Tag Archives: cost

[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html

By Dave Foreman, ECS, Practice Director
Bob’s Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache.

With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance.

According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk.

[…]

[ISN] A disaster foretold — and ignored

http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/

By Craig Timberg
The Washington Post
June 22, 2015

The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.

Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.

“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.

The senators — a bipartisan group including John Glenn, Joseph I. Lieberman and Fred D. Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said.

[…]

[ISN] Hard to Sprint When You Have Two Broken Legs

http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html

By Valsmith
June 14, 2015

Now as a disclaimer, I don’t work for the government so there is a lot I don’t know, but I have friends who do or who have in the past and you hear things. I also pay attention and listen to questions I get in my training classes and conference talks.

This directive from the White House is laughable for a number of reasons and demonstrates just how out of touch decision makers in the Government are on these issues.

1.) Technically skilled people have been BEGGING to improve cyber security in the government for well over 15 years. I don’t think this is any kind of secret, just google for a bit or talk to anyone who works in government in the trenches. Asking for staff, tools, budget, authority, support and getting little of it. In a way, this directive is insulting to them: after years of asking, trying and failing, suddenly someone says: “oh hey I have an idea, why don’t you go and secure stuff!”. Right. Unless you are going to supply those things they need RIGHT NOW, they will fail. And government procurement and hiring organizations are notoriously slow so the chances of that happening are slim.

2.) IT Operations. The first thing that has to be in place for there to be any real chance is solid IT operations. Organizations have to be able to push out images and patches quickly, orderly, and with assurance. Backup recovery, knowledge of inventory, well managed systems, etc. are all paramount. Do you know how most government IT operations are managed? By contractors, aka the lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. who bid on large omnibus support contracts, win them, and THEN try to fill the staffing requirements. How do you win the lowest bid in services / support contracts? By keeping staffing costs down, aka paying the lowest possible salaries.

This results in some of the most piss-poor IT operations in the world. You want to know why Hillary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely it’s because their work-provided email DOESN’T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And it’s not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the Windows login prompt, due to poor IT practices. I was told that most of the time people resorted to paper handouts or overhead projectors. Yeh like the ones you had in high school in the 90s with the light bulbs and transparencies.

Essentially what this directive is saying: “Hey you low end IT staff, winners of the lowest bid, who can barely keep a network up or run a mail server, make sure you become infosec experts and shore up our defenses, and you have 30 days to do it.” Right. I have heard horror stories from acquaintances in the government of waiting 6 months for an initial account setup ticket to get performed. Weeks to get a new desktop deployed. It is idiotic to think that current IT operations can support this kind of request. But that is who typically manages servers, network and desktops, and who would have to deploy whatever security tools would be needed to do this in support of pitifully small infosec teams.

[…]

[ISN] Foiling Pump Skimmers With GPS

http://krebsonsecurity.com/2015/05/foiling-pump-skimmers-with-gps/

By Brian Krebs
Krebs on Security
May 4, 2015

Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty.

One morning last year the Redlands, Calif. police department received a call about a skimming device that was found attached to a local gas pump. This wasn’t the first call of the day about such a discovery, but Redlands police didn’t exactly have time to stake out the compromised pumps. Instead, they attached a specially-made GPS tracking device to the pump skimmer.

At around 5 a.m. the next morning, a computer screen at the Redlands PD indicated that the compromised skimming device was on the move. The GPS device that the cops had hidden inside the skimmer was beaconing its location every six seconds, and the police were quickly able to determine that the skimmer was heading down a highway adjacent to the gas station and traveling at more than 50 MPH. Using handheld radios to pinpoint the exact location of the tracker, the police were able to locate the suspects, who were caught with several other devices implicating them in an organized crime ring.

[…]

[ISN] How fear and self-preservation are driving a cyber arms race

http://www.cnet.com/news/how-fear-and-self-preservation-are-driving-a-cyber-arms-race/

By Max Taves @maxtaves
CNET News
May 2, 2015

When a man was fired from his job in Minneapolis, Minn., last May, he inadvertently touched off a boom in Silicon Valley. Gregg Steinhafel, then a 35-year veteran of Target and its CEO, was shown the door after hackers infiltrated the retailer’s computer systems, stealing 70 million shoppers’ information and 40 million credit and debit card numbers. It turned out the hack might have been prevented, had the company not ignored warnings from its own security systems.

It happened again in December, when Amy Pascal, one of the most powerful women in Hollywood, was fired from her job heading up Sony Pictures after hackers exposed thousands of financial documents and emails revealing the film studio’s inner secrets. The hack captured the world’s attention and elicited criticism from customers, industry leaders and even the president of the United States.

Pascal’s and Steinhafel’s exits sent shockwaves through corporate America. The message was clear: Top executives will be held responsible for their companies’ cybersecurity failings.

The result, venture capitalists say, has been a boom for cybersecurity startups. In ways that previous attacks on consumers never did, the firings have sparked a scramble for new security technology by companies desperate to head off the next costly, embarrassing cyberattack. And venture capitalists are responding, pouring unprecedented billions into a dizzying array of young companies and their, largely, untested products.

[…]

[ISN] Preparing for Warfare in Cyberspace

http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html

By THE EDITORIAL BOARD
The New York Times
APRIL 28, 2015

The Pentagon’s new 33-page cybersecurity strategy is an important evolution in how America proposes to address a top national security threat. It is intended to warn adversaries — especially China, Russia, Iran and North Korea — that the United States is prepared to retaliate, if necessary, against cyberattacks and is developing the weapons to do so.

As The Times recently reported, Russian hackers swept up some of President Obama’s email correspondence last year. Although the breach apparently affected only the White House’s unclassified computers, it was more intrusive and worrisome than publicly acknowledged and is a chilling example of how determined adversaries can penetrate the government system.

The United States’ cybersecurity efforts have typically focused on defending computer networks against hackers, criminals and foreign governments. Playing defense is still important, and the Obama administration has started to push Silicon Valley’s software companies to join in that fight. But the focus has shifted to developing the malware and other technologies that would give the United States offensive weapons should circumstances require disrupting an adversary’s network.

The strategy document provides some overdue transparency about a military program that is expected to increase to 6,200 workers in a few years and costs billions of dollars annually. Officials apparently hope talking more openly about America’s plans will deter adversaries who view cyberattacks as a cheap way to gather intelligence from more destructive operations.

[…]

[ISN] Pentagon Announces New Strategy for Cyberwarfare

http://www.nytimes.com/2015/04/24/us/politics/pentagon-announces-new-cyberwarfare-strategy.html

By DAVID E. SANGER
The New York Times
APRIL 23, 2015

SAN FRANCISCO — The Pentagon on Thursday took a major step designed to instill a measure of fear in potential cyberadversaries, releasing a new strategy that for the first time explicitly discusses the circumstances under which cyberweapons could be used against an attacker, and naming the countries it says present the greatest threat: China, Russia, Iran and North Korea.

The policy, announced in a speech at Stanford University by Defense Secretary Ashton B. Carter, represents the fourth time in four months that the Obama administration has named suspected hackers or announced new strategies designed to raise the cost of cyberattacks.

A previous strategy, released in 2011, was less detailed and only alluded to the new arsenal of cyberweapons that the Pentagon was deploying. That strategy talked vaguely about adversaries, naming none. But President Obama’s decision to publicly name North Korea’s leaders for ordering the largest destructive attack on an American target, the announcement of new sanctions against state-sponsored and criminal hackers, and the indictment of five members of the People’s Liberation Army for attacking American corporate targets all reflect a sea change in administration policy.

[…]

[ISN] The FBI’s Stance on Encrypted Communications

http://blogs.wsj.com/experts/2015/04/20/the-fbis-stance-on-encrypted-communications/

By Amy Hess, Executive Assistant Director of the Federal Bureau of Investigation
The Wall Street Journal
April 20, 2015

{This post is in response to the article, Should Law Enforcement Have the Ability to Access Encrypted Communications}

AMY HESS: Imagine an America where federal, state, and municipal law enforcement agencies cannot access critical communications, even when legally authorized to do so. Imagine a time when the police cannot pursue logical leads in electronic data to rescue a missing child, identify the co-conspirators of a massive fraud scheme, or obtain relevant evidence of an elected official’s public corruption. Imagine the injustice if a suspected criminal can hide incriminating communications without fear of discovery by the police, or if information that could exonerate an innocent party is inaccessible.

With the move to ubiquitous encryption, that time is closer than you think. Increasingly, law enforcement investigations require some degree of access to encrypted communications—whether stored on a computer or mobile device, or transmitted over a communication service provider’s network—and that access is increasingly limited.

The FBI firmly supports the development and adoption of robust encryption as a key tool to strengthen cybersecurity, secure commerce and trade, safeguard private information, and promote free expression and association. However, absolute encryption does not mean absolute safety. Terrorists and other criminals also use encryption to conceal and facilitate their crimes. No one in this country should be beyond the law. The notion that electronic devices and communications could never be unlocked or unencrypted – even when a judge has decided that the public interest requires accessing this data to find evidence — is troubling. It may be time to ask: Is that a cost we, as a society, are prepared to pay?

[…]