Corporate IT security

  • Cyberattack insuranceEnergy companies slow to buy cyberdamage insurance

    The U.S. oil industry will spend $1.87 billion on cybersecurity defense systems by 2018, but less than 20 percent of U.S. companies overall are covered for cyberdamages. “Imagine what could happen if a large refinery or petrochemical facility’s safety monitoring systems were hijacked near an urban area, or a subsea control module was no longer able to be controlled by the people who should be controlling it,” says one expert. “As we’ve all seen from Deepwater Horizon [the 2010 BP Gulf oil spill] those risks and damages can be astronomical. It requires an immediate response.”

  • CybersecurityFinancial firms go beyond NIST's cybersecurity framework

    The National Institute of Standards and Technology(NIST) released its Framework for Improving Critical Infrastructure Cybersecurityin February 2014. Utilities, banks, and other critical industries welcomed the guidelines, but many considered the framework to be a baseline for what was needed to continuously protect their networks from cyberattacks. Some financial firms have developed industry-based cyber policies through association such as the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Third Party Software Security Working Group. The group has been reviewing cyber policies since 2012, before the NIST guidelines were finalized.

  • CybersecurityAll-industry cybersecurity association needed: Experts

    A new report is calling for a professional association committed to serving the cybersecurity industry. Theacknowledged the shortage of qualified cybersecurity professionals, as well as the difficulty of recruiting, training, and hiring potential candidates.Experts say that a cybersecurity association could help assess the needs of employers seeking cybersecurity professionals, establish ongoing training and development programs, and also help develop cybersecurity standards across all industries.

  • CybersecurityProgram aiming to facilitate cyberthreat information sharing is slow to take off

    President Barack Obama’s 2013 executive orderto improve critical infrastructure cybersecurity allows DHS to expand an information-sharing program, once restricted to Pentagoncontractors, to sixteencritical infrastructure industries. The Enhanced Cybersecurity Servicesprogram transmits cyber threat indicators to selected companies so they may prepare their network protection systems to scan for those indicators. A DHS inspector general (IG) reportreleased on Monday has found that just about forty companies from three of the sixteen industries — energy, communications services, and defense — are part of the program. Moreover, only two ISPs are authorized to receive the indicators.

  • BusinessKeith Alexander turns government experience into lucrative private sector career

    Cybersecurity industry insiders are questioning the ethics behind recently retired NSA chief Keith Alexander’s decision to launch IronNet Cybersecurity, a private consultancy, equipped with patents for what he refers to as a game-changing cybersecurity model. Alexander says there is nothing out of the ordinary here. “If I retired from the Army as a brain surgeon, wouldn’t it be OK for me to go into private practice and make money doing brain surgery? I’m a cyber guy. Can’t I go to work and do cyber stuff?”

  • Infrastructure protectionUtilities increasingly aware of grid vulnerability

    An analysis by the federal government shows that if only nine of the country’s 55,000 electrical substations were shut down due to mechanical failure or malicious attack, the nation would experience coast-to-coast blackout. Another report finds cybersecurity as one of the top five concerns for U.S. electric utilities in 2014. The report also found that 32 percent of the surveyed electric utilities had deployed security systems with the “proper segmentation, monitoring and redundancies” needed for adequate cyber protection.

  • Cyberattack insuranceDemand for cyberattack insurance grows, but challenges remain

    The surge in cyberattacks against the private sector and critical infrastructure has led to a growth in demand for cyber insurance; yet most insurers are unable properly to assess their clients’ cyber risk, let alone issue the appropriate pricing for their cyber coverage.Insurers which traditionally handle risks like weather disasters and fires, are now rushing to gain expertise in cyber technology.On average, a $1 million cyber coverage could cost $20,000 to $25,000.

  • CybersecurityPennsylvania cybersecurity group takes down international criminal network

    Over the past month, a coalition of cybersecurity forces in Pittsburgh, Pennsylvania made of regional FBI officers and members of Carnegie Mellon University’s CERT cyberteam, took down the Gameover Zeus cyber theft network, which had employed data ransom and theft schemes. The criminal group was able to snatch funds up to seven figures from owners’ bank accounts.

  • CybersecuritySix more bugs found in popular OpenSSL security tool

    By Robert Merkel

    OpenSSL is a security tool that provides facilities to other computer programs to communicate securely over the public Internet. OpenSSL is also used in some common consumer applications, such as software in Google’s Android smartphones. So when the Heartbleed vulnerability in OpenSSL was discovered and widely publicized in April this year, system administrators had to rush to update their systems to protect against it. Computer system administrators around the world are groaning again as six new security problems have been found in the OpenSSL security library.

  • PasswordsSquiggly lines may be the future of password security

    As more people use smart phones or tablets to pay bills, make purchases, store personal information, and even control access to their houses, the need for robust password security has become more critical than ever. A new study shows that free-form gestures — sweeping fingers in shapes across the screen of a smart phone or tablet — can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer “connect-the-dots” grid exercises to be observed and reproduced by “shoulder surfers” who spy on users to gain unauthorized access.

  • CybersecurityAdm. Michael Rogers: Businesses must “own” cybersecurity threats

    Cybersecurity threats are a vital issue for the nation, and like the Defense Department, businesses must own the problem to successfully carry out their missions, DOD’s top cybersecurity expert told a forum of businesspeople.

  • EncryptionResearchers crack supposedly impregnable encryption algorithm in two hours

    Without cryptography, no one would dare to type their credit card number on the Internet. Security systems developed to protect the communication privacy between the seller and the buyer are the prime targets for hackers of all kinds, hence making it necessary for encryption algorithms to be regularly strengthened. A protocol based on “discrete logarithms,” deemed as one of the candidates for the Internet’s future security systems, was decrypted by École polytechnique fédérale de Lausann (EPFL) researchers. Allegedly tamper-proof, it could only stand up to the school machines’ decryption attempts for two hours.

  • Grid securityStates lack expertise, staff to deal with cyberthreats to utilities

    The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

  • CybersecurityAttackers exploited Microsoft security hole before company’s announcement

    Before Microsoft alerted its customers of a security flaw in Windows XP over a week ago, a group of advanced hackers had already discovered and used the vulnerability against targeted financial, energy, and defense companies.

  • CybersecurityFBI warns healthcare providers about cybersecurity

    The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market than credit card numbers because the data contain information that can be used to access bank accounts or obtain prescription for controlled substances.