• Financial firms go beyond NIST's cybersecurity framework

    The National Institute of Standards and Technology(NIST) released its Framework for Improving Critical Infrastructure Cybersecurityin February 2014. Utilities, banks, and other critical industries welcomed the guidelines, but many considered the framework to be a baseline for what was needed to continuously protect their networks from cyberattacks. Some financial firms have developed industry-based cyber policies through association such as the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Third Party Software Security Working Group. The group has been reviewing cyber policies since 2012, before the NIST guidelines were finalized.

  • All-industry cybersecurity association needed: Experts

    A new report is calling for a professional association committed to serving the cybersecurity industry. Theacknowledged the shortage of qualified cybersecurity professionals, as well as the difficulty of recruiting, training, and hiring potential candidates.Experts say that a cybersecurity association could help assess the needs of employers seeking cybersecurity professionals, establish ongoing training and development programs, and also help develop cybersecurity standards across all industries.

  • Program aiming to facilitate cyberthreat information sharing is slow to take off

    President Barack Obama’s 2013 executive orderto improve critical infrastructure cybersecurity allows DHS to expand an information-sharing program, once restricted to Pentagoncontractors, to sixteencritical infrastructure industries. The Enhanced Cybersecurity Servicesprogram transmits cyber threat indicators to selected companies so they may prepare their network protection systems to scan for those indicators. A DHS inspector general (IG) reportreleased on Monday has found that just about forty companies from three of the sixteen industries — energy, communications services, and defense — are part of the program. Moreover, only two ISPs are authorized to receive the indicators.

  • Two major security vulnerabilities found in majority of world’s smartphones

    Researchers have uncovered two major vulnerabilities in smart phones from manufacturers including Apple, Google Android, and Blackberry, among others. These flaws could put up to 90 percent of the world’s two billion smartphones at risk for stolen data, password theft, and the potential for hackers even to take control of the device.

  • Utilities increasingly aware of grid vulnerability

    An analysis by the federal government shows that if only nine of the country’s 55,000 electrical substations were shut down due to mechanical failure or malicious attack, the nation would experience coast-to-coast blackout. Another report finds cybersecurity as one of the top five concerns for U.S. electric utilities in 2014. The report also found that 32 percent of the surveyed electric utilities had deployed security systems with the “proper segmentation, monitoring and redundancies” needed for adequate cyber protection.

  • SATCOMS vulnerable to hacking

    Satellite communications systems (SATCOMS) used by soldiers on the front lines, airplanes, and ships are vulnerable to hacking, according to analyst Ruben Santamarta’s presentation at the recent Black Hatcybersecurity conference.While none of the vulnerabilities discovered could directly cause a plane to crash, or override pilot commands, they could delay or intercept communications, exposing security and classified information to bad actors.

  • Training cyber security specialists for U.S. critical cyber infrastructure

    Lawrence Livermore National Laboratory is joining Bechtel BNI and Los Alamos National Laboratory to train a new class of cyber defense professionals to protect the U.S. critical digital infrastructure. The Bechtel-Lawrence Livermore-Los Alamos Cyber Career Development Program is designed to allow the national labs to recruit and rapidly develop cyber security specialists who can guide research at their respective institutions and create solutions that meet the cyber defense needs of private industry. About 80 percent of the nation’s critical digital infrastructure and assets are owned and operated by private industry.

  • Expanding the scope and impact of cybersecurity and privacy research

    As our lives and businesses become ever more intertwined with the Internet and networked technologies, it is crucial to continue to develop and improve cybersecurity measures to keep our data, devices and critical systems safe, secure, private and accessible. The other day, the National Science Foundation’s (NSF) Secure and Trustworthy Cyberspace (SaTC) program announced two new center-scale “Frontier” awards to support large, multi-institution projects that address grand challenges in cybersecurity science and engineering with the potential for broad economic and scientific impact.

  • SWAMP: Improving software assurance activities

    The Software Assurance Market Place, or SWAMP, is an online, open-source, collaborative research environment that allows software developers and researchers to test their software for security weaknesses, improve tools by testing against a wide range of software packages, and interact and exchange best practices to improve software assurance tools and techniques.

  • The smart grid offers convenience, but it also makes cyberattacks more likely

    Recent efforts to modernize the electric grid have increased communication between utilities and consumers, enhanced reliability, and created more opportunities for green energy producers; but it has also elevated the risk of cyberattacks. Proposed smart grids rely on technology that has created millions of new access points; and though more access points within the grid allows renewable energy generators to supply utilities, they also present opportunities for hackers to breach the system.

  • Chinese government hackers collected information on U.S. security clearance applicants

    Chinese government hackers last March broke into the computer networks of the U.S. Office of Personnel Management, the agency which keeps the personal information of all federal employees. The hackers targeted the information of tens of thousands of employees who had applied for top-secret security clearances. Experts note that the hacking of OPM files containing information about federal employees applying for security clearance is especially disturbing since federal employees applying for security clearances enter their most personal information.

  • Leaked documents reveal law enforcement hacking methods

    Through the sourcing of a leaked documents cache from the Italian firm Hacking Team, members of the University of Toronto’s Citizen Lab have revealed the methods of law-enforcement hackers. While much of Snowden’s revelations concerned broad international surveillance, documents from Hacking Team reveal more specific methods such as the actual techniques for tapping phones and computers to operate as eavesdropping devices.

  • Syrian Electronic Army’s attack on Reuters makes a mockery of cyber-security (again)

    By Bill Buchanan

    One big security issue that has arisen lately concerns control of news media. National boundaries have become blurred on the Internet, and the control any nation can have over information dissemination has been eroded — on news Web sites but especially on open platforms such as Twitter and Facebook. One lesson from all the attacks on open platforms is that a focus of any attempted hack will be a spear phishing e-mail. Tricking users into entering their details may be simple, but it can be very serious. For example the Reuters site, which was attacked by the Syrian Electronic Army (SEA), a pro-Assad group of “hacktivists,” integrates more than thirty third-party/advertising network agencies into its content. A breach on any of these could compromise the agency’s whole infrastructure.

  • DHS receives top FISMA score for the second year in a row

    DHS has received the top score in the annual Federal Information Security Management Act (FISMA), making it the only agency to achieve a score of ninety-nine two years in a row. The act, passed in 2002, requires the Office of Management and Budget to report on federal agencies’ implementation of set processes designed to secure federal IT infrastructures.Analysts credit the achievement to DHS’ Office of Inspector General’s (OIG) push for continuous monitoring of IT systems and standards. The OIG uses commercial vulnerability scanning tools and open source management software to form a system that routinely scans the agency’s networks for compliance with FISMA metrics.

  • Is Facelock the password alternative we’ve been waiting for?

    By Philip Branch

    One of the problems with using passwords to prove identity is that passwords that are easy to remember are also easy for an attacker to guess, and vice versa. Nevertheless, passwords are cheap to implement and well understood, so despite the mounting evidence that they are often not very secure, until something better comes along they are likely to remain the main mechanism for proving identity. But maybe something better has come along. Researchers propose a new system based on the psychology of face recognition called Facelock. But how does it stack up against existing authentication systems? The idea certainly sounds interesting and the technical challenges in implementing such a system do not seem great. But there are difficult questions regarding cost, selection and security of images that need to be answered before it becomes a practical alternative to passwords.