main point? Don’t waste any opportunity to reinvent your network or infrastructure when you get the chance.

In the meantime, get to know your network a little better – right now.

Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, author and CSO of Security Mentor, a pioneer of innovative security awareness training that drives real behavior change by combining engaging, highly interactive training with content-rich lessons that convey critical security information.  

Note: An earlier version of this article was published on Government Technology.

NSA Cyber Chief to Keynote 2015 ICS Cyber Security Conference in Atlanta
Tue, 06 Oct 2015 08:57:31 -0500

SecurityWeek is proud to announce that Philip D. Quade, Chief of the NSA Cyber Task Force and Special Assistant to the Director, National Security Agency, for Cyber, will deliver a keynote address at the 2015 ICS Cyber Security Conference, taking place Oct. 26-29 in Atlanta, Georgia.

On the morning of Oct. 27, Mr. Quade will deliver a keynote address titled “Protecting the Infrastructures on Which We Depend”.

Philip Quade - NSA

As industrial control systems start looking more like IT systems, and as our everyday environment starts looking more like ICS architectures, Mr. Quade will explain why stakeholders need to re-evaluate their strategies for ensuring that ICS continues to reliably underpin the missions and services on which we depend. With the ICS 'attack surface' growing substantially, Mr. Quade will address the roles each of us might take to leverage each other's unique insights and capabilities.

Now in its 13th year, SecurityWeek’s ICS Cyber Security Conference is the foremost and longest-running cyber security-focused event series for the industrial control systems sectors. The conference caters to the energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

Immediately prior to his current role at the National Security Agency, Mr. Quade served as the Chief Operating Officer of the Information Assurance Directorate at NSA, managing day-to-day operations, strategy, planning, integration, and relationships in cybersecurity and related disciplines. He also served external to NSA as head of the Information Operations Technology Center’s Advanced Technology Group, as a Professional Staffer at the US Senate, and at the Office of the Director of National Intelligence for a cross-discipline intelligence effort. Previous assignments at NSA include serving as a computer scientist, cryptanalyst, computer & network security evaluator, and in a variety of policy, program management, and resource jobs.

Registration is $1895 ($1695 Gov/Mil) and includes a full day of workshops and training and a total of four days of content. Registration and additional information are available online.

Since 2002, the ICS Cyber Security Conference has gathered ICS cyber security stakeholders across various industries and attracts operations and control engineers, IT, government, vendors and academics. The conference will address the myriad cyber threats facing operators of ICS around the world, with topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

2015 Sponsors Include: Lockheed Martin, Symantec, Waterfall Security, Bedrock Automation, Honeywell, NexDefense, ThreatStream, Intel Security, Cybereason, Cisco, Veracity, Darktrace, Peach Fuzzer, Check Point Software Technologies, and FireEye.

SecurityWeek has also formed a strategic alliance with the Industrial Control System Information Sharing and Analysis Center for the 2015 conference.
